Staying on top of security

     
2:23 am on Jan 18, 2011 (gmt 0)

Junior Member

10+ Year Member

joined:July 28, 2003
posts:65
votes: 0


A server of mine recently got hacked through a vulnerability that came out for proftpd, which in turn got our server blacklisted on certain big mailing domains. This has been a painful learning process, but now that it's mostly wrapped up I'm left with the task of knowing about the vulnerabilities as they come out so that I can patch them before I get hacked.

Does anyone out there know the best way to stay on top of 0-day exploits that come out ONLY for the services you are running?

I thought maybe securityfocus.org would have some sort of mailing list or RSS feed at the very least but I did not see anything like that on their site.

I really do not want to sign up to the mailing lists for all the different services I run because I really don't care about 99% of the stuff that goes out on those lists.

I just want a simple way to keep on top of security issues that arise for my services (apache, proftpd, qmail, vpopmail, courier imap, assp, php, mysql, FreeBSD system).

Any ideas?
12:47 pm on Jan 18, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member wheel is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Feb 11, 2003
posts:5067
votes: 11


Don't most Linux distros now have an auto-update system? I don't bother with notifications, I simply have my server check that all its services are up to date every day, and install any updates.
7:25 pm on Jan 18, 2011 (gmt 0)

Junior Member

10+ Year Member

joined:July 28, 2003
posts:65
votes: 0


0.o

That sounds crazy because of dependencies... Maybe FreeBSD is different as far as that goes, but Idk how I feel about daily auto-updates of services.
8:12 pm on Jan 18, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member wheel is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Feb 11, 2003
posts:5067
votes: 11


There are ways you can roll back the updates if they're a problem.
9:48 pm on Jan 20, 2011 (gmt 0)

Senior Member from KZ 

WebmasterWorld Senior Member lammert is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 10, 2005
posts: 2889
votes: 5


FreeBSD is different from Linux. It is not distributed in pre-compiled packages, but in full source. Updates have to be compiled. This has the advantage that you always have binaries which are optimally compiled for your working environment, but auto updating is problematic.
10:42 pm on Jan 20, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member wheel is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Feb 11, 2003
posts:5067
votes: 11


Well that sounds quaint.

Kudos to the hardcore, but I'm looking to get the job done. All these GUIs and auto-updates let me work like a Windows user. Mostly it works and I don't have to think.
2:34 am on Jan 21, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member wheel is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Feb 11, 2003
posts:5067
votes: 11


And I forgot to add :).
1:44 pm on Feb 9, 2011 (gmt 0)

New User

10+ Year Member

joined:Aug 31, 2004
posts:26
votes: 0


wheel wrote:

Kudos to the hardcore, but I'm looking to get the job done. All these GUIs and auto-updates let me work like a Windows user. Mostly it works and I don't have to think.

This is actually sort of true in the Linux world now...CentOS and RHEL do a pretty good job of making sure that your auto-update process won't break things. They're usually many versions behind "latest" for any given software pkg, and they're not super speedy about getting security patches in...but they usually don't break your server.


digitsix asked:

I just want a simple way to keep on top of security issues that arise for my services (apache, proftpd, qmail, vpopmail, courier imap, assp, php, mysql, FreeBSD system).

You'll never stay on top of 0-day vulnerabilities, by definition. But unless you're a bank or other high-value target, you won't get hit by 0-day exploits either. So what you really want to do is stay on top of security patches for the packages you use.

Some of the communities you list maintain security-only mailing lists and/or RSS feeds. That might be step 1.

More generally, you might be able to find a service (sourceforge?) that will notify you when a new version of a cared-about software package is released. You might have to check the release notes for security-related bugfixes and decide whether to update on a case-by-case basis. But it's a start.

If you're on FreeBSD, there are positives and negatives. Positive: you can update your ports tree via script to see if any packages you care about have rev'ed. Negative: ports sometimes lag official releases by a few days... but for big important stuff like you listed, you'll probably have good luck.
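
As an added example (not part of the original post): one way to follow security-only RSS feeds without reading everything is to filter each feed against a watchlist of the services you actually run. The feed content, the `advisories.example` URLs and the function names below are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Services taken from the original question; edit to match what the host runs.
WATCHLIST = ["apache", "proftpd", "qmail", "vpopmail", "courier", "assp",
             "php", "mysql", "freebsd"]

# Constructed sample RSS 2.0 feed (placeholder entries, not real advisories).
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Constructed advisory feed</title>
<item><title>EXAMPLE-0001: proftpd security release</title>
<link>https://advisories.example/0001</link>
<description>Fixes a remotely exploitable flaw in the FTP daemon.</description></item>
<item><title>EXAMPLE-0002: phpMyAdmin update</title>
<link>https://advisories.example/0002</link>
<description>Cross-site scripting fix.</description></item>
<item><title>EXAMPLE-0003: PHP and MySQL point releases</title>
<link>https://advisories.example/0003</link>
<description>Both releases include security fixes.</description></item>
<item><title>EXAMPLE-0004: nginx maintenance release</title>
<link>https://advisories.example/0004</link>
<description>Bug fixes only.</description></item>
<item><title>EXAMPLE-0005: Apache httpd advisory</title>
<link>https://advisories.example/0005</link>
<description>Denial of service in an optional module.</description></item>
</channel></rss>"""

def build_matcher(names):
    """Match watched names as whole tokens, so 'php' does not hit 'phpMyAdmin'."""
    alternation = "|".join(re.escape(n) for n in sorted(names, key=len, reverse=True))
    return re.compile(r"(?<![a-z0-9])(" + alternation + r")(?![a-z0-9])", re.IGNORECASE)

def relevant_items(feed_xml, names=WATCHLIST):
    """Return feed items whose title or description names a watched service."""
    matcher = build_matcher(names)
    hits = []
    # For feeds fetched over the network, use a hardened XML parser (e.g. defusedxml).
    for item in ET.fromstring(feed_xml).iter("item"):
        title = item.findtext("title", default="")
        text = title + " " + item.findtext("description", default="")
        matched = sorted({m.group(1).lower() for m in matcher.finditer(text)})
        if matched:
            hits.append({"title": title, "services": matched,
                         "link": item.findtext("link", default="")})
    return hits

if __name__ == "__main__":
    for hit in relevant_items(SAMPLE_FEED):
        print(", ".join(hit["services"]), "|", hit["title"], "|", hit["link"])
```

Run daily from cron against each project's security feed and mail yourself the non-empty output; an empty result means nothing on the watchlist was mentioned.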
4:28 am on Feb 15, 2011 (gmt 0)

Senior Member from LK 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Nov 16, 2005
posts:2485
votes: 30


That sounds crazy because of dependencies... Maybe FreeBSD is different as far as that goes, but Idk how I feel about daily auto-updates of services.


Linux package managers, which handle installs and updates, take care of dependencies fairly well. It has been years since an update broke any system of mine, and that was an Ubuntu desktop - a Debian or RHEL server should be a lot more robust.