Battle of the Secure Distros 158
CrazyEd writes "LinuxSecurity is reporting that EnGarde Secure Linux has received the Network Computing Editor's Choice award to win the battle of the Secure Linux distributions. Well deserved, me thinks." Update: 06/10 15:16 GMT by T : An anonymous reader points out that Linuxlookup.com
reviewed this distro last week, awarding it a perfect score.
Ad Revenue? (Score:3, Interesting)
(I'd do the same, of course)
Re:Ad Revenue? (Score:2, Informative)
Re:Ad Revenue? (Score:2, Informative)
Admin (Score:5, Insightful)
Re:Admin (Score:2, Funny)
Re:Admin (Score:5, Insightful)
In particular, you must know in deep detail all the technologies involved in a complex networking environment (they are countless: DNS, email, NEWS, NIS, LDAP, routing, and so on...).
It is difficult to barely know all of them, and to secure an installation you must know them good. And this is no easy...
Of course I agree with the point that the software must be "secure-able", otherwise you can be the best sysadmin... you system will always be full of flwas if the software you are using is bugged (...who said something about the windows?...).
Cheers
I disagree (with your disagreement...) (Score:5, Interesting)
When you rattle off NNTP and crap like NIS/LDAP as if they were equivalent in complexity to full BGP4/MBGP routing, I think you belie a superficial understanding of the situation. Even something as nastily complicated as BGP route maps is not nearly as challenging as dealing with people, professionally and personally, in a fast-paced environment that values results over process or the latest fad technologies. In that respect I do not believe it is significantly harder to earn one's keep as a sysadmin than to do so as a VP Sales or a Comptroller. It's just a totally different set of technical skills used to do the job.
I don't doubt that you meant well, but really, choosing the right tool for the job (and then using it well) is not so difficult in most cases. 'Tis a poor craftsman who blames his tools!
Re:I disagree (with your disagreement...) (Score:2, Insightful)
Yes, but even a master carpenter can't build a house out of rotten wood.
This has been my mantra over the past couple of weeks as I've been forced to try to get low level hardware and software working with Windows.
Re:I disagree (with your disagreement...) (Score:2)
Yes, but even a master carpenter can't build a house out of rotten wood.
This has been my mantra over the past couple of weeks as I've been forced to try to get low level hardware and software working with Windows.
Fair enough. I've been in that exact situation with Windoze before (trapped into it, in fact) and you just have to trudge through as best you can. I hate Microsoft server OSes (and attempts to use their client OSes, or more pointedly, crippled versions of the same thing they sell as server OSes, to do anything reliably).
The upside to this (IMHO again) is that most shops which run everything on Windows are such amateurs that they won't notice downtime until it is on the order of "one nine" (eg. vs. "five nines")
Doing anything interesting with Windows and hardware that needs to run reliably... well, best wishes, my heart goes out to you.
If it helps you debug the whole get-up (eg. if you need it to run in lock-step across multiple sites) there is one piece of good news -- NTP runs on Windows and is documented (both in an O'Reilly book and elsewhere on the Web). Just something that came to mind after an earlier poster brought up NTP. Good luck.
NTP is a great protocol (Score:3, Interesting)
Still, a working NTP infrastructure is a requirement not just for NDS, but (IMHO) for ANY scalable deployment of service that is meant to be reliable. How can you get anything interesting from your logfiles (on a correlation-across-the-site basis) without a standardized meaning for the timestamp?
Complicated, yes, but also valuable. I have had the misfortune of trying to read the RFC. I even read the source for ntpd and xntpd (v4). The complexity arises (and damned if this isn't going to sound familiar) as a result of multiple people in multiple locations trying to coordinate their metrics for timekeeping. LDAP and NIS complexity also arises from social interactions (upkeep) and scaling (emergent behavior of a system). NTP is a great tool for minimizing the chaos created by bugs in authentication schemes like LDAP, btw.
Aside:
If you want to get really sick, try running a Coda or AFS deployment (with IPSec or SSH tunnels to link nodes) across multiple timezones. Woo Hah!
All of my servers run NTP, from the routers, which in turn pull from tick and tock at the Naval Academy (or NRC, can't remember offhand which).
Re:Admin (Score:5, Interesting)
However, many distros go a different path by enabling services and allowing installs with weak passwords (or no passwords).
For a nice security benchmark, see the Center for Internet Security [cisecurity.org]. I wait for the day where a default install of RedHat will score a perfect 10 with it... (It is more around 5 right now on their 0-10 point scale).
