Re: Selecting OS for High-availability/mission-critical web portal

Dear all,

I am a new system administrator for a company planning to create a web portal
which provides email, IM, e-business, and search engine. Liferay is our
portal management tool.

I am searching for the best OS to be our platform. The required features are:

Attack resistance (I expect a lot of attacks, especially DoS).

Linux and OpenBSD are the main candidates for this mission.

*cut*.. (OpenBSD vs. Debian with SELinux pros/cons)

My thoughts are that:

*OpenBSD will become vulnerable as much as the running service on top of it.
Hence I will lose the legendary security it has.

To some extent. OpenBSD's code has REALLY been pored over. But Apache's and MySQL's have as well.. the "low hanging fruit" security problems have been gone from them for years. OpenBSD prevents stack smashing (those compiler changes). I think you can get a modified compiler for Debian that does too; either way, SELinux will detect attempts to execute code on the stack and crash out the offending program (so a buffer overflow will crash the offending app rather than giving the potential intruder unwanted access.)

*When I look at top 51 ( Linux
had 45% share. Which means that it is highly secure.
No it doesn't.. several years ago, something like 60 or 70% of hosting domains were on Win2K+IIS, but the security was crap. But, yeah, Linux is quite secure.

* With OpenBSD I am not going to spend time hardening it but rather trying to
get the services (MySQL, Apache, ...) running on top of it. While in Linux
installing the services is easy but I need to spend good time hardening the
OS itself.
I'd agree with that. OpenBSD will ship with everything FULLY locked down, and you (carefully, after realizing the security implications) open things up as you need them. Some Linux distros ship with daemons set up for maximum usefulness/flexibility, trading off (in theory at least) considerable security. I think Debian is somewhere in between the "open up everything" and "lock down everything" crowd, but really the difference between locked down and fully flexible is changing the configuration files.. so just make sure to look at them for daemons you are running.

Any hint/comment is welcome.
I'd suggest installing both, Debian w/ SELinux on 1 test box and OpenBSD on another. To initially test performance, I'd use some slow test boxes like P2s or lower P3s; a higher end system like you might actually want to use in production will be hard to time without lots of users slowing it down 8-). If I had to guess, I'd say the 7% SELinux penalty will make Debian w/ SELinux and OpenBSD roughly neck-and-neck.. but I'm not sure. If both perform OK I'd go w/ OpenBSD due to the security. Otherwise, Debian.. just carefully lock down Apache, MySQL, etc.. especially, if MySQL is set to accept network connections, either lock it down to a socket or to accept connections only from localhost.

Best regards,
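The lock-down the reply ends with (MySQL reachable only over a local socket or from localhost) is the kind of "look at the configuration files" check that can be scripted. The shell script below is an added example, not code from the thread or from any of the projects named in it; the my.cnf files it writes to temporary paths are constructed samples, and the directive names it looks for (skip-networking, bind-address, socket) are standard MySQL server options.

```shell
#!/bin/sh
# Added example: audit whether a MySQL config restricts network access.
# Sample config files are constructed here and written to temp files so the
# script runs offline (mktemp is assumed to be available).

WEAK_CNF=$(mktemp)
cat > "$WEAK_CNF" <<'EOF'
[mysqld]
user = mysql
bind-address = 0.0.0.0   # listens on every interface
port = 3306
EOF

LOOPBACK_CNF=$(mktemp)
cat > "$LOOPBACK_CNF" <<'EOF'
[mysqld]
user = mysql
bind-address = 0.0.0.0
bind-address = 127.0.0.1 ; last occurrence wins, as in mysqld
EOF

SOCKET_ONLY_CNF=$(mktemp)
cat > "$SOCKET_ONLY_CNF" <<'EOF'
[client]
socket = /var/run/mysqld/mysqld.sock
[mysqld]
skip-networking
socket = /var/run/mysqld/mysqld.sock
EOF

# Print the [mysqld] section of a config with comments and whitespace removed,
# one "key=value" (or bare key) per line. Other sections are ignored.
mysqld_section() {
    awk '
        /^[[:space:]]*\[/ { in_sec = ($0 ~ /^[[:space:]]*\[mysqld\]/); next }
        in_sec { sub(/[#;].*/, ""); gsub(/[[:space:]]/, ""); if ($0 != "") print }
    ' "$1"
}

# Return 0 if the [mysqld] section either disables TCP entirely
# (skip-networking) or binds only to a loopback address; 1 otherwise.
mysql_net_is_locked_down() {
    section=$(mysqld_section "$1")
    if printf '%s\n' "$section" | grep -Eq '^skip-networking(=(1|ON|on))?$'; then
        return 0
    fi
    # mysqld honours the last bind-address given; default is all interfaces
    bind=$(printf '%s\n' "$section" | grep '^bind-address=' | tail -n 1 | cut -d= -f2)
    case "$bind" in
        127.0.0.1|::1|localhost) return 0 ;;
        *) return 1 ;;
    esac
}

# Human-readable report for one file; exit status mirrors the check.
report_mysql_cnf() {
    if mysql_net_is_locked_down "$1"; then
        echo "OK:   $1 (MySQL not reachable from the network)"
        return 0
    fi
    echo "WEAK: $1 (set skip-networking or bind-address=127.0.0.1)"
    return 1
}

# Stand-alone run over the three constructed configs.
for f in "$WEAK_CNF" "$LOOPBACK_CNF" "$SOCKET_ONLY_CNF"; do
    report_mysql_cnf "$f" || true
done
```

On a real box the same function can be pointed at /etc/mysql/my.cnf (path varies by distro), and the result should be cross-checked against what is actually listening (for example the output of netstat or ss), since a directive in the wrong section or a second config file read later can silently override what the audited file says.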
