Solved

Simple Question about Red Hat security

Posted on 2003-10-27
13
342 Views
Last Modified: 2010-04-22
Hi

I never touch a red hat before but would like to know if using Red Hat O/S to run as a platform for webhosting.

how good is the security is ?  

i heard it will easily break in by hackers but since thousand people using it as well out there for hosting biz.

Anyone can clarify this ?

thanks
0
Comment
Question by:kunglao
13 Comments
 
LVL 12

Accepted Solution

by:
paullamhkg earned 20 total points
ID: 9632012
Well personal idea, no matter what OS you are using, there will be a chance hack by the hackers, the only concern is how to secure your network and servers.

Someone like to use the hardware firewall like check points, someone like to use the linux box as firewall, so firewall will be the 1st gate to protect your network.

each OS nowaday have it's own security method, M$ Win2K or WinXP or Win2k3 have the security setting you can use. where as linux box also have ipchain or iptables to setup the rules etc...

And yes, lots of webhosting company using linux as the platform, and some use the freeBSD, some use linux, some mixed linux + freeBSD + Unix.

eg. http://www.webhosting.net/21.html, http://www.webhosting.com/pages/dedicated/os.shtml

Hope this info can help :)
0
 
LVL 6

Assisted Solution

by:mbarbos
mbarbos earned 20 total points
ID: 9632667
Easy to break in - that sounds like a M$ line.
No, a well secured linux server is actually very hard to break in. NetBSD is supposed to be even harder. Linux / Unix is a lot safer than windoze anyway, no matter what M$ sais.

IMHO you should first create a quite secure server and after that setup a firewall. A firewall is just a simple filter, it cannot make an unsecure server more secure, it just restricts a little bit what an attacker can do.

So, yes RedHat would be a good choice for your web server, a lot better than windoze with IIS.
0
 
LVL 2

Assisted Solution

by:jetnet
jetnet earned 20 total points
ID: 9635538
Any OS is insecure, if you set it up wrong.  If I setup NetBSD with old versions of Samba, Sendmail, SSH, you name it, it can be exploited.  Some versions of *NIX systems take a stronger stance at security, but when it comes down to it, it ALL depends on how well the admin sets the computer up.

I have run RedHat on 40+ servers for an ISP for 3+ years.  We have had 1 known breakin, and that was due to neglagence of the admin that set the computer up.  After that one problem, we have not had a single known problem.  You have to know how to set the system up, and you have to know what to put on there, and what not to put on there.  If you do not need a service, DO NOT RUN IT.  Its that simple.  And most the time, you only get to know this stuff by trial and error, or by reading and asking questions.

Personally kunglao, if you want a very secure system for your company, *NIX is a VERY secure platform.  Have faith in *NIX systems, just dont be ignorant of what what can happen with your systems.  RedHat can be just as secure as any other flavor of OS out there.  Just play around with it.  

If your looking for INSANE security, look into selinux.  But expect hours and hours and HOURS of getting everything setup.  But once its done, you can basically give the root password out, and no one is going to be able to do anything to it.
0
 
LVL 1

Assisted Solution

by:ajenkins
ajenkins earned 20 total points
ID: 9717615
Once it's done, nobody is going to be able to do anything on it?  Talk about worse than useless advice.  No networked system is ever totally secure.  Unix got more secure several years ago (Role Based Access Control, proper ACLs), and Linux is now getting there.  mbarbos is misinformed.  Windows NT was certified as secure by the US Government at a time when Linux and most flavours of Unix were not, and Windows 2000 server etc. is still easier to secure than most Linux distributions.  RedHat is the most hacked platform, last I heard.  If you think your system hasn't been broken into, chances are it has.  The hacker has probably installed replacement binaries or you are too stupid to see they've changed the password on an inactive account and started using that.

If you even have to ask a question like this, the answer is not to host your own website.  Get someone who is knowledgeable about web hosting and network security to do it for you.  They can have your web server sitting behind a properly configured stateful firewall, with a rule set so that only you can change your web pages, and most likely they can also do such things as traffic shaping, optimal routes, etc. too.  

If you really must host your site on your own Red Hat box, run all the security updates the vendor has available, and keep Apache etc current.  Use netstat -l to see what ports you have "listening".  You really shouldn't need much besides port 80 for your Web server (and 443 if you're hosting secure pages) and maybe 53 for DNS depending on how you're doing DNS resolution.  Make sure you have remote root logins disabled, and things like root logins for X disabled.  If you want to be able to update it remotely, enable port 22 and use scp/ssh to login and transfer files.  You can use su/sudo to do root-level operations. Then run something like Lokkit to help you set rules for iptables, and deny/ignore all ports but the ones you left open.  Even if you do all that, you'll probably still get owned, so make sure you make backups and keep your eye open for suspicious activity on your system.  Argh that was like explaining how to write your name holding a biro with your toes.  Silly question, silly answers, why?  
0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 
LVL 2

Expert Comment

by:jetnet
ID: 9717880
Yeah, before you go off and make comments like that, why dont you check out SE Linux real fast.  Thats how they test the box out.  They set it up, then give out the root password, and see if anyone can break it. http://www.nsa.gov/selinux/  But thanks for the ever so confident comments.
0
 
LVL 22

Assisted Solution

by:pjedmond
pjedmond earned 20 total points
ID: 9718583
Red Hat is a mainstream version of Linux. As a result:

1.    There are more installations of Red Hat out there than most other Linux variants.
2.    There are more installations to hack.
3.    There are more successful hacks as much of the code is the same as many other Linux Variants.
4.    There are more publically hacked systems.
5.    Vulnerabilities are better publicised.
6.    Patches to solve vulnerabilities are more widely available.

....therefore shouldn't Red Hat be the most secure solution for webhosting available?

Answer is no....because:

1.    Most sysadmins don't keep security patches up to date because they have pressure on them to solve more high profile problems.
2.    Most people do not initially secure their server properly.
3.    Most people do not have sufficient time to check logs for probing attacks.
4.    Remember that the hacker has to be lucky once, and the sysadmin always!

Therefore, unless you have time to deal with and understand the becauses, then get someone else to host your system. If you do keep your system up2date (:)) and take the time to secure it properly, then RedHat systems can be as good as (if not better than) any of the alternatives as a wwebhosting solution.
0
 
LVL 22

Expert Comment

by:pjedmond
ID: 11716630
I think that mbarbos, jetnet, ajenkins and myself have all put in valuable input to what is actually a very vague question. Overall, I think we all agree that most Redhat Linux can be made as secure as is likely to be necesary for the asker of the question. It just depends on the amount of care taken.

Overall, I think the points ought to be split. (all 30 of them - hehehehe)
0
 
LVL 20

Expert Comment

by:Venabili
ID: 11942647
We cannot split the points. We need at least 20 per expert  So in such cases the points go to the first correct answer ...
0

Featured Post

Get up to 2TB FREE CLOUD per backup license!

An exclusive Black Friday offer just for Expert Exchange audience! Buy any of our top-rated backup solutions & get up to 2TB free cloud per system! Perform local & cloud backup in the same step, and restore instantly—anytime, anywhere. Grab this deal now before it disappears!

Join & Write a Comment

​Being a Managed Services Provider (MSP) has presented you  with challenges in the past— and by meeting those challenges you’ve reaped the rewards of success.  In 2014, challenges and rewards remain; but as the Internet and business environment evol…
BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now