Protect,your,web,assets,Linux, technology Protect your web assets - Is Linux still safe?
Active shredder safety technology for the small office. Shreds 15sheets per pass into 5/32" x 1-1/2" cross-cut particles (Security Level3). Patented SafeSense® Technology stops shredding when hands touch thepaper opening. Designated shredde The electronic cigarette is not new. People who buy electronic cigarette knows that this product has been in the market for years now. Despite some sectors apparently trying to shoot the product down from the shelves, the popularity of elect
The Register is reporting that Linux servers have beenrecruited into a botnet. In May we saw TROJ/JSRedir-R and many variants thereofattacking web servers.Last November SophosLabs reported that after more thansix years there are still over 10 thousand Linux hosts infected withLinux/Rst-B. What does this all mean? What it means is that non-Windows hostsare vulnerable, contribute to the global security problem and cannot be ignored.Thereare viruses and worms for Linux; however, the greatest threat posed by Linux isits primary use as a server for many mission-critical, sensitive, andpublic-facing applications.According to netcraft.com Apache has a 47.17 percentmarket share as of August 2009 (mostly Linux). There are three primary means bywhich attackers are compromising Linux hosts.I will outline each of these andprovide advice on what you might do to protect your Linux assets from intruders.Problem: Password guessing SSH attacks.Too many systems use trivial passwordsand predictable usernames for critical accounts.As mentioned in the SophosLabsblog on Linux/Rst-B, by guessing accounts such as root, apache, mysql, wwwuserand other stock accounts, bots are able to automatically scour the internet andfind weak systems to exploit. Solution: Use non-standard account names.Dontallow keyboard interactive logins on your OpenSSH server, and require the useof password-protected keys.This will eliminate close to 100% of attacks withvery little effort.University of Georgia has a great Linux tutorial, andUniversity of California at Berkeley has a tutorial for Windows. Problem:Compromised FTP passwords.FTP does not encrypt credentials when sent across thewire.A combination of methods are being used to steal FTP passwords includingmalware on Windows hosts to scrape FTP passwords from client computers andsniffing network traffic in search of FTP transactions.The primary reason touse authenticated FTP these days is updating web content. Solution: Stop usingFTP...Really.Its long past its due date and its time to move on to SCP and SFTP.Windowsusers who are familiar with many of the graphical FTP clients out there willfind a comfortable friend in WinSCP.Another best practice to follow is nevertell applications on any operating system to Remember my password.I have seen alot of malware on Windows that specifically hunts down these stored passwordsto send back to the criminals for their dastardly uses. Problem: Insecure webapplications.Every week I receive a list from the SANS Institute containing allthe known web-based applications that have had vulnerabilities discovered sincethe previous week.The list is very long, and not updating any one of them canallow an attacker to compromise your host. Solution: Carefully audit allsoftware used in hosting applications to the open internet.Subscribe to thesecurity mailing lists for all utilized applications including BIND, Apache andall web hosted applications.By subscribing to lists like SANS mentioned above,you can do a quick weekly audit to see if applications you depend on have reportedvulnerabilities.The best defense is to stay on top of where your weaknesses maybe, and to patch early and often.
Protect,your,web,assets,Linux,