Web Hosting Talk







View Full Version : Is FreeBSD more secureable than Linux for servers? Why or why not?


stlouislouis
08-07-2002, 12:20 PM
Hi,

Is FreeBSD more secureable than Linux for webservers? Why or why not?

I didn't list OpenBSD because it's for single CPU systems only -- although I guess if one load balanced some clustered servers, you could include that too to compare. But basically, I'm wondering about BSD vs. Linux.

I know with Linux it depends on the distro -- so pick a good one to compare and/or contrast to FreeBSD.

Basically, if a person wants a server that's easier to secure against crackers, which should they choose and why? I know it depends on how the OS is configured on a server, but given that, which is more *securable* by a non-guru -- and why? Are there any *definitive* step-by-step HOWTOs one can follow and have a very secure server with either OS?

No religious war post, please. Considered opinions -- especially based on experience, please.


Thanks!

Louis

esdjco
08-07-2002, 01:24 PM
If you want to create a truly secure machine follow these steps:

1. Keep all software packages updated and free of known exploits.
2. Turn off any unused services and keep a good firewall.
3. Unplug your server from the network.

There is no real way to secure a box 100% and that is simply a myth, but you can limit the number of successful break-ins by following at the least 1 and 2. Go to Barnes and Noble and search for security books. I think they have a few good ones. ;-)

davidb
08-07-2002, 02:02 PM
You are really best off searching; this has been answered at length before. One reason is that it is more secure out of the box. Basically, one way it's been put is that Linux, especially RH, gets around a lot. FreeBSD, on the other hand, doesn't, so fewer exploits, at least fewer are seen. Really, when it comes down to it, they are both capable of being very secure; it just depends on the admin. FreeBSD is mainly more secure out of the box.

Qgyen
08-07-2002, 02:47 PM
My Linux distro of choice is Debian, because it is much more configurable (IMO) and allows you to be choosier with what gets installed.

Any Linux distro can be "secure", just depends on the admin and how much attention is paid to what is running.

It is up in the air which is better.

Like Debian, but to get most up-to-date packages, you need to use the testing branch, which can sometimes get back packages and screw up some things on the server.

FreeBSD has better memory management, at least from my experience. It tends to be stricter in security and its ports collection remains fairly up to date and a little more stable. Though I've had it happen before where I update a package and it has to update others and it screws up.

apollo
08-08-2002, 10:35 AM
Every system's security depends on how good (also lazy) the system admin is....
By default, I think FreeBSD gets my vote if we compare it to RH.

battman21
08-09-2002, 04:59 AM
By far the most stable & bug-free release of Linux is Debian. There is no doubt that their package management is far and above Red Hat RPM's and if you keep to the stable releases, Debian is very very stable. It's a swine to install and configure, but once in place it's great.

I have had very few issues with Debian by keeping to the stable releases. They take a while to release stuff, but that's 'cause it's usually bug free or if a bug is found, it's sorted out very quickly. It also is great because it is strict in where files are placed (unlike Red Hat and other distributions which throw them anywhere in effect).

I take the example of Fink for Mac OS X - it uses Debian's package management 'cause it really is that good.

That said, FreeBSD is very good and is more secure out of the box. It's a tough call at the end of the day and all of the points above are valid, but my gut says Debian if you can get your head around the installer.

MotleyFool
08-09-2002, 08:23 AM
Any OS is only as secure as the admin makes it. As David said, FreeBSD may be more secure [or to be truthful less vulnerable ;)] than Linux out-of-the-box.

I prefer FreeBSD for its really stable stack, process management and ease of use. After all, it has evolved over several years from the BSD kernel and in reality has a head start over Linux.

Only 7.2 onwards is RedHat a real server operating system in my foolish opinion [ext3 support].

My only problem with Linux is the too frequent kernel upgrades.

If you don't want CPanel I would recommend FreeBSD. Choice of server software is also a matter of personal taste and priorities.

Linux [in particular RH] has an abundance of documentation and a very large user base; but then FreeBSD has more than sufficient documentation in my experience.

For most needs the handbook is sufficient and quite lucid.

But all this said, in a hosting context [which I assume is what you are looking at] it is the server daemons which you will be working with and configuring, more than the OS, most times ..

.. so FreeBSD with sendmail and BIND may be an inferior combination compared to Linux with djbdns and qmail in terms of security.

Every man his poison! :)

Cheers
Balaji

sadistikal
08-09-2002, 10:28 AM
Originally posted by battman21
By far the most stable & bug-free release of Linux is Debian.

Yeah and everyone else you talk to will say something different. Personally I like Slackware because of its stability and bug-free releases. Don't listen to the bigots. Go with what you know. The better you know the system the better you can secure it.
Sadistikal

battman21
08-09-2002, 10:39 AM
Go with your gut at the end of the day, and no doubt read what other users have as issues and how they combat them. Nothing is perfect or 100% secure, but some systems are less vulnerable as MotleyFool says. They are all good in their ways - but I still like Debian over Slackware :D

ToastyX
08-09-2002, 05:27 PM
Originally posted by sadistikal
Personally I like Slackware because of its stability and bug-free releases.

Yeah, that's why I was able to root my own computer with Slackware 8 installed. ;)

sadistikal
08-09-2002, 05:44 PM
OK I'll bite:

How did you root your own computer with Slack 8 on it? Rooting your own box generally isn't hard btw :D. Did you keep it patched? All OS's have problems that come up...security/bugs etc.

I had a friend who thought he got rooted ...except he typed
mail his@address.com > /etc/passwd . Stupid to start with...wrong direction as well....AFAIK that's what you did :P
Sadistikal

ToastyX
08-09-2002, 06:25 PM
lol...no, I'm not THAT stupid...well...okay, I CAN be sometimes, but who doesn't have their stupid moments? :stickout

Slackware 8 came with a vulnerable version of sendmail that could be exploited to gain root access.

Don't get me wrong. I like Slackware, but like you said, most operating systems have issues that come up, and it's up to the admin to update software where necessary.

sadistikal
08-09-2002, 06:31 PM
Ahhh so it was sendmail not slack :stickout

And yes my friend was a ----> :dunce:

CitadelHost
08-09-2002, 06:39 PM
It is true that your box is only secure as the admin makes it but I'd like to point out some things.

BSDs in general do not support the "bleeding edge" as Linux does. BSDs generally don't package the newest packages out there as Linux does. This can be seen as a security precaution since some of the software Linux distros package has been less tested.

FreeBSD also has some security features over Linux, such as log in vain and blackholing, but of course it's possible to set these up on Linux as well.

FreeBSD and Linux are both great operating systems, but as everyone else said, your box is only as secure as your admin makes it. An NT box could be more secure than an OpenBSD box, it all depends on the admin.
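
Added example, not part of any poster's message: the "log in vain" and "blackholing" features mentioned above are FreeBSD sysctl knobs. `log_in_vain` logs connection attempts to ports with no listener, and `blackhole` silently drops packets sent to closed ports instead of answering them. This sketch audits `sysctl` output for them; the minimum values it enforces and the sample inputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit FreeBSD "log in vain" and "blackhole" sysctls.
# Reads `sysctl` output lines ("name: value") on stdin, prints OK/WEAK per
# knob, and returns the number of weak knobs as its exit status.

# Minimum values treated as hardened here (an assumption of this example).
WANTED='net.inet.tcp.log_in_vain=1
net.inet.udp.log_in_vain=1
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1'

audit_sysctl() {
    input=$(cat)
    weak=0
    for pair in $WANTED; do
        name=${pair%%=*}
        min=${pair#*=}
        # Value after "name: "; empty if the knob is absent from the input.
        cur=$(printf '%s\n' "$input" | awk -F': *' -v n="$name" '$1 == n { print $2; exit }')
        case $cur in
            ''|*[!0-9]*)
                echo "WEAK $name is missing or not numeric"; weak=$((weak + 1)) ;;
            *)
                if [ "$cur" -ge "$min" ]; then
                    echo "OK   $name=$cur"
                else
                    echo "WEAK $name=$cur (want >= $min)"
                    weak=$((weak + 1))
                fi ;;
        esac
    done
    return "$weak"
}

# Constructed sample inputs, not captured from a real host.
SAMPLE_DEFAULT='net.inet.tcp.log_in_vain: 0
net.inet.udp.log_in_vain: 0
net.inet.tcp.blackhole: 0
net.inet.udp.blackhole: 0'

SAMPLE_HARDENED='net.inet.tcp.log_in_vain: 1
net.inet.udp.log_in_vain: 1
net.inet.tcp.blackhole: 2
net.inet.udp.blackhole: 1'

printf '%s\n' "$SAMPLE_DEFAULT" | audit_sysctl || echo "weak knobs: $?"
printf '%s\n' "$SAMPLE_HARDENED" | audit_sysctl && echo "all knobs hardened"
```

On a FreeBSD host the function can be fed live values by piping the output of `sysctl` for those four names into it; persistent settings belong in /etc/sysctl.conf.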

sadistikal
08-09-2002, 06:57 PM
I agree with most of your post.

Originally posted by CitadelHost
BSDs generally don't package the newest packages out there as Linux does

I'm trying hard not to turn this into a flame war but it really depends on what distro of Linux you're talking about. Generally Red Hat will package the "bleeding" edge. Where a Slackware usually waits until it's tested first. *cough* gcc *cough*.

Your last line sums it up:

Originally posted by CitadelHost
An NT box could be more secure than an OpenBSD box, it all depends on the admin.

^^^^^^^ hit the nail on the head.

CitadelHost
08-09-2002, 07:56 PM
My comments were based on general terms, not specific as I had stated.

And I find it hard to believe that you think an NT box can't be more secure than OpenBSD. Yes OpenBSD is very secure but a dumb admin can open up huge security holes. I know some very very very smart NT admins (yes they do admin Unix boxes as well) and their NT boxes receive huge amounts of attacks on a daily basis just on the basis of the kind of sites it hosts (none or illegal).

sadistikal
08-09-2002, 08:09 PM
Nono I agreed with you when I said you hit the nail on the head. I mean you were correct. I used to work for a Systems Administration Consulting company that was nation-wide. We had VERY VERY good people in Windows/UNIX/Mainframes/Security etc etc etc and our NT people were VERY good with NT and they could secure a windows box about as good as one COULD be secured :D

Sadistikal

mind21_98
08-09-2002, 09:15 PM
Originally posted by stlouislouis
Is FreeBSD more secureable than Linux for webservers? Why or why not?


To me, Linux and FreeBSD are pretty much the same when FreeBSD is set to use "moderate" security. FreeBSD has this thing called "securelevels" that blocks certain operations and daemons from running, even as root. The higher you go, the less that can be opened and the less access from the Internet that is possible.

Of course, the very best thing to do would be to subscribe to a security mailing list and patch holes up as soon as they are known. If you need more security you could build a cheap 1U firewall system with 2 Ethernet ports running FreeBSD and enable transparent routing so that people don't know you are behind a firewall.

MotleyFool
08-12-2002, 07:29 AM
Don't you all ridicule M$

NT is really 100% secure...


... when used as a standalone!

<sorry couldn't resist it!>

AntiOrganic
08-14-2002, 08:31 AM
http://www.penny-arcade.com/view.php3?date=2002-07-22

sadistikal
08-14-2002, 10:38 AM
PA is great. I check for updates every day :) My favorite...and a bit off topic is this one:

http://www.penny-arcade.com/view.php3?date=1999-12-15