Slashdot Mirror
Linux Most Attacked Server?
Anonymous guy who can't remember his login sent in a story from the Globe And Mail that says "During August, 67 per cent of all successful and verifiable digital attacks against on-line servers targeted Linux, followed by Microsoft Windows at 23.2 per cent. A total of 12,892 Linux on-line servers running e-business and information sites were successfully breached in that month, followed by 4,626 Windows servers."
Does this count the number of Windows machines that were 'compromised' by BLASTER and its children? If someone gets a binary on my server and controls what my server does ( in this case, replicating the worm ), then I'd call that hacked. Just because a worm did it vs. a human doesn't mean anything. More direct hacks on Linux machines might just mean that there was much more human effort expended.
I want to delete my account but Slashdot doesn't allow it.
So, I wonder....the interesting statistic to me would be what percentage of attacks against each platform are successful? This statistic is not explicitly stated. Also did they include OS X as part of the study?
Visit Jonesblog and say hello.
Well, you could probably conclude that, because vulnerabilities in Linux and Linux software are usually detected and fixed sooner, and Windows vulnerabilities depend on Microsoft deploying the fix (which might take a while, as we know), we have different cases of who is to blame.
First, In the Windows case, shit might happen because it takes longer for a proper fix to appear (though, on the last DCOM-related vulnerabilities, we should give credit to MS for the quick response to the problem). If a patch does not exist, the admin can not do as much (unless he has a proper firewall).
In the Linux case, patches are generally avilable quicker, and upgrade functionality like Debian's apt-get makes it fairly easy to update the systems. I would guess that most holes that lead to the attacks mentioned in the article have long been patched, and it was merely the admin's fault for not watching his system.
So, I would say (though it's a subjective opinion) that Linux systems can be much more secure, even if attack _attempts_ on Linux systems were to occur more often than on Windows systems. But it all depends on the administrators. Windows systems, on the other hand, might let you get in a situation where you depend solely on Microsoft to respond to the security problem -- not a very nice situation.
Oh, and yes, there are more viruses for Windows, but that includes the 'dumb end-user' type such as SoBig, which are purely unrelated to server attacks. And those, I'm more than sure, will _not_ appear an Linux systems since I do not know of an email client that makes it so easy for a user to execute incoming garbage straight away.
I really wonder whether there are more known attacks to Windows _server_ systems than to Linux systems if you exclude all those Desktop-user viruses. Anybody know?
"The proliferation of Linux within the on-line server community coupled with inadequate knowledge of how to keep that environment secure when running vulnerable third-party applications is contributing to a consistently higher proportion of compromised Linux servers," mi29 chairman D.K. Matai said.
I must confess that the first linux server that I set up was hacked for the very reason mentioned: my ambition exceeded my knowledge.
Imagine my chagrin when I got email from a couple of companies stating that an attack had been launched on their servers from my system! Let me tell you, I fixed that right quick!
I find it interesting to note the low number of Unix boxes that the article mentions as attack victims. Based on the experience of my own personal ignorance, I figure Unix operators are probobly more savvy, ergo tighter security and fewer successful attacks. Personally, I haven't been able to figure out how to configure a Unix server in a usable manner (having tried FreeBSD and failed miserably). I find Linux easier to work with, which, perhaps, invites disaster when someone with limited savvy (such as I, once upon a time) decides to roll out a server and expose it to the wild west Internet.
[For those who wonder, the incident involved someone setting up an IRC server app on my system, which then attempted to install itself, apparantly, on other systems that were better-secured than my own. Thereafter, I put everything behind a linux firewall that was locked down tighter than a nun's dainty underthings. I hope this humble and frank admission of ignorance will learn y'all to lock those ports down TIGHT!]
Mmmmmm... Bold, yet refreshing!
