September 22, 2004

Survivability of RHEL3

Liudvikas had an interesting post pointing to an entry on a Red Hat blog in which Mark Cox points to some compelling evidence that...

"... a full install of a Red Hat Enterprise Linux 3 box that was connected to the internet in November 2003 even without the firewall and without receiving updates would still remain uncompromised (and still running) to this day."
Of course 80% of all stats are made up, and this is coming from Red Hat... but he brings up some interesting conclusions. I haven't confirmed his findings against reports on Bugtraq to see if RHEL3 has any other vulnerabilities to report... but this seems pretty much right if I recall.

When SANS did its last Survivability Report for Windows, the findings showed that it would take only 20 minutes on average for a machine to be compromised remotely, less than the time it would take to download all the updates that protect against those flaws. ZDNet has an interesting article about that already. Of course, we are kinda comparing apples to oranges here, since we aren't putting RHEL3 against SBS2003 (the closest comparison you could make), but it's interesting nonetheless.

So what do you think?

Posted by SilverStr at September 22, 2004 06:27 PM

hmmmm... thinking of the vulnerabilities that I've patched on my box.... Sasser not Win2k3 exploitable.... thinking...thinking.... if we put a sbs2k3 box on the web [now mind you I'd not put ANY box on the web without a firewall, that's just being stupid, as I've seen the posts about the Apache web sites being taken over] but nevertheless ... I can't think of a Code Red/Nimda style on our current sbs2k3? [you know, remotely exploitable that ends up with your box saying "hacked by Chinese" on the web site]

IIS 6 has been pretty darn good...

But from a risk standpoint... why not limit connections and restrict access on any platform? Like I always say... it's the driver that makes the car safe... not necessarily the car.

Posted by: Susan at September 22, 2004 10:21 PM

I'd be interested in seeing a similar comparison between consumer boxes out there. I think that someone running RHEL or SBS2003 would have at least an idea about securing it. However, the bigger concern these days is the desktop system, i.e. RH:FC (or Debian, or Mandrake, or any of the "consumer" Linux distros) vs XP, or 98, fully patched of course, as we all know that an unpatched XP box is about as safe to put on the net as [put something witty here].

Maybe they already do that sort of study though :)

Posted by: Arcterex at September 22, 2004 11:08 PM

I'd love to see them do a time warp back to when Redhat 6.0 was the latest craze and it came stock with wu-ftpd exploits and bind exploits.

No one I knew with this distribution EVER updated their security. It was like taking candy from a baby, and sadly this was back when I thought getting access to people's computers just to look around was "cool" or "fascinating".

Redhat can probably talk now, but I remember time and time again where their default distros were riddled with security holes. The ONLY reason Redhat is more secure now is the packages distributed with it. Proftpd has been very secure for a while now, bind has gone a decent amount of time without a serious exploit, and samba is pretty tight as well. Redhat can take very little credit for the stability of their system and the only credit they deserve is in bundling together a distro out of only high quality packages.

I've been using Slackware since 3.3 and they have a superior record of being secure right out of the box. A couple of distros were hackable but nothing in the scope that Redhat was at its worst.

Posted by: Jeremy Brayton at September 24, 2004 01:07 PM