FOOD FOR THOUGHT Incredible 16-15 Centos 7 yum updates

markd89

Member
Joined
Sep 3, 2013
Messages
97
Reaction score
9
My server is running nicely :)

I don't use Webmin much, but was poking around in there and noticed there are Centos updates available including security updates.

I have iptables and TM3 on this machine and things are well locked down. I like the idea of updates but I don't want to break things.

What is the best practice here?

Should I be running a manual
Code:
yum update -y
periodically?

Does the update script on login take care of Centos security updates?

Would answers to the above differ on 15-16 + Public? I'm thinking not because Public also has a nice, tight IPTables setup.

On my old Purple VM, I don't think I installed updates ever and it worked fine (IPTables/TM), but maybe that wasn't wise.

Any advice much appreciated!

Mark
 

progs_00

Active Member
Joined
Jan 6, 2014
Messages
132
Reaction score
37
Hi markd89

Although a far better answer would come from the guys that designed the IPBX system, what I choose to do is NEVER apply a yum update to any of my systems. The logic here is that some packages seem very tightly integrated to the system, some other packages get configured outside of yum so they would most likely break if updated with yum and so on. Same logic I follow with the new IPBX 16 or IPBX 2020.

Having said all that, I must also say that none of my systems have public IPs, all are behind a firewall-enabled router and use all security options of the IPBX platform. This greatly diminishes the attack surface so even when a zero day exploit breaks out, I can still remain as best protected as I can until it gets patched and instructions are given here in the forum (most likely Ward's team will issue an update through their script so yum update would still not be needed).

So to sum up, if your system is set pretty much like mine above, I'd say you are far more secure than someone who is running yum update even daily but has his system exposed directly to the Internet.

That's my two dimes. Yours is a great question and I hope others join in and share their point of view.

Cheers
 
Joined
Jul 6, 2013
Messages
82
Reaction score
28
My take on this (and I'm no expert) is that it is safe to update with Yum right after you install CentOS but only before you install IncrediblePBX. Thereafter I'm very selective about updates. For instance I may apply an update to fix an http or firewall or ssh vulnerability but never any overall updates.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,201
Reaction score
5,220
Good advice. Most so-called "security updates" flagged by WebMin don't apply in our case. IPtables and SSH are the two to watch out for.
 

markd89

Member
Joined
Sep 3, 2013
Messages
97
Reaction score
9
Thanks for the advice, Gents.

My VM does have a public IP, but it has a tight IPTables setup.

I installed the updates yesterday (before I saw your responses). All still seems to be working OK. I'll refrain from more updates, except IPtables and SSH as Ward advises. Those two are so widely used in Linux-land, if/when there is a vulnerability, we'll all know.
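
The selective approach discussed in this thread (update only the iptables and SSH packages instead of everything), as an added example that is not from any poster or from the Incredible PBX project. The watch list and the sample `yum check-update` output are constructed assumptions.

```shell
#!/bin/sh
# Added example: reduce `yum check-update` output to a watch list of packages
# and print the matching selective update command.
# Assumption: the watch list below reflects the thread's advice (iptables, SSH).
WATCH_RE='^(iptables|iptables-services|openssh|openssh-server|openssh-clients)[.]'

# Constructed sample of `yum check-update` output (versions are made up).
sample_check_update() {
cat <<'EOF'
Loaded plugins: fastestmirror

bind-libs.x86_64          1.0-2.el7    updates
iptables.x86_64           1.0-2.el7    base
kernel.x86_64             1.0-2.el7    updates
openssh-server.x86_64     1.0-2.el7    base
Obsoleting Packages
grub2.x86_64              1.0-2.el7    base
EOF
}

# Read check-update output on stdin, print watched package names (arch removed).
# Only three-column lines are considered, so names that yum wraps onto a
# second line are not picked up. The "Obsoleting Packages" section lists
# replacements rather than plain version bumps and is skipped.
watched_updates() {
  awk -v re="$WATCH_RE" '
    /^Obsoleting Packages/ { exit }
    NF == 3 && $1 ~ re { sub(/[.][^.]+$/, "", $1); print $1 }
  ' | sort -u
}

# Print the yum command that updates only the watched packages, or nothing.
selective_update_cmd() {
  pkgs=$(watched_updates | tr '\n' ' ')
  pkgs=${pkgs% }
  if [ -n "$pkgs" ]; then
    echo "yum update $pkgs"
  fi
}

# Stand-alone run against the constructed sample.
sample_check_update | selective_update_cmd
```

On a real host the input would come from `yum -q check-update | selective_update_cmd`; note that `yum check-update` exits with status 100 when updates are pending, which matters if the shell runs with `pipefail`.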
 
