But how would a bad guy even get access to the server when it isn't publicly accessible? This is my point. The server is on our local network with no external access. No one else in the organisation uses the server other than me. I would think that under these circumstances, the threat from external hacking is almost zero.

The risk would need to come from within, for example, by me accessing a bad website or running bad software. But otherwise, I can't see how hackers could get in.

My priority is keeping VMware stable. I do very little on this server other than VMware. The only others that I can think of are CrashPlan for backups, Webmin for system maintenance, CyberPower Power Panel Business Edition for the UPS and LibreOffice. That's about all I have installed on the server.

I am seriously thinking of buying an identical 2nd server to test updates and VMware stability prior to applying them to the production server. Is this overkill or necessary?

Is running unattended-updates with a regular cron job a bad idea?

Hi,

If the LAN has a gateway to the internet, then there is a risk and you should try to protect that risk in layers.

If the host is not directly accessible then sure the risk is maybe not that big, but if one machine gets infected or if attackers get past the router somehow then they can analyze what else is in your LAN. It is not that weird really.

Running unattended-updates on debian (which sets a cron job itself) isn't bad, but beware that it by default also updates the kernel, so rebooting your host might give you an unexpected surprise.

In addition one other side effect on unattended upgrades is that it doesn't clean up kernels, so if you have a boot partition of normal size it might come full and you can end up with a broken apt-get database. Which would also stop the automatic upgrades. Unattended updates not deleting old kernels is also a good thing when running as vmware host as you can go back to the older kernel.

I think it is possible to exclude kernel updates on that, but you will have to look up why as I don't have the configuration changes for that handy.

edit: on your question, probably overkill if you stick with security updates and no automatic kernel updates. I've got unattended-updates configured on all my ubuntu and debian machines. Only breakage so far was due to what I mentioned.

--

Wil

| Author of Vimalin. The virtual machine Backup app for VMware Fusion, VMware Workstation and Player |
| More info at vimalin.com | Twitter @wilva

Am I right in thinking that kernel updates are those prefixed with "linux"? So these pending security updates do indeed include some kernel ones:

Inst linux-compiler-gcc-4.8-x86 [3.16.7-ckt11-1+deb8u6] (3.16.7-ckt20-1+deb8u3 Debian-Security:8/stable [amd64])

Inst linux-headers-3.16.0-4-amd64 [3.16.7-ckt11-1+deb8u6] (3.16.7-ckt20-1+deb8u3 Debian-Security:8/stable [amd64]) []

Inst linux-headers-3.16.0-4-common [3.16.7-ckt11-1+deb8u6] (3.16.7-ckt20-1+deb8u3 Debian-Security:8/stable [amd64])

I used this command which I found somewhere to identify security only updates:

sudo apt-get -s dist-upgrade |grep "^Inst" |grep -i securi

I think a second dev/test server is the easiest solution. I will update it regularly. If everything is stable, then do the same updates on the production server.

Not sure how else to deal with this problem.

I would hate to be in the situation where after an update reboot, Workstation Pro stopped working and I need some patch from VMware to be released to resolve it.