[kwlug-disc] Security arguments

Tue Sep 22 10:58:57 EDT 2009

On Tue, Sep 22, 2009 at 10:26 AM, Raul Suarez <rarsa at yahoo.com> wrote:

> Hi,
>
> I made the mistake of making an of the cuff remark regarding web server
> security without doing my homework.
>
> One of the arguments from Khalid in his Apache presentation was that there
> were more Apache servers but still more attacks on windows servers,
> disproving the theory that Linux is not attacked because it just has a low
> market share. What I understood was that the IIS breaches were more frequent
> and more public and I took that understanding at face value.
>

> Of course I may need to eat my hat as this person brought up this link,
>
>
> http://www.h-online.com/news/Linux-web-servers-broken-into-most-often--/110341
>
> I've said in the past that facts should trump FUD and I've tried to be very
> objective when talking about Linux to maintain credibility but now I feel
> that that link breaks one of my "strong" arguments.
>
> I know that facts and interpretation of the facts aren't always the same
> thing. Even facts could be perceived differently depending on the angle you
> look at them at.
>
> Up until now I've been convinced by what I've seen that Linux is safer than
> Windows but my Linux experience is on the desktop. Now I realize that I've
> extrapolated that to servers without having first hand experience.
>
> The question is clear and open:
>
> What are the facts, hopefully statistically based, that prove that Linux
> Web servers are safer than Windows Web servers?
> Or even that Apache is more secure than IIS?
>
> I think it's a valid question and one that may help us better position our
> arguments in favour of Linux.
> Raul Suarez
>
>
> Technology consultant
> Software, Hardware and Practices
> _________________
> http://rarsa.blogspot.com/
> An eclectic collection of random thoughts
>

The argument is still valid: "Apache [open source] despite being the most
widely used web server, has less expolits than Microsoft IIS [closed
source]".

Let us ignore the desktop for now, and focus on servers.

We don't see worms targeting Apache on Linux, but we did see worms targeting
Microsoft IIS and MS-SQL (Nimda, Code Red, and many others).

Apache on its own is very solid. In combination with Linux it is still very
solid.

Where the weakness lies is in cheap shared hosting, the $4.99 a month
unlimited bandwidth, unlimited disk space, ...etc.. Some admins are lax and
don't apply security updates. But what really compounds the issue is end
users who are not computer people, downloading and installing some
application (be it a CMS, forum software, blog platform, ...etc.) and then
not updating it ever after that. The result is in a year or two, known
exploits are used by bots or script kiddies, and hence sites get defaced.

Weaknesses include SQL injection, Cross Site Request Forgeries (XSRF), Cross
Site Scripting (CSS), and many others. See here
http://en.wikipedia.org/wiki/Category:Web_security_exploits. If you write
your own software that will live in a hostile environment (the web), then
you have to know them all, or use a framework that makes it less prone to
have these. If you are like most people and use software that you download,
then subscribe to their security mailing list and stay up to date all the
time.

Note the similarity with the Windows desktop where users are the weakest
link (e.g. clicking on an attachment in an email from someone they don't
know).

Add to that laxness of admins the enabling of unencrypted protocols, such as
FTP, and you have more that one attack vector. There are applications that
store online passwords (forgot its name) that people use, then if their PC
gets exploited, then their online accounts are broken into using this
application that happily has all the FTP accounts.

Since most hosting is on Apache, by sheer market share, the figures show
more defacement on Apache, although the exploit is not in the Apache level.

There has not been any worms that target Apache, but we have seen a few that
target IIS specifically.

Examples:

http://www.cert.org/advisories/CA-2001-11.html
http://www.viruslist.com/en/viruslist.html?id=4226

The only time my home server got attacked was when I was running Mandrake,
and did not update a package (awstats). The exploit dropped an IRC server in
/tmp, and ate a lot of CPU, but did not do any other damage. Ever since I
switched to Ubuntu/Debian, there has been no such thing, since it is easier
to stay up to date.

The only time I had a site defaced was on shared hosting where FTP was
enabled, and I can't keep the stack is up to date.
-- 
Khalid M. Baheyeldin
2bits.com, Inc.
http://2bits.com
Drupal optimization, development, customization and consulting.
Simplicity is prerequisite for reliability. --  Edsger W.Dijkstra
Simplicity is the ultimate sophistication. --   Leonardo da Vinci
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://kwlug.org/pipermail/kwlug-disc_kwlug.org/attachments/20090922/bd105db4/attachment.htm>