GregD's questions

I'm asking this question of the SF community based on the latest posting from Dreamhost (a significant webhosting provider here in the US) based on significant downtime suffered from them:

We run Debian OS and have used autoupdates to ensure security packages are installed as soon as they are available. We’ve had some breakage in the past from this approach, but nothing major. However last night’s autoupdate went badly wrong, removing essential packages from dedicated, VPS and some shared servers.

I'm curious because my approach has always been to never autoupdate my Windows Servers, test patches and track installed patches diligently. I even go so far as to let a couple of days pass after patch Tuesdays to see if anyone else is experiencing issues with a just released patch. Since I don't maintain *nix servers as a general rule, I was wondering if it's different for *nix?

Am I too conservative? What do you do?

Edited to add: Here is more info from their site

Our monitoring and support team flagged the issue fast, and we scrambled our admin, dev and NOC teams to reinstall the packages that had been removed by autoupdate, reboot servers, fix package dependencies, and test that individual services were live. Given the number of services affected, this took a long time to complete. Rest assured we had all hands working on the issue, but I know it was still a frustrating experience for customers.

To mitigate the risk of anything like this happening again, we’re immediately switching off autoupdates, and moving to a manual process where we’ll only push out Debian updates after significant testing.

I'm using host headers in IIS 6 to host multiple websites for the same IP address. Currently I have a need to access one of the websites by IP address rather than URL. Any idea how to do this?

I could take advantage of DNS Rewrite on my firewall but I don't have access to it right at the moment.

What are you sysadmins doing to make sure that your ability to remote admin a firewall is the safest it can be? What is the safest setup you have, short of only using the console connection and having to physically touch the firewall?

What, if any, steps do you take to minimize the potential of client personal computers being subject to e-discovery during potential lawsuits when their personal home computers are used for work?

What I have so far:

1. Don't allow remote access with personal devices.

2. Only allow web-based email access (through OWA).

3. Allow web-based VPN access to files and email w/out remote desktop or citrix support.

4. Allow full-blown VPN access.

1. Doesn't seem practical.
2. Nothing beyond cookies is stored on the local client machine.
3. Access to files via Web-based VPN means they're downloadable to client machine.
4. Just like the computer is sitting on the network. (From an e-discovery perspective is there a difference between web-based VPN and client or firewall-based VPN?)

Our users are understandably blinky about their personal computers being subject to e-discovery. Has anyone had to go through e-discovery because of a lawsuit? What policies do you have in place regarding this?

Edited to add

Not using their personal home computers for work is not really feasible. There are instances when they don't anticipate being sick, therefore do not lug home a work computer, and need to work from home through the vpn.