Fully Patched

With all that automated ssh scanning going on, someone thought to set up a honey pot to see what the scanners are up to. (Well, I guess he already knew what they were up to, but wanted to see the intruders in action.)

In his words, he "set up a debian woody fully patched with both accounts activated, and got rooted some days later..." Subsequently, he clarified that sshd was the only service running on said boxen.

A long discussion followed, with various opinions expressed and questions raised:

• "you said you knew about some SSH scanning going on, then set up those accounts on a box. Now you are curious way (sic) that box got rooted?"
• Did you set up the admin account as root?
• Don't give shell access to people you do not trust.
• "In spite of many reports to the contrary, Linux is _not_ secure by default. Did you harden it?"
• Maybe you patched your system, but did you reboot it so that it was running the patched kernel?
• "You are running a custom kernel. If you run a custom kernel, obviously you don't benefit from the patches to the stock kernel."

Some of the above points sounded silly or facetious when you read them in their original mailing list-followup form, but I think they are all good points when presented in a list like this. ;-)

The key concern is: If one runs a fully-patched box, is one still susceptible to local root exploits? How bad is the situation?

Before one worries about that, though, one ought to make sure "fully patched" really means fully patched, imho.