which linux?

[learning c]

ok so i have been trying to find an install of linux that I can recommend to friends to do the basics: internet, word processing, sound and cd burning in a secure fashion... i don't want to tell them hey get this version of linux and then 2 days later have them tell me their account is empty

so, apart from writing a secure linux kernel myself, is there an install that I can recommend to non serious computer users?

i looked at hardened gentoo, but i couldn't tell if the security page was serious or not

[sunburnt]

ok so i have been trying to find an install of linux that I can recommend to friends to do the basics: internet, word processing, sound and cd burning in a secure fashion... i don't want to tell them hey get this version of linux and then 2 days later have them tell me their account is empty

so, apart from writing a secure linux kernel myself, is there an install that I can recommend to non serious computer users?

i looked at hardened gentoo, but i couldn't tell if the security page was serious or not

There is no reason to go looking for a specifically "secure" form of Linux for desktop use. Honestly, any modern Linux distribution you install will be "secure." Ubuntu, Red Hat / Fedora, SUSE, etc are all very good desktop systems that can handle everything you listed above. They all ( I think ) provide easy tools to install and remove software as well as keep installed software up to date.

Hope this helps!

[LogicalVue]

I've tried a bunch over the years (Mandriva, RedHat, SuSe, PCLinux, Linspire) and I like Ubuntu the best.

-- Paul

[learning c]

well ubuntu and fedora were easy to install... arch and slack not so (so i didn't persist)

and with the default firewall settings with fedora it seems to put fedora in front of ubuntu from a security perspective at the moment (altho it seems like a strange distro)... any other suggestions?

is suse worth trying? what abt hardened debian?

[tr333]

I don't see why you're looking specifically for a "hardened" linux distro, unless you have important personal/corporate information that you think is likely to get stolen.

Any of the popular linux distros should be quite adequate for general use. Ubuntu comes with iptables unconfigured, so you can install a firewall quite easily if you think you need one.

[learning c]

ubuntu although it doesn't have everything had a pleasant vibe... the forums were great etc so it was well supported and seems like competition to vista although there must be better distros available... i just haven't tried them all and i am chewing through my bandwidth this month.

yes you can assume i have valuable data to protect hence the need for a hardened or secure version of linux.

i did find enguard but it has no desktop ... i also read about ipchains have you heard of it tr333?

[sunburnt]

ubuntu although it doesn't have everything had a pleasant vibe... the forums were great etc so it was well supported and seems like competition to vista although there must be better distros available... i just haven't tried them all and i am chewing through my bandwidth this month.

yes you can assume i have valuable data to protect hence the need for a hardened or secure version of linux.

i did find enguard but it has no desktop ... i also read about ipchains have you heard of it tr333?

These "hardened" distributions you keep mentioning are generally not for desktop use; they're for high profile servers containing gigantic databases of credit card numbers, social security numbers, classified information, etc. Honestly -- scout's honor -- if you are setting up a desktop OS for personal use, you do not need to look at any special "secure" versions of Linux. Linux itself is inherently "secure" by design, and is made even more so since Windows is a much bigger target (much greater market share) for trojans, viruses, etc.

If you are really that concerned about it, there are several things you can do to make any Linux distribution more secure, such as running bastille , configuring a firewall with iptables or one of it's frontends like shorewall, uninstalling/disabling unused services, and so on.

Hope this helps!

[learning c]

These "hardened" distributions you keep mentioning are generally not for desktop use; they're for high profile servers containing gigantic databases of credit card numbers, social security numbers, classified information, etc. Honestly -- scout's honor -- if you are setting up a desktop OS for personal use, you do not need to look at any special "secure" versions of Linux. Linux itself is inherently "secure" by design, and is made even more so since Windows is a much bigger target (much greater market share) for trojans, viruses, etc.

If you are really that concerned about it, there are several things you can do to make any Linux distribution more secure, such as running bastille , configuring a firewall with iptables or one of it's frontends like shorewall, uninstalling/disabling unused services, and so on.

Hope this helps!

i saw the bastille but i didn't go near it ... have you tried it? i tried iptables there has to be more than one firewall ... that is why i was also considering ipchains ... besides if there is only one firewall a hacker only needs to crack it and then get access to all linux distros if you see what i mean.

yes altho i need a hardened one for personal use so that bank account and personal/work docs are safe.

[sunburnt]

i saw the bastille but i didn't go near it ... have you tried it?

I have not tried bastille, because I don't think that there is really any need for it unless you are running a server.

i tried iptables there has to be more than one firewall ... that is why i was also considering ipchains ...

There are plenty of software firewalls out there for Linux. Shorewall and Firestarter are the two that come to mind; however, they are all based on iptables. ipchains is an iptables predecessor, that is generally no longer used.

besides if there is only one firewall a hacker only needs to crack it and then get access to all linux distros if you see what i mean.

This doesn't make any sense. You can't "crack" a "firewall," unless you're in a Die Hard movie. It's a mechanism for disallowing certain connections based on patterns and rules.

yes altho i need a hardened one for personal use so that bank account and personal/work docs are safe.

Would you trust your bank account and personal/work documents on a Windows XP or Vista machine? You don't need to run Windows 2012 Ultra Secure Server Edition SP3 to protect this information; similarly, there's no reason to run Hardened [Whatever] Linux. A standard distribution will work just fine.

[learning c]

I have not tried bastille, because I don't think that there is really any need for it unless you are running a server.

why no need for secure personal desktop?

There are plenty of software firewalls out there for Linux. Shorewall and Firestarter are the two that come to mind; however, they are all based on iptables. ipchains is an iptables predecessor, that is generally no longer used.

i was surprised to only find a few, but maybe that was only with the default installs, are there any sites that specialise in linux software?

This doesn't make any sense. You can't "crack" a "firewall," unless you're in a [url=http://www.penny-arcade.com/comic/2007/07/16Die Hard movie[/url]. It's a mechanism for disallowing certain connections based on patterns and rules.

if a person can find a way through iptables then they have gained access to all linux distros as they all use the same default firewall ... unless iptables is perfect firewall which i doubt.

Would you trust your bank account and personal/work documents on a Windows XP or Vista machine?

only if there was no internet connection.

[learning c]

anyone tried suse yet? it is 3 cds as a base install and i have already used all but 1000MB this month so it would take me 3 nights to download it (as nights are unlimited but i can only get one cd every night)

[kregg]

I've tried openSUSE today and the package manager is just horrible. Honestly, if you are more interested in looks and usabillity over updates and new software, then I would strongly recommend openSUSE.

AFAIK for security in mind, a really good distro would be a Red Hat based one. They usually have firewall set up and ready, and in the setup, (some) check the password for strength and advise you otherwise.

And one thing that you would like when it comes to security is that you will always need the root password when doing system changes, unlike Ubuntu where you will need only your password to do system changes. In my (personal) opinion, this isn't really that safe, as if someone knew my logon password, then I'm basically stuffed in Ubuntu. However, for Red Hat based distros, that isn't the case.

And let me clarify that I don't usually put Red Hat products over Ubuntu. I have been with Ubuntu for quite a few months now, and it has never let me down. However, it's not exactly completely hacker proof, like other OSes. I personally think that Red Hat distros have an advantage when it come to this matter.

[tr333]

https://help.ubuntu.com/community/RootSudo

Read this for a description of why Ubuntu uses 'sudo' instead of the root account.

[learning c]

I've tried openSUSE today and the package manager is just horrible. Honestly, if you are more interested in looks and usabillity over updates and new software, then I would strongly recommend openSUSE.

AFAIK for security in mind, a really good distro would be a Red Hat based one. They usually have firewall set up and ready, and in the setup, (some) check the password for strength and advise you otherwise.

And one thing that you would like when it comes to security is that you will always need the root password when doing system changes, unlike Ubuntu where you will need only your password to do system changes. In my (personal) opinion, this isn't really that safe, as if someone knew my logon password, then I'm basically stuffed in Ubuntu. However, for Red Hat based distros, that isn't the case.

And let me clarify that I don't usually put Red Hat products over Ubuntu. I have been with Ubuntu for quite a few months now, and it has never let me down. However, it's not exactly completely hacker proof, like other OSes. I personally think that Red Hat distros have an advantage when it come to this matter.

well at least that sounds like it actually went on... many of the distros have less than great instructions to do even the basics to get the install running meaning that it is pot luck regarding help from forums.

yes fedora is a red hat derivative that i tried and it is supposed to have all the security features according to wiki but it was a strange forum to get help from ... ubuntu has the better vibe although prolly has much lower security (also according to wiki).

i tried gentoo hardened but it fell over without even a sqelch ... and the live install had loads of problems... i guess the philosophy is make the user do some work to get them up and running but it was all gtk stuff which put me off putting in the time to get it to run.

so what's the suse install like? k or gtk based?

[tr333]

Maybe you should read https://help.ubuntu.com/community/Security for a bit of info on how to secure Ubuntu.

[learning c]

Maybe you should read https://help.ubuntu.com/community/Security for a bit of info on how to secure Ubuntu.

isn't it bit late to install security updates after the initial install? and worse is that they are only available from an online source?

i got a great security idea... lets let the enemy into the castle and then lower the portcullis

[sunburnt]

isn't it bit late to install security updates after the initial install? and worse is that they are only available from an online source?

If you can figure out a better way to distribute security updates, I'd love to hear it!
Installing updates is part of the initial install if an internet connection is present.

This is the same way that any other version of Linux distributes updates and the same way that OS X and Windows do it. When updates are available, you can download them as needed.

Where else are you going to get security updates from?


I really think that you're going overboard here.

[learning c]

If you can figure out a better way to distribute security updates, I'd love to hear it!
Installing updates is part of the initial install if an internet connection is present.

This is the same way that any other version of Linux distributes updates and the same way that OS X and Windows do it. When updates are available, you can download them as needed.

Where else are you going to get security updates from?


I really think that you're going overboard here.

well why don't we make sure the portcullis is down before the enemy charge?

[grilkip]

I've tried openSUSE today and the package manager is just horrible. Honestly, if you are more interested in looks and usabillity over updates and new software, then I would strongly recommend openSUSE.

AFAIK for security in mind, a really good distro would be a Red Hat based one. They usually have firewall set up and ready, and in the setup, (some) check the password for strength and advise you otherwise.

And one thing that you would like when it comes to security is that you will always need the root password when doing system changes, unlike Ubuntu where you will need only your password to do system changes. In my (personal) opinion, this isn't really that safe, as if someone knew my logon password, then I'm basically stuffed in Ubuntu. However, for Red Hat based distros, that isn't the case.

And let me clarify that I don't usually put Red Hat products over Ubuntu. I have been with Ubuntu for quite a few months now, and it has never let me down. However, it's not exactly completely hacker proof, like other OSes. I personally think that Red Hat distros have an advantage when it come to this matter.

Yes, the first user you create in Ubuntu during the install will have SU rights. You can still create users with lesser rights after that.

[TomGibbons]

One thing to look in to if anyone is concerned about hardening Linux, is SELinux. Red Hat Enterprise Linux and Fedora will come with SELinux by default. I've heard that it's quite trivial to install on SUSE.

Word of warning though, the extra security comes at a price; it's very complicated to get in to. It's not easy to learn and it's not easy to troubleshoot. That being said, standard Linux security pales in comparison to an SELinux secured box.

[deepgrewal]

openSuSE

[grilkip]

yay, you like openSuSE.

[kregg]

well at least that sounds like it actually went on... many of the distros have less than great instructions to do even the basics to get the install running meaning that it is pot luck regarding help from forums.

yes fedora is a red hat derivative that i tried and it is supposed to have all the security features according to wiki but it was a strange forum to get help from ... ubuntu has the better vibe although prolly has much lower security (also according to wiki).

i tried gentoo hardened but it fell over without even a sqelch ... and the live install had loads of problems... i guess the philosophy is make the user do some work to get them up and running but it was all gtk stuff which put me off putting in the time to get it to run.

so what's the suse install like? k or gtk based?

Both. The menu thing was like Windows XP's start menu with the list of frequently used programs and then another menu for other programs.

One distro that I really do not like with a passion is SimplyMEPIS. I've tried this while trying openSUSE and let me put it this way: If openSUSE is terrible, then this one is gobsmackingly awful. I was allowed for some strange reason to press back while the distro was installing (I pressed back because I wanted to see a tip that I missed on the setup screen) and it took me about 7 attempts at such a simple job just to install it. In the end I just gave up.


To me you seemed really, really fussed about security. At the end of the day, try out loads of distros, pick three that you like, and research using wikipedia and google for security methods. Also try out forums, they come in handy. Try to relax about Linux distros, because there is always security in mind, and even more you could probably get more software to harden your OS (e.g. SELinux).