[TriLUG] Distro recommendation for secure hosting

Jack Hill jackhill at jackhill.us
Sat Dec 13 09:48:49 EST 2014


On Sat, 13 Dec 2014, Hariharan Gopalan wrote:

> Hello Group
>
> I host a couple of Linux boxes with Tranquil Hosting and am having a tough
> time keeping away hackers. I tried everything for hardening the various
> Ubuntu versions, but nothing seems to work. Was searching for a secure
> distribution, and wanted to check with the group if anyone had any
> recommendations?

Hi Hari,

Unfortunately, I fear that just switching distros may not be a magic 
bullet. Can you tell us a little bit more about your current setup? What 
sort of attacks are you seeing? What services are you running? What is your 
update policy? What hardening have you tried?

In general, I would start by reducing your attack surface (e.g. by having 
a restrictive firewall, reducing the number of services you run). After 
that, you want to reduce the chance that the services that are exposed 
become compromised. A good start is making sure you keep on top of 
updates. You can also build with some compiler hardening features such as 
stack smashing protection. There also may be service-specific ways to make 
it more difficult for attackers such as mod_qos for Apache, turning off 
password auth, and fail2ban. You can also think about what happens after a 
service is compromised and try to sandbox it from affecting the rest of the 
system with something like SELinux, AppArmor, or grsecurity.

Gentoo and RHEL family distros tend to have good SELinux support.

Gentoo and (I think) Debian have done work on enabling gcc hardening 
options.

Best of luck,
Jack
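
An added example, not part of Jack's message: one way to check that "turning off password auth" really took effect in an OpenSSH `sshd_config`, where the first value sshd obtains for a keyword wins and a later `Match` block can switch it back on. The function name, the sample config and the two audited keywords are choices made for this sketch; `Include` files are not followed.

```python
import re

# Upstream OpenSSH defaults for the audited keywords (assumption: the distro
# package has not changed them at build time).
DEFAULTS = {"passwordauthentication": "yes", "kbdinteractiveauthentication": "yes"}
# Deprecated alias that sshd still accepts for KbdInteractiveAuthentication.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

SAMPLE = """\
# constructed example, not taken from a real host
Port 22
PasswordAuthentication no
ChallengeResponseAuthentication yes
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
"""


def audit_sshd_config(text):
    """Return (effective global settings, findings) for password-style auth."""
    effective, findings, match_ctx = {}, [], None  # match_ctx None = global section
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            match_ctx = value  # following lines apply only to this criterion
            continue
        key = ALIASES.get(key, key)
        if key not in DEFAULTS:
            continue
        value = value.split()[0].lower() if value else ""
        if match_ctx is None:
            # sshd uses the first value it obtains; later global repeats are ignored.
            if key in effective:
                findings.append(f"line {lineno}: {key} repeated, sshd keeps '{effective[key]}'")
            else:
                effective[key] = value
        elif value == "yes":
            findings.append(f"line {lineno}: {key} re-enabled for 'Match {match_ctx}'")
    for key, default in DEFAULTS.items():
        if effective.setdefault(key, default) == "yes":
            findings.append(f"global: {key} is yes")
    return effective, findings


if __name__ == "__main__":
    print("\n".join(audit_sshd_config(SAMPLE)[1]))
```

An empty findings list means password and keyboard-interactive logins are off globally and in every `Match` block; `sshd -T` on the host prints the configuration sshd itself resolves, for comparison.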

