Hi,

> "Nigel Henry" <cave.dnb2m9...@aliceadsl.fr> wrote:
> > How do rootkits get installed on your machine? ... Would you have to
> > have an Internet accessible webserver, or ssh server available?
> >
> > Would it be by having a cavalier attitude ... I would have thought
> > that you'd have to do something a bit foolish like running the
> > machine as root ... but I may well be wrong.
>
> I'd say that rootkits can happen to anyone, with the possible
> exception of serious security mavens who devote a lot of time and
> energy to locking down the box.
>
> I have had three boxes 'kitted over the years. Two were running older
> versions of Fedora, one was an early Red Hat. All were standard installs
> with basic LAMP stacks added. All had been lightly hardened (unneeded
> services shut down, ssh locked down etc).
>
> The lesson that I take from this is that some and perhaps all Linux
> distros 'out of the box' contain security vulnerabilities that allow
> them to be owned by a savvy attacker (I had a FreeBSD box that ran
> for more than three years without ever being compromised, but that
> had been expertly locked down by someone else). Each of the boxes
> was _more_ secure than the standard install, but both ended up being
> owned. The FC6 box was compromised within a couple of weeks of being
> set up, while the FC7 box held out for about a year. I was not able
> to identify the means that the attackers used to drop a rootkit on
> the boxes, but I'm pretty confident that it wasn't because I did any
> of the bone-headed things that you describe. My guess is that the
> exploits used a known vulnerability in either the distro or in some
> of the very standard and widely-used software
> (Apache, MySQL, PHP) that had been added.
>
> Incidentally, in the case of the Fedora compromises, rkhunter was
> installed and successfully detected the intrusion.
>
> The experts on this list will correct me if I'm wrong, but my take
> on this is that compromises needn't be due to sloppiness on the part
> of the administrator. It's simply that standard installs are not inherently
> secure. If you want to stay secure on the Internet, you need to go
> the extra mile and devote serious time and energy to locking the box
> down.

In 15 years of running Linux servers, I've had two occasions where two of
my servers had been compromised with rootkits. Both cases were because of
"new" attack methods which I was unaware of. The last (third) attempt was
thwarted a couple of months ago because of my experiences from the other
two successful compromises.

I personally wouldn't say it takes that much time or effort to secure a
box. Most distributions do come out of the box "open" to attack, but there
are things like Trustix Linux which do not. Just locking down a few of the
well-known services and ports will raise the security of the server with
only a few minutes' work.

For example, by default ssh listens on all interfaces and allows port 22
from anywhere. Lock it to listen on one interface and from certain source
IPs and usernames.

In terms of php and apache, there are good guides on how far you can go
with securing those: with php you can lock the directory accesses using
open_basedir; with Apache, run it through fastcgi mode and secure the /tmp
or /var/tmp directories, etc.

Make these small things part of your standard build and even if they
attempt to get in, they'll be thwarted.

Remember, this isn't Windows :) there's a lot you can do to secure Linux
with just some simple changes.

Regards,
Michael.

> Angus

------------------------------------------------------------------------------
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
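The two "standard build" checks Michael describes (ssh bound to one interface and limited to named users from known sources, PHP confined with open_basedir) can be audited before a box goes on the wire. The script below is an added example, not code from the thread or from the rkhunter project: it reads an sshd_config and a php.ini and prints one line per weak setting. The directive names (ListenAddress, AllowUsers, AllowGroups, open_basedir) are the real OpenSSH and PHP ones; the four config files it creates are constructed samples, and the addresses in them are documentation addresses, not real hosts.

```shell
#!/bin/sh
# Added example: audit an sshd_config and a php.ini for the hardening
# points from the thread. Config samples below are constructed.

# Print one line per finding for an sshd_config; prints nothing when hardened.
audit_sshd() {
  file="$1"
  # sshd listens on every interface unless a ListenAddress names a specific
  # address; 0.0.0.0, :: and [::] are wildcards, so they do not count.
  if ! grep -Ei '^[[:space:]]*ListenAddress[[:space:]]+' "$file" \
       | grep -Eivq '[[:space:]](0\.0\.0\.0|::|\[::\])(:[0-9]+)?[[:space:]]*$'; then
    echo "sshd: listens on all interfaces (no specific ListenAddress)"
  fi
  # Without AllowUsers/AllowGroups every local account is reachable over ssh;
  # AllowUsers also takes user@host patterns to pin a login to its source.
  if ! grep -Eiq '^[[:space:]]*(AllowUsers|AllowGroups)[[:space:]]+' "$file"; then
    echo "sshd: no AllowUsers/AllowGroups restriction"
  fi
  return 0
}

# Print one line per finding for a php.ini; prints nothing when hardened.
audit_php() {
  file="$1"
  # open_basedir limits the paths PHP may open; a commented-out or empty
  # value means a script can read anything the web server user can.
  val=$(awk -F'=' '/^[[:space:]]*open_basedir[[:space:]]*=/ { v=$2 }
        END { gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); print v }' "$file")
  if [ -z "$val" ] || [ "$val" = '""' ]; then
    echo "php: open_basedir is not set"
  fi
  return 0
}

# Number of findings, so a build script can fail when it is non-zero.
count_findings() {  # $1 = sshd|php, $2 = file
  "audit_$1" "$2" | wc -l | tr -d ' '
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed sample: a stock-looking sshd_config with the defaults commented out
cat > "$tmp/sshd_weak" <<'EOF'
#ListenAddress 0.0.0.0
#ListenAddress ::
Port 22
EOF

# Constructed sample: bound to one address, two named users from known sources
cat > "$tmp/sshd_hard" <<'EOF'
ListenAddress 192.0.2.10
Port 22
AllowUsers michael@198.51.100.0/24 deploy@203.0.113.5
EOF

# Constructed samples: open_basedir commented out vs. set to the docroot and /tmp
cat > "$tmp/php_weak" <<'EOF'
;open_basedir =
display_errors = Off
EOF

cat > "$tmp/php_hard" <<'EOF'
open_basedir = /var/www/html:/tmp
display_errors = Off
EOF

for f in sshd_weak sshd_hard; do echo "== $f"; audit_sshd "$tmp/$f"; done
for f in php_weak php_hard; do echo "== $f"; audit_php "$tmp/$f"; done
```

Run it against the real files (`audit_sshd /etc/ssh/sshd_config`, `audit_php /etc/php.ini`) from the post-install script and refuse to bring the host up while `count_findings` is non-zero. Binding sshd to one address does not by itself filter source IPs; the AllowUsers user@host patterns do that at the sshd level, and a host firewall rule on port 22 is the usual second layer.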