Forgot your password?
Linux Business

dave562's Journal: Oh the irony 1

Journal by dave562

I originally started reading Slashdot because of my curiosity about Linux. I've been on the internet since the early 1990s and have been working in corporate IT since the mid-1990s. My original experience with networking in a corporate environment was Novell Netware and I've since spent most of my time using Microsoft Windows servers. In the decade plus that I've been working in IT I've developed a fairly platform agnostic approach to meeting the needs of business. It's all about the best tool for the job as far as I'm concerned.

Recently where I work we have hired a new CFO and he oversees IT. He is a big proponent of OSS software and Linux. He hates Microsoft with a passion and believes that we should be replacing Windows boxes with Linux where ever possible. He wanted to use Subversion for version control on some budget documents, and of course he wanted to run it on Linux and have SSH access into the Linux box.

Being a Linux neophyte I went ahead and downloaded Ubuntu 8.04 LTS server. I used apt-get to get all of the updated versions of the software from the repository. I configured Subversion and setup the repository for the files. I setup SSH so that the CFO could use Tortoise and Putty to remotely access the files. Everything was working well up until this morning.

My users were calling and emailing with complaints of the internet being slow. Given that we upgraded to a 7.5MB connection over the weekend, my initial thought was that something was wrong with the ISP. I checked the firewall and saw that there were 65000+ open connections and the logs were filled with warnings of SYN floods coming from the Linux box. I logged into it, ran a netstat -a and found pages upon pages upon pages of open connections on port 22 to random boxes all over the internet. Sure enough, the Linux box was completely owned and being used to attack other boxes.

I find it ironic that here I am in a Windows shop with twenty plus servers running everything from SQL to IIS to Exchange on public facing connections. I have a few boxes with exposed terminal services connections so that vendors can get in an do remote support. I put one Linux box on the network and open it up to the internet and it lasts less than three months.

I find myself remembering all of the comments about how *nix is more secure by default. How OSS software is more secure because so many people are looking at the code. Microsoft software sucks and it's a huge target that is going to crumble as soon as you plug it into the network.

I realize that in this case a lot of what happened probably has to do with my own inexperience with Linux. If I had over a decade of experience using Linux day in and day out I'm sure that I wouldn't be in the situation that I'm in right now. I do consider myself a fairly competent network admin though. I did my best to harden the box. I only exposed SSH to the internet. I downloaded all of the latest software updates from the repository using the built in apt-get mechanism. Despite all of that, the box still got owned. So I write this journal entry to point out that nothing is simple. There are a lot of zealots out there who take it for granted that their OS of choice is secure and stable. They spout off about how it is perfect for everyone, and every job and fits in every situation. They take for granted that they've forgotten so many of the glitches, the gotchas, the key workarounds that are necessary in any sort of production environment.

Every software has bugs. Every software has exploits. Every software takes a skill set tailored to the package itself in order to properly use it. There really should be licenses to use software in business environments where sensitive data is involved. Even the best intentioned admins who are doing the best that they can do are bound to miss things. They don't miss them because they are incompetent or because they are malicious. They miss them because they don't have the experience to realize that they are missing things.

This discussion has been archived. No new comments can be posted.

Oh the irony

Comments Filter:
  • A few things that would be useful to know in determining what allowed this to happen:
    • What account was used when the box was owned?
    • What permissions did that account have?
    • How was it compromised - was there a dictionary attack on it that lead to someone (or some-bot) finding the password?
    • Was root access properly disabled so hackers couldn't ssh in as root?
    • What other services were enabled on the box in question (including services not open to the world)?
    • What tools were used on your box to launch the attack aga

The biggest mistake you can make is to believe that you are working for someone else.