
View Full Version : About getting a dedicated
Haakon 04-01-2001, 10:55 AM I've started thinking about getting a dedicated and get the things done at my own pace. It's going to be Linux, so I'm wondering; what is the most common reason for the server to crash? How long does it take to get it up again?
:-) I know these questions depend very much on how good you are with these things and how much experience you've got. But I basically want to know how dramatic it can be to run a Linux server. For instance; It's very difficult to locate an error and they keep heaping up, and the only thing to do is to reinstall the OS (like on my WIN98).
I'm going to run it with WHM for sure, how much does this help me?
Bonus question:
I have NO experience with Linux, but I've got time and am going to learn it through books, how long do you think this will take? (I loved DOS so I'm not sceptical about moving to a text based OS)
lienzi 04-01-2001, 11:06 AM if you do not have any experience with linux, learning it on a dedicated server which is not physically located in your bedroom is a "dangerous" undertaking. You should be aware that, if you break something, it costs you $$$ (for the staff of your dedicated hosting company) to fix it because you cannot do it yourself.
jonglenn 04-01-2001, 12:35 PM Consider going with FreeBSD instead of Linux, as it's a more secure and stable OS. Yahoo and Hotmail servers are actually run on FreeBSD. It is not as friendly as Linux as far as documentation goes, so it will take longer to learn.
Do a search on this bulletin board and you will find references to it. There are links to FreeBSD sites at the bottom of
http://profile.sh/bsdwiki/
Matt Lightner 04-01-2001, 01:37 PM The only disadvantage to using FreeBSD is that there is not a current Cpanel build available. Correct me if I'm wrong, but I believe that Haakon currently uses CPanel.
As to whether or not he wants to use it on his dedicated server, I am not sure. Haakon, perhaps you could provide us with some additional information on your needs?
Regards,
Matt
node9 04-01-2001, 01:44 PM linux can be as stable and secure as bsd
my linux servers never go down they are stable and secure
cbaker17 04-01-2001, 01:54 PM Linux is not even close to as stable or as secure as Unix, i.e. FreeBSD. Just because you've been lucky enough for your servers not to go down doesn't say whether Linux or Unix is better. We've never had a single customer's box that was running FreeBSD get hacked; on the other hand we've had tons of customers running Linux whose boxes have got hacked. I would say that's as close to real world statistics as you can get....
node9 04-01-2001, 01:58 PM lol
get hacked
man come on
Just because you haven't seen a FreeBSD server get hacked doesn't mean it's better or anything
it's all about security
I can take a linux server, and secure it up easy
It'd be just as stable and secure as freebsd
I have done it many many times before
It's not that I don't know FREEBSD, or don't have experience with it, I just like Linux better, but that's just me.
Woody 04-01-2001, 02:38 PM Being secure is also keeping up on patches. If you don't it is like putting a big sign up saying, "hack me." I personally like Linux (Red Hat to be specific) over FreeBSD since more programs are available for it. It usually takes a while for them to get ported over to FreeBSD.
Haakon 04-01-2001, 03:40 PM That's correct Matt, "I'm going to run it with WHM" and Cpanel. I'm also going to be really cautious on the security side after reading these posts, but I don't think FreeBSD would be an option for me since I really like Cpanel.
Woody 04-01-2001, 03:59 PM Maybe a VDI host would work good for you then or maybe Site5, not sure what NOC they are in but I have heard good things about them.
Matt Lightner 04-01-2001, 05:42 PM Originally posted by Woody
Maybe a VDI host would work good for you then or maybe Site5, not sure what NOC they are in but I have heard good things about them.
Our servers are currently located at Network Access (www.nac.net). We have found the network quality and speed to be absolutely superb. For more info on the network itself, check out http://www.nac.net/nettech.asp.
Regards,
Matt Lightner
mlightner@site5.com
Tim Greer 04-01-2001, 10:16 PM Linux Red Hat, is the most wide open and insecure Linux brand out there. It's good for home use, but it's not the best thing for a server environment. It takes more to secure Red Hat, than probably any other Linux brand out there. FreeBSD is not only more secure by default, but has certain things implemented in it, it's built to be more secure in the foundation of the OS, Red Hat or Linux in general is not. Linux is open to more attacks and holes than FreeBSD, because of how it's built, not simply how it's configured. FreeBSD is not written the same way, too many things are different to dare try and list. It's less vulnerable to many types of attacks that you can't fix in Linux, because it doesn't have the ability to do it.
Again, Redhat, being the more insecure out of all Linux brands. The structure and file system of FreeBSD can not be emulated by Linux. Sure, FreeBSD has its security holes, just like any other OS, and it has a lot, but Linux has and will continue to have far more, in addition to the fact that FreeBSD is built to be more robust and secure, which again, are implementations that Linux brands do not currently have or offer. I don't have any available URLs handy to refer anyone to to outline some of these reasons, but by doing a simple investigation, you will see that FreeBSD is superior in quality with security and with experienced persons configuring, setting up and maintaining both Linux and FreeBSD, FreeBSD will also out perform Linux in performance and uptime.
FreeBSD is a more mature OS, the developers of FreeBSD and especially OpenBSD scrutinize over the code, reviewing it for any possible exploits. With a default install, OpenBSD has not had a remote hole for over three years. Ever heard of Linux not having a serious security hole in that long? This isn't just the way it's configured. FreeBSD has better support for low level system calls and more securely. Almost any Linux program will run on FreeBSD, if not, with few changes to the source. If that is too much of a hassle, you can use the Linux compat port, which emulates it and can almost always run Linux compatible programs with ease.
FreeBSD has a 3 stage boot process so it can understand disk slices and load the next boot stage, wherein it gives you options to load different kernels, whereas Linux's lilo will leave your system unbootable if the kernel is shot and you didn't install a good kernel and run lilo. That's not a big deal though, just don't make that mistake. But, FreeBSD backs up the old kernel and you can simply use that last one, if a new kernel install is bad. Automatically, that is. it's better for updating, testing and experimenting in a diskless kernel environment to test out new kernel modules.
Debugging and run level control on Linux with all the scripts using symbolic links to the init.d directory, is a hassle. FreeBSD is much better in that aspect too, by use of /etc/defaults/rc.conf, etc. Forget about just the easier use of it, let's talk about more important things:
FreeBSD's UFS is more complex and superior to Linux's Ext2 file system. It ensures improved, better stable and better data integrity (check out the softupdates option). This option decreases synchronous I/O and increases asynchronous I/O because writes to a UFS file system aren't synched on a sector basis but according to the file system structure. This ensures that the file system is always coherent between two updates and softupdates offers significant improvement.
The Linux file system can be tweaked for performance; however, currently ext2 gets its performance from having an asynchronous mount. This is great for speed, but if your system crashes it could take out the file system, its data, and its current state. Often, a hard crash permanently damages a mount. FreeBSD with softupdates can sustain a very hard crash with only minor data loss, and the file system will be remountable with few problems.
Besides performance, FreeBSD UFS also has one major advantage over Linux in security. FreeBSD supports file flags, which can stop a simple script kiddie dead in his tracks. There are several flags that you can add to a file, such as the immutable flag. The immutable (schg) flag won't allow any alteration to the file or directory unless you remove it. Other very handy flags are append only (sappnd), cannot delete (sunlnk), and archive (arch). When you combine these with the kernel security level covered below, you have a very impenetrable system.
System Security; FreeBSD and Linux both have runlevel states. With Linux you have runlevels 0–6; none of which have security levels associated with them. With FreeBSD you have single-user mode and multi-user mode. However, you can run your kernel at different security levels. These levels vary from -1 (insecure) to 2 (very secure).
If you run your server at level -1 or 0, then the kernel security level doesn't do much. However, increasing the security level to 1 puts the system into secure mode. This means /dev/mem or /dev/kmem can't be opened for writing and prevents some attacks to your system by using exploits on these files. Also, the file flags cannot be turned off. Running in level 2 gives you all of the level 1 features plus it doesn't allow any disks to be opened for writing except by mount.
The kernel security levels give the system admin more tools. For example, if you set your system's file flags in strategic places and run it in secure level 2, you can create an almost read-only system. A cracker who tries to create a back door by altering a binary-like login, or even sshd, will fail. In addition, employing the sappnd flag on your log files means they can only be appended. So if a cracker tries to clean up after herself, she won't be able to clear your logs or wtmp files. If the cracker wants to really do damage by unmounting the file system and running newfs on it, her attempt will also fail in level 2, because she won't be able to write to the disks.
Another FreeBSD security feature is the log_in_vain option, which you set on boot by specifying it in the /etc/rc.conf. This feature logs any attempts to connect to your server on an unopened port. So if you're being port scanned, you'll see multiple entries into your /var/log/messages or dmesg. These entries include the port and the remote machine so you can track attempts. Most people who are scanning use a random pause between scans, which prevents software that's looking for scans from detecting them. However, the log_in_vain entries have a timestamp if logged to syslogd, so all attempts are logged regardless.
Other points; Linux has a handy /proc filesystem. Some of its features are pretty nice, like the /proc/self/status file. Any process can get its virtual memory information, signal information, groups, user ID, and more from this file. Normally this is done by getrusage and other system calls. The problem is, when a process like top wants to get this information for the machine processes it has to use these files. So if you have a very busy file server, top will crawl because it has to start all the files in the /proc dir. and the kernel has to generate them.
FreeBSD offers a means to run daemons different, so you don't get rooted due to these recent exploits, like BIND has. FreeBSD has a better TCP/IP stack, the networking code of any *BSD is much more efficient than anything under Linux, FreeBSD has had superior kernel design in areas like virtual memory manager (VM).
It may be a minor performance detriment, but the main problem with Linux's /proc file system is that there's too much dependency on it. As a system programmer, I'm very concerned about using expensive parsing routines to gather information. Another example of performance detriments for program ability is the routing table. On Linux I haven't found a good way to get the routing table from the kernel. (Of course, if you're an admin, there are two easy user space programs, route and netstat, which you can use in Perl or PHP, but not in C/C++.) I can parse out the /proc/net/route file, but this action takes up my resources and the kernel's resource when it generates the file. On FreeBSD, I can just open up a raw socket and dump the routing table into a buffer that I can use.
For speed and security, FreeBSD is the way to go. In no way am I trying to say that Red Hat, or Linux, is that much inferior and much of it is based on the knowledge to configure it and maintain it and secure it, but inherently so, FreeBSD is superior in stability, performance and security and Linux can't accomplish some of the same things FreeBSD can, due to the way it's built. Linux has very good desktop uses, and works well in *some* server situations. But, the FreeBSD 4.x tree is by far the fastest OS running on various hardware that I've ever seen. This translates into all areas, including compilation, file access, network stack, or just running X. And for something to look forward to: A lengthy list of goodies are in the works with the 5.x tree and are due out sometime next year.
Other points of interest, quickly, are the fact that FreeBSD is the OS that has broken records many times, over and over. I.e., Walnut Creek moving over 2 TB a day with no problems. Also, check out:
http://www.futuresouth.com/~fullermd/freebsd/bsdvlin.html
Again, FreeBSD has its problems too, as does Linux. But, for many reasons, I at least, believe, even though I agree that much of it has to do with knowledge and talent to run any OS properly or for the best performance, that FreeBSD has more potential to go further and remain more stable than Linux, especially Linux Redhat.
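The slow-scan point in the log_in_vain paragraph of the post above, as an added example that is not part of the original post or of the article it draws on: a detector that only counts probes inside a short time window misses a scanner that pauses between probes, while a per-source tally over the timestamped entries still catches it. The log lines are constructed, and their format (`/kernel: Connection attempt to TCP dst:port from src:port`), the year and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of syslog output with log_in_vain enabled (documentation IPs).
SAMPLE_LOG = """\
Apr  1 01:00:00 web1 /kernel: Connection attempt to UDP 192.0.2.10:137 from 192.0.2.99:137
Apr  1 02:14:07 web1 /kernel: Connection attempt to TCP 192.0.2.10:23 from 198.51.100.7:4312
Apr  1 02:31:52 web1 /kernel: Connection attempt to TCP 192.0.2.10:111 from 198.51.100.7:4377
Apr  1 03:05:20 web1 /kernel: Connection attempt to TCP 192.0.2.10:139 from 198.51.100.7:4460
Apr  1 03:48:41 web1 /kernel: Connection attempt to TCP 192.0.2.10:515 from 198.51.100.7:4518
Apr  1 04:22:03 web1 /kernel: Connection attempt to TCP 192.0.2.10:6000 from 198.51.100.7:4590
Apr  1 04:30:11 web1 sshd[411]: Accepted password for admin from 192.0.2.20 port 1022
Apr  1 05:10:01 web1 /kernel: Connection attempt to TCP 192.0.2.10:21 from 203.0.113.50:2001
Apr  1 05:10:01 web1 /kernel: Connection attempt to TCP 192.0.2.10:23 from 203.0.113.50:2002
Apr  1 05:10:02 web1 /kernel: Connection attempt to TCP 192.0.2.10:79 from 203.0.113.50:2003
Apr  1 05:10:02 web1 /kernel: Connection attempt to TCP 192.0.2.10:110 from 203.0.113.50:2004
Apr  1 05:10:03 web1 /kernel: Connection attempt to TCP 192.0.2.10:143 from 203.0.113.50:2005
Apr  1 06:00:00 web1 /kernel: Connection attempt to UDP 192.0.2.10:137 from 192.0.2.99:137
"""

# Assumed line layout: "<syslog stamp> <host> /kernel: Connection attempt to ..."
LINE_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S*kernel: "
    r"Connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) from (?P<src>[\d.]+):(?P<sport>\d+)"
)


def parse_events(text, year=2001):
    """Return time-sorted (timestamp, source IP, protocol, closed port) tuples.

    Classic syslog stamps carry no year, so the caller supplies one.
    Lines that are not log_in_vain entries are skipped.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['stamp']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["proto"], int(m["dport"])))
    return sorted(events)


def _by_source(events):
    """Group probes per source IP, keeping time order."""
    grouped = defaultdict(list)
    for ts, src, proto, dport in events:
        grouped[src].append((ts, (proto, dport)))
    return grouped


def windowed_scanners(events, window=timedelta(seconds=60), min_ports=4):
    """Rate-based detection: min_ports distinct closed ports inside one window."""
    flagged = []
    for src, probes in _by_source(events).items():
        for i, (start, _) in enumerate(probes):
            ports = {p for ts, p in probes[i:] if ts - start <= window}
            if len(ports) >= min_ports:
                flagged.append(src)
                break
    return sorted(flagged)


def cumulative_scanners(events, min_ports=4):
    """Tally distinct closed ports per source over the whole log, ignoring pauses."""
    report = {}
    for src, probes in _by_source(events).items():
        ports = {p for _, p in probes}
        if len(ports) >= min_ports:
            report[src] = {
                "ports": sorted(ports),
                "first": probes[0][0],
                "last": probes[-1][0],
            }
    return report


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print("60-second window flags:", windowed_scanners(evts))
    for src, info in cumulative_scanners(evts).items():
        span = info["last"] - info["first"]
        print(f"{src}: {len(info['ports'])} closed ports probed over {span}")
```
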
Matt Lightner 04-01-2001, 10:33 PM Word Count: 1,762
Conclusion: Tim has wayyy too much time on his hands. :D
But... I happen to agree 100%. FreeBSD is much more suited for a server environment than RedHat or even Linux in general.
We run OpenBSD on our primary and secondary nameserver machines, and I must admit... it's extremely secure. As to why most hosting systems choose Linux over BSD as their OS, I'm not really sure. I'm sure that, in time, companies will begin to see the advantages of BSD, and begin to migrate in that direction.
Just my $0.02
Regards,
Matt Lightner
mlightner@site5.com
Tim Greer 04-01-2001, 10:43 PM Originally posted by Site5-Matt
Word Count: 1,762
Conclusion: Tim has wayyy too much time on his hands. :D
Just my $0.02
Regards,
Matt Lightner
mlightner@site5.com
Holy no-life, Batman! You counted my words and say *I* have too much time on my hands? *L* I assume people use Linux, because they might be better inclined to run it better, be more familiar with it and understand it better? Like everything, some people are better suited for other things, but if something is a better product, I think more people should make a better effort to try.. it doesn't cost anymore than Linux -- Free. :-)
jayglate 04-01-2001, 10:52 PM Personally, we like solaris running on nice ultra sparcs. Ummm.. Ultra Sparcs....
Tim,
Your post was longer than my average essay.... :)
Matt Lightner 04-01-2001, 11:22 PM Originally posted by Tim_Greer
Originally posted by Site5-Matt
Word Count: 1,762
Conclusion: Tim has wayyy too much time on his hands. :D
Just my $0.02
Regards,
Matt Lightner
mlightner@site5.com
Holy no-life, Batman! You counted my words and say *I* have too much time on my hands? *L* I assume people use Linux, because they might be better inclined to run it better, be more familiar with it and understand it better? Like everything, some people are better suited for other things, but if something is a better product, I think more people should make a better effort to try.. it doesn't cost anymore than Linux -- Free. :-)
Actually... EditPlus counted your words. Took me about 5 seconds to do. I was just astonished at the length of your post. ;)
Regards,
Matt Lightner
mlightner@site5.com
Chicken 04-01-2001, 11:33 PM I wonder if Tim were to continue writing, if vBull, would split his post into pages? So his one post would actually be page 2, 3, and 4? :)
Lucky for him, it was a good post to read (as his generally are), hee hee.
Tim Greer 04-02-2001, 01:35 AM Originally posted by Site5-Matt
Originally posted by Tim_Greer
Originally posted by Site5-Matt
Word Count: 1,762
Conclusion: Tim has wayyy too much time on his hands. :D
Just my $0.02
Regards,
Matt Lightner
mlightner@site5.com
Holy no-life, Batman! You counted my words and say *I* have too much time on my hands? *L* I assume people use Linux, because they might be better inclined to run it better, be more familiar with it and understand it better? Like everything, some people are better suited for other things, but if something is a better product, I think more people should make a better effort to try.. it doesn't cost anymore than Linux -- Free. :-)
Actually... EditPlus counted your words. Took me about 5 seconds to do. I was just astonished at the length of your post. ;)
Regards,
Matt Lightner
mlightner@site5.com
Oh, wow.. I thought you were joking... I think I need help!! :-)
Matt Lightner 04-02-2001, 01:39 AM Originally posted by Tim_Greer
Originally posted by Site5-Matt
Originally posted by Tim_Greer
Originally posted by Site5-Matt
Word Count: 1,762
Conclusion: Tim has wayyy too much time on his hands. :D
Just my $0.02
Regards,
Matt Lightner
mlightner@site5.com
Holy no-life, Batman! You counted my words and say *I* have too much time on my hands? *L* I assume people use Linux, because they might be better inclined to run it better, be more familiar with it and understand it better? Like everything, some people are better suited for other things, but if something is a better product, I think more people should make a better effort to try.. it doesn't cost anymore than Linux -- Free. :-)
Actually... EditPlus counted your words. Took me about 5 seconds to do. I was just astonished at the length of your post. ;)
Regards,
Matt Lightner
mlightner@site5.com
Oh, wow.. I thought you were joking... I think I need help!! :-)
Nope... I really counted them. So Tim, exactly how fast do you type? :D
I wonder if there's a limit on the depth of "nested quotes" allowed in a message...
Regards,
Matt Lightner
mlightner@site5.com
[Edited by Site5-Matt on 04-02-2001 at 01:56 AM]
Tim Greer 04-02-2001, 03:04 AM Originally posted by Site5-Matt
Originally posted by Tim_Greer
Originally posted by Site5-Matt
Originally posted by Tim_Greer
Originally posted by Site5-Matt
Word Count: 1,762
Conclusion: Tim has wayyy too much time on his hands. :D
Just my $0.02
Regards,
Matt Lightner
mlightner@site5.com
Holy no-life, Batman! You counted my words and say *I* have too much time on my hands? *L* I assume people use Linux, because they might be better inclined to run it better, be more familiar with it and understand it better? Like everything, some people are better suited for other things, but if something is a better product, I think more people should make a better effort to try.. it doesn't cost anymore than Linux -- Free. :-)
Actually... EditPlus counted your words. Took me about 5 seconds to do. I was just astonished at the length of your post. ;)
Regards,
Matt Lightner
mlightner@site5.com
Oh, wow.. I thought you were joking... I think I need help!! :-)
Nope... I really counted them. So Tim, exactly how fast do you type? :D
I wonder if there's a limit on the depth of "nested quotes" allowed in a message...
Regards,
Matt Lightner
mlightner@site5.com
[Edited by Site5-Matt on 04-02-2001 at 01:56 AM]
Hmm, I think probably between 95 and 120 WPM, but it depends on how involved I am. I can type at a normal pace of 65 WPM usually, but when I am not casually typing, probably around 90 WPM or so... If I am pissed off or really want to say a lot before I forget everything I want to type, it probably hits the 120 to 125 WPM mark. Mind you, I type a lot, but if I'm not typing, I am probably playing guitar (and yes, I grew up in the 80's, so I am into the fast playing sometimes), so I'm always warmed up and ready to go nuts. A nested quote limit? Hmmm, I think I've seen it get pretty far before...
kunal 04-02-2001, 03:37 AM Isn't this like comparing Qmail and Sendmail? Qmail is easier to secure, while Sendmail takes longer to secure?
Haakon 04-02-2001, 03:39 AM You are doing this hard for me Tim. But are you also saying that I can run WHM/Cpanel by using a Linux emulation app.?
Maybe the Darkorb people could change the source a little to make it fit FreeBSD.
Did you write this one TIM:
http://www.webtechniques.com/archives/2001/01/infrrevu/
[Edited by Haakon on 04-02-2001 at 04:53 AM]
SI-Chris 04-02-2001, 05:11 AM Originally posted by Haakon
...
Did you write this one TIM:
http://www.webtechniques.com/archives/2001/01/infrrevu/
So that's how he types so fast. :)
Originally posted by Tim_Greer
Besides performance, FreeBSD UFS also has one major advantage over Linux in security. FreeBSD supports file flags, which can stop a simple script kiddie dead in his tracks. There are several flags that you can add to a file,
such as the immutable flag. The immutable (schg) flag won't allow any alteration to the file or directory unless you remove it. Other very handy flags are append only (sappnd), cannot delete (sunlnk), and archive (arch). When you combine these with the kernel security level covered below, you have a very impenetrable system.
Actually, ext2 (and reiserfs) also have various file attributes available. Immutable and Append-only for sure; have not had much use for any others so don't know about them. Try man chattr or lsattr.
System Security; FreeBSD and Linux both have runlevel states. With Linux you have runlevels 0–6; none of which have security levels associated with them. With FreeBSD you have single-user mode and multi-user mode. However, you can
...
[snip]
...
an unopened port. So if you're being port scanned, you'll see multiple entries into your /var/log/messages or dmesg. These entries include the port and the remote machine so you can track attempts. Most people who are scanning use a random pause between scans, which prevents software that's looking for scans from detecting them. However, the log_in_vain entries have a timestamp if logged to syslogd, so all attempts are logged regardless.
I believe the lids kernel patch can do similar stuff to all of this. Granted, you have to do the work of patching and stuff. And using lids is a _real_ headache. See http://www.lids.org
Originally posted by Site5-Matt
We run OpenBSD on our primary and secondary nameserver machines, and I must admit... it's extremely secure
Yes, it's undeniably a lot more secure in the default installation. That doesn't mean it's safe to just install and pray nothing goes wrong, of course... It's still best to know how everything works :)
Actually, my comment to this is that security is never assured, especially if the server is in some remote far-away place that you can't physically monitor. Short of having syslog log to write-only media, dropping stealthy network sniffers around your server to monitor break-in attempts, etc... How do you really know a computer has not been cracked?
Tim Greer 04-02-2001, 06:33 AM Originally posted by Haakon
You are doing this hard for me Tim. But are you also saying that I can run WHM/Cpanel by using a Linux emulation app.?
Maybe the Darkorb people could change the source a little to make it fit freeBSD.
Did you write this one TIM:
http://www.webtechniques.com/archives/2001/01/infrrevu/
[Edited by Haakon on 04-02-2001 at 04:53 AM]
I don't know how they coded it, or what underlying components are working with it, etc. but it's possible. However, judging by the code and how (I think) it's compiled into the OS somehow, I'd not be too sure it's likely.
As for writing that, obviously I took parts that were written by Nathan Boeger, as that page says. I found it after I said that I didn't know of a good URL. This is when I pasted the text in the post. I was only going to quote portions at first and said screw it.
As for it being a Qmail/Sendmail issue, not at all like that. And, Sendmail is, as their README says, not really the problem, as much as the setup and configurations are the problem. Qmail is basically like Sendmail with some basic security in mind and it would save time to use Qmail, rather than learn how to secure something as complex and feature-filled as Sendmail. But, with FreeBSD and Linux, we're talking about underlying issues, that are not cosmetic or of the configuration variety only, which can solve a problem with Sendmail.
Tim Greer 04-02-2001, 06:36 AM Originally posted by IntelligentHosting.com
Originally posted by Haakon
...
Did you write this one TIM:
http://www.webtechniques.com/archives/2001/01/infrrevu/
So that's how he types so fast. :)
I didn't think with all my posts that are always so long, that not writing every word of the entire post (or even a good portion of it) was the only post people were talking about. In that case, let me take that back and say that I type 5,000 WPM. :-) Actually, I once got on a typing tutor program and ran it and I just hit as many of the most common keys and vowels as I could and I think it said 980 WPM with 20% accuracy... *L* Of course, 20% of most words having e, a, t, s, n, etc. in them.
Tim Greer 04-02-2001, 06:53 AM Originally posted by pyng
Originally posted by Tim_Greer
Besides performance, FreeBSD UFS also has one major advantage over Linux in security. FreeBSD supports file flags, which can stop a simple script kiddie dead in his tracks. There are several flags that you can add to a file,
such as the immutable flag. The immutable (schg) flag won't allow any alteration to the file or directory unless you remove it. Other very handy flags are append only (sappnd), cannot delete (sunlnk), and archive (arch). When you combine these with the kernel security level covered below, you have a very impenetrable system.
Actually, ext2 (and reiserfs) also have various file attributes available. Immutable and Append-only for sure; have not had much use for any others so don't know about them. Try man chattr or lsattr.
System Security; FreeBSD and Linux both have runlevel states. With Linux you have runlevels 0–6; none of which have security levels associated with them. With FreeBSD you have single-user mode and multi-user mode. However, you can
...
[snip]
...
an unopened port. So if you're being port scanned, you'll see multiple entries into your /var/log/messages or dmesg. These entries include the port and the remote machine so you can track attempts. Most people who are scanning use a random pause between scans, which prevents software that's looking for scans from detecting them. However, the log_in_vain entries have a timestamp if logged to syslogd, so all attempts are logged regardless.
I believe the lids kernel patch can do similar stuff to all of this. Granted, you have to do the work of patching and stuff. And using lids is a _real_ headache. See http://www.lids.org
Yeeaugh.... Why not just use Immunix? I'd rather do that, than bother with patches and utilities here and there, when you can have a better standard to build from. But LIDS is certainly a viable option to help in that aspect nonetheless.
Originally posted by Site5-Matt
We run OpenBSD on our primary and secondary nameserver machines, and I must admit... it's extremely secure
Yes, it's undeniably a lot more secure in the default installation. That doesn't mean it's safe to just install and pray nothing goes wrong, of course... It's still best to know how everything works :)
Yes, of course. If someone is more familiar with Linux over FreeBSD and understands the ramifications better, they are better off using Linux. Some people are better off using NT. It just depends. However, again, if someone excelled at both, equally, I have no doubt they'd opt for *BSD.
Actually, my comment to this is that security is never assured, especially if the server is in some remote far-away place that you can't physically monitor. Short of having syslog log to write-only media, dropping stealthy network sniffers around your server to monitor break-in attempts, etc... How do you really know a computer has not been cracked?
True, but I have yet to see any cracked server that doesn't have some tell tale sign of being cracked. There's many, simple things you can do to secure a system and there's also many things you can do to be notified. Even without an off-server monitoring, logging means, you can do something as simple as having the server email a remote address on some large ISP's network to warn you, maybe capture the output of last and/or w or other things every so-many minutes, whereas someone would have to know to get in, shut down certain services, find your hidden service to stop from being logged, at the very least.
Also, not only unique off-site alerts and logging, but internal logging, time synchronized backups and special mounting, both primary and secondary drives. A file system "wrapper" type of implementation, if you will, etc. Shell mimicking and not just some weird chroot env either. Have fake information presented, interacting with them, make it very difficult to get a handle on what's even going on, which by the time they might get a clue, which can be very unlikely, you will be there saying "Hello, care to explain to me of how you got even this far? Maybe I won't press charges if you tell me the exploit you used!" or something fun, since that's been done has been done anyway, and it should be nothing yet, by that time anyway.
And, I should be clear here, I'm speaking of privileged accounts, not any user that needs to use certain tools. And, the users in question that aren't known to be a trusted person with their account information, will have certain tools and services and programs denied or filtered, to still give them all the access they could want or need, and leave a cracker basically helpless when it comes to using a regular user's account to do any rooting. There's many ways and courses of action to take to secure any type of system, but having a more stable and secure platform to tweak is a definite step.
I mean, I've seen people worry about local users using exploits trying to cause buffer overflows, but these people don't bother to implement a good partition scheme, they don't mount certain partitions to deny SUID, etc. programs, wherein simple things like this, can prevent users from exploiting on a different file system partition. So, there's lots of small things to do, from partitions to permissions, to limiting and denying tools and services to certain users, simple and obvious things such as disabling services, upgrading them, replacing them or hacking the code or plugging a hole and potential exploit, implementing various kinds of wrappers for different protocols and commands, filters and many other things, that are not OS specific, other than in the nature of the code.
Of course, there's other things in that spirit as well, but surely, there's the basics, the common and in-depth security aspects as well. And, that's true on any system. I'm not just talking about adding and hoping that obscurity will save the day, and in fact, that has nothing to do with it. The point was about FreeBSD in comparison, and inherently so, not just inherently more secure with a default install, although that is true as well, but the implementations and reasoning for being able to do special things in FreeBSD and its architecture that makes it a superior choice -- but only for people that know how to utilize those tools and knowledge. That's the same with any OS, so FreeBSD might not be the best choice for everyone, but for people that retain that knowledge, it just might be more likely to be. Still, Red Hat has got to be the worst of the Linux brands in that aspect. Perhaps due to its popularity being a main issue. Nonetheless, a fact, but still depending in other aspects, sure.
[Edited by Tim_Greer on 04-02-2001 at 07:08 AM]
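The partition point in the post above (mounting user-writable file systems so that SUID programs are denied) can be checked mechanically. This is an added example, not part of the original thread: the function name, the list of mount points and the sample fstab are constructed for illustration.

```shell
#!/bin/sh
# Report mount points that are missing a hardening option such as nosuid.

# Constructed sample in /etc/fstab format (not taken from any real host).
sample_fstab() {
cat <<'EOF'
# device     mountpoint  type  options                      dump pass
/dev/sda1    /           ext2  defaults                     1 1
/dev/sda5    /tmp        ext2  defaults,nosuid,nodev,noexec 1 2
/dev/sda6    /home       ext2  defaults                     1 2
/dev/sda7    /var/tmp    ext2  rw,nodev                     1 2
/dev/sda8    /usr        ext2  ro                           1 2
EOF
}

# audit_fstab WANTED_OPTION MOUNTPOINT...
# Reads fstab-format text on stdin. For each listed mount point prints
#   "<mp> missing-<option>"  if its option field lacks WANTED_OPTION
#   "<mp> not-separate"      if it has no fstab entry of its own, so it
#                            inherits the options of its parent file system.
# "defaults" on Linux implies suid,dev,exec, so it never satisfies the check.
audit_fstab() {
    want=$1; shift
    awk -v want="$want" -v targets="$*" '
        BEGIN { n = split(targets, t, " ") }
        /^[ \t]*#/ || NF < 4 { next }        # skip comments and short lines
        {
            seen[$2] = 1
            has = 0
            m = split($4, o, ",")
            for (i = 1; i <= m; i++) if (o[i] == want) has = 1
            opt[$2] = has
        }
        END {
            for (i = 1; i <= n; i++) {
                mp = t[i]
                if (!(mp in seen)) print mp " not-separate"
                else if (!opt[mp]) print mp " missing-" want
            }
        }'
}

# On a real host: audit_fstab nosuid /tmp /var/tmp /home < /etc/fstab
sample_fstab | audit_fstab nosuid /tmp /var/tmp /home /var/spool
```

Run the same function with `nodev` or `noexec` as the first argument to audit those options.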
dabystru 04-02-2001, 07:47 AM Originally posted by Haakon
I have NO experience with Linux, but I`ve got time and going to learn it through books, how long do you think this will take? (I loved DOS so I`m not sceptical about moving to a text based OS)
It took me just 2 months going from scratch. I got a Linux server installed in local network and experimented with it to death, I think I had to re-install the OS 5 or 6 times before I learned the ways to recover it without re-installation. The best thing which helped is http://www.linuxdoc.org project, suggested by many people here.
Originally posted by Tim_Greer
Yeeaugh.... Why not just use Immunix? I'd rather do that, than bother with patches and utilities here and there, when you can have a better standard to build from. But LIDS is certainly a viable option to help in that aspect nonetheless.
All AFAIK;
Immunix/Stackguard only covers a subset of what FBSD and LIDS do.
Subdomain is different, and surely seems to be an interesting way of doing restricting access in a chroot-like manner without actually having to chroot.
LIDS and FBSD kernel levels protect you, even against root compromises. You may be able to gain root, but still be unable to reboot/change webpages/kill services, etc, depending on how lids is configured. In short, they're quite different things.
SuSE's secumod kernel module also does some similar things to openwall, has some of the functionality of stackguard, and also has some nice features of its own too.
I wouldn't want to think about the horrors of using (and administering!) a system that has been multiply-patched, with various possibly conflicting modules loaded, though.
True, but I have yet to see any cracked server that doesn't have some tell tale sign of being cracked. There's many, simple things you can do to secure a system and there's also many things you can do to be notified. Even without an off-server monitoring, logging means, you can do something ...
[snip]
...
knowledge. That's the same with any OS, so FreeBSD might not be the best choice for everyone, but for people that retain that knowledge, it just might be more likely to be. Still, Red Hat has got to be the worst of the Linux brands in that aspect. Perhaps due to its popularity being a main issue. Nonetheless, a fact, but still depending in other aspects, sure.
You know, I was actually going to start typing a response to this... but I give up! You simply type too much, Tim, so you win =D
Haakon 04-02-2001, 03:03 PM Thanks for sharing your experience dabystru. Guess this is more difficult than I had hoped for. I`ll delete one of my PC`s and start experimenting before going with my own dedicated.
Tim Greer 04-02-2001, 06:36 PM Originally posted by pyng
Originally posted by Tim_Greer
Yeeaugh.... Why not just use Immunix? I'd rather do that, than bother with patches and utilities here and there, when you can have a better standard to build from. But LIDS is certainly a viable option to help in that aspect nonetheless.
All AFAIK;
Immunix/Stackguard only covers a subset of what FBSD and LIDS do.
Subdomain is different, and surely seems to be an interesting way of doing restricting access in a chroot-like manner without actually having to chroot.
LIDS and FBSD kernel levels protect you, even against root compromises. You may be able to gain root, but still be unable to reboot/change webpages/kill services, etc, depending on how lids is configured. In short, they're quite different things.
SuSE's secumod kernel module also does some similar things to openwall, has some of the functionality of stackguard, and also has some nice features of its own too.
I wouldn't want to think about the horrors of using (and administering!) a system that has been multiply-patched, with various possibly conflicting modules loaded, though.
True, but I have yet to see any cracked server that doesn't have some tell tale sign of being cracked. There's many, simple things you can do to secure a system and there's also many things you can do to be notified. Even without an off-server monitoring, logging means, you can do something ...
[snip]
...
knowledge. That's the same with any OS, so FreeBSD might not be the best choice for everyone, but for people that retain that knowledge, it just might be more likely to be. Still, Red Hat has got to be the worst of the Linux brands in that aspect. Perhaps due to its popularity being a main issue. Nonetheless, a fact, but still depending in other aspects, sure.
You know, I was actually going to start typing a response to this... but I give up! You simply type too much, Tim, so you win =D
HA HA HA !! I win, A WIN!! Whooptie-do... uh... Anyway, I know what you're saying... But, I was talking about Immunix in general, as a whole, not just comparing it saying if you used it, you'd not need other tools to better secure it. I just meant it seemed to be a better base to work off of. Of course, I've never used it, so I'm not sure how well it would do, but its features look interesting and this platform can save a lot of people a lot of time trying to secure their Linux Redhat servers. I agree about throwing a lot of stuff on it though, that can be a mess.
Tim Greer 04-02-2001, 06:40 PM Originally posted by Haakon
Thanks for sharing your experience dabystru. Guess this is more difficult than I had hoped for. I`ll delete one of my PC`s and start experimenting before going with my own dedicated.
You can likely just do a dual boot system, and boot into the OS of your choice, rather than deleting everything you have now. If you are interested in that idea, let me know and I'll help you out and let you know how to do it. However, if you are able to just install something on an extra system, that's certainly going to give you more comfort and less worries and possibly more freedom.
Haakon 04-02-2001, 07:06 PM Thanks for your concern Tim, but I have these ancient standard pentiums lying around wich I can play with; I have two so maybe I can network them and have one of them spam the other :D