[techtalk] (Rant) Linux and security

Martin.Caitlyn at epamail.epa.gov
Mon Jul 2 11:35:45 EST 2001


Hi, Kath,

Since I do Linux security (among other things) for a living, I'm going to
comment on some of the things in your rant.

> I scanned the machine (nmap-ed) as a favor for my friend and was totally
> _unshocked_ to find that this guy had basically a stock Linux (probably
> Red Hat) install, with vulnerable ancient sendmail, sunrpc and telnet,
> amongst others

Every OS, without exception, has to be patched and kept current to have
even a prayer of being secure.  Red Hat is excellent at releasing security
patches for their old, legacy releases (back to 5.2 at present), which
differs from many other distributors.  So... Red Hat wasn't a bad choice,
the lack of patching was.  What really galls me is that an ISP can, for a
minimal cost (Red Hat Network subscription) have the patches done in a
pretty automated way, so the fact that your friend's box got hacked was due
to just plain irresponsibility on the part of the responsible sys admin.

> So many Linux distributions come out of box with so many unnecessary
> services, EVEN when they are installed with the "Server" option.  WHY?
> Even a Debian install with no packages dselected in the installer has
> sunrpc open.  Is there a legitimate use for sunrpc?  I've never seen or
> heard of one (albeit I am newer to *nix).

Actually, this has changed, at least with Red Hat and Mandrake.  Red Hat
7.1, by default, turns on *no* internet services whatsoever, which someone
actually complained about on here some weeks ago.  Mandrake 7.x/8 offers a
"high security" (formerly "paranoid") option on install which does pretty
much the same thing.  I can't talk about Debian, since I don't use it, but
I suspect many of the better distros have already addressed this issue the
right way.

> While this is all fine and dandy for the user since he can run 800 nifty
> services on the same box, I think the idea that "Linux is SOOO secure over
> NT" leads to a false sense of security that any Linux (or any OS for that
> issue) is 100% secure out of box.

Linux *is* much more secure than NT/Win2K, provided it is properly
administered and kept up to date.  It is really hard (if not impossible) to
keep an MS box secure.  It is really easy with most Linux distros.  The
thing that is missing here, at an ISP most of all, is keeping up to date on
security patches.  No distributor or software company can anticipate every
possible way a system can be compromised.  The Linux community as a whole,
and Red Hat in particular, are great at issuing patches to plug holes just
about immediately.  That is all you can ask from an OS manufacturer or
distributor.

> I think the whole idea that some people market linux as being "ultra
> secure" is false and misleading (well actually it is the truth).

As you say, it *is* secure if the admin knows how to secure it, as you do.
Most people know diddly about security.  Do you know how easy it is to
hijack some grandma's Win98 box connected to a DSL or cable modem
connection?  Do you know how often it happens?  At least with Linux some
security issues *are* now covered at install time.

> I think every boxed Linux distribution and every installer should have as
> the last screen a link to information about security resources and basic
> steps to take to secure the machine.

Why don't you write some of them and suggest it?  Red Hat has good basic
security info on their site, so it's just adding a link in the next version
of the installer.  Most Linux distributors do take customer suggestions to
heart.  I know some of the changes on www.mandrakeexpert.com are a direct
result of my e-mails with the good folks at Mandrakesoft.  I know some
folks at Red Hat and they *do* listen.  I'd be really surprised if any of
the other distributors (with the possible exception of a couple of
oh-so-corporate-commercial ones, like Corel and Caldera) aren't equally
open to suggestions.  It's easy to rant.  Now turn this into something
positive and bring about some change.

> Hell, I think distribution managers should take the initiative and shut
> off known vulnerable services by default and then later give the
> administrator the option to turn them on one by one...

Done, at least in Red Hat 7.1.

All the best,
Caity
