RaQ550 Security

  #1  
Old 04-16-2003, 11:23 AM
infosec_buda infosec_buda is offline
New Member
 
Join Date: Apr 2003
Posts: 3

RaQ550 Security


I'm new to the Cobalt, and have some questions on the security of the box.

1. Even though the box uses open-source programs (apache, openSSH, PHP, etc.) Sun recommends only installing their patches for known vulnerabilities. So, while a cobalt box shows a sendmail version of 8.11.6 (big security concerns), Sun says it's patched with all updates. Does anyone have concerns over this, or had a box exploited due to a known vulnerability that Sun didn't release the patch in time for?

2. Does anyone patch their box with the latest open-source releases? How does that affect the admin interface?

I'm asking the questions from a security standpoint - I find it odd that Sun relies on stackguard to prevent any buffer overflow attacks, and doesn't keep up with the open-source versions of the software... Any insight or experience with cobalt security would be helpful.

  #2  
Old 04-28-2003, 10:37 PM
infosec_buda infosec_buda is offline
New Member
 
Join Date: Apr 2003
Posts: 3
No help?

Can anyone point me to a good Cobalt security resource? I desperately need information on how to secure a RaQ550 and implement intrusion prevention and detection measures. Help!!!

  #3  
Old 04-28-2003, 11:47 PM
mgphoto mgphoto is offline
Web Hosting Master
 
Join Date: Aug 2002
Location: Atlanta, GA
Posts: 1,114
I'm going to make some comments here which will not be popular but they are my experience.

I have owned Sun/Cobalt servers since the RAQ3. At one time I owned 18 various Raqs. There has never been a secure Raq since day 1. Often the patches are worse than the problem. Thankfully I am down to the last 3 customers that still use them. As soon as those customers leave I will throw the Raqs away. I won't even resell them as used gear.

Both Sun's and Cobalt's errors and misdeeds in the area of security are legendary. The only thing worse than a Raq's security issues is Sun's support.

Take a look at any Cobalt forum. There are countless problems with the units and half the time the patches cause twice as many problems. I can’t count the number of times I have patched a Raq and 2 weeks later Sun removes the patch and says “sorry about that”.

Not being rude to you here, but the only way to make a Raq secure on your network is to turn it off or sell it to someone else.

__________________
SiteSouth
Atlanta, GA and Las Vegas, NV. Colocation


  #4  
Old 04-29-2003, 09:32 AM
infosec_buda infosec_buda is offline
New Member
 
Join Date: Apr 2003
Posts: 3
Are RaQs not secure due to the fact you must rely on Sun instead of just applying the open-source fixes and product updates? It seems to me you're locked into the versions (sendmail, apache, PHP, etc.) that Sun provides, and since it's all integrated into the pretty admin interface, you can't do much to implement newer, more secure versions of the software.

I certainly want to hear the horror stories, Michael! I'd also like to know what steps you attempted to take to lock the boxes down. Did you have too many exploits, and now you're scrapping them to go with a more secure/robust solution?

Thanks Again, -Buddah

  #5  
Old 04-30-2003, 12:27 AM
mgphoto mgphoto is offline
Web Hosting Master
 
Join Date: Aug 2002
Location: Atlanta, GA
Posts: 1,114
We actually do security installs for hosts and private clients using portsentry, tripwire, mailscanner and about 3 other programs.

The problem with the Cobalts is that half the time they come out with a new patch that creates more holes than it fixes or crashes the machine. There was one thread on the Sun forum with about 100 posters saying the new patch locked up or crashed their server. It took Sun over a week to take the patch down. Their only response was to go back to the old setup.

We've seen clients who have been hacked to the point that the server was useless and one case where one script kiddie was relaying spam email for four weeks before they found out he was in their server.

The Sun system was a great concept when it first came out. However, too many companies have surpassed them. The system is just too rigid and complex and the hackers and the mischief makers are ahead of them on the curve.

We have gone to straightforward Linux boxes. It has its own set of security problems but rarely is it a major issue to correct or work around.

__________________
SiteSouth
Atlanta, GA and Las Vegas, NV. Colocation


  #6  
Old 05-07-2003, 07:37 PM
Pingouin Pingouin is offline
WHT Addict
 
Join Date: Sep 2002
Location: Paris, France
Posts: 134

Quote:
Originally posted by mgphoto
As soon as those customers leave I will throw the Raqs away. I won't even resell them as used gear.
Mind throwing them in my direction or letting me know where you dispose of them?

Seriously, I must say our own experience sadly makes me share these comments and opinions. We still use RAQs but also get standard Linux boxes and try to forget the fear of clicking on Sun Update and hoping no irreversible harm will happen to the GUIs.
Happened with the RAQ4s, happens with the RAQ 550 we now have... Sad but true.

  #7  
Old 05-09-2003, 05:42 PM
MGCJerry MGCJerry is offline
Web Hosting Master
 
Join Date: Jan 2002
Posts: 2,998
Quote:
Originally posted by mgphoto
Thankfully I am down to the last 3 customers that still use them. As soon as those customers leave I will throw the Raqs away. I won't even resell them as used gear.
Agreed with Pingouin, you wouldn't mind sending one off my way also? Find out how much shipping is and I'll come up with shipping if you really want to get rid of one.

I'm looking into setting up an easy-to-use server for my LAN so I can develop my scripts and so I can get apache and MySQL off my computer.

__________________
Don't like what I say? Ignore me because it will be the only way you can shut me up.

  #8  
Old 05-14-2003, 04:53 PM
NyteOwl NyteOwl is offline
ThirtySx Bits Forever!
 
Join Date: Jul 2001
Location: Canada
Posts: 1,284
Quote:
Originally posted by mgphoto
As soon as those customers leave I will throw the Raqs away. I won't even resell them as used gear.
Yes throw a couple this way as well

__________________
"Obsolescence is just a lack of imagination."
