
Linux, Unix, and *nix like Operating Systems Forum

    
Staying on top of security
digitsix




msg:4254488
 2:23 am on Jan 18, 2011 (gmt 0)

A server of mine recently got hacked through a vulnerability that came out for proftpd, which in turn got our server blacklisted on certain big mailing domains. This has been a painful learning process, but now that it's mostly wrapped up I'm left with the task of knowing about the vulnerabilities as they come out so that I can patch them before I get hacked.

Does anyone out there know the best way to stay on top of 0-day exploits that come out ONLY for the services you are running?

I thought maybe securityfocus.org would have some sort of mailing list or RSS feed at the very least but I did not see anything like that on their site.

I really do not want to sign up to the mailing lists for all the different services I run because I really don't care about 99% of the stuff that goes out on those lists.

I just want a simple way to keep on top of security issues that arise for my services (apache, proftpd, qmail, vpopmail, courier imap, assp, php, mysql, FreeBSD system).

Any ideas?

 

wheel




msg:4254594
 12:47 pm on Jan 18, 2011 (gmt 0)

Don't most Linux distros now have an auto-update system? I don't bother with notifications, I simply have my server check that all its services are up to date every day, and install any updates.

digitsix




msg:4254773
 7:25 pm on Jan 18, 2011 (gmt 0)

0.o

That sounds crazy because of dependencies... Maybe FreeBSD is different as far as that goes, but Idk how I feel about daily auto-updates of services.

wheel




msg:4254803
 8:12 pm on Jan 18, 2011 (gmt 0)

There are ways you can roll back the updates if they're a problem.

lammert




msg:4255939
 9:48 pm on Jan 20, 2011 (gmt 0)

FreeBSD is different from Linux. It is not distributed in pre-compiled packages, but in full source. Updates have to be compiled. This has the advantage that you always have binaries which are optimally compiled for your working environment, but auto updating is problematic.

wheel




msg:4255957
 10:42 pm on Jan 20, 2011 (gmt 0)

Well that sounds quaint.

Kudos to the hardcore, but I'm looking to get the job done. All these GUIs and auto-updates let me work like a Windows user. Mostly it works and I don't have to think.

wheel




msg:4256011
 2:34 am on Jan 21, 2011 (gmt 0)

And I forgot to add :).

quesera




msg:4264615
 1:44 pm on Feb 9, 2011 (gmt 0)

wheel wrote:

Kudos to the hardcore, but I'm looking to get the job done. All these GUIs and auto-updates let me work like a Windows user. Mostly it works and I don't have to think.

This is actually sort of true in the Linux world now...CentOS and RHEL do a pretty good job of making sure that your auto-update process won't break things. They're usually many versions behind "latest" for any given software pkg, and they're not super speedy about getting security patches in...but they usually don't break your server.


digitsix asked:

I just want a simple way to keep on top of security issues that arise for my services (apache, proftpd, qmail, vpopmail, courier imap, assp, php, mysql, FreeBSD system).

You'll never stay on top of 0-day vulnerabilities, by definition. But unless you're a bank or other high-value target, you won't get hit by 0-day exploits either. So what you really want to do is stay on top of security patches for the packages you use.

Some of the communities you list maintain security-only mailing lists and/or RSS feeds. That might be step 1.

More generally, you might be able to find a service (sourceforge?) that will notify you when a new version of a cared-about software package is released. You might have to check the release notes for security-related bugfixes and decide whether to update on a case-by-case basis. But it's a start.

If you're on FreeBSD, there are positives and negatives. Positive: you can update your ports tree via script to see if any packages you care about have rev'ed. Negative: ports sometimes lag official releases by a few days... but for big important stuff like you listed, you'll probably have good luck.
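An added example, not part of the post above or of any project mentioned in the thread: one way to reduce a package vulnerability report to the services listed in the question. It assumes a report in the style printed by FreeBSD's `pkg audit -F`, where each finding begins with `<name>-<version> is vulnerable:`; the names `filter_audit`, `sample_report` and `WATCHLIST` are hypothetical and the sample report is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): keep only the audit findings that
# concern the services named in the question.
# Assumption: each finding starts "<name>-<version> is vulnerable:" and its
# detail lines run until the next blank line.

WATCHLIST="apache proftpd qmail vpopmail courier-imap assp php mysql"

# Reads a report on stdin; prints findings whose package name begins with a
# watchlist entry ("php" also matches "php5"), erring toward over-notifying.
filter_audit() {
    awk -v watch="$WATCHLIST" '
        BEGIN { n = split(watch, w, " ") }
        / is vulnerable:$/ {
            keep = 0
            for (i = 1; i <= n; i++)
                if (index($1, w[i]) == 1) keep = 1
        }
        /^[ \t]*$/ { keep = 0; next }   # blank line ends the current finding
        keep { print }
    '
}

# Constructed sample report (package versions and URLs are placeholders).
sample_report() {
    cat <<'EOF'
proftpd-0.0.1 is vulnerable:
  proftpd -- constructed sample entry
  WWW: https://example.invalid/advisory-1

libxml2-0.0.1 is vulnerable:
  libxml2 -- constructed sample entry
  WWW: https://example.invalid/advisory-2

php5-0.0.1 is vulnerable:
  php -- constructed sample entry
  WWW: https://example.invalid/advisory-3

3 problem(s) in 3 installed package(s) found.
EOF
}

# Demo on the sample; on a real host, feed it the audit tool's output, e.g.
#   pkg audit -F | filter_audit
sample_report | filter_audit
```

Run from a daily cron job, the filtered output can be mailed only when it is non-empty, which gives per-service notification without subscribing to every project's list.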

graeme_p




msg:4267165
 4:28 am on Feb 15, 2011 (gmt 0)

That sounds crazy because of dependencies... Maybe FreeBSD is different as far as that goes, but Idk how I feel about daily auto-updates of services.


Linux package managers, which handle installs and updates, take care of dependencies fairly well. It has been years since an update broke any system of mine, and that was an Ubuntu desktop - a Debian or RHEL server should be a lot more robust.
