Since distro recs are offtopic, here's a distro configuration that is
extremely secure, but enough work that you'll avoid it until all other
defenses have been breached. It has the advantage of detecting a
class of attacks that are not yet publicly known.
It's easier to describe than build, but it can be done and I've built
a web hosting farm with this configuration. Quick summary and I'll
follow up with details if people care to know more.
-- Use StackGuard (or similar) for network-facing apps,
http://immunix.org
-- Use a LIDS-enabled kernel, with detailed file-access rules that
define what *every* network-facing application can *do* (i.e. read,
write, execute) to any part of the filesystem, including rights
inheritance levels
-- Follow normal system hardening practices, e.g. bastille, iptables,
etc.
-- When you have a stable configuration, create a bootable CD-ROM
image based on the working distro layout. Define a boot sequence to
delete high-risk files after successful boot. For single-purpose
servers (e.g. reverse-proxy SSL front-end web servers), you can go as
far as deleting the shell.
-- Install a PXE-bootable network card in the public-facing servers,
connected to a private network with a TFTP server that will serve the
bootable ISO image prepared above. This private network need have no
other servers and the TFTP server need have no other services.
-- Configure LIDS on the bootable CD image to automatically reboot the
machine in case of anonmalous behavior detection. This will take
quite a bit of testing to get right, and is most practical in
single-purpose servers (e.g. web front end reverse proxy). But once
done, any unusual behavior (e.g. triggered by an attack) will cause
the machine to reboot (after appropriate intrusion logging of course,
to a separate server). After reboot, your public-facing server will
re-download a fresh boot image from the TFTP server. It will still be
vulnerable to the recent attack, but the attack will be detected,
interrupted and logged.
Probably more than you wanted, but good to file for future reference.
All references used to create the above configuration are posted at
http://datadmins.com , which is currently down, but in the Google
cache. It does work. If you combine this configuration with
client-side SSL certificates, you have one of the most secure Linux
configurations outside of IPSEC.
--
Rich Persaud | weblog > http://dotpeople.com