Slashdot Mirror


Is Linux as Secure as We'd Like to Think?

man_of_mr_e asks: "With all the recent brouhaha about Blaster and Sobig, there's been a lot of talk about how poor Windows security is, especially compared to the Linux we all know and love. But is this really true? The website defacement archive at Zone-h shows that Linux accounts for 61% of the defacements in the last 24 hours (note, this figure changes, so it might be different when you view it). An analysis of the last few weeks of their archive shows a similar percentage of exploited Linux systems. Note also that the 'Unknown' category is rather high, and certainly contains at least some Linux systems, further increasing the percentage. Why is this? Are we just deluding ourselves about our own security? Could there be a Linux 'Blaster' just waiting to happen?" While "defacements" don't necessarily mean "root level break-in", sometimes getting your foot in the door is enough. If this happens, wouldn't Linux then be just as exploitable as Windows? Are there other reasons why the likelihood of a "Sobig" or an "ILUVYOU" would be lower for Linux than Windows?

18 of 1,091 comments

  1. Ha - Ha! (Nelson voice) by Outland+Traveller · · Score: 4, Informative

    Looks like some of that "defacement" is happening close to home.

    view-source:http://www.zone-h.org/

    DB connection failed ().

  2. Re:I think its the apps by BrynM · · Score: 4, Informative
    I think website defacement and Linux security are 2 different issues altogether.
    Exactly! People tend to trust website "packages", like PHP-Nuke or site building applications a little too much. They tend to assume that someone has already fixed whatever security holes may be in it. When I installed PHP-Nuke (yes, I actually use it) I went through the PHP code with a fine-toothed comb before I opened the site to the public. I found lots of potential SQL injection, external file call and global variable exploits that needed fixing. Since these sites usually end up being run on Linux and Apache, Linux and Apache get blamed when the site is defaced, when the actual weakness that led to the defacement was in the PHP/HTML pages themselves.

    I don't expect everyone to know how to clean up security for a PHP site, but if they decide to use what they don't understand bad things will happen. If you know a novice that wants a site, start them out with some static HTML rather than let them use whatever code strikes their whim as "neat", "shiny" or "cool". Explain to them that they are learning how to eventually do the "shiny" stuff, but they need to learn how to use it safely first.

    --
    US Democracy:The best person for the job (among These pre-selected choices...)
  3. Re:Psychology plays a role by KrispyKringle · · Score: 5, Informative
    You make a good point; one of the explanations I've seen for statistics similar to those the article posting cites (61% of defaced machines being Linux) is that when an amateur wants to set up a personal website on his cable modem, he doesn't usually install IIS. He installs Linux and Apache. When he wants a really basic comment board or CMS, he uses PHP-Nuke. For his e-mail server, he uses Sendmail.

    Yes, I've run into hobbyists running IIS for fun--by which I mean I discovered his CodeRed infected box on my network--but the cost of a Windows Server license is prohibitive of amateur use, even if plenty of people just pirate it. So in the end, the inexperienced users with no time to spend securing their boxes turn to RedHat with Apache and Sendmail. Which isn't necessarily a bad thing. If I had to choose between Linux or Windows for which to leave alone without regular maintenance, the choice is pretty clear.

  4. Re:Psychology plays a role by Malc · · Score: 4, Informative

    Rubbish. My employer bought a company that was deployed on RedHat 7.0. We are a MSFT only shop. Let me tell you, those RedHat servers were in worse condition than our Win2K boxes. The servers have been exploited as spam relays (very old formmail) amongst other things. It's pretty bad when a software engineer (me) has to come in and get a server running properly due to the incompetence of the IT staff. They had all kinds of stuff installed that should never have been there. They never cleaned things up. Based on that, I would say there are probably other Linux boxes out there administered by idiots.

  5. Re:I think its the apps by Karl+Cocknozzle · · Score: 2, Informative
    I checked the MS article your Google search returned, but I think perhaps you're being a little disingenuous. Read this part (shoe-horned in at the very bottom of the page):
    Internet Explorer 6 is preinstalled by default in all versions of Windows XP. To provide computer manufacturers greater flexibility in configuring desktop versions of Windows XP, Microsoft has made it possible for OEMs, administrators, and users to remove user access to Internet Explorer while leaving the Internet Explorer code intact and fully functional to ensure the functionality of programs and operating system functions that rely on it. For example, Windows XP supports an "IEAccess=off" switch in the Unattend.txt file, and Internet Explorer has been added to the Add/Remove Windows Components section of the Add/Remove Programs tool in Control Panel.

    Since UNATTEND.TXT is the config file for an unattended installation of Windows, this is not really an uninstallation procedure so much as a way to keep a user from invoking Internet Explorer in a NEW Windows install. If you have a Windows XP machine that you bought pre-loaded with XP, the only way to take advantage of this is to re-install Windows. (And what do you want to bet MS has some language in their OEM deals that says any OEM actually using this switch will be sacrificed to satan.)

    Not a very helpful feature for those of us who would like to be rid of it without starting from scratch.

    Further, since the code is "Fully functional" you can assume any exploits in the IE code will also be "fully functional" whether you set this switch at setup or not.
    --
    Who did what now?
  6. Simple probability by noda132 · · Score: 4, Informative

    There are some stats (look for the pretty pie charts) which can help explain the percentage, along with a few key thoughts and speculations:

    • Most web sites run Linux.
    • Linux boxes cause so little fuss it's easy to forget they're there (for better or for worse, most distributions, especially older ones, are very content to leave you alone). I've never run across a Windows server that didn't ask for personal attention at least once every hundred days.
    • Website defacement is often a direct act, not a simple script which happens to take down a site. All operating systems being equal, a cracker would pick sites at random and crack them; Linux would get cracked more than any operating system, assuming the cracker is great.
    • In any operating system, the security is only as tight as the administrator makes it. Well-secured servers are VERY hard to come by.
    • A website defacement is not a remote root. It could be a simple cross-site scripting bug in some CGI/PHP/Perl code, which is not the fault of the operating system.
  7. No. by wasabii · · Score: 3, Informative

    As has been said many times, security is only as good as the admin responsible for it. Yes, there can, and will be a Linux blaster... There might some day be an email worm too... but not like sobig.

    Let's examine the reasons why blaster and not sobig. Blaster exploits a buffer overflow, requires no user interaction. Find an overflow in Apache, you'll have a worm. Not a whole lot admins can do to prepare for this except application level filtering. It will happen. Those of us who are "in the know" will be patched long before.

    SoBig: This is a user spread virus. It does not exploit any vulnerability. It merely requires the User to click on the attachment and hit open. It relies on badly designed software, that allows a user to execute code legally, easily. Windows lets you click Open.

    Contrast that to most unix mailers: You have to deliberately save the file to disk, chmod +x it, and then run it with ./. Yeah, a bit harder eh? Nobody I know will be able to manage this.

    About the web site defacements. Linux is more complicated to administer, I don't think anybody can argue that. Lately, people have been given this sense of "if I replace Windows with RedHat I will be more secure". That is not true. Security is up to the ADMIN and the ADMIN alone. I would venture to say that a Linux box is MORE dangerous in the wrong hands than a Windows box. Hence your 60%.

    Nothing about this changes anything at all. Those "in the know", generally Unix admins, will not be exploited, whether on Windows or Unix.

    This doesn't mean Unix doesn't raise the bar of your security... you just need an admin that knows how to use it for it to be even close to its potential. With Windows you are always stuck at whatever MS deems "secure enough".... bar writing your own IIS filter or something. :D

    What we need are more smart admins using Unix, not sucky admins that give us all a bad face.

    My two cents.

  8. Re:did you fix it for yourself, or for everyone? by BrynM · · Score: 4, Informative
    I'm working on submitting the fixes I've created actually. I've only recently (in the last two months) started the site, so it's still in-process - code submissions and all.

    It all came about because I am building a module for Nuke. I started looking at the code and decided to do some house cleaning. Most of the fixes I implemented are already in the public (look around at Nuke Forums or search for "php nuke exploit"), so I'm betting that Francisco Burzi (the creator of Nuke) is working on implementing them for the next version if they aren't already in. He's been good about including fixes as problems are found.

    Most of the exploits are simple SQL injection exploits, which affect all PHP/SQL code and not just Nuke. Let's say you want to query user data from a MySQL table named USERS with the USERID as the criteria:

    <?php mysql_query("select * from USERS where USERID=5"); ?>
    This will work great for one user, but to make the code portable, you'll need to use a variable for the USERID, so it becomes:
    <?php mysql_query("select * from USERS where USERID=$USERVAR"); ?>
    When the variable is passed by an online form it will look like this:
    http://foo.yoursite.com/file.php?USERVAR=5
    Because PHP doesn't keep strict variable types, $USERID could contain the number 5 just as easily as it can contain the string "foo". Since the variable is at the end of the SQL query, we can append SQL to the end of our URL like:
    http://foo.yoursite.com/file.php?USERVAR=5%20or%201=1
    As a result, PHP will hand MySQL a query that says "select * from users where USERID=5 or 1=1" (remember that %20 is a URL-encoded space). Since 1 will always equal 1, MySQL will dump every record in the table instead of just the one with a USERID of 5. The way to fix this is simple. Before your line of PHP with the query, just do a simple
    <?php $USERVAR=intval($USERVAR); ?>
    Since our exploit relies on $USERVAR being interpreted as a string, it will fail as PHP intval() will discard everything in the variable from the first encountered non-integer onward. Thus the malicious value of "5 or 1=1" becomes the number 5 again. There are a lot of places where this needs to be fixed and I haven't found them all yet. I'm working on a list that I plan to give to Francisco rather than have him try to keep track of me telling him about many individual ones and lose something along the way. Many nuke users have already fixed these themselves as well. There are other checks that need to be done for string variables, but I've already veered way too far offtopic.

    I would be quite the selfish bastard to only fix the security holes for my use and no one else's. I'm glad you asked though. It never hurts to remind OSS users of their responsibilities should they touch the code. ;)

    --
    US Democracy:The best person for the job (among These pre-selected choices...)
  9. The woes of small business consulting by swb · · Score: 3, Informative

    I wish this were so funny. The last two VARs that a business I know of has gotten accounting systems from have configured the systems so that all of the users did log in as root.

    If you've ever installed systems (of any kind) for small businesses (~50 people), you'd know why this was such a temptation and often a functional necessity.

    Many of them have no full-time technical staff. The typical scenario is an "operations manager" who spends most of their time dealing with production issues; a "back office" person (who's usually the consumer of the system, often the head financial person); and then whoever ends up being the technical liaison, which in my experience is whatever office flunky can get WebShots installed the best or who has the copier repair phone number.

    It's sad, but I've done a ton of installs where basically everyone who uses the system is root/wheel/administrator and there are no permissions. If I'm lucky and can figure out there's no one to even reliably change tapes before the equipment is set up, I have it do alternate full backups on different physical disks; I figure it's better than a burned up tape.

    It keeps you in business, but it kind of sucks, since it's apparent that nobody really gives a shit...

  10. The Problem with most Windows users... by xQuarkDS9x · · Score: 2, Informative

    The problem with most Windows users - whether they run 95/98/ME/NT/XP/2000 is that they DON'T understand how to lock down the system or that alternatives exist to Microsoft software. They don't know jack s*** about a firewall or better alternatives to Microsoft software that is often more secure, not to mention actually VIRUS scanning email attachments and downloads..

    If you have to do e-mail - a very good and secure e-mail client is Pegasus Mail which does NOT blindly open up email attachments and run code like Outlook does.

    Get a decent firewall like Sygate PRO or if you must even ZoneAlarm PRO and make sure it's configured properly. Again some windows users would have problems even with something so simple as this sadly.

    Want to avoid the nasty crap in Internet Explorer or other browsers? Get a proxy like Proxomitron and JD5000 Filters for Proxomitron which then allows you to lock down all that nasty MS crap like VB/ActiveX/Flash/Forced Download scripts/ADS and more that cause problems.

    But as everyone else has mentioned here - all it takes is a moron to run a windows box - linux box or hell even a MAC OS X box and not keep up to date with patches. If he/she doesn't know what they are doing any of the three will be insecure.

    Also with Microsoft a lot of users I believe are afraid to get the patches - because you keep seeing more and more supposed "horror stories" of how a patch broke Windows or a "feature". Same crap could also apply to same user running a Linux box.

    --
    You must master your joystick like a fisherman masters bait! - Gimpy
  11. Re:Psychology plays a role by icepick · · Score: 2, Informative

    Sure if you don't mind the concurrent 5 connection limit.

    --
    You're just jealous because the voices only talk to me.
  12. Worm potential by MeanMF · · Score: 3, Informative

    Are there other reasons why the likelihood of a "Sobig" or an "ILUVYOU" would be lower for Linux than Windows?

    I think the biggest reason that something like Sobig is unlikely is that there are so few Linux machines on the Internet as compared to Windows machines, and since a majority of Linux installations are on servers an awful lot of them are behind firewalls. Worms like this spread by seeking out more systems to infect. If 95% of the systems are running Windows, a worm can spread a lot faster than if it is looking for a fraction of that other 5%. A similar worm on Linux would take a _lot_ longer to spread and would give us more time to react and put a stop to it.

    1. Re:Worm potential by gutbucket · · Score: 2, Informative

      Worms like this spread by seeking out more systems to infect. If 95% of the systems are running Windows, a worm can spread a lot faster than if it is looking for a fraction of that other 5%. A similar worm on Linux would take a _lot_ longer to spread and would give us more time to react and put a stop to it.

      95% of the Linux systems out there don't share 99% of their configuration. 99% of the Windows out there share 99% of their DNA. They are clones. There is a build... and there is precious little ability to deviate from that build.

      For 10 given linux systems you'll find 22 different configs (that's right, twenty-two, including backups, failsafes and testsets, if you're a good admin...)

      --
      Just do what you do best
      Arnold "Red" Auerbach.
  13. Re:Psychology plays a role by Tony-A · · Score: 5, Informative

    Unix is simply designed and developed much more with security and securability in mind.

    From an old fart, I gotta take exception to that.
    The design is from Multics, which is arguably secure, down to something that is doable on a departmental minicomputer. The design doesn't preclude some degree of security but all the emphasis is on getting something useful done. That said, Unix probably does manage to get the most useable security out of the fewest bits theoretically possible. I suspect that Unix is as simple as it can be and have any pretense to security.

    NT does have security "features". It has lots of them, and they take lots of bits. They are stuck in strange places. If I have a lot of files to manage, I will not be using those features. I do a DIR. I see date and time and file size. No security information whatever. Must not be important.

    Unix, if I do just an ls, just gives back the file names. If I do an ls -l to see dates and file sizes, back comes a mess of x's and hyphens. Must be important. Further, these are in my face every time I'm looking at files.

    Multics was designed to be secure.
    Unix wasn't.
    Windows was designed to be able to claim the most "features"

    Copy a directory from one place to another, where you don't have permission to read some of the files or write some of the targets.
    Windows will give a pop-up and die when it runs into trouble.
    Unix will copy what it can and give you the error messages with its dying breath.
    Windows security. Even a little bit can be too much.
    Unix security. I haven't seen it get in the way, and I haven't really got into groups yet. (Big gripe. I can't have NT users and groups with the same name. Stupid.)

  14. Re:did you fix it for yourself, or for everyone? by Anml4ixoye · · Score: 2, Informative

    >Most of the exploits are simple SQL injection
    >exploits, which affect all PHP/SQL code and not
    >just Nuke

    Actually, that affects just about any web language where developers trust inputted code.

    I personally think that is one of the biggest challenges with the web. You have people who have had no formal training in programming, design, etc being able to build these complex applications. Often times the test cases don't take into effect anything other than the user doing what she is supposed to.

    For example, we recently had to have quite a lengthy discussion at work about why Javascript should *not* be relied on to format user input code, nor can just Javascript and HTTP_REFERER. On the web, there is no such thing as client side validation, except as a nicety. If you aren't doing proper server-side validation, you're dead in the water.

    One further note: if you are checking user authentication by the SELECT * FROM users WHERE username = $username and password = $password be sure to check that the password returned from the query matches that which was submitted. That foils quite a few injection attacks very simply.
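
    As an added example (not code from the thread), a Python script using an in-memory SQLite table in place of BrynM's USERS table from comment 8: it runs the post's "5 or 1=1" input through the concatenated query, through a mimic of the intval() fix, and through a bound parameter, and for the login query in this comment it shows the post-query password comparison rejecting an injected always-true WHERE clause. The table contents, the column names NAME and PASSWORD, and the quoting of string values in the login query are assumptions.

```python
import re
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the post's USERS table (assumed columns)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE USERS (USERID INTEGER, NAME TEXT, PASSWORD TEXT)")
    db.executemany("INSERT INTO USERS VALUES (?, ?, ?)",
                   [(5, "alice", "s3cret"), (6, "bob", "hunter2"), (7, "carol", "pa55")])
    return db

def php_intval(value):
    """Mimic PHP intval() on a string: keep the leading integer, drop the rest.
    '5 or 1=1' -> 5, 'foo' -> 0 (same outcome the post relies on)."""
    m = re.match(r"\s*[+-]?\d+", str(value))
    return int(m.group()) if m else 0

def query_by_concat(db, uservar):
    """The post's vulnerable pattern: $USERVAR pasted straight into the SQL text."""
    return db.execute(f"SELECT USERID, NAME FROM USERS WHERE USERID={uservar}").fetchall()

def query_with_intval(db, uservar):
    """The post's fix: intval() the variable before it reaches the query."""
    return query_by_concat(db, php_intval(uservar))

def query_parameterized(db, uservar):
    """The general fix: a bound parameter is data to the driver, never SQL."""
    return db.execute("SELECT USERID, NAME FROM USERS WHERE USERID=?", (uservar,)).fetchall()

def login_concat(db, username, password, verify_password):
    """Comment 14's login query built by concatenation (string values quoted here,
    an assumption). With verify_password=True the stored password is compared with
    the submitted one after the query, so a WHERE clause made always-true by
    injection still does not log anyone in."""
    rows = db.execute(
        f"SELECT NAME, PASSWORD FROM USERS WHERE NAME='{username}' AND PASSWORD='{password}'"
    ).fetchall()
    if not rows:
        return None
    if verify_password and rows[0][1] != password:
        return None
    return rows[0][0]

def login_parameterized(db, username, password):
    """Same query with bound parameters: the input cannot change the SQL, and the
    post-query comparison becomes a belt-and-braces check."""
    row = db.execute("SELECT NAME, PASSWORD FROM USERS WHERE NAME=? AND PASSWORD=?",
                     (username, password)).fetchone()
    return row[0] if row and row[1] == password else None

if __name__ == "__main__":
    db = make_db()
    print(len(query_by_concat(db, "5 or 1=1")))      # 3: every record, as the post describes
    print(len(query_with_intval(db, "5 or 1=1")))    # 1: intval() turns it back into 5
    print(len(query_parameterized(db, "5 or 1=1")))  # 0: not a USERID, so no match
    print(login_concat(db, "alice", "x' OR '1'='1", False))  # alice, despite a wrong password
    print(login_concat(db, "alice", "x' OR '1'='1", True))   # None: the password check catches it
```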

  15. people use the M$ concept with linux by igorko · · Score: 2, Informative

    UNIX and lookalikes weren't designed for the would-be user. Still, most users just migrated from M$ will be happy with the out-of-the-box install of RedHat-latest and Apache. That is simply not the way to go. A UNIX takes a lot of time to configure and then administer, and if this isn't done, you might as well pronounce yourself a windows admin.

    The key concept of UNIX is its building blocks: you build it from the ground up, not the other way around. A good server install should use the linuxfromscratch OS, with as little installed as absolutely needed. Then you hardify, using your KNOWLEDGE of the system. That's what most users think comes with linux by default. Wrong.

    With M$, you get to do what M$ thinks you will do. With linux, you get to do what you want to. The downside is you must know what you want and how to get there.
    -i

  16. Today on Zone-H by xutopia · · Score: 2, Informative

    40 single IP
    17 mass defacements

    Win 2000 (98.2)

    Linux (1.8)

  17. Re:Psychology plays a role by mausmalone · · Score: 2, Informative
    Also when you say comprehensive user security model can you elaborate? IE: ACL's, chroots, jails etc etc. I find it hard to believe that NT3.1 and every version of windows based on it has a such a model.
    Actually, he can't elaborate on it... it's just there. It's not like you run a configurator to use it... you just open the permissions and change them. User policies have been in NT since 3.1 and have gotten more and more robust with each version. I've used them to actually increase users' permissions (i.e. Burning CD's requires administrative access normally, but simple power users needed it too... so rather than elevate them, give them burner access). I've had little reason to edit user permissions and policies as the default groups usually get the job done. Windows has everything you need built in to allow you to very specifically decide what a user can and cannot do/access, but there's no real way to cite examples of such tools... they're just tabs on a dialog box.
    --
    -=-=-=-=-=
    I'd rather be flamed than ignored.