The Linux Letter for June 19, 2000
How secure is your system? Not just your Linux system, but any computer that you use? Do you use unique, cryptic passwords when you log into your home network? Do you share your hard drives on your computer that's connected to a cable modem? Are you running the latest version of your network-enabled operating system?
Probably not. All of that stuff is hard to do. And it's not that you don't care about security, right? Anyway, who's interested in breaking into your computer?
You'd be surprised.
Here at the NOSPIN NOC (Network Operations Center), we use Linux on all but one computer (there's a lone system running Windows 2000). Even though all of the systems are freely accessible from the Internet, I know that Linux is a very secure operating system. Secure, that is, as long as I, as a system administrator, install the latest versions of critical programs and keep abreast of security issues.
Well, the systems were not as secure as I thought. How did I know? Because one day, I noticed that Internet bandwidth in the NOC was very low. And it had been low for a few days. So I did some investigating and discovered that people were using one of the computers…on accounts that I didn't create.
My first reaction was to pull the system off the network. Then I looked closely at the computer. I discovered that my "secure" Linux system had been so thoroughly penetrated that over a dozen people had gained access to it…as root!
How did it happen? I wasn't security conscious. The system that was cracked was running an old version of Red Hat Linux that hadn't been updated with any security patches. So, somebody discovered that the copy of amd that was running had a vulnerability and exploited it. After gaining root access, the cracker created new accounts and used the system to run scripts that probed even more computers for vulnerabilities.
I also discovered that certain critical programs had been modified. The ps command had been replaced by a script that simply generated a bogus list of processes so that I, as root, could not see what programs the intruder was running. And the shutdown command did nothing but erase all of the log files.
Fortunately, I was able to examine and back up the logs before the data was lost. Unfortunately, the intruder was doing his work from domains outside the US, notably Malaysia and Singapore. Only one ISP was in the US, but that account had been stolen.
So I started doing my homework. I discovered that the default installation of Red Hat runs processes and opens ports that just aren't necessary for the normal, day-to-day operation of a computer. The program that caused all the trouble, amd, is used for automounting NFS shares…but none of the systems in the NOC use NFS. I found that several ports were open that didn't need to be. The computer didn't provide ftp or web services, yet ports 21 and 80 were wide open.
So I took a conservative approach to securing the system. I closed every port that wasn't absolutely necessary. I shut down any service that wasn't in use. And I upgraded the operating system to the latest version of Red Hat Linux and applied the security patches. I changed passwords to random alphanumeric strings.
Then I did the same thing to every other computer on the network. Does that make the network secure? Well, the best assumption is that no network is completely secure. So, I make backups of all critical data and look at the system logs every day. So far, the network is secure.
Do you need to do the same thing? Maybe not. If your system connects to the Internet with a dialup modem, then you have the safety of a fairly random IP, making it harder for a cracker to break into your system. But if your Internet access is provided by cable or DSL and you have a static IP, then you should consider isolating your computer with a firewall. You can do it with the built-in firewall tools that come with Linux, with a third party firewall application for Windows, such as WinGate, or for Linux, like NetMax.
If you don't want to use a firewall, then protect your machine by turning off every networking service that you don't absolutely need. Keep your software current. Be aware of what's happening with your computer. If it's running slowly, doing things differently than before, or something doesn't feel right, then look for evidence of tampering. A program like Tripwire is just the thing to help you keep track of any changes to your operating system's files.
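The kind of file-change tracking Tripwire does, and the way it would have exposed the replaced ps and shutdown described earlier, as an added example that is not part of the original newsletter or of Tripwire itself. The function names, the baseline file and the stand-in "ps" and "shutdown" files are constructed for this demonstration; it needs only a POSIX shell and sha256sum (or shasum).

```shell
#!/bin/sh
# Added example, not from the original newsletter: a minimal file-integrity
# check in the spirit of Tripwire. It records a SHA-256 baseline for chosen
# files and later reports any that were modified or removed, which is how a
# replaced ps or shutdown binary would be caught. Function names, the
# "baseline" file name and the sample files are constructed for this demo.

# Hash one file; falls back to shasum where coreutils sha256sum is absent.
hash_file() {
    sha256sum "$1" 2>/dev/null || shasum -a 256 "$1"
}

# baseline_create BASELINE FILE... : record "<hash>  <path>" per file.
# Keep the baseline on read-only media: an intruder with root can rewrite it.
baseline_create() {
    baseline=$1; shift
    : > "$baseline"
    for f in "$@"; do
        hash_file "$f" >> "$baseline" || return 2
    done
}

# baseline_verify BASELINE : print MODIFIED/MISSING lines,
# return 0 if everything matches, 1 otherwise.
baseline_verify() {
    changed=0
    while read -r sum path; do
        if [ ! -e "$path" ]; then
            echo "MISSING  $path"; changed=1; continue
        fi
        now=$(hash_file "$path" | cut -d' ' -f1)
        [ "$now" = "$sum" ] || { echo "MODIFIED $path"; changed=1; }
    done < "$1"
    return $changed
}

# Constructed scenario: baseline two stand-in binaries, then tamper with "ps"
# the way the article describes, and verify. Returns baseline_verify's status.
demo_tampered_ps() {
    d=$(mktemp -d)
    printf 'genuine ps\n' > "$d/ps"
    printf 'genuine shutdown\n' > "$d/shutdown"
    baseline_create "$d/baseline" "$d/ps" "$d/shutdown"
    printf 'bogus process list\n' > "$d/ps"     # simulated trojaned ps
    baseline_verify "$d/baseline"; rc=$?
    rm -rf "$d"
    return $rc
}

# Run the demo only when invoked as: sh integrity.sh demo
if [ "${1:-}" = "demo" ]; then demo_tampered_ps; fi
```

In practice the baseline is taken right after a clean install and the check is run from cron, with the baseline and the checking tools kept where a root-level intruder cannot rewrite them.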
You can learn plenty about securing your Linux system at the Linux Security web site at http://www.linuxsecurity.com
Remember, if you don't pay attention to security issues, you'll increase your exposure to damage. And, like everything else, cleaning up is harder than being prepared.
WinGate: http://www.wingate.com
NetMax: http://www.netmax.com
Tripwire: http://www.tripwire.com