[ic] Wich linux distribution ?

interchange-users@interchange.redhat.com
Thu Dec 20 13:56:01 2001


I was going to start a security thread, and probably still should.  But 
since you bring it up....

Many Unix/Linux distributions (and Windows too) arrive out of the box,
with very poor security for hosting outside a firewall.  A good admin
knows how to shut off nearly everything, and set up ipchains or iptables to
protect the box to the max.  Many do not, however, and many an exploit has
leveraged the fact that some distributions install with anonymous ftp
enabled..  :-(

A secure server should be a dedicated server.  You should be able to 
portscan your own box, and see two ports open.  22 and 443.  And 22 should 
be firewalled to only allow your source IP.  nmap is an excellent tool for 
portscanning.  See www.insecure.org.  Fyodor also has a very old, but 
eye-opening list of exploits to peruse.  If you think you can put user 
accounts, ftp (with plaintext passwords), and other services on a secure 
server, you are kidding yourself, and doing an injustice to your clients.

Red Hat has seen the light, and since about 7.1, RH now installs in a 
pretty good (outside the fw) config, out of the box.  Most services are 
disabled, and you are asked to set up ipchains during OS install, if I 
remember correctly...

The bad news is that I couldn't get IC to run on my RedHat system.  The IC
rpms failed to give me a working demo.  I filed a bug report on the IC
site (ignored), and I begged for help on this list.  I delved into the
config files and tried to get a handle on what the perl code was doing.

I was a little stymied by the missing source for rlink.c, since this is 
the starting point of all web requests.  To get it, I was going to need 
the tarball, and since someone on the list suggested that the tarball 
works, I removed the rpms and went for the tarball...

Teeth gnashing, I struggled for many more hours before I finally 
discovered that my major problem (with the tarball release) was the perms 
that RH uses on the user's home directory..  700.  Arrgh!

The rpm install may have a workaround for the user home perms, but I never 
got the benefit of it.  Admittedly, I refused to allow CPAN to auto 
install the Interchange Bundle, because of a very bad experience I had 
with CPAN, but I have harped on that issue enough already....

I love RedHat.  It has been my choice for Linux for several years.  RH 7.3 
is great!

It hurts me to see all of the other Linux distros being recommended with 
high marks, and nobody says..  USE REDHAT.  Including me.

I did eventually get it working.  Honestly, it took me almost 20 hours, 
including time spent building up good will on this list so I could get 
some helpful answers.  And I documented, for the list, my fixes.

So, with reservations, I can say..  Use RedHat.  Use the 7.3 release if 
you can.  It has a pretty good security profile, out of the box.  Don't 
use the rpms though.  Use the tarball, and beware of the perms created on 
a user's home folder.  See my prior posts...

Someday I will post more on how and why to make a secure SSL server.

On Thu, 20 Dec 2001, alain abraham wrote:

> We are currently running a debian for file server, zope, ezmlm ...
> 
> Then I know a little about linux server adm.
> 
> But my question is about the big trouble of security. And especially for
> running only services necessary for Interchange.
> And I think the install process for debian give not the choice of a server
> configuration; The manual choice could be too much complex for me. then I
> try to know when there is a distribution like e-smith or smoothwall adapted
> for interchange.
> 
> Thanks MESSIEURS
> 
> Alain
> 
> -----Original Message-----
> From: interchange-users-admin@interchange.redhat.com
> [mailto:interchange-users-admin@interchange.redhat.com] On behalf of
> David Bronson
> Sent: Thursday, December 20, 2001 17:27
> To: interchange-users@interchange.redhat.com
> Subject: Re: [ic] Wich linux distribution ?
> 
> 
> I agree with Alexander that debian is a great distribution. You may not be
> happy with it as your first distribution though. The expectation is that you
> know what you are doing. It can't be beat for Linux network admins though..
> 
> Good Luck,
> 
> DB
> ----- Original Message -----
> From: alain abraham <alain.abraham@urbuz.com>
> To: <interchange-users@interchange.redhat.com>
> Sent: Thursday, December 20, 2001 5:34 AM
> Subject: [ic] Wich linux distribution ?
> 
> 
> > hello,
> > I am looking for "conseils" to choose a distribution for interchange running
> > on.
> >
> > Of course, I think about redhat 6.1, but is there a more server and free
> > oriented distribution for interchange.
> >
> > Thanks
> >
> > Alain
> >
> > _______________________________________________
> > interchange-users mailing list
> > interchange-users@interchange.redhat.com
> > http://interchange.redhat.com/mailman/listinfo/interchange-users
> >
> 

-- 
--------------------
Timothy Burt
Internet Specialist
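
Added example, not part of the original message: a shell check for the post's rule that a dedicated server should show only ports 22 and 443. It reads `ss -tln` output and lists any other non-loopback TCP listener; the function names and the sample listener table are constructed for illustration, and the source-IP restriction on port 22 is a firewall rule that this listener check does not cover.

```shell
#!/bin/sh
# Ports the post says a dedicated secure server should expose.
ALLOWED_PORTS="22 443"

# Read `ss -tln` output on stdin and print "port address" for each
# non-loopback TCP listener whose port is not in ALLOWED_PORTS,
# one line per offending port, lowest port first.
unexpected_listeners() {
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN {
            n = split(allowed, list, " ")
            for (i = 1; i <= n; i++) ok[list[i]] = 1
        }
        $1 != "LISTEN" { next }            # skip header and other states
        {
            port = $4; sub(/.*:/, "", port)       # text after the last colon
            addr = $4; sub(/:[^:]*$/, "", addr)   # text before the last colon
            # Loopback-only listeners are not reachable from the network.
            if (addr ~ /^127\./ || addr == "[::1]") next
            if (!(port in ok)) print port, addr
        }' | sort -n -u
}

# Constructed sample (not captured from a real host): a default-style
# install that still has ftp and portmap listening on all interfaces.
sample_listeners() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     0.0.0.0:443         0.0.0.0:*
LISTEN  0       32      0.0.0.0:21          0.0.0.0:*
LISTEN  0       100     127.0.0.1:25        0.0.0.0:*
LISTEN  0       128     [::]:111            [::]:*
EOF
}

# Demo on the sample; on a live host run: ss -tln | unexpected_listeners
sample_listeners | unexpected_listeners
```

An empty result means every network-reachable listener is on an allowed port; an outside portscan of your own box remains the check on what the firewall actually lets through.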