
The OS Debate
CArmstrong 02-01-2004, 04:14 PM I really don't want to start a flame war here.. but I'm seriously asking the users of WHT: do you prefer FreeBSD, Linux, or Windows primarily for hosting and why?
I know whatever sells is probably what you offer but I just wanted to know.
Also, has the recent SCO suit scared anyone away from Linux? Even though it's complete BS...
Winkie 02-01-2004, 04:53 PM Linux, as I'm familiar with it. Windows is a stupid choice for even a desktop OS, and FreeBSD isn't too popular so not many people realise it's an option, a damned fine option as well.
CArmstrong 02-01-2004, 05:46 PM :)
Damned fine as in anything particular or just overall system maintenance?
cubision 02-01-2004, 06:05 PM FreeBSD offers unmatched stability over linux ... that is ... until 2.6.x.
See, the problem here is that you chose "Linux" as an option, while the other two were very specific. There are many linux distributions, each with their advantages and disadvantages.
Honestly, as horrible as it is, I see the hosting industry (myself included) picking an OS based on what their favorite control panel supports. This is truly bad. The OS should be the first choice ... it should be extensible, support your hardware, and be stable enough for your use. More importantly, of course, is your ability to manage it.
Having a FreeBSD server doesn't do you very much good if you don't know how to administer it. If you're the best Windows admin in the world, you might be able to pull something decent off -- there are open-source fixes sometimes. Overall -- the professional system administrators tend to choose BSDs over Linux. This is a very personal decision, and really there is only the best OS for the admin -- what they feel most comfortable with, and can administer well.
pizzaboy_au 02-01-2004, 06:10 PM Nicely put cubision
sjhwilkes 02-01-2004, 08:49 PM BSD maybe more mature than Linux, but I have dozens of 2.4 kernel machines with uptimes well over 1 year.
Windows is hellish expensive, if I was going to spend money on an OS I'd buy Solaris x86 - commercial / supported OS, much more reliable and secure than Windows - $250 a copy. Even Redhat server is $350 a copy. (Windows is $700 odd)
cubision 02-01-2004, 09:07 PM Originally posted by sjhwilkes
BSD maybe more mature than Linux, but I have dozens of 2.4 kernel machines with uptimes well over 1 year.
What does this comment have to do with anything?
Steven 02-01-2004, 09:11 PM BSD is more stable than Linux, yeah. I recommend that people start going to BSD over Fedora / Enterprise; they are somewhat unstable.
Winkie 02-01-2004, 09:17 PM Originally posted by cubision
What does this comment have to do with anything?
It's an example.
I'm looking at BSD but staying with Linux for now; I want to see what improvements Gentoo makes with the new 2.6 kernel, gaining some trust.
cubision 02-01-2004, 10:07 PM OK, everyone seemed to miss my point. Stable does not mean the box doesn't kernel panic ...
Just because a machine has been running for a year, doesn't make it better, nor does it prove much of anything. If I wanted to ... I could set up a windows xp box, and leave it there for a year, I'm sure it would be fine.
Instead of blindly associating "BSD" with "Stable," you should read -- and understand my comments -- it's not so much about the OS, but about the admin.
People are restating things -- and they are using them in blind-faced arguments.
Winkie 02-01-2004, 10:12 PM ^^^ Welcome to Technical + Security Issues
This always happens. Incidentally, if you set up a Windows XP box I believe there's a list of over 100 vulnerabilities open to a default install.
Steven 02-01-2004, 10:16 PM [Uptime] 2w 5d 2h 9m 31s
^^^^ my windows xp box
[root@localhost root]# uptime
14:12:14 up 31 days, 19:47, 2 users, load average: 0.00, 0.00, 0.00
[root@localhost root]#
^^ one of my home linux boxes slackware
2:15am up 27 days, 52 min, 0 users, load average: 0.00, 0.02, 0.00
^^^ redhat 7.3
cubision 02-01-2004, 10:20 PM Originally posted by Winkie
Incidentally, if you set up a Windows XP box I believe there's a list of over 100 vulnerabilities open to a default install.
