Focus on Linux
Selecting OS for High-availability/mission-critical web portal Nov 29 2006 02:13PM
Mohammad Halawah (mhalawah gmail com) (3 replies)
Re: Selecting OS for High-availability/mission-critical web portal Dec 04 2006 09:08PM
Ronald MacDonald (ronald rmacd com) (2 replies)
Re: Selecting OS for High-availability/mission-critical web portal Dec 06 2006 10:30AM
Javier Miguel Rodríguez (javier miguel talika eii us es)
RE: Selecting OS for High-availability/mission-critical web portal Dec 06 2006 08:08AM
Mario A. Spinthiras (mario netway com cy) (1 replies)
Re: Selecting OS for High-availability/mission-critical web portal Dec 08 2006 07:26PM
Corey A. Johnson (cjohnson cniweb net) (1 replies)
Re: Selecting OS for High-availability/mission-critical web portal Dec 12 2006 08:05PM
Razvan Cosma (razvan cosma catv telemach ro)
Re: Selecting OS for High-availability/mission-critical web portal Dec 03 2006 02:57AM
hwertz voltron homelinux org (1 replies)
RE: Selecting OS for High-availability/mission-critical web portal Dec 02 2006 07:08PM
terry (tvernon24 comcast net) (1 replies)
Re: Selecting OS for High-availability/mission-critical web portal Dec 03 2006 10:43PM
Vishal (vishal gnutech gmail com)
hi there ,

security is not alone depends on an OS doesnt matter if its BSD or Linux
, it depends how you configure your services , are you patching them ?
are you keep looking at new security problems of OS and the apps you are
running on the server ? .

For example you will be running Apache on your server , now if you are
not going to configure it properly then of course thats a security problem,
so to avoid that you can run apache on some other port , you can use
mod_security module with apache.

You said DOS attacks well these days ppl have broadband connections and
have nice powerful machines so D0s is kinda dead but still you can
prevent them all if you know how to use iptables and how to block
ICMP/UDP protocols .

Then if you know about Denyhost script you can prevent ssh brute force
attacks , tunnel your ftp / telnet sessions through IPV6 .

as terry said a kernel is only a kernel its on you how you configure it.

comparing too different OS's is not good, OS security is the last
thing i will see then application security and the management of server
, i mean beat this -- " you have a secure OS / secure apps / but a lame
root passwd ? what in that case an OS going to do? for me nothing.

so instead of bothering about OS see how can you make it secure.

i have 20 servers running on gentoo linux and having no problems with
them and all of them have uptime more then 3 years now .

so its all how you manage your stuff .

if you require more info or any help do mail me

Regards

vishal

terry wrote:
> Here's a better question. How experienced are you with either? Why those two
> for a comparison? If I were going to do anything with OpenBSD it might be a
> firewall on a low bandwidth network. It isn't much use for anything else
> with FreeBSD being available. It's legendary security comes from having
> everything turned off by default, turn it back on then it's no better than
> any other. It's a gimmick with the whole "default" wordplay. Performance as
> you said is terrible.
>
> Any one of the good Linux distros would suit you fine. A 2.6.x kernel is a
> 2.6.x kernel no matter which company ships it. Make sure your source
> directories stay up to date with the STABLE release of whichever OS you
> choose. If you are stuck on BSD FreeBSD is the best current option. However
> if you have no experience with any of these security won't matter. A simple
> mistake could let the whole world in or cause it to crash (IE- using the
> wrong compiler flags while trying to squeeze performance out of a system)
>
> If I were you and had this task I'd get a copy of your own favorite linux
> and strip the kernel down to what is only needed to run whatever software
> you're running, recompile, then keep an eye on your applications security
> advisories and update as necessary. Don't run software that you don't need.
> SELinux always broke whatever it was I was trying to use so I don't have any
> good stories about it. A small kernel, limited applications, and common
> sense go a long way with security and stability.
>
> Terry
>
> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On
> Behalf Of Mohammad Halawah
> Sent: Wednesday, November 29, 2006 8:14 AM
> To: focus-linux (at) securityfocus (dot) com [email concealed]
> Subject: Selecting OS for High-availability/mission-critical web portal
>
> Dear all,
>
> I am a new system administrator for a company planning to create a web
> portal
> which provides email, IM, e-buisness, and search engine. Liferay is our
> portal management tool.
>
> I am searching for the best OS to be our platform. The required featuers are
> :
>
> Attack resistance (I expect lot of attacks specially DoS).
> Stability.
> Performance.
>
> Linux and OpenBSD are the main candidates for this mission.
> Here I am listing my findings.
>
>
> OpenBSD:
> Pros
> ^^^
> Security oriented on its base level (compilers, syscalls).
> System over all stability.
>
> Cons
> ^^^
> Performance is not the first priority. Benchmarks shows clear performance
> degradation when compared to Linux 2.6.x.
> Package management is not easy to handle like (e.g. apt-get and yum).
> User community/developers are quite small.
> By using third-party packages (e.g. liferay, apache), system security falls
> back to those applications security level. (The system is secure as the
> weakest link in the chain).
> The project has financial problems (e.g.
> http://www.linuxsecurity.com/content/view/122166/169/) which means that it
> might not survive.
>
>
>
> Linux Debian with SELinux:
> Pros
> ^^^
> Apply mandatory access control (SELinux)
> SELinux improves access control as whole, and immunity towards malware
> (proactive approach).
> Larger community, more howtos.
> Stability.
> Tons of ready made packages.
> Very easy security patching system, supported by good security team.
> Our main services (Apache MySQL, Tomcat, and Liferay) were tested mostly for
>
> Linux boxes.
>
> Cons
> ^^^^
> Performance degradation of 7% (SELinux)
> (http://www.crypt.gen.nz/selinux/faq.html#WWW.14).
>
>
> My thoughts are that:
>
> *OpenBSD will become vulnerable as much as the running service on top of it.
>
> Hence I will lose the legendary security it has.
>
> *When I look at top 51 (http://uptime.netcraft.com/perf/reports/Hosters)
> Linux
> had 45% share. Which means that it is highly secure.
>
> * With OpenBSD I am not going to spend time hardening it but rather trying
> to
> get the services (MySQL, Apache, ...) running on top of it. While in Linux
> installing the services is easy but I need to spend good time hardening the
> OS itself.
>
> Any hint/comment is welcome.
>
>
>
> Best regards,
> Mohammad
>
>
>

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus