Safety net
Posted on 3 Jul 2002 at 16:24
Both these scenarios assume that you're running a server, be it an FTP or an email (SMTP) server. Most Linux systems run potloads of server processes. Unlike Windows NT or 2000, where a server machine is typically dedicated to providing email, file storage or some other individual service, Linux can happily juggle a couple of hundred different services concurrently without major problems. In fact, providing network services is the task for which Linux is best suited. Unfortunately, you need to know how to control this activity and secure the servers; otherwise they'll render your system vulnerable. Almost every Linux distribution comes with a ton of servers configured and running by default.
Root of the problem
A more serious type of assault is the so-called root exploit. A root exploit is one that gives the attacker access to an interactive shell (such as bash) running with root permissions. The special user 'root' is privileged: root will do anything it feels like doing to your machine. Ordinary user accounts are limited to working on files and processes that they have permission to access, but root can freely trample across access permissions, run any program or delete any file. A root shell gives one the ability to use this privilege level effectively. If an attacker uses a security hole to get a root shell on your machine, you have in effect lost control of it: they can do anything they want, including installing a different operating system on it.
Probably the commonest use of a root exploit today is to install a 'root kit'. This is a set of snooping tools designed to give the attacker the root password to other machines on the same network by monitoring the activities of users on the compromised machine. This is closely followed by the installation of Distributed Denial of Service (DDS) software. Ownership of a large fleet of 'zombies' (compromised machines that are running DDS tools) gives a script kiddie the ability to shut down virtually any server on the internet.
Root exploits are usually more obscure than the simple attacks on unsecured servers described earlier. However, many of the Linux internet servers run with the root user ID. In some cases they can be tricked into crashing in such a way that they execute some arbitrary code uploaded by the attacker, such as a shell with root permissions. Feed such a shell the right script and you can do things such as add a guest account to the password list with full root permissions.
Attacks on network services are possible because the services are incorrectly secured. On the other hand, attacks aimed at gaining root access via bugs in the server software are typically possible because whoever owns the machine hasn't installed an essential bugfix. This is an important distinction. You would be unlucky to be the first victim of a new type of root exploit for which no patch is available.
The third and final type of attack sounds almost silly: logging in via Telnet or ssh and typing a password at random. It sounds silly until you realise that studies have shown that 50 percent of servers have one or more users whose password is their spouse's name, a child's name, their birthday, their pet dog's name or, worst of all, 'aaaaaa' or 'XXXX' or something similar. Password-guessing tools have been around for years and are easy to deploy. While a human being would get bored, an attack script can hammer at your front door for weeks on end until it finally guesses the right password for root or your own user ID.
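The password-guessing pattern described above leaves a recognisable trail in the SSH server's log. The following Python script is an added example, not part of the original article: it flags source addresses with repeated failed logins inside a short window and records when a guess finally succeeds. The log lines, host name, addresses, threshold, window and assumed year are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in OpenSSH's syslog format; hosts and addresses are made up.
SAMPLE_LOG = """\
Jul  3 16:20:01 web1 sshd[2101]: Failed password for root from 192.0.2.10 port 40001 ssh2
Jul  3 16:20:03 web1 sshd[2102]: Failed password for root from 192.0.2.10 port 40002 ssh2
Jul  3 16:20:05 web1 sshd[2103]: Failed password for invalid user admin from 192.0.2.10 port 40003 ssh2
Jul  3 16:20:40 web1 sshd[2104]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Jul  3 16:20:52 web1 sshd[2105]: Accepted password for alice from 198.51.100.7 port 51001 ssh2
Jul  3 16:21:07 web1 sshd[2106]: Failed password for guest from 192.0.2.10 port 40004 ssh2
Jul  3 16:21:09 web1 sshd[2107]: Failed password for guest from 192.0.2.10 port 40005 ssh2
Jul  3 16:21:11 web1 sshd[2108]: Accepted password for guest from 192.0.2.10 port 40006 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse(log, year=2002):
    """Yield (timestamp, result, user, ip); syslog omits the year, so assume one."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]

def find_guessing(log, threshold=5, window=timedelta(minutes=10)):
    """Map each source IP with >= threshold failures inside window to a report."""
    failures = defaultdict(list)  # ip -> [(timestamp, user)] still inside window
    reports = {}
    for ts, result, user, ip in parse(log):
        if result == "Failed":
            recent = [(t, u) for t, u in failures[ip] if ts - t <= window]
            failures[ip] = recent + [(ts, user)]
            if len(failures[ip]) >= threshold:
                rep = reports.setdefault(ip, {"failures": 0, "users": set(), "login": None})
                rep["failures"] = max(rep["failures"], len(failures[ip]))
                rep["users"].update(u for _, u in failures[ip])
        elif ip in reports and reports[ip]["login"] is None:
            reports[ip]["login"] = user  # a guess succeeded: treat as compromise
    return reports

if __name__ == "__main__":
    for ip, rep in find_guessing(SAMPLE_LOG).items():
        print(ip, rep["failures"], sorted(rep["users"]), "login:", rep["login"])
```

The single mistyped password from 198.51.100.7 stays below the threshold and is not reported, which is the distinction between a forgetful user and a guessing script.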






