[CentOS] Thanks to every one

m.roth at 5-cent.us m.roth at 5-cent.us
Thu Jul 20 15:27:16 UTC 2017


Valeri Galtsev wrote:
>
> On Thu, July 20, 2017 8:07 am, Peter Larsen wrote:
>> On 07/16/2017 12:30 PM, Andreas Benzler wrote:
>>> - The firewall is placed in front of the cluster.
>>> - After you have found a safe base for this, you freeze it.
>>
>> Sorry, but this statement really urks me in a wrong way. Why do you
>> think a firewall is the ONLY part that needs to be provide security?
>> That's the way I read this statement - that it doesn't matter anywhere
>> else.  In addition, the majority of attacks and compromises come from
>> INSIDE the firewall - ie. the "wannacry" and similar attacks are all
>> distributed via email, executed on a local workstation and it propagates
>> from there - your external firewall is not even hit before your
>> servers/cluster is scanned.
>
> I will second that. I personally run servers under assumption that bad
> guys are already inside. Doesn't negate other measures as firewall, brute
> force attack protection etc. But I've seen bad guys attempting to elevate
> privileges (unsuccessfully) twice during last over decade and a half. Both
> times I thanked myself for taking appropriate security measures.
<snip>
A cluster for heavy duty computing, of which I run several, is a whole
'nother ballgame. I think I mentioned, but let me recap: 1. only a few
people have access to the systems (/bin/noLogin, otherwise); 2) my users
have jobs that can be running one, two, or even three weeks straight. And
several users' jobs can overlap. We cannot update something that might
affect the running jobs (like, say, glibc).

Now, some things, like say bind, no problem. But more serious things might
break their jobs, and that's not acceptable. We make arrangements to
update a few times a year.

Note that there was an update to, I believe, glibc early in 6.x that *did*
break computations - results with the update were different than the glibc
before that, so we have to be cautious.

As most folks here where I work know, my job here is to keep the
researchers going, not to run systems to run systems (another group here
does seem to feel the latter way....) Oh, and my personal mission
statement is xkcd 705. <g>

       mark




More information about the CentOS mailing list