Yes.
Why? Well, Unix and Linux systems do not permit privileged execution of programs by an ordinary user (that would infest the operating system, wipe out disk files, or the other "fun" stuff that, in Windows, is far too easy to accomplish); this, of course, presumes that system security is not compromised by the administrator fooling around with things better left alone.
For balance, I'll also say "no", as it's much more complicated than you can cover with a one-word answer. The biggest security issue is usually the user, not the software.
There is no way to answer this question properly without knowing what you mean by better security. For example, are you referring to the overall number of public vulnerabilities present in either OS in a given time frame? The speed at which the developers distribute security fixes? The amount of security features the OSes offer? Stuff like that may be quantified in such a way that a semi-objective argument could be made as to which one is better with regards to specific factors. But, as hinted by acid_kewpie, security is so much more (it is, after all, a continuous process), and in the end most of it will depend on things other than the OS software.
In the right hands, either GNU/Linux or Microsoft Windows can meet most administrators' and/or users' security requirements. If you pick either of those OSes over the other because "it's more secure", then I'd say you're off to a bad start and you should get your security posture evaluated, as you may have serious vulnerabilities in areas which have been overlooked due to focusing on the choice of OS.
As usual, "that depends upon the system and its owner."
Windows has a very powerful security model that is effectively turned off in literally millions of "Home Edition" Windows boxes around the world. So, all that programming doesn't do a damn bit of good.
Linux has Pluggable Authentication Modules (PAM), which allows any sort of authentication scheme that you wish to use, to be, well, "plugged in" at strategic points just by editing a configuration file. (There are also, of course, PAM modules that can be fixed into the kernel so that no one can "remove the locks.")
Linux also normally has features, such as Access Control Lists (ACLs) and Extended Attributes, but many folks know about the chmod and chown commands and nothing more, as though nothing at all had actually advanced since the earliest Unix days.
The bottom line, though, is that effective system security is a human process, not a product nor an operating-system feature. The computer's great at enforcing rules ("yes" or "no"), but it's only a dumb machine, doing whatever it's been told.
Last edited by sundialsvcs; 07-14-2011 at 07:25 AM.
The answer? As you may have already noticed, you'll probably get as many answers as respondents, if not more. In the interests of trying to define some corner points:
There are a number of reasons that there is no such thing as Linux security: Technically, Linux is a kernel, and there is really no point in discussing the security of a kernel alone, because the system is so much more than the kernel, and a hole in the security of some of the non-kernel stuff can be just as fatal to your desire for security (mind you, you may not need anything very complex, or directly software-related, if you've got a user).
You were probably thinking of 'a distro' really, rather than 'kernel', and while all distros are variations on a theme, there can be enough difference in, say, how quickly problems are fixed to make a real difference (although, in this regard, MS is usually worse and less transparent, in speed of fixes).
In general (and this is a wild generalisation) most Linux distros do a decent job of giving you an install that is reasonably secure out of the box, but the builders of the distro itself don't know what you will do with it, and you will have to take responsibility for what you do from the point that you install it.
Whatever you think of the security of a system 'out of the box', usually the first thing that the user does when the system comes out of the proverbial box, is that they take measures to mess up the security. As a (vaguely related) example of this tendency, bear in mind that MS has recently turned off 'autorun' by default. This has been a well-known idiocy for a decade or so, but apparently MS thought if they turned off this 'convenience feature' there would be a revolt amongst the users (and they would all just turn it back on) so that it wasn't worth doing. It turns out that this has been actually a very significant improvement (although, anyone with any sense could have manually changed the autorun status)...so a big part of the problem was user laziness (or the perception of what the user would consider as excessively inconvenient...personally, I would consider cleaning up after an intrusion as a real inconvenience, but maybe these users consider this as 'somebody else's problem').
One part of the answer (I'd describe this as one canonical answer, if that wasn't open to too much misinterpretation) is that most Windows end users have problems with security and most Linux users don't (as far as I can tell); you could regard that as conclusive, but it really isn't. If you fsck up your Linux security badly enough, you can make it as bad as the typical Windows user would make it. It is your computer, you can do that, but you probably shouldn't, if you know what is good for you. But, you probably don't know what is good for you, and you really need to know what you are doing to keep the system secure.
I'd also like to echo this, from win32sux, "either GNU/Linux or Microsoft Windows can meet most administrators' and/or users' security requirements"...but, while it is true, it is also true that most users will, if allowed, take their system in entirely the opposite direction from the one that leads towards security. Now, it isn't completely clear whether the cause is lack of knowledge, a feeling of 'it'll never happen to me' or plain, pig-headed stupidity (but, it seems as if it is done most thoroughly when all of the above are brought to bear on the situation), but it is what happens.
I think another point to consider is the costs of security in a Windows environment. Out of the box you will still require software to fully secure an environment or desktop. The open source community (this includes Linux, BSD, etc.) provides all of the needed tools you would require to secure an entire enterprise environment. Granted, you have to consider the different software you will require and build out a setup for your purposes, but when you think about needing a spam filter for Exchange environments, and needing corporate antivirus for all of your servers and desktops, then you add to that the malware and drive-by attacks, and you find yourself spending a lot of time and money on security. With Linux and open source, you just need time, maybe more time, but when you come away from it you really know that your stuff is set up and secure to the best of your knowledge and understanding, and you can do more with less resources.
To find the answer, ask yourself what you expect from Linux distros. Check your needs carefully and analyze them. I hope you will be satisfied.
For more details check this link with this question: Why Linux is better? http://www.whylinuxisbetter.net/. I hope you will find the correct answer and you will be satisfied when you read the arguments. It depends on the user's needs.
Security is only as good as the person implementing and maintaining it. To my knowledge, Windows 7's firewall has never been cracked. Linux is also secure if you run the proper software as well - however, a good password really goes a long way - especially if you use an encrypted file system.
I'd suggest not indulging yourselves in this kind of question... these can't be answered in a line.
It's very foolish to draw some conclusions... every system has its own pros and cons.
But still, if you want to research a bit, then take a look at these and then tell what you concluded (if you can)...
comparison of linux and windows security
Security Report: Windows vs Linux
good luck...^_^
so why are you indulging them?? Why is it that so often the worst questions attract the most answers? This dude is not coming back, why do people keep responding?
Even though the OP isn't returning, I see no reason why this discussion should be stopped. As far as I'm concerned, the topic is totally compatible with LQSEC and everyone is free and welcome to share their relevant thoughts and points of view here.
Everyone who goes to these articles should check the dates on them. One of them talks about Windows Server 2003 and is from 2004. That's highly outdated. Unless things have changed in about the past 2 months, Windows 7 / Server 2008 firewalls have yet to be cracked (if it has been cracked, please let me know!).
I prefer to use Linux, but Windows has come a long way and is working its way slowly away from everything being set in the registry.
This morning's mail included a Technical Cyber Security Alert, number TA11-200A (available at http://www.us-cert.gov/cas/techalerts/TA11-200A.html). Although not specific to platform, the content may be of some interest:
National Cyber Alert System
Technical Cyber Security Alert TA11-200A
Security Recommendations to Prevent Cyber Intrusions
Original release date: July 19, 2011
Last revised: --
Source: US-CERT

Overview

US-CERT is providing this Technical Security Alert in response to recent, well-publicized intrusions into several government and private sector computer networks. Cyber thieves, hacktivists, pranksters, nation-states, and malicious coders for hire all pose serious threats to the security of both government and private sector networks. A comprehensive security program provides the best defense against the full spectrum of threats that our computer networks face today. Network administrators and technical managers should not only follow the recommended security controls for information systems outlined in NIST 800-53 but also consider the following measures. These measures include both tactical and strategic mitigations and are intended to enhance existing security programs.

Recommendations

* Deploy a Host Intrusion Detection System (HIDS) to help block and identify common attacks.
* Use an application proxy in front of web servers to filter out malicious requests.
* Ensure that the "allow URL_fopen" is disabled on the web server to help limit PHP vulnerabilities from remote file inclusion attacks.
* Limit the use of dynamic SQL code by using prepared statements, queries with parameters, or stored procedures whenever possible. Information on SQL injections is available at <http://www.us-cert.gov/reading_room/sql200901.pdf>.
* Follow the best practices for secure coding and input validation; use the secure coding guidelines available at: <https://www.owasp.org/index.php/Top_10_2010> and <https://buildsecurityin.us-cert.gov/bsi/articles/knowledge/coding/305-BSI.html>.
* Review US-CERT documentation regarding distributed denial-of-service attacks: <http://www.us-cert.gov/cas/tips/ST04-015.html> and <http://www.us-cert.gov/reading_room/DNS-recursion033006.pdf>.
* Disable active scripting support in email attachments unless required to perform daily duties.
* Consider adding the following measures to your password and account protection plan:
  * Use a two factor authentication method for accessing privileged root level accounts.
  * Use minimum password length of 15 characters for administrator accounts.
  * Require the use of alphanumeric passwords and symbols.
  * Enable password history limits to prevent the reuse of previous passwords.
  * Prevent the use of personal information as password such as phone numbers and dates of birth.
  * Require recurring password changes every 60-90 days.
  * Deploy NTLMv2 as the minimum authentication method and disable the use of LAN Managed passwords.
  * Use minimum password length of 8 characters for standard users.
  * Disable local machine credential caching if not required through the use of Group Policy Object (GPO). For more information on this topic see Microsoft Support articles 306992 and 555631.
  * Deploy a secure password storage policy that provides password encryption.
  * If an administrator account is compromised, change the password immediately to prevent continued exploitation. Changes to administrator account passwords should only be made from systems that are verified to be clean and free from malware.
* Implement guidance and policy to restrict the use of personal equipment for processing or accessing official data or systems (e.g., working from home or using a personal device while at the office).
* Develop policies to carefully limit the use of all removable media devices, except where there is a documented valid business case for its use. These business cases should be approved by the organization with guidelines for their use.
* Implement guidance and policies to limit the use of social networking services at work, such as personal email, instant messaging, Facebook, Twitter, etc., except where there is a valid approved business case for its use.
* Adhere to network security best practices. See <http://www.cert.org/governance/> for more information.
* Implement recurrent training to educate users about the dangers involved in opening unsolicited emails and clicking on links or attachments from unknown sources. Refer to NIST SP 800-50 for additional guidance.
* Require users to complete the agency's "acceptable use policy" training course (to include social engineering sites and non-work related uses) on a recurring basis.
* Ensure that all systems have up-to-date patches from reliable sources. Remember to scan or hash validate for viruses or modifications as part of the update process.
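The alert's "limit the use of dynamic SQL code by using prepared statements" recommendation, shown as an added example (not from the alert or the thread) using Python's sqlite3 module against a constructed in-memory user table: the string-built query treats the caller's input as SQL text, the parameterized query binds it as a value.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample store standing in for a web application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice-secret"), ("bob", "bob-secret")])
    return conn


def lookup_dynamic(conn: sqlite3.Connection, name: str) -> list:
    """Dynamic SQL: the input is pasted into the statement text, so quotes in it
    change the query's structure (the pattern the alert says to avoid)."""
    sql = f"SELECT name, secret FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_prepared(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the driver binds the value separately from the SQL,
    so whatever the input contains it can only ever be compared against name."""
    sql = "SELECT name, secret FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name: str) -> tuple:
    """Run the same input through both forms; dynamic SQL may also raise a
    syntax error on perfectly legitimate input that contains a quote."""
    conn = make_db()
    try:
        dynamic = lookup_dynamic(conn, name)
    except sqlite3.OperationalError as exc:
        dynamic = f"error: {exc}"
    return dynamic, lookup_prepared(conn, name)


if __name__ == "__main__":
    for probe in ("alice", "O'Brien", "x' OR '1'='1"):
        print(repr(probe), "->", compare(probe))
```

The textbook tautology input returns every row from the dynamic query and no rows from the prepared one, and a legitimate name such as O'Brien breaks the dynamic query outright; the prepared form handles both identically.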
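The password and account protection measures in the alert, turned into one checking routine as an added example (not from US-CERT or the thread): 15-character minimum for administrators and 8 for standard users, letters plus digits plus a symbol, no reuse of a password in the history, and no phone number or date of birth embedded in it. The history is kept as salted PBKDF2 digests rather than cleartext, in line with the alert's "password storage policy that provides password encryption"; the role names, phone and DOB layouts are my assumptions.

```python
import hashlib
import os
import re
from datetime import date
from typing import List, Optional, Tuple

# Policy values taken from the TA11-200A recommendations quoted above.
MIN_LEN = {"admin": 15, "user": 8}


def hash_password(pw: str, salt: bytes = b"") -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 so the stored history never holds cleartext."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


def personal_tokens(phone: str = "", dob: Optional[date] = None) -> set:
    """Digit strings a user is likely to embed: full/last-4 phone, DOB in common layouts."""
    tokens = set()
    digits = re.sub(r"\D", "", phone)
    if digits:
        tokens.update({digits, digits[-4:]})
    if dob:
        tokens.update(dob.strftime(f) for f in
                      ("%Y%m%d", "%d%m%Y", "%m%d%Y", "%d%m%y", "%m%d%y", "%Y"))
    return {t for t in tokens if len(t) >= 4}


def check_password(pw: str, role: str, history: List[Tuple[bytes, bytes]],
                   phone: str = "", dob: Optional[date] = None) -> List[str]:
    """Return the policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < MIN_LEN[role]:
        problems.append(f"shorter than the {MIN_LEN[role]} characters required for {role}")
    if not (re.search(r"[A-Za-z]", pw) and re.search(r"\d", pw)):
        problems.append("must contain both letters and digits")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("must contain at least one symbol")
    # Re-derive the digest with each stored salt; any match means reuse.
    if any(hash_password(pw, salt)[1] == digest for salt, digest in history):
        problems.append("reuses a previous password")
    if any(tok in pw for tok in personal_tokens(phone, dob)):
        problems.append("contains personal information (phone number or date of birth)")
    return problems


if __name__ == "__main__":
    old = [hash_password("Winter2010!Password")]  # constructed prior password on record
    print(check_password("Winter2010!Password", "admin", old))
    print(check_password("Correct-Horse-Battery-1985!", "admin", old, dob=date(1985, 4, 7)))
```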