
There was a period a while back when a bunch of serious vulnerabilities were found. Heartbleed, Logjam, POODLE, FREAK, etc.

Nothing major like that has come up during the past year.

Question: If I set up a brand-new Linux VPS today with, say, Ubuntu 16.04 LTS -- with nginx webserver and Postfix/Dovecot mail server -- can I safely assume that I'm by default safe against all of those > 1 year old vulnerabilities?

SUPower

2 Answers

The answer to this question as asked might be outdated tomorrow if something similarly important hits the news.

Anyway, you can't simply assume you are safe unless you verified the following:

  • All the latest patches are installed. Don't just assume a freshly installed VPS is up to date.
  • Your services are configured in a secure manner, i.e. you didn't use some old config templates or excerpts from blogs or tutorials that run services in an insecure manner (as some of these attacks can be mitigated by changes to configuration files, e.g. for encryption methods).
  • Don't be fixated on the big things. Smaller issues exist and must be taken seriously, depending on your circumstances.

So, in short, the answer would be No.

Sven

The mentioned vulnerabilities have been patched by most Linux distributions. However, some of the vulnerabilities were not fixed by patches, but resolved by making post-install config changes.

Heartbleed - OS level issue. Patched

LogJam - More of a browser issue. Patched

POODLE - Really a user-side issue to fix.

FREAK - OS level issue. Patched.

I would recommend checking the nginx site along with Postfix/Dovecot sites specifically for the areas of concern or what actions are to be taken to protect yourself.

For nginx after you configure your SSL certs go to Qualys to test. After the test completes Qualys gives you the exposed vulnerabilities and concerns. This should give you a place to start your research.

xguru
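Both answers make the same point: Heartbleed went away with the patched OpenSSL package, but POODLE, FREAK and Logjam are mitigated in the nginx TLS configuration, so a fresh install only helps if those directives are right. The following checker is an added example written for this page (not code from either answer or from nginx) that reads an nginx config and flags the config-level exposures; the two sample server blocks are constructed, and the cipher keyword list is an assumption about which OpenSSL cipher-list names re-enable weak suites.

```python
import re

# Constructed sample nginx server blocks used only to exercise the checker.
LEGACY_NGINX_CONF = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers EXPORT:RC4:HIGH:!aNULL;
}
"""
HARDENED_NGINX_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5:!RC4:!EXPORT;
    ssl_dhparam /etc/nginx/dhparam.pem;
}
"""

# OpenSSL cipher-list keywords that enable export-grade or broken suites (assumed list).
WEAK_CIPHER_TOKENS = {"EXPORT", "EXP", "RC4", "DES", "NULL", "eNULL", "aNULL", "MD5", "LOW"}

def _directive(conf, name):
    """Return the argument text of the last `name ...;` directive in conf, or None."""
    hits = re.findall(r"^\s*%s\s+([^;]+);" % re.escape(name), conf, re.MULTILINE)
    return hits[-1].strip() if hits else None

def audit_nginx_tls(conf):
    """Return (issue, detail) pairs for config-level exposures in an nginx TLS block.
    Heartbleed is deliberately absent: it is an OpenSSL library bug that only a
    patched package removes, so no nginx directive can reveal it."""
    findings = []
    protocols = _directive(conf, "ssl_protocols")
    if protocols and re.search(r"\bSSLv[23]\b", protocols):
        findings.append(("POODLE", "ssl_protocols still offers SSLv3 (or SSLv2)"))
    ciphers = _directive(conf, "ssl_ciphers")
    if ciphers:
        # Tokens prefixed with '!' or '-' are exclusions and do not enable anything.
        enabled = {t for t in re.split(r"[:,\s]+", ciphers) if t and t[0] not in "!-"}
        weak = sorted(enabled & WEAK_CIPHER_TOKENS)
        if weak:
            findings.append(("FREAK", "ssl_ciphers enables weak suites: " + ", ".join(weak)))
    if _directive(conf, "ssl_dhparam") is None:
        # Without ssl_dhparam, nginx builds of that era fall back to built-in
        # 1024-bit DH parameters, the size Logjam showed to be inadequate.
        findings.append(("Logjam", "no ssl_dhparam; generate >= 2048-bit DH parameters"))
    return findings
```

Run it against `/etc/nginx/sites-enabled/*` before the Qualys test; an empty list means the config-level items are covered, and `apt-get upgrade` remains the only answer for the library-level ones.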