recently started crashing 4 am

John Summerfield debian at herakles.homelinux.org
Tue Nov 27 22:48:12 UTC 2007


Les wrote:
> On Tue, 2007-11-27 at 16:46 +0900, John Summerfield wrote:
>> Ed Greshko wrote:
>>> Mail List wrote:
> SNIP
>> Run half. You eliminate one half immediately.
>>
>> Enable the okay part, and halve the other. Repeat until done.
>>
>>
>> This is why I do not do automatic updates, ever. I've been saying since 
>> RHN was introduced, back around Valhalla's time, it was a bad idea. 
>> Automatic downloading is good. I like to see what changes, and what's 
>> proposed to change. Even security fixes aren't necessarily urgent.
>>
> I think that today the issues surrounding security might make them more
> urgent than in times past.
> Things like worms and DNS attacks make vulnerable systems a liability to
> everyone on the network, excluding only those folks where a firewall
> might mitigate such attacks, assuming that the firewall is setup to
> properly eliminate such hacks.  Otherwise the common user should
> probably rely upon security updates daily, to protect not only
> themselves, but everyone else as well.

Worms only affect those with Internet-facing servers. I've not heard of 
any DNS attacks for some time, but AFAIK the only DNS server I run that 
could be affected is also Internet-facing. Others could conceivably be 
corrupted by other DNS servers, but they only refer to official servers 
or those of my IAP.

In my case at herakles.homelinux.org, I run CentOS4, with Apache, smtp, 
imap, openvpn and ssh open to the world. I regularly update my 
firewall to block ssh and smtp from locations that offend me, and 
typically block the entire network block (saves time sanitizing China) 
as revealed by whois. ssh is further constrained to a low connexion rate.

That is to say, I only have a few services that could be cracked by the 
ungodly. If they get into one of those, they next have to contend with 
selinux.

They need root access if they want to install their own servers, not 
because it's difficult to _install_ the software, but because they need 
to turn off the firewall to send packets on unexpected ports; the 
firewall limits traffic in all directions.

I'm sure my system's not entirely impenetrable, but for sure it's 
difficult, and not worth the trouble just to extend a botnet.

An additional point is that, on systems I control, the list of users is 
limited to Mr & Mrs S, and the latter finds email and web browsing a 
challenge, and google is beyond human comprehension.

I'm probably at about one extreme of the range of home users. The other 
is the person who plugs in an (say) ADSL router following instructions 
and running no services. They aren't in urgent need of security fixes 
either.

It seems to me the greatest danger to Linux systems belonging to most 
people here is the updates we receive, and that's particularly true for 
consumer-grade Linux - Fedora, Ubuntu (long life maybe excepted), OpenSUSE.

The best countermeasure I know is to review the list of fixes before 
applying them. If something breaks, at least I know what has changed.


Looking at installed packages on my server (which does have a desktop), 
I see updates to kernels (twice), httpd, perl, bind, mod-ssl and 
cyrus-sasl-plain that _might_ be prone to attack from the Internet, 
since the end of July, when there was a great mass of changes - probably 
the latest dot-release.

kernel - changes were for broken device drivers, irrelevant to me, and 
to autofs which is not internet-facing.

perl - changelog entries insufficient

cyrus-sasl-plain - hard to say, may have been vuln to DoS

httpd - cosmetic

mod-ssl - cosmetic + CVE-2007-3304.

bind* - cryptography problem, not relevant to me

So there's nothing: in the past few months there have been no essential 
updates to my server. Why should I take a risk on any of them by allowing 
them on automatically?

Oh, I have another Internet-facing server. You cannot send email to 
herakles.homelinux.org unless you are at one of the few locations where 
my firewall directs traffic to the server that handles that traffic.

My other Linux systems are well-protected behind my firewall and in no 
urgent need of any updates.

This crashing at 4:00 am may well be the result of an update, 
thoughtlessly applied.


-- 

Cheers
John

-- spambait
1aaaaaaa at coco.merseine.nu  Z1aaaaaaa at coco.merseine.nu
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)
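
The review-before-apply routine John describes above (read each package's changelog, note which ones carry a CVE or security wording, and weigh that against whether the package is reachable from the Internet) can be scripted. The following is an added example, not code from the post or from CentOS/Fedora: it parses the text format that `rpm -q --changelog <pkg>` prints, pulls out CVE identifiers and security-sounding wording, and returns a verdict per package. The changelog text is constructed sample data (only CVE-2007-3304 is taken from the post; the other lines are filler), and the set of Internet-facing packages is an assumption modelled on the services the post lists.

```python
import re
import subprocess

# CVE identifiers as they appear in RPM changelog entries.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
# Wording that hints at a security fix even when no CVE id is given.
HINT_RE = re.compile(r"\b(security|denial of service|dos|overflow|vuln\w*)\b", re.I)

# Assumption: packages behind the services the post says are open to the
# world (Apache, smtp, imap, openvpn, ssh, plus bind). Adjust to your host.
INTERNET_FACING = {
    "httpd", "mod_ssl", "bind", "cyrus-imapd", "cyrus-sasl-plain",
    "openvpn", "openssh-server",
}

# Constructed sample in `rpm -q --changelog` format. Only the CVE-2007-3304
# reference comes from the post; every other line is made-up filler.
SAMPLE_CHANGELOGS = {
    "mod_ssl": (
        "* Mon Sep 03 2007 Example Maintainer <maint@example.invalid> - 2.0.52-32\n"
        "- add fix for CVE-2007-3304\n"
        "- fix typo in man page\n"
    ),
    "httpd": (
        "* Mon Sep 03 2007 Example Maintainer <maint@example.invalid> - 2.0.52-32\n"
        "- update default error page wording\n"
    ),
    "cyrus-sasl-plain": (
        "* Wed Aug 15 2007 Example Maintainer <maint@example.invalid> - 2.1.19-14\n"
        "- harden against a possible denial of service\n"
    ),
    "kernel": (
        "* Tue Aug 07 2007 Example Maintainer <maint@example.invalid> - 2.6.9-55.0.6\n"
        "- fix autofs expire hang\n"
        "- fix broken device driver\n"
    ),
}


def parse_changelog(text):
    """Split changelog text into entries: a '* <date> <author> - <ver>' header
    starts an entry, following '- ' lines are its items."""
    entries = []
    current = None
    for line in text.splitlines():
        if line.startswith("* "):
            current = {"header": line[2:].strip(), "items": []}
            entries.append(current)
        elif line.startswith("- ") and current is not None:
            current["items"].append(line[2:].strip())
    return entries


def classify(pkg, text, exposed=INTERNET_FACING):
    """Return CVEs, security hints and a verdict for one package's changelog.
    'apply now' = CVE fix in an Internet-facing package; 'review' = some
    security signal that needs a human look; 'defer' = nothing security-related."""
    entries = parse_changelog(text)
    items = [item for e in entries for item in e["items"]]
    cves = sorted({c for item in items for c in CVE_RE.findall(item)})
    hints = [item for item in items if HINT_RE.search(item)]
    is_exposed = pkg in exposed
    if cves and is_exposed:
        verdict = "apply now"
    elif cves or hints:
        verdict = "review"
    else:
        verdict = "defer"
    return {"cves": cves, "hints": hints, "exposed": is_exposed, "verdict": verdict}


def triage(changelogs, exposed=INTERNET_FACING):
    """Classify every package in a {name: changelog_text} mapping."""
    return {pkg: classify(pkg, text, exposed) for pkg, text in changelogs.items()}


def changelog_from_rpm(pkg):
    """Fetch the installed package's changelog from the RPM database
    (runs `rpm -q --changelog`; not used by the sample run below)."""
    return subprocess.run(["rpm", "-q", "--changelog", pkg],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for pkg, result in triage(SAMPLE_CHANGELOGS).items():
        print(f"{pkg:18} {result['verdict']:10} cves={result['cves']} "
              f"exposed={result['exposed']}")
```

Feed it real data by replacing the sample dictionary with `{pkg: changelog_from_rpm(pkg) for pkg in pending}` after `yum check-update` has told you which packages are pending; the heuristics deliberately err toward "review" rather than "defer" when the wording is ambiguous, since the point of the exercise is to know what changed before it changes.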
