- 10-06-2008 #1 Just Joined!
- Join Date
- Oct 2008
- Location
- Argentina
- Posts
- 4
Choosing the right distribution for a very secure webserver
Hi everybody,
I want to build up a small but very secure "production-style" webserver box. My idea is to start with an old computer (say a PII or the like) and put a very solid, stable and reliable server on a similarly solid OS platform. Which server I know for certain: Apache Tomcat. The problem is with the OS... I'm pretty sure that there must be some Linux flavor that fulfils the task perfectly. But the question is... which one?
I need your comments! If you point to this or that distribution, please explain WHY you'd recommend it.
Thanks in advance!
yours,
shandrio
- 10-06-2008 #2
Welcome to the forums!
All major distributions are safe and solid, and in most cases it is very easy to install Apache, MySQL, PHP, etc. Have you used Linux before?
You could also go for BSD; its developers are supposed to be more "paranoid" (in the good sense of the word) than the ones of Linux. The con to BSD, though, is that it has fewer users, so it will probably be more difficult to get help for any issue you'll face.
- 10-07-2008 #3
The problem with security is that you are always going to be taking someone else's word for it. If you want to be REALLY secure, look into Linux From Scratch. You can audit all source code (though all GNU software, as well as Apache (and some others; the OpenBSD stuff like OpenSSH is well known to be secure), is usually taken as secure.)
But this takes a lot of work. If you're looking for an easy route, I'd go with CentOS, and monitor RHEL for any security warnings, and adjust as proper. But any secure program can be completely undone by an ignorant admin, so make sure to think in a security mindset at all times.
New to the internet, technical forums, or the hacker / open source community??
Read this to learn good posting habits http://www.catb.org/~esr/faqs/smart-questions.html
RHCE for RHEL version 5
RHCT for RHEL version 4
- 10-07-2008 #4 Just Joined!
- Join Date
- Oct 2008
- Location
- Argentina
- Posts
- 4
Thank you! And yes, I've been using Linux for quite a long time. I started with Red Hat 5 through 8, later Mandrake, and now I'm trying the new boom: Ubuntu. I like what you say about the "paranoid" programmers of BSD. I'm quite one myself! What about security updates? Is BSD always up-to-date?
Auditing Linux code seems like something "extreme" to me. I remember I once downloaded the source code of the kernel and just tried to read some for the fun of it.
Oh my god... I never thought that C could actually even be written that way! haha
Forget about that. Perhaps I'd dare look into some most-probably-insecure routines of some HTTP connection code, looking for probable buffer overflows or the like. But once again... is it worth the effort? Probably you'll always end up, like you correctly said, just having to trust somebody else's word.
I've never heard of CentOS nor RHEL, so I have some homework to do... find out more about them.
Finally, I agree completely with your last statement. You could eventually have an almost-perfectly secure system... but if you administer it badly, it's all worth nothing!
Thank you both for your feedback!
- 10-07-2008 #5
Well, in order to evaluate something on security you have to look at where the most break-ins occur. And in the world of GNU/Linux and *BSD, it is very rarely a hole in the core system that gets exploited.
It is stuff like stupid obvious passwords, widely opened PHP scripts or insane file permissions that get boxes rooted on a daily basis.
I've been using Debian Stable on my servers for years. They deliver security updates in a timely manner and the software is configured to sane defaults. But none of this would help me if I were to do ONE single stupidity, like installing PHP scripts somebody anonymous had written.
You may shake your head now, but go to some random defacement site to see how independent of the OS the statistics are. (The market share of server OSes taken into account, of course.)
Debian GNU/Linux -- You know you want it.
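The post above puts the blame on weak passwords, untrusted PHP scripts and bad file permissions rather than on holes in the base OS. As an added example (not code from any poster in this thread), here is a small POSIX shell audit of a web root that lists the permission problems a defender would look for first: world-writable entries, content not owned by the expected deploy account, and setuid/setgid files. The web root path, the owner argument and the sample usage names are illustrative assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example: quick permission audit of a web root. Not code from this thread.
# Assumptions (illustrative): the web root and the expected owning account are
# passed as arguments, and the account the web server runs as must NOT own the content.

audit_webroot() {
    root="$1"
    owner="${2:-root}"   # deploy/owner account; defaults to root when not given

    {
        # 1. World-writable entries (permission bit 002); symlinks skipped. Any local
        #    account, including a compromised web-app user, could replace these.
        find "$root" ! -type l -perm -002 -exec echo "WORLD-WRITABLE:" {} \;

        # 2. Entries not owned by the expected account. Content writable by the web
        #    server's own user turns a single script bug into a persistent defacement.
        find "$root" ! -type l ! -user "$owner" -exec echo "UNEXPECTED-OWNER:" {} \;

        # 3. Setuid (4000) or setgid (2000) regular files: never expected under a web root.
        find "$root" -type f \( -perm -4000 -o -perm -2000 \) \
            -exec echo "SETUID-SETGID:" {} \;
    } 2>/dev/null
}

# Number of findings for a tree; 0 means nothing was flagged. awk always exits 0,
# so this stays safe under 'set -e' even when there are no findings at all.
audit_count() {
    audit_webroot "$1" "$2" | awk 'END { print NR }'
}

# Run directly, e.g.:  sh audit.sh /var/www www-deploy   (hypothetical path and account)
if [ -n "${1:-}" ]; then
    audit_webroot "$1" "${2:-root}"
    printf 'findings: %s\n' "$(audit_count "$1" "${2:-root}")"
fi
```

Run it after every deployment, not just once: a package upgrade or a careless `chmod -R 777` to "fix" an upload directory is exactly the kind of admin mistake the posters above describe, and a non-zero count is a cheap way to catch it before anyone else does.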
- 10-07-2008 #6
RHEL is Red Hat Enterprise Linux. CentOS is a recompile of RHEL, basically RHEL without the brand name of Red Hat and its support.
- 10-10-2008 #7 Just Joined!
- Join Date
- Oct 2008
- Location
- Argentina
- Posts
- 4
Thanks GNU-Fan for your recommendation!
And L4Linux... I've used RHL for quite some time. I can't believe I didn't realize the acronym!
RHEL is surely out of my reach since I don't have that much money to spend... but I'll sure investigate more about CentOS. It seems quite interesting. What about the updates? Does no support mean no updates too?
- 10-10-2008 #8 forum.guy
- Join Date
- May 2004
- Location
- arch linux
- Posts
- 18,733