On Dec 27, 2011, at 11:29 PM, Bennett Haselton <bennett at peacefire.org> wrote:

> On Tue, Dec 27, 2011 at 8:33 PM, Gilbert Sebenste <
> sebenste at weather.admin.niu.edu> wrote:
>
>> On Tue, 27 Dec 2011, Bennett Haselton wrote:
>>
>>> Suppose I have a CentOS 5.7 machine running the default Apache with no
>>> extra modules enabled, and with the "yum-updatesd" service running to pull
>>> down and install updates as soon as they become available from the
>>> repository.
>>>
>>> So the machine can still be broken into, if there is an unpatched exploit
>>> released in the wild, in the window of time before a patch is released for
>>> that update.
>>>
>>> Roughly what percent of the time is there such an unpatched exploit in the
>>> wild, so that the machine can be hacked by someone keeping up with the
>>> exploits? 5%? 50%? 95%?
>>
>> There's no way to give you an exact number, but let me put it this way:
>>
>> If you've disabled as much as you can (which by default, most stuff is
>> disabled, so that's good), and you restart Apache after each update,
>> your chances of being broken into are better by things like SSH brute
>> force attacks. There's always a chance someone will get in, but when you
>> look at the security hole history of Apache, particularly over the past
>> few years, there have been numerous CVEs, but workarounds, and they aren't
>> usually earth-shattering. Very few of them have. The latest version that
>> ships with 5.7 is as secure as they come. If it wasn't, most web sites
>> on the Internet would be hacked by now, as most run Apache.
>
> I was asking because I had a server that did get broken into, despite
> having yum-updatesd running and a strong password. He said that even if
> you apply all latest updates automatically, there were still windows of
> time where an exploit in the wild could be used to break into a machine; in
> particular he said:
>
> "For example, there was a while back ( ~march ) a kernel exploit that
> affected CentOS / RHEL. The patch came after 1-2 weeks of the security
> announcement. The initial announcement provided a simple workaround until
> the new version is released."
>

What was the nature of the break-in, if I may ask? Security is more than just updates and a strong password.

- Rilindo Foster
http://monzell.com
http://www.linkedin.com/pub/rilindo-foster/2/b32/43b
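Gilbert's point about restarting Apache after each update can be checked rather than assumed: a running process keeps executing the old, pre-update code until it is restarted, and the kernel marks such replaced files as "(deleted)" in /proc/<pid>/maps. The Python below is an added example, not code from this thread; the httpd maps listing it parses is constructed, and the live scan assumes a Linux /proc.

```python
import glob
import os

# Pseudo-files the kernel also marks "(deleted)" that are not package updates.
_IGNORE_PREFIXES = ("/dev/", "/memfd:", "/SYSV", "/run/", "/tmp/", "/var/tmp/")

def stale_mappings(maps_text):
    """Parse one /proc/<pid>/maps listing; return the sorted on-disk files that
    were mapped and have since been replaced (kernel appends " (deleted)")."""
    stale = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)      # addr perms offset dev inode [path]
        if len(fields) < 6:
            continue                      # anonymous mapping, no path
        path = fields[5].strip()
        if not path.endswith(" (deleted)"):
            continue
        path = path[: -len(" (deleted)")]
        if path.startswith("/") and not path.startswith(_IGNORE_PREFIXES):
            stale.add(path)
    return sorted(stale)

def scan_running_processes(proc_root="/proc"):
    """Walk a live /proc and return {pid: (name, [stale paths])} for every
    process still executing replaced code; unreadable ones are skipped."""
    report = {}
    for maps_path in glob.glob(os.path.join(proc_root, "[0-9]*", "maps")):
        pid_dir = os.path.dirname(maps_path)
        try:
            with open(maps_path) as f:
                stale = stale_mappings(f.read())
            with open(os.path.join(pid_dir, "status")) as f:
                name = f.readline().split(":", 1)[1].strip()   # "Name:\thttpd"
        except (OSError, IndexError):
            continue
        if stale:
            report[os.path.basename(pid_dir)] = (name, stale)
    return report

# Constructed sample: an httpd worker started before a yum update replaced
# libssl; the anonymous, /dev/zero and [stack] lines are normal and must not match.
SAMPLE_HTTPD_MAPS = """\
00400000-004a0000 r-xp 00000000 fd:00 131073 /usr/sbin/httpd
7f0b1c000000-7f0b1c1c5000 r-xp 00000000 fd:00 262144 /usr/lib64/libssl.so.10 (deleted)
7f0b1c1c5000-7f0b1c3c5000 ---p 001c5000 fd:00 262144 /usr/lib64/libssl.so.10 (deleted)
7f0b1c400000-7f0b1c421000 rw-p 00000000 00:00 0
7f0b1c500000-7f0b1c501000 rw-s 00000000 00:05 4026 /dev/zero (deleted)
7fffa1d00000-7fffa1d21000 rw-p 00000000 00:00 0 [stack]
"""
```

On a live host, `scan_running_processes()` (run as root to see every user's processes) returns the PIDs that still need a restart after yum-updatesd has installed new packages.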