Archive for linux security

Conficker Worm could infect Linux Users

Posted in linux security by admin on January 22nd, 2009

A few days ago I covered the Conficker/Downadup (C/D) worm that is working its way around the world infecting a huge number of Windows machines. A recent story reports that Linux users running Wine, the compatibility layer that lets Linux run Windows programs, can be infected too, since the worm is an ordinary Windows executable. Wine runs such a binary with the permissions of the Linux user who launched it, so the damage is limited to what that account can reach.

The worm attacks a vulnerability in Microsoft Windows that Microsoft patched months ago, yet reports put new infections at 6.5 million in the past four days alone, bringing the estimated total to 9 million machines.

Several factors feed that growth. The vulnerability lets the worm replicate itself across the network without any user interaction on Windows 2000, XP and Server 2003, and the worm also copies itself to removable (USB flash) drives and network shares, so a single infected machine can seed an entire LAN at worrying pace.

A large part of the problem is administrators of Windows systems who ignored the warnings and never installed the fix. Microsoft released the patch over three months ago, yet nearly one in three machines still has not applied it, according to security company Qualys.

The C/D worm also abuses AutoPlay: it drops a crafted autorun.inf on removable media so that the prompt shown when the device is plugged in presents the worm's own executable as an ordinary "open folder" action, fooling users into running it. Even Windows 7 Beta users could be caught this way.

AutoPlay can be turned off and autorun.inf files deleted, but users are still easily deceived by the pop-up that appears when a device is plugged in. Once the worm is running it disables Windows Update and related security services and uses a domain generation algorithm, seeded with the current date fetched from public websites such as Google, to locate its "home" servers.

The clever part is that the domain list changes every day: each day's set of up to 250 names is computed from the date alone, so every infected machine derives the same list without any fixed address that could be blocked, and the payloads the worm downloads are verified against a public key embedded in the binary, so a defender who registers one of the day's domains cannot feed it a bogus update.
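The date-seeded domain generation described above, as an added example that is not Conficker's code or its real algorithm: a toy generator whose only input is the date, alongside the defender's side of the same trick, which reproduces the day's list and matches it against DNS query logs. The `secret` constant, the TLD set and the log line format are assumptions of the example.

```python
from __future__ import annotations

import hashlib
from datetime import date

TLDS = ("com", "net", "org")  # assumption: a toy TLD set, not the worm's


def daily_domains(day: date | str, count: int = 250, secret: bytes = b"toy-dga") -> list[str]:
    """Derive `count` domain names from `day` and nothing else.

    Every infected host that agrees on the date derives the same list, and so
    can any defender who reproduces the function.  `secret` stands in for the
    hard-coded constants a real worm embeds; it is an assumption of the toy.
    """
    if isinstance(day, str):
        day = date.fromisoformat(day)
    names = []
    for i in range(count):
        digest = hashlib.sha256(
            secret + day.isoformat().encode() + i.to_bytes(2, "big")
        ).digest()
        length = 8 + digest[0] % 4                      # 8..11 character label
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        names.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return names


def find_dga_lookups(log_lines: list[str], day: date | str) -> list[tuple[str, str]]:
    """Return (client, domain) for every query that hits that day's generated names.

    The log format is a constructed one: '<timestamp> <client-ip> query <name>'.
    """
    wanted = set(daily_domains(day))
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) >= 4 and parts[2] == "query":
            name = parts[3].rstrip(".").lower()
            if name in wanted:
                hits.append((parts[1], name))
    return hits


if __name__ == "__main__":
    today = "2009-01-22"
    todays = daily_domains(today)
    # Constructed sample log: two benign lookups and one generated name.
    sample = [
        "2009-01-22T10:00:01 10.0.0.5 query www.example.com.",
        f"2009-01-22T10:00:02 10.0.0.9 query {todays[17]}.",
        "2009-01-22T10:00:03 10.0.0.5 query updates.example.net.",
    ]
    for client, name in find_dga_lookups(sample, today):
        print(f"{client} looked up generated domain {name}")
```

The point of the two functions sitting side by side is that the defender needs nothing the worm does not already have: once the generator is reverse-engineered, tomorrow's 250 names can be computed today and pushed to a resolver blocklist or a log-matching rule before any infected host asks for them.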

No-one is safe, it seems: a hospital in Sheffield, England reports that more than 800 of its 7,000 computers were compromised by the worm after system administrators had turned off automatic Windows security updates.

Disk Encryption Security Flaws. Should you go Open Source?

Posted in linux security by admin on January 12th, 2009

It’s easy to find a cheap security product on the internet these days. One look at the many sites peddling free downloads and try-now, buy-later products and you are presented with a myriad of options.

When it comes to IT security you should choose the software that stops the biggest threat to your systems, so take your time on those download sites to weigh the benefits and pitfalls of each product. Cost is usually the first thing people consider. You generally get what you pay for, but free open source products are improving every few months.

With an unlimited budget you would simply buy whatever does everything required, and open source software often does not quite cut the mustard. Evaluate every aspect of the product: what does it cover? Is technical support available? What about upgrades? Does the price rise after the first year? Is there really a big difference between the free version and the paid one?

Let’s look at disk encryption software. Can open source software provide a solid alternative to off the shelf products?

The first question is whether you would use any product built on a proprietary encryption algorithm. At the core of any product offering cryptographic services is a cryptographic module. A closed module has usually had no public cryptanalysis and often no validation against established standards such as FIPS 140-2, so you have no way to know whether it provides the security level you require. With an open source alternative the algorithms are published, standard ones (AES, for example) and the implementation is open to review by anyone with the expertise.

A poorly designed product will be insecure, placing your data at risk of theft or damage. The major advantage many security experts cite for open source is that you can check the source code itself to confirm the encryption algorithms are implemented correctly.

That said, preferring open source to off-the-shelf products is no reason to rest on your laurels. Even a sound algorithm that has been badly integrated (a weak key derived from the passphrase, a poor random number generator, keys written out to swap) can produce a serious vulnerability with dire consequences for your data.

Nor should you assume that only the smaller open source developers get into a mess. In May 2008 Debian disclosed that a change to its OpenSSL package had crippled the library’s random number generator, so that any OpenSSL keys (SSH, SSL, VPN) generated on Debian or Ubuntu over the previous 20 months were so predictable they could be recovered in a few hours.

New Trojan Attacks DNS en masse

Posted in linux security by admin on December 8th, 2008

Security researchers have found a new Trojan that can tamper with multiple devices on a local network. The malware sends users to impostor websites even when their machines are fully patched or run a non-Windows operating system.

It is a spin-off of the DNSChanger Trojan, which is known for altering the DNS settings of the system it infects. Researchers at McAfee Avert Labs report that the updated variant lets a single infected machine poison the DNS settings of every computer on the same local network by subverting DHCP, the Dynamic Host Configuration Protocol that hands out IP addresses and, with them, the DNS server addresses clients should use.

Craig Schmugar from McAfee said that, “Systems that are not infected with the malware can still have the payload of communicating with the rogue DNS servers delivered to them. This is achieved without exploiting any security vulnerability.”

This Trojan is quite frightening. Imagine you take your laptop, infected with the new DNSChanger, to an internet cafe.

Another customer arrives and connects to the same network, broadcasting a DHCP request for an address. Your infected laptop races the cafe’s real DHCP server with a forged DHCP offer whose DNS-server option points at a rogue resolver. Every name the newcomer looks up is now answered by the attacker, so even a trusted site’s address can resolve to an impostor, and nothing in the browser gives it away.

Users can take steps to avoid the attack. Schmugar suggests hard-coding DNS servers in the system’s network configuration so that the DHCP-supplied ones are ignored. On a Windows PC or laptop open Network Connections in Control Panel, open the connection’s properties, select Internet Protocol (TCP/IP), click Properties and enter the primary and secondary addresses of a DNS service you trust. Bear in mind that this protects name resolution only: a forged DHCP offer can still set your default gateway, so on an untrusted network it is not a complete defence.

Schmugar said that “the DHCP attack doesn’t exploit a vulnerability in either users’ machines or network hardware”, which is why it works with a wide variety of everyday home routers. The Trojan installs the ndisprot.sys driver (a legitimate NDIS protocol driver) on the infected host, then sits monitoring network traffic for DHCP requests and answers them with forged replies carrying the IP address of the rogue DNS server.
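The forged-offer mechanism described above, seen from the defender’s side, as an added example that is not McAfee’s or the Trojan’s code: a parser for the DHCP option area (BOOTP header plus RFC 2131/2132 options) and a check that flags any OFFER or ACK whose DNS-server option (6) or server identifier (54) is not on an allowlist. The packets here are constructed in the script, the trusted addresses are assumptions, and 203.0.113.53 is a documentation address standing in for a rogue resolver.

```python
from __future__ import annotations

import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"           # RFC 2132 option-area marker
OPT_PAD, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 6, 53, 54, 255
DHCP_OFFER, DHCP_ACK = 2, 5
BOOTP_HEADER = "!BBBBIHH4s4s4s4s16s64s128s"  # op .. file, 236 bytes


def parse_options(payload: bytes) -> dict[int, bytes]:
    """Return {option code: raw value} from a DHCP payload (BOOTP header + cookie + options)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts: dict[int, bytes] = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value                   # last occurrence wins, as clients do
        i += 2 + length
    return opts


def _addrs(raw: bytes) -> list[str]:
    """Decode a list of IPv4 addresses; a trailing partial address is ignored."""
    return [str(ipaddress.IPv4Address(raw[j:j + 4])) for j in range(0, len(raw) - len(raw) % 4, 4)]


def rogue_dns_offer(payload: bytes, trusted_servers: set[str], trusted_dns: set[str]) -> str | None:
    """Explain why an OFFER/ACK is suspicious, or return None if it is clean.

    Two checks: the server identifier (option 54) must be a known DHCP server,
    and every DNS address it hands out (option 6) must be on the allowlist.
    """
    opts = parse_options(payload)
    if opts.get(OPT_MSG_TYPE, b"\x00")[0] not in (DHCP_OFFER, DHCP_ACK):
        return None                          # DISCOVER/REQUEST carry no DNS settings
    server = _addrs(opts.get(OPT_SERVER_ID, b""))
    if not server or server[0] not in trusted_servers:
        return f"offer from unknown DHCP server {server[0] if server else '<missing>'}"
    bad = [d for d in _addrs(opts.get(OPT_DNS, b"")) if d not in trusted_dns]
    if bad:
        return f"server {server[0]} handed out untrusted DNS {bad}"
    return None


def build_offer(server_id: str, dns_list: list[str]) -> bytes:
    """Construct a minimal DHCPOFFER for testing (constructed data, not a capture)."""
    header = struct.pack(BOOTP_HEADER, 2, 1, 6, 0, 0x12345678, 0, 0,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         b"\0" * 16, b"\0" * 64, b"\0" * 128)
    opts = bytes([OPT_MSG_TYPE, 1, DHCP_OFFER])
    opts += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
    opts += bytes([OPT_DNS, 4 * len(dns_list)]) + b"".join(ipaddress.IPv4Address(d).packed for d in dns_list)
    return header + MAGIC_COOKIE + opts + bytes([OPT_END])


if __name__ == "__main__":
    trusted = {"192.168.1.1"}
    # Constructed traffic: the cafe's real offer, then one from an infected laptop
    # that names itself as the real server but points clients at 203.0.113.53.
    for pkt in (build_offer("192.168.1.1", ["192.168.1.1"]),
                build_offer("192.168.1.1", ["203.0.113.53"])):
        print(rogue_dns_offer(pkt, trusted, trusted) or "clean offer")
```

Run this over offers captured on UDP port 68 and the second check is the one that matters: an attacker can always copy the legitimate server identifier into a forged offer, but cannot make the rogue resolver’s address appear on your allowlist.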

Although the malware is not yet widespread, it is worrying that this kind of Trojan is on the horizon, and one can imagine the chaos if it got into a large corporate network, where a single infected desktop could redirect every client on its subnet.

Linux systems Under Siege from Phalanx2

Posted in linux security by admin on August 27th, 2008

The US Computer Emergency Readiness Team (US-CERT) is warning of active attacks against Linux systems using compromised SSH keys.

The attackers use stolen SSH keys to log into a targeted machine and then gain root by exploiting local kernel vulnerabilities. A rootkit called Phalanx2 is then installed, which scans the system for more SSH keys; each key stolen makes further machines vulnerable to attack.

The CERT advisory does not mention the Debian OpenSSL random number generator flaw, but that is the likely entry point. The flaw made SSH and SSL keys generated on Debian-based systems over more than a year so predictable that they can be guessed in a matter of hours. Debian fixed it in May.

Once a Linux server using a weak key is identified and rooted, it gives up the keys it uses to connect to other servers. If a stolen key includes the private half and is not protected by a passphrase, the attacker can log straight into every server that trusts it. The compromised machine’s SSH client files and logs also reveal which servers it has connected to recently, information that points the attacker at the next targets.

Phalanx2 is the successor of a rootkit known as Phalanx. According to Packet Storm, Phalanx is a self-injecting kernel rootkit for the Linux 2.6 branch that hides files, processes and sockets, and includes a tty sniffer and a backdoor it feeds into. Phalanx2 adds the systematic theft of SSH keys.

Happily Phalanx2 is relatively easy to detect. The rootkit hides its directory, /etc/khubd.p2/, from directory listings: ls /etc will not show it, yet cd /etc/khubd.p2 succeeds, and that discrepancy is the tell. The /dev/shm/ directory may also contain files used in the attack. Run such checks from a trusted boot medium where you can, since a kernel rootkit can lie to any tool run on the live system.
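The listing-versus-lookup discrepancy described above, as an added example that is not from the CERT advisory: the script compares what a path lookup (lstat) reports with what readdir (os.listdir) returns for the parent directory, for a set of candidate names, and separately lists regular files in /dev/shm for review. The two indicator paths come from the advisory; the injectable `listing` and `exists` parameters are there so the logic can be exercised without a rootkit present and are an assumption of the example.

```python
from __future__ import annotations

import os
from typing import Callable, Iterable

# Indicators named in the advisory: a directory the rootkit hides, and a tmpfs it uses.
HIDDEN_DIR_CANDIDATES = ["/etc/khubd.p2"]
SCRATCH_DIRS = ["/dev/shm"]


def hidden_entries(parent: str, names: Iterable[str],
                   listing: set[str] | None = None,
                   exists: Callable[[str], bool] = os.path.lexists) -> list[str]:
    """Return names that exist under `parent` per lstat() but are missing from readdir().

    A hooked getdents() drops the name from listings; a path lookup that is not
    hooked (or is hooked inconsistently) still succeeds.  `listing` and `exists`
    can be injected so the logic is testable on a clean machine.
    """
    if listing is None:
        try:
            listing = set(os.listdir(parent))
        except OSError:
            return []                        # parent unreadable or absent: nothing to compare
    return [n for n in names if n not in listing and exists(os.path.join(parent, n))]


def check_hidden_dirs(candidates: Iterable[str] = HIDDEN_DIR_CANDIDATES) -> list[str]:
    """Group candidate paths by parent directory and report any the listing hides."""
    by_parent: dict[str, list[str]] = {}
    for path in candidates:
        parent, name = os.path.split(path.rstrip("/"))
        by_parent.setdefault(parent, []).append(name)
    return [os.path.join(parent, n)
            for parent, names in by_parent.items()
            for n in hidden_entries(parent, names)]


def scratch_files(dirs: Iterable[str] = SCRATCH_DIRS) -> list[str]:
    """List regular files in the tmpfs areas the advisory mentioned; review anything unexpected."""
    found = []
    for d in dirs:
        try:
            names = os.listdir(d)
        except OSError:
            continue
        found.extend(os.path.join(d, n) for n in names if os.path.isfile(os.path.join(d, n)))
    return found


if __name__ == "__main__":
    hidden = check_hidden_dirs()
    for p in hidden:
        print(f"WARNING: {p} exists but is hidden from directory listings")
    if not hidden:
        print("no hidden indicator directories found (a rootkit hooking stat() too would not show here)")
    for p in scratch_files():
        print(f"review: {p}")
```

A clean result means only that this particular rootkit’s hiding technique is absent; it is a quick triage step, not a substitute for checking the disk from a known-good kernel.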

CERT advises protecting private keys with strong passphrases so that a stolen key file is not immediately usable.

“I’m still absolutely adamant this is a problem system administrators should have handled a long time ago,” said Bill Stearns, a security researcher and incident handler for the SANS Internet Storm Center. “It’s a really big issue. If they haven’t figured it out, someone will do it for them.”

VMware Leaves ‘Time Bomb’ in Software

Posted in Technical, linux security by admin on August 15th, 2008

A glitch in VMware’s most recent update had its customers up in arms this week. The problem was caused by code from the beta version of the software that engineers failed to remove, leaving VMware users unable to power on virtual machines running on the hypervisor.

The bug, referred to as a “time bomb”, is code developers put into beta software to push users to upgrade to an application’s final version. Such code is a commonly used tool, but it must be removed from anything it has been inserted into before final release.

The virtualisation software maker released an “express patch” on Wednesday to fix the glitch. VMware customers have nonetheless been left disgruntled, and the incident has made the company look amateurish.

The way people look at VMware after the cock-up is “definitely not very good,” according to Gary Chen, a Yankee Group analyst.

“This is the most publicised issue they’ve had in their history, and it’s really the sort of embarrassing bug that never should have made it past QA (quality assurance),” he said.

In a letter posted on the company’s blog, Paul Maritz, VMware’s recently appointed chief executive officer said: “Last night, we became aware of a code issue with the recently released update to ESX 3.5 and ESXi 3.5 (Update 2).”

According to Maritz, when the clock on a server running the updated ESX 3.5 or ESXi 3.5 software reached 12:00 a.m. on August 12, 2008, the code caused the product licence to expire. As a result, powered-off virtual machines could not be started, suspended machines could not be resumed, and running machines could not be migrated with VMotion.

The problem also affected a recent patch to ESX 3.5 and ESXi 3.5 Update 2. The company has begun a review of its QA processes, Maritz said (which means someone is getting the sack).

To VMware’s credit, it took less than 24 hours to produce a patch that appears to have corrected the problem, said Chen.

“From what I’ve heard, the patch fixes the problem. You do have to give kudos to VMware for addressing the issue so quickly,” he noted.

Some users have turned to VMware’s Communities discussion pages to vent. “As a VMware Enterprise Partner and VMware Authorized Consultant, I can tell you this IS a big deal for VMware to release a product that has such grave consequences for even a relatively small portion of the total VMware user population,” wrote one user.

“A small percentage does not diminish the severity of the problem for affected users, and the utmost urgency is expected from a company that caters to enterprise customers who don’t have ‘downtime’ in their corporate dictionary anymore.

“Bugs happen,” the poster continued. “However, I believe this could have been prevented by not rushing an update to market which was intended to be free and compete with [Microsoft’s] Hyper-V. This will no doubt teach VMware a lesson and unfortunately will cast doubt about the reliability of VMware in the enterprise. It’s a shame a clearly superior product is going to get bad publicity from this oversight. Let’s give them credit and hope they learn from their mistakes.”

Chen pointed out that most customers were glad of the quick response time from VMware: “The issue was fixed quickly, and there was lots of communication as to the status, cause and future changes to prevent another incident,” he said.

“However, some faith has been lost, as most customers I’ve talked to are disappointed that a bug like this made it past QA. Many admins have been pushing virtualisation to their executives, and this doesn’t help their case,” Chen added.

“Virtualisation is still in the emerging stages, and enterprise reliability is a huge issue that can only be proven over time,” said Chen. “Vendors have been pushing the idea that it is enterprise-ready, and an incident like this hurts not only VMware but the entire virtualisation movement. Virtualisation is inevitable and will certainly continue to proceed, but people will slow down and think more about how to protect themselves against things like this.”

“More and more people are using it, and a major incident, whether a bug or a security hack, could freeze your entire infrastructure. I think people will begin to re-evaluate their options and contingency plans for an incident like this, including perhaps diversifying their infrastructure and adopting multiple hypervisors,” Chen concluded.

Debian and Ubuntu Vulnerabilities are Ugly

Posted in linux security by admin on May 16th, 2008

A security researcher has disclosed a vulnerability in widely used Linux distributions that lets attackers guess cryptographic keys, possibly leading to forged digital signatures and theft of confidential information.

HD Moore, best known as the exploit researcher behind the Metasploit penetration testing framework, called the vulnerability in Debian and Ubuntu systems “ugly” and said it would be a big job for administrators to find every flawed key and then re-issue it.

The bug, announced on Tuesday by the Debian Project, is in the random number generator of Debian’s OpenSSL package, which is used to produce a variety of digital keys including SSH (Secure Shell) keys and SSL (Secure Sockets Layer) certificates. A Debian-specific change had removed the generator’s real entropy sources, leaving the process ID as effectively its only seed.

In his blog yesterday Moore reported that it was relatively easy to “guess” keys: because the flawed generator can produce only about 32,000 distinct keys for each key type and size (one per possible process ID), he was able to generate the complete set of weak 1024- and 2048-bit keys in about two hours. An 8192-bit RSA key set, he estimated, would take some 3,100 hours (about 129 days).

Moore also published several key-generating tools - collectively dubbed “Toys” - that included a shared library and a key generation script.

As the news spread, other researchers posted notices on their web sites. Bojan Zdrnja, an analyst at the Internet Storm Center (ISC), said, “This is very, very, very serious and scary.”

“The development of automated scripts exploiting keys looks like a real threat to SSH servers around the world,” he added.

Symantec Corp. also warned customers of its DeepSight threat network about the vulnerability, noting that another hacker, “Markus M”, had published a tool that automates brute-force attacks on the weak keys to the Full Disclosure security mailing list.

It’s not just users of Debian-based systems who are at risk, Moore cautioned, but virtually anyone. If data on other platforms has been secured with keys generated on a Debian distribution, that data could be exposed.

“There’s a lot of different areas that you’re going to have to look, not just within Debian,” Moore said. “Administrators will have to audit every single key. Even systems that do not use the Debian software need to be audited in case any key is being used that was created on a Debian system.”

Moore, ISC’s Zdrnja and others recommend that Debian and Ubuntu users patch their systems (updates are available) and that users and administrators regenerate all keys produced on a Debian system between September 2006 and May 13, 2008. September 2006, said Moore, is when the first builds containing the flaw were released. Patching alone is not enough: keys already generated stay weak until replaced, and a weak public key installed in authorized_keys on a non-Debian host still lets an attacker in.
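Why a PID-seeded generator is fatal, and how the key audit recommended above works, as an added example that is not Moore’s Toys or Debian’s blacklist packages (the same point applies to the disk encryption and Phalanx2 posts on this page, which both cite this flaw). `broken_keygen` is a toy stand-in for the flawed OpenSSL, deterministic in the process ID alone, so the whole keyspace for one key size is 32,767 entries; `weak_blacklist` enumerates it once, and `audit` does what a blacklist check does, hashing each deployed key and looking it up. The 256-bit toy key size, the PID range and the inventory are assumptions of the example.

```python
from __future__ import annotations

import hashlib
import os
import random

PID_MAX = 32768   # default Linux pid_max of the era, so PIDs run 1..32767 (assumption of the toy)
KEY_BITS = 256    # toy key size; real RSA keys are far bigger, but the keyspace is just as small


def broken_keygen(pid: int, bits: int = KEY_BITS) -> bytes:
    """Toy stand-in for the broken generator: its only input is the process ID."""
    rng = random.Random(pid)                 # the bug: seeded by PID and nothing else
    return rng.getrandbits(bits).to_bytes(bits // 8, "big")


def sound_keygen(bits: int = KEY_BITS) -> bytes:
    """What the generator should do: draw from the OS entropy pool."""
    return os.urandom(bits // 8)


def fingerprint(key: bytes) -> str:
    """Fingerprint used for the lookup; SSH tooling of the time used SHA-1 too."""
    return hashlib.sha1(key).hexdigest()


def weak_blacklist(bits: int = KEY_BITS) -> dict[str, int]:
    """Pre-compute every key the broken generator can emit, indexed by fingerprint.

    This is the attacker's one-off cost and the defender's blacklist: for a real
    1024-bit RSA key it is 32,767 key generations, hours rather than centuries.
    """
    return {fingerprint(broken_keygen(pid, bits)): pid for pid in range(1, PID_MAX)}


def audit(keys, blacklist: dict[str, int]) -> list[tuple[str, int]]:
    """keys: iterable of (label, key_bytes).  Return (label, pid) for each key in the blacklist."""
    hits = []
    for label, key in keys:
        pid = blacklist.get(fingerprint(key))
        if pid is not None:
            hits.append((label, pid))
    return hits


if __name__ == "__main__":
    blacklist = weak_blacklist()
    deployed = [                             # constructed inventory, not real keys
        ("web01 host key", broken_keygen(4242)),
        ("deploy key", sound_keygen()),
    ]
    for label, pid in audit(deployed, blacklist):
        print(f"{label}: WEAK, reproducible from pid {pid}; regenerate it")
```

The audit needs only public material (a host key from known_hosts, a public key from authorized_keys), which is why the check works on hosts that never ran Debian: the weakness travels with the key, not with the distribution.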

Although the situation is serious, Moore doubted there would be widespread, indiscriminate attacks; the more likely outcome, he said, is targeted attacks on systems that serve large numbers of Debian users.

Moore also discounted any connection between the Debian vulnerability and the brute-force attacks some vendors, including Symantec, had been tracking over the previous 24 hours.

“The timing is definitely funny,” he acknowledged, but those attacks were aimed at user-chosen passwords, not authentication keys, so the two events are probably coincidental.

Why Is Red Hat Red Hot At The Moment?

Posted in News, linux hosting, linux security by admin on May 2nd, 2008

Anyone following the development of Linux and the companies heavily exposed to it will have come across Red Hat, one of the largest developers and distributors of Linux-based systems and at the forefront of many developments over the years. So how large is Red Hat?

Red Hat is listed on the US NASDAQ technology stock market with a current market value in the region of $4 billion. While the share price is currently near its 12-month high at $21, the shares have been as high as $160 in 2000 and as low as $3 in 2001. These wild swings have often reflected the prospects and marketability of Linux, although the company also develops other open source software to complement its main Linux-based brands, the recently released open source Java code being one of the more recent additions.

Red Hat’s turnover has risen from $278 million in 2006 to $523 million in 2008, but profits have not followed the same path: net income of some $79 million in 2006 fell to just under $60 million in 2007, then rebounded to $76 million for the year ended February 2008. Even after the major slump in worldwide stock markets over the last 12 months, the fact that the share price is nudging its 12-month high says a lot for the company’s prospects.

Many analysts are forecasting a very productive and lucrative time over the next couple of years for Red Hat, a time when Linux is knocking on the door of the mass market and Red Hat is at the front of the queue.

Linux Set To Benefit From Push By Industry Leaders

Posted in Desktop Publishing, Linux, Technical, linux security by admin on April 28th, 2008

It seems the news for Linux just gets better and better, with a commitment from Dell, HP and Lenovo to “strongly encourage” the production and delivery of open-source drivers for the Linux kernel. So what does this mean?

The Linux kernel is the heart of the operating system: it mediates between the hardware and the software running on it and keeps the whole system running smoothly. That the likes of Dell, HP and Lenovo are set to champion the cause is a major boost to an operating system that seems to be going from strength to strength.

Linux drivers have always existed, but the move to open source drivers is a big step. It means the code for Linux drivers will be in the open, so any skilled third party can fix or amend it instead of having to go back to the original author. For security that matters: a driver runs inside the kernel with full privileges, and a closed binary driver can be neither audited nor patched by anyone but its vendor.

The move to open source drivers is the next step in the attack on the likes of Windows, which retains total control over access to its kernel (for obvious commercial reasons). While the Linux Foundation has been very vocal in its support of Linux, the take-up by Dell, HP and Lenovo lets major industry players pick up the baton and run with it on the Foundation’s behalf.

There are still many who have doubts about the ability of Linux to move into the mainstream, but each increase in exposure and each addition to the Linux “fan club” is a step forward. The next few years are critical for Linux and it will be interesting to see how it develops.

Can Linux Ever Work With Microsoft?

Posted in News, linux security by admin on April 4th, 2008

On the surface, Linux working with its main competitor Microsoft sounds a little bizarre, so is there an ulterior motive behind the recent overtures from the Linux Foundation?

Jim Zemlin, currently head of the Linux Foundation, recently held out the hand of friendship to the Foundation’s arch enemy and most vocal critic, Microsoft, a move that has many people wondering what is going on. The whole ethos of Linux is totally at odds with Microsoft’s way of doing business, the creation of wealth and profit and the ongoing protection of its customer base; Linux is open source code and as such is open to use by each and every programmer in the world.

On closer inspection, Microsoft has recently asserted a number of patent claims over parts of the Linux code. While Microsoft has not yet identified the code in question, it appears to be trying to bully the Foundation into some kind of agreement. In direct response to this threat, which the Linux camp is confident is unfounded, the Foundation seems more than willing to discuss the matter further with Microsoft, forcing its hand in public.

Microsoft has yet to respond to the invitation, and it seems highly unlikely it will let the Linux Foundation anywhere near its customers, offices or contacts. Whether Linux is looking to get into the Microsoft fold by the back door, or privately sees some legal basis to the argument, is unclear, but it has got the industry talking.

In computing, and programming especially, patent and copyright cases come and go, with Linux often seen as an “easy target”. While the Foundation has had its day in court as a result of actions by other parties, to date nothing has been proved against it and it has won every action taken against it.

Securing Linux Server – Data Security

Posted in Linux, Technical, linux security by admin on February 1st, 2008

Linux is widely regarded as a secure, stable and popular operating system, but a Linux server is only as secure as its configuration. Data security on a Linux server comes from an explicit security strategy applied consistently, not from the choice of OS alone.

There are many Linux distributions; the most popular are Red Hat, Debian, Ubuntu and SuSE. This article covers the basics of securing Red Hat 9.

We assume you installed Red Hat with X11 (the graphical desktop). On a server the GUI should be disabled: it adds services and attack surface the machine does not need, and everything below is done from a terminal.
Use find / -name filename to locate a file, and pico or vi to edit one.
Securing your Linux box:

First secure the box itself against unauthorised access; a compromised server is a perfect vantage point for watching the rest of the network.
Change the root password:
Rotate the root password at least every 30 days and make it long and complex. Reset it with the passwd command while logged in as root.

One thing that is particularly dangerous is the setuid (set user ID) bit. A program with the setuid bit set runs with the privileges of the file’s owner rather than of the user who launched it, so a setuid-root program is effectively root for anyone who can execute it: a bug in it, or a setuid copy of a shell that an intruder has planted, lets an unprivileged user read or edit /etc/passwd and anything else root can touch. Audit them: a file showing an s in the owner-execute position of its permissions (for example -rwsr-xr-x) runs setuid.

# find / -xdev -type f -perm -4000 -exec ls -alF {} + > /root/suid.txt

On a typical server the command produces something like the following in /root/suid.txt (repeat it with -perm -2000 to list setgid files, which deserve the same scrutiny).

-rwsr-xr-x 1 root root 60104 Feb 1 2007 /bin/mount*
-rwsr-xr-x 1 root root 35192 Feb 18 2007 /bin/ping*
-rwsr-xr-x 1 root root 19116 Feb 8 2007 /bin/su*
-rwsr-xr-x 1 root root 30664 Feb 1 2007 /bin/umount*
-r-sr-xr-x 1 root root 120264 Feb 9 2007 /sbin/pwdb_chkpwd*
-r-sr-xr-x 1 root root 16992 Feb 9 2007 /sbin/unix_chkpwd*
-rwsr-xr-x 1 root root 37528 Dec 17 2007 /usr/bin/at*
-rwsr-xr-x 1 root root 34296 Apr 27 2007 /usr/bin/chage*
-rws--x--x 1 root root 12072 Feb 1 2007 /usr/bin/chfn*
-rws--x--x 1 root root 11496 Feb 1 2007 /usr/bin/chsh*
-rwsr-xr-x 1 root root 21080 Feb 15 2007 /usr/bin/crontab*
-rwsr-xr-x 1 root root 36100 Mar 27 2007 /usr/bin/gpasswd*
-rwsr-xr-x 1 root root 19927 Feb 17 2007 /usr/bin/lppasswd*
-rws--x--x 1 root root 4764 Feb 1 2007 /usr/bin/newgrp*
-r-s--x--x 1 root root 15104 Mar 13 2007 /usr/bin/passwd*
-rwsr-xr-x 1 root root 14588 Jul 24 2006 /usr/bin/rcp*
-rwsr-xr-x 1 root root 10940 Jul 24 2006 /usr/bin/rlogin*
-rwsr-xr-x 1 root root 7932 Jul 24 2006 /usr/bin/rsh*
-rwsr-xr-x 1 root root 219932 Feb 4 2007 /usr/bin/ssh*
---s--x--x 1 root root 84680 Feb 18 2007 /usr/bin/sudo*
-rwsr-xr-x 1 root root 32673 Apr 18 2007 /usr/sbin/ping6*
-r-sr-xr-x 1 root root 451280 Feb 8 2007 /usr/sbin/sendmail.sendmail*
-rwsr-xr-x 1 root root 20140 Mar 14 2007 /usr/sbin/traceroute*
-rwsr-xr-x 1 root root 13994 Feb 18 2007 /usr/sbin/traceroute6*
-rws--x--x 1 root root 22388 Feb 15 2007 /usr/sbin/userhelper*
-rwsr-xr-x 1 root root 17461 Feb 19 2007 /usr/sbin/usernetctl*

Some administrators recommend removing the setuid bit from ping and traceroute as well; ordinary users then lose those tools, which is usually acceptable on a server but not essential. Which binaries to strip is a judgement call for each host, but on a server where ordinary users have no business changing their own account details or mounting filesystems, the usual candidates are:
/usr/bin/chage, /usr/bin/chfn, /usr/bin/chsh, /bin/mount,
/bin/umount, /usr/bin/gpasswd, /usr/sbin/usernetctl, /usr/sbin/traceroute, /usr/sbin/traceroute6, /usr/bin/newgrp, /usr/sbin/ping6 and /bin/ping.
Leave su, sudo, passwd and the PAM helpers (unix_chkpwd, pwdb_chkpwd) alone: they cannot do their job without the bit, and stripping it will lock users out.

Once the setuid bit is removed the program runs with the privileges of whoever invokes it, so for practical purposes only root can still use it. Strip the bit with chmod u-s (the chmod 111 often quoted also clears it, but additionally removes read permission and leaves execute for everyone), then mark the file immutable with chattr +i so that neither an intruder nor a package update can quietly restore it; you will need chattr -i before upgrading the package.

# chmod u-s /path/to/file
# chattr +i /path/to/file
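The audit procedure above (walk the filesystem, list set-id binaries, decide which to strip), as an added example that is not from the post or from Red Hat: a scripted version that stays on one filesystem like find -xdev, reports set-id files not on an allowlist in ls-style permission notation, and clears the bits only on explicit request. The allowlist is an assumption to be tuned per host; the immutable flag (chattr +i) is an ext2/3 ioctl with no portable Python call, so that stays a separate shell step.

```python
from __future__ import annotations

import os
import stat
from typing import Iterable, Iterator

SETID = stat.S_ISUID | stat.S_ISGID

# Assumption: binaries that need the bit for every user; tune per host.
ALLOW = {"/bin/su", "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/ssh",
         "/sbin/unix_chkpwd", "/sbin/pwdb_chkpwd", "/usr/bin/crontab", "/usr/bin/at"}


def find_setid(root: str = "/", one_fs: bool = True) -> Iterator[tuple[str, int]]:
    """Yield (path, mode) for regular files under root with the setuid or setgid bit set."""
    root_dev = os.lstat(root).st_dev
    for dirpath, dirnames, filenames in os.walk(root):
        if one_fs:                           # like find -xdev: do not cross mount points
            keep = []
            for d in dirnames:
                try:
                    if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev:
                        keep.append(d)
                except OSError:
                    pass
            dirnames[:] = keep
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: a symlink's own mode is irrelevant
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & SETID:
                yield path, st.st_mode


def classify(entries: Iterable[tuple[str, int]], allow: set[str] = ALLOW) -> list[tuple[str, str]]:
    """Return (path, permissions) for set-id files not on the allowlist, permissions as 'rwsr-xr-x'."""
    return [(path, stat.filemode(mode)[1:]) for path, mode in entries if path not in allow]


def strip_setid(path: str) -> int:
    """Clear setuid and setgid (chmod u-s,g-s) and return the new permission bits."""
    mode = stat.S_IMODE(os.lstat(path).st_mode) & ~SETID
    os.chmod(path, mode)
    return mode


if __name__ == "__main__":
    import sys
    findings = classify(find_setid("/"))
    for path, perms in findings:
        print(f"{perms} {path}")
    if "--strip" in sys.argv:                # assumption: explicit opt-in before changing anything
        for path, _ in findings:
            print(f"stripped set-id bits from {path}: {oct(strip_setid(path))}")
```

Keep the first run read-only and diff its output against a known-good baseline: a new set-id file appearing under /tmp, /dev/shm or a home directory is a far stronger intrusion signal than any entry in the stock list above.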
