Linux malware? That'll never happen. Ok, just this once then Russian security outfit Dr. Web says it's found new malware for Linux. The firms says the “Linux.Lady.1” trojan does the following three things: Collect information about an infected computer and transfer it to the command and control server. Download and launch a cryptocurrency mining utility. Attack other computers of …
WHAT ? There are Linux admins who have actually configured the oh-so-vaunted Linux server to accept external comms without authentication ? Count my gast flabbered. Must be ex-Windows admins.
In any case, the next time I view another condescending comment on lusers running Windows in admin mode, I will link to this article with relish.
WHAT ? There are Linux admins who have actually configured the oh-so-vaunted Linux server to accept external comms without authentication ? Count my gast flabbered. Must be ex-Windows admins.
Yes, they must be, because it requires killing off safe defaults. It's as hard to bring a Linux service online in an unsafe state as it easy to do so under Windows, except when it's Joomla (as that even now defaults to adding the password in cleartext to a joining email, and requires such to be disabled explicitly instead of the other way around). But that's not really Linux, that's more like adding Word to Windows and then observing that macro risks are still with us because it's only been like 20 years or so that that risk not only exists but is actively being abused in the wild..
Not that you need to ADD anything to have problems with Windows - why would you otherwise have to add extra anti-virus?
>> It's as hard to bring a Linux service online in an unsafe state as it easy to do so under Windows<<
Tell that to the MongoDB devs with their "defaulting to secure is too difficult for users" attitude.
But yeah, most linux users don't know how to secure windows just like most windows devs don't know how to secure linux. And if the last time you used Windows was NT you probably think it still defaults to everything open...
First, if you read the article, you need a poorly secured server running Redis.
Second, from Redis' own site:
"Redis is an open source (BSD licensed), in-memory data structure store, used as database, cache and message broker."
So, it isn't Linux!
Linux condescension"
I'm not so sure that an OS can even be condescending. Although MS seem to be doing their best with some of the messages that appear during install or first log-in.
Anyway, getting back to what your point actually is, just because there are some "squeaky wheel" Linux zealots doesn't mean that they all are.
The way I see it is that no operating system is totally safe and while Linux does make an attempt, in most distros that I've used over the years, to keep itself secure on installation, there are all sorts of reasons why you can never count on complete safety.
Most of those reasons relate to the people running the systems in question. Just as it is possible to construct a Windows system that doesn't rely on a user being logged in as admin all the time, it is just as possible for a Linux (or MacOS) system to be compromised by a user that insists on being logged in as root or has their own account added to the root group.
It's the reason why some distros are so keen on using sudo rather than encouraging a root login. You take control for as long as you actually need it and no longer.
"t's the reason why some distros are so keen on using sudo rather than encouraging a root login"
a fair compromise, if the 'sudoer' user's password isn't super-short/easily-guessed
And disallowing ALL root logins for sshd (or any OTHER remote access) should be THE DEFAULT, but isn't always. [it's easy, just one line in sshd_config]
"It's the reason why some distros are so keen on using sudo rather than encouraging a root login. You take control for as long as you actually need it and no longer."
I think there's a fairly complex history here. Ideally nothing should run with higher privileges than it requires. Your mail daemon should have a mail user ID, your printer daemon should run as a printer user such as lp etc. In old-style Unix there was a user bin to own most of the standard executables so root wasn't even needed for installations. Nowadays all the executables seem to be owned by root and in general root privileges seem to be needed for more admin that used to be the case.
Sudo seems to have been introduced in the wake of that - no need for all those separate IDs & passwords. IMV it's a bad compromise between security and convenience with logging thrown in as a some sort of gesture. It means, of course, that a member of sudoers can get root privilege with their own password; it's marginally better than running as root but it does mean that anyone who manages to get that otherwise ordinary user password need nothing else to gain full control of the system. Certainly a direct root login shouldn't be possible, but su to root with a root password and even then only when necessary; in a large installation someone only responsible for printers, for instance, should user a lesser ID such as lpadmin.
But sudo caters for allowing users just the elevated access they need, not to sudo to a root shell.
I was a Unix admin for many years and would never allow someone sudo to ALL unless it were me, and always require a password (which has a minimum length and complexity of course). If you're the admin of a Linux server, you generally know how these things work and don't break the golden rule of allowing people access to things they don't need.
The default sshd_config is to not allow root logins. Sometimes you do need to login as root, though, and in that case disallow password logins entirely and use a key pair. When I have sshd running and my IP address is external, logs generally show thousands of attempts (mostly from China, Korea and eastern Europe) of a root login. Even though they fail it's pretty scary how many automated hackers there are and it only takes one careless admin to allow them opportunity.
Man page for sshd_config is here https://linux.die.net/man/5/sshd_config and states the defaults, which are pretty secure. I'd still remove password logins on all accounts and edit the hosts.allow and hosts.deny files.
It is not the first time. It happened on Synology NAS, which run busybox (a special version of Linux for low power CPU/RAM)
Synolocker: https://www.symantec.com/security_response/writeup.jsp?docid=2014-080708-1950-99
Same mode of infection: PEBCAK. A colleague got it, of course he had a SSH open to the web with no filtering, standard port (22) and an obvious password. There were also some flaws that Synology patched after that (admin 'backdoor' password like).
"It happened on Synology NAS, which run busybox (a special version of Linux for low power CPU/RAM)"
There seems to be an implication here that busybody is a version of Linux. It isn't. It's an all-in-one replacement for many of the normal Unix-style command line utilities for low resource situations where low resource includes running out of small flash storage. It requires a kernel which is a separate entity.
