---------- Forwarded Message ----------
Subject: [Fwd: Most secure "out of the box" distribution?]
Date: Wed, 19 Jan 2000 07:23:30 -0500
From: Hugh Semmler <[EMAIL PROTECTED]>

From: milanuk <[EMAIL PROTECTED]>
Newsgroups: comp.os.linux.security
Subject: Re: Most secure "out of the box" distribution?
Date: Tue, 18 Jan 2000 16:33:02 GMT
Organization: Deja.com - Before you buy.
Message-ID: <8624ju$chi$[EMAIL PROTECTED]>

In article <85mvr9$l47$[EMAIL PROTECTED]>, Paulo <[EMAIL PROTECTED]> wrote:
> I've installed the Mandrake dist (v.7beta), as server/expert and it
> looks very secure, almost all ports are closed.
>

I haven't yet tried bastille (the hardening scripts for RH 6.0), but I would presume that they are effective.

SuSE 6.3 includes several kernel modules, cron scripts, etc. aimed at tightening up security and preventing certain attacks. In addition, harden_suse is a (perl?) script that asks you 9 or 10 questions that will allow you to selectively lock down your box. Luckily it provides a log file and an uninstall script so you can 'undo' this if you got too much security (i.e. not enough usability). Obviously, once you are satisfied w/ your security in this case, you would remove (i.e.
archive on a floppy) the logs and uninstall script so as to prevent any tampering, though you have to be root to run them anyway.

I sat down and installed Linux-Mandrake 7.0 (Air) last night, and I was fairly impressed w/ the security provisions, at least at first glance. If you do the customized install, you get three security options, i.e. low, medium, and high. High is recommended if you want to use the box for a server. If you do the expert install, you now have 5 choices, ranging from Level 0 (annotated as 'Hello Hackers!' ;) ) to Level 5 (Paranoid). Switching back and forth btwn the main install screen and the syslog screen, I noted a blurb that in level 5, root needed to add specific users to a group (the exact name escapes me at the moment) so they could even use X. Cool!

I took a brief, i.e. <5 min, tour thru the install and user guide, and there is a section on security, titled MSEC, or something to that effect. In level 5, I believe pretty much everything is closed and the administrator must deliberately open specific ports. Shades of OpenBSD! (Actually, Turbolinux 3.6 was somewhat similar, just not this extreme, in this aspect).

Next big surprise was that once you configure your network, you have the option to download and install crypto software, including openssh, openssl, pgp, gnupg, pgpgpg, lynx-ssl, mutt-i, and some (I believe) apache modules. Again, shades of OpenBSD! Sorta like downloading the sslUSA26.tar.gz package during install in OpenBSD.

Also, to add the icing to the cake, you can install a hardened kernel w/ several of the known security patches already installed during the initial install. Yahoo!

Now before the *bsd fans get out their flamethrowers for my comparing Mandrake to OpenBSD, let me just say that I do not believe for a minute that _any_ linux distro has the benefit of the close attention to detailed security that OpenBSD has benefited from. Linuxes have always focused more on new features and usability.
But if Linux-Mandrake 7.0 is a sign of things to come, that may change in the (relatively) near future.

Monte

--
There are basically three kinds of men. There are the ones who learn by reading. Then there are the few who learn by observation. The rest just have to pee on the electric fence for themselves.

-------------------------------------------------------

--
"I haven't lost my mind -- it's backed up on tape somewhere."