From: Zenny <gar...@gm...> - 2012-03-22 16:20:05

Thanks for the reply. My impressions are inline below:

On 3/22/12, Bruce Smith <bw...@re...> wrote:
> The server version has extra hardening against attacks, such as grsecurity
> and a few other things. The non-server does not have these extra
> hardening, it's more of a "standard" Linux distro.
>
> Basically if you're going to expose Devil-Linux directly to the internet,
> such as a firewall or a web server or DNS server, you're a little safer
> running the non-server version. If you're running DL as an internal server
> behind a firewall (i.e. Samba), not exposed directly to the internet, then
> the server version might run better for you. That's because
> grsecurity sometimes mistakes high resource using server processes as some
> kind of attack and kills them.

But when I checked the non-server version, the kernel also has
grsecurity patch installed:

#uname -a
Linux Devil 3.2.11-grsec

Then even the non-server version is also vulnerable to false-positive
assumption of the grsecurity patch, isn't it?

> If you're running server processes on the non-server version that start
> dying for unknown reasons, switch to the server version and see if that
> fixes your problems. And it's never a good idea to run internal servers on
> your internet firewall, hence the two distinct versions of Devil-Linux.

Thanks for the clarification. As for me, I may never prefer to run
extra services (except those applications needed to make other
applications behind NAT of the firewall to run (like siproxd).

BTW, how does the failover and loadbalancing be achieved in DL? I did
see pound, but wouldn't nginx be better instead of pound (I did see
apache and thttpd under services)?

Another question is: by default the firewall service (I guess
iptables?) is enabled. Is it necessary to enable both firewall and
shorewall if I try to use shorewall wrapper scripts?

How can I add additional applications and services to the DL box, I
meant customization? Where can I find documentation for 1.6 version?

How exactly DevilLinux excel from something like openwall/zeroshell?

Thanks for sharing interesting work!

> - BS

From: Bruce S. <bw...@re...> - 2012-03-22 16:39:21

> > The server version has extra hardening against attacks, such as grsecurity
> > and a few other things. The non-server does not have these extra
> > hardening, it's more of a "standard" Linux distro.

It was early when I wrote that, and I said it completely backwards.

The server version does NOT have extra hardening like grsec.
The non-server (firewall) version is hardened with grsec & other things.

> > Basically if you're going to expose Devil-Linux directly to the internet,
> > such as a firewall or a web server or DNS server, you're a little safer
> > running the non-server version. If you're running DL as an internal server
> > behind a firewall (i.e. Samba), not exposed directly to the internet, then
> > the server version might run better for you. That's because
> > grsecurity sometimes mistakes high resource using server processes as some
> > kind of attack and kills them.
>
> But when I checked the non-server version, the kernel also has
> grsecurity patch installed:
>
> #uname -a
> Linux Devil 3.2.11-grsec
>
> Then even the non-server version is also vulnerable to false-positive
> assumption of the grsecurity patch, isn't it?

Try the server version and it shouldn't have grsec installed.

Sorry I misspoke above, and thanks for pointing it out.

> > If you're running server processes on the non-server version that start
> > dying for unknown reasons, switch to the server version and see if that
> > fixes your problems. And it's never a good idea to run internal servers on
> > your internet firewall, hence the two distinct versions of Devil-Linux.
>
> Thanks for the clarification. As for me, I may never prefer to run
> extra services (except those applications needed to make other
> applications behind NAT of the firewall to run (like siproxd).
>
> BTW, how does the failover and loadbalancing be achieved in DL? I did
> see pound, but wouldn't nginx be better instead of pound (I did see
> apache and thttpd under services)?

I've never run failover and loadbalancing, so I can't answer that.

> Another question is: by default the firewall service (I guess
> iptables?) is enabled. Is it necessary to enable both firewall and
> shorewall if I try to use shorewall wrapper scripts?

I've never tried, but you should be able to run any iptables scripts
for your firewall.

There are a couple sample scripts that get copied over when you select
a firewall (depending on 2 or 3 NICs). The boot process runs
/etc/init.d/firewall.rules which you can replace with any script that
runs iptables.

> How can I add additional applications and services to the DL box, I
> meant customization? Where can I find documentation for 1.6 version?

www.devil-linux.org
The last time I looked, the website didn't have 1.6 documentation yet,
and 1.5 docs were broken. But the 1.4 documentation should work; I
don't think much has changed.

> How exactly DevilLinux excel from something like openwall/zeroshell?

Devil-Linux is a little different, in that it has a full range of
server software installed and can be used as either a server or
firewall.

It is also created to run off a read-only media (i.e. CDROM or ISO
image) so the base install cannot be modified or hacked.

