
Really, that's why the Tek....(maven, doubt that) name is pasted all over the linux forum.

No insult intended, you will just need a different knowledge set to talk about actual system security. If you have this knowledge and are just holding back, then the question is "why?" if you don't have it, you add no value to the conversation in your current state.

It really bugs me when people try to spin someone making an objective statement about their level of knowledge as an insult, but whatever makes you feel better about the situation I guess. I merely ask that you try and take what I say at face value.

*benefit of the doubt*
How do you feel that Linux's access control system compares to NT's? Do you have any thoughts on how these differences may vary as systems get more and more distributed with concepts like ASP and whatnot?
It is my belief that Linux's lack of both modular and centralized granularity of not only access controls but privileges as well will continually force security controls further and further away from the security kernel itself leading to a lower level of assurance across the enterprise resulting in a greater chance of inside compromise and a greater reliance on secure applications. Although this may make specific aspects of development and administration simpler, such that different admins can be responsible for different applications and development is simpler as fewer centralized security restrictions are in place. (Confused yet?)
The only correction I can see to this situation is the removal of the concept of "root" in Linux and the addition of more Harrison, Ruzzo, Ullman influenced access controls allowing greater control of specific resources while ensuring those rights are not propagated beyond their original design.
Now obviously if the Linux security model is followed application bugs will be even more critical than they currently are. I for one feel this is a bad situation as explained above. Naturally the migration to centralized trusted operating systems as access control servers would be ideal, but this would tend to be an impractical and unjustified expense for most organizations.

I'd love to hear your thoughts on the subject.

(your 50 character post) Oh yeah, pls don't answer a question with a question again! It makes you look like you don't know what you're talking about. :lol:

)BIG"B"Affleck
Master Poster
Banned
766 posts since Oct 2003
Reputation Points: 25
Solved Threads: 8
 

Even though I know you're banned, you have yet to give any proof of your ideas. All you have done is ranted about mindless stuff.

When you're unbanned, please show some evidence, and don't flame anyone.

Tekmaven
Software Architect
Moderator
1,274 posts since Feb 2002
Reputation Points: 322
Solved Threads: 28
 

quotes:
I completely agree. If I mess up a setting in Linux, I find that my whole Operating System may not be able to boot, with no way of fixing it.

Just so you know, I'm pretty good at everything Linux. I've been using it on and off for a few years - I'm no newbie by any definition. I'm sure that your set of computer knowledge is a subset of mine.

When you're unbanned, please show some evidence, and don't flame anyone.

If you are so good at linux, then how do you mess up a setting that makes your system unbootable, and you can't fix it? Just curious. Also, if you are a moderator here, then why are you putting someone down by saying their knowledge is a subset of yours? And then you tell someone not to flame anyone. What's up with that? How old are you?
Like I stated before, use the system that will work best for you, and if you want to expand your knowledge, then you can try other systems. To each his own.

twilli227
Junior Poster in Training
59 posts since Dec 2003
Reputation Points: 56
Solved Threads: 1
 

I only put people down when I feel they have insulted me, my friends or my beliefs. I made that remark only because of his big statements - with no proof or study backing him up.

I completely agree with your thoughts. I have a mostly Windows network at home, but I do have a Novell NetWare server, and a NAT/DHCP/Firewall machine running Linux (The Smoothwall Distro).

Use what you like, when you see fit. That's all.

Tekmaven
Software Architect
Moderator
1,274 posts since Feb 2002
Reputation Points: 322
Solved Threads: 28
 

Okay, this thread is *this* close to being locked. Tek, 2 wrongs don't make a right. As a moderator, you should be the first person to uphold all forum rules. You can't go and ban a guy for saying something nasty about someone and then go say something nasty about the guy you just banned for the exact same reason.

The only reason I'm saying this to the public is because I want everyone to understand that we all have to uphold the forum rules and that this is strictly enforced.

Please make this an intelligent debate.

cscgal
The Queen of DaniWeb
Administrator
19,421 posts since Feb 2002
Reputation Points: 1,474
Solved Threads: 229
 

Sorry if I hijacked this thread. I myself don't like to see a flaming war between anybody. If there is another way to communicate with someone, let me know. There are times when something that might need to be communicated, but not out in the open.

twilli227
Junior Poster in Training
59 posts since Dec 2003
Reputation Points: 56
Solved Threads: 1
 

Sure, private messaging is available on the forums. There are multiple ways to do so:
Click the "Private Messages" link in the box below the navigation header on top of every page. Click the "User Control Panel" in the nav bar and then browse to private messages. Or click a member's username while viewing their post and click on "Send a private message"

Click the following link for more information.
http://www.daniweb.com/techtalkforums/faq.php?faq=vb_board_usage#faq_vb_pm_explain

cscgal
The Queen of DaniWeb
Administrator
19,421 posts since Feb 2002
Reputation Points: 1,474
Solved Threads: 229
 

Thanks cscgal, I guess I should look around this site for more info.

twilli227
Junior Poster in Training
59 posts since Dec 2003
Reputation Points: 56
Solved Threads: 1
 

Where is this going, with the security side of things?

For one, OpenBSD isn't Linux-- it's just another Free OS. The reason it's called "secure by default" is because when you install it, it's got every port closed on it with the exception of port 22, SSH, which is audited for security holes, and can, for all intents and purposes, be considered secure in itself.

But, for logging, it's always sufficed for me. Nearly every network service has the ability to log events like successful/failed logon attempts and access violations. If it doesn't have that function, you'd be silly, IMHO, to use it. My personal opinion has always been that a newbie shouldn't run a server on the internet without fully knowing the implications of doing so. Sure, you can configure any system to be insecure, so "secure by default" is just a baseline, so to speak, that you can be assured of when installing that system.

I would, however, have to agree on the access control lists side. General rwxrwxrwx UNIX permissions can be a little cumbersome. I'm not up to speed on some commercial UNIX implementations, but I do believe that many of them now have support for ACLs in them. There are projects in the works to incorporate ACL support in Linux, and all of the BSDs, if I'm not mistaken. There are some ways around this, NIS, for example, where you can put groups within groups, thus giving you finer and easier control over who has access to what. With the way UNIX permissions are right now, you are still able to assign different users different roles in configuration, just by setting different file permissions.

Personally, I don't mind the root account. If you configure your system properly and keep on top of the latest patches for whatever services you're running, you shouldn't be too concerned about people gaining escalated privileges on your system. If the admin of the system is judicious about when to use and when not to use the root account, then that's just another way to keep the system safer.

Really, we shouldn't be looking at whether a system's secure "by default" when we set up a server. We should instead be looking at how secure we can make it from an out-of-the-box state. If you look at it like that, you can pretty much lock down any server.

alc6379
Cookie... That's it
Team Colleague
2,820 posts since Dec 2003
Reputation Points: 186
Solved Threads: 147
 

Tekmaven, njwnews never said he had 120gigs of ram, he said he had a 120gig hard disk :!: :cheesy:

nova100
Newbie Poster
3 posts since Jan 2004
Reputation Points: 10
Solved Threads: 0
 
Tekmaven, njwnews never said he had 120gigs of ram, he said he had a 120gig hard disk :!: :cheesy:


His original post said 120gb of memory, or something like that. It might have been edited.

Tekmaven
Software Architect
Moderator
1,274 posts since Feb 2002
Reputation Points: 322
Solved Threads: 28
 

RTFM ....

man man
....etc, etc......

Wee...no one should have to man command for everything. When I want to install a fourth window manager, I should have that option, without it being cryptic. pkginstall isn't cryptic, but that's because we know it. The "Newbie" install for Slackware as an example, gives basic functionality like it should, but the Full install is where it's at. You have to consider that a "l00nix" newbie doesn't give a shit which X client GUI is the default, they just want icons and pretty text so they can run Mozilla and dick around with uptime and maybe configure ls output to their liking. That is, if they can even figure out what the console is really for. They don't care about , resource files, or having to make install everything, they just want the damn software to work without issue, and the first time after installation. Point and click & KISS (Keep It Simple Stupid).

I'm not saying this isn't possible, but it's not user friendly. If your grandmother can't understand linux, I don't think it's going to be that widely used.

For the record, I've talked to people that have had their parents/grandparents running some variant of linux. And without issue I might add.

feigned
Posting Whiz
311 posts since Oct 2003
Reputation Points: 107
Solved Threads: 4
 

I'm loving Gentoo Linux. It's just.. well.. nice :-)

Tekmaven
Software Architect
Moderator
1,274 posts since Feb 2002
Reputation Points: 322
Solved Threads: 28
 
Where is this going, with the security side of things? For one, OpenBSD isn't Linux-- it's just another Free OS.

Really.....? Where did one say it was linux? Well, when I think of serving I think of security IMHO.

Well for one I will start with the inadequacies of hardening, it's simple.
Hardening either before or after shipment typically includes but is not limited to the following actions:

1. Removing unnecessary packages/applications.
2. Removing unnecessary services.
3. Stronger default file permissions (removing suid/guid, adding sticky bits, etc)
4. Locking down administrative accounts. (Using wheel to limit su, preventing telnet access, etc.)
5. Utilizing an intrusion detection system. (Tripwire et al to monitor the system.)

Following this checklist you will have a very secure system right? (you would think)
Wrong, nearly all computer attacks stem from the following six issues: stack overflows, access to services, privilege and privileged accounts, networking resources, shared environments, and other bugs in applications and services. Considering this, it should be painfully clear how little hardening does for actually securing systems. Clearly different architectures and mechanisms are needed to deal with these issues as hardening alone is simply not viable.

I am sure MANY of you were already aware how this type of security falls short, but are probably still thinking that even the paltry security offered by hardening is better than nothing and for the vendor to offer such security by default not only makes your job easier but makes the system overall secure as few attacks happen against it.

Next, the benefits of homogenization. (Important points but a non-definitive argument.)

Nearly all exploits fall into one of two categories:

1. Configuration error.
2. Otherwise correct configuration but inadequate to provide protection against flawed source code.

The Apache.org root via FTP/Apache/MySQL configuration errors is a fine example of the former while the IIS Unicode attacks of the latter. While it is true that two additional types of exploit exist (source error indefensible by a different configuration and design flaws that have no source issues and cannot be fixed via admin configuration) these have not been included as they make up a very small percentage of real world attacks and because they have nothing to do with the subject of this tutorial.
Compare the two systems now really, one is shipped in a soft state (systemA) and one shipped in a hardened state (systemB).

1. Any two instances of systemB are likely to exist in the same state, as implementation/administrative intervention is less likely since a secure system was purchased.
2. Any two instances of systemA are likely to exist in different states, as post-purchase configuration is needed to bring the system into a secure state.
3. Any single instance of systemA is more likely to exist in an insecure state than any single instance of systemB.

This means, that since systemA is more likely to be insecure, valid exploits are more likely to exist. It also means that an instance of systemA, which has been configured to an equal state of security to systemB, is actually less likely to be affected by exploits than systemB is. Consequently the likelihood of systemB being vulnerable to random threats is greater than systemA existing in the same state. SystemA is also likely to be less vulnerable against specific threats since the exact configuration is less likely to be known by the attacker. Your odds of being the victim of packaged attacks are reduced without patches and the odds of you not seeing a 0-day attack coming are also reduced as a greater likelihood of an attacker error exists.
It is true that a systemB implementer/administrator could alter systemB's configuration making it less predictable, but this would not only remove any advantages of having a secure by default system it would also play into bigger issues identified in section three.
If you didn't know already, systems secure by default are little more than a marketing ploy, that prey upon users' lack of understanding about the actual mechanisms and architectures that go into secure computing. These vendors feel that they will make more sales by selling a product that seems more secure than one that actually is more secure. (Unless you are like OpenBSD and scare all your clients away with your pompousness.) Odds are they are probably right, but that doesn't mean it is a valid point to consider when comparing two systems.
If you start with something insecure but highly functional, so long as it comes with the tools to lock it down you'll be ahead in security assurances, costs, time, and the skill level needed by your implementer. If you don't agree with these facts I can provide reading material.

Wee...no one should have to man command for everything. When I want to install a fourth window manager, I should have that option, without it being cryptic. pkginstall isn't cryptic, but that's because we know it. The "Newbie" install for Slackware as an example, gives basic functionality like it should, but the Full install is where it's at. You have to consider that a "l00nix" newbie doesn't give a shit which X client GUI is the default, they just want icons and pretty text so they can run Mozilla and dick around with uptime and maybe configure ls output to their liking. That is, if they can even figure out what the console is really for. They don't care about , resource files, or having to make install everything, they just want the damn software to work without issue, and the first time after installation. Point and click & KISS (Keep It Simple Stupid).

I'm not saying this isn't possible, but it's not user friendly. If your grandmother can't understand linux, I don't think it's going to be that widely used.

For the record, I've talked to people that have had their parents/grandparents running some variant of linux. And without issue I might add. People, please do not post opinions that resulted in some form of user error.
Windows 2000 server has a lot more complicated bits underneath if you know about them.
What I like about Linux, and I recommend to anyone who feels the same, is the feeling of control - you can see what's going on, and turn it off if you don't like it. The same can't (usually) be said with Windows.
Also, while giving a pretty UI, some of the server bits in Windows 2000 (NT to a lesser extent) are actually pretty complicated, and work in a non-trivial and counter-intuitive way. I always felt that the underlying semantics were what made something hard, not how pretty (or not) the GUI works.
You try setting up file replication in Windows 2000 server ... it may have a pretty GUI but it's still a b^H female dog
*Nix is the first step to actually achieving realization of your skill. What you need to do, is jump headlong into linux, realize that you aren't good with it, read manuals, books, tutorials, etc, then go back to it... you will then realize your potential. People don't undermine yourselves.



But IMHO I recommend solaris for server use. Granted, the configuration assistant just about drove me insane every time I tried to boot into solaris (until I figured out how to turn it off), so did the user registration thing, (hey, I like throwing my keyboard against the wall) I've had peculiar network problems related to hostname lookups and dhcp -which I've managed to pinpoint and fix, I'd rather have the menu-based install like freebsd has (I guess I've just grown so accustomed to it) Everything went great when I was given the correct hardware.
After all, it makes sense that an operating system made by sun would run better on hardware made by sun. I currently have my ultra 10 box running solaris 9 performing dns, mail, etc services.

WEATHER CHANNEL
Junior Poster
Banned
150 posts since Jan 2004
Reputation Points: 46
Solved Threads: 1
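
An added example, not part of any post in this thread: a read-only audit for items 3 and 4 of the hardening checklist in the post above (setuid/setgid files, world-writable directories without the sticky bit, and who is in `wheel`). The function names and the fixture layout are hypothetical, and the fixture is constructed sample data.

```shell
#!/bin/sh
# Added example: read-only audit for hardening checklist items 3 and 4.
# All function names and the fixture layout are hypothetical.

# list_setid ROOT: regular files under ROOT with the setuid or setgid bit set.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# list_unsticky_ww ROOT: world-writable directories that lack the sticky bit,
# where any user can rename or delete another user's files.
list_unsticky_ww() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print 2>/dev/null | sort
}

# wheel_members [GROUPFILE]: members listed for the wheel group (field 4 of
# the group entry). Checklist item 4 limits su to this group.
wheel_members() {
    awk -F: '$1 == "wheel" { print $4 }' "${1:-/etc/group}"
}

# make_fixture: build a constructed directory tree and group file to audit
# and print its path. Nothing outside the new temp directory is touched.
make_fixture() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/bin" "$d/spool" "$d/tmp"
    : > "$d/bin/helper"
    : > "$d/bin/plain"
    chmod 4755 "$d/bin/helper"   # setuid: should be reported
    chmod 0755 "$d/bin/plain"    # ordinary file: should not be reported
    chmod 0777 "$d/spool"        # world-writable, no sticky bit: reported
    chmod 1777 "$d/tmp"          # world-writable with sticky bit: fine
    printf 'root:x:0:\nwheel:x:10:alice,bob\nusers:x:100:carol\n' > "$d/group"
    printf '%s\n' "$d"
}

# audit_report ROOT [GROUPFILE]: print all three findings for review.
audit_report() {
    echo "== setuid/setgid files under $1"
    list_setid "$1"
    echo "== world-writable directories without sticky bit under $1"
    list_unsticky_ww "$1"
    echo "== wheel group members"
    wheel_members "${2:-/etc/group}"
}

# Usage: sh audit.sh --demo   or   sh audit.sh ROOT [GROUPFILE]
if [ "${1:-}" = "--demo" ]; then
    fx=$(make_fixture) && audit_report "$fx" "$fx/group" && rm -rf "$fx"
elif [ $# -gt 0 ]; then
    audit_report "$@"
fi
```

Each reported path is a candidate for `chmod u-s,g-s` or `chmod +t`; the script itself changes nothing on the audited tree.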
 

plz how can i join channels
i need help which to design my new network using win 2000 server

afreema
Newbie Poster
1 post since Feb 2004
Reputation Points: 10
Solved Threads: 0
 

Ummmmmmmmmm, search microsoft.com? Come again. Better yet PM me.

WEATHER CHANNEL
Junior Poster
Banned
150 posts since Jan 2004
Reputation Points: 46
Solved Threads: 1
 
Really.....? Where did one say it was linux? Well, when I think of serving I think of security IMHO.

...I don't want to resurrect a flame war or anything, but I just wanted to make a point of clarification, on my behalf-- Big*B*Affleck seemed to lump OpenBSD in with Linux systems. It's just one of my pet peeves to ensure that people know *BSD != Linux.

Call me picky. That's mainly what I meant to get across with that statement. :) I'm more than happy to step aside if anyone more knowledgeable on a subject comes along. Obviously, WEATHER CHANNEL, you know your stuff. Would you mind posting a link to the materials you mentioned, regarding being ahead in all of those factors you included, if given the proper tools for a less secure system? There's a spot on my bookmarks list that needs filling...

Also, I full well realize "Secure by default" is a marketing ploy. As far as OBSD is concerned, the base OS is all that's audited, right? Out of the box, sure it's secure by default-- isn't it true that the only thing it runs after a default install is OpenSSH? Sure, it's secure, but all you're going to be able to use it for is an SSH server. Using that logic, NetBSD, which has no ports open after an initial install, would be even more secure by default.

alc6379
Cookie... That's it
Team Colleague
2,820 posts since Dec 2003
Reputation Points: 186
Solved Threads: 147
 

I used to think Windows servers would be more vulnerable to attack because hackers often hate MicroSoft. Then I found out the hard way that hackers use Linux boxes to learn how to hack.

carolblake1973
Newbie Poster
11 posts since Mar 2004
Reputation Points: 10
Solved Threads: 0
 
I used to think Windows servers would be more vulnerable to attack because hackers often hate MicroSoft. Then I found out the hard way that hackers use Linux boxes to learn how to hack.


Not really directed to a specific person: It's Microsoft, not MicroSoft, or Micro$oft, or any other variation. It's just one of my pet peeves. (Also.. it's Windows Server 2003; not Windows 2003 Server.)

Linux machines are just as vulnerable to attack. Nothing is perfectly secure; if it's connected to the internet it will eventually have some type of problem.

*Yawn* I feel like we've been talking about this for my entire life.. lol

Tekmaven
Software Architect
Moderator
1,274 posts since Feb 2002
Reputation Points: 322
Solved Threads: 28
 
I currently have a Gateway Desktop ! I was wondering, what server software should I put on this computer. Windows 2000 Server or a Linux Server. The reason I need a server is for my 2 domains. I currently host DCDJ.net with another server and dcwdservices.com is parked. If you could please help me by telling me which software to install, that would be great. By the way, if you think Linux is better, tell me a place where I can put it on a disk and It will boot from the CD disk drive. Thanks. My email is admin@dcdj.net. Nick


At what point does njnews say he has 120 gig of RAM?? it says, "with 120 Gig Hard Disk!" no mention of ram!

njnews erm, how much ram? lol

suRoot
Posting Whiz in Training
210 posts since Apr 2004
Reputation Points: 38
Solved Threads: 9
 
