Decreasing vulnerability
In response to "I doubt that Microsoft is alone in suffering this problem", Tony Finch sent a pointer to "Know Your Enemy: Trends", a paper from The Honeynet Project that highlights a decrease in the success rate of attacks against Linux systems.
The executive summary includes:
The past 12-24 months has seen a significant downward shift in successful random attacks against Linux-based systems. Recent data from our honeynet sensor grid reveals that the average life expectancy to compromise for an unpatched Linux system has increased from 72 hours to 3 months.
Compare this to data from Symantec, referenced in the paper:
Data from the Symantec Deepsight Threat Management System indicates a vulnerable Win32 system has life expectancy not measured in months, but merely hours.
As mentioned before, this certainly matches with my own experience.
Included in the data gathered is information about a small number of Solaris systems. Of two Solaris 8 and two Solaris 9 machines, three were compromised within three weeks. The report notes that these systems have, by default, a large number of services enabled and no built-in host based firewall.
Disabling services by default is something that has been discussed within Solaris Engineering for some time. In the past it was necessary to fiddle with /etc/inetd.conf, etc. to effect changes, which complicated upgrades and made maintaining a large number of systems more complex than is ideal. With SMF there are now administration tools to manage many services so, for example, given that I don’t use rlogin, it’s straightforward to get rid of it:
: tarte-tatin#; svcs rlogin
STATE STIME FMRI
online Jan_11 svc:/network/login:rlogin
: tarte-tatin#; svcadm disable rlogin
: tarte-tatin#; svcs rlogin
STATE STIME FMRI
disabled 11:10:59 svc:/network/login:rlogin
: tarte-tatin#;
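The same idea scaled up to a list of legacy services, as an added example that is not from the original post: a small shell audit that reads the STATE/STIME/FMRI output of svcs, picks out legacy cleartext services that are still online and emits the matching svcadm disable commands. The list of legacy FMRIs and the sample svcs output are constructed assumptions; on a real system the input would come from svcs -a.

```shell
#!/bin/sh
# Added example (not from the original post): audit SMF state for legacy
# network services and print the svcadm commands that would disable the
# ones still online. Parses the "STATE STIME FMRI" columns svcs prints,
# so it can be exercised offline against captured output.

# Services this example treats as legacy (an assumption; adjust to taste).
LEGACY_FMRIS='svc:/network/login:rlogin svc:/network/telnet:default svc:/network/shell:default svc:/network/finger:default'

# list_online_legacy: read svcs output on stdin, print the FMRI of every
# legacy service whose STATE column is "online" (header line skipped).
list_online_legacy() {
    awk -v legacy="$LEGACY_FMRIS" '
        BEGIN { n = split(legacy, arr); for (i = 1; i <= n; i++) want[arr[i]] = 1 }
        NR == 1 && $1 == "STATE" { next }          # skip the column header
        $1 == "online" && ($3 in want) { print $3 }
    '
}

# disable_commands: for each FMRI on stdin, print the svcadm command that
# disables it persistently (svcadm disable -t would only be temporary).
disable_commands() {
    while IFS= read -r fmri; do
        [ -n "$fmri" ] || continue
        printf 'svcadm disable %s\n' "$fmri"
    done
}

# Constructed sample of what "svcs -a" might show on a partly hardened box:
# telnet is already off, rlogin and finger are still online, ssh must stay.
SAMPLE_SVCS='STATE          STIME    FMRI
online         Jan_11   svc:/network/login:rlogin
online         Jan_11   svc:/network/ssh:default
disabled       Jan_11   svc:/network/telnet:default
online         Jan_11   svc:/network/finger:default
online         Jan_11   svc:/system/filesystem/local:default'

# audit_sample: run the pipeline over the constructed sample and return the
# commands that would be executed; pipe the output into sh as root to apply.
audit_sample() {
    printf '%s\n' "$SAMPLE_SVCS" | list_online_legacy | disable_commands
}

audit_sample
```

Replacing the sample with `svcs -a | list_online_legacy | disable_commands` turns this into a review step before any change is made.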
Modifying Solaris so that it’s secure by default is an ongoing effort. Expect to see more services disabled by default and perhaps some modifications to the installation process to ask the administrator about an appropriate level of openness. Of course, fitting this all together with the process used to upgrade from, say, Solaris 8 to Solaris 10 is all good fun :-)
If you’ve played with any of the more recent Solaris Express builds then you’ll know that the excellent IP Filter is now included. Obviating the need for administrators to locate a version of IP Filter for their systems is obviously a good thing, particularly given that there were often problems building the 64 bit version.