Linux the cause of Ebay phishing...

http://www.osnews.com/story.php?news_id=18738

The moral of the story is that unsecured (particularly unpatched) Linux boxes are just as bad as (or worse than) Windows boxes.

I've seen a lot of people just install Linux machines and leave them running. Yes, they run forever, but that doesn't make them secure. It seems like Linux is now more and more a target.

-- 
Web1: http://wand.net.nz/~iam4/ Web2: http://www.jandi.co.nz Blog: http://iansblog.jandi.co.nz

On Mon, 2007-10-08 at 13:15 +1300, Ian McDonald wrote:
http://www.osnews.com/story.php?news_id=18738
The moral of the story is that unsecured (particularly unpatched) Linux boxes are just as bad as (or worse than) Windows boxes.
I've seen a lot of people just install Linux machines and leave them running. Yes they run forever, but that doesn't make them secure. It seems like Linux is now more and more a target.
What's possibly more of interest here is *how* the linux boxen got cr4><0r3d. It could just be an SQL injection vulnerability or arbitrary shell command execution vulnerability in some PHP plugin module of some web app framework, yet Linux as a whole gets blamed.

Cheers
David

On 10/8/07, David McNab <david(a)rebirthing.co.nz> wrote:
On Mon, 2007-10-08 at 13:15 +1300, Ian McDonald wrote:
http://www.osnews.com/story.php?news_id=18738
The moral of the story is that unsecured (particularly unpatched) Linux boxes are just as bad as (or worse than) Windows boxes.
I've seen a lot of people just install Linux machines and leave them running. Yes they run forever, but that doesn't make them secure. It seems like Linux is now more and more a target.
What's possibly more of interest here is *how* the linux boxen got cr4><0r3d.
It could just be an SQL injection vulnerability or arbitrary shell command execution vulnerability in some PHP plugin module of some web app framework, yet Linux as a whole gets blamed.
The thing is that Linux these days means what your distro ships with it. You could argue that Linux itself is just the kernel, which is not very vulnerable, but also useless without programs such as Apache, PHP etc. Microsoft has put a lot of effort into lowering the attack space with Longhorn and Linux distros could probably learn from this.

Ian
-- 
Web1: http://wand.net.nz/~iam4/ Web2: http://www.jandi.co.nz Blog: http://iansblog.jandi.co.nz

It could just be an SQL injection vulnerability or arbitrary shell command execution vulnerability in some PHP plugin module of some web app framework, yet Linux as a whole gets blamed.
The thing is that Linux these days means what your distro ships with it. You could argue that Linux itself is just the kernel which is not very vulnerable, but also useless without programs such as Apache, PHP etc.
If Linux is "what your distro ships with", then you should cut it some slack, because last I checked distros didn't ship with broken (exploitable) PHP code on a public facing webserver.
Microsoft has put a lot of effort into lowering the attack space with Longhorn and Linux distros could probably learn from this.
I don't really agree with this point, but I'm willing to be swayed. Can you give an example of something that MS is doing that usefully improves security, and which could be applied to a linux server system?

On 10/9/07, Daniel Lawson <daniel(a)meta.net.nz> wrote:
It could just be an SQL injection vulnerability or arbitrary shell command execution vulnerability in some PHP plugin module of some web app framework, yet Linux as a whole gets blamed.
The thing is that Linux these days means what your distro ships with it. You could argue that Linux itself is just the kernel which is not very vulnerable, but also useless without programs such as Apache, PHP etc.
If Linux is "what your distro ships with", then you should cut it some slack, because last I checked distros didn't ship with broken (exploitable) PHP code on a public facing webserver.
Yes, and this is part of the flaw: if PHP code is constantly being exploited, doesn't it mean that the language has an issue? It would be interesting to see how much is user code exploits and how much is old software exploits (e.g. how Ubuntu local servers got hacked). I suspect a lot more of the latter, as you can easily use scripts to find these.
Microsoft has put a lot of effort into lowering the attack space with Longhorn and Linux distros could probably learn from this.
I don't really agree with this point, but I'm willing to be swayed. Can you give an example of something that MS is doing that usefully improves security, and which could be applied to a linux server system?
I'm thinking of a couple of things offhand:
- Server 2008 (and to a lesser degree 2003) has roles where it preselects the components, and only the components, needed for a role.
- other software when installed still won't work (or be hacked) unless you configure it.

I wasn't claiming Microsoft is more secure than Linux at all. I'm saying we can learn from Microsoft, just as they can learn from Linux. Microsoft does some things extremely badly and would be better off doing it the Linux way, e.g. user account security, and it can't really be fixed despite attempts like UAC.

-- 
Web1: http://wand.net.nz/~iam4/ Web2: http://www.jandi.co.nz Blog: http://iansblog.jandi.co.nz

If Linux is "what your distro ships with", then you should cut it some slack, because last I checked distros didn't ship with broken (exploitable) PHP code on a public facing webserver.
Yes, and this is part of the flaw: if PHP code is constantly being exploited, doesn't it mean that the language has an issue?
PHP != Linux. PHP also runs on windows. PHP also isn't the only language you can write exploitable code in.
It would be interesting to see how much is user code exploits and how much is old software exploits (e.g. how Ubuntu local servers got hacked). I suspect a lot more of the latter as you can easily use scripts to find these.
Local exploits still need a vector to get onto the system. These vectors are most often either poor password security or vulnerable web apps.
Microsoft has put a lot of effort into lowering the attack space with Longhorn and Linux distros could probably learn from this.
I don't really agree with this point, but I'm willing to be swayed. Can you give an example of something that MS is doing that usefully improves security, and which could be applied to a linux server system?
I'm thinking of a couple of things offhand: - Server 2008 (and to a lesser degree 2003) has roles where it preselects the components, and only the components, needed for a role.
Ubuntu, Debian, Redhat, SuSE all have "roles" where it preselects the components, and only the components, needed for that role. I'm sure other distros do as well. Gentoo just doesn't install anything; it's entirely up to the admin to install stuff. As a historical note, Debian has followed this model since Woody at least. I can't remember the potato installer, but I think it didn't have the tasksel stuff, just dumped you into dselect.
- other software when installed still won't work (or be hacked) unless you configure it.
Modern distros give services a basic configuration, and this typically involves limiting servers to only listen on localhost. There aren't a hell of a lot of services installed anyway.
I wasn't claiming Microsoft is more secure than Linux at all. I'm saying we can learn from Microsoft, just as they can learn from Linux. Microsoft does some things extremely badly and would be better off doing it the Linux way - e.g. user account security and it can't really be fixed despite attempts like UAC.
I understand that you're not claiming that MS is more secure. I'm disputing your claim that linux isn't already doing the same things MS is doing to limit vulnerabilities, where such techniques can actually be applied. Security is a concern for linux distributions, but I think they're doing a reasonably good job of it. Default security is definitely nothing like it was in the late 90's; RedHat 6.0 was a complete disaster, for example. Security is also a concern for the administrators, and that goes for windows admins as well as linux. Perhaps the problem here is that because linux is becoming "easier" to use and to run a server on, people are doing so without regard for security. This isn't a fault the distribution can fix, unless you don't allow your users to install anything at all, ever, in which case they'll just go run gentoo instead and screw themselves six kinds of sideways. Distributions can't protect against administrative stupidity.

On 10/10/07, Daniel Lawson <daniel(a)meta.net.nz> wrote:
If Linux is "what your distro ships with", then you should cut it some slack, because last I checked distros didn't ship with broken (exploitable) PHP code on a public facing webserver.
Yes, and this is part of the flaw: if PHP code is constantly being exploited, doesn't it mean that the language has an issue?
PHP != Linux. PHP also runs on windows. PHP also isn't the only language you can write exploitable code in.
I'll comment on this part mostly, as I agree with the rest of what you're saying or don't want to drag it all out. The original article talked about Linux systems, not Linux, so PHP is a concern if running on Linux. Agree with what you're saying that PHP is a cross-platform tool; see today's news for example: http://www.news.com/8301-13580_3-9793871-39.html?part=rss&subj=news&tag=2547-1_3-0-20
Distributions can't protect against administrative stupidity.
Yes, and that was my main point really (and Lindsay's). Don't assume just because you run Linux that you can't be hacked.

-- 
Web1: http://wand.net.nz/~iam4/ Web2: http://www.jandi.co.nz Blog: http://iansblog.jandi.co.nz

Just taking this back to the original thread...

My views simply come down to people's ability to secure a box, whether it's Linux or Windows, or whether it's an OS on a specific appliance, e.g. IOS on Cisco routers/switches.

From my Cisco world experience, I have come across vulnerabilities with IOS, not a huge amount, but they are there. Due to the complexity by nature with the number of features that the IOS has to offer, there will be security vulnerabilities, but if the switch or router was configured properly, then the chance of the vulnerability being exploited is vastly reduced if not eliminated. In saying that, I would also take heed with Ian's caution. But I would also consider taking other steps in securing a box.

While with Windows the options are a bit more limited, and patching is really the only best defence against having vulnerabilities that hackers/crackers can exploit, other than making sure there is a solid firewall on the network boundary. Linux OTOH can be set up so, for example, the MySQL database could only be accessed via 127.0.0.1 if it was only for the local webserver, or opened up only to the hosts that need to access the database server. Furthermore, IPTables could be set up so that requests to TCP/3306 are accepted from the authorised hosts and denied for everyone else, and better still, those hosts would be sited on a dedicated network interface or VLAN so the IPTables can restrict by layer 3 port, which protects from spoofing.

Also, services that aren't needed are disabled; for example, would you have samba running on a colocated webserver? In saying that, it's also very important to keep the Linux system up to date.

On Mon, 2007-10-08 at 13:15 +1300, Ian McDonald wrote:
http://www.osnews.com/story.php?news_id=18738
The moral of the story is that unsecured (particularly unpatched) Linux boxes are just as bad as (or worse than) Windows boxes.
I've seen a lot of people just install Linux machines and leave them running. Yes they run forever, but that doesn't make them secure. It seems like Linux is now more and more a target.

Linux OTOH can be set up so, for example, the MySQL database could only be accessed via 127.0.0.1 if it was only for the local webserver, or opened up only to the hosts that need to access the database server.
Windows can be set up the same way, it just typically isn't. Many linux distros (particularly the ones intended for desktop users) have a policy of 'no open ports' and a lot of software like MySQL is similarly preconfigured to only listen to localhost. In my experience with Windows, all sorts of completely unnecessary things end up listening on all interfaces, simply because on the chance that you happen to need those services, they'll already be installed and accessible. Hello slammer! That's great from an 'everything just works' perspective, perhaps.. but it's terrible from a security perspective.
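The controls Lindsay describes (mysqld bound to 127.0.0.1, iptables accepting TCP/3306 only from authorised hosts on a dedicated interface) and the "no open ports" default Bruce mentions, written out as something you can run. This is an added example and not code from the thread or from any of the posters; the interface name, client addresses and the sample `ss` output are constructed placeholders, and the rule generator only prints commands, it does not touch the firewall unless you pipe its output into sh.

```shell
#!/bin/sh
# Added example, not from the thread. Interface name, client addresses and the
# sample `ss` output below are constructed placeholders, not from a real host.

# 1. Pin mysqld to loopback when only the local web server needs it.
#    The line that does it, under [mysqld] in my.cnf:
#        bind-address = 127.0.0.1
#    check_bind_address reads a my.cnf on stdin; exits 0 if it pins loopback.
check_bind_address() {
    grep -Eq '^[[:space:]]*bind-address[[:space:]]*=[[:space:]]*127\.0\.0\.1[[:space:]]*$'
}

# 2. If other hosts must reach the database, accept TCP/3306 only from the
#    authorised addresses on the interface they actually arrive on, then drop
#    everything else. Matching -i as well as -s is what defeats a packet with a
#    spoofed source address arriving on the public interface.
#    mysql_rules IFACE HOST... prints the iptables commands; pipe into sh to apply.
mysql_rules() {
    iface=$1
    shift
    for host in "$@"; do
        printf 'iptables -A INPUT -i %s -s %s -p tcp --dport 3306 -j ACCEPT\n' "$iface" "$host"
    done
    printf 'iptables -A INPUT -p tcp --dport 3306 -j DROP\n'
}

# 3. Verify what is actually listening. Feed `ss -ltn` on stdin; prints the
#    local address:port of every listening socket not bound to loopback.
#    An empty result is what a "no open ports" default looks like.
nonlocal_listeners() {
    awk '$1 == "LISTEN" && $4 !~ /^(127\.|\[::1\]:)/ { print $4 }'
}

# Constructed sample of `ss -ltn` output for the demo below: MySQL is on
# loopback only, but sshd and httpd are on every interface.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*
LISTEN 0      128    [::1]:631          [::]:*'

# Demo with placeholder values: DB clients 10.0.1.10 and 10.0.1.11 via eth1.
mysql_rules eth1 10.0.1.10 10.0.1.11
printf '%s\n' "$SAMPLE_SS" | nonlocal_listeners
```

On a real box replace the sample with `ss -ltn | nonlocal_listeners` and `check_bind_address < /etc/mysql/my.cnf` (path is distro dependent); the DROP rule goes last so the per-host ACCEPT rules above it win, which is why the generator always emits it after the loop.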

Linux OTOH can be set up so, for example, the MySQL database could only be accessed via 127.0.0.1 if it was only for the local webserver, or opened up only to the hosts that need to access the database server. Furthermore, IPTables could be set up so that requests to TCP/3306 is accepted by the authorised hosts and denied by everyone else, and better still, those hosts would be sited on a dedicated network interface or vLAN so the IPTables can restrict by layer3 port which protects from spoofing.
All of which is irrelevant if the attack vector is a broken PHPNuke or awstats installation. (It seems that web scripts are the most common way in, as they're very wide-spread, not updated regularly on hosts (if upgrading is a pain), and often not audited well.)
From there, you can get a local shell as a user. It becomes an issue of what you can do from there. Wreak havoc as the apache user, for starters, and quite possibly use a local root exploit.
Did you update your kernel? Did you reboot? Rebooting is tedious, and requires a scheduled outage. Maybe I'll just leave it till next week.. Or don't care about becoming root, and just use the box as a drone on an IRC network. Nothing stopping people doing these things on IIS, either.

Craig
participants (6)
- Bruce Kingsbury
- Craig Box
- Daniel Lawson
- David McNab
- Ian McDonald
- Lindsay Druett