[ic] Which linux distribution ?

interchange-users@interchange.redhat.com
Thu Dec 20 14:20:00 2001


Oops..  Make that RH 7.2..  :-)

On Thu, 20 Dec 2001 tburt@timburt.com wrote:

> 
> I was going to start a security thread, and probably still should.  But 
> since you bring it up....
> 
> Many Unix/Linux distributions (and Windows too) arrive out of the box,
> with very poor security for hosting outside a firewall.  A good admin
> knows how to shut off nearly everything, and set up ipchains or iptables to
> protect the box to the max.  Many do not, however, and many an exploit has
> leveraged the fact that some distributions install with anonymous ftp
> enabled..  :-(
> 
> A secure server should be a dedicated server.  You should be able to 
> portscan your own box, and see two ports open.  22 and 443.  And 22 should 
> be firewalled to only allow your source IP.  nmap is an excellent tool for 
> portscanning.  See www.insecure.org.  Fyodor also has a very old, but 
> eye opening list of exploits to peruse.  If you think you can put user 
> accounts, ftp (with plaintext passwords), and other services on a secure 
> server, you are kidding yourself, and doing an injustice to your clients.
> 
> Red Hat has seen the light, and since about 7.1, RH now installs in a 
> pretty good (outside the fw) config, out of the box.  Most services are 
> disabled, and you are asked to set up ipchains during OS install, if I 
> remember correctly...
> 
> The bad news is that I couldn't get IC to run on my RedHat system.  The IC
> rpms failed to give me a working demo.  I filed a bug report on the IC
> site (ignored), and I begged for help on this list.  I delved into the
> config files and tried to get a handle on what the perl code was doing.
> 
> I was a little stymied by the missing source for rlink.c, since this is 
> the starting point of all web requests.  To get it, I was going to need 
> the tarball, and since someone on the list suggested that the tarball 
> works, I removed the rpms and went for the tarball...
> 
> Teeth gnashing, I struggled for many more hours before I finally 
> discovered that my major problem (with the tarball release) was the perms 
> that RH uses on the user's home directory..  700.  Arrgh!
> 
> The rpm install may have a workaround for the user home perms, but I never 
> got the benefit of it.  Admittedly, I refused to allow CPAN to auto 
> install the Interchange Bundle, because of a very bad experience I had 
> with CPAN, but I have harped on that issue enough already....
> 
> I love RedHat.  It has been my choice for Linux for several years.  RH 7.3 
> is great!
> 
> It hurts me to see all of the other Linux distros being recommended with 
> high marks, and nobody says..  USE REDHAT.  Including me.
> 
> I did eventually get it working.  Honestly, it took me almost 20 hours, 
> including time spent building up good will on this list so I could get 
> some helpful answers.  And I documented, for the list, my fixes.
> 
> So, with reservations, I can say..  Use RedHat.  Use the 7.3 release if 
> you can.  It has a pretty good security profile, out of the box.  Don't 
> use the rpms though.  Use the tarball, and beware of the perms created on 
> a user's home folder.  See my prior posts...
> 
> Someday I will post more on how and why to make a secure SSL server.
> 
> On Thu, 20 Dec 2001, alain abraham wrote:
> 
> > We are currently running Debian for a file server, zope, ezmlm ...
> > 
> > So I know a little about Linux server administration.
> > 
> > But my question is about the big trouble of security, and especially about
> > running only the services necessary for Interchange.
> > And I think the install process for Debian does not give the choice of a server
> > configuration; the manual choice could be too complex for me. So I am
> > trying to find out whether there is a distribution like e-smith or smoothwall adapted
> > for Interchange.
> > 
> > Thanks, gentlemen
> > 
> > Alain
> > 
> > -----Original Message-----
> > From: interchange-users-admin@interchange.redhat.com
> > [mailto:interchange-users-admin@interchange.redhat.com] On behalf of
> > David Bronson
> > Sent: Thursday, December 20, 2001 17:27
> > To: interchange-users@interchange.redhat.com
> > Subject: Re: [ic] Which linux distribution ?
> > 
> > 
> > I agree with Alexander that debian is a great distribution. You may not be
> > happy with it as your first distribution though. The expectation is that you
> > know what you are doing. It can't be beat for Linux network admins though..
> > 
> > Good Luck,
> > 
> > DB
> > ----- Original Message -----
> > From: alain abraham <alain.abraham@urbuz.com>
> > To: <interchange-users@interchange.redhat.com>
> > Sent: Thursday, December 20, 2001 5:34 AM
> > Subject: [ic] Which linux distribution ?
> > 
> > 
> > > Hello,
> > > I am looking for advice on choosing a distribution to run Interchange
> > > on.
> > >
> > > Of course, I am thinking about Red Hat 6.1, but is there a more server-oriented
> > > and free distribution for Interchange?
> > >
> > > Thanks
> > >
> > > Alain
> > >
> > > _______________________________________________
> > > interchange-users mailing list
> > > interchange-users@interchange.redhat.com
> > > http://interchange.redhat.com/mailman/listinfo/interchange-users
> > >
> > 
> 
> 

-- 
--------------------
Timothy Burt
Internet Specialist
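
Added example, not part of the original message: a local self-audit for the "only 22 and 443 open" rule described above. It parses the Linux `/proc/net/tcp` table and reports listening sockets on any other port. The sample table is constructed, the function names are illustrative, and the address decoding assumes a little-endian host (x86) and IPv4 only.

```python
import socket
import struct

ALLOWED_PORTS = {22, 443}   # the two ports the post says should be visible
TCP_LISTEN = "0A"           # value of the "st" column for a listening socket

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1
   2: 00000000:0015 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1
   3: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1004 1
   4: 0A00000A:0016 0B00000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 1005 1
"""

def decode_addr(field):
    """Turn 'HHHHHHHH:PPPP' into (dotted_ip, port)."""
    ip_hex, port_hex = field.split(":")
    # The address is printed as a native-endian 32-bit word; little-endian assumed.
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def listeners(table):
    """Return (ip, port) for every socket in LISTEN state, skipping the header."""
    found = []
    for line in table.splitlines()[1:]:
        cols = line.split()
        if len(cols) >= 4 and cols[3] == TCP_LISTEN:
            found.append(decode_addr(cols[1]))
    return found

def audit(table, allowed=ALLOWED_PORTS):
    """Return network-reachable listeners on ports outside the allowlist."""
    findings = []
    for ip, port in listeners(table):
        # Loopback-only listeners are not visible to an outside port scan.
        if port in allowed or ip.startswith("127."):
            continue
        findings.append((ip, port))
    return sorted(findings)

if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:
            table = fh.read()
    except OSError:
        table = SAMPLE  # fall back to the constructed sample off Linux
    for ip, port in audit(table):
        print(f"unexpected listener: {ip}:{port}")
```

This shows what the host itself is listening on; it does not show what the firewall filters, so an outside scan is still needed to confirm that port 22 is limited to one source IP.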