[LINK] Security of old RedHat systems

[Craig Sanders]

On Sun, Dec 12, 2004 at 11:56:13PM +1100, Robin Whittle wrote:
> What thinketh the Link Institute on the question of whether Red Hat
> 7.x and 9.x systems have in some way become relatively immune to
> attack since the official Red Hat update services ended? I recognise
> that even asking this question may be a sign of lunacy.

wishful thinking, at least.

it depends entirely on what services you have running that are exposed to the
internet.  there may be vulnerabilities in them that are unknown today which 
will be discovered tomorrow, with an active exploit next month.

> I have three Red Hat systems at present and haven't done any updates
> on them since the official service finished - in March I think, or
> late 2003 for the older system.

then you are probably due to be compromised soon.  going without updates for
that long means it is nearly certain that there are already known and
exploitable vulnerabilities on your systems.

> I should update them to Free BSD or Debian - but it is probably two
> weeks work, after installing all the appropriate software, scripts
> etc. I have many things I would rather do than this!

well, you can either do it pre-emptively with all your data and config
files intact and uncompromised, or you can do it in a panicked rush
after your systems have been owned by a script-kiddie.

linux and free software/open source aren't magically immune to security
bugs and programming errors. the advantage of linux etc is the rapid
development model and the "with enough eyes looking, all bugs are
obvious" phenomenon, which results in quick discovery and even quicker
fixes for problems. if you deliberately choose not to take advantage of
this, then eventually you WILL get hacked.

for each server:

1. make a list of what services it provides, and make notes on any
non-standard or unusual configuration details 

2. backup the entire system

3. make another backup of just the config files, somewhere where they're
easy to get at and view,

4. repartition, reformat, and install the base debian system plus just
the packages you need.

5. use the backup of config files to speed up configuring the system

6. if you run the "stable" release rather than the "unstable" development
version of debian, make sure you have security.debian.org in
/etc/apt/sources.list in either case, update your system regularly.


do one system at a time, do it slow and carefully, and work to a plan.


note: the "testing" dist of debian is relatively safe to use now because debian
is very close to releasing it as the next "stable" release. but in normal
times, you are better off using either stable or unstable. both of these get
security updates, testing does not (at least, not immediately - the point of
testing is that no updates get to it until at least two weeks have passed
without a bug report, which often means that new & updated packages don't get
into testing for months....if at all).

stable gets backports of any security fixes.  i.e. the security fix is patched
in to the package version in stable.  it never gets new versions with new
features ("stable" means that it doesn't change once it has been released,
except for security patches).

unstable gets new packages, new versions, and security updates on am almost
daily basis.  "unstable" means "in flux, constantly changing" and is not
necessarily a reflection on reliability or quality (although there are rare
occasions when new packages have severe bugs).  it is, however, the best way to
stay months or even years ahead of the script kiddies.


> I keep an eye on BugTraq and maybe (probably . . . almost certainly) I
> missed something.  I don't recall seeing any packages I thought I was
> running on these machines which had serious security flaws.  (I am not
> concerned about protecting the machine from local users, since I am the
> local user.  I don't have Telnet of FTP enabled - it is all SSH and SCP.)

fair enough, but ssh has had security bugs in the past.  there is no guarantee
more wont be discovered in the future.

> I haven't done any updates for the best part of a year and I haven't had
> any of these machines hacked.
> 
> Have I been lucky?

yes.

> Or maybe these systems - or the subset of them I have installed - have
> had most of their security vulnerabilities found already.

it's possible, but extremely unlikely.  there may be none known now, but that
is no guarantee for the future.

if you insist on sticking with old software, then at least make sure your
firewall rules are tight. block access to ALL services that you don't want to
make available to the public. and think about using port-knocking software for
services that you need access to from outside but don't need or want to give
public access to (the idea with port-knocking[1] is that, e.g., the ssh port is
blocked by firewall rules until a "knock" is made on a specific sequence of
higher port numbers. at that point, the ssh port is opened for the IP address
that "knocked". it has it's pros and cons).

but that still won't protect you from security bugs in the services that you
have open to the public - dns, mail, web, etc etc.


[1] http://www.google.com.au/search?hl=en&q=tcp+port+knocking&btnG=Google+Search&meta=


> I don't believe hackers would be uninterested in finding
> vulnerabilities, since I think there are a huge number of servers
> running RH 7.2, 7.3 and 9.0.

you're right....so any vulnerabilities that are there WILL eventually be found.

it is extremely unlikely that there are no vulnerabilities to be found - all
software has bugs.  

> I would know if one of these machines had been hacked - because I run
> Tripwire on all three.  It checks the directory structure and file MD5s

good, but that only tells you after the fact, it doesn't stop the attack.


>   RH 7.2   Celeron 800 MHz Mailserver, nameserver etc., permanently

which NS software?  bind has had many holes in the past, and may have more in
the future.

>            with software RAID-1.  Handles all my email, IMAP mailboxes,
>            filtering etc. nightly backup to the next machine:

which MTA? (IIRC, you use postfix.  almost certainly safe).

which IMAP/POP daemon?  there have been numerous vulnerabilities in many of
them.  does it listen on the internet interface or is it restricted to just
localhost and the local network?

how is the backup done?  is it a potential hole which could allow access to
either machine.

>   RH 9.0   Not intensively used desktop machine - Pentium Pro has
>            never put a foot wrong.  (Sorry folks, I do most of my work
>            on a Win2k desktop and laptop.)

is it running any services which are exposed to the internet?

what about printing (lpr? lprng? cups? whatever) or file sharing (samba? nfs?)

is X configured for remote access (i.e XDMCP) or just local?

>   RH 9.0   Server at http://www.servepath.com in San Francisco.  USD$100
>            a month - for my websites.   

apache has had the odd vulnerability, and countless vulnerabilities have been
found in common CGI scripts.

again, what other services is it running that are exposed to the internet?


craig

-- 
craig sanders <cas at taz.net.au>           (part time cyborg)