And the main reason I use Devil-Linux is the ease of upgrading it to a
newer version, and the ease of backing it up, since only a small tar
file containing all of your customizations needs to be backed up
(unless you're using a live hard drive server data).

- BS

From: Zenny <gar...@gm...> - 2012-03-22 17:23:22

On 3/22/12, Bruce Smith <bw...@re...> wrote:
>> > The server version has extra hardening against attacks, such as
>> > grsecurity and a few other things. The non-server does not have
>> > these extra hardening, it's more of a "standard" Linux distro.
>
> It was early when I wrote that, and I said it completely backwards.
>
> The server version does NOT have extra hardening like grsec.
> The non-server (firewall) version is hardened with grsec & other things.
>
>> > Basically if you're going to expose Devil-Linux directly to the
>> > internet, such as a firewall or a web server or DNS server, you're
>> > a little safer running the non-server version. If you're running DL
>> > as an internal server behind a firewall (i.e. Samba), not exposed
>> > directly to the internet, then the server version might run better
>> > for you. That's because grsecurity sometimes mistakes high resource
>> > using server processes as some kind of attack and kills them.
>>
>> But when I checked the non-server version, the kernel also has
>> grsecurity patch installed:
>>
>> #uname -a
>> Linux Devil 3.2.11-grsec
>>
>> Then even the non-server version is also vulnerable to false-positive
>> assumption of the grsecurity patch, isn't it?
>
> Try the server version and it shouldn't have grsec installed.
>
> Sorry I misspoke above, and thanks for pointing it out.

Never mind!

>> > If you're running server processes on the non-server version that
>> > start dying for unknown reasons, switch to the server version and
>> > see if that fixes your problems. And it's never a good idea to run
>> > internal servers on your internet firewall, hence the two distinct
>> > versions of Devil-Linux.
>>
>> Thanks for the clarification. As for me, I may never prefer to run
>> extra services (except those applications needed to make other
>> applications behind NAT of the firewall to run (like siproxd).
>>
>> BTW, how does the failover and loadbalancing be achieved in DL? I did
>> see pound, but wouldn't nginx be better instead of pound (I did see
>> apache and thttpd under services)?
>
> I've never run failover and loadbalancing, so I can't answer that.
>
>> Another question is: by default the firewall service (I guess
>> iptables?) is enabled. Is it necessary to enable both firewall and
>> shorewall if I try to use shorewall wrapper scripts?
>
> I've never tried, but you should be able to run any iptables scripts
> for your firewall.
>
> There are a couple sample scripts that get copied over when you select
> a firewall (depending on 2 or 3 NICs). The boot process runs
> /etc/init.d/firewall.rules which you can replace with any script that
> runs iptables.
>
>> How can I add additional applications and services to the DL box, I
>> meant customization? Where can I find documentation for 1.6 version?
>
> www.devil-linux.org
> The last time I looked, the website didn't have 1.6 documentation yet,
> and 1.5 docs were broken. But the 1.4 documentation should work; I
> don't think much has changed.
>
>> How exactly DevilLinux excel from something like openwall/zeroshell?
>
> Devil-Linux is a little different, in that it has a full range of
> server software installed and can be used as either a server or
> firewall.
>
> It is also created to run off a read-only media (i.e. CDROM or ISO
> image) so the base install cannot be modified or hacked.
>
> And the main reason I use Devil-Linux is the ease of upgrading it to a
> newer version, and the ease of backing it up, since only a small tar
> file containing all of your customizations needs to be backed up
> (unless you're using a live hard drive server data).

Yes, but that can easily be done with the debian-based voyage linux
also, a portable stuff with much more packages to install and
userbase.

Just wondering what makes DL so special and secure compared to others?

I could not find the kind of the security measures that DL took or the
concept (like http://www.openwall.com/Owl/CONCEPTS.shtml). Any
pointers to such documents?

> - BS

From: Bruce S. <bw...@re...> - 2012-03-22 20:14:15

>> It is also created to run off a read-only media (i.e. CDROM or ISO
>> image) so the base install cannot be modified or hacked.
>>
>> And the main reason I use Devil-Linux is the ease of upgrading it to a
>> newer version, and the ease of backing it up, since only a small tar
>> file containing all of your customizations needs to be backed up
>> (unless you're using a live hard drive server data).
>
> Yes, but that can easily be done with the debian-based voyage linux
> also, a portable stuff with much more packages to install and
> userbase.

Besides iptables, my firewall is running dhcpd with ddns updating BIND
for my internal network, radvd for ipv6, ntpd for my internal network,
and a dynamic dns service updater. Nothing very fancy, but I can back
it up completely in a single tar file that is less than 125KB. If I
want an off-site backup, I can encrypt it and email offsite as an
attachment.

