Sysadmin woes multiply

Another week, another security hole discovered, and even more work on top of your normal duties to plug it. Sounds familiar? Maybe it's just me, but security issues seem to make up a far greater proportion of your average sysadmin's duties than ever before.

Last week, a serious flaw was reported in Secure Shell (ssh), used extensively for remote access (see Security Focus). It looks like version 1.x of the ssh protocol is vulnerable and should no longer be used, so I disabled it on the servers I administer, allowing only protocol 2. This meant that I had to distribute updated ssh clients to users whose current programs only support protocol version 1.0.
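Turning protocol 1 off in the server configuration is only half the job; the other half is confirming that the running daemon no longer offers it. The script below is an added example, not code from the column: it classifies an SSH server's identification banner, which is enough to tell whether protocol 1 is still on offer. By the SSH identification rules (RFC 4253, section 5.1), a server that accepts both 1.x and 2.0 announces itself as "SSH-1.99-", a 2.0-only server as "SSH-2.0-", and a 1.x-only server as "SSH-1.5-" (or "SSH-1.3-"). The sample banners are constructed, and the `fetch_banner` helper assumes a netcat (`nc`) binary is available.

```shell
#!/bin/sh
# Added example: verify that an sshd really offers protocol 2 only.
#
# For OpenSSH the server-side setting is a single line in sshd_config
# (assumed path /etc/ssh/sshd_config), followed by a restart of sshd:
#     Protocol 2
# Leaving it at "Protocol 2,1" or "Protocol 1,2" keeps version 1 reachable,
# and the banner below is how that shows up on the wire.

# classify_banner BANNER -> prints v1-only, v1-and-v2, v2-only, or not-ssh
classify_banner() {
    case "$1" in
        SSH-1.99-*) echo "v1-and-v2" ;;   # both protocols negotiable
        SSH-2.0-*)  echo "v2-only" ;;     # what we want after the change
        SSH-1.*)    echo "v1-only" ;;     # SSH-1.5-/SSH-1.3-: legacy servers
        *)          echo "not-ssh" ;;     # something else answered the port
    esac
}

# banner_is_safe BANNER -> exit status 0 only when protocol 2 alone is offered
banner_is_safe() {
    [ "$(classify_banner "$1")" = "v2-only" ]
}

# fetch_banner HOST [PORT] -> reads the identification line from a live server.
# The server sends its banner first, so no key exchange or login takes place;
# the sleep keeps the connection open long enough to read it. Assumes nc.
fetch_banner() {
    port="${2:-22}"
    sleep 3 | nc "$1" "$port" 2>/dev/null | head -n 1 | tr -d '\r'
}

# Constructed sample banners (not captured from real hosts):
for b in "SSH-1.99-OpenSSH_2.3.0" "SSH-2.0-OpenSSH_2.3.0" "SSH-1.5-1.2.27" "220 mail ESMTP"; do
    printf '%-28s %s\n' "$b" "$(classify_banner "$b")"
done
```

To audit a real server, pipe the two helpers together: `banner_is_safe "$(fetch_banner sshserver.example.org)" && echo ok`. An "SSH-1.99-" banner after the configuration change usually means the old daemon is still running or a second sshd (for example one started from inetd) is answering the port.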

The week before that, the BIND internet name server version 8.2.2 was found to have a serious security hole that could give an attacker root (superuser) privileges (see CERT Coordination Center). The recommended fix is to upgrade to either BIND 8.2.3 or 9.1.x.

On some server operating systems you just download a binary package (or new source) and install it over the old version. But, with the operating system on the servers in question, FreeBSD, it wasn’t quite that easy, because BIND is integrated into the system binaries.

Upgrading meant either downloading updated source for the system binaries and rebuilding and reinstalling, or using the newer BIND 9 name server. However, version 9 is a complete rewrite of BIND, with new features and options in the configuration files to figure out. It also behaves differently to BIND 8.x in a number of areas.
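Whichever route is taken, rebuilt system binaries or a separate BIND 9 install, the name server that is actually answering queries may not be the one just installed (the old binary can still be running, or a different path may be first in the startup script). The script below is an added example, not code from the column: it asks a server for its version over the standard `version.bind` CHAOS-class TXT query and checks the answer against the releases the advisory recommends, 8.2.3 (or later 8.x) and 9.1.x. It assumes `dig` is installed; the sample answers are constructed. A server configured to hide its version (the `"none"` case) is reported as needing a check on the host itself rather than passed silently.

```shell
#!/bin/sh
# Added example: confirm which BIND is really serving, and whether it is at
# or past the fixed releases (8.2.3 or later 8.x, or 9.1.0 or later).

# fetch_bind_version HOST -> prints the raw version.bind TXT answer (assumes dig)
fetch_bind_version() {
    dig +short +time=3 +tries=1 @"$1" version.bind chaos txt 2>/dev/null | head -n 1
}

# normalise_version RAW -> strips quotes and anything after the numeric part,
# e.g. '"8.2.2-P7"' becomes 8.2.2; prints nothing if no version number is present
normalise_version() {
    printf '%s\n' "$1" | tr -d '"' \
        | sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\(\.[0-9][0-9]*\)\{0,1\}\).*/\1/p'
}

# bind_version_is_fixed RAW -> exit 0 if the version is 8.2.3+ (8.x) or 9.1.0+;
# exit 1 otherwise, including when the server hides or omits its version
bind_version_is_fixed() {
    v=$(normalise_version "$1")
    [ -n "$v" ] || return 1
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    case "$rest" in
        *.*) patch=${rest#*.} ;;
        *)   patch=0 ;;          # "9.1" is treated as 9.1.0
    esac
    if [ "$major" -gt 9 ]; then return 0; fi
    if [ "$major" -eq 9 ] && [ "$minor" -ge 1 ]; then return 0; fi
    if [ "$major" -eq 8 ] && [ "$minor" -gt 2 ]; then return 0; fi
    if [ "$major" -eq 8 ] && [ "$minor" -eq 2 ] && [ "$patch" -ge 3 ]; then return 0; fi
    return 1
}

# Constructed sample answers (not captured from real servers):
for raw in '"8.2.2-P7"' '"8.2.3-REL"' '"9.1.0"' '"9.0.1"' '"none"'; do
    if bind_version_is_fixed "$raw"; then verdict=ok; else verdict=UPGRADE-OR-VERIFY; fi
    printf '%-14s %s\n' "$raw" "$verdict"
done
```

Against a live server: `bind_version_is_fixed "$(fetch_bind_version ns1.example.org)" && echo ok`. Because the check relies on the server being honest about its version, it is a convenience for sweeping a fleet, not a substitute for looking at the installed binary on the host.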

All in all, I ended up spending much more time on fixing just two security holes than expected. The worst thing is, it looks like sysadmins have to set aside more time in the future, because the probes and attacks show no sign of letting up.

As if direct attacks on the servers weren’t enough, there are also the clients to worry about. Some email and personal productivity application suites seem to do double-duty as virus disseminators, which in turn replicate across the internet … through your servers.

It’s not just the attacks themselves that are worrying: governments around the world are trying to deal with internet abuse, but the legislation isn’t always clear on the consequences, for example for those responsible for compromised systems used in denial of service attacks. Governments have already demonstrated their inability to understand the necessary technical issues, so don’t expect much support from officialdom to go after net perps.

The private sector is a “threat” too: if users in your domain unwittingly send out viruses it could open up your organisation to legal action, if damage is done to the recipients.

Unfortunately, there is no easy solution to the security problem. Yes, you can install firewalls and implement draconian filtering (and cop flak from hampered users). That by itself creates more work, because you must monitor the defences and tweak them to fit changing threats (and user requirements).

Ultimately, however, it looks like IT security will become a specialised role, separate from the usual sysadmin duties, even in smaller enterprises. Time to prepare for a chief security officer career, perhaps?

Saarinen is a PC World New Zealand columnist and looks after an Auckland-based company's internet application servers.
