[Info-vax] DNFS1ACP using 100% of CPU

Sum1 not at here.com
Sat Oct 12 20:36:06 EDT 2013 

On 2013-10-13 00:00:33 +0000, JF Mezei said:

> On 13-10-12 13:34, Stephen Hoffman wrote:
> 
>> You're correct that VMS is not a mass-market security target.
> 
> Botnets/hackers tend to look for vulnerabilities without really checking
> the OS type. For instance, a BIND vulnerability is tested on any server
> that responds to port 53.
> 
> As such, VMS is not any more immune to attempts than any other OS.
> 
> Where there is a huge difference is that VMS runs ancient versions of
> open source stuff like BIND and those versions do not contain the many
> security fixes that have since been issued and thus the VMS version
> remains vulnerable to those problems.
> 
> 
> Whereas Linux tends to be vulnerable for a couple of weeks before
> patches are available, VMS remains vulnerable for years.
> 
> A good port scanner will let you know what services OS-X is offering,
> and you can block unwanted ones at the router level or disable those
> services on OS-X.

Hi JF

Everything is behind a router and a firewall.  Only port 80 is exposed 
on OpenVMS.  Nothing is running except WASD, files are served by 
(dodgy!) NFS which OSX provides as read-only.  It has been like this 
for many years and I have seen attacks and scans come and go, but 
nothing in VMS TCP/IP or the WASD application or VMS seems to respond 
incorrectly.  I am comfortable that WASD is secure, I am *not* 
comfortable that Apache is.  I have functionality, albeit recently 
dodgy NFS performance, and security and I am not constantly looking for 
new patches to apply to Apache, PERL, PHP etc.  It is almost 
set-and-forget, it runs, people get their pages and nothing 
successfully attacks it.

It is an extremely simple setup without any attempt to make it pretty, 
flashy, drop-down anything…all just static pages served from read-only 
NFS sources.

Something may be vulnerable, but only port 80 is exposed and the 
underlying supporting infrastructure seems to be sound.  Having done 
this elsewhere on OSX, it takes more effort, maintenance and vigilence 
:)

More information about the Info-vax mailing list