On Wed, 2002-10-30 at 23:16, Dale Botkin wrote:
> Actually this is a first for me. I've cleaned up a few after they'd been
> hacked, but this is actually the first time one of mine has been gotten
> into. It's also the first time I've personally put a Solaris box on the
> net, though I do it for a living indirectly. Fortunately, I have some
> very good Solaris guys working for me. But remember, I used to run an ISP
> -- we had plenty of BSD and Linux machines up with no problems for several
> years. And we were a BIG target.

I've cleaned up four customers' systems -- two were Win2K, two were Linux. NEITHER had been put under a proper plan to patch them, keep them up to date, and none had backups. This was in supposedly PROFESSIONAL environments... obviously, they weren't professionals... (GRIN).

The Unix machines were hit through human issues -- the customer had fired an admin and not changed passwords. I also saw one Unix machine hit through a year-out-of-date version of BIND back when it was going through its major security re-writes and being released almost daily.

The Windows machines were hit through a combination of IIS and MS SQL Server. There are some really, really nasty security issues there when you mix those two products.

> I can tell you that where I work there has never been an incident of a
> UNIX machine being hacked -- not even once. There have been incidents of
> another widely used OS getting hacked, though. Actually, it wasn't all
> the OS's fault, since they were running IIS (a singularly bad idea), but
> it's the same vendor. This was in spite of IDS, firewalls, etc -- when
> there are massive holes that can be gotten to via port 80 there's a limit
> to what you can do (regardless of the OS, as this recent incident proves).

Many many many people believe firewalls protect them from everything. They don't and can't unless you've told them to DROP every packet. (GRIN)

Firewalls are just a tool that helps along the way, but security of public systems, especially those that are "big targets" as Dale called them, requires professionals that know what they're doing. I am amazed at how many small companies I've helped out who hired the first person who walked in off the street who said they had loaded *INSERT OS HERE*. Sad.

> > The key point is that somebody has to know HOW to "properly configure" the
> > *nix boxes and that is not a simple thing. Microsoft may be issuing multiple
> > hole plugs, but any idiot can install them and they are then... plugging the
> > holes... see? You don't have to know anything, just run windowsupdate on a
> > regular basis.

Actually configuration is simple. There is LOTS of documentation out there on it. SANS (www.sans.org) has good lists of the top vulnerabilities, and I wouldn't say running Windows Update properly secures a Windows box that's going in a high profile network connection really either. PROPERLY securing a Windows box requires just as much time and effort as a Unix box... and usually requires things like coaxing away what the Unix folks call "root privileges" from Services like IIS and others on the Windows machine.

> Here, just drink this Kool-Aid... 8-) That may work for you, but in a
> production environment you simply can't do that. Too many things get
> broken by the "fixes" too many times. Whichever OS you're using, you have
> to have some really good people running them if you're going to get the
> performance and reliability demanded in a production environment. At any
> rate, in this case it was more a matter of not getting a patch for a known
> hole in place quickly enough -- my bad, I was depending on the relative
> obscurity of the box to keep it out of the way until I had time to get to
> it. Obviously a bad idea. Point is, once a server is set up properly,
> it's extremely rare that I have to touch it -- I average once a year or
> so, between BIND, Sendmail, Apache and whatever else. Never the OS itself
> so far.

It's much better to automate this. Have the machine look for its own patches/updates. Then have it notify the admin. If you're uncomfortable with the machine actually installing those updates, as I am, it doesn't have to. Package installation control, documentation, and good backups are all key.

> > At the office, I run a firewall and I use a little program called
> > "WallWatcher" to log and report every inappropriate port request and
> > report it to http://www.dshield.org Believe me, most of the ports I
> > see people trying on are *nix based ports, NOT NT.

What's an NT port? What's a Unix port? (GRIN) That's a phrase that makes no sense. Port 80 for HTTP, port 25 for mail, port 53 for DNS... all used on both systems... are you saying you're seeing people go after high ports that are typically running services on Unix systems only because Windows doesn't support them, or what? I'm truly confused by this statement.

> Odd... the majority of what I see normally are ports used by Windows
> file sharing (137/139 mostly), and of course those incessant probes for
> IIS holes launched by every broken IIS zombie server on the planet, and
> there are hordes of them. My web server log is 90% IIS attacks, 10% real
> traffic. It's disgusting. I told you about the redirect I put in...
> 8-)

Haha.. I have a similar redirect on a couple of machines if it's the one I'm thinking of... it's funny. Anyway... same here... 137/139 get the crap kicked out of them all day long, and tons and tons of buffer overflow attempts against Apache which are looking for standard IIS holes. I also see attempts against SSH, and generic port scans every day.

> > Anyway, maybe I've just been lucky (knock wood) but I just don't have time
> > to learn all the in's and out's of *nix. I offer a stable (so far) safe (so
> > far) web server and I spend my time keeping the content up, not the server.

This is fair. But you'll find there really aren't that many differences between Unix and Windows when it comes to network security... turn off unnecessary services, patch anything that's old or out of date, and firewall off whatever you're not using at both a real firewall and hosts. That covers about 99.999% of network security issues right there.

What you're really saying is that you're not willing to take the time to learn Unix right now... and I can definitely respect that decision. We all have to choose how to spend our time. The part that worries me is your blanket statements -- if you don't know Unix security, it bugs me to see you giving opinions on it. You're highly respected here on the list and that counts for a lot -- people will believe you if you say "Unix is bad"... and it's not.

> Well, so far I'm about 50-1, so I'm not feeling too bad, but it does just
> kind of piss me off. And of course it has to be a remote box, too. By
> the way, I should have the replacement drive and maybe a couple of CPUs to
> ship this weekend. Let me know (offlist) if I should bother installing
> SQL or not.

Dale, do you have any idea how they cracked the last box? Post-mortem forensics are fun... (GRIN).

--
Nate Duehr, nate@natetech.com

--
http://www.piclist.com#nomail Going offline? Don't AutoReply us!
email listserv@mitvma.mit.edu with SET PICList DIGEST in the body
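The thread's point that a web server log is mostly IIS probes aimed at an Apache box (and Nate's objection that "NT port" versus "Unix port" is meaningless) comes down to looking at what is requested, not which port it arrives on. The following is an added example, not code from the original thread or from either poster: it parses Apache combined-format log lines, flags requests that only make sense against IIS (and so can never succeed on an Apache host), and summarizes what share of traffic is probe noise and which sources send it, which is the kind of report an automated job could mail to the admin. The sample log lines, the documentation IP addresses in them and the list of IIS-only path markers are all constructed for the example.

```python
"""Classify web-server log lines as IIS-targeted probes vs. ordinary traffic.

Added example for this thread (not Nate's or Dale's code). It reads Apache
"combined" log lines, flags requests aimed at IIS-only features that an
Apache host does not have, and summarizes the noise. Sample data below is
constructed, not captured from any real server.
"""
import re
from collections import Counter

# Constructed sample log using RFC 5737 documentation addresses. The IIS-looking
# requests imitate the worm/scanner traffic the thread describes; the rest are
# ordinary page fetches.
SAMPLE_LOG = """\
192.0.2.10 - - [31/Oct/2002:08:01:12 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - - [31/Oct/2002:08:01:15 -0700] "GET /scripts/root.exe HTTP/1.0" 404 276 "-" "-"
198.51.100.7 - - [31/Oct/2002:08:01:16 -0700] "GET /MSADC/root.exe HTTP/1.0" 404 276 "-" "-"
198.51.100.7 - - [31/Oct/2002:08:01:17 -0700] "GET /c/winnt/system32/cmd.exe HTTP/1.0" 404 276 "-" "-"
203.0.113.5 - - [31/Oct/2002:08:02:40 -0700] "GET /default.ida?XXXXXXXXXXXX HTTP/1.0" 404 276 "-" "-"
192.0.2.10 - - [31/Oct/2002:08:03:01 -0700] "GET /images/logo.gif HTTP/1.1" 200 2210 "http://example.org/" "Mozilla/4.0"
203.0.113.5 - - [31/Oct/2002:08:03:05 -0700] "GET /_vti_bin/owssvr.dll HTTP/1.0" 404 276 "-" "-"
198.51.100.7 - - [31/Oct/2002:08:04:00 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe HTTP/1.0" 404 276 "-" "-"
203.0.113.5 - - [31/Oct/2002:08:05:11 -0700] "GET /cgi-bin/search.cgi?q=pic HTTP/1.1" 200 812 "-" "Mozilla/4.0"
192.0.2.22 - - [31/Oct/2002:08:06:00 -0700] "POST /guestbook.cgi HTTP/1.1" 200 99 "-" "Lynx/2.8"
"""

# One Apache "combined" log line; referer and user-agent are not needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Path fragments belonging to IIS, FrontPage or Index Server, none of which an
# Apache host serves. Assumption: this hand-picked list is illustrative only; a
# real deployment would maintain its own list or rely on an IDS ruleset.
IIS_PROBE_RE = re.compile(
    r"(?i)(/scripts/|/msadc/|/_vti_bin/|/_mem_bin/|/iisadmpwd/|/winnt/|"
    r"cmd\.exe|root\.exe|\.id[aq](\?|$))"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it won't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["status"] = int(fields["status"])
    return fields


def classify(path):
    """'iis_probe' for paths aimed at IIS-only features, otherwise 'other'."""
    return "iis_probe" if IIS_PROBE_RE.search(path) else "other"


def summarize(log_text):
    """Count lines by class and tally which source addresses send the probes."""
    by_class = Counter()
    probe_sources = Counter()
    unparsed = 0
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec is None:
            unparsed += 1
            continue
        kind = classify(rec["path"])
        by_class[kind] += 1
        if kind == "iis_probe":
            probe_sources[rec["ip"]] += 1
    total = sum(by_class.values())
    probes = by_class["iis_probe"]
    return {
        "total": total,
        "iis_probe": probes,
        "other": by_class["other"],
        "probe_percent": round(100.0 * probes / total, 1) if total else 0.0,
        "probe_sources": probe_sources.most_common(),
        "unparsed": unparsed,
    }


def report_text(summary):
    """Render the summary as the short notice an admin would be mailed."""
    lines = [
        f"{summary['total']} requests: {summary['iis_probe']} IIS-style probes "
        f"({summary['probe_percent']}%), {summary['other']} other"
    ]
    for ip, n in summary["probe_sources"]:
        lines.append(f"  {ip}: {n} probe(s)")
    if summary["unparsed"]:
        lines.append(f"  ({summary['unparsed']} line(s) did not parse)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report_text(summarize(SAMPLE_LOG)))
```

Run it as a script to print the summary for the constructed log; pointing `summarize` at a real access log gives the per-source breakdown that makes the "mostly probes" observation measurable. The classifier keys on the request path rather than the port or the response code, since an Apache host answers all of these with the same 404 and the port is 80 either way.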