We've all experienced the real-world equivalent of the phrase, "It's the little things that'll get you." Whether it's fixing our automobiles, debugging software or locking down our networks, it always seems to be those small oversights that either provide the solution or end up getting us into a world of hurt. Linux security is no different. Arguably the biggest (and littlest) problem when it comes to keeping Linux systems under wraps is weak passwords.
Dozens of the security breaches listed on the Privacy Rights Clearinghouse
That said, if a malicious insider or other attacker -- such as someone who's stolen a Linux-based laptop -- gains physical access to the system and thus the /etc/passwd and /etc/shadow files, all bets are off. John the Ripper hashes once thought to be secure are now in the hands of someone with ill-intent. John is especially powerful when run in incremental mode, which tries all character combinations, or when used with a good dictionary such as the BlackKnightList.
Some of the biggest Linux password weakness are Web-related. I've seen numerous situations where poorly-written Web applications, namely Common Gateway Interface (CGI), and misconfigured Apache instances have enabled public access of systems and their passwd file. I haven't been able to access a shadow file in this way, but given all the user accounts on a system, you can imagine the possibilities. At the very least, it gives the bad guys a leg up.
I've also seen situations where administrators configured anonymous File Transfer Protocol (FTP) sharing of entire server drives and forgot about it. No passwords at all is good for the bad guys and not at all good for business.
We're not just talking about "live" systems either. Unauthorized access to tape and disk image backups -- especially old or static backups you've may have put away "just in case" -- opens up an entirely new frontier to root out passwords.
Your best defense is prevention. You must have -- and enforce – a reasonable password policy that not only addresses password complexity but intruder lockout as well, regardless of the purpose or importance of the system. Furthermore, look beyond the OS to find areas with weak points. All it takes is one password weakness in an odd application on a seemingly unimportant system for someone to have a stepping stone into your environment.
Trust but verify. It's a tried and true principle of security and serves as a great eliminator of Linux password weaknesses we might otherwise overlook.
ABOUT THE AUTHOR: Kevin Beaver is an information security consultant, keynote speaker, and expert witness with Atlanta-based Principle Logic, LLC. Kevin specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He is also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at email@example.com.
This was first published in December 2009