[CentOS] what percent of time are there unpatched exploits against default config?

Ned Slider ned at unixmail.co.uk
Thu Dec 29 16:47:43 UTC 2011


On 29/12/11 03:38, Craig White wrote:
> On Wed, 2011-12-28 at 00:40 -0700, Bennett Haselton wrote:
>> On Tue, Dec 27, 2011 at 10:17 PM, Rilindo Foster<rilindo at me.com>  wrote:
>
>>> What was the nature of the break-in, if I may ask?
>>>
>>
>> I don't know how they did it, only that the hosting company had to take the
>> server offline because they said it was sending a DOS attack to a remote
>> host and using huge amounts of bandwidth in the process.  The top priority
>> was to get the machine back online so they reformatted it and re-connected
>> it, so there are no longer any logs showing what might have happened.
>> (Although of course once the server is compromised, presumably the logs can
>> be rewritten to say anything anyway.)
> ----
> the top priority was to get the machine back online?
>
> Seems to me that you threw away the only opportunity to find out what
> you did wrong and to correct that so it doesn't happen again. You are
> left to endlessly suffer the endless possibilities and the extreme
> likelihood that it will happen again.
>


I'm with Craig on this, you need to re-evaluate your priorities.

Top priority is to ensure it doesn't happen again. In order to achieve 
the top priority it is important to understand what happened and how it 
happened. If you don't understand that, how do you expect to possibly 
prevent it happening again?

The "problem" is that your security was flawed - that is what you need 
to fix. A symptom of the problem was the DoS attack. That will only ever 
be fixed by addressing the problem that caused it. You have confused the 
symptom with the problem.

A symptom of the DoS attack was excessively high bandwidth usage and 
that is probably why your host intervened - they probably don't care 
your server was hacked and they probably don't care you are DoSing 
someone else - all they care about is you're using too much of their 
bandwidth. That all sounds to me like you need to choose another more 
responsible hosting provider.

Last priority is getting the server back online after you have fixed the 
problem.

Case in point - earlier this year kernel.org had a break-in. Did they a) 
make it top priority to get kernel.org back online as quickly as 
possible, or b) take the time necessary to fully investigate the 
incident and put in place procedures so as to prevent it happening 
again? I'll give you a clue - the website was offline for well over a 
month.

Let's consider an analogy, the regular highway vs the information 
superhighway. Are you allowed to run a vehicle on the highway that isn't 
fit for purpose? No, because it endangers others. But you expect to be 
able to put a server on the information superhighway that isn't fit for 
purpose and expect no repercussions.

If I were a large (rich) corporation and I experienced a DoS attack of 
the nature your server participated in I would sue you for damages, and 
my job would be made significantly easier if I could demonstrate wilful 
neglect on your part to take even the most rudimentary steps to ensure 
your server was fit for purpose and not a danger to others. Sooner or 
later someone big will sue someone little for this kind of neglect and 
the whole game will change. Do you have the funds to defend such an 
action? Until then security will continue to remain as an afterthought 
and/or inconvenience.

Your wilful neglect makes you complicit and puts me at risk as we both 
share the same Internet. Ignorance is no defence in law. Act responsibly 
or get off the net. You may find this harsh but next time it might be my 
servers on the other end of your DoS attack.

Disclaimer: my rant is aimed as much towards the thousands of others out 
there that would no doubt have done exactly as you did, as it is 
directly at you, so please don't take it as a personal attack of your 
actions as it is not intended as such.
