The Honeypot Project has added fuel to the debate over which is more secure, Linux or Microsoft Windows. It found that unpatched Linux systems can be on the Internet for months before being successfully attacked, while Windows systems have been compromised in hours.
The international nonprofit security organization—with members from security companies like Foundstone Inc., Counterpane Internet Security Inc., and SecurityFocus—did not set out to show that Linux is more secure than Windows. Instead, noting a decline in “successful random attacks against Linux-based systems,” the group set out to ask the question, “Why is no one hacking Linux anymore?”
To explore this question, Honeypot Project members set up 12 “honeynets.” A honeynet consists of two or more “honeypots,” systems designed not to do any real work. Instead, their sole purpose is to detect and track any interactions with them, since any such interaction can be assumed to be a probe, scan, or attack. The honeynets were deployed in eight countries (the United States, India, the United Kingdom, Pakistan, Greece, Portugal, Brazil, and Germany) and consisted of a variety of systems accessible from anywhere on the Internet. Data was collected mostly during the latter half of 2004.
The study deployed a total of 24 unpatched Unix honeypots, of which 19 were Linux, primarily Red Hat. (Specifically, there were nine Red Hat 9.0, five Red Hat 7.3, two Fedora Core 1 and one each of Red Hat 7.2, SUSE 7.2, and SUSE 6.3 installations.) The other five systems comprised two running Solaris SPARC 8, two with Solaris SPARC 9, and one with FreeBSD 4.4.
These honeypots were set up as servers with default settings and typical services such as HTTPS (Secure HTTP), FTP, and SMB (Server Message Block), with host-based firewalls that allowed inbound connections to these services. To make the systems more like those found in the real world, insecure or easily guessed passwords were used on several of them.
The honeynets were deliberately set up to be not especially attractive—they were primarily home or small-business networks. Moreover, they were not registered in the DNS or in search engines, so that if the systems were found, it would be by “primarily random or automated means.”
Of the systems, only four Linux (three RH 7.3 and one RH 9.0) and three Solaris honeypots were compromised. Two of the Linux systems were compromised by brute password guessing, not by a specific vulnerability.
The organization did note that these systems were not well known, and that more attractive targets, such as company Web servers, potentially had a shorter life expectancy. But the longevity of the Linux systems in the study “is all the more surprising when compared to vulnerable Windows systems. Data from the Symantec DeepSight Threat Management System indicates a vulnerable Win32 system has life expectancy not measured in months, but merely hours.”
Why the dramatic difference in life expectancy between Linux and Windows systems? The Honeypot Project suggests a number of possible explanations. One is that Linux distributions have become harder to compromise because newer versions have more secure defaults with fewer services enabled, are automatically running firewalls, and so on. Further, no matter which operating system is more secure, the huge installed base of Windows users means those systems are likely to be targeted more often. Still, knowing that it will be months rather than minutes before someone tries to break into our systems is little comfort to us. We believe you should choose the OS that suits your needs, and fortify it to withstand the attacks that will undoubtedly come.
A version of this story was first published in PC Magazine.