Vanity: What is the most secure distro of Linux?
Posted on 02/02/2014 11:46:37 AM PST by Jeff Chandler
My FIL does his banking on his comp and I want to install Linux on it.
What do you mean by secure? Security is a process, not a point in time or a single application. Security can mean an emphasis on one or more of the following areas:
anonymity - no one sees who you are or what you are doing
egg shell - preventing outsiders and the unauthorized from gaining access
PUMA - privileged users monitoring and accounting, which is the monitoring of authorized users, limiting them to doing only the things they are authorized to do, and then creating an audit(able) trail.
I prefer Mint Linux. Go with that.
CentOS or Fedora might be good choices. That said, the most important fact about security is not the OS as such but how it’s configured and the behavior of the users using it.
There’s some additional features, like SE Linux, that can be configured.
There’s no magic bullet; there are lots of attack vectors that can be used against any machine regardless of operating system. Linux user-space components could also have vulnerabilities, and as they’re written by thousands of developers on different projects they have varying quality (wrt security) in each.
My main advice is to always live behind a firewall and know the firewall configuration, that and don’t run any software that you don’t know about or trust (free downloads). Keep your web browser up-to-date, or better yet, don’t browse on that machine. Another safeguard might be to run a guest OS with VirtualBox, do “less safe” tasks in the guest OS.
It is a big topic. There are certainly holes in Linux; it’s just that there are fewer people targeting it and the software is open source, so anybody can look at it. If somebody is doing something nasty it’s not easy to keep it secret. It’s “security through transparency” vs. “security through obscurity” (open vs. closed software).
Check out Instant Webkiosk or an equivalent, running in live mode via USB flashdrive. A Linux thread yesterday had a discussion of how the kiosk distros function.
I don’t know that it is the “distro” but the applications that are run on the base distro. Fedora, CentOS, RHEL, (open)SuSE; all great. Ubuntu, yup, nice. But one app that starts up and “listens” on a TCP (or UDP) port above 1024 can make your install vulnerable if it can be exploited. To combat that, you will need to get familiar with iptables and selinux (especially selinux). Personally, I prefer openSuSE. For my needs it has a decent balance of usability vs. security, and most (i.e., 90%) of the hardware I run it on is detected at install time. From an enterprise perspective, however, Fedora is a better choice as most shops are running CentOS or RHEL and it is a better fit for integration. Just my $0.02
Whatever you pick, just buy a $30 router and put it between him and the cable/dsl modem. Best protection money can buy.
He is using XP. End of life for XP is approaching. All he does is browse and do his banking.
Burn a Live cd and see that it supports all of your hardware BEFORE installing anything.
“He is using XP. End of life for XP is approaching. All he does is browse and do his banking.”
So naturally, you thought he would get a real kick out of editing lpd.conf and sendmail.cf in vi, eh?
That’s a stupid comment. At least be helpful.
I use CentOS.
But the keys to real security are:
A) Have as little as possible installed (languages, services, etc.). What you don’t need, don’t install.
B) What is installed and running or used, verify that it is installed such that it is secure, i.e., its configuration does not leave holes for malware to get in and operate.
C) Contrary to popular belief, once you’ve got it locked down, do not upgrade or update anything or install anything willy-nilly just to upgrade. This avoids the latest and greatest versions (new versions) that are bound to have new vulnerabilities and thus be harboring what are called “zero-day” exploits, i.e., those that no one knows about currently. When you do upgrade, you need to take the time to review everything you do for security; there is no “slap it in and let it run”, as default configurations are often disastrously open configurations. So for this point, you will turn off all auto-updates. If you leave them turned on, you’re leaving yourself open to zero-day exploits (you may find out about one the hard way).
D) Be very careful when using a printer attached to the machine, IMHO, don’t run printing services. If you need to print, it’s best to physically disconnect from the internet, then physically connect the printer, start the printing services, do your printing, stop the services, disconnect the printer, then connect to the internet again. Printing services are designed to share information. If you have the time to research, you maybe could figure out how to set up printing services in a 100% secure fashion. But that’s a big maybe.
E) Make sure your iptables is very simple and very tight (again, google for good configurations). This is very important. Turn on IPv6 and make sure its configuration is secure (it’s actually not secure to simply not configure it any more).
F) Once you think your iptables is good, run nmap (need to install the package) against your machine to verify that it is not listening on all but the most essential ports.
G) On CentOS, I’d recommend gnome, not kde.
H) Turn on SE Linux enforcing (as always, google if you ever have an issue).
Go through every running service and do some research on what it is, decide if you want it - then go search for servicename vulnerabilities, and then methodically go through its configuration, setting things up to rule out the vulnerability.
Review the documentation on the software you choose to install.
Don’t install httpd, mysql, etc., unless you really need them. If you must run httpd, forget about supporting php.
I would think “office” suite, email client, web browser, video plugin, flash player, etc., is a good start. (browser must be configured in a paranoid fashion, of course, and emails need to be previewed before opening, just delete the junk without opening).
I would keep the config, like the /etc directory, and all one’s data in one’s home directory (keep it all in one place) backed up on USB removable storage, of course only connecting that storage when you run backup. Then, if your machine is ever trashed, you simply reinstall from the install DVD you started with, review your old configuration and set it up in the new install, and finally put back your old home directory.
I have a good but simple script that error handles while copying my directories to 2 external media in one run. If any step in the script fails, my script will give me an error.
Every password you use must be very long, 12+ chars, with the highest quality passwords. They can be kept in a spreadsheet that you store only on your backup media (keep at least 4 backup media, i.e., 2 rotated pairs).
A lot of packages can be installed and used without much difference to security.
CentOS, being Red Hat, has wide corporate distribution, a large user base for lots of real-world security testing that you’re benefitting from when you use it. Red Hat’s target market is really corporate users.
The consumer-oriented distributions, on the other hand, being widely used by individuals, would present a better target for hackers, since they seek machines whose administrator is the most bumbling, and they seek targets for their sheer quantity, as in, widely distributed amongst home-based users throughout the world.
All the hacker needs is one key mistake to be made.
If you’re not running httpd or a mail server or a db server, or ssh server, i.e., you don’t have any way to access your machine remotely, you’ve removed those as a way into your machine. nmap will verify what your machine will listen for.
Then it pretty much comes down to a) safe web browsing and b) safe email client (which for the most part means do not open strange emails), just like a normal “user” oriented machine like XP.
Physical security becomes critical for a) access to your machine (stay logged out when there) and b) access to your backup media. You could additionally print your password spreadsheet for more reliability, in case all your computer media fail at least you are not locked out of your online accounts; this paper is then critical media. Your passwords will be long and confusing enough that you will want to copy and paste them into your logins from your spreadsheet.
Of course, safe browsing means that when logged in to any online account - your spreadsheet and browser the ONLY applications running, and your browser has ONLY ONE tab open - the one you’re logged in to (avoids cross-site scripting attacks).
I think I figured out dosbox but some of the games don’t have sound
Oh, on that last point, the spreadsheet with passwords only needs to be open while the password is copied and pasted during login, of course. Then one can close the spreadsheet and continue using the site.
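Point F and the later remark that nmap verifies what the machine listens for are the same check seen from outside; the local view of it, as an added example and not the poster’s own script, is below. It parses a constructed `ss -tuln` listing (the allowlist, the sample sockets and the use of ss instead of nmap are my assumptions) and flags every socket reachable from the network that is not on the allowlist, including the printing daemon from point D when it is bound to all interfaces.

```python
import subprocess

# Constructed sample of `ss -tuln` output (not captured from a real host),
# so the audit can be run offline against known input.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0            0.0.0.0:68          0.0.0.0:*
udp   UNCONN 0      0          127.0.0.1:323         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:631         0.0.0.0:*
tcp   LISTEN 0      50           0.0.0.0:8080        0.0.0.0:*
tcp   LISTEN 0      128             [::]:22             [::]:*
"""

# Assumed allowlist: the only (proto, port) pairs this box is meant to expose.
ALLOWED = {("tcp", 22), ("udp", 68)}

LOOPBACK_PREFIXES = ("127.", "::1")


def parse_ss(output):
    """Return (proto, bind_addr, port) tuples from `ss -tuln` output."""
    sockets = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "Netid":  # skip header/blank lines
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")    # rpartition keeps IPv6 intact
        sockets.append((proto, addr.strip("[]"), int(port)))
    return sockets


def audit(sockets, allowed=ALLOWED):
    """Flag network-reachable listeners that are not on the allowlist."""
    findings = []
    for proto, addr, port in sockets:
        if addr.startswith(LOOPBACK_PREFIXES):
            continue  # loopback-only binding: not reachable from the LAN
        if (proto, port) in allowed:
            continue
        kind = "unprivileged" if port > 1023 else "privileged"
        findings.append((proto, addr, port, kind))
    return findings


def live_sockets():
    """Same audit input taken from the running host (Linux with iproute2)."""
    out = subprocess.run(["ss", "-tuln"], capture_output=True, text=True, check=True).stdout
    return parse_ss(out)


if __name__ == "__main__":
    for proto, addr, port, kind in audit(parse_ss(SAMPLE_SS_OUTPUT)):
        print(f"unexpected listener: {proto} {addr}:{port} ({kind} port)")
```

Replace `parse_ss(SAMPLE_SS_OUTPUT)` with `live_sockets()` to audit the real box; anything it reports should either be added to the allowlist deliberately or have its service stopped.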
Check out the enterprise distros like SLES. They typically lag behind the regular release but are given more attention in terms of reliability and security. You’ll also want a patch subscription.
He’s likely using old hardware, if he’s on XP. Take a look at Lubuntu. It runs smoothly on a dog of a Dell netbook. Didn’t need to do anything. It just ran.