0

Really, thats why the Tek....(maven, doubt that) name is pasted all over the linux forum.

No insult intended, you will just need a different knowledge set to talk about actual system security. If you have this knowledge and are just holding back, then the question is "why?" if you don't have it, you add no value to the conversation in your current state.

It really bugs me when people try to spin someone making an objective statement about their level of knowledge as an insult, but whatever makes you feel better about the situation I guess. I merely ask that you try and take what I say at face value.

*benefit of the doubt*
How do you feel that Linux's access control system compares to NT's? Do you have any thoughts on how these differences may vary as systems get more and more distributed with concepts like ASP and whatnot?
It is my belief that Linux's lack of both modular and centralized granularity of not only access controls but privileges as well will continually force security controls further and further away from the security kernel itself leading to a lower level of assurance across the enterprise resulting in a greater chance of inside compromise and a greater reliance on secure applications. All though this may make specific aspects of development and administration simpler, such that different admins can be responsible for different applications and development is simpler as fewer centralized security restrictions are in place. (Confused yet?)
The only correction I can see to this situation is the removal of the concept of "root" in Linux and the addition of more Harrison, Ruzzo, Ullman influenced access controls allowing greater control of specific resources while ensuring those rights are not propagated beyond their original design.
Now obviously if the Linux security model is followed application bugs will be even more critical than the currently are. I for one feel this is a bad situation as explained above. Naturally the migration to centralized trusted operating systems as access control servers would be ideal, but this would tend to be an impractical and unjustified expense for most organizations.

I'd love to hear your thoughts on the subject.

(your 50 character post)Oh yeah, pls dont answer a question with a question again! It makes you look like you don't know what your talking about. :lol:

0

Even though I know your banned, your yet you give any proof of your ideas. All you have done is ranted about mindless stuff.

When your unbanned, please show some evidence, and don't flame anyone.

0

quotes:
I completely agree. If I mess up a setting in Linux, I find that my whole Operating System may not be able to boot, with no way of fixing it.

Just so you know, I'm pretty good at everything Linux. I've been using it on and off for a few years - I'm no newbie by any definition. I'm sure that your set of computer knowledge is a subset of mine.

When your unbanned, please show some evidence, and don't flame anyone.

If you are so good at linux, then how do you mess up a setting that makes your system unbootable, and you can't fix it? Just curious. Also, if you are a moderator here, then why are you putting someone down by saying their knowledge is a subset of yours? And then you tell someone not to flame anyone. Whats up with that? How old are you?
Like I stated before, use the system that will work best for you, and if you want to expand your knowledge, then you can try other systems. To each his own.

0

I only put people down when I feel they have insulted me, my friends or my beliefs. I made that remark only because of his big statements - with no proof or study backing him up.

I completely agree with your thoughts. I have a mostly Windows network at home, but I do have a Novell NetWare server, and a NAT/DHCP/Firewall machine running Linux (The Smoothwall Distro).

Use what you like, when you see fit. Thats all.

0

Okay, this thread is *this* close to being locked. Tek, 2 wrongs don't make a right. As a moderator, you should be the first person to uphold all forum rules. You can't go and ban a guy for saying something nasty about someone and then go say something nasty about the guy you just banned for the exact same reason.

The only reason I'm saying this to the public is because I want everyone to understand that we all have to uphold the forum rules and that this is strictly enforced.

Please make this an intelligent debate.

0

Sorry if I hijacked this thread. I myself don't like to see a flaming war between anybody. If there is another way to communicate with someone, let me know. There are times when something that might need to be communicated, but not out in the open.

0

Sure, private messaging is available on the forums. There are multiple ways to do so:
Click the "Private Messages" link in the box below the navigation header on top of every page. Click the "User Control Panel" in the nav bar and then browse to private messages. Or click a member's username while viewing their post and click on "Send a private message"

Click the following link for more information.
http://www.daniweb.com/techtalkforums/faq.php?faq=vb_board_usage#faq_vb_pm_explain

0

Where is this going, with the security side of things?

For one, OpenBSD isn't Linux-- it's just another Free OS. The reason it's called "secure by default" is because when you install it, it's got every port closed on it with the exception of port 22, SSH, which is audited for security holes, and can, for all intensive purposes, be considered secure in itself.

But, for logging, it's always sufficed for me. Nearly every network service has the ability to log events like successful/failed logon attempts and access violations. If it doesn't have that function, you'd be silly, IMHO, to use it. My personal opinion has always been that a newbie shouldn't run a server on the internet without fully knowing the implications of doing so. Sure, you can configure any system to be insecure, so "secure by default" is just a baseline, so to speak, that you can be assured of when installing that system.

