[techtalk] (Rant) Linux and security

kath kath at kathweb.net
Sat Jun 30 14:31:23 EST 2001


My friend works for an ISP.  Last week, a machine (a server at a company they provide high speed access for) was compromised and was used to launch attacks at others and I believe used as a slave in DDoS attacks (His network was extremely slow and once the user unplugged the compromised machine, his network speed issues cleared up).  Of course, the receiver of the attacks complained and my friend's ISP had to call the user.

I scanned the machine (nmap-ed) as a favor for my friend and was totally _unshocked_ to find that this guy had basically a stock Linux (probably Red Hat) install, with vulnerable ancient sendmail, sunrpc and telnet, amongst others.  The ISP employee talking on the phone to this user simply told him to format the machine, which I wish he hadn't, so my friend and I could have done forensics and figured out what was going on and how to prevent it.  Now this guy will basically reinstall his distro with the same vulnerable services.

Now the fact this person was hacked did not shock me.  What does shock me is the following:

So many Linux distributions come out of the box with so many unnecessary services, EVEN when they are installed with the "Server" option.  WHY?  Even a Debian install with no packages dselected in the installer has sunrpc open.  Is there a legitimate use for sunrpc?  I've never seen or heard of one (albeit I am newer to *nix).

While this is all fine and dandy for the user since he can run 800 nifty services on the same box, I think the idea that "Linux is SOOO secure over NT" leads to a false sense of security that any Linux (or any OS for that issue) is 100% secure out of box.

After I was almost compromised a few weeks ago in an attack that scared the !@^& out of me (coordinated assault from machines in Japan and Germany), I went totally ape about security (and this is my home cable modem Linux router they were attacking).  Now I had never considered a home cable modem Linux router a target (well, until I read about the grc.com attacks), but now I was a security deity on the warpath.  I had never been that much into security prior, but now I was totally in tune with it.

I formatted the box (even though I don't believe they got in), reinstalled Debian with no packages dselected, went around terminating default services until there were no services running, installed snort and portsentry, brought up the daemons one by one, did a gestapo-ish firewall rule set and more.

I think the whole idea that some people market Linux as being "ultra secure" is false and misleading (well actually it is the truth).  I think every boxed Linux distribution and every installer should have as the last screen a link to information about security resources and basic steps to take to secure the machine.

Hell, I think distribution managers should take the initiative and shut off known vulnerable services by default and then later give the administrator the option to turn them on one by one... but only with a giant caveat message and a link (or maybe an automatic thing) to grab the latest patched version.  Debian sort of does this with the idea of apt-get upgrade, but by default it only pulls packages out of stable (rarely updated), and how to add testing or security sources is not readily shown or explained unless you do the un-newbish thing of RTFMing or going online.

Now I know some of you might say "TRY OPENBSD ITS ULTRA SECURE!@!@#!Y at I#&".  The problem with OBSD (even though I enjoy playing with it) is that it isn't marketed to the mainstream.  Most companies, especially new ones that don't necessarily have experienced server admins (well, sometimes experience is bad if they are set on only using one type of OS), will default to Windows NT/2000 or Red Hat.  OBSD also does not have the user-friendliness some people need (even though I think any *nix admin should be able to work with a command line, a basic text-only installer and man pages), so it isn't used.

I know one reason the sysadmin for my local school district uses NT is because it is so easy without much learning.  Once, we were trying to add a second IP to a network card in the main Linux web server and scanning doc files for the command.  Just to taunt us, he walked over to an NT4 machine and did it in less than 20 seconds.  Of course, this is an admin that applies service packs and hotfixes once in a blue moon =o

I dunno why this riles me up, I just get frustrated sometimes.

- kath

p.s. this post doesn't fit my normal style of short and to the point.  Would it have been better if I used diagrams or even unrelated clip art to liven it up? ;p
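The "bring the daemons up one by one until only what you need is listening" routine described in the post can be turned into a repeatable check. The script below is an added example, not code from the original post or from any distribution: it parses socket listings in the column format of `ss -Hltn` (State, Recv-Q, Send-Q, Local:Port, Peer:Port), keeps only the port numbers, and reports every listener that is not on an allowlist the administrator wrote down on purpose. The allowlist (ssh and http) and the sample listing (sendmail, telnet and sunrpc next to them, resembling the stock install in the post) are constructed for the example.

```shell
#!/bin/sh
# Audit listening TCP ports against an allowlist of services that were
# deliberately enabled; anything else is a candidate to shut off.
# Constructed example: the allowlist and the sample socket listing are made up.

# Ports the administrator has decided to run (assumption: sshd and a web server).
ALLOWED_PORTS="22 80"

# Read `ss -Hltn`-style lines from stdin and print one listening port per line,
# sorted numerically and de-duplicated (IPv4 and IPv6 listeners on the same
# port collapse to one entry). The port is the text after the last ':' in
# column 4, which also handles bracketed IPv6 addresses such as [::]:111.
listening_ports() {
    awk '{ n = split($4, a, ":"); print a[n] }' | sort -un
}

# Print the listening ports that are NOT on the allowlist passed as $1.
unexpected_ports() {
    allowed="$1"
    listening_ports | while read -r port; do
        case " $allowed " in
            *" $port "*) ;;        # expected, say nothing
            *) echo "$port" ;;     # unexpected listener: investigate or disable
        esac
    done
}

# Constructed sample in `ss -Hltn` format: ssh (22), http (80), smtp (25),
# telnet (23) and sunrpc (111, on both IPv4 and IPv6).
SAMPLE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 10 0.0.0.0:25 0.0.0.0:*
LISTEN 0 10 0.0.0.0:23 0.0.0.0:*
LISTEN 0 128 0.0.0.0:111 0.0.0.0:*
LISTEN 0 128 [::]:111 [::]:*'

# Run the audit over the constructed sample; prints 23, 25 and 111.
audit_sample() {
    printf '%s\n' "$SAMPLE" | unexpected_ports "$ALLOWED_PORTS"
}

audit_sample
```

On a live machine, replace the sample with real data (`ss -Hltn | unexpected_ports "$ALLOWED_PORTS"`) and run it after each daemon you bring back up; an empty result means nothing is listening that you did not choose. UDP listeners (`ss -Hlun`) deserve the same pass, since sunrpc registers there too.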