Every time I read something about Linux server hardening, I get more confused. We're lacking a clear and simple, modern guide on how to do things. I know, every setup is different, but there should at least be consensus for a fresh installation.
Also, do I really HAVE to change something so that it is secure? Isn't a Ubuntu server secure out of the box? With a strong, unique root password of course.
The problem is servers can be provisioned a number of ways:
* manually (like this guide)
* via CI/CD using tools like Packer
* cloned (e.g. CloneZilla, or a cloud snapshot)
* via configuration management (e.g. Puppet, Chef, Ansible, etc.)
* via other initialisation methods such as cloud-init
Aside from the manual option, there's no wrong way to do any of these. And some of these approaches complement some of the other approaches too. Many of these approaches will have a multitude of different solutions available that differ significantly in setup.
A lot of the time it boils down to preferences as much as it does best practices.
As for why servers aren't locked down more from the outset: some distros are. And there are images of popular distros that have been pre-hardened for you too. Ubuntu isn't the best for secure defaults, but its target audience is more diverse than RHEL's (Red Hat Enterprise Linux). And as I'm sure you're aware, security is often a trade-off with convenience. So Ubuntu takes the approach of being slightly more convenient for the average user at the cost of being less secure by default.
It's hard to make a guide because the main action to get security is removing or not adding things. And as you need stuff installed on your system, the security advice becomes specific to what you have installed and what your goals are.
Even your question of whether it's already secure by default is meaningless if you don't say what you are using the computer for and what kinds of threats you are protecting against.
I think people working at Red Hat are more competent at moving security forward on Linux than Ubuntu is. Ubuntu hardly innovates at all. Its target market seems to be desktop users (or server admins that are only familiar with the desktop version). Personally I wouldn't put Ubuntu (or any other distribution) on a server without an elaborate playbook to tailor it to my needs (on Ubuntu that playbook is always more complex, from my experience). This is where Ubuntu fails for me, because it makes some weird assumptions as to what I want in terms of security (which are absent in Debian). YMMV.
Although I think that a distribution's goal should be accessibility and configurability - in that regard all of them don't prioritize security features as much as I'd like to see (but knowing myself I probably would complain the second these features become too opinionated - which they most certainly would - which is why I think Debian does the right thing with not making opinionated assumptions).
Ubuntu, compared to a Debian standard install, is more bloated, interim releases are much buggier, and Ubuntu LTS is less stable than Debian stable. Ubuntu's root certificate store is constantly outdated (though the same issue might also exist on Debian). Their AppArmor configuration lags behind, ... whatever is good they usually inherit from Debian.
All distributions could do more to lock down processes with seccomp filters in systemd. It would be interesting to see what lynis⁰ discovers when comparing a fresh server install between Ubuntu and others. In over 20 years I have seen some real shit-shows in production with all distributions except Debian (again, YMMV).
Jason Donenfeld, the creator of Wireguard said about Ubuntu on the latest¹ SCW podcast:
> Ubuntu is always a horrible distribution to work with, ...
> Well, they [Ubuntu] sort of inherit from Debian, but they're like not super tuned in to what's going on and like not really on top of things. And so it was just always, it's still a pain to like make sure Ubuntu is working well. But I don't know, there's not too much interesting to say about the distro story, just open source politics as usual.
While somewhat anecdotal, I trust that Jason knows what he is talking about, having been on the Linux kernel security team for ages and being familiar with the quirks of various downstream vendors. His development cycle for WG is: implement -> decompile -> formal verification -> rinse/repeat :-/
All of Linux security is a shit show. This is why grsecurity is charging money for its service.
> Its target market seems to be desktop users (or server admins that are only familiar with the Desktop version)
Uhh, what? Isn't its largest target cloud/server distro deployment?
> Ubuntu's root certificate store is constantly outdated
Uhh, for me cacerts updates what, twice a year? Certainly it's a lot easier for me to keep it updated on Ubuntu than on RHEL/CentOS.
> Their apparmor configuration lags behind, ... whatever is good they usually inherit from Debian.
AppArmor and SELinux are objective failures for the most part. The entire point of snaps/Flatpaks is to hide away the nonsense configuration in favor of an actual permission model. I would say snaps are actually enabling AppArmor to be used and enforced, unlike the generic AppArmor profiles generated.
> Jason Donenfeld, the creator of Wireguard said about Ubuntu on the latest¹ SCW podcast:
What specific aspects is he referring to here? WireGuard has been baked into the kernel. I can understand packaging updates being a mess, and updating universe/LTS, but that is problematic for every Linux OS out there.
This is precisely why snaps were introduced. You now have an AppArmor/seccomp enforced permission model and an easy way for developers to directly push to multiple Ubuntu versions without having to worry about OS compatibility.
The premise for my reply was security, not market share.
Just because something is popular does not imply a good security posture. In fact most popular things are dumpster fires from an infosec perspective.
What I'm saying is: familiarity with Ubuntu desktop translates easily into "let's install this on a server".
All of AppSec in Linux is hard. SELinux/AppArmor/firejail/systemd hardening especially cost effort.
If you think snap/Flatpak are better, go for it; for me they are a major reason to stay away from Ubuntu in production. But I'm not the boss of you.
And yet there is utility in using Ubuntu because it's a shared platform that many tools are developed on. It is mostly Debian, but it is not exactly Debian. Since the latest Ubuntu LTS is the de facto Linux default, its shortcomings fall away for Swiss-army development.
De facto Linux for who? I've sold on prem apps to enterprises and startups for a while and the majority weren't Ubuntu. It was a mix of Amazon Linux, CentOS, RHEL and Ubuntu or Debian.
In containers I most often see Ubuntu-minimal or Alpine.
And while Ubuntu is represented in both those groups, it's not clearly de facto anything.
The only place I'd personally argue you really need to run Ubuntu (unless you really want to spend time hacking desktop configuration) is on a laptop.
But even then there are a large group of people who do run things other than Ubuntu like PopOS or Mint or Fedora or whatever other new distro there is.
Every time I see Ubuntu listed as the "de facto standard" or similar, I realize that I've never seen an Ubuntu server in production.
They're definitely a popular solution, and I'm not sure if I should be surprised I've never seen one, or if maybe it's region / industry specific.
RHEL? Yes. Lots of CentOS, most now looking at Rocky and Alma. A few Gentoo and Arch boxes at smaller businesses. Been logged into the odd BSD, AIX and HP-UX machine before.
Ubuntu? No... Never seem to stumble upon SUSE either, for what it's worth.
I used to be a SuSE fan until 2003, when I switched to consulting. I became a SuSE Gold partner peddling SuSE Enterprise / OpenXchange (SLES/SLOX), and they sent us out with pre-alpha grade quality to do digital transformation for companies with 5K+ employees.
Most of their tools were cardboard cut-outs with severe bugs and lacking functionality. I did this for 6 months, losing 3 key clients that were important for my survival, and almost went bust.
They lost the plot the moment they introduced yast2 (their only ever value proposition at the time compared to other distros was yast); everything went downhill from there.
I haven't seen a SuSE in the wild since that time. SAP / Salesforce seem like a good fit for them. They're equally dependent on consultants like me, whose job is to perpetually apologize to customers. I don't think SuSE has much of an impact outside Germany.
Ironically, Android is the Linux distribution with the most security knobs turned on (SELinux, seccomp, HWASan, FORTIFY_SOURCE, userspace drivers, ...) without being really Linux.