I would, however, have to agree on the access control lists side. General rwxrwxrwx UNIX permissions can be a little cumbersome. I'm not up to speed on some commercial UNIX implementations, but I do believe that many of them now have support for ACLs in them. There are projects in the works to incorporate ACL support in Linux, and all of the BSDs, if I'm not mistaken. There are some ways around this, NIS, for example, where you can put groups within groups, thus giving you finer and easier control over who has access to what. With the way UNIX permissions are right now, you are still able to assign different users different roles in configuration, just by setting different file permissions.

Personally, I don't mind the root account. If you configure your system properly and keep on top of the latest patches for whatever services you're running, you shouldn't be too concerned about people gaining escalated priviledges on your system. If the admin of the system is judicious about when to use and when not to use the root account, then that's just another way to keep the system safer.

Really, we shouldn't be looking at whether a system's secure "by default" when we set up a server. We should instead be looking at how secure we can make it from an out-of-the-box state. If you look at it like that, you can pretty much lock down any server.

0

Tekmaven vbmenu_register("postmenu_3714", true); njwnews never said he had 120gigs of ram ,he said he had a 120gig hard disk:!: :cheesy:

0

Tekmaven vbmenu_register("postmenu_3714", true); njwnews never said he had 120gigs of ram ,he said he had a 120gig hard disk:!: :cheesy:

His original post said 120gb of memory, or something like that. It might have been editied.

0

RTFM ....

man man

....ect,ect......

Wee...no one should have to man command for everything. When I want to install a fourth window manager, I should have that option, without it being cryptic. pkginstall isn't cryptic, but that's because we know it. The "Newbie" install for Slackware as an example, gives basic functionality like it should, but the Full install is where it's at. You have to consider that a "l00nix" newbie doesn't give a shit which X client GUI is the default, they just want icons and pretty text so they can run Mozilla and dick around with uptime and maybe configure ls output to their liking. That is, if they can even figure out what the console is really for. They don't care about <insert whatever daemon here>, resource files, or having to make install everything, they just want the damn software to work without issue, and the first time after installation. Point and click & KISS (Keep It Simple Stupid).

I'mnot saying this isn't possible, but it's not user friendly. If your grandmother can't understand linux, I don't think it's going to be that widely used.

For the record, I've talked to people that have had their parents/grandparents running some variant of linux. And without issue I might add.

0

Where is this going, with the security side of things?
For one, OpenBSD isn't Linux-- it's just another Free OS.

Really.....? Where did one say it was linux? Well, when I think of serving I think of security IMHO.

Well for one I will start with the inadequacies of hardening, it's simple.
Hardening either before or after shipment typically includes but is not limited to the following actions:

1 Removing unnecessary packages/applications.
2 Removing unnecessary services.
3 Stronger default file permissions (removing suid/guid, adding sticky bits, etc)
Locking down administrative accounts. (Using wheel to limit su, preventing telnet access, etc.)
Utilizing an intrusion detection system. (Tripwire et al to monitor the system.)

Following this checklist you will have a very secure system right?(you would think)
Wrong, nearly all computer attacks stem from the following six issues stack overflows, access to services, privilege and privileged accounts, networking resources, shared environments, and other bugs in applications and services. Considering this, it should be painfully clear how little hardening does for actually securing systems. Clearly different architectures and mechanisms are needed to deal with these issues as hardening alone is simply not viable.

I am sure MANY of you were already aware how this type of security falls short, but are probably still thinking that even the paltry security offered by hardening is better than nothing and for the vendor to offer such security by default not only makes your job easier but makes the system overall secure as few attacks happen against it.

Next,the benefits of homogenization. (Important points but a non-definitive argument.)

Nearly all exploits fall into one of two categories:

1. Configuration error.
2. Otherwise correct configuration but inadequate to provide protection against flawed source code.

The Apache.org root via FTP/Apache/MySQL configuration errors is a fine example of the former while the IIS Unicode attacks of the latter. While it is true that two additional types of exploit exist (source error indefensible by a different configuration and design flaws that have no source issues and cannot be fixed via admin configuration) these have not be included as they make up a very small percentage of real world attacks and because they have nothing to do with the subject of this tutorial.
Compare the two systems now really, one is shipped in a soft state (systemA) and one shipped in a hardened state (systemB).

1. Any two instances of systemB are likely to exist in the same state, as implementation/administrative intervention is less likely since a secure system was purchased.
2. Any two instances of systemA are likely to exist in different states, as post-purchase configuration is needed to bring the system into a secure state.
3. Any single instance of systemA is more likely to exist in an insecure state than any single instance of systemB.