Re:Admin (Score:2)
Re:Admin (Score:1)
Re:Admin (Score:2)
Re:Admin (Score:2)
Re:Admin (Score:5, Interesting)
These secure distros try to be by default very secure and should only normally become insecure by an admin doing something silly or not keeping up to date with patches. Some of the other distros don't pay as much attention to security, but a really good admin can nail these systems down too. I for one like the fact that this distro comes with no setuid-root programs, its a good precautionary measure.
In some systems, admins do not have a chance to secure the machine because of lack of control. This is normally the case where closed source software kindly leaves you with a gaping security hole, and until someone eventually comes out with a patch the best you can do is stop using it. Ofcourse you were probably using this software for a purpose, and so not using it for a while could not be an option, hence an all too common situation of knowingly running insecurely, and there is nothing the admins can do.
Infact millions of people have done this recently, with the realease of XP the installation was vulnerable to network based attacks from the start. The only way to correct the problem was to install a patch - which meant you had to connect to the internet using that machine to register the software and get the patch from 'the company that shall not be named'. When you have to make yourself vulnerable to get the patch that stops you being vulnerable, security is impossible.
The most valuable part of EnGarde Secure Linux is probably the patch system, if it (or something just like it) was taken up by more distros then securing boxes would be easier and therefor might happen more. I would like to see something similar in gentoo keeping me up to date, because finding out what is going on is often the hardest part. Was there a ptrace vulnerability I missed? Ohh damn.
Re:Admin (Score:5, Insightful)
I spend a lot of time with other people's networks, and have yet to see one which stands up to how I would run my network. That's how I make money, incidentally - fixing other people's networks and securing them where possible.
A guage of how secure things are out-of-the-box is important. Some people will never switch off the default daemons, etc. Some people insist on using some Microsoft DCOM rubbish and opening holes over their firewalls to do it because they can't do anything else. They don't know how and don't care to know.
So, this kind of survey is important for those lesser admins who are probably not geeks and just trying to hold on to their jobs. Perhaps they are good at other things and valuable for the company, and the same is too tight to invest in a proper sysadmin so they dump him the job because he can hack a few basics together and get it to work.
All those of you saying "RedHat isn't secure out of the box" and all that OpenBSD stuff are already enlightened. These surveys are not for you. They are for all those other readers who don't fathom why you're mentioning OpenBSD in the first place.
So what? (Score:2)
NSA not even mentioned. (Score:4, Insightful)
http://www.nsa.gov/selinux/ [nsa.gov]
--
I vote for OpenBSD [openbsd.org]
Re:NSA not even mentioned. (Score:1, Redundant)
Re:NSA not even mentioned. (Score:1)
Re:NSA not even mentioned. (Score:5, Informative)
Quotes: NSA SE-Linux FAQ
13.Is it secure?
[...] Put another way, "secure system" means safe enough to protect some real world information from some real world adversary that the information owner and/or user care about. Security-enhanced Linux is only a research prototype that is intended to demonstrate mandatory controls in a modern operating system like Linux and thus is very unlikely to meet any interesting definition of secure system. [...]
16.Did you try to fix any vulnerabilities?
No, we did not look for or find any vulnerabilities in the course of our work. We only changed enough to add our new mechanisms.
You can find the full SE-Linux FAQ here [nsa.gov]
Re:NSA not even mentioned. (Score:2, Informative)
Re:NSA not even mentioned. (Score:1)
Better than SELinux? (Score:2, Interesting)
Shell I stop doing so now and just install this distro instead?
Is it really more secure than LVM/RSBAC patched kernels with additional hardening?
For sure?
just my two cents...
Re:Better than SELinux? (Score:1)
sorry, typo.
Hmm (Score:1, Redundant)
LINUX BG (Score:3, Funny)
but unfortunatly you can't have a copy, just incase you find a bug.
Logon requires you press ctrl+alt+delete , because it's oh so hard for memory resident apps to not die when this happens.
My mouse has only 1 button to confuse any computer literate people, and allow me to catch them in the act.
I've remapped the keyboard, to confuse those who touch type.
No network (because the kernel dosn't have the correct drivers),
No-ones hacked it yet.
Hacked by evryone. (Score:1)
Advanced DRM technology, for speeker licenses, if you don't have a licence to connect the speekers to the PC and play that song, then they get bombarded with square waves and lots of clipping until they follow the licence aggrement.
