Another vote for Clamwin - free & doesn't slow the system.
Best protection though is a Linux gateway
best protection is Linux period, no virus worries, no nasty mal/spyware, no excess of services with more holes than swiss cheese.. FC4 is pretty hardened out of the box. If a user screws up, delete his/her account and recreate it, no user error = compromised system.
Sorry, but anyone can see that's just plain not true. There have never been exploits for Linux systems? There are never kernel and application patches to fix security holes? A well-configured Windows system can be just as secure as a Linux system if the admin knows what they're doing.
the difference is between an inherently secure and an inherently insecure setup. XP and 2000, for example, give full admin rights to the main user of a system. if that main user visits a website with a javascript virus renamed to .jpg, then that's the entire system infected.
yes, linux has viruses (about 30 of them, i think, mostly directed at apache), yes there are exploits (mostly for old versions of apache), but it's not on the same scale, especially given the damage limitation of a true multi-user setup
oh there's hundreds of kernel patches, but they're to add support or stability fixes, it doesn't leave the entire system open.. Daemons *can* be exploited, e.g. ancient versions of apache, even at that the exploits available are minimal compared to the likes of IIS.. not that default distro configurations even run anything.
windows out of the box is inherently insecure, running exploitable services (which you can't disable).
windows by its very architecture is inherently insecure tying in a bunch of services and drivers into the kernel that don't really need to be there. And even the services in 'user space' are given 'local system' access, which means they can do whatever the hell they want (or are manipulated by buffer overflows to do).
Like directhex said, virus count for Linux: 30ish (most of which have died off completely).
Virus count for windows: in the region of hundreds of thousands.
Even a standard user on a windows network.. when browsing websites a virus can latch onto the user's system bypassing any firewalls, and then it is free to try to exploit the entire network.
Which leaves me confused as to why businesses think a windows network is the holy grail, I mean other than exchange server (an inherently unstable mail/schedule/contacts server, despite there being other solutions available) and office integration.
Most medium to large scale enterprises have some kind of intranet on their network, it could easily extend to deal with information management and perform all the duties that an exchange server can plus plenty more that it can't do.
On the linux vs windows front. Jinkies people, if you're going to play that card at least get it right, BSD is inherently more secure than linux.
I have hatred for linux, since i had to take an unexpected trip to telehouse because i only patched SSHd (version 1) once in a week. Damn my laziness. Box got completely taken over. To my knowledge terminal services has never had this sort of issue. Then there were the DoS exploits, because of linux's piss poor process management, lack of pre-emptive multithreading, meant that it was INCREDIBLY vulnerable to this type of DoS attack.
Issues with PHP and open source forums, there are well known worms which use bugs in PHP (which were patched) to spread and propagate (trying to keep this on topic about virus rather than general people's religion).
Now aidanjt, your claim "Even a standard user on a windows network.. when browsing websites a virus can latch onto the user's system bypassing any firewalls, and then it is free to try to exploit the entire network." Windows has stronger process management in usermode than linux right up to 2.6 (not to mention much better threading model than 2.2 and 2.4). So how can something spread. A virus latching onto a user's computer? When they click "Yes". If the person is running as "user" then it's not going to be able to spread to other network machines easily. If the security settings have been turned up (using a slider, such a hard job) then that type of user stupidity is prevented.
Windows networks are good because it's a proven stable OS, as my, granted now out of date experience of SSH shows, you can't take the risk of saying Wednesday 1am at risk period. Because you will be exposed and vulnerable. Whereas with windows (generally) all you need is a weekly re-patch.
Anyone who says "this platform doesn't have a virus" is an eejit. I wrote a multithreading kernel for a PIC18 series a few years ago. There are no viruses for the platform? why because i'm the only person who uses it. The thing is i know you can actually slam a virus into it via a 'design feature' of my PSP handling on the PIC.
Now it's incredible to me that so many people are promoting Linux. The reason why, i've pissed about with it since '98 it wasn't until 2001 i had a spare machine for it to live on. Now i've got my new personal server running Windows 2003 server (i had a spare license) and it's much safer, i know all the core programs that can compromise it are made by microsoft. I know i only need it to re-set for patches some time on patch tuesday.
Let's look at MS, the only crippling bug was an RPC exploit. Now ironically there are so many more exploits on a Linux system, and just like that one on windows it's not really the kernel, it's the stuff around it, take XFree86, the window manager generally runs as root. Hahaha!
Now Linux at present has security by obscurity, that is, people will target the xxx million windows machines, and linux generally doesn't have the stupid users too.
