While a managed server running Linux is very secure compared to the alternatives, no operating system is invulnerable.
When it comes to choosing an operating system to use on a server, security is of paramount importance. General scuttlebutt has it that Linux is vastly more secure than alternatives — alternatives that aren’t based on Unix, at least. To a degree, this is true, but it’s far from the case that Linux is completely invulnerable. To think otherwise is to risk taking a complacent attitude to server security, which can lead to server owners being taken unawares when they end up being hacked.
We’re going to cut through the misleading flimflam promulgated by fanboys and the ill-informed so that you can make informed decisions about the security issues that come with running a Linux server.
But There Are No Linux Viruses, Right?
Yes and no. From the start, Unix was designed to be a multi-user system. It was used in large organizations like universities where many individuals had accounts on the same system. To maintain the viability of such a network, Unix was designed to be suspicious of its users. It isn’t a “we’ll warn you, but then you can do what you want” sort of system. Unix requires users to explicitly identify themselves before they are able to change anything outside of a narrow range of files. Linux inherited this permissions structure. To get administrative access, you need the root password or a substitute, such as being added to the list of sudoers.
The Linux user permission model is granular and strict: that’s a problem for malware creators because although they may be able to get files onto the system, without adequate permissions those files will not be executed, and even if they are, unless they are given root permissions they can’t change anything vital on the system.
In general, Linux is a barren landscape for malware. There are Linux viruses, but they are usually proof-of-concept academic exercises rather than threats that will bother system administrators.
So, What’s The Problem?
While it’s true for the most part that you won’t have to worry about your Linux server “getting a virus”, that’s not the only security issue that system administrators have to deal with.
There are a couple of other classes of problems that can lead to a server being hacked.
Vulnerabilities In The Software
Modern software is extraordinarily complex, and, from time to time, mistakes are made that open a server up to exploitation by hackers. For example, most Linux web servers run a LAMP stack: Linux, Apache, MySQL, and PHP (or another P-language, like Python). Vulnerabilities in these packages can allow hackers to inject malicious code or perform privilege escalation attacks in which they are able to gain root access.
You might think this is unfair because the software running on Linux isn’t, strictly speaking, Linux; that’s the kernel. But most server owners care about the whole package, not just the kernel, and besides, the kernel isn’t immune to programming errors or to exploitation.
This one is even more frequent. Novice server users often make a couple of mistakes that can leave the door to their server wide open. They fail to update in a timely fashion and they use weak passwords.
In the previous section, we talked about software vulnerabilities. These are usually discovered and then fixed by updates, hopefully before the bad guys find out about them.
Hackers are very good at guessing passwords. They have large password databases that include all the most commonly used passwords. If the root account or users with administrative privileges have a weak password, it’s fairly trivial for hackers to use a brute force attack to gain access.
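As an added example (not part of the original article), the script below shows how password guessing of this kind appears in an OpenSSH authentication log and how an administrator can flag it. The log lines, host name, addresses and threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Message formats written by OpenSSH's sshd to the auth log.
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"Accepted password for (\S+) from (\S+) port \d+")

# Constructed sample lines (documentation-range IPs), not real log data.
SAMPLE_LOG = """\
Mar  3 04:11:01 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar  3 04:11:03 web1 sshd[2103]: Failed password for root from 203.0.113.7 port 40114 ssh2
Mar  3 04:11:05 web1 sshd[2105]: Failed password for invalid user admin from 203.0.113.7 port 40120 ssh2
Mar  3 04:11:08 web1 sshd[2107]: Failed password for root from 203.0.113.7 port 40126 ssh2
Mar  3 04:11:11 web1 sshd[2109]: Accepted password for root from 203.0.113.7 port 40131 ssh2
Mar  3 09:30:44 web1 sshd[3050]: Failed password for alice from 198.51.100.20 port 51800 ssh2
Mar  3 09:30:52 web1 sshd[3052]: Accepted password for alice from 198.51.100.20 port 51802 ssh2
""".splitlines()


def detect_bruteforce(lines, threshold=3):
    """Report source IPs with >= threshold failed logins, and logins that followed."""
    failures = defaultdict(int)   # source IP -> failed attempts seen so far
    targets = defaultdict(set)    # source IP -> account names tried
    breached = defaultdict(set)   # source IP -> accounts opened after the threshold
    for line in lines:
        if m := FAILED.search(line):
            user, ip = m.groups()
            failures[ip] += 1
            targets[ip].add(user)
        elif m := ACCEPTED.search(line):
            user, ip = m.groups()
            # A success right after many failures suggests a guessed password.
            if failures.get(ip, 0) >= threshold:
                breached[ip].add(user)
    return {
        ip: {
            "failures": count,
            "targets": sorted(targets[ip]),
            "root_targeted": "root" in targets[ip],
            "success_after_failures": sorted(breached[ip]),
        }
        for ip, count in failures.items()
        if count >= threshold
    }


if __name__ == "__main__":
    for ip, report in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, report)
```

With the default threshold, the single mistyped password from 198.51.100.20 is ignored, while the source that tried root repeatedly and then logged in is reported as a likely compromise.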
A properly managed Linux server that is kept up to date and uses secure passwords is very safe. It’s very unlikely that a hacker will find a chink in the armor of a well-configured system, and that’s part of what makes Linux the ideal server operating system.
In a future article we’ll take a look at Linux server best practices to help server admins ensure that their server stays safe, but, in the meantime, feel free to share your thoughts about Linux security in the comments below.