back to article Fear not, Linux admins: There are TOOLS to help you

Most Linux distributions have a significant focus on security. This does not mean they are necessarily ready for production out of the box. Tools like SELinux, excellent firewall options, and robust access controls can make Linux exceptionally secure. Despite this, actually deploying a Linux system into production still requires …

COMMENTS

This topic is closed for new posts.
  1. vagabondo

    IOW

    Sysadmins ought to know what they are doing.

    1. Anonymous Coward
      Anonymous Coward

      Re: IOW

      They should also have a sporting chance of setting up a system with which they're unfamiliar based upon sysadmin level knowledge of other systems (ie: Knowing what you want/need to achieve) and a web search engine.

  2. vmistery

    Not sure I agree about using Webmin! In fact a new Linux user should not deviate from the prepackaged stuff in the default repos IMO. It also does not help you learn what is really going on if all you do is use a nice pretty GUI - if you want to do that you may as well use Windows if you can afford it, its hard to move away from a GUIbut is well worth it.

    I think its a shame that SELinux is not enabled by default on Debian though and that the default firewall is set to to allow everything! Dont forget to close down you ipv6 too! Time to switch?!

    1. Vic

      > Not sure I agree about using Webmin!

      Webmin is a Good Thing(tm). It dramatically increases the discoverability of a server's features for the uninitiated.

      But as I say every time the subject comes up, it has two significant problems: you need to be *very* careful if you try to have multiple users (as it doesn't really have them - they're all subsets of root), and you shouldn't do much sendmail administration with it (it writes the sendmail.cf file directly, meaning the sendmail.mc file gets out of sync, so future .mc modifications will roll back your webmin changes...)

      Vic.

      1. Arrrggghh-otron

        Webmin is usually one of the first things I install on Linux just so I can get a visual overview of the system. I generally don't leave it running though...

        It's also handy for finding the name/location of the config files you are looking for but can't remember (locate is great when you can remember some or all of the name of a config file).

      2. Trevor_Pott Gold badge

        Sendmail module on webmin has "M4 configuration." Use that, then have it build your .mc. I have been using it for >5 years, works like a hot damn.

        1. Vic

          > Sendmail module on webmin has "M4 configuration."

          Yes. But if you edit that, it'll throw away stuff you've done with the other config tools, which edit the .cf file directly.

          This is why I raise the issue. Every time, you tell me you get it - then post stuff like this.

          Webmin is a fine tool, but it runs the risk of rolling back changes if you edit the .m4 file after you've used it to effect other changes. I wonder that you keep trying to ignore this very simple fact.

          Vic.

          1. Trevor_Pott Gold badge

            If you use the M4 config editor, it will indeed blow away all other changes in the .mc. I don't know that I'd ever "ignore that fact," Vic. It's pretty much the way M4 is support to work. If you use tools that edit the .mc directly - or you enjoy going in and editing the .mc by hand - then do not use the sendmail module in webmin. Period.

            That said, I was taught emphatically to never edit the .mc file in sendmail directly. In fact, I have been berated and mocked by sendmail devs for doing so. If I go onto a sendmail forum for help, or I try the mailing list, etc...I am repeatedly and forcefully told that I am never to do anything outside of M4. M4 is where configuration changes are "supposed" to be made, and so I make them there.

            Things like virtuser and aliases as generally include files nowadays, so I can use the Sendmail webmin module to edit those without clobbering my config every time I touch M4. This means that the Sendmail module will allow me to do things “properly,” which means that when I need support from the community, I have at least a snowball’s chance in a neutron star of getting it.

            That said, I would never berate someone for editing the .mc directly. There are so many different ways to do something in Linux that I don’t feel it’s my place to tell someone that their method is “wrong,” so long as it works consistently for them. I don’t have the jihadi attitude about such things that is so prevalent amongst Linux nerds.

            So if you are following the “rules” as laid out by the Sendmail devs, you are using M4 to generate ever config change, with aliases, virtuser, generics etc pulled out as includes so they don’t get clobbered by M4 regeneration. In that case, I highly recommend the Sendmail module, because it works…even when something else edits the M4 or the includes.

            If however you edit the .mc directly, the sendmail module in Webmin will screw up your Sendmail something fierce and you should stay away from it!

