Linux Distribution Security Reviewed
qbasicprogrammer writes: "Security Portal has a review on the security of Red Hat, SuSE, TurboLinux, and Caldera Linux distributions." Debian and Slackware are absent, but it's a decent piece.
As for it being a year before woody ships with a 2.4 kernel, it may be a year before 2.4 is remotely stable. 2.4 may not even be feature frozen yet, despite claims to the contrary; Linus seems to be adding a new feature a week. IMHO shipping 2.4 as the default kernel in any distribution would be irresponsible at this point.
My Blog. Sela Ward can sell me long distanc
- 3.9: 16/7/99
- 4.0: 28/11/99
- 7.0: 27/4/00
- 7.1: 27/6/00
Compare to Red Hat:
- 5.2: 12/10/98
- 6.0: 20/4/99
- 6.1: 26/9/99
- 6.2: 8/3/00
So you are looking at 5-6 months between RH releases, and 2-5 months for Slackware. Oops, looks like the reviewer was just a lazy fuckbag.
reviewer.streetCred = 0;
Except they're missing the point.
What kind of a system administrator would settle for a default install? What kind of security department would ALLOW security holes to stay open? Sure, it's part of the vendor's job to make sure their product is up to par with what's expected of them, but ALL of the responsibility does NOT rest with the people who put together the distribution!
A Detail Oriented, Security Conscious, Responsible SysAdmin is 90% of the equation.
And by not reviewing all relevant distributions, they're putting their 'review' on a slant. That's like saying "We're reviewing Windows security. We're only including Windows 98SE and Windows 2000, and we're leaving out Windows 95 and 98 because, let's face it, they're 2+ years old. RIDICULOUSLY SLOW RELEASE SCHEDULE." Bah. If you're going to take the time to write something like this, review ALL major distributions. Don't pick and choose your review candidates because (rightfully so) it looks like you're playing favorites.
I for one, am a very happy Slackware user, and have been for years. Needless to say, I was quite disappointed to find a lack of a Slackware review. (Slackware is quite a secure/stable distro, by the way.)
I haven't played with Debian too much to know a lot about its implementations and security, but I can imagine Debian users feel slighted by this as well.
(My solution to the distro war? Use whatever you like. It's pretty simple, really.)
(If you can't figure out how to E-Mail me, Don't. :P)
-- Give him Head? Be a Beacon?
So you've just installed your favorite flavour of linux on your home box (as opposed to your home box office. That would be a much more impressive feat, and will give a special prize which is not an angry weasel to whoever can do it first), figured out all the ins and outs, worked some ppp magic, and are ready to tackle the rest of the world! Best make sure the world won't tackle you back!
Now, I know you're thinking "why would a cracker or skript kiddie attack me? what do I have?" Security is just for NetAdmins and big corporations, right? Wrong-o, buddy. You have many things that are just what a potential vandal might want, be they software bits, personal information (/. login cookies, for example), or just distributed processor power for the next big dDoS attack. So it'd be a good idea to keep the baddies out, right?
I'll admit, I didn't start the guru that I am. I've been attacked, and one time, actually cracked. And I didn't know it for weeks. The malicious bit of code sat running a process on my desktop, and I didn't even think to question it, as that this whole enuichs thing was pretty new to me. But eventually, as I came to learn more, I saw what happened, and how they got in.
Silly me, I didn't think to shut off access to port 647284a-3. As you're by now well aware, that's the port that listens for transmissions from the Daemon Quarlakath. Not really an issue most of the time, as that in order to summon Quarlakath, the attacker needs to slaughter the third born black goat under a Summer Moon. So, like linux security, you get one shot, and one shot only! You also need to chant several passages from the book of Lizzaft, in the original Tongue That Cannot Be Spoken. Last I checked they weren't giving classes in Tongue That Cannot Be Spoken in your average Community College! So I didn't bother with port 647284a-3. No big deal, I thought, that'll NEVER happen.
And of course, it did. Once I understood what happened, I had to get that malicious daemon OUT of my system before it started a dDoS or slaughtering first born children or giving me a charley horse. So I did what any fledgling Systems person would do, I summoned Taccatha, the Warrior Angel and sworn enemy of Quarlakath. And lo, the battle inside my box raged on for three weeks. When it was finished, Taccatha was victorious, and Quarlakath was banished to the Sulphur pits of Analorp from whence he came. But, of course, I had to pay Taccatha tribute for his service, and I'm still washing the blood of The Thousand Serpents off my walls. For such little things you'd never guess that they'd bleed so much.
So until next time, trkwjjoi hrrwompt snki!
Bad things often happen to good people,
It is up to them to see that they remain good.
...but this article is very unfair to the major non-commercial distros. ;) I can't say what Slackware's security is like since I don't use it, but Debian really gets the shaft... and undeservedly so. Kurt seems to go on the notion that any distro which ships software that hasn't been reved in 6 months or more is insecure. So in his eyes, Debian is not secure due to the long release cycles. I find that to be quite the opposite. Special apt-get security mirrors, security mailing lists, and patches that are usually available a couple of days after an exploit is announced....Debian does pretty well IMHO.
And it doesn't hurt that they don't ship with sendmail as their default MTA.
I've offered to write an article for securityportal on how to secure a Debian box from remote exploit, but I've not heard back from Kurt yet. I suppose he isn't in control of article submissions tho. They'll be surprised to see that the article is pretty much:
apt-get remove rsh
apt-get install ssh
apt-get install portsentry
apt-get install aide
apt-get remove telnetd
apt-get remove ftpd
edit a couple of config files and reboot. Of course, local exploits are a whole nother story. That's true of most Unices tho...except for OBSD.
Anyway, anyone who hasn't used Debian...don't let this article turn you off to it. I don't think Kurt has really used Debian very much. I don't see how he could disregard it like that if he had. Disappointing from someone who writes the LASG.
IMHO, of course.
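The recipe in the comment above (drop rsh, telnetd and ftpd, add ssh, portsentry and aide, then "edit a couple of config files") scripted as a POSIX sh hardening helper. This is an added example, not code from the commenter or from Debian: the package names are the ones the comment lists, while the function names, the DRY_RUN switch, the list of inetd services treated as cleartext, and the sample inetd.conf text are all constructed for this example. The config-file step it automates is commenting out the legacy cleartext services in /etc/inetd.conf so that removing the packages and disabling the listeners happen together.

```shell
#!/bin/sh
# Added example (not the commenter's or Debian's code): automate the
# "remove rsh/telnetd/ftpd, install ssh/portsentry/aide, edit config files"
# recipe. Package names come from the comment; everything else is constructed.

REMOVE_PKGS="rsh telnetd ftpd"          # cleartext remote-access services
INSTALL_PKGS="ssh portsentry aide"       # encrypted shell, scan detection, integrity checker
DRY_RUN="${DRY_RUN:-1}"                  # 1 = only print the apt-get steps (assumed switch)

# Emit the apt-get steps, removals first so no cleartext listener outlives the change.
apt_plan() {
    for pkg in $REMOVE_PKGS; do
        echo "apt-get remove $pkg"
    done
    for pkg in $INSTALL_PKGS; do
        echo "apt-get install $pkg"
    done
}

# Run the plan, or just show it when DRY_RUN=1.
apt_apply() {
    apt_plan | while read -r cmd; do
        if [ "$DRY_RUN" = "1" ]; then
            echo "[dry-run] $cmd"
        else
            $cmd -y
        fi
    done
}

# inetd.conf services whose protocols send credentials in the clear
# (assumed list for this example; the comment only says "edit a couple of config files").
CLEARTEXT_SVCS="telnet ftp shell login exec"

# Filter: read an inetd.conf on stdin, write it to stdout with the
# cleartext services commented out. Already-commented and blank lines pass through.
disable_cleartext_inetd() {
    while IFS= read -r line; do
        svc=$(printf '%s\n' "$line" | awk '{print $1}')
        case " $CLEARTEXT_SVCS " in
            *" $svc "*) printf '#%s\n' "$line" ;;
            *)          printf '%s\n' "$line" ;;
        esac
    done
}

# Audit: count the cleartext services still enabled in an inetd.conf read on stdin.
count_enabled_cleartext() {
    awk -v list="$CLEARTEXT_SVCS" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        ($1 in want) { c++ }
        END { print c + 0 }'
}

# Constructed sample /etc/inetd.conf (not taken from any real host).
SAMPLE_INETD='# constructed sample /etc/inetd.conf
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.telnetd
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.ftpd
shell   stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.rshd
daytime stream  tcp     nowait  root    internal'

main() {
    apt_apply
    echo "enabled cleartext services before: $(printf '%s\n' "$SAMPLE_INETD" | count_enabled_cleartext)"
    printf '%s\n' "$SAMPLE_INETD" | disable_cleartext_inetd
    echo "enabled cleartext services after: $(printf '%s\n' "$SAMPLE_INETD" | disable_cleartext_inetd | count_enabled_cleartext)"
}
main
```

On a real box you would run the filter over /etc/inetd.conf into a temporary file, diff it, move it into place and signal inetd (or reboot, as the comment does); the sample here keeps everything in memory so the script runs offline. The daytime entry is left alone on purpose, to show the filter only touches the listed services.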
Ok, a quote from the article:
"I have not fully covered Slackware and Debian, with their ridiculously slow release schedules. "
So... since when does release schedule have ANYTHING to do with security? Sure, Debian and Slackware don't release new versions often. This doesn't mean they don't release security fixes.
I've said it before, and I'll say it again: Debian is the easiest distribution to keep up-to-date, security wise. I often receive updated packages via apt before the security announcement even hits Bugtraq. And since it takes all of 2 minutes to get the updates and apply them, it is easy for me to keep it up-to-date. Compare this, for example, with having to constantly search down the news/new packages/etc., which you have to do with other distros.
Debian likes to make sure the release is rock solid before releasing it. I'll be the first to admit that sometimes it is a bit slow. But this does not make the distribution less secure. In reality, it helps make it more secure.
Anyways, that comment alone was enough to make me skeptical of the actual knowledge of the author. It is a really ignorant, offhand remark to make, and has no relevance to security. But that is just me.
-[Blaine]- "'Oh dear,' says God, 'I hadn't thought of that,' and promptly vanishes in a puff of logic."
Your enthusiasts are going to have the full range of skill sets, from rank beginner to seasoned UNIX gurus. They don't have to justify their desire to install the OS, and they should be able to do so while remaining reasonably certain that if they connect it to the Internet, they won't immediately be taken over by script kiddies.
Moreover a reasonably competent system administrator who is responsible for a fair sized chunk of a large company is going to want to choose the distribution that allows him to do as little work as possible once he installs a new platform. He's also going to want automated tools so he can update a thousand machines at a shot and more automated tools so that most of the log crap gets filtered, so he only needs to pay attention to the trouble spots.
Furthermore I've yet to run across a company that has a reasonably competent system administrator. Many of them are hired to point and drool at NT systems and are given responsibility for the UNIX machines as an afterthought. With many more, a group gets a UNIX box and its administration gets tacked on to someone else's job description. Test code, write reviews, administer UNIX box. Write documentation, administer UNIX box. Take customer calls, monitor network status, administer UNIX box. Write database software, administer UNIX box. Beats having to hire a sysadmin for $125,000 a year, doesn't it?
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?