[TriLUG] Distro recommendation for secure hosting
Ken M
ken at mack-z.com
Sat Dec 13 10:22:02 EST 2014
Second to all of that. But to add to the distro question I will also mention I have had very good results with FreeBSD on the server side as well. Restrictive firewall, disallow remote root login, fail2ban. Also with bsd using jails for external services can be good.
Sent from my iPad
> On Dec 13, 2014, at 9:48 AM, Jack Hill <jackhill at jackhill.us> wrote:
>
>> On Sat, 13 Dec 2014, Hariharan Gopalan wrote:
>>
>> Hello Group
>>
>> I host a couple of linux boxes with Tranquil Hosting and having a tough
>> time keeping away hackers. I tried everything for hardening the various
>> ubuntu versions, but nothing seems to work. Was searching for a secure
>> distribution, and wanted to check with the group if anyone had any
>> recommendations?
>
> Hi Hari,
>
> Unfortunately, I fear that just switching distros may not be a magic bullet. Can you tell us a little bit more about your current setup? What sort of attacks are you seeing? What services are you running? What is you update policy? What hardening have you tried?
>
> In general, I would start by reducing your attack surface (e.g. by having a restrictive firewall, reducing the number of services you run). After that, you want to reduce that chance of the services that are exposed don't become compromised. A good start is making sure you keep on top of updates. You can also build with some compiler hardening features such as stack smashing protection. There also may be service specific ways to make it more difficult for attackers such as mod_qos for apache, turning off password auth, and fail2ban. You can also think about what happens after a service is comprised and try to sandbox it from affecting the rest of the system with something like SELinux, Apparmor, or grsecurity.
>
> Gentoo and RHEL family distros tend to have good SELinux support.
>
> Gentoo and (I think) Debian have done work on enabling gcc hardening options.
>
> Best of luck,
> Jack
> --
> This message was sent to: Ken M. <ken at mack-z.com>
> To unsubscribe, send a blank message to trilug-leave at trilug.org from that address.
> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> Unsubscribe or edit options on the web : http://www.trilug.org/mailman/options/trilug/ken%40mack-z.com
> Welcome to TriLUG: http://trilug.org/welcome
More information about the TriLUG
mailing list