From: Zenny <gar...@gm...> - 2012-03-22 17:23:22
|
On 3/22/12, Bruce Smith <bw...@re...> wrote: >> > The server version has extra hardening against attacks, such as >> > grsecurity >> > and a few other things. The non-server does not have these extra >> > hardening, it's more of a "standard" Linux distro. > > It was early when I wrote that, and I said it completely backwards. > > The server version does NOT have extra hardening like grsec. > The non-server (firewall) version is harded with grsec & other things. > >> > Basically if you're going to expose Devil-Linux directly to the >> > internet, >> > such as a firewall or a web server or DNS server, you're a little safer >> > running the non-server version. If you're running DL as an internal >> > server >> > behind a firewall (i.e. Samba), not exposed directly to the internet, >> > then >> > the server version might run better for you. That's because >> > grsecurity sometimes mistakes high resource using server processes as >> > some >> > kind of attack and kills them. >> >> But when I checked the non-server version, the kernel also has >> grsecurity patch installed: >> >> #uname -a >> Linux Devil 3.2.11-grsec >> >> Then even the non-server version is also vulnerable to false-positive >> assumption of the gresecurity patch, isn't it? > > Try the server version and it shouldn't have grsec installed. > > Sorry for I misspoke above, and thanks for pointing it out. Never mind! > >> > If you're running server processes on the non-server version that start >> > dying for unknown reasons, switch to the server version and see if that >> > fixes your problems. And it's never a good idea to run internal servers >> > on >> > your internet firewall, hence the two distinct versions of Devil-Linux. >> >> Thanks for the clarification. As for me, I may never prefer to run >> extra services (except those applications needed to make other >> applications behind NAT of the firewall to run (like siproxd). >> >> BTW, how does the failover and loadbalancing be achieved in DL? I did >> see pound, but wouldn't nginx be better instead of pound (I did see >> apache and thttpd under services)? > > I've never run failover and loadbalancing, so I can't answer that. > >> Another question is: by default the firewall service (I gues >> iptables?) is enabled. Is it necessary to enable both firewall and >> shorewall if I try to use shorewall wrapper scripts? > > I've never tried, but you should be able to run any iptables scripts > for your firewall. > > There are a couple sample scripts that get copied over when you select > a firewall (depending 2 or 3 NIC's). The boot process runs > /etc/init.d/firewall.rules which you can replace with any script that > runs iptables. > >> How can I add additional applications and services to the DL box, I >> meant customization? Where can I find documentation for 1.6 version? > > www.devil-linux.org > The last time I looked, the website didn't have 1.6 documentation yet, > and 1.5 docs were broken. But the 1.4 documentation should work; I > don't think much has changed. > >> How exactly DevilLinux excel from something like openwall/zeroshell? > > Devil-LInux is a little different, in that it has a full range of > server software installed and can be used as either a server or > firewall. > > It is also created to run off a read-only media (i.e. CDROM or ISO > image) so the base install cannot be modified or hacked. > > And the main reason I use Devil-Linux is the ease of upgrading it to a > newer version, and the ease of backing it up, since only a small tar > file containing all of your customizations needs to be backed up > (unless you're using a live hard drive server data). Yes, but that can easily be done with the debian-based voyage linux also, a portable stuff with much more packages to install and userbase. Just wondering what makes DL so special and secure compared to others? I could not find the kind of the security measures that DL took or the concept (like http://www.openwall.com/Owl/CONCEPTS.shtml). Any pointers to such docuemnts? > > - BS > > ------------------------------------------------------------------------------ > This SF email is sponsosred by: > Try Windows Azure free for 90 days Click Here > http://p.sf.net/sfu/sfd2d-msazure > _______________________________________________ > Devil-linux-discuss mailing list > Dev...@li... > https://lists.sourceforge.net/lists/listinfo/devil-linux-discuss > |