Linux

Linux is more secure but not invulnerable

Jack Wallen believes Linux is more secure than other platforms, but it's only as secure as the packages installed.


I've been working with and using Linux far longer than any other platform. Through those years, I've pretty much seen and used it all. Interestingly, my tune has changed on a number of things -- one opinion is about the relative security of Linux. Back in the day, I would have looked you in the face and said squarely, “There's no way anyone is going to hack a Linux server!” My tune now is a bit more somber, sober, and far more realistic. But before I get the chance to sing you that tune, let me set the stage.

Over the last week, I was called to check into why a CentOS server was behaving poorly. The server's duty was web/email. The shenanigans were first spotted when a particular email address on the server in question refused to authenticate. I logged into cPanel, changed the email's password, and attempted to log into the user's webmail. The second I logged in, the password was automatically changed again.

So, I started digging around.

Unfortunately, the machine had been severely compromised through a PHP exploit. How did that happen? The machine was deployed and never updated, so the PHP version in use had long since reached its end of life. With around 300 or so other packages also sorely out of date, the machine was simply a sitting duck.

I decided to dig a bit deeper. A number of clients on the machine used FTP. Nearly 50% of those clients still had the default FTP password, which had been set up by the original engineer who deployed the machine. Even worse, FTP wasn't set up securely.

Here's a list of the problems I'd discovered thus far:

  • Out-of-date packages
  • PHP exploit
  • Weak FTP with default passwords

Finally, a few of the clients on the machine actually had access to the root user via the wheel group. At this point, I thought, “Why did the deploying engineer not send out invitations to nefarious users for an open house?”

It's not hard to see why this machine was compromised.
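
The findings above can be confirmed with a few lines of shell. The script below is an added example, not from the article, written for a CentOS/cPanel-style host with GNU awk and coreutils: it enumerates every route to root (extra uid-0 accounts, wheel membership, and sudoers entries that grant ALL). The passwd, group and sudoers files it inspects are constructed samples, not data from the compromised server; on a real box point it at /etc/passwd, /etc/group and /etc/sudoers, and give the drop-ins under /etc/sudoers.d the same pass.

```shell
#!/bin/sh
# Added example, not from the article: enumerate every route to root on a
# CentOS/cPanel-style host. Each function takes the file to inspect as an
# argument so it can be run against the live /etc files or against copies
# pulled from a cloned disk image.

# Helper: count lines without the leading whitespace some wc builds emit.
count_lines() {
    awk 'END { print NR }'
}

# Extra uid-0 accounts: anything besides "root" is a second root login.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Members of the wheel group, one per line. On CentOS, wheel is the group that
# may su to root, and with the stock sudoers line it also gets full sudo.
wheel_members() {
    awk -F: '$1 == "wheel" { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$1"
}

# sudoers entries whose command list is ALL. Comments, blank lines, Defaults
# and root's own line are skipped; a grant limited to one command is not
# reported. Drop-ins under /etc/sudoers.d (#includedir) need the same pass.
sudo_all_grants() {
    grep -Ev '^[[:space:]]*(#|Defaults|root[[:space:]]|$)' "$1" |
        grep -E '(\)|=|:)[[:space:]]*ALL[[:space:]]*$'
}

# Total number of root paths found across passwd ($1), group ($2), sudoers ($3).
root_path_count() {
    a=$(uid0_accounts "$1" | count_lines)
    b=$(wheel_members "$2" | count_lines)
    c=$(sudo_all_grants "$3" | count_lines)
    echo $((a + b + c))
}

# Constructed sample files (not data from any real server) standing in for
# /etc/passwd, /etc/group and /etc/sudoers on a box like the one in the article.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second root login:/root:/bin/bash
client1:x:1001:1001::/home/client1:/bin/bash
client2:x:1002:1002::/home/client2:/bin/bash
EOF
cat > "$SAMPLE_DIR/group" <<'EOF'
root:x:0:
wheel:x:10:client1,client2
client1:x:1001:
client2:x:1002:
EOF
cat > "$SAMPLE_DIR/sudoers" <<'EOF'
# constructed sudoers
Defaults    requiretty
root        ALL=(ALL)       ALL
%wheel      ALL=(ALL)       ALL
client2     ALL=(ALL)       NOPASSWD: ALL
client1     ALL=(root)      /sbin/service httpd restart
EOF

# Report. On a live host: root_path_count /etc/passwd /etc/group /etc/sudoers
echo "uid-0 accounts besides root:"; uid0_accounts "$SAMPLE_DIR/passwd"
echo "wheel members:";               wheel_members "$SAMPLE_DIR/group"
echo "sudoers ALL grants:";          sudo_all_grants "$SAMPLE_DIR/sudoers"
echo "root paths found: $(root_path_count "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group" "$SAMPLE_DIR/sudoers")"
```

Run it as part of provisioning and again before a server is handed over: on a shared hosting box every line it prints is a client who can become root, which is exactly the situation found on this machine.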

The biggest problem was that whoever did the hijack did so in such a way as to completely obfuscate their work. None of the standard rootkit tools came up with anything beyond some ownership changes. In the end, there was nothing I could do. The time and cost involved in getting the server back up and running, as is, couldn't be justified. Thankfully, the machine had been cloned and virtualized, so it was just a matter of finding out when the hack happened and spinning up a clean VM.

The lesson here is a tough one, because one of the biggest selling points of Linux is its security. But the truth of the matter is, if a machine is online, it's vulnerable -- and it can be hacked. If that machine isn't updated regularly, the chances of it being hacked are greatly increased. Using the Linux platform does not give you an automatic “Get out of jail free” card. As on any other platform, you must run regular updates and take proper security measures. Otherwise, you're inviting trouble.

Yes, I still think Linux is a much more secure platform than the alternatives. I would pit the Linux desktop against any other. But no matter how secure a reputation it has, it's only as secure as the packages installed. So, if you have an exploitable PHP installed, if you employ weak scripting, or if you fail to follow through on updates -- you will get hacked.

Don't learn this lesson the hard way. It'll be costly in terms of budget, precious data, and your reputation.

Do you agree that Linux is more secure than other platforms? Share your opinion in the discussion thread below.


About

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website getjackd.net.

12 comments
unixfool

From my understanding, just because a Linux machine may be susceptible to a PHP vulnerability doesn't mean it's the fault of Linux in general.  It's the Linux software that's faulty.  On a Linux system that doesn't have the affected PHP version installed (for example), or PHP not even installed, there is no issue.  I agree with the article in the general sense, but if you've always had the mindset of ensuring your software is updated, you'll have less of a problem with Linux machines when it comes to security (but you still may have other security related issues, such as what the article mentioned -- weak FTP implementation with default passwords, for example).

ParNeverhood

I have never bought into the idea that any operating system is secure. Proper security practices must be maintained, i.e. regular OS patching, application patching, user validation/revalidation, active threat detection, etc.

brandon

Linux and Mac have become more and more targeted for attacks than ever before. While Mac OS is FreeBSD based and Linux shares much of the same code, neither operating system held a large market share (consumer base). While most web servers are Linux based, they are often not monitored, hardened or updated, and most of the time it's not the OS but application-based attacks. For the last several years the security field and the bad guys have been attacking applications, like PHP, or Adobe, Java, OpenOffice, Firefox etc. This makes many exploits available on multiple operating systems. Now that these systems (Mac / Linux) have started to see a larger base of users due to a frustrated consumer and business market, the bad guys have a reason to target those systems. In many cases these users do not even run any anti-virus or firewall because they have the misconception of security. As a Linux, Mac and Windows user for almost 15 years I see all sorts of simple mistakes that can help keep you protected. Such as patching the systems and third-party apps, running anti-virus, firewall and hardening your system for its use. One thing Mac and Linux have done since their birth was using the security model of least privilege; basically you start with the least amount of access and then have to elevate or run as root group to make serious changes. While this presented some simple end-user changes, it prevents most exploits from being able to do anything but the basic user, helping keep your system safe. Microsoft has typically employed the opposite: give the user everything, then an admin has to take away access. To compound that issue many Microsoft applications require running with full access, so people are used to clicking yes, run. So while BSD, Linux and Mac start out with some decent security, the same recommendations for all computer systems apply; when done right they can be very secure systems.
Even Windows servers (2008+) can be very secure if done correctly; however, most organizations (outside of government) do not even implement the recommended security from Microsoft. So to each their own, all systems work, it depends on your needs; just be sure to not get comfy and let your guard down when you are not using a Windows-based OS.

janitorman

The common user has no idea how to keep a system secure. Plus, people hate updates, which is why I have them turned off. It's a crapshoot to do an update, you'll never know if one will remove features, introduce bugs, etc. Once a system is working fine, I don't want any updates, as they've caused problems many many times before for me. The constant updating of Linux software certainly doesn't help. I'm not saying it's a bad thing but maybe tagging the updates "Security" or 'feature' related would help.

I'd also like to see some sort of antivirus tool similar to the ones on Windows where you know it's working, (something like AVG or Avast) and a firewall similar to Zonealarm that's easy to use, and ASKS you (if that's the way you set it up) whether or not to let a program access the internet, and won't let you if the program has been maliciously "updated."

Maybe it's why the common user is still on Windows (or Mac, I suppose) where this kind of thing is more obvious, not having to open a DOS (or "terminal" I guess) window to deal with it, just a tray icon that lets you know it's doing its job. In my opinion this should be standard on all desktop distros, something like MS security essentials (I know, not a good example.)

marcushh777

This conversation always talks past itself because the laity out there doesn't know what "hacked" means. They are typically thinking in terms of what it meant to be "hacked" on a standard Windows system. 

Let's just set this straight right now... gnu/linux cannot be "cracked".

Now let's set something else straight, you are correct to point out that a system is only as secure as its weakest link. Yes, sometimes packages have some zero-day vulnerability because of lazy programming, but that is beside the security of gnu/linux as a platform . . . and that is an important nuance to cover.

Another important point to cover is that vulnerabilities in gnu/linux are patched almost over-night... and in some cases I've seen it happen faster. There is no waiting around for six months for some Tuesday update schedule from a major corporation . . . nor any of that bologna.

I have been running gnu/linux since 1992, and seriously (in place of windows) since 1998. I have yet to receive malware, viri, spy-ware, trojans, nor back-door marketing schemes, &c. It just doesn't happen.  I do follow some simple rules, and I keep my systems up-to-date . . . from the kernel up. 

Gnu/Linux is only as vulnerable as you allow it to be... and you don't have to allow it to be!

Cheers

A. Silva Ledesma

Linux has always been several times safer than the competition.
If we add the proper use of tools such as chroot, sudo, AppArmor and folders with their rights "properly secured", Linux security rises further.

I agree that the packages can be vulnerable if they are not updated, but we must isolate them and audit them.

Although I look at this from a security standpoint, an article -- weekly, almost alone -- putting into question the security of the Linux world strikes me as something less than serious, almost worthless.

Are we all clear that half of the world's servers run Linux?

I propose that if we talk about security, it should be in the security thread, since the above applies to all of our servers, regardless of the OS they run.

If it is so that others' hearts feel comforted, this article should be moved to where it can benefit more.

ps.techrep

While there are always going to be some problems with open source applications, there will ALWAYS be MORE problems with complacent users and administrators who don't understand that security starts with them.

filker0

As with all general purpose systems, security in Linux is only as good as the software on that system and the measures taken by the administrators to detect and respond to attacks.  Use of one time passwords for logins with root access (via sudo), chroot on httpd, and a tool that scanned the system for setuid and setgid images and reported any change (new files, changed files, deleted files), and a number of other measures goes a long way to protecting against zero day exploits, but you must keep the software up-to-date, at least for that software that is exposed to the internet.  You don't need to keep up with GCC or emacs releases, but PHP, Python, perl, apache, your MTA, file transfer and file sharing software all must have all security fixes installed promptly.

Even with all the measures I list above, I still had a machine hacked to the point where it was sending out spam (only for a few hours) from a BBS that I had set up as an experiment when I was developing a website for an organization a few years earlier -- I had updated PHP, but had forgotten about the BBS and had not updated that code.  My ISP blocked mail from my home network until I fixed the problem, and even then, they were not easily convinced to allow SMTP traffic from my home network again.  This was on a Linux server running on a home network with no public URL.
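
The setuid/setgid change scanner filker0 describes is a few lines of shell. The script below is an added example, not filker0's tool or anything from the page, and assumes GNU find, stat and coreutils as found on a CentOS host: it records a sorted baseline of every setuid/setgid file (mode, owner, SHA-256, path) and reports any entry that appears, disappears or changes on a later scan. The directory tree it scans is constructed in a temporary directory, with stub files standing in for real binaries; on a live host you would scan "/".

```shell
#!/bin/sh
# Added example, not filker0's own tool: baseline-and-diff scanning of setuid
# and setgid files, as described in the comment above. Record a baseline on a
# freshly built host, re-run from cron, and treat any diff as an incident until
# it is explained. Assumes GNU find/stat/coreutils (a CentOS box); the tree to
# scan is an argument so a mounted image of a compromised disk can be checked too.

# One line per setuid/setgid regular file: "mode owner:group sha256 path",
# sorted by path so two scans are directly diffable. The hash catches a binary
# that was replaced with its mode left intact. -xdev stays on one filesystem.
scan_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec sh -c '
        for f; do
            printf "%s %s %s\n" "$(stat -c "%a %U:%G" "$f")" \
                "$(sha256sum < "$f" | cut -d" " -f1)" "$f"
        done' sh {} + | sort -k 4
}

# Lines that differ between the baseline ($2) and a fresh scan of $1:
# "<" = in baseline only (removed or changed), ">" = in current only (new or changed).
suid_changes() {
    scan_suid "$1" | diff "$2" - | grep '^[<>]' || true
}

suid_change_count() {
    suid_changes "$1" "$2" | awk 'END { print NR }'
}

# Constructed demo tree (not a real system): two legitimate setuid/setgid
# stubs and one ordinary binary that must not be reported.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/usr/bin" "$DEMO/usr/local/bin"
printf 'stub passwd\n' > "$DEMO/usr/bin/passwd"; chmod 4755 "$DEMO/usr/bin/passwd"
printf 'stub wall\n'   > "$DEMO/usr/bin/wall";   chmod 2755 "$DEMO/usr/bin/wall"
printf 'stub ls\n'     > "$DEMO/usr/bin/ls";     chmod 0755 "$DEMO/usr/bin/ls"
scan_suid "$DEMO" > "$DEMO/baseline.txt"

# Simulate the intruder: drop a hidden setuid shell and trojan passwd in place
# (re-applying the mode, since a write to the file can clear the setuid bit).
printf '#!/bin/sh\nexec /bin/sh\n' > "$DEMO/usr/local/bin/.x"; chmod 4755 "$DEMO/usr/local/bin/.x"
printf 'trojaned passwd\n' > "$DEMO/usr/bin/passwd"; chmod 4755 "$DEMO/usr/bin/passwd"

# On a live host: scan_suid / > /var/lib/suid.baseline  (once, at build time)
#                 suid_changes / /var/lib/suid.baseline  (from cron, mailed out)
suid_changes "$DEMO" "$DEMO/baseline.txt"
echo "entries changed: $(suid_change_count "$DEMO" "$DEMO/baseline.txt")"
```

Keep the baseline somewhere the web server's user cannot write, and refresh it only after a package update you ran yourself; a scan that quietly shows no changes after a yum update is the sign the baseline was not refreshed, not that nothing changed.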

marcushh777

@unixfool Correct.

Your points are correct. To build on that (and to answer the post about not trusting updates) most distro maintainers (debian, ubuntu, mint, suse, redhat, &c) have an update scheme that segregates updates into classes that are in general categories from which you can choose. For instance, Mint Linux has several levels by number...  [1] security patches, mandatory updates that have been tested [2] recommended fixes that have been tested [3] fixes that have not been thoroughly tested but are not suspected to be a problem [ and so on ] 

The user/admin can decide (for instance, Mint Linux) whether to apply no updates, or level [1], or [1]&[2], or [1]&[2]&[3]... you get the idea. Again, be smart. Look at the updates and try to determine whether you need them... whether they are recommended, whether they are community supported or distro supported, and so on. You will not have problems (generally speaking) if you approach update strategies intelligently. THINK

Cheers

marcushh777

@brandon "Linux and Mac have become more and more targeted for attacks than ever before. " -- brandon

Your statement is patently false. Not false because it's not true, but false (deceptive) because even though it is true it is not a problem directly. This is the tired old incorrect theory that the reason Windows gets hacked and gnu/linux does not is that Windows has the huge market share and nobody is targeting Linux. That theory is bologna, demonstrated by the fact that the majority of servers and hand-held devices today are running gnu/linux (of some flavor) and while they may be "targeted" they are not infiltrated.

see my post to janitorman

Again, if you're stupid (not thinking) you can setup your system to be vulnerable. Don't do that. 

marcushh777

@janitorman Anti Virus Software and Firewall Software are NOT necessary...

...  on gnu/linux.

Your ideas are based on your Microsoft experience, where third parties were required to "protect" the OS from attacks.  The reason behind these third party protection schemes is poor design. The Unix operating system does not require anti-virus software because it does not have the inherent design flaws of the Windows system(s). 

On a properly set up system (gnu/linux, FreeBSD, Mac OSX, or any other unix-like system) it is *very* difficult to infiltrate the system with datagrams from the outside that can propagate from system to system the way Windows viri/trojans do. This is because of the kernel, and because of the filesystem(s). Third-party protection schemes are not required at all. --this isn't just an opinion... it's true.

On a unix-like system the kernel IS your firewall. Third-party firewall(s) are also not necessary. Back in the day kernel control for datagrams was handled by ipchains... today it is handled by iptables. In either case rules are set up in the kernel (controlled by the user/admin) to determine what datagrams may pass through the kernel... with pin-point precision (there isn't a better firewall). Now, there are several good software packages (third party...) that provide easy, convenient interfaces for the user to set up good rules which get translated into iptables. An example is Firestarter.

The bottom line here is that gnu/linux (nor any other unix-like system) DOES NOT have the same security issues in design that the Windows system suffers from. The inherent flaws in the Windows system have provided a good income for third-party protection franchises for many years. But it's just not needed on unix-like systems.

Having said all of that, if you give someone your root password you are going to get hacked. If you open ports to the outside and the code servicing those ports has zero-day vulnerabilities, well then you're screwed. If you download a trojan, make it executable, and then allow it to run with root privileges, then you are also screwed. (get the point??) In other words, you can be just as stupid with gnu/linux as you would be in any environment that requires thinking! So, be smart. THINK

Cheers

brandon

@filker0 A great way to monitor changes in Linux and even windows machines is an open source HIDS called OSSEC.  It can send you an email alert or to your snort or log collection system when critical system files are changed.  It's open source and a great way to know when someone changed something.
