Linux is secure…right?


![](http://blog.trendmicro.com/wp-content/uploads/2017/04/Linux_blog_Trend_Micro-300x255.png) **_“There are no threats for Linux servers. Aren’t they built to be secure?”_** **_“Linux servers are secure and hardened, why do we need additional security controls on those?”_** **_“I do understand there are threats out there but I am not aware of any major attacks on Linux servers”_** If you find yourself nodding as you read these statements, you’re not alone. There is a common belief that Linux servers are more secure and less vulnerable than Windows servers. Although there is some truth in the belief, the reality is that Linux servers (and the applications they host) also have vulnerabilities and by ignoring this, you are putting your business at unnecessary risk. **Widespread and increasing use** There was a time not too long ago when Linux was a ‘geek’ OS, the domain of command line management and limited enterprise use. Those days are definitely gone, clearly illustrated by things like Gartner pegging the global OS growth for Linux at 13.5%[1], as well as the prevalence of Linux in the public cloud environment, as demonstrated by the fact that [approximately 90% of workloads in AWS EC2](<http://thecloudmarket.com/stats#/by_platform_definition>) are running some variant of Linux. With such widespread use for sensitive enterprise applications, it’s no small wonder that there is an increasing focus on attacking Linux servers, as evidenced in the recent ransomware attack in South Korea that used a [Linux-focused ransomware attack called Erebus](<https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/erebus-linux-ransomware-impact-to-servers-and-countermeasures>) that impacted the web sites, databases, and multi-media files of 3,400 businesses. **Secure, but still vulnerable** With more and more servers moving beyond the enterprise boundary and into the cloud, network protection at the host-level becomes increasingly important, as workloads need to defend themselves vs. having a perimeter around them. And remember, workloads include the applications that sit on top of Linux…it’s more than just the OS. Having a host-based Intrusion Prevention System (IPS) will help protect against vulnerabilities in core operating system AND the application stack running on top. Great examples of network-accessible vulnerabilities with wide-spread impacts are the recent [Apache Struts-2](<http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-5638-apache-struts-vulnerability-remote-code-execution/>) issue, Heartbleed and Shellshock, but there are many more. And just because a vulnerability, like Heartbleed, is a couple years old doesn’t mean that applications and servers are not still vulnerable. In a recent Shodan survey, it showed that Heartbleed was still an available vulnerability on more than 180,000 servers around the world, with the majority of them in the US! [1] Gartner, “Market Share Analysis: Server Operating Systems, Worldwide, 2016”, ID#G00318388, May 26, 2017 ![](http://blog.trendmicro.com/wp-content/uploads/2017/04/blog-5-1024x656.jpg) If you run a web server on Linux (running on at least 37 percent of the web servers out there according to [W3Techs](<https://w3techs.com/technologies/details/os-linux/all/all>)), you need protection against vulnerabilities affecting them, including Apache, Nginx, etc. ** ** | **Vulnerabilities Covered in and after 2014 (approx.)** | **Before 2014 (approx.)** | **Total** ---|---|---|--- **Non-Windows OS and Core Services** | **80** | **230** | **310** **Web Servers** | **114** | **472** | **586** **Application Servers** | **255** | **319** | **574** **Web Console/Management Interfaces** | **113** | **453** | **566** **Database Servers** | **10** | **218** | **228** **DHCP, FTP, DNS servers** | **9** | **82** | **91** _Table 1: Vulnerabilities Protected by Deep Security_ It is very important to not confuse vulnerabilities with threats. While there may be fewer known threats for Linux, if you look at the National Vulnerability Database, there are a similar number of vulnerabilities reported for both [Linux](<https://nvd.nist.gov/vuln/search/results?adv_search=false&form_type=basic&results_type=overview&search_type=all&query=linux>), and [Windows](<https://nvd.nist.gov/vuln/search/results?adv_search=false&form_type=basic&results_type=overview&search_type=all&query=windows>) operating systems. **Malware, designed for Linux** Contrary to popular belief, there is a lot of malware for the Linux platform. While the numbers in comparison to Microsoft Windows are not quite as high, there are still tens of thousands of pieces of malware designed for Linux, including the [Erebus ransomware](<https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/erebus-linux-ransomware-impact-to-servers-and-countermeasures>) mentioned above. Deploying ONLY anti-malware is inadequate for protecting servers. However, most attacks on datacenters that lead to breach involve the installation of malware as part of the attack chain. This is why compliance and security frameworks such as PCI-DSS (Section #3), SANS CIS Critical Security Controls (Section #8), and NIST Cybersecurity Framework (Section DE.CM-4) all continue to recommend anti-malware as a best practice. **Layered security for Linux workloads** It’s clear that there is no silver bullet when it comes to server security, and that businesses should be using a layered security approach to protect vulnerable Linux workloads. Beyond anti-malware and IPS, there are a number of controls that will help to build a robust Linux strategy: | * Application Control: helps ‘lock down’ the Linux host to prevent any unknown process or script from running. This prevents the malware from running in the first place or attackers from taking advantage of backdoors that it might have placed on the server. * Integrity Monitoring: A new threat is likely to make changes to the system somewhere (ports, protocol changes, files), so it’s important to watch for these. Integrity monitoring helps with monitoring the system for any changes outside of an authorized change window, which tend to be few for typical production workloads. * Log Inspection: Scans log files and provides a continuous monitoring process to help identify threats early in the cycle. Attacks like SQL Injection, command injection, attacks against APIs can be seen in the logs and then action taken. ---|--- | The lesson we learn here is that although Linux is a more secure and reliable operating system option, it’s not your cure-all solution when it comes to security. Like any other OS, some assembly and maintenance is required, and it’s your responsibility to adopt a multi-layered security strategy, including managing regular updates and adding additional security controls to protect the servers AND the applications running on them. To learn more about Linux vulnerabilities and how to protect against them using Trend Micro Deep Security, [read our short research paper here.](<https://www.trendmicro.com/aws/wp-content/uploads/2017/03/Why_Security_for_Linux_Servers_June2017.pdf>)