[CentOS] compilers a security risk?

nate centos at linuxpowered.net
Sun Mar 7 15:35:43 UTC 2010


Geoff Galitz wrote:

> Making the bar higher, even in little increments, is a basic tenet of
> systems security.  Never dismiss the power of baby steps.

Keep in mind diminishing returns with those baby steps. Of the
~500-600 systems I've worked on over the past 10 years the only ones
that were confirmed to be compromised were ones that were placed directly
on the internet (not by me), and weren't kept up to date with patches.
I think I worked on 3 such systems.

- keep up to date on patches
- if on the internet, lock ssh down to ssh key auth only, try to
  run a tight firewall on other ports.
- don't allow untrusted local accounts
- Run only well tested programs (especially when it comes to webapps) with
  a good track record wherever possible
- If at all possible do not put any server directly on the internet
  (98% of my systems reside behind load balancers, which is a form
   of firewall since only ports that are specifically opened are
   allowed through)

To date I haven't needed things like NIDS/HIDS (too many false
positives), or things like SELinux (PITA). After this long, and so
many systems I don't think luck plays a big role at this point. The
servers I manage for my employer receive roughly 2 billion web hits
per day.

If you can manage those things, the chance of being compromised is
practically zero, barring some remote evil organization that has
bad guys specifically out to get you.

nate
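The "lock ssh down to ssh key auth only" step in the list above is the one people most often believe they have done when they have not, because a commented-out line or a duplicate keyword silently leaves the OpenSSH default (passwords on) in force. The script below, added here as an illustration and not part of nate's post, audits an sshd_config the way sshd reads it: first occurrence of a keyword wins, keywords are case-insensitive, and only the global section before the first Match block is considered. The two sample config files are constructed for the example; the function names `sshd_opt` and `check_sshd_config` are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# "key auth only" lockdown. Sample configs below are constructed for this demo.

# Print the effective value of an sshd_config keyword, lower-cased, or the
# supplied default when the keyword is absent. Mirrors how sshd reads the
# file: first occurrence wins, keyword match is case-insensitive, "Key = value"
# is allowed, and the global section ends at the first Match block.
#   $1 = config file   $2 = keyword   $3 = OpenSSH default when the line is missing
sshd_opt() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    val=$(awk -v key="$key" '
        /^[[:space:]]*(#|$)/   { next }          # comment or blank line
        tolower($1) == "match" { exit }          # conditional section: stop
        { sub(/=/, " "); if (tolower($1) == key) { print tolower($2); exit } }
    ' "$1")
    printf '%s' "${val:-$3}"
}

# Report every setting that still lets a password reach the daemon.
# Exit status 0 = hardened, 1 = at least one finding printed.
check_sshd_config() {
    cfg=$1 rc=0
    # $1=keyword $2=required value $3=OpenSSH default if absent $4=why it matters
    expect() {
        v=$(sshd_opt "$cfg" "$1" "$3")
        [ "$v" = "$2" ] || { echo "FAIL $1=$v (want $2): $4"; rc=1; }
    }
    # PasswordAuthentication and ChallengeResponseAuthentication default to
    # yes, so a missing or commented-out line is itself a finding.
    expect PasswordAuthentication no yes "password logins can be brute-forced"
    expect ChallengeResponseAuthentication no yes "PAM keyboard-interactive still prompts for a password"
    expect PubkeyAuthentication yes yes "keys must stay enabled or you lock yourself out"
    expect PermitEmptyPasswords no no "empty passwords must never be accepted"
    # root is the username every brute-forcer tries first; "no" or key-only
    # ("without-password", later spelled "prohibit-password") are both fine.
    v=$(sshd_opt "$cfg" PermitRootLogin yes)
    case $v in
        no|without-password|prohibit-password) ;;
        *) echo "FAIL PermitRootLogin=$v: root must not be able to log in with a password"; rc=1 ;;
    esac
    return $rc
}

# --- constructed sample configs -------------------------------------------
WEAK_CONF=$(mktemp); HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT

# Looks locked down at a glance, but the only password line is commented out,
# so the default (passwords allowed) applies, and root may log in with one.
cat > "$WEAK_CONF" <<'EOF'
Port 22
Protocol 2
#PasswordAuthentication no
PermitRootLogin yes
UsePAM yes
EOF

# Key-only config. The later duplicate PasswordAuthentication line is ignored
# by sshd (first occurrence wins), so it does not weaken anything.
cat > "$HARD_CONF" <<'EOF'
Protocol 2
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin without-password
PermitEmptyPasswords no
PasswordAuthentication yes
EOF

echo "== weak config"; check_sshd_config "$WEAK_CONF" || echo "-> not hardened"
echo "== hardened config"; check_sshd_config "$HARD_CONF" && echo "-> key auth only"
```

Point it at `/etc/ssh/sshd_config` on the host being reviewed. It checks the file, not the running daemon, so after editing run `sshd -t` to validate the syntax, restart sshd, and keep your existing session open while you confirm a fresh key login works, otherwise the lockout is yours. Settings inside Match blocks are deliberately skipped here; if the file has any, read them by hand, since a `Match Address` block is exactly where someone re-enables passwords "just for the office".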