lars at gmx.at
Thu Aug 11 19:22:38 GMT 2005
Dmitry Mityugov wrote:
>>>Apart from that, I must agree with Dave Horsfall - please provide an IP.
>>Is there a critical patch that you believe those machines would need?
>>Anything more serious than a potential denial of service attack?
Yes, I recommend all patches.
DOS is enough for me.
> Indeed. If the machine is properly firewalled, what kind of attack
> other than DoS can break it?
All those on vulnerabilites that were fixed in patches after the last one applied.
A firewall may or may not help you.
If the attack is on a jail to which you allow access through your firewall,
you've had it, e.g..
Or someone sends you a specially crafted file that exploits a vulnerability
described in FreeBSD-SA-05:11.gzip and/or FreeBSD-SA-05:14.bzip2.asc.
That's DOS, that kind of attack is serious enough for me to try to avoid.
Or someone gains root privileges via the vulnerability described in
FreeBSD-SA-05:16.zlib, FreeBSD-SA-05:17.devfs or FreeBSD-SA-05:18.zlib.
I mean it's great FreeBSD can sustain such a long uptime.
But, IMHO, it's nothing to brag about, since it simultaneously indicates
missing patches, which I find worse.
Planned downtime for maintenance is ok.
More information about the freebsd-questions