FOOD FOR THOUGHT to YUM Update or to not YUM Update, that is the question

[knotworking]

I know the standard advice is to not mess with a working system, but I still don't feel comfortable when my system is telling me there are 133 Packages that need updating (and this is after running the PIAF auto-update script at SSH login). None of the packages are for the kernel or firmware, would it be so wrong to allow YUM to do it's thing?

 

[briankelly63]

Generally if you are behind a firewall you won't gain much from security updates. If there is a serious memory leak or functionally issue then I would do a full backup, better yet clone the whole drive and then do such an update when you can afford for it to be down for a while. Or update the identical cloned system and then swap back.
I always assume worst case.

Your PBX is somewhere between a PC & a Smart Washing Machine. Closer to washing machine is the necessity for updates.

 

[knotworking]

Thanks Brain. It's a good point, I have plenty of devices with embedded *nix operating systems that never get updated. I admin a dedicated web server, after Poodle, Heartbleed and all the other exploits/vulnerabilities that I continually have to deal with, I'm very conditioned to always keep things up-to-date. I need to compartmentalize that urge....

 

[Dave Gray]

Ummm, I disagree. That exact reasoning is why, for example, routers are being compromised on a wholesale basis.

If your washing machine is connected to the internet, you bloody better keep up with the manufacturer's updates, or your going to have some very funny looking clothes. Pretty much any router older than a year or two, that hasn't been kept up to date, is easy meat for someone who wants in. Similarly, there are reports of people using exploits to get into Tivo boxen, and running Bitcoin miners on them .

Got a Jeep Cherokee? A recent one, with the U-Connect networked package? (BTW, I own a Chrysler. The U-Connect trademark *does not* mean the car is network connected, that's an additional option.)

If it connects to the network, somebody is looking to hack it. The only way for an individual or small business to protect yourself, is to keep up with those security patches. The bad guys are, and they're reverse engineering the changes to come up with exploits they know will work in many cases, because people don't keep up with the patches.

 

[briankelly63]

Ummm, I disagree. That exact reasoning is why, for example, routers are being compromised on a wholesale basis.

If your washing machine is connected to the internet, you bloody better keep up with the manufacturer's updates, or your going to have some very funny looking clothes. Pretty much any router older than a year or two, that hasn't been kept up to date, is easy meat for someone who wants in. Similarly, there are reports of people using exploits to get into Tivo boxen, and running Bitcoin miners on them .

Got a Jeep Cherokee? A recent one, with the U-Connect networked package? (BTW, I own a Chrysler. The U-Connect trademark *does not* mean the car is network connected, that's an additional option.)

If it connects to the network, somebody is looking to hack it. The only way for an individual or small business to protect yourself, is to keep up with those security patches. The bad guys are, and they're reverse engineering the changes to come up with exploits they know will work in many cases, because people don't keep up with the patches.

Point well taken. I think it's a matter of degree and the type of firewall. I use an up to date PFSense system. As far as the system behind it I'd go for major security flaws.

 

[voip_user]

I think this depends if your running SIP trunks or not and if you are terminating those SIP trunks in gateways vs the server. If you are running SIP trunks directly into your system from the PSTN then you need to stay on top of security as your box will have a direct connection to the internet. If you are terminating your trunk on some sort of gateway that gives you a bit more of protection "especially if you are running cisco cube" you can hold of on always doing security patching. So it really just depends.

my 2 cents.