On Tue, Dec 27, 2011 at 8:33 PM, Gilbert Sebenste <sebenste at weather.admin.niu.edu> wrote:

> On Tue, 27 Dec 2011, Bennett Haselton wrote:
>
> > Suppose I have a CentOS 5.7 machine running the default Apache with no
> > extra modules enabled, and with the "yum-updatesd" service running to pull
> > down and install updates as soon as they become available from the
> > repository.
> >
> > So the machine can still be broken into, if there is an unpatched exploit
> > released in the wild, in the window of time before a patch is released for
> > that update.
> >
> > Roughly what percent of the time is there such an unpatched exploit in the
> > wild, so that the machine can be hacked by someone keeping up with the
> > exploits? 5%? 50%? 95%?
>
> There's no way to give you an exact number, but let me put it this way:
>
> If you've disabled as much as you can (which by default, most stuff is
> disabled, so that's good), and you restart Apache after each update,
> your chances of being broken into are better by things like SSH brute
> force attacks. There's always a chance someone will get in, but when you
> look at the security hole history of Apache, particularly over the past
> few years, there have been numerous CVE's, but workarounds and they aren't
> usually earth-shattering. Very few of them have. The latest version that
> ships with 5.7 is as secure as they come. If it wasn't, most web sites
> on the Internet would be hacked by now, as most run Apache

I was asking because I had a server that did get broken into, despite having yum-updatesd running and a strong password. He said that even if you apply all latest updates automatically, there were still windows of time where an exploit in the wild could be used to break into a machine; in particular he said:

"For example, there was a while back ( ~march ) a kernel exploit that affected CentOS / RHEL. The patch came after 1-2 weeks of the security announcement. The initial announcement provided a simple work around until the new version is released."

Was this a sufficiently high-profile incident that you know what he's referring to? If this kind of thing happens once a year or more, then surely this is a much greater threat than "brute forcing the SSH password"? That's what I'm talking about -- how often does this sort of thing happen, where you need to be subscribed to a security mailing list in order to know what workaround to make to stay safe, as opposed to simply running yum-updatesd to install latest patches automatically.

Bennett
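One practical gap the thread touches on but does not show how to check: yum-updatesd installing a new httpd or kernel package closes nothing until the running process is restarted (hence Gilbert's "restart Apache after each update"). The script below is an added example, not code from this thread or from CentOS; it is in the spirit of the needs-restarting tool from yum-utils, but written from scratch here. It assumes a Linux host with the usual /proc layout: field 22 of /proc/<pid>/stat is the process start time in clock ticks since boot, and the "btime" line of /proc/stat is the boot time in epoch seconds. A process whose start time predates the modification time of an updated binary or library is still running the pre-update code, whatever yum's own log says.

```python
import os
import sys


def process_start_time(pid: int) -> float:
    """Wall-clock start time of process `pid` (epoch seconds), read from /proc.

    Assumes the Linux /proc layout: /proc/<pid>/stat field 22 is the start
    time in clock ticks since boot, and /proc/stat's "btime" line is the boot
    time in whole epoch seconds (so the result is accurate to about a second).
    """
    with open(f"/proc/{pid}/stat") as fh:
        stat = fh.read()
    # Field 2 (comm) is parenthesised and may itself contain spaces, so split
    # after the last ')' rather than on whitespace; what remains starts at field 3.
    fields = stat[stat.rindex(")") + 2:].split()
    starttime_ticks = int(fields[22 - 3])
    with open("/proc/stat") as fh:
        boot_time = next(int(line.split()[1]) for line in fh if line.startswith("btime "))
    return boot_time + starttime_ticks / os.sysconf("SC_CLK_TCK")


def runs_stale_binary(pid: int, path: str) -> bool:
    """True if `path` was modified after process `pid` started, i.e. the
    process is still executing the code that was on disk before the update."""
    return os.stat(path).st_mtime > process_start_time(pid)


def stale_processes(paths, pids=None):
    """Map pid -> list of updated files that predate that process's start.

    `paths` are the files a package update replaced (take the real list from
    the package manager's transaction log; the caller supplies them here).
    With pids=None every numeric entry of /proc is scanned; processes that
    exit mid-scan or are not readable by this user are skipped.
    """
    mtimes = {p: os.stat(p).st_mtime for p in paths}  # fails loudly on a bad path
    if pids is None:
        pids = [int(d) for d in os.listdir("/proc") if d.isdigit()]
    report = {}
    for pid in pids:
        try:
            started = process_start_time(pid)
        except (FileNotFoundError, ProcessLookupError, PermissionError):
            continue  # process already gone, or not ours to inspect
        stale = [p for p in paths if mtimes[p] > started]
        if stale:
            report[pid] = stale
    return report


if __name__ == "__main__":
    # Example invocation after an update (paths are whatever the update replaced):
    #   python3 stale_check.py /usr/sbin/httpd /usr/lib64/libssl.so.0.9.8e
    for pid, files in sorted(stale_processes(sys.argv[1:]).items()):
        print(f"pid {pid} started before update of: {', '.join(files)}")
```

Run it as root right after an automatic update, passing the files the transaction replaced; any pid it lists is a service that must be restarted (or, for a kernel update, a host that must be rebooted) before the update actually protects anything. It deliberately reads only /proc and file timestamps, so it works on a minimal CentOS install with no extra packages.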