Les wrote:
On Tue, 2007-11-27 at 16:46 +0900, John Summerfield wrote:
Ed Greshko wrote:
Mail List wrote:
SNIP
Run half. You eliminate one half immediately.
Enable the okay part, and halve the other. Repeat until done.
This is why I do not do automatic updates, ever. I've been saying since
RHN was introduced, back around Valhalla's time, it was a bad idea.
Automatic downloading is good. I like to see what changes, and what's
proposed to change. Even security fixes aren't necessarily urgent.
I think that today the issues surrounding security might make them more
urgent than in times past.
Things like worms and DNS attacks make vulnerable systems a liability to
everyone on the network, excluding only those folks where a firewall
might mitigate such attacks, assuming that the firewall is set up to
properly eliminate such hacks. Otherwise the common user should
probably rely upon security updates daily, to protect not only
themselves, but everyone else as well.
Worms only affect those with Internet-facing servers. I've not heard of
any DNS attacks for some time, but AFAIK the only DNS server I run that
could be affected is also Internet-facing. Others could conceivably be
corrupted by other DNS servers, but they only refer to official servers
or those of my IAP.
In my case at herakles.homelinux.org, I run CentOS4, with Apache, smtp,
imap, openvpn and ssh open to the world. I regularly update my
firewall to block ssh and smtp from locations that offend me, and
typically block the entire network block (saves time sanitizing China)
as revealed by whois. ssh is further constrained to a low connexion rate.
That is to say, I only have a few services that could be cracked by the
ungodly. If they get into one of those, they next have to contend with
selinux.
They need root access if they want to install their own servers: not
because it's difficult to _install_ the software, but because they need
to turn off the firewall to send packets on unexpected ports, since the
firewall limits traffic in all directions.
I'm sure my system's not entirely impenetrable, but for sure it's
difficult, and not worth the trouble just to extend a botnet.
An additional point is that, on systems I control, the list of users is
limited to Mr & Mrs S, and the latter finds email and web browsing a
challenge, and google is beyond human comprehension.
I'm probably at about one extreme of the range of home users. The other
is the person who plugs in (say) an ADSL router following instructions
and runs no services. They aren't in urgent need of security fixes
either.
It seems to me the greatest danger to Linux systems belonging to most
people here is the updates we receive, and that's particularly true for
consumer-grade Linux - Fedora, Ubuntu (long life maybe excepted), OpenSUSE.
The best countermeasure I know is to review the list of fixes before
applying them. If something breaks, at least I know what has changed.
Looking at installed packages on my server (which does have a desktop),
I see updates to kernels (twice), httpd, perl, bind, mod-ssl and
cyrus-sasl-plain that _might_ be prone to attack from the Internet
since the end of July, when there was a great mass of changes - probably
the latest dot-release.
kernel - changes were for broken device drivers, irrelevant to me, and
to autofs which is not internet-facing.
perl - changelog entries insufficient
cyrus-sasl-plain - hard to say, may have been vuln to DoS
httpd - cosmetic
mod-ssl cosmetic + CVE-2007-3304.
bind* - cryptography problem, not relevant to me
So in the past few months there have been no essential updates to my
server. Why should I take a risk on any of them by allowing them on
automatically?
Oh, I have another Internet-facing server. You cannot send email to
herakles.homelinux.org unless you are at one of the few locations where
my firewall directs traffic to the server that handles that traffic.
My other Linux systems are well-protected behind my firewall and in no
urgent need of any updates.
This crashing at 4:00 am may well be the result of an update,
thoughtlessly applied.
--
Cheers
John
-- spambait
1aaaaaaa@xxxxxxxxxxxxxxxx Z1aaaaaaa@xxxxxxxxxxxxxxxx
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375
You cannot reply off-list:-)
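The firewall policy John describes above (services open to the world, ssh and smtp dropped from offending network blocks found via whois, ssh held to a low connection rate, and outbound traffic limited so a cracked daemon cannot open arbitrary ports without root) as an added example. This is not John's actual ruleset or anything from the original post; the network blocks and port lists are constructed sample values, and it uses only standard iptables matches (state, multiport, recent, limit). By default it prints the commands as a dry run; APPLY=1 executes them, which needs root.

```shell
#!/bin/sh
# Added example, not from the original post: generate the iptables rules for
# the policy described in the mail. Dry run by default (prints the commands);
# APPLY=1 runs them as root.

# Constructed sample values. The real blocks come from whois on the offenders.
BLOCKED_NETS="192.0.2.0/24 198.51.100.0/24"   # RFC 5737 documentation ranges
INBOUND_TCP="22 25 80 143 443 993"            # ssh smtp http imap https imaps
INBOUND_UDP="1194"                            # openvpn
OUTBOUND_TCP="25 53 80 443"                   # mail relay, dns, web (updates)
OUTBOUND_UDP="53 123"                         # dns, ntp
SSH_WINDOW=60    # seconds
SSH_MAXNEW=3     # new ssh connections per source allowed within the window

run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

gen_rules() {
  run iptables -F
  run iptables -P INPUT DROP
  run iptables -P FORWARD DROP
  run iptables -P OUTPUT DROP
  run iptables -A INPUT -i lo -j ACCEPT
  run iptables -A OUTPUT -o lo -j ACCEPT
  run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  run iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Blocklist first, so a listed network never reaches the service rules.
  for net in $BLOCKED_NETS; do
    run iptables -A INPUT -s "$net" -p tcp -m multiport --dports 22,25 -j DROP
  done

  # ssh rate limit with the "recent" match: record every new connection per
  # source address, then drop the (SSH_MAXNEW+1)th seen within SSH_WINDOW s.
  run iptables -A INPUT -p tcp --dport 22 -m state --state NEW \
      -m recent --name ssh --set
  run iptables -A INPUT -p tcp --dport 22 -m state --state NEW \
      -m recent --name ssh --update --seconds "$SSH_WINDOW" \
      --hitcount "$((SSH_MAXNEW + 1))" -j DROP

  for p in $INBOUND_TCP; do
    run iptables -A INPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT
  done
  for p in $INBOUND_UDP; do
    run iptables -A INPUT -p udp --dport "$p" -j ACCEPT
  done

  # Outbound: only what the host legitimately initiates. A compromised daemon
  # running as its service user cannot change this without root.
  for p in $OUTBOUND_TCP; do
    run iptables -A OUTPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT
  done
  for p in $OUTBOUND_UDP; do
    run iptables -A OUTPUT -p udp --dport "$p" -j ACCEPT
  done
  run iptables -A OUTPUT -p icmp -j ACCEPT
  run iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
}

gen_rules
```

Rule order is the point to check: the blocklist and the recent-match DROP must precede the port 22 ACCEPT, and the OUTPUT policy must be DROP, otherwise the "need root to open a new port" property the post relies on does not hold. The recent match keeps its state in /proc/net/xt_recent (ipt_recent on older kernels), which is handy for seeing who is being throttled.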
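The update-review habit in the post (download automatically, read what each package's changelog says changed, note any CVE it mentions, then decide per package) as an added example; not John's own script or anything from the original post. It assumes yum has left the downloaded packages under /var/cache/yum/*/packages (the layout of yum of that period; set YUM_CACHE if yours differs) and that rpm is present. The only CVE id used in the constructed sample changelog is the one the post itself cites; matching the installed version-release against changelog headers is a heuristic that relies on the usual "* date author - version-release" header format.

```shell
#!/bin/sh
# Added example, not from the original post: list the changelog entries of
# downloaded-but-not-installed updates that are newer than what is installed,
# and pull out the CVE ids they reference, so each update can be judged before
# it is applied. Assumes yum's cache layout of the time (adjust YUM_CACHE).

YUM_CACHE=${YUM_CACHE:-/var/cache/yum}

# Read changelog text on stdin, print each distinct CVE id once, sorted.
cve_ids() {
  grep -o 'CVE-[0-9]\{4\}-[0-9]\{4,\}' | sort -u
}

# Print the changelog entries on stdin that precede the header line carrying
# the given version-release, i.e. the entries newer than the installed build.
# Heuristic: rpm changelog headers look like "* Mon Jul 30 2007 Name <mail> - V-R".
entries_newer_than() {
  awk -v vr="$1" '/^\*/ && index($0, vr) { exit } { print }'
}

# Walk the cached packages and report what each one would bring in.
review_pending() {
  for pkg in "$YUM_CACHE"/*/packages/*.rpm; do
    [ -f "$pkg" ] || continue
    name=$(rpm -qp --qf '%{NAME}' "$pkg")
    # version-release currently installed; empty if the package is new here
    vr=$(rpm -q --qf '%{VERSION}-%{RELEASE}' "$name" 2>/dev/null) || vr=''
    echo "== $(basename "$pkg") (installed: ${vr:-none})"
    if [ -n "$vr" ]; then
      new=$(rpm -qp --changelog "$pkg" | entries_newer_than "$vr")
    else
      new=$(rpm -qp --changelog "$pkg")
    fi
    printf '%s\n' "$new"
    cves=$(printf '%s\n' "$new" | cve_ids)
    echo "-- CVEs referenced: ${cves:-none}"
  done
}

# Constructed sample changelog in rpm's format, for a dry run without rpm.
# The CVE id is the one mentioned in the mail; the dates and author are made up.
SAMPLE_CHANGELOG='* Mon Sep 03 2007 Example Maintainer <maint@example.com> - 2.0.52-38
- resolve CVE-2007-3304 (mod_ssl)
- mention CVE-2007-3304 again in the summary line
* Mon Jul 30 2007 Example Maintainer <maint@example.com> - 2.0.52-32
- rebuild for the 4.5 update
* Fri Apr 13 2007 Example Maintainer <maint@example.com> - 2.0.52-28
- cosmetic changes
'

if [ "${1:-}" = "--pending" ]; then
  review_pending
else
  echo "Dry run on the constructed sample (entries newer than 2.0.52-32):"
  printf '%s' "$SAMPLE_CHANGELOG" | entries_newer_than 2.0.52-32
  echo "CVEs referenced:"
  printf '%s' "$SAMPLE_CHANGELOG" | cve_ids
fi
```

Run it with --pending on a box where yum has downloaded but not applied updates; without arguments it only processes the embedded sample. A package whose new entries mention no CVE and read as "cosmetic" is the case the post argues can wait; one that names a CVE in an Internet-facing service is the one to apply first.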