Gentoo Server Security ( How secure is it? )

[lamotte85]

I've used gentoo for some time now and I LOVE IT!... I am convinced it is the best distribution of linux. I personally am forced to use the ubuntu distribution where I work and have dealt with fedora core and suse. Now while I have experienced these distributions, I dont know in depth how the security of the system is. I was wondering how the security of a gentoo server would compare to the security of a SuSe server. I've read articles stating that SuSe is the BEST in security. Now I know gentoo is probably not used as much due to compiling everything but I seriously dont mind it, in fact I like it. Plus Portage ROX!...

But seriously. How does a Gentoo server standup versus any other distribution as far as Security goes? Gentoo-Hardened? Is it better than SuSe as far as local root exploits or remote exploits go? Also, I've also had experience with the BSD side of life. I've heard that it is the BEST distribution for setting up a router/firewall or any thing really security related. Is this true? Do the power users of Gentoo think that BSD is better and more "Well Built" than Gentoo?

I'm quite interested to see the responses to this Post.

I personally swear by Gentoo, but people where I work swear by Ubuntu and BSD. I'm hoping they're wrong.
_________________
- lamotte

[Mostly Mark]

It's pretty hard to talk about security without first talking about usage. A Windows 95 machine locked in a bank vault with no network connection is going to be A LOT more secure than an Suse box in my office talking to the internet 24 hours a day. Similarly, a Gentoo box with only a single local user serving files over vsftp from behind a firewall is PROBABLY less likely to be broken in to than an OpenBSD machine with 50 local user accounts. It all depends on context.

That being said, I can say that I've had very good results running Gentoo in production on mail, web, and database servers. We have three Gentoo boxes online, sitting behind a firewall in a DMZ with only a few local users. We run daily checks for unauthorized filesystem changes, use SNORT to keep an eye on network traffic, and always keep our packages up to date. So far so good -- I've seen no evidence of system compromise on any of our machines, and attack attempts are few and far between.

In most cases, I would tend to go with the systems that people have experience with. (Though I'd draw the line at NT/2000). Security conscious admins with plenty of FreeBSD experience are probably going to build more secure systems with FreeBSD than Gentoo. The opposite is also true.

Just my 2 cents...

best,
Mark
_________________
Mark Nye
MomentumMedia
Ithaca, NY

[Jake]

I'd like to add that for router/firewalls, all the BSDs support OpenBSD's PF, which many find vastly superior to IPTables on Linux. Quality documentation, more intuitive syntax, more features, and possibly better performance is why you see so many people running BSD firewalls.

[groovin]

assuming youre using a proper config'd firewall and allowing only access to those services you need, then gentoo will be as secure as the admin who keeps things updated with security fixes and implements containment/recovery plans for when your box gets pwn3d.

remember, gentoo is a meta-distro... gentoo is what you make of it. its highly flexible and customizable. so security wise, that can go in many different directions. you can have a gentoo install running everything hardened, virtualized, and chrooted, or you can have everything plain vanilla... its all up to the admin.

in any distro, suse, gentoo, fedora, centos,... whatever.. you have the tools to make a really secure system at your disposal... its all opensource... its just a question of whether your experienced/smart/persistant enough to secure it. you can argue,

but for what its worth, ive heard lots of praises by users of other distros of gentoo hardened. ive even heard some compare it to openbsd... which IMHO is pretty cool.

[lamotte85]

Thanks for your advice and opinions guys... much appreciated.
_________________
- lamotte