Recently, a Russian security researcher discovered a 100-node "cluster" of Linux servers running a botnet which was, in turn, connected to a group of desktop machines. Together these machines were serving up malware.

Yes, that's right: a cluster of Linux servers hosting genuine websites had been hacked to carry a secondary web server (nginx), and together they were acting as a botnet server. How did this happen, you ask? Traditionally, desktop machines are recruited into a botnet when the user unwittingly clicks on a URL that then plants malicious code on the user's machine. That is how, in 2006, over 20,000 Windows machines were turned into bots. But for this to happen to a Linux server? There is one explanation: careless, lazy administration.

Anyone who has read my columns for long enough knows how I feel about Linux and its security. But even the security Linux offers isn't enough on its own. Because of Linux's solid reputation, many Linux administrators get their servers up and running and then leave them alone: no updates, no security work, nothing. They set them up in a corner of a room and forget about them. "Set it and forget it" was the catchphrase bandied about the Linux community some time ago, and it is an irresponsible idea.

Hackers today are smart. They know Linux. But these aren't the hackers who became clichés of themselves in the mid-'90s; these aren't pimply kids called SerialThriller or ZeroCool. These hackers are professionals whose living depends on cracking open the security of any given server, and lazy administrators, whatever the operating system, may as well hand them the keys to the kingdom.

There is a reason updates happen, especially in the server world. On the Linux servers I run, I keep a careful watch on updates. For certain tools (like Apache) updates don't come very often, but when they do, I install them right away. Why? Because keeping these types of attacks at bay is critical to keeping a business running safely, without the danger of being shut down until the issue is resolved.

But how did the hackers get into these servers? Stolen FTP passwords, which let them inject hidden iframes into legitimate sites. That sounds like it could be bad, but dangerous? It is when the administrator leaves FTP access open for the root user. FTP carries usernames and passwords in cleartext, so a root password used over FTP is there for the taking by anyone who can watch the connection, and once the hackers had the root password, that was all she wrote (as my dear mother always said). The server should never have accepted a root login over FTP at all. Whether you run vsftpd (written with security as its first design goal) or ProFTPD, both can be configured to refuse root logins outright (root belongs in the /etc/ftpusers deny list) and to chroot every FTP user into their own directory.
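As an added example (not code from the column), here is a small shell audit of the two configuration mistakes just described: root allowed to log in over FTP, and FTP users not chrooted. It checks a vsftpd.conf, a proftpd.conf and an ftpusers deny list; the sample configs are constructed for the demonstration, and the vsftpd check assumes the usual Debian-style PAM setup in which users listed in /etc/ftpusers are refused.

```shell
#!/bin/sh
# Added example, not code from the column: audit FTP daemon configuration for
# the two mistakes described above, root allowed to log in over FTP and users
# not chrooted into their own directories. The functions take file paths, so
# they can be pointed at /etc/vsftpd.conf, /etc/proftpd/proftpd.conf and
# /etc/ftpusers on a real host; the sample files below are constructed.

# Print a config file with comments and blank lines stripped.
config_lines() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1"
}

# vsftpd: wants chroot_local_user=YES, and root listed in the ftpusers deny
# file (assumption: the distro's PAM stack refuses users named in that file,
# as Debian's /etc/pam.d/vsftpd does). One line per finding, none if hardened.
audit_vsftpd() {
    conf=$1
    ftpusers=$2
    if ! config_lines "$conf" | grep -qi '^chroot_local_user=YES$'; then
        echo "vsftpd: chroot_local_user is not YES; FTP users can roam the whole filesystem"
    fi
    if ! grep -qx 'root' "$ftpusers" 2>/dev/null; then
        echo "vsftpd: root is missing from $ftpusers; root can log in over FTP"
    fi
}

# ProFTPD: RootLogin must not be turned on (it is off by default), and a
# DefaultRoot directive is needed to confine users to their home directories.
audit_proftpd() {
    conf=$1
    if config_lines "$conf" | grep -Eqi '^[[:space:]]*RootLogin[[:space:]]+on[[:space:]]*$'; then
        echo "proftpd: RootLogin on; root can log in over FTP"
    fi
    if ! config_lines "$conf" | grep -Eqi '^[[:space:]]*DefaultRoot[[:space:]]'; then
        echo "proftpd: no DefaultRoot directive; FTP users are not chrooted"
    fi
}

# Number of findings; 0 means the config passed every check.
vsftpd_findings()  { audit_vsftpd "$1" "$2" | wc -l | tr -d ' '; }
proftpd_findings() { audit_proftpd "$1" | wc -l | tr -d ' '; }

# Constructed sample configs: a weak and a hardened variant of each.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/vsftpd-weak.conf" <<'EOF'
listen=YES
local_enable=YES
write_enable=YES
# chroot_local_user left at its default of NO
EOF
cat > "$SAMPLE_DIR/vsftpd-hardened.conf" <<'EOF'
listen=YES
local_enable=YES
write_enable=YES
chroot_local_user=YES
EOF
printf 'daemon\nbin\n' > "$SAMPLE_DIR/ftpusers-weak"          # root not denied
printf 'root\ndaemon\nbin\n' > "$SAMPLE_DIR/ftpusers-hardened"

cat > "$SAMPLE_DIR/proftpd-weak.conf" <<'EOF'
ServerName "Example FTP"
RootLogin on
EOF
cat > "$SAMPLE_DIR/proftpd-hardened.conf" <<'EOF'
ServerName "Example FTP"
RootLogin off
DefaultRoot ~
EOF

for variant in weak hardened; do
    echo "== vsftpd ($variant) =="
    audit_vsftpd "$SAMPLE_DIR/vsftpd-$variant.conf" "$SAMPLE_DIR/ftpusers-$variant"
    echo "== proftpd ($variant) =="
    audit_proftpd "$SAMPLE_DIR/proftpd-$variant.conf"
done
```

Run it as-is to see the weak variants produce two findings each and the hardened ones none; on a live host, call audit_vsftpd or audit_proftpd with the real config paths. The checks are deliberately conservative: they only read the daemon's own config and the deny list, so an FTP daemon that is simply not installed produces findings that can be ignored.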

My point is that being a Linux administrator does not mean you can be lazy and "set it and forget it". You are still responsible for the security of your site and servers. It is lazy administrators of this kind who could cost Linux the reputation for security it has fought hard to earn. Linux is a secure OS, and Linux servers are powerful and secure servers, but a lazy administrator is nothing more than a watchman asleep at his post: eventually someone who shouldn't be in the building is going to walk through the door and wreak havoc. Don't be a lazy Linux administrator. Don't set and forget your servers. Don't neglect updates and security. Don't be part of the problem; be part of the solution.
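The injected hidden iframes mentioned above are easy to spot mechanically once you know to look. As an added example that is not part of the column, this shell script walks a web root and reports every iframe hidden with display:none, visibility:hidden or a zero-sized frame, while leaving a legitimate, visible embed alone. The web root and its pages are constructed for the demonstration; the hostnames under .invalid are placeholders.

```shell
#!/bin/sh
# Added example, not code from the column: find injected, invisible <iframe>
# tags of the kind the compromised sites were serving. A legitimate embed is
# visible; an injected one is usually hidden with display:none,
# visibility:hidden, or a frame of zero width or height. The web root and its
# pages are constructed below; hosts under .invalid are placeholders.

# ERE for an iframe tag carrying one of the usual "hide me" markers.
HIDDEN_IFRAME="<iframe[^>]*(display:[[:space:]]*none|visibility:[[:space:]]*hidden|(width|height)=[\"']?0+(px)?[\"']?([[:space:]/>]|\$))"

# Print file:line:matched-tag for every hidden iframe under the directory given.
# grep -H forces the filename even when only one file is searched.
find_hidden_iframes() {
    find "$1" -type f \( -name '*.html' -o -name '*.htm' -o -name '*.php' \) \
        -exec grep -E -H -n -i -o "$HIDDEN_IFRAME" {} + 2>/dev/null || true
}

# Number of hidden iframes found; 0 means nothing suspicious.
hidden_iframe_count() { find_hidden_iframes "$1" | wc -l | tr -d ' '; }

# Constructed web root: one clean page and two infected ones.
WEBROOT=$(mktemp -d)
trap 'rm -rf "$WEBROOT"' EXIT
mkdir -p "$WEBROOT/about"

cat > "$WEBROOT/index.html" <<'EOF'
<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example.com/embed/video" width="560" height="315"></iframe>
</body></html>
EOF

cat > "$WEBROOT/about/index.html" <<'EOF'
<html><body>
<p>About us</p>
<iframe src="http://malware.invalid/in.php" style="display:none"></iframe>
</body></html>
EOF

cat > "$WEBROOT/contact.php" <<'EOF'
<?php echo "Contact us"; ?>
<iframe src="http://malware.invalid/ld.php" width=0 height=0 frameborder=0></iframe>
EOF

find_hidden_iframes "$WEBROOT"
```

Pointed at a real document root, the script lists the two infected files with line numbers and skips the clean page. Any file it flags deserves a diff against a known-good copy from version control or backup, and a hit is also the cue to rotate every credential (FTP included) that could have been used to write to that directory.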

Open Sourcery: this was published in Open Sourcery; check every Monday for more stories.

Comments

1

Xxtjaxx - 22/09/09

That's why I use ProFTP and do my cron'd updates daily around 6 and 8 am; while it happens I'm either asleep or somewhere else. But of course everything is logged to the root user's dir so that I simply get the output of each of the daily updates. Thanks to Debian that makes it so easy to keep yourself secure.

2

DDevine - 22/09/09

Yes, there are some lazy and also downright stupid Linux admins around, but I still see that the overwhelming majority of lazy admins are Microsoft-based admins. I see a lot of networks in my job and nearly every time I am left wondering how the hell the admin could let it get that bad, or implement and maintain horribly bad solutions.

I think lazy admins are criminals, no better than thieves. They are willing to sell off the company's information to the first cracker.

3

JP - 22/09/09

This is exactly why the root user should be locked away with no access to it from anywhere. Allowing any kind of remote root access is a major security faux pas.

Updates do matter as software is written by humans who are proven to be imperfect.

Good article.

4

krishoneil - 22/09/09

Better than FTP is to use SCP or SFTP. Secure, reliable and runs over SSH.

5

ipoz - 22/09/09

While I was editing some HTML files for my client I came across a very odd JavaScript at the bottom of the file. I downloaded this file from the client's web site. When I checked the other HTML files I found the same/similar script. To my horror, I realised that the Linux web server had been hacked and the files modified. I had to work overnight to clean up all the mess.
The next day I received an email (claiming to be from the web hosting firm) asking me to click a hyperlink to change my password. The hacker had realised that his/her tracks had been discovered and was trying his/her luck once more.

6

dr. Hannibal Lecter - 22/09/09

The same thing happened to me, "set it and forget it"... all was well until our CEO got an email warning the company of a PayPal phishing site on our server. Boy, that was embarrassing... :-/

Lesson learned!

p.s. I believe the correct phrase is "wreak havoc", not "wreck havoc". ;)

7

Dohn Joe - 23/09/09

The funniest part about this is that you have to be exceptionally lazy and incompetent to take it in the chute while running linux (server or otherwise).

Windows...securing that environment is a minimum $1,500,000/year endeavour...

8

Romase - 04/10/09

site best