What are the risks for not updating the OS regularly?

Go59954 Member
edited October 2011 in Help

For the following topic: http://www.lowendtalk.com/discussion/517/updating

I don't update my VPS operating system often; most of the time I update it when I rebuild the VPS, running:

apt-get update
apt-get upgrade

or in CentOS

yum -y update

But actually, I rarely have a VPS for that long!
So is it too risky to leave a VPS for months without running OS updates?

Appreciate your help.

Comments

  • Well it all depends on what has updates. When a vulnerability is fixed that allows an attacker to gain root access, it's clearly important to update your system. This is why regular updating is a good idea. I've been burned in the past for not keeping systems up to date.

    There is also a small chance that some update might break your site so don't just update blindly without any testing.

  • I never update however I've never had a VPS longer than a month due to slow response times, I/O etc

  • @cleonard: That's why I'm curious about the updating process; errors afterwards are a nightmare for me. But I will try to follow up. I have VPSes paid for long terms which haven't been updated in a long time, and are expected to be in production for not less than months or a year to come.

    @Ixape: Somehow a problematic client I guess :P

  • Go59954 said: Somehow a problematic client I guess :P

    Have been with 10+ VPS hosts and only been warned for stuff once. :P

  • @Ixape You didn't get a warning from BuyVM when you scraped LowEndBox.com and consumed 2x as much bandwidth as all the other visitors put together?

  • Francisco Top Host, Host Rep, Veteran

    LowEndAdmin said: @Ixape You didn't get a warning from BuyVM when you scraped LowEndBox.com and consumed 2x as much bandwidth as all the other visitors put together?

    That's terrible.

    Francisco

  • When it's so easy to do these days with apt or yum, why not keep your core system up to date???

    Will you get exploited if you don't? Maybe, maybe not. No-one can tell you for sure. If you do, you can always tell yourself, "Jeezus, I'm a crappy sysadmin. I got exploited 'cause I was too freekin' lazy to type a few characters into a bash prompt."

  • breton Member
    edited October 2011

    What are the risks for not updating the OS regularly?

    Security issues may be pretty serious, especially in apache, ssh and other services facing the outside.

  • leaving not updated boxes is über lame

  • @ksx4system said: leaving not updated boxes is über lame

    Period

  • LowEndAdmin said: @Ixape You didn't get a warning from BuyVM when you scraped LowEndBox.com and consumed 2x as much bandwidth as all the other visitors put together?

    Wait, what? Tell me more.

  • fan Veteran

    @ztec said: Wait, what? Tell me more.

    Same here, seems to be interesting.

  • kristal Banned
    edited October 2011

    better upgrade coz yeah and then i can buy those hacked ftp's boxes and rdp's for 50c-1$ each

  • Leo Member

    Security issues may be pretty serious, especially in apache, ssh and other services facing the outside.

    Last December Debian had a security issue in Exim that made it possible to gain root access from the outside by trying to send a specially formed mail through the mailserver.

    I guess that most servers that were not updated were infected by rootkits within 2 weeks after the discovery of the issue.

    apticron is your friend.
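As an added example (not from the thread or any poster), a small POSIX shell script that parses the output of apt-get's simulation mode, which installs nothing, to count how many of the pending upgrades on a neglected Debian box come from a security origin; the sample apt-get output, package names and versions are constructed for illustration.

```shell
#!/bin/sh
# Added example: review what `apt-get -s upgrade` would do before changing anything.
# Each "Inst <pkg> [<installed>] (<candidate> <origin> [<arch>])" line is one pending
# upgrade; an origin like "Debian-Security:6.0/stable" marks a security fix.

# Constructed sample of `apt-get -s upgrade` output (names, versions and origins are
# made up for illustration). Every function below reads such output from stdin.
SAMPLE_APT_SIMULATION='Reading package lists...
Inst exim4-config [4.72-6] (4.72-6+squeeze1 Debian-Security:6.0/stable [all])
Inst exim4-base [4.72-6] (4.72-6+squeeze1 Debian-Security:6.0/stable [amd64])
Inst exim4 [4.72-6] (4.72-6+squeeze1 Debian-Security:6.0/stable [amd64])
Inst openssh-server [1:5.5p1-6] (1:5.5p1-6+squeeze1 Debian-Security:6.0/stable [amd64])
Inst libc6 [2.11.2-10] (2.11.2-10 Debian:6.0.3/stable [amd64])
Inst tzdata [2011d-0squeeze1] (2011h-0squeeze1 Debian:6.0.3/stable [all])
Conf exim4-config (4.72-6+squeeze1 Debian-Security:6.0/stable [all])'

# Number of packages apt-get would upgrade (one "Inst" line each; "Conf" lines are not counted).
count_pending_upgrades() {
    awk '/^Inst / { n++ } END { print n + 0 }'
}

# Number of pending upgrades served from a security origin.
count_security_upgrades() {
    awk '/^Inst / && /Security/ { n++ } END { print n + 0 }'
}

# Names of the packages with a pending security fix, sorted, one per line.
list_security_upgrades() {
    awk '/^Inst / && /Security/ { print $2 }' | sort
}

# One-line verdict suitable for a cron job or monitoring check:
# returns 0 when nothing security-related is pending, 2 when something is.
security_verdict() {
    out=$(cat)
    total=$(printf '%s\n' "$out" | count_pending_upgrades)
    sec=$(printf '%s\n' "$out" | count_security_upgrades)
    if [ "$sec" -gt 0 ]; then
        pkgs=$(printf '%s\n' "$out" | list_security_upgrades | tr '\n' ' ')
        printf 'ATTENTION: %s pending upgrades, %s from a security origin: %s\n' "$total" "$sec" "$pkgs"
        return 2
    fi
    printf 'OK: %s pending upgrades, none from a security origin\n' "$total"
}

# Demonstration on the constructed sample; the verdict's exit status is kept in a variable.
printf '%s\n' "$SAMPLE_APT_SIMULATION" | security_verdict
demo_status=$?
```

On a real box the same functions take live input, e.g. `apt-get update && apt-get -s upgrade | security_verdict`, which still installs nothing.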

  • kristal said: better upgrade coz yeah and then i can buy those hacked ftp's boxes and rdp's for 50c-1$ each

    So that's how you get to sell those proxies so cheap.

  • ztec said: So that's how you get to sell those proxies so cheap.

    ... well, that certainly makes you wonder, doesn't it <_<

  • drmike Member
    edited October 2011

    Could have sworn I had a post here...

    We'll tell your mom if you don't upgrade. That's your major risk. :)

    A number of my clients have been hacked over the years (edit: before they became our clients). That I think is the number one reason why they're willing to pay the few extra bucks to host with us, as we take care of all that. Running popular software that's a few versions behind with known security issues is what did them in.

    Better question to ask is what would happen if you didn't upgrade...

  • If you don't upgrade you always risk your system getting hacked. As is always said, "Prevention is better than cure".

  • It's really funny to see how people define "up-to-date" or "current". I mean I would not have the balls to call my system "up-to-date" or "current" if I were using RHEL/CentOS/SL/Debian 5&6... Maybe plus Ubuntu...

    There is only one "up-to-date" or "current" distro available (even if you are running the "stable" version):

    Arch.

    Period.

    Wait, maybe Gentoo.

    So, which one is more stable/secure?

    1. Using old software + monkey patch (called "security updates") for old releases - "those distros"

    2. Using current mainstream software (not alpha/testing though) w/ security updates built-in already - "THE Arch"

    Obviously I'm an Arch fan but I'm just telling the truth.

    Besides, it doesn't make sense if you do not upgrade your system. For servers I know some are just afraid of breaking them. But hey, you should have at least 2 servers and upgrade the backup one first. I see more problems not upgrading than keeping your servers "up-to-date" like CentOS or up-to-date like Arch.

  • danielfeng said: There is only one "up-to-date" or "current" distro available (even if you are running the "stable" version):

    Arch.

    Distroll :)

  • kristal Banned
    edited October 2011

    @ztec: nooo loool absolutely not, all my proxies are purchased and registered legally lol

    @Aldryic: no no no

    Just recently I found an offer for them at that price, but I wouldn't get into some illegal activity.

  • Hmmm, I might need to look into this Arch distro a little more closely. Sounds a bit easier than compiling the latest of everything.

  • danielfeng said: which one is more stable

    1. Those are not just "old software", but also a stable platform on which other applications and software depend.
    2. Those are not "monkey patching", but well tested against a stable platform (rather than a rolling platform).
    3. Latest and greatest are not always the most stable.

    As much as I like my Gentoo, I won't use it on my prod boxes. How often have you run emerge world and then found out some things are broken due to a deep dependency, or just incompatibility? For example your home-grown application was designed for MySQL 5.0 and never tested against MySQL 5.1. A normal apt-get update will not automatically move your platform to the next major version, but I think Arch/Gentoo equivalents would (with lots of warnings, of course).

  • @LowEndAdmin said: As much as I like my Gentoo, I won't use it on my prod boxes. How often have you run emerge world and then found out some things are broken due to a deep dependency, or just incompatibility? For example your home-grown application was designed for MySQL 5.0 and never tested against MySQL 5.1. A normal apt-get update will not automatically move your platform to the next major version, but I think Arch/Gentoo equivalents would (with lots of warnings, of course).

    That's why you need at least 2 servers. Honestly, using Arch on OpenVZ is indeed a nightmare - probably the most dangerous task. Unless you know exactly what to fix RIGHT AFTER upgrade and BEFORE reboot, you have a good chance of losing your VPS forever (no ssh, no console, etc.). If the host provider doesn't know how to or is not willing to help, it's gone.

    The current widely used Arch template for OpenVZ is just TOO old. Any simple upgrade will destroy the whole system by default. First you need to use a special glibc repo for OVZ VPS, and then most importantly some rc scripts need to be modified before reboot, otherwise you will lose /dev/tty so that neither an ssh nor a console connection can be established.

    But once you've figured it out, there's nothing to worry about. Backup server first, then production server. Before upgrading just remember to create a backup, that's it.

    I don't know much about Gentoo on OpenVZ, but Debian/Ubuntu seem okay. Unless you use "apt-get dist-upgrade", the major version will remain the same.

    I have a git repo for all necessary changes/modifications and I keep it up-to-date. So each time I install a new Arch on OpenVZ I just git clone and copy. It's like the scripts you have for LEB/LET I guess.

  • @cleonard said: Hmmm, I might need to look into this Arch distro a little more closely. Sounds a bit easier than compiling the latest of everything.

    Try Arch on KVM first. Avoid OVZ as much as possible (or you will have to troubleshoot a lot just like I did).

  • Arch runs great on KVM for me, I wouldn't touch it on OVZ though, typically too old of a kernel, it's not something I'd want to mess around with for production.

  • Does Arch finally have signed packages? Or... well, any kind of system to verify the integrity of the packages you're installing?

  • KuJoe Member, Host Rep
    edited November 2011

    I run Arch on OpenVZ without any issue except for the problems that you encounter in Arch Linux on all platforms (did a fresh install + pacman -Syu + reboot and the only thing that broke is the locale.sh error they posted on their frontpage and the hostname since they removed net-utils). I do hate how the Arch devs remove and break a lot of stuff quite frequently because they tend to code for themselves, not the end-users.
