# What are the server security update best practices?



## peterh (Mar 19, 2020)

I've started maintaining a FreeBSD server recently. I've read the parts of the handbook about updates and from that I've come up with the following plan for keeping the server up to date. The server hosts a small website.

On a regular schedule, run:
`sudo freebsd-update fetch
sudo freebsd-update install
sudo reboot
sudo pkg upgrade
sudo reboot`

After a minor version release, run:
`sudo freebsd-update -r <next-version>-RELEASE upgrade
sudo freebsd-update install
sudo shutdown -r now
sudo freebsd-update install
sudo shutdown -r now`

Subscribe to freebsd-security mailing list and maybe do one of the above updates out of schedule if there's something critical.

I have some questions:

1. Does the above plan seem reasonable?
2. Is there an easy way to get rid of one of the reboots for the regular updates?.
3. In the daily "freebsdfoundation.org daily security run output" emails, there tends to be a package reported with a vulnerability. Right now it's "py36-urllib3-1.22,1". It seems to take a really long time before these go away. Someone in the forums suggested using synth to get the updates sooner and I tried that, but synth puts a pretty heavy load on the server.


----------



## SirDice (Mar 19, 2020)

Yes, very. 

 For the regular schedule I typically don't reboot between freebsd-update(8) and pkg-upgrade(8). Only after I updated everything. If there are no base OS updates, I do run pkg-upgrade(8) but no reboot. I just restart whichever service needs to be restarted. 

Minor version releases I run the `freebsd-update install` *three* times, then reboot. But I do keep an eye on the type of updates. I've had one instance, a very long time ago, when it was absolutely necessary to boot the new kernel _before_ updating the rest of the world. But most of time this isn't really needed and you can skip that reboot.

 https://www.vuxml.org/freebsd/87270ba5-03d3-11ea-b81f-3085a9a95629.html? That looks fixed, everywhere. It was updated to 1.25.6 (quarterly) over three months ago, and recently to 1.25.7 (latest). Are you sure your updates are actually updating?


----------



## richardtoohey2 (Mar 19, 2020)

Pretty much what I do (I've not moved to packages yet, so my ports/packages process different) and as SirDice says you should be OK skipping the reboot between the freebsd-update and the ports/packages (unless explicit instructions to the contrary, obviously).

I keep an eye on: https://www.vuxml.org/freebsd/

There's also (this might be what your number 3 is doing):

```
pkg audit -F
Fetching vuln.xml.bz2: 100%  837 KiB 214.4kB/s    00:04   
0 problem(s) in 0 installed package(s) found.
```

And if you've got a spare server or VM or whatever - test the process on there first - preferably with all the same set-up and applications etc. as your main server(s) - so whatever powers the website.


----------



## peterh (Mar 20, 2020)

Huh, that's weird. I was using synth, but I have since uninstalled it. Maybe that's causing a problem with the package upgrades?

Here's what I'm getting:

```
$ sudo pkg audit -F
vulnxml file up-to-date
py36-urllib3-1.22,1 is vulnerable:
urllib3 -- multiple vulnerabilities
CVE: CVE-2019-11324
CVE: CVE-2019-11236
CVE: CVE-2018-20060
WWW: https://vuxml.FreeBSD.org/freebsd/87270ba5-03d3-11ea-b81f-3085a9a95629.html

1 problem(s) in 1 installed package(s) found.

$ sudo pkg upgrade
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Checking for upgrades (23 candidates): 100%
Processing candidates (23 candidates): 100%
Checking integrity... done (0 conflicting)
Your packages are up to date.

$ sudo pkg audit -F
vulnxml file up-to-date
py36-urllib3-1.22,1 is vulnerable:
urllib3 -- multiple vulnerabilities
CVE: CVE-2019-11324
CVE: CVE-2019-11236
CVE: CVE-2018-20060
WWW: https://vuxml.FreeBSD.org/freebsd/87270ba5-03d3-11ea-b81f-3085a9a95629.html

1 problem(s) in 1 installed package(s) found.
```


----------



## SirDice (Mar 24, 2020)

Which repository are you using? Post the output from `pkg -vv`.


----------



## peterh (May 13, 2020)

I sort of figured out what was going on.

We had originally installed the py36-certbot package. That requires py36-urllib3-1.22,1. At some point, all of the py36 packages were deprecated or something and replaced with py37 packages, but it seems like `pkg upgrade` doesn't handle that. So I just removed all the py36 packages using `pkg remove` and then did `pkg install py37-certbot-1.3.0,1`. 

Now `pkg audit` isn't producing any warnings.


----------



## SirDice (May 13, 2020)

Make sure to regularly run pkg-autoremove(8). This will  clean up so-called "orphaned" packages. Those were once installed as a dependency but nothing depends on them any more.  Especially with changes like the Python 3.6 to 3.7 update the old dependencies can linger if you don't clean them up too.


----------

