Slashdot Mirror
Linux Distribution Security Reviewed
qbasicprogrammer writes: "Security Portal has a review on the security of Red Hat, SuSE, TurboLinux, and Caldera Linux distributions." Debian and Slackware are absent, but its a decent piece.
← Back to Stories (view on slashdot.org)
As for it being a year before woody ships with a 2.4 kernel, it may be a year before 2.4 is remotely stable. 2.4 may not even be feature frozen yet, despite claims to the contrary; Linus seems to be adding a new feature a week. IMHO shipping 2.4 as the default kernel in any distribution would be irresponsible at this point.
My Blog. Sela Ward can sell me long distanc
- 3.9: 16/7/99
- 4.0: 28/11/99
- 7.0: 27/4/00
- 7.1: 27/6/00
Compare to Red Hat:- 5.2: 12/10/98
- 6.0: 20/4/99
- 6.1: 26/9/99
- 6.2: 8/3/00
So you are looking at 5-6 months between RH releases, and 2-5 months for Slackware. Oops, looks like the reviewer was just a lazy fuckbag.reviewer.streetCred = 0;
Finally! The first real use for the blink tag! Give this guy a prize for being the only person so far to find out a reason for its continued existence. :-)
Now all we have to do is convert the manpages to html or add a blink format tag to groff.
--
Friends don't let friends misuse the subjunctive.
Except they're missing the point.
What kind of a system administrator would settle for a default install? What kind of security department would ALLOW security holes to stay open? Sure, it's part of the vendor's job to make sure their product is up to par with what's expected of them, but ALL of the responsibility does NOT rest with the people who put together the distribution!
A Detail Oriented, Security Concious, Responsible SysAdmin is 90% of the equation.
And by not reviewing all relevant distributions, they're putting their 'review' on a slant. That's like saying "We're reviewing Windows security. We're only including Windows 98SE and Windows 2000, and we're leaving out Windows 95 and 98 because, let's face it, they're 2+ years old. RIDICULOUSLY SLOW RELEASE SCHEDULE." Bah. If you're going to take the time to write something like this, review ALL major distributions. Don't pick and choose your review candidates because (rightfully so) it looks like you're playing favorites.
I for one, am a very happy Slackware user, and have been for years. Needless to say, I was quite disappointed to find a lack of a Slackware review. (Slackware is quite a secure/stable distro, by the way.)
I haven't played with Debian too much to know a lot about it's implementations and security, but I can imagine Debian users feel slighted by this as well.
(My solution to the distro war? Use whatever you like. It's pretty simple, really.)
-- Give him Head? Be a Beacon?
-- Give him Head? Be a Beacon? :P)
(If you can't figure out how to E-Mail me, Don't.
So you've just installed your favorite flavour of linux on your home box (as opposed to your home box office. That would be a much more impressive feat, and will give a special prize which is not an angry weasel to whoever can do it first), figured out all the ins and outs, worked some ppp magic, and are ready to tackle the rest of the world! Best make sure the world won't tackle you back!
Now, I know you're thinking "why would a cracker or skript kiddie attack me? what do I have?" Security is just for NetAdmins and big corporations, right? Wrong-o, buddy. You have many things that are just what a potential vandal might want, be they software bits, personal information (/. login cookies, for example), or just distributed processor power for the next big dDoS attack. So it'd be a good idea to keep the baddies out, right?
I'll admit, I didn't start the guru that I am. I've been attacked, and one time, actually cracked. And I didn't know it for weeks. The malicious bit of code sat running a process on my desktop, and I didn't even think to question it, as that this whole enuichs thing was pretty new to me. But eventually, as I came to learn more, I saw what happened, and how they got in.
Silly me, I didn't think to shut off access to port 647284a-3. As you're by now well aware, that's the port that listens for transmissions from the Daemon Quarlakath. Not really an issue most of the time, as that in order to summon Quarlakath, the attacker needs to slaughter the third born black goat under a Summer Moon. So, like linux security, you get one shot, and one shot only! You also need to chant several passages from the book of Lizzaft, in the original Tongue That Cannot Be Spoken. Last I checked they weren't giving classes in Tongue That Cannot Be Spoken in your averate Community College! So I didn't bother with port 647284a-3. No big deal, I thought, that'll NEVER happen.
And of course, it did. Once I understood what happened, I had to get that malicious daemon OUT of my system before it started a dDoS or slaughtering first born children or giving me a charley horse. So I did what any fledgeling Systems person would do, I summoned Taccatha, the Warrior Angel and sworn enemy of Quarlakath. And lo, the battle inside my box raged on for three weeks. When it was finished, Taccatha was victorious, and Quarlakath was banished to the Sulpher pits of Analorp from whence he came. But, of course, I had to pay Taccatha tribute for his service, and I'm still washing the blood of The Thousand Serpents off my walls. For such little things you'd never guess that they'd bleed so much.
