Is there any way to secure old unpatched Linux server?

Put a firewall in logging mode in front of it. Watch all the traffic coming in and out of it, and run any reports or processes that this server should do, so you make sure to capture all the types of communication the firewall rules have to allow. Create rules to allow only this traffic to pass. Once you are confident you have everything set correctly, drop and log any traffic that is outside the normal traffic parameters. Make sure to alert on anything logged so it can be investigated and either added as a rule or treated as an intrusion attempt.

Edit: I've assumed based on the question wording that this is an internal server. Also, use the opportunity when profiling the traffic to look for indicators of existing compromise.


You might be surprised how common this situation is.

The short answer is, yes, there are all kinds of things that you can do. But it will require that you understand the normal operating state of the server and start locking down those states.

As with a full company cybersecurity programme, you can break it down into steps/phases:

  1. Identify everything that is running, all ports, all admin/service accounts, all expected outbound connections, all types of data, and the risks to each of those things if something goes horribly wrong
  2. Protect those things that you have identified in proportion to the risks that exist for those things: firewall rules that whitelist only that which is needed, configure encryption, reset admin and service account passwords, disable unused accounts
  3. Detect any anomalous activity to determine if there is a persistent threat or if you missed something in your Identify phase by setting up logging and monitoring processes
  4. Respond quickly and with pre-approval to things that will result in unacceptable risk to the company

I would also look at the patches that were not applied and see if things can be patched or if you can deploy alternate mitigations for the highest risk things.

In general, I would assume that the server has already been cracked and is used by malicious actors. I'd also assume that there are people who have inappropriate access to the server and its data. And while you might not be able to "fix" the situation, by making these assumptions, you can set expectations and set the level of effort and protection required.
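The profile-then-whitelist approach from the first answer and the Identify/Protect/Detect steps of the second, as an added example that is not part of either answer: a baseline allow-list is built from a profiling window, rendered as nftables-style rules with a log-and-drop default, and later traffic is checked against it. The log format, addresses and ports are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "direction proto port peer")

# Constructed sample connection log (not real firewall output), one flow per line:
# "timestamp dir proto src dst dport"; "in" = connection to the server, "out" = connection it opened.
BASELINE_LOG = """\
2024-01-10T08:00:01 in  tcp 10.0.0.25  10.0.0.5   22
2024-01-10T08:05:12 in  tcp 10.0.1.40  10.0.0.5   443
2024-01-10T09:00:00 out udp 10.0.0.5   10.0.0.53  53
2024-01-10T23:30:00 out tcp 10.0.0.5   10.0.0.200 5432
"""
LATER_LOG = """\
2024-02-02T10:00:00 in  tcp 10.0.0.30    10.0.0.5    22
2024-02-02T10:00:05 in  tcp 10.0.0.25    10.0.0.5    23
2024-02-02T10:01:00 in  tcp 192.168.9.9  10.0.0.5    443
2024-02-02T10:02:00 out tcp 10.0.0.5     203.0.113.7 4444
"""

def parse(log):
    """Turn log lines into Flow records, keying the remote peer by its /24 network."""
    flows = []
    for line in log.splitlines():
        _, direction, proto, src, dst, port = line.split()
        peer_ip = src if direction == "in" else dst
        peer_net = ipaddress.ip_network(f"{peer_ip}/24", strict=False)
        flows.append(Flow(direction, proto, int(port), str(peer_net)))
    return flows

def build_baseline(log):
    """The allow-list: every (direction, proto, port, peer network) seen while profiling."""
    return set(parse(log))

def find_anomalies(baseline, log):
    """Flows outside the baseline: each one becomes a new rule or an intrusion investigation."""
    return [f for f in parse(log) if f not in baseline]

def render_rules(baseline):
    """Render the baseline as nftables-style rule bodies, ending with the log-and-drop default.
    Inbound rules belong in the input chain and outbound rules in the output chain."""
    rules = []
    for f in sorted(baseline):
        addr = "saddr" if f.direction == "in" else "daddr"
        rules.append(f"ip {addr} {f.peer} {f.proto} dport {f.port} accept")
    rules.append('log prefix "unprofiled: " drop')
    return rules

if __name__ == "__main__":
    base = build_baseline(BASELINE_LOG)
    print("\n".join(render_rules(base)))
    for flow in find_anomalies(base, LATER_LOG):
        print("ALERT", flow)   # new port 23, new source network for 443, new outbound 4444
```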