Re: *** spammers



On Mon, 09 Jan 2006 22:21:13 +0000, Mike <mike@xxxxxxxxxxxx> wrote:

I wonder why you feel that a public telnet server is a bad idea. I
did not have any "guest" or "anonymous" login set up for either FTP or
Telnet. There are many systems on the Internet that are capable of
being remotely accessed via Telnet.

>You held the logs locally, then. A more experienced administrator
>might have chosen to send syslog records to another machine where they
>couldn't have been altered retrospectively.
>
>>The reason I initially chose Linux for my servers was because I
>>believed it less vulnerable to attack. Boy, was I wrong!
>
>You had one unfortunate experience, perhaps due to inexperience, and
>this has coloured your opinion. Linux and the various versions of
>unix are in fact several orders of magnitude less vulnerable to
>attack. Without knowing the details of your experience, I suspect
>that a fix to the exploit used to gain access to your system was
>available at the time but you weren't aware of it.

Sure, just about any system can be made safe if the administrator has
intimate knowledge of the system and all the potential vulnerabilities
and applies all the available patches and blocks. That is hardly the
same as claiming that the system is inherently safe - which implies
that an *inexperienced* user would be able to create a safe system.

>>After
>>replacing it with a Windoze system that does the same thing, I have
>>suffered only one relatively minor attack in the past 2 years.

>Good, although I wonder what you mean by "attack". My firewall sees
>typically several thousand attempts per day to exploit known
>vulnerabilities in Windows.

Poor wording - I meant that it has not been compromised. I get a lot
of attempts to exploit vulnerabilities that do not exist in my systems
because of the regular automatic updates that are available for Windoze
without me needing to spend hours searching the Internet for
information. The patches are installed automatically without me
needing to read through reams of nerdish information and seeking out
patches and applying them by hand. The automatic patches may not do
as good a job as an experienced Linux expert could apply after
spending a few hours of research a day, but they do not involve me in
needing to spend that sort of time or understand every nuance of the
OS.

>>ISTM that most Windoze nasties are geared toward infecting computers
>>that people are using as a client station (via files that the user
>>opens and web pages accessed etc.), whilst Linux nasties are geared
>>toward computers used as servers rather than depending on the user's
>>actions, and infect via ports that have to be open (DNS, HTTP, POP3
>>etc.) by exploiting vulnerabilities in the running service.
>
>None of those ports have to be open. The first rule of computer
>security is to open only those ports that need to be open. This is a
>concept that Windows hasn't yet taken on board! There will be no
>vulnerabilities to exploit if the administrator keeps up to date with
>security announcements.

Yes - and just as you have pointed out that you have to become an
experienced administrator to make a Linux system safe rather than
simply using the default setup that came out of the box, so is it even
easier to switch off the open ports that Windoze sets up as default.

Don't get me wrong - I am not a Windoze apologist and consider it a
cumbersome and bloated system with many faults. It is just that I
also do not see Linux as being a vastly superior system that is a
panacea for all of Windoze's ills. To me, a computer is a tool rather
than an end in itself, and I no more wish to have to become expert in
all the details of operating systems than I would want to have to
understand all the intricacies of drop-forging and metal treatment
etc. before I can use a pair of pliers with confidence.

One thing that I do like tremendously about Linux is that it is not
made up of bloated and inefficient software that has to be provided
with faster and faster CPUs and more and more memory in order to
overcome its poor design. Low-grade machines that would be useless
for running the current Windoze systems can run Linux with resources
to spare, and perform faster than a Windoze system on a PC with 4
times the hardware performance. I just don't want to spend the time
required to become expert enough to set up a usable secure system. To
put a new application on a Windoze system typically involves loading a
CD and making a cup of coffee while it automatically installs itself.
A new application on a Linux system typically involves hours of
research to figure out how to install it, followed by days of tweaking
and trial-and-error in order to get it working. It took me two weeks
and many hours searching out snippets of information and following
enigmatic clues before I could make even elementary changes to my
Dreambox - though in that case it is a hobby rather than business so I
don't mind the work (it is enjoyable). Totally different to a
situation where my marketing department needs to get a new application
up & running ASAP - and the users trained in its use.

--
Cynic
