[PLUG] Joe Jobbed

Ed Sawicki ed at alcpress.com
Sun Oct 7 09:17:23 UTC 2007


Ronald Chmara wrote:
> On Oct 5, 2007, at 9:29 AM, alan wrote:
>> On Fri, 5 Oct 2007, Rich Shepard wrote:
>>> On Fri, 5 Oct 2007, Michael Rasmussen wrote:
>>>> "The vast majority of the threats we saw were rootkitted Linux boxes,
>>>> which was rather startling. We expected Microsoft boxes," he said.
>>>   Unpatched boxes ... for whatever reason? No firewalls or IP table rules?
>>> Other reasons?
>> Hosting sites that do not install Yum.  (I know of at least one.)
>> I blame Plesk.
> 
> I don't.
> 
> I blame lazy distros, who don't keep on top of security (Cent,  
> Debian, Ubuntu, RHEL... the whole lot of 'em are to blame).
> I blame lazy admins, who think that uptime is more important than  
> security upgrades (if you are running a machine a year old, maybe you  
> *deserve* to be rootkit'ed).
> I blame users (and admins) who don't understand that a disturbingly  
> large number of "web applications" are complete and total rubbish  
> (Joomla, WordPress, phpBB, phpNuke, Plesk, phpMyAdmin, cPanel... the  
> list is insane) when it comes to security.

I agree with this.

> So, here's a quick survey:
> Who has a web server that was running PHP 5.2.4, openSSL 0.9.8d,  
> Apache 2.2.6, and a 2.6.22.9 kernel *before* I sent this message?
> (I expect crickets, but will buy a beer (or quite a few) for anybody  
> who is keeping *actually* current, rather than "distro-current"....  
> Python- and Perl-centric servers can apply, but only if they are  
> running the latest security-fix sources as well.)

What about those of us that don't use PHP for our Web apps because
of its abysmal security track record? Do we get a beer?

What about those of us who keep on top of the bugs fixed in
the kernel and only upgrade when we're affected?

I don't use Apache for serving all my Web content. My Web proxy
directs requests to the Web server whose features best match
the content. Absolutely static content is served by publicfile.
thttpd serves content that requires includes. Apache is used
for everything else but this is a small percentage of the total
number of Web pages. A Web site might be served by 3 web servers.
Certainly this is worth a beer.


> If not, *why* not, because those *are* the latest security patches  
> for those very simple, *core*, pieces of most linux web servers?

Most people on this list use distributions. They expect that the
distributor will keep all the software current. If they try to
keep their systems more current than the distribution they can
mess things up unless they know what they're doing. I think it's
unrealistic to expect them to take on this task, especially when
they're running sites where a rare break-in is not going to
bankrupt a business or leak national secrets.

Ed



