Advanced Linux Networking, Roderick Smith [Electronic resources] (text version)

Roderick W. Smith

Keeping the System Up to Date


Many compromised systems owe their inglorious compromised
status to lack of appropriate maintenance. A few minutes spent checking for and
installing software updates on a regular basis can save uncountable hours of
work later, because updated software frequently includes fixes for security
bugs. If you update buggy software quickly enough, would-be intruders will not
be able to exploit security vulnerabilities.

The Importance of Server Updates


Software bugs can take many forms and have many different
types of effects. Bugs can corrupt data, crash the affected program, or make
the program behave in some odd way. Some bugs are security-related. They may
allow a person to write arbitrary files in arbitrary locations (potentially
overwriting critical configuration files), or give the abuser the ability to
run programs under some other username. In sum, such bugs can compromise the
system, giving a normal user superuser privileges.

Servers, like any other program, can be buggy. Buggy servers
are particularly important because they're potentially more accessible than are
buggy local programs. If a non-network program (say, man) contains a security-related bug, only
local users can exploit the bug. Assuming your users are trustworthy, and
assuming a cracker hasn't gained local access to your system, such a bug won't
cause harm. (Of course, those assumptions aren't always valid, so fixing such
bugs is important.) Many servers, by contrast, are accessible to the world at
large. If a flaw in a Web server allows any user to take control of the
computer, then that Web server is vulnerable to attack from just about anybody.
Thus, security bugs in servers are particularly critical, and it's vital you
protect yourself against them.

The problem is exacerbated by the fact that many servers run
as root. If a program (server or
nonserver) that runs as an ordinary user is compromised, chances are little
damage can be done with it. For instance, such a program can't ordinarily
rewrite your /etc/passwd file.
If a program that runs as root
is compromised, though, the attacker has much greater power; if such a program
can be made to write arbitrary files, changing /etc/passwd
is very possible. Many servers need root
privileges to function correctly. For instance, root access is needed to provide login services, or even to
listen to the first 1024 ports, on which most servers run. (A super server runs
as root, but can spawn a server
that runs as another user, even when it serves a sub-1024 port.)

For all of these reasons, it's critical that you keep your
servers up to date. You don't necessarily need to perform every server update,
because many server updates exist to add features or fix nonsecurity bugs that
might not affect you. You should upgrade whenever an update emerges that fixes
a security bug, though.

How to Monitor for Updated Software


There are several ways to look for updated software packages:

Software package Web sites and mailing lists: Most software packages,
including most servers, have official Web
sites, mailing lists, and occasionally newsgroups or other communication
forums. You can monitor these resources on a regular basis to locate software
updates. This approach can be tedious, though; a Linux system may have a dozen
or more servers installed, and monitoring all the relevant forums can be
difficult at best. This approach is best reserved for unusual packages (those
that aren't part of your normal distribution's software mix) and perhaps for
very popular servers you might be running.

Your distribution's Web site: All distributions have Web pages that include
information on software updates. Distribution
maintainers do the work of monitoring various security resources, including the
Web pages for the individual server packages included in the distribution. This
provides you with a one-stop location for security and other update
information. The drawback is that it may take some time for a security fix to
filter down from its original source to your distribution's Web page. In a
best-case scenario, the delay might be just a few minutes, but it's more likely
to be a few hours or even days.

Generic security information sources: The upcoming section, "Keeping Abreast
of Security Developments,"
describes resources for information on security-related developments. These can
be extremely useful and important. They usually include information on
workarounds to problems, if they exist, so you may be able to take steps to
minimize the risk before an official fix is available. You'll have to go back
to the program maintainer or your distribution's updates page to obtain fixed
software, though.

In most cases, some combination of the last
two approaches is a good way to keep an eye on security developments. Reading
your servers' Web sites can also be important, particularly if you're using
unusual servers that aren't officially supported by your distribution. A quick
check of two or three Web pages or newsgroups once a day can save untold hours
of work recovering from a break-in. Even a once-a-week check is better than
nothing, and a periodic comparison of installed packages against the latest
versions available can help catch updates that might have slipped through the
cracks, as it were.

Automatic Software Update Procedures


Unfortunately, manually checking for software
updates can be tedious at best. For this reason, there are several tools
available to help automate the process. These include the following:

apt-get: This program is a standard part of the Debian distribution and its
derivatives. It's used for installing software, and it can also check for
updates to already installed packages. Specifically, typing apt-get update
followed by apt-get dist-upgrade will retrieve updated package
information and then upgrade any packages that have newer versions. Replace the
second command with apt-get -s -u upgrade to receive a report on new
packages without actually installing them. Using apt-get in this way will
only work, however, if you list at least one Debian package distribution site
in the /etc/apt/sources.list file. There are also ports of apt-get (part of the
larger apt package) for RPM-based systems, such as the one created by
Conectiva (http://distro.conectiva.com/projetos/42) and apt4rpm (http://apt4rpm.sourceforge.net).

Red Hat's Update Agent: Red Hat uses a package it calls the
Update Agent to help keep systems up to date. This package requires you to
register with Red Hat, and the program sends information on your computer's
hardware and software to Red Hat. It can then keep your system updated.
Configuration and use of the program is moderately complex, so you should
consult its documentation at http://www.redhat.com/docs/manuals/RHNetwork/ref-guide/ for more information.

Automatic security updates are desirable in
many ways, because they can help protect you against security breaches. They
aren't without their drawbacks, though. By giving an automatic process control
of your computer, you're entrusting it with a huge responsibility. Automatic
updates can and do fail in various ways. For instance, an updated package might
include a new bug or an incompatibility with another important package
(especially if you've mixed packages from your distribution with others you
build yourself or install from tarballs). It's also conceivable that a cracker
could break into the automatic update site or a DNS server in order to deliver
modified packages. Because Debian packages sometimes include installation
scripts that require human interaction, you shouldn't run apt-get in a
cron job or other automated procedure; you should run it manually, even if you
plan to do so on a regular basis. (Using apt-get -s -u upgrade in a cron job should be safe, though.) These tools don't always differentiate
between security updates and others that are less critical, but which might
cause problems for your system.
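
As an added illustration (not code from the book), the report-only apt-get -s -u upgrade run described above can be post-processed in a cron job so that upgrades coming from the security archive stand out from the rest. The sample output is constructed, the function names are illustrative, and matching "security" in the archive label is an assumed heuristic based on how Debian and Ubuntu name their security archives.

```shell
#!/bin/sh
# Added example: classify pending upgrades from `apt-get -s -u upgrade` output.
# Function names are illustrative. A simulated upgrade line looks like:
#   Inst <pkg> [<installed>] (<candidate> <Origin>:<release>/<suite> [<arch>])

# Constructed sample output (not captured from a real host).
SAMPLE='Reading package lists...
The following packages will be upgraded:
  libssl1.1 openssh-server tzdata
Inst libssl1.1 [1.1.1n-0+deb10u3] (1.1.1n-0+deb10u6 Debian-Security:10/oldstable [amd64])
Inst openssh-server [1:7.9p1-10+deb10u2] (1:7.9p1-10+deb10u4 Debian-Security:10/oldstable [amd64])
Inst tzdata [2021a-0+deb10u12] (2024a-0+deb10u1 Debian:10.13/oldstable [all])
Conf libssl1.1 (1.1.1n-0+deb10u6 Debian-Security:10/oldstable [amd64])'

# Print "pkg installed candidate class" for every upgrade on stdin.
# Heuristic (assumption): the security archive carries "security" in its
# origin or suite label; the package name itself is deliberately ignored.
pending_upgrades() {
    awk '$1 == "Inst" && $3 ~ /^\[/ {
        inst = $3; sub(/^\[/, "", inst); sub(/\]$/, "", inst)
        cand = $4; sub(/^\(/, "", cand)
        class = "other"
        for (i = 5; i <= NF; i++)
            if (tolower($i) ~ /security/) class = "security"
        print $2, inst, cand, class
    }'
}

# Count upgrades of one class ("security" or "other") on stdin.
count_class() {
    pending_upgrades | awk -v c="$1" '$4 == c { n++ } END { print n + 0 }'
}

# Space-separated names of packages with a pending security upgrade.
security_packages() {
    pending_upgrades | awk '$4 == "security" { print $1 }' | tr '\n' ' ' | sed 's/ $//'
}

# Summary line plus the full table; cron mails whatever is printed.
report() {
    sim=$(cat)
    printf 'security: %s  other: %s\n' \
        "$(printf '%s\n' "$sim" | count_class security)" \
        "$(printf '%s\n' "$sim" | count_class other)"
    printf '%s\n' "$sim" | pending_upgrades
}

# Live use from cron: apt-get -s -u upgrade | sh pending.sh --stdin
if [ "${1:-}" = "--stdin" ]; then report; else printf '%s\n' "$SAMPLE" | report; fi
```

The simulation compares installed packages only against the package information last retrieved, so apt-get update has to have run recently for the report to be current.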

On the whole, automated software updates can be quick and
convenient, but I recommend using them only in a strictly supervised manner.
Ideally, you should be able to authorize individual upgrades so as to head off
problems due to an overzealous update agent. This is an area of active
development, so it's likely that these tools will become more sophisticated and
helpful in the future.


