[CentOS] what percent of time are there unpatched exploits against default config?

Alex Milojkovic centos at businessforce.ca
Sun Jan 1 01:06:36 UTC 2012

Yes, but this is left to every server admin to do. Then if some don't do it
and get hacked it pretty much defeats the rest if their "home" based servers
are used as bots.
What I'm talking about is a national policy using perimeter routers and
better netblock allocation.
The reason netblocks should be better organized is that if you have many
rules in your router it takes time to process the rules.
If you have 10,000 lines of rules in our firewall it takes some time to go
through them.
It's easy enough to copy a bunch of CIDR addresses and add them, but I just
see it as unnecessary overhead for your router.
If you choke the whole thing at the source, there is no way for anyone sitting
in "that" place to access anything under your watch.
It's like international relations.
You like me, I like you, you have an embassy in my town, I have an embassy
in your town.
You peeve me off, I close my embassy and close my Internet pipe too.
They should add Internet pipe to the table.
I'm oversimplifying, but that's the idea.
Internet was such a great thing and everyone was enamored with it so quickly
because it opened so many possibilities that no one thought about the doors
we didn't want to open.
I think some of these changes are coming.

Happy New Year Y'all!

-----Original Message-----
From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf
Of Drew
Sent: Saturday, December 31, 2011 2:07 PM
To: CentOS mailing list
Subject: Re: [CentOS] what percent of time are there unpatched exploits
against default config?

> IP address allocation needs to be done smarter so that geographical
> regions can be isolated easier. And at some point it probably will be.

There already is that capability to some extent. Between geoip and the
RIRs, one can get a pretty good handle on which /8 or /16 blocks need to be
blocked at your firewall. In fact the Linux-based routers we use have a
specific "Country Blocking" feature which I use to block large swathes of
the Net from our systems.


"Nothing in life is to be feared. It is only to be understood."
--Marie Curie
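
The rule-count overhead raised in the message above, and the /8 or /16 blocking mentioned in the quoted reply, can be illustrated with a short sketch. This is an added example, not part of the thread: the sample ranges are constructed from documentation address space and the function names are hypothetical. It merges adjacent and overlapping CIDR entries into the fewest supernets, then answers membership with a binary search instead of a rule-by-rule walk.

```python
import bisect
import ipaddress

# Constructed sample blocklist (documentation ranges only), one CIDR per
# line, in the form such lists are usually copied around in.
SAMPLE_BLOCKLIST = """
# constructed example data
198.51.100.0/25
198.51.100.128/25
203.0.113.0/26
203.0.113.64/26
203.0.113.128/25
192.0.2.0/24
192.0.2.17/32
not-a-cidr
"""

def parse_cidrs(text):
    """Return IPv4 networks from text, skipping blanks, comments and junk."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # a real loader should log the rejected line
    return [n for n in nets if n.version == 4]

def aggregate(nets):
    """Merge adjacent and overlapping networks into the fewest supernets."""
    return sorted(ipaddress.collapse_addresses(nets))

def build_index(nets):
    """Sorted (start, end) integer ranges; aggregated nets never overlap."""
    return [(int(n.network_address), int(n.broadcast_address)) for n in nets]

def is_blocked(index, addr):
    """Binary search over the ranges instead of walking every rule in order."""
    ip = int(ipaddress.IPv4Address(addr))
    i = bisect.bisect_right(index, (ip, 0xFFFFFFFF)) - 1
    return i >= 0 and index[i][0] <= ip <= index[i][1]

RAW = parse_cidrs(SAMPLE_BLOCKLIST)   # 7 entries as copied
MERGED = aggregate(RAW)               # 3 entries after aggregation
INDEX = build_index(MERGED)
```
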