[TriLUG] Distro recommendation for secure hosting
Jack Hill
jackhill at jackhill.us
Sat Dec 13 09:48:49 EST 2014
On Sat, 13 Dec 2014, Hariharan Gopalan wrote:
> Hello Group
>
> I host a couple of linux boxes with Tranquil Hosting and having a tough
> time keeping away hackers. I tried everything for hardening the various
> ubuntu versions, but nothing seems to work. Was searching for a secure
> distribution, and wanted to check with the group if anyone had any
> recommendations?

Hi Hari,

Unfortunately, I fear that just switching distros may not be a magic
bullet. Can you tell us a little bit more about your current setup? What
sort of attacks are you seeing? What services are you running? What is your
update policy? What hardening have you tried?

In general, I would start by reducing your attack surface (e.g. by having
a restrictive firewall, reducing the number of services you run). After
that, you want to reduce the chance that the services that are exposed
become compromised. A good start is making sure you keep on top of
updates. You can also build with some compiler hardening features such as
stack smashing protection. There also may be service-specific ways to make
it more difficult for attackers such as mod_qos for Apache, turning off
password auth, and fail2ban. You can also think about what happens after a
service is compromised and try to sandbox it from affecting the rest of the
system with something like SELinux, AppArmor, or grsecurity.

Gentoo and RHEL family distros tend to have good SELinux support.
Gentoo and (I think) Debian have done work on enabling gcc hardening
options.

Best of luck,
Jack
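
One way to check the "turning off password auth" step mentioned in the message above, as an added example that is not part of the original post: a small auditor that reports every scope of an sshd_config in which password logins are still in effect. The sample config and the function names are constructed for illustration, and Include directives are not followed.

```python
# Added example (not from the original message): find where an sshd_config
# still allows password logins. SAMPLE_CONFIG is constructed for illustration.
SAMPLE_CONFIG = """\
Port 22
passwordauthentication no
PasswordAuthentication yes
PermitRootLogin no

Match User backup
    PasswordAuthentication yes

Match Address 10.0.0.0/8
    X11Forwarding no
"""

KEY = "passwordauthentication"  # keywords are case-insensitive
DEFAULT = "yes"                 # OpenSSH default when the keyword is never set


def parse_scopes(text):
    """Split config text into [(scope_name, {keyword: value})], global first."""
    scopes = [("global", {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            # every following line belongs to this block until the next Match
            scopes.append(("Match " + value, {}))
        else:
            # sshd keeps the first value it sees for a keyword in each scope
            scopes[-1][1].setdefault(keyword, value)
    return scopes


def password_login_scopes(text):
    """Return the scopes in which password authentication is in effect."""
    scopes = parse_scopes(text)
    enabled = []
    # the global scope falls back to the built-in default
    if scopes[0][1].get(KEY, DEFAULT) != "no":
        enabled.append("global")
    # a Match block only overrides the setting if it names the keyword;
    # anything other than an explicit "no" is treated as enabled
    for name, settings in scopes[1:]:
        if KEY in settings and settings[KEY] != "no":
            enabled.append(name)
    return enabled


if __name__ == "__main__":
    for scope in password_login_scopes(SAMPLE_CONFIG):
        print("password auth enabled in:", scope)
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check; the parser above is for reviewing config files offline.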