This means, that since systemA is more likely to be insecure, valid exploits are more likely to exist. It also means that an instance of systemA, which has been configured to an equal state of security to systemB, is actually less likely to be effected by exploits than systemB is. Consequently the likelihood of systemB being vulnerable to random threats is greater than systemA existing in the same state. SystemA is also likely to be less vulnerable against specific threats since the exact configuration is less likely to be known by the attacker. Your odds of being the victim of packaged attacks are reduced without patches and the odds of you not seeing a 0-day attack coming are also reduced as a greater likelihood of an attacker error exists.
It is true that a systemB implementer/administrator could alter systemBs configuration making it less predictable, but this would not only remove any advantages of having a secure by default system it would also play into bigger issues identified in section three.
If you didn't know already, systems secure by default are little more than a marketing ploy, that prey upon users lack of understanding about the actual mechanisms and architectures that go into secure computing. These vendors feel that they will make more sales by selling a product that seems more secure than one that actually is more secure. (Unless you are like OpenBSD and scare all your clients away with your pompousness.) Odds are they are probably right, but that doesnt mean it is a valid point to consider when comparing two systems.
If you start with something insecure but highly functional, so long as it comes with the tools to lock it down youll be ahead in security assurances, costs, time, and the skill level needed by your implementer. If you dont agree with these facts I can provide reading material.

Wee...no one should have to man command for everything. When I want to install a fourth window manager, I should have that option, without it being cryptic. pkginstall isn't cryptic, but that's because we know it. The "Newbie" install for Slackware as an example, gives basic functionality like it should, but the Full install is where it's at. You have to consider that a "l00nix" newbie doesn't give a shit which X client GUI is the default, they just want icons and pretty text so they can run Mozilla and dick around with uptime and maybe configure ls output to their liking. That is, if they can even figure out what the console is really for. They don't care about <insert whatever daemon here>, resource files, or having to make install everything, they just want the damn software to work without issue, and the first time after installation. Point and click & KISS (Keep It Simple Stupid).

I'mnot saying this isn't possible, but it's not user friendly. If your grandmother can't understand linux, I don't think it's going to be that widely used.

For the record, I've talked to people that have had their parents/grandparents running some variant of linux. And without issue I might add.

People, please do not post opinions that resulted in some form of users error.
Windows 2000 server has a lot more complicated bits underneath if you know about them.
What I like about Linux, and I recommend to anyone who feels the same, is the feeling of control - you can see what's going on, and turn it off if you don't like it. The same can't (usually) be said with Windows.
Also, while giving a pretty UI, some of the server bits in Windows 2000 (NT to a lesser extent) are actually pretty complicated, and work in a non-trivial and counter-intuitive way. I always felt that the underlying semantics were what made something hard, not how pretty (or not) the GUI works.
You try setting up file replication in Windows 2000 server ... it may have a pretty GUI but it's still a b^H female dog
*Nix is the first step to actually achieving realization of your skill. What you need to do, is jump headlong into linux, realize that you aren't good with it, read manuals, books, tutorials, etc, then go back to it... you will then realize your potential. People don't undermind yourselfs.

But IMHO I recommend solaris for server use. Granted, the configuration assistant just about drove me insane everytime i tried to boot into solaris (until I figured out how to turn it off), so did the user registration thing,(hey, I like throwing my keyboard against the wall) I've had peticuliar network problems related to hostname lookups and dhcp -which I've managed to pinpoint and fix, I'd rather have the menu-based install like freebsd has (I guess I've just grown so accustomed to it) Everything wentgreat when I was given the correct hardware.
After all, it makes sense that an operating system made by sun would run better on hardware made by sun. I currently have my ultra 10 box running solaris 9 performing dns, mail, etc services.

0

plz how can i join channels
i need help which to design my new network using win 2000 server

0

Really.....? Where did one say it was linux? Well, when I think of serving I think of security IMHO.

...I don't want to resurrect a flame war or anything, but I just wanted to make a point of clarification, on my behalf-- Big*B*Affleck seemed to lump OpenBSD in with Linux systems. It's just one of my pet peeves to ensure that people know *BSD != Linux.

Call me picky. That's mainly what I meant to get across with that statement. :) I'm more than happy to step aside anyone more knowledgable on a subject comes along. Obviously, WEATHER CHANNEL, you know your stuff. Would you mind posting a link to the materials you mentioned, regarding being ahead in all of those factors you included, if given the proper tools for a less secure system? There's a spot on my bookmarks list that needs filling...