I call bullshit. Most Windows problems are patched long before they're exploited. See Code Red, Nimda, Blaster, etc. All of these were fixed long before they were exploited, and yet long after the worms first appeared people were still being hit. While I will agree that there is a possibility of patches taking a while to appear from closed-source software (and that it has happened, usually regarding Internet Explorer), that has been the case only in a very minority of important patches. As well, though you call out Debian's apt-get for making it fairly easy to update systems, Microsoft has Windows Update (and they freely-available provide software to run your own Windows Update site, so that you can verify patches before pushing them out to your site). Therefore, your argument is a red herring.
Bingo! 99.999% of all of the problems with both Linux and Windows being insecure have stemmed not from late patches, but from administrators not keeping on top of security for their machines.
It's false to say that Linux will not ever be affected by such viruses, because it's quite possible. Even with proper separation of user rights and administrator rights, a user can still royally screw himself and his data. More, all it takes is one unpatched local root exploit ("I'm not too worried about local exploits, because they're local" is an attitude that will get you in trouble if you have users ...), a malicious binary that exploits it, and a dumb user. As well, with more users wanting to use Linux, the need will come for user-friendly desktop apps (what do users want to do? easily open e-mail attachments. Better code that properly, our you're going to be as bad as Outlook Express ...). Users will also want to be able to easily install software (see Lindows, and how at least initially it suggested you not only run as root, but without a password!). There's work to do on Linux before it will be acceptable to Joe Sixpack or Bettie Secretary, and unless developers keep their wits about them they can (and will!) fall into the same problems seen in Windows.
Needless to say, the regular server administrator for that site is in an uncomfortable spot now.
and to this day none of them have gotten owned.
:), but am fully aware that it is not if but when it will happen again. With that mindset I now have a plan to recover from a attack and am vigilant about looking for updates and possible attacks.
Not that you know of anyway.
When I was a linux noob I had two boxes rooted(one was set up to email bomb mirablis, who blocked my IP and ended up reversing the bomb on my box because of returned mail which is how I noticed the problem...pretty damn funny when you think about it). I traced it back to security hole in wu-ftp. I have sinced learned
Not that I am arguing with linx > windows, but just because its Apache doesnt mean its linux.
members are seeing something, your seeing an ad
Per the initial write-up: "...all successful and verifiable digital attacks against on-line servers targeted Linux..." (my emphasis)
The key word here is 'verifiable'. It is much easier to detect and validate that someone has hacked a Linux box, than a Windows box. We don't know the following that would lead more credence to any claims:
1. What is the ratio of M$ to Linux boxes that were attacked that we don't know about? (undetected and still infected - I would argue this number is much larger on the M$ side)
2. How were the percentages arrived at? If there are more Linux servers on the network than Windows servers, then we can not quantify 'percentage of total servers' and have it mean anything useful in terms of total numbers of attacks because, statistically, Linux attacks will outnumber Windows attacks given a standard distribution; since most script kiddie tools run on, and target Winblows machines, a 21% of total attacks on a few windows machines is more significant than a 67% of total attacks on a much larger group of Linux machines.
Social science numbers have no intrinsic value, except to the uninformed.
"Figures never lie, but liers tend to figure." - Longfellow
Lodragan Draoidh
The more you explain it, the more I don't understand it. - Mark Twain
Then I guess they just went down in quality.
A trivial demonstration of the problem is to take the number of reported virus infections with Sobig and friends. Compare with the mi2g figures about proven break ins. Note weird difference in size of windows numbers.
As to web sites they *appear* to count each web site affected. So a single linux breakin on a big hosting site scores 10,000 while nobody hosts 10,000 sites on a windows box.
One of the problems with a lot of these metrics is the lack of a fair, formal and neutral third party methodology for analysis of such data that can handle the way proprietary vendors forget to reveal most bugs but just roll them quietly into updates, the difference between vendors in quantity of material and remove overlaps.
Unfortnately that isn't likely to change. There is a marketing game being played by many vendors and security is simply another buzzword and another set of statistics to "optimise". Customers are expendable.
I guess the final thing we all should notice. The number isnt zero. That only emphasizes the need to get more stuff like SELinux out and equivalent other OS products. Preferably before the bad guys mix something like Sobig or slammer with something that does actual damage, potentially hardware damage.