Announcement

Collapse
No announcement yet.

How secure is Linux?

Collapse
This topic is closed.
X
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    How secure is Linux?

    So, someone comes up to you, and is shoulder surfing you going about your everyday PC use. Suddenly you hear they cry, "Ah, that's not Windows! What is it?!". An explanation that you're running Linux is likely to be met with a blank stare and a follow up question; "What's that? Why are you using it?" (assuming we're talking about Joe Public here).

    One of the points frequently made about Linux is not only do few people bother writing malicious code for it - the malicious code is going to have a tough time getting into your system. Long term, a computer running Linux might need reformatting for cosmetic reasons, but decreasing performance is unlikely to become an issue (whereas 1/2 months of Windows use drags the PC down).

    But just how secure is Linux? I think there might be a firewall running with the system, but for users installing and wanting a working system out of the box (read: myself), configuring it isn't something you bother with. As far as I'm aware, no one bothers running any AV software either (hopefully I can get a poll up on this issue). Certainly I don't, though coming over from Windows, it's something I'm considering.

    Just want to throw this one wide open really, and hear the opinions of ordinary users.
    26
    Yes, you're mad not to!
    3.85%
    1
    I'd like to, but have no idea where to start...
    7.69%
    2
    No, this is Linux, don't be ridiculous!
    38.46%
    10
    Meh, the added security is minimal, and it's not worth the effort.
    50.00%
    13

    #2
    The real answer is: As secure as you want it to be.

    It is natively far more secure than windows but can be made even more so with tools like a firewall if you feel the need. AFAIK there are no virus scanner programs for linux viruses because in the real world there aren't enough of them to justify it. There are a few that scan for windows viruses so you don't pass them on to windows users, but that's usually a server function and most linux users don't bother with them. I usually install rkhunter (rootkit protection) but that's about it.

    IMO, the main reason no one writes malicious code for linux is there are too many security features you would have to defeat. The first level of security linux offers involves the concept of file ownership and permissions. Even if you did find a linux virus, you'd have to give it your admin password and install it yourself.

    Other security things you can do: No root password (Kubuntu default), have a dedicated admin user account to do installations and updates and don't use your system with this account, use iptables, use a firewall, use non-standard ports for vulnerable functions (like ssh), turn off all unused ports/services, keep your system up to date, use virtual machines to access the internet...

    ...I'm sure there's more that I can't think of right now. There's even a linux (Xen) based distro which is security centric and adds additional levels of security called Qubes OS.
    Last edited by oshunluvr; Oct 15, 2012, 12:41 PM.

    Please Read Me

    Comment


      #3
      Personally, I run Kubuntu (12.04 for the next four years) just the way it installs itself, which is a "default" install. I turn off the ping echo in my wireless router, and Kubuntu locks all my accessible ports. For what it's worth, "ShieldsUp!" shows all ports as green (locked, no response to any ACKs). I don't save unrequested email attachments, to say nothing of marking them executable and then running them -- just about the only way malware could infect a Linux box that isn't running a Java VM or Adobe flash. I use to run chkrootkit and rkhunter as a daily cron but Kubuntu precise didn't install them and I decided not to.

      I used to run AV software for the sake of my Windows using friends, so that if I passed an email on to them they wouldn't get infected. BUT, most of my friends and relatives now run Kubuntu, so I removed the AV. About 6 months ago I stopped using KMail and now use gmail as my primary email client.

      In nearly 15 years of using Linux, half of them without any "protection", I have NEVER encountered a Linux virus or Trojan. I have both Flash and Java VM installed and have yet to see Linux malware. My ports show no attempts at breaking in.
      "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
      – John F. Kennedy, February 26, 1962.