Why it's so secure that i cant even open the coffie cup holder.
I don't give a flying filesystem check (Score:3, Insightful)
Orange Book etc (Score:2, Interesting)
In any case, to be a properly secure distribution you need DoD/NSA style certifications. The Common Criteria [commoncriteria.org] go part of the way there, but again certification is slow and really not universally accepted. (There's a flame bait for you CC fans).
Bottom line - true security requires seriously lengthy evaluation and certification. And even so, a product like NT 4.0 is still being found to have security holes to this day.
Sigh.. anyone fancy rewriting Multics [multicians.org] for the Intel platform? :)
Re:Orange Book etc (Score:2, Informative)
BTW, you might want to get a handle on the basic background of CC [commoncriteria.org] before shooting your mouth off. TCSEC is no longer accepting new products for evaluation [ncsc.mil], though those who started the old process can finish it. Common Criteria really means it now. Read the friendly website [commoncriteria.org].
That's because... (Score:5, Interesting)
En Garde may be better, for all I know. But I'll be using SELinux for gov't clients wanting high security, and OpenBSD for my need-to-be-hardened services, because I know they are excellent tools for those applications. (sorry folks...)
The above are just my experiences. For all I know it could be a vast conspiracy to provide disinformation
Re:That's because... (Score:1)
While stipulating that SELinux is the best design I've see *by far* for linux;
NSA has absolutely not 'approved' this for any use, nor do they represent it as a system that's either in any production operation at NSA, nor that it is an appropriate system for such use.
As said in posts above SELinux is a research project / reference implementation. Yes many folks are planning on offering commercial solutions based on SELinux, and for good reason, it's a fine design with good attention to detail.
There is a serious set of issues involved in applying SELinux to a production environment. SEL development (and LSM on which it depends) tracks the stable and -dev kernels. This means the platform is updated often and no attempts are being made to maintain fixes/changes compatible with prior releases / kernels.
Also all versions since the first reference impelementations are based on the Linux Security Modules LSM [immunix.org] which are an attempt by the security industry to build a common interface for securing / auditing Linux's security - relevant interfaces.
LSM is an impressive piece of work, and has come a long way in the roughly 1 year that they've been coding! When one of the participants (IBM) provides a programmatic analysis tool that finds there are some oversights in the design, you know that this is still a work in progress / and I hope that any serious security implementer will take these things into consideration.
The upside of course is that these tools are being built and both LSM and SELinux are doing very good detail work on thinking about how to get Unix (Linux in this implementation) to a place where the OS itself can eliminate the reliance on root-privilege. WinNT was supposed to be such an implementation, I think most observers agree that intent didn't make it into the release code due to the complexity and competing design objectives.
SELinux cachet does not come from any NSA approval (Score:2)
Rather, my experience has been that other three-letter agencies find it helpful in the decision-making process if a solution based on Linux also has the imprimatur of the NSA (eg., "we can do this on NSA SELinux if it suits you better") so that it need not be seen as a rogue deployment of something outside the norm.
I am sorry if anyone got the idea that SELinux is Orange Book or NSA approved or in any other way superior to a properly-implemented kernel MAC implementation. What I was commenting on is the "aura", if you will, of offering a product that is Linux-based, but NSA-Linux-based. It makes life easier. I had trouble the first time I explained this to my boss, so clearly I need to work on my presentation of the issues some more
YMMV...
Re:Orange Book etc (Score:1)
Bit more info here [winntmag.com]
If you rely on NT's C2 security rating in your security decisions, you must keep in mind two important considerations. First, a C2 security rating is different from a C2 security certification. OSs and programs earn ratings, but individual installations must be certified. This distinction means that most NT installations are not C2 certified.
NT earned its C2 rating as a standalone system, with no networking enabled. If you take your C2Config C2-certified system and attach it to your LAN, your system loses its C2 certification.
Re:Orange Book etc (Score:2)
That is not the case for NT4. The cited report refers to the NT 3.51 evaluation since the NT4 evaluation had not been published when it was written. The summary of the NT4 evaluation [ncsc.mil] says "A networked configuration was evaluated for interconnecting the various hardware with Windows NT workstations and servers.". The full evaluation report is available for those who want to read it.
Windows NT4 (with specified SPs and fixes) also has an ITSEC E3/F-C2 certificate, and networking is mentioned in that one too - search from the CESG certified products page [cesg.gov.uk] if you want details.
