Re: Found, a new rootkit

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


On Sat, 2006-04-01 at 11:19 -0600, Les Mikesell wrote:
> On Sat, 2006-04-01 at 10:28, Craig White wrote:
> > I hear people talk about the lack of security in Windows but it seems to
> > me, exposing a Linux system to the Internet with shell accounts and weak
> > passwords is far more insecure than a typical Windows system.
> There's about 50,000 reasons you are wrong, mostly in the form
> of windows viruses that attack the rpc and similar services.
> On windows you don't need the equivalent of shell access since
> you can do anything through the remote management console.  As
> long as unpatched exploits exist (and they are still being
> found), passwords don't matter.  Even without exploits, anything
> running with domain admin privileges can do anything/anywhere
> and if you don't have a domain the same is true for machines
> that share the same admin password.  Thus even if the rpc,
> netbios, and http ports are firewalled, if you can get an
> admin to execute a trojan or open an email that auto-executes,
> you've got access to the whole network.
but Microsoft is learning - I suspect you haven't used a Windows 2003
server lately because they have made it painful to do web browsing.

Your point does assume that one is actually using the computer to do web
browsing and email and that would be plainly stupid on a Windows server
that is exposed to the Internet.

On top of that, and clearly getting way off the subject, I make sure
that all my Windows users are restricted accounts just because I don't
have the time or the energy to continually clean up the mess that comes
with running Windows as a privileged account.

I'm not stating that Windows is secure and poor administration
techniques on any OS are going to get people into a world of hurt...I'm
interested in raising the level of awareness for Linux users since their
skill sets or lack thereof might actually impact the perception of
others who don't understand and think that someone that knows how to
access a shell are skilled computer administrators and we often see
evidence that this isn't the case right here on the list. Hence this
thread - which evidently started as a warning to the users of this list,
which upon the smallest amount of inspection demonstrated that the
administrators of this system were their own worst firewall
system, no dmz, unnecessary shell accounts, weak passwords, poor ssh
implementation, etc. Add them all together and you've got a compromised
box where the system admin starts to blunder about blaming 'spoiled
users' because of the simplified passwords.

This is the bottom line...if you are going to expose a system to the

- use a commercial firewall if you don't have a thorough understanding
of what constitutes a firewall computer that you can assemble yourself.
A firewall system should not have shell accounts, compilers, etc.

- put exposed servers in a DMZ if you care about the data on your LAN
because a compromised system on your LAN should cause you to call in a
full security audit which would be time consuming and expensive. Why
subject your LAN to authorized use?

- investigate methodologies that don't require shell access. If all
people need to do is upload documents, try using anonymous ftp and
script a 'scrape' of the uploaded documents from the upload directory to
be mailed/copied elsewhere. If that isn't feasible, write a
php/perl/ruby html page that allows users to html upload files and does
proper notification to users that file has been uploaded. Shell access
is rarely ever needed on an exposed system.

- use a central authentication mechanism such as kerberos, LDAP, (or
better yet, the combination of the two) where you can set up a password
policy once and have it apply everywhere. If you are going to put shell
access on publicly exposed systems, you must learn to require strong
passwords, either by policy or by control.

- learn to configure ssh to block incessant attempts by others to break
in - many such methods have been discussed on list.


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux