Security-oriented distro? - Security


  1. Security-oriented distro?

    What linux distribution should I start with in order to build a
    reasonably secure box? I am fairly experienced with linux and networking
    but I cannot spare more than a few hours a week on this project.
    Also, is there any documentation/manual anywhere available that walks
    you through the motions of securing a linux install prior to connecting
    it to the outside world?

    tia
    - cga


  2. Re: Security-oriented distro?

    On Wed, 07 Dec 2005 23:14:23 -0500, cga wrote:
    > What linux distribution should I start with in order to build a
    > reasonably secure box? I am fairly experienced with linux and networking
    > but I cannot spare more than a few hours a week on this project.
    > Also, is there any documentation/manual anywhere available that walks
    > you through the motions of securing a linux install prior to connecting
    > it to the outside world?


    One approach would be to use Bastille (http://www.bastille-linux.org)
    to help lock down your system, instead of looking for a distribution
    aimed specifically at security.

    People often ask "which distro/OS/... is most secure?" That's the
    wrong question. The most secure anything is the one run by someone
    who knows it well enough to tighten it down and keep it tight. Look
    to see if the distribution you already use is supported by Bastille,
    and if so, use Bastille to help secure it.

    One of the great things about Bastille is that in interactive mode,
    it will give you the information you need to help decide where you
    need to be in the continuum from security to convenience. That makes
    it a good learning tool for what kind of things go into securing a
    system and how to do them.


    Mike

    --
    Michael Zawrotny
    Institute of Molecular Biophysics
    Florida State University | email: zawrotny@sb.fsu.edu
    Tallahassee, FL 32306-4380 | phone: (850) 644-0069

  3. Re: Security-oriented distro?

    On Wed, 07 Dec 2005, in the Usenet newsgroup comp.os.linux.security, in article
    <4397B31F.5060000@optonline.net>, cga wrote:

    >What linux distribution should I start with in order to build a
    >reasonably secure box? I am fairly experienced with linux and networking


    Then use the one you are comfortable with.

    >Also, is there any documentation/manual anywhere available that walks
    >you through the motions of securing a linux install prior to connecting
    >it to the outside world?


    155096 Jan 23 2004 Security-HOWTO
    278012 Jul 23 2002 Security-Quickstart-HOWTO
    287057 Jul 23 2002 Security-Quickstart-Redhat-HOWTO

    One or the other of the last two is probably what you need.

    Old guy

  4. Re: Security-oriented distro?

    Michael Zawrotny wrote:
    > On Wed, 07 Dec 2005 23:14:23 -0500, cga wrote:
    >
    >> What linux distribution should I start with in order to build a
    >> reasonably secure box? I am fairly experienced with linux and networking
    >> but I cannot spare more than a few hours a week on this project.
    >> Also, is there any documentation/manual anywhere available that walks
    >> you through the motions of securing a linux install prior to connecting
    >> it to the outside world?

    >
    >
    > One approach would be to use Bastille (http://www.bastille-linux.org)
    > to help lock down your system, instead of looking for a distribution
    > aimed specifically at security.


    Thanks for refreshing my memory. I had heard of Bastille but never got
    down to using it. I was thinking of a somewhat different approach - an
    install/distro that comes with everything locked and you would unlock
    just those functionalities that you need one at a time.. and find enough
    help in (documentation of..) the "unlocking process" so you understand
    the risks you are taking and explain how best to handle them a
    posteriori on a day-to-day basis..

    >
    > People often ask "which distro/OS/... is most secure?"


    What I had in mind was more along the lines of which distro (if any) was
    designed with security in mind and therefore might make the task of
    securing the box an easier and more productive experience.

    > That's the
    > wrong question. The most secure anything is the one run by someone
    > who knows it well enough to tighten it down and keep it tight. Look
    > to see if the distribution you already use is supported by Bastille,
    > and if so, use Bastille to help secure it.
    >
    > One of the great things about Bastille is that in interactive mode,
    > it will give you the information you need to help decide where you
    > need to be in the continuum from security to convenience.


    ... what I meant by "reasonably" secure.

    > That makes
    > it a good learning tool for what kind of things go into securing a
    > system and how to do them.


    ... pretty much what I had in mind.. the limited amount of time I can
    devote to this project being the main problem.

    >
    >
    > Mike
    >



  5. Re: Security-oriented distro?

    "cga" wrote in message
    news:n2Qlf.4906$O05.1462@fe09.lga

    > I was thinking of a somewhat different approach - an
    > install/distro that comes with everything locked and you would unlock
    > just those functionalities that you need one at a time.. and find
    > enough help in (documentation of..) the "unlocking process" so you
    > understand the risks you are taking and explain how best to handle
    > them a posteriori on a day-to-day basis..

    ....
    > What I had in mind was more along the lines of which distro (if any)
    > was designed with security in mind and therefore might make the task
    > of securing the box an easier and more productive experience.


    You're talking about http://netbsd.org out of the box.


  6. Re: Security-oriented distro?

    Moe Trin wrote:
    > On Wed, 07 Dec 2005, in the Usenet newsgroup comp.os.linux.security, in article
    > <4397B31F.5060000@optonline.net>, cga wrote:
    >
    >
    >>What linux distribution should I start with in order to build a
    >>reasonably secure box? I am fairly experienced with linux and networking

    >
    >
    > Then use the one you are comfortable with.
    >
    >
    >>Also, is there any documentation/manual anywhere available that walks
    >>you through the motions of securing a linux install prior to connecting
    >>it to the outside world?

    >
    >
    > 155096 Jan 23 2004 Security-HOWTO
    > 278012 Jul 23 2002 Security-Quickstart-HOWTO
    > 287057 Jul 23 2002 Security-Quickstart-Redhat-HOWTO
    >
    > One or the other of the last two is probably what you need.
    >
    > Old guy


    Thanks much. Probably a good starting point.

    This web page also looks promising:

    http://www.puschitz.com/SecuringLinux.shtml



  7. Re: Security-oriented distro?

    On Wed, 07 Dec 2005 23:14:23 -0500, cga wrote:

    > What linux distribution should I start with in order to build a
    > reasonably secure box?


    > I am fairly experienced with linux and networking but I cannot spare
    > more than a few hours a week on this project.


    http://distrowatch.com/search.php?category=Security

    > Also, is there any documentation/manual anywhere available that walks
    > you through the motions of securing a linux install prior to connecting
    > it to the outside world?


    http://flaviostechnotalk.com/wordpre...secure-server/

    --
    -Menno.


  8. Re: Security-oriented distro?

    On Fri, 09 Dec 2005 01:02:52 -0500, cga wrote:
    > Michael Zawrotny wrote:
    > >
    > > One approach would be to use Bastille (http://www.bastille-linux.org)
    > > to help lock down your system, instead of looking for a distribution
    > > aimed specifically at security.

    >
    > Thanks for refreshing my memory. I had heard of Bastille but never got
    > down to using it. I was thinking of a somewhat different approach - an
    > install/distro that comes with everything locked and you would unlock
    > just those functionalities that you need one at a time.. and find enough
    > help in (documentation of..) the "unlocking process" so you understand
    > the risks you are taking and explain how best to handle them a
    > posteriori on a day-to-day basis..


    The problem with that is that locking/unlocking isn't as simple as
    turning services on or off. You've also got things like file and
    directory permissions, application configuration, kernel
    configuration, etc. To paraphrase Bruce Schneier, security is a
    weakest link. If you lock down a bunch of things, but leave one or
    two things open, those are the ones that will get exploited.

    To really lock things down, you would need to get into kernel level
    security policies (selinux or grsecurity) and just getting a working
    policy that doesn't interfere with your day to day work can easily eat
    up most of the time you are budgeting.

    > > People often ask "which distro/OS/... is most secure?"

    >
    > What I had in mind was more along the lines of which distro (if any) was
    > designed with security in mind and therefore might make the task of
    > securing the box an easier and more productive experience.


    The problem with that approach is that the different distributions do
    things differently, sometimes very much so (compare RedHat, Slackware
    and Debian). Something heavily geared towards security will probably
    be configured very differently than what you are used to. That makes
    you spend a lot of your allocated time learning how the new system
    works in general instead of spending it on security.

    > .. pretty much what I had in mind.. the limited amount of time I can
    > devote to this project being the main problem.


    If time is the limiting factor, you need to use it wisely. A complete
    run of Bastille will take an hour or two (including the time to read
    the background and suggestions given by Bastille) and fix many of the
    common misconfiguration issues. You can then spend the rest of your
    time on the details of tweaking the necessary services, etc.


    Mike

    --
    Michael Zawrotny
    Institute of Molecular Biophysics
    Florida State University | email: zawrotny@sb.fsu.edu
    Tallahassee, FL 32306-4380 | phone: (850) 644-0069

  9. Re: Security-oriented distro?

    grenoble wrote:
    > "cga" wrote in message
    > news:n2Qlf.4906$O05.1462@fe09.lga
    >
    >
    >>I was thinking of a somewhat different approach - an
    >>install/distro that comes with everything locked and you would unlock
    >>just those functionalities that you need one at a time.. and find
    >>enough help in (documentation of..) the "unlocking process" so you
    >>understand the risks you are taking and explain how best to handle
    >>them a posteriori on a day-to-day basis..

    >
    > ...
    >
    >>What I had in mind was more along the lines of which distro (if any)
    >>was designed with security in mind and therefore might make the task
    >>of securing the box an easier and more productive experience.

    >
    >
    > You're talking about http://netbsd.org out of the box.
    >

    Read the guide over the weekend.. quite remarkable. If the OS is half
    as clean as the doc it may well be worth switching rather than upgrading
    my antiquated linux.. when I can find the time.. Strange nobody has come
    up with a linux distro built along the same lines..



  10. Re: Security-oriented distro?

    In comp.os.linux.security cga :
    > What linux distribution should I start with in order to build a
    > reasonably secure box? I am fairly experienced with linux and networking


    Any distro will do, just do a minimal install, install all
    patches, only run services you need. Lock down access using
    tcp-wrapper (if possible) + iptables + package's own access control
    (if available) to a few hosts. Use ssh(2) only to login, disable
    root ssh access, use pam_wheel to control access to the root
    account or use sudo (for better logging) only. Use ssh key-login
    only. Run logwatch and keep an eye on the reports. Intrusion
    detection is another add-on, but you need some work to make it
    usable. Keeping the system updated on a regular basis is the most
    important.

    If you are still paranoid, enable selinux, but be aware you need
    to configure it properly or the system will be completely secure
    but unusable. ;-)

    [..]

    Good luck

    --
    Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
    mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
    #bofh excuse 83: Support staff hung over, send aspirin and
    come back LATER.
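
The SSH items in the checklist above (protocol 2 only, no root login, key-only login) can be checked mechanically. This is an added example, not part of the original post: a small Python audit of `sshd_config` text that also goes slightly beyond the post by flagging weakening settings inside `Match` blocks. The `REQUIRED` mapping, the function names and the sample configs are constructed for illustration.

```python
import re

# Target values from the post: protocol 2 only, no root login, key-only login.
# The keywords are real sshd_config options; this mapping is the example's own.
REQUIRED = {"protocol": "2", "permitrootlogin": "no",
            "passwordauthentication": "no", "pubkeyauthentication": "yes"}

def parse(text):
    """Split config text into global settings and settings under Match blocks."""
    global_cfg, overrides, match = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key == "match":
            match = value                      # everything after this is conditional
        elif match is None:
            global_cfg.setdefault(key, value.lower())  # sshd keeps the first value
        else:
            overrides.append((match, key, value.lower()))
    return global_cfg, overrides

def audit(text):
    """Return a list of findings; an empty list means the SSH advice is met."""
    cfg, overrides = parse(text)
    findings = []
    for key, want in REQUIRED.items():
        got = cfg.get(key)
        if got is None:
            findings.append(f"{key}: not set explicitly, want {want}")
        elif got != want:
            findings.append(f"{key}: {got}, want {want}")
    for cond, key, value in overrides:
        if key in REQUIRED and value != REQUIRED[key]:
            findings.append(f"{key}: {value} inside 'Match {cond}', want {REQUIRED[key]}")
    return findings

# Constructed sample configs (not taken from any real host).
WEAK = ("Protocol 2,1\nPermitRootLogin yes\nPermitRootLogin no\n"
        "PasswordAuthentication yes\nMatch Address 192.0.2.0/24\n  PermitRootLogin yes\n")
HARDENED = ("Protocol 2\nPermitRootLogin no\n"
            "PasswordAuthentication no\nPubkeyAuthentication yes\n")

if __name__ == "__main__":
    for finding in audit(WEAK):
        print(finding)
```

On current OpenSSH releases, which only speak protocol 2, remove the `protocol` entry from `REQUIRED` before running the audit.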

  11. Re: Security-oriented distro?

    cga wrote:

    > Michael Zawrotny wrote:
    >> On Wed, 07 Dec 2005 23:14:23 -0500, cga
    >> wrote:
    >>
    >>> What linux distribution should I start with in order to build a
    >>> reasonably secure box? I am fairly experienced with linux and
    >>> networking
    >>> but I cannot spare more than a few hours a week on this
    >>> project.
    >>> Also, is there any documentation/manual anywhere available that
    >>> walks you through the motions of securing a linux install prior to
    >>> connecting it to the outside world?

    >>
    >>
    >> One approach would be to use Bastille
    >> (http://www.bastille-linux.org) to help lock down your system,
    >> instead of looking for a distribution aimed specifically at
    >> security.

    >
    > Thanks for refreshing my memory. I had heard of Bastille but never
    > got down to using it. I was thinking of a somewhat different
    > approach - an install/distro that comes with everything locked and
    > you would unlock just those functionalities that you need one at a
    > time.. and find enough help in (documentation of..) the "unlocking
    > process" so you understand
    > the risks you are taking and explain how best to handle them a
    > posteriori on a day-to-day basis..
    >
    >>
    >> People often ask "which distro/OS/... is most secure?"

    >
    > What I had in mind was more along the lines of which distro (if any)
    > was designed with security in mind and therefore might make the task
    > of securing the box an easier and more productive experience.



    Generally for that, people tend to use one of the BSDs.
    Astaro Linux is a distro that is meant to be secure and
    hardened out of the box. For real security, ACLs and
    SELinux extensions can be used, most modern server distros
    have SELinux ACL capabilities in the kernel. But that gets
    real bitchy.









    >
    >> That's the
    >> wrong question. The most secure anything is the one run by someone
    >> who knows it well enough to tighten it down and keep it tight.
    >> Look to see if the distribution you already use is supported by
    >> Bastille, and if so, use Bastille to help secure it.
    >>
    >> One of the great things about Bastille is that in interactive mode,
    >> it will give you the information you need to help decide where you
    >> need to be in the continuum from security to convenience.

    >
    > .. what I meant by "reasonably" secure.
    >
    >> That makes
    >> it a good learning tool for what kind of things go into securing a
    >> system and how to do them.

    >
    > .. pretty much what I had in mind.. the limited amount of time I can
    > devote to this project being the main problem.
    >
    >>
    >>
    >> Mike
    >>


    --
    "There is a word in Newspeak," said Syme. "I don't
    know whether you know it: duckspeak, to quack like
    a duck. It is one of those interesting words that
    have two contradictory meanings. Applied to an
    opponent, it is abuse; applied to someone you agree
    with, it is praise."
        -George Orwell "Nineteen Eighty-Four"


    Cheerful Charlie
