
Linux botnet discovery points to lazy administrators

September 14, 2009, 6:09 AM PDT

Takeaway: A recent “cluster” of Linux servers was used to distribute botnets. Is this a Linux problem or an administration problem? Jack Wallen dishes out his thoughts.

Recently, a Russian security researcher discovered a 100-node Linux “cluster” running a botnet which was, in turn, connected to a group of desktop machines. All together these machines were serving up malware. Yes, that’s right: a cluster of Linux servers running genuine Web sites had been hacked to include a secondary server (nginx) that tied them together as a botnet server. How did this happen, you ask? Traditionally, desktop machines are turned into botnet servers when the user unwittingly clicks on a URL that then inserts malicious code into the user’s machine. This is how, in 2006, over 20,000 Windows machines were turned into botnet servers. But for this to happen to a Linux server? There is one explanation: careless, lazy administration.

Anyone who has read my columns long enough knows how I feel about Linux and its security. But even the security offered by Linux isn’t enough. Because of Linux’s solid reputation, many Linux administrators get their servers up and running and just leave them alone. No updates, no security, no nothing. They just set them up in a corner of a room and forget about them. “Set it and forget it.” That was the catch phrase bandied about the Linux community some time ago. But it’s an irresponsible idea.

Hackers today are smart. They know Linux. But these aren’t the hackers made into clichés of themselves in the mid-’90s. These aren’t pimply kids called SerialThriller or ZeroCool. These hackers are professionals whose living depends upon cracking open the security of any given server. And lazy administrators, no matter what operating system, may as well hand them the keys to the kingdom.

There is a reason updates happen, especially in the server world. On the Linux servers I have installed, I keep careful watch over updates. For certain tools (like Apache) the updates don’t come very often, but when they do, I install them right away. Why? Because keeping these types of attacks at bay is critical to keeping a business up and running safely and without the danger of being shut down until the issue is resolved.

But how did the hackers get into these servers? Stolen FTP passwords, which helped them inject hidden iframes into legitimate sites. Okay, that sounds like it could be bad, but dangerous? It is when the administrator has left FTP access open for the root user. So the hackers were able to crack the root password through FTP. Of course, once the hackers had the root password, that was all she wrote (as my dear mother always said). Maybe they should have used vsftpd (which is a much more secure FTP server), or better yet ProFTPD, which chroots all FTP users to lock them into their directories and does not allow access to the root account at all.
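The two configuration weaknesses described above (root allowed to authenticate over FTP, and users not confined to their own directories) are both visible in the daemon’s config file, so they are easy to audit before an attacker finds them. The following script is an added example, not code from the article or from the vsftpd or ProFTPD projects: it parses a vsftpd-style `key=value` file and a ProFTPD-style `Directive value` file, and reports the weak settings. The four sample configs are constructed for this example; the directive names (`chroot_local_user`, `anonymous_enable`, `userlist_enable`, `userlist_deny`, `RootLogin`, `UseFtpUsers`, `DefaultRoot`) are real directives of those two daemons, and the defaults assumed when a directive is absent are taken from their documentation.

```python
"""Audit FTP daemon configs for the two weaknesses in the article:
root able to log in over FTP, and users not chrooted to their directories.
All sample configs below are constructed for this example."""
from typing import Dict, List

# Constructed sample: a vsftpd.conf as left by a "set it and forget it" install
WEAK_VSFTPD = """\
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
# chroot_local_user=YES   <- left commented out
"""

# Constructed sample: the same file after hardening
HARDENED_VSFTPD = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd.user_list
"""

# Constructed sample: a proftpd.conf that lets root in and never chroots anyone
WEAK_PROFTPD = """\
ServerName "Example FTP"
RootLogin on
UseFtpUsers off
"""

# Constructed sample: the same proftpd.conf after hardening
HARDENED_PROFTPD = """\
ServerName "Example FTP"
RootLogin off
UseFtpUsers on
DefaultRoot ~
"""


def parse_vsftpd(text: str) -> Dict[str, str]:
    """vsftpd uses key=value lines; '#' starts a comment."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip().lower()] = value.strip().upper()
    return conf


def parse_proftpd(text: str) -> Dict[str, str]:
    """ProFTPD uses 'Directive value' lines; directive names are case-insensitive."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("<"):
            continue  # skip blank lines and <Section> tags in this simple audit
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip().lower() if len(parts) > 1 else ""
    return conf


def audit_vsftpd(text: str) -> List[str]:
    """Return a list of findings; an empty list means the checked settings are sound."""
    conf = parse_vsftpd(text)
    findings = []
    if conf.get("chroot_local_user", "NO") != "YES":
        findings.append("vsftpd: chroot_local_user is not YES; users can browse the whole filesystem")
    if conf.get("anonymous_enable", "YES") == "YES":  # vsftpd's built-in default is YES
        findings.append("vsftpd: anonymous_enable is YES; anonymous logins are accepted")
    if conf.get("userlist_enable", "NO") != "YES" or conf.get("userlist_deny", "YES") != "NO":
        findings.append("vsftpd: no allow-list of FTP users (userlist_enable=YES with userlist_deny=NO)")
    return findings


def audit_proftpd(text: str) -> List[str]:
    """Return a list of findings; an empty list means the checked settings are sound."""
    conf = parse_proftpd(text)
    findings = []
    if conf.get("rootlogin", "off") == "on":  # ProFTPD defaults RootLogin to off
        findings.append("proftpd: RootLogin on; root can authenticate over FTP")
    if conf.get("useftpusers", "on") == "off":  # default on: honour /etc/ftpusers deny list
        findings.append("proftpd: UseFtpUsers off; the /etc/ftpusers deny list is ignored")
    if "defaultroot" not in conf:  # no default: without it users are not chrooted
        findings.append("proftpd: no DefaultRoot; users are not chrooted to their home directories")
    return findings


if __name__ == "__main__":
    for name, text, audit in (("weak vsftpd", WEAK_VSFTPD, audit_vsftpd),
                              ("hardened vsftpd", HARDENED_VSFTPD, audit_vsftpd),
                              ("weak proftpd", WEAK_PROFTPD, audit_proftpd),
                              ("hardened proftpd", HARDENED_PROFTPD, audit_proftpd)):
        print(f"{name}: {audit(text) or ['OK']}")
```

Point the `audit_*` functions at the contents of a real `/etc/vsftpd.conf` or `/etc/proftpd/proftpd.conf` and they report the same findings; the allow-list check is there because denying root alone still leaves every other system account as an FTP login, which is exactly the account pool a stolen-password attack draws from.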


My point here is that just because you are a Linux administrator does not mean you can be lazy and “set it and forget it.” You still have a responsibility for the security of your site and servers. It’s these types of lazy administrators that could cause Linux to lose the reputation it has fought very hard to gain of being secure. Linux is a secure OS and Linux servers are powerful and secure servers. But a lazy administrator is nothing more than a watchman asleep at his post: eventually someone who shouldn’t be in the building is going to walk through the door and wreak havoc. Don’t be a lazy Linux administrator. Don’t set and forget your servers. Don’t neglect updates and security. Don’t be a part of the problem; be part of the solution.


Jack Wallen

About Jack Wallen

A writer for over 12 years, Jack's primary focus is on the Linux operating system and its effects on the open source and non-open source communities.
