Debian Planet










    Why Debian is still not as secure as OpenBSD ?
    Contributed by Anonymous on Wednesday, May 30 @ 10:36:36 BST

    Security
    I think Debian GNU/Linux is the most stable OS, but what about security? It seems not to be the most secure one. The initial configuration is not as secure as OpenBSD's. However, OpenBSD does not appear to be as stable as Debian, but it is more secure. Is it a balance between security and stability?

    Should Debian GNU/Linux take steps to make woody hardened by default? Or should a drastic change like this wait for sid?

    rob: Many other distros have various security options during install, could this be the way forward?

     

    Re: Why Debian is still not as secure as OpenBSD ? (Score: 1, Informative)
    by Anonymous on Wednesday, May 30 @ 13:04:14 BST

    Hopefully task-harden (sid only?) should solve most security problems with daemons and such

    - Zoltan Kraus


    Re: Why Debian is still not as secure as OpenBSD ? (Score: 3, Informative)
    by greyheart (kenneth at max.gelooft.nl) on Wednesday, May 30 @ 13:30:47 BST
    (User Info) http://max.gelooft.nl/

    There is a Securing HOWTO for Debian, if you want to secure your system. Just an install of task-harden won't do the job, although it'll help.
    It's in the testing tree now.

    Security always involves serious doc-reading. Even on OpenBSD, with the significant difference that on OpenBSD everything is closed by default. But the moment you run a daemon and provide services, there are still some docs to read.

    Never trust a default install. Know your system.


    Re: Why Debian is still not as secure as OpenBSD ? (Score: 1, Interesting)
    by Anonymous on Wednesday, May 30 @ 13:41:22 BST

    > Never trust a default install. Know your system

    But it is easy to forget some important thing ... It is also difficult to make some choices that are important to the security of the whole system.

    Maybe a secure default configuration would be a good idea.


    Re: Why Debian is still not as secure as OpenBSD ? (Score: 2, Informative)
    by greyheart (kenneth at max.gelooft.nl) on Wednesday, May 30 @ 13:44:15 BST
    (User Info) http://max.gelooft.nl/

    That is what task-harden is for.
    But the moment you actually open a port, let's say 80 for Apache, you automatically expose any Apache (mis-configuration) bugs ... et cetera.
    It isn't a secure default anymore the moment you start to do something.
    Always open as much as needed, keep as much closed as you can. That involves some diving into your system.


    Re: Why Debian is still not as secure as OpenBSD ? (Score: 1, Interesting)
    by Anonymous on Thursday, May 31 @ 14:32:10 BST

    Secure "by default" is a good idea. It is easier to take a secure system and make it more permissive than the other way around. OpenBSD's "secure by default" philosophy extends to all parts of the default install including the configs for the daemons not running by default. So even if you start Apache and sendmail on OpenBSD you have not exposed yourself to significantly more risk. It is worth noting that OpenBSD does not use any firewalling/port blocking by default.


    Re: Why Debian is still not as secure as OpenBSD ? (Score: 0)
    by Anonymous on Saturday, June 09 @ 11:56:52 BST

    task-harden is a good package name except it's a pity all it does is have a few conflicts with packages such as portmap and nfs-server, actually that's all it has... maybe with time...


    Re: Why Debian is still not as secure as OpenBSD ? (Score: 3, Interesting)
    by Anonymous on Wednesday, May 30 @ 14:01:24 BST

    It seems that OpenBSD is auditing code for security holes. Why does Debian not audit at least the base install for such bugs? I know there is a large number of packages, so an audit of the whole system is impossible, but it seems reasonable to audit the base installation.

    "We are not so much looking for security holes, as we are looking for basic software bugs, and if years later someone discovers the problem used to be a security issue, and we fixed it because it was just a bug, well, all the better. Flaws have been found in just about every area of the system. Entire new classes of security problems have been found during our audit, and often source code which had been audited earlier needs re-auditing with these new flaws in mind. Code often gets audited multiple times, and by multiple people with different auditing skills."

    (source http://www.openbsd.org)


    Re: Why Debian is still not as secure as OpenBSD ? (Score: 2, Insightful)
    by Anonymous on Wednesday, May 30 @ 14:35:34 BST

    "secure by default" is only good for good press - that way clueless users get a 'secure' install.

    It's the admin that makes a system secure, not having closed everything in the base system - when you install Debian and get only kernel+ash, it won't help anyone.


    Re: Why Debian is still not as secure as OpenBSD ? (Score: 1, Insightful)
    by Anonymous on Thursday, May 31 @ 01:27:14 BST

    Yeah, but aren't we (meaning the community as a whole) speaking out of both sides of our mouth? Oftentimes we say Linux is either ready, or almost ready for the desktop. Use Linux w/ your cable modem or DSL for more security than Windows. Bla Bla Bla. I agree with those statements, but I personally believe expecting every user to be a sys-admin is ridiculous. I've been using Linux on my home network for 3+ years now, and though I dare say it's fairly secure (knock on wood) I *still* find very stupid configuration errors I've made, or files I've forgotten to patch w/ known exploits. It's great to think everyone has time to be that security conscious, and I agree any company should, but for home users the maximum available amount of security by default is not a bad thing IMHO.


    Re: Why Debian is still not as secure as OpenBSD ? (Score: 2, Informative)
    by lyberth on Thursday, May 31 @ 13:23:06 BST
    (User Info)

    It sounds like you haven't even looked at OpenBSD, or know what it is (maybe other than an OS). It is a fully functional OS with very good implementations of IPSec, Kerberos, Apache, sendmail and many other things. On top of that it's very easy to install (not the easiest at all, but still very easy), even more easy to configure and has an incredibly small footprint. One thing that I like very much is that everything in OBSD is documented very well, all the conf files have explanations of what every setting does. And that is a good thing because even though many of us know what most of the settings do, very very few know what all the lines in different files do.


    Re: Why Debian is still not as secure as OpenBSD ? (Score: 2, Interesting)
    by Anonymous on Wednesday, May 30 @ 16:58:08 BST

    Being a big fan of both OpenBSD and Debian I feel somewhat qualified to comment. I use OpenBSD when I want a secure ready to go server. I use Debian when I want a all-the-bells-and-whistles workstation. This is how I see the respective OSes by default. Either can be made as feature full or as secure as the other with a bit of work.

    I don't think Debian will ever be as secure as OpenBSD. I don't think you want Debian to be as secure as OpenBSD. OpenBSD strives to be secure. Debian seems to strive to be feature-full. Features/functionality and security are typically opposite goals.

    Part of OpenBSD's security comes from the philosophy behind its development.

    OpenBSD's development model is closed and controlled. Debian has a different philosophy. Debian development is open and offers users a lot of choice. When a package is installed with OpenBSD it is disabled by default and the user/admin must enable it. Debian often installs packages and starts the software by default. Samba is a good example of this. Under OpenBSD after Samba is installed the user must edit some files to enable it. Under Debian when Samba is installed the user is given the choice of running Samba from inetd.conf or as separate daemons. The "no run" option is not present. This is just an example of the different OpenBSD and Debian philosophies.

    If Debian wants to be as secure as OpenBSD Debian has to be more restrictive. It is easier to take a secure system and open it up to add functionality.


    Re: Why Debian is still not as secure as OpenBSD ? (Score: 0)
    by Anonymous on Sunday, June 10 @ 12:12:43 BST

    >I don't think Debian will ever be as secure as OpenBSD.

    Please tell me why I - as an intelligent Debian administrator - can't make Debian just as secure as OpenBSD? (I don't really know much about BSD, so please enlighten me).

    If it all comes down to doing a little extra post-configuration with Debian, I don't see how it qualifies as "OpenBSD being a more secure OS than Debian".

    E.g. regarding the issue with installing a new software package, and that Debian gives me no option of doing a "no run": Heck, why not just do a 'samba stop' and 'update-rc.d -f samba remove' afterwards? How hard can it be? It only takes 5 seconds.

    Same thing pretty much goes for everything else, I can imagine. If you know your Debian OS, I am sure you can make it just as secure as any BSD.

    So again, please tell me why Debian will never ever be as secure as OpenBSD.



    Re: Why Debian is still not as secure as OpenBSD ? (Score: 0)
    by Anonymous on Wednesday, June 13 @ 12:31:58 BST

    OpenBSD has been through a complete audit of all the code in the base distribution, comes with ssh and the like by default and has security settings at kernel level. This last thing is the most important: you cannot even run X without enabling it beforehand, set some attributes in the file that cannot be changed without changing the kernel security level and so on.

    There are some patches for the Linux kernel that do things like that, but as they are not part of the main kernel, they might break something and don't come by default.

    One thing I like of OpenBSD is that it has emulation libraries for other OSs, such as Linux and Solaris.

    On the other hand, I have had OpenBSD dying on me while installing packages (and not the base ones), so stability is not that great (I've only managed to crash Debian with PCMCIA and nm256).

    See ya

    Gabriel



    Re: Why Debian is still not as secure as OpenBSD ? (Score: 0)
    by Anonymous on Friday, June 15 @ 12:28:46 BST

    > Features/functionality and security are typically opposite goals.

    I guess Mr. Gates would agree with that statement. 😉


    Re: two security issues. (Score: 0)
    by Anonymous on Wednesday, May 30 @ 19:10:47 BST

    The first and easiest to deal with is which daemons are left on as part of the standard install.

    Just have a checklist of the benefit/security risk these services represent, i.e. the positive and negative consequences of turning them off or leaving them on, and suggested alternatives.

    This could be the last thing the install does.

    At the very least, the install should have a reminder of the existence of, and a pointer to this list (be it a man or a pop up box, whatever).

    A check list would assuage those who feel that Portmap should always be installed.

    Personally, I feel that it should be neither automatically included nor excluded.

    Just have it as an install option, right at the end. As a default? Sure, why not, but give the user the option to nix it right from the get go.

    The second issue of auditing code for security bugs is a much more difficult and massive undertaking.


    Re: Why Debian is still not as secure as OpenBSD ? (Score: 1)
    by pabellon (itura at rocketmail com) on Wednesday, May 30 @ 21:34:19 BST
    (User Info)

    > However OpenBSD does not appear to be as stable as Debian,

    Oh, I thought all BSD's were more stable than the Linux kernel.

    Where could I get more info about this statement made by Anonymous? Is really Debian more stable than OpenBSD?

    Here just a Debian user, but somewhat interested in Free/OpenBSD.

    Thanks.



    Stability (Score: 2, Interesting)
    by Anonymous on Wednesday, May 30 @ 22:26:19 BST

    The word 'stable' is a bit ambiguous, and I wish the submitter would have been a bit more clear on this point. (Including sources to backup the statements).

    It can mean (at least) either of these two things:

    • A system that does not change very much. No bleeding edge stuff, but conservative selection of packages. (True for Debian 'stable', not true for 'unstable' or even 'testing').
    • A system that is crash-resistant. This of course depends very much on the kernel and basic libraries in use, restricting direct hardware access from user programs (such as X, window managers), etc.

    I have long wanted to try out OpenBSD (and other *BSDs), but so far I have not seen the incentive to invest time in installing and getting familiar with it. The one thing that would make me do so is if there were opportunities to learn about unique design concepts (esp. wrt. security) not found elsewhere. "Secure by default" is nothing special, in that any system can be made as secure by simply disabling services and replacing bug-ridden packages with more secure alternatives. I am looking for something more along the lines of cryptographic filesystems, implementations of access control (role based administration, say), finding ways to protect machines where physical access cannot be avoided, and so on. Does anyone have a clue what OpenBSD might have to offer in such areas?


    Re: Stability (Score: 0)
    by Anonymous on Sunday, June 03 @ 15:40:32 BST

    If you want to learn about something that might make a real difference to security (eventually!) look at www.eros-os.org

    Rob


    Re: Why Debian is still not as secure as OpenBSD ? (Score: 0)
    by Anonymous on Thursday, May 31 @ 14:17:17 BST

    short answer: no.

    OpenBSD doesn't make any big changes and due to the code audit the code is mostly bug free. Stability is a part of good security. On the other hand there are more hardware drivers for Linux, and the Linux drivers tend to be a little more tolerant of bad/flaky hardware. So like Linux, OpenBSD is rock solid if you have good hardware.

    I consider OpenBSD more stable than Debian. OpenBSD is like Debian/stable, but it is no more than 6 months old.


    Re: Why Debian is still not as secure as OpenBSD ? (Score: 0)
    by Anonymous on Thursday, May 31 @ 20:44:33 BST

    you say you think BSD is more stable but you don't back that up. care to do so?



    Re: Why Debian is still not as secure as OpenBSD ? (Score: 0)
    by Anonymous on Wednesday, May 30 @ 21:46:51 BST

    Another problem with Debian is its nature as a distribution made by contributing individuals.

    If you use a certain package, you have to trust the package maintainer not to put backdoors in their package. For a really important system, I would therefore never use Debian.


    Re: Why Debian is still not as secure as OpenBSD ? (Score: 1, Informative)
    by Anonymous on Wednesday, May 30 @ 22:07:59 BST

    well, you don't HAVE to trust them. Download the src-deb and look at the source!

    --G



    Re: Why Debian is still not as secure as OpenBSD ? (Score: 1, Insightful)
    by Anonymous on Thursday, May 31 @ 16:21:40 BST

    this is not a practical solution. of course you could read through the source, but you won't be able to do that for more than a few packages, and even then it is highly likely that you won't be able to find well placed backdoors.

    in any way, in a critical environment i'd rather go for a more "closed" distribution and have them responsible for the content.



    Re: Why Debian is still not as secure as OpenBSD ? (Score: 0)
    by Anonymous on Friday, June 08 @ 04:03:57 BST

    I think that's a bit of a fallacy. Anyone with write access to upstream programs can put in trojans, and I would bet that it would get into most of the other distributions. You don't actually think Red Hat audits all the code they release, do you?



    Re: Why Debian is still not as secure as OpenBSD ? (Score: 2, Insightful)
    by Anonymous on Thursday, May 31 @ 01:01:36 BST

    In OpenBSD, you have to trust Theo de Raadt !!! 😉


    Re: Why Debian is still not as secure as OpenBSD ? (Score: 0)
    by Anonymous on Thursday, May 31 @ 01:02:43 BST

    I want to know if there is a guideline for creating secure packages?


    Re: Why Debian is still not as secure as OpenBSD ? (Score: 1)
    by Anonymous on Thursday, May 31 @ 21:15:24 BST

    This is reversed. With Debian, you always know who is responsible for a package, so if a Debian developer deliberately put a backdoor in a package, she would get kicked off the project when it comes to light - and it always does.

    It's probably not much different with the *BSDs, but compare this to other Linux distros like SuSE or RedHat...



    security and stability are virtually synonymous (Score: 2, Insightful)
    by xah on Thursday, May 31 @ 03:20:13 BST
    (User Info)

    The article said that Debian is more stable, but OpenBSD is more secure. Does this include DoS attacks? In my view, a stability problem deprives the user of the ability to control his computer. A security problem also deprives the user of the ability to control his computer. So, why do you consider these to be different?



    Re: Why Debian is still not as secure as OpenBSD ? (Score: 3, Informative)
    by Anonymous on Thursday, May 31 @ 17:02:32 BST

    There are also a few kernel level issues:

    • OpenBSD supports encryption of virtual memory, AFAIK, linux does not.
    • OpenBSD uses stronger encryption than the standard unix crypt. Sure, this isn't that important what with shadow passwords, but it still makes it more secure.
    • OpenBSD supports one time passwords, i.e. S/KEY logins(can this be done in linux?)
    • Also OpenBSD appears to support more crypto hardware than linux, but only a few extra devices.
    • Of course, IMHO all this doesn't really matter for average users/admins like myself. I think OpenBSD is so secure because Theo and his gang are obsessive, egocentric hackers who judge their self worth by how few OpenBSD exploits pop up. I don't know of any other OS which can claim that.

      For me, inside firewall == debian, solaris, outside firewall == openbsd



    S/KEY support (Score: 2, Informative)
    by Anonymous on Thursday, May 31 @ 18:35:54 BST

    > OpenBSD supports one time passwords, i.e. S/KEY logins(can this be done in linux?)

    # apt-get install libpam-opie opie-client opie-server

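The S/KEY-style login the two comments above refer to is a hash chain: the client keeps the secret, the server keeps only the last accepted hash and checks that each submitted one-time password is its preimage. This is an added illustration, not code from the thread or from the opie packages; it uses SHA-256 for simplicity where real S/KEY and OPIE fold an MD4 or MD5 digest to 64 bits, and the secret, seed and chain length are constructed values.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Tuple


def _step(data: bytes) -> bytes:
    """One link of the chain. Assumption: SHA-256 instead of S/KEY's folded MD4/MD5."""
    return hashlib.sha256(data).digest()


def client_otp(secret: str, seed: str, sequence: int) -> bytes:
    """OTP number `sequence`: seed||secret hashed sequence+1 times.
    Only the client ever runs this, because only the client holds the secret."""
    h = _step((seed + secret).encode())
    for _ in range(sequence):
        h = _step(h)
    return h


@dataclass
class OtpRecord:
    """Per-user server state: seed, logins remaining, and the last hash accepted."""
    seed: str
    sequence: int
    last_hash: bytes


def enroll(secret: str, seed: str, count: int) -> OtpRecord:
    """Enrollment hands the server only the top of the chain, never the secret."""
    return OtpRecord(seed=seed, sequence=count,
                     last_hash=client_otp(secret, seed, count))


def challenge(record: OtpRecord) -> Tuple[int, str]:
    """What the server tells the client at login: which OTP to compute, and the seed."""
    return record.sequence - 1, record.seed


def verify(record: OtpRecord, otp: bytes) -> bool:
    """Accept only the immediate preimage of the stored hash. A captured OTP is
    useless afterwards (replay fails) and an exhausted chain forces re-enrollment."""
    if record.sequence <= 0:
        return False                      # chain used up: re-enroll with a fresh seed
    if not hmac.compare_digest(_step(otp), record.last_hash):
        return False
    record.sequence -= 1                  # move one link down the chain
    record.last_hash = otp
    return True


if __name__ == "__main__":
    # Constructed demo values, not real credentials.
    secret, seed = "correct horse battery", "de1234"
    record = enroll(secret, seed, count=5)
    seq, _ = challenge(record)
    otp = client_otp(secret, seed, seq)
    print("first login:", verify(record, otp))     # True
    print("replay:     ", verify(record, otp))     # False
```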


    Re: Why Debian is still not as secure as OpenBSD ? (Score: 3, Informative)
    by Anonymous on Thursday, May 31 @ 21:18:26 BST

    > OpenBSD uses stronger encryption than the standard unix crypt. Sure, this isn't that important what with shadow passwords, but it still makes it more secure.

    Debian offers MD5 passwords...



    Re: Why Debian is still not as secure as OpenBSD ? (Score: 4, Interesting)
    by Alain_Tesio on Thursday, May 31 @ 23:45:24 BST
    (User Info) http://onesite.org/

    Arguments for both sides here:

    Why Linux Will Never Be as Secure as OpenBSD

    Why OpenBSD Will Never Be as Secure as Linux

    At least for easy choices, I see no reason to have some services enabled by default in inetd.conf, and then read in the security howto that they should systematically be disabled.
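The inetd.conf point above (and the Samba-from-inetd example earlier in the thread) is easy to check mechanically. As an added example, not from the thread or from Debian's tools, here is a small Python audit that lists which inetd services are enabled, which of them run as root, and rewrites the file so that everything outside an allowlist is disabled with the `#<off>#` marker update-inetd uses; the sample inetd.conf is constructed, not a real Debian default file.

```python
from typing import Dict, Iterable, List, Tuple

# Marker Debian's update-inetd writes in front of an entry it has disabled.
OFF_MARK = "#<off>#"

# Constructed sample (not a real Debian default file).
SAMPLE_INETD_CONF = """\
# /etc/inetd.conf:  see inetd(8) for further information.
#:INTERNAL: Internal services
echo     stream  tcp  nowait  root    internal
discard  stream  tcp  nowait  root    internal
#:STANDARD: These are standard services.
telnet   stream  tcp  nowait  root    /usr/sbin/tcpd  /usr/sbin/in.telnetd
ftp      stream  tcp  nowait  root    /usr/sbin/tcpd  /usr/sbin/in.ftpd
#:MAIL:
smtp     stream  tcp  nowait  mail    /usr/sbin/exim  exim -bs
#:INFO: Info services
finger   stream  tcp  nowait  nobody  /usr/sbin/tcpd  /usr/sbin/in.fingerd
#<off># ident  stream  tcp  nowait  nobody  /usr/sbin/identd  identd
#:OTHER:
netbios-ssn  stream  tcp  nowait  root  /usr/sbin/tcpd  /usr/sbin/smbd
"""


def parse_inetd(text: str) -> List[Dict[str, object]]:
    """Parse entries; '#<off>#' lines are kept but flagged disabled,
    ordinary comments and blank lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        enabled = True
        if line.startswith(OFF_MARK):
            enabled = False
            line = line[len(OFF_MARK):].strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)      # service socket proto wait user program+args
        if len(fields) < 6:               # too few columns to be an entry
            continue
        service, socktype, proto, wait, user, program = fields
        entries.append({"line": lineno, "service": service, "socket": socktype,
                        "proto": proto, "wait": wait, "user": user,
                        "program": program, "enabled": enabled})
    return entries


def enabled_services(text: str) -> List[str]:
    """Services inetd would actually listen for."""
    return [e["service"] for e in parse_inetd(text) if e["enabled"]]


def running_as_root(text: str) -> List[str]:
    """Enabled entries whose handler runs as root: the ones worth a second look."""
    return [e["service"] for e in parse_inetd(text)
            if e["enabled"] and e["user"] == "root"]


def harden_inetd(text: str, allow: Iterable[str]) -> Tuple[str, List[str]]:
    """Disable every enabled service not in `allow`, update-inetd style, keeping
    the file layout intact. Returns the new text and the services switched off."""
    allowed = set(allow)
    out, disabled = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            service = line.split(None, 1)[0]
            if service not in allowed:
                out.append(f"{OFF_MARK} {raw}")
                disabled.append(service)
                continue
        out.append(raw)
    return "\n".join(out) + "\n", disabled
```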


    Re: Why Debian is still not as secure as OpenBSD ? (Score: 1)
    by castlan on Friday, October 05 @ 10:38:53 BST
    (User Info)

    As informative as this may be, this is missing one thing.

    Debian is not Linux. It runs on top of Linux, but can also run on top of HURD, and soon enough will be supported on top of a BSD kernel.

    Of course the more integrated OpenBSD currently is more secure because it is more stable (hold on), that is not the end of the story. It is stable in that the foundations have not been changing very significantly... the code audits tend to reinforce previous structure, not introduce new uncertainties. With well supported hardware, this will make the system more stable (as in robust, non crashing).

    While OpenBSD will remain highly secure in its default configuration, in practice Debian will surpass OpenBSD eventually. As Debian tools become more widely used and platform independent, they will be forced to become more robust to deal with the variety of systems they handle. The always changing Linux kernel will be the weakest link as the Debian system stabilizes in spite of Linux.

    At this point, you will choose from the best of both worlds. Run a robust and dynamic Debian system on a stable, well defined kernel like OpenBSD's. Mua-ha-ha-ha!!!


    Encrypted paging (Score: 0)
    by Anonymous on Saturday, February 09 @ 20:30:19 GMT

    Couldn't you do encrypted paging in Linux by paging to an encrypted loopback filesystem?

    (However, I spent a few evenings trying to get the encrypted loopback filesystem to work with the 2.4.17 Linux kernel I'm running and I ultimately gave up, so maybe this is a bogus alternative.)

