-1

Through work I recently came across a server that is used by 10-20 users daily as a sort of web server. It is running Ubuntu 12 and it has not been updated for a very long time it seems. Currently there are over 300 security updates waiting to be installed.

I have used Ubuntu for years and offered to perform upgrades and maintenance work on the server over a weekend, when I could fix any potential problems. However, I got a firm no as a response and it was explained to me that there was very little risk involved as the server only runs on the local network.

Could this be correct? What risks should be considered when running a server on a local network that is never updated?

The server in question does make requests out from the network to download information from other web servers. Users using the server have internet access on the same network. Ports for web, ssh and ftp access are open on the local network only and are password protected.

Uberswe
  • 159
  • 3
  • 9
  • Please do let me know with a comment as to why my question was poorly stated so that I can improve future questions, thanks. – Uberswe Nov 15 '15 at 10:36
  • By philosophy and design votes are anonymous and **neither voting [up](http://serverfault.com/help/privileges/vote-up) nor voting [down](http://serverfault.com/help/privileges/vote-down) requires any mandatory explanation**. The tooltip that appears when your mouse pointer hovers over the down button states: *"this question does not show any research effort; it is unclear or not useful"*. Pure speculation, but questions often also attract a down vote when not [well written](http://meta.serverfault.com/a/3609/37681), not quite [on-topic](http://serverfault.com/help/on-topic) or missing details. – HBruijn Nov 18 '15 at 12:59
  • Opinions may differ, but one of the default close reasons is: questions should demonstrate reasonable business information technology management practices. Questions that relate to unsupported hardware or software platforms or unmaintained environments may not be suitable for Server Fault, which may explain some of the downvotes – HBruijn Nov 18 '15 at 13:03
  • Of course, I do not expect everyone to explain their actions, but at the time it was difficult for me to understand. After re-reading my question I can see that it may have been poorly written. I appreciate the explanations and help. – Uberswe Nov 18 '15 at 15:18

2 Answers

3

"Internal only" machines can still get pwned, because some other "internal" machine (or the gateway) gets popped, and the attacker engages in "lateral movement" to discover more resources to abuse, or to improve their chances of persisting their access. So, not patching a machine just because it's in the soft, gooey centre of a company's infrastructure is a dumb idea.

That being said, if you've asked and been told "no", you shouldn't do it. Engage in a bit of CYA: get it in writing that you've advised The Powers That Be that the machine is unpatched, and could potentially be compromised, and that they've refused to let you do it. Then, when it all comes unhinged, you've got a bit of ammunition to shoot back with. Remember to keep a copy of that e-mail at home, too...

womble
  • 96,255
  • 29
  • 175
  • 230
-3

Well, about 90% of security updates contain fixes with no known exploits. Another point is user base and information cost. If the company owner is sure that none of his employees will betray him and use unpublished data from this server for his own profit or to harm the company, well, why not? But if you can afford stopping the server, making a full backup, and applying the updates, it's worth doing.

mickvav
  • 111
  • 1
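A defender-side triage check that relates to the question's "300 security updates waiting" and to mickvav's suggestion to apply them. This is an added example, not code from any post on this page: it parses the output of `apt-get -s dist-upgrade` (a simulation that changes nothing on the host) and counts pending packages by archive pocket, so the security-pocket backlog can be separated from ordinary updates. The `SAMPLE` text is a constructed stand-in for real simulation output.

```shell
#!/bin/sh
# Count pending apt updates by pocket (security vs. updates) from the output of
# `apt-get -s dist-upgrade`. The simulation prints one line per package in the form
#   Inst <pkg> [<old>] (<new> <Origin>:<Release>/<suite>-<pocket> [<arch>])
# and the suite name tells the security pocket apart from the rest.

# Constructed sample of what the simulation prints on a precise (12.04) box.
SAMPLE='Reading package lists...
Building dependency tree...
Reading state information...
The following packages will be upgraded:
  bash libssl1.0.0 openssh-server vim-common
Inst libssl1.0.0 [1.0.1-4ubuntu5.21] (1.0.1-4ubuntu5.39 Ubuntu:12.04/precise-security [amd64])
Inst bash [4.2-2ubuntu2.1] (4.2-2ubuntu2.6 Ubuntu:12.04/precise-security [amd64])
Inst openssh-server [1:5.9p1-5ubuntu1.4] (1:5.9p1-5ubuntu1.10 Ubuntu:12.04/precise-updates [amd64])
Inst vim-common [2:7.3.429-2ubuntu2.1] (2:7.3.429-2ubuntu2.1 Ubuntu:12.04/precise-updates [amd64])
Conf libssl1.0.0 (1.0.1-4ubuntu5.39 Ubuntu:12.04/precise-security [amd64])'

# count_updates <pocket>: number of "Inst" lines on stdin whose origin suite ends in
# "-<pocket>" (e.g. security, updates). "Conf" lines are configuration steps, not
# separate packages, so only the first field "Inst" is counted. Prints 0 on no match.
count_updates() {
  awk -v pocket="$1" '
    $1 == "Inst" && $0 ~ ("-" pocket " \\[") { n++ }
    END { print n + 0 }'
}

# summarise: breakdown for the constructed sample; pipe real simulation output
# into count_updates instead when running on the server itself.
summarise() {
  sec=$(printf '%s\n' "$SAMPLE" | count_updates security)
  upd=$(printf '%s\n' "$SAMPLE" | count_updates updates)
  printf 'pending security updates: %s\npending other updates: %s\n' "$sec" "$upd"
}

summarise
```

On the real host the same breakdown comes from `apt-get -s dist-upgrade | count_updates security`, which is safe to run read-only before any maintenance window is negotiated.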