
I'm in the process of upgrading a standalone dual quad-core Xeon PowerEdge rack server from Wheezy to Jessie. In following the debian.org instructions for the upgrade, only the following deb line is mentioned as needing to be placed into sources.list:

deb http://mirrors.kernel.org/debian jessie main contrib

In this question and answer, I learned that the jessie/updates source on security.debian.org supplies "Security-critical updates ... provid[ing] the safest fix for security issues as quickly as possible.... These updates are usually merged into the next stable update."

I use the server for quantum chemical computations; its only (intentional) inbound interactions from the outside world are when I SSH into a console, through NAT via an SSH port opened in and redirected by my router. root login is disabled, and I have denyhosts installed and configured to parse auth.login every thirty seconds in order to clamp down on hack attempts.

I do have gdm installed, and browse the web occasionally with Firefox (GitHub, StackExchange, Gmail, Twitter, etc.). I also pull from and push to GitHub repos from time to time.

So: What are the security implications of omitting the security.debian.org jessie/updates sources from my sources.list? (To note, I see no reason not to include them; I'm just curious whether leaving them out would represent a major security problem.)

hBy2Py

2 Answers

3

You will miss important security updates. ssh has had few security updates recently; you will also miss updates to the firewall (not so needed under NAT, but you should also not trust your local network so much).

I think in the past security was also used to patch an ntp bug (which hung computers on the leap second).

And you should not forget about outgoing connections. Those should also be secure: e.g. injection and downgrading could make you download unwanted data/viruses, or some program could disclose too much information. So also check your outbound connections.
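As an added example (not code from the question or from either answer), a small POSIX shell script that checks whether a sources.list carries the jessie/updates suite from security.debian.org, prints the line to add when it does not, and lists pending upgrades that would come from the security archive. It assumes the suite name is "<release>/updates", which is true for jessie, and that apt-get's simulated output labels security-sourced packages with the "Debian-Security" origin.

```shell
#!/bin/sh
# Added example (not from the question or the answers): detect a sources.list
# that lacks the security suite, suggest the missing entry, and show which
# pending upgrades come from the security archive on a live system.
# Assumption: the security suite is named "<release>/updates" (true for jessie).

security_suite() {
    printf '%s/updates\n' "$1"
}

# has_security_source FILE RELEASE: succeeds if FILE contains an uncommented
# "deb ... security.debian.org ... <release>/updates ..." line.
has_security_source() {
    grep -Eq "^[[:space:]]*deb[[:space:]]+.*security\.debian\.org.*[[:space:]]$(security_suite "$2")([[:space:]]|$)" "$1"
}

# suggested_security_line RELEASE: the entry the question's sources.list lacks,
# using the same components (main contrib) as the mirror line it does include.
suggested_security_line() {
    printf 'deb http://security.debian.org/ %s main contrib\n' "$(security_suite "$1")"
}

# list_security_upgrades: simulate an upgrade (apt-get -s changes nothing) and
# print the packages whose new version comes from the Debian-Security origin.
# With the security source missing this prints nothing, which is the blind spot
# the answer describes: the fixes exist, but apt never sees them.
list_security_upgrades() {
    apt-get -s upgrade 2>/dev/null | awk '/^Inst / && /Debian-Security/ { print $2 }'
}

# Constructed sample: the question's sources.list as written, security missing.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
printf 'deb http://mirrors.kernel.org/debian jessie main contrib\n' > "$SAMPLE"

if has_security_source "$SAMPLE" jessie; then
    echo "security suite present in $SAMPLE"
else
    echo "security suite missing from $SAMPLE; add this line:"
    suggested_security_line jessie
fi
```

Run it against /var/log-independent input as above, or point has_security_source at the real /etc/apt/sources.list and call list_security_upgrades on the server itself.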

0

I'm just curious whether leaving them out would represent a major security problem.

Well it would. When a security hole becomes public, you need to install the patched code or you will be a sitting duck.

Your other security measures might be useful, but only in conjunction with software that has been patched for known vulnerabilities.