Which Linux distro is most secure for a web server?

n00b_noob · 09-05-2020, 10:03 AM

Hello,
Which Linux distro is more secure by default for a web server? How about "OWL" distro? is it OK for web server?

Thank you.

Turbocapitalist · 09-05-2020, 10:08 AM

Secure as per which definition? What you would probably want would be to have the least moving parts possible, because if it is not there it can't break. As such some of the server editions of popular distros would be a good choice. Most have the minimal possible number of packages pre-installed and you then add whatever you need but only what you need.

DavidMcCann · 09-05-2020, 10:24 AM

Every year there's a survey of web-servers. Of those that will show what they're running, the most popular are Debian Stable and CentOS. The CentOS full installation disk has a web-server option, so that you only get what you need.

boughtonp · 09-05-2020, 10:31 AM

Most servers I've used have been CentOS, or another RHEL-based distro.

I hadn't heard of OWL, so I searched "OWL linux" and Openwall GNU/*/Linux came up.

This is from the front page:

Quote:

Openwall GNU/*/Linux (or Owl for short) is a small security-enhanced Linux distribution for servers, appliances, and virtual appliances.
...
Owl 3.0 was released in December 2010. It uses a RHEL 5.5-based Linux/OpenVZ kernel and it has optional OpenVZ container-based virtualization integrated. We've since updated to RHEL 5.11-based Linux/OpenVZ kernels and beyond in Owl 3.1-stable.
...
At this time, we barely maintain Owl[/b], fixing only the most critical vulnerabilities. [b]Owl's future is unclear.

Centos/RHEL are currently at v8. RHEL v5.11 is not supported, except by people who pay Red Hat for extended support, and even then only until November this year.

So probably best to avoid Owl.

n00b_noob · 09-05-2020, 11:01 AM

I asked about OWL because it is a customized Distro. any similar distro?

boughtonp · 09-05-2020, 11:24 AM

Do you have a reason to not use CentOS?

If so, I'm pretty sure distrowatch.com will have a way to list all server-focused distros.

pan64 · 09-05-2020, 11:38 AM

it was already explained several times: security mainly depends on the maintainer and the configuration, not on the distro or software.
Do not expect any distro will work for you without human intervention.

n00b_noob · 09-05-2020, 12:42 PM

Thank you.
I don't know it is right or wrong but some of customized Linux distro embedded security applications or using modified Kernel.

Turbocapitalist · 09-05-2020, 01:34 PM

If you're using WordPress or Drupal or any other CMS, your vulnerabilities are going to be there. That is where the complexity is and that is combined with the exposed surface. If you can, use a static site generator instead. But if you can't, then stay on top of the latest security patches for your chosen CMS.

ondoho · 09-05-2020, 03:22 PM

^ An important aspect: your server software can be ultra "secure", if you use a badly configured vulnerable CMS something can still pwn your webroot. Maybe not the rest of the system, but all clients can get phished regardless.

Quote:

Originally Posted by n00b_noob

I don't know it is right or wrong but some of customized Linux distro embedded security applications or using modified Kernel.

"More security apps" does not mean "more secure", whatever your definition of "secure" is (you still haven't told us).

n00b_noob · 09-06-2020, 06:44 AM

Quote:

Originally Posted by ondoho

^ An important aspect: your server software can be ultra "secure", if you use a badly configured vulnerable CMS something can still pwn your webroot. Maybe not the rest of the system, but all clients can get phished regardless.

"More security apps" does not mean "more secure", whatever your definition of "secure" is (you still haven't told us).

Definition of Security? My server doesn't hack by a Script kiddie.

wpeckham · 09-06-2020, 07:45 AM

All of the above posts were reasonable
If I may add, it depends upon what it is you are trying to secure!
Do you mean in terms of being difficult to break into, in terms of protesting your network, protecting your data, protecting your code...?

One option is a container based distribution. If your web server runs in a container, perhaps a full distro container, then it can be more isolated from both the host and the rest of your network.

Do not forget generational full and incremental backups that allow you a point-in-time recovery and restoration to secure your operation, if that matters.

ondoho · 09-06-2020, 03:27 PM

Quote:

Originally Posted by n00b_noob

Definition of Security? My server doesn't hack by a Script kiddie.

No, that's not a definition of Security, that's just what you want to prevent.
It's like saying "My definiton of secure driving is that no accidents happen".
We are asking this for a reason, not to annoy you or to appear mystically superior.
Read some of the links offered to you in the various threads this came up, you'll soon understand.

berndbausch · 09-06-2020, 07:06 PM

Quote:

Originally Posted by n00b_noob

Which Linux distro is more secure by default for a web server?

OpenBSD. Not exactly Linux, but not THAT different either.

Plus:

Watch security advisories
Install patches
Use a firewall and an IDS
Disable all services and accounts you don't need
Watch log files (see also number 3)
Other security practices

ondoho · 09-07-2020, 01:26 PM

Quote:

Originally Posted by ondoho

Read some of the links offered to you in the various threads this came up, you'll soon understand.

To be fair, nobody has bothered to link anything like that in any of your threads afaics, although I'm sure LQ already has various very similar threads that do contain the information you seek.
Anyhow, 2 searches to get you started:
https://duckduckgo.com/?q=which+linu...r+a+web+server
https://duckduckgo.com/?q=how+to+sec...nux+web+server