            1. eulampios

              postfix or something else?

              I suggest postfix, which is much easier to set up. I use my old master.cf and main.cf, aliases etc files heavily wounded with my own comments to set new ones. BTW this would be useless with the webmin approach.

              1. Trevor_Pott Gold badge

                Re: postfix or something else?

                Postfix isn't required for a great many cases. Such as when the local mail elements are being used to mail reports on behalf of a web application, or when you are using the Linux system's mail subsystem only as a pre-filter front-ending another system. (ClamAV + Mailscanner + Spamassassin, etc.)

                They make for good, cheap, easy pre-filters for Exchange, for example.

                1. eulampios

                  Re: postfix or something else?

                  I have spamassassin attached :

                  smtp inet n - - - - smtpd -o content_filter=spamassassin

                  ....

                  etc piped at by postfix daemon. It works. ClamAV would not be very different, I guess. Postfix has a sendmail compatibility interface. gnu or bsd mail-utils and/or mutt are very handy too.

                  I heard that there are instances where sendmail does very complex job that postfix cannot handle. Haven't seen any of those myself.

                  1. Trevor_Pott Gold badge

                    Re: postfix or something else?

                    @eulampios where exactly did I say that postfix couldn't or wouldn't use spamassassin, mailscanner, clamav or other?

                    I said you didn't need postfix to use them. The implication was not that postfix cannot use these technologies, but that postfix is more complicated to configure than sendmail. The further implication of that statement is that postfix is generally A Better Option, but that using the more complex tool isn't necessarily always required.

                    I wouldn’t want to run a full-bore business off of Sendmail – though I do admit that my PERSONAL email server is Sendmail – Postfix or QMail are better options than Sendmail for an actual email server.

                    That said, if I am not using the system to store emails – merely to send them on behalf of a web server, or to filter-and-forward (with or without LDAP lookups) – then I prefer to use the simpler tool. It is kinder to future admins who in most cases won't have 30+ years *nix experience.

                    1. eulampios

                      Re: postfix or something else?

                      Never did I contradict with what you said. I just felt (and heard) that postfix is an easier to set up and maintain option. On FreeBSD sendmail (or its default counterpart) did not seem to be hard to work with either...

                      1. Trevor_Pott Gold badge

                        Re: postfix or something else?

                        @eulampios please try someday to front-end an LDAP-based email service with Postfix. Exchange is common, but I have LDAP QMail systems in the wild as well. Sendmail is significantly easier to set-up in as a simple mailfiter for LDAP-backed systems. (You want to be able to have the MTA do LDAP lookups so that you can do simple things like reject mail for addresses that don't exist, and banhammer systems that repeatedly try multiple non-extant addresses.)

                        Similarly on many Linux distros - CentOS is a great example - you don't need to "set up" sendmail at all. You simply "yum install apache php sendmail" and suddently your PHP scripts can send e-mail out. (In my case, i trap all outbound mail with an edge device and apply whatever filtering I need to there, but the principle of "it Just Works" remains.) If you need to make minor changes in Sendmail, use the M4 config (text-based) or the Webmin module.

                        Postfix is only easier if you are actually using it to host e-mail, rather than simply to process email. (In which case; Postfix all the way; never use Sendmail to host email!)

                        1. Gerhard Mack
                          Stop

                          @Re: postfix or something else?

                          In more modern distros "apt-get install postfix" is enough to get a running mail system hosting whatever domain you want with a local mail store and an external mail server for sending if you so desire.

                          I don't see how you consider it hard to use postfix with LDAP since postfix supports it natively and it's mostly just a matter of putting "LDAP:" instead of whatever other store you could have used.

                          It also has some nice config items I use to restrict message size, ban certain attachments etc before the message reaches my mostly perl based filters.

                          1. Trevor_Pott Gold badge

                            Re: @postfix or something else?

                            @Gerhard Mack

                            Postfix seems to work out-of-the-box if the LDAP server is located on the same system as postfix itself, and that system is configured to talk to it, etc.

                            In my experience, getting sendmail to talk to an LDAP server is two lines in the M4 configuration. I don't have to configure PAM, the LDAP config file or anything else. Sendmail can be set up to talk to a remote LDAP server without having to involve or configure another thing on the Linux box.

