LinuxQuestions.org
Old 10-18-2009, 01:24 AM   #1
lupusarcanus
Senior Member
 
Registered: Mar 2009
Location: USA
Distribution: Arch
Posts: 1,022
Blog Entries: 19

What Linux distro is the most secure?


Well, I have a Netbook (the small laptops without the optical drive), and I was wondering which Linux Distro is the most secure? I have done everything I can to make my wireless network secure, as well as my computer physically itself. I use this thing every day and I like GNOME as the starting Desktop environment. In this information age, I just feel the need to secure my info as much as possible.

Oh, and just a secondary question...Is Ubuntu 9.04 Netbook Remix safe?
{I download every update if I see it}

Thanks

Last edited by lupusarcanus; 10-18-2009 at 01:33 AM. Reason: A new curiosity development
 
Old 10-18-2009, 02:03 AM   #2
r3sistance
Senior Member
 
Registered: Mar 2004
Location: UK
Distribution: CentOS 5.4, Mac OS 10.4 (tiger)
Posts: 1,005

I don't really know if we can say one distribution is the most secure because we don't know just how vulnerabilities potentially exist within any distribution at any given time. Security is something really that the user has to set up and be aware of, though at least it's usually more secure than Windows.

Ubuntu should be safe for the time being; however, there have been some vulnerabilities in the distribution in the past, like the Debian OpenSSL vulnerability a few years back.
 
Old 10-18-2009, 02:32 AM   #3
lutusp
Member
 
Registered: Sep 2009
Distribution: Fedora
Posts: 835

Quote:
Originally Posted by leopard View Post
Well, I have a Netbook (the small laptops without the optical drive), and I was wondering which Linux Distro is the most secure? I have done everything I can to make my wireless network secure, as well as my computer physically itself. I use this thing every day and I like GNOME as the starting Desktop environment. In this information age, I just feel the need to secure my info as much as possible.

Oh, and just a secondary question...Is Ubuntu 9.04 Netbook Remix safe?
{I download every update if I see it}

Thanks
With respect to Linux, the biggest factor in computer security is the user and his behavior, not the OS or the machine. With respect to Windows, well, different story.

There is no "more secure" Linux distribution. There are only "more secure" user actions and discipline.
 
Old 10-18-2009, 12:00 PM   #4
lazlow
Senior Member
 
Registered: Jan 2006
Posts: 4,362

lutusp is correct in that the user is the weakest link. However, using wireless itself is probably a close second. WEP/WPA/WPA2 are all vulnerable to attack; you can reduce your exposure by using WPA2 and a 20+ character pass phrase (changing it at least monthly). Using a VPN would be a big step forwards. Running Cat6 in a home/business is not that difficult or expensive.
 
Old 10-18-2009, 03:42 PM   #5
r3sistance
Senior Member
 
Registered: Mar 2004
Location: UK
Distribution: CentOS 5.4, Mac OS 10.4 (tiger)
Posts: 1,005

Quote:
Originally Posted by lutusp View Post
There is no "more secure" Linux distribution. There is only "more secure" user actions and discipline.
I don't actually think that bit about Linux distributions is true. While the most important piece is the User (Policies), I would say that there are a lot of differences between some distributions and they handle security in different ways. While generally security is not too different at most times between the distributions, to say they are the same is not actually true. That it is impossible to know which are the most secure at any given moment is more along the right lines. I have after all given an example of a large vulnerability that only ever really hit Debian and the *Buntus.

Right now what is more secure... Fedora or Ubuntu, I couldn't really say and it's hard to really know until we hit hindsight times.
 
Old 10-18-2009, 03:47 PM   #6
dxqcanada
Member
 
Registered: Sep 2006
Location: Canada
Distribution: Gentoo
Posts: 702

There are Linux distributions that are specifically tailored towards security ... they are normally labeled as "hardened".

You can harden your current distribution by making changes to permissions, security, encryption, and applications manually.

There are even apps that assist you with this ... such as Bastille.
 
Old 10-18-2009, 04:02 PM   #7
mrclisdue
Senior Member
 
Registered: Dec 2005
Distribution: Slackware -current, 14.1
Posts: 1,075

Quote:
Originally Posted by lazlow View Post
...20+ character pass phrase (changing it at least monthly)...
Serious question, I'm not trying to be a jerk here, but why should one change a password at least monthly, or at all?

If I hide a key to my house somewhere, how does frequently changing the hiding location decrease the chance that an adversary will find it, since I'm the only one who knows where it is in the first place?

cheers,
 
Old 10-18-2009, 04:15 PM   #8
r3sistance
Senior Member
 
Registered: Mar 2004
Location: UK
Distribution: CentOS 5.4, Mac OS 10.4 (tiger)
Posts: 1,005

Actually, I say that style of behaviour decreases security as you're giving more potential points that people can observe you moving the key around your house. Similarly, you have to change that pass phrase on all the machines that log into it... you have to do it on the machine itself... all it takes is one key-logger.

When you have weak~medium passwords, then that style of behaviour does improve security slightly; however, when you're already at strong level and if you have decent firewall settings that limit login attempts on an IP basis (say 3 attempts every 5 minutes) then it'll take longer than the current age of the universe to reliably be able to break into that machine via guessing pass phrases or strong passwords (assuming minimum length 16 characters, contains upper and lower case letters, numbers and special characters).

Last edited by r3sistance; 10-18-2009 at 04:16 PM.
 
Old 10-18-2009, 04:33 PM   #9
lazlow
Senior Member
 
Registered: Jan 2006
Posts: 4,362

One can passively grab (on wireless) the encrypted pass phrase (thus firewall/IP limits are not applicable). One can then compare the encrypted pass phrase with generated ones (salted from SSID on WPA/WPA2). A 700 MHz PIII (typical laptop power range) can do about 18,000 comparisons/sec (from a pre-generated table). The hardware is commonly available to the community to generate over 9000 hashes (encryption)/sec. These tables are then distributed (widely). Using this method there is virtually no way to detect when an attack is occurring. The attacker has to be in wireless range for far less than 30 minutes during the collection phase; after that it is not necessary to return until the pass phrase is known. Since the attacker will then have a valid pass phrase and be spoofing a valid MAC, it is very difficult to detect. The software to do all of this is commonly available (open source) and is fairly basic to use. Tables that include the 1000 most common SSIDs and a high percentage of passwords are easily available for download (referenced one is 9 DVDs or 33 GB).

Edit: Changing the pass phrase every month helps push your AP into the range of diminishing returns (not worth the continual effort).

Last edited by lazlow; 10-18-2009 at 04:35 PM.
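An added example, not part of any post in this thread: the WPA/WPA2-PSK key derivation (PBKDF2-HMAC-SHA1 salted with the SSID) shows why a pre-generated table only applies to the SSID it was built for, and a keyspace estimate puts the rates quoted in posts #8 and #9 next to passphrase length. The SSIDs and passphrase are constructed sample values, and the 95-character printable ASCII alphabet is an assumption.

```python
import hashlib

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def wpa_pmk(passphrase, ssid):
    """WPA/WPA2-PSK master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA passphrase is 8 to 63 characters long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

def table_is_reusable(passphrase, ssid_a, ssid_b):
    """A table precomputed for ssid_a only helps against ssid_b if the keys match."""
    return wpa_pmk(passphrase, ssid_a) == wpa_pmk(passphrase, ssid_b)

def years_to_exhaust(alphabet_size, length, guesses_per_second):
    """Worst-case time to try every passphrase of one length at a fixed rate."""
    return alphabet_size ** length / guesses_per_second / SECONDS_PER_YEAR

if __name__ == "__main__":
    # Constructed sample values; "linksys" stands in for a common default SSID.
    phrase = "correct horse battery"
    print("same SSID, table applies:  ", table_is_reusable(phrase, "linksys", "linksys"))
    print("unique SSID, table applies:", table_is_reusable(phrase, "linksys", "attic-7f3q"))

    # Online guessing limited to 3 attempts per 5 minutes (post #8),
    # 16 characters drawn from the assumed 95 printable ASCII characters.
    print("rate-limited login, 16 chars: %.1e years" % years_to_exhaust(95, 16, 3 / 300))

    # Offline table lookups at 18,000 per second (post #9).
    print("offline, 8 lowercase letters: %.2f years" % years_to_exhaust(26, 8, 18000))
    print("offline, 20 random chars:     %.1e years" % years_to_exhaust(95, 20, 18000))
```

The figures are worst-case exhaustive searches; a passphrase that appears in a word list falls far sooner than its length suggests, which is why both an uncommon SSID and a long random passphrase matter.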
 
Old 10-18-2009, 04:45 PM   #10
r3sistance
Senior Member
 
Registered: Mar 2004
Location: UK
Distribution: CentOS 5.4, Mac OS 10.4 (tiger)
Posts: 1,005

Should have re-read the entire piece there, forgot it was on about wireless protocols... but even so...

Considering somebody has already gone to this length to get your passphrase, you'd have to change your pass phrase daily to really make it not worthwhile. If someone can break your passphrase in half an hour one day, they can do it again another 30 days later... heck, if the software is already doing it and they don't need to do much more than wait, there are a lot of people out there that would just redo it again and again every month. If you want to secure it all down you're going to have to use encryption that they can't break. Setting up automatic SSH tunnels on all the machines and having a proxy that only accepts connection via SSH with the proxy being the only way in and out of the network... that kinda stuff that people rarely, if ever, actually do...
 
Old 10-18-2009, 05:03 PM   #11
lazlow
Senior Member
 
Registered: Jan 2006
Posts: 4,362

IF your machine is their particular target then you are correct, but most are not after a particular machine; they are just after "a" machine. If access (internet) is your biggest goal (and it is in a lot of cases, most?) which would you be more interested in, a machine that you have to redo work on every month or one that you only have to mess with once a year (or less frequently)? IF they are after your specific machine you are probably better off running a VPN (which I noted above).

One should also keep the same things in mind if you are running on DOCSIS (cable); the modified modems allow one to sniff (monitor) the traffic on that node just like it was Ethernet.
 
Old 10-18-2009, 05:15 PM   #12
r3sistance
Senior Member
 
Registered: Mar 2004
Location: UK
Distribution: CentOS 5.4, Mac OS 10.4 (tiger)
Posts: 1,005

This has drifted far off from the "most secure distro". However, I would agree that anything can be sniffed if people have physical access. I know of a case of somebody I know suffering the dreaded fate of having somebody keylog their computer in a professional environment too... so at the end of the day the only way you can be totally secure is to be paranoid like heck. Personally I just set up levels of security where other people can't really touch things and just leave little sacrifices or tests around to see if anything gets touched. I am not a fan of wireless, but I am not the only person who uses the internet connection and it turns out the other system connected to it is a laptop... using wireless, sigh.
 
Old 10-18-2009, 05:44 PM   #13
mrclisdue
Senior Member
 
Registered: Dec 2005
Distribution: Slackware -current, 14.1
Posts: 1,075

Thank you, both, for your replies.

cheers,
 
Old 10-18-2009, 08:01 PM   #14
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Quote:
Originally Posted by leopard
Well, I have a Netbook (the small laptops without the optical drive), and I was wondering which Linux Distro is the most secure?
After a default install, probably Owl. I don't think you will want to run that on your netbook.

After proper hardening, any Linux distro can be made very secure.

For your purposes (unless the feds are after you), a default Ubuntu install probably is OK. Since (almost) all listening services are off by default for the workstation-centric version of Ubuntu, IMO the biggest threat for you will come from browsing web sites. Be careful about where you visit. (e.g. If you must view pr0n or other questionable sites, do so from a live CD.) And if you can live without it, it's probably a good idea to avoid a binary Flash plugin.
 
1 members found this post helpful.
Old 10-19-2009, 02:18 AM   #15
i92guboj
Gentoo support team
 
Registered: May 2008
Location: Lucena, Córdoba (Spain)
Distribution: Gentoo
Posts: 4,063

The topic is relative. As others have pointed out, there are some distros that come in a "hardened" version. Special kernel patches like grsecurity or SELinux, etc. Some OSes come with better security out of the box of course. That's true. But, ultimately, the most secure OS is the one you know better.

The thing is almost never white or black, there's a lot of grey tones in the middle.

Quote:
Originally Posted by mrclisdue View Post
Serious question, I'm not trying to be a jerk here, but why should one change a password at least monthly, or at all?

If I hide a key to my house somewhere, how does frequently changing the hiding location decrease the chance that an adversary will find it, since I'm the only one who knows where it is in the first place?

cheers,
Simple maths. If you have 5 locations to hide the key and your adversary tries one location per day, s/he will find it in 5 days, for sure.

The first day s/he will have a chance of 20% to find the key. The second day the chance will be 25%. The third a 33%, the fourth the chance will be 50%. The last day the chance is 100%.

If you reset the location of the key each day, the chance is always 20%.

That being said, if the attacker has physical access to the box and the time and knowledge, nothing will stop him but encryption. Just take off the BIOS battery, configure it to boot from any external media, boot from it, and break into your drives without any big problem.
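An added example, not part of the post above: the key-hiding arithmetic carried through with exact fractions, for any number of hiding places. It assumes the searcher checks one location per day, never rechecks a location while the key stays put, and that a rotated key is re-hidden uniformly at random each day.

```python
from fractions import Fraction

def static_daily_chance(n):
    """Chance of success on each day, given every earlier search failed (key never moves)."""
    return [Fraction(1, n - day) for day in range(n)]

def found_within(n, days, rotate):
    """Cumulative chance that the key has been found after `days` searches."""
    if rotate:
        # Every day is an independent 1-in-n try, so all must fail to stay hidden.
        return 1 - Fraction(n - 1, n) ** days
    # Fixed key: each day eliminates one location for good.
    return Fraction(min(days, n), n)

def expected_days(n, rotate):
    """Average number of searches until the key is found."""
    return Fraction(n) if rotate else Fraction(n + 1, 2)

if __name__ == "__main__":
    n = 5  # the five hiding places from the post
    print("fixed key, chance per day:", [str(p) for p in static_daily_chance(n)])
    for days in range(1, n + 1):
        fixed = found_within(n, days, rotate=False)
        moved = found_within(n, days, rotate=True)
        print("after day %d: fixed %5.1f%%  rotated %5.1f%%"
              % (days, float(fixed) * 100, float(moved) * 100))
    print("expected days: fixed", expected_days(n, False), " rotated", expected_days(n, True))
```

Rotation keeps each day's chance at 1 in 5, but the cumulative chance still climbs: after five days the rotated key has been found about two times in three, against certainty for the fixed one.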
 
  

