On Wed, Feb 08, 2006 at 10:20:43AM +0000, Jens Vagelpohl wrote:
> 
> On 8 Feb 2006, at 09:43, JP Carballo wrote:
> 
> >Alex Barnes wrote:
> >
> >>I think the "once it's working, leave it alone" advice is very sound
> >>indeed :)
> >>
> >>
> >A similar rule says "If it ain't broke, don't fix it."
> 
> Until you realize some script kiddie has exploited another Apache/
> mod_ssl bug and is now remote-controlling your box.
> 
> There are no hard and fast recipes here. Neither the "automatically
> apply any and all updates" nor the "build and never look at it again"-
> policies should be applied without taking the specific situation into
> account.
> 
> If your box is on the internet you simply cannot forego updates.
> Period. If your box is completely walled off from the internet you
> can be lax about it (unless you have to worry about attacks from the
> inside).

If the box does VoIP then it is on a network, and thus an exploitable
target. You should also make it not trivial for an attacker to gain root
even after some successful exploit, if possible.

> 
> The best policy is probably one that is halfway between the two.
> There are packages you only ever want to update "under parental
> supervision", like kernels. Then there are packages where you want to
> grab any update you can get ASAP, like Apache, or PHP, or SSH. Yum
> allows you to express this in its configuration, you can exclude
> packages from the automatic update.

But first and foremost, pick a distro that you can trust to provide
reliable updates that don't break. If you can't rely on the distro for
Apache, PHP, SSH and the kernel, you'll end up with a broken config. I
assume that this is not the only box you'll have to maintain, and that
you'll have better things to do than watching bugtraq all day long.

> 
> I personally run a nightly script that uses yum to determine if there
> are updates. I apply them by hand. However, this is only feasible
> because it runs on just two machines.

Not sure about other distros. On $MY_DISTRO there is a package to run
that automatically, which is kind of expected because enough people have
come to rely on the updates to apply them automatically.

The least you should do is to download all the updates automatically, to
make the time required for applying them minimal.

-- 
Tzafrir Cohen         | [EMAIL PROTECTED] | VIM is
http://tzafrir.org.il |                   | a Mutt's
[EMAIL PROTECTED]     |                   | best
ICQ# 16849755         |                   | friend
_______________________________________________
--Bandwidth and Colocation provided by Easynews.com --

Asterisk-Users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users
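As an added example, not code from the thread or from anyone quoted in it: a POSIX shell sketch of the "halfway" policy discussed above (hold kernels back for manual updates, fetch everything else nightly so applying it takes little time), driven by lines in the format `yum check-update` prints. The package names and versions in the test input are constructed; the `exclude=` line is real yum.conf syntax, while the `--downloadonly` step assumes a yum that has that option (a separate plugin on older releases).

```shell
#!/bin/sh
# Added example, not from the thread. Packages matching HOLD are only updated
# "under parental supervision"; everything else is fetched automatically.
#
# Matching yum.conf fragment (real yum syntax) so unattended runs never
# touch the held-back packages:
#   [main]
#   exclude=kernel*
HOLD='kernel*'      # space-separated shell globs of hand-updated packages

# classify_updates GLOBS
# Reads "name.arch version repo" lines (the table `yum check-update` prints)
# on stdin and writes "HOLD name" or "AUTO name" for each package.
classify_updates() {
    globs="$1"
    set -f                          # no pathname expansion of the globs below
    while read -r pkg ver repo; do
        [ -z "$pkg" ] && continue   # skip blank lines
        name=${pkg%.*}              # drop the trailing .arch
        verdict=AUTO
        for glob in $globs; do
            case "$name" in
                $glob) verdict=HOLD; break ;;
            esac
        done
        echo "$verdict $name"
    done
    set +f
}

# held_packages GLOBS: only the names that need a human, one per line.
held_packages() {
    classify_updates "$1" | sed -n 's/^HOLD //p'
}

# nightly_check: the cron job. `yum check-update` exits 100 when updates are
# pending, 0 when there are none, and something else on error.
nightly_check() {
    pending=$(yum -q check-update 2>/dev/null)
    rc=$?
    case $rc in
        0)   return 0 ;;
        100) ;;
        *)   echo "yum check-update failed (rc=$rc)" >&2; return 1 ;;
    esac
    echo "$pending" | classify_updates "$HOLD"
    # Download now so the manual apply step is short. yum honours the exclude=
    # line in yum.conf, so held packages are left alone. --downloadonly is
    # built into recent yum and a separate plugin (yum-downloadonly) on old ones.
    yum -y --downloadonly update >/dev/null 2>&1 || echo "download step failed" >&2
}

# Run the real check only when asked, e.g. from cron:
#   sh nightly-updates.sh --nightly
if [ "${1:-}" = "--nightly" ]; then
    nightly_check
fi
```

The `HOLD` list is the shell-side mirror of the `exclude=` line; keeping both in step is the point, since yum's exclude only protects the unattended `update` run, while the classification tells the human which of the pending packages still need them.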