      Comment


        #4
        File sharing probe results on my system:

        Shields UP! is checking YOUR computer's Internet
        connection security . . . currently located at IP:

        216.152.181.127


        Please Stand By. . .
        Attempting connection to your computer. . .
        Shields UP! is now attempting to contact the Hidden Internet Server within your PC. It is likely that no one has told you that your own personal computer may now be functioning as an Internet Server with neither your knowledge nor your permission. And that it may be serving up all or many of your personal files for reading, writing, modification and even deletion by anyone, anywhere, on the Internet!
        Your Internet port 139 does not appear to exist!
        One or more ports on this system are operating in FULL STEALTH MODE! Standard Internet behavior requires port connection attempts to be answered with a success or refusal response. Therefore, only an attempt to connect to a nonexistent computer results in no response of either kind. But YOUR computer has DELIBERATELY CHOSEN NOT TO RESPOND (that's very cool!) which represents advanced computer and port stealthing capabilities. A machine configured in this fashion is well hardened to Internet NetBIOS attack and intrusion.
        Unable to connect with NetBIOS to your computer.
        All attempts to get any information from your computer have FAILED. (This is very uncommon for a Windows networking-based PC.) Relative to vulnerabilities from Windows networking, this computer appears to be VERY SECURE since it is NOT exposing ANY of its internal NetBIOS networking protocol over the Internet.


        Your system has achieved a perfect "TruStealth" rating. Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests. Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests). From the standpoint of the passing probes of any hacker, this machine does not exist on the Internet. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system wisely remained silent in every way. Very nice.


        Port

        Service

        Status
        Security Implications

        0

        <nil>

        Stealth
        There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

        21

        FTP

        Stealth
        There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

        22

        SSH

        Stealth
        There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

        23

        Telnet

        Stealth
        There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

        25

        SMTP

        Stealth
        There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

        79

        Finger

        Stealth
        There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

        80

        HTTP

        Stealth
        There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

        110

        POP3

        Stealth
        There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

        113

        IDENT

        Stealth
        There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

        119

        NNTP

        Stealth
        There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

        135

        RPC

        Stealth
        There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

        139

        Net
        BIOS

        Stealth
        There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

        143

        IMAP

        Stealth
        There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

        389

        LDAP

        Stealth
        There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

        443

        HTTPS

        Stealth
        There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

        445

        MSFT
        DS

        Stealth
        There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

        1002

        ms-ils

        Stealth
        There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

        1024

        DCOM

        Stealth
        There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

        1025

        Host

        Stealth
        There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

        1026

        Host

        Stealth
        There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

        1027

        Host

        Stealth
        There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

        1028

        Host

        Stealth
        There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

        1029

        Host

        Stealth
        There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

        1030

        Host

        Stealth
        There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

        1720

        H.323

        Stealth
        There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

        5000

        UPnP

        Stealth
        There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
        And like GreyGeek, my system is in a default configuration as far as network security is concerned - no added firewall applications.
        Last edited by Snowhog; Oct 15, 2012, 05:23 PM.
        Windows no longer obstructs my view.
        Using Kubuntu Linux since March 23, 2007.
        "It is a capital mistake to theorize before one has data." - Sherlock Holmes

        Comment


          #5
          Hmm....my system is also standard Kubuntu but failed the Shields Up tests.

          Solicited TCP Packets: RECEIVED (FAILED) — As detailed in the port report below, one or more of your system's ports actively responded to our deliberate attempts to establish a connection. It is generally possible to increase your system's security by hiding it from the probes of potentially hostile hackers. Please see the details presented by the specific port links below, as well as the various resources on this site, and in our extremely helpful and active user community.

          Unsolicited Packets: PASSED — No Internet packets of any sort were received from your system as a side-effect of our attempts to elicit some response from any of the ports listed above. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system remained wisely silent. (Except for the fact that not all of its ports are completely stealthed as shown below.)

          Ping Reply: RECEIVED (FAILED) — Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation.
          And for the port report instead of listing my ports as Steath, they are listed as closed. Hmmm...

          Comment


            #6
            Originally posted by whatthefunk View Post
            Hmm....my system is also standard Kubuntu but failed the Shields Up tests.
            And for the port report instead of listing my ports as Steath, they are listed as closed. Hmmm...
            More than likely your wireless router is echoing the ping before Kubuntu sees it. So even with Kubuntu's iptables turning of ping echo your router will echo it unless you tell it not to.

            As for as some of your ports being too gabby, you may have installed an app which opened a hole.
            Do
            sudo netstat -lp
            and check its listing with your port address to see which app is being too mouthy.
            "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
            – John F. Kennedy, February 26, 1962.

            Comment


              #7
              Three things.


