Today, on OpenBSD's misc@ mailing list, a poster discovered that his new OpenBSD installation had been rapidly compromised. Nick Holland posted the following short essay in reply.
I thought it was a brilliant response.
While you may not feel Mr. Holland's recommendations apply to you (and your skills, real or perceived), his point that mismanaged or misconfigured services can cause harm to others on the Internet is absolutely pertinent.
The entire post is here, and the thread begins here.
Quote:
> Ideas are going to be really appreciated, because I am not a technical guy.
ok, this is the unpopular answer, but here it is anyway: Stop. You should not be running your own web and mail server.
Years ago, I used to say that I could make a good case that anyone running a mail server or DNS server should require a license, for much the same reason as one should have a driver's license to drive on public roads: to indicate you have some minimum level of skill so you don't hurt others on the road....
...I exempted running a webserver because I felt that your average website was "safe" to other people...kinda like painting your own car -- you may do a lousy job, but no one has to look at your car/site. Well, these days of web applications pretty much mean I was wrong, and yes, they are just as able to harm others on the Internet as mail and DNS servers -- maybe even more so these days. If you don't know how to track down what happened -- and more importantly, don't know how to KEEP it from happening in the first place -- you should not be running services on the Internet. Using OpenBSD does not render your system unbreakable, any more than putting a five-year-old behind the wheel of a "safe" car makes them or the world "safe"....
...if you expose a service, you are under CONSTANT attack; if you have any kind of vulnerability, it WILL be exploited, and rather soon.