OH MY GOD ... did you not even read what I said? That was my point -- running a Windows XP box for a year doesn't prove anything -- it doesn't prove stability, it doesn't prove security -- which is why I said that saying you can run a BSD or Linux box for a year means absolutely nothing.
cubision 02-01-2004, 10:23 PM Originally posted by thelinuxguy
[Uptime] 2w 5d 2h 9m 31s
^^^^ my windows xp box
[root@localhost root]# uptime
14:12:14 up 31 days, 19:47, 2 users, load average: 0.00, 0.00, 0.00
[root@localhost root]#
^^ one of my home linux boxes slackware
2:15am up 27 days, 52 min, 0 users, load average: 0.00, 0.02, 0.00
^^^ redhat 7.3
I'm sorry ... what does this have to do with anything? They've all been running for about the same time ... so?
cubision 02-01-2004, 10:33 PM By the way ... for those of you who are not familiar with how security vulnerability disclosure works in the real world ...
Most open-source based OSes are patched very quickly once a security vulnerability is released -- this is for a number of reasons, but mainly because there are many people who can directly edit the source code, and release their own patch. This, of course, is a great advantage over closed-source OSes for which you must wait for an official patch. On the other hand ... the patch that you get on a vuln list is not guaranteed, or backed by anything -- so you apply it somewhat at your own risk.
Now ... those rules only apply to vulnerabilities that are released. I have access to quite a few repositories of vulnerabilities that have been around for years, never been released to the public, and there are no plans to. These remain open holes to popular packages in Linux and BSD distributions.
The biggest problem in the industry ... is that we get people claiming BSD and Linux security -- who simply know how to download and apply a patch to some source code -- and then compile it. As a system administrator, it is your duty to understand security itself, instead of how to apply patches, so that you can customize your business servers to be the most secure they can be.
eddy2099 02-01-2004, 11:29 PM Windows is my preference because I know what I am doing in it and I believe I ran a fairly secure Windows server. A lot has to do with the person administering the machine; any option can be as stable as the other.
I wouldn't say that Linux and FreeBSD is problem free and secured; just look around, you get numerous postings each week from people who say that their Linux/FreeBSD crashed and they do not know how to resolve it, or it has been compromised, hacked and everything got deleted.
The thing is that no OS is secured out of the box. They do have vulnerabilities in them. It just depends on the administrator to secure it and it is not just a do-once and forget situation but it is an ongoing process.
Opt for the OS which you are familiar and confident in and it will work for you.
The current Redhat Enterprise is not cheap because you need to pay for the annual subscription to upkeep your machine, while with Windows you pay once and you will probably be able to get patches from Microsoft for between 3 to 5 years.
For Redhat, the $349 pays for 1 year of updates http://www.redhat.com/software/rhel/es/ and anything more you probably have to pay the same sum for an additional year of update. So it doesn't make the new Redhat Ent any cheaper than Windows.
Basically if you depend on Redhat to update your Linux, it is not going to be cheaper. However if you opt to compile and install your own stock Linux by hand then you can take advantage of the Open Source kernel and components available on the web. Of course, you need to be familiar with it before you opt for that option.
cubision 02-01-2004, 11:35 PM eddy2099,
Well, I guarantee you I could exploit your Windows server in 30 or 40 ways.
My point is not to say that any other OS is "the best," but only that there are more options with a free OS. Nobody said that "Linux and FreeBSD [are] problem free and secured," maybe you could point me to where you found that.
As for RedHat ... that's why many opt for distributions that provide an updated and reasonably secure set of packages ... for free.
I understand the corporate requirement for certain types of support -- and that's the gamble you take when you go with a company like RedHat.
Communities are much more resilient than companies, and often, if you're any admin worth your salt, you can do fine with no corporate support.
