[Tfug] Multiple distros for security?

Jordan Aberle jordan.aberle at gmail.com
Thu Jan 22 22:05:27 MST 2009


Honestly, this sounds cheesy but a server is only as secure as you make it.
If you have good firewall rules and implement GRSecurity into your kernel
you will be very secure.  Even if someone gains access to a normal user
account it's almost impossible to gain root with the GRSecurity kernel
patch.  http://www.grsecurity.com  (grsecurity works with any Linux
kernel/distro but it requires configuration and a recompile of your kernel.)

I used to run a shell server and had several hack attempts by several very
smart individuals without success; they couldn't even modify .bash_history
to cover up what they were trying to do. grsecurity rocks.

If you have any questions about it feel free to email me directly
jordan.aberle at gmail.com

-Jordan


On Thu, Jan 22, 2009 at 9:54 PM, Matt Jacob <matt at mattjacob.com> wrote:

> Thanks for the suggestions, but I'm not really looking to switch to
> something else. I'm wondering if 3 locked-down Debian boxes, or 3
> locked-down CentOS boxes, or 3 locked-down FreeBSD boxes are
> inherently any less secure than 3 boxes comprised of 1 of each of
> those.
>
> I'm aware that some distros are more secure than others out of the
> box, but like I said, the distro isn't important. This is more about
> theory.
>
> Matt
>
> On Thu, Jan 22, 2009 at 9:49 PM, Tyler Nienhouse
> <flakeparadigm at gmail.com> wrote:
> > Agreed. As I have heard, OpenBSD is one of, if not the most, secure
> > operating system out there.
> >
> > -Tyler
> >
> >
> > On Thu, Jan 22, 2009 at 21:44, Jordan Aberle <jordan.aberle at gmail.com>
> > wrote:
> >>
> >> If you want a locked down secure server I would recommend OpenBSD,
> >> http://www.openbsd.org/
> >> They have only had two remote exploits in the last ten years, and even
> >> those never made it past proof of concept.
> >>
> >>
> >> -Jordan
> >>
> >> On Thu, Jan 22, 2009 at 8:40 PM, Matt Jacob <matt at mattjacob.com> wrote:
> >>>
> >>> Hi everybody,
> >>>
> >>> An issue came up at work recently while discussing the architecture
> >>> for a new DNS server deployment. It was suggested that using different
> >>> distros (Debian, FreeBSD, and probably CentOS) across each DNS server
> >>> would provide greater security in the event of a 0-day exploit against
> >>> a particular distro. While I don't disagree with that thinking, an
> >>> obvious con is that maintenance will take longer, software versions
> >>> will be out of sync, and admins will be forced to manage systems
> >>> they're not comfortable with.
> >>>
> >>> The question, then, is whether there is enough merit in distro
> >>> diversification to outweigh the added complexity and management time.
> >>> My feeling is that proven distros such as Debian, CentOS, Fedora,
> >>> SUSE, etc. are secure enough to stand on their own, and I think we've
> >>> seen this verified in the wild. However, I can't forget about the
> >>> Debian OpenSSL vulnerability not so long ago that seems to disprove my
> >>> theory. On the other hand, attacks against a particular piece of
> >>> software would apply to any system (Apache, MySQL, PowerDNS, etc.).
> >>>
> >>> Alright, enough of me thinking out loud. Spark some discussion and try
> >>> to convince me one way or the other.
> >>>
> >>> Thanks!
> >>>
> >>> Matt
> >>>
> >>> _______________________________________________
> >>> Tucson Free Unix Group - tfug at tfug.org
> >>> Subscription Options:
> >>> http://www.tfug.org/mailman/listinfo/tfug_tfug.org
> >>
> >>
> >
> >
>