Debian GNU/Linux vs OpenBSD in terms of Security

New to Debian (Or Linux in general)? Ask your questions here!
/tmp
Posts: 426
Joined: 2011-12-31 08:39
Location: GNU Userlands
Has thanked: 1 time
Been thanked: 3 times

Debian GNU/Linux vs OpenBSD in terms of Security

#1 Post by /tmp »

I have read on OpenBSD's website about that project's security and cryptography. However, I have not found a wealth of information benchmarking OpenBSD with Debian GNU/Linux regarding security and cryptography. I absolutely love the latter of the two but I am in need of an OS for pen-testing and I'm not sure which to go with.

In your professional experience(s), how would you compare the two?
Bookworm | Intel I7-3667U | Apple Macbook Air 5,2 (Mid 2012) (Laptop) | 8 GB RAM | 3rd Gen Intel Core Graphics

craigevil
Posts: 5391
Joined: 2006-09-17 03:17
Location: heaven
Has thanked: 28 times
Been thanked: 39 times

Re: Debian GNU/Linux vs OpenBSD in terms of Security

#2 Post by craigevil »

use one of the pentesting isos from
ISOs : http://www.expect-us.net/iso.html
Raspberry PI 400 Distro: Raspberry Pi OS Base: Debian Sid Kernel: 5.15.69-v8+ aarch64 DE: MATE Ram 4GB
Debian - "If you can't apt install something, it isn't useful or doesn't exist"
My Giant Sources.list

/tmp
Posts: 426
Joined: 2011-12-31 08:39
Location: GNU Userlands
Has thanked: 1 time
Been thanked: 3 times

Re: Debian GNU/Linux vs OpenBSD in terms of Security

#3 Post by /tmp »

craigevil wrote: use one of the pentesting isos from
ISOs : http://www.expect-us.net/iso.html
Most of those listed were based off of Ubuntu. Plus the "tools" selection comes across as script-kiddy malarkey.

How well does Debian GNU/Linux fare in terms of packet filtering? Are the cryptographic features for Debian GNU/Linux equal to, better or worse than *BSD-based options?

Edit: I have found some opinions circa 2003 from a mailing list. Does anyone have any more modern comparisons?
Bookworm | Intel I7-3667U | Apple Macbook Air 5,2 (Mid 2012) (Laptop) | 8 GB RAM | 3rd Gen Intel Core Graphics

craigevil
Posts: 5391
Joined: 2006-09-17 03:17
Location: heaven
Has thanked: 28 times
Been thanked: 39 times

Re: Debian GNU/Linux vs OpenBSD in terms of Security

#4 Post by craigevil »

Backtrack is a widely accepted pentesting distro.

I don't really think iptables in BSD would work any differently than iptables in Linux.
Raspberry PI 400 Distro: Raspberry Pi OS Base: Debian Sid Kernel: 5.15.69-v8+ aarch64 DE: MATE Ram 4GB
Debian - "If you can't apt install something, it isn't useful or doesn't exist"
My Giant Sources.list

p00d73
Posts: 32
Joined: 2012-05-19 15:06
Location: Belgium

Re: Debian GNU/Linux vs OpenBSD in terms of Security

#5 Post by p00d73 »

Yup, use Backtrack, there aren't many more other pen-test distros still alive (Knoppix STD was awesome, but too outdated now).
I wouldn't download any of those OS from that link though, get it from the official site http://www.backtrack-linux.org/
Anonymous OS was infested with spyware, wouldn't surprise me if these were too.

EDIT: more on topic: you'll have a hard time finding any Linux distribution/community equally paranoid as the OpenBSD one.
Debian sid AMD64 + Xfce *** Linux Mint 13 AMD64 + Cinnamon *** Debian Wheezy ARM + Enlightenment *** Ångström ARM + Xfce

/tmp
Posts: 426
Joined: 2011-12-31 08:39
Location: GNU Userlands
Has thanked: 1 time
Been thanked: 3 times

Re: Debian GNU/Linux vs OpenBSD in terms of Security

#6 Post by /tmp »

p00d73 wrote: Yup, use Backtrack, there aren't many more other pen-test distros still alive (Knoppix STD was awesome, but too outdated now).
I wouldn't download any of those OS from that link though, get it from the official site http://www.backtrack-linux.org/
Anonymous OS was infested with spyware, wouldn't surprise me if these were too.

EDIT: more on topic: you'll have a hard time finding any Linux distribution/community equally paranoid as the OpenBSD one.
craigevil wrote: Backtrack is a widely accepted pentesting distro.
No worries then. On the original link, it said it was based off of Ubuntu and I instantly tuned out; checked out the project's page and it correctly stated Debian GNU/Linux.

So, in terms of pen-testing I will go with Backtrack. How well does an encrypted Debian GNU/Linux box hold up against a hyper-paranoid box from OpenBSD? In addition to aggressive pen-testing, I'm exploring the defensive side of the fence.
Bookworm | Intel I7-3667U | Apple Macbook Air 5,2 (Mid 2012) (Laptop) | 8 GB RAM | 3rd Gen Intel Core Graphics

nadir
Posts: 5961
Joined: 2009-10-05 22:06
Location: away

Re: Debian GNU/Linux vs OpenBSD in terms of Security

#7 Post by nadir »

/tmp wrote: I'm exploring the defensive side of the fence.
The output of tiger is rather elaborative. In case you don't know it. Not sure about harden (I think it was above me. Not saying that tiger is not above me...). To me the output of rkhunter looks rather short (hence that is what I use... feeling safe without understanding no nothing).
Oh, and if you are in the need for more, here is a rather long list of tools:
http://forums.debian.net/viewtopic.php? ... 40#p423119

On another note there is another interesting distro (based on Fedora):
http://www.networksecuritytoolkit.org/nst/index.html

To me, a noob, it looks like security would depend on loads of things:
If I use Debian, not so secure, but I understand it, instead of OpenBSD, more secure, but I don't understand it, then for me, here and now, it is better to use Debian.

All that is heavy stuff.

I like your sig. I really do. A great mind has gone from here.
"I am not fine with it, so there is nothing for me to do but stand aside." M.D.

richard1558
Posts: 79
Joined: 2011-12-11 14:47

Re: Debian GNU/Linux vs OpenBSD in terms of Security

#8 Post by richard1558 »

In my Opinion, the Security of the System is heavily dependent on the User/Administrator, and not the System per se.

Even Microsoft Products can be secure, provided the User is knowledgeable of his System and general Security.

Sure, there are now and then System exploits that can be used, but in the end, it mainly boils down to the User.

A "Mainstream" Cracker relies mainly on the stupidity and ignorance of the User, not the exploits of the System.
If you think about it, it requires less skill to deceive a User than to find a flaw in the System.
... and as we know, it is in most cases, wise to just take the easy path (less effort/time/skill needed).

A few common User Errors:

MySQL Injection.
The System itself may be secure, but if you program your Site, without security in mind, then sooner or later someone will get access to your Databases, or even worse, to your entire system if the Database is running as root.

... another is Cross-Site scripting.
If you allow users of your site to upload/post content, then you must consider that they could inject a script/html/other nasty stuff into your Site.
Like this:
<a href="http://www.somesite.com/">Somelink</a>
(which this Site is protected against, hence the code is escaped)

... another is SSI injection.

... http global variable exploits and other variable exploits.

... and there are many, many more...

Quite frankly, I would simply pick the System that I am most familiar with, as the Security of my System mainly relies on how I use and maintain it.

craigevil
Posts: 5391
Joined: 2006-09-17 03:17
Location: heaven
Has thanked: 28 times
Been thanked: 39 times

Re: Debian GNU/Linux vs OpenBSD in terms of Security

#9 Post by craigevil »

BackTrack is based on Ubuntu, it has been for several versions.

How paranoid do you want to be?

1) Encrypt the entire hard drive during the install process
2) Install ufw and set it to the default deny
3) Install and run Bastille, disable remote logins and root login
4) Disable any unneeded services/processes
5) Install and use the various security apps; Lynis, tiger, tripwire, samhain, snort, aide, psad
6) Disable Flash, Java, and cookies in your browser, using a whitelist to allow cookies on select sites
7) Properly set up any server applications, using passphrase for ssh
8) Keep applications updated, subscribe to the Debian security mailing-list
9) Stick with applications in the Debian repos

As for penetration testing a few useful links:
corsaire - penetration testing guide - http://www.penetration-testing.com/home.html
Penetration test - Wikipedia, the free encyclopedia - https://en.wikipedia.org/wiki/Penetration_test
BackTrack - http://www.backtrack-linux.org/
Setting up a penetration testing lab | Metasploit Project - http://www.metasploit.com/help/test-lab.jsp
Raspberry PI 400 Distro: Raspberry Pi OS Base: Debian Sid Kernel: 5.15.69-v8+ aarch64 DE: MATE Ram 4GB
Debian - "If you can't apt install something, it isn't useful or doesn't exist"
My Giant Sources.list
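
A check for the SSH part of the checklist above (items 3 and 7), as an added example that is not part of the original post: it reads sshd_config text and reports settings that still allow root or password logins. The sample configs and function names are constructed, and reading item 7 as key-only authentication is an assumption; `Include` files and `Match` blocks are not evaluated.

```python
# Defaults sshd applies when a keyword is absent (OpenSSH 7.0 and later).
DEFAULTS = {"permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes"}
# Values this audit accepts (assumed policy: no root login, keys only).
WANTED = {"permitrootlogin": {"no"},
          "passwordauthentication": {"no"}}

def effective_settings(config_text):
    """Global settings as sshd reads them: keywords are case-insensitive
    and the first value obtained for a keyword is the one used."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        if keyword == "match":
            break  # everything after a Match line is conditional
        if len(parts) == 2 and keyword not in seen:
            seen[keyword] = parts[1].strip()
    return {k: seen.get(k, default) for k, default in DEFAULTS.items()}

def audit(config_text):
    """Return (keyword, effective value) pairs that fail the policy."""
    eff = effective_settings(config_text)
    return [(k, v) for k, v in sorted(eff.items()) if v not in WANTED[k]]

# Constructed sample: "PermitRootLogin no" was appended at the end, but an
# earlier line already set the keyword, so sshd keeps "yes".
SAMPLE_WEAK = """\
# constructed sshd_config fragment
Port 22
PermitRootLogin yes
PubkeyAuthentication yes
PermitRootLogin no
"""
# Constructed sample that satisfies the assumed policy.
SAMPLE_HARDENED = """\
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""

if __name__ == "__main__":
    print("weak    :", audit(SAMPLE_WEAK))
    print("hardened:", audit(SAMPLE_HARDENED))
```

On a running system, `sshd -T` prints the effective configuration after includes and defaults are applied, which is the authoritative input for a check like this.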

/tmp
Posts: 426
Joined: 2011-12-31 08:39
Location: GNU Userlands
Has thanked: 1 time
Been thanked: 3 times

Re: Debian GNU/Linux vs OpenBSD in terms of Security

#10 Post by /tmp »

craigevil wrote: How paranoid do you want to be?
Full paranoid. :D
craigevil wrote: 1) Encrypt the entire hard drive during the install process
2) Install ufw and set it to the default deny
3) Install and run Bastille, disable remote logins and root login
4) Disable any unneeded services/processes
5) Install and use the various security apps; Lynis, tiger, tripwire, samhain, snort, aide, psad
6) Disable Flash, Java, and cookies in your browser, using a whitelist to allow cookies on select sites
7) Properly set up any server applications, using passphrase for ssh
8) Keep applications updated, subscribe to the Debian security mailing-list
9) Stick with applications in the Debian repos
Thank you very much for this list :) I was definitely going to encrypt the entire hdd (I'm installing on another hdd and keeping my production version of Debian GNU/Linux running as-is). However, I have a question regarding encrypting my root partition. Will this prevent me from properly booting my system?
Bookworm | Intel I7-3667U | Apple Macbook Air 5,2 (Mid 2012) (Laptop) | 8 GB RAM | 3rd Gen Intel Core Graphics

p00d73
Posts: 32
Joined: 2012-05-19 15:06
Location: Belgium

Re: Debian GNU/Linux vs OpenBSD in terms of Security

#11 Post by p00d73 »

Full paranoid. :D
Consider running browsers and everything with a network connection on chroot environments, that might confuse exploiters.
Debian sid AMD64 + Xfce *** Linux Mint 13 AMD64 + Cinnamon *** Debian Wheezy ARM + Enlightenment *** Ångström ARM + Xfce

/tmp
Posts: 426
Joined: 2011-12-31 08:39
Location: GNU Userlands
Has thanked: 1 time
Been thanked: 3 times

Re: Debian GNU/Linux vs OpenBSD in terms of Security

#12 Post by /tmp »

p00d73 wrote:
Full paranoid. :D
Consider running browsers and everything with a network connection on chroot environments, that might confuse exploiters.
I'm going to have to read up on the man pages for this; I will be the first to admit that I'm no expert in these matters and I appreciate your advice :)
Bookworm | Intel I7-3667U | Apple Macbook Air 5,2 (Mid 2012) (Laptop) | 8 GB RAM | 3rd Gen Intel Core Graphics

craigevil
Posts: 5391
Joined: 2006-09-17 03:17
Location: heaven
Has thanked: 28 times
Been thanked: 39 times

Re: Debian GNU/Linux vs OpenBSD in terms of Security

#13 Post by craigevil »

I used lvm and encrypted the entire drive when I installed.

I only have /boot / and /swap.

$ df -h
Filesystem               Size  Used Avail Use% Mounted on
rootfs                    16G   12G  2.9G  81% /
udev                      10M     0   10M   0% /dev
tmpfs                    203M  364K  203M   1% /run
/dev/mapper/debian-root   16G   12G  2.9G  81% /
tmpfs                    5.0M     0  5.0M   0% /run/lock
tmpfs                    406M  4.0K  406M   1% /run/shm
/dev/sda1                228M   38M  178M  18% /boot
tmpfs                   1013M  2.4M 1011M   1% /tmp
Raspberry PI 400 Distro: Raspberry Pi OS Base: Debian Sid Kernel: 5.15.69-v8+ aarch64 DE: MATE Ram 4GB
Debian - "If you can't apt install something, it isn't useful or doesn't exist"
My Giant Sources.list
