Upgrading the kernel every time a new release comes around IMO is stupid and unnecessary.
Unless there are documented (even in theory) problems with kernel code, it's nigh on insanely improbable that there is a remote attack available. (If you have local users you don't trust, or give out FTP accounts, etc. - anything that users have system level access to, I would be more paranoid here).
Upgrading like that will over time cause you more problems than it fixes. Our policy is to wait 3-5 weeks after a kernel is released, and note any new bugs that surface that may impact us. We also note any improvements made to the kernel, and upgrade as we see fit there.
That said, we usually are running the latest kernel on most machines 2-3 months after release. We usually schedule kernel upgrades w/ other maintenance windows, and systems get rebooted when otherwise unavailable anyway.
And yes, I would fully agree that misconfiguration/inexperience is by far and away the #1 reason systems are penetrable. By default our dedicated machines come with only apache, ftpd, and sshd installed as services, so a customer would have to actively do something to change that. No matter what we do though, we can't protect people from themselves. No matter how many times we explain permissions, or why folks should learn unix security basics before opening that file provided in user input with PHP, people still insist on "knowing better".
-Phil