[LINK] Security of old RedHat systems
link at todd.inoz.com
Mon Dec 13 11:14:43 EST 2004
>2003 for the older system. I should update them to Free BSD or Debian -
>but it is probably two weeks work, after installing all the appropriate
>software, scripts etc. I have many things I would rather do than this!
Yeah I know this feeling!
But Robin, my advice, if it's working, don't fix it. You have firewall
processes in place, you're a smart cookie, you'll know if something isn't
right, then fix it.
Eventually, you can upgrade the OS and applications, when you need
to. When you need some major feature that makes your life even easier.
I'm security conscious, I have external security audits done on my machines
a few times a year to ensure that I'm not missing anything, and have never
had a weakness reported.
I haven't upgraded some of my machines for more than 9 years now. Some for
five. The next upgrade has been planned for two years, but I find little
benefit in wasting so much time updating something that is working just
fine. I'm not going to get much advantage out of any upgrade presently.
I'd like to upgrade my mail server so I can take advantage of some new
anti-spam processes (TMDA) but as I'm the one with the biggest spam hit,
it's not that big a deal right now.
>I keep an eye on BugTraq and maybe (probably . . . almost certainly) I
>missed something. I don't recall seeing any packages I thought I was
>running on these machines which had serious security flaws. (I am not
>concerned about protecting the machine from local users, since I am the
>local user. I don't have Telnet or FTP enabled - it is all SSH and SCP.)
Yep, you're probably mostly pretty safe. It's the IP layer that you have
your most serious vulnerability within.
>I haven't done any updates for the best part of a year and I haven't had
>any of these machines hacked.
>Have I been lucky?
Probably not. With the volume of probes and things these days, the
"hackers" tend to go for the easier and more widely used
I don't see many Unix Hack attempts these days, unless it's from someone I
know of, or have asked or given permission to hack. All the exploits are
DDoS for windows, broadcast, and windows SMB attacks, oh and lots of IIS
attacks which are a total waste of bandwidth.
If only hackers did a HEAD first to see what OS was being used on an IP
address and then discarded the IP address from wasted bandwidth, they might
hack faster and more efficiently and find more exploits.
But as I said, these aren't real hackers these days, they are mutants.
>Or maybe these systems - or the subset of them I have installed - have
>had most of their security vulnerabilities found already.
>I don't believe hackers would be uninterested in finding
>vulnerabilities, since I think there are a huge number of servers
>running RH 7.2, 7.3 and 9.0.
Yes, but nowhere near as many servers as there are windows machines which
are easier to exploit, gain privilege and add redirectors and other tools.
Why exploit a system in which you have to cover your tracks and manipulate
logs, when you can hack a system quickly and without log and tracking?
>I would know if one of these machines had been hacked - because I run
>Tripwire on all three. It checks the directory structure and file MD5s
>against an encrypted database every day and emails me the results
>of any discrepancies. (It is hard to modify the default exclusion list
>to suit my machines, but once done, I think Tripwire does a great job.)
Not using Tripwire myself, but it sounds pretty detailed.
>A successful hack would surely change things in ways I would notice via
>these reports. I run Tripwire and the mailing script in a manner I made
>up myself, with the binary in a non-standard location and with a
>non-standard name, so I don't think that it is vulnerable to attack
>aimed at disabling or modifying the standard Tripwire arrangement.
Very sensible and something people need to consider when installing even
windows. I rarely do a "default" windows install. It can be a pain in the
neck 4 years later when you want to upgrade something and don't remember
where you pathed things, but it stops exploits - the very reason most of
the trojans hitting my workstation last week didn't work, because my paths
are non standard.
Even my unix systems are all "non-standard" and configured very carefully
to give me the advantage. I have a "standard" configuration I use and it
> fabulously reliable service, and I have potentially 32 IP
> addresses but I cut it back to 16 to reduce the amount of
> random traffic I was getting.
This is the most frustrating part of bandwidth today. I now block all
unused addresses at the firewall down to the port level.
Now that I have a really cool working ipredirect running on my Linux
firewall, I'm considering putting all my front line servers on non routable
addresses and using my firewall as a total translation server.
That will reduce arp requests on my server side of the LAN and keep hackers
out! If they get into anything using a non-standard request or buffer
overload or whatever they try and do, they'll get a redirect to a honeypot
> RH 9.0 Not intensively used desktop machine - Pentium Pro has
> never put a foot wrong. (Sorry folks, I do most of my work
> on a Win2k desktop and laptop.)
Ditto. I have an IBM laptop as my Linux workstation, but it's become a web
server, backup MySQL server and a few other things. It runs X of course,
but it's become such a central part of my office LAN it's really a server.
It has been structured to be removed from the LAN and taken on location
with a series of laptops so we have full office resources offsite :)
> RH 9.0 Server at http://www.servepath.com in San Francisco. USD$100
> a month - for my websites. However, I want to make it my
> main mailserver, set up an encrypted pipe via a cable modem
> to the first machine listed above, and so avoid the AUD$0.20
> per megabyte costs of Telstra Internet for email, including
> especially spam and viruses.
Why don't you use another ISP and get DSL instead? Some have unlimited
traffic for $100 a month :)
I can provide a referral if you like :)
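The Tripwire-style check described in the thread above (walk the tree, hash every file, compare against a protected baseline, report discrepancies) as an added Python example; this is not code from the original post or from Tripwire itself. It stands in an HMAC-signed JSON file for Tripwire's encrypted database, so a tampered baseline is rejected rather than silently trusted; the key, paths and exclusion list are constructed placeholders.

```python
import hashlib
import hmac
import json
import os
from pathlib import Path


def hash_file(path):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root, exclude=()):
    """Snapshot of a tree: type, mode and content hash per entry, keyed by relative path."""
    entries = {}
    for p in sorted(Path(root).rglob("*")):
        rel = p.relative_to(root).as_posix()
        if any(rel == e or rel.startswith(e + "/") for e in exclude):
            continue  # user-maintained exclusion list, like Tripwire's
        st = p.lstat()
        if p.is_symlink():
            entries[rel] = {"type": "link", "target": os.readlink(p)}
        elif p.is_dir():
            entries[rel] = {"type": "dir", "mode": st.st_mode}
        else:
            entries[rel] = {"type": "file", "mode": st.st_mode,
                            "size": st.st_size, "sha256": hash_file(p)}
    return entries


def save_baseline(entries, path, key):
    """Write the snapshot with an HMAC tag so edits to the baseline itself are detectable."""
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    Path(path).write_bytes(tag.encode() + b"\n" + body)


def load_baseline(path, key):
    """Verify the tag before trusting the baseline; raise on mismatch (tampering or wrong key)."""
    tag, body = Path(path).read_bytes().split(b"\n", 1)
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.decode(), expected):
        raise ValueError("baseline integrity check failed")
    return json.loads(body)


def compare(baseline, current):
    """The discrepancy report: what appeared, what vanished, what changed in mode or content."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(k for k in set(baseline) & set(current) if baseline[k] != current[k])
    return {"added": added, "removed": removed, "changed": changed}
```

Run `scan` once on a known-good system to build the baseline, then schedule `compare(load_baseline(...), scan(...))` daily and mail any non-empty report; keep the key off the monitored host, as the poster does with his non-standard binary location.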