So until next time, trkwjjoi hrrwompt snki!
Bad things often happen to good people,
It is up to them to see that they remain good.
...but this article is very unfair to the
;)
major non-commercial distros. I can't say
what Slackware's security is like since I don't
use it, but Debian really gets the shaft...
and undeservedly so. Kurt seems to go on the
notion that any distro which ships software that
hasn't been reved in 6 months or more is
insecure. So in his eyes, Debian is not secure
due to the long release cycles. I find that
to be quite the opposite. Special apt-get
security mirrors, security mailing lists, and
patches that are usually available a couple of
days after an exploit is announced....Debian
does pretty well IMHO.
And it doesn't hurt that they don't ship with
sendmail as their default MTA.
I've offered to write an article for
securityportal on how to secure a Debian box from
remote exploit, but I've not heard back from
Kurt yet. I suppose he isn't in control of article
submissions tho. They'll be suprised to see that
the article is pretty much:
apt-get remove rsh
apt-get install ssh
apt-get install portsentry
apt-get install aide
apt-get remove telnetd
apt-get remove ftpd
edit a couple of config files and reboot. Of
course, local exploits are a whole nother story.
That's true of most Unices tho...except for OBSD.
Anyway, anyone who hasn't used Debian...don't
let this article turn you off to it. I don't
think Kurt has really used Debian very much.
I don't see how he could disregard it like that
if he had. Disappointing from someone who writes
the LASG.
IMHO, of course.
There are numerous cases where newer software packages have introduced new security hole.s For example, Pam added some features, and in the process, added a new local->root hole. When the ISC added a new feature to BIND, the new feature had a, you got it, remote root hole. The capability features to the 2.2.x kernels added new security concerns. And so on.
To say that Debian is insecure because it has not had a major update is just plain silly. Does he also think that OpenBSD is insecure because it still uses BIND 4.x instead of the latest and greatest Bind 8.x? For the record, I am a RedHat and not a Debian user.
The article also did not look at things like "How many services does this distro run out of the box?".
- Sam
The secret to enjoying Slashdot is to realize that it should not be taken too seriously.
I beg to differ on that point. As one who follows Slackware development very closely, there is almost always daily changes to the ChangeLog. These fixes typically consistent of either upgrading a package to a more recent current version or fixing a security bug (a more rare occurence).
Just as with every other distributions, Slackware stays on top of new developments and security fixes. The main version may not increment as often (it typically jumps two or three times a year), but it is nowhere near backward or slow as the reviewer seems to imply. Check out Slackware's main site for evidence of my opinion.
"Vendors need to make hardening scripts available (or support existing ones like Bastille Linux), and tell the users to use them--something like the default email that OpenBSD sends to root after a new install, telling root to read "man afterboot.""
"Vendors need to turn stuff off and make users enable it, or, during install, make users aware of what they are doing (similar to SuSE's "Do you really want to turn inetd on?"). "
On my first entry into Linux, I installed Caldera's OpenLinux 2.3. The reason for this is that I had done some research and found that it was the only distribution at the time that autodetected the Voodoo3 video card I was using. I ran it for a while and was very happy, some annoying problems in that most software and drivers released for linux are now designed for RedHat, so the files that they looked for were in the wrong place. So I had to make a lot of symlinks, etc. Big deal, standard linux installation garbage that everyone has to deal with.
Then my box got root compromised. The cracker/script kiddie had used one of many buffer overflow 'sploits, along with a RootKit to get on my system and hide his tracks. The way I found out was that I chose to use a graphical login, which displayed as icons all user accounts (which i believe RedHat did not have at the time. the root exploit script the cracker used was designed for redhat). I found out that many of my files had been trojanned, and that I was basically going to have to wipe the drive and start over.
Now the problem is that Caldera and most other distros automatically leave all services on. This includes the infamous wu-ftp daemon, among others known to have security issues. If there were a simple dialog at install about which services the user wanted enabled and which disabled, I think the linux market as a whole would be much more secure. But then, now I know, and knowing is half the battle.
---------
"He's more machine now than man, twisted and evil."
A slow release schedule means that a lot of security fixes exist which aren't merged into the distribution. Take the kernel for example: All versions prior to 2.2.16 have a security bug. A distro that releases less often means more work for the sysadmin after installing. There are other facts the guy missed, but I think that is what he's referring to.
