this post was submitted on 30 Aug 2024
24 points (90.0% liked)

Selfhosted

40399 readers
767 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

Does anyone know of a hosting service that offers Silverblue as a possible choice for OS?

It seems to me that for a server running only docker services the greatly reduced attack surface of an immutable distro presents a definitive advantage.

you are viewing a single comment's thread
view the rest of the comments
[–] aordogvan 1 points 2 months ago* (last edited 2 months ago) (1 children)

While what you're saying is theoretically true, don't forget that as far as I know, most attacks are perpetrated by bots. And while it is true that in a fedora based version one could run ostree admin unlock etc... this particular command would need to be included in the attack script.

Now if the script has to be modified to include all possible different immutable systems that could possibly run it would increase the complexity and most importantly the size of said script making it easier to detect.

I'm not saying that its a bulletproof method, I'm just saying that by itself it greatly minimizes the risk, at least until all servers run immutable systems. And even then it still complicates matters for potential attackers quite a bit. So therefore reducing or at least greatly minimizing the potential of the system being compromised.

[–] [email protected] 1 points 2 months ago

Because even if an attacker could gain access even as root he cannot modify system files.

Your comment was already from the position of if an attacker could gain root access. My responses were to that directly, and nothing else.