And for an upgrade, all I have to do is download and burn a new ISO
image. And if for some reason there is a problem with the update, I
can go back to my old ISO. Much easier than a regular disk-installed
Linux distro.

> Just wondering what makes DL so special and secure compared to others?
>
> I could not find the kind of the security measures that DL took or the
> concept (like http://www.openwall.com/Owl/CONCEPTS.shtml). Any
> pointers to such documents?

Most of the security measures are listed here:
http://www.devil-linux.org/product/features.php

Let me know if that's not what you're looking for.

- BS

From: Zenny <gar...@gm...> - 2012-03-22 21:29:59

On 3/22/12, Bruce Smith <bw...@re...> wrote:
>>> It is also created to run off a read-only media (i.e. CDROM or ISO
>>> image) so the base install cannot be modified or hacked.
>>>
>>> And the main reason I use Devil-Linux is the ease of upgrading it to a
>>> newer version, and the ease of backing it up, since only a small tar
>>> file containing all of your customizations needs to be backed up
>>> (unless you're using a live hard drive server data).
>>
>> Yes, but that can easily be done with the debian-based voyage linux
>> also, a portable stuff with much more packages to install and
>> userbase.
>
> Besides iptables, my firewall is running dhcpd with ddns updating BIND
> for my internal network, radvd for ipv6, ntpd for my internal network,
> and a dynamic dns service updater. Nothing very fancy, but I can back
> it up completely in a single tar file that is less than 125KB. If I
> want an off-site backup, I can encrypt it and email offsite as an
> attachment.
>
> And for an upgrade, all I have to do is download and burn a new ISO
> image. And if for some reason there is a problem with the update, I
> can go back to my old ISO. Much easier than a regular disk-installed
> Linux distro.
>
>> Just wondering what makes DL so special and secure compared to others?
>>
>> I could not find the kind of the security measures that DL took or the
>> concept (like http://www.openwall.com/Owl/CONCEPTS.shtml). Any
>> pointers to such documents?
>
> Most of the security measures are listed here:
> http://www.devil-linux.org/product/features.php

They are good features, yet ...

> Let me know if that's not what you're looking for.

I am looking for something like
http://www.openwall.com/presentations/Owl/ which explains in detail
the measures taken in order to secure system architecture (not only to
patch with grsec, however you confirmed that non-server flavor has no
patch either), and the packages that GCC stack overflow was not
addressed.

Thanks!

> - BS

From: Heiko Z. <he...@zu...> - 2012-03-23 12:45:37

Zenny,

Quoting Zenny <gar...@gm...>:
> On 3/22/12, Bruce Smith <bw...@re...> wrote:
>>>> It is also created to run off a read-only media (i.e. CDROM or ISO
>>>> image) so the base install cannot be modified or hacked.
>>>>
>>>> And the main reason I use Devil-Linux is the ease of upgrading it to a
>>>> newer version, and the ease of backing it up, since only a small tar
>>>> file containing all of your customizations needs to be backed up
>>>> (unless you're using a live hard drive server data).
>>>
>>> Yes, but that can easily be done with the debian-based voyage linux
>>> also, a portable stuff with much more packages to install and
>>> userbase.
>>
>> Besides iptables, my firewall is running dhcpd with ddns updating BIND
>> for my internal network, radvd for ipv6, ntpd for my internal network,
>> and a dynamic dns service updater. Nothing very fancy, but I can back
>> it up completely in a single tar file that is less than 125KB. If I
>> want an off-site backup, I can encrypt it and email offsite as an
>> attachment.
>>
>> And for an upgrade, all I have to do is download and burn a new ISO
>> image. And if for some reason there is a problem with the update, I
>> can go back to my old ISO. Much easier than a regular disk-installed
>> Linux distro.
>>
>>> Just wondering what makes DL so special and secure compared to others?
>>>
>>> I could not find the kind of the security measures that DL took or the
>>> concept (like http://www.openwall.com/Owl/CONCEPTS.shtml). Any
>>> pointers to such documents?
>>
>> Most of the security measures are listed here:
>> http://www.devil-linux.org/product/features.php
>
> They are good features, yet ...
>
>> Let me know if that's not what you're looking for.
>
> I am looking for something like
> http://www.openwall.com/presentations/Owl/ which explains in detail
> the measures taken in order to secure system architecture (not only to
> patch with grsec, however you confirmed that non-server flavor has no
> patch either), and the packages that GCC stack overflow was not
> addressed.

I understand that you want to know all these details, but...
We develop DL in our spare time (and you don't pay a cent for it) and
the same goes for any documentation which is available. We also
heavily depend on the contributions from our users. If you want to
know any more details on DL specific features, you'll have to do the
leg-work yourself and google around. There's nothing magic we're doing
in DL. Everything we do and use is publicly available.
IF you decide to do all this research into all the various security
details, how about putting everything into a nice presentation so that
we can put it on our website?

