LinuxQuestions.org
Old 07-03-2004, 12:36 AM   #1
Dark_Helmet
Senior Member
 
Registered: Jan 2003
Posts: 2,786

Apache and security updates in general


I've been playing with my web server enough now that I'm comfortable with it. I looked in the access log file and noticed some random web requests. Some were spiders, and some were requests for files that (after a quick google search) are part of recent security exploits in IE (specifically requests for "img1big.gif" and "sjdif.exe") which failed of course. So I figured it was time to start seriously looking into security.

Specifically, there's one thing I've been fuzzy about: upgrading/applying security patches. Exactly, what is the routine for this, or is it a personal routine (like devising backup strategies)? I mean, you patch the source I imagine, but do you uninstall the original and then install the patched version immediately after? Do you install the patched version on top of the existing installation? And how do you know when/if a security patch is released? That I think is pretty easy enough: manually checking the website, but is there a central repository for these kinds of things such that checking for updates could be automated (via a shell script or some such thing)?

Please, point me to documentation if this kind of thing has already been described in detail. I ain't scared of no docs!
 
Old 07-03-2004, 05:22 AM   #2
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Well patching strategy is pretty much something you have to decide for yourself. Advisories are usually labeled with some kind of severity level, so that should give you a clue.

In general, any remote vulnerability that leads to arbitrary code execution is a FIX IMMEDIATELY type of situation. A remote DoS would depend on how likely you think you are to get hit and how severe the DoS condition is, but patching within a few days is highly recommended. Local exploits may or may not be as severe, depending on whether there are any other accounts on the server besides yours. If there are other accounts (especially if they belong to strangers), then treat any local exploit just the same as a remote exploit. If you have local users but they're trustworthy, then treat it as almost severe. If there are no local users, then you can afford a little more leeway, but certainly update during your normal maintenance window (most sites do this early Saturday or Sunday morning, like 2AM local time).

If you use source patches, then download and compile them right away. If it's not a PATCH IMMEDIATELY type of situation, leave a reminder (cron job to send you an e-mail, or something like that) with instructions of how to complete the update. If it's a binary update, then download and extract the update into a temp directory. Finish the same way as with source patches.

As for how you find out about vulnerabilities, go to the website for your distro and see if they have official mailing lists. Usually there will be a security or security-announce list--make sure you subscribe. You could also subscribe to lists like bugtraq or full-disclosure, which will give you a heads-up on many exploits (not just the ones that affect you). Depending on your distro, there also might be an auto-update feature that you can enable, but usually those are only available from paid versions of the software, not the free downloads. Once again, check the website and/or documentation for your distro.
 
Old 07-03-2004, 05:41 PM   #3
Dark_Helmet
Senior Member
 
Registered: Jan 2003
Posts: 2,786

Original Poster
Would you have any suggestions about a Linux From Scratch system? In other words, I'm looking for pointers on how to maintain that kind of system: one that doesn't have access to an update utility (like Red Hat or others). I guess a better question would be: how does Red Hat do it? Where do they go to find out when/if software is updated to plug an exploit? They've got to find it themselves before they can integrate it into an update.

And I guess that kind of answers part of the original post... It would seem that those update utilities would patch software in-place; kind of like Windows style patches that modify the executable. If they were patching the source code itself, then I would imagine it would take quite a while to update (i.e. extract the source, patch it, recompile, reinstall). That could take an exorbitant amount of time on slower systems for packages like Apache, Samba, or others. So I guess it's looking like for a custom distro like LFS that recompiling from source is the only viable way to update software with a security fix (because nobody else is going to have an executable-based patch that will fit your system). I can live with that.

Now, if there is a central repository (like some general security-based website) that makes announcements on security patches, it would make this a whole lot easier to keep track of.

Last edited by Dark_Helmet; 07-03-2004 at 05:42 PM.
 
Old 07-03-2004, 06:21 PM   #4
gensis
LQ Newbie
 
Registered: Jun 2004
Distribution: Slackware, Suse, Red Hat, Fedora
Posts: 28

====================================================================
"Would you have any suggestions about a Linux From Scratch system? In other words, I'm looking for pointers on how to maintain that kind of system: one that doesn't have access to an update utility (like Red Hat or others). I guess a better question would be: how does Red hat do it?"

Red Hat subscription service: command line: Update
for Red Hat ^_^ you can also use some of the free ones like apt-get and yum

Slack uses swaret

Debian uses apt-get
====================================================================
Where do they go to find out when/if software is updated to plug an exploit. They've got to find it themselves before they can integrate it into an update.

The Linux distros sometimes keep track of bugs because they are chosen to be put into their ISOs.
Finding bugs is done by individual programmers, white and black hats all over the net.
====================================================================
"And I guess that kind of answers part of the original post... It would seem that those update utilities would patch software in-place; kind of like Windows style patches that modify the executable. If they were patching the source code itself, then I would imagine it would take quite a while to update (i.e. extract the source, patch it, recompile, reinstall). "

I think your questions are kind of big ^^, I can write an essay for you lol j/k
I recommend you pick a distribution and ask about it; update services are sometimes free, sometimes not, depending on the "business model".
====================================================================
Now, if there is a central repository (like some general security-based website) that makes

The answer for this question: here is a link http://www.ciac.org/ciac/
 
Old 07-03-2004, 07:08 PM   #5
Dark_Helmet
Senior Member
 
Registered: Jan 2003
Posts: 2,786

Original Poster
Quote:
Originally posted by gensis

Red Hat subscription service: command line: Update
for Red Hat ^_^ you can also use some of the free ones like apt-get and yum

Slack uses swaret

Debian uses apt-get
That's sort of the problem though. A Red Hat update utility will update a Red Hat based system. Similarly Slackware will update Slackware, and Debian updates Debian. I've got a Linux From Scratch system. It's a system compiled from source code and doesn't follow the format of any particular distribution. So those update programs won't work as far as I know. If I'm mistaken about this, someone please correct me.

I'd also like to "get my hands dirty" so I understand how the security update procedure works. An update utility could be very useful later, but right now I'm looking to learn the ins-and-outs so I can be self-sufficient if need be.

Also, from a (purely analytical) security perspective, you're adding a middle-man between your security fix and your software. Can you, as the administrator, completely trust the update utility is applying the security fix exactly as it was released by the developers? I'm not suggesting any of the distros are going to slip in some malicious code, but the possibility exists (disgruntled employee looking to hurt the company, a cracker breaks into the system and changes the update, or any number of other things).

Quote:
The Linux distros sometimes keep track of bugs because they are chosen to be put into their ISOs.
Finding bugs is done by individual programmers, white and black hats all over the net.
Yeah, I do programming myself and understand that either security analysts (white hats) or crackers (black hats) will discover exploits. At some point though, one of the developers/project leads needs to make an announcement; the equivalent of saying "Hey everybody! We know about a new security hole, and here's a patch to fix it. Come and get it!" Where do the developers make this kind of announcement? On their project's website? Is there an organized "clearinghouse" where developers can post these updates so administrators can check one site? That's what I'm getting at here. The distributions either have to hunt down the announcements by monitoring each software package's website (impractical in my opinion), monitor a central site that collects those announcements (hard to coordinate, but possible), or join a mailing list for each software package that makes these kinds of announcements (most likely, but seems sort of inefficient). Somebody somewhere has to inform the distribution maintainers that a security fix is available; where do the distribution maintainers get that information?

Quote:
The answer for this question: here is a link http://www.ciac.org/ciac/
Thanks for the link. I'll definitely check it out.

And feel free to dump an essay on me. Or perhaps, a link to the essay.
 
Old 07-03-2004, 07:10 PM   #6
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

There is no central website for security updates. There are lots of reasons for this, but they vary from simply the fact that different people report bugs or flaws to different sites (for instance, someone in Russia might report a vulnerability to a Russian security site first), to the fact that different sites have competing philosophies of how to publish vulnerabilities, to the fact that many security sites are run by security companies that want to make themselves look good and not give too much credit to their competition. Just face it, there isn't one central place.

I already mentioned some places, like the Bugtraq mailing list at www.SecurityFocus.com, and the Full Disclosure list at lists.netsys.com. Other sites would be www.cert.org, xforce.iss.net, www.packetstormsecurity.org, etc. Additionally you can find archives of many security mailing lists at www.seclists.org.

The absolute best source will always be your distro's site though, because ultimately they're the ones releasing the patches. Even if you know about a problem you won't be able to patch it until your distro puts out a patch (but there are often work-arounds suggested in vulnerability disclosures).

The way distro projects find out about vulnerabilities is by reading the lists and sites I mentioned above, but usually the problem will be reported to them privately before it's posted in public, so many times they already know about the problem before it shows up anywhere else.
 
Old 07-03-2004, 07:24 PM   #7
Dark_Helmet
Senior Member
 
Registered: Jan 2003
Posts: 2,786

Original Poster
Ok, no central site. That's fine. I had thought there might be an open source initiative style site regarding security patches for source code. Something where package developers could send a security update, and post a hash code on the project website for you to verify against the patch you download from the central site. It's not that huge a deal, but kills the idea I had of writing a shell script to wget security pages and parse them to determine if a patch was available for software that I was using.

I'll admit that I didn't look into the bugtraq mailing list right away because I read your original post as indicating those mailing lists were distribution specific. A Linux From Scratch system does not follow any standard distribution, and it would be impossible for anyone to release an update tool that would work for all Linux From Scratch systems.

You guys are giving me a good number of sites to check out, and I very much appreciate the help. I have some reading to do it seems. Thanks again.

Last edited by Dark_Helmet; 07-03-2004 at 07:26 PM.
 
Old 07-04-2004, 12:44 AM   #8
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Well if LFS is really a "do it yourself" OS, then you should probably know what you're doing if you choose to go that route. Perhaps a distro with packages would be appropriate until you learn the ropes, so to speak.
 
Old 07-04-2004, 01:27 AM   #9
Dark_Helmet
Senior Member
 
Registered: Jan 2003
Posts: 2,786

Original Poster
Actually, that's one of the reasons to build an LFS system: to learn about the system and understand what's going on. Building the system is relatively easy because you're just following software compilation instructions.

The education really begins when you start configuring software, services, and everything else. Going into LFS I figured the worst possible route necessary to keep updated was to:

1. Record each software package compiled and installed including patch level
2. tar up the source directory and shove it somewhere out of sight
3. Monitor the projects' sites for security updates or general patches
4. Download any applicable patches
5. Un-tar original build directory
6. Apply patch
7. Compile
8. Reinstall
9. Re-archive the build directory
10. Update software version and/or patch level in records
11. goto #3

I can handle all of that, but from an effort perspective, it's quite intense. I mean, #3 gets to be quite a chore when you've installed a lot of software. It might be possible to limit those checks to software interacting with the outside world (like Apache, an ftp server, or any specialized service). However, if you offer something like SSH for your system, all of a sudden you have to keep a lookout for exploits in basic system software (coreutils, diff, kbd, etc.: *any* software installed on the system).

Basically the point of the post was to get my bearings. I was curious to know if anyone decided to try and tackle this type of problem (the central site idea), or if some sort of standard method existed for updating a system (perhaps some script or utility that could automate steps 5-9 above). Most importantly though, I needed to find my source for information. Since I can't rely on a distribution maintainer, I needed to locate their information resource.

You guys have helped me with that. So now the task is to go about orienting myself with the information provided and the manner in which it is provided. In other words, I just have to get experience with the material.
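As an added example, not code from any of the posters, here is a POSIX shell script that carries out steps 4-10 of the list above for a source-built system, including the check of a downloaded patch against a project-published hash that an earlier post wished for. It assumes (none of this comes from the thread) that the patch has already been downloaded, that the project publishes a SHA-256 for it, that archived build trees sit under a directory as pkg-version.tar.gz, and that the build is "make && make install" unless overridden.

```shell
#!/bin/sh
# Worked version of steps 4-10 of the procedure above, plus a checksum check
# on the downloaded patch. Assumptions, not taken from the thread: the project
# publishes a SHA-256 for each patch, archived build trees live under
# $SRC_ARCHIVE as <pkg>-<version>.tar.gz, the records file holds one
# "<pkg> <version> <patchlevel>" line per update, and the build is
# "make && make install" (override BUILD_CMD/INSTALL_CMD for anything else).
set -eu

SRC_ARCHIVE="${SRC_ARCHIVE:-/var/lib/lfs/sources}"     # step 2: archived build dirs
RECORDS="${RECORDS:-/var/lib/lfs/installed.txt}"       # step 1: install records
BUILD_CMD="${BUILD_CMD:-make}"
INSTALL_CMD="${INSTALL_CMD:-make install}"

# Refuse a patch whose SHA-256 differs from the value published by the project.
verify_patch() {  # verify_patch <patchfile> <expected-sha256>
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Current patch level of a package according to the records (0 if unrecorded);
# the last line written for a package wins.
patch_level() {  # patch_level <pkg>
    [ -f "$RECORDS" ] || { echo 0; return; }
    awk -v p="$1" '$1 == p { lvl = $3 } END { print lvl + 0 }' "$RECORDS"
}

# Step 10: append the new version/patch level to the records.
record_update() {  # record_update <pkg> <version> <patchlevel>
    printf '%s %s %s\n' "$1" "$2" "$3" >> "$RECORDS"
}

# Steps 5-9: unpack the archived tree, apply the patch, build, install, then
# re-archive the patched tree so the next patch applies on top of it.
update_package() {  # update_package <pkg> <version> <patchfile> <expected-sha256>
    pkg=$1; ver=$2; sum=$4
    case $3 in /*) patchfile=$3 ;; *) patchfile=$PWD/$3 ;; esac   # absolute: we cd below
    verify_patch "$patchfile" "$sum" || { echo "checksum mismatch: $patchfile" >&2; return 1; }
    work=$(mktemp -d)
    tar -xzf "$SRC_ARCHIVE/$pkg-$ver.tar.gz" -C "$work"                  # step 5
    ( cd "$work/$pkg-$ver" && patch -p1 < "$patchfile" \
        && sh -c "$BUILD_CMD" && sh -c "$INSTALL_CMD" )                  # steps 6-8
    tar -czf "$SRC_ARCHIVE/$pkg-$ver.tar.gz" -C "$work" "$pkg-$ver"      # step 9
    rm -rf "$work"
    record_update "$pkg" "$ver" "$(( $(patch_level "$pkg") + 1 ))"       # step 10
}

# Run directly: update-package.sh <pkg> <version> <patchfile> <expected-sha256>
[ "$#" -eq 0 ] || update_package "$@"
```

Step 3 (watching the projects' sites) stays manual; the script only starts once a patch and its published checksum are in hand.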
 
Old 07-04-2004, 11:51 AM   #10
gensis
LQ Newbie
 
Registered: Jun 2004
Distribution: Slackware, Suse, Red Hat, Fedora
Posts: 28

Sorry for the late reply, was watching Spider-Man 2 ^^ in a cold movie theater.

Actually number 3 is somewhat easy: use a combination of bookmarks and RSS feeds; that should keep you up on the software updates and stuff.
"3. Monitor the projects' sites for security updates or general patches"
Keep only the important sites, you don't have to monitor everything; keep 2 general Linux sites and a couple of product-specific sites.

I personally recommend a distro you're comfy with and using their own update tools, it's fast and easy. And you yourself install the important packages from source, and monitor them closely (i.e. like Apache or BIND).

Good luck
 