
Fear not, Linux admins: There are TOOLS to help you

Most Linux distributions have a significant focus on security. This does not mean they are necessarily ready for production out of the box. Tools like SELinux, excellent firewall options, and robust access controls can make Linux exceptionally secure. Despite this, actually deploying a Linux system into production still requires …

COMMENTS

This topic is closed for new posts.

Re: For [Insert Deity here] sake

Your ssl keys better be protected or when one of your machines gets hit, it and every other machine you connect to will become part of someone's ssh scanning network.

SSH Communications' ssh server allows key and password but openssl currently only allows key or password. Both products allow the key to be password encrypted on the client end.

0
0
Vic

Re: For [Insert Deity here] sake

> Put a (metaphorical) land mine there - touch that port, immediately be blacklisted.

That upsets customers. They don't like being blacklisted for a single mistake...

Vic.

0
0
Vic

Re: For [Insert Deity here] sake

> you sure as all get-out don't run SSH on 22

I do. That's where my users expect to find my SSH daemon.

They don't get in without their keys, though.

Vic.

0
0

+1 for Webmin

OK, I'm never going to be a paid Linux sysadmin. But when I started dabbling with Linux, about 5 years ago now (slight pause for that to register) the one tool which I stumbled across which transformed my experience was Webmin.

Despite being able to remember DOS 2.0, I am unashamedly a GUI fan. My argument is a *good* GUI can help enforce some sort of understanding of what's going on underneath - a classic example being an input field that is greyed out unless a checkbox is ticked. The GUI shows you the relation between the two.

7
2

GUI-SHMUI

The reason why CLI is alien to you is that Microsoft didn't do it right. DOS was a piece of junk, as was cmd.exe.

Look at the vanilla terminal emulator the official MSDN tutorials use. Look at the ugly syntax there; you'll gather how much MSFT hated(s) the shell.

Power Shell is better but still "too innovative" for a shell with its OO idiocy.

4
0

Re: GUI-SHMUI

@eulampios

"The reason why CLI is alien to you is that Microsoft didn't do it right. DOS was a piece of junk, as was cmd.exe"

Absolutely correct. It took me a couple of hours of trial and error to get NT4's 'ntbackup' and 'at' commands working back in 1997. All I wanted to do was set backups off at a certain time of day rather than running them manually. Quite a simple task on any other O/S but Microsoft had a fixation that we should all become point and click merchants.

2
0
Anonymous Coward

Re: GUI-SHMUI

Now, I'm a bit of a command line jockey in both Windows and UNIX/Linux. I'll freely admit that some Windows commands are odd, but there are also many UNIX/Linux commands which are also odd, or that don't correspond in terms of switches to other commands which do related tasks. There are commands which are massively under- or over-engineered (why does 'ls' need more switches than there are letters in the alphabet, for example?).

As for PowerShell being "too innovative", you don't get to make that accusation when you were saying the other day that ACLs are too complicated. It seems to be a common attitude amongst UNIX/Linux guys that because they know UNIX/Linux, they magically know Windows, and anything they don't understand is rubbish or not required. Let me tell you, this is never the case: at the last two companies I've worked for I have had to pick apart Windows products which were engineered by UNIX guys that just didn't work, and in one case actually lost data, because there just wasn't the level of understanding of Windows that they thought they had.

Anyway, MS have always strived to make sure that everything is doable at the command line, the current version of Windows server offers no GUI options, the next version is command line by default, GUI as an option.

0
1

@AC 24th July 2012 10:34 GMT

Hello AC,

FYI, "ls" is a command, it is not part of the shell. The shell is used to call it, pipe it and glue it. I bet you can use it in PS too. And, btw, "many is not few". I know those I use quite often; if I need to do more, I'd do "man ls" or "info ls" and search through with "/" or "?".

PS has a few questionable things to consider:

1) While a shell should tend to be as simple as possible, an OO interface makes it cool, not simple, hence not very usable.

2) As I mentioned above, take (any) MSFT shell and look at the syntax; how do you like it, compared to any *nix shell? Those long, hard-to-read command names are not aesthetically appealing. What about those long paths? Hasn't MS realized it could be done by linking to some path (like /bin or /usr/bin etc.) and storing it in a variable like PATH?

3) Look at the ugly MS vanilla terminal emulator. One can tell the attitude towards what you do by looking at your workplace.

4) Take this Trevor Pott article, written for (as he points out below) Linux newbies & Windows admins. Why so much fear of the CLI? Why bother with webadmin? It's the habit, indeed. Now compare the average Linux and Windows tutorial; guess which is heavier on GUI? Even Windows 2008R Core, almost GUI-less, has some windowy interfaces left, just to make sure... Those newer ones you're referring to are said to be administered through an RDP GUI interface, as advised by MS, right?

5) When did MS finally decide they needed a better shell? Some 20 years after the *nix guys got it. And Windows culture hates and tries to avoid the CLI, and the reason for this is situated in the City of Redmond.

"Windows products which were engineered by UNIX guys that just didn't work and in one case actually lost data"

Should I tell you about Windows XP tools being incapable of seeing either their own backups or their own NTFS partition once Windows could not boot?

0
0

Not all that useful...

You do make some good points, but you should point out that this advice is only of practical benefit if you're placing a Linux box directly on the internet without being behind a firewall. I doubt you'll find any serious Linux setup that isn't behind a dedicated firewall.

Tools like ClamAV are designed to scan files going through the Linux system that will end up on other systems - Windows and Macs etc. There are very few viruses and trojans for Linux. If you've updated your system in the past year then you're probably safe against the ones that do exist. However you should really mention tools like Chkrootkit which will actually check for this stuff, or Aide which works as an intrusion detection system.

Incidentally, as a Senior Linux sysadmin with over a decade of commercial experience, I would advise turning SELinux off on your CentOS boxes. It really is more trouble than it's worth. However, Apparmor on Debian/Ubuntu boxes isn't too shabby, so keep that one running.

1
1
Vic

Re: Not all that useful...

> I doubt you'll find any serious Linux setup that isn't behind a dedicated firewall.

I can point you at a few thousand...

> I would advise turning SELinux off on your CentOS boxes.

I wouldn't.

SELinux is very, very effective. Russell Coker used to publish his root password on his website and let you shell into his machine to play with it. It was quite a stunning demonstration.

SELinux often needs to be disabled because the admin doesn't understand it well enough - and that's fine, it's still a fairly new technology. But it should be left enabled if at all possible, because it really does stop bad stuff happening.

Vic.

5
0

Re: Not all that useful...

SELinux isn't new technology; it's at least a decade old. It is badly designed and poorly documented technology though.

The point I was making, however, is beginner Linux admins ought to turn off SELinux because they'll try and do something simple and it won't work because of SELinux. There are other things they could do which aren't mentioned in this article which will make their systems more secure anyway and won't be such a pain-in-the-arse.

For one, CentOS has a stupid amount of services running as default, most of them ridiculous. If I remember correctly, one is a bluetooth service or something mad like that. The first step to securing a box is to stop unnecessary services. Another is not to run Webmin which, If I remember, has had some pretty nasty vulnerabilities in the past.

There are indeed thousands of Linux boxes directly on the net. In fact my personal server is. But when I say serious, I mean serious as in "Let's hire a sysadmin to look after this" type serious. I would expect at least a screened subnet type network setup for running a serious network system, whether Linux or any other OS. Not only does it aid security, but allows you to move from a server that's a single point of failure to something more highly available.

The conclusion is of course that this article is aimed at hobbyists rather than people employed as a sysadmin, therefore SELinux would be a hindrance.

0
0

Re: Not all that useful...

Largely agree - SELinux shouldn't be disabled unless you REALLY know what you are doing. If you don't know what you are doing and it's getting in your way, you should learn enough about it to configure its rules to make the problem go away.

Having said that - SELinux DOES cause quite an observable performance penalty. So if you really do know what you are doing and have made sure the system is otherwise suitably bolted down (or it isn't in a security-sensitive environment, e.g. not exposed to the internet), you can squeeze a bit more out of the machine by adding selinux=0 to your kernel command line (and/or putting SELINUX=disabled in your /etc/selinux/config).

0
1

Re: Not all that useful...

A dedicated firewall is a linux box running iptables, or a proprietary piece of crap that does the same, but with more bandwidth limitations and no additional services.

Do you really want to put it behind yet another firewall? Because it's a linux box, so you know, according to your Senior advice ...

3
0

Re: Not all that useful...

Are you joking?

Look up some basic network design and then get back to me when you understand it. You are, like the author of the article, assuming that you have one server and it's directly on the internet. I mentioned things like high availability before, which is one aspect of good network design which is what you do if you're professional. How the hell do you get high availability with a single box whether or not it's got iptables on it?

0
1
Anonymous Coward

"For pain reduction, I recommend Webmin for experienced admins and first timers alike."

I just about knew you were going to say stupid stuff like that. It paints you as one of those adherents to the idea that just because fancy GUIs make you feel safe, this must necessarily be a good thing for everybody else. This is curiously at odds with your powershell infatuation. Or maybe it isn't, but I don't really care.

Point is, you really don't get the point of simple stuff. Like, oh, system defaults. What else would you recommend linux distributions ship as a default instead of the IANA-assigned default port for SSH then? Suppose they pick some obviously much more secure port, say number 24. So people that run scanners take notice, and now scan 22 and 24. Congratulations, burned another port. And for what? A gazillion questions by confused newbies and angered admins why ssh doesn't "just work"? The centos crew must just love your wonderful suggestions.

Granted, allowing root login is a bit poor, but that too is something experienced admins will immediately amend to comply with their site's policies. Like, no password logins, no ssh logins anywhere from the outside except to one or two bastion hosts, that sort of thing. But none of that has much place in a default install.

In fact, I don't necessarily agree that a "firewall" is a good idea on a default install. The perceived necessity of such a thing mostly stems from shoddy code and defaults entirely unsuited to the open internet...by your favourite vendor. I say systems should be hardened enough to be reasonably safe out-of-the-box without packet filtering installed. That's not to say you shouldn't use one, there are many reasons why you might want to anyway, but I am saying the system should be solid enough without. If you ship them with a packet filter anyway, it's because your audience cannot be trusted to configure the system without opening themselves up to abuse. Like forgetting to limit the database in the lamp stack to localhost only, that sort of thing.

The rest is more listing of your preferences, without much of an argument at all why everybody else should agree with your tastes. You may have a point but you're not exactly exerting yourself making it.

The only thing I can really take away is a point you didn't actually make, and that is that it's a pity that SELinux isn't equipped with more accessible documentation and tools to make it work, leaving little option for everyone except experts in SELinux to just turn the cursed thing off and so do away with the obscure interference it causes, preventing many an app from "just working". If that could be achieved with little effort, then you are much less forced to know a gazillion tricks to work around SELinux' insufferability.

7
2

Re: "For pain reduction, I recommend Webmin for experienced admins and first timers alike."

I agree about SELinux, if the devs actually had a suggested config for their apps added as part of the package install process it would be a breeze.

0
0

I don't think it's too unreasonable a default config

If you install a server inside an enterprise it's likely that port 22 is going to be firewalled anyway. So for the sake of convenience I don't think it's unreasonable to enable it, even though root should not be. Most installers ask for a user id for the administrator anyway, and users are encouraged to sudo from that.

3
0

SSH on port 22

Always do it, but then I also run fail2ban which will block an IP for a day after 3 attempts. It can be quite amusing seeing some of the usernames bots attempt. I'm now a big fan of PKI too. Initially I used Webmin, but then after a while I got fed up with it not being flexible enough and learnt how to edit the configuration by hand - I haven't gone back.

Fail2ban is a great tool, and I use it to check against auth, mail, sql & http logs. The only issue is that one guy has a habit of locking himself out (from home) when he flattens his iPhone and gets his email credentials wrong.

I suppose I'm not really into the whole security by obscurity thing, though I might set up an SSH honeytrap on a non standard port and see how many hits it gets.

5
0
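The fail2ban behaviour described in the post above, as an added example that is neither the poster's configuration nor fail2ban itself: a POSIX shell script with awk that counts failed sshd password attempts per source address over a constructed sample of auth-log lines, lists the sources that reached the retry threshold (fail2ban's maxretry), and honours an ignore list (fail2ban's ignoreip), which is the usual fix for the colleague who keeps locking himself out from home. The log lines and the RFC 5737 addresses in them are constructed; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not the poster's setup and not fail2ban): the core of what a
# fail2ban sshd jail does, in POSIX shell and awk, over constructed log lines.

# Constructed sample of sshd auth-log lines; addresses are RFC 5737 test ranges.
SAMPLE_LOG='Jul 24 10:31:02 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jul 24 10:31:05 host sshd[2103]: Failed password for invalid user oracle from 203.0.113.7 port 51030 ssh2
Jul 24 10:31:09 host sshd[2107]: Failed password for root from 203.0.113.7 port 51041 ssh2
Jul 24 10:32:11 host sshd[2110]: Failed password for alice from 198.51.100.23 port 40012 ssh2
Jul 24 10:32:20 host sshd[2112]: Accepted publickey for alice from 198.51.100.23 port 40013 ssh2
Jul 24 10:33:40 host sshd[2120]: Failed password for bob from 192.0.2.44 port 33001 ssh2
Jul 24 10:33:44 host sshd[2121]: Failed password for bob from 192.0.2.44 port 33002 ssh2'

# "COUNT IP" for every source with at least one failed password, busiest first.
failures_by_source() {
  printf '%s\n' "$SAMPLE_LOG" |
    awk '/sshd\[[0-9]+\]: Failed password for / {
           for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
         }
         END { for (ip in fails) print fails[ip], ip }' |
    sort -rn
}

# Sources that reached the retry threshold (fail2ban's maxretry), skipping any
# address listed after the threshold (fail2ban's ignoreip). The ignore list is
# the standard answer to the colleague who locks himself out from home.
# usage: ban_candidates MAXRETRY [IGNORED_IP ...]
ban_candidates() {
  threshold=$1
  shift
  ignored=" $* "
  failures_by_source | while read -r count ip; do
    case "$ignored" in
      *" $ip "*) continue ;;   # trusted source: never a ban candidate
    esac
    if [ "$count" -ge "$threshold" ]; then
      echo "$ip"
    fi
  done
}

# Distinct account names one source tried; "invalid user X" lines are the guesses.
usernames_tried() {
  printf '%s\n' "$SAMPLE_LOG" |
    awk -v ip="$1" '/Failed password for / {
           user = ""
           for (i = 1; i <= NF; i++) {
             if ($i == "for") user = ($(i + 1) == "invalid") ? $(i + 3) : $(i + 1)
             if ($i == "from" && $(i + 1) == ip) print user
           }
         }' |
    sort -u
}

# Report for a jail with maxretry 3 and the home connection excused.
ban_candidates 3 198.51.100.23
```

Only "Failed password" lines are counted here; a client offering a rejected public key is logged differently, and a real jail's filter should match those too. The usernames_tried report is the part the poster found amusing: with password authentication disabled and keys required, those guesses tell you about the bots, not about your exposure.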

Re: SSH on port 22

"I might set up an SSH honeytrap on a non standard port and see how many hits it gets."

I have SSH on a very non-standard port and with only one very unusual username allowed and never see any attempts on that port - on the other hand I see many on 22

0
0

Re: SSH on port 22

I always run SSH on port 22, as I manage and share work on too many systems to remember obscure port numbers. I disable root logins on SSH, run Denyhosts (equivalent of fail2ban) before I expose a system to the net by forwarding the port and enforce strong enough passwords so that 5 attempts won't make any dent on the number of guesses likely to be needed. The attacker has to guess login account names as well, and the logs show this doesn't happen successfully very often, though 15 addresses or so get blacklisted every day for trying on the typical SSH server I operate.

0
0

"There are tools to help you"

The last junior tech I got lumped with was a tool, but was no help at all...

3
0

Re: "There are tools to help you"

Inb4 someone gives you a thumb-up for repeating the same joke as the article subheader... >:)

1
1

Bugger. I missed that.

A tool am I...

0
0

I like webmin

It's handy for the initial config of a linux box and for getting an overview. For the low level stuff then I agree that cli is better.

I also tend to turn off the linux firewall though, because these are internal boxes so don't need a firewall. Oddly enough, the only linux box with the firewall on is the one in the testlab as that's mimicking a live environment that uses hardware firewalls.

0
0

webmin is OK

For configuring DNS zones - it takes some of the grunt work out of generating IDs etc.

But for systems such as postfix or apache configs it's a real PITA.

For me it's far, far easier to configure down from defaults and apply simple to understand configs.

It's also OK for configuring a basic shorewall but I like to add rules by hand as it's more flexible.

and you get to add comments :-)

Jacqui

2
0

Re: webmin is OK

@Jacqui

"and you get to add comments :-)"

That gets a big thumbs up from me.

This is what is missing from many GUI tools. Editing raw text files may be slower than point and click, but you can put a full change history in there.

0
0

One of the best things about linux

Is that you can't just install it and click on a few buttons without understanding anything about it.

Well you can on a user desktop, to be sure, but not as a server.

That forces sysadmins to be sufficiently competent to not make at least the more basic of mistakes.

Dumbing down critical tasks is not necessarily a Good Thing.

2
1

SSH and Mitigating Brute Force Dictionary Attacks

There are reasonably elegant ways to mitigate SSH brute force attacks that are available out of the box.

For example, if your machine has IP address 10.0.0.1, you could apply iptables rules along the following lines:

iptables -t filter -A INPUT -d 10.0.0.1/32 -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name filter_10.0.0.1_22 --rsource

iptables -t filter -A INPUT -d 10.0.0.1/32 -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 --rttl --name filter_10.0.0.1_22 --rsource -j DROP

iptables -t filter -A INPUT -d 10.0.0.1/32 -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT

This will effectively limit the number of ssh connection attempts for a particular IP to 1/minute which will make brute force dictionary password attacks unfeasible (unless somebody is running a large botnet from which they are brute forcing the attack).

If you are particularly bloody minded and have the TARPIT iptables target patched into your kernel, you could replace "-j DROP" above with "-j TARPIT" for good measure, which will also tie up the attacker's connections on IP stack level while making the attacking process get stuck waiting for a response.

Of course, this doesn't mean it's OK to run with direct root ssh access enabled. :)

You could apply something similar on a layer further up the networking stack, for example to mitigate brute force attacks on your blog account login:

-A INPUT -d 10.0.0.1/32 -i eth0 -p tcp -m tcp --dport 80 -m string --string "/wp-login.php" --algo bm --to 64 -m recent --set --name filter_10.0.0.1_80 --rsource

-A INPUT -d 10.0.0.1/32 -i eth0 -p tcp -m tcp --dport 80 -m string --string "/wp-login.php" --algo bm --to 64 -m recent --update --seconds 120 --hitcount 3 --rttl --name filter_10.0.0.1_80 --rsource -j DROP

Again, you can replace "-j DROP" with "-j TARPIT" if you have TARPIT patched in.

You can also drop access attempts to known attack targets (which you hopefully don't have publicly reachable on your servers):

-A INPUT -d 10.0.0.1/32 -i eth0 -p tcp -m tcp --dport 80 -m string --string "phpmyadmin" --algo bm --to 1024 -j DROP

Or drop access attempts from unmasqueraded penetration testing tools (you'd be amazed how many script kiddies don't bother changing the agent string):

-A INPUT -d 10.0.0.1/32 -i eth0 -p tcp -m tcp --dport 80 -m string --string "ZmEu" --algo bm --to 1024 -j DROP

And in those last two cases, again, you can replace "-j DROP" with "-j TARPIT".

All pretty basic stuff and all the tools required ship in the base distro. It's not the tool you have, it's what you do with it that counts. ;)

4
1
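An added example, not the poster's own script, that generalises the three SSH rules above into a small POSIX shell generator: given the address, interface, port, window and hit count it prints the -m recent rules, puts an ACCEPT for trusted source ranges ahead of them, and executes them only when APPLY=1 is set, so the output can be reviewed first. Two departures from the post are deliberate: -m conntrack --ctstate NEW replaces the older -m state --state NEW match, and the trusted-range rule exists because the limiter counts connections rather than failed logins, so an admin who opens a second session inside the window would otherwise be dropped along with the bots. The function names, the APPLY variable and the 198.51.100.0/24 range are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the post): generate, and optionally apply, iptables
# rules that rate-limit NEW TCP connections per source with the "recent" match.
# Rules are printed by default; they are executed only when APPLY=1 (as root).

# usage: ratelimit_rules ADDR IFACE PORT WINDOW_SECONDS HITCOUNT [TRUSTED_CIDR ...]
ratelimit_rules() {
  addr=$1 iface=$2 port=$3 window=$4 hits=$5
  shift 5
  name="filter_${addr}_${port}"
  base="iptables -t filter -A INPUT -d $addr/32 -i $iface -p tcp -m tcp --dport $port"

  # Trusted ranges (assumed, e.g. the office) bypass the limiter entirely: it
  # counts connections, not failed logins, and would otherwise cut off an admin
  # who opens a second session inside the window.
  for cidr in "$@"; do
    echo "$base -s $cidr -j ACCEPT"
  done

  # Record every new connection attempt from the source in the named recent list.
  echo "$base -m conntrack --ctstate NEW -m recent --set --name $name --rsource"

  # Drop once the source has made HITCOUNT new connections within WINDOW seconds.
  # --update also refreshes the timestamp, so a source that keeps retrying stays dropped.
  echo "$base -m conntrack --ctstate NEW -m recent --update --seconds $window --hitcount $hits --rttl --name $name --rsource -j DROP"

  # Whatever got past the limiter is accepted.
  echo "$base -j ACCEPT"
}

# New connections a single source may open per window before it is dropped.
allowed_per_window() {
  echo $(( $1 - 1 ))
}

# Print the rules, or apply them when APPLY=1 (stopping at the first iptables error).
run_rules() {
  if [ "${APPLY:-0}" = 1 ]; then
    ratelimit_rules "$@" | sh -e
  else
    ratelimit_rules "$@"
  fi
}

# The post's SSH rules (one new connection per minute), with a trusted range added.
run_rules 10.0.0.1 eth1 22 60 2 198.51.100.0/24
```

The -m string rules in the post are a different mechanism and are left out of the generator on purpose: they inspect only the first --to bytes of each packet's payload, so they see nothing inside HTTPS and can be sidestepped by splitting a request across packets; treat them as a cheap noise filter in front of the web server's own logging, not as the control.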

Linux - Exceptionally Secure??!! LOL

Linux in fact has the worst security of any commonly used OS, and is years behind Microsoft for instance.

The average distribution has ten times as many vulnerabilities as a Microsoft OS and twice as many as OS-X. See Secunia.org http://secunia.com/advisories/product/12192/

Linux having far higher vulnerability counts also holds true with a 'package adjusted' Linux that only provides the equivalent functionality of a Microsoft Server OS.

For an example of the impact of this in a market sector where Linux is actually used (so not desktops) - see http://www.zone-h.org/news/id/4737

You are many times more vulnerable running Linux, even allowing for market share.

0
22

Re: Linux - Exceptionally Secure??!! LOL

We've heard you dribble on before about this - most adults KNOW that you are wrong.

Otherwise there is an icon for Troll

3
0

Re: Linux - Exceptionally Secure??!! LOL

If you are going to spout crap, at least spout crap that can't be immediately disproved by going to the link you provided.

http://secunia.com/advisories/graph/?type=sol&period=2012&prod=12192

12 advisories this year, all patched.

7
0

Re: Linux - Exceptionally Secure??!! LOL

> The average distribution has ten times as many vulnerabilities as a Microsoft OS and twice as many as OS-X.

You can kid yourself all you like. That won't alter the fact that 99.9% of the malware that exists is for WinDOS.

You are trying to confuse the issue by conflating every single little bug that never hurt anyone with Windows worms that have managed to effectively disable the entire Internet. Of course they're not the same thing.

So you're not kidding anyone.

6
0

Re: Linux - Exceptionally Secure??!! LOL

Is that you Loverock Davidson???

I guess you are too ashamed to use your ZDNet "handle" here?

2
1

even worse

It could be Ed Bott himself!!!

1
0

@ Trevor Pott 's reasoning

We should downvote our current and respected author Trevor Pott, since he insinuated:

"CentOS doesn't have any default activated anti-malware... Linux systems....play host to some pretty nasty pieces of software. My preferred front line defences are the ever popular ClamAV and LMD."

Indeed, the anti-malware tools are Windows oriented. When using those, you want to protect your Windows clients (more frequently with mail servers, not web servers). The whole idea of the at times very resource-demanding database of the known bad things, plus some questionable empirical methods with both high false positive and false negative outcomes, does not agree very well with KISS and what the entire *nix administration stands on. Other more reasonable and open tools like SELinux/AppArmor should be used instead (a properly set up system is taken for granted).

A Windows admin decided to write about Linux. It is pretty laudable; however, it should be taken with the appropriate grain of salt.

1
0

Re: @ Trevor Pott 's reasoning

Linux systems never get compromised? That's a larf. They most certainly do; almost always through some badly coded PHP something or other. (To be fair, they also tend to compromise windows systems.)

Yes, you generally need anti-malware on Linux systems. If for no other reason than to ensure that your web applications haven't been hijacked by someone looking to poison the rest of the net. Or do you have even the remotest shred of evidence to say that every single compromised website is IIS based? How do you dismiss a decade's worth of evidence that shows several thousand new LAMP systems compromised every month?

I’m legitimately curious.

1
0

Re: @ Trevor Pott 's reasoning

Trevor, in any case, now tell me how much any of these AV tools apply to any of those compromises? Do they look for some "common" *nix malware known to cause any of the said compromises? If you think they might, you're very wrong. If one gets "malware" because he/she downloaded & installed some crap from an insecure source having logged in as root... the best remedy is the GB tools (good beating).

As far as the compromises are concerned they are of mainly two (+ one) types:

-I) unknown 0-day (at the time) vulnerability in the software -- happens pretty rarely, call it "many pairs of eyes over very few" advantage. AppArmor and SELinux (and good policies) are your best friends to mitigate the risks therein.

-II) poor security policies, like root ssh login, poor passwords, or password ssh logins, systematic disgust of security updates, too many unneeded features, modules and apps running -- to mention just a few

-gamma) with php taken too much at liberty (without the suhosin patch) by non-experienced admins, all of the above should be cited as a separate one.

Although Windows might involve similar risks, the anti-malware would be helpful for none of those with Linux/BSD administration. Suggesting AV to fight those is very unprofessional indeed. Nevertheless, in the Windows parallel world, where the fundamental constants are proclaimed to differ very much, it is a part of a pretty well paid profession.

1
1

Re: @ Trevor Pott 's reasoning

@eulampios: ClamAV is actually quite terrible at finding website compromises. It does find some however, and is better than nothing. LMD does a far better job, but isn't included in the primary repositories.

The issues of the type I am discussing are neither "you must be logged on as root and download some Trojan by using Linux as a desktop" issues nor are they 0-days. In nearly every case, malware on Linux occurs because someone forgot to - or couldn't, because of chained dependencies - patch.

In most cases it is a flaw in some PHP application that an admin has installed on their Apache setup. A privilege escalation bug or some other issue allows someone access to the webserver. They then alter the extant CMS/Application/whatever to include links to malware, typically as part of a drive-by-download attack targeting Windows (though increasingly Mac) users.

In general, this sort of malware does not compromise the Linux system itself. IMHO, anti-malware trying to defend the Linux operating system itself is completely pointless. Every available anti-malware package for Linux is so woefully inadequate that if and when your Linux system is compromised you nuke the whole thing and start over. (It's quicker than defanging the thing.)

No, anti-malware on Linux is almost exclusively for cleaning e-mail and cleaning compromised websites. Generally compromised websites targeting windows systems.

I wouldn’t prescribe anti-malware for Linux for the same reasons as I would Windows. Frankly, Windows anti-malware is far more robust. It has to be; Windows has so many deep flaws (and is such an attractive target due to market share size) that there are many vectors to infect the OS itself.

Linux has a smaller attack surface in getting at the OS + core packages proper. That said, when it is infected, it’s pretty much a total loss. When a Windows system is compromised, even a half-assed Windows admin can clean the thing in ~80% of cases with less than an hour’s applied effort. (Assuming you ignore “the progress bar is going” in the effort calculations; most admins go do something else while waiting for progress bars.)

When a Linux system is compromised, this isn’t really the case. In these instances the malware is generally (by necessity) significantly more complex than your typical Windows software, written by people who know far more about the OS than the sysadmin trying to defend the thing.

Comb through the logs for long enough, test permissions and run fuzzers on enough things and you might figure out what was compromised, how, how many friends it downloaded, what they affected, etc. Then you can kill it pretty easily. In that timeframe however you could just have backed up your core configs/data, reinstalled and been on your merry way. (This isn’t remotely as easy on Windows; even with folder redirection, AD, etc, backing up configs can be a PITA.)

So, to re-cap: anti-malware is generally necessary on Linux for the two most common roles that Linux sees. Namely, e-mail (either as a pre-filter or actual server,) or web hosting. The actual usefulness of anti-malware is different than it would be on Windows, but it is still recommended nonetheless.

1
0

Re: Linux - Exceptionally Secure??!! LOL

3557 Vulnerabilities in total for SUSE10. QED.

For reference, even Windows XP only has about 450 and Windows 7 about 200. OS-X has about 1600.

0
8

Re: Linux - Exceptionally Secure??!! LOL

That there is Malware for Windows desktops is because people actually use Windows versus the ~1% Linux share in that space.

Where Linux is used with a high market share - like webservers - it is hacked to shreds.

The facts stand: in terms of security as measured by vulnerabilities, Linux sucks. All other things being equal it is much easier to hack Linux.

0
8

Re: Linux - Exceptionally Secure??!! LOL

I think you have forgotten that the worst Internet worm ever was on UNIX systems and took out the whole internet at the time for a couple of days....

0
6

@your rubbish

Richto, amigo. Not even checking your numbers...

1) vulnerabilities can be severe and not that severe

2) it is important to note, how fast those severe ones are fixed, and Microsoft is not a good example here

3) Windows XP/Vista/7 has probably 1% of the software apps any Linux/BSD distro can offer

4) XP and Vista and still 7 need no vulnerabilities to become a good target due to the poor design and some idiotic decisions

2
0

Re: Linux - Exceptionally Secure??!! LOL

"things being equal it is much easier to hack Linux."

Off you go then - see how far you get !

2
0
Anonymous Coward

Re: Linux - Exceptionally Secure??!! LOL

"worst Internet worm ever was on UNIX systems"

You do realize that was in 1988 - you were probably in nappies then !

2
0

"All other things being equal it is much easier to hack Linux."

What

The

Fuck?

If you honestly believe this - honestly and truly - please go back to the article proper and select "email the author." I will post for you a CentOS 6.2 Virtual Machine DEFAULT INSTALL hosted on an external IP address. I will use *NONE* of the security measures mentioned in this article. I will even turn the firewall off.

You can hack away to your heart's content. I will monitor all of the packets in and out (naturally) to see exactly how you "hack" my off-the-shelf, completely unsecured virtual machine. I will bet you a barrel of ale you cannot do it.

On the other hand, I could post a Windows 7 system (fully patched) default install to an external address and with the firewall turned off I don't even need you to hack it. Within a week an IP address from China will have done it for you.

Hell, there are a few hundred IRC servers where you can buy zero-day software to do exactly that for $100 USD.

"Easier to hack Linux" my ASCII.

2
0

Re: @your rubbish

1.) Current Windows OSs have fewer and less severe vulnerabilities than Enterprise Linux distributions, and this has been the case every year since 2003

2.) That on average are fixed faster with fewer days at risk compared to Linux.

3.) The above still holds with a 'feature set' adjusted Linux distribution to match the content of Windows

4.) 7 onwards is inherently more secure in pretty much every way than Linux. Older OSs it varies, but I did say current versions. Things like secure boot chain, ASLR, NoExecute came first in Windows. Linux had to implement bolt-ons like SEL to even come close to what is out of the box in Windows.

See http://blogs.technet.com/b/security/archive/2012/03/20/trustworthy-computing-learning-about-threats-over-10-years-part-5.aspx

http://blogs.technet.com/b/security/archive/2008/10/27/download-h1-2008-desktop-vuln-report.aspx

http://blogs.technet.com/b/security/archive/2008/05/15/q1-2008-client-os-vulnerability-scorecard.aspx

0
7

Re: "All other things being equal it is much easier to hack Linux."

Good luck hacking a current Windows server. Statistics prove you are many times more likely to be hacking running Linux as an internet facing server: http://www.zone-h.org/news/id/4737

0
6

Re: "All other things being equal it is much easier to hack Linux."

A) I have hacked the current Windows Servers. 2008R2 (fully patched) as well as 2012. (They fixed the bug.) Sometimes you just stumble across zero-days...

B) Considering Linux systems are often left unpatched as "fire and forget" systems, sure, I'll buy that more people manage to bust into a webapp on a Linux system than compromise Windows. Busting out of that web app to compromise the Linux system? I doubt that.

It also still isn't comparing like for like. Compare a modern Windows to a modern Enterprise Linux. Out of the box, fully patched...firewall off. That is not a contest Windows wins.

1
0

Who is this article aimed at?

The target audience seems to be a homebrew amateur running a linux server in the bedroom just to tinker.

1
2

Re: Who is this article aimed at?

Article is aimed at Windows admins who are cautiously branching out by deploying a few Linux systems.

5
0