What are the risks for not updating the OS regularly?
For the following topic: http://www.lowendtalk.com/discussion/517/updating
I don't update my VPS operating system often; most of the time I update it when I rebuild the VPS, running:
apt-get update
apt-get upgrade
or in CentOS
yum -y update
But actually, I rarely have a VPS for that long!
So is it too risky to leave a VPS for months without running updates for OS?
Appreciate your help.
Comments
Well, it all depends on what has updates. When a vulnerability is fixed that allows an attacker to gain root access, it's clearly important to update your system. This is why regular updating is a good idea. I've been burned in the past for not keeping systems up to date.
There is also a small chance that some update might break your site so don't just update blindly without any testing.
I never update; however, I've never had a VPS longer than a month due to slow response times, I/O, etc.
@cleonard: That's why I'm curious about the updating process; errors afterwards are a nightmare for me. But I will try to follow up. I have VPSes paid for long terms which haven't been updated in a long time, and which are expected to be in production for not less than months or a year to come.
@Ixape: Somehow a problematic client I guess :P
Have been with 10+ VPS hosts and only been warned for stuff once. :P
@Ixape You didn't get a warning from BuyVM when you scraped LowEndBox.com and consumed 2x as much bandwidth as all the other visitors put together?
That's terrible.
Francisco
When it's so easy to do these days with apt or yum, why not keep your core system up to date???
Will you get exploited if you don't? Maybe, maybe not. No-one can tell you for sure. If you do, you can always tell yourself, "Jeezus, I'm a crappy sysadmin. I got exploited 'cause I was too freekin' lazy to type a few characters into a bash prompt."
Security issues may be pretty serious, especially in apache, ssh and other services facing the outside.
leaving not updated boxes is über lame
Period
Wait, what? Tell me more.
Same here, seems to be interesting.
Better upgrade, coz yeah, and then I can buy those hacked FTP boxes and RDPs for 50c-$1 each
Last December Debian had a security issue in Exim that made it possible to gain root access from the outside by trying to send a specially formed mail through the mailserver.
I guess that most servers that were not updated were infected by rootkits within 2 weeks of the discovery of the issue.
apticron is your friend.
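Along the lines of the apticron suggestion above, here is an added example (not from the thread or from apticron itself) of a small report that tells you whether anything pending in apt actually comes from a security suite, which is the question behind this whole thread. It parses the "Inst" lines of a dry-run `apt-get -s upgrade` and flags packages whose origin is a `-security` pocket or `Debian-Security`. The embedded sample output, package names and version strings are constructed for the demo; the `--live` switch runs the real dry-run when apt-get is present.

```shell
#!/bin/sh
# Report pending upgrades that come from a security suite, based on the
# simulation output of `apt-get -s upgrade` (no root needed for -s).

# Read apt-get -s output on stdin; print "pkg old new origin" for every
# "Inst" line whose origin field points at a security suite.
# Typical Inst line:
#   Inst openssl [1.1.1n-0+deb11u4] (1.1.1n-0+deb11u5 Debian-Security:11/stable-security [amd64])
# A brand-new package has no "[old]" part, so that field is optional.
list_security_upgrades() {
    awk '
        $1 == "Inst" {
            pkg = $2
            rest = ""
            for (i = 3; i <= NF; i++) rest = rest (i > 3 ? " " : "") $i
            old = ""
            if (match(rest, /^\[[^]]*\]/)) {
                old = substr(rest, 2, RLENGTH - 2)   # strip the brackets
                rest = substr(rest, RLENGTH + 2)     # skip "] "
            }
            gsub(/^\(|\)$/, "", rest)               # "(newver origin [arch])" -> "newver origin [arch]"
            split(rest, f, " ")
            newver = f[1]; origin = f[2]
            if (origin ~ /-security|Debian-Security/)
                printf "%s %s %s %s\n", pkg, (old == "" ? "-" : old), newver, origin
        }'
}

# Number of security-sourced upgrades in the stdin simulation output.
count_security_upgrades() {
    list_security_upgrades | wc -l | tr -d ' '
}

# Constructed sample of `apt-get -s upgrade` output (hypothetical versions):
# two Debian-Security packages, one Ubuntu -security package, one plain
# stable update, plus the usual NOTE banner and Conf lines that must be ignored.
SAMPLE_APT_SIMULATION=$(cat <<'EOF'
NOTE: This is only a simulation!
      apt-get needs root privileges for real execution.
Inst libc6 [2.31-13+deb11u5] (2.31-13+deb11u7 Debian-Security:11/stable-security [amd64])
Inst openssl [1.1.1n-0+deb11u4] (1.1.1n-0+deb11u5 Debian-Security:11/stable-security [amd64])
Inst tzdata [2021a-1+deb11u8] (2021a-1+deb11u10 Debian:11.7/stable [all])
Inst curl [7.81.0-1ubuntu1.10] (7.81.0-1ubuntu1.13 Ubuntu:22.04/jammy-security [amd64])
Conf libc6 (2.31-13+deb11u7 Debian-Security:11/stable-security [amd64])
Conf openssl (1.1.1n-0+deb11u5 Debian-Security:11/stable-security [amd64])
EOF
)

# Run against the sample by default, or against the real system with --live.
if [ "${1:-}" = "--live" ] && command -v apt-get >/dev/null 2>&1; then
    apt-get -s upgrade 2>/dev/null | list_security_upgrades
else
    printf '%s\n' "$SAMPLE_APT_SIMULATION" | list_security_upgrades
fi
```

Drop this in a daily cron job and mail the output to yourself (or feed the count into your monitoring) and you have the gist of what apticron gives you: a nudge only when something security-relevant is waiting, so "I'll update when I rebuild" stops being the default. On yum/dnf systems the equivalent is `yum check-update --security` with the security plugin installed.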
So that's how you get to sell those proxies so cheap.
... well, that certainly makes you wonder, doesn't it <_<
Could have sworn I had a post here...
We'll tell your mom if you don't upgrade. That's your major risk.
A number of my clients have been hacked over the years (edit: before they became our clients). That, I think, is the number one reason why they're willing to pay the few extra bucks to host with us, as we take care of all that. Running popular software that's a few versions behind with known security issues is what did them in.
Better question to ask is what would happen if you didn't upgrade...
If you don't upgrade you always risk your system getting hacked. As it is always said, "Prevention is better than cure".
It's really funny to see how people define "up-to-date" or "current". I mean, I would not have the balls to call my system "up-to-date" or "current" if I were using RHEL/CentOS/SL/Debian 5 & 6... Maybe plus Ubuntu...
There is only one "up-to-date" or "current" distro available (even if you are running the "stable" version):
Arch.
Period.
Wait, maybe Gentoo.
So, which one is more stable/secure?
Using old software + monkey patches (called "security updates") for old releases - "those distros"
Using current mainstream software (not alpha/testing though) w/ security updates built-in already - "THE Arch"
Obviously I'm an Arch fan but I'm just telling the truth.
Besides, it doesn't make sense if you do not upgrade your system. For servers, I know some are just afraid of breaking them. But hey, you should have at least 2 servers and upgrade the backup one first. I see more problems from not upgrading than from keeping your servers "up-to-date" like CentOS or up-to-date like Arch.
Distroll
@ztec: nooo loool absolutely not, all my proxies are purchased and registered legally lol
@Aldryic: no no no
Just recently I found an offer for them at that price, but I wouldn't get into some illegal activity.
Hmmm, I might need to look into this Arch distro a little more closely. Sounds a bit easier than compiling the latest of everything.
As much as I like my Gentoo, I won't use it on my prod boxes. How often have you run
emerge world
and then found out some things are broken due to deep dependencies, or just incompatibility? For example, your home-grown application was designed for MySQL 5.0 and never tested against MySQL 5.1. A normal
apt-get update
will not automatically move your platform to the next major version, but I think the Arch/Gentoo equivalents would (with lots of warnings, of course). That's why you need at least 2 servers. Honestly, using Arch on OpenVZ is indeed a nightmare - probably the most dangerous task. Unless you know exactly what to fix RIGHT AFTER the upgrade and BEFORE the reboot, you have a good chance of losing your VPS forever (no ssh, no console, etc.). If the host provider doesn't know how to or is not willing to help, it's gone.
The current widely used Arch template for OpenVZ is just TOO old. Any simple upgrade will destroy the whole system by default. First you need to use a special glibc repo for OVZ VPS, and then, most importantly, some rc scripts need to be modified before reboot, otherwise you will lose /dev/tty so that neither an ssh nor a console connection can be established.
But once you've figured it out, there is nothing to worry about. Backup server first, then production server. Before upgrading, just remember to create a backup, that's it.
I don't know much about Gentoo on OpenVZ, but Debian/Ubuntu seem okay. Unless you use "apt-get dist-upgrade", the major version will remain the same.
I have git repo for all necessary changes/modifications and I keep it up-to-date. So each time I install a new Arch on OpenVZ I just git clone and copy. It's like the scripts you have for LEB/LET I guess.
Try Arch on KVM first. Avoid OVZ as much as possible (or you will have to troubleshoot a lot, just like I did).
Arch runs great on KVM for me. I wouldn't touch it on OVZ though, typically too old a kernel; it's not something I'd want to mess around with for production.
Does Arch finally have signed packages? Or... well, any kind of system to verify the integrity of the packages you're installing?
I run Arch on OpenVZ without any issue except for the problems that you encounter in Arch Linux on all platforms (did a fresh install + pacman -Syu + reboot, and the only things that broke were the locale.sh error they posted on their front page and the hostname, since they removed net-utils). I do hate how the Arch devs remove and break a lot of stuff quite frequently, because they tend to code for themselves, not the end users.