Date: 12 Jun 2000 15:14:14 -0400
From: Lowell Gilbert <lowell@world.std.com>
To: Dean Wilson <deano@1011tenn.net>
Cc: freebsd-questions@freebsd.org
Subject: Re: FreeBSD Stability and Security
Message-ID: <443dmid855.fsf@lowellg.ne.mediaone.net>
In-Reply-To: Dean Wilson's message of "Sun, 11 Jun 2000 12:17:57 -0500"
References: <Pine.LNX.4.10.10006111151180.3155-100000@server.1011tenn.net>
Dean Wilson <deano@server.1011tenn.net> writes:

> I've used Linux for the past 5 years or so, and have been pretty
> happy with it -- until my (Linux) firewall was hacked the other day.
> I thought I had taken all the necessary security precautions (no
> telnet, etc...) but I was apparently wrong. ;) Now I'm re-doing my
> firewall, and am interested in FreeBSD. My question:

While I happen to think that it's easier to keep a system secure under FreeBSD than under the Linux releases I've used, I think the differences probably don't matter as much as your own knowledge, and that's an ongoing struggle. You have to know what's running, you have to know what you need, and you have to know what's theoretically reachable. Furthermore, you have to keep up with the ongoing discoveries of vulnerabilities in anything that you *are* leaving reachable from the outside.

When you get down to brass tacks, I suspect that more Linux and FreeBSD machines are cracked through third-party applications than through problems with the OS itself. This isn't necessarily an indictment of those applications themselves, but it does indicate that picking a more secure OS is of limited help if you're going to support, for example, CGI applications on that machine.

If you're not attached to the Internet, you can be a lot more conservative, but if your machine is up all the time, and reachable from the general Internet, there's really no getting around the fact that security is an ongoing process.

> I understand that the BSD releases are as follows:
>
> FreeBSD CURRENT = developmental version
> FreeBSD RELEASE = latest version released for general use
> FreeBSD STABLE = latest version of FreeBSD-RELEASE with all the possible bug fixes applied

That's roughly right, but it confuses two different concepts, either of which could be covered by the word "version".

One is a code base, which is something that changes every time a committer "checks in" new or changed code to the official database of FreeBSD source code; there are over a hundred committers now, so that's a moving target. In other words, -STABLE as of a month ago has substantial differences from -STABLE today, so you have to mention *when* you upgraded in order for people to know exactly what you have.

A release, on the other hand, is (by definition) frozen at the moment of its release. If you install, say, 4.0-RELEASE today or next year, you will get the exact same thing as somebody who put it on their machine last month.

> But what I'm looking for is a release that's been found tried and true -- one that's known to work as a firewall without any hitches. Is this true for 4.0? How about 3.2? I have the CD's for 3.2 -- should I use those, or should I FTP/get CD's for 4.0?
>
> In short, which is the *most* stable and security-hole free?

All else being equal, you're best off running the most recent -STABLE release. If you have the time and energy to keep up with things, you could update *more* often than that, and track -STABLE on a regular (e.g., monthly, weekly, even daily) basis. In any case, you should keep an eye on the security advisories to see if you have any vulnerabilities you should act on.

All else may not be equal; if you have limited Internet bandwidth, it may be easiest to install 3.2 and upgrade from there. I don't recommend this for a beginner, though.

> While trying to find an answer, I came across this at http://www.freebsd.org/security/ :
>
> At this time, security advisories are being released for:
> FreeBSD 3.4-STABLE
> FreeBSD 4.0-RELEASE
> FreeBSD 4.0-STABLE
> FreeBSD 5.0-CURRENT
>
> This would make me think that there have been security holes found in the versions listed above, and that I should use FreeBSD 3.2-STABLE.
> But then the next line says:
>
> Older releases are not maintained and users are strongly encouraged to upgrade to one of the supported releases mentioned above.
>
> So which line of thinking is correct? That because the older version has been tested thoroughly, it's less likely to have a security hole, or because the newer releases are still maintained, they're more likely to have the security holes identified and fixed?

The latter. Many of the security advisories for the "still maintained" releases apply to 3.2 as well, but because it's not being officially supported, the security officer doesn't issue advisories against it, regardless of whether or not the problems apply. [I'm slightly oversimplifying here, but not in a way that affects your question.]

> Does anyone have any suggestions as to which version I should install?

I don't know you well enough to be sure, but at a guess, I'd say the 4.0 release looks like the way to go.

Good luck.
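The "know what's running and what's reachable" advice above, turned into a check, as an added example that is not part of the thread: a POSIX shell/awk script that reads the output of FreeBSD's `sockstat -46l` (listening IPv4/IPv6 sockets), ignores loopback-only bindings, and reports every listener that is not on an explicit allow list. The sockstat rows and the allow list here are constructed sample data, not captured from a real host.

```shell
#!/bin/sh
# Audit externally reachable listeners against an allow list.
# Input format is that of `sockstat -46l` on FreeBSD. The sample
# below is constructed for illustration; on a real host replace it
# with the live command output.

SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       612   4  tcp6   *:22                  *:*
root     sshd       612   5  tcp4   *:22                  *:*
root     sendmail   589   4  tcp4   127.0.0.1:25          *:*
root     syslogd    456   4  udp4   *:514                 *:*
www      httpd      701   3  tcp4   *:80                  *:*
root     rpcbind    433   6  udp4   *:111                 *:*'

# Services this firewall host is meant to expose, as proto/port.
ALLOWED='tcp/22
tcp/80'

# unexpected_listeners: print "proto port command" for each socket
# bound to a non-loopback address whose proto/port is not allowed.
unexpected_listeners() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, "\n"); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 { next }                        # skip the column header
        {
            proto = substr($5, 1, 3)            # tcp4/tcp6/udp4 -> tcp/udp
            addr = $6
            port = addr; sub(/.*:/, "", port)   # text after the last colon
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host == "127.0.0.1" || host == "::1") next   # loopback only
            key = proto "/" port
            if (!(key in ok)) print proto, port, $2
        }' | sort -u
}

unexpected_listeners
```

With the sample data this reports syslogd on udp/514 and rpcbind on udp/111, the two services reachable from outside that nobody decided to expose.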