These certificates do not necessarily mean much in practice, but we should refer to up to date ones if we refer to them at all.
Re:Orange Book etc (Score:2)
Re:Orange Book etc (Score:2)
Re:Orange Book etc (Score:1)
COMPUSEC/1-99, Sec II item 5.
2) CC has a much wider acceptance internationally.
3) Win2K HAS been undergoing CC evaluation (Evaluation Assurance Level 4).
Moderators: How in the heck did Dynamoo's post rate a 3?
Re:Orange Book etc (Score:1)
It is also worth noting that Microsoft have had Windows 2000 going through a C2 evaluation [microsoft.com] for over 18 months with a proper hardware configuration unlike the previous NT 4.0 evaluation.
There can be only one... (Score:2, Offtopic)
OpenBSD 3.1!!! =))
Sorry, could not resist...
OpenBSD (Score:1, Troll)
Other pluses: it's Really Free(TM) Software - as opposed to Redhat and others which bundle non-free software in the default distro, it's manpages don't suck, etc.
Re:OpenBSD (Score:2)
Re:OpenBSD (Score:1, Insightful)
That would be like letting tiger woods compete in the girl scout's golf tournament.
Re:OpenBSD (Score:1)
yeah OBSD would have taken it
there needs to be a group of people to do exactly what open bsd does... thorough code reviews, not just in the kernel, but glibc, etc..
Tinfoil hat Linux (Score:3, Funny)
Downloads (Score:3, Informative)
i386 "Bonus" Package [guardiandigital.com]
The i686 version [udel.edu]
i686 "Bonus" Package [guardiandigital.com]
Debian-based? (Score:2)
It’s just me or other people also noted EnGarde’s installer [guardiandigital.com] looks just like the Debian one? Would it be Debian-based?
I haven’t seen them at Debian’s derived distributions list [debian.org.], so maybe I’m mistaken.
Re:Debian-based? (Score:2)
I just use Debian, nothing else. Perhaps it’s Anaconda, but then please enlighten me as to what Anaconda is.
anaconda is... (Score:1)
here [rpmfind.net] are details.
end of enlightenment.
OpenBSD, Pitbull, SE Linux *all* mentioned (Score:2, Informative)
try reading the article before making false claims.
Linuxlookup.com gave it a perfect score too. (Score:1)
Bastille script hardens Redhat (Score:1)
Here's the summary:
The Bastille Hardening System attempts to "harden" or "tighten" the Linux operating system. It currently supports Red Hat and Mandrake systems, with support on the way for Debian, SuSE, TurboLinux and HP-UX. We attempt to provide the most secure, yet usable, system possible. The project is run by Jon Lasser, Lead Coordinator and Jay Beale, Lead Developer, and involves a number of developers, beta-testers and concept-creators. Bastille Linux was developed with several major goals:
Gentoo?? (Score:2, Informative)
KRUD (Score:3, Informative)
Re:KRUD (Score:1)
-r
Call me ignorant if you like... (Score:1)
OK, I'll call you (a little bit) ignorant. (Score:3, Insightful)
Furthermore, several of the services that run by default on a raw install of OpenBSD have been shown over time to have local root exploits possible. Not remote root, mind you, and not without a swift and comprehensive patch being released, but the moral is, No One Is Perfect.
That said, I have never had a compromise of any sort on my OpenBSD systems. I buy each and every release on CD direct from them to support the project, and have donated a little bit, too. If anyone who just runs Linux says "so what, it doesn't affect us" I request that you look at what version of SSH you're running. OpenSSH? Hmm, guess which dev team wrote that? Yeah, that's right. *BSD will be dead around the same time we see the paperless office (and the paperless restroom, and flying pigs, and...). OpenBSD is good stuff when you just can't take chances!
hmm (Score:1)
Re:hmm (Score:1)
It's not a phrase, it's a word [m-w.com].
Of course, some people are idiots.
What makes a Linux distribution secure? (Score:1)
Daemons that are run by default are reduced to a minimum.
Easy upgrading of security-critical packages (no, that's no ad for Debian, of course :-;)
Ability to a install a minimum system with a minimum number of packages.
Careful file permissions and special user groups (i.e. "dialup","audio")
Use of "secure" programs for a particular purpose (i.e. ssh instead of telnet, not sendmail as MTA, ...)
Any other ideas?
