[Dshield] Flavors of Linux
jayjwa at atr2.ath.cx
Sat Oct 2 08:00:04 GMT 2004
On Thu, 30 Sep 2004, Roman Fomichev wrote:
+ First of all you have to realize Linux is not safer than Windows.
As someone who has run both Windows and Linux as servers on the open
Internet, I can say you are in for a much rougher ride to secure a Windows
machine. "Linux is not safer than Windows" is a very broad statement; so I
will have to answer it with a broad reply: Linux inherits from Unix, which
was designed from the ground up to be a multi-user, multi-tasking
server-oriented, secure OS. Windows (only recently) has gotten some of
these features by way of add-ons, but for the most part, it's still MS-DOS
with a nice gui over it. At least that's the impression I get from it.
Whenever I have to do anything on a Windows XP machine, I always find
myself first having to download a bunch of small utilities to make up for
the things that are missing in Windows, that are generally system
standards in Linux. Little things, like 'cut', 'awk', 'grep', 'sort' &
Can both OS's be made secure? Yes. Could they be made equally insecure? Of
course, but I tend to side with the belief that Linux is more 'oriented'
towards being a stable, secure OS.
+ In general it is rather easy to get root privileges in linux once you have
+ bash access to system.
Then you have not configured your system correctly! While of course it is
*easier*, it is not *easy*. Linux is used for shell servers in many
instances where the users aren't necessarily trusted. I have seen many of
those 'net communities' (the ones where you can get a shell on a box for
free, or next to free, but have only restricted access, such as some email
and web privileges) that run with hundreds, if not more, shells. They
aren't getting eaten alive on a daily basis. Currently, I have several
users who I've not met personally, who I couldn't tell you what they
looked like in person, who have shell access to my system. I'm completely
confident they aren't running around as root. I suppose they could open a
backdoor or two, but I trust them that far not to do so, and even this I
could guard against, if need be. The important thing is that the option
exists for me to do so, if or when it is ever needed.
Files and directories have owners, groups, and permissions. There's such
fine-grain control as searching directories, reading, writing, and
executing for each of the three classes: owner, group, and everyone else.
Beyond this, there are additional features, such as setting uid, guid,
and immutable flags. Last time I checked, Windows had little more than +a,
+h, +s with 'attrib', from the days of DOS, and those aren't security
properties at all. I've seen very few Windows systems run with other than
Administrator access. Most users aren't even aware that multiple logins and
users are possible. Even so, even this doesn't fully protect all the files
it should. The FS is just one example.
+ You can configure iptables very easy to protect your box from internet. But if
+ you want to give every one shell to your box it will be very hard to make
+ really secure box.
Who does this? This is the same as saying you'd give everyone your
'Administrator' password and then say Windows wasn't secure. Most times
shell access isn't needed to a system. Possibly another less permissive
form of access will suffice; it depends on the situation.
IPtables allows for some really complex firewall rules, allowing the admin
total control over what goes in, out, and to/from masquerading hosts. It
can match packets based on address-type, source, destination, unreachable,
prohibited, the packet 'childlevel' (part of a master connection),
transfer rate, conditions of a specific /proc filename, connection
tracking (conntrack) state (invalid, established, new, related, snat,
dnat), remaining lifetime in seconds, fields in IP headers, number of
packets in a burst, if ECN is set/not set, mac source, a special set of
ports (with mport), every nth packet, uid owner, gid owner, and the list
goes on and on. Windows has things like Zonealarm (which once locked me
out of my own system, requiring a new install), Kerio (which I've not
used), and the "Windows" firewall (which I'd be afraid to use ;P ).
+ What for distributions, RedHat and Mandrake are not a good choice. They always
+ install many useless stuff and I found it hard to manage all the rpms to be up
+ to date.
This notion extends from years back, on a more friendly 'Net, when
installing things like fingerd and rsh were commonplace. Modern versions
of the above OS's are not like that anymore (if they ever were, which is
still a matter of personal choice as to what is "unneeded" or not).
I have the RPM package manager, as well as the native Slackware one (which
is basically just smart tarballs), and I have found that RPM's are very
easy to use, almost too hold-your-hand-ish for myself. It can verify
signatures, and do all the basic things you'd expect a package management
system to do with only a 'rpm <a few switches>'. Advisories for these OS's
come out quickly, with a link to directly down the (one package, not a
whole bundle of mystery "updates" like a Service Pack) package you're
updating. Exactly what the package does, and what it provides and depends
on, is listed in the spec. On Linux, if you upgrade App A, you need not
worry about App S suddenly breaking and App Z no longer working at all.
This happened so much with "WindowsUpdate" that it was eventually one of the
major factors why I switched OS's. Case in point: the recent SP for
Windows XP, still being talked about, which according to many people broke
many important apps. And you (thankfully?) only get those every once in a
blue moon! Waiting months for a well-known vulnerability to be fixed in
Windows is the rule, not the exception. Recall the "Adobe Stream" issue.
Then, MS only fixes MS's own MS-stuff. 3rd party apps are left for dead,
as I see seems to be the case after reading the recent posts on the
ics.sans.org main page about the GDI-JPEG bug. I really enjoyed the "let
us out of the basement, MS" article. ;)
If you find the RPM's hard to manage, maybe you could wrap some shell
scripts (or even Perl) around them? Think about cron and/or atd, and you
could even automate your updates.
+ Personally I use Gentoo Linux. Its portage system for managing packages is
+ state of the art solution.
I've never used Portage, so I can't say what I think of it, but I do see
many people swear by it. Personally, I like simple, direct methods for what
few packages I still maintain as 'packages' (more and more I've been
compiling source directly from the site of the authors/maintainers of the
product, such as with Apache 2.0.52). Since the first part of 2004, I've
done daily updates to the Slackware current ChangeLog for those packages I
still have from it, and source updates from the others as soon as a new
stable (sometimes beta or release candidate) version is released. I ftp
everything down with Ncftp, in background batch mode. Logout, come back
later, and it's all ready to go.
+ On Tue, 28 Sep 2004 Shane Presley <shane.presley at gmail.com>
+ > I was wondering if anyone had any comments on the security of various
+ > flavors of Linux?
So my vote would have to go with Slackware, because it's what I use, but
it does require some administering and configuring overhead. Once it's
set up properly, there's no reason that it can't be as easy-to-use as any
other OS (maybe X11 sessions for users, with pre-made menus under the
window manager of your choice) and secure as well.
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++
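
The permission model described in the message above (owner/group/other modes plus the setuid and setgid bits) can be audited with standard `find` tests on a host that gives out shell accounts. This is an added example, not part of the original post; the function names, the finding labels, the sticky-bit check and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a tree for permission settings worth reviewing on a
# host with untrusted shell users. Labels and sample tree are constructed.

# audit_perms DIR -> one "<LABEL> <path>" line per finding, sorted.
audit_perms() {
    dir=$1
    [ -d "$dir" ] || { echo "audit_perms: not a directory: $dir" >&2; return 2; }
    {
        # Regular files that execute with the owner's uid / the group's gid.
        find "$dir" -xdev -type f -perm -4000 -exec printf 'SETUID %s\n' {} +
        find "$dir" -xdev -type f -perm -2000 -exec printf 'SETGID %s\n' {} +
        # Files that any local user can modify.
        find "$dir" -xdev -type f -perm -0002 \
            -exec printf 'WORLD-WRITABLE-FILE %s\n' {} +
        # World-writable directories without the sticky bit: users can
        # remove or replace each other's files there.
        find "$dir" -xdev -type d -perm -0002 ! -perm -1000 \
            -exec printf 'WORLD-WRITABLE-DIR-NO-STICKY %s\n' {} +
    } | sort
}

# make_sample_tree -> prints the path of a throwaway tree with known modes.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/bin" "$t/drop" "$t/tmp"
    : > "$t/bin/helper"; chmod 4755 "$t/bin/helper"   # setuid
    : > "$t/bin/spool";  chmod 2755 "$t/bin/spool"    # setgid
    : > "$t/bin/ls";     chmod 0755 "$t/bin/ls"       # ordinary, no finding
    : > "$t/notes.txt";  chmod 0666 "$t/notes.txt"    # world-writable file
    chmod 0777 "$t/drop"                              # shared dir, no sticky bit
    chmod 1777 "$t/tmp"                               # sticky set, no finding
    chmod 0755 "$t"
    echo "$t"
}

# Demo run on the constructed tree.
tree=$(make_sample_tree) && { audit_perms "$tree"; rm -rf "$tree"; }
```

Run `audit_perms` against real paths such as `/usr` or `/home` and compare the output with a saved baseline; a new SETUID line is the kind of change worth investigating.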