Quote:
Originally posted by Phil21
We do...
Actually, any critical stuff that you use which is installed by default (apache, php, ssh, openssl, etc. etc.) will automatically get patched as soon as there is an upgrade available. This check is performed once every 8 hours or so.
For critical things like the latest apache remote exploit, we of course do pre-emptive testing of customer machines. If someone has an unmanaged box we no longer have access to, we e-mail them and offer to fix it if they like.
It's actually more tricky than it sounds. Many people, once they get a ded box, decide they don't want the apache install it comes with, or the php install, or whatever, and go compile/install their own. In these cases it's not something we can come around and fix instantly behind the scenes, because we need to consult w/ the customer first to figure out what, if any, modifications were made. If we didn't do the due diligence, we would break things, which is arguably worse than fixing it in the first place.
If we fully manage a box though, it's cake. Usually all machines on our network are patched within hours of an exploit being announced.
-Phil
Erm, latest Apache exploit? The only major "exploit" for Apache recently was for <=2.0.45 which was just a DoS and you needed DAV or mod_proxy enabled which isn't by default.
Other than that, the only one previous to that was the chunk-encoding overflow which only really affected BSD (I've never seen a POC on Linux, don't think that was possible).
Re kernel patches, you should upgrade your kernel every time a new kernel is released. Upgrading 3-4 years apart is stupid and insecure.
People have these blind ideas that security is defined by the number of patches you've grabbed lately. While this helps, it cannot in any way guarantee your security. For starters, there are a very reasonable number of exploits floating around out there that are totally private. Apart from this, any competent hacker will be able to develop his own methods of breaking the box.
Unless you have a competent system administrator and audit all your web applications and the like, hacking by misconfiguration is rather trivial. There is rarely a case where a box not administrated by a certified sysadmin, which is in constant use, is not breakable via misconfiguration.