              Windows vs. Linux

              Properly administered, there is no appreciable difference: both can be very resilent against attack. The key here, of course, is properly administered. It has taken Microsoft a long time (too long, really) to migrate both the OS and its customers away from the assumption that all users are administrators. Hell, even with Windows 8, the initial user is an admin. Furthermore, SMB networking relies on broadcasts for service discovery, so every SMB node by necessity listens on at least one port. These two aspects, put in place long before Internet access was common, are the primary reasons why Windows came to be regarded as insecure.

              A well-maintained Windows machine can be a secure machine. It takes only one non-default configuration:
              • (default) the Windows firewall -- blocks SMB traffic not on the LAN
              • (default) User Account Control -- raises a consent dialog when a human or a piece of code wants to perform an admin function
              • (default) Windows updates -- monthly fixes (all software has bugs)
              • (not default) standard user -- run with "normal," not admin, privileges


              Prevalence of malware

              Bad guys are lazy. They write for maximum attack spread. Because Windows desktops are everywhere and because many machines are not up to date, they're attractive targets. Linux has a legacy of being run in environments with stricter configuration policies and change control; greater care and feeding generally means less utility for misuse. You don't see too many pwn3d Windows servers for the same reasons you don't see many pwn3d Linux machines: better maintenance.

              But to assume that anything based on Linux is by definition more secure is a mistake. See: Android.


              Gibson "Research" and Shields Up

              Pure scare-ifying, and not taken seriously by anyone in the security community. I've written about this before.
              Last edited by SteveRiley; Oct 16, 2012, 12:07 AM.

              Comment


                #8
                Originally posted by oshunluvr View Post
                Even if you did find a linux virus, you'd have to give it your admin password and install it yourself.
                This is not true, there are ways in which to gain access to a linux computer without the admin password and still gain full root prevliges. However, unlike windows these holes tend to get fixed very quickly when discovered which is why its most important to keep your system up to date.

                Other security things you can do: No root password (Kubuntu default)
                More accuratly kubuntu locks the root user acount so doesn't bother to set a password (passwd -l root to lock the root acount)

                Originally posted by SteveRiley View Post
                Windows vs. Linux

                Properly administered, there is no appreciable difference:
                I agree, but I do find it far easier to properly administer linux over windows, or is that just me?

                Comment


                  #9
                  Just read your post S-R and was about to post my reply, but ... I already did, right under post in your link to your Gibson analysis!

                  Qq said there:
                  "Glad to see your take on the Gibson site, SteveRiley. I have also noticed the things you mentioned and quit using the site long ago. I'm no expert at all on these issues; good to see your knowledgeable review/analysis of it."
                  An intellectual says a simple thing in a hard way. An artist says a hard thing in a simple way. Charles Bukowski

                  Comment


                    #10
                    Originally posted by whatthefunk View Post
                    Hmm....my system is also standard Kubuntu but failed the Shields Up tests.



                    And for the port report instead of listing my ports as Steath, they are listed as closed. Hmmm...
                    The best level of security is to have closed ports. If the ports are closed no one can get in to your pc. The stealth option is the next best level of security.

                    Comment


                      #11
                      SteveRiley: I've read your rant on the other thread. It's informative, but where you say
                      Gibson is enamored of his "stealth" mode checks. In reality, there is no such thing. If your computer opens a connection to a destination socket (that is, the tuple IP_addressort), you will receive one of three responses:

                      connection allowed
                      connection refused
                      no response
                      Your quite right in that there is no "stealth mode" but the "no response" is, I'm assuming, Gibson's interpretation of what is "Stealth mode".

                      I believe that at the end of the day this site highlights the possible breaches in security from Windows machines and if it gets the users to "beef up" the security of their systems than surely that's a good thing.

                      Comment


                        #12
                        Originally posted by james147 View Post
                        I agree, but I do find it far easier to properly administer linux over windows, or is that just me?
                        Maybe it's more a measure of that which one is familiar with? When I first started experimenting with Linux, my lack of knowledge really made things appear difficult. Now I'm pretty comfortable with many of the ins and outs. I'm actually beginning to forget some Windows admin stuff, especially XP!

