I understand your opinions but once a defect is found and an exploit
is created and made available in an automated scripted form you are
still vulnerable to it. GNU/Linux is not some kind of solid steel box
with no cracks in it; all software has defects that will be found
eventually and a large portion will have automated exploit kits
produced for them.
The longer you wait to plug holes by not upgrading the more holes
start to show up. The biggest advantage to FLOSS Community distros is
the low upgrade price of free.
I imagine you have more than one NTP server on site or have an external
one configured as a backup. I would seriously consider jumping up to 13.1,
particularly if you are only running ntpd on it!
Also, just because a server is only available on an internal network
does not make it impervious to attacks either, because any machine
on the network that can access that resource can be used to launch an
attack on it if it has been compromised.
Obviously you could build your own kernel and install the latest
maintenance releases from the upstream into /opt, but still letting your
system turn into a giant attack target of known exploitable
vulnerabilities seems crazy to me.
Malware in the forms of viruses, trojans and spyware may not be in
large abundance on GNU/Linux, but Nessus and Metasploit certainly have
a large collection of known defects to choose from to own an unmaintained
system. You may want to install the latest version of Nessus on it and
run a quick privileged scan just to see how much red does show up.
You could very well have Heartbleed, the bash vulnerability that was
patched this week, as well as a slew of kernel defects that can be used
for privilege escalation.
You can harden GNU/Linux very well but not upgrading your software to
fix known issues defeats the entire purpose of hardening to begin
with.
Obviously your systems are not mine. I do not know what they are
supporting, so the risk is of course yours to take, but I would sign up
for the US-CERT weekly aggregate list and take a look through that for
a month and possibly rethink your position.
On Wed, Sep 24, 2014 at 7:45 PM, John Andersen
On 9/24/2014 5:05 PM, Timothy Butterworth wrote:
I did not realize until today how many users are actually running old openSUSE releases that are not even under maintenance any more; that is kind of a scary thought. I am curious as to the reasons why they are doing this?
Your fears are largely unfounded.
For servers not exposed to the net there is very little to worry about. For servers that don't host websites and don't allow password-based outside login of any kind, there is even less to worry about.
The only adjustment I've made in a long time was restricting access to my NTP server recently. After doing that I peeked at my iptables and found I was already blocking outside access to that.
This idea that something has to be under maintenance is something learned in the Microsoft world, or in risk avoidance school taught by bean counters.
-- _____________________________________ ---This space for rent--- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
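The thread above argues over whether an unmaintained release with known, exploit-kit-ready defects is an acceptable risk, and suggests a Nessus scan or the US-CERT aggregate list to find out. A cheaper first check is to compare what is installed against the fixed package levels an advisory names. The following script is an added example, not code from the thread or from the openSUSE project: it implements a simplified RPM epoch:version-release comparison and flags packages that sit below the fixed level. The installed-package listing and the advisory entries are constructed sample data with placeholder version numbers, not real openSUSE update levels.

```python
"""Flag installed RPM packages that are below the fixed level named in an
advisory list.  All sample data below is constructed for illustration."""
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of:
#   rpm -qa --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n'
INSTALLED = """\
bash (none):4.2-68.4.1
openssl (none):1.0.1e-1.44.1
ntp (none):4.2.6p5-19.1
kernel-default (none):3.11.10-21.1
"""

# Constructed advisory list: (package, first fixed version-release).
# The fixed levels are placeholders, not real advisory data.
ADVISORIES: List[Tuple[str, str]] = [
    ("bash", "4.2-75.1"),           # hypothetical fix level for a shell bug
    ("openssl", "1.0.1e-1.50.1"),   # hypothetical fix level for a TLS bug
    ("ntp", "4.2.6p5-19.1"),        # already at the fixed level
]

_SEG = re.compile(r"(\d+|[a-zA-Z]+|~)")


def rpm_vercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp.  Compares alphanumeric segments in order: digit
    runs numerically, alpha runs lexically, digits sort after alpha, and a
    '~' segment (pre-release marker) sorts before anything, including the
    end of the string.  Returns -1, 0 or 1 like rpm's own comparison."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x == "~":
            return -1
        if y == "~":
            return 1
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            return (int(x) > int(y)) - (int(x) < int(y))
        if xd != yd:
            return 1 if xd else -1
        return (x > y) - (x < y)
    if len(sa) == len(sb):
        return 0
    # One side has trailing segments; it wins unless they start with '~'.
    a_longer = len(sa) > len(sb)
    rest = sa[len(sb):] if a_longer else sb[len(sa):]
    if rest[0] == "~":
        return -1 if a_longer else 1
    return 1 if a_longer else -1


def parse_evr(evr: str) -> Tuple[int, str, str]:
    """Split 'epoch:version-release'; '(none)' or missing epoch means 0."""
    if ":" in evr:
        e, _, vr = evr.partition(":")
        epoch = 0 if e in ("", "(none)") else int(e)
    else:
        epoch, vr = 0, evr
    version, _, release = vr.partition("-")
    return epoch, version, release


def evr_cmp(a: str, b: str) -> int:
    """Compare two EVR strings: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    c = rpm_vercmp(va, vb)
    return c if c else rpm_vercmp(ra, rb)


def parse_installed(text: str) -> Dict[str, str]:
    """Turn the two-column listing into {package: evr}."""
    pkgs = {}
    for line in text.splitlines():
        if line.strip():
            name, evr = line.split()
            pkgs[name] = evr
    return pkgs


def outdated(installed: Dict[str, str],
             advisories: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (package, installed_evr, fixed_evr) for each advisory whose
    package is installed at a level below the fix."""
    hits = []
    for name, fixed in advisories:
        have = installed.get(name)
        if have is not None and evr_cmp(have, fixed) < 0:
            hits.append((name, have, fixed))
    return hits


if __name__ == "__main__":
    for name, have, fixed in outdated(parse_installed(INSTALLED), ADVISORIES):
        print(f"{name}: installed {have} is below fixed level {fixed}")
```

On a real host the `INSTALLED` text would come from the `rpm -qa` query in the comment, and the advisory list from the distribution's update announcements; the comparison logic is what matters, since a naive string comparison gets cases like `4.2.6p5` versus `4.2.6` or a `~rc1` pre-release wrong. A package missing from the advisory list is not reported, which is exactly the blind spot a proper scanner closes.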