-
I'm wondering what Linux distributions would be most secure or least affected by a massive cyber-war. If there was ongoing cyber-war that targeted banks and other critical infrastructure, so much so that people would be left with no money and possibly unable to heat their homes for months, what Linux distribution would survive the best under those circumstances? I've been using Ubuntu, but if Canonical has to cut its workforce substantially then they might not push out the fastest security patches and updates, which would be critical in that kind of environment. I was thinking Arch Linux might be better suited, because it's more community driven and rolling release.
I want to know because if large websites go down, then we (Server Admins) will need to be there to supply critical cyber infrastructure to those who can still get on the Internet. Lines of communication are always key in wars.
Paging admins @gabriel @alex @graf @tyler @matty @Big_Diggity @parker @Lance
-
@p @tyler @Lance @gabriel @matty @parker @graf @Aldis @Big_Diggity A lot of admins here don't care for containers (understandable, they're complex, and complexity often invites security issues), but there's a reason they're getting so popular. Podman allows running containers in userspace and has an emphasis on security, unlike Docker. It can be set to run containers on startup, and all the Linux system capabilities (SYSCAP) can be tweaked or taken away from a given container as needed. The book Podman in Action is a good intro to how it works.
So if you want a reasonably "secure system" with some measure of defense in depth, you might consider a tiny OS whose only purpose is to run containers and have a proxy like Nginx as the frontend to forward requests by hostname to their respective container ports. The downside is the hassle to configure it all... Better take good notes when setting things up.
(Of course, Podman is also owned by Red Hat/IBM, who decided this past week to go scorched earth on anyone who doesn't pay them, so that's worth keeping in mind too.)
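An added example (not code from the thread or from the Podman project) of the setup described above: one rootless container with every capability dropped, registered as a user systemd unit so it restarts on boot, and fronted by an Nginx server block that forwards by hostname. The service name, image and ports are placeholders.

```shell
#!/bin/sh
# Added example (not the thread's code): one rootless Podman service run with
# least privilege, reachable only through an Nginx front end on the host.
NAME=web                      # placeholder service name
IMAGE=localhost/myapp:latest  # placeholder image, app listens on 8080 inside
HOST_PORT=8081

# hardened_run_args NAME IMAGE HOST_PORT: rootless user namespace, every
# capability dropped (the app binds an unprivileged port, so it needs none),
# no setuid escalation, read-only root filesystem, port published on loopback only.
hardened_run_args() {
  printf '%s ' \
    --name "$1" --detach --userns=keep-id \
    --cap-drop=ALL \
    --security-opt=no-new-privileges \
    --read-only --tmpfs /tmp --tmpfs /run \
    --publish "127.0.0.1:$3:8080" "$2"
}

# nginx_vhost HOSTNAME HOST_PORT: server block forwarding one hostname to
# its container's loopback port (Nginx itself stays on the host).
nginx_vhost() {
  cat <<EOF
server {
    listen 80;
    server_name $1;
    location / {
        proxy_pass http://127.0.0.1:$2;
        proxy_set_header Host \$host;
    }
}
EOF
}

# deploy: start the container, then register it as a user systemd unit so it
# comes back after a reboot without anyone logging in (enable-linger).
# Podman 4.4+ prefers Quadlet unit files over "podman generate systemd".
deploy() {
  # word-splitting of the generated flags is intended
  podman run $(hardened_run_args "$NAME" "$IMAGE" "$HOST_PORT")
  mkdir -p ~/.config/systemd/user
  (cd ~/.config/systemd/user && podman generate systemd --new --files --name "$NAME")
  systemctl --user daemon-reload
  systemctl --user enable --now "container-$NAME.service"
  loginctl enable-linger "$USER"
}

if [ "${1:-}" = deploy ]; then deploy; fi
```

Run it as `sh deploy.sh deploy` as the unprivileged service user; the `nginx_vhost` output goes into the host's Nginx configuration, which is the only part that needs root.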
-
@Aldis @gabriel @graf @tyler @matty @Big_Diggity @parker @Lance
> what Linux distribution would survive the best under those circumstances?
It's style of operation, not distro. "Principle of Least Access" (take advantage of user- and process-segmentation to make sure that programs can't exceed their station, and don't give anyone access to the box unless they need it, and don't give them more access than they need), good monitoring (so you can see when something bad happens), relevant alerts (either it's important or you shouldn't be alerted), doesn't hurt to know how to do a bit of numerical analysis (rolling averages and standard deviation). Don't be a bigger target than you have to be: don't keep data you don't need. More moving parts means a bigger surface which means more holes: have as few holes as possible by installing as little as you can. Figure out the threat model, figure out what you need, gut everything else without mercy (it's a server, not a dev box or a desktop machine), and then make sure you understand everything that you have left on the box. What's doing disk I/O in the middle of the night? You should know if something is and you should know what triggers it to do disk I/O and you should know what it means if it's doing disk I/O in the middle of the night. nmap your own box to see exactly what's open and what people can see from the outside.
So, "what distro?" is the wrong question. Whatever distro fits that model is the right distro, but no distro is going to do your thinking for you, and it's never going to be great out of the box unless you roll your own box.
That having been said, I'd avoid Ubuntu/Debian/etc. but a lot of sysadmins like it: it ships without things I need (strace, iotop, iftop, a lot of network diagnostics tools) and then ships a bunch of things I don't need or want (which are potential holes at best and liabilities at worst). Ubuntu specifically doesn't give you a lot of flexibility in terms of what actually gets installed, so you have to spend more time gutting bullshit. If you are drawing a big corporate salary to run a farm of boxes, maybe you can afford the time to analyze all the packages and bash out ansible scripts; I don't work as a sysadmin so I just go with whatever doesn't do anything I don't expect. FSE runs on Slackware and CRUX (but will run on Plan 9 before it turns five). I hear very good things about OpenBSD and Theo's cool but I have not used his operating system.
> I want to know because if large websites go down, then we (Server Admins) will need to be there to supply critical cyber infrastructure to those who can still get on the Internet.
I don't know how likely that is to happen, but if Secret Hackers hit Amazon, that's not just a lot of big sites, it's also most mobile apps and a big chunk of fedi is on EC2.
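The rolling-average and standard-deviation check mentioned above, as an added example that is not part of the post: it flags a sample that sits far from the mean of the preceding window, the kind of test you would run over a disk-I/O counter to catch activity in the middle of the night. The sample series is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): flag metric samples that sit far from
# the rolling mean of the preceding window, i.e. the "rolling averages and
# standard deviation" check applied to something like night-time disk I/O.

# Constructed sample: hourly MB written, with one spike at 03:00.
SAMPLES='00:00 12
01:00 9
02:00 11
03:00 240
04:00 10
05:00 13'

# zscore_alerts WINDOW THRESHOLD  (reads "time value" lines on stdin)
# Prints "ALERT time value z=..." when a value lies more than THRESHOLD
# standard deviations from the mean of the previous WINDOW samples.
zscore_alerts() {
  awk -v win="$1" -v thr="$2" '
  { t[NR] = $1; v[NR] = $2 }
  NR > win {
    sum = 0; sq = 0
    for (i = NR - win; i < NR; i++) { sum += v[i]; sq += v[i] * v[i] }
    mean = sum / win
    var = sq / win - mean * mean
    sd = (var > 0) ? sqrt(var) : 0
    # flat baseline (sd == 0): any change is an alert, an exact match is not
    if (sd > 0) z = (v[NR] - mean) / sd; else z = (v[NR] == mean) ? 0 : thr + 1
    if (z > thr || -z > thr) printf "ALERT %s %s z=%.1f\n", t[NR], v[NR], z
  }'
}

printf '%s\n' "$SAMPLES" | zscore_alerts 3 3
```

A window of three samples is only for the demonstration; the baseline should cover at least a full day or week of the metric's normal rhythm before the threshold means anything, and the spike itself then pollutes the next few windows, which is why the 04:00 and 05:00 values look "normal" here.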
-
@victor @Aldis @Big_Diggity @Lance @gabriel @graf @parker @tyler
> but there's a reason they're getting so popular
"If it works on your machine, you can just send people your machine. Let's give up on reliable builds. The OS is so balky and the libraries are so fragile and nothing is self-contained so we may as well put another OS in the OS. At least the kernel's stable." Tack on a ridiculous hype train and that's the reason people are spinning up EC2 instances (a container that Amazon provides in the form of a VM) and then using it to run cgroups-based containers, 99% of the use-case being equivalent to a chroot but with a routing table and a bunch of unreproducible blobs (often of unknown provenance), hardly ever useful and almost never necessary given that process- and user-isolation have been present in Unix since almost the beginning and if I keep going, I will end up pissing everyone off, so I won't. If you are spinning up single-purpose VMs, you don't need containers: it's in a container.
:ken: "We have persistent objects. They're called 'files'." :kenbw:
Anyway, I haven't heard of Podman but checking out their repo required 244MB of space to check out, it was developed at and is owned by RedHat, and podman.io advertises a coloring book. The last item in that list gives a strong hint about who this software is designed for.