Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Oh the irony

dave562 (969951) writes | more than 4 years ago

Linux Business 1

I originally started reading Slashdot because of my curiosity about Linux. I've been on the internet since the early 1990s and have been working in corporate IT since the mid-1990s. My original experience with networking in a corporate environment was Novell Netware and I've since spent most of my time using Microsoft Windows servers. In the decade plus that I've been working in IT I've developed a fairly platform agnostic approach to meeting the needs of business. It's all about the best

I originally started reading Slashdot because of my curiosity about Linux. I've been on the internet since the early 1990s and have been working in corporate IT since the mid-1990s. My original experience with networking in a corporate environment was Novell Netware and I've since spent most of my time using Microsoft Windows servers. In the decade plus that I've been working in IT I've developed a fairly platform agnostic approach to meeting the needs of business. It's all about the best tool for the job as far as I'm concerned.

Recently where I work we have hired a new CFO and he oversees IT. He is a big proponent of OSS software and Linux. He hates Microsoft with a passion and believes that we should be replacing Windows boxes with Linux where ever possible. He wanted to use Subversion for version control on some budget documents, and of course he wanted to run it on Linux and have SSH access into the Linux box.

Being a Linux neophyte I went ahead and downloaded Ubuntu 8.04 LTS server. I used apt-get to get all of the updated versions of the software from the repository. I configured Subversion and setup the repository for the files. I setup SSH so that the CFO could use Tortoise and Putty to remotely access the files. Everything was working well up until this morning.

My users were calling and emailing with complaints of the internet being slow. Given that we upgraded to a 7.5MB connection over the weekend, my initial thought was that something was wrong with the ISP. I checked the firewall and saw that there were 65000+ open connections and the logs were filled with warnings of SYN floods coming from the Linux box. I logged into it, ran a netstat -a and found pages upon pages upon pages of open connections on port 22 to random boxes all over the internet. Sure enough, the Linux box was completely owned and being used to attack other boxes.

I find it ironic that here I am in a Windows shop with twenty plus servers running everything from SQL to IIS to Exchange on public facing connections. I have a few boxes with exposed terminal services connections so that vendors can get in an do remote support. I put one Linux box on the network and open it up to the internet and it lasts less than three months.

I find myself remembering all of the comments about how *nix is more secure by default. How OSS software is more secure because so many people are looking at the code. Microsoft software sucks and it's a huge target that is going to crumble as soon as you plug it into the network.

I realize that in this case a lot of what happened probably has to do with my own inexperience with Linux. If I had over a decade of experience using Linux day in and day out I'm sure that I wouldn't be in the situation that I'm in right now. I do consider myself a fairly competent network admin though. I did my best to harden the box. I only exposed SSH to the internet. I downloaded all of the latest software updates from the repository using the built in apt-get mechanism. Despite all of that, the box still got owned. So I write this journal entry to point out that nothing is simple. There are a lot of zealots out there who take it for granted that their OS of choice is secure and stable. They spout off about how it is perfect for everyone, and every job and fits in every situation. They take for granted that they've forgotten so many of the glitches, the gotchas, the key workarounds that are necessary in any sort of production environment.

Every software has bugs. Every software has exploits. Every software takes a skill set tailored to the package itself in order to properly use it. There really should be licenses to use software in business environments where sensitive data is involved. Even the best intentioned admins who are doing the best that they can do are bound to miss things. They don't miss them because they are incompetent or because they are malicious. They miss them because they don't have the experience to realize that they are missing things.

cancel ×

1 comment

There are some missing bits here... (1)

damn_registrars (1103043) | more than 4 years ago | (#29356213)

A few things that would be useful to know in determining what allowed this to happen:
  • What account was used when the box was owned?
  • What permissions did that account have?
  • How was it compromised - was there a dictionary attack on it that lead to someone (or some-bot) finding the password?
  • Was root access properly disabled so hackers couldn't ssh in as root?
  • What other services were enabled on the box in question (including services not open to the world)?
  • What tools were used on your box to launch the attack against the rest of the world?

You should be able to find most, if not all, of the answers to those questions in your log files and/or config files. I don't expect you to share the name of the account in my first question if it isn't root or a service. If, the answer to the first question is your customer's account, then I suspect one of the following is the source of your misery:

  • Customer used a terribly weak password that was quickly compromised
  • Customer shared their password with people who didn't have any right to know it
  • Customer had innappropriate permissions for their needs

Those are my initial thoughts based on what you wrote. I suspect the problem may have an obvious source, but you haven't really said enough yet to figure that out.

Check for New Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...