What ready made hardened Linux distributions are there, with good management tools?
I am talking about distros which have everything locked down but have good GUI tools to unlock and configure the parts which need to be accessed. Scripts which can also harden basic installations but have good GUI management tools are also welcome.
I have been aware of http://configserver.com/index.html for some time. Any good experiences with it? Are there other similar systems?
Comments
This seems a little mixed up to me. You don't have "everything locked down" and hardened, and then add GUI management tools. There's a bit of a disconnect there.
If this is for a desktop, I use Qubes OS. It's excellent.
Debian 8 servers with OpenSSH private/public key pairs, with ufw allowing ports on ssh ports, and anywhere else needed and with default deny on.
Any minimal Linux distro install is "hardened". There simply isn't anything to exploit, besides sshd maybe. Then the users un-harden it by never installing updates (especially for content management systems) and by using control panels.
So, there is no difference between a distro that properly configures SELinux or AppArmor and one that doesn't or installs a pretty-much-anything-goes policy?
While partly true, it differs if you just install software on this core system or install it and also harden it by using different tools like SELinux mentioned by @singsing
I would recommend checking out https://wiki.gentoo.org/wiki/Project:Hardened
In a server situation, that may be at least mostly true. For a desktop, things are different. If you're looking for privacy and security, then the truly paranoid (and there are many) consider Linux to be almost as much of a security nightmare as other operating systems. The required thinking really depends on the threat model.
Linux is no panacea, to be sure. But I wouldn't go so far as to put it in the same boat as Windows ...
I bet you're right. I just have never used Windows and therefore am always a little careful about what I say about it. However, I see what looks like perfectly competent people using it, and that always surprises me. It makes me think that they know something that I don't know. Either that or they just have different priorities.
PS: I wasn't actually thinking about Windows, but all those other Nixes and stuff. Besides there's so much more than the OS when it comes to security. Just ask Snowden.
A ready made VM or OS template is more like it. A ready made template with the necessary hardening in place and the GUI tools to unlock and secure whatever facilities need to be opened up is the idea.
I'm guessing this is for server use, since that's what is mostly discussed here. But I'm still not sure.
Sorry, but security is the inverse of convenience. There is not any magic dial you can turn from "1 is least secure, 10 is impenetrable" with cool checkboxes. You really do have to learn system administration. You probably have to read.
Put another way: it's not the on/off, config, etc. - it's the concepts you need.
If you want ultrasecure, http://www.openbsd.org .
He'll really like that.
I know...I was being cruel. Though unlike Linux, every single everything in OpenBSD is documented in beautiful, it's-a-bug-if-they're-not-up-to-date man pages.
Atomic Secured Linux springs to mind. I don't know if it's good as I've never used it. Also, as others have said, it's just a bunch of utilities to make good administration easier.
OpenBSD has some nice advantages - "encrypted memory", randomised memory addressing, a debatably better firewall, but you have to weigh up how hard it is to realistically achieve a secure system against any potential gains of the software. If you're not an expert, CentOS+CSF is probably much better than attempting to do it yourself.
There's Alpine Linux: "Alpine Linux was designed with security in mind. The kernel is patched with grsecurity/PaX out of the box, and all userland binaries are compiled as Position Independent Executables (PIE) with stack smashing protection. These proactive security features prevent exploitation of entire classes of zero-day and other vulnerabilities."
It's a nice minimal distro - Ramnode has ISOs for their KVM VPSes or you could use Lunanode or VULTR to mount a custom ISO of it if you plan on running it on VPSes.
I personally just use Debian 8 and only allow ssh key access, set ufw to deny all incoming and only allow 22, 80, and 443 outgoing, keep everything up-to-date with only the main repo enabled, fail2ban with custom nginx rules, etc etc.
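The "ssh key access only" part of the setup in the post above can be checked from the config file itself. This is an added example, not part of the thread: the function names and the two sample configs are constructed for illustration, and it reads only the global section of the file.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for key-only login.
# sshd uses the first value it finds for each keyword, and keyword names are
# case-insensitive. Simplification: only the global section is read (parsing
# stops at the first Match block) and Include files are not followed.

# effective_value FILE KEYWORD DEFAULT -> print the value sshd would use
effective_value() {
    awk -v want="$2" -v def="$3" '
        BEGIN { want = tolower(want); val = def }
        NF == 0 || $1 ~ /^#/ { next }        # skip blank lines and comments
        tolower($1) == "match" { exit }      # end of the global section
        tolower($1) == want { val = $2; exit }
        END { print val }
    ' "$1"
}

# audit_key_only FILE -> returns 0 only if password-style logins are off
audit_key_only() {
    rc=0
    # The defaults passed below are OpenSSH's when the keyword is absent.
    [ "$(effective_value "$1" PasswordAuthentication yes)" = no ] ||
        { echo "FAIL: PasswordAuthentication is not 'no'"; rc=1; }
    # Keyword name as used by the OpenSSH in Debian 8; newer releases
    # call it KbdInteractiveAuthentication.
    [ "$(effective_value "$1" ChallengeResponseAuthentication yes)" = no ] ||
        { echo "FAIL: ChallengeResponseAuthentication is not 'no'"; rc=1; }
    [ "$(effective_value "$1" PubkeyAuthentication yes)" = yes ] ||
        { echo "FAIL: PubkeyAuthentication is not 'yes'"; rc=1; }
    return $rc
}

# write_samples DIR -> two constructed configs for the demo
write_samples() {
    # Looks hardened at a glance, but the first value wins.
    printf '%s\n' 'PasswordAuthentication yes' 'ChallengeResponseAuthentication no' \
        '# later override is ignored by sshd' 'passwordauthentication no' > "$1/weak"
    printf '%s\n' 'Port 22' 'PasswordAuthentication no' \
        'ChallengeResponseAuthentication no' 'PubkeyAuthentication yes' > "$1/hardened"
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in weak hardened; do
    echo "== $f"
    audit_key_only "$tmp/$f" && echo "OK: key-only login"
done
rm -rf "$tmp"
```

On a live host, `sshd -T` prints the effective configuration, including values that come from included files.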
Although I'm a fan (just because of the man pages), I have to agree. OpenBSD is a definite tilt towards more security and less convenience, which is why it's niche.