On 12/27/2011 11:01 PM, Bennett Haselton wrote:
> Yeah I know that most break-ins do happen using third-party web apps;
> fortunately the servers I'm running don't have or need any of those.
>
> But then what about what my friend said:
> "For example, there was a while back ( ~march ) a kernel exploit that
> affected CentOS / RHEL. The patch came after 1-2 weeks of the security
> announcement. The initial announcement provided a simple workaround
> until the new version is released."
> Is that an extremely rare freak occurrence? Or are you just saying it's
> rare *compared* to break-ins using web apps? Or am I misunderstanding what
> my friend was referring to in the above paragraph?
>

There have been NO critical kernel updates. A critical update is one where
someone can remotely execute items as the root user. Almost all critical
updates are Firefox, Thunderbird, telnetd (does anyone still allow telnet?),
or samba (never expose that directly to the internet either :D).

There was one critical issue on CentOS-5.x for exim:

http://rhn.redhat.com/errata/RHSA-2010-0970.html

All the other issues (non-critical) will require the user to get a "user
shell" and then elevate their privileges some way.

================================================
If you want to know what the different classifications mean:

https://access.redhat.com/security/updates/classification/
================================================
If you want objective numbers for security exploits, here is some info for
RHEL:

http://www.redhat.com/security/data/metrics/

and

http://www.awe.com/mark/blog/tags/metrics
===============================================
If you want to search for a specific CVE:

https://www.redhat.com/security/data/cve/
===============================================
CentOS is currently completely updated with all released updates for
CentOS-4.9, CentOS-5.7, and CentOS-6.2.
We also provide a CR repository for "Point Release" transitions (though we
will not always use the CR repo if we can get the point release out within
2-3 weeks). Here is info on the CR repository:

http://wiki.centos.org/AdditionalResources/Repositories/CR

=============================================
Long-winded discussions on the list about people's opinions concerning
security might help you make decisions on the best practices for setting up
your server (do not allow ssh logins by password, limit logins by IP
addresses (or at least block problem subnets), disable root logins directly,
try to use SELinux for your web apps, etc.) ... but really, each install is
unique. A google search will provide many suggestions for best security
practices; here is what upstream recommends:

http://www.centos.org/docs/5/html/Deployment_Guide-en-US/pt-security.html

The bottom line is, a default installation requires hardening. The amount of
hardening needed depends on each individual install and its requirements.
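The sshd points in the reply above (no password logins, no direct root login, logins limited by source address) can be checked mechanically. The following is an added example and is not part of the list post or of any CentOS tooling: a POSIX shell audit of an sshd_config text. It honours two sshd parsing rules that trip people up, namely that the first occurrence of a keyword wins and that settings inside a "Match" block apply only conditionally, and it flags ChallengeResponseAuthentication as well, because with UsePAM a keyboard-interactive password prompt survives "PasswordAuthentication no". The sample configs are constructed, and the defaults assumed for unset keywords (PasswordAuthentication yes, PermitRootLogin yes, ChallengeResponseAuthentication yes) are those of the OpenSSH versions CentOS 5 and 6 shipped. SELinux is out of scope here.

```shell
#!/bin/sh
# Added example, not from the list post: audit sshd_config text for the
# points the reply names. The config is passed as a string argument so the
# script runs without touching the real /etc/ssh/sshd_config.
# Assumed defaults when a keyword is unset (OpenSSH as on CentOS 5/6):
# PasswordAuthentication yes, PermitRootLogin yes,
# ChallengeResponseAuthentication yes.

# sshd_effective CONFIG KEYWORD
# Prints the globally effective value of KEYWORD. sshd uses the FIRST
# occurrence of a keyword, matches keywords case-insensitively, and lines
# inside a "Match" block apply only conditionally, so they are skipped.
sshd_effective() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { k = tolower($1) }
        k == "match" { inmatch = 1; next }
        inmatch      { next }
        k == key     { print $2; exit }
    '
}

# sshd_allowusers_restricts_hosts CONFIG
# Succeeds if a global AllowUsers entry carries a user@host pattern,
# i.e. sshd itself limits logins by source address.
sshd_allowusers_restricts_hosts() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match" { inmatch = 1; next }
        inmatch                { next }
        tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) if ($i ~ /@/) found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# sshd_audit CONFIG
# Prints one "WEAK: ..." line per finding; always exits 0 so it can be
# piped or counted under set -e.
sshd_audit() {
    cfg="$1"
    v=$(sshd_effective "$cfg" PasswordAuthentication | tr 'A-Z' 'a-z')
    if [ "$v" != "no" ]; then
        echo "WEAK: PasswordAuthentication is '${v:-unset}' (default yes); set 'no' and use keys"
    fi
    v=$(sshd_effective "$cfg" ChallengeResponseAuthentication | tr 'A-Z' 'a-z')
    if [ "$v" != "no" ]; then
        echo "WEAK: ChallengeResponseAuthentication is '${v:-unset}' (default yes); with UsePAM this still prompts for passwords"
    fi
    v=$(sshd_effective "$cfg" PermitRootLogin | tr 'A-Z' 'a-z')
    if [ "$v" != "no" ]; then
        echo "WEAK: PermitRootLogin is '${v:-unset}' (default yes); set 'no', log in as a user and escalate"
    fi
    if ! sshd_allowusers_restricts_hosts "$cfg"; then
        echo "WEAK: no AllowUsers user@host restriction; limit source addresses here or in the firewall"
    fi
    return 0
}

# sshd_weak_count CONFIG -> number of WEAK lines (prints 0 when clean)
sshd_weak_count() {
    sshd_audit "$1" | grep -c '^WEAK:' || true
}

# Constructed sample configs (not from any real host).
WEAK_SSHD_CONFIG='# near-stock config: commented-out keywords mean the defaults apply
#PermitRootLogin yes
#PasswordAuthentication yes
Protocol 2
Subsystem sftp /usr/libexec/openssh/sftp-server'

HARDENED_SSHD_CONFIG='Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers admin@192.0.2.* admin@203.0.113.7
# conditional exception for an internal range; the global value stays "no"
Match Address 10.0.0.0/8
    PasswordAuthentication yes'

echo "== near-stock config: $(sshd_weak_count "$WEAK_SSHD_CONFIG") weak setting(s)"
sshd_audit "$WEAK_SSHD_CONFIG"
echo "== hardened config: $(sshd_weak_count "$HARDENED_SSHD_CONFIG") weak setting(s)"
sshd_audit "$HARDENED_SSHD_CONFIG"
```

To run it against a real host, replace the string argument with "$(cat /etc/ssh/sshd_config)" and reload sshd after editing; keep an existing session open while you test a new key-only login so a typo does not lock you out.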