...possibly another dumb question.


Before switching to Linux, I always heard about how it is so much more secure and stable Linux is than Windows. For the time being, I am pretty confident that I will stick with Linux, but is it really as secure as everyone says?

The reason I bring this up is I had Windows 2000 installed and connected via DSL for the last year without any hacking worries/troubles at all. Now, I have gotten into linux and all I have done for the last several days is deal with security fixes and I still could have already been hacked for all I know.

It is hard finding good documentation on what needs to be done and it is even harder to make sure all is done right... starting to get frustrating for me.

Does anyone know a good source for securing Red Hat 7.1

also

Why does so much work have to be done for linux and nothing for windows 2000?

Thanks

Linux is more secure than Windows, although Win2K is a great improvement (security wise) over WinNT. The things that make it more secure is the file permissions structure, the fact that YOU have control over who or what has permissions to execute etc.. The reason it seems you're always worrying about security on Linux is that the programs are open source and black hats have the ability to look at it and find or make vulnerabilities. But since there are sooo many white hats paying attention to this risk security holes are plugged much quicker than Micro$oft can do and they do it for free :-). There are several security tools and tutorials available for Linux, and I'd suggest reading the Linux Security How-to at www.linuxdoc.org for the basics and for links to linux security sites. Also, websites like www.securityportal.com, www.cert.org, www.rootshell.com all have excellent tutorials, alerts and fixes to linux security problems. One thing I know makes me feel infinately more secure about using Linux versus using Win2K is I don't have to worry about most viruses running around on the web like Codered and Nimda. And most viruses are written in vbscript which doesn't attack Linux boxes. I hope this helps to quiet your fears. FYI you should probably look into using IPCHAINS (for Kernels 2.2.x and below) or IPTABLES (for Kernels 2.4.x and above). There is a great IPTABLES tutorial at http://people.unix-fu.org/andreasson/index.html#3. I know it's hard to find good tutorials (right now) for IPTABLES. And using programs such as tripwire (www.tripwire.com) and tcp_wrappers (see www.linuxdoc.org) will help greatly in increasing your security. Also look at the manpage for "xinetd" it is very customizable and will enhance security for your system services.
Hope this helps, have a great day!

this is what i tell everyone... " Linux is as secure as you make it. Its open source which helps in how secure it is. Therefore Microsoft is not, making it less secure."
with linux you have more control, with microsoft you don't, making it more secure.. but only as secure as the person running it though.

What you hear about these things are mainly just a bunch of biased opinions.. Wether they come from one side or the other..

You can secure your system as much as you want. But it wont help if the appz/services you're running are insecure. And they've been proven that several times in both Linux and Windows..

And just to bitch about something (which I like to do )..
One thing that I h8 when working with Linux (trying to secure it) is reading a thing like this in a How-To/documentation:
And that even when it's the developer him/herself writting the documentation. IT'S UNACCEPTABLE!! DO YOUR HOMEWORK RIGHT BEFORE TURNING IT IN!!



We "all" know that it's all fun and games working on projects @ the Uni. TILL you have to start writing the report..
But you gotta do what you gotta do!

Open Source software doesn't automagically imply it being secure. Applying coding standards and auditing make a difference.

Q25,

You're absolutely correct about the security of apps/services, but we should remember 1) they're free and you get what you pay for 2) they're opensource and if you notice a security vulnerability in it a) let people know b) try to fix it and when that's done let people know, especially the developer of the software. As far as incomplete how-to's goes, yes it's frustrating but again these people are developing this stuff on their free time and many times demand for an app/service is higher than the demand for complete manpages/how-to's. I also agree that the software shouldn't be submitted until it's got complete documentation, but if it doesn't and I can't figure it out myself I just won't use it for fear of screwing up my box.