Linux Security

I’m a big fan of the Honeynet Project (and a member of their board of directors). They don’t have a security product; they do security research. Basically, they wire computers up with sensors, put them on the Internet, and watch hackers attack them.

They just released a report about the security of Linux:

Recent data from our honeynet sensor grid reveals that the average life expectancy to compromise for an unpatched Linux system has increased from 72 hours to 3 months. This means that a unpatched Linux system with commonly used configurations (such as server builds of RedHat 9.0 or Suse 6.2) have an online mean life expectancy of 3 months before being successfully compromised.

This is much greater than that of Windows systems, which have average life expectancies on the order of a few minutes.

It’s also important to remember that this paper focuses on vulnerable systems. The Honeynet researchers deployed almost 20 vulnerable systems to monitor hacker tactics, and found that no one was hacking the systems. That’s the real story: the hackers aren’t bothering with Linux. Two years ago, a vulnerable Linux system would be hacked in less than three days; now it takes three months.

Why? My guess is a combination of two reasons. One, Linux is that much more secure than Windows. Two, the bad guys are focusing on Windows—more bang for the buck.

See also here and here.

Posted on January 6, 2005 at 1:45 PM18 Comments


Nick January 6, 2005 3:57 PM

Just a request, can you put [PDF] next to PDF links at least, its not nice having acrobat try to embed itself into my aggregator and cause an aggrevating wait.

I wonder though, do you think linux holes would be as significant and frequent as windows currently if you set an equal amount of attackers upon each to find flaws.

Quadro January 6, 2005 6:03 PM

I think this may have more to do with the changing dynamics of the internet than with any software itself. It seems to me that major websites (such as Amazon and Google, as mentioned above) are becoming less vulnerable to direct hacking. I don’t know why this is, but there seem to be less news stories about security compromises at large sites. Therefore, malicious hackers have turned to other methods of disrupting these sites. With the great increase in broadband connections, it may be easiest to simply hijack a network of home computers to run a DDOS attack (or perhaps an open relay to send spam, or any other type of attack that depends only on a connection), especially since home users are less likely to find infections. Since most home users run Windows, those who wish to compromise home computers, a group which I would suppose contains a large number of hackers, target Windows. Anyone who visits GRC ( has probably read about hackers using compromised home Windows systems to launch DDOS attacks, and more interested readers may recall Steve Gibson’s crusade against inclusion of raw sockets in Windows XP. Due to the spread of Windows XP installations, hackers who desire raw socket capability can use Windows systems, eliminating one of the biggest reasons to attack a Linux (or any other *nix) computer. Therefore, it seems obvious that hackers would shift their attacks from Linux to Windows, given the ease of hacking Windows.

Javier Kohen January 6, 2005 6:43 PM

I sure hope that the hackers don’t give up on Linux. I would feel safer knowing that someone was actively testing its security.

Diego January 6, 2005 8:43 PM

Well… testing security of Linux servers won’t stop, as they run Open Source software, and the source code can be examined by anyone, so finding vulnerabilities is much easier than in Windows software.

Anyway, in a few years, there will be no other operating systems than Unix-compatible ones =).

Dirk Wetter January 7, 2005 2:50 AM

You were only citing it, but I somehow doubt they were using Suse 6.2. It’s not a “commonly used configuration” either. This doesn’t shed a good light on the report either, since this distro is 5.5 years old. BTW: What is a “server build of Suse 6.2/RH 9.0″?. Maybe “Suse 6.2” is a typo, reading later in the text it more seems like a textual convolution of Suse 7.2 and Suse 6.3. Which are as rotten old as RH 7.2, 7.3 .

Simon Johnson January 7, 2005 3:01 AM

I think a lot of people are missing the point here. I dont think Bruce is saying linux is fundamentally more secure than Windows.

He’s just commenting on the statistics of the real-world. People simply aren’t breaking into these machines because it isn’t cost effective. I think that’s mighty interesting!

The authors of this study would never claim to make a strong assertion about the security of linux. After all, do we judge the quality of a safe by the amount of time before a random attacker decides to break in to it? I think not.