                            Postfix only ever seems to work with a remote LDAP system if the Linux box is itself configured to authenticate against that LDAP domain. I prefer to not have to join my servers to the domain in order to do simple lookups.

                            That said, if you happen to have a link to any chunk of the postfix manual (or a decent walkthrough) that can show me how to set up postfix to a Windows Active Directory server without having to get the rest of the Linux system authenticating against AD, I'd be greatly indebted!

                            1. Gerhard Mack

                              Re: @postfix or something else?

                              @Trevor_Pott

                              It sounds like postfix was using system accounts for delivery. That is the default and good for small setups but far from ideal when it comes to larger setups. I am not an expert on LDAP but I dug this up for you and I hope it helps.

                              http://tom.scholten.nu/weblog/postfix_ldap_howto

                              1. Trevor_Pott Gold badge

                                Re: @postfix or something else?

                                @Gerhard Mack

                                Thank you for the link; I will give it a more in depth look tomorrow. At first glance, it looks like a walk-through focused on creating a postfix filterserver using a local LDAP setup. I'll poke at it some and see if I can figure out how to tie it back to Active Directory instead of a local LDAP setup. If I can figure it out, I'll do up a howto.

                                It would be nice to have a simple way of front-ending an exchange (or other) mail system using Active Directory as the user interface. Easy in Sendmail, but so far I've never made it work without Postfix using PAM to do LDAP lookups.

                                If I can make it as simple as sendmail...that's a huge step forward!

                            2. Vic

                              Re: @postfix or something else?

                              > Postfix seems to work out-of-the-box if the LDAP server is located on the same system

                              Yes, that's the default. If you want it to talk to a different server, you use the server_host parameter. If you don't specify that parm, you get "localhost"...

                              Vic.

              2. Vic

                Re: postfix or something else?

                > I suggest postfix, which is much easier to set up

                That's somewhat subjective; personally, I find sendmail much easier to set up than postfix, but that's almost certainly down to the fact I have far more familiarity with it than I do with postfix...

                > BTW this would be useless with the webmin approach.

                There is a webmin module available for postfix. I've no idea how well it works...

                Vic.

                1. Trevor_Pott Gold badge

                  Re: postfix or something else?

                  Webmin module for postfix is quite good...unless you want to use LDAP...

            2. Vic

              > If you use tools that edit the .mc directly - or you enjoy going in and editing the .mc by hand

              > - then do not use the sendmail module in webmin

              That's pretty much what I keep telling you. And you keep telling me you know better.

              > I was taught emphatically to never edit the .mc file in sendmail directly

              I very much doubt you were told that.

              You were almost certainly told not to edit the .cf file directly.

              > I am repeatedly and forcefully told that I am never to do anything outside of M4.

              So you *weren't* told not to edit the .mc file. Like I said, then...

              > M4 is where configuration changes are "supposed" to be made, and so I make them there.

              And if you use the sendmail module in Webmin, that statement is no longer true, as it alters the .cf file directly for a number of options. Hence the warning I keep maknig, and you keep telling me isn't important.

              Vic.

              1. Trevor_Pott Gold badge

                I think we have a misunderstanding here; I don't use the Webmin module to edit any part of sendmail that would typically be part of the .cf. I use the M4 generator in the webmin module to exit those. I use the aliases and virtuser and so fort to edit those parts of the config that are in includes.

                But you are correct; there are widgets in that sendmail config module that are flat out bad. They edit the .cf directly. And I would not ever recommend using those chunks of that module. It's useless! As soon as you touch the M4 config - which is how all config changes are "supposed" to be generated - then it wipes out our .cf; including any changes to the cf that you made with the sendmail module.

                So just don't use those bits. I don't. But I do find it a convenient way to edit M4, edit "include-filed" items like aliases and virtuser, as well as manage the queue.

                We are both right here, I think. There is value to the Sendmail module; but not ALL of it. It does edit the cf directly, which it should not do…but there are still other parts of the thing that work properly. I see no reason to throw the whole module away based on that; you just need to know it – and Sendmail – well enough to know what bits you cannot use.

                I’d be far happier if they’d just pull the section that directly edit’s the cf out altogether…but I’ve simply ignored that for so long I just don’t notice it any more.

