More Debian vs Ubuntu stuff

Last week I explained a bit why I’m considering jumping from Debian to Ubuntu to get our managed hosting a bit more up-to-date by default, instead of relying on ten third-party repos.

This week I’d like to go into more detail about our managed hosting tooling: what we’re using on Debian, what we might change when running on Ubuntu, and generally paint a more complete picture.

And: do we even need third-party repos when using Ubuntu?

Let me start off by emphasising that this repo stuff really is more than just a nuisance. Although Debian has treated us well over the past year, a couple of third-party repos caused us some serious problems, and that is what I want to avoid.

Below are the most important elements of our Debian managed hosting and how they might change in an Ubuntu setup.

Debian

LEMP stack

CSF firewall

LFD brute force detection

AppArmor access control

Sysctl kernel hardening

Modern SSHD hardening

OSSEC intrusion detection

Rootkit hunter anti-malware

Icinga monitoring

Lynis hardening

Rsnapshot backups

Atop resource history

Sysstat resource history

Unattended upgrades

Ubuntu

LEMP stack

UFW firewall

OSSEC active response

AppArmor access control

Sysctl kernel hardening

Modern SSHD hardening

OSSEC intrusion detection

OSSEC + ClamAV for anti-malware

Icinga monitoring

Lynis hardening

Borg backups

Atop resource history

Sysstat resource history

Unattended upgrades

This is a pretty complete list of what we’re running to keep our servers healthy, and as with the Debian vs Ubuntu debacle, we’ve looked at all of them. In an Ubuntu situation, almost all of the above would be my first choice.

No need to discuss the tooling that stayed the same, so let’s focus on the differences.

The CSF / LFD firewall and brute-force detection will be dropped for sure. The community support is awful and it can’t even be installed from a repository. UFW will fill the firewall gap, and OSSEC can hopefully take care of brute-force detection and prevention.
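To make the "detect, then block" pattern that LFD currently handles concrete, here is a small added example (not part of the original post, and not the author’s tooling): a POSIX shell snippet that counts failed SSH password attempts per source address in OpenSSH’s default log format and turns the offenders into UFW deny rules. In the setup described above this job would belong to OSSEC’s active response, which is configured in ossec.conf rather than scripted like this; the script only illustrates the logic. The log lines, the threshold of three attempts and the 203.0.113.x / 198.51.100.x addresses are constructed (documentation ranges), and the script prints the ufw commands instead of running them so it can be reviewed before use.

```shell
#!/bin/sh
# Constructed sample sshd log lines (documentation-range IPs, not real hosts).
SAMPLE_AUTH_LOG='Jan 10 10:00:01 web1 sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 10:00:03 web1 sshd[1235]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan 10 10:00:05 web1 sshd[1236]: Failed password for root from 203.0.113.5 port 51250 ssh2
Jan 10 10:00:07 web1 sshd[1237]: Failed password for deploy from 198.51.100.7 port 40000 ssh2
Jan 10 10:00:09 web1 sshd[1238]: Accepted publickey for deploy from 198.51.100.7 port 40001 ssh2'

# brute_force_sources THRESHOLD
# Reads sshd log text on stdin and prints, one per line and sorted, every
# source IP with at least THRESHOLD "Failed password" entries. Successful
# logins ("Accepted ...") are ignored, so a legitimate user with one typo
# does not show up.
brute_force_sources() {
  threshold="$1"
  grep 'sshd\[[0-9]*\]: Failed password' |
    sed -n 's/.* from \([0-9.]*\) port .*/\1/p' |   # keep only the source IP
    sort | uniq -c |                                 # "<count> <ip>" per address
    awk -v t="$threshold" '$1 >= t { print $2 }' |   # apply the threshold
    sort
}

# ufw_deny_commands
# Reads IPs on stdin and prints the matching UFW rule for each. The rule is
# inserted at position 1 so it takes precedence over existing allow rules.
# Output is printed, not executed; pipe it into sh once reviewed.
ufw_deny_commands() {
  while read -r ip; do
    [ -n "$ip" ] && printf 'ufw insert 1 deny from %s to any\n' "$ip"
  done
}

# Stand-alone usage: show which addresses the constructed log would block.
printf '%s\n' "$SAMPLE_AUTH_LOG" | brute_force_sources 3 | ufw_deny_commands
```

Run against a real log with `brute_force_sources 5 < /var/log/auth.log`; the single connection from 198.51.100.7 in the sample falls below the threshold, so only 203.0.113.5 is proposed for blocking.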

Kernel hardening via sysctl will stay, but I’ll have to update and fine-tune it some more, because the last time I did so properly must have been a year ago already.

Rootkit Hunter will be replaced by OSSEC’s built-in rootkit detection, and I’m looking for software to run a daily anti-malware scan in addition to the OSSEC detection (ClamAV?). Rootkit Hunter is not so well maintained anymore.

I’m thinking of replacing rsnapshot backups with Borg backups, but I still have to do some more reading about it. Rsnapshot works, but might get a bit cumbersome as more and more backups are added. It’s also very rarely updated.

In this setup we will need one third-party repo, and that is for OSSEC. In any case it will be a huge improvement over Debian with all its other repos.

I will surely follow up with my experiences on one or more of these subjects.