Ready to go out of the box is a BIG selling point! (Score:1)
One of the problems with setting security to paranoid is that it usually means that nothing works. Let's face it; most small businesses are not going to have a Linux guru working for them. Unless they can afford to hire a guru to come in and set things up, they will have to figure it out for themselves.
We need distros that run "out of the box" and are secure. I know my way around a Linux box fairly well but I do not consider myself a guru. For me, there are few things more frustrating than setting the security level to paranoid and having nothing work. What makes it worst yet is that rarely (if ever) will you find adequate utilities for the non-guru to properly configure a service once setting the system's security has broken that service.
This has got to change. I don't have time to be a Postfix guru and a MySQL guru and a apache guru and..... Further, I don't know what sadistic bastard wrote these manuals but they appear to all be written by one guy and maybe his brother. I am NOT a stupid person but twenty minutes of reading Linux man pages makes me want to go up to the roof and sit naked with a high powered rifle! Maybe some people can read that stuff and get a warm fuzzy feeling but I want something that I don't need a PHD to understand. Believe it or not, most of us want to spend more time using our Linux boxes than we spend trying to configure them.
Re:Ready to go out of the box is a BIG selling poi (Score:2)
Re:Ready to go out of the box is a BIG selling poi (Score:2)
I really love Linux. It's power, flexibility and open source philosophy is wonderful. But really, business people just don't have the time to read all of the books that it takes to configure all of the various parts of a Linux server. And small businesses can't afford to hire an expert every time that they need something done.
The answer, I feel, is to have configuration tools for the complete idiots. I know I would use them!
Re:Ready to go out of the box is a BIG selling poi (Score:2)
And you know what manually configuring things is no longer required. With programs like linuxconf and webmin (especially webmin) any body can configure just about anything. Install webmin you won't be sorry.
Re:Great! (Score:2)
RedHat (Score:4, Insightful)
Because I'm always installing Linux for clients, RedHat is always specified, so I have no choice, but I've got it down to taking about 10 minutes to have a really secure box. It's just a case of knowing what needs to be done, which sadly, Linux newbies won't know.
In my opinion, security should be paranoid to start with. If that stops the users from doing something, fine. They'll have an incentive to try and figure out how to allow what they wan to do. Make it too easy, and they'll just live in blissful ignorance.
Securing Redhat, and Linux in general (Score:3, Insightful)
Yep, got my home box r00ted six weeks ago. All because I hadn't taken all the usual basic precautions. (insert your sarcastic insult here). Being an ex sysadmin, I should have known better. Tightening up the security didn't take too long.
The hardest part was setting up ipchains to do packet filtering. Lord help a newbie doing this; you have to know a fair amount about TCP/IP. The various security HOWTOs make a brave effort of trying to explain it all, but I really wonder how many novices will understand it. I don't see how any Linux distribution can make this easy: there are too many variables about the intended use of the computer. The rules for a DMZ computer, a LAN computer, a lone dial-up computer and a firewall are completely different.
Re:Securing Redhat, and Linux in general (Score:2)
packeteer [slashdot.org] asks
The information you need is in various Linux HOWTO documents. These should have come with your distribution. You can fetch updated versions of the documents from The Linux Documentation Project [tldp.org]. You should study the following HOWTOs:
I asume you simply have a home box which you connect to the Internet using a ppp dial-up connection. If you have something more sophisticated, you will have to learn more. I'd say the most important thing to do is to block connections to the privileged ports via your ppp interfaces, for the following reasons.
- You shouldn't be providing any services to the Internet unless you really know what you are doing.
- If you have a dial-up ppp connection without a static IP adress and your own domain name, there is no legitimate reason for anyone to ever try and connect to those ports.
- Security exploits of privileged services will immediately given an intruder a root shell, and thus complete control of your computer.
The following rule will do the trick (warning, untested--myipchains rules are more complex than this): ipchains -A input -i ppp+ -p TCP -y -d 0.0.0.0/0 0:1023 -j DENY -lRe:RedHat (Score:5, Interesting)
I too regularly install GNU/Linux for clients, and more often than not they specify RedHat (occasionaly SuSE), but I've not installed anything other than Debian for years (except during RHCE/RHCX courses
The trick is to ask them why they specified RedHat. Most of them will cheerfully admit that they said that because it's the only distro.they've heard of so they were saying "RedHat Linux" in the same way they might say "Microsoft DOS", never realising there was a "DR-DOS" (once upon a time
It doesn't normally take too much effort to convince them that they are paying me for my expertise, so if I recommend a particular flavour they might as well listen.