OpenBSD likes to consider itself very secure, and it is, but some of the distro team have their head so far up their arse ..... you get what i mean.
in short, no platform is 100% secure. Virus scanners are a good idea. Saying using a linux gateway for security, ur stupid. Hardware firewalls are good (m0n0wall been my favourite free one) but without packet inspection it's not going to be a great protection against user stupidity.
throw new ArgumentException (String, String, Exception)
aidanjt - take a look at some stats for exploits of IIS6 vs Apache 2, and then try and tell me Apache is safer/more secure than IIS.
I'm not trying to argue Windows is safer than Linux in the hands of idiots (note that the opposite isn't true either, both are equally vulnerable if misconfigured) - rather, a properly-configured Windows machine can be just as secure as a properly-configured Linux machine (plus IMHO it's far easier to properly configure a Windows machine with a good GUI).
as much as i want to disagree with aidanjt, it has to be said, the average linux box is more secure than the average windows box. This is due to the level of competence of the average user of each. It's like most OSX boxes can be easily exploited
But even on my Acorn system (the core part of the OS of which is stored in ROM) i have a virus scanner. Trying to keep on topic.
Right.. let me get this straight, you're coming up with this wildly exaggerated post on the basis that your old old old old box was at one time compromised because you used an unpatched SSH daemon that existed in the time of Linux 2.2... and you're blaming the system instead of yourself?.. right.
I'm using linux 2.6 on both my server and my desktop machines, I've looked at my server system logs to see no end of a barrage of windows based worms attempting to breach my system, in fact, i have to echo "" > the logs once a week because if i don't the endless information contained within makes my hard drives spasm when i grep them.
Neither Linux nor BSD opens listening ports, saying one is more secure than the other is retarded..
I didn't say Linux didn't have any viruses, we said there's 'very little' of them, and none of them can do any damage these days as all software has been patched to tie up the loose ends.
RPC isn't the only vulnerable windows service, IIS, and MSSQL, both suffer from weak buffers that can allow worms to control the entire system, look at how the Blaster worm crippled internet backbones when it triggered. Have you heard of any Linux/MySQL machines doing that?
btw.. X.org runs on FreeBSD and GNU/Linux, with its session manager (sockets only, no TCP) running as root which then spawns another process for the user it logs in, how is that insecure?.. OpenSSH operates the same way.
As on the Linux kernel, if you look in menuconfig you'll clearly see 'pre-emptive kernel' stated, its process management is solid, you can kill any process you want and the system continues working fine.. try killing certain services on windows (assuming task manager/service control allows you to kill it at all), and watch your system crash and burn. How's that for 'stronger process management'? I'm beginning to wonder whether you mean Linux 1.2 as opposed to today's 2.6.12
Sure... you can slide the 'Security' settings in I.E. way up, but then you can't view half the websites you browse, handy.
Microsoft releasing 30 patches a week to catch up with the 10,000 odd known bugs in their software (and that bug list grows daily) doesn't mean your system will be secure. At that rate of patching it will take Microsoft about 9 years to patch the bugs known today. They'll have another 2 or 3 'major' operating systems released by that point.
With that number of 'bugs' in your software it's a clear indicator that you should scrap it and start over again with people who know how to write software.
Sure, no system is 100% secure (unless you disconnect the network cable and HIDs), but throwing more money on an inherently insecure system is about as good as throwing it on a bonfire.. Linux powers my netgear router which has stateful packet inspection, as well as firewall rules.. it seems the experts know what Linux is good for, we must all be stupid then.
seanbee.. as for your apache2/iis6 comparison, i wouldn't know, I use Apache 1.3.33 since Apache 2.0's threading modules aren't fully developed... however the difference is.. if you exploit Apache, only your 'nobody' or 'apache' user accounts are affected.. i.e. the exploit cannot touch anything other than your website files (assuming you were stupid enough to give apache write access to your website).. if an IIS system is compromised the entire system is open for abuse.
I think u missed the point, i am blaming SSHv1 for needing constant patching as being insecure. The same way you're blaming RPC for needing patching. I'm not going to continue talking with you in this thread which i'd be taking way off topic.
I dislike people who have double standards and aren't honest about them.
SSHv1 is a protocol, not a daemon, OpenSSH is a very secure implementation of SSHv1 and SSHv2, it doesn't protect against brute force cracking attacks.. but a strong password will fare a much better chance. I *am* being honest.. the stack of bugs and sloppy buffer code in windows is gigantic compared to the fewer and rapidly repaired bugs that are present on POSIX systems.
And while we're on it... do you *NEED* sshd either a) installed on your system, or b) running even if it is installed... the answer is.. no, you don't, to both.
Do you *NEED* RPC installed and running on Windows.. why yes, you do.
okay, my personal server, was at that time an old box i'd scavenged in a mate's rack i wasn't paying for, using a few gb a month @ 99th percentile i wasn't paying for.
