Allen wrote:
On Thu, Jan 06, 2005 at 01:57:24PM +1300, Mike Tierney wrote:
Allen wrote:
You're on a SUSE list standing up for OpenBSD.
So what? There's absolutely nothing wrong with that.
Very true! In fact it's possibly a bad idea to "stick all of your eggs in one basket" and have a 100% homogeneous OS environment. For example, even though we're migrating all of our servers to SuSE SLES, it might be a good idea to have our Firewall running [open|net]BSD.
Why?? What's wrong with a SLES firewall?? Well if there *did* ever happen to be an exploit that affected the Linux TCP/IP stack, then people might (possibly) be able to run rampant across your network! However if you had a different OS for your firewall, then that would add an extra layer of network security. Possibly. Who knows!
If you like it so much tell them on their list.
Hell, maybe *BSD is more secure by default. SLES 9's default sshd_config isn't ideal, that's for sure! (I think it had "PasswordAuthentication no" but then it also had "UsePAM yes" as well... which OVERRIDES the first setting!!! End result... it still allows PasswordAuthentication unless you reconfigure PAM or set it to "UsePAM no"!).
Um, NO, BSD is NOT more secure than SUSE. SUSE lets you install, then update all patches BEFORE it's even been booted for the first time. That alone gives it a HUGE advantage over BSD.
That's not exactly what happens. The kernel HAS booted at that stage. It's just a special environment set up directly from the initrd (or something like that, I've never looked at how that syslinux thing works exactly). You could run stuff in that stage. In fact, you have terminals available if you want them. You can download using wget and install or simply run programs on the ramdisk. The only thing that hasn't happened yet is the normal boot process with init and all the init-scripts which form the normal environment. Of course the point is somewhat moot and I also like the way it is done. It's very flexible.
SUSE has a good firewall front end for IPtables, it updates before booting and X isn't even listening by default and you can shut down other services before it boots as well.
Put this in the hands of someone who isn't a complete moron and you have a very secure box. SSH by default.... Ummm, I needed to log in before it let me in, what are you talking about?
I don't have a SLES9 but I believe he means to say that PasswordAuthentication was still possible even with it set to off on sshd.
SuSE is great. *BSD's are all great. None of them are perfect, so there's no harm in comparing them.
I wrote docs for FreeBSD, I know it's great, but not more secure than SUSE. Let it be known any OS can be made secure. Including DOS. Think about it, one user, one task, well, be the one user doing the one task and it can no longer handle any more applications. You would of course need a custom app to take the risk of more threads being created so someone COULD hack into it, but it can be done.
There are two very great articles on this topic:
Why Linux will never be as secure as OpenBSD: http://www.seifried.org/security/os/20011107-linux-openbsd.html
Then follow up with Why OpenBSD will never be as secure as Linux: http://www.seifried.org/security/os/20011107-openbsd-linux.html
Note that both articles are quite old and are outdated. The essence is still there though.
3 years ago I tried out LIDS. It can make your linux box absolutely unusable for anyone without the access key. You can really give everyone the root pw once it's setup. They can't do any damage. But it's a huge PITA to setup. Ultimately though, if you're really really really paranoid, it's the thing to do. As I said that was 3 years or longer back and I don't know where it is today. But you can really seal off a Linux box in a way BSD just can't. Whether you want or need that is an entirely other matter though. And I believe I've heard that the BSD folks are working on something similar.
-- 
C U - -- ---- ----- -----/\/ René Gallati \/\---- ----- --- -- -
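Mike's sshd_config point earlier in the thread (PasswordAuthentication no sitting next to UsePAM yes) is something a defender can check mechanically rather than by eye. The script below is an added example written for this page, not code from anyone in the thread: it parses sshd_config text using sshd's rule that the first value read for a keyword wins and reports whether a password can still be offered at login. The upstream OpenSSH defaults and the route by which PAM collects a password over keyboard-interactive (ChallengeResponseAuthentication, later renamed KbdInteractiveAuthentication) are my assumptions, not something the thread states.

```python
"""Audit sshd_config text for the PasswordAuthentication / UsePAM interaction."""

# Assumed upstream OpenSSH defaults; a distribution's shipped file may differ.
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "usepam": "no",
}

# Newer OpenSSH spells the keyboard-interactive switch differently; treat as alias.
ALIASES = {"kbdinteractiveauthentication": "challengeresponseauthentication"}


def parse_sshd_config(text):
    """Return effective keyword values. sshd keeps the FIRST value it reads for
    a keyword and ignores later duplicates. Match blocks are not modelled here."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.replace("=", " ").split(None, 1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        effective.setdefault(ALIASES.get(key, key), value)
    return effective


def password_login_possible(text):
    """True if a password can still be offered at login. With UsePAM yes, PAM can
    prompt for a password over keyboard-interactive even when
    PasswordAuthentication is no, unless ChallengeResponseAuthentication is off."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    direct = cfg["passwordauthentication"] == "yes"
    via_pam = cfg["usepam"] == "yes" and cfg["challengeresponseauthentication"] == "yes"
    return direct or via_pam


# Constructed sample resembling the configuration discussed in the thread.
SAMPLE_BAD = """
# constructed example, not a real SLES file
PasswordAuthentication no
UsePAM yes
"""

# Constructed hardened variant: PAM stays enabled but cannot collect a password.
SAMPLE_GOOD = SAMPLE_BAD + "ChallengeResponseAuthentication no\n"

if __name__ == "__main__":
    for name, text in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(name, "password login possible:", password_login_possible(text))
```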