Filepro-list Digest, Vol 42, Issue 43

Bill Campbell bill at celestial.com
Thu Jul 26 12:46:09 PDT 2007


On Thu, Jul 26, 2007, Jay R. Ashworth wrote:
>On Thu, Jul 26, 2007 at 12:12:57PM -0700, Bill Campbell wrote:
>> On Thu, Jul 26, 2007, Jay R. Ashworth wrote:
>> >On Thu, Jul 26, 2007 at 02:36:56PM -0400, Boaz Bezborodko wrote:
>> >> But this will only help a little in getting more people on Linux.  Linux 
>> >> is just too easy to break by the average user and too difficult to just 
>> >> get up and running. 
>> >
>> >You wanna expand on that a bit, Bo?
>> >
>> >Cause, in my 23 years of experience, I've *never* had a user break a
>*nix machine.  Ever.  I've only had 6 panics in that time, and 4 of them
>> >were bad hardware.  1 a bad driver, and I never did trace down the
>> >other one.
>> 
>> I've had user *nix machines cracked via the 'Net because of users with weak
>> passwords and shell accounts.  Usually they haven't managed to gain root
>> access, but have installed IRC servers running at user levels which can be
>> annoying.
>
>Ok, so the machine isn't "broken", it's just running things you didn't
>want because its administrator is sloppy and a) didn't run a
>password-strength tester on password changes, b) didn't run a password
>cracker to look for Joe's, c) didn't firewall the machine so that
>unwanted traffic couldn't get in and out.
>
>The point here, of course, is that administrators *can*
>deterministically do those things on *nix.

That depends on the user base.  I've never seen an ISP that has been able
to enforce good passwords and keep their customers.  My nightly maintenance
routines check for crackable passwords, and I would say that at least 75%
of the users' passwords at any ISP are going to be guessable.

We normally set the user's shell to /bin/false (but I did have to fix a
machine where somebody had linked that to /bin/bash).

We rarely have seen problems like this on our business clients' machines as
we can be a lot more draconian with them.  We only allow user access via
secure shell, and then only allow password authentication in a few rare
cases where an outside web developer can't figure out how to generate
public/private keys on their Windows box.  Where we do allow password
authentication, ssh access is tightly restricted with tcp_wrappers and
/etc/hosts.allow.

No matter how fool-proof an admin tries to make the system, they keep
finding better fools.

>> >Average uptime: until we had to change some piece of hardware; usually
>> >every 6-9 months; I have broken a year a few times.
>> 
>> My best uptime was a FreeBSD 4.8 machine that hit 900 days before a 3am
>> power outage that didn't wake me to turn on the generator took all our
>> systems down when the UPS batteries drained.  Most of our systems now have
>> an uptime of 245 days since that was when the power last went out.
>
>Got any windows machines, Bill?  ;-)

Not to speak of.  Everything here is Linux, FreeBSD, or OS X.

>> >My last Linux install: SuSE 10.2 from DVD.  Human time: about an hour;
>> >machine time, about 2.5 hours.
>> 
>> I timed a fully automatic kickstart install of CentOS 5 yesterday at 45
>> minutes, of which about 2 minutes was the human time to boot from CD, and
>> enter ``linux ks=cdrom:/ks.cfg'' to start it.  This is a network install
>> from a local server here.
>> 
>> Autoyast installs of SuSE Linux Enterprise 10 take about the same.
>
>This was an older slower box.  :-)

This was an AMD Athlon 1400+ 1GB RAM and with a pretty generic IDE drive.
Installation was over a 10/100 NIC from a file server running SLES9 on an
AMD Athlon(tm) 64 Processor 3000+ 2GB RAM, and a 74GB WD SATA drive.

Bill
--
INTERNET:   bill at celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
FAX:            (206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676

Nobody wants to be called common people, especially common people.
    Will Rogers
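The nightly checks and lockdown Bill describes above (login shells set to /bin/false, a /bin/false that had been linked to bash, key-only ssh), as an added POSIX shell audit script that is not part of the thread. The sample tree it builds under mktemp is constructed; its file names stand in for /bin and /etc.

```shell
#!/bin/sh
# Added audit helper, not code from the thread. Checks three of the controls the
# post describes: a "locked" shell such as /bin/false really is one (and not a
# symlink to bash), which accounts still have an interactive shell, and whether
# sshd_config turns password authentication off.

# Return 0 if SHELL_PATH resolves, through any symlinks, to false or nologin.
locked_shell_ok() {
    target=$(readlink -f "$1" 2>/dev/null) || return 1
    case "$(basename "$target")" in
        false|nologin) return 0 ;;
        *)             return 1 ;;
    esac
}

# Print the account names in a passwd-format file whose shell is neither
# false nor nologin (these are the accounts a guessable password exposes).
interactive_accounts() {
    awk -F: '$7 !~ /\/(false|nologin)$/ { print $1 }' "$1"
}

# Return 0 if the sshd_config file sets PasswordAuthentication to no. sshd takes
# the first occurrence of a keyword; this simplified parser stops at the first
# Match block (assumption: only the global setting matters here).
password_auth_disabled() {
    val=$(awk 'tolower($1)=="match" {exit}
               tolower($1)=="passwordauthentication" {print tolower($2); exit}' "$1")
    [ "$val" = "no" ]
}

# Constructed sample tree standing in for /bin and /etc; all values are made up.
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
: > "$SAMPLE/bash"                      # stand-in for a real shell
ln -s "$SAMPLE/bash" "$SAMPLE/false"    # the tampered /bin/false from the post
: > "$SAMPLE/nologin"                   # a correctly locked shell
cat > "$SAMPLE/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/false
bob:x:1002:1002::/home/bob:/usr/sbin/nologin
webdev:x:1003:1003::/home/webdev:/bin/sh
EOF
printf 'Port 22\nPubkeyAuthentication yes\nPasswordAuthentication no\n' > "$SAMPLE/sshd_config"
printf 'PasswordAuthentication yes\n' > "$SAMPLE/sshd_config.weak"

# Report, in the style of a nightly maintenance run.
locked_shell_ok "$SAMPLE/false"   && echo "false: ok"   || echo "false: RESOLVES TO A SHELL"
locked_shell_ok "$SAMPLE/nologin" && echo "nologin: ok" || echo "nologin: RESOLVES TO A SHELL"
echo "interactive accounts: $(interactive_accounts "$SAMPLE/passwd" | tr '\n' ' ')"
password_auth_disabled "$SAMPLE/sshd_config" && echo "sshd: password auth off" || echo "sshd: password auth ON"
```

Run it against the real /bin/false, /etc/passwd and /etc/sshd_config paths to reproduce the check on a live box; readlink -f assumes GNU or a recent BSD userland.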