--

Regards
Heiko Zuerker
http://www.devil-linux.org

From: Zenny <gar...@gm...> - 2012-03-23 14:37:44

On 3/23/12, Heiko Zuerker <he...@zu...> wrote:
> Zenny,
>
> Quoting Zenny <gar...@gm...>:
>> On 3/22/12, Bruce Smith <bw...@re...> wrote:
>>>>> It is also created to run off a read-only media (i.e. CDROM or ISO
>>>>> image) so the base install cannot be modified or hacked.
>>>>>
>>>>> And the main reason I use Devil-Linux is the ease of upgrading it to a
>>>>> newer version, and the ease of backing it up, since only a small tar
>>>>> file containing all of your customizations needs to be backed up
>>>>> (unless you're using a live hard drive server data).
>>>>
>>>> Yes, but that can easily be done with the debian-based voyage linux
>>>> also, a portable stuff with much more packages to install and
>>>> userbase.
>>>
>>> Besides iptables, my firewall is running dhcpd with ddns updating BIND
>>> for my internal network, radvd for ipv6, ntpd for my internal network,
>>> and a dynamic dns service updater. Nothing very fancy, but I can back
>>> it up completely in a single tar file that is less than 125KB. If I
>>> want an off-site backup, I can encrypt it and email offsite as an
>>> attachment.
>>>
>>> And for an upgrade, all I have to do is download and burn a new ISO
>>> image. And if for some reason there is a problem with the update, I
>>> can go back to my old ISO. Much easier than a regular disk-installed
>>> Linux distro.
>>>
>>>> Just wondering what makes DL so special and secure compared to others?
>>>>
>>>> I could not find the kind of the security measures that DL took or the
>>>> concept (like http://www.openwall.com/Owl/CONCEPTS.shtml). Any
>>>> pointers to such documents?
>>>
>>> Most of the security measures are listed here:
>>> http://www.devil-linux.org/product/features.php
>>
>> They are good features, yet ...
>>
>>> Let me know if that's not what you're looking for.
>>
>> I am looking for something like
>> http://www.openwall.com/presentations/Owl/ which explains in detail
>> the measures taken in order to secure system architecture (not only to
>> patch with grsec, however you confirmed that non-server flavor has no
>> patch either), and the packages that GCC stack overflow was not
>> addressed.
>
> I understand that you want to know all these details, but...
> We develop DL in our spare time (and you don't pay a cent for it) and
> the same goes for any documentation which is available.

I am yet to use it either. So I have no obligation to pay. You don't
go to a shopping spree and start paying before you liked something.
And that is more true in the FLOSS movement. Your remark that 'you
don't pay a cent of it' sucks in the FLOSS world and gives an
impression of what you are made of!

> We also
> heavily depend on the contributions from our users. If you want to
> know any more details on DL specific features, you'll have to do the
> leg-work yourself and google around.

Nope, the burden of proof lies with the developers.

> There's nothing magic we're doing
> in DL. Everything we do and use is publicly available.
> IF you decide to do all this research into all the various security
> details, how about putting everything into a nice presentation so that
> we can put it on our website?

I already stopped exploring because it was like groping in the dark.
Best of luck to your project, but I bid adieu to DL as well as this
mailing list!

> --
>
> Regards
> Heiko Zuerker
> http://www.devil-linux.org

From: Serge L. <ser...@gm...> - 2012-03-23 15:59:12

On 03/23/2012 07:37 AM, Zenny wrote:
>
>> We also
>> heavily depend on the contributions from our users. If you want to
>> know any more details on DL specific features, you'll have to do the
>> leg-work yourself and google around.
>
> Nope, the burden of proof lies with the developers.

...

I'd say that DL's targeted audience is professional admins, who know
what they want and why. DL has several major features - stability,
security enhancements and distribution specific like "run-from-ram",
configuration is separated from the system image, simplicity of
customization of course (I use DL as a Cisco ASA replacement actually,
much more flexible and powerful replacement). Nobody knows what exactly
you need, besides you of course. DL may be suitable for your needs, may
be not. Do not rely on our proofs, get your own. It's a tool which can
help in your job, may harm

>> There's nothing magic we're doing
>> in DL. Everything we do and use is publicly available.
>> IF you decide to do all this research into all the various security
>> details, how about putting everything into a nice presentation so that
>> we can put it on our website?
>
> I already stopped exploring because it was like groping in the dark.
> Best of luck to your project, but I bid adieu to DL as well as this
> mailing list!

If you cannot independently "dissect" a linux distribution, most
probably DL is not for you. LFS-based distributions are not oriented
for newbies, unfortunately. Your right to choose what to use and what
not to use.

Good luck,
Serge