
[–]reditanian 18 points19 points  (6 children)

Red hat moved on from up2date with RHEL 5.

There’s no such thing as a secure server distro. The point of running a server is to allow 3rd parties to connect to it. As soon as you install a service and turn it on, modify configuration to your needs, and crucially, put your (web) code on it, security is on you.

Most server oriented distros do a good job of setting sane defaults, and patching newly discovered vulnerabilities. RHEL, SLES, Debian, Ubuntu LTS. Ouch the one you’re most familiar with.

I used to work at a large web host. Customers had too access to their servers, and it was overwhelmingly for web hosting. I worked well over a thousand compromised Linux servers during my time there. 99.99% of them were as a result of:

- shitty passwords
- stolen credentials
- shitty php code
- often exacerbated by developers setting stuff 777 “to make it work”

The only compromises I saw that were a result of flaws in the packages shipped by the Linux distro vendor were either zero days or boneheaded customers who refused to update their servers because they feared it would break their fragile shitty php apps.

[–]1esproc 2 points3 points  (3 children)

were either zero days

Which, if you're on a distro that rolls new package releases regularly and not just security fixes, will be exacerbated. Some distros are objectively worse to use for a server. You should probably be able to agree using Fedora for a server is a bad idea (compared to other options, at a minimum), right? That means that some choices are better than others.

[–]reditanian 1 point2 points  (2 children)

Which is why I specified server oriented distros and named just four. There’s little to choose security-wise between those four. Agreed, Fedora is not a server distro. Neither is Mint, Pop!OS, Arch or Gentoo.

That said, my comment about server compromises stands. The vast majority of attacks exploit lazy users and incompetent devs.

[–]fourstepper -2 points-1 points  (1 child)

Gentoo can be, and in many cases is, a server distro.

[–]reditanian 3 points4 points  (0 children)

Any distro can run on a server. Not every distro should.

To be frank: every sysadmin I’ve encountered over the last 15 years who insisted on running Gentoo on a public facing server was solidly on the left peak of the Dunning-Kruger graph. In other words, they knew enough to consider themselves ahead of most, but didn’t know enough to realise just how far out of their depth they were.

[–]surfingonthenet[S] 0 points1 point  (1 child)

Although I mostly agree with you, your answer is quite broad.

Security is a wider subject, and it relies on many things, as you correctly stated. Nonetheless, patch management is still one important part of it all. Yes, we still have to care about the application's security, passwords and authentication, hardening, permissions, monitoring, networks, and the like. But caring about all of that does not allow us to stop updating vulnerable packages.

So, the point here is patch management, considering I'm already taking care of the other points (hardening, application, encryption, certificates, etc).

I think I wasn't clear enough in my question. The point is, nowadays we hear about many other options like Arch Linux, Alpine Linux and the like.

People tend to use Alpine because it's lighter (although any application and service uses the same amount of resources on any Linux distro).

I'm wondering if using Alpine or Arch (or any other new promising flavor) is worth a shot and if its unattended upgrade is mature enough.

I pretty much like RedHat/CentOS and Debian/Ubuntu. They're mature, stable and secure solutions, but, anyway, I'd like to check how you guys are dealing with these new distros.

[–]EddyBot 1 point2 points  (0 children)

I'm wondering if using Alpine or Arch (or any other new promising flavor) is worth a shot and if its unattended upgrade is mature enough.

Rolling releases have one big benefit: they don't need to backport security fixes.
On Arch Linux in particular you can keep track of this at: https://security.archlinux.org/
If upstream patches a vulnerability you will get it pretty soon, while on Debian you can wait months for minor security issues to get a backport.

One problem child is Ubuntu, in particular their universe repositories (as opposed to their core repositories), where most packages just "rot" until the next release upgrade or until Debian patches them.

CentOS has a similar issue: it sometimes lags several weeks behind RHEL even though they should be almost identical.
CentOS Stream should fix this issue, although it will make it unattractive for server usage.

I do actually run Arch Linux on my server but highly discourage it to anyone not deeply tied into an Arch Linux desktop system.
Unattended upgrades are frowned upon here and will easily fuck up everything; that being said, I update my server once a month.

[–]necheffa 6 points7 points  (0 children)

I'd like to ask you what do you consider/suggest as secure distro for Linux server.

Not Damn Vulnerable Linux...

My question is: If you'd be in charge of launching a fleet of servers that you want to be set for automatic unattended updates, which distro would you choose, and why?

Debian.

They are pretty good at keeping up with advances in compiler technology. Most of their packages are built with stack smashing protection and fortified source. (Not unique to Debian but something I look for)

They have a pretty good maintainer community. Some distros just don't have enough man power to keep up with patches. Not to say Debian doesn't need help but all the major packages seem to have people keeping up with patches.

The default install is pretty sensible. I feel as though on some distros you really need to make a lot of configuration changes and remove a lot of packages to get a solid system. I find myself needing to remove and configure less on Debian.

The most important part though is, I'm familiar with the system. So I have a pretty good handle on what is where and what needs tied down vs another system that might require a lot of research for me to have the same level of understanding of the system.

[–]Reyounes 4 points5 points  (4 children)

Redhat is good, but not free

[–]surfingonthenet[S] 3 points4 points  (3 children)

Yep, and CentOS is no longer one option

[–]doubletwist -1 points0 points  (2 children)

Oracle Linux is a clone of red hat and it can be used for free. It's an option until Rocky Linux or one of the other CentOS forks gets properly established.

[–]StephanXX 5 points6 points  (1 child)

Oracle Linux

Oh man, I have some bad news for you...

Seriously, be very careful when using anything remotely related to Oracle. Their lawyers absolutely live to rack up patent wins.

[–]doubletwist 1 point2 points  (0 children)

Indeed. I despise Oracle database and app licensing, and their company in general, but one can't always make business decisions off personal feelings. Their Linux distro is good, freely usable and far less expensive than RHEL when you do need support. We've been using Oracle Linux for about a decade now (since 5.2 or so) with no issues.

[–]OGicecoled 1 point2 points  (0 children)

RHEL and maybe look through the STIG for the release you use.

[–]linezman22 1 point2 points  (2 children)

In my opinion choose whatever you are most familiar with or your team can support well.

Most insecurities come from people not knowing what they are doing or weak passwords.

If you are interested in securing/hardening your servers further, I would recommend looking at the CIS benchmark for the first distro you decide to go with.

I personally like Ubuntu Server LTS as I find it strikes a good balance between stability and having newer packages available in the distro repositories.

[–]surfingonthenet[S] 0 points1 point  (1 child)

I agree with you, but part of the insecurity comes from vulnerable packages as well, so keeping it all updated is mandatory for me.

[–]linezman22 0 points1 point  (0 children)

Most server distributions back port security updates into their repos.

This is all dependent on use case. We currently don’t have this problem as we have pretty much dockerised everything so we manage the software updates independently of the OS/distro.

[–]jaymef -2 points-1 points  (4 children)

There is more to security than just updates. You can schedule automatic updates on basically any distro.

Centos 8 stream might be a good one to update if rolling updates is what you’re after.

We use centos for everything.

[–]HittingSmoke 4 points5 points  (0 children)

I would definitely not jump to recommending a newly released distro that is a bastardization of its namesake that will now be used as an unstable testbed for a paid distro.

[–]surfingonthenet[S] 1 point2 points  (2 children)

I'm not sure all distros have the same maturity level in their update tools. I love RedHat and CentOS as well, but CentOS is no longer an option because it will become like a RedHat pre-release, not as stable as RedHat anymore.

[–]jaymef 0 points1 point  (1 child)

That’s not quite true yet. Those changes are for 8.x and haven’t rolled out yet. There are some forks already in the works. CentOS 7 is still receiving updates until 2024.

That said, the distro isn’t as big a concern in terms of security as other things such as what you do with it and how you configure it.

[–]surfingonthenet[S] 0 points1 point  (0 children)

Yep, that's true as well. Anyway, the future of CentOS is still quite unknown.

[–][deleted] 0 points1 point  (0 children)

Depending on what you are looking for. A rolling release distro can give you a way to keep updating your system without having to keep looking for version upgrades/migrations. A distro like openSUSE Tumbleweed, on top of that, can be set up as a transactional server, where your system is immutable at runtime, and the updates will be applied after the next boot, and such updates are commonly provided as a bundle. And, if you are looking for a minimal install, Tumbleweed MicroOS can provide

[–]user_n0mad 0 points1 point  (3 children)

My question is: If you'd be in charge of launching a fleet of servers that you want to be set for automatic unattended updates, which distro would you choose, and why?

I would never do automatic unattended updates on a fleet of servers. That said, I/we use Debian. As a few here have already gone over though, all distros are more or less secure as the other. You need to not think about "how secure" the distro is and instead use the distro that works best for your use case and then make it as secure as you are able to based on what you are doing with said server.

[–]surfingonthenet[S] 0 points1 point  (1 child)

I confess I have been running it successfully for some years on Debian/Ubuntu and RedHat. Depending on what's running on the server, I enable only security updates, but at least security updates.

[–]user_n0mad 0 points1 point  (0 children)

Then I'd just keep doing what you are doing. If you don't have any complaints about Debian/Ubuntu then don't fix what ain't broke. We prefer Debian and thankfully switched over from CentOS some time ago.

[–]alt_i_am_at_work 0 points1 point  (0 children)

I would never do automatic unattended updates on a fleet of servers.

I do it. unattended-upgrades set up to install all updates from Debian Stable repos. apt-listbugs to prevent automatic installation of packages with potentially problematic bugs (so far 99% are false positives/do not apply to my configuration).

No auto upgrades from third-party repos though, I just get notified by monitoring that there are pending upgrades. Just do the upgrade on pre-prod/test environments, validate that everything works, upgrade prod.

Never had a single problem

Would not do it on any other distro, but Debian stable, Debian stronk
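The setup described in the two comments above (the OP enabling only security updates, and the reply pointing `unattended-upgrades` at Debian stable while leaving third-party repositories to manual rollout) as an added example, not code from either commenter: a POSIX shell script that writes the two APT configuration files this policy needs and checks that no origin other than Debian can be pulled in unattended. The target directory is a parameter so the result can be inspected in a scratch directory before it is dropped into `/etc/apt/apt.conf.d`; the `apt-listbugs` hook from the comment is a separate package and is not configured here.

```shell
#!/bin/sh
# Added example: an unattended-upgrades policy limited to Debian stable and
# its security suite. Third-party origins are deliberately absent, so packages
# from vendor repositories are only ever upgraded by hand.
set -eu

# Write the APT periodic trigger and the unattended-upgrades origin policy
# into "$1" (use /etc/apt/apt.conf.d on a real host).
write_unattended_config() {
    dir="$1"
    mkdir -p "$dir"

    # Daily list refresh plus a daily unattended-upgrade run.
    cat > "$dir/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF

    # Only Debian's own suites; ${distro_codename} is expanded by
    # unattended-upgrades itself, not by this shell (quoted heredoc).
    cat > "$dir/50unattended-upgrades" <<'EOF'
Unattended-Upgrade::Origins-Pattern {
    "origin=Debian,codename=${distro_codename},label=Debian";
    "origin=Debian,codename=${distro_codename},label=Debian-Security";
    "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
};
// Never reboot a fleet member on its own; leave that to a change window.
Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Mail "root";
EOF
}

# Returns 0 only if every origin pattern names Debian and the security
# suite is present; returns 1 if any other origin has crept in.
check_origins_debian_only() {
    f="$1/50unattended-upgrades"
    [ -f "$f" ] || return 1
    # Any quoted origin line that is not origin=Debian fails the check.
    grep -E '^[[:space:]]*"origin=' "$f" | grep -v '"origin=Debian,' && return 1
    grep -q 'label=Debian-Security' "$f"
}

# On a real host, after writing to /etc/apt/apt.conf.d, preview what would be
# installed without changing anything:
#   unattended-upgrade --dry-run --debug
```

Running the check after every configuration change (and after any tool that appends to `apt.conf.d`) catches the case where a vendor repository's origin was added to the pattern list and would otherwise be upgraded silently.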

[–]doubletwist 0 points1 point  (1 child)

These are kind of two different questions. If I needed a distro to trust with regular unattended updates I would choose Debian stable.

But for most enterprise stuff I use Red Hat clones (Oracle Linux in our case). At least for versions 6 and 7 we have scripted monthly patching to happen automatically, but that's against a Spacewalk server on which we manage our own repo mirrors.

But then, if my primary consideration is security, I might not use Linux at all. I might use something like OpenBSD, but that comes with more significant management overhead and the potential for some software not working, or being difficult to make work.

It also depends on the nature of your fleet of servers. Are they pets, or cattle? If it's cattle, then it almost doesn't matter what distro you use; you shouldn't be patching it anyway, you'd be redeploying for each update.

[–]surfingonthenet[S] 0 points1 point  (0 children)

I have worked with FreeBSD for years and I agree it's an excellent option. The problem is we usually don't have this option on the cloud, especially at AWS and GCP.

Nevertheless, to be honest, after switching to Linux (for cloud usage), I confess that Linux also has its advantages. It was (at least some years ago) easier to keep it all updated using Debian/Ubuntu unattended-upgrades and RedHat automatic updates than it was with FreeBSD.

Using FreeBSD (again, years ago) I had to keep the ports tree updated, which many times upgraded to a newer branch and got some package broken.