The Linux Letter for May 8, 2000
Welcome to a very much delayed issue of The Letter! School takes its toll, and I haven't been able to churn anything out for a while. So hopefully the wait was worth it.
Unless you've been hiding under a rock for the past week, you know about the ILOVEYOU worm that cruised the Internet last week wreaking havoc on computers that run Microsoft Outlook as their email client. The worm, actually a Visual Basic script, deleted some files, renamed others and then attempted to send itself to every email address in the address book. Since some of the affected files were critical system files, this particular program caused a lot of trouble.
Every time one of these things pops up, virus awareness increases. Generally, there is a lot of barn door closing as IT departments scurry to install anti-virus software, or update the out-of-date software they already have. Obviously, it's too little too late.
And every time a virus hits the news, I get emails and phone calls asking about Linux's vulnerability to a virus. And my stock answer is, "Probably not."
Why?
On a properly administered system (and that's significant), important system programs are protected from malicious tampering. The daemons and other "low level" programs and scripts are generally protected from being changed by anyone other than root. And to be root, you need the password.
That's not to say that a user's files couldn't become infected. Alan Cox, a man who should certainly know a thing or two about Linux, says that a virus can be written for any operating system. But since Linux was designed from the start as a multi-user operating system, the separation between one user and another, and between ordinary users and root, is built in rather than bolted on, and that keeps security very tight.
What Linux, like any other operating system, is vulnerable to is a worm. The ILOVEYOU worm, improperly called a virus, is such a thing. A worm is a self-propagating program. Classically, worms were designed to grow and consume resources of a computer or a network, but the term has lately come to apply to programs that simply replicate themselves across networks.
The worm enters the system, perhaps disguised as an innocuous file attachment, as was ILOVEYOU. Then it runs and performs whatever task it was designed to do. But the important thing here is that under Linux the program runs with the privileges of the user who launched it, so the only files it can affect are the ones that user is allowed to write: normally, the user's own files. And that's where smart system administration comes in.
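The protection described above only holds if the system programs really are owned by root and writable by nobody else. The following is an added example, not part of the original newsletter, of a small audit that reports files under the given directories which break that rule. The function names (unprotected_files, count_unprotected) are my own, and the directory list in the comment is an assumption about what a RedHat 6.2 box of the era would have.

```shell
#!/bin/sh
# Added example (not from the original newsletter): audit the property that
# only root may change system programs. A file that is not owned by the
# expected owner, or that group/other can write, is one that a worm running
# as an ordinary user could overwrite.

# unprotected_files OWNER DIR...
# Prints every regular file under DIR... that is not owned by OWNER, or that
# has the group-write (020) or other-write (002) permission bit set.
unprotected_files() {
    owner=$1
    shift
    find "$@" -xdev -type f \
        \( ! -user "$owner" -o -perm -020 -o -perm -002 \) \
        -print 2>/dev/null
}

# count_unprotected OWNER DIR...
# Same check, but prints only the number of offending files, which is the
# convenient form for a nightly cron job that mails you when it is non-zero.
count_unprotected() {
    unprotected_files "$@" | wc -l | tr -d ' '
}

# Typical use on a real system (assumed paths for a RedHat 6.2 style layout;
# adjust for your distribution). A clean system prints nothing:
#   unprotected_files root /bin /sbin /usr/bin /usr/sbin /lib
```

Run it as root so that find can descend into every directory; on a clean system the first function prints nothing and the second prints 0. Anything it does print is worth a look before you worry about viruses.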
You should never, NEVER log in as root. If you can absolutely help it at all, don't log in as root. Think of the root account as the fire alarm that evacuates a 100 story skyscraper. You'd better have an extremely good reason for using it.
If a program needs to be installed using root privileges, make sure that you know that it is safe. Compare file sizes, dates, checksums…anything that you can to make sure that you are convinced that what you are installing is what you mean to install. If you can't verify the integrity of a piece of software, then think twice about using it.
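Here is an added example, not from the original newsletter, of the checksum comparison suggested above: one function that checks a file against a digest you obtained from the author, and one that looks the expected digest up in a SHA256SUMS-style list. It uses sha256sum, which is an assumption on my part (a box of the era would have used md5sum; the shape of the check is the same). The function names and the sample file contents are my own.

```shell
#!/bin/sh
# Added example (not from the original newsletter): verify that a package
# you are about to install as root is the one its author published.

# verify_checksum FILE EXPECTED_SHA256
# Returns 0 if FILE's SHA-256 digest equals EXPECTED_SHA256, 1 otherwise.
# The mismatch is reported on stderr so the function is usable in scripts.
verify_checksum() {
    file=$1
    expected=$2
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# expected_from_sums FILE SUMSFILE
# Looks up FILE's basename in a list of "<hex digest>  <name>" lines (the
# format sha256sum itself writes) and prints the digest, or nothing.
expected_from_sums() {
    name=$(basename "$1")
    awk -v n="$name" '$2 == n { print $1; exit }' "$2"
}

# Typical use: the digest list comes from somewhere other than the server
# that handed you the package, otherwise a tampered server can rewrite both.
#   verify_checksum pkg.tar "$(expected_from_sums pkg.tar SHA256SUMS)" \
#       && rpm -i pkg.tar
```

The caveat in the last comment is the whole point of the exercise: a checksum that arrives alongside the file, from the same place, tells you only that the download was not corrupted in transit. Get the digest from the author's announcement, a mirror you trust, or a signed release note before you let the package anywhere near root.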
Guard your password. Make sure that the root password is a combination of numbers and upper and lowercase letters. It should be as random as possible and as long as possible.
Know your users. Examine your system logs. Look at what ports are open to the Internet. Your system can be as secure or as insecure as you desire. In the end, a little bit of common sense and a small dose of paranoia can go a long way toward preventing costly system downtime.
OK, maybe it's been a little bit longer than a week since the last tip, but this one's appropriate.
You've finally decided to take control of how your system talks to the outside world. But you want to know just what ports are open. One way is to use the netstat command:
netstat -na
Stand back, though, because you'll probably get a flood of information that may not be all that easy to understand. Try this instead:
lsof | grep inet
lsof lists every open file on the system, and the grep keeps only the entries for network (inet) sockets, so you see just the connections and listening ports.
I use RedHat Linux, and under RedHat 6.2, you'll find netstat in /bin/. lsof lives under /usr/sbin.
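The netstat flood can also be boiled down to the one question you actually care about: which ports are listening, and which of those are bound to every interface rather than just localhost. The script below is an added example, not from the original newsletter. It reads netstat -na style output on standard input, so it runs here against a constructed sample; the function names are mine, and the sample lines are invented to look like that era's netstat output. (On a current system, lsof -i and ss -tuln give the same information with less noise.)

```shell
#!/bin/sh
# Added example (not from the original newsletter): reduce `netstat -na`
# output to a short list of listening sockets, then to the subset that is
# reachable from outside the machine.

# Constructed sample of `netstat -na` output (not captured from a real host).
# It mixes IPv4, IPv6 and UNIX-domain lines so the filter has something to
# throw away.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.5:22          192.168.1.9:40122       ESTABLISHED
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     12345    /dev/log'

# listening_ports: read netstat -na output on stdin and print one
# "proto port address" line per socket that accepts traffic: TCP sockets in
# the LISTEN state, and every UDP socket (UDP has no listen state).
# The port is whatever follows the last colon, which also copes with
# IPv6 addresses such as ":::80".
listening_ports() {
    awk '
        ($1 ~ /^tcp/ && $6 == "LISTEN") || $1 ~ /^udp/ {
            n = split($4, parts, ":")
            port = parts[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            print $1, port, addr
        }' | sort -u
}

# exposed_ports: keep only sockets bound to all interfaces (0.0.0.0 or ::),
# i.e. the ones the Internet can reach. Anything bound to 127.0.0.1 is
# local-only and drops out of the list.
exposed_ports() {
    listening_ports | awk '$3 == "0.0.0.0" || $3 == "::" { print $1, $2 }'
}

# Run against the constructed sample; on a real box pipe netstat in instead:
#   netstat -na | exposed_ports
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_ports
```

For the sample the exposed list is ports 22 and 111 on TCP, 80 on TCP over IPv6, and 111 on UDP; the mail daemon on 127.0.0.1:25 is correctly left out. If a port turns up that you do not recognise, lsof (with the grep above, or lsof -i on a newer system) will tell you which process owns it.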
Happy computing!
Drew Dunn