
Unpatched Linux Lives 3 Months on Internet

Allnighterking writes "The Honeypot project Honeynet.org has released their study on the expected lifetime of an unpatched default Linux install. If some of you remember AvanteGarde recently did a study of its own with several versions of Windows products and found that the average lifetime was about four minutes. Internet Week has an article on the study and the PDF with the full details of the study is available on Honeynet.org. Needless to say, from my viewpoint this is a good reason to limit Windows installations in IT that any PHB and/or Smiling Man can understand. Have them put into a spreadsheet and see what this kind of security means to their bottom line."
  • Re:Distro choice (Score:4, Informative)

    by dasunt ( 249686 ) on Friday December 24, 2004 @04:19AM (#11175260)

    It would be an interesting thing to see how the other dists would fare. I suspect Debian and Gentoo should survive quite a bit longer than those 3 months. After all, a default minimal Debian Woody installation is 34MB, compared to 0.5GB of Red Hat, and this means you simply don't have that many unnecessary services that can fail.

    Due to age, I am guessing that a Debian woody installation would fall rather quickly -- it's just too old. Sure, the minimal install is tiny, with almost nothing to hijack, but a typical default server install has far too many things listening on every interface.

    I'm curious how long an older (3.4 or 3.3) version of OpenBSD would have fared with a typical (not default) setup.

    (My server right now is running Debian Woody, and has been since Potato was stable.)

  • Re:Distro choice (Score:3, Informative)

    by BladeMelbourne ( 518866 ) on Friday December 24, 2004 @05:49AM (#11175436)
    Red Hat may not be the underdog in the Linux world - and ppl love the underdog and hate the top dog. But I wouldn't call it insecure because some people call it "Microsoft Linux".

    Why? I have never ever had any security problems. With or without iptables on. I have never used SELinux, I hear the security is beefed up.

    I have never encountered a "failed service" on RH or FC. OK VMware sometimes comes close ;-) But security being affected doesn't enter the equation.

    I would think an FC3 box with iptables, SELinux and unused services turned off would last much longer than all Debian boxes, except maybe unstable. But I don't have broadband at home, and the firewall at work is too beefy. So it's just a guess. Plus I don't want to be paying the electricity bill.

    I will agree with you that RH/FC come with too many services turned on after an install. And the minimal install size is far too big. But even on my 56 kbps modem, it's not unmanageable to keep up2date.

    I really don't know why anyone would use RH9 or earlier. They are outdated. Says me who dualboots FC3 and Win98. lol. To each his own...

    Merry Christmas :-)
  • by jbms ( 733980 ) on Friday December 24, 2004 @07:03AM (#11175633)
    Although exploits of facilities implemented in standard linux kernels, such as arp requests or ICMP echo requests, are possible, they are far rarer than exploits of higher-level network services, such as HTTP or SSH. Consequently, a basic install of a distribution such as Gentoo, in which only those basic network services implemented in the kernel are active, would likely remain unexploited for years. Of course, this only shows that in the case of Linux, the `base install' does not provide for a very good test. (In practice, people are far more likely to use Microsoft Windows, or Linux distributions with a more expansive `base install' than Gentoo or Debian, in their base configurations.)
  • Re:Best security (Score:4, Informative)

    by Isao ( 153092 ) on Friday December 24, 2004 @08:48AM (#11175871)
    it will not be connected to any outside network at all. your box will be. (Microsoft pulled this to give a high security rating to NT, i believe)

    Not exactly. I don't want to be an MS apologist, but the TCSEC rating that MS got for Windows NT was indeed while it was not connected to a network. We all agree that is rather useless these days. The problem was the TCSEC (Orange Book) certification; it specifically does not cover networked systems. Networks are covered by the Red Book. This problem is one of the reasons the Common Criteria was created, which can certify systems including networks.

  • I've seen this (Score:4, Informative)

    by anthony_dipierro ( 543308 ) on Friday December 24, 2004 @10:09AM (#11176119) Journal

    Last time I moved I set up my laptop running Win2K on my new DSL connection without a firewall. It was just for 5-10 minutes or so, to set up the connection. Within those few minutes, I managed to pick up a worm. This was even with most of the latest patches already installed.

    Firewalls/NAT greatly cut down on your risk. Running Firefox pretty much gets rid of the rest. But if you put Windows on the internet without a firewall and you're not a security expert who has done a thorough audit of your machine, you're asking for trouble.

  • Re:Distro choice (Score:3, Informative)

    by Profane MuthaFucka ( 574406 ) <busheatskok@gmail.com> on Friday December 24, 2004 @11:39AM (#11176479) Homepage Journal
    I'd expect Woody to survive a very long time, as it's just too old.

    You see, the packages in Woody are kept up-to-date in the security department. The age of the packages is irrelevant to the security of the packages. All security fixes are backported to the Debian stable distribution.
  • Re:Distro choice (Score:3, Informative)

    by dasunt ( 249686 ) on Friday December 24, 2004 @03:49PM (#11177846)

    You see, the packages in Woody are kept up-to-date in the security department. The age of the packages is irrelevant to the security of the packages. All security fixes are backported to the Debian stable distribution.

    I was referring to the test -- which did not involve any security updates.

    In such a situation, an unpatched Debian woody distro may fall rather quickly.
