Re: recently started crashing 4 am

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Les wrote:
On Tue, 2007-11-27 at 16:46 +0900, John Summerfield wrote:
Ed Greshko wrote:
Mail List wrote:
SNIP
Run half. You eliminate one half immediately.

Enable to okay part, and half the other. Repeat until done.


This is why I do not do automatic updates, ever. I've been saying since RHN was introduced, back around Valhalla's time, it was a bad idea. Automatic downloading is good. I like to see what changes, and what's proposed to change. Even security fixes aren't necessarily urgent.

I think that today the issues surrounding security might make them more
urgent than in times past.
Things like worms and DNS attacks make vulnerable systems a liability to
everyone on the network, excluding only those folks where a firewall
might mitigate such attacks, assuming that the firewall is setup to
properly eliminate such hacks.  Otherwise the common user should
probably rely upon security updates daily, to protect not only
themselves, but everyone else as well.

Worms only affect those with Internet-facing servers. I've not heard of any DNS attacks for some time, but AFAIK the only DNS server I run that could be affected is also Internet-facing. Others could conceivably be corrupted by other DNS servers, but they only refer to official servers or those of my IAP.

In my case at herakles.homelinux.org, I run CentOS4, with Apache, smtp, imap, openvpn, imap and ssh open to the world. I regularly update my firewall to block ssh and smtp from locations that offend me, and typically block the entire network block (saves time sanitizing China) as revealed by whois. ssh is further constrained to a low connexion rate.

That is to say, I only have a few services that could be cracked by the ungodly. If they get into one of those, they next have to contend with selinux.

They need root access if they want to install their own servers, not because it's difficult to _install_ the software, but they need to turn off the firewall to send packets on unexpected ports, the firewall limits traffic in all directions.

I'm sure my system's not entirely impenetrable, but for sure it's difficult, and not worth the trouble just to extend a botnet.

An additional point is that, on systems I control, the list of users is limited to Mr & Mrs S, and the latter finds email and web browsing a challenge, and google is beyond human comprehension.

I'm probably at about one extreme of the range of home users. The other is the person who plugs in an (say) ADSL router following instructions and running no services. They aren't in urgent need of security fixes either.

It seems to me the greatest danger to Linux systems belonging to most people here is the updates we receive, and that's particularly true for consumer-grade Linux - Fedora, Ubuntu (long life maybe excepted), OpenSUSE.

The best countermeasure I know is to review the list of fixes before applying them. If something breaks, at least I know what has changed.


Looking at installed packages on my server (which does have a desktop), I see updates to kernels (twice), httpd, perl, bind, mod-ssl, cyrus-sasl-plain that _might_ be prone to attack from the Internet. since the end of July, when there was a great mass of changes - probably the latest dot-release.

kernel - changes were for broken device drivers, irrelevant to me, and to autofs which is not internet-facing.

perl - changelog entries insufficient

cyrus-sasl-plain - hard to say, may have been vuln to DoS

httpd - cosmetic

mod-ssl cosmetic + CVE-2007-3304.

bind* - cryptography problem, not relevant to me

So there's nothing in the past few months, there have been no essential updates to my server. Why should I take a risk any of them by allowing them on automatically?

oh, I have another Internet-facing server. You cannot send email to herakles.homelinux.org unless you are at one of the few locations where my firewall directs traffic to the server that handles that traffic.

My other Linux systems are well-protected behind my firewall and no urgent need of any updates.

This crashing at 4:00 am may well be the result of an update, thoughtlessly applied.


--

Cheers
John

-- spambait
1aaaaaaa@xxxxxxxxxxxxxxxx  Z1aaaaaaa@xxxxxxxxxxxxxxxx
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux