Recent botnet installed as root

This is a bit long but...


kleinart said:
No one can really argue with any of these comments. But they're also not really constructive to this thread, IMO.

In my case, I'm fairly sure DNS/bind was my attack vector. My box was a hobby box, running SSH (locked down, and for my remote shell access/bastion host) and DNS. Being that it was so limited, I didn't think much of it. Lesson learned.

Hobby box - lesson learned. But given the number of holes, guessing at the attack vector is only a guess. And it's no real use anyway if you're not going to actually patch the holes :)

kleinart said:
What will NOT happen, as things currently are, will be all systems patched immediately - or even maintained perfectly. In direct response to the above quote ... there are vulnerabilities found daily, weekly and monthly ... and within a 'short time' you may not have immediate patches available - your dist may not be maintained and you need to do major work to upgrade your system.

Updating is not a major undertaking if you have a maintenance routine, keep up to date with vulnerabilities and apply updates as and when required. Do you follow the mailing lists, as recommended for FreeBSD users? Do you subscribe to the CERT mailing list (I highly recommend this as it will also give you work-arounds if a patch is unavailable or not possible to apply)?

If the answer to that is "no" then maybe you should.

Yes, holes are found daily. However it is fairly rare that they are exploited in the wild as soon as they are discovered. Also, throwing your hands up and saying "holes are discovered daily!" is not going to secure your boxes. You do what you can, and normally this is enough. If you get owned via a hole that has not been patched (a zero day), then so be it, but at least you tried. Getting owned via a hole that was patched 3 years ago is just being negligent.

The brakes on your car may not be sufficient to bring you to an emergency stop in every conceivable potential accident scenario either, but this doesn't mean that the car manufacturer just throws their hands in the air, says "these brakes won't stop the car in time every time!" and gives up fitting brakes.

It's about risk management. Eliminating risk is virtually impossible, but you can significantly reduce the risk to a tiny fraction of what it would be if you were running totally unpatched.


kleinart said:
Or, in other words, patches probably take too much time and effort as-is,

Probably? I.e., you don't know? Security updates generally take perhaps 5-10 minutes to apply. Schedule a brief outage window, get it done. It's a lot less work than recovery from an intrusion.

Release upgrades take a while (say, an hour or two?) but this is why you do an upgrade in test first, find out what breaks and then do it in production once you're happy. However, release support schedules are well known and you have a year or more to work out your migration strategy in advance.

Yes this is work. It is work required to adequately support ANY platform - be it Windows, Linux, FreeBSD or whatever.

kleinart said:
and in the future will probably be more automatic and self-protecting systems and code - just needs evolution time. (Windows and other desktop OSes - OS X, etc. have come far in this regard - automatic updates, etc.)

In this case for me, patches weren't available - I had to upgrade the major revision of the OS... at the time I just figured that was too much effort as I didn't perceive a risk to the box. I was quite surprised the box got owned - with its limited daemon exposure.

You're aware of FreeBSD-update?

The fact that you were unaware of the risks leads me to believe that you aren't following the CERT or FreeBSD mailing lists. I would recommend doing so, so that you are aware of the risks involved when they are discovered and can keep on top of things - rather than just leaving the box unpatched until somebody else owns it.


kleinart said:
// Wish more effort was put into identifying and classifying root kits, tracking trends, tracking down countries they come from, prosecuting as possible, etc, etc.

Tracking, reporting, classifying risk level, trends, etc. is all already done. You need to follow the relevant mailing lists.
In summary:

This is a learning phase most of us go through (I've been through it myself back in 1999, having had a Linux box get owned via an old version of sendmail).

Initially it's like "Yeah, Unix is so much more secure than Windows! I'm immune to all these threats!".

After a while, either being owned yourself or seeing others get owned, you realise it's not a magic bullet. Yes, FreeBSD is more secure than Windows out of the box - but no software is perfect, and thus far throughout the history of computing, it's only a matter of time before virtually all software has holes found in it.

Once those holes are found, they need to be either closed, or mitigated via some other method (filtering access, etc). If your box is on the internet, you ARE a target. If you're running unpatched, you will eventually get owned, no question - it's merely a matter of when.
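As an added example (not part of this post, and not FreeBSD's own tooling), here is a small script of the kind of maintenance routine the reply describes: apply base-system security patches with freebsd-update, upgrade packages, check what is still known-vulnerable with pkg audit, and flag a kernel that is patched on disk but not yet running. It assumes a FreeBSD host with freebsd-update(8), pkg(8) and freebsd-version(1) on the PATH; the LOG path, the version strings and the pkg audit transcript in demo are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the forum post: a small scheduled maintenance
# routine of the kind the reply argues for (patch the base system, upgrade
# packages, check for known-vulnerable packages, flag a pending reboot).
# Assumptions: a FreeBSD host with freebsd-update(8), pkg(8) and
# freebsd-version(1) on PATH; LOG is an arbitrary path chosen for this example.

LOG="${LOG:-/tmp/maintenance.log}"
export PAGER=cat   # keep freebsd-update from stopping on an interactive pager

log() { printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$*" | tee -a "$LOG"; }

# count_audit_problems: read pkg-audit output on stdin and print the number
# from its summary line ("N problem(s) in M installed package(s) found.");
# prints 0 when no summary line is present.
count_audit_problems() {
    awk '/problem\(s\) in [0-9]+ installed package\(s\) found/ { n = $1 } END { print n + 0 }'
}

# vulnerable_packages: print one package name per "<pkg> is vulnerable:" line.
vulnerable_packages() {
    sed -n 's/ is vulnerable:$//p'
}

# reboot_needed RUNNING INSTALLED: true when the installed kernel version differs
# from the running one, i.e. a kernel patch is on disk but not yet protecting anything.
reboot_needed() {
    [ "$1" != "$2" ]
}

run_maintenance() {
    log "maintenance start"
    # 1. Base system: fetch and install binary security patches for the running
    #    release. --not-running-from-cron lets fetch proceed without a tty.
    freebsd-update --not-running-from-cron fetch install \
        || { log "freebsd-update failed"; return 1; }
    # 2. Third-party packages: refresh the catalogue and upgrade what is installed.
    pkg update -q && pkg upgrade -y \
        || { log "pkg upgrade failed"; return 1; }
    # 3. Refresh the VuXML database and report anything still known-vulnerable
    #    (pkg audit exits non-zero when it finds problems, so do not let that abort us).
    audit=$(pkg audit -F 2>&1 || true)
    problems=$(printf '%s\n' "$audit" | count_audit_problems)
    if [ "$problems" -gt 0 ]; then
        log "$problems vulnerable package(s) remain: $(printf '%s\n' "$audit" | vulnerable_packages | tr '\n' ' ')"
    else
        log "no known-vulnerable packages installed"
    fi
    # 4. A patched kernel only helps once it is running.
    if reboot_needed "$(freebsd-version -r)" "$(freebsd-version -k)"; then
        log "kernel patched on disk; schedule a reboot"
    fi
    log "maintenance end"
}

# demo: run the parsers over a constructed pkg-audit transcript (not real output).
demo() {
    sample='curl-7.74.0 is vulnerable:
curl -- multiple vulnerabilities

openssl-1.1.1k is vulnerable:
openssl -- multiple vulnerabilities

2 problem(s) in 2 installed package(s) found.'
    printf 'problems: %s\n' "$(printf '%s\n' "$sample" | count_audit_problems)"
    printf 'packages: %s\n' "$(printf '%s\n' "$sample" | vulnerable_packages | tr '\n' ' ')"
}

case "${1:-}" in
    run) run_maintenance ;;   # invoke as: sh maintenance.sh run  (inside the outage window)
    *)   demo ;;
esac
```

Run it as `sh maintenance.sh run` from the scheduled outage window; without the argument it only exercises the parsers on the constructed transcript. The audit step is deliberately the last one, so the report reflects the state after upgrading, and the reboot check matters because a base-system patch that touches the kernel does nothing until the new kernel is actually booted.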