Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Maybe I'm just getting paranoid in my old age, but it seems that damn near everyone on the internet is trying to scam, hack or infect everyone else. (Nice folks at LinuxQuestions excepted, natch.)
I'm looking at upgrading to an ADSL connection in the near future which will only increase my exposure to nasties. My solution: I plan to build myself a low-spec PC from scavenged bits which will be my sole net access, sit it behind a router/firewall, and make sure it isn't connected to my main PC.
My question, therefore, is this: which OS would you recommend I should put on the box? Main requirements: I'd like it to be as bulletproof, security-wise, as possible; I'd like to be able to run all my fave Linux communications software (Firefox, Thunderbird, Gaim... possibly Links...); low memory/CPU requirements; and a simple install, so when it inevitably gets compromised, reinstalling isn't too much of a hassle.
I specifically say OS rather than distro, so as to include the BSDs. Windows advocates need not apply. Same goes for anyone who wants to turn this into a 'My Distro's Best!!!' flamewar. Bugger off, I'm just not interested.
Now I think I'd better finish making my tinfoil hat.
Distribution: Red Hat (and look-alike), SUSE (when drunk), Slackware (when mad)
Posts: 148
You should try IPCop. It is really a nice project (secure too), with a great support forum! I get an average response of 20 mins!! We use it in a working environment and - so far - everything looks fine!
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
IPCop is a firewall, you can't run it as a victim host like erraticassassin is describing.
If you're absolutely paranoid about security, you can't get any better than OpenBSD. It has an incredible amount of security built-in by default with no need for third-party kernel patches. You also have the option of enabling even more security, like flipping a config switch to enable encryption of the swap space and using systrace to lock down your applications.
OpenBSD has ports of Firefox, gaim, and links. So far I don't think Thunderbird has been ported, but there are other mail client options. If you're really paranoid, you'd use Mutt. I believe Sylpheed has been ported, though.
OpenBSD can run quite happily on tiny amounts of RAM, and if you install it without X it will fit in less than 200MB of hard disk space! Of course, with X the installation is larger and requires a lot more RAM (depending on your Window manager). X is by far the most memory intensive application you can run, and everything you run inside that also eats quite a bit of memory (Firebird, gaim, etc).
You can also find some hardened Linux distros that have extra security patches applied to them, such as Hardened Gentoo (of course with Gentoo, you'd have to compile everything, which might take a looong time on a low-powered machine).
I currently use Slackware 9.1 which, despite all the nonsense that's said about the installation process, I found very straightforward to install. (What, no pretty pictures? Gosh! That must be difficult! </withering sarcasm>.) Any ideas how the OpenBSD installation process compares?
The plan was to make up a PC based around a Via Epia motherboard, with maybe a 500MHz processor - would I be able to comfortably run X-based apps on something like that? (At present, in addition to my main PC, I run Slack on an old 233MHz laptop... it's slow, but it works.)
I have nothing against using Mutt as my mail client, but I haven't got around to reading the manual yet...
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
OpenBSD installation is completely text based (probably similar to Slackware). The only interesting part is disk partitioning, for which you will have to read the instructions very carefully (there's a document on the FTP site in the directory you fetch the files from, as well as the FAQ on the OpenBSD.org website). Other than that, it's a few simple questions (hostname, IP, etc).
If you want to build a low-cost machine, check out something based on the VIA Nehemiah CPU. Depending on which stepping version of the CPU you get, it has one or two on-CPU RNGs and AES encryption implemented in silicon! OpenBSD has support (built in by default!) for both the HW RNG and the AES off-loading. What this means is that, using OpenBSD, you can get about 8 times faster AES encryption with a VIA Nehemiah than you can with a Pentium 4 3GHz. Nifty stuff, eh? On Linux there's a patch for the VIA crypto support.
Of course, that's only helpful if you use SSH a lot or use protocols with SSL or TLS encryption (HTTPS, POP3S, SMTPS, etc).
As for running X, you should be able to do that with any of the VIA C3 CPUs. It will probably be a little slow on the 500MHz and less CPUs, but on the more recent boards it should be fairly responsive. Of course, it also depends on how much RAM you give it. OpenBSD without X should run quite happily with around 16MB of RAM. With X you probably want at least 128MB.