
Thread: Security enhanced Linux distributions.

  1. #1
    Antionline's Security Dude instronics's Avatar
    Join Date
    Dec 2002
    Posts
    901

    Security enhanced Linux distributions.

    Hi all, I was surfing the net looking out for different Linux distributions that are security enhanced and have found a few that seem to be interesting. Has anyone here used one of these distributions, and if so are you happy with them? I use one of them as a firewall (Devil-Linux) which so far is really great. Have a look for yourself on all the distros.


    White Glove Linux
    Developer: Fred Cohen & Associates

    When you boot your computer from the White Glove CD, it instantly becomes a Linux powerhouse. It comes complete with firewall software, drivers for most Ethernet cards and Disks, a wide range of networking and other amazing tools, and even complete and secure web and DNS servers. It includes an on-CD manual and tutorial, menu-based services from the X11 graphical user interface, and a set of tools that meet or exceed those you are used to today. It's easy to use, easily fits in your shirt pocket, fast to boot and run, reliable, secure, and inexpensive.

    Website: http://all.net/WG/index.html



    Trustix/Merdeka Linux
    Developer: Trustix Asia

    Trustix Merdeka is a Linux distribution which emphasizes the desktop and security. The main idea is to provide a desktop Linux distribution which is secure out of the box as well as easy to install. This distribution includes a minimum number of packages, though what are considered the best ones, as well as multi-language support.

    Website: http://www.trustix.com/



    Trustix Secure Linux
    Developer: Trustix AS

    Trustix Secure Linux is a project to make a hardened Linux distribution for servers. It features OpenSSL, OpenSSH, Apache w/SSL&PHP, Postfix, POP3 and IMAP with SSL support, ProFTP, and ftpd-BSD.

    Website: http://www.trustix.net/



    Security-Enhanced Linux
    Developer: NSA and University of Utah

    Secure Linux distribution developed by the U.S. government's National Security Agency and Secure Computing Corporation with the contributions of the University of Utah.

    Website: http://www.nsa.gov/selinux/



    LinuxROM (aka PizzaBox distro)
    Developer: KYZO

    Using KYZO's unique LinuxROM distribution, a PizzaBox Server boots and runs entirely from a bootable Flash ROM, giving the server system security, reliability and ease of use not available from hard disk based operating systems.

    Website: http://www.kyzo.com/



    KRUD (Kevin's RedHat Über Distribution)
    Developer: Tummy.com Ltd.

    This distribution is based on Red Hat and emphasizes security. Kevin Fenzi, co-author of the Linux Security HOW-TO is the creator.

    Website: http://www.tummy.com/krud/



    Kaladix Linux
    Developer: Kaladis

    Kaladix Linux is billed as a "hyper-secure" system. Here, security is the focus. The distribution contains only what the developers consider the most secure packages.



    Fli4L
    Developer: Frank Meyer

    Fli4l is a single floppy Linux-based ISDN, DSL and Ethernet-Router. It is designed to convert old computers (486's) into productive network machines.

    Website: http://www.fli4l.de/english/e_fli4l.htm



    EnGarde Secure Linux
    Developer: Guardian Digital Inc.

    EnGarde is a secure distribution of Linux that implements advanced security techniques. It can be used as a web, DNS, mail, database, e-commerce, and general Internet server.

    Website: http://www.guardiandigital.com/products/software/trial/



    Devil-Linux
    Developer: Heiko Zuerker

    Devil-Linux is a mini distribution especially designed for a firewall and promises easy customization. Devil-Linux boots from CD so there is no need for a hard disk. It supports Intel 486 and higher processors and uses the latest Linux kernel.

    Website: http://www.devil-linux.org/

    (That's the one I use and really like.)



    If you come across any other security enhanced distributions, let me know (only maintained distros please).

    Cheers.
    Ubuntu-: Means in African : "Im too dumb to use Slackware"

  2. #2
    Junior Member
    Join Date
    Sep 2002
    Posts
    14
    Good post man, my brother-in-law has a crappy old 366 MHz eMachine that he wants me to turn into a firewall for him. That Devil-Linux looks like it might just do the job.

