Is Your OS Tough Enough?
LE UI Guy writes "A Denver Post article examines the Internet 'horrors' Windows, Mac and Linux users face simply being connected to the Internet with only an out-of-box configuration. Over the course of a single week the machines were scanned 46,255 times. The test didn't look into additional security threats caused by surfing the web or reading e-mail, just the connection itself."
These results mirror what I typically see on my workstation. I run a couple of websites on my workstation including our laboratory website, and my blog. Logs are monitored constantly with a nice tool called mkconsole that displays the logs transparently on my desktop. Several times a week, there is an attack. Most however are either scripted or fairly primitive, although last week there was a sophisticated attack that bounced through a compromised Windows machine on campus. We tracked it back to an AOL user on the East coast and reported his IP address to the sysadmins. They sent an email back to me letting me know that they would follow it up. I've not heard anything else since, but in addition to using a more secure OS, one should also maintain vigilance over your systems to help keep things under control and if you do use Windows, PLEASE keep it patched with recent security releases.
The truth is that if somebody really does want to get into your system, it can happen. In addition to using a secure OS and keeping the security updates current, securing physical access is your next line of defense.
Visit Jonesblog and say hello.
That's interesting, because Sendmail has (for a number of years now, I believe) been configured to deny all relays by default. Same with iMS, SIMS, S1MS, NMS, etc.
Turn. Off. Unused. Services.
The most hilarious thing to me when someone gets hacked is looking at their box and a simple nmap shows every port under God's LCD monitor open.
Is not life a hundred times too short for us to bore ourselves? -Friedrich Wilhelm Nietzsche
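As an added illustration of the "turn off unused services" point above (this is editor-supplied example code, not something posted in the thread): the quickest way to see what an nmap from outside would find is to list what is actually listening and on which interface. The script below parses the output of `ss -Hltnup` (Linux iproute2), classifies each listener as loopback-only or bound to all interfaces, and flags anything on all interfaces that is not on a short allowlist. The `ss` sample embedded in the script is constructed so the script runs offline; pass `--live` to run it against the real socket table.

```shell
#!/bin/sh
# Added example: classify listening sockets by exposure and flag the
# ones you did not intend to expose. Input format is that of
# `ss -Hltnup` (no header; columns: Netid State Recv-Q Send-Q Local Peer Process).
# SAMPLE_SS is a constructed sample, not real output from any host.
SAMPLE_SS='tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=612,fd=3))
tcp   LISTEN 0      128        127.0.0.1:631       0.0.0.0:*    users:(("cupsd",pid=701,fd=6))
tcp   LISTEN 0      511                *:80              *:*    users:(("apache2",pid=880,fd=4))
udp   UNCONN 0      0            0.0.0.0:111       0.0.0.0:*    users:(("rpcbind",pid=455,fd=5))
tcp   LISTEN 0      128            [::1]:25           [::]:*    users:(("master",pid=902,fd=13))'

# Read ss lines on stdin; emit "proto port process exposure" per listener.
classify_listeners() {
    awk '{
        n = split($5, parts, ":")
        port = parts[n]
        addr = substr($5, 1, length($5) - length(port) - 1)
        proc = "-"
        if (match($0, /\("[^"]+"/)) proc = substr($0, RSTART + 2, RLENGTH - 3)
        if (addr == "127.0.0.1" || addr == "[::1]")
            exposure = "loopback-only"
        else if (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::")
            exposure = "all-interfaces"
        else
            exposure = "address-" addr
        printf "%s %s %s %s\n", $1, port, proc, exposure
    }'
}

# $1 is a space-separated allowlist such as "tcp/22 tcp/80".
# Prints one UNEXPECTED line per listener that is bound to all
# interfaces and not in the allowlist; loopback-only services are ignored
# because a remote scanner cannot reach them.
flag_unexpected() {
    allow=" $1 "
    classify_listeners | while read -r proto port proc exposure; do
        [ "$exposure" = "all-interfaces" ] || continue
        case "$allow" in
            *" $proto/$port "*) ;;
            *) echo "UNEXPECTED $proto/$port ($proc) listening on all interfaces" ;;
        esac
    done
}

# Offline demonstration against the constructed sample:
printf '%s\n' "$SAMPLE_SS" | flag_unexpected "tcp/22 tcp/80"

# Live mode (assumes iproute2 is installed): ./listeners.sh --live "tcp/22 tcp/80"
if [ "${1:-}" = "--live" ]; then
    ss -Hltnup | flag_unexpected "${2:-tcp/22}"
fi
```

On the sample, sshd and apache2 are allowed, cupsd and postfix only listen on loopback, and rpcbind on UDP 111 is reported as the one service that an outside scan would see and that nobody asked for. Anything it reports is a candidate for `systemctl disable`, a firewall rule, or a config change that binds it to 127.0.0.1.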
"Windows XP Service Pack 1
Attacks: 4,857
Results: Attacked successfully within 18 minutes by the Blaster and Sasser worms. Within an hour, the computer was taken over and began attacking other Windows machines."
OK, running P2P software is a slight hassle, but it isn't that hard to expose ports on a case-by-case basis. Certainly a lot simpler than fucking around with firewall software.
Since a good firmware-based router costs less than a full suite of security software, this is a no-brainer.
Of course, it doesn't work with the "Spirit of the Internet" that says that every system on the net can provide services to or use services from any other system. But you know what? That "spirit" is long gone -- it only worked when the Internet was an academic toy.
The attacks are more than just pinging/scanning, which was separately tracked.
Can be avoided by plugging in a hardware firewall that does NAT between the cable/DSL modem and any computers. Operating system be damned.
I've seen Linksys BEFW's go for $10 on eBay.
Or go whole hog and get the Motorola SURFboard SBG900, combination DOCSIS 2.0 cable modem/wireless-G AP/firewall.
-Charles
Learning HOW to think is more important than learning WHAT to think.
Only one open gate in the default install, in more than 8 years!
Cthulhu Saves.
FC has no services running by default that connect to the internet unless you specify otherwise. Also you have complete control over every program installed at installation time. Regardless, an entire FC3 install with all the thousands of applications takes up approx 4 gigs, that's really not much for what you're getting. A server install is something like 800 mb, and that's before you cut off the fat. I always do a full install because it's nice to just have everything you need, a program sitting on my hard drive isn't doing anyone any harm.
FC3's firewall is also set up very well and has been noted to have one of the best default setups out of many of the linux distros. Some of the other protections included in FC3 are SELinux which has policies for all major services and exec-shield is also extensively used. All major services connecting out are compiled with switches that randomize the memory allocation, which may have the negative side effect of taking a little longer to start because it can't prelink, but it really helps against many attacks because every machine has its memory mapped in different locations. The amount of security that Red Hat puts into FC3 while still leaving it so functional is pretty amazing. Most of the vulnerabilities found usually can't do much harm after you consider the layers of security and the other standard security measures, i.e. users and setting up perms correctly. It's nice to know though that the latest outbreak of [insert worm here] *probably* won't affect you.
Regards,
Steve
IIS vs Apache doesn't mean shit, most of the Apache sites are from large hosters, hence millions of sites with just a few boxes making the numbers meaningless. Besides which, Apache runs on many things other than Linux, including Windows.
Most companies, however, chose to pay a Linux vendor in order to receive security patches.
My golden rule:
apt-get update
apt-get upgrade
Once a week. For free.
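An added example to go with the weekly apt-get rule above (editor-supplied, not posted by the commenter): before upgrading, it is worth knowing which of the pending packages come from the security archive, since those are the ones you should not postpone. `apt-get -s upgrade` prints one `Inst` line per package with the new version and its origin in parentheses; the function below picks out the ones whose origin contains "security". The simulated output embedded here is a constructed sample in that format, so the script runs without a Debian system; `--live` runs the real dry run.

```shell
#!/bin/sh
# Added example: separate security updates from the rest of a pending
# `apt-get upgrade`. SAMPLE_SIM is a constructed sample of
# `apt-get -s upgrade` output, not captured from a real machine.
SAMPLE_SIM='Reading package lists...
Building dependency tree...
Calculating upgrade...
The following packages will be upgraded:
  libssl1.1 openssl tzdata
3 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Inst libssl1.1 [1.1.1n-0+deb11u3] (1.1.1n-0+deb11u5 Debian-Security:11/stable-security [amd64])
Inst openssl [1.1.1n-0+deb11u3] (1.1.1n-0+deb11u5 Debian-Security:11/stable-security [amd64])
Inst tzdata [2021a-1+deb11u5] (2021a-1+deb11u8 Debian:11.6/stable [all])
Conf libssl1.1 (1.1.1n-0+deb11u5 Debian-Security:11/stable-security [amd64])
Conf openssl (1.1.1n-0+deb11u5 Debian-Security:11/stable-security [amd64])
Conf tzdata (2021a-1+deb11u8 Debian:11.6/stable [all])'

# All packages the dry run would install, one name per line.
pending_upgrades() {
    awk '$1 == "Inst" { print $2 }'
}

# Only the packages whose origin (the word after the opening parenthesis)
# names a security archive, e.g. Debian-Security:11/stable-security or
# Ubuntu:22.04/jammy-security. The origin field is located by scanning for
# the "(" so that lines without an old version in brackets still parse.
security_upgrades() {
    awk '$1 == "Inst" {
        origin = ""
        for (i = 3; i <= NF; i++)
            if (substr($i, 1, 1) == "(") { origin = $(i + 1); break }
        if (origin ~ /[Ss]ecurity/) print $2
    }'
}

# Prints a one-line summary: "<security> security of <total> pending".
summarize() {
    input=$(cat)
    total=$(printf '%s\n' "$input" | pending_upgrades | grep -c .)
    sec=$(printf '%s\n' "$input" | security_upgrades | grep -c .)
    echo "$sec security of $total pending"
}

# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_SIM" | summarize
printf '%s\n' "$SAMPLE_SIM" | security_upgrades

# Live mode (needs apt-get and root for the update step):
#   sudo ./pending.sh --live
if [ "${1:-}" = "--live" ]; then
    apt-get update >/dev/null && apt-get -s upgrade | summarize
fi
```

A weekly cron job that pipes `apt-get -s upgrade` through `security_upgrades` and mails a non-empty result is a cheap way to notice when the "once a week" cadence is too slow for a particular package.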
"And then I visited Wikipedia
Don't forget that their idea of being "attacked" included regular-old port scans and pings. Looks like they just plum configured the network badly...
Or it means that RH9 wasn't logging portscans and pings... which, AFAIK, it didn't do with any of the default firewalls. It is only newer distros that log potentially malicious traffic.
I drink to make other people interesting!
I run two Windows boxes behind a BSD router. To avoid the pain of having to change my natd.conf file every time I want to try a new P2P app, I simply forward a large group of ports to each of my Windows boxes. Ports 5000-8999 go to one and 9009-12999 go to the other. No *Windows* services run on these ports, so I don't lose any sleep over it.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
The point was to test the "Out of Box" experience. XP with SP2 is what users get out of the box now. The firewall is on by default and the automatic update is the default selection.
SP2 was such a large step forward in terms of user security that I'm sure they sleep quite well. This is yet more proof that these three OSs are now on even footing in terms of security.
Also you have complete control over every program installed at installation time.
Which install mode are you using? The recent FC releases don't give you this option during the X-based GUI installs, just a choice of package groups that have further options.
Religious adherence to evolution? Are you trying to be Ironic?
Don't look now but.... http://devolab.cse.msu.edu/software/avida/
The evolutionaries are one step ahead of you!
It may sound crazy, but Windows 3.1x will stand up to the test very easily out of the box. Just run the Shields Up test on grc.com and you'll find that Windows 3.1x has NO ports open by default, not even port 139 which is open on all versions of Windows from 95 onward.
Ok, I'm responding to an ac, but oh well -
Which OS is propagating the viruses/trojans/malware?
Windows.
Which OS does it infect?
Windows.
Yes, other OSes were attacked [by Windows zombies], but not compromised; in fact there are very limited examples of exploits propagating through other OSes aside from Windows [I can find 7 Linux viruses, all of which do not propagate nor are effective to any measurable extent].
It is likely in the future that one may find a way to compromise a linux/mac in the same way, but that day has yet to come.
And that is why we question findings that windows is more secure than linux. It is GLARINGLY obvious that this is untrue to anyone sane.
ymmv
Did Windows 3.1 even have listening services by default? I recall having to add a separate TCP/IP stack, and being able to choose from several different vendors (which would bundle their daemons along with the stack).. I recall Chameleon, some FTP.com stuff, Trumpet Winsock...
It's hard to remote sploit something that isn't even listening....
Here's a useful link for securing Windows Systems: Black Viper.com
However, it's not a "true" firewall. The first version of OS X to come with a firewall was Panther, aka 10.3. OS X just does not run any unnecessary services like file sharing, printer sharing, web, ssh, or whatever; HOWEVER, it provides an incredibly easy method to turn these services on, along with the firewall.
I hate sigs...
The Morris Worm
But for your desktop machine, who cares?
Everybody should for two reasons:
One: Minimizing your configuration to have only what you need is a basic security principle. Software that isn't installed doesn't have to be patched, configured, audited, and otherwise watched. This is more important considered in light of item two.
Two: You should use good security practices on all systems / devices to establish a defense in depth. You are begging for trouble if your entire security plan is: use a firewall. All it takes for your maximum software machine to be owned is for a new exploit to come out that your firewall doesn't block, or a trojan that you let through. That may not happen often, but it does happen.
If you don't use it or need it, get rid of it, and then patch, properly configure, maintain, and audit the rest.
much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
You can simply turn on the XP firewall that comes with XP out of the box.
It is more than enough to keep you safe and secure until you get your windows updates. The time to infection is a heck of a long time with that turned on. That it isn't turned on by default was a mistake but to say that XP out of the box will be infected before you have the ability to update is outright incorrect.
In the second, there are those who turned off (or had a "helpful" tech turn off) their automatic updates and have no idea how to update their system.
This isn't an entirely stupid thing to do - if someone is on a pay-per-minute dialup connection, they don't *want* to be automatically downloading hundreds of megabytes of updates. (Especially if a lot of those updates are to add stuff they don't need/want - i.e. DRM for Media Player, etc).
http://blog.nexusuk.org
From the article
"Microsoft responded that the tests prove that any operating system is vulnerable when not patched."
No. They KINDA show that only Microsoft products are vulnerable when not patched.
For what it's worth, IMHO, I think that SOME of the home users that don't patch their installs of MSXP are afraid that MS is trying to slip in some software that would automagically inventory their MP3 collection, hacked software, etc and somehow "break" their computer. I think many people think of MS operating systems as a "deal with the devil". They really DON'T want to use Windows, but isn't that Linux thing for computer gurus and really hard to use? It's really hard to combat that kind of FUD. If it wasn't, a HUGE number of corporate users would be using a *nix based solution, if only to shrink desktop support staff.
As a networking professional, I can tell you that the constant rolling out of virus and OS patching to our user base DOES impact network traffic and "regular job" throughput, but the top brass sees this as a necessary evil. But of course my corporation has MS stock in its portfolio....
nmap is a good one to try, nessus may be better even (though it is a bit more complex to setup properly) since it can do some more thorough probing of enabled services and also make you aware of basic misconfigurations in those.
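An added example for the nmap suggestion above (editor-supplied, not from the commenter): running nmap once tells you what is open today; the useful habit is to keep a baseline of the ports you expect per host and have each scan report only what differs. The script parses nmap's grepable output (`-oG`), whose `Ports:` field lists entries as `port/state/protocol/owner/service/rpcinfo/version/`, and prints every open port that is not in the baseline. The scan lines embedded below are a constructed sample in that format; `--live` pipes a real `nmap -oG -` through the same functions.

```shell
#!/bin/sh
# Added example: diff nmap grepable output against an expected-ports baseline.
# sample_nmap prints a constructed sample of `nmap -oG -` output (not a
# real scan); fields within a Host line are tab-separated.
sample_nmap() {
    printf 'Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 111/open/tcp//rpcbind///, 631/filtered/tcp//ipp///\tIgnored State: closed (996)\n'
    printf 'Host: 192.168.1.11 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (997)\n'
}

# Baseline of what should be reachable, one "host proto/port" per line.
# Constructed for the sample above; 192.168.1.11 has no entry at all.
BASELINE='192.168.1.10 tcp/22
192.168.1.10 tcp/80'

# Read grepable nmap output on stdin; emit "host proto/port service" for
# each port whose state is exactly "open" (filtered and closed are skipped).
open_ports() {
    awk -F'\t' '
    {
        split($1, h, " "); host = h[2]
        for (i = 2; i <= NF; i++) if (index($i, "Ports: ") == 1) {
            n = split(substr($i, 8), entries, ", ")
            for (j = 1; j <= n; j++) {
                split(entries[j], f, "/")
                if (f[2] == "open") printf "%s %s/%s %s\n", host, f[3], f[1], f[5]
            }
        }
    }'
}

# $1 is the baseline text. Prints "NEW host proto/port service" for every
# open port that has no matching baseline line.
unexpected_open() {
    baseline=$1
    open_ports | while read -r host pp svc; do
        if printf '%s\n' "$baseline" | grep -qxF "$host $pp"; then
            :
        else
            echo "NEW $host $pp $svc"
        fi
    done
}

# Offline demonstration on the constructed sample:
sample_nmap | unexpected_open "$BASELINE"

# Live mode (assumes nmap is installed and you are allowed to scan $2):
#   ./scan-diff.sh --live 192.168.1.0/24 baseline.txt
if [ "${1:-}" = "--live" ]; then
    nmap -sS -oG - "$2" | unexpected_open "$(cat "$3")"
fi
```

On the sample this reports rpcbind on the first host and all three SMB-related ports on the second, because the second host is missing from the baseline entirely. Once the output is empty for a known-good network, any non-empty run is worth a look; nessus adds the service-level checks this script does not attempt.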