Free Republic
Browse · Search
General/Chat
Topics · Post Article


Enough with the Linux security FUD
ZDNet ^ | 24 August 2020 | Steven J. Vaughan-Nichols

Posted on 08/26/2020 6:11:46 AM PDT by ShadowAce

Like all operating systems, Linux isn't perfectly secure. Nothing is. As security guru Bruce Schneier said, "Security is a process, not a product." It's just that, generally speaking, Linux is more secure than its competitors. You couldn't tell that from recent headlines, which harp on how insecure Linux is. But, if you take a closer look, you'll find most -- not all, but most -- of these stories are bogus.

For instance, Boothole sounded downright scary. You could get root access on any system! Oh no! Look again. The group which discovered it comes right out and says an attacker needs admin access in order for their exploit to do its dirty work.

Friends, if someone has root access to your system, you already have real trouble. Remember what I said about Linux not being perfect? Here's an example. The initial problem was real, albeit only really dangerous to an already hacked system. But several Linux distributors botched the initial fix so their systems wouldn't boot. That's bad.

Sometimes fixing something in a hurry can make matters worse and that's what happened here.

In another recent case, the FBI and NSA released a security alert about Russian malware, Drovorub. This program uses unsigned Linux kernel modules to attack systems. True, as McAfee CTO Steve Grobman said, "The United States is a target-rich environment for potential cyber-attacks," but is production Linux run by anyone with a clue really in danger from it?

I don't think so.

First, this malware can only work on Linux distributions running the Linux 3.6.x kernel or earlier. Guess what? The Linux 3.6 kernel was released eight years ago.

I suppose if you're still running the obsolete Red Hat Enterprise Linux (RHEL) 6 you might have to worry. Of course, the fix for signing Linux kernel modules has been available for RHEL 6 since 2012. Besides, most people are using Linux distros that are a wee bit newer than that.

In fact, let's make a little list of the top production Linux distros:

- CentOS/RHEL 7 started with kernel 3.10.
- Debian 8 started with kernel 3.16.
- Ubuntu 13.04 started with kernel 3.8.
- SUSE Linux 12.3 started with kernel 3.7.10.

All these years-old distros started life immune to this attack. All recent Linux versions are invulnerable to this malware.

But, wait! There's more. And this is the really annoying bit. Let's say you are still running the no longer supported Ubuntu 12.04, which is theoretically vulnerable. So what? As Red Hat's security team points out, "attackers [must] gain root privileges using another vulnerability before successful installation."

Once more, for Linux to be compromised -- for your system to get a dose of Drovorub -- your system already had to be completely compromised. If an attacker already has root access, you are totally hosed.

Yes, there's a security problem here, but it's not a technical one. In the tech support business we like to call this kind of trouble: Problem Exists Between Keyboard And Chair (PEBKAC). So yes, if you have a complete idiot as a system administrator, you've got real trouble, but you can't blame Linux for it.

Let's look at another example: Doki, a new backdoor trojan. This time around, although described by many as a Linux problem, it's not. It can only successfully attack Linux systems when whoever set up the Docker containers exposed the management interface's application programming interface (API) on the internet.

That's dumb, but dumber still is that for it to get you, your server's firewall must be set to open up port 2375. Here's a lesson from networking security 101: Block all ports except the ones you must have open. And, while you're at it, set your firewall to reject all incoming connections that are not in response to outbound requests. If your administrator hasn't already done this, they're incompetent.

Finally, let's consider the recent sudo command problem. This sudo security vulnerability was real, it's since been patched, but it requires, again, a case of PEBKAC to work. In this case, you had to misconfigure sudo's setup so that any user could theoretically run sudo. Once again, if you already have an insecure system, it can always get worse.

There's a common theme here. The problems often aren't with Linux. The problems are with totally incompetent administrators. And, when I say "totally incompetent," that's exactly what I mean. We're not talking subtle, small mistakes that anyone might make. We're talking fundamental blunders.

Whether you're running Windows Server, Linux, NetBSD, whatever on your mission-critical systems, if you utterly fail at security, it doesn't matter how "secure" your operating system is. It's like leaving your car keys in an unlocked car: your system will be hacked, your car will be stolen.

So, enough with blaming Linux. Let's blame the real problem: Simple system administrator incompetence.


TOPICS: Computers/Internet
KEYWORDS: linux; security
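
A defender-side check for two preconditions the article names, a Docker API listening on port 2375 and a kernel that accepts unsigned modules, as an added example that is not part of the article or the thread. The function names and the sample `ss` lines are constructed for illustration, and the sysfs path assumes a kernel built with module signing support.

```shell
#!/bin/sh
# Added example: audit two of the preconditions the article describes.
# Sample input below is constructed, not captured from a real host.

# Read `ss -Hltn` lines on stdin; print local addresses that expose the
# unencrypted Docker API port (2375) on anything other than loopback.
exposed_docker_api() {
    awk '$1 == "LISTEN" {
        addr = $4
        n = split(addr, parts, ":")
        port = parts[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (port != "2375") next
        if (host ~ /^127\./ || host == "[::1]") next
        print addr
    }'
}

# Report whether the module.sig_enforce parameter tells the kernel to
# refuse unsigned modules. The path is an argument so the function can
# be exercised against a test file; a missing file yields "unknown".
module_sig_state() {
    f=${1:-/sys/module/module/parameters/sig_enforce}
    if [ ! -r "$f" ]; then echo unknown; return 0; fi
    case "$(cat "$f")" in
        Y|1) echo enforced ;;
        *)   echo not-enforced ;;
    esac
}

# Constructed sample of `ss -Hltn` output.
sample_listeners() {
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:2375 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:2375 0.0.0.0:*
LISTEN 0 4096 [::]:2375 [::]:*
LISTEN 0 128 *:80 *:*
EOF
}

# On a live host: ss -Hltn | exposed_docker_api; module_sig_state
sample_listeners | exposed_docker_api
```

A listener reported here still needs the firewall check the article describes: the socket being bound to all interfaces only matters if inbound traffic to port 2375 is allowed through.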
To: Pollard
Here's the left pane of backintime that shows the various restore dates available. Because of the way that the program uses rsync, it uses hardlinks for files that don't change, so it is extraordinarily efficient from a space standpoint. Every single backup is effectively a full backup, so you don't have to hunt for stuff that you might want to restore. This program actually works really well with removable drives. If I had a different drive attached to the same mount point, it would simply show different restore dates.

As you can tell, I'm a big fan of this, because it has saved my rear end on several occasions. Sometimes my fingers are too darned fat!

41 posted on 08/26/2020 1:47:39 PM PDT by zeugma (Stop deluding yourself that America is still a free country.)

To: zeugma

This comes with two: a regular backup program, and also Timeshift. Timeshift, depending on the settings, is for daily, weekly, monthly, or on demand. It does a full image that can be “restored back to” like the Windows restore program does.

But Windows only makes a restoration point when something is installed. Timeshift can be dialed in for how often, as auto and/or when you make any installations. Or on demand when you think you better do it before major changes. It really works well and can be tuned with detail.


42 posted on 08/26/2020 2:16:22 PM PDT by Openurmind (The ultimate test of a moral society is the kind of world it leaves to its children. ~ D. Bonhoeffer)

To: zeugma

Yep, Timeshift is almost exactly the same thing. One or the other is probably rebranded off the other. I am finding out there is a lot of that in the Linux world... :)


43 posted on 08/26/2020 2:19:32 PM PDT by Openurmind (The ultimate test of a moral society is the kind of world it leaves to its children. ~ D. Bonhoeffer)

To: zeugma; dayglored
Do you know of a good primer on systemd? It's a confusing mess to me. I much prefer the clarity of init scripts.

As for the boot speed, I'm not really concerned about that. It could take half an hour to boot, and I wouldn't care since that only happens 3 times in an average year (if that).

dayglored--no worries. I knew it wasn't aimed at me. :)

I actually just researched creating unit files on the web. Some troubleshooting, and notes. :) As far as boot speed goes, it's somewhat of a concern for us as we patch/reboot monthly due to company policy. Also, we have a network monitor that e-mails us when a server is not reachable via ping/ssh. Hence, boot speed during this process is good so we don't get inundated with e-mails.

Also, I have implemented an HPC (small one of only about 64 nodes) that will be heavily used in production. The faster I can get the nodes rebooted (when required) the better. It keeps users off of our backs as well. :)

44 posted on 08/26/2020 2:20:52 PM PDT by ShadowAce (Linux - The Ultimate Windows Service Pack)

To: Openurmind; Blood of Tyrants

“Document Viewer” on Mint is probably the same as on Fedora—It’s actually a program called evince.


45 posted on 08/26/2020 2:22:04 PM PDT by ShadowAce (Linux - The Ultimate Windows Service Pack)

To: zeugma

Already installed Grsync. Will try it sometime. Thanks


46 posted on 08/26/2020 2:22:32 PM PDT by Pollard (whatever)

To: ShadowAce

Probably is, I am seeing that a lot. It’s FOSS, and in the FOSS world they make a couple minor changes and call it something different.


47 posted on 08/26/2020 2:27:27 PM PDT by Openurmind (The ultimate test of a moral society is the kind of world it leaves to its children. ~ D. Bonhoeffer)

To: ShadowAce

Same engine and drive train, just a different GUI paint job... lol


48 posted on 08/26/2020 3:12:06 PM PDT by Openurmind (The ultimate test of a moral society is the kind of world it leaves to its children. ~ D. Bonhoeffer)

To: Openurmind
Yep, Timeshift is almost exactly the same thing. One or the other is probably rebranded off the other. I am finding out there is a lot of that in the Linux world... :)

No doubt. I looked at the timeshift GUI and stuff, and think I actually like it better. However, I've got literally years invested in backintime, so I doubt I'll be switching!

49 posted on 08/26/2020 4:30:38 PM PDT by zeugma (Stop deluding yourself that America is still a free country.)

To: zeugma

I understand and don’t blame you. The GUI is pretty clean though; it looks like just icons and window size difference though.

Like I told Shadowace earlier, a lot of things with Linux are the same source engine and drive train, just a different GUI paint job and badging... lol


50 posted on 08/26/2020 5:05:32 PM PDT by Openurmind (The ultimate test of a moral society is the kind of world it leaves to its children. ~ D. Bonhoeffer)

To: ShadowAce

I really want to like Linux, but it seems that no matter what distro I use, it freezes after using it for a couple of hours. Kind of reminds me of the WinXP days. Tried Manjaro KDE, Mint Cinnamon, Pop OS downloaded KDE, Elementary OS, etc.

I have a Canon Pro 100 and Epson WF 7610 and no distro runs them correctly. So, I keep going back to Windows 10 Pro where I have an OS freeze maybe once a year.


51 posted on 09/20/2020 7:09:21 PM PDT by conservativepoet

To: conservativepoet
I hate to sound like I'm making excuses, but if you are having OS freezes on both Linux (multiple distros) and Windows, then the problem is likely your hardware.

Since I'm running Linux on server-class hardware at work, with uptimes measured in years, I know the OS is stable.

On the other hand, on my 10 year old laptop at home, I also run into the OS freeze issue. I believe that my hardware is not the best, and I will replace it shortly.

My oldest son dual boots Linux (exact same distro and version as me) and Windows and never locks up--but he runs much newer (and better) hardware than I do for his gaming.

52 posted on 09/21/2020 4:39:15 AM PDT by ShadowAce (Linux - The Ultimate Windows Service Pack)

To: ShadowAce

I’m not having freezes on Windows 10. Hardware is just fine.


53 posted on 09/21/2020 12:03:45 PM PDT by conservativepoet

To: conservativepoet
post #51:

So, I keep going back to Windows 10 Pro where I have an OS freeze maybe once a year.

54 posted on 09/21/2020 2:56:36 PM PDT by ShadowAce (Linux - The Ultimate Windows Service Pack)

To: ShadowAce

Once a year is nothing compared to once a day.


55 posted on 09/21/2020 7:00:24 PM PDT by conservativepoet

