We all know that passwords aren’t a good authentication strategy. We use them because they’re what we know, they’re convenient, and they require next to no setup and management. But, one would think system administrators and Linux experts would understand the limitations of passwords and at least choose long and random passwords. If the recent success of the XOR Botnet is anything to go by, Linux server admins are — at least in many cases — no more careful than the average CMS user when it comes to choosing passwords.
The XOR botnet — first discovered last year — is responsible for DDoS attacks ranging in potency from a few gigabytes per second to enormous floods of data peaking at 150 Gbps. It’s a Linux-based botnet and the mechanism of its propagation is quite simple — brute force attacks against Linux machines’ SSH servers. With a properly chosen password, the likelihood of a successful brute force entry is vanishingly small. That the malware is able to propagate is evidence that many system administrators aren’t doing a good job of password hygiene.
It should be noted that many of the infected machines are routers and other “appliances” running embedded Linux systems, and in those cases the finger wagging should be directed at device manufacturers who think it’s a good idea to ship SSH services with default usernames and passwords. Even so, the success of brute force attacks against Linux servers should give server administrators pause for thought.
According to the Akamai group, which recently issued a report on the XOR botnet:
“A decade ago, Linux was seen as the more secure alternative to Windows environments, which suffered the lion’s share of attacks at the time, and companies increasingly adopted Linux as part of their security-hardening efforts. As the number of Linux environments has grown, the potential opportunity and rewards for criminals has also grown. Attackers will continue to evolve their tactics and tools and security professionals should continue to harden their Linux based systems accordingly.”
One of the ways in which server administrators can improve the security of their servers is to switch away from password-based authentication for SSH. SSH includes a mechanism for key-based authentication that would make compromising servers much harder.
Key-based authentication relies on public key cryptography. SSH users generate a key pair consisting of a public and a private key. The public key is uploaded to the server; the private key is kept on the local machine. When the user attempts to log in, SSH will determine if they have access to the private key. When coupled with the denial of password-based logins, this system makes it practically impossible for an attacker to compromise a server in the way that the XOR botnet propagates.
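As an added example, not taken from the original article or the guide it links to, here is a small POSIX shell audit of the global section of an sshd_config. It applies OpenSSH’s rule that the first occurrence of a keyword wins, so a “PasswordAuthentication no” appended below an earlier “yes” does nothing; the function names and both sample configs are constructed for the example.

```shell
# effective_value FILE KEYWORD DEFAULT: print the effective global value of
# KEYWORD in an sshd_config. Assumes OpenSSH's "Keyword value" form and its
# rule that the FIRST occurrence wins; "Match" blocks are not global.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[ \t]*#/ { next }                       # skip comment lines
        tolower($1) == "match" { exit }           # end of the global section
        tolower($1) == key { print tolower($2); found = 1; exit }  # first wins
        END { if (!found) print tolower(def) }    # unset keyword -> default
    ' "$1"
}

# keys_only FILE: exit 0 when the config permits key-based logins only,
# otherwise print each weak setting and exit 1.
keys_only() {
    rc=0
    pa=$(effective_value "$1" PasswordAuthentication yes)
    pk=$(effective_value "$1" PubkeyAuthentication yes)
    # Keyboard-interactive (PAM) prompts are a second password path. OpenSSH 8.7+
    # names it KbdInteractiveAuthentication, older versions ChallengeResponseAuthentication.
    cr=$(effective_value "$1" ChallengeResponseAuthentication yes)
    kb=$(effective_value "$1" KbdInteractiveAuthentication "$cr")
    [ "$pa" = "no" ]  || { echo "PasswordAuthentication is '$pa', want no"; rc=1; }
    [ "$pk" = "yes" ] || { echo "PubkeyAuthentication is '$pk', want yes"; rc=1; }
    [ "$kb" = "no" ]  || { echo "KbdInteractiveAuthentication is '$kb', want no"; rc=1; }
    return $rc
}

# Constructed sample 1: a common mistake. The "no" line was appended at the
# bottom of the file, but the earlier "yes" line is the one that counts.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
PasswordAuthentication yes
PermitRootLogin yes
PasswordAuthentication no
EOF

# Constructed sample 2: key-based logins only; the Match block is per-user.
HARD_CFG=$(mktemp)
cat > "$HARD_CFG" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
Match User deploy
    PubkeyAuthentication yes
EOF

keys_only "$WEAK_CFG" || echo "weak config rejected (expected)"
keys_only "$HARD_CFG" && echo "hardened config accepted"
```

The check reads a single file; modern installs often pull in /etc/ssh/sshd_config.d/*.conf via Include, and `sshd -T` prints the fully resolved settings the daemon will actually use.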
It’s not completely secure: with a targeted attack against the user’s local machine an attacker might conceivably manage to steal the private key. However, botnets like XOR depend on volume — the attacks are indiscriminate and opportunistic, not targeted. As we’ve said before, in large part security is about increasing the cost to attackers.
For more details, take a look at this excellent guide to key-based SSH authentication, which goes into more detail about how it works and how to implement key-based authentication on Linux servers.