[CentOS] Thanks to every one

Thu Jul 20 15:11:59 UTC 2017
Valeri Galtsev <galtsev at kicp.uchicago.edu>

On Thu, July 20, 2017 8:07 am, Peter Larsen wrote:
> On 07/16/2017 12:30 PM, Andreas Benzler wrote:
>> - The firewall is placed in front of the cluster.
>> - After you have found a safe base for this, you freeze it.
>
> Sorry, but this statement really irks me in a wrong way. Why do you
> think a firewall is the ONLY part that needs to provide security?
> That's the way I read this statement - that it doesn't matter anywhere
> else.  In addition, the majority of attacks and compromises come from
> INSIDE the firewall - i.e. the "wannacry" and similar attacks are all
> distributed via email, executed on a local workstation and it propagates
> from there - your external firewall is not even hit before your
> servers/cluster is scanned.

I will second that. I personally run servers under the assumption that bad
guys are already inside. That doesn't negate other measures such as a
firewall, brute-force attack protection, etc. But I've seen bad guys
attempting to elevate privileges (unsuccessfully) twice during the last
decade and a half and more. Both times I thanked myself for taking
appropriate security measures.

I am really unimpressed by how Microsoft's misconception of a "safe
internal network" became widespread in the allegedly much more intelligent
community that the Linux community is (or should be). There is nothing
safe on the network for me if:

1. there is at least one computer on this network that is not installed
and maintained by me (assuming all machines I maintain are secured
appropriately; include here sysadmins who do the same)

2. there is at least one user other than me (and my mate sysadmins who are
as security-aware as hopefully I am)

In other words: if you are a sysadmin, paranoia is one of the words in your
job description. I really find it difficult to have people take it to
heart (except sysadmins who _had_ an incident, and had to sweep up
after that, and had to tell their users that the machine/cluster he
administers was hacked and why).

I hope this helps someone.

Valeri

>
> Another aspect here is all the other stuff outside the kernel. Even if
> you do "yum update" frequently, if you don't restart, there are several
> daemons and features of your system that don't get patched - the code
> is in memory and changing the disk has no effect at all.
>
> Bottom line is, I would not be proud of triple digit single server
> uptimes. It simply tells me, I can find lots of ways in - not that
> you're running a rock solid setup.
>
> --
>   Regards, Peter Larsen


++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
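
The point in the quoted message about "yum update" without a restart can be checked on a running host. The following Python 3 script is an added example, not part of the original thread: it reads /proc/<pid>/maps and lists processes that still map executable files which have been deleted or replaced on disk. The sample maps text, the skip list and the function names are constructed for illustration.

```python
import glob

# Constructed /proc/<pid>/maps excerpt (not from a real host): libc and
# libcrypto were replaced on disk by an update while the daemon kept running.
SAMPLE_MAPS = """\
00400000-004b2000 r-xp 00000000 fd:00 1311 /usr/sbin/sshd
7f3a10000000-7f3a101c4000 r-xp 00000000 fd:00 2201 /usr/lib64/libc-2.17.so (deleted)
7f3a101c4000-7f3a103c3000 ---p 001c4000 fd:00 2201 /usr/lib64/libc-2.17.so (deleted)
7f3a20000000-7f3a20233000 r-xp 00000000 fd:00 2307 /usr/lib64/libcrypto.so.1.0.1e (deleted)
7f3a30000000-7f3a30001000 rw-s 00000000 00:04 9001 /SYSV00000000 (deleted)
7f3a40000000-7f3a40021000 rw-p 00000000 00:00 0
7ffd5e000000-7ffd5e021000 rw-p 00000000 00:00 0 [stack]
"""

# Assumed skip list: deleted mappings that are shared memory or scratch
# files rather than stale program code.
SKIP_PREFIXES = ("/dev/", "/SYSV", "/memfd:", "/tmp/", "/run/")
DELETED = " (deleted)"

def stale_mappings(maps_text):
    """Return sorted paths of executable mappings whose file is gone from disk."""
    stale = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # address perms offset dev inode path
        if len(fields) < 6 or not fields[5].endswith(DELETED):
            continue  # anonymous mapping, or file still present on disk
        perms, inode, path = fields[1], fields[4], fields[5][:-len(DELETED)]
        if "x" in perms and inode != "0" and not path.startswith(SKIP_PREFIXES):
            stale.add(path)
    return sorted(stale)

def scan_proc(proc_root="/proc"):
    """Map 'pid (name)' to its stale executable mappings for readable processes."""
    results = {}
    for maps_path in glob.glob(f"{proc_root}/[0-9]*/maps"):
        pid = maps_path.split("/")[-2]
        try:
            with open(maps_path) as fh:
                paths = stale_mappings(fh.read())
            with open(f"{proc_root}/{pid}/comm") as fh:
                name = fh.read().strip()
        except OSError:
            continue  # process exited, or not readable without root
        if paths:
            results[f"{pid} ({name})"] = paths
    return results

if __name__ == "__main__":
    for proc, paths in sorted(scan_proc().items()):
        print(proc, "still runs replaced code:", ", ".join(paths))
```

Run it as root after an update to see every process; anything it lists needs a service restart or a reboot before the patched code is actually in use.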