I've been working with and using Linux far longer than any other platform. Through those years, I've pretty much seen and used it all. Interestingly, my tune has changed on a number of things — one opinion is about the relative security of Linux. Back in the day, I would have looked you in the face and said squarely, “There's no way anyone is going to hack a Linux server!” My tune now is a bit more somber, sober, and far more realistic. But before I get the chance to sing you that tune, let me set the stage.
Over the last week, I was called to check into why a CentOS server was behaving poorly. The server duty was for web/email. The shenanigans were first spotted when a particular email address on the server in question refused to authenticate. I logged into the cPanel, changed the email's password, and attempted to log into the user's webmail. The second I logged in, the password was automatically changed again.
So, I started digging around.
Unfortunately, the machine had been severely compromised through a PHP exploit. How did that happen? The machine was deployed and never updated. So, the PHP version being used had long since reached its end of life. Along with around 300 or so other packages that were sorely out of date, the machine was simply a sitting duck.
I decided to dig a bit deeper. There were a number of clients on the machine that used FTP. Nearly 50% of those clients still had the default FTP password, which was set up by the original engineer that deployed the machine. Even worse, FTP wasn't set up securely.
Here's a list of the problems I'd discovered thus far:
- Out-of-date packages
- PHP exploit
- Weak FTP with default passwords
Finally, a few of the clients on the machine actually had access to the root user via the wheel group. At this point, I thought, “Why did the deploying engineer not send out invitations to nefarious users for an open house?”
It's not hard to see why this machine was compromised.
The biggest problem was that whoever did the hijack did so in such a way to completely obfuscate their work. None of the standard root kit tools came up with anything outside of some ownership changes. In the end, there was nothing I could do. The time and cost involved with getting the server back up and running, as is, couldn't be justified. Thankfully, the machine had been cloned and virtualized, so it was just a matter of finding out when the hack happened and spinning up a clean vm.
The lesson here is a tough one, because one of the biggest selling points of Linux is its security. But the truth of the matter is, if a machine is online, it's vulnerable — and it can be hacked. If that machine isn't updated regularly, the chances of it being hacked are greatly increased. Using the Linux platform does not give you an automatic “Get out of jail free” card. Like any other platform, you must run regular updates and take proper security measures. Otherwise, you're inviting trouble.
Yes, I still think Linux is a much more secure platform than the alternatives. I would pit the Linux desktop against any others. But no matter how secure of a reputation it has, it's only as secure as the packages installed. So, if you have an exploitable PHP installed, if you employ weak scripting, or if you fail to follow through on updates — you will get hacked.
Don't learn this lesson the hard way. It'll be costly in terms of budget, precious data, and your reputation.
Do you agree that Linux is more secure than other platforms? Share your opinion in the discussion thread below.
Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.