which is the best and secure Linux OS

Dears,

Good Day,

I'm new to Linux. Could you please guide me on which is the best and secure Linux OS (Freeware)?

Thanks
Asked by: Ram Kumar Chellam (Sr. System Administrator)

David Favor (Linux/LXD/WordPress/Hosting Savant) commented:
All are fairly secure + here's my rule.

I always run Ubuntu LTS (5 years updates), because Ubuntu uses Debian packages + tends to be easier to use.

CentOS/RedHat/Fedora have very old Kernels currently 3.10.x (super old) whereas Ubuntu Bionic (LTS) uses Kernel 4.15 which is faster, networking has been almost completely retooled to fix many old 2.6.x + 3.x.x Kernel slowdown problems.

Security starts with the Kernel you're running. The more recent is usually better. Also you must use a Distro which is shipping Kernel fixes.

I use Ubuntu LTS, because they ship 5 years of bug + security fixes for their Kernels.

Security continues with your internal policies.

For example, I install all Kernel + Software Package updates daily, to ensure any zero days + backdoors are immediately closed.

My suggestion, based on your questions, book phone calls with a variety of people who've been working with Linux for a decade or two. Ask them how they keep their machines secure.

Possibly even hire someone to do your admin who maintains machines, all day, every day.

Long experience is the best way to understand how to maintain security of machines + also sites.

Tip: I also run LXD on all my machines. Each site or project (collection of sites) gets its own container. This way if some site has hackable software installed (usually a premium WordPress theme or plugin) + the site is hacked, all hacks are compartmentalized to one LXD container.

Tip: You will never be smarter than all the hackers in the world, so another important item on your security checklist is to organize all your sites, so if they're hacked, sites are blocked from attacking other sites, which is usually what occurs with hacks.

John (Business Consultant, Owner) commented:
I have an Ubuntu 16 LTS virtual machine and it works well and is reasonable to use. So I also recommend Ubuntu. I have this running on a Windows 10 host and both machines have been secured.
David Favor (Linux/LXD/WordPress/Hosting Savant) commented:
At this point, if I had to run Windows.

I'd run Ubuntu at the Machine level + then LXD + then VirtualBox in an LXD container to run Windows.

Keep in mind LXD + VirtualBox can be used to completely partition off other types of OS installs, to run inside your Linux machines.

madunix (IT Specialist) commented:
For each OS, I would start with device hardening and secure configuration practices. Examples of hardening techniques:
• Deactivate unnecessary components on the main servers.
• Disable unused user accounts on the main servers.
• Implement patch management.
• Restrict server access.
• Restrict shell commands per user or server for least privilege purposes.
btan (Exec Consultant) commented:
Actually the best secure OS is a balance between being most secure, less "user friendly" or being most usable, less secure. Agree with madunix on the need for hardening regardless of which OS you are looking at - you need to understand what the user requirement is and set a security baseline that works.

There are already some ready secure OSes (below are some examples) that have different security objectives, but ultimately you have full control over how you make it as secure as possible (though it is developed to support the principle of Secure by Default):

a) Qubes OS - It focuses on desktop security by adopting security by compartmentalization. Mainly it isolates and virtualizes various VMs separately. Each VM is considered a "compartment". It puts all of your application windows on the same desktop with special colored borders indicating the trust levels of their respective VMs. It also allows for things like secure copy/paste operations between VMs, securely copying and transferring files between VMs, and secure networking between VMs and the Internet. With programs and personal files isolated in this way, malware would not access them so easily even if the OS is penetrated.

b) Tails - It’s a live CD and a pre-installed OS with the Tor browser bundle using the onion circuit. This is a privacy "conscious" OS. It doesn’t use any space of hard disk rather it only uses the required space in your RAM, but it will be erased automatically when you shut down your system. It can be used as a live DVD or live USB.

c) CoreOS Container OS - It uses SELinux, which is a fine-grained access control mechanism integrated into its Container Linux. Each container runs in its own independent SELinux context, increasing isolation between containers and providing another layer of protection should a container be compromised. But note that it currently does not enforce SELinux protections by default. This is to allow deployers to verify container operation before enabling SELinux enforcement. Also Container Linux has a very slim network profile and the only service that listens by default on Container Linux is sshd on port 22 on all interfaces.

Just to share, these OSes will also need to be constantly patched to make sure risk exposure is minimised.
Prabhin MP (Engineer-TechOPS) commented:
I suggest you go with Ubuntu 18 LTS or the latest Fedora version.

Ubuntu 18 is one of the best OSes for desktops, which supports various applications.
madunix (IT Specialist) commented:
I would add some links as references:
https://www.cisecurity.org/resources/benchmark/
https://www.peerlyst.com/posts/how-to-implement-linux-security-checklist-nasrumminallah-zeeshan
https://www.researchgate.net/publication/320832324_In-Depth_Modeling_of_the_UNIX_Operating_System_for_Architectural_Cyber_Security_Analysis
https://www.cisecurity.org/cis-benchmarks/
https://medium.com/viithiisys/10-steps-to-secure-linux-server-for-production-environment-a135109a57c5

Hardening is most useful as a preventative measure when designing system security. Keeping systems patched and up-to-date is an essential security practice.
    • Linux Firewall
    • Linux services, daemons, and other key attack surface components
    • Patching
    • File system permissions
    • Secure Shell (ssh)
    • Network configuration
    • Kernel configuration
    • Passwords and accounts
    • Sudo
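
A read-only audit sketch for three areas named in the hardening lists in this thread (unused accounts, passwords and accounts, Secure Shell), added here as an example and not part of any poster's comment. The file contents are constructed sample data and the function names are hypothetical; on a real host the same functions would be pointed at copies of `/etc/passwd`, `/etc/shadow` and `sshd_config`, and `sshd -T` remains the authoritative view of the effective SSH settings.

```shell
#!/bin/sh
# Added example. All file contents below are constructed sample data.
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
olduser:x:1001:1001:Former staff:/home/olduser:/bin/bash
toor:x:0:0:legacy:/root:/bin/sh
EOF
cat > "$SAMPLE/shadow" <<'EOF'
root:!:17800:0:99999:7:::
alice:$6$constructed$hash:17800:0:99999:7:::
olduser::17000:0:99999:7:::
toor:*:17000:0:99999:7:::
EOF
cat > "$SAMPLE/sshd_config" <<'EOF'
# constructed sample
Port 22
permitrootlogin yes
PermitRootLogin no
#PasswordAuthentication no
EOF

# Accounts whose shell allows interactive login (review these; disable unused ones).
login_accounts() { awk -F: '$7 !~ /\/(nologin|false)$/ {print $1}' "$1"; }
# Accounts other than root that carry UID 0.
extra_uid0() { awk -F: '$3 == 0 && $1 != "root" {print $1}' "$1"; }
# Accounts with an empty password field in a shadow-format file.
empty_passwords() { awk -F: '$2 == "" {print $1}' "$1"; }
# sshd keywords are case-insensitive and the first value set wins.
sshd_value() { awk -v k="$2" 'tolower($1) == tolower(k) {print tolower($2); exit}' "$1"; }

report() {  # $1 = directory holding passwd, shadow and sshd_config copies
    echo "login-capable:  $(login_accounts "$1/passwd" | tr '\n' ' ')"
    echo "extra UID 0:    $(extra_uid0 "$1/passwd" | tr '\n' ' ')"
    echo "empty password: $(empty_passwords "$1/shadow" | tr '\n' ' ')"
    echo "PermitRootLogin: $(sshd_value "$1/sshd_config" PermitRootLogin)"
    # PasswordAuthentication defaults to yes when the file does not set it.
    pa=$(sshd_value "$1/sshd_config" PasswordAuthentication)
    echo "PasswordAuthentication: ${pa:-yes (default)}"
}
report "$SAMPLE"
```

In the sample, the later `PermitRootLogin no` line has no effect because the earlier lowercase line already set the value, which is the kind of finding a quick visual scan of the file misses.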
David Favor (Linux/LXD/WordPress/Hosting Savant) commented:
Scanning responses to this question...

Likely best you describe your endpoint usage for your Linux install.

Each specific usage of your Linux install may suggest different starting points for selection.

For example, I host 1000s of project sites, so my... bias... is keeping 1000s of sites running every day... with no hacks... while maintaining some semblance of a normal life...

Each usage will suggest a bias or set of filtering for best selection.
noci (Software Engineer) commented:
If looking for a secure OS (Unix-like), OpenBSD is the best choice... Security by design from the ground up.
If you need Linux see above.
madunix (IT Specialist) commented:
I agree with noci: OpenBSD, by default, is the most secure. I believe most secure OS if properly configured and administered. It should have layers of security right down to the object level. Check out CVE. It is useful for identifying weaknesses in your system. Stay current on discovered vulnerabilities by consulting the CVE database.
https://www.cvedetails.com/top-50-products.php?year
https://www.csoonline.com/article/3250653/open-source-tools/is-the-bsd-os-dying-some-security-researchers-think-so.html
https://en.wikipedia.org/wiki/Security-focused_operating_system
serialband commented:
That's like asking which Windows 10 (home or Pro) is most secure.  Linux is linux.  Whether or not it's secure depends on what software is installed and what it's being used for.  It also depends on what firewalls are set and what else is on the network.  It depends on whether a user is actually computer literate as well.  You can get hacked on Linux.  It's only as secure as the person managing it can make it.
noci (Software Engineer) commented:
@MadUnix:
There are more secure OS's, OpenVMS being one of them. But those OS's are not Unix-like.
(OpenVMS was the first POSIX certified OS though. But filename schemas are different, which may complicate things.)
OSF/1 is a secure Unix-like OS but is not available anymore.

@SerialBand: In many cases people know Linux, but much software is available on other Unix or Unix-like systems.
If you need a secure Apache server, OpenBSD may very well be a better choice than any Linux system. Anyway, if one looks for a secure Linux system and puts the system on someone's office desk, all bets are off. First and foremost, access to the system (the physical hardware it runs on) must be controlled. Then one can build upon that foundation to start a secure system.
Besides that, security also depends on the purpose & software used on it.
Running OpenBSD and only providing FTP and TELNET as a service is not providing a secure environment. Any (PC,MS,*)-DOS system is good enough for that.
madunix (IT Specialist) commented:
>>There are more secure OS's, OpenVMS being one of them. But those OS's are not Unix Like<< ...Agree, I was referring to Unix-Like.
serialband commented:
@noci
I basically said that in more generic terms for the non-tech.

BSD and System V (5) are just flavors of Unix which Linux is also based on.  I categorize them in the same family as Linux (or what the general populace, not tech, considers to be Linux), since this question is about Linux.

Linux followed the System V direction.  That difference is very much the same as the difference between Debian based vs Redhat based distros.  Underneath, they're both Unix based and while many BSDs or Linux are not fully POSIX compliant, they all contain numerous POSIX compliant tools and have many of the same basic underlying tools and commands.

OpenBSD is not more secure. It still uses the same basic tools that have the same basic bugs that come from the same basic source code. There may be parts of the OS or kernel that are inherently more secure in the past, but BSD has a smaller following and Linux has many more devs working on it to plug security holes. I don't see BSD as more secure these days. If you don't install anything, then maybe, but you're going to install tools, whether it's apache, openssh, etc... They do interchange tools and those tools have the same general base code. (e.g. SSH started on BSD first, but is widely used on all unix based systems now.) You've built the walls out of concrete instead of wood, but you use the same flimsy entrance lock and door.

In terms of security, Microsoft's Windows OS is inherently more secure than Linux now, but far more non-technical people use it, hence the targeting by hackers and higher numbers of hacked systems.  It's not because Linux is more secure.  Linux is targeted differently.  The multitudes of command and control centers are generally running on linux, while the bots are on Windows.  The botnets require both to work correctly.

Looking for the best or most secure linux is like picking the best apple variety: braeburn, crispin, empire, fuji, haas, red delicious, etc... Which flavor do you prefer? Every variety of apple gets bugs, unless you spray pesticides. Pick the one that's more appealing to your own tastes. Debian based Ubuntu is the most popular distro for users and has the largest help forums. You'll be able to find help more easily to do what you need to secure the system. If you have a specific need for work, then you should pick the distro that you'll be needing to support or work on. They can all be secured the same basic way.
Ram Kumar Chellam (Sr. System Administrator, Author) commented:
Thx