Re: Patch your damn computers already!!!

From: Bill Vermillion (bv_at_wjv.com)
Date: 11/06/05


Date: Sun, 06 Nov 2005 03:25:01 GMT

In article <u64r6q60e.fsf_-_@irtnog.org>,
Matthew X. Economou <xenophon+usenet@irtnog.org> wrote:
>(I feel the need to rant. The person who posted the article to which
>I replied is merely an innocent bystander, so I trimmed the
>attribution so they don't think I'm picking on them.)
>
><soapbox>
>
> > You set it up, and it just runs and runs and runs. One of my
> > machines, I put in a rack in 2001, and since then, it's only
> > been rebooted once every time after a new 4-STABLE
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > release was cut. I update the ports on it about once
> > every four to six months and otherwise just leave it be.
> ^^^^^^^^^^^^^^^^^^^^^^^^

>Speaking as an infosec guy, every time I hear some Unix admin bragging
>about uptime, I cringe. Depending on your assessment of the risks,
>you should check for security-related updates daily and you should
>apply those patches on at least a quarterly basis, if not more
>frequently. Incremental security updates come out a lot more
>frequently than once per every stable release, and EVERY OPERATING
>SYSTEM and EVERY SOFTWARE PACKAGE, even my personal favorites, have
>critical security-related flaws that should be patched as soon as
>humanly possible. And with freebsd-update and portaudit emailing you
>nightly about known vulnerabilities (you DO have freebsd-update and
>portaudit installed, don't you?), there really isn't any excuse to act
>differently.

And I have machines I've kept up for a long time. And I also get
the security reports. Most, if not the majority, of the security
problems only require rebuilding a specific application or part of
the OS. Very few have required making a new kernel - and thus
having to reboot the system. I have always had the critical
patches for my servers fixed in about 12 hours after release.

But very few of the patches - except the ones for the fixes in lib
- required a kernel rebuild and reboot.

>(And unless you really know what the hell you are doing and can make
>absolutely certain that reloading a particular module or restarting a
>particular service really will remove any traces of the unpatched
>kernel/library code in memory, you should reboot when you patch.
>Period.)

It all depends upon what needed to be fixed. The security reports
are pretty thorough on what you do to fix the items.

>When your unpatched or otherwise unmaintained computers get hacked, it
>causes problems for the rest of us. Be a good network neighbor:
>Regardless of how leet you are or how totally awesome your choice of
>operating platform is, patch and reboot on a regular basis. Please!
>It's for the children! :)

I have had 1, that is ONE, hack into a machine of the ones in our
small ISP. I had missed one patch - back in the days when telnet
was used. I caught it the next morning as the daily security
reports showed a new program that was SUID - and it was
in the /dev directory.

Patch yes. Reboot is not necessary for all things. Uptime is
critical for the clients.

I've seen questions on the 'net about how to get rid of the daily
security reports and all the other things they think trivial that
are directed to 'root' on a daily basis. But I check those
every day. I subscribe to the security alerts.

Many problems are brought on by the admins who 1) don't understand
what they are doing or 2) perhaps don't think it is important.

And people have been hammering on our main site since it first came
up and totally overloaded the T1 from the ISP the owners were using
at that time. That was what prompted them to get their own
services, and they then wound up being an ISP. springbreak.com is also
one that is targeted to the groups that are most likely to want to
break in.

It's all in your approach, but I disagree with 'reboot often'.
When the machines are a minimum of 1/2 hour drive time at 2AM and
much longer during daylight hours, you reboot when you know you have
to, but not unnecessarily. And about the only time I had a
machine fail a remote reboot was that some idiot had been in the
rack, and had set something that was pressing on a key on the
keyboard, and the KVM was switched to that machine.

Needless to say they got read the riot act and were told that if
anything close to this happened again their biometric access
would be turned off.

Bill

-- 
Bill Vermillion - bv @ wjv . com
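Two of the checks argued over in this thread, written out as an added example (not code from Bill's or Matthew's posts, nor from FreeBSD's periodic scripts): a setuid baseline diff of the kind the daily security mail does, which is what surfaced the SUID file in /dev, and a scan for processes that still have a replaced shared library mapped, which is the thing to look at before deciding that restarting a service instead of rebooting is enough. The mapping format parsed is Linux /proc/PID/maps; the sample records, file names and paths are constructed for the demo and are not real data.

```shell
#!/bin/sh
# Added example, not code from the thread. Two checks that bear on the points
# argued above:
#   setuid_list / setuid_diff  - what a daily security mail does for setuid
#       files: keep a baseline and report additions (Bill's "new program
#       that was SUID ... in /dev").
#   stale_lib_procs            - which processes still have a replaced shared
#       library mapped, i.e. are still running the unpatched code Matthew
#       warns about. Input is Linux /proc/PID/maps format prefixed with the
#       PID; the kernel tags a replaced file's old mapping "(deleted)".
#       (On FreeBSD the raw data comes from procstat -v, in another layout.)
# All paths below are placeholders; the demo data is constructed, not real.

set -u
export LC_ALL=C     # deterministic sort/comm collation

# Print "mode owner path" for every setuid/setgid regular file under $1, sorted.
setuid_list() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; 2>/dev/null \
        | awk '{ print $1, $3, $NF }' | sort
}

# $1 = baseline list, $2 = current list (both as produced by setuid_list).
# Prints the entries that are new since the baseline; exit 1 if any, else 0.
setuid_diff() {
    new=$(comm -13 "$1" "$2")
    if [ -n "$new" ]; then
        printf 'NEW SETUID/SETGID FILES:\n%s\n' "$new"
        return 1
    fi
    return 0
}

# Read "PID <maps line>" records on stdin; print "pid library" for every
# shared object whose on-disk file was replaced while still mapped.
stale_lib_procs() {
    awk '$NF == "(deleted)" && $(NF-1) ~ /\.so/ { print $1, $(NF-1) }' | sort -u
}

# Live collection on a Linux host (reading other users' maps needs root).
live_maps() {
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        sed "s|^|$pid |" "$p/maps" 2>/dev/null
    done
}

demo() {
    d=$(mktemp -d)
    # Constructed baseline and "today" lists, in the form setuid_list emits.
    printf '%s\n' '-rwsr-xr-x root /usr/bin/passwd' '-rwsr-xr-x root /usr/bin/su' \
        | sort > "$d/base"
    printf '%s\n' '-rwsr-xr-x root /dev/.x' '-rwsr-xr-x root /usr/bin/passwd' \
                  '-rwsr-xr-x root /usr/bin/su' | sort > "$d/cur"
    setuid_diff "$d/base" "$d/cur" || echo "(exit $?: investigate before anything else)"
    # Constructed maps records: PID 1234 still maps the pre-patch libssl.
    printf '%s\n' \
      '1234 7f00-7f01 r-xp 00000000 fd:01 10 /lib/libssl.so.1 (deleted)' \
      '1234 7f02-7f03 r--p 00000000 fd:01 11 /lib/libc.so.6' \
      | stale_lib_procs
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh audit.sh demo` to see both checks on the constructed data. On a real host, point `setuid_list /` at a saved baseline for the first check, and feed `live_maps | stale_lib_procs` to the second; any PID it prints is a service that is still executing the old library, so restarting it (or rebooting) is not optional.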

