[Dshield] Flavors of Linux

jayjwa jayjwa at atr2.ath.cx
Sat Oct 2 08:00:04 GMT 2004


On Thu, 30 Sep 2004, Roman Fomichev wrote:

+ First of all you have to realize Linux is not safer than Windows.

As someone who has run both Windows and Linux as servers on the open 
Internet, I can say you are in for a much rougher ride to secure a Windows 
machine. "Linux is not safer than Windows" is a very broad statement; so I 
will have to answer it with a broad reply: Linux inherits from Unix, which 
was designed from the ground up to be a multi-user, multi-tasking 
server-oriented, secure OS. Windows (only recently) has gotten some of 
these features by way of add-ons, but for the most part, it's still MS-DOS 
with a nice gui over it. At least that's the impression I get from it. 
Whenever I have to do anything on a Windows XP machine, I always find 
myself first having to download a bunch of small utilities to make up for 
the things that are missing in Windows, that are generally system 
standards in Linux. Little things, like 'cut', 'awk', 'grep', 'sort' & 
'uniq'.
Can both OS's be made secure? Yes. Could they be made equally insecure? Of 
course, but I tend to side with the belief that Linux is more 'oriented' 
towards being a stable, secure OS.

+ In general it is rather easy to get root privileges in linux once you have
+ bash access to system.

Then you have not configured your system correctly! While of course it is 
*easier*, it is not *easy*. Linux is used for shell servers in many 
instances where the users aren't necessarily trusted. I have seen many of 
those 'net communities' (the ones where you can get a shell on a box for 
free, or next to free, but have only restriced access, such as some email 
and web privileges) that run with hunderends, if not more, shells. They 
aren't getting eaten alive on a daily basis. Currenly, I have several 
users who I've not met personally, who I couldn't tell you what they 
looked like in person, who have shell access to my system. I'm completely 
confident they aren't running around as root. I suppose they could open a 
backdoor or two, but I trust them that far not to do so, and even this I 
could guard against, if need be. The important thing is that the option 
exists for me to do so, if or when it is ever needed. 
Files and directories have owners, groups, and permissions. There's such 
fine-grain control as searching directories, reading, writing, and 
executing for each of the three classes: owner, group, and everyone else. 
Beyond this, there are additional features, such as the setuid, setgid, 
and immutable flags. Last time I checked, Windows had little more than +a, 
+h, +s with 'attrib', from the days of DOS, and those aren't security 
properties at all. I've seen very few Windows systems run with other than 
Administrator access. Most users aren't even aware that multiple logins and 
users are possible. Even so, this doesn't fully protect all the files 
it should. The FS is just one example.

+ You can configure iptables very easily to protect your box from the internet.
+ But if you want to give everyone a shell on your box it will be very hard to
+ make a really secure box.

Who does this? This is the same as saying you'd give everyone your 
'Administrator' password and then saying Windows wasn't secure. Most times 
shell access to a system isn't needed. Possibly another, less permissive 
form of access will suffice; it depends on the situation.
iptables allows for some really complex firewall rules, allowing the admin 
total control over what goes in, out, and to/from masquerading hosts. It 
can match packets based on address-type, source, destination, unreachable, 
prohibited, the packet 'childlevel' (part of a master connection), 
transfer rate, conditions of a specific /proc filename, connection 
tracking (conntrack) state (invalid, established, new, related, snat, 
dnat), remaining lifetime in seconds, fields in IP headers, number of 
packets in a burst, if ECN is set/not set, mac source, a special set of 
ports (with mport), every nth packet, uid owner, gid owner, and the list 
goes on and on. Windows has things like Zonealarm (which once locked me 
out of my own system, requiring a new install), Kerio (which I've not 
used), and the "Windows" firewall (which I'd be afraid to use ;P ).

+ As for distributions, RedHat and Mandrake are not a good choice. They always
+ install a lot of useless stuff and I found it hard to manage all the RPMs to
+ keep them up to date.

This notion extends from years back, on a more friendly 'Net, when 
installing things like fingerd and rsh were commonplace. Modern versions 
of the above OS's are not like that anymore (if they ever were, which is 
still a matter of personal choice as to what is "unneeded" or not).
I have the RPM package manager, as well as the native Slackware one (which 
is basically just smart tarballs), and I have found that RPM's are very 
easy to use, almost too hold-your-hand-ish for myself. It can verify 
signatures, and do all the basic things you'd expect package management 
system to do with only a 'rpm <a few switches>'. Advisories for these OS's 
come out quickly, with a link to directly download the package you're 
updating (one package, not a whole bundle of mystery "updates" like a 
Service Pack). Exactly what the package does, and what it provides and 
depends on, is listed in the spec. On Linux, if you upgrade App A, you need 
not worry about App S suddenly breaking and App Z no longer working at all. 
This happened so often with "Windows Update" that it was eventually one of the 
major factors why I switched OS's. Case in point: the recent SP for 
Windows XP, still being talked about, which according to many people broke 
many important apps. And you (thankfully?) only get those every once in a 
blue moon! Waiting months for a well-known vulnerability to be fixed in 
Windows is the rule, not the exception. Recall the "Adobe Stream" issue. 
Then, MS only fixes MS's own MS-stuff. 3rd party apps are left for dead, 
as seems to be the case after reading the recent posts on the 
ics.sans.org main page about the GDI-JPEG bug. I really enjoyed the "let 
us out of the basement, MS" article. ;)
If you find the RPM's hard to manage, maybe you could wrap some shell 
scripts (or even Perl) around them? Think about cron and/or atd, and you 
could even automate your updates.

+ Personally I use Gentoo Linux. It's portage system for managing packages is
+ state of the art solution.

I've never used Portage, so I can't say what I think of it, but I do see 
many people swear by it. Personally, I like simple, direct methods for what 
few packages I still maintain as 'packages' (more and more I've been 
compiling source directly from the site of the authors/maintainers of the 
product, such as with Apache 2.0.52). Since the first part of 2004, I've 
done daily updates to the Slackware current ChangeLog for those packages I 
still have from it, and source updates from the others as soon as a new 
stable (sometimes beta or release candidate) version is released. I ftp 
everything down with Ncftp, in background batch mode. Logout, come back 
later, and it's all ready to go.

+ On Tue, 28 Sep 2004 Shane Presley <shane.presley at gmail.com>
+ wrote:
+ 
+ > I was wondering if anyone had any comments on the security of various
+ > flavors of Linux?

So my vote would have to go with Slackware, because it's what I use, but 
it does require some administering and configuring overhead. Once it's 
set up properly, there's no reason that it can't be as easy-to-use as any 
other OS (maybe X11 sessions for users, with pre-made menus under the 
window manager of your choice) and secure as well.

--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++
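The permission model the reply points at (owner/group/other bits plus setuid, setgid and sticky) and the checks an admin of a shared shell box would actually run against it, as an added example written for this page; it is not code from the original post or from any of the distributions discussed. It assumes only a POSIX sh with chmod, find, mktemp and wc. The sample tree, its file names and the helper names are constructed for illustration. The immutable flag the post mentions (chattr +i) needs root to set, so it is not exercised here.

```shell
#!/bin/sh
# Added example, not from the original post: decode Unix permission bits
# (owner/group/other rwx plus setuid, setgid, sticky) and audit a directory
# tree for the bits that matter on a box with untrusted shell users.
# Assumes POSIX sh plus chmod, find, mktemp, wc. Sample tree is constructed.

# triad DIGIT XCHAR SPECIAL: render one octal digit as rwx. XCHAR ('s' or
# 't') replaces x when the SPECIAL bit (1/0) is set; if the execute bit is
# clear but the special bit is set, print the capital form (S/T) like ls -l.
triad() {
    d=$1; x=$2; sp=$3
    r=-; w=-; e=-
    if [ $((d & 4)) -ne 0 ]; then r=r; fi
    if [ $((d & 2)) -ne 0 ]; then w=w; fi
    if [ $((d & 1)) -ne 0 ]; then
        if [ "$sp" -eq 1 ]; then e=$x; else e=x; fi
    elif [ "$sp" -eq 1 ]; then
        if [ "$x" = s ]; then e=S; else e=T; fi
    fi
    printf '%s%s%s' "$r" "$w" "$e"
}

# mode_to_symbolic OCTAL: 4755 -> rwsr-xr-x, 1777 -> rwxrwxrwt, 644 -> rw-r--r--
# Digits are handled one at a time, so a leading zero is harmless.
mode_to_symbolic() {
    m=$1
    while [ ${#m} -lt 4 ]; do m=0$m; done
    s=${m%???}                    # special digit: 4=setuid 2=setgid 1=sticky
    rest=${m#?}
    u=${rest%??}                  # owner digit
    g=${rest#?}; g=${g%?}         # group digit
    o=${m#???}                    # other digit
    printf '%s%s%s\n' \
        "$(triad "$u" s $(( (s & 4) != 0 )))" \
        "$(triad "$g" s $(( (s & 2) != 0 )))" \
        "$(triad "$o" t $(( (s & 1) != 0 )))"
}

# Setuid files: the classic local privilege-escalation surface on a shared
# box, so the list should be short and every entry should be recognisable.
list_setuid() { find "$1" -type f -perm -4000; }

# World-writable regular files: anyone with a shell can tamper with them.
list_world_writable_files() { find "$1" -type f -perm -0002; }

# World-writable directories without the sticky bit: users can delete or
# replace each other's files there (/tmp-style directories need +t).
list_unsticky_dirs() { find "$1" -type d -perm -0002 ! -perm -1000; }

count_lines() { wc -l | tr -d ' '; }
count_setuid() { list_setuid "$1" | count_lines; }
count_world_writable_files() { list_world_writable_files "$1" | count_lines; }
count_unsticky_dirs() { list_unsticky_dirs "$1" | count_lines; }

# make_sample_tree: build a constructed tree in a fresh temp dir and print
# its path. Modes are set explicitly, so the caller's umask does not matter.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    : > "$root/suid_helper"; chmod 4755 "$root/suid_helper"  # setuid, rwsr-xr-x
    : > "$root/notes.txt";   chmod 644  "$root/notes.txt"    # plain rw-r--r--
    : > "$root/leaky.conf";  chmod 666  "$root/leaky.conf"   # world-writable file
    mkdir "$root/dropbox";   chmod 1777 "$root/dropbox"      # sticky, like /tmp
    mkdir "$root/shared";    chmod 777  "$root/shared"       # world-writable, no sticky
    printf '%s\n' "$root"
}

demo() {
    for m in 4755 2755 1777 644 666 4644; do
        printf '%s -> %s\n' "$m" "$(mode_to_symbolic "$m")"
    done
    tree=$(make_sample_tree)
    echo "setuid files:";                        list_setuid "$tree"
    echo "world-writable files:";                list_world_writable_files "$tree"
    echo "world-writable dirs without sticky:";  list_unsticky_dirs "$tree"
    rm -rf "$tree"
}

demo
```

The three find expressions are the part worth keeping in a cron job on a box like the one described: a new setuid binary, a config file that went 666, or a shared directory that lost its sticky bit are each the kind of change an untrusted shell user can exploit without ever needing root, and each is one line of output when it appears.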


