
It seems to me that there's some sort of "race condition" when you install a new Linux OS (this applies to every OS, but I'll restrict this question to Linux only). When you download the OS for a fresh installation, the image is usually out-of-date. In OSes that have a rolling release policy, the downloaded image is not very old, but in other cases it might be out-of-date by several months. Before you have a secure installation, you need to update it, which usually means that you need to connect to the internet. At this point, when you connect to the internet and before the update is complete, the OS might be vulnerable for a short time (usually minutes or hours).

  • Is this something we should worry about for common Linux OSes? I would suppose that remotely exploitable vulnerabilities during this process are non-existent, unless the Linux distribution is really screwed up by default and has insecure services running by default.
  • Would it be enough to just block all incoming connections before connecting to the internet? That is: 1) install, 2) set firewall to reject all incoming connections, 3) run updates.
  • Are there any best practices to follow to avoid this problem? I know in theory you could download the updates from another machine, and then install them offline, but that seems cumbersome (you'd first need to find out what packages should be downloaded, and for this you'd probably need to test the fresh installation in a VM, etc.)
reed
  • I would say usually this is nothing to worry about. At least, I have never heard of a case where "We installed our OS and in the 10 minutes before updates rolled out, we were hacked" was a contributing factor. Usually it's more akin to "We didn't update for 7 years, but we were really planning on doing it some day" –  Mar 25 '20 at 08:35

2 Answers

1

It's a good idea to make sure the system runs in a controlled environment until it is fully updated. Make sure that the system is not running any services that accept incoming connections, and that the system does not make any outgoing connections to any servers (except the update servers), until the system is updated. Better still, place the system behind a hardware firewall that prevents any incoming connections from external hosts from reaching it. With such a controlled environment, the window of opportunity is very small for an attacker who is trying to exploit a vulnerability in the yet-to-be-updated system.

There are actually Windows XP systems that have been running for years in similar controlled environments, without being compromised, even though Windows XP has been end of life since 2014.

mti2935
0

We had the same situation when installing our server cluster; to avoid such security issues, our process was as follows:

  • Set up switch with two port groups with different VLANs (internal, external)
  • Install nodes with the internal network only (1st NIC of servers)
  • Set up firewall rules to block all incoming traffic
  • Set up 2nd NIC of servers with respective external IPs
  • Test that the firewall rules work as expected (connect notebook configured with IP of the external IP block, run port scan on external IPs of servers)
  • Connect external switch port group to the internet, install updates
andaris
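The three-step sequence from the question (install, reject all incoming connections, then update), the first answer's point that nothing should be listening for incoming connections, and the second answer's "block all incoming traffic" step can be put into one pre-update script. The following is an added example written for this page, not code from either answer. It assumes a Linux host with nftables (`nft`) and iproute2 (`ss`) available, root privileges, and either `apt-get` or `dnf` as the package manager; the `ss` sample lines embedded in it are constructed for offline testing of the parser.

```shell
#!/bin/sh
# Added example (not from the question or answers): install a default-deny
# inbound nftables ruleset, confirm nothing is listening on a non-loopback
# address, and only then run the package update.
# Assumptions: nft and ss are installed, the package manager is apt-get or
# dnf, and the script runs as root:  LOCKDOWN_RUN=1 ./lockdown.sh

# Default-deny inbound ruleset: only loopback, replies to connections this
# host opened itself (the update download), and ICMP are let in.
nft_lockdown_ruleset() {
  cat <<'EOF'
flush ruleset
table inet lockdown {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    ct state invalid drop
    meta l4proto { icmp, ipv6-icmp } accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}
EOF
}

# Reads `ss -Hltnu` lines on stdin and prints how many listening sockets are
# bound to something other than loopback. Each such line is echoed to stderr
# so the administrator can see which services would be exposed.
external_listeners() {
  awk '{
    addr = $5
    sub(/:[^:]*$/, "", addr)            # strip the port, keep the address
    if (addr != "127.0.0.1" && addr !~ /^127\./ && addr != "[::1]") {
      print "exposed listener: " $0 > "/dev/stderr"
      n++
    }
  } END { print n + 0 }'
}

# Constructed sample of `ss -Hltnu` output (not captured from a real host):
# two of these four sockets would be reachable from the network.
SAMPLE_SS='tcp   LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:22    0.0.0.0:*
udp   UNCONN 0 0   [::1]:323     [::]:*
tcp   LISTEN 0 511 *:80          *:*'

run_updates() {
  if command -v apt-get >/dev/null 2>&1; then
    apt-get update && apt-get -y upgrade
  elif command -v dnf >/dev/null 2>&1; then
    dnf -y upgrade
  else
    echo "no supported package manager found" >&2
    return 1
  fi
}

lockdown_then_update() {
  # 1. firewall first, before any cable or VLAN uplink is connected
  nft_lockdown_ruleset | nft -f - || return 1
  # 2. refuse to continue while any service still listens on a real interface
  exposed=$(ss -Hltnu | external_listeners)
  if [ "$exposed" -ne 0 ]; then
    echo "$exposed listener(s) bound to non-loopback addresses; stop them first" >&2
    return 1
  fi
  # 3. only now fetch and apply the updates
  run_updates
}

if [ "${LOCKDOWN_RUN:-0}" = "1" ]; then
  lockdown_then_update
fi
```

Run it with `LOCKDOWN_RUN=1` only on the freshly installed host, before the external port group or uplink is connected. The output chain stays `accept` so the package download can leave; restricting outbound traffic to the mirror addresses, as the first answer suggests, is a further step this example does not take.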