Linux Getting Harder To Crack
AlanS2002 points out today's article from Iain Thomson on vnu.net, which says that "Linux systems are getting tougher for hackers to crack, security experts have reported today," summarizing "A study conducted by the Honeynet Project has found that it takes about 3 months before an unpatched Linux machine will be owned, compared with about 72 hours in the past. According to a report on the study, default installations are now more secure with fewer services enabled by default; added to this, newer versions of software such as OpenSSH are more secure. Interestingly, Solaris 8 and 9 did not fare so well."
In case you want some facts to back up my previous troll: check it out, y'all. It even links the same website.
AntiFA: An abbreviation for Anti First Amendment.
I just read an article at the Register (linking to an old article on http://www.usatoday.com/money/industries/technology/2004-11-29-honeypot_x.htm) about un-patched XP SP1 machines only surviving for 4 minutes when connected to a broadband connection. Within 10 hours the hackers had an IRC channel running on the machines.
Tongue: A variety of meat, rarely served because it crosses the line between a cut of beef and a piece of dead cow.
Because a router will deter all but hackers with a reason to pwn your box, and there is little reason to do so to a home computer.
To create a zombie for a DDoS attack, to host child pornography or warez, to use as a spam relay. All of these and more are reasons home computers are attacked. All they want are more systems in their arsenal, to make them more resilient and more effective. It doesn't make much difference if it's a home PC or a workstation in some office somewhere.
Lol I meant, "Least to Most"
Really messed that post up.
This is just another example of how hardening keeps your servers from getting compromised. Red Hat and SuSE Linux systems now ship with every remote service in xinetd deactivated and most have a default firewall active at installation. This partly reflects the lessons we've learned with Bastille Linux, a hardening program for SuSE, Debian, Fedora, RHEL, HP-UX, and OS X. What's interesting is that while new releases of HP-UX are shipping with Bastille pre-loaded and runnable at installation, giving the user easy hardening at install time, Sun's still been releasing servers with 50+ network ports listening, including deprecated services like tnamed (Trivial named). The Linux vendors have been leading the older Unix vendors, mostly because users influence them more. But hardening is becoming a more popular practice in all operating systems now... - Jay Beale
Red Hat, on the other hand, has moved to both turning no remotely-accessible inetd/xinetd services on by default and offers an easy install-time firewall that works transparently on workstations and very simple servers. The difference in exposure of vulnerabilities to attackers is tremendous. The vulnerabilities may still be there, but the attacker often can't get to them or can't get the same level of privilege out of them. For instance, running OpenSSH in privilege-separated mode the way most Linux distros do now means that some exploits don't work, while others only grant the attacker non-root access.
Linux vendors/creators have led the commercial Unix world in pre-install hardening - I like to think this is due in part to the success of Bastille Linux, a hardening program for SuSE, Red Hat/Fedora, Debian, and Mandrake Linux, as well as HP-UX and Mac OS X. Bastille ships on recent HP-UX releases, and is available from both Debian and SuSE as a vendor-supplied package.
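The posts above describe the two install-time measures that cut exposure most: leaving every xinetd service disabled and running OpenSSH with privilege separation. The following is an added example, not code from the thread or from Bastille, of the kind of check a hardening audit performs. It parses xinetd service stanzas (which xinetd treats as enabled unless `disable = yes` is present) and reads the first effective value of a keyword from sshd_config, which is how sshd itself resolves duplicates. The sample configuration text is constructed for the example.

```python
"""Audit xinetd stanzas and sshd_config for install-time hardening.

Added example; the config text below is constructed, not from a real host.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: three xinetd stanzas. Only 'echo' is explicitly disabled.
SAMPLE_XINETD = """
service telnet
{
    disable     = no
    socket_type = stream
    server      = /usr/sbin/in.telnetd   # cleartext logins
}

service echo
{
    disable = yes
    type    = INTERNAL
}

service finger
{
    socket_type = stream
    server      = /usr/sbin/in.fingerd   # no 'disable' line at all
}
"""

# Constructed sample sshd_config fragments.
SSHD_WEAK = "Port 22\nUsePrivilegeSeparation no\n"
SSHD_OK = "Port 22\n# UsePrivilegeSeparation no\nUsePrivilegeSeparation yes\n"


def parse_xinetd(text: str) -> Dict[str, Dict[str, str]]:
    """Return {service_name: {attribute: value}} for each 'service NAME { ... }' stanza."""
    services: Dict[str, Dict[str, str]] = {}
    for m in re.finditer(r"service\s+(\S+)\s*\{(.*?)\}", text, re.S):
        name, body = m.group(1), m.group(2)
        attrs: Dict[str, str] = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()   # drop trailing comments
            if "=" not in line:
                continue
            key, value = line.split("=", 1)
            # xinetd also allows 'key += value'; treat the key the same way
            attrs[key.strip().rstrip("+").strip()] = value.strip()
        services[name] = attrs
    return services


def enabled_services(text: str) -> List[str]:
    """xinetd starts a service unless its stanza says 'disable = yes'."""
    return sorted(
        name for name, attrs in parse_xinetd(text).items()
        if attrs.get("disable", "no").lower() != "yes"
    )


def sshd_option(text: str, key: str) -> Optional[str]:
    """First effective value of KEY in an sshd_config; sshd uses the first match."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == key.lower():
            return parts[1].strip()
    return None


def privsep_enabled(sshd_config: str) -> bool:
    """Privilege separation is on by default; only an explicit 'no' turns it off."""
    value = sshd_option(sshd_config, "UsePrivilegeSeparation")
    return value is None or value.lower() != "no"


if __name__ == "__main__":
    print("xinetd services still enabled:", enabled_services(SAMPLE_XINETD))
    print("privsep (weak config):", privsep_enabled(SSHD_WEAK))
    print("privsep (ok config):  ", privsep_enabled(SSHD_OK))
```

On a real host the same functions would be fed the concatenated contents of /etc/xinetd.d/* and /etc/ssh/sshd_config; note that finger shows up as enabled even though its stanza never mentions `disable`, which is exactly the silent default the posts above are complaining about.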
I think that the most secure OS is the one easiest to keep up-to-date because the most common reason for hacking is uninstalled patches.
:)
The worst OS I've ever had the displeasure to patch is Solaris (8 - maybe it's better now). 35 patches. Had to calculate patch dependencies and install them one by one. 5 of them needed "immediate reboot", another 15 or so needed to be installed in single-user mode. A Solaris server takes a LONG time to boot. That's a lot of unwanted downtime.. I'm not surprised that most Solaris systems out there (even very critical ones) are waaay behind security patch schedule..
Compare that to "apt-get update && apt-get upgrade". Rarely even needs a reboot..
Luckily I'm not forced to use Solaris anymore.
My other account has a 3-digit UID.
I do mean NAT/hardware firewall/router thingy. And, yeah, my point was that there are enough unprotected boxes out there that it doesn't make sense to hack through said NAT/firewall device, unless there was sure to be something tempting on the other side, in much the same way that having a deadbolt will protect you from most home breakins.
You're thinking of router in the "linksys little blue box" sense of the word.
How do you think your traffic gets from point A to point B on the net, though? Routers.
01101001 01100001 01101101 01101110 01101111 01110100 01100001 01101100 01100001 01110111 01111001 01100101 01110010
It doesn't matter necessarily that the office workstations are NAT'ed. Just firewall that subnet from the outside world. They can still have their own public IP, but still have restricted incoming connections set by the border router...
Technically it's more PAT (port address translation) rather than NAT (network address translation).
On cisco it's also the "nat overload".
NAT leaves you somewhat vulnerable; it's a mapping of address to address (many to many). Don't feel secure with NAT without firewalling.
PAT is much more closed (many to one).
It's also true that everyone says NAT when they mean PAT.
That's not what the article said. It tested unpatched boxes in all cases. The Linux, Solaris and Windows boxen were all default installations, with no security patches or add-ons.
I'm not saying that routers should be banned, that'd be stupid. I'm just backing up the post that claimed that all attacks have come through routers. They were undoubtedly making the point that people think of those little blue boxes as the only routers out there.
Anyone who has even done basic high school statistics can tell you that the numbers in these reports are absolutely statistically insignificant. They don't mean a thing.
The "little blue box" is usually both a router AND a hub, and uses NAT (not much good to Joe HomeUser otherwise, since he probably bought it to link up his computers in a home network and connect them all to the net through a single i.p. address). This is enough to deter the script kiddies, unless you've gone and left all your services running without restriction or simply port-forwarded everything under the sun to a computer on your home network without thinking about it.
Combine the little blue box with a firewall, however (e.g., ZoneAlarm) and you've just defeated 99.9% of the so-called 'hackers' out there. Because when all is said and done they're nothing more than little brats who've jacked someone else's code and used it, and they themselves have no friggin' clue how any of this works, much less how to write code themselves. In fact, I'm willing to bet if you asked most of these 'hackers' whether the little blue box was a router or hub or both, they'd just stare at you blankly.
All you need to do from this point on is a) DON'T use IE, and b) don't friggin' download crap from an untrusted source! I admit I rarely use my Windows partition (mostly for gaming, or after gaming when I'm too lazy to reboot or haul my ass to one of my other machines, like right now) but I've never had a successful hack of my system despite the fact that nowadays it's almost constantly being scanned for vulnerabilities.
Max
My god carries a hammer. Your god died nailed to a tree. Any questions?
Our VMS administrator still uses telnet to do administration, thinking that it's secure enough. Personally I use ssh. However, in order to change our passwords once they expire, we have to use telnet. SSH stops working.
Just because the bozo in the above story didn't know what to do once he was in the box doesn't mean that other bozos won't be more ambitious or do more sniffing.
No. You make too many assumptions in your post. What you are saying is somewhat akin to claiming humanity will someday reach a point where violence is non-existent.
... then the bad guys will have it too. So the story goes on.
If the security gets better (just like it has over the past 40 years) it's because the good guys are usually behind by a few steps; if they weren't behind they wouldn't know what to secure, or why. Even given the assumption that security somehow catches up with what the people attacking the systems are doing, you're also assuming that the people doing the attacking won't be able to adapt and break the new security.
Any security made by a person and implemented on a computer can be broken by a person with a computer.
"There are huge powerful upsides to a monoculture."
Not when it comes to security there ain't. In the "oooh shiny" world of point-and-click userland sure it's helpful, but anything beneficial from this aspect can also be gained from using open standards and open formats.
"ask yourself exactly what is it that a security professional can do that it is theoretically impossible to automate."
Adapt, interact in an intelligent way, grow. Last I checked we still hadn't created a sentient intelligence yet, and in order to compete with sentient intelligence we have to use sentient intelligence. Once we create true AI
"Two things are infinite: the universe and human stupidity; and I'm not sure about the universe." --Albert Einstein
I think "many to one" describes mapping many internal IPs to one external IP (the public interface on the router).
:p
I'd say you have NAT with port forwarding. Apparently for purists it's PAT. For the moderates it's probably both since they'd see PAT as a special case of NAT (only one external address).
I'm sorry if I haven't offended anyone