The only time I'd take such a request seriously would be if they were already a RedHat shop, and had a lot of in-house RedHat expertise.
The last time that was claimed the "expert" turned out to be clueless, and the existing RedHat systems so broken (9GB swap, 800MB root, permissions all +rwx) that I ended up having to reinstall them anyway --- they're a Debian shop now
I've since decided that any RedHat shop that decides to hire me in, is probably not full of experts (otherwise they'd do it themselves), so take a lot of convincing that going with the flow is the wise thing to do.
If you have a good technical reason not to install RedHat, and you can justify it, give it a try.
The worst that happens is they say no (and you get to look smug if their decission bites them).
The best that might happen is that they decide to respect your opinion, which bodes well for the future business relationship, and means you get to work on the system you feel best fits the problem, which avoids stress and frustration.
Re:RedHat (Score:3, Insightful)
If you were going to set up a large and complex shop, and then turn the maintenance over to $60,000/yr worth of support personnel (whose turnover rate might be high), which distro would you recommend?
I know a shop where the head admin is having to get rid of Linux boxes (for Windows ones), because no one else in the company knows Linux. He understands that it's not just technical superiority that matters, but supporting the technology as well.
Re:RedHat (Score:3, Interesting)
Have you ever seen or taken the RHCE tests? Granted I haven't either, but I took the BOSON practice test. Now I am not saying that there is any relation between the two, but the practice test was full of questions such as "What is listed in the submenu when you right click the GNOME foot?" and "What's the best way to laugch NAUTILUS?" If that's the kind of test you have to take to pass, forget about it.
In general it's easier to find admins for RedHat, particularly less-experienced ones.
You get what you pay for.
SealBeater
Re:RedHat (Score:2)
Yes I have (to my shame
The RedHat test is a pretty decent test, unlike the one you describe. There are one or two bits that I found anoying (as a Debian user) because they appear to have decided that rather than fixing some things that I'd consider to be usability bugs, they'll just add the work-around proceedure into the test, but that only accounts for a couple of percent.
I'd be unhappy about letting someone that failed the RHCE be a sysadmin on anything I cared about.
Most people that pass it, and also get a year or so's experience around the same time, can probably be trusted to have a clue. They also would have little trouble administrating a Debian system, or any other GNU/Linux system, once they got over their confidence problem about it not being RedHat.
After all, I got 99.6% on the RHCE exam, and the first time I had installed RedHat was 4 days earlier at the start of the fast-track course. It's really not that different from Debian (/etc/rc.d/nit.d vs
Re:RedHat (Score:1, Interesting)
FWIW I have 7.2 right now
Thanks in advance!
Re:RedHat (Score:2)
Re:RedHat (Score:1)
Re:RedHat (Score:1)
Re:RedHat (Score:1)
Re:RedHat (Score:1)
And the fact that it's a 486. So, one can assume I have a "cheap" setup. You can get a 486 for $50. IPCOP is free. 2 NIC's cost $15.
Re:RedHat (Score:2)
Re:RedHat (Score:1)
Re:RedHat (Score:1)
We would appreciate it very, very much.
Re:RedHat (Score:5, Informative)
I start with a shell alias like this:
alias nsl='netstat -alnp --protocol=inet|cut -c-6,21-94|tail +2|grep -v ESTABLISHED|grep -v CLOSE_WAIT'
At a glance you will see what services are running and listening to ports. The "Local Address" column is the most useful. Anything starting 127.0.0.1 can be safely ignored, the rest will be based on what you feel you need.
As a general rule, boxes I configure offer WWW (port 80), SMTP (port 25), POP3 (port 110) and DNS (port 53). I turn everything else off, or if I do need it, I firewall it (see later).
