LinuxQuestions.org
Old 12-10-2010, 06:44 AM   #1
bennetthaselton
LQ Newbie
 
Registered: Dec 2010
Posts: 12

Rep: Reputation: 0
how to make 'yum update' on CentOS recurring and automatic?


I run a few dozen dedicated web servers all running CentOS 5.5. A long time ago, when one server was apparently compromised, I was urgently advised to sign in to the server and run "yum update" at least once a week to ensure that everything I had installed using "yum" would get updated with any recently available updates, including security fixes, and that one reason I might have been hacked before was because I hadn't been doing that.

So, I'm still not sure if that would have prevented the original break-in, or how much this has reduced my chances of being hacked, but I've been faithfully signing in to each server every week for the past few months and running "yum update". Most times, this results in a lot of patches being downloaded and applied, so it's clear the machines are not doing it automatically. I figure it's about time to learn how to make the machines do this on their own.

Is there a standard way to make "yum update" run automatically, every day, or every week? Yes, I'm sure there are many ways to do it, but is there a single way used by the majority of webmasters of CentOS sites who have automatic updates set up?

Googling a bit for "make yum updates automatic" turned up some threads like:
http://www.cyberciti.biz/faq/fedora-...ion-with-cron/
http://forums.fedoraforum.org/archiv.../t-111213.html
in which people describe writing their own custom scripts to do yum update automatically. This seems odd. It seems like the kind of thing that there would be a standard way to turn on.

Also, is there a reason that virtually every newly provisioned dedicated server does not have "yum update" set up to recur automatically? If it's true that people break into websites using exploits that have been found in older versions of web servers and other software, and that sometimes these break-ins would have been prevented by the newest patches, wouldn't it reduce the number of websites being compromised if the OS had yum updates turned on automatically by default?
 
Old 12-10-2010, 07:27 PM   #2
mjmwired
Member
 
Registered: Apr 2004
Distribution: CentOS6, CentOS5, F16, F15, Ubuntu, OpenSuse
Posts: 620

Rep: Reputation: 39
$ yum install yum-updatesd

$ grep automatic /etc/yum/yum-updatesd.conf
# automatically install updates
# automatically download updates
# automatically download deps of updates

Hope that helps.
 
Old 12-10-2010, 10:48 PM   #3
lazlow
Senior Member
 
Registered: Jan 2006
Posts: 4,363

Rep: Reputation: 172
The problem with doing it automatically is that stuff goes wrong. When (not if) stuff goes wrong and the sysop is not there to see it, it can be much harder to fix.

That being said, I believe yum-updatesd is installed (but not turned on) in a standard CentOS install. You turn it on just like any other service.
 
Old 12-11-2010, 04:52 AM   #4
bennetthaselton
LQ Newbie
 
Registered: Dec 2010
Posts: 12

Original Poster
Rep: Reputation: 0
Thanks, this is exactly what I needed.

On most of the servers, it is indeed installed and already running, however the /etc/yum/yum-updatesd.conf has all of the automatic downloads and updates turned off. (On only one of the dedicated servers, the hosting company had enabled downloads and updates by default, and that was the server that always told me "Nothing to do" whenever I logged in and ran "yum update" manually, naturally.)

It's interesting that the drawbacks are considered to outweigh the benefits of turning this on automatically. Both choices have their downside -- increased risk of getting hacked, or increased risk of an update taking the server down by accident -- but I would assume the former is more likely *and* the consequences more catastrophic. (None of my servers have ever had a problem when I logged in and did "yum update", but some of them may have been hacked back when I wasn't applying the updates often enough.) And there's also the "public health" argument that a downed server inconveniences only you, but a hacked server inconveniences others as well (can be used to send out flood attacks, can be used as the destination URL for a phishing site, etc.).
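An added example, not posted by anyone in this thread and not a CentOS-supplied script: a small POSIX sh helper that reads and flips the three switches behind the comments mjmwired's grep shows (in the CentOS 5 /etc/yum/yum-updatesd.conf those keys are do_update, do_download and do_download_deps), covering the "turn it on like any other service" step from lazlow's reply and the "everything is off by default" state bennetthaselton found. It works on whatever path you hand it, so it can be rehearsed on a copy before touching the live file. The sample config embedded in it is constructed from the stock file's layout for offline testing, and switching emit_via to syslog is an assumption of mine, chosen so that unattended installs leave a trace in /var/log/messages for the post-mortem lazlow warns about.

```shell
#!/bin/sh
# Added example: manage the automation switches in yum-updatesd.conf.
# Keys do_update / do_download / do_download_deps are the real CentOS 5
# option names; emit_via = syslog is this example's own choice.

# Constructed sample of the stock CentOS 5 yum-updatesd.conf (for
# trying the functions below without touching the real file).
sample_updatesd_conf() {
    cat <<'EOF'
[main]
# how often to check for new updates (in seconds)
run_interval = 3600
# how often to allow checking on request (in seconds)
updaterefresh = 600

# how to send notifications (valid: dbus, email, syslog)
emit_via = dbus
# should we listen via dbus to give out update information/check for
# new updates
dbus_listener = yes

# automatically install updates
do_update = no
# automatically download updates
do_download = no
# automatically download deps of updates
do_download_deps = no
EOF
}

# updatesd_get FILE KEY -> prints the value of KEY (last match wins).
updatesd_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# updatesd_set FILE KEY VALUE -> rewrites KEY in place, or appends it.
# Uses a temp file and cat-back instead of sed -i so the config keeps
# its inode and permissions and the script stays portable.
updatesd_set() {
    if grep -q "^[[:space:]]*$2[[:space:]]*=" "$1"; then
        tmp="$1.tmp.$$"
        sed "s/^[[:space:]]*$2[[:space:]]*=.*/$2 = $3/" "$1" > "$tmp"
        cat "$tmp" > "$1"
        rm -f "$tmp"
    else
        printf '%s = %s\n' "$2" "$3" >> "$1"
    fi
}

# Turn on unattended download + install of updates and their deps,
# and send notices to syslog so there is a record of what was applied.
enable_auto_updates() {
    updatesd_set "$1" do_download yes
    updatesd_set "$1" do_download_deps yes
    updatesd_set "$1" do_update yes
    updatesd_set "$1" emit_via syslog
}

# Exit status 0 if the config would actually install updates.
auto_updates_enabled() {
    [ "$(updatesd_get "$1" do_update)" = yes ]
}

# On a real CentOS 5 box, as root:
#   enable_auto_updates /etc/yum/yum-updatesd.conf
#   chkconfig yum-updatesd on
#   service yum-updatesd restart
# Afterwards `auto_updates_enabled /etc/yum/yum-updatesd.conf && echo on`
# confirms the switch took, and /var/log/messages shows each install.
```

If you want ComputerErik's middle ground instead, leave do_update at no, keep do_download at yes so the packages are already cached, and let the daemon's syslog notices tell you what is pending before you log in and run yum update by hand.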
 
Old 12-11-2010, 11:23 AM   #5
ComputerErik
Member
 
Registered: Apr 2005
Location: NYC
Distribution: Debian, RHEL
Posts: 269

Rep: Reputation: 54
I think it really depends on how many servers you run, and what type of services are running on them. Just logging in every so often to manually check and see what is being updated and applying the updates is the best of both worlds. This way if something does break you know it, see what happened and can fix it. Having the latest updates is not the only step to running a secure server, it is just a part of it.

If you do run enough servers an option is to use Spacewalk and have a testing or development server. This way you can manually test each update on a non production machine, and if everything goes well schedule the update to be automatically installed on all of your production machines.
 
Old 12-12-2010, 03:42 AM   #6
bennetthaselton
LQ Newbie
 
Registered: Dec 2010
Posts: 12

Original Poster
Rep: Reputation: 0
Yeah, I assume that for users who know about the required maintenance and log in and maintain the server regularly, they know how they want to do things, so the default settings would be a moot point.

What I'm thinking about are all the users who are admins of dedicated servers, and who don't even know that they're supposed to log in and download and apply updates, and the default behavior will always apply. (I suspect this applies to the vast majority of low-end dedicated servers being leased from hosting companies.) It's all very well to say that people shouldn't be server admins if they don't know how to apply updates, but -- they exist. A hosting company isn't going to say no to someone who will pay the hosting fee.

So, for all of those, the default behavior will apply, so it's a question of whether it's better for the server never to get updated, or to get updated automatically and occasionally go down because of a bad update. For security, it seems like automatic updates would be better, but maybe not. Or maybe the correct answer might change from year to year depending on the intensity of the attacks being perpetrated by cyber-criminals against hosted websites.
 
Old 12-12-2010, 08:55 AM   #7
ComputerErik
Member
 
Registered: Apr 2005
Location: NYC
Distribution: Debian, RHEL
Posts: 269

Rep: Reputation: 54
I agree there are plenty of "admins" out there who have no business administering a server which is publicly available, but no hosting company would turn down paying business. I think the problem is that experienced and knowledgeable admins will expect to have a base dedicated server setup using the OS defaults. I for one would be pretty upset if I was paying for a dedicated server with changes made away from the OS defaults which made things which normally required admin intervention to happen automatically.
 
Old 12-13-2010, 03:43 AM   #8
bennetthaselton
LQ Newbie
 
Registered: Dec 2010
Posts: 12

Original Poster
Rep: Reputation: 0
Well what if the OS maker changes the defaults, would that make it OK?

No, really. At some point, the defaults for all versions of Windows (including Server) became to update themselves automatically, and it was up to the admins to turn that off if they wanted to, and people didn't seem to mind that.
 
Old 12-13-2010, 09:05 AM   #9
lazlow
Senior Member
 
Registered: Jan 2006
Posts: 4,363

Rep: Reputation: 172
When M$ made it a default setting a lot of admins did scream. M$ ignored them. Which was one of the major reasons slipstreaming became so popular about the same time.
 
Old 12-14-2010, 03:32 AM   #10
bennetthaselton
LQ Newbie
 
Registered: Dec 2010
Posts: 12

Original Poster
Rep: Reputation: 0
Well, was that a bad thing? Many worms like Slammer were based on exploits that had been patched months earlier, so they only infected servers that didn't have the latest patches installed. Imagine how many more machines would have been infected if automatic updates had not been the default.
 