Also, I full well realize "Secure by default" is a marketing ploy. As far as OBSD is concerned, the base OS is all that's audited, right? Out of the box, sure it's secure by default-- isn't it true that the only thing it runs after a default install is OpenSSH? Sure, it's secure, but all you're going to be able to use it for is an SSH server. Using that logic, NetBSD, which has no ports open after an initial install, would be even more secure by default.

0

I used to think Windows servers would be more vulnerable to attack because hackers often hate MicroSoft. Then I found out the hard way that hackers use Linux boxes to learn how to hack.

0

I used to think Windows servers would be more vulnerable to attack because hackers often hate MicroSoft. Then I found out the hard way that hackers use Linux boxes to learn how to hack.

Not really directed to a specific person: It's Microsoft, not MicroSoft, or Micro$oft, or any other variation. Its just one of my pet peeves. (Also.. its Windows Server 2003; not Windows 2003 Server.)

Linux machines are just as vulnerable to attack. Nothing is perfectly secure; if its connected to the internet it will eventually have some type of problem.

*Yawn* I feel like we've been talking about this for my entire life.. lol

0

I currently have a Gateway Desktop ! I was wondering, what server software should I put on this computer. Windows 2000 Server or a Linux Server. The reason I need a server is for my 2 domains. I currently host DCDJ.net with another server and dcwdservices.com is parked. If you could please help me by telling me which software to install, that would be great. By the way, if you think Linux is better, tell me a place where I can put it on a disk and It will boot from the CD disk drive. Thanks. My email is admin@dcdj.net.

Nick

At what point does njnews say he has 120 gig or RAM?? it says, "with 120 Gig Hard Disk!" no mention of ram!

njnews erm, how much ram? lol

0

At what point does njnews say he has 120 gig or RAM?? it says, "with 120 Gig Hard Disk!" no mention of ram!

njnews erm, how much ram? lol

If you would have read the whole thread, you would have seen that this was an edit. It did originally say 120 gig of ram, and it had been edited since then. Please try to avoid from duplicate posts.

-1

Thats the funniest thing I've ever heard. How secure do you think a linux newbie could make a computer?

Also, if Linux was more mainstream, there would be a lot more security holes found.

Well, to be honest Linux is used extensively in the modern hosting world... and when looking at strictly at the facts, it is preferred over Windows (in this realm at least). Why? Well it could be because of the hosting software control panels available to the Linux OS, or it could be because people are more experienced with remote administration of Linux than that of Windows. Further I disagree with anyone saying that Linux is more secure then Windows, or vice versa, a server’s security lies within its administrator. In my experience I have enjoyed Linux more then Windows, simply because I find it’s easier to move around in and customize… but hey that’s my opinion. Every OS has its holes and vulnerabilities, a server’s security all depends on how active and skilled the administrator is

Votes + Comments
Cmon man, my points were really valid!
0

a server’s security all depends on how active and skilled the administrator is

Exactly. This is why Windows Server 2003 will usually be more secure than linux will ever be. N00bish administrators only know how to point and click; and they arent going to know how to play with some obscure text setting file. So there you go; you just told us all that Windows Server 2003 is really better :cool:


Not to mention, on the same piece of hardware, Windows Server 2003 outperforms any linux serving task; usually exponentially. On an 8-Way Xeon webserver, Windows Server 2003 with IIS6 can serve like 8x the server load that a linux server could.

Microsoft.com: Get the Facts on Windows and Linux

0

I personally prefer Linux server because I have not found a Windows/Apache control panel. For my sites to work proply I have to have something like mod_rewrite and the windows exquivelent it costs money that I don't have

0

Actually, all novell servers, from 1.0 and on run on DOS! FreeDOS, Dr. Dos, MS-Dos, some type of dos. Basically, dos loads, loads the autoexec.bat and runs SERVER.EXE, the Novell loader. Novell isn't a kernel, just everything else. Just an interesting fact ;-)

Alert! Entirely off topic! But...

That's not entirely true...Novell uses a kernel, just like everything else. It doesn't have a bootloader and needs a helping hand to get going doesn't mean it uses DOS. Back in the days when I ran Novell boxes I always used the "REMOVE DOS" command in the system startup...

I still think back to the day when the first server I ever personally built (NetWare 4.11) finally got switched off to replace it with a shiny new NT4 box. It was summat like 3 days shy of 2 years uptime...(quietly wipes a tear from the corner of his eye...)

0

Exactly. This is why Windows Server 2003 will usually be more secure than linux will ever be. N00bish administrators only know how to point and click; and they arent going to know how to play with some obscure text setting file. So there you go; you just told us all that Windows Server 2003 is really better :cool:

N00bish administrators only know how to point and click? Gee... my 7-year old sister also knows how to point and click, so I guess a 'N00bish administrator' (whatever that is) is no better than her.