Now, how to get rid of things. Obviously, this varies from thing to thing, but take for example the lines starting
udp 0.0.0.0:2599
tcp 0.0.0.0:
udp 0.0.0.0:111
Now, as I'm not running NFS or NIS, I don't need any of these services. If you're not sure what, say, port 111 is, the -p option to netstat is great - it lists the PID and process name, so we know to close down portmap. Now, this is started by /etc/rc.d/init.d/portmap via a symlink in /etc/rc.d/rc3.d (assuming you start in runlevel 3). Simply rename the link there to start with a K, like this:
/etc/rc.d/rc3.d/
./K86nfslock_S14 stop
./K87portmap_S13 stop
[root@pootle init.d]# cd
[root@pootle rc3.d]# mv S14nfslock K86nfslock_S14
[root@pootle rc3.d]# mv S13portmap K87portmap_S13
[root@pootle rc3.d]#
[root@pootle rc3.d]#
Now, run netstat again, and see what ports remain for you to tidy up. You'll probably remain with ones that you really do want to keep, e.g. postgres on 5432, tomcat control on 8008, MySQL on 3306, etc...
This would normally be a job for the firewall. If you have one, use it! However, just in case a machine inside your net is compromised, you can run additional filtering rules on every machine. For instance, my /etc/sysconfig/ipchains file looks like this:
# open up the POP server
-A input -p tcp -s 0/0 -d 0/0 110 -y -j ACCEPT
# open up the WWW server
-A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT
...
# close all reserved ports
-A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT
-A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
# protect mysql
-A input -p tcp -s 0/0 -d 0/0 3306 -y -j REJECT
# protect postgres
-A input -p tcp -s 0/0 -d 0/0 5432 -y -j REJECT
-A input -p udp -s 0/0 -d 0/0 1026 -j REJECT
and so on. Basically, the theory is, explicitly open up the ports <1024 that you want to allow access to, and block anything else to the priviledged ports. Then, by default allow all higher ports access (otherwise, you'll get problems connecting from the machine to other machines), but explicitly close services you don't want publically available, e.g. databases, etc...
Other stuff you'll want to do is remove telnet and ftp from your machine and install openssh. With both of those protocols, you run the risk of passwords being snooped along the way, and ftp gets hacked fairly regularly. If you do need to upload files regularly from Windows machines, check out WinSCP2 - it's really good.
Next off is protecting services that have a track record of being hacked, such as named. There are several tricks; running as a non-root user is always best if you can, running in a chrooted environment is better still. The first gives the program so few privileges that it can basically only access files it owns. Good, unless you have have local root-exploitable holes. The second runs the application completely in a sandbox, where it sees a very restricted view of the directory system, e.g. on my machine, all DNS data lives under /chroot/named, and if it was hacked, the best they'd be able to do is destroy DNS data. This can be complicated to set up, and I'd advise you to search the web for in-depth discussions.
I will often use a combination of techniques, e.g. DNS on my systems run as user named, live in a chrooted filesystem, and also have packet filtering rules, so that they only talk to machines which are dedicated secondary DNS servers.
Of course, you also need to audit anything that is left available. If you run CGI scripts that will accept data unchecked and pass it to a shell command, your machine will be compromised. Keep an eye on security mailing lists or websites - if you run software that vulnerabilites are discovered in, you need to patch them quick, e.g. SSH bugs found a few months ago, etc... But by keeping things down to an absolute minimum (using seperate boxes for each service if you can) and really considering who needs to use them, you stand a good chance of being really secure.
This is getting too long now! Hope some of this helps...
Re:RedHat (Score:1)
You know, if I typed something like all that in front of my boss (not a tech literate guy) and actually got a result, he'd probably give me a raise. If you use redhat you might try:
nmap localhost
Re:RedHat (Score:1)
[root@pootle rc3.d]# mv S14nfslock K86nfslock_S14
[root@pootle rc3.d]# mv S13portmap K87portmap_S13
[root@pootle rc3.d]#
[root@pootle rc3.d]#
You (and all those who come after you) would find it significantly easier if you simply did:
Any Red Hat Linux since release 5.0 (1997, five years ago) has /sbin/chkconfig. And any Red-Hat-derived distribution has it as well. And if you have something else and prefer to use chkconfig, look for it on Freshmeat [freshmeat.net].
Geez, folks, it doesn't have to be that complex.
Re:RedHat (Score:1)
Re:RedHat (Score:1)
Re:RedHat (Score:2)
/sbin/chkconfig --del nfslock
/sbin/chkconfig --del portmap
It is important to note, that the services continues to run after this, until the box is restarted, or the services are explicitly shutted down.
A "/etc/init.d/[service] stop" should be issued after deleting it with chkconfig.
That said, chkconfig is a breeze to work with, and probably the first command I use, on a newly installed Red Hat box.
Re:Great! (Score:2)
Re:Great! (Score:1)
Um... you said;
"It's redhat w/o NO services running."