                        Comment


                          #13
                          Originally posted by ArminasAnarchy View Post
                          Just want to throw this one wide open really, and hear the opinions of ordinary users.
                          IME a major vector for malware are for inexperienced users is downloaded software. Maybe they get some file in a format that their system doesn't recognize. Or they're told "use xyz", or "xyz is cool". They google it to find what looks a reputable site, done. Even non-criminal sites may slip in adware, so it's easy for malware to disguise itself.
                          Windows users have been falling into versions of this hole for decades. A good Linux distro's repositories make it much more secure.
                          Regards, John Little
                          Regards, John Little

                          Comment


                            #14
                            Originally posted by nickstonefan View Post
                            The best level of security is to have closed ports. If the ports are closed no one can get in to your pc. The stealth option is the next best level of security.
                            Originally posted by nickstonefan View Post
                            Your quite right in that there is no "stealth mode" but the "no response" is, I'm assuming, Gibson's interpretation of what is "Stealth mode".

                            I believe that at the end of the day this site highlights the possible breaches in security from Windows machines and if it gets the users to "beef up" the security of their systems than surely that's a good thing.
                            Gibson's fixation on ports is just one example of how he demonstrates a skewed understanding of security and risk. His notion of "stealthed" ports has created a lot of confusion but really solved nothing. Furthermore, since so many products decided that they needed to implement stealth, TCP/IP has been broken.

                            Here's an experiment. Most of you probably are running CUPS, if you have a default Kubuntu install. The CUPS service runs a deamon that creates a listening socket on port 631/tcp. You can even talk to it. Watch:
                            Code:
                            steve@t520:~$ [B]telnet localhost 631[/B]
                            Trying 127.0.0.1...
                            Connected to localhost.
                            Escape character is '^]'.
                            Here's the conversation:
                            Code:
                            steve@t520:~$ [B]sudo tcpdump -ti lo[/B]
                            1. IP localhost.50721 > localhost.ipp: Flags [S], seq 719613933, win 32792, options [...], length 0
                            2. IP localhost.ipp > localhost.50721: Flags [S.], seq 3311305689, ack 719613934, win 32768, options [...], length 0
                            3. IP localhost.50721 > localhost.ipp: Flags [.], ack 1, win 257, options [...], length 0
                            I've added line numbers to facilitate discussion, and omitted the options so that the lines don't wrap.

                            1. TCP SYN-flag from the client to the service listening on 631/tcp.
                            2. TCP ACK and TCP SYN-flag from the service to the client.
                            3. TCP ACK from the client to the service. This completes the TCP three-way handshake.

                            Now I'll close the connection:
                            Code:
                            [B]^][/B]
                            telnet> [B]quit[/B]
                            Connection closed.
                            steve@t520:~$
                            And here's the conversation:
                            Code:
                            4. IP localhost.50721 > localhost.ipp: Flags [F.], seq 1, ack 1, win 257, options [...], length 0
                            5. IP localhost.ipp > localhost.50721: Flags [F.], seq 1, ack 2, win 256, options [...], length 0
                            6. IP localhost.50721 > localhost.ipp: Flags [.], ack 2, win 257, options [...], length 0
                            4. TCP FIN-flag from the client to the service.
                            5. TCP ACK and FIN-flag from the service to the client.
                            6. TCP ACK from the client to the service. This completes the TCP four-way teardown.


                            Now I'm going to try to connect to some random port that has no listening socket:
                            Code:
                            steve@t520:~$ [B]telnet localhost 9999[/B]
                            Trying 127.0.0.1...
                            telnet: Unable to connect to remote host: Connection refused
                            steve@t520:~$
                            And the conversation:
                            Code:
                            steve@t520:~$ [B]sudo tcpdump -ti lo[/B]
                            1. IP localhost.54943 > localhost.9999: Flags [S], seq 2300475951, win 32792, options [...], length 0
                            2. IP localhost.9999 > localhost.54943: Flags [R.], seq 0, ack 2300475952, win 0, length 0
                            1. TCP SYN-flag from the client to the service listening on 631/tcp.
                            2. TCP RST-flag from the service to the client. The server resets the connection because nothing is listening on the specified port.

                            Gibson would call this a "closed" port. But this is a foreign concept to TCP/IP: ports are not "open" or "closed." On a host, ports are either in use or not. A connection request to a port not in use results in the computer's IP stack telling you so: "nothing here, sorry."

