I have a VM that is running Debian 9, which was EOL in 2020, and LTS ends June 30th, 2022.
How high risk is it to stay on Debian 9 for say another year? I was told this is very risky as there are no security updates.
Is there any reason you would not upgrade? Is this a production environment?
If it’s not a production server, and it has limited access (no outbound access), it’s risky but not unheard of to run an older OS with EOL.
Not advisable. It may not be high risk, but it for certain does not give you peace of mind. Are you worried about an in-place upgrade?
Start by backing up. Then read here: DebianUpgrade - Debian Wiki | or here.
Staying on Debian 9 is a security risk since it doesn’t get any updates after it’s EOL.
I went from 9 to 12 (Bookworm) and it’s SOOOOOOOOO much better. Unless you haven’t been doing backups etc., there should be no reason to stay on 9. I would advise you go to 10 and then 11, but that’s just me, because every time I’ve tried to jump that much I’ve wound up doing a fresh install. Yes, my luck sucks.
Don’t do what I do, but I still run an internal-only VM running 32-bit RHEL5. Since this is a homelab server that is only available on my network, I don’t really care about it, but it’s definitely not a best practice.
My world-facing production servers are recent versions of FreeBSD or Ubuntu, and I keep those updated, for some hopefully-reasonable definition of “updated.”
I would agree for an internal server as well. Just lock it down with firewall rules (pfSense / OPNsense).
Yeah, I should implement outbound rules to prevent any rogue programs from contacting the world, but there’s no incoming access to this server (other than SSH & HTTP from my network). I’ve never really gotten into outbound firewall rules. Tried it with Little Snitch on my Mac, and I find that they make life difficult, so I quit using them.
It is completely safe but there’s no incoming access to this server (other than SSH & HTTP from my network)
Sincerely, advising someone to stay or not to stay on a distro without ongoing security patches is dependent on the use case scenario. If it is being utilized as a web server, there is absolutely no option other than to upgrade to the latest supported version.
If it is used for a low-risk utility, say, an internal test machine, it can still be used if software and services running can be minimized.