Old 10-17-2009, 05:48 PM   #1
xxon
LQ Newbie
 
Registered: Oct 2009
Location: Denver
Distribution: CentOS
Posts: 2

Rep: Reputation: 0
Firewall choice quiz


This will get a lot of different responses... I have a question to pose and I want responses that have meat to back it up... The best Linux distro to base a first line of defense against the wild and wooly?

Here goes:

I want to build a secure system, a firewall in itself, netfilter, it will be an exposed system. Linux is of course my OS of choice, but which distro is the most inherently secure overall? I am currently leaning toward CentOS because of its functionality and stability, then hardening it to do the job. Throw some opinions at me... The current CentOS kernel is 2.6.18. Best is 2.6.31 vanilla stuff as of this writing. Not bad I guess... IPtables is 1.4.5 which I downloaded and compiled on my test system.

If you were building a first line of defense what would you do?

Thanks all for your advice.

->xxon
 
Old 10-17-2009, 06:02 PM   #2
Lordandmaker
Member
 
Registered: Sep 2005
Location: London, UK
Distribution: Debian
Posts: 258

Rep: Reputation: 38
If it's just a firewall, I'd go with one of the firewall-leaning distros.

The problem with this question is that it's mostly irrelevant which is most secure by default, since you're not going to run a default system. And once you've configured the system, it's mostly irrelevant which one you started with.

The best one is the one you can most easily and most reliably secure.

</cop out>
 
Old 10-17-2009, 06:10 PM   #3
xxon
LQ Newbie
 
Registered: Oct 2009
Location: Denver
Distribution: CentOS
Posts: 2

Original Poster
Rep: Reputation: 0
Agreed. My goal is to create a secure system that can withstand attack (constant) from the wild. It has to be secure and at least promise prevention (lost cause). So, overall, is there a version of Linux with that built in? Open ports are always a hazard but necessary.
 
Old 10-17-2009, 11:01 PM   #4
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 428

Rep: Reputation: 65
I would stay away from CentOS. They have been slipping on their security patches. 1 1/2 months after the Red Hat release for some recent patches. Long story why.

If you want a firewall based distro there are many options. IPCOP, smoothwall, clarkconnect, engrade, etc.

Here is a list of a majority of them:


http://en.wikipedia.org/wiki/List_of..._distributions
 
Old 10-17-2009, 11:24 PM   #5
Jim Bengtson
Member
 
Registered: Feb 2009
Location: Iowa
Distribution: Ubuntu 9.10
Posts: 164

Rep: Reputation: 38
I haven't tried it yet, but I came across this while doing a search for security-focused versions of Linux:

"Owl", -- a security-enhanced server platform.
http://www.openwall.com/Owl/CONCEPTS.shtml

"Owl" (or "Openwall GNU/*/Linux"; please, note that only the "O" is capitalized in either case) is a security-enhanced operating system with Linux and GNU software as its core, compatible with other major distributions of GNU/*/Linux. It is intended as a server platform. And, of course, it's free.

Owl combines several approaches to reduce the number and/or impact of flaws in its software components and impact of flaws in third-party software that one might install on the system.

The primary approach used is proactive source code review for several classes of software vulnerabilities. However, because of the large amount of code, there's a certain level of "importance" for a software component or a part thereof to be audited. Currently, only pieces of code which are typically run with privileges greater than those of a regular user and/or typically process data obtained over a network are audited before the corresponding software component is included. This covers relevant code paths in many of the system libraries, all SUID/SGID programs, all daemons and network services. Other software may be audited when it is already a part of Owl. Potential problems found during the audit are fixed or, in some pathological cases, may prevent the software component from being included. In general, code quality and privilege management are always considered when there's a choice between implementations of a feature. As the project evolves, many of the software components will be replaced with ones of our own.

When packaged for Owl, the software components are configured or, when necessary, modified in order to provide safe defaults, apply the least privilege principle, and introduce privilege separation. The use of safe defaults, where optional and potentially dangerous features need to be turned on explicitly, lets us audit the pieces of code used in the default configuration in a more thorough way. Extra systems administration facilities ("owl-control") are provided for managing system features such as the optional SUID/SGID binaries independently from installing the corresponding packages. Every Owl package will have its audit status documented to allow for risk assessment.
 
Old 10-18-2009, 03:45 PM   #6
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 3,919

Rep: Reputation: 778
Quote:
Originally Posted by Lordandmaker View Post
The problem with this question is that it's mostly irrelevant which is most secure by default, since you're not going to run a default system. And once you've configured the system, it's mostly irrelevant which one you started with.

The best one is the one you can most easily and most reliably secure.
The one thing that I'd add to that (make that two things, although one isn't really new):
  • you don't want any surprises...if you know one distro intimately, it's probably easier to work with that...so a distro which surprises you by running things just because you've installed them, when you hadn't expected that, would be bad news
  • patches...you need prompt security patches...I haven't checked that on the specialist firewall distros, but if security was the priority, you'd need to be assured that patches got through the system promptly

Quote:
system that can withstand attack (constant) from the wild
...and this is the point: current flavour of the month seems to be brute force ssh attacks (probably be something else next month), which prompts the question 'Do you have a strategy for this?'. Just assuming that you can plug in a firewall box and have all of the problems go away is perhaps a little simple minded, so you have to know more and do more than that, if you want to keep your insecurity to a minimum. And keep up to date with what has become the latest threat of the month and have a strategy for that.
 
Old 10-19-2009, 11:59 AM   #7
wfh
Member
 
Registered: Sep 2009
Location: Northern California
Distribution: Ubuntu Debian CentOS RHEL Suse
Posts: 164

Rep: Reputation: 44
Quote:
Originally Posted by xxon View Post
I am currently leaning toward CentOS because of its functionality and stability

If you were building a first line of defense what would you do?

Thanks all for your advice.

->xxon
Consider the possibility that RedHat variants are very well studied by hackers and a number of attack kits exist to exploit its file structure and setup; that would make me think twice about CentOS.

Nobody has approached it from this angle, so let me throw in the possibility of a distro geared for security from the get-go; Untangle Server.

I have heard that the Untangle Server is like an open source equivalent of a SonicWALL appliance minus the crypto enhancement chip. You get a lot of preconfigured functionality that's installable from an ISO.

You can recompile or enhance any functionality, but this was made for use as a first-line-of-defence gateway.

http://www.untangle.com/Downloads/Download-ISO

Last edited by wfh; 10-19-2009 at 12:01 PM.
 
Old 10-20-2009, 10:29 AM   #8
Jim Bengtson
Member
 
Registered: Feb 2009
Location: Iowa
Distribution: Ubuntu 9.10
Posts: 164

Rep: Reputation: 38
Quote:
I want to build a secure system, a firewall in itself, netfilter, it will be an exposed system.
Have you checked out Vyatta? It's a commercial product, but every six months they release an upgrade, and put the old version into open source. They encourage prospective customers to try out their community version, to see if they like it, and then to buy support to get the most current version.

Vyatta is based on Debian, is well documented, and has an active community involvement. Check it out...
 
  


All times are GMT -5. The time now is 09:31 PM.