-JD
Good response for what? Red Hat isn't a distro for the people who want the latest and greatest updates as soon as possible. It's a distro for those who require a very tested solution. That's why Red Hat is often behind on the technology by the time it gets to .2, because they're focusing on the testing.
Red Hat is an IT distro. If you want Red Hat-ness without the IT requirements, try Mandrake.
Oh yeah? Just try to get into my BeOS system without local (physical) access. Just try. You'll come crying back to me in a week, after having been shafted by the BeOS!
Ok, a quote from the article:
"I have not fully covered Slackware and Debian, with their ridiculously slow release schedules. "
So... since when does release schedule have ANYTHING to do with security? Sure, Debian and Slackware don't release new versions often. This doesn't mean they don't release security fixes.
I've said it before, and I'll say it again: Debian is the easiest distribution to keep up-to-date, security wise. I often recieve updated packages via apt before the security announcement even hits Bugtraq. And since it takes all of 2 minutes to get the updates and apply them, it is easy for me to keep it up-to-date. Compare this, for example, with having to constantly search down the news/new packages/etc , which you have to do with other distros.
Debian likes to make sure the release is rock solid before releasing it. I'll be the first to admit that sometimes it is a bit slow. But this does not make the distribution less secure. In reality, it helps make it more secure.
Anyways, that comment alone was enough to make me skeptical of the actual knowledge of the author. It is a really ignorant, offhand remark to make, and has no relevance to security. But that is just me.
-[Blaine]- "'Oh dear,' says God, 'I hadn't thought of that,' and promptly vanishes in a puff of logic."
Why should the presence/absence of a CD iso-image matter?
I know the feeling. The most important thing you can do, as the previous poster said, is disable everything network-related that you don't need right now. Comment everything out in /etc/inetd.conf, add a line "ALL: ALL" to /etc/hosts.deny (thus denying access to many network services by default), and turn off every daemon that you don't know what it is (don't worry, you most likely won't break anything), probably by removing entries from /etc/rc.d/. Then, check out Mandrake's updates regularly for reports of any software with security holes, and upgrade or remove that software.
That's the easy (and most important) part. Then, you can install a kernel-level packet filter (ipchains, iptables) to block all suspicious packets, and install and use ssh rather than telnet and ftp, which are incredibly insecure (anybody nearby with a packet sniffer can compromise your system). Finally, 'chmod 755' all suid root programs (their permissions start with "-rws", and they are often used to gain root from a normal account) from /usr/bin and /usr/sbin, though this is not really so important for a single-user machine.
Once you've done all that, your system is rather tight. Always stay paranoid, though, and regularly install security patches and read your logs as often as possible. You can then re-enable services as you learn how to configure them properly. Also check out the linux security HOWTO, though it mostly says what I just said (but is much more wordy :).
Your enthusiasts are going to have the full range of skill sets, from rank beginner to seasoned UNIX gurus. They don't have to justify their desire to install the OS, and they should be able to do so while remaining reasonably certain that if they connect it to the Internet, they won't immediately be taken over by script kiddies.
Moreover a reasonably competent system administrator who is responsible for a fair sized chunk of a large company is going to want to choose the distribution that allows him to do as little work as possible once he installs a new platform. He's also going to want automated tools so he can update a thousand machines at a shot and more automated tools so that most of the log crap gets filtered, so he only needs to pay attention to the trouble spots.
Furthermore I've yet to run across a company that has a resonably competent system administrator. Many of them are hired to point and drool at NT systems and are given responsibility for the UNIX machines as an afterthought. With many more, a group gets a UNIX box and its administration gets tacked on to someone else's job description. Test code, write reviews, administer UNIX box. Write documentation, administer UNIX box. Take customer calls, monitor network status, administer UNIX box. Write database software, administer UNIX box. Beats having to hire a sysadmin for $125,000 a year, doesn't it?
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Oh please. A slow release schedule should mean that the distribution is MORE secure if anything. It means that the software included is tried and tested. This is one of the reasons why Debian potato uses a 2.2 kernel and a 3.3 XF86.
Is this the best reason they could come up with to not cover Slack and Debian? Either this guy is flat out lazy or he knew something about Debian and Slackware that would just not compare well against the others. Either way it makes me question his knowledge of the material at hand.
Besides, Debian's apt makes security updates tons easier than reading bugtraq and making sure you download the right RPMs.
[..] will focus on the major Linux distributions: Red Hat, SuSE, TurboLinux and Caldera, plus a few others.
Since when are TurboLinux and Caldera major distributions? Major distributions in my opinion are RH, SuSE and Debian. Slackware, while excellent, is too much a geek niche to be considered major. TurboLinux suffers the same categorization for Asian language support and I just don't know what anyone would do with Caldera.
Using your sig line to advertise for friends is lame.