No matter which OS you are using always ...
- ... update regularly
- ... configure a separate ssh user
- ... configure a simple firewall (ufw)
- ... turn off root access
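The four points above as an added example script for a fresh Debian/Ubuntu host (this is not code from the original post). The ssh user name `deploy` and the web ports 80/443 are assumptions; the sshd_config rewrite and check are pure file functions so they can be tried offline, while `apply_hardening` only runs when the script is invoked with the argument `apply` as root.

```shell
#!/usr/bin/env sh
# Added example: checklist hardening for a Debian-based webserver.
set -eu

DEPLOY_USER="${DEPLOY_USER:-deploy}"   # hypothetical non-root ssh user

# Rewrite an sshd_config so root login is disabled and only DEPLOY_USER may log in.
# $1 = input config, $2 = output path. Our directives go first so they stay
# global and never end up inside a trailing "Match" block.
harden_sshd_config() {
    in="$1"; out="$2"
    printf 'PermitRootLogin no\nAllowUsers %s\n' "$DEPLOY_USER" > "$out"
    # Drop existing (also commented-out) copies of the directives we just set;
    # grep -v exits 1 when every line was filtered, which is not an error here.
    grep -Ev '^[[:space:]]*#?[[:space:]]*(PermitRootLogin|AllowUsers)[[:space:]]' "$in" >> "$out" || true
}

# Return 0 when the config forbids root login and whitelists DEPLOY_USER, else 1.
check_sshd_config() {
    grep -Eq '^PermitRootLogin[[:space:]]+no$' "$1" &&
    grep -Eq "^AllowUsers[[:space:]]+(.*[[:space:]])?${DEPLOY_USER}([[:space:]]|$)" "$1"
}

# Apply everything on the real host. Needs root; only called with "apply".
apply_hardening() {
    apt-get update && apt-get -y upgrade                          # update regularly
    id "$DEPLOY_USER" >/dev/null 2>&1 || adduser --disabled-password --gecos '' "$DEPLOY_USER"
    usermod -aG sudo "$DEPLOY_USER"                               # separate ssh user, sudo instead of root
    ufw default deny incoming
    ufw default allow outgoing
    ufw allow OpenSSH                                             # allow ssh BEFORE enabling the firewall
    ufw allow 80/tcp
    ufw allow 443/tcp
    ufw --force enable                                            # simple firewall
    harden_sshd_config /etc/ssh/sshd_config /etc/ssh/sshd_config.new
    sshd -t -f /etc/ssh/sshd_config.new                           # syntax check before replacing
    mv /etc/ssh/sshd_config.new /etc/ssh/sshd_config
    systemctl reload ssh                                          # root access off
}

if [ "${1:-}" = apply ]; then
    apply_hardening
fi
```

Keep a second ssh session open while reloading sshd, so a mistake in AllowUsers cannot lock you out.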
Most of the Linux distributions which use the Debian package management system are published in release cycles. The cycles guarantee that during a certain period no new (testing or unstable) major versions of software are distributed through their package mirrors. Testing and unstable branches are offered, but since we are going to need a rock solid base you are always well advised to stay on the LTS version.
Here is the big difference between Ubuntu and Debian derivatives. Both distributions offer fast security fixes for their LTS versions, but Debian uses older packages and therefore the security leaks are mostly fixed already. If you don't need newer software versions of Apache or PHP you will have more fun with Debian than with Ubuntu.
If you ask why, the answer is short. It is sometimes annoying to update Ubuntu twice a day because they need to fix another package in the core system; therefore people (not only me) say that Debian is more stable.
For those of you who love the hardened kernel and the best tested security in the Linux userland there won't be a way around RedHat based distributions like CentOS. The configuration can be tricky sometimes, because 99% of the HowTos written for RedHat work on CentOS but not all of them work the other way around.
If you need HA proxies, intrusion detection or load balancing you are going to need to think about using CentOS or RHEL. There is a reason why I've never seen any provider offering Fedora as a VPS image. Fedora is the so called bleeding edge of RHEL: stable, but far away from being secure.
Some service providers offer BSD as the operating system, and let's keep this article short: best choice for a hardened system, and an installation pain. The number of attack vectors you can fire with success goes to z3r0, but installation and configuration of BSD is often just a pain in the a...
It is needless to say that distributions like Gentoo or ArchLinux have nothing to do on a public webserver. I know only 3 reasons why I would use Gentoo or ArchLinux as the base of a webserver.
- bleeding edge testing
- why not? - case study
A webdesigner or webshop hoster would never install Gentoo on a production setup. Once I used Gentoo as SMB server and mail server. It was very easy to patch cyrus-imap with the so called autocreate patch. And so I thought: oh, the core packages are already compiled with my "crazy" hardware optimized C and CPP flags, why not use them for an SMB server.
The result was an incredibly fast, light and optimized system. After 2 years I left the student community as admin, and they have been running these servers for 4 years without an update. An excellent case of "INFORMATION and COMPETENCE LOSS".