[CentOS] what percent of time are there unpatched exploits against default config?

Thu Dec 29 08:17:28 UTC 2011
Bennett Haselton <bennett at peacefire.org>

On Wed, Dec 28, 2011 at 6:10 AM, Johnny Hughes <johnny at centos.org> wrote:

> On 12/27/2011 10:42 PM, Bennett Haselton wrote:
> > Everything installed on the machine had been installed with "yum".  So I
> > assumed that meant that it would also be updated by "yum" if an update
> > was available from the distro.
> >
>
> 1.  Are you running PHP apps on the web server?  Perl apps?  Bad code in
> dynamic apps is the main way security breaches happen if via apache.
> And in those cases it is usually the ability to execute some script
> (sometimes one that the bad guys upload first) that is the issue.  Many
> times this happens because programmers of the dynamic (php, perl,
> python, ruby, etc.) apps do not properly vet the input of some form or other
> item.
>

The only popular third-party script on the server was glype from
www.glype.com.  I don't know if it's popular enough (compared to, say,
WordPress) to make it worthwhile for the bad guys to have developed an
exploit against it.  On the other hand, if they used an automated tool that
can be pointed to *any* PHP script and probe it for weaknesses, they could
have found something.


> 2.  Why have password logins at all?  Using a secure ssh key only for
> logins makes the most sense.


Well that's something that I'm curious about the reasoning behind -- if
you're already using a completely random 12-character password, why would
it be any more secure to use an ssh key?  Even though the ssh key is more
random, they're both sufficiently random that it would take at least
hundreds of years to get in by trial and error.


> 3.  Please do not top post.


My bad.  Gmail default. :)

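The key-only login recommendation in point 2 above, as an added example that is not code from the thread, from CentOS or from OpenSSH: a POSIX sh audit of an sshd_config text, run here against two constructed configs, a stock-style one that still allows password logins and a corrected one. The functions sshd_opt and audit_sshd and both config texts are this example's own; on a real host you would feed it the contents of /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not code from the list thread or from CentOS/OpenSSH.
# Audits an sshd_config for the "ssh keys only" recommendation. The two
# config texts are constructed for the example; on a real host pass the
# contents of /etc/ssh/sshd_config instead.

# Effective global value of an sshd_config keyword. sshd takes the FIRST
# uncommented occurrence, and anything after a "Match" line is conditional,
# so we stop there. Prints the default ($3) if the keyword is absent.
sshd_opt() {
    printf '%s\n' "$1" | awk -v key="$2" -v def="$3" '
        /^[ \t]*(#|$)/              { next }   # comments and blank lines
        tolower($1) == "match"      { exit }   # end of the global section
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print tolower(def) }'
}

# Checks the three settings that together leave only public-key logins.
# Prints one line per failing check; returns 0 only if all pass.
audit_sshd() {
    cfg=$1; rc=0
    # The defaults supplied here are OpenSSH's own for a missing keyword.
    pw=$(sshd_opt "$cfg" PasswordAuthentication yes)
    cr=$(sshd_opt "$cfg" ChallengeResponseAuthentication yes)
    pk=$(sshd_opt "$cfg" PubkeyAuthentication yes)
    [ "$pw" = no ]  || { echo "FAIL PasswordAuthentication=$pw (want no)"; rc=1; }
    # With UsePAM yes, the keyboard-interactive path can still prompt for a
    # password unless this is switched off as well.
    [ "$cr" = no ]  || { echo "FAIL ChallengeResponseAuthentication=$cr (want no)"; rc=1; }
    [ "$pk" = yes ] || { echo "FAIL PubkeyAuthentication=$pk (want yes)"; rc=1; }
    return $rc
}

# Constructed: stock-style config where password logins were left on. The
# commented line is ignored, and the "no" after Match does not change the
# global value.
WEAK_CFG='#Port 22
Protocol 2
#PasswordAuthentication no
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
Match User backup
    PasswordAuthentication no'

# Constructed: the corrected config, key logins only.
HARDENED_CFG='Protocol 2
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
PermitRootLogin no'

echo "== weak config =="
audit_sshd "$WEAK_CFG" || echo "password logins still possible"
echo "== hardened config =="
audit_sshd "$HARDENED_CFG" && echo "key logins only"
```

On an OpenSSH new enough to have `sshd -T`, that flag prints the effective configuration and is preferable to parsing the file by hand; either way, run `sshd -t` before restarting the daemon, and keep an existing session open until a key login has been confirmed from a second one.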