Questions regarding security/stability on a server in a datacentre
 

Hello everyone.

I use Linux mainly on my desktop computers and as a local server.

But now I am planning to set up a server in a datacentre.
Which distribution aims at good stability and security ?
Would Debian 3.1 Sarge be a good idea ?

And what about security ?
What should I do / keep an eye on ?

Should I search for (or compile my own) kernel with PaX or GRsecurity patches ?

How about updating when there are security issues ?
When there is a new version of Apache (or Lighttpd) for example, I have to upgrade and restart the httpd service ?
And how about kernel security updates ?
I would have to reboot, right ?
But that won't be good for the uptime :(

I guess big webhosts do it by clustering, but I only have $ to put 1 server in a datacentre.

Thanks in advance!

I believe that some of the municipalities that have converted to linux have opted to roll their own debian based distro for the city rather than Licensing Red Hat or SuSE. However, they may have more people who can keep track of security upgrades and manually apply the patches that they need.

You will probably want to read a book on Linux Servers and hardening Linux before you even think of installing a server. For servers, less is better. They have much less installed on them then a desktop would. It is easier securing and maintaining a server that only offers one service. Most security updates won't even apply because you don't have that software installed, for one example. There will be less to keep track of in the logs, and you are able to do things like calculating the md5 sums of all of the programs and libraries before the server goes on line, and storing them on a CD if needed for reference later. This would be more difficult to track if you had a lot of software or services installed.

Red Hat servers use SELinux for security. SuSE supports it, but they offer App Armor as a easier to maintain alternative. This may be more of an issue if you have a large number of desktops running linux.

Yes, you would need to reboot after a kernel upgrade. You may also need to rebuild some kernel modules as well. Often, a server will have a custom built kernel. Such a kernel would be pruned of many of the modules that are in a stock kernel. But this could entail patching the source, and building the kernel on another machine. A secure server won't even have gcc installed, or it will be uninstalled after the server is built.

If you are responsible for this server, and you are the most familiar with Debian, I think it would be best to stick with what you know. You will have enough work to do planning exactly what packages are needed, how to keep up with patches, a backup/restore plan, and recovering from any failures.

I'm sure others on this site can provide you with better first hand advice. I would recommend drawing up a checklist of everything that you need to do before starting, and then keep a notebook recording everything that you do as you install the system.

Okay, thanks for the information!
More advice is always welcome, of course.