LinuxQuestions.org
Old 03-05-2004, 07:15 PM   #1
phr0stbyt3
LQ Newbie
 
Registered: Mar 2004
Posts: 1

Rep: Reputation: 0
Which OS is best for network security related.....


I'm a long-time Windows veteran looking to expand my horizons to an open-source OS because WinXP is way too limiting. I don't know which Linux distro is best for internet security related uses and Half-Life and such.... please help


-linux n00b
 
Old 03-07-2004, 02:54 PM   #2
finegan
LQ Guru
 
Registered: Aug 2001
Location: Dublin, Ireland
Distribution: Slackware
Posts: 5,700

Rep: Reputation: 72
82.5% of security is just all in the kernel, some distros are a little more paranoid than others, some come with tools that'll simplify the learning process: CRUX, Mandrake Bastille, etc... but the distros are so malleable that there is no one that is more secure than the others. If you really want to get your hands dirty, take a look at the BSDs, OpenBSD in particular, although it's usually a hassle to run game servers on because of the need to run Linux binary emulation etc...

Also, this is probably better off in Security as opposed to the wireless forum. I'll see what I can do about a move.

Cheers,

Finegan

Last edited by finegan; 03-07-2004 at 02:56 PM.
 
Old 03-08-2004, 12:21 PM   #3
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 79
Moved to Security
 
Old 03-08-2004, 02:11 PM   #4
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
There are basically three critical elements to OS security:

1) How strict the kernel and the compiler are (pretty much the core OS)
2) How safe is the default configuration
3) How knowledgeable is the administrator?

Depending on the circumstances, any one of those three can cause you headaches. OSs like OpenBSD do a fantastic job on #1 and #2, but for #3 you're on your own (and in the case of OBSD, you better know what you're doing because there aren't any pretty GUIs to help you).

Other OSs, such as Mandrake Linux, come by default fairly lax, but they allow you to tighten your security posture during the install, and they provide an optional secure kernel (grsec?), and also Prelude IDS, Shorewall firewall, and msec lock-down scripts. So #1 is fairly well covered (although they haven't done the special stuff that OpenBSD did for memory management), #2 is decent, and even if you're lacking on #3 they give you some help.

Finally, there are some OSs that are not so good. I hear that Lindows is pretty wide-open by default, and I haven't heard of any friendly security tools that it might have. Red Hat has also been traditionally quite bad at "turning everything on", and while they've gotten better recently, they still have a long way to go (their firewall quite honestly sucks).

It really depends where you're at. If you aren't very knowledgeable, then you'll need something that will help you out a little (although OpenBSD's man pages are outstanding and highly helpful, most newbies don't take the time to read them). Also, when you say "half-life and such" do you mean game server, or game client? *BSD boxes can run Half-Life game servers under Linux binary emulation, but I don't know about the actual client.
 
Old 03-08-2004, 04:39 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
I don't know which Linux distro is best for internet security related uses and Half-Life and such.... please help

Post details on what "internet security related uses" means to you, in short the purpose of the box. This is way too opaque to answer.


Quote:
1) How strict the kernel and the compiler are (pretty much the core OS)
2) How safe is the default configuration
3) How knowledgeable is the administrator?

I just disagree with how you itemised the first two items. To me there's kernel stuff and there's userland (users, process) stuff. To reinforce the kernel you would remove unnecessary options, modules or compile as much monolithic as you can and remove CAP_MOD and such by patching it with Grsecurity, LIDS or the SELinux framework. Userland stuff means enforcing restrictions on any resources by way of "proper" configuration, running from lesser-privileged accounts, jailing, limiting, ACLs, stuff like that. Could you clarify what you mean by "strictness" wrt compilers?
About administration there can be no mistake, though. Each and every OS will fail due to neglect, misconfiguration, mismanagement and such no matter how hardened it is. To me a "default" install isn't a starting point for discussing safety, it just isn't safe (enough for me), no matter what Linux/GNU/OSS flavour you choose. Anyway, if you're installing a production box it'll have a distinct purpose (or so I would hope) so a "default" install won't cut it: always choose custom for max control, then scrub the package list when installed.
 
Old 03-08-2004, 07:02 PM   #6
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
Well it's possible to change the way a compiler creates binaries so that they're loaded into memory differently (the ABI, I believe), which (and I could easily be wrong) is one of the things that OpenBSD does. For instance OpenBSD binaries cannot be used on FreeBSD, and FreeBSD binaries can only be used on OpenBSD with a compatibility mode. Also, you can be very strict with a compiler about what kind of warnings or errors it will generate for certain code, and whether it will refuse to compile it.

I consider the compiler part of the core OS simply because it's used to generate a lot of your userland tools, and even the kernel itself if you recompile it. Since every OS except Microsoft is bundling a compiler these days (and because of the first point I outlined), I consider it core OS, at least if the OS team made modifications or improvements to it.

I referenced default configuration, because honestly the majority of Linux users do very little as far as substantial security tweaking, in fact most of the things a typical Linux user does is try to install a bunch of third-party apps, web server plugins, etc, which actually *lower* the overall security posture. IMHO a sane and safe default configuration is extremely important, because there are very few C_Cs and unSpawns in the world who actually know how to lock down a box (and take the time to do so).
 
Old 03-09-2004, 09:42 PM   #7
flashingcurser
Member
 
Registered: Jan 2003
Distribution: many win/nix/mac
Posts: 259

Rep: Reputation: 32
I like slackware because its init scripts are simple--that said--any distro can be hardened.

Some basics:
1. As pointed out above--compile your kernel with only what is needed. You may think about using one of the security enhanced kernels--I use SELinux on my server, though it probably doesn't make a lot of difference for what I use it for.
2. Limit the services running on your machine to only what is needed (this is true of any OS including Windows). The fewer things to exploit the better.
3. Get an OS that has a good package system--and tools to automatically update your distro. This is so that when exploits are discovered security updates can be applied. Some examples of good package system/distros are: apt/debian (or a debian based distro like libranet), swaret/slackware, portage/gentoo, rpm/too many to list. I would choose slack or deb based--they seem to do a better job of dealing with dependencies. Gentoo might be a little too steep of a learning curve, though the package system is said to be the best.
4. Set up a stateful firewall. This can be done with iptables that come built in to most distros, however building the script yourself if you're new to Linux is quite a daunting task. I suggest going to this site and following the prompts, at the end it will give you a great script--then cut and paste into your rc.firewall. It will be well commented--just read the comments and edit appropriately.

Just my $ 0.02


have fun, be safe
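
Point 4 in the post above, as an added example that is not part of the post or of the generated script it refers to: a shell function that prints a stateful, default-deny inbound ruleset in iptables-restore format. The function name `gen_ruleset` and the sample services (22/tcp for SSH, 27015/udp for a Half-Life server) are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: print a stateful, default-deny ruleset in iptables-restore format.
# Arguments are the inbound services to expose, written as port/proto.

gen_ruleset() {
    # Validate every argument before printing anything, so a typo never
    # yields a half-written ruleset.
    for svc in "$@"; do
        port=${svc%/*}
        proto=${svc#*/}
        case "$proto" in
            tcp|udp) ;;
            *) echo "bad protocol in '$svc' (want port/tcp or port/udp)" >&2; return 1 ;;
        esac
        case "$port" in
            ''|*[!0-9]*) echo "bad port in '$svc'" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range in '$svc'" >&2; return 1
        fi
    done

    # Default policies: drop inbound and forwarded packets, allow outbound.
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Local traffic over the loopback interface.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # The stateful part: discard packets that match no known connection state,
    # accept replies to connections this host already has open.
    printf '%s\n' '-A INPUT -m state --state INVALID -j DROP'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # One rule per exposed service; a new TCP connection must begin with a SYN.
    for svc in "$@"; do
        port=${svc%/*}
        proto=${svc#*/}
        if [ "$proto" = tcp ]; then
            printf '%s\n' "-A INPUT -p tcp --dport $port --syn -m state --state NEW -j ACCEPT"
        else
            printf '%s\n' "-A INPUT -p udp --dport $port -m state --state NEW -j ACCEPT"
        fi
    done
    printf '%s\n' 'COMMIT'
}

# Usage (as root), checking the syntax before loading the rules:
#   gen_ruleset 22/tcp 27015/udp | iptables-restore --test
#   gen_ruleset 22/tcp 27015/udp | iptables-restore
```

Everything not listed as an argument is dropped on the way in, which also enforces point 2: a service left running by accident is not reachable from the network.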

 
  

