Are linux servers more prone to be hit by a botnet
Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Hi,
I have concerns regarding the protection of Linux servers. I heard in a video blog that a survey by an antivirus software company has found that the botnets that targeted Linux servers are more active. The detailed video blog can be found here: http://www.storagepipe.com/blog/DDoS...Force-Malware/ This, I think, is a major concern since cyber crimes are on the rise these days.
Is this really true?
I would appreciate suggestions to prevent such attacks.
Well, what does "significantly more active" mean? Does it mean that they propagate and infect more, or do they perform more IP batch scans? Are there more than for Windows? Or are the ones coded for Linux fewer and better coded, making them more aggressive?
I think the major concern here is that people use servers to learn etc.; I am guilty of that too. In the beginning there is so much to absorb, and security settings may not have been learnt yet. So maybe those systems are a bit weak compared to professional production servers. Then add to it the speed of connections lately. I have 1 gig fiber up and down. My computer is valuable just because of that type of speed.
People always say Windows is weak etc., but it has the same security rating as Red Hat. These articles can be a tad misleading.
Both Windows and Linux can be very secure. How they are configured and maintained is the problem.
But I do agree that botnets are a pain in the behind, and they are nasty.
It is a bit like the ransomware stuff. The only people I know who got it were mucking around on the dark web with Tor.
I would however take research by an antivirus company with a grain of salt. That is very generic, and normally companies finding such things will put a name behind it, unless they are afraid they talk bollocks and other companies cannot verify their claim.
For the average computer user not messing with advanced features etc., Linux is still a safer option than Windows.
On average I get about 42000 port scans a day, at least those are the ones Snort detects and blocks. That is just for the HTTP, HTTPS, email and SSH ports. The rest I do not bother with because they are all blocked.
Snort should stop most things getting in. If they do get in, certain traffic patterns will be blocked on the outbound route. After that there is the server firewall doing its job, and, to contain things in case they get in, SELinux doing what it does.
Is it easy to get in? No, a typical script kiddie probably won't get through. Is it impossible? Heck no. But then again, who will bother actively hacking something like mine without valuable info...
The way to think of it is not to stop a hack. That is impossible. Concentrate on how to recover when hacked. And do things in layers. Never rely on a single item to protect your machines. Do not run every possible service on a single machine. And do not do everything as root.
That advice has been preached for ages. It is old, but the reason everyone repeats it is because it works for the majority of issues.
The biggest security risk for huge companies is always the user, intentionally or inadvertently causing issues. That is true whether using Windows, Linux, BSD or whatever else.
Last edited by ericson007; 01-19-2017 at 02:12 AM.
Windows Server out the box is as secure as any linux server install.
I'll even be controversial here and state that in my experience Windows Servers are more secure than linux servers!
Why? In my experience there are many more "wannabe" linux admins (and I use the term loosely!) that will public-face a linux server. We see it on this forum all the time, "How can I allow public traffic through my router so I can run my website at home?" (If you don't know how to configure a router to do that then you don't have the experience to securely run a server at home, just saying!)
If we're talking about botnets that want to exploit servers rather than user workstations then it makes much more sense to target linux servers rather than Windows based on sheer market share.
However, these botnet exploits will typically not be aimed at O/S vulnerabilities but at application vulnerabilities. Indeed, not even necessarily application vulnerabilities but third-level vulnerabilities, e.g. badly written web-app plugins or scripts.
Why target linux servers? Because a LOT of servers can be poorly monitored; as long as they ping and whatever site they are serving is visible, it could be ages before anyone notices anything wrong. They will also, in all likelihood, be sitting in data-centers with nice connectivity.
As has been previously said, security is about layers, there's no one magic product, keep layering and layering.
It used to be the saying was "the only secure computer is the one that's turned off", although now with Wake-On-Lan able to remotely power up computers even that's not the case any more!
Agree with above. Then again, i am still a newb and make stupid mistakes. Those mistakes i try to mitigate and selinux did save my bacon a few times.
The reason, though, that there are more people asking about how to get their servers public is because it is free. Who wants to pay for a Windows Server license for that if they are experimenting?
I do think it is a good thing, though. Everyone has to learn from somewhere. But I also think guides should not be followed blindly.
That may be a case where you can say Windows is more secure, because generally it is deployed at company level and companies hire guys with training. So this is basically supporting what tententh said.
But i also do agree with both products being very very secure.
Last edited by ericson007; 01-19-2017 at 07:54 AM.
Simply put, the majority of web servers are hosted on Unix/Linux, which makes Unix/Linux a frequent target of DDoS attacks as well as other attacks (such as SQL injection in forum software, web-server exploits, SSH brute force, etc.), but these can more often than not be solved easily. Hosting your website with a provider that offers DDoS protection is a good start against most common "attacks" (you can rarely do much about this locally unless you have massive network capacity), or you can opt to use a CDN such as Cloudflare, which also protects you from various web-based attacks.
I would like to get the latest current information on how to deploy Snort in our particular situation.
We are running a commercial web site under VMWare cloud services at a cloud-hosting company. This has three Ubuntu VMs behind load-balancing that is provided by the cloud-host's infrastructure. Today, we spend several hours each and every day "swatting the ass-hats away" from the predecessor site. Obviously, we want both to reduce this and to do a much better job.
Snort seems to be an appropriate tool. I see that Cisco now owns the product and that it charges $399/year for a commercial subscription – which is no problem to the client – but of course I'd like to kick the tires with some free rules first.
One thing of particular interest is to detect and automatically stop "scraping."
I would therefore like to hear from – and receive up-to-date URLs from – anyone who is right now in the same situation that we are. You're managing a similar situation, right now, and you're using Snort or you'd recommend some other (open source) mixture of tools and techniques.
Hey there. I certainly do not configure Snort by itself, nor have I tried installing it by itself. I could not find a way for it to actively block intrusions, so unfortunately I have taken the easy route out.
I do have a small language school with an online learning platform and website. Nothing big etc. I certainly do not need commercial-level equipment to run the server.
So I have a sturdy CPU, tons of RAM and space, compared to a home-user situation. I then use KVM, and the one VM runs pfSense. That is the main router and firewall appliance for my whole network.
Snort runs on the router as a package you can install from the repositories, and they have already configured all the hooks etc. to work with the firewall. So when Snort picks up an alert, the IP is automatically put on the banned list for the time that you specify.
So sorry for not being specific, but this certainly is something you can test in a virtual environment.
Does it fit your requirements? Well, not sure, but in my case the network was designed around pfSense, and in that situation it does a more than fair job.
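The two mechanisms this thread keeps coming back to are the same idea: the pfSense Snort package putting an alerting IP "on the banned list for the time that you specify", and the earlier question about detecting and automatically stopping scraping. Both are a per-source rate threshold plus a ban that expires. The following is an added example written for this page, not code from the thread, pfSense, Snort or fail2ban: it runs a sliding-window counter per source IP over constructed combined-format access-log lines (scraper) and sshd "Failed password" lines (brute force) and maintains a ban list with expiry. The thresholds, hostnames, addresses (documentation ranges) and log lines are assumptions chosen for the demonstration; in production the ban decision would be handed to the firewall (a pf table or an nftables set) rather than kept in a dict.

```python
"""Added example: per-IP rate threshold with a timed ban list, run over
constructed log lines. Not code from the thread, pfSense or Snort."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format as written by nginx/Apache by default.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+'
)
# sshd authentication failure as it appears in auth.log / the journal.
SSHD_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for '
    r'(?:invalid user )?\S+ from (?P<ip>\S+) port'
)


class BanList:
    """Sliding-window event counter per source IP with a ban that expires."""

    def __init__(self, threshold, window_s, ban_s):
        self.threshold = threshold               # events inside the window that trigger a ban
        self.window = timedelta(seconds=window_s)
        self.ban_for = timedelta(seconds=ban_s)
        self.events = defaultdict(deque)         # ip -> timestamps still inside the window
        self.banned = {}                         # ip -> ban expiry

    def is_banned(self, ip, now):
        expiry = self.banned.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.banned[ip]                  # ban lapsed: unblock, counter starts fresh
            return False
        return True

    def record(self, ip, now):
        """Record one event for ip; return True if it triggered a new ban."""
        if self.is_banned(ip, now):
            return False                         # already blocked, nothing more to do
        q = self.events[ip]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()                          # drop events that fell out of the window
        if len(q) >= self.threshold:
            self.banned[ip] = now + self.ban_for
            q.clear()
            return True
        return False


def parse_access(line):
    """(ip, timestamp) from a combined-format access line, None if no match."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")


def parse_sshd(line, year=2017):
    """(ip, timestamp) from an sshd 'Failed password' line, None otherwise.
    Syslog lines carry no year, so the caller supplies it."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return m["ip"], ts.replace(tzinfo=timezone.utc)


def feed(lines, parser, banlist):
    """Push log lines through a BanList; return [(ip, time)] for each new ban."""
    bans = []
    for line in lines:
        parsed = parser(line)
        if parsed is None:
            continue                             # other service, malformed, or not a failure
        ip, ts = parsed
        if banlist.record(ip, ts):
            bans.append((ip, ts))
    return bans


# --- constructed sample input (assumed host names and documentation-range addresses) ---
BASE = datetime(2017, 1, 19, 10, 0, 0, tzinfo=timezone.utc)


def access_line(ip, t, path):
    return f'{ip} - - [{t:%d/%b/%Y:%H:%M:%S %z}] "GET {path} HTTP/1.1" 200 5123'


def sshd_line(ip, t, user):
    return (f"{t:%b %d %H:%M:%S} web1 sshd[2211]: Failed password for "
            f"invalid user {user} from {ip} port 51202 ssh2")


SAMPLE_ACCESS = (
    [access_line("198.51.100.4", BASE + timedelta(seconds=20 * i), f"/post/{i}") for i in range(3)]
    + [access_line("203.0.113.7", BASE + timedelta(seconds=i), f"/post/{i}") for i in range(25)]
    + [access_line("203.0.113.7", BASE + timedelta(minutes=15), "/post/99")]  # after the ban lapses
)
SAMPLE_AUTH = (
    [sshd_line("203.0.113.9", BASE + timedelta(seconds=5 * i), "admin") for i in range(6)]
    + ["Jan 19 10:01:00 web1 sshd[2212]: Accepted publickey for ops from 198.51.100.4 port 4431 ssh2"]
)

if __name__ == "__main__":
    web = BanList(threshold=20, window_s=60, ban_s=600)      # 20 hits/min -> 10 min ban
    print("scraper bans:", feed(SAMPLE_ACCESS, parse_access, web))
    ssh = BanList(threshold=5, window_s=600, ban_s=3600)     # 5 failures/10 min -> 1 h ban
    print("ssh brute-force bans:", feed(SAMPLE_AUTH, parse_sshd, ssh))
```

With these thresholds the 20th request from 203.0.113.7 within a minute triggers the ban, the five requests that follow are dropped without being counted, and the request fifteen minutes later is admitted again because the ban has lapsed; the fifth sshd failure from 203.0.113.9 bans that address for an hour. The caveat a practitioner will want: a per-IP threshold catches a single-source scraper or brute-forcer, but a botnet rotating through many addresses stays under it, which is why the earlier posts put this behind Snort and a host firewall as one layer rather than the only one.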
I use a combination of hosts and DNS entries from http://www.malwaredomainlist.com/ and other free sources, loaded into aiengine (https://bitbucket.org/camp0/aiengine) in an environment with VXLANs. All the information is sent to a database and later queried to monitor for issues. The main difference from Snort and Suricata is that it is reprogrammable in real time and you can do in Python whatever you like.