[LINK] Security of old RedHat systems

Adam Todd link at todd.inoz.com
Mon Dec 13 11:14:43 EST 2004


>2003 for the older system.  I should update them to Free BSD or Debian -
>but it is probably two weeks work, after installing all the appropriate
>software, scripts etc.  I have many things I would rather do than this!

Yeah I know this feeling!

But Robin, my advice, if it's working, don't fix it.  You have firewall 
processes in place, you're a smart cookie, you'll know if something isn't 
right, then fix it.

Eventually, you can upgrade the OS and applications, when you need 
to.  When you need some major feature that makes your life even easier.

I'm security conscious, I have external security audits done on my machines 
a few times a year to ensure that I'm not missing anything, and have never 
had a weakness reported.

I haven't upgraded some of my machines for more than 9 years now.  Some for 
five.  The next upgrade has been planned for two years, but I find little 
benefit in wasting so much time updating something that is working just 
fine.  I'm not going to get much advantage out of any upgrade presently.

I'd like to upgrade my mail server so I can take advantage of some new 
anti-spam processes (TMDA) but as I'm the one with the biggest spam hit, 
it's not that big a deal right now.

>I keep an eye on BugTraq and maybe (probably . . . almost certainly) I
>missed something.  I don't recall seeing any packages I thought I was
>running on these machines which had serious security flaws.  (I am not
>concerned about protecting the machine from local users, since I am the
>local user.  I don't have Telnet or FTP enabled - it is all SSH and SCP.)

Yep, you're probably mostly pretty safe.  It's the IP layer that you have 
your most serious vulnerability within.

>I haven't done any updates for the best part of a year and I haven't had
>any of these machines hacked.
>
>Have I been lucky?

Probably not.  With the volume of probes and things these days, the 
"hackers" tend to go for the easier and more widely used 
vulnerability.  Windows.

I don't see many Unix Hack attempts these days, unless it's from someone I 
know of, or have asked or given permission to hack.  All the exploits are 
DDoS for windows, broadcast, and windows SMB attacks, oh and lots of IIS 
attacks which are a total waste of bandwidth.

If only hackers did a HEAD first to see what OS was being used on an IP 
address and then discarded the IP address from wasted bandwidth, they might 
hack faster and more efficiently and find more exploits.

But as I said, these aren't real hackers these days, they are mutants.

>Or maybe these systems - or the subset of them I have installed - have
>had most of their security vulnerabilities found already.

Maybe :)

>I don't believe hackers would be uninterested in finding
>vulnerabilities, since I think there are a huge number of servers
>running RH 7.2, 7.3 and 9.0.

Yes, but nowhere near as many servers as there are windows machines which 
are easier to exploit, gain privilege and add redirectors and other tools.

Why exploit a system in which you have to cover your tracks and manipulate 
logs, when you can hack a system quickly and without log and tracking?

>I would know if one of these machines had been hacked - because I run
>Tripwire on all three.  It checks the directory structure and file MD5s
>against an encrypted database every day and emails me the results
>of any discrepancies.  (It is hard to modify the default exclusion list
>to suit my machines, but once done, I think Tripwire does a great job.)

Not using Tripwire myself, but it sounds pretty detailed.

>A successful hack would surely change things in ways I would notice via
>these reports.  I run Tripwire and the mailing script in a manner I made
>up myself, with the binary in a non-standard location and with a
>non-standard name, so I don't think that it is vulnerable to attack
>aimed at disabling or modifying the standard Tripwire arrangement.

Very sensible and something people need to consider when installing even 
windows.  I rarely do a "default" windows install.  It can be a pain in the 
neck 4 years later when you want to upgrade something and don't remember 
where you pathed things, but it stops exploits - the very reason most of 
the trojans hitting my workstation last week didn't work, because my paths 
are non standard.

Even my unix systems are all "non-standard" and configured very carefully 
to give me the advantage.  I have a "standard" configuration I use and it 
works.

>            fabulously reliable service, and I have potentially 32 IP
>            addresses but I cut it back to 16 to reduce the amount of
>            random traffic I was getting.

This is the most frustrating part of bandwidth today.  I now block all 
unused addresses at the firewall down to the port level.

Now that I have a really cool working ipredirect running on my Linux 
firewall, I'm considering putting all my front line servers on non routable 
addresses and using my firewall as a total translation server.

That will reduce arp requests on my server side of the LAN and keep hackers 
out!  If they get into anything using a non-standard request or buffer 
overload or whatever they try and do, they'll get a redirect to a honeypot 
machine :)

>   RH 9.0   Not intensively used desktop machine - Pentium Pro has
>            never put a foot wrong.  (Sorry folks, I do most of my work
>            on a Win2k desktop and laptop.)

Ditto.  I have an IBM laptop as my Linux workstation, but it's become a web 
server, backup MySQL server and a few other things.  It runs X of course, 
but it's become such a central part of my office LAN it's really a server.

It has been structured to be removed from the LAN and taken on location 
with a series of laptops so we have full office resources offsite :)

>   RH 9.0   Server at http://www.servepath.com in San Francisco.  USD$100
>            a month - for my websites.   However, I want to make it my
>            main mailserver, set up an encrypted pipe via a cable modem
>            to the first machine listed above, and so avoid the AUD$0.20
>            per megabyte costs of Telstra Internet for email, including
>            especially spam and viruses.

Why don't you use another ISP and get DSL instead?  Some have unlimited 
traffic for $100 a month :)

I can provide a referral if you like :)
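The file-integrity routine Robin describes above (hash every file, compare against a stored database on a schedule, report discrepancies, skip an exclusion list) can be shown in a few dozen lines. The following is an added example written for this archive page, not Robin's setup and not Tripwire's own code; it uses SHA-256 where the post mentions MD5, keeps the baseline as plain JSON rather than an encrypted database, and the directory layout and file contents in the demo are constructed here.

```python
"""Minimal Tripwire-style file integrity check (constructed example, not Tripwire)."""
import hashlib
import json
import os
import stat
from pathlib import Path


def file_digest(path, algo="sha256"):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, exclude=()):
    """Walk `root` and record digest, permission bits and size of every regular file.

    `exclude` holds path prefixes relative to `root` (e.g. ("tmp", "var/log")),
    playing the role of Tripwire's exclusion list for files expected to churn.
    Symlinks are recorded by neither target nor content: they are skipped here.
    """
    root = Path(root)
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if any(rel == ex or rel.startswith(ex.rstrip("/") + "/") for ex in exclude):
                continue
            if p.is_symlink() or not p.is_file():
                continue
            st = p.stat()
            baseline[rel] = {
                "digest": file_digest(p),
                "mode": stat.S_IMODE(st.st_mode),  # a chmod is a change too
                "size": st.st_size,
            }
    return baseline


def compare(baseline, current):
    """Return added / removed paths and, for common paths, which attributes differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        diffs = {
            k: (baseline[rel][k], current[rel][k])
            for k in ("digest", "mode", "size")
            if baseline[rel][k] != current[rel][k]
        }
        if diffs:
            changed[rel] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def format_report(result):
    """Plain-text body suitable for the daily mail Robin mentions."""
    lines = []
    for kind in ("added", "removed"):
        for rel in result[kind]:
            lines.append(f"{kind.upper():8} {rel}")
    for rel, diffs in result["changed"].items():
        what = ", ".join(f"{k}: {old!r} -> {new!r}" for k, (old, new) in diffs.items())
        lines.append(f"CHANGED  {rel} ({what})")
    return "\n".join(lines) if lines else "No discrepancies found."


def save_baseline(baseline, path):
    Path(path).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


if __name__ == "__main__":
    # Constructed demo: baseline a scratch tree, tamper with it, print the report.
    import tempfile
    root = Path(tempfile.mkdtemp())
    (root / "bin").mkdir()
    (root / "bin" / "login").write_bytes(b"#!/bin/sh\necho original\n")
    (root / "tmp").mkdir()
    (root / "tmp" / "scratch").write_bytes(b"noise")
    save_baseline(build_baseline(root, exclude=("tmp",)), root / "baseline.json")
    (root / "bin" / "login").write_bytes(b"#!/bin/sh\necho tampered\n")  # simulated replacement
    (root / "bin" / ".hidden").write_bytes(b"new file")
    current = build_baseline(root, exclude=("tmp", "baseline.json"))
    print(format_report(compare(load_baseline(root / "baseline.json"), current)))
```

The baseline file and the checker itself only prove anything if an intruder cannot rewrite them, which is the point of Robin's non-standard binary location and encrypted database; keeping a copy of the baseline on read-only media or a separate host gives the same guarantee more simply. Note also that the exclusion list should be as short as possible, since anything excluded is invisible to the report.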
