While our web site is not a security warning site (we strongly recommend subscribing to your distribution's security mailing list), we feel there are two serious Linux security problems of which you should be aware, even if you don't think your Linux box is a "server".
Both Apache and OpenSSH have had remotely exploitable vulnerabilities reported in the past week.
If you don't know for sure if your Linux box runs Apache or OpenSSH, you are at the greatest risk. We do not have space here to teach you about your package management tool. All we can say is take your system off the Net, learn how to check what you have installed and either remove these packages or upgrade them. Many Linux distributions come with services running "out of the box" and don't tell users about everything that is present. Do not assume that you're not running Apache or OpenSSH unless you know for sure how to check.
Please check your distribution's security page for an upgrade, and either install it now or, if for any reason you cannot upgrade, disconnect your systems running Apache or OpenSSH from the network until you deal with it or hire someone who can.
Do not take our word for it. Never type anything as root because you read it in some e-mail, even an e-mail with a respectable From address. Go to the source you trust for Linux packages.
You probably haven't read about these Apache and OpenSSH security problems on the mainstream news sites or seen them on TV. Nobody's web site is being defaced, and no viruses are spreading because of them. That's because in the world of free software, we fix problems early instead of waiting for them to bite us.
But these security holes will get some of us and show up in the mainstream media, probably starting early next week. Exploits are in the hands of a few people now and will be widespread within days. If these exploits are built into a worm, there will be a massive compromise of Linux systems everywhere very quickly. (An already-built worm that's only waiting for a plugin exploit to arm it could be out soon.)
On Monday morning, a big dumb story will appear in the Mainstream Media about how Open Source Security is Really Lame And Nobody Should Run Linux Ever, along with comments from all the proprietary OS vendors. There will be a screenshot of a defaced web site, or worse. Do you want to smirk at the inaccuracies in the story over your morning coffee, or do you want to spend Monday morning replacing your Linux boxes with something else because it was your web site?
Linux isn't the most secure of the popular OS choices because it's naturally secure; it's secure because we fix things before it's too late. Fix your systems now.
If you don't know how to make security fixes on your Linux systems or do not have permission to do them, remove the systems from the Net until you or someone else can fix them.
Check your distribution's security updates page for new Apache and OpenSSH packages. Install them.
If you're not on your distribution's security mailing list, subscribe now.
If you built Apache and OpenSSH from source, get the new versions and install them. Don't forget to replace the "spare" or "emergency" static sshd you might have running on a high port.
Don Marti is technical editor of Linux Journal.
Special Magazine Offer -- 2 Free Trial Issues!
Receive 2 free trial issues of Linux Journal as well as instant online access to current and past issues. There's NO RISK and NO OBLIGATION to buy. CLICK HERE for offer
Linux Journal: delivering readers the advice and inspiration they need to get the most out of their Linux systems since 1994.
Sorry, offer available in the US only. International orders, click here.
Delicious
Digg
Reddit
Newsvine
TechnoratiSubscribe now!
Recently Popular
| Linux HOWTO: Video Editing Magic with ffmpeg | Jul-23-08 |
| The new business of free radio | Jul-24-08 |
| Why We Must React to ACTA | Jul-24-08 |
| Chapter 16: Ubuntu and Your iPod | Aug-30-06 |
| Boot with GRUB | May-01-01 |
| Review: HP 2133 Mini-Note | Jul-16-08 |
Featured Videos
Non-linear video editing tools are great, but they're not always the best tool for the job. This is where a powerful tool like ffmpeg becomes useful. This tutorial by Elliot Isaacson covers the basics of transcoding video, as well as more advanced tricks like creating animations, screen captures, and slow motion effects.
Shawn Powers reviews the HP Mini-Note portable computer.
Thanks to our sponsor: Silicon Mechanics
Silicon Mechanics is a leading manufacturer of rackmount servers, storage, and high performance computing hardware. The best warranty offerings available are backed by experts dedicated to customer satisfaction.
From the Magazine
August 2008, #172
There's nuttin like a Cool Project to give you some relief from the summer heat, so get out your parka cuz we got a bunch of em. First up is the BUG, not a bug, The BUG. It's got a GPS, camera and more, in a hand-sized package that's user programmable. The BUG does everything. It's both a floor wax and a dessert topping. Get one now. Need a software version of a Swiss Army knife? Take a look at Billix, and don't leave home without it. Then, chew on this one, an X server on a Gumstix device driving an E-Ink display. Need more storage? How about 16 Terabytes? Can do.
And, of course, we have the usual cast of characters: Marcel, Reuven, Dave, Kyle, Doc, plus the new kid on the block Shawn Powers. But it doesn't stop there: build a MythTV box on a budget, build your own GIS system, set up the tools to monitor your enterprise and more. Finally, remember The War of the Worlds? Now you can play too.