Regarding security, when NT first came out, it had so many holes it was worse than swiss cheese. Windows security has gotten somewhat better over the years, but that isn't really saying much and one look at the news and it is all but obvious how *bad* MS server technology security still is compared to *nix. We have yet to see how much of an impact MS' publicized security initiatives will really have. It is extremely hard to both secure an OS and make it easy to use at the same time and MS has traditionally chosen the latter over the former whereas *nix takes the opposite approach.

Not to mention, on the same piece of hardware, Windows Server 2003 outperforms any linux serving task; usually exponentially. On an 8-Way Xeon webserver, Windows Server 2003 with IIS6 can serve like 8x the server load that a linux server could.

Pure, utter bunk. Do you even understand what the term 'exponentially' means? And where'd you pull out that 'can serve like 8x the server load' assertion?

One thing I've noticed, there's very little difference between a Linux zealot and a Windows zealot. Both are ill-informed about not only the OS they're ranting against, but the OS they're using as well.

Kernel techologies
=============
NT technology has certainly improved a whole lot since the days of NT 3.5 and it is starting to become a match for *nix. User-friendliness wise it has its advantages (but all that point-and-clickiness actually tends to get in the way of experienced administrators). However, *nix still holds important advantages in many critical areas. The new Linux 2.6 kernel, for instance, does a good job in keeping Linux core technology apace with, and in many key areas, ahead of NT (such as in thread scalability - i.e. you will get superior performance for servers which use one thread per connection). Linux 2.6 also finally supports asynchronous I/O - a very important performance feature which NT has had for some time now (called overlapped I/O in its case).

API design
========
OS API-wise, Linux's are far more elegant than the mind-numbing function calls that you see in Win32. This is the advantage of a development process which hies more to technical requirements than marketing ones. MS is forced to engineer compromises in the semantics of their APIs in order to get features out sooner. This rush, in conjunction with the need to maintain backwards compatibility with bad decisions of the past, is what's responsible for ugly, hard-to-use (from a programmer's standpoint) APIs. With Linux, the development process can be compared to that of aging a fine wine. A lot of thought and debate is put into it before it is approved, but once that happens, the API design scales gracefully to take new developments into account and doesn't need to keep on changing - very much unlike MS' style where, for example, you see a Winforms that's barely out there almost immediately being replaced with by a non-backwards compatible Avalon.


Linux's real shortcoming
=================
The one major area where Linux glaringly comes up short is in the desktop technologies department and I don't see that being resolved anytime soon although there are certainly very interesting efforts afoot. MS has a far from elegant graphics architecture in GDI and DirectX but it's still a helluva lot better than anything Linux has right now. But then this has zero to do with its appropriateness as a server platform.

Conclusion
========
Despite the ridiculous claims in the aforementioned post, NT technology is no longer something to be regarded with disdain. The Linux zealots are starting to look more and more foolish when they make their own stupid claims of unqualified Linux superiority. I've started becoming more and more of an MS fan ever since I started using Win2K on the desktop, but I still keep a close eye on Linux because it has its own very interesting set of advantages. Windows Server 2003 may (or may not) be closing the gap, but I have little doubt that at this point in time, Linux still makes for a much better server platform and the more experienced one is, the more obvious that will become.

0

Also, I full well realize "Secure by default" is a marketing ploy. As far as OBSD is concerned, the base OS is all that's audited, right? Out of the box, sure it's secure by default-- isn't it true that the only thing it runs after a default install is OpenSSH? Sure, it's secure, but all you're going to be able to use it for is an SSH server. Using that logic, NetBSD, which has no ports open after an initial install, would be even more secure by default.

Absolutely , OpenBSD always gets justifiably ragged on for this 'secure by default' claim.

0

I used to think Windows servers would be more vulnerable to attack because hackers often hate MicroSoft. Then I found out the hard way that hackers use Linux boxes to learn how to hack.

Hackers use Linux boxes to learn how to hack, but what they learn on Linux they use to attack Microsoft boxes because administrators of the latter invariably have a shallower understanding of technologies and thus are unable to properly secure their systems beyond installing service packs and patches if and when they do come out.

Most serious *nix administrators understand the inner workings of their servers to a greater degree and have far far greater control of how their servers operate (it has to do with the design philosophy of the OS) and are thus more proactively in control of their machines - they are able to deal with security problems effectively even if a patch has not yet arrived.

0

I love these Windows vs. Linux discussions, looks like we have material to fill up databases with TB of opinions and points of view. ;)

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.