                            Once upon a time, firewalls behaved the same way. However, firewalls can also silently drop invalid incoming connection requests rather than replying with a reset. Here's an example, where I connect to the external interface of my firewall and specify a port that's not publishing anything:
                            Code:
                            steve@t520:~$ [B]telnet rileyz.net 9999[/B]
                            Trying 174.61.253.106...
                            [B]^C[/B]
                            Nothing happens, and I press Ctrl+C to kill telnet.

                            Here's the conversation:
                            Code:
                            steve@t520:~$ [B]sudo tcpdump -ti eth0[/B]
                            [B]^C[/B]
                            Is it really nothing? No. My computer sends SYN-flag datagrams, but since my firewall isn't publishing anything on port 9999/tcp, and my firewall doesn't send RST-flag replies, my computer receives nothing in response. So TCPdump displays nothing. The connection remains in a half-open state until I press Ctrl+C.

                            This is what Gibson calls a "stealthed" port. But is there really such a thing? No. Keep reading.

                            Only in the context of a firewall does it make sense to use "open" or "closed" to describe a port state. A port is open if there exists a rule that allows inbound connections to pass through the firewall to something behind it. A port is closed if no such rule exists. But whereas hosts respond with "nothing here, sorry" when incoming connections fail, firewalls nowadays simply drop the connection requests on the floor.

                            Why silently drop? Some time ago, it became fashionable to worry about whether that "nothing here, sorry" error might reveal tantalizing clues to an attacker. Gibson latched onto this, and decided that it was somehow more secure if a computer could act like a firewall when it receives incoming requests to ports that have no services. He invented the term "stealth" to describe the behavior, on a host, of a "closed" port on a firewall. So then he had to redefine "closed" -- which, remember, means nothing from the perspective of a host -- to reflect the "not in use" meaning on a host.

                            But a host can't act like a firewall: TCP/IP doesn't behave this way. A non-response to an incoming connection is a very early form of security theater that every firewall manufacturer decided it needed. Host-based firewalls adopted this feature very quickly. Zone Alarm was one of the first to do so, and Gibson made a lot of money shilling for it. To make a host act like a firewall requires installing additional software.

                            But this behavior breaks TCP/IP. The protocol was not designed to maintain lots of half-open connections. I can exhaust the resources of a firewall by sending a bunch of SYN-flags to ports that are open, cause the firewall to reply with its ACK/SYN-flags, and never send the final ACKs. The firewall will maintain each half-open connection for four minutes (two times the MSL, or maximum segment lifetime of two minutes). Similarly, I can exhaust the resources of a client by getting malware on the box that creates half-open connections on every usable port.

                            Why has a non-response been considered more secure than "nothing here, sorry"? It's based on the flawed assumption that hiding is useful or even possible. For actual servers that you actually want to receive connections, hiding is useless. Trying to maintain "stealth" when you want to have even one "open" port is just silly. Imagine you have a Windows HTTP server behind a firewall. The firewall has a single rule that allows connections to the server's port 80/tcp. If someone now tries to connect to port 139/tcp, who cares whether the firewall drops the requests or replies with an RST-flag? In both cases the connection is refused, which is the goal. "Stealth" is not more secure, and "closed" is not less secure. They're equivalent.

                            Hiding might make sense only when the computer has no need to listen for anything incoming. However, your computer is obviously still making outbound connections, and the moment you do that, your computer's presence -- its public IP address -- becomes known. Really, then, it's impossible to hide on the Internet. Given this, attempts to achieve "stealth" even on client PCs is just security theater.

                            Wow, this post got really long. If you've slogged your way through all of it, thanks much. Unfortunately, it takes much time and many words to explain why seemingly good and simple ideas like "stealth" actually make no sense at all.
                            Last edited by SteveRiley; Oct 16, 2012, 10:31 PM.

                            Comment


                              #15
                              Wow. Informative, and I mean that. Nice post.
                              Windows no longer obstructs my view.
                              Using Kubuntu Linux since March 23, 2007.
                              "It is a capital mistake to theorize before one has data." - Sherlock Holmes

                              Comment

                              Working...
                              X