The point is i didn't really touch it. I didn't want to have to touch it. I don't want to have to patch it, i want to be able to let a package management do all of it. Same goes with my windows security. Problem is, bugs were coming out too fast, and "proof of concept" exploit scripts allow even goose stepping morons to take the box over if i've not patched it.
Take Apache2, it's terrible compared to IIS6 (previous version of IIS were awful too though). Apache2, 3 months ago now, i'm having a coffee with a mate, mobile goes off, one of the boxes has been compromised. He'd patched it with the patch on friday, but it was now sunday. Honestly, that's not secure.
When I see someone say linux versus windows, i immediately think embedded NT, or NT with nothing on it. Because linux is just the kernel. If you say a distro like debian, then turns out u need less patches for windows than that token 2.2.god-knows-how-many-patches debian potato distro box needs.
If you want to talk kernel security, then please, that's one of my interests, i will lecture you at great depths about how the thunking layer in linux is totally inappropriate. NT is a much better kernel (which i'm assuming you know) the only fault is some reliance on DCOM. But as most people use X which has not only the security compromise, but also performance for sake of distributability which 90+% of people don't use. Damnit i'm ranting. But BSD is a much better kernel than linux security wise, but linux will be faster if it's just one process.
the point, you can't say that the SSHd i was running happily in the protocol 1 days needing patching more than once a week is my fault, unless you say the windows box that caught blaster is that person's fault. (also i'm guessing u mean slammer for the SQL worm?) But if all you can fault the average joe user's windows security on is ONE rpc exploit in the history of since 4.0 That's amazing!
The number of bugs on a Server 2003 machine is tiny, and it's so damn easy to keep it safe with windows update (granted some good distros make it easy too, but the problem is you don't know when each 'project' will release their patches, this is the big security issue, i can't afford to say well i might have to update the server tomorrow, i can however say every tuesday night.)
Obviously you didn't read a word I said.
By the way, how do you know the NT5.2 kernel is better than Linux 2.6.12?.. Have you read the source code for the NT kernel?.. Since you're not a Microsoft employee (and if you were your arguments would become defunct as it would be totally biased) I doubt it.. So either you're blindly going with the opinion of Microsoft or you're trolling.
Apache 2.0 is just that, 2.0, i.e. it's had a major rewrite with no minor updates added yet, so if you want to use 'bleeding edge' i.e. generally untested software in a production environment then you're stupid.. Apache 1.3 is still being maintained and is for the moment, more stable and secure. The only time you should use young software is if it has features that you absolutely and positively must have use of.
i'm confused on this one. you say you were exploited because your patch cycle wasn't frequent enough, yet you rely on a monthly patch set from microsoft? are bugs in windows only discovered the day before the scheduled patches appear? i was under the impression most publicised windows security vulnerabilities are denied by microsoft until a patch is already written for the next monthly set, at which point how is this a more secure option?
Of course, Microsoft's means of security is via obscurity, the RPC exploit existed from NT4.0 all the way up to WinXP, how else could such a major exploit exist so long?.. It's well known that Microsoft cites security researchers as 'irresponsible' for releasing exploit discoveries into the public domain.
In fact, the only thing Microsoft can do right is propaganda, see how they make us reason that it's only our fault for security problems because we don't have a Virus scanner, ad/malware scanner, and a firewall installed on each and every machine to protect ourselves from their sloppy coding?.. Enterprise networks need to block all incoming and outgoing connections to client machines in order to filter traffic through proxy servers, incoming and outgoing mail needs to be scanned for viruses and spam.
Another thing Microsoft is great at is standards, not aiding the development of standards mind you, but inventing their own, trying to push them in standards committees on royalty basis, and breaking existing standards.. take a look at Active Directory, mostly based on various open source components but hacked up to make them a 'unified' Microsoft standard.. and it seems that Microsoft is trying to squeeze out OpenGL now..
Can we keep this on topic please?
I think the key factor is that *any* system, if poorly configured and designed, can be a security risk.
Thinking of the larger picture is the key here.
A well configured and hardened system should be able to prevent attack in spite of a few unknowns. In my book that's more of a feature of the underlying infrastructure, rather than the OS the server runs on.
eg. Wireless AP is compromised
so what? It's on a quarantined segment of the LAN, unless you can then crack the IPSEC tunnel then you won't have much luck seeing the rest of the network.
I wouldn't ever deploy a software box on the edge of my network, that's a job for some form of hardened OS (be it an embedded linux or IOS)
so - let's keep it to discussion about AV, not about "my Operating system's dad is bigger than your operating system's dad"
my Virtualisation Blog http://jfvi.co.uk Virtualisation Podcast http://vsoup.net