I want you to do a quick inventory of all the boxes, VPS, servers etc. you have root on.
Ok, now tell me, when is the last time you updated the one you almost forgot about? Is it vulnerable to ShellShock? Is it vulnerable to Heartbleed?
Go patch it now, I’ll wait.
Now, turn on automatic security updates on all the boxes you don’t log into at least every few days. (If I convinced you already, just skip to the bottom of this post to read how.)
It does not matter if you don’t care about those boxes. They WILL get owned and turned into a botnet that will make all of us on the Internet less secure. It’s a responsibility you have for managing a server on our Internet, together with making sure your mail server is not an open relay and your DNS server can’t be used for DDoS reflection.
“But Filippo, automatic updates are going to break my box!”
No. Distribution security updates are MEANT not to break things. And trust me, not patching security vulnerabilities is going to disrupt your service way sooner than a breaking update (if that ever happens).
“But my box can’t reboot cleanly and resume service”
This is bad: there are countless things that can reboot your box, host maintenance being the most likely, followed by kernel panics, out-of-memory kills… Having services start on boot is just part of a basic server setup.
Anyway, you can turn off automatic reboots and still get 70% of the benefits (maybe).
“Ok you sold it, how do I do it?”
Easy-peasy. Here are the instructions if you use Ubuntu (and I think it also works on Debian). If you know how to do it on other systems please email me!
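As an added example (not the post’s own instructions), here is a small POSIX shell script that writes the two apt configuration files that drive unattended security updates on Ubuntu, with automatic reboots turned off as discussed above. The target directory is a parameter so it can be dry-run in a scratch directory; on a real box you would pass /etc/apt/apt.conf.d, and the Allowed-Origins line below uses the Ubuntu naming (Debian’s security origin is spelled differently in its default config).

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the
# unattended-upgrades package is installed (apt-get install
# unattended-upgrades); it reads the files written here and logs
# what it did under /var/log/unattended-upgrades/.

write_auto_upgrade_conf() {
    # $1: apt.conf.d directory; $2: "true" or "false" for automatic reboot
    conf_dir="$1"
    reboot="${2:-false}"

    # 20auto-upgrades: refresh package lists and run unattended-upgrade
    # once a day (this is what dpkg-reconfigure unattended-upgrades writes).
    cat > "$conf_dir/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF

    # 50unattended-upgrades: only the security pocket (Ubuntu naming),
    # and reboot only if explicitly asked for.
    cat > "$conf_dir/50unattended-upgrades" <<EOF
Unattended-Upgrade::Allowed-Origins {
    "\${distro_id}:\${distro_codename}-security";
};
Unattended-Upgrade::Automatic-Reboot "$reboot";
EOF
}

# Returns 0 if the daily unattended-upgrade run is enabled in a directory.
auto_upgrades_enabled() {
    grep -q 'APT::Periodic::Unattended-Upgrade "1";' "$1/20auto-upgrades" 2>/dev/null
}

# Prints the configured reboot policy ("true" or "false"), empty if unset.
reboot_policy() {
    sed -n 's/^Unattended-Upgrade::Automatic-Reboot "\([a-z]*\)";$/\1/p' \
        "$1/50unattended-upgrades" 2>/dev/null
}
```

Running `auto_upgrades_enabled /etc/apt/apt.conf.d` on each box you inventoried is a quick way to spot the ones that are still updated by hand.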