SOME LAZY Linux administrators are living in a dreamworld where they believe their systems are secure just because they use Linux, according to an insecurity expert.
Peter Hansteen claims that a third round of low-intensity, distributed bruteforce password attacks is now in progress because of sloppy admin practices on Linux systems. So far about a thousand servers have been compromised.
Writing in his blog, Hansteen said that many systems administrators seem to believe that they cannot be attacked successfully because they are not running a bug-ridden proprietary operating system.
He said the latest wave of attacks is quite easy to stop, if systems admins pay attention.
The likely culprit is a piece of Linux malware known as dt_ssh5.
The attack depends on systems admins whose maintenance regime is disorganised enough to let weak passwords exist and to leave software with known, exploitable bugs in place.
Then all it takes is at least one common userid like root with a guessable password.
Weak passwords are words that appear in the dictionary, for example. Strong passwords are not words that appear in the dictionary and typically are at least eight characters long and include both uppercase and lowercase alphabetic characters along with both numeric and symbol characters.
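The article's strength criteria (not a dictionary word, at least eight characters, upper and lower case, a digit and a symbol) can be turned into a simple policy check. The following is an added example, not code from the article or from Hansteen; the word list is a constructed stand-in for a real dictionary file such as /usr/share/dict/words.

```python
import string

# Constructed mini dictionary; in practice load a real word list (e.g. /usr/share/dict/words).
WORDLIST = {"password", "letmein", "dragon", "secret", "linux", "root", "admin", "qwerty"}


def password_weaknesses(password, wordlist=WORDLIST):
    """Return the list of policy failures for a candidate password (empty list == acceptable).

    Checks follow the criteria in the article: length >= 8, mixed case, a digit,
    a symbol, and not a dictionary word. The dictionary check also strips digits
    and symbols so that "Password1!" is still recognised as the word "password".
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    # Alphabetic core of the password, lower-cased, so decorated dictionary words still fail
    core = "".join(c for c in password.lower() if c.isalpha())
    if password.lower() in wordlist or core in wordlist:
        problems.append("dictionary word")
    return problems


def is_strong(password, wordlist=WORDLIST):
    return not password_weaknesses(password, wordlist)


if __name__ == "__main__":
    for candidate in ("password", "Password1!", "Tr0ub4dor&3"):
        print(f"{candidate!r}: {password_weaknesses(candidate) or 'OK'}")
```

A check like this belongs in the account-provisioning path (or a PAM password-quality module) rather than in a one-off audit: the point of the article is that a single guessable password on a common userid is enough.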
Hansteen said that systems admins might have oversold the security of Linux in a bid to interest "the suits" in using it, and that the downside of this, careless admin habits, might now be showing.
While bugs are easier to find and fix when the source code is available and the Linux security model is far better than the security nightmare that is Windows, there are always security worries.
For example one of the hosts now trying to gain illegitimate access to one of his systems was originally set up as a "spam washer".
Setting up a Linux box to filter spam is likely a good idea, but when your spam washer has been hijacked and tries to break into other people's systems, you urgently need to get your act together, he said.
While there are no self-propagating worms on Linux and the operating system is secure enough that there might never be any, Linux systems are potentially just as vulnerable as others to slow bruteforce password attacks. µ
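The "low-intensity, distributed" pattern the article describes is exactly the one that per-source lockout thresholds miss: each attacking host tries a common userid only once or twice, so no single IP looks noisy. The example below, added here and not taken from the article or from Hansteen's blog, parses constructed sshd auth-log lines (documentation-range addresses, not real hosts) and flags a username that is being probed from many sources with few attempts each, plus any password login that succeeds from a source that had earlier failures.

```python
import re
from collections import defaultdict

# Constructed sample of sshd messages in syslog format (not real log data).
SAMPLE_AUTH_LOG = """\
Jun 12 03:14:07 spamwasher sshd[2134]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jun 12 03:31:52 spamwasher sshd[2201]: Failed password for root from 198.51.100.7 port 40011 ssh2
Jun 12 03:58:10 spamwasher sshd[2260]: Failed password for invalid user oracle from 203.0.113.9 port 33120 ssh2
Jun 12 04:20:44 spamwasher sshd[2310]: Failed password for root from 203.0.113.21 port 52001 ssh2
Jun 12 04:47:19 spamwasher sshd[2372]: Failed password for root from 198.51.100.33 port 45010 ssh2
Jun 12 05:02:03 spamwasher sshd[2390]: Failed password for root from 203.0.113.5 port 51290 ssh2
Jun 12 05:02:05 spamwasher sshd[2390]: Accepted password for root from 203.0.113.5 port 51290 ssh2
Jun 12 05:40:00 spamwasher sshd[2451]: Failed password for invalid user oracle from 198.51.100.7 port 40100 ssh2
Jun 12 06:10:31 spamwasher sshd[2500]: Failed password for root from 192.0.2.77 port 60010 ssh2
Jun 12 06:15:12 spamwasher sshd[2510]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user oracle from ..." as well as "Accepted ... for ... from ...".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse_auth_log(text):
    """Return one dict per recognised sshd auth event, in log order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def find_distributed_bruteforce(events, min_sources=3, max_per_source=2):
    """Usernames probed from >= min_sources distinct IPs with <= max_per_source failures each.

    This is the slow, distributed shape: a per-IP lockout rule never fires because
    no single source exceeds its threshold, but the target account is clearly under attack.
    """
    failures = defaultdict(lambda: defaultdict(int))  # user -> ip -> failed attempts
    for e in events:
        if e["result"] == "Failed":
            failures[e["user"]][e["ip"]] += 1
    findings = {}
    for user, per_ip in failures.items():
        if len(per_ip) >= min_sources and max(per_ip.values()) <= max_per_source:
            findings[user] = sorted(per_ip)
    return findings


def find_success_after_failure(events):
    """(user, ip) pairs where a password login succeeded from an IP that had failed before.

    Key-based logins are ignored: the concern here is a guessed password.
    """
    failed_ips = set()
    hits = []
    for e in events:
        if e["result"] == "Failed":
            failed_ips.add(e["ip"])
        elif e["method"] == "password" and e["ip"] in failed_ips:
            hits.append((e["user"], e["ip"]))
    return hits


if __name__ == "__main__":
    evts = parse_auth_log(SAMPLE_AUTH_LOG)
    for user, ips in find_distributed_bruteforce(evts).items():
        print(f"distributed guessing against '{user}' from {len(ips)} sources: {', '.join(ips)}")
    for user, ip in find_success_after_failure(evts):
        print(f"password login for '{user}' from {ip} after earlier failures: investigate")
```

Run over a real /var/log/auth.log the thresholds need tuning to the host's normal traffic, and the per-account view should be kept across a window of hours or days, since the whole point of the low-intensity approach is to stay under any short-window counter.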
It's just having worked with MS for so long you forget it can be worth it.
That you can't fix stupid.
Of course, anyone who has their root account enabled for login over the Internet doesn't have a clue on System Administration either. No reason to have root accessible. Or run SSH on port 22. Or allowing password-based authentication at all. Or, with the availability of OpenVPN, having SSH be Internet facing altogether.
I've said this numerous times that any OS is only as secure as the admin who configures and MAINTAINS it. There is no set it and forget it OS. Be it Windows, Linux, or Unix all require doing additional work to lock down and open appropriate ports, accounts/access, applications, surrounding equipment, physical access, Patch Management, and services/daemons that are running on the boxes to name just a few.
None are actually superior however some are inferior that rely on security through obscurity (Apple). Windows makes it easier but most admins are lazy if not competent enough. There is a lot of Lazy and Useless in the IT world. Paper MCSEs and Agencies please stop requesting MCSE certification because the exam answers are floating around on the web or being passed around via sneakernet. I can't even bother with certification any more. I have known MCSEs who don't even own a computer.
Noticed this in April. Easy fix is to change the port ssh listens on. Next thing to do would be to add a few lines to your iptables to drop any packets from any host that requests a connection unsuccessfully on any port greater than 5 for 2 minutes or more.
Also, a handy PAM module that will track connect attempts and block/log failures from particular IPs:
http://www.hexten.net/wiki/index.php/Pam_abl
Ever heard of port knocking? Look it up and use it you lazy bastards.
If Windows and OSX are bug-ridden proprietary systems, we could safely state that Linux is a bug-ridden open-source system.
I don't know how the hell having a public source code would make its sysadmins less cautious.
That's just against common-sense.