> Well one of the lessons of the recent threads seems to be that there is
> a lot of disagreement over what constitutes a "misconfigured server".
> Some people consider a server misconfigured if it doesn't use a firewall
> to limit access to sshd, some people consider it misconfigured if sshd
> uses passwords instead of keys, some people consider the server
> misconfigured if it doesn't use SELinux, etc. Because there are
> mutually contradictory definitions of "misconfigured", if you find out
> that a server was broken into you can always come up with a reason,
> after the fact, why the server should be considered "misconfigured",
> depending on whose definition you use.

Well, first you need to select a security baseline and apply it to the server.
(for example: http://benchmarks.cisecurity.org/tools2/linux/CIS_RHEL_5.0-5.1_Benchmark_v1.1.2.pdf)

>
> But there seems to be some consensus, at least, that exploits do get
> found which allow apache to run arbitrary code (even under its
> unprivileged account), and exploits do get found that elevate an
> unprivileged user to root privileges. So you could offer, for example,
> a bounty for anyone who finds a way to elevate the privilege of an
> unprivileged account. That's a lot less powerful than a complete
> exploit that can be used against any server on the Internet, but it's
> the kind of thing an attacker might use as part of a larger exploit. So
> would you feel safer using CentOS/Red Hat if Red Hat, for example,
> offered a prize to anyone who could find a privilege-escalation exploit
> like that? Knowing that it would reduce the chance of a black hat
> finding the exploit and using it as part of an attack?

Well, not really.

--
Eero