Decreasing vulnerability

Posted on Jan 18, 2005

In response to "I doubt that Microsoft is alone in suffering this problem", Tony Finch sent a pointer to Know Your Enemy: Trends, a paper from The Honeynet Project which highlights a decrease in the success rate of attacks against Linux systems.

The executive summary includes:

The past 12-24 months has seen a significant downward shift in successful random attacks against Linux-based systems. Recent data from our honeynet sensor grid reveals that the average life expectancy to compromise for an unpatched Linux system has increased from 72 hours to 3 months.

Compare this to data from Symantec, referenced in the paper:

Data from the Symantec Deepsight Threat Management System indicates a vulnerable Win32 system has life expectancy not measured in months, but merely hours.

As mentioned before, this certainly matches with my own experience.

Included in the data gathered is information about a small number of Solaris systems. Of two Solaris 8 and two Solaris 9 machines, three were compromised within three weeks. The report notes that these systems have, by default, a large number of services enabled and no built-in host based firewall.

Disabling services by default is something that has been discussed within Solaris Engineering for some time. In the past it was necessary to fiddle with /etc/inetd.conf, etc. to effect changes, which complicated upgrades and made maintaining a large number of systems more complex than is ideal. With SMF there are now administration tools to manage many services so, for example, given that I don’t use rlogin, it’s straightforward to get rid of it:

: tarte-tatin#; svcs rlogin       
STATE          STIME    FMRI
online         Jan_11   svc:/network/login:rlogin
: tarte-tatin#; svcadm disable rlogin 
: tarte-tatin#; svcs rlogin          
STATE          STIME    FMRI
disabled       11:10:59 svc:/network/login:rlogin
: tarte-tatin#; 
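As an added example (not from the original post or from Solaris itself), the same SMF review can be scripted: the function below reads `svcs -a` output, keeps every online instance under `svc:/network/`, and prints the `svcadm disable` command for each one whose service is not on an allowlist. The `svcs` output here is a constructed sample and the ssh-only allowlist is an assumption; nothing is disabled until an administrator reviews and runs the printed commands.

```shell
#!/bin/sh
# Audit SMF service state from `svcs -a` output and emit the `svcadm disable`
# commands for every online network service not on the allowlist.
# Only prints commands; it never calls svcadm itself.

# Constructed sample of `svcs -a` output (a real run would pipe `svcs -a` in).
SAMPLE_SVCS='STATE          STIME    FMRI
legacy_run     Jan_11   lrc:/etc/rc2_d/S20sysetup
disabled       Jan_11   svc:/network/telnet:default
online         Jan_11   svc:/network/login:rlogin
online         Jan_11   svc:/network/shell:default
online         Jan_11   svc:/network/ssh:default
online         Jan_11   svc:/network/finger:default
online         Jan_11   svc:/system/filesystem/local:default'

# Network listeners that should stay enabled (assumed allowlist, space separated).
ALLOW='svc:/network/ssh'

# audit_services: read svcs output on stdin; print one "svcadm disable FMRI"
# line per online svc:/network/ instance whose service is not in ALLOW.
audit_services() {
    awk -v allow="$ALLOW" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "STATE" { next }                            # skip the header row
        $1 != "online" { next }                           # only running instances
        substr($3, 1, 13) != "svc:/network/" { next }     # only network services
        {
            fmri = $3
            svc = fmri; sub(/:[^:]*$/, "", svc)           # strip ":instance"
            if (!(svc in ok)) print "svcadm disable " fmri
        }'
}

# count_candidates: how many services the audit of the sample would disable.
count_candidates() {
    printf '%s\n' "$SAMPLE_SVCS" | audit_services | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_SVCS" | audit_services
```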

Modifying Solaris so that it’s secure by default is an ongoing effort. Expect to see more services disabled by default and perhaps some modifications to the installation process to ask the administrator about an appropriate level of openness. Of course, fitting this all together with the process used to upgrade from, say, Solaris 8 to Solaris 10 is all good fun :-)

If you’ve played with any of the more recent Solaris Express builds then you’ll know that the excellent IP Filter is now included. Obviating the need for administrators to locate a version of IP Filter for their systems is obviously a good thing, particularly given that there were often problems building the 64-bit version.