Re: [LUG] PHP, Perl, server securing, etc.

 

On 24/06/10 12:34, Simon Waters wrote:
> Aaron Trevena wrote:
>
>> a) Quite a few "windows" of vulnerability for IIS/SQL Server/ASP/etc
>> where servers or system software are shipped with unpatched
>> vulnerabilities and you needed to keep your server behind a firewall
>> blocking all services for hours or days until all the service packs
>> and patches have been applied (at some points in the last few years
>> tests have demonstrated a standard Windows Server install with no 3rd
>> party software being compromised within **minutes** of being plugged
>> into the internet)
>
> My boss recently demonstrated this with W2KSP4 CD.
>
> Installing Windows 2000 with a slipstream CD that included service pack
> 4 on a box exposed to the Internet (not clever, but he was just testing
> if someone else's virtual server supports relevant aspects of W2K for a
> legacy application) and by the time it loaded the latest Microsoft
> Malware removal tool it had already been infected with something nasty,
> so he had to redo it all after adding a virtual firewall to the virtual
> server. Hardly news but it does make the point.

In the late 90s we used to set up (Solaris) servers on a private,
physically separate network and transfer them to the public network
once all patches were installed and the system had been hardened.

From the point at which the server was booted on the public network on
a previously unused IP address from a new RIPE PI netblock assignment
you'd have lost your money if you'd bet on it being more than fifteen
minutes before the machine was first scanned for vulnerabilities.

James

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html