***Disclaimer***

Disclaimer: The Wizard of 'OZ' makes no money from 'OZ' - The 'Other' Side of the Rainbow. 'OZ' is 100 % paid ad-free

Wednesday, October 02, 2013

Linux is more secure but not invulnerable

By Jack Wallen in Linux and Open Source


Tux, the Linux Mascot


Jack Wallen believes Linux is more secure than other platforms, but it's only as secure as the packages installed.


I've been working with and using Linux far longer than any other platform. Through those years, I've pretty much seen and used it all. Interestingly, my tune has changed on a number of things -- one opinion is about the relative security of Linux. Back in the day, I would have looked you in the face and said squarely, “There's no way anyone is going to hack a Linux server!” My tune now is a bit more somber, sober, and far more realistic. But before I get the chance to sing you that tune, let me set the stage.

Over the last week, I was called to check into why a CentOS server was behaving poorly. The server duty was for web/email. The shenanigans were first spotted when a particular email address on the server in question refused to authenticate. I logged into the cPanel, changed the email's password, and attempted to log into the user's webmail. The second I logged in, the password was automatically changed again.


So, I started digging around.


Unfortunately, the machine had been severely compromised through a PHP exploit. How did that happen? The machine was deployed and never updated. So, the PHP version being used had long since reached its end of life. Along with around 300 or so other packages that were sorely out of date, the machine was simply a sitting duck.


I decided to dig a bit deeper. There were a number of clients on the machine that used FTP. Nearly 50% of those clients still had the default FTP password, which was set up by the original engineer that deployed the machine. Even worse, FTP wasn't set up securely.


Here's a list of the problems I'd discovered thus far:


* Out-of-date packages

* PHP exploit
* Weak FTP with default passwords

Finally, a few of the clients on the machine actually had access to the root user via the wheel group. At this point, I thought, “Why did the deploying engineer not send out invitations to nefarious users for an open house?”


It's not hard to see why this machine was compromised.


The biggest problem was that whoever did the hijack did so in such a way to completely obfuscate their work. None of the standard root kit tools came up with anything outside of some ownership changes. In the end, there was nothing I could do. The time and cost involved with getting the server back up and running, as is, couldn't be justified. Thankfully, the machine had been cloned and virtualized, so it was just a matter of finding out when the hack happened and spinning up a clean vm.


The lesson here is a tough one, because one of the biggest selling points of Linux is its security. But the truth of the matter is, if a machine is online, it's vulnerable -- and it can be hacked. If that machine isn't updated regularly, the chances of it being hacked are greatly increased. Using the Linux platform does not give you an automatic “Get out of jail free” card. Like any other platform, you must run regular updates and take proper security measures. Otherwise, you're inviting trouble.


Yes, I still think Linux is a much more secure platform than the alternatives. I would pit the Linux desktop against any others. But no matter how secure of a reputation it has, it's only as secure as the packages installed. So, if you have an exploitable PHP installed, if you employ weak scripting, or if you fail to follow through on updates -- you will get hacked.


Don't learn this lesson the hard way. It'll be costly in terms of budget, precious data, and your reputation.

About Jack Wallen 
Jack Wallen
Jack Wallen is an award-winning writer for Techrepublic and Linux.com. As an avid promoter/user of the Linux OS, Jack tries to convert as many users to open source as possible. His current favorite flavor of Linux is Bodhi Linux (a melding of Ubuntu ... 

No comments: