Ask Leo! by Leo A. Notenboom

I Love Linux, But...


Comments

All Comments on: I Love Linux, But...


Leo, you bring up some valid points, however we should remember that Linux is a tweakers system only. You should only have a Linux server if you know something about computers. Coming from a Windows world, you tend to expect things all wrapped into one, and for it to "just work." This is not however the philosophy of Linux software. In Linux (and Unix in general) one program should do one thing right, and then let another application take the next step. So you will need to install a firewall, I would just mount one on the rack instead of using software. And, in the grand scheme of things, we should keep in the light that Windows has issues as well, so if you want a computer that has less problems (aol keyword less), then Mac is the only choice.

Posted by: mike at July 7, 2005 1:48 PM

Well, I guess that's my point: Linux isn't for "normal" people :-). Sadly, though, by holding to that strategy, Linux will continue to be an elitist, niche product, and less than 'l33t' users will continue to get compromised.

Yes, you do need additional parts (small pieces each doing their job well is a wonderful, wonderful, thing). I just don't see why some - if not most - of the distros don't include those parts ready to go. There's nothing I'll do to my build out that couldn't be there by default. By making it a difficult, extra step, they're allowing it to remain either, as I said, a niche platform, and/or a big security risk for folks that want to use it for the many things it's oh so good at.

Posted by: Leo at July 7, 2005 2:10 PM

All I can say is you HAVE to be kidding me. It took Microsoft a long time to get security? They STILL haven't gotten it. Remote intrusion is an awfully narrow way to look at security. It must be one of the top things to consider yes, but as an IT professional I have to say, I have had nothing but security problems on Windows through browser problems etc. (Not me but customers of course, I use Firefox)

You say you have to do a laundry list of things to make Linux secure? This WAS the case with older Linux distributions. But all the tools and functions were/are included to do it. I don't have to purchase expensive software like I do on Windows to make this happen.

The only way to rely on having a secure Windows system is not to rely on Windows. You HAVE to get 3rd party software (which is usually pricey) to lock things down.

With that said, any system you buy you have to consciously ensure it is locked down. And the more you understand the security risks, and how you can be exploited, the better off you are. In fact, Windows users have to understand these things just as much (if not more due to so many holes in things like IE). You really made it sound as if you are a Windows user, there is nothing you need to do. Which is terribly irresponsible, even if you didn't mean to make it sound that way.

Linux is only as secure as Windows 98? Come on, you have to be joking. This podcast sounds as if it is purposely flame bait.

In the 8 years I have used Linux, I have had 1 machine hacked into and that was 6 years ago. I have had numerous Windows servers compromised repeatedly. My company has had the same problems as well. They have not had a single Linux box busted open in the 4 years I have been here.

This cast is obvious it is from someone who is not aware of the options available for software updates. You make it sound as if it is almost rare, and if it is there it doesn't work. Are you kidding me? Package management and updates are a dream, and frequent at that.

Everyone is of course entitled to their opinion, but to me it seems this one is based on lack of knowledge about a specific platform.

No, Linux is not for my grandma. Windows has some great features and some great software. Each have their place, and I like each of them for their own strengths. I am no Linux snob. In fact I have 2 Windows machines, 1 Linux machine, and my main machine is a G4. Linux has some problems to overcome, this is true. Windows has problems to overcome, and these I find far more serious.

I have to admit, I am so amazed by the lack of insight in this single podcast that I do not think I could rely on objective, educated insight on any other topics. I am sure you have a lot of knowledge about a lot of things, but based on this podcast, I simply cannot rely on the right answers. I listened to my last one.

Posted by: KryptonianSon at July 7, 2005 2:23 PM

I'm sorry to lose you as a listener, but so be it.

I certainly don't mean to infer that Windows is perfect - far from it. But one of my obvious frustrations with Linux is what I consider to be a fairly myopic view by many of its supporters that it's so much more secure than Windows. Obviously I disagree. It's insecure in different ways, of course, but still to assume that an out of the box Linux install even tries to be secure is a frustrating fallacy.

My laundry list costs nothing but time. It includes things like the simple advice that so many people "just know" - turn off ftp, disable remote root login, and much more. It includes a lot of good, FREE software, such as firewalls and monitoring solutions, and a lot more. My question is not that those things aren't available, my frustration is that they're not there to begin with. Why is there not a distro that has these types of solutions in place, ready to go?

If there is, please tell me. I've been through several and have yet to find one that meets my criteria. What I have found, on several very helpful Linux community sites, are instructions to build what I want myself - the fodder for my laundry list.

Yes, I feel the same frustration that many Windows users feel. I just want it to work - I don't want to, nor do I feel I should have to - go running around to add all the utilities and tweak all the config settings to make it safe.

I stick with what I inferred: I have yet to find a truly reliable automatic update solution for any Linux distro. Redhat's subscription (for $$) is perhaps the best and what I'll be relying on in the future, and Debian's looks promising as well. But neither are perfect, and both have caused me issues in the past.

Thanks for your comments though, even if you choose to leave.

Posted by: Leo at July 7, 2005 3:01 PM

I was just wondering what distribution of Linux you were using at the time of this incident? About the only way you can have such a security compromise is if you expose your root account and password to the outside world. This could be possible if you were running a very old distro with remote access via an unencrypted protocol or if your choice of passwords did not follow simple security precautions.

I would suggest you take a look at ClarkConnect (http://www.clarkconnect.org) if you are looking for a basic server system with all your requirements (firewall/security/services) preinstalled. If you need more than this then check out any of Novell's (http://www.novell.com/products/linuxenterpriseserver) Linux server products or Red Hat or one of their free alternatives (http://www.centos.org/). All of these distributions have everything that you are looking for and some great support resources.

P.S. You are a brave person to hold your hand up, proclaim your love of Windows and then proceed to outline your worries about Linux security. Good luck and get in touch if you need any help :-)

Posted by: David at July 7, 2005 3:14 PM

I have to ask, what distribution are you using and what version? Answers to both questions are important. What distribution/version were these systems that were busted into?

It has been a while (several years) since I have used a mainstream Linux distribution that didn't have the firewall configuration as part of the initial installation process. Turn it on and you're done, no extra work. And you can choose which ports/services you want.

Let's use Redhat as an example. If you do a desktop installation you don't get these extra daemons you are referring to. If you do a server install, then it is expected that is what you want, server software. Go in custom and don't install those services during install time. All this gets saved in your anaconda config file in /root. Anytime you want to have that configuration you can pop in a floppy (and many other ways) to grab the file and it will preserve your settings.

Now, I have used Windows since 3.0 with media extensions ( ;-) How is that for showing age heh. ) I can go back years to show that a Firewall has been included in default installations, and configuration as part of the installation. No one can say that as a track record for Windows.

You mention a "laundry list" of things that has to be done. I think it would be helpful for you to give us that list. Perhaps someone will have a good/easy solution for you so you don't have to do anything tedious. Perhaps some distro developers/maintainers will read it and a light will go on and they will fix the issues. Or, maybe there is a distribution that someone knows of that will take care of all your issues. The only way to give advice, is to know the complete problem, I am sure you would agree. If not for this reason, I think it would be important to list this out in your reply just so we have a better idea of what is causing you all this trouble.

On to software update management etc. One word, yum. It has a daemon that will take care of it all for you. And up2date works with it (well). Give that a shot. I have not had a single issue with it. I haven't had to manually update any packages in well over a year. I have had nothing but success with current version of up2date (included in Fedora). I will agree, up2date had a shaky start, but again, that was a few years ago.

Please note, that my responses are with utmost of respect. Again, I agree, we all have a right to our opinions.

Posted by: KryptonianSon at July 7, 2005 3:35 PM

This podcast is just flame-bait. There was absolutely no intelligence or valid argument to it at all.

It should have been obvious at the beginning, but I took the bait. Erg! I mean come on! Leo might know enough to secure a windows box (which requires many more steps), but doesn't have a damn clue about securing a Linux box.

Managing servers is not for idiots with "Security Centers".

Posted by: Fungus at July 7, 2005 5:41 PM

David: thanks for the pointers.

Absolutely the compromised systems were running old/out of date distros. (Redhat 9, which hit end-of-life). No question there.

My frustrations and issues are around the next generation that I'm building out. It'll be Redhat Enterprise. What I've seen so far indicates that it'll still take further tweaking to lock it down appropriately.

Brave? I dunno. Considering some of the other posts I'm seeing here, I'm not sure brave is the word I'd use. But I believe in raising issues and awareness, and I knew I'd learn more out of the resulting discussion (when it *is* a discussion, that is :-).

Thanks for your comments.

Posted by: Leo at July 7, 2005 6:07 PM

KryptonianSon: RH9, past end of life. So the system compromise is, in hindsight, not at all unexpected. As I said to David, my frustrations surround the things that still have to be done to harden the system out of the box - even current systems.

Certainly most, if not all, linux distros include ipchains/iptables - not sure if that's what you're referring to as a firewall. I *love* iptables, it's incredibly powerful - if there's a basic configuration in place out of the box, then I'll be happier. But configuring it, as I'm sure you're aware, is non-trivial. And while there are packages like APF, which looks very interesting and which I'll be looking into as a wrapper for iptables, I'd really expect that to be part of the distro these days. (If it or something like it is ... fantastic!)

As for my laundry list - yes, I do plan to publish it, actually, as I work through the build-out. But if things like "turn off ftp" and "disable remote root ssh login" still have to be on it, then I'll be quite disappointed. (Those are just simple, obvious, examples of a longer list.)

I'll absolutely be looking at YUM.

And thanks again for your comments ... they're appreciated.

Posted by: Leo at July 7, 2005 6:19 PM
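
Added example, not part of any comment in this thread: a small audit for the two checklist items named above ("turn off ftp" and "disable remote root ssh login"), run against a copy of `sshd_config` and captured listener output. The function names, the temp-file layout, the sample contents and the use of `ss -ltn` output are assumptions made for illustration.

```sh
#!/bin/sh
# Constructed example: file names and sample contents are illustrative.

# Print the effective global PermitRootLogin value from an sshd_config file.
# sshd keeps the FIRST value it reads for a keyword, keywords are
# case-insensitive, and the global section ends at the first Match block.
sshd_root_login() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Exit 0 if `ss -ltn` output on stdin shows a listener on TCP port 21.
ftp_listening() {
    awk '$1 == "LISTEN" && $4 ~ /:21$/ { hit = 1 } END { exit !hit }'
}

# $1 = sshd_config path, $2 = file holding captured `ss -ltn` output.
audit() {
    rc=0
    case "$(sshd_root_login "$1")" in
        no) echo "PASS remote root ssh login disabled" ;;
        *)  echo "FAIL PermitRootLogin is not 'no'"; rc=1 ;;
    esac
    if ftp_listening < "$2"; then
        echo "FAIL a service is listening on TCP 21 (ftp)"; rc=1
    else
        echo "PASS no ftp listener"
    fi
    return "$rc"
}

demo=$(mktemp -d)
cat > "$demo/sshd_config" <<'EOF'
Port 22
#PermitRootLogin no
PermitRootLogin yes
PermitRootLogin no
EOF
cat > "$demo/ss.txt" <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      32     0.0.0.0:21         0.0.0.0:*
EOF
audit "$demo/sshd_config" "$demo/ss.txt" || echo "hardening items remain"
```

The sample config fails even though it contains `PermitRootLogin no`, because the earlier `yes` line is the one sshd honours; a setting that appears only inside a `Match` block is reported as `unset` for the global section.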

Fungus: sorry you feel that way. My frustrations, and opinions, are genuine. Yes, yes, I know that security centers aren't necessarily the way to manage enterprise servers ... but the example represents a basic level of functionality that, in all honesty, I found missing in Linux.

I see it as a huge lost opportunity for the Linux community to make Linux more accessible to more people by simply making the default distro more secure out of the box. My experience so far is that has not been the case.

Some of the comments I've seen so far here give me a little hope that my next experience will prove me wrong.

Thanks,

Leo

Posted by: Leo at July 7, 2005 6:25 PM