This post originated from an RSS feed registered with Python Buzz
by Ng Pheng Siong.
Original Post: Fully Patched
Feed Title: (render-blog Ng Pheng Siong)
Feed URL: http://sandbox.rulemaker.net/ngps/rdf10_xml
Feed Description: Just another this here thing blog.
With all that automated ssh scanning going on, someone thought to set up a honeypot to see what the scanners are up to. (Well, I guess he already knew what they were up to, but wanted to see the intruders in action.)
In his words, he "set up a debian woody fully patched with both accounts activated, and got rooted some days later..." Subsequently, he clarified that sshd was the only service running on said boxen.
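The automated ssh scanning that prompted the honeypot shows up in sshd's auth log as bursts of failed logins from a single source, and a box that "got rooted" through a guessed password shows up as a success from a source that had been failing just before. As an added example (not code from the original post or from the mailing-list thread it summarizes), the Python script below parses a constructed set of sshd log lines, counts failures per source, lists the usernames each source tried, and flags any successful login from a source with earlier failures. The log lines, hostname, usernames and addresses are made up; the "illegal user" / "invalid user" wording covers both older and newer OpenSSH log formats.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of sshd auth-log lines; hosts, users and addresses are made up.
SAMPLE_AUTH_LOG = """\
Jun 12 03:14:01 woody sshd[1201]: Failed password for illegal user test from 192.0.2.45 port 41022 ssh2
Jun 12 03:14:03 woody sshd[1203]: Failed password for illegal user guest from 192.0.2.45 port 41031 ssh2
Jun 12 03:14:05 woody sshd[1205]: Failed password for admin from 192.0.2.45 port 41040 ssh2
Jun 12 03:14:07 woody sshd[1207]: Failed password for root from 192.0.2.45 port 41052 ssh2
Jun 12 03:14:09 woody sshd[1209]: Failed password for admin from 192.0.2.45 port 41060 ssh2
Jun 12 03:20:44 woody sshd[1250]: Accepted password for admin from 192.0.2.45 port 41890 ssh2
Jun 12 08:02:10 woody sshd[1402]: Failed password for root from 198.51.100.7 port 52001 ssh2
Jun 12 08:30:00 woody sshd[1450]: Accepted publickey for ngps from 203.0.113.9 port 50100 ssh2
"""

# Matches both "Failed password for illegal user X from ..." (older OpenSSH)
# and "Failed password for invalid user X from ..." (newer OpenSSH), as well
# as plain "Failed/Accepted <method> for X from ..." for existing accounts.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:illegal user |invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_auth_log(text):
    """Yield (result, method, user, src) for every line that looks like an sshd auth event."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("method"), m.group("user"), m.group("src")


def report(text, threshold=3):
    """Summarize an auth log: failures per source, usernames tried, and suspicious successes.

    threshold is the number of failures at which a source is called a scanner
    (a constructed cut-off; tune it to the host's normal traffic).
    """
    failures = Counter()
    users_tried = defaultdict(set)
    successes = []
    for result, method, user, src in parse_auth_log(text):
        if result == "Failed":
            failures[src] += 1
            users_tried[src].add(user)
        else:
            successes.append((user, method, src))

    scanners = sorted(src for src, n in failures.items() if n >= threshold)
    # A success from a source that had already been failing is the pattern of a
    # guessed password landing: exactly what a honeypot owner wants to notice.
    suspicious_logins = [(u, m, s) for (u, m, s) in successes if failures.get(s, 0) > 0]

    return {
        "failures": dict(failures),
        "users_tried": {src: set(users) for src, users in users_tried.items()},
        "successes": successes,
        "scanners": scanners,
        "suspicious_logins": suspicious_logins,
    }


if __name__ == "__main__":
    r = report(SAMPLE_AUTH_LOG)
    for src in r["scanners"]:
        print(f"scanner {src}: {r['failures'][src]} failures, tried {sorted(r['users_tried'][src])}")
    for user, method, src in r["suspicious_logins"]:
        print(f"SUSPICIOUS: {user} logged in via {method} from {src} after earlier failures")
```

Run against a real file with `report(open("/var/log/auth.log").read())`; the point of the threshold is that a legitimate user mistyping a password once does not get reported, while a source walking through account names does.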
A long discussion followed, with various opinions expressed and questions raised:
"you said you knew about some SSH scanning going on, then set up those accounts on a box. Now you are curious way (sic) that box got rooted?"
Did you set up the admin account as root?
Don't give shell access to people you do not trust.
"In spite of many reports to the contrary, Linux is _not_ secure by default. Did you harden it?"
Maybe you patched your system, but did you reboot it so that it was running the patched kernel?
"You are running a custom kernel. If you run a custom kernel, obviously you don't benefit from the patches to the stock kernel."
Some of the above points sounded silly or facetious when you read them in their original mailing list-followup form, but I think they are all good points when presented in a list like this. ;-)
The key concern is: if one runs a fully-patched box, is one still susceptible to local root exploits? How bad is the situation? Before one worries about that, though, one ought to make sure "fully patched" really means fully patched, imho.