My friend works for an ISP. Last week, a machine (a server at a company they provide high speed access for) was compromised and was used to launch attacks at others and, I believe, used as a slave in DDoS attacks (his network was extremely slow, and once the user unplugged the compromised machine, his network speed issues cleared up). Of course, the receiver of the attacks complained and my friend's ISP had to call the user.
I scanned the machine (nmap-ed) as a favor for my friend and was totally _unshocked_ to find that this guy had basically a stock Linux (probably Red Hat) install, with vulnerable ancient sendmail, sunrpc and telnet, amongst others. The ISP employee talking on the phone to this user simply told him to format the machine, which I wish he hadn't, so my friend and I could have done forensics and figured out what was going on and how to prevent it. Now this guy will basically reinstall his distro with the same vulnerable services.
Now the fact this person was hacked did not shock
me. What does shock me is the following:
So many Linux distributions come out of the box with so many unnecessary services, EVEN when they are installed with the "Server" option. WHY? Even a Debian install with no packages dselected in the installer has sunrpc open. Is there a legitimate use for sunrpc? I've never seen or heard of one (albeit I am newer to *nix).
While this is all fine and dandy for the user since
he can run 800 nifty services on the same box, I think the idea that "Linux is
SOOO secure over NT" leads to a false sense of security that any Linux (or any
OS for that issue) is 100% secure out of box.
After I was almost compromised a few weeks ago in an attack that scared the !@^& out of me (coordinated assault from machines in Japan and Germany), I went totally ape about security (and this is my home cable modem linux router they were attacking). Now I had never considered a home cable modem linux router a target (well, until I read about the grc.com attacks), but now I was a security deity on the warpath. I had never been that much into security prior, but now I was totally in tune with it.
I formatted the box (even though I don't believe
they got in), reinstalled Debian with no packages dselected, went around
terminating default services until there were no services running, installing
snort and portsentry, brought up the daemons one by one, doing a gestapo-ish
firewall rules set and more.
I think the whole idea that some people market
linux as being "ultra secure" is false and misleading (well actually it is the
truth). I think every boxed Linux distribution and every installer should
have as the last screen a link to information about security resources and basic
steps to take to secure the machine.
Hell, I think distribution managers should take the initiative and shut off known vulnerable services by default and then later give the administrator the option to turn them on one by one... but only with a giant caveat message and a link (or maybe an automatic thing) to grab the latest patched version. Debian sort of does this with the idea of apt-get upgrade, but by default it only pulls packages out of stable (rarely updated), and how to add testing or security sources is not readily shown or explained unless you do the un-newbish thing of RTFMing or going online.
Now I know some of you might say "TRY OPENBSD ITS ULTRA SECURE!@!@#!Y@I#&". The problem with OBSD (even though I enjoy playing with it), is that it isn't marketed to the mainstream. Most companies, especially new ones that don't necessarily have experienced server admins (well sometimes experience is bad if they are set on only using one type of OS), will default to WindowsNT/2000 or Red Hat. OBSD also does not have the user-friendliness some people need (even though I think any *nix admin should be able to work with the commandline, a basic text only installer and man pages), so it isn't used.
I know one reason the sysadmin for my local school district uses NT is because it is so easy without much learning. Once, we were trying to add a second IP to a network card in the main linux web server and scanning doc files for the command. Just to taunt us, he walked over to an NT4 machine and did it in less than 20 seconds. Of course, this is an admin that applies service packs and hotfixes once in a blue moon =o
I dunno why this riles me up, I just get frustrated sometimes.
- kath
p.s. this post doesn't fit my normal style of short
and to the point. Would it have been better if I used diagrams or even
unrelated clip art to liven it up? ;p
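The "shut off every default service, then bring daemons up one by one" routine kath describes can be kept honest with a quick audit of what the box is actually listening on. The script below is an added example, not code from the original post; it assumes an iproute2 `ss` that supports `-tulnH` (TCP and UDP listeners, numeric, no header) and runs here on constructed sample output rather than a live host.

```shell
#!/bin/sh
# Added example: compare the sockets a box listens on against an allow-list of
# the services the administrator actually intends to run. Anything else is a
# "default service" candidate for shutting off (or at least for a firewall rule).
#
# Input format is that of `ss -tulnH` (iproute2, header suppressed):
#   Netid State  Recv-Q Send-Q Local:Port  Peer:Port
# Live use:  ss -tulnH | audit_listeners "tcp/22 tcp/80"

# audit_listeners ALLOWLIST
#   ALLOWLIST: space-separated proto/port pairs that are expected, e.g. "tcp/22 udp/53".
#   Reads ss-style lines on stdin and prints one "proto/port local-address" line for
#   every listener not in the allow-list. Prints nothing when everything is expected.
audit_listeners() {
    allow=" $1 "
    while read -r proto state rq sq laddr peer rest; do
        [ -z "$proto" ] && continue
        port=${laddr##*:}           # works for 0.0.0.0:111, [::]:111 and *:111
        case "$allow" in
            *" $proto/$port "*) ;;  # expected: say nothing
            *) printf '%s/%s %s\n' "$proto" "$port" "$laddr" ;;
        esac
    done
}

# Constructed sample (not captured from a real host): the kind of stock install
# the post describes, with sunrpc/portmapper (111), telnet (23) and sendmail (25)
# listening next to ssh (22).
SAMPLE_SS='udp   UNCONN 0 0   0.0.0.0:111 0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:111 0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:23  0.0.0.0:*
tcp   LISTEN 0 100 0.0.0.0:25  0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:22  0.0.0.0:*'

# Only ssh is intended on this box; the other four listeners are reported.
printf '%s\n' "$SAMPLE_SS" | audit_listeners "tcp/22"
```

Run it after each daemon you bring back up; the report should only ever grow by the one service you just enabled.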