The same way that many "Windows" issues are caused by people ignoring all the dam warnings and running as full admin.
Well, that's the default so you can't really blame people for just using the product as it comes out of the box (or off a medium or network). In addition, try running it as a user and see just how easy that is (pretty close to impossible for the consumer versions).
That being said, it is worth observing that running it as admin only creates security problems with Microsoft Windows? Apple's OSX pretty much does the same thing, yet has far fewer issues (and, I may add, is ALSO an utter pain to run with just user rights).
" In addition, try running it as a user and see just how easy that is (pretty close to impossible for the consumer versions)."
Tell that to the tens/hundreds of thousands using it everyday in corporate/enterprise situations who seem to get by just fine.
Hyperbole?
We used to call Admin and Standard user accounts 'Distracted' and 'Undistracted' accounts.
"try running it as a user and see just how easy that is"
Been using Windows NT and its successors with an ordinary account since version 3.1. No harder than Linux. (Specifically, you or someone friendly needs to have an administrative account for occasional use, like installing software or working around the incompetence of (mainly Microsoft) developers who *themselves* ran as admin and so don't know how shit their product is. That apart, the OS works fine. Never understood why MS have "pants down, bent over" as the OOBE.)
"Never understood why MS have "pants down, bent over" as the OOBE."
I often remark on this and state that MS needs to change the initial setup to make a separate admin and user account instead. But I usually get shouted down by all the folks that previously commented smugly that all other OS's tend to have this very method as standard.
(Shrugs)
But I usually get shouted down by all the folks that previously commented smugly that all other OS's tend to have this very method as standard.
Why? It's not the perfect solution but, as you say, other OSs do it. Personally I wouldn't shout down a reasonable idea just because Microsoft don't currently do it. If they were to put this into a system, even the execrable Windows 10, it would be at least one reason to cheer.
Yes, in principle running Windows as an ordinary user without admin rights is quite straightforward. However in the real world (and particularly in the SME world where most work actually gets done) people have to run applications... not just Office and Internet Explorer, but horribly written monstrosities of programs often ancient in origin and specific to particular tasks or areas of industry.
Nine times out of ten these pieces of junk will simply not work without full admin rights, or if they do they don't work correctly.
And how is poor application design a Windows issue?
All the comments like this I hear at work come from Unix-trained admins who refuse to understand the Windows security model is fundamentally different than the Unix one, and they are hoist on their own smug petard time and again when the windows team run circles round the Unix guys (who are, before you scream and leap, "my side").
"Nine times out of ten these pieces of junk will simply not work without full admin rights, or if they do they don't work correctly."
Right Click "Run As Admin"
Heck even create an account for that application. Edit shortcut. Set to Run As....
Been doing that since XP.
I've been linux advocate for almost 25 years. I've been an *enterprise* linux admin for 15. I have background in... Mainframe (MVS/zOS/IMS/CICS/mq, VAX, networking, hardware support (Printers/Tapedrives/SNx controllers), HPUX, Solaris. I've built hundreds of PCs over the years for family and close friends (for new kids in the it biz DO NOT do that).
Simply put, if you *investigate* and *work* at it any application can be installed in it's own user account on any OS, there tends to be a ch**ton of work *prior* to the install and there has to be relevantly appropriate comprehension on the part of the installer at run time, but it *can* be done in almost *all* cases. In some *very* few cases special permissions (both *nix and *dows) may be needed on specific binaries to keep things operational.
Major issue: most admins/app owners have insufficient TIME.
Time to INVESTIGATE
Time to LEARN
Time to work on DOING IT RIGHT.
I've had almost 30 years in IT getting various portions of my anatomy singed off in various ways. I now have sufficient karma to tell folks to go to hell while I figure out how to do it well. If not *right*.
If you install and run as (root/Administrator) any application, the first time someone finds a hole in that application, your entire *environment* is immediately at risk in any case.
<Yes, I'm seriously a grumpy old fart this morning. Send me to fix a raid 5 array with one dead disk and one failing on write commit errors. BACKUPS!>
"The problem is instead between the ears of those who run Redis without requiring a password for connections."
That surely isn't a linux problem.
"Dr. Web reckons its own anti-virus for Linux will squash Linux.Lady.1 flat in no time."
I don't have any experience with Dr. Web, and I've never felt the need to seek out an AV for my linux installations. Do any of the commentards here have any info re: Dr. Web that they'd care to share?
"That surely isn't a Linux problem."
Yup. Here we have some application set up to run insecurely by default and suddenly it becomes a vehicle for selling some nostrum for the OS on which it runs, despite said OS having a reputation for not needing such nostrums. I think I detect a salesman at work and adjust my cynicism levels accordingly.
This post has been deleted by its author
Instead of staying on topic, almost everyone jumps into the ridiculous argument of UNIX vs Windows.
Really guys? If you're distracted by such idiocy, just how good can you be at administrating an operating system? I would hope you'd be more professional and not let some post agitate you.
You'd serve yourself better by taking these articles and using them as "lessons learned" to ensure your systems are secure. Just because you believe your systems are securely configured doesn't make it so.
"everyone jumps into the ridiculous argument of UNIX vs Windows."
I feel like we're really close to a final answer on that debate that we can all agree upon. I think if I stay up all night typing posts about all linux users being involuntary virgins that will help move things along to a final conclusive answer by tomorrow.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