IGobyTerry 02-01-2004, 11:40 PM Originally posted by cubision
eddy2099,
Well, I guarantee you I could exploit your Windows server in 30 or 40 ways.
Damn I'm almost tempted to purchase a 2k3 server and challenge you.
cubision 02-01-2004, 11:44 PM inogenius ... it wasn't a threat, nor do I claim to be a windows security expert.
I do, on the other hand, like most security consultants have lots and lots of friends who spend/waste their time writing exploits for vulnerabilities that they never plan to release.
This is not my tactic, I think it's pretty anti-progressional to keep secrets like that, but it's the way the industry works.
Those exploits are freely available, you just need to know where to go.
EDIT: Not to mention the exploits that ARE publicly released, yet it takes Microsoft enough time to release a patch, and for people to download it that you could take a box in a few minutes.
eddy2099 02-01-2004, 11:55 PM Chris,
My point is not so much an issue of which OS is more secure but rather that the level of security and stability depends a lot on the person who administers the machine. I believe you already know that administration is a lifelong process.
I am not saying that Redhat and FreeBSD are secured out of the box. The thing is that when you read the postings in this forum, you realize that the people who put down Windows are people who assume that Linux is better.
I know that Linux and FreeBSD are based on open source and there are different people working on different components. But what is stopping someone from coming out with an open source Linux patch which is vulnerable in nature?
So in short, let me repeat.. How secure and stable a server is depends on the administrator.
cubision 02-02-2004, 12:07 AM eddy2099,
I believe if you read my earlier posts in this thread, you'd know I feel much the same way:
"Having a FreeBSD server doesn't do you very much good if you don't know how to administer it. If you're the best Windows admin in the world, you might be able to pull something decent off -- there are open-source fixes sometimes. Overall -- the professional system administrators tend to choose BSDs over Linux. This is a very personal decision, and really there is only the best OS for the admin -- what they feel most comfortable with, and can administer well."
"Most open-source based OSes are patched very quickly once a security vulnerability is released -- this is for a number of reasons, but mainly because there are many people who can directly edit the source code, and release their own patch. This, of course, is a great advantage over closed-source OSes for which you must wait for an official patch. On the other hand ... the patch that you get on a vuln list is not guaranteed, or backed by anything -- so you apply it somewhat at your own risk."
Winkie 02-02-2004, 12:27 AM Originally posted by eddy2099
Basically if you depend on Redhat to update your Linux, it is not going to be cheaper. However if you opt to compile and install your own stock Linux by hand then you can take advantage of the Open Source kernel and components available on the web. Of course, you need to be familiar with it before you opt for that option.
You're not too familiar with Linux, are you?
Debian (http://www.debian.org)
Gentoo (http://www.gentoo.org)
Both free, both will remain free, and both will almost always be patched as fast as or faster than Redhat vulns.
Incidentally Chris, I was referring to the fact that most modern Linux/BSD installs will ask you to update to the latest software on install / do it in the install, whereas a Windows XP install does not, meaning it's an unfair comparison. Sorry for the bad wording before, and I agree with you on every point so far (apart from maybe FreeBSD vs Linux; I know a lot of pro admins who like Linux :) )
Steven 02-02-2004, 12:31 AM Originally posted by cubision
eddy2099,
Well, I guarantee you I could exploit your Windows server in 30 or 40 ways.
My point is not to say that any other OS is "the best," but only that there are more options with a free OS. Nobody said that "Linux and FreeBSD [are] problem free and secured," maybe you could point me to where you found that.
As for RedHat ... that's why many opt for distributions that provide an updated and reasonably secure set of packages ... for free.
I understand the corporate requirement for certain types of support -- and that's the gamble you take when you go with a company like RedHat.
Communities are much more resilient than companies, and often, if you're any admin worth your salt, you can do fine with no corporate support.
