[CentOS] what percent of time are there unpatched exploits against default config?

Wed Dec 28 03:33:25 UTC 2011
Gilbert Sebenste <sebenste at weather.admin.niu.edu>

On Tue, 27 Dec 2011, Bennett Haselton wrote:

> Suppose I have a CentOS 5.7 machine running the default Apache with no
> extra modules enabled, and with the "yum-updatesd" service running to pull
> down and install updates as soon as they become available from the
> repository.
>
> So the machine can still be broken into, if there is an unpatched exploit
> released in the wild, in the window of time before a patch is released for
> that update.
>
> Roughly what percent of the time is there such an unpatched exploit in the
> wild, so that the machine can be hacked by someone keeping up with the
> exploits?  5%?  50%?  95%?

There's no way to give you an exact number, but let me put it this way:

If you've disabled as much as you can (which by default, most stuff is 
disabled, so that's good), and you restart Apache after each update,
your chances of being broken into are better by things like SSH brute 
force attacks. There's always a chance someone will get in, but when you 
look at the security hole history of Apache, particularly over the past 
few years, there have been numerous CVEs, but workarounds and they aren't 
usually earth-shattering. Very few of them have. The latest version that 
ships with 5.7 is as secure as they come. If it wasn't, most web sites 
on the Internet would be hacked by now, as most run Apache.

*******************************************************************************
Gilbert Sebenste                                                     ********
(My opinions only!)                                                  ******
*******************************************************************************
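Gilbert's point that the practical risk on such a box is more likely to be SSH brute forcing than an unpatched Apache hole suggests a concrete defensive check: watching /var/log/secure for repeated failed logins from one source. The following is an added example, not code from the thread or from CentOS; the log lines are constructed in the format sshd writes on CentOS 5 (hostnames, PIDs and addresses are made up, using RFC 5737 documentation ranges), and the year, the threshold of 5 failures and the 60-second window are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of /var/log/secure lines (not real traffic): one source
# hammering root and non-existent accounts, and one legitimate user who
# mistyped a password once. Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Dec 27 03:12:44 web1 sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Dec 27 03:12:46 web1 sshd[4103]: Failed password for invalid user oracle from 203.0.113.7 port 51236 ssh2
Dec 27 03:12:49 web1 sshd[4105]: Failed password for root from 203.0.113.7 port 51240 ssh2
Dec 27 03:12:51 web1 sshd[4107]: Failed password for root from 203.0.113.7 port 51241 ssh2
Dec 27 03:12:53 web1 sshd[4109]: Failed password for root from 203.0.113.7 port 51242 ssh2
Dec 27 03:13:01 web1 sshd[4111]: Accepted publickey for deploy from 198.51.100.4 port 40022 ssh2
Dec 27 03:20:15 web1 sshd[4120]: Failed password for deploy from 198.51.100.4 port 40030 ssh2
Dec 27 03:20:22 web1 sshd[4122]: Accepted password for deploy from 198.51.100.4 port 40031 ssh2
"""

# syslog timestamp, host, sshd[pid], then the "Failed password" message.
# "invalid user" is optional: sshd adds it when the account does not exist.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failed_logins(text, year=2011):
    """Return a list of (timestamp, source_ip, username) for each failed password.

    syslog lines carry no year, so the caller supplies one (assumed 2011 here,
    the date of the thread). Lines that are not failed-password events are ignored.
    """
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("ip"), m.group("user")))
    return events


def find_brute_force(events, threshold=5, window_seconds=60):
    """Flag source IPs with at least `threshold` failures inside any span of `window_seconds`.

    Uses a per-IP sliding window over time-sorted events, so a slow trickle of
    failures spread over hours is not flagged, while a burst is. Returns
    {ip: {"failures": n, "first": ts, "last": ts, "users": [...]}}.
    """
    per_ip = defaultdict(list)
    for ts, ip, user in sorted(events):
        per_ip[ip].append((ts, user))

    flagged = {}
    for ip, hits in per_ip.items():
        window = deque()
        for ts, user in hits:
            window.append((ts, user))
            # Drop events that fell out of the window relative to the newest one.
            while (ts - window[0][0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= threshold and ip not in flagged:
                flagged[ip] = {
                    "failures": len(window),
                    "first": window[0][0],
                    "last": ts,
                    "users": sorted({u for _, u in window}),
                }
    return flagged


if __name__ == "__main__":
    for ip, info in find_brute_force(parse_failed_logins(SAMPLE_LOG)).items():
        span = (info["last"] - info["first"]).total_seconds()
        print(f"{ip}: {info['failures']} failures in {span:.0f}s, "
              f"accounts tried: {', '.join(info['users'])}")
```

On the sample, 203.0.113.7 is flagged (five failures in nine seconds against admin, oracle and root) while 198.51.100.4, a real user with one typo, is not. On a live system the same logic applies to `/var/log/secure`; what to do with a flagged address (a firewall rule, an alert) is a policy decision, and key-only authentication with password logins disabled removes the attack class entirely, which is the cheaper fix the thread is implicitly pointing at.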