|From:||Roger 'Rocky' Vetterberg (list...@401.cx)|
|Date:||Dec 3, 2003 5:48:26 am|
Paul Robinson wrote:
> Dirk Meyer wrote:
>> Local system status: 1:59AM up 1212 days, 17:50, 0 users, load averages: 0.00, 0.00, 0.00
>
> Now, please don't take this the wrong way Dirk, but I need to use you to make a point here.
>
> 1. Uptimes of 1,200 days say wonderful things about FreeBSD.
> 2. Uptimes of 1,200 days say terrible things about the administrators of those boxes.
>
> You were attempting to make point 1, and yes, FreeBSD is very stable and that's all very impressive. However, point 2 needs some consideration. There are good reasons to be keeping track of -STABLE and even more reasons to be keeping track of -RELEASE. You can't have been doing either of those for the last 4 years. That, in my opinion, leaves you vulnerable in a few ways.
>
> Of course, the real answer here is to work on a way of allowing for an "upgrade" to happen without re-booting the machine, thereby getting kernel patching without losing service or uptime. However, until we get to that point, consider patching at least once a quarter to a recent -RELEASE or even better, -STABLE cvsup, and go from there.

I have to jump in and defend Dirk here, since I frequently get the exact same kind of comments when I tell people about the 900 days uptime on some OpenBSD boxes I admin. These boxes are pure bridges, sitting in front of other boxes and doing simple bridging with some filtering. They have no IP addresses on any of the interfaces and they have no services running, not even sshd. The only way to access them is via local console, or in some cases via serial console.
I have checked the archives, and I can't find a single patch or exploit in the last 4 years that would help the functionality or security of these boxes. Now, does my 900 days uptime still say terrible things about me as an administrator?
I do take for granted that the machine Dirk mentioned in the original post is unreachable or in some other way impossible to penetrate, similar to my bridges. If it is not, and is indeed reachable from the internet, then I fully agree with Paul and must question Dirk's administrator skills. Today's internet is too hostile for systems that aren't frequently and regularly patched and maintained.