The Register is reporting today that Linux servers have been recruited into a botnet.
In May we saw TROJ/JSRedir-R and many variants thereof attacking web servers. Last November SophosLabs reported that after more than six years there are still over 10 thousand Linux hosts infected with Linux/Rst-B.
What does this all mean? What it means is that non-Windows hosts are vulnerable, contribute to the global security problem and cannot be ignored. There are viruses and worms for Linux; the greater concern, however, is that Linux is primarily used as a server for many mission-critical, sensitive and public-facing applications. According to netcraft.com, Apache has a 47.17 percent market share as of August 2009 (mostly on Linux).
There are three primary means by which attackers are compromising Linux hosts. I will outline each of these and provide advice on what you might do to protect your Linux assets from intruders.
Problem: Password guessing SSH attacks. Too many systems use trivial passwords and predictable usernames for critical accounts. As mentioned in the SophosLabs blog on Linux/Rst-B, by guessing accounts such as root, apache, mysql, wwwuser and other stock accounts, bots are able to automatically scour the internet and find weak systems to exploit.
Solution: Use non-standard account names. Don’t allow keyboard-interactive logins on your OpenSSH server, and require the use of password-protected keys. This will eliminate close to 100% of these attacks with very little effort. The University of Georgia has a great Linux tutorial, and the University of California at Berkeley has a tutorial for Windows.
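As an added example (not part of the original post), here is a small POSIX shell audit of an sshd_config for exactly the settings just described: password and keyboard-interactive logins off, public-key login on. It assumes the OpenSSH of this era, where ChallengeResponseAuthentication governs keyboard-interactive logins, and the plain "Keyword value" config syntax; the two sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the settings that shut out password-guessing bots.
# sshd honours the FIRST occurrence of a keyword in the global section, so a hardened line
# appended below an earlier "PasswordAuthentication yes" is silently ignored; we mirror that.

# sshd_effective FILE KEYWORD -> first value set for KEYWORD (lower-cased), empty if unset
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        tolower($1) == "match"               { exit }   # only the global section counts here
        tolower($1) == key                   { print tolower($2); exit }
    ' "$1"
}

# audit_sshd FILE -> prints one line per setting; returns 0 only if all are as required
audit_sshd() {
    file="$1"; rc=0
    check() {   # check KEYWORD WANT DEFAULT_IF_UNSET
        val=$(sshd_effective "$file" "$1")
        [ -n "$val" ] || val="$3"
        if [ "$val" = "$2" ]; then echo "OK    $1 = $val"
        else echo "FAIL  $1 = $val (want $2)"; rc=1; fi
    }
    check PasswordAuthentication           no  yes   # no interactive password prompts
    check ChallengeResponseAuthentication  no  yes   # keyboard-interactive on OpenSSH of this era
    check PubkeyAuthentication             yes yes   # passphrase-protected keys are the only way in
    return $rc
}

# Constructed sample configs (not from any real host): one hardened, one that looks hardened
# but is defeated by an earlier duplicate keyword and a commented-out line.
hardened=$(mktemp); weak=$(mktemp); trap 'rm -f "$hardened" "$weak"' EXIT
printf 'PasswordAuthentication no\nChallengeResponseAuthentication no\nPubkeyAuthentication yes\n' > "$hardened"
printf 'PasswordAuthentication yes\n# PasswordAuthentication no\nPasswordAuthentication no\nChallengeResponseAuthentication no\n' > "$weak"

echo "== hardened"; audit_sshd "$hardened"; echo "exit=$?"
echo "== weak";     audit_sshd "$weak";     echo "exit=$?"
```

Run it against /etc/ssh/sshd_config on a real host to see which of the three settings still let password guessing through; the Match-block caveat means per-user overrides are not examined.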
Problem: Compromised FTP passwords. FTP does not encrypt credentials when they are sent across the wire. A combination of methods is being used to steal FTP passwords, including malware on Windows hosts that scrapes FTP passwords from client computers, and sniffing of network traffic in search of FTP transactions. The primary reason to use authenticated FTP these days is updating web content.
Solution: Stop using FTP… Really. It’s long past its due date and it’s time to move on to SCP and SFTP. Windows users who are familiar with many of the graphical FTP clients out there will find a comfortable friend in WinSCP. Another best practice to follow is never tell applications on any operating system to “Remember my password”. I have seen a lot of malware on Windows that specifically hunts down these stored passwords to send back to the criminals for their dastardly uses.
Problem: Insecure web applications. Every week I receive a list from the SANS Institute containing all the known web-based applications that have had vulnerabilities discovered since the previous week. The list is very long, and not updating any one of them can allow an attacker to compromise your host.
Solution: Carefully audit all software used to host applications on the open internet. Subscribe to the security mailing lists for all utilized applications, including BIND, Apache and all web-hosted applications. By subscribing to lists like the SANS list mentioned above, you can do a quick weekly audit to see whether applications you depend on have reported vulnerabilities. The best defense is to stay on top of where your weaknesses may be, and to patch early and often.