Exploring the Misconceptions of Linux Security: Focus

Don’t Assume Systems Are Secure Because They are Running Linux – Administrators Must Make Them Secure.

PUNTA CANA – Several presentations at the Kaspersky Lab Security Analyst Summit focused on vulnerabilities in industrial control systems, point-of-sale systems, and airport security scanners. Since most of the targeted systems discussed run some form of Windows or Android, it is easy for a Linux administrator to feel complacent.

Security isn’t just something only Windows users need to worry about. The past few years have clearly proven that the old assumption about Macs not getting malware was false. Linux users smirking, “Just switch to Linux,” and claiming the operating system is somehow “better” than others have to realize they are just as vulnerable to cyber-attacks as anyone else.

“There is a perception out there that Linux systems don’t need additional security,” said David Jacoby, a senior security researcher for the Global Research and Analysis Team at Kaspersky Lab. This is a problem since Linux servers are increasingly coming under attack, he said.

The primary dangers facing Linux systems aren’t zero-day vulnerabilities or malware, but things like Trojanized applications, PHP backdoors, and malicious login attempts over SSH. If the computer has a weak password, or if a component such as the SSH daemon or the SSL/TLS server is configured incorrectly, attackers will find a way to break in. Administrators also can’t rely on network defenses such as intrusion detection systems or Web application firewalls to detect when someone uploads an exploit kit or overwrites a file on the host with a backdoored version.

Lest anyone feel inclined to dismiss the threats against Linux machines, especially servers, it’s important to realize that attacks have already happened. Just last year, attackers breached several Web servers and installed a version of the “itsoknoproblembro” toolkit in order to launch a series of powerful distributed denial-of-service attacks against banks and other financial institutions in the United States. The toolkit runs on both Linux and Windows, and considering how Linux and Apache dominate the Web server market, it takes simple mathematics to conclude that Linux servers were among the victims.

In November 2013, Symantec discovered that a group of sophisticated attackers developed a way to evade detection by using a Linux backdoor designed to hide communications.

A significant portion of the world’s data centers run Linux, and many organizations have some of their most critical applications running on these systems. Yet many of these systems are likely running outdated software. Because most Linux distributions don’t have a scheduled Patch Tuesday release as Windows systems do, updates are frequently applied on an ad hoc schedule. Many patch management systems in the enterprise don’t include Linux systems, which means administrators don’t have an easy way of knowing what versions are running or which ones need to be updated.

When it comes to securing a Linux machine, the answer is not installing an antivirus or some other security software. The key lies in hardening the operating system. The Linux operating system can be very secure, but what people don’t realize is that the default configuration is not secure at all, Jacoby said. For administrators to really benefit, they need to take the extra steps to turn on those security features, he said.

“The main problem is that these system administrators think their [Linux] systems are so secure, when they haven’t actually done anything to secure them,” Jacoby said.

For example, the default Linux configuration for most distributions does not restrict login attempts, Jacoby warned. Attackers can attempt to brute-force passwords by running through a list of possibilities without having to worry about locking out the account or getting disconnected from the server. This is something the administrator has to configure manually, and many don’t, Jacoby said.
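As an added example (not part of the article, and not Kaspersky's or Jacoby's material), the POSIX shell script below shows the two things an administrator has to do by hand on such a default install: spot password guessing over SSH in the log, and check sshd_config for the directives that bound it. The auth.log excerpt and the configuration are constructed samples; the directive names (PermitRootLogin, PasswordAuthentication, MaxAuthTries, LoginGraceTime) are real OpenSSH keywords, and the source addresses come from the documentation ranges.

```shell
#!/bin/sh
# Added example for this article: detect SSH password guessing in log lines
# and audit/harden sshd_config against it. Not code from the article or
# from Kaspersky; the log lines and config below are constructed samples.

# Constructed auth.log excerpt in OpenSSH's own message format. Source
# addresses are from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
SAMPLE_AUTH_LOG='Mar  3 10:01:02 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:04 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:05 web1 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Mar  3 10:01:07 web1 sshd[2205]: Failed password for invalid user oracle from 203.0.113.7 port 51031 ssh2
Mar  3 10:01:09 web1 sshd[2207]: Failed password for invalid user test from 203.0.113.7 port 51033 ssh2
Mar  3 10:02:11 web1 sshd[2210]: Failed password for alice from 198.51.100.4 port 40110 ssh2
Mar  3 10:02:20 web1 sshd[2212]: Accepted publickey for alice from 198.51.100.4 port 40112 ssh2
Mar  3 10:03:00 web1 sshd[2214]: Invalid user ubuntu from 203.0.113.7 port 51040'

# Constructed sshd_config with the permissive values many installs keep.
SAMPLE_SSHD_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
#LoginGraceTime 2m
UsePAM yes'

# ssh_bruteforce_sources [THRESHOLD]   (log on stdin)
# Prints "<count> <ip>" for each source with at least THRESHOLD (default 5)
# failed password attempts, valid and invalid usernames alike.
ssh_bruteforce_sources() {
    grep 'sshd\[[0-9]*\]: Failed password for' |
        sed -n 's/.* from \([0-9.]*\) port .*/\1/p' |
        sort | uniq -c |
        awk -v t="${1:-5}" '$1 >= t { print $1, $2 }'
}

# _sshd_check KEYWORD ACCEPT_REGEX MESSAGE   (config text in $SSHD_CFG)
# The first uncommented occurrence of KEYWORD wins, as in sshd itself.
_sshd_check() {
    val=$(printf '%s\n' "$SSHD_CFG" |
          awk -v k="$1" 'tolower($1) == tolower(k) { print $2; exit }')
    if [ -z "$val" ]; then
        printf '%s not set explicitly: %s\n' "$1" "$3"
    elif ! printf '%s\n' "$val" | grep -Eqi "$2"; then
        printf '%s is %s: %s\n' "$1" "$val" "$3"
    fi
}

# sshd_config_findings   (sshd_config on stdin)
# One line per directive that is missing or weaker than the accepted values.
# LoginGraceTime is compared in plain seconds; suffixed values such as 2m are flagged.
sshd_config_findings() {
    SSHD_CFG=$(cat)
    _sshd_check PermitRootLogin '^(no|prohibit-password)$' 'root must not authenticate with a password'
    _sshd_check PasswordAuthentication '^no$' 'require keys so there is no password to guess'
    _sshd_check MaxAuthTries '^[1-3]$' 'limit attempts per connection'
    _sshd_check LoginGraceTime '^([1-9]|[1-5][0-9]|60)$' 'drop unauthenticated connections within 60 s'
}

# sshd_config_harden   (sshd_config on stdin, hardened config on stdout)
# Drops any existing setting of the four directives and appends strict values.
# Validate the result with `sshd -t -f <file>` and keep a session open while reloading.
sshd_config_harden() {
    cfg=$(cat)
    for pair in 'PermitRootLogin no' 'PasswordAuthentication no' \
                'MaxAuthTries 3' 'LoginGraceTime 30'; do
        key=${pair%% *}
        cfg=$(printf '%s\n' "$cfg" | awk -v k="$key" 'tolower($1) != tolower(k)')
        cfg=$(printf '%s\n%s\n' "$cfg" "$pair")
    done
    printf '%s\n' "$cfg"
}

printf '%s\n' "$SAMPLE_AUTH_LOG" | ssh_bruteforce_sources 5
printf '%s\n' "$SAMPLE_SSHD_CONFIG" | sshd_config_findings
```

Run the audit against the live file with `sshd_config_findings < /etc/ssh/sshd_config`. The sshd directives only cap attempts per connection; the per-source lockout the paragraph describes still has to come from something like pam_faillock or a fail2ban sshd jail, which consume the same "Failed password" lines the first function counts.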

Another example: by default, one user can see the contents of another user’s directory, provided they know the directory name. Users shouldn’t be able to read files that belong to other users, and more importantly they shouldn’t be able to execute them either, Jacoby said. An attacker can simply run through a list of common directory names, such as scripts, backup, shared, common, and main, and see which ones succeed. Considering that so many people don’t change the directory names of Web applications, such as their WordPress installation, figuring out the directory path isn’t all that difficult.
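As an added example (not code from the article), the script below finds home directories that grant "other" users read or search permission and strips those bits. It builds a constructed sample tree in a temporary directory so it runs unprivileged; point the two functions at /home on a real host. Search (execute) permission on a directory is the bit that matters for the guessing attack described above: without listing rights an attacker can still read any file whose path they can predict.

```shell
#!/bin/sh
# Added example for this article: find home directories other users can read
# or traverse, then remove those bits. Not code from the article; the sample
# tree is constructed in a temporary directory so the script runs unprivileged.

# make_sample_home
# Builds four home directories with modes seen in the wild; prints the base path.
make_sample_home() {
    base=$(mktemp -d)
    mkdir -m 755 "$base/alice"   # the classic default: anyone can list and read
    mkdir -m 711 "$base/bob"     # no listing, but a guessed path is still readable
    mkdir -m 750 "$base/carol"   # group members only
    mkdir -m 700 "$base/dave"    # owner only
    printf '%s\n' "$base"
}

# world_accessible_dirs BASE
# Prints "<mode> <name>" for every directory directly under BASE whose mode
# grants "other" read (-004) or search (-001) permission, sorted by name.
world_accessible_dirs() {
    find "$1" -mindepth 1 -maxdepth 1 -type d \( -perm -004 -o -perm -001 \) |
        sort |
        while IFS= read -r d; do
            printf '%s %s\n' "$(ls -ld "$d" | awk '{ print $1 }')" "$(basename "$d")"
        done
}

# lock_down_home_dirs BASE
# Removes all "other" permissions from each top-level directory under BASE.
# For accounts created later, set HOME_MODE 0750 in /etc/login.defs
# (shadow-utils) so useradd does not recreate the problem.
lock_down_home_dirs() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -exec chmod o-rwx {} +
}

HOME_BASE=$(make_sample_home)
echo "before:"; world_accessible_dirs "$HOME_BASE"
lock_down_home_dirs "$HOME_BASE"
echo "after:";  world_accessible_dirs "$HOME_BASE"
rm -rf "$HOME_BASE"
```

On the sample tree the audit reports alice (755) and bob (711) and is silent for carol and dave; after the fix it reports nothing. Web applications served by a system account (the WordPress case in the text) need the same treatment inside the document root: the web server's group gets read access, "other" gets none.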

Many administrators claim their servers are secure because they installed SELinux, but they forget that SELinux is just a series of policies, which needs to be tweaked, Jacoby warned. For example, SELinux by default restricts SQL client connections from shell, but does not stop attempts from a PHP script, he said.

Instead of just saying the systems are secure because they are running Linux, it’s time for administrators to actually make them secure. “Linux by default is not secure, but if administrators take extra steps, it can be secure,” Jacoby said. 