So is it redhat WITH services running? (In which case how's that different than RedHat?)
or did you mean;
It's redhat with NO services running?
Got to watch those double negatives...
Just my $0.02 (Canadian, before taxes)
Re:Great! (Score:1)
Re:Great! (Score:2, Insightful)
Re:Why OpenBSD just won't do. (Score:1)
Dirk
Re:The winner (Score:2)
Freeeowww! it was a joke!! Tchuh!
"Organic lifeforms have *no* sense of
Re:The MOST secure OS is already deployed on serve (Score:1)
The Mac server can't be rooted because... it has no root.
And there aren't any command line utilties because... it has no command line.
And... this means that the machine is secure.
Ok, some challanges for you (simple tasks to
perform, that I do all the time).
1 - My server box is headless (no monitor/keyboard). That's because I am never PHYSICALLY there. Yet, I update web pages, email services, add new forms, etc. I can even update the OS remotely. Can you do this on the Mac? Serious question, I'd like to know the answer (I SUSPECT its NO, but I do want to know).
2 - I can provide additional services on my servers. (I run a simple collaboration server). If I need to, I can add additional services (again, remotely, because these machines DON'T have monitors/mice/keyboards).
3 - If I need more compute power (and I occasionally do), I use DHCP and TFTP to load OS's into diskless and headless boards. I can then control these nodes remotely as well (good for LAME, video transcoding, other stuff). Does Mac offer anything like this?
And, please restrict your answer to Mac OS prior to OS X. I am aware that OS X will do these things, which is why I may finally get a Mac.
Due to the nature of trying to offer services that can potentially be general across the I'net, I have to be careful about security. I could offer NO services, and be fully secure, but that wouldn't be anywhere near as useful.
If Mac OS (not OS X) can offer these services, and is as secure as you say, I WILL buy as many as I can get my hands on. Really. I haven't been shown how yet. I presume that either (1) I am ignorant, or (2) It's not possible. If it isn't possible, then the Mac "solution" isn't very useful. I don't want to have to run home to update web pages, open up MP3 playback from home to my work, add email filters, monitor collaboration services, or check on the system health.
I am looking forward to being educated here.
Ratboy.
Re:The MOST secure OS is already deployed on serve (Score:2)
You can do most of the above using a tool like Timbuktu, which allows remote use of a mac using the GUI; you can do most of what you want through that. A better way is to use the Remote Admin Extension [securemac.com], which allows you to administer MacOS (pre-X of course) through a telnet client. Most Mac webservers also have remote administration capabilities built in. I administered a headless Mac webserver for about 5 years using these tools (The OS was 7.1 and I was running Webstar 1.1; this stuff worked faithfully (though slowly) for a long time.
Of course, the real reason Macs are perceived as more secure is because fewer people have spent time hacking them, because there are fewer Macs. Every service you offer can be coded for the Mac, and many have been, but every service opens the potential for security risks. You can stay up to date on Mac security issues at http://securemac.com, among other sites.
Finally, you can always install linux on the Mac and do what you want, but that really doesn't answer your question.
Re:The MOST secure OS is already deployed on serve (Score:2)
2) no, unless you run extra software which may not be secure, such as VNC.
3) Jobs demonstrated a diskless netbooting iMac on stage a couple years ago; the client ran Mac OS 9 but the server was Mac OS X. Of course the same can be done with OSX clients. I'm not sure what all this allows you to do; it's not something I've played with at all. Of course, you should be able to netboot a *nix OS on Mac hardware, but the hardware is a bit pricey for that sort of thing.
Re:The most secure OS is the one I use. Unhackable (Score:1)
I think, you should distinguish between Operating System Security and Secure Applications on top of an insecure OS.
Mac OS 9 does not have any security.
It's only the webserver which was secure. Use the same webserver on Linux, and Linux is as secure as your Mac.
This level of security can be reachen on ANY platform, including DOS and even Windows 95.
Just disable everything which has something to do with networking, and then install some secure server application.
I'd like to see a Mac OS 9 driven computer that can prevent hackers from destroying data DESPITE the fact that it is running insecure software - THIS would be real OS security.
Re:The most secure OS is the one I use. Unhackable (Score:2)
Umm... it ships out of the box with all ports closed. If the web server you install on top is actually secure (as you say), then how can the OS be compromised remotely?
I'm not questioning that there is no local security, but if you've got physical access to the box anyway, most systems aren't very secure.