On Thu, July 20, 2017 8:07 am, Peter Larsen wrote:
> On 07/16/2017 12:30 PM, Andreas Benzler wrote:
>> - The firewall is placed in front of the cluster.
>> - After you have found a safe base for this, you freeze it.
>
> Sorry, but this statement really irks me in a wrong way. Why do you think a firewall is the ONLY part that needs to provide security? That's the way I read this statement - that it doesn't matter anywhere else. In addition, the majority of attacks and compromises come from INSIDE the firewall - i.e. the "wannacry" and similar attacks are all distributed via email, executed on a local workstation, and it propagates from there - your external firewall is not even hit before your servers/cluster are scanned.
I will second that. I personally run servers under the assumption that bad guys are already inside. That doesn't negate other measures such as a firewall, brute force attack protection, etc. But I've seen bad guys attempting to elevate privileges (unsuccessfully) twice during the last decade and a half. Both times I thanked myself for taking appropriate security measures.

I am really unimpressed how Microsoft's misconception of a "safe internal network" became widely spread over the allegedly much more intelligent community which the Linux community is (or should be). There is nothing safe on the network for me if:

1. there is at least one computer on this network which is installed and maintained not by me (assuming all machines I maintain are secured appropriately, including here sysadmins who do the same)
2. there is at least one user except for me (and my mate sysadmins who are as security aware as hopefully I am)

In other words: if you are a sysadmin, paranoia is one of the words in your job description. I really find it difficult to have people take it to their hearts (except sysadmins who _had_ an incident, and had to sweep up after that, and had to tell their users that the machine/cluster he administers was hacked and why).

I hope this helps someone.
Valeri
> Another aspect here is all the other stuff outside the kernel. Even if you do "yum update" frequently, if you don't restart, there are several daemons and features of your system that don't get patched - the code is in memory and changing the disk has no effect at all.
>
> Bottom line is, I would not be proud of triple digit single server uptimes. It simply tells me I can find lots of ways in - not that you're running a rock solid setup.
>
> --
> Regards,
> Peter Larsen
>
> CentOS mailing list
> CentOS@centos.org
> https://lists.centos.org/mailman/listinfo/centos
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
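Peter's point about updated packages not taking effect in already-running daemons can be checked directly: on Linux the kernel marks a memory mapping whose backing file was replaced or removed as "(deleted)" in /proc/<pid>/maps, so a long-running process still executing a pre-update copy of a library shows up there. The script below is an added example written for this thread, not code posted by any of its participants; it assumes the standard Linux /proc layout, and the sample maps lines embedded in it are constructed for illustration. (On CentOS the maintained tool for the same question is `needs-restarting` from yum-utils; this script only shows the mechanism behind such a check.)

```python
import os
import re
from typing import Dict, List

# Constructed sample of /proc/<pid>/maps lines. The "(deleted)" suffix is what
# the kernel appends when the mapped file has been replaced or removed on disk,
# e.g. a shared library overwritten by "yum update" while the process still runs
# the old copy from memory.
SAMPLE_MAPS = """\
7f3a1c000000-7f3a1c1c0000 r-xp 00000000 fd:00 1234 /usr/lib64/libc-2.17.so (deleted)
7f3a1c1c0000-7f3a1c3c0000 ---p 001c0000 fd:00 1234 /usr/lib64/libc-2.17.so (deleted)
7f3a1c400000-7f3a1c410000 r-xp 00000000 fd:00 5678 /usr/lib64/libz.so.1.2.7
7f3a1c500000-7f3a1c501000 rw-p 00000000 00:00 0 [heap]
7f3a1c600000-7f3a1c601000 rw-p 00000000 00:05 99 /dev/zero (deleted)
"""

# maps format: address perms offset dev inode pathname; only file-backed
# mappings whose pathname ends in " (deleted)" are of interest here.
DELETED_RE = re.compile(
    r"^\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(?P<path>/.+?) \(deleted\)$"
)


def stale_mappings(maps_text: str) -> List[str]:
    """Return distinct on-disk file paths that a process maps but that no
    longer exist (or were replaced) on disk, in order of first appearance."""
    found: List[str] = []
    for line in maps_text.splitlines():
        m = DELETED_RE.match(line.rstrip())
        if not m:
            continue
        path = m.group("path")
        # Deleted mappings under /dev, memfd or SysV shared memory are normal
        # (tmpfs-backed anonymous memory), not evidence of an unapplied update.
        if path.startswith(("/dev/", "/memfd:", "/SYSV")):
            continue
        if path not in found:
            found.append(path)
    return found


def scan_processes(proc_root: str = "/proc") -> Dict[int, List[str]]:
    """Walk proc_root and report, per PID, the stale file mappings found.
    Reading another user's maps needs root; unreadable or vanished processes
    are skipped rather than treated as an error."""
    report: Dict[int, List[str]] = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps"), "r") as fh:
                stale = stale_mappings(fh.read())
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue
        if stale:
            report[int(entry)] = stale
    return report


if __name__ == "__main__":
    # Parse the constructed sample first, then the live system (Linux only).
    print("sample:", stale_mappings(SAMPLE_MAPS))
    for pid, paths in sorted(scan_processes().items()):
        print(f"pid {pid} still maps deleted files: {', '.join(paths)}")
```

A non-empty result for a PID means that process is still running code or data from a file that has since been replaced; restarting that service (or rebooting, when the stale mapping belongs to init, the kernel's own modules, or libc used by everything) is what actually applies the update. The filter on /dev, memfd and SysV paths keeps ordinary shared-memory mappings out of the report; anything else that shows as deleted is worth a look.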