Dirk Wetter January 7, 2005 3:27 AM

One shouldn’t combine results of this research with those of others, because the circumstances might not be exactly the same. A scientist wouldn’t do a comparison like this. Instead a deployment of windows systems would be needed to draw a good conclusion. In fact (2nd paragraph) it seems the honeynet project did this somehow, but are not presenting the data. Not being a windows fan and looking at a portscan data I gathered, I doubt somehow that RH 7.[23] has this dramatic difference in life expectancy you conclude (minutes vs. months), compared to a Win32 system also just sitting around.

Brian Parsons January 7, 2005 9:21 AM

Could a contributing factor be that holes in linux systems are more readily fixed – in part because the security fixes come from multiple sources and not one (Microsoft)?

The typical linux user is probably more attune to malware running on the system and faster to detect it as well. This isn’t a slam on Windows users – it is more an observation that the Windows OS obfuscates system processes from the user more so than linux and malware can run undetected for longer periods of time.

Andrew January 7, 2005 10:07 AM

This study also does not go into detail about how the Windows systems were setup vs the Linux ones.

While I am sure the majority of automated scanning is trying to go after Windows, since most Windows users (read – Consumers) are negligent about patching until XP SP2 (which turns autoupdate on), as an ealier reader said that is not an indication of the quality of the OS.

It is more of an indication of the threat level presented to each OS.

Also, it would be interesting to compare Windows 2003 to RH Enterprise, with both in an unpatched, but locked down state.

I would wager both would hold up nicely.

The thing I do not like about these articles / studies is they are clearly biased and have an anti-MS agenda, instead of doing a true scientific analysis.

IMHO they would conclude that while Linux DOES have more remote, root-level access vulns (check out secunia if you don’t believe me) than Windows 2003, Linux admins are more viligilant about installing only the services and apps they need and locking down their systems. They would find Windows admins need to learn from their Linux comprades about this practice, while the Linux zealots should not be so sure of themselves and continue to not patch their systems with the latest kernel vuln that comes out about once a month…

Tasuki Yamamoto January 7, 2005 1:40 PM

Replying to Quadro: raw sockets have, for all practical purposes, been removed from Windows XP as of Service Pack 2. In particular, it is not possible to transmit TCP data over a raw socket. To quote Microsoft:

“We have removed support for TCP sends over RAW sockets in SP2. We surveyed applications and found the only apps using this on XP were people writing attack tools.”

Cypherpunk January 7, 2005 3:18 PM

How about an out of the box Windows machine running XP SP2 (I assume they are shipping with that by now)? Just turn it on and put it on the net, don’t use it. Will it be compromised, and how fast?

Phil January 10, 2005 8:06 AM

Cypherpunk: “How about an out of the box Windows machine running XP SP2 (I assume they are shipping with that by now)?”

I just got a brand new HP laptop after Christmas. Although the system restore CD says it contains XP SP2, the hard drive shipped inside the system only had SP1 installed. It would appear that HP may be moving towards having SP2 installed by default, but they haven’t quite got there yet.

Clive Robinson January 10, 2005 8:50 AM

Just a thought,

Maybe the majority of visable attacks these days are by Script Kiddies or their equivalent.

As the majority of these use Windows of some vintage, the chances are that the scripts they run are going to be focused on that area.

I think what we need to see is a break down of the types of attack normalised against earlier stats to give more meaningfull trends.

After all I would be less worried by an increase in script kiddy activites (for which patches are usually available) than I would be for zero day attacks (for which patches are generally not available).

plucas January 10, 2005 2:28 PM

Well… testing security of Linux
servers won’t stop, as they run Open
Source software, and the source code can
be examined by anyone, so finding
vulnerabilities is much easier than in
Windows software.

Security vs obscurity. You read his blog, might want to check out his books, too. Unless you’re joking around.

Tony January 11, 2005 7:58 AM

Unpopularity of Linux doesn’t explain why the time has gone from 72 hours to 3 months. Linux was just as much a minority then as it is now. Maybe I’m missing something.

Can anyone explain to me why Linux is less sexy recently to hack? Otherwise, I’m just going to assume its security really is better.

Davi Ottenheimer January 20, 2005 12:02 AM

Well, this might help clarify the issue:,1294,66022,00.html

“According to a four-year analysis of the 5.7 million lines of Linux source code conducted by five Stanford University computer science researchers, the Linux kernel programming code is better and more secure than the programming code of most proprietary software.”

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.