Comments on: 57 Simple Sys Admin Mistakes that Someday You’ll Regret

By: Rob

Rob — Wed, 25 Apr 2012 17:15:38 +0000

Nice list, thanks for compiling that! Here are a few other simple, but very, very useful ones:
*Never* use the “root” account when logging into a system remotely, not even when using SSH. SSh is secure and all, but the PermitRootLogin option should always be set to “No”. This way, if you do have someone sniffing on your network and exploiting SSH in some way, they’re still not gonna be able to sniff your root password. Also, just logging in as root “because it’ll allow you to do anything with no trouble” just isn’t an excuse and should be considered very, very bad practice. Also, on my own server, I’ve seen lots and lots of script kiddies establishing a connection to my sshd and trying to brute force my root password. Well, that’s never gonna lead to success once remote root logins are disabled, even if the attacker would guess the correct password for root.
Another no-brainer that’s caused lots of trouble in the past is not checking file permissions. If, say, you edit the config file of a daemon and then put it in its appropriate directory, you’ll most likely want that file to belong to that daemon’s service user. Otherwise, you’ll end up with annoying “permission denied” errors and services not being able to launch directory. This can also be a huge pain when you set up a mail service, but forget to assign the right permissions / ownerships to the directory where mail should be saved…
My last suggestion is especially related to apt-based systems, such as Debian and Ubuntu. The apt-packaging system is sweet and easy to use, and can save a lot of compiling and installation time. Another thing that makes apt so “sweet” is the fact that it makes it very easy to deploy updates and apply security patches. Thus, my simple suggestion is to take advantage of that! Install a tool such as Apticron, which can check your apt repositories for updates on a daily basis, and will conveniently send out an EMail whenever an update is available. Take the time to read through the (mostly brief) changelogs, then log in and install the updates. This will take you about 2 minutes. I do not, however, recommend using any software that will update your system automatically. It’s never good to lose control of what is going on on your system.
Not sure if everyone will agree with me on these points, just my 2 cents really!
Happy hacking everyone.

By: lewax00

lewax00 — Mon, 23 Apr 2012 23:09:40 +0000

And you think Bing doesn’t? I have news for you: if a service is free, you aren’t the customer, you’re the product.

By: Dave

Dave — Mon, 23 Apr 2012 18:09:41 +0000

These tips are great. However; if you work for more than a small organization where you are the admin, engineer, help desk, and have employees who never receive any training you will break a lot of the rules. Unless of course you like working 16 hour days.

By: Roberto

Roberto — Thu, 19 Apr 2012 15:26:36 +0000

The only reason to use Google, is to be phished and data mined.

By: Christina Goggi

Christina Goggi — Thu, 19 Apr 2012 13:01:08 +0000

Hi Dude, there are two schools of thought on this controversial topic, but my own experiences have taught me that it is less risky to apply an untested patch than to not patch at all. The vast majority of incidents I have worked came down to someone exploiting an unpatched vulnerability.

Often, when a patch does cause a problem, it causes that problem with third party software, or non-standard configs, so if your servers are fairly vanilla, the risk is pretty low. Even with testing, if there is a problem with a patch, it may not show up until someone performs a task you didn’t test for, like a month end closing, or a full backup, or an alignment of the flux capacitor, or a future update of your antivirus software, so at the end of the day, testing may reduce the risk of a patch introducing a problem but it cannot eliminate it.

By: Richard Hobbs

Richard Hobbs — Thu, 19 Apr 2012 09:13:28 +0000

Point 41 is very true. However I would be poorer as I spend a lot of time fixing virus attacks when a user has disabled the anti-virus.

By: Dude

Dude — Wed, 18 Apr 2012 18:45:20 +0000

nice list!

50. Deploying an untested patch is only fractionally worse than…

51. Skipping a patch.

I have heard just deploy all patches as soon as possible, because exploits are developed in record time now a days. Finding the time to test every patch for every software for every configuration is impossible. If you have good nightly backups you can roll back updates in most cases and issues with patches are few and far between, at least for major vendors.

Or am I way off?

By: Bill Gates

Bill Gates — Wed, 18 Apr 2012 16:27:53 +0000

Writing all your passwords in a little book and then accidentally throwing it away with the junk mail on your desk.

By: Erik

Erik — Wed, 18 Apr 2012 16:19:56 +0000

The only reason to use Bing, is to search for Google. Much the same: the only reason to use IE is to download Firefox / Chrome.

By: Christina Goggi

Christina Goggi — Wed, 18 Apr 2012 15:23:30 +0000

Hah! Good one!