Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Server distribution

1 view
Skip to first unread message

Danny Meier

unread,
Nov 16, 2003, 4:49:32 PM11/16/03
to
Hi

I would to install Linux on my server.
The major task will be webhosting.
Apache, php, perl, mysql, gd, ... mailserver and bind

Now, which distribution ist the securest, stablest and "best"?

A lot of people say Debian is the best choice.
What are the advantages from Debian to any others?
Like SuSe, RedHat, Mandrakem, ...?

Support Linux RAID 0 IDE Systems without, a lot of trouble :) ?

Greets
Danny Meier

----------------------------------------------------------------------

Hi

Ich möchte demnächst einen Linux Server aufsetzten.
Er wird als Hosting Server verwendet, dass heisst, es kommt
Apache, PHP, Perl, MySQL, GD, ..., einen Mailserver und BIND drauf.

Nun welche Distribution ist für den vorgesehenen Anwendungszweck am
stabilsten und "besten"?

Meistens hört man ja von Debian, wo liegen da die Vorteile gegenüber
anderen Distries wie SuSe, RedHat, Mandrake und was es da noch gibt?

Wie sieht es mit RAID 0 Systemen aus werden die nahtlos von Linux
unterstützt oder wird es ein gebastel geben?

Freundliche Grüsse
Danny Meier

Joachim Ring

unread,
Nov 17, 2003, 4:10:47 PM11/17/03
to
> I would to install Linux on my server.
> The major task will be webhosting.
> Apache, php, perl, mysql, gd, ... mailserver and bind
>
> Now, which distribution ist the securest, stablest and "best"?

first of all, distribution advocacy is off-topic here...

> A lot of people say Debian is the best choice.
> What are the advantages from Debian to any others?
> Like SuSe, RedHat, Mandrakem, ...?

imo, debian is good for servers for the following reasons:

- slim default installation (you get only what you asked for)
- reasonably secure default setup
- bastille hardening script available (unlike most suse) to tighten up

> Support Linux RAID 0 IDE Systems without, a lot of trouble :) ?

depends on controller chip, some doing raid under windows won't under
linux due to manufacturer docs policy. software raid should work
anyways...

joachim

Rich Persaud

unread,
Nov 24, 2003, 8:59:31 PM11/24/03
to
Danny Meier <dan...@swissonline.ch> wrote in message news:<1s0j3uvaq2q66.1ecqonu0gc1h8$.d...@40tude.net>...

> I would to install Linux on my server.
> The major task will be webhosting.
> Apache, php, perl, mysql, gd, ... mailserver and bind
>
> Now, which distribution ist the securest, stablest and "best"?

Since distro recs are offtopic, here's a distro configuration that is
extremely secure, but enough work that you'll avoid it until all other
defenses have been breached. It has the advantage of detecting a
class of attacks that are not yet publicly known.

It's easier to describe than build, but it can be done and I've built
a web hosting farm with this configuration. Quick summary and I'll
follow up with details if people care to know more.

-- Use StackGuard (or similar) for network-facing apps,
http://immunix.org

-- Use a LIDS-enabled kernel, with detailed file-access rules that
define what *every* network-facing application can *do* (i.e. read,
write, execute) to any part of the filesystem, including rights
inheritance levels

-- Follow normal system hardening practices, e.g. bastille, iptables,
etc.

-- When you have a stable configuration, create a bootable CD-ROM
image based on the working distro layout. Define a boot sequence to
delete high-risk files after successful boot. For single-purpose
servers (e.g. reverse-proxy SSL front-end web servers), you can go as
far as deleting the shell.

-- Install a PXE-bootable network card in the public-facing servers,
connected to a private network with a TFTP server that will serve the
bootable ISO image prepared above. This private network need have no
other servers and the TFTP server need have no other services.

-- Configure LIDS on the bootable CD image to automatically reboot the
machine in case of anonmalous behavior detection. This will take
quite a bit of testing to get right, and is most practical in
single-purpose servers (e.g. web front end reverse proxy). But once
done, any unusual behavior (e.g. triggered by an attack) will cause
the machine to reboot (after appropriate intrusion logging of course,
to a separate server). After reboot, your public-facing server will
re-download a fresh boot image from the TFTP server. It will still be
vulnerable to the recent attack, but the attack will be detected,
interrupted and logged.


Probably more than you wanted, but good to file for future reference.
All references used to create the above configuration are posted at
http://datadmins.com , which is currently down, but in the Google
cache. It does work. If you combine this configuration with
client-side SSL certificates, you have one of the most secure Linux
configurations outside of IPSEC.

--
Rich Persaud | weblog > http://dotpeople.com

0 new messages