[PLUG] Joe Jobbed

Ed Sawicki ed at alcpress.com
Sun Oct 7 18:13:50 UTC 2007


M. Edward (Ed) Borasky wrote:
> Ed Sawicki wrote:
>> Most people on this list use distributions. They expect that the
>> distributor will keep all the software current. If they try to
>> keep their systems more current than the distribution they can
>> mess things up unless they know what they're doing.
> 
> 1. It is nearly impossible to add software, secure or insecure, to a 
> standard stable distribution like RHEL/CentOS or Etch, with standardized 
> repositories and built-in security, bug fix and new feature update 
> services. If you want to run a stable, secure server using such a 
> distro, *don't* think outside the box. Don't run "testing" or "unstable" 
> packages, don't get RPMs or DEBs from anywhere other than the built-in 
> repositories, and don't install anything from raw source. Period. Full stop.

It's not nearly impossible. I do it regularly. You just have to
know what parts of the filesystem are off limits to you because
the distribution's package management "owns" that space. You _do_
have to pay attention to, for example, which TCP and UDP ports
daemons use, system startup weirdness, and more.

> 
> 2. The *only* advantage a secure Linux server has over a secure Windows 
> server is that the major Linux server distros release security updates 
> much more frequently than Microsoft does. *Both* are exploitable, *both* 
> are targets of hackers and crackers, and *both* require eternal 
> vigilance as the price of security.

Given that we're talking about servers here - not desktops:

I think you're giving the open source development model too little
credit for generally producing much more secure code. I'd rather
run older versions (weeks or months older - not years older) of
open source daemons than current Windows services.

I assume you know that there are other advantages of running a
secure Linux server and you limited your comments to security
issues only. If not, I have much more to say.


> 
>> I think it's
>> unrealistic to expect them to take on this task, especially when
>> they're running sites where a rare break-in is not going to
>> bankrupt a business or leak national secrets.
> 
> Leaving aside the difference between a hobby server and a business 
> server, if Linux becomes the kind of tool for distributed denial of 
> service attacks that Windows has become, it's all over for Linux! The 
> corporate giants will shove Linux into the flaming pits of Heck.

You're probably correct about this. It's one reason why I'm
not anxious to have Linux replace corporate desktops. That's
Apple's job.

Ed


> You
> won't be able to get CentOS -- you'll have to buy RHEL. You won't be 
> able to get openSuSE, you'll have to buy Novell's version, and you won't 
> be able to get Etch/Lenny/Sid, you'll have to buy Ubuntu.
> 
> So take on the task! Run secure or face oblivion. :)
> 