01-15-2021, 07:37 PM
Quite regularly, there are so many vulnerabilities in software discovered that as a general rule of thumb I would say that it is a no-go to run any software that does not receive regular updates fully exposed to the internet. Sure, some software is more vulnerable than others. OpenSSH itself could be considered rather secure in this regard, yet it is noteworthy that it also had quite a few issues in the past:
https://www.cvedetails.com/product/585/O...ndor_id=97
But OpenSSH is not the issue as I assume that you still receive updates for OpenSSH. Regarding the Linux kernel, the situation looks worse:
https://www.cvedetails.com/product/47/Li...ndor_id=33
The best way to run "unmaintained" software on the internet is to put it behind something that is maintained, e.g. you could put your system with the unmaintained kernel/sshd behind another system that runs a secure VPN (like wireguard) for which it receives regular updates. Another option could be things like filtering by source IP etc. but - again - these filters must be implemented on a separate (sub)system that *does* receive regular security updates. But I don't think one of these solutions really makes any sense for your particular case.
I recommend switching to a system that is actively maintained. Possible options:
- switching to Armbian
- switching to any other Distro where all relevant components receive regular updates
- using Debian unstable
- using Debian stable with a kernel from unstable (if you want to go this way you can find my recommendations how to achieve this here: https://www.kulesz.me/post/140-debian-de...4-install/ )
No matter which solution you choose, keep in mind to look for EOL announcements as these usually require manual steps for migration to a new release that is actively supported. The situation might have been more relaxed a few years back, but as you can see from many reports in the news the threats are rising (I am sure you could find scientific data on that as well but I didn't look for any). In the end, running a well-supported OS with regular automated updates also *feels* a lot better so you probably get to sleep better. :-)
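One way to build the "maintained system in front" that the post describes, as an added example that is not the poster's own configuration: a patched gateway terminates WireGuard on UDP 51820 and its nftables ruleset forwards only SSH from tunnel peers to the legacy host. The interface names, addresses and key placeholders are assumptions.

```shell
# Added example, not from the original post: config for the *maintained* gateway
# fronting the host with the unmaintained kernel/sshd. All values are placeholders.
set -eu

WG_IF="wg0"                  # WireGuard interface on the gateway
WG_NET="10.77.0.0/24"        # constructed VPN subnet, gateway is 10.77.0.1
LAN_IF="eth1"                # gateway interface facing the legacy host
LEGACY_HOST="192.168.50.10"  # constructed address of the legacy host

# Gateway WireGuard config. Replace placeholders with `wg genkey` / `wg pubkey` output.
gen_wg_conf() {
  cat <<EOF
[Interface]
Address = 10.77.0.1/24
ListenPort = 51820
PrivateKey = GATEWAY_PRIVATE_KEY_PLACEHOLDER

[Peer]
PublicKey = ADMIN_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.77.0.2/32
EOF
}

# nftables ruleset: only UDP 51820 is exposed to the internet; the legacy host is
# reachable solely on TCP 22 from tunnel peers. Everything else is dropped by policy.
gen_nft_ruleset() {
  cat <<EOF
flush ruleset
table inet fw {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif lo accept
    udp dport 51820 accept
    iifname "$WG_IF" tcp dport 22 accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iifname "$WG_IF" oifname "$LAN_IF" ip saddr $WG_NET ip daddr $LEGACY_HOST tcp dport 22 accept
  }
}
EOF
}

# Apply on the gateway (root, wireguard-tools and nftables required).
apply_gateway() {
  sysctl -w net.ipv4.ip_forward=1
  gen_wg_conf > "/etc/wireguard/$WG_IF.conf" && chmod 600 "/etc/wireguard/$WG_IF.conf"
  gen_nft_ruleset | nft -f -
  wg-quick up "$WG_IF"
}
```

The legacy host must route its replies back through the gateway (default route via the gateway's LAN address) so the established-state rule covers them.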