neko

Linux is not very secure any more!...we had a major attack on one of our linux boxes (redhat) which involved a recompile of the kernel using a rootkit.

None of the freeBSD machines were touched because there seem to be very few rootkits available.

I'd say the major security issue with LINUX is going to be rootkits which really only work because the source is available.

How may rootkits are there for LINUX at the moment?....what would be the best way to protect against such an attack?

kriss

Shure rootkit's are a pain in the a**, but there are a few tools to track them down. F.x. is "chkrootkit". It scans your whole system, and tells you if anything is wrong.
Also, you have "tripwire" wich runs integrety check's on every file that should not be changed.

Oh, and there is some root kits to windows aswell (read it at an maildng list)

jasonlambert

Download and install chkrootkit from http://www.chkrootkit.org/

A RootKit does not facility in the initial penitration of your system. A rootkit is used after your machine has been attacked to provide an attacker with an easy "back door" to your system at a later date.

There are plenty of things you can do to help prevent root kits. You may wish to look at security enhanced linux from the NSA: http://www.nsa.gov/selinux/index.html

Also, you should make sure the attacker cannot get a shell on your mahine in the first place. This means turning off EVERYTHING which is not needed, putting a firewall in place, and ensuring those services you do make publicly available on your machine are locked down, and hardened where necessary.

Jason

patetobg

why don't you try grsecurity patch ?
you can make an ACL system that only lets the user's (i mean ANY user , even root ) to do a minimum of admin tasks , and that's it. You can hide everything you don't need to see .try it : www.grsecurity.net

Giro

I agree with J its not Linux its normally the configuration of the machine which means its normally the admins fault. If you lock down a linux box and update it reguarly its a very secure OS!!

flw

Just like windex, if you leave the default config and unpatched with no additonal protection like a firewall, AV (yes even for linux) your going to get hit sooner or later. Only a matter of when.

I've had a bot after one of my linux servers for over two years coming from different ip's but uses the same method/signiture so its clear its original source is the same for all ip's. It just keeps using the same tatic from different rooted servers. I just put the several precautions in place so it keeps banging away once attempt per day over and over. All this from just reading my log files daily. This seems to have become a lost concept which blows my mind. It's only one of several methods all net admin's should use in daily security checks. Some admin's seem to rely solely on IDS to do all the work for them. Artificial intelligence cannot replace human intelligent at this point.

This applies to all variations of linux, windex or netware. I can only assume it applies to other true Unix variations, VMS and other old but still alive Network OS's.

__________________
Dan

\"Keep your friends close and your enemies even closer\" from The Art of War by Sun Tzu\"

Darksat

Rootkits are a bit of a wory on any system but since the majority of linux machines being activly targeted are servers I would worry more about stuff like PHP web file browsers.
Generally linux usage is so low for desktops and so high for servers that apache is the primary target and if you infect a server with a web file browser you dont have to worry about bypassing firewalls or anything.
If I was into such naughty things as hacking thats what I would do.