[CentOS] what percent of time are there unpatched exploits against default config?

Thu Dec 29 03:38:30 UTC 2011
Craig White <craigwhite at azapple.com>

On Wed, 2011-12-28 at 00:40 -0700, Bennett Haselton wrote:
> On Tue, Dec 27, 2011 at 10:17 PM, Rilindo Foster <rilindo at me.com> wrote:

> > What was the nature of the break-in, if I may ask?
> >
> 
> I don't know how they did it, only that the hosting company had to take the
> server offline because they said it was sending a DOS attack to a remote
> host and using huge amounts of bandwidth in the process.  The top priority
> was to get the machine back online so they reformatted it and re-connected
> it, so there are no longer any logs showing what might have happened.
> (Although of course once the server is compromised, presumably the logs can
> be rewritten to say anything anyway.)
----
the top priority was to get the machine back online?

Seems to me that you threw away the only opportunity to find out what
you did wrong and to correct that so it doesn't happen again. You are
left to endlessly suffer the endless possibilities and the extreme
likelihood that it will happen again.

It shouldn't have taken more than 2 hours to figure out how they got in.

Next time - have them buy or ship them an external drive and have them
do a dd copy of your hard drive to the external drive so you have an
exact copy of the drive before you reformat/re-deploy.
----
> > Security is more than just updates and a strong password.

> Well that's what I'm trying to determine.  Is there any set of default
> settings that will make a server secure without requiring the admin to
> spend more than, say, 30 minutes per week on maintenance tasks like reading
> security newsletters, and applying patches?  And if there isn't, are there
> design changes that could make it so that it was?
> 
> Because if an OS/webserver/web app combination requires more than, say,
> half an hour per week of "maintenance", then for the vast majority of
> servers and VPSs on the Internet, the "maintenance" is not going to get
> done.  It doesn't matter what our opinion is about whose fault it is or
> whether admins "should" be more diligent.  The maintenance won't get done
> and the machines will continue to get hacked.  (And half an hour per week
> is probably a generous estimate of how much work most VPS admins would be
> willing to do.)
> 
> On the other hand, if the most common causes of breakins can be identified,
> maybe there's a way to stop those with good default settings and automated
> processes.  For example, if exploitable web apps are a common source of
> breakins, maybe the standard should be to have them auto-update themselves
> like the operating system.  (Last I checked, WordPress and similar programs
> could *check* if updates were available, and alert you next time you signed
> in, but they didn't actually patch themselves.  So if you never signed in
> to a web app on a site that you'd forgotten about, you might never realize
> it needed patching.)
----
please excuse my impertinence but it seems as though you want everyone
on the list to indulge in your speculation of the myriad of
possibilities for your server's lack of security when you deliberately
chose not to conclusively determine the problem.

As for the time needed to maintain a VPS, it sounds like you are
reselling shares of co-located servers to others... good luck with that.

Craig
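The imaging step Craig recommends above (a dd copy of the disk before it is reformatted), written out as an added example that is not part of the thread. It assumes GNU coreutils (dd, sha256sum) and that SRC is the compromised disk's block device while DST is a file on the attached external drive; the digests are recorded beside the image so the copy can later be shown to still match what was acquired.

```shell
#!/bin/sh
# Added example (not from the mailing list): byte-for-byte image of a disk
# with dd, hashed on both sides so the copy is verifiably identical.
# Assumed usage, run as root:  image_and_verify /dev/sdX /mnt/external/host.img
set -eu

image_and_verify() {
    src="$1"; dst="$2"
    # Plain copy, large block size for throughput. Do not add conv=sync here:
    # it pads a short final block to bs bytes and the image would no longer
    # hash the same as the source. For disks with bad sectors use bs=512
    # with conv=noerror,sync instead, accepting that the hashes will differ.
    dd if="$src" of="$dst" bs=4M
    # Hash source and image; keep both digests next to the image.
    src_sum=$(sha256sum "$src" | cut -d' ' -f1)
    dst_sum=$(sha256sum "$dst" | cut -d' ' -f1)
    printf '%s  %s\n' "$src_sum" "$src" >  "$dst.sha256"
    printf '%s  %s\n' "$dst_sum" "$dst" >> "$dst.sha256"
    # Acquisition only counts as successful if the two digests agree.
    [ "$src_sum" = "$dst_sum" ]
}

verify_image() {
    dst="$1"
    # Re-hash the image later (before analysis, after transport) and compare
    # it with the digest recorded at acquisition time.
    expected=$(awk -v f="$dst" '$2 == f { print $1 }' "$dst.sha256")
    [ -n "$expected" ] && [ "$(sha256sum "$dst" | cut -d' ' -f1)" = "$expected" ]
}
```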

