Ask Leo! by Leo A. Notenboom

I Love Linux, But...


Comments

All Comments on: I Love Linux, But...


*Sigh*. For an "expert" it's a wonder you have not heard of Bastille. I have been using it for years.

http://www.bastille-linux.org/

"The Bastille Hardening program "locks down" an operating system, proactively configuring the system for increased security and decreasing its susceptibility to compromise. Bastille can also assess a system's current state of hardening, granularly reporting on each of the security settings with which it works."

"Bastille supports a number of Linux distributions and operating systems. In the RPM-focused world, it supports Fedora Core, Red Hat Enterprise, Red Hat Classic (Red Hat 6 through 9), SuSE and Mandrake systems."
http://www.bastille-linux.org/redhat.html

Compare the above instructions for deploying Bastille on Red Hat or SuSE to Microsoft's guide to securing Win2k3 server.
http://go.microsoft.com/fwlink/?LinkId=14845

With its inline documentation, Bastille is actually a lot easier for beginner and intermediate skilled administrators to deploy.

It now also includes an assessment mode, which I have found provides a far more reliable report than Microsoft's recent "security center".
http://www.bastille-linux.org/assessment.html

"This work was sponsored by the U.S. government's Technical Support Working Group (TSWG). TSWG funded the U.S. Navy's Space and Naval Warfare (SPAWAR) Systems Center San Diego to provide Bastille Linux with an auditing capability. The effort also provided for adding some additional Department of Defense hardening steps within Bastille and documentation. The project is called Fort Knox for Linux."
http://software.newsforge.com/software/05/04/19/1256244.shtml

If you stick to the packages provided in the distribution, I have found both Red Hat and SuSE far easier to maintain and keep up to date than either Win2k or Win2k3 servers.

Posted by: David Mohring at July 7, 2005 7:56 PM

Leo,
As with any computer system, it is quite nearly impossible for any one person to be an expert in the security arena. I personally and corporately have been supporting Mandriva, which was Mandrake Linux.
In the initial install, you are definitely given options to default your system to completely locked down.
In my opinion, as long as your distro can be kept up-to-date (Mandriva's urpmi or their club membership and proprietary update software do the job at different levels), then the shorewall/iptables solution offered by default on Mandriva installs should protect 90% of Linux users. When holes need to be opened in the firewall, then those users should hold themselves responsible for keeping those applications up-to-date and secure.

Posted by: Eric Standlee at July 7, 2005 8:10 PM

SuSE Linux activates the firewall at install time; you can use Yast (an exceptional graphical configuration tool) to configure it afterwards.

The desktop setup will not install any dangerous server software (turning off ftp? if you don't need it why did it ever get installed?). You can always use Yast to add and configure these packages later if you find you need them, and it will automatically open only the required ports in the firewall.

Automatic updates are handled by YOU (Yast Online Update), which can be enabled in fully automatic mode, or with a system tray icon that is green when you're up to date, yellow if non-critical updates are available and red for critical updates.

I've tried many Linux distros; for those who prefer to avoid the command line, SuSE is my winner by a mile. Maybe you should look at that, or another Norton distro, like SLES, if you need the enterprise versions for work.

Posted by: Paul Howie at July 8, 2005 2:37 AM

Thanks Paul. In my case, I'm in the opposite camp: command line all the way. These are remotely hosted servers, and everything is via ssh, and any installed web-based control panels.

My experience with SuSE was only "OK". I personally find Debian a little more intuitive to set up and run, and more compatible with more of the hardware I had at the time I tried it all.

Posted by: Leo at July 8, 2005 8:45 AM

Leo,

Everyone here seems to agree on the firewall issue: you can easily enable the firewall at install time in nearly every mainstream distribution, Red Hat since their 7 series if I remember correctly. You choose from a simple list of services to open up. You're done. (Tweaking is always good no matter what OS you use.)

I would like to encourage you to do one thing in your laundry list. Remember, when working with a distribution, that is what you are reviewing, a distribution, not Linux in general.

We have given you a list of alternative distributions to go after. If you are locked down to Red Hat Enterprise or Debian, you have to write from a perspective that these don't cut it for you. Believe me, there are a lot of choices, and that is the point in the Linux world. There has to be one that fits your needs. Try and be a little flexible on it.

I would highly recommend getting a system and installing all the distributions we have suggested to you. See which one fits the bill for you. I think everyone here has been helpful with giving you a good place to start. Hope it all works out for you.

Posted by: KryptonianSon at July 8, 2005 11:22 AM

Oh Leo, one more thing. I noticed you mentioned you use ssh and web-based control panels. I am sure you are aware of it, but I will state it anyway. Take a look at www.webmin.com. Webmin is one of the best web-based control panels you can find. And it has a great developer, Jamie Cameron, who is VERY responsive to feedback. It is very mature and makes a lot of tasks very easy to perform, including firewall configuration. Have a look.

Posted by: KryptonianSon at July 8, 2005 11:28 AM

Thanks again, KryptonianSon. In this case my customer's not really interested in learning yet another web admin tool (having been through Ensim and cPanel). We're settled on cPanel, which has done reasonably well by us, *if* you're also aware of what it *doesn't* do (which fed my frustration in the first place). I also use Plesk on one of my servers.

I've heard good things about Webmin, but I also just checked, and it's not offered by the server farm we're dealing with.

Thanks again.

Posted by: Leo at July 9, 2005 8:42 AM

Gentoo... add the use flag "hardened" ... and take a look at the handful of hardening apps in portage. Portage does almost all the legwork for you.

While Gentoo is non-trivial to install... it makes almost everything post-install trivial if you use portage correctly.

Posted by: georgia_tech_swagger at July 9, 2005 1:04 PM

All: I've added an article that is the laundry list I used: http://ask-leo.com/how_should_i_set_up_my_linux_web_server.html

Posted by: Leo at July 24, 2005 7:04 PM

I love Linux,
but presently my headache is how to use ssh or telnet, because right now I'm using a MySQL database
and working inside the root directory, which is not common.
Can somebody help me to solve this problem?

(I'm only using one computer (server/client itself).)

Or just give me some idea of how to use MySQL on the client side.

I don't even know how to connect to the server side.
I'm using Mandrake Linux 10.1.

Thanks,

geo

Posted by: g que at August 23, 2005 9:18 PM