Wanna exploit my Windows 2003 Enterprise server I have sitting here beside me? I bet you can't.
qm8309 02-02-2004, 12:43 AM if he really can exploit any1's windows server, why doesn't he go try it out on dell.com and ebay.com?
that comment itself proved the ignorance.
eBoundary 02-02-2004, 01:04 AM Originally posted by sjhwilkes
BSD maybe more mature than Linux, but I have dozens of 2.4 kernel machines with uptimes well over 1 year.
Then you have dozens of machines that are extremely vulnerable to quite a few exploits; hope these are not multi-user systems.
cubision 02-02-2004, 01:05 AM Uh ... ok ... let me say a few things about my statement ...
No, I don't WANT to exploit anybody's server. I'm not a kid who sits in his mother's basement ... etc (insert stereotypical geek image here). I do security consulting professionally -- I do break into windows servers all the time ... under carefully scripted contracts and with plenty of lawyers checking things.
Paying for penetration testing is a testy part of the law, and I take my business very seriously. I said what I said to make my point. It's completely true, and if you knew anything about the underground vulnerability market ... I wouldn't have to prove anything to you.
Your attempts to make me attack your server were childish. Anybody with any experience in the penetration testing industry knows that the contracts are very particular, and you can't just go on some forum request for an attack.
I have absolutely NO interest in attacking your server ... honestly, I don't care if it's attacked, I only wish that you try to be aware of the market for vulnerabilities. I believe in the free exchange of information -- I think everyone has the right to know whatever they want -- they just have to get it for themselves. I'm not condoning illegal attempts to steal information -- I think people should be willing to give out whatever they have.
Now, back to the real world -- a company's success can ride on the fact that they have information nobody else does -- and so NDAs are born (Non-Disclosure Agreements for the layman).
I'd be happy to tell you what I can about the industry -- but you must act mature in your requests, rather than turning this into a pissing contest with legal repercussions.
HOUSCOUS 02-02-2004, 01:05 AM The best choice depends on which OS you are most familiar with. I am not a guru on operating systems, but I do have Windows XP/*BSD/Linux installed on my personal boxes. I personally like Linux the best (which distribution doesn't matter). You want to ask me the reason based on test results or data? I am sorry, I can't give you that because I don't do that kind of work; besides, lots of "independent agencies" have done that.
What SCO has said or will say won't stop me from using Linux in the future.
Steven 02-02-2004, 01:07 AM Originally posted by cubision
Uh ... ok ... let me say a few things about my statement ...
No, I don't WANT to exploit anybody's server. I'm not a kid who sits in his mother's basement ... etc (insert stereotypical geek image here). I do security consulting professionally -- I do break into windows servers all the time ... under carefully scripted contracts and with plenty of lawyers checking things.
Paying for penetration testing is a testy part of the law, and I take my business very seriously. I said what I said to make my point. It's completely true, and if you knew anything about the underground vulnerability market ... I wouldn't have to prove anything to you.
Your childish attempts to make me attack your server are exactly that ... childish. Anybody with any experience in the penetration testing industry knows that the contracts are very particular, and you can't just go on some forum request for an attack.
I have absolutely NO interest in attacking your server ... honestly, I don't care if it's attacked, I only wish that you try to be aware of the market for vulnerabilities. I believe in the free exchange of information -- I think everyone has the right to know whatever they want -- they just have to get it for themselves. I'm not condoning illegal attempts to steal information -- I think people should be willing to give out whatever they have.
Now, back to the real world -- a company's success can ride on the fact that they have information nobody else does -- and so NDAs are born (Non-Disclosure Agreements for the layman).
I'd be happy to tell you what I can about the industry -- but you must act mature in your requests, rather than turning this into a pissing contest with legal repercussions.
Well if you can't do it, well ok.
eBoundary 02-02-2004, 01:07 AM Originally posted by eddy2099
I am not saying that Redhat and FreeBSD are secured out of the box.
