Debian GNU/Linux vs OpenBSD in terms of Security


Postby /tmp » 2012-06-16 00:09

I have read on OpenBSD's website about that project's security and cryptography. However, I have not found a wealth of information benchmarking OpenBSD with Debian GNU/Linux regarding security and cryptography. I absolutely love the latter of the two but I am in need of an OS for pen-testing and I'm not sure which to go with.

In your professional experience(s), how would you compare the two?
Wheezy | Intel Xeon E5520 @ 2.27GHz | LGA 1366 Motherboard | 16 GB RAM | NVIDIA FX Quadro 580

"To check for updates, you must first install an update for Windows Update."
/tmp
 
Posts: 386
Joined: 2011-12-31 08:39
Location: GNU Userlands

Re: Debian GNU/Linux vs OpenBSD in terms of Security

Postby craigevil » 2012-06-16 00:23

use one of the pentesting isos from
ISOs : http://www.expect-us.net/iso.html
Debian Sid KDE Kernel 3.17 Thinkpad R40 Intel M 1.3 CPU 2GB RAM Radeon Mobility 7500
Debian - "If you can't apt-get something, it isn't useful or doesn't exist"
Debian upgrade script smxi | sysinfo script inxi
craigevil
 
Posts: 5172
Joined: 2006-09-17 03:17
Location: Oz

Re: Debian GNU/Linux vs OpenBSD in terms of Security

Postby /tmp » 2012-06-16 00:47

craigevil wrote: use one of the pentesting isos from
ISOs : http://www.expect-us.net/iso.html


Most of those listed were based off of Ubuntu. Plus the "tools" selection comes across as script-kiddy malarkey.

How well does Debian GNU/Linux fare in terms of packet filtering? Are the cryptographic features for Debian GNU/Linux equal to, better or worse than *BSD-based options?

Edit: I have found some opinions circa 2003 from a mailing list. Does anyone have any more modern comparisons?
/tmp
 
Posts: 386
Joined: 2011-12-31 08:39
Location: GNU Userlands

Re: Debian GNU/Linux vs OpenBSD in terms of Security

Postby craigevil » 2012-06-16 01:20

Backtrack is a widely accepted pentesting distro.

I don't really think iptables in BSD would work any differently than iptables in Linux.
craigevil
 
Posts: 5172
Joined: 2006-09-17 03:17
Location: Oz

Re: Debian GNU/Linux vs OpenBSD in terms of Security

Postby p00d73 » 2012-06-16 02:11

Yup, use Backtrack, there aren't many more other pen-test distros still alive (Knoppix STD was awesome, but too outdated now).
I wouldn't download any of those OS from that link though, get it from the official site http://www.backtrack-linux.org/
Anonymous OS was infested with spyware, wouldn't surprise me if these were too.

EDIT: more on topic: you'll have a hard time finding any Linux distribution/community equally paranoid as the OpenBSD one.
Debian sid AMD64 + Xfce *** Linux Mint 13 AMD64 + Cinnamon *** Debian Wheezy ARM + Enlightenment *** Ångström ARM + Xfce
p00d73
 
Posts: 32
Joined: 2012-05-19 15:06
Location: Belgium

Re: Debian GNU/Linux vs OpenBSD in terms of Security

Postby /tmp » 2012-06-17 06:32

p00d73 wrote: Yup, use Backtrack, there aren't many more other pen-test distros still alive (Knoppix STD was awesome, but too outdated now).
I wouldn't download any of those OS from that link though, get it from the official site http://www.backtrack-linux.org/
Anonymous OS was infested with spyware, wouldn't surprise me if these were too.

EDIT: more on topic: you'll have a hard time finding any Linux distribution/community equally paranoid as the OpenBSD one.
craigevil wrote: Backtrack is a widely accepted pentesting distro.


No worries then. On the original link, it said it was based off of Ubuntu and I instantly tuned out; checked out the project's page and it correctly stated Debian GNU/Linux.

So, in terms of pen-testing I will go with Backtrack. How well does an encrypted Debian GNU/Linux box hold up against a hyper-paranoid box from OpenBSD? In addition to aggressive pen-testing, I'm exploring the defensive side of the fence.
/tmp
 
Posts: 386
Joined: 2011-12-31 08:39
Location: GNU Userlands

Re: Debian GNU/Linux vs OpenBSD in terms of Security

Postby nadir » 2012-06-17 12:06

/tmp wrote: I'm exploring the defensive side of the fence.

The output of tiger is rather elaborative. In case you don't know it. Not sure about harden (I think it was above me. Not saying that tiger is not above me...). To me the output of rkhunter looks rather short (hence that is what I use... feeling safe without understanding no nothing).
Oh, and if you are in the need for more, here is a rather long list of tools:
viewtopic.php?f=20&t=76579&sid=01f56bea30975a8d68752279e0623b40#p423119

On another note there is another interesting distro (based on Fedora):
http://www.networksecuritytoolkit.org/nst/index.html

To me, a noob, it looks like security would depend on loads of things:
If I use Debian, not so secure, but I understand it, instead of OpenBSD, more secure, but I don't understand it, then for me, here and now, it is better to use Debian.

All that is heavy stuff.

I like your sig. I really do. A great mind has gone from here.
"I am not fine with it, so there is nothing for me to do but stand aside." M.D.
nadir
 
Posts: 5965
Joined: 2009-10-05 22:06
Location: away

Re: Debian GNU/Linux vs OpenBSD in terms of Security

Postby richard1558 » 2012-06-17 13:36

In my Opinion, the Security of the System is heavily dependent on the User/Administrator, and not the System per se.

Even Microsoft Products can be secure, provided the User is knowledgeable of his System and general Security.

Sure, there are now and then System exploits that can be used, but in the end, it mainly boils down to the User.

A "Mainstream" Cracker relies mainly on the stupidity and ignorance of the User, not the exploits of the System.
If you think about it, it requires less skill to deceive a User than to find a flaw in the System.
... and as we know, it is in most cases, wise to just take the easy path (less effort/time/skill needed).

A few common User Errors:

MySQL Injection.
The System itself may be secure, but if you program your Site, without security in mind, then sooner or later someone will get access to your Databases, or even worse, to your entire system if the Database is running as root.

... another is Cross-Site scripting.
If you allow users of your site to upload/post content, then you must consider that they could inject a script/html/other nasty stuff into your Site.
Like this:
<a href="http://www.somesite.com/">Somelink</a>
(which this Site is protected against, hence the code is escaped)

... another is SSI injection.

... http global variable exploits and other variable exploits.

... and there are many, many more...

Quite frankly, I would simply pick the System that I am most familiar with, as the Security of my System mainly relies on how I use and maintain it.
richard1558
 
Posts: 77
Joined: 2011-12-11 14:47

Re: Debian GNU/Linux vs OpenBSD in terms of Security

Postby craigevil » 2012-06-17 18:50

BackTrack is based on Ubuntu; it has been for several versions.

How paranoid do you want to be?

1) Encrypt the entire hard drive during the install process
2) Install ufw and set it to the default deny
3) Install and run Bastille, disable remote logins and root login
4) Disable any unneeded services/processes
5) Install and use the various security apps; Lynis, tiger, tripwire, samhain, snort, aide, psad
6) Disable Flash, Java, and cookies in your browser, using a whitelist to allow cookies on select sites
7) Properly set up any server applications, using passphrase for ssh
8) Keep applications updated, subscribe to the Debian security mailing-list
9) Stick with applications in the Debian repos

As for penetration testing a few useful links:
corsaire - penetration testing guide - http://www.penetration-testing.com/home.html
Penetration test - Wikipedia, the free encyclopedia - https://en.wikipedia.org/wiki/Penetration_test
BackTrack - http://www.backtrack-linux.org/
Setting up a penetration testing lab | Metasploit Project - http://www.metasploit.com/help/test-lab.jsp
craigevil
 
Posts: 5172
Joined: 2006-09-17 03:17
Location: Oz
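
A way to verify items 2, 3 and 7 of the list above after applying them, as an added example that is not part of craigevil's post. The function names and both sample files are constructed for illustration, and reading item 7 as "PasswordAuthentication no" (key-only logins) is an assumption.

```shell
#!/usr/bin/env bash
# Added example: audit items 2, 3 and 7 of the list above from saved output.
# File names and sample contents are constructed for illustration.

# Print the effective global value of an sshd_config keyword.
# sshd uses the first value it reads for a keyword, keywords are
# case-insensitive, and settings after a Match line are conditional.
sshd_effective() {  # usage: sshd_effective KEYWORD FILE
  awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    /^[ \t]*(#|$)/ { next }                          # comment or blank line
    tolower($1) == "match" { exit }                  # global section ends here
    tolower($1) == want { print tolower($2); exit }  # first value wins
  ' "$2"
}

# Print the default incoming policy from saved `ufw status verbose` output.
ufw_default_incoming() {  # usage: ufw_default_incoming FILE
  sed -n 's/^Default: \([a-z]*\) (incoming).*/\1/p' "$1"
}

# Report each deviation; the return status is the number of findings.
audit() {  # usage: audit SSHD_CONFIG UFW_STATUS
  findings=0
  v=$(sshd_effective PermitRootLogin "$1")
  [ "$v" = no ] || { echo "PermitRootLogin is '${v:-unset}', want 'no'"; findings=$((findings+1)); }
  v=$(sshd_effective PasswordAuthentication "$1")
  [ "$v" = no ] || { echo "PasswordAuthentication is '${v:-unset}', want 'no'"; findings=$((findings+1)); }
  v=$(ufw_default_incoming "$2")
  [ "$v" = deny ] || [ "$v" = reject ] || { echo "ufw incoming default is '${v:-unknown}', want 'deny'"; findings=$((findings+1)); }
  return "$findings"
}

# Constructed sample: the later "PermitRootLogin no" never takes effect.
sample_dir=$(mktemp -d)
cat > "$sample_dir/sshd_config" <<'EOF'
# constructed sample
permitrootlogin yes
PasswordAuthentication no
PermitRootLogin no
Match User backup
    PasswordAuthentication yes
EOF
cat > "$sample_dir/ufw_status" <<'EOF'
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
EOF
audit "$sample_dir/sshd_config" "$sample_dir/ufw_status" || echo "findings: $?"
```

On a live system the two inputs would be /etc/ssh/sshd_config and the saved output of `ufw status verbose`.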

Re: Debian GNU/Linux vs OpenBSD in terms of Security

Postby /tmp » 2012-06-17 23:13

craigevil wrote: How paranoid do you want to be?


Full paranoid. :D

craigevil wrote: 1) Encrypt the entire hard drive during the install process
2) Install ufw and set it to the default deny
3) Install and run Bastille, disable remote logins and root login
4) Disable any unneeded services/processes
5) Install and use the various security apps; Lynis, tiger, tripwire, samhain, snort, aide, psad
6) Disable Flash, Java, and cookies in your browser, using a whitelist to allow cookies on select sites
7) Properly set up any server applications, using passphrase for ssh
8) Keep applications updated, subscribe to the Debian security mailing-list
9) Stick with applications in the Debian repos


Thank you very much for this list :) I was definitely going to encrypt the entire hdd (I'm installing on another hdd and keeping my production version of Debian GNU/Linux running as-is). However, I have a question regarding encrypting my root partition. Will this prevent me from properly booting my system?
/tmp
 
Posts: 386
Joined: 2011-12-31 08:39
Location: GNU Userlands

Re: Debian GNU/Linux vs OpenBSD in terms of Security

Postby p00d73 » 2012-06-17 23:15

Full paranoid. :D


Consider running browsers and everything with a network connection in chroot environments, that might confuse exploiters.
p00d73
 
Posts: 32
Joined: 2012-05-19 15:06
Location: Belgium

Re: Debian GNU/Linux vs OpenBSD in terms of Security

Postby /tmp » 2012-06-17 23:23

p00d73 wrote:
Full paranoid. :D


Consider running browsers and everything with a network connection in chroot environments, that might confuse exploiters.


I'm going to have to read up on the man pages for this; I will be the first to admit that I'm no expert in these matters and I appreciate your advice :)
/tmp
 
Posts: 386
Joined: 2011-12-31 08:39
Location: GNU Userlands

Re: Debian GNU/Linux vs OpenBSD in terms of Security

Postby craigevil » 2012-06-18 01:11

I used lvm and encrypted the entire drive when I installed.

I only have /boot / and /swap.

Code:
$ df -h
Filesystem               Size  Used Avail Use% Mounted on
rootfs                    16G   12G  2.9G  81% /
udev                      10M     0   10M   0% /dev
tmpfs                    203M  364K  203M   1% /run
/dev/mapper/debian-root   16G   12G  2.9G  81% /
tmpfs                    5.0M     0  5.0M   0% /run/lock
tmpfs                    406M  4.0K  406M   1% /run/shm
/dev/sda1                228M   38M  178M  18% /boot
tmpfs                   1013M  2.4M 1011M   1% /tmp
craigevil
 
Posts: 5172
Joined: 2006-09-17 03:17
Location: Oz
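
The df output above shows / on a device-mapper volume and /boot on /dev/sda1, but not whether a dm-crypt layer sits under the volume. The following added example (not part of craigevil's post) checks that from lsblk output; the function names are hypothetical, and the sample, including sda5 as the encrypted partition, is constructed to mirror the layout in the post.

```shell
#!/usr/bin/env bash
# Added example: confirm from lsblk output that / and swap sit on a dm-crypt
# layer while /boot stays a plain partition. Device names are assumptions.

# Exit 0 if the device mounted at MOUNTPOINT has a "crypt" device among its
# ancestors, 1 if it has none, 2 if nothing is mounted there.
under_crypt() {  # usage: under_crypt MOUNTPOINT LSBLK_FILE
  awk -v mp="$1" '
    function field(key,   m) {            # value of key="..." on this line
      m = " " $0
      if (!sub(".* " key "=\"", "", m)) return ""
      sub("\".*", "", m)
      return m
    }
    { k = field("KNAME"); parent[k] = field("PKNAME"); type[k] = field("TYPE")
      if (field("MOUNTPOINT") == mp) start = k }
    END {
      if (start == "") exit 2
      for (k = start; k != ""; k = parent[k])   # walk up towards the disk
        if (type[k] == "crypt") exit 0
      exit 1
    }
  ' "$2"
}

check_layout() {  # usage: check_layout LSBLK_FILE
  boot=0
  under_crypt / "$1"        || { echo "/ has no dm-crypt layer beneath it"; return 1; }
  under_crypt '[SWAP]' "$1" || { echo "swap is missing or not encrypted"; return 1; }
  under_crypt /boot "$1"    || boot=$?
  [ "$boot" -eq 1 ] || { echo "/boot is not a separate plain partition"; return 1; }
  echo "/ and swap are under dm-crypt; /boot is plain"
}

# Constructed sample of: lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT
layout=$(mktemp)
cat > "$layout" <<'EOF'
KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot"
KNAME="sda5" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda5" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/"
KNAME="dm-2" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="[SWAP]"
EOF
check_layout "$layout"
```

With this layout the boot loader reads the kernel and initramfs from the plain /boot, and the initramfs asks for the passphrase before the root volume is mounted.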

