[clug] My windows box got rooted last week... how at risk is Linux?

Daniel Pittman daniel at rimspace.net
Wed Jun 11 09:19:28 GMT 2008


Kim Holburn <kim.holburn at gmail.com> writes:
> On 2008/Jun/11, at 2:08 AM, Jason Stokes wrote:
>
>> Appeared to be downloading trojanish stuff over http from urls I
>> never connect to.  I had to pull the internet connection and spend
>> the weekend reinstalling everything.  I hate Microsoft.
>>
>> I've heard of Linux getting rooted, but the distros are pretty secure out of
>> the box these days, right?
>
> Yes but you can easily configure linux badly and I've seen it done.  
> A linux box doesn't have to be rooted to be doing bad.

There are occasional kernel level remote exploits, even, not that they
are very common:

http://www.frsirt.com/english/advisories/2008/1770
http://www.frsirt.com/english/advisories/2007/3860

> While linux in general is less insecure than windows, I believe it is
> entirely possible to configure a linux box so it is secure, really
> really secure, using SELinux or App Armour etc.  Mind you, I've never
> known anyone who actually did it successfully though ;-) 

What, Mandatory Access Control systems being hard?  Say it ain't so. ;)

Seriously, those MAC modules don't actually add /that/ much security in
many cases; the issues they protect against are bypassed by the
exploits.

For example, many remote web exploits that I deal with inject some code
running as the Apache user, non-persistent, that uses little but network
bandwidth.

Since none of this is outside the scope of code in the Apache space,
these attacks may well succeed, despite MAC controls that would
otherwise defend against them.

So, don't assume that just because you have some MAC you are safe
against all exploits, I guess.

[...]

>> I don't hear much about Linux viruses, or massive botnets of Linux boxes.
>
> Negligible viruses.  Linux is still fairly diverse.  It is vulnerable
> to network attacks but not usually automated attacks like windows is.

The vast majority of attacks I see against machines I manage are
automated: probes for weak passwords, open relays or proxy services, or
opportunistic exploits against old[1] web based vulnerabilities.

> Each attack needs a person so you can't get botnets.  

Most of those, in turn, form part of a botnet in one way or another, or
are used to relay spam.  Other studies, such as eBay in 2007, have shown
that Linux hosts -- often compromised shared hosting sites without root
access -- are a large part of some phishing and DDoS infrastructure.

[...]

> Unless you have a really good reason, put a firewall between the
> machine and the internet.  That goes quadruple for windows boxes.

This makes very little security difference if your exposure is due to a
kernel IP level bug, or to a service that you expose to the Internet.

It also leads to a much more significant risk that your "crunchy on the
outside, soft in the middle" infrastructure will be compromised the
moment someone walks an infected laptop into the building.


While it is a good idea to limit service availability to the Internet to
what you absolutely need, a machine with no exposed services is no safer
behind a firewall.

Likewise, any number of firewalls[2] will not help you if the risk is an
attack on an old awstats installation via HTTP -- and your business is
serving web content.

Regards,
        Daniel

Footnotes:
[1]  Most of the attacks are against six month old or more
     vulnerabilities, because -- as you correctly point out -- enough
     people just /don't/ keep up to date WRT security.

[2]  ...unless by "firewall" you mean "Intrusion Detection System",
     and include interruption of detected attacks, which most people
     will not read into this statement.
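Footnote [2] mentions an IDS that interrupts detected attacks, and the reply above describes the automated probes (awstats and other old web vulnerabilities) that make up most of the traffic. As an added example, not from this thread, here is a small Python detector over Apache combined-format log lines that flags the two signals a defender can key on: any request for awstats.pl on a server that does not host it, and a client racking up many distinct 404s in a short window. The log lines, addresses and paths are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: one human visitor, one awstats probe, one path scanner.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jun/2008:09:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Jun/2008:09:00:02 +0000] "GET /favicon.ico HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.9 - - [11/Jun/2008:09:00:05 +0000] "GET /awstats/awstats.pl HTTP/1.0" 404 210 "-" "-"
192.0.2.44 - - [11/Jun/2008:09:01:00 +0000] "GET /scan-path-1 HTTP/1.0" 404 210 "-" "-"
192.0.2.44 - - [11/Jun/2008:09:01:01 +0000] "GET /scan-path-2 HTTP/1.0" 404 210 "-" "-"
192.0.2.44 - - [11/Jun/2008:09:01:02 +0000] "GET /scan-path-3 HTTP/1.0" 404 210 "-" "-"
192.0.2.44 - - [11/Jun/2008:09:01:03 +0000] "GET /scan-path-4 HTTP/1.0" 404 210 "-" "-"
192.0.2.44 - - [11/Jun/2008:09:01:04 +0000] "GET /scan-path-5 HTTP/1.0" 404 210 "-" "-"
"""

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def find_probes(lines, window=timedelta(seconds=60), max_misses=5):
    """Return {client_ip: reason} for clients that behave like automated probes:
    any request for awstats.pl, or max_misses distinct 404 paths inside the window."""
    misses = defaultdict(list)  # ip -> [(timestamp, path)] of recent 404 responses
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not a combined-format line; ignore it
        ip, ts, path = rec["ip"], rec["ts"], rec["path"]
        if "awstats.pl" in path.lower():
            flagged.setdefault(ip, "request for awstats.pl: " + path)
        if rec["status"] == 404:
            # keep only misses inside the sliding window, then count distinct paths
            misses[ip] = [(t, p) for t, p in misses[ip] if ts - t <= window] + [(ts, path)]
            distinct = {p for _, p in misses[ip]}
            if len(distinct) >= max_misses:
                flagged.setdefault(ip, "%d distinct 404s within %ds" % (len(distinct), window.seconds))
    return flagged
```

Run it against a real access log with `find_probes(open("access.log"))`; the single 404 from the ordinary visitor stays below the threshold, so only the two probing clients are reported.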