Since when? I've never seen a default Redhat install *not* start the RPC services and a bunch of other services that are historically vulnerable out of the box.
FreeBSD is a little better, in that it starts sshd and asks if you want inetd, ftpd, nfs etc. run; it doesn't assume you want to run them.
cubision 02-02-2004, 01:09 AM Originally posted by thelinuxguy
Well if you can't do it, well ok.
Wow ... I so hope that you meant to put a smiley face on the end of your comment. If not ... I wish you luck -- welcome to my ignore list.
Steven 02-02-2004, 01:09 AM lol, ignore me because you can't do it
eBoundary 02-02-2004, 01:17 AM cubision,
much to your dismay, Windows *can* be run in a secure fashion and I promise you that you could not exploit every windows installation like you implied. Sweeping statements like you made will only get you in trouble because they are either blatant lies or if you do truly believe it then it shows how naive you are when it comes to the industry.
cubision 02-02-2004, 01:22 AM Originally posted by eBoundary
cubision,
much to your dismay, Windows *can* be run in a secure fashion and I promise you that you could not exploit every windows installation like you implied. Sweeping statements like you made will only get you in trouble because they are either blatant lies or if you do truly believe it then it shows how naive you are when it comes to the industry.
There is no secure environment. It's a philosophical concept more than anything else. I don't mean that in the example of "the only secure server is one that's off" ...
Unfortunately ... I would personally find it very hard to patch security vulnerabilities that only 5 people know about -- since Microsoft is the only one releasing patches. If you're referring to alternative methods of securing an "entire server" through more general methods of security, they all have flaws as well.
There are some excellent cryptography books that embark on the philosophy behind security -- they're good reads.
I understand your statement, but I don't agree, and I don't think that I'm naive -- it was a "sweeping statement," but I don't take it back, I used it for effect, to strengthen (maybe controversially) my argument. If you don't agree, more power to you. I encourage people to speak their minds -- to reach whatever audience they want.
qm8309 02-02-2004, 01:23 AM cubision:
i can believe that this "vulnerability market" exist and i completely understand that there are companies out there pay millions of dollars for security consulations from experts. however it was ur post that initiated immaturity. u said " I guarantee you I could exploit your windows sever in 30 or 40 ways" without even knowing ANYTHING about the person/company's server. do u know what softwares he uses? do u know what applications/services he runs? tell me HOW u gonna "exploit" my comp sitting next to me with no iis, no sql, no ftp or wutsoever running? sure anyone can talk. i can hack dell.com in 30 days. but well i dont do it because its illegal and if i get caught i will get in trouble. will you believe me?
u made ridiculous statements on something that u have no clue about and u cannot back urself up. if eddy's hosting clients were here reading this thread, should they believe u and get worried because some1 can exploit their server in 30 days? i doubt it.
feel free to ignore me too. no1 here cares about ur underground security agency anyway.
cubision 02-02-2004, 01:28 AM I find it particularly hard to respond to comments that are written in a mixture of horrible English and poor grammar -- not to mention the replacement of "you" with "u."
If you would like ... I can amend my statement -- since it was just interpretation. I also never said that I could do so remotely. Never forget about physical security. Firewalls are never solid, and there has yet to be a security system that hasn't been proven vulnerable (no matter how long it takes -- and no matter what measures can be taken to break in).
Think about it like this. A company claims that they are now using off-site storage of all of their customers' credit card information; this storage is not connected to the internet, it's manually moved from one place to the other. Their claim is that nobody can now steal their customers' data once it's been moved to this location. Now ... what happens when someone breaks into the building, and steals the tape disks?
EDIT: Personally, I'm done with this thread. People can continue to start these contests and requests for arguments. I'll be somewhere else providing help to those that need it.
eBoundary 02-02-2004, 01:40 AM Too far off topic now to recover; these threads always go downhill fast.
Suffice to say, stay with the OS you know and understand as you will always be able to administer that the best.