For years I have used this method and recommended it, and I have also helped many in building and configuring such a system for their servers.
But not with Linux, I used Windows Hyper-V as the OS (https://www.microsoft.com/en-us/eval...-v-server-2019) and it is free, it doesn't have a shell or user interface yet it has very powerful performance with all the crap removed, you have the firewall and administrative tools, also the remote desktop services, group policy and on top of that the Hyper-V Manager:
1) The host is prevented and configured to not do any updates, ... for real, think about it, what could an update (automatic or manual) benefit such a host? Except of course a big f*** up from MS, or opening a door to a breach.
2) The host is blocked from accessing the Internet! No incoming or outgoing connection, except for one incoming port on TCP for the RDP, and even this is configured to accept only a few IPs and maybe a specific range. Here it is preferable to remember to add all your servers' IPs to the allowed list between each other, hence even if you lose your local connection you can still do it from a low importance server, one that allows any IP to access its RDP. Even the time is prevented from automatic update. One thing though, in some cases there is some software needed to monitor or use some of this server's power, then great, build one application and allow its port for incoming connections, and if needed allow all its outgoing. I built many of these with RealThinClient, some to allow uploading files or even downloading the guests and acting as secured SFTP/FTPS/WebDAV built with Delphi. Attacking such an application will make the worst case scenario a DoS, but impossible to breach, and I faced many of these and never saw a real DoS, either my simple IP filter for failed authentication kicked in, or OVH DDoS protection stopped these IPs, and the OVH web portal reports these incidents.
3) I love OVH and their servers, though I don't have experience with (ANY) now, though I had used and rented many in the past from the UK and US, and they all sucked. OVH can protect from DDoS and provides IPMI out of the box with every instance, and with IPMI setting the BIOS and configuring things like RAID, and disabling network booting, is a very nice feature to have. These devices are monsters and it is a shame to see them take 2 minutes to boot, but with a few tweaks from the BIOS it is less than 20 seconds for such a Hyper-V OS.
So if I may suggest, test the Hyper-V approach before switching to Linux and complicating things. The idea that Linux is more secure is relative, it is all about best practice. In other words, my cup of coffee on my desk is secure and unhackable, simply impossible; once it has an MP3 player and telemetry to report to its manufacturer and keeps checking for an update every hour, inevitably someone will hack it and ruin my day without a cup of coffee. So no wired or wireless connection of any sort for my cup, and the same goes for servers.
And about this point "same goes for servers", let's think about this for a second. If the system is prevented from remote access, not talking about RDP (and not TS services here), then the system is secure; any weak point will come from the installed and running software, so even if IIS needs an update then only update it, and the same goes for PHP, Apache... (on a side note, PHP on IIS is way more secure than direct/indirect PHP on Linux because it is sandboxed). Other than that it is your own software running there, so why do I need to update the OS? This is my way of thinking and doing, even on my Windows 10: I don't want to upload or download anything, I keep my browsers updated and beyond that I check the tools I am using, and almost none use the Internet in a way that allows remote attack. Keep your downloads monitored and don't click on anything you don't know, and that is it.
I don't expect MS to push an update that makes my PC run faster by anything close to 1%, yet they could push one hot mess or allow some ransomware to run and ruin my day/week/month...
In 2017 you might recall there was the WannaCry ransomware, it spread like fire, it exploited the SMB protocol and executed a remote attack to install itself. The thing about SMB and its functionality is these ports 445, 139, 138, and 137, that they are open on your device right now, and the exploit in 2017 was almost identical to an exploit assumed fixed in Windows XP in 2004 (can't recall now). Yet if you search the internet now for "windows smb vulnerability" you will be shocked by the history of these exploits' existence, these are just examples:
https://www.csoonline.com/article/55...-affected.html
https://blog.barracuda.com/2022/05/1...ol-eternalblue
And this one from June 2024, one month ago:
https://blog.netwrix.com/smbv3-vulnerability
PS: for every case there is a solution, let's say you are forced to or must be a domain member, or AD is needed, then use a VPN, and don't mistake VPN for Internet access. I have my Android mobile using its WiFi or its 4G, while I have WireGuard installed and working to provide a protected network with my PC and router on a specific network 10.10.XX.XX, accessing each other in a protected way while the connection to the internet is not touched, even though that VPN is tunneled over the Internet.
PS2: Many of my specific tools that are built for controlling and securing such servers do listen on a port, and authenticate the connection by password or do not, it is up to the client and his preferences. Some love the idea of a custom client app: with one click the remote part will execute scripts remotely, such as allowing the RDP port to be accessed, and it will monitor the user's connection; once the user disconnects or logs out it will wait for 30 seconds and block the port again. All are configurable by simple scripts, like after a click the RDP port will be open for 5 minutes, then the firewall will block it. I recall one client wanted SSH that was able to do this, so I twisted and refactored that application to do it, with minimum tweaks, as RTC works exclusively on sockets directly and does support raw input.
Forgot to mention, in case you are building such an application, make it a Windows Service, not a standalone application, so it runs without a user logging in and on every restart.
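As an added example (not the poster's own RealThinClient tools, and not code from the original post), the host posture described in points 1 and 2 plus the "open RDP for 5 minutes, then block it again" behaviour from PS2 can be expressed with the built-in Windows NetSecurity cmdlets. The IP addresses are RFC 5737 documentation ranges used as placeholders, and the rule name and function names are assumptions of this example.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on the Hyper-V host (NetSecurity module ships with Windows).
# Addresses below are RFC 5737 documentation ranges used as placeholders:
# replace them with your admin IP and the IPs of your other servers.
$AllowedRdpSources = @('203.0.113.10', '198.51.100.0/24')
$RdpRuleName       = 'Hardened-RDP-Allowlist'   # assumed rule name for this example

function Set-LockedDownHost {
    # Point 1: no automatic updates and no automatic time sync on the host.
    foreach ($svc in 'wuauserv', 'W32Time') {
        Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $svc -StartupType Disabled
    }

    # Point 2: default-deny in both directions on every firewall profile.
    # The Windows Firewall is stateful, so replies to the allowed inbound RDP
    # session still flow; only new connections are blocked.
    Set-NetFirewallProfile -Name Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Block

    # Disable the stock "Remote Desktop" rule group (it allows RDP from any
    # address) so that only the allow-list rule below applies.
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue

    # Exactly one inbound TCP port, restricted to the allow-listed sources.
    $existing = Get-NetFirewallRule -DisplayName $RdpRuleName -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-NetFirewallRule -DisplayName $RdpRuleName -Direction Inbound -Protocol TCP `
            -LocalPort 3389 -RemoteAddress $AllowedRdpSources -Action Allow -Profile Any | Out-Null
    } else {
        # Re-apply the allow-list if the rule is already there (idempotent re-run).
        Set-NetFirewallRule -DisplayName $RdpRuleName -RemoteAddress $AllowedRdpSources
    }
}

function Grant-TimedRdpAccess {
    # PS2 behaviour: enable the RDP allow rule, then have a background job
    # disable it again after the timeout. A job dies with the session; the
    # durable version of this is a Windows Service, as the post recommends.
    param([int]$Minutes = 5)
    Enable-NetFirewallRule -DisplayName $RdpRuleName
    Start-Job -ScriptBlock {
        param($Name, $Seconds)
        Start-Sleep -Seconds $Seconds
        Disable-NetFirewallRule -DisplayName $Name
    } -ArgumentList $RdpRuleName, ($Minutes * 60) | Out-Null
}

function Get-InboundAllowRules {
    # Audit helper: list every enabled rule that still accepts inbound
    # connections, so you can confirm nothing but the allow-list rule is open.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Select-Object DisplayName, Profile
}

Set-LockedDownHost
Grant-TimedRdpAccess -Minutes 5
Get-InboundAllowRules
```

Apply this the first time from the IPMI/KVM console rather than over RDP: a typo in the allow-list locks you out of the host, which is exactly why the post suggests adding all of your servers' IPs to each other's allow-lists before relying on it.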