Re: A question of Security

Steve Shah (sshah@alteon.com)
Thu, 16 Dec 1999 10:14:30 -0800


On Wed, Dec 15, 1999 at 05:14:19PM -0800, David W. Robinson wrote:
> I am currently trying to convince our network people of the safety of
> using a Linux machine as an internet server, running Apache and
> Realmedia Streaming Media. What I am looking for is evidence,
> articles, papers etc that compares the security of a Linux server against
> the security of a box running Solaris and other common Unix
> Operating systems. Can anyone help by pointing me in the right
> direction, or sending me material to use in the defense of Linux?

Most OS's are as secure as you make them. This means being
vigilant about monitoring and letting paranoia take
command. Trying to find a paper on which OS is more secure will
be difficult because no OS is perfect and most break-ins occur
because of administrative mistakes, not technical flaws in the
software.

Most common mistake: Poorly written CGI scripts. The contest that
ZD Labs held between NT and Linux was flawed because the hole
that the intruder got into wasn't in the OS, it was in the CGI
script. One point to argue is that Unix based systems give you
some damage control since the CGI script can run as a
non-privileged user. (Apache as a whole runs as a non-privileged
user.)

Second mistake: Un-encrypted remote access. Whether this is by
web interfaces or telnet -- you send a password over the net in
cleartext, some bored hack sitting in between is going to listen
to it. If you're a commercial shop, break down and buy SSH for
remote logins. If you're going to have webified administrative
tools, make sure you have SSL support in the web server. It
doesn't matter what OS is underneath if your password to the web
admin tool gets compromised.

Third mistake: Leaving unnecessary services on. Do a quick
netstat -an on your box -- what ports are you listening to? Are
you listening to port 111? Do you need to have portmapper
running? Do you need to offer NFS or NIS services? On most
internet services, this is a firm NO. If you don't need it, turn
it off. Malicious folks can't exploit what isn't there. NT is
just as vulnerable there with file and print sharing on by
default. In short, you need enough control of the system that you
can look at all the listening ports and selectively turn off what
you don't need. In the end, you should be able to name off every
port that the system is listening to and explain why it is
necessary. Once you've got this list nailed down, track the
development of all the software listening to those packages and
look for security updates. Again, NT is just as vulnerable here
-- Microsoft regularly releases security hotfixes.

Fourth mistake: Potentially dangerous services that need to be
accessible to your internal network aren't firewalled off from
the outside. This problem applies to both NT and Unix. For
example, if you need to have remote file sharing turned on, make
sure outsiders can't access it. Under Linux 2.2, you can do this
with ipchains. I'm not sure of an equivalent under NT, but a
second box acting as a firewall is going to be necessary.

Fifth mistake: Not updating software to the latest secure
versions. It's frightening to see the number of servers out there
that are running really old versions of Sendmail or BIND or
... NT is no exception to the rule. Older versions of IIS had
some serious security flaws and you'll still see them out there.

All of these mistakes can apply to any OS. The reason for selecting
Linux over another OS (esp. NT) is that all of the tools to help
you secure your system come with most distributions. Furthermore,
Linux gives you a fine grained control over these details. NT, by
design, is meant to hide the "ugly details" away from you which
means possible "surprises" later on.

If your server is going to be co-located, the ability to do
remote upgrades should also be of concern. With Linux, you can
log in to the system via ssh and perform administration on it as
if you were on its console. And except for the kernel, there are
no upgrades that require a reboot.

-Steve
(whose personal co-lo'd Linux server has been up 201 days)

--
______________________________________________________________________________
Steve Shah (sshah@alteon.com) | Alteon Web Systems Inc. (Developer/Sysadmin)
    http://www.alteon.com     |   Voice: 408.360.5500  Fax: 408.360.5500
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
New to Linux Administration? Check out Linux Administration: A Beginners Guide

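The port audit described under "Third mistake" above, as an added example that is not part of the original message: it reads `netstat -an` output and reports every listening port that has no written justification. The function names, the allowlist format ("proto/port reason") and the sample data are assumptions made for this illustration.

```shell
# Added example. Function names, allowlist format and sample data are
# assumptions made for this illustration, not taken from the message.
# unexplained_listeners ALLOWLIST   (reads `netstat -an` output on stdin)
# ALLOWLIST lines look like "tcp/80  reason"; '#' starts a comment.
# An entry with no reason text does not count as explained.
unexplained_listeners() {
    awk '
        mode == "allow" {
            sub(/#.*/, "")
            if (NF >= 2) allowed[tolower($1)] = 1
            next
        }
        /^(tcp|udp)/ {
            proto = substr($1, 1, 3)              # tcp6/udp6 -> tcp/udp
            if (proto == "tcp" && $NF != "LISTEN") next
            # UDP has no LISTEN state: treat every unconnected socket as open
            if (proto == "udp" && $NF == "ESTABLISHED") next
            port = $4
            sub(/.*[:.]/, "", port)               # text after last ":" or "."
            key = proto "/" port
            if (!(key in allowed) && !seen[key, $4]++) print key, $4
        }
    ' mode=allow "$1" mode=net -
}

# Constructed sample data, not captured from a real host.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:1023           ESTABLISHED
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 0.0.0.0:2049            0.0.0.0:*
EOF
}
sample_allowlist() {
    cat <<'EOF'
tcp/80   Apache, the public web site
tcp/22   sshd, remote administration
tcp/111                 # no reason given, so still reported
EOF
}

list=$(mktemp) && sample_allowlist > "$list"
sample_netstat | unexplained_listeners "$list"   # listeners to justify or turn off
rm -f "$list"
```

On a real host, pipe `netstat -an` into `unexplained_listeners` with your own allowlist file; an empty result means every listener has a stated reason.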