  3. #3
    Senior Member
    Join Date
    Aug 2002
    Posts
    651
    Ok, I possibly have a stupid question for you. Do these (or at least the ones you have tried) have any kind of update agent for automatically detecting updates to packages? I am just wondering since I currently use RH 8, and it, of course, includes the RH update agent that connects to the RH Network to pick up updates for the different packages that are installed. I plan to install a few of these flavors to test them out, but right now, I do not have the resources to do so. I was just curious. Although it's great to be able to get a copy of a more secure Linux OS, I think there is an inherent value in knowing how to get a less secure OS to that point. This is just my honest opinion. I am in no way knocking this post. As a matter of fact, I think this is a great post! Thanks for the resource, instronics.


    Cheers,

    t2k2
    Opinions are like holes - everybody's got'em.


  4. #4
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    "Crappy"? A 366 is more than enough to run BSD or Linux and actually use it. lol anyway man, it's cool he's gonna have a machine as a firewall, I've never had this option really but it would be nice.

  5. #5
    Senior Member
    Join Date
    Oct 2002
    Posts
    314
    OpenBSD is always a good bet for a cheap firewall solution, no frilly extras either.

    Good coverage of the Linux Distros.
    Quis custodiet ipsos custodes

  6. #6
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    Oh yeah, OpenBSD is like....WOW

    http://www.openbsd.org

    Check that out man, OpenBSD is probably one of the most secure OSs ever released, very cool, and they do code checks on it, they go through every bit of code and make sure there's no holes, I can't imagine how long something like this would take but they do it all the time.

  7. #7
    Senior Member
    Join Date
    Nov 2001
    Posts
    742
    I wrote a long time ago a small guide to firewalls "Firewall Tutorial (The Real Basics)".

    It covers:

    1. Personal Firewalls for Windows:
    2. Commercial firewalls:
    3. *nix "free" firewalls:
    4. Floppy distributions:
    5. Secure and dedicated distributions:
    6. Security hardening tools and add-ons for *nix:
    7. Free online audit and penetrate testing tools:
    8. Tools for audit, monitoring, analyzing and penetrate testing:
    9. FAQ (firewall questions and answers):
    Firewall and other network security references on the Internet.

    The 'tutorial' can be found here or somewhere in the tutorials forum for those interested. The document has not been updated since I wrote it the first time, it may contain dead links and/or old information.

    Another interesting and free live-CD firewall (based on FreeBSD) is NetBoz, I have not tried it yet but will do it as soon as I can find some more time.

    ~micael

  8. #8
    Antionline's Security Dude instronics's Avatar
    Join Date
    Dec 2002
    Posts
    901
    t2k2 :

    Devil-Linux does not have an auto update with it. Even if it did, it would not work for me, since I have "bridged" my 2 ethernet cards. That means that none of the 2 cards have an IP number. You cannot connect to or from the firewall. It just filters packets that go through. So it cannot auto-update. Since no connection is possible to the firewall and since it runs off a live CD, and I have no other services running on it, I have no need for updates except the routing, or the brctl, if it is needed, and that I will do manually. I don't like the idea of auto-updates on a Linux security firewall, since it "could" be tricked into auto-downloading malicious code. Second, and most important of all.....we are talking about a security product....which means I would not trust any automated system changes when it comes to security. That is the admin's job to make sure that everything works fine. I recommend that you take care of all security related updates yourself. Always. Now I know that Red Hat, just like SuSE and a few other distros, have these auto-update agents, which is ok for a few things, but nothing security related. (Imagine someone "hacks" your agent, and configures it to auto download and install malicious code from the hacker's own server. When getting updates on security applications, make sure that you use the RSA keys from the server that is offering you the updates to make sure that the files are original.)

    Good luck.
    Ubuntu-: Means in African : "Im too dumb to use Slackware"

  9. #9
    Junior Member
    Join Date
    Sep 2002
    Posts
    13
    I'm going to pass from windoze98 to Linux Mandrake 9.0, any tools, security patches I should know about?

  10. #10
    Antionline's Security Dude instronics's Avatar
    Join Date
    Dec 2002
    Posts
    901
    spike054, yes, there are many. I recommend you browse AO's earlier posts on securing computers and Linux security. There are tons of threads regarding your question. Good sources are always Google, AntiOnline, linux.org.

    Try the search feature on AntiOnline's main page, you will be surprised at what you will find.

    Good luck spike054.
    Ubuntu-: Means in African : "Im too dumb to use Slackware"
