Exposing server uptime a potential security vulnerability?

Question

I run a browser-based game and as part of a page with a bunch of game statistics, I have the server uptime listed. It's currently at 177 days and so someone mentioned to me that I shouldn't do this because a long uptime indicates the kernel is old and therefore missing security updates.

This certainly sounds logical, but I searched around and couldn't find any evidence to support it. So I'm just wondering, is this indeed something I should not have exposed?

How do they know you're not running a cluster? – gravyface Feb 27 '11 at 22:38 — gravyface, Feb 27 '11 at 22:38
I'll plug [ksplice uptrack](http://www.ksplice.com/). – Tobu Feb 27 '11 at 22:40 — Tobu, Feb 27 '11 at 22:40

score 2 · Accepted Answer · answered Feb 27 '11 at 22:43

2

This is nonsense, IMHO. When someone wants to attack you, he will try all possible attack vectors anyway, so if your system is vulnerable, not displaying your uptime won't help. Besides, things like ksplice and module updates exists, allowing patches without affecting your uptime.

answered Feb 27 '11 at 22:43

Sven

97,248
13
177
225

+1 - I was about to mention ksplice. You can have a fully up-to-date kernel **and** a massive uptime. – Mark Henderson Feb 27 '11 at 22:56

score 0 · Answer 2 · edited Apr 13 '17 at 12:14

0

Hope this helps:

How often should I reboot Linux servers?

While not an exact answer to your question this should give you an idea.

In short if you keep it up to date security wise I wouldn't worry about exposing that info.

edited Apr 13 '17 at 12:14

Community

1

answered Feb 27 '11 at 22:45

pablo

3,020
1
18
23

Exposing server uptime a potential security vulnerability?

2 Answers2