                Maybe I need to do an article on that? "Webmin's sendmail module; which areas are safe, which break the rules."

              2. Trevor_Pott Gold badge

                Actually...now that I look at a fully up-to-date Sendmail module, it might be that only two sections of twelve are "dangerout/useless." From what I can see "Sendmail Options" and "Network Ports" directly edit the .cf. The rest seem to edit include files that don't get clobbered every time I regenerate the M4.

                That's actually doing better than I remember...

    2. Anonymous Coward
      Anonymous Coward

      Err?

      "It also does not help you learn what is really going on if all you do is use a nice pretty GUI - if you want to do that you may as well use Windows"

      Snob.

      There is nothing wrong with GUI, if that's what you want, provided you understand its limits. Likewise there is nothing wrong with CLI, if that's what you want, provided you understand its limits.

      Rename a thousand files - Use the CLI

      Tell me which of those files is a picture of a dog - Use the GUI

      1. This post has been deleted by its author

      2. vmistery

        Re: Err?

        Not at all snobish. The windows management GUIs are simply much better than webmin.

        The problem I have with GUIs in general is just you dont learn as much about how things work. You need this knowledge for when something breaks and you need to manually edit a zone file or change some permissions somewhere and look at log files,once you have this knowledge then using a script to make the task quicker is a good option or indeed - a gui. Obviously when viewing data or typing a letter you are not going to use the CLI but for most server administration functions there is rarely a need. If nothing else Webmin opens up another area of potential attack and is largely unnecessary IMO.

      3. Robert Sneddon
        Coffee/keyboard

        CLI

        The CLI is best described as powerful, cryptic and dangerous. Many GUIs are basically wrappers around a CLI-like command parser, in part to make things easier for the user to carry common tasks and in part to prevent something Godawfully stupid from happening because of a miskey. Anecdotally, I was using a CLI the day I accidentally reformatted the office dev server's hard drive. It would have taken a lot more effort to achieve this via a GUI.

        1. moiety

          Re: CLI

          I was about to say something like this...it's relatively easy to get truly catastrophic fuck-ups from the command line. A GUI works better for me, certainly. We're a visual species.

      4. JEDIDIAH
        Linux

        Re: Err?

        > Tell me which of those files is a picture of a dog - Use the GUI

        Out of a thousand files? Are you kidding? That's going to be a ton of work.

        It would be far better to do that with an automated tool. The real problem is that no such beast seems to exist. You use the GUI because you don't have a better option, not because it is actually a better option.

        1. Anonymous Coward
          Anonymous Coward

          Re: Err?

          @Jedidiah - I don't know which OS you use, but mine has a preview option that can show filenames alongside a largeish icon of the image. Scroll down the list, it should take you a few seconds, if you're wanting to pick one image out.

          1. JEDIDIAH
            Linux

            Re: Err?

            I don't think you fully comprehend the scope of the problem described.

        2. This post has been deleted by its author

      5. Marshalltown
        Stop

        Re: Err?

        Neither batch-renaming image files nor identifying an image of a dog are normal tasks for a sysadmin. The _limitations- of a GUI are why CLI is more useful.

    3. ch815
      Thumb Up

      Not all GUI's are evil

      I also frequently use Webmin on linux servers along with Virtualmin for web hosting set ups. It can speed up many mundane tasks and is a great way to make learning Linux sys admin more accessible.

      Unlike other control panel type apps (I'm looking at you C'panel) it uses the default config files an packages so you can use it for some tasks while going back to the terminal and config files for other things. Best of both worlds really.

      Really makes life easier having it installed on any linux box.

    4. Havin_it
      Paris Hilton

      Always been a bit gun-shy about webmin myself (though must admit I've not tried it in some years). Not for any failings inherent to itself, but more the worry of incompatibility with a particular distro. Admittedly for something like CentOS I'd expect this to be well-maintained, but I always feared (and did experience at least once) that a module might not match up correctly with that distro's version of the underlying app, and using it would hose something.

      I never really looked into how (or to what extent) webmin's devs had made it respond correctly to different app versions and distro packaging inconsistencies. The former I'd hope they would have a stab at, the latter rests mainly with the distro maintainers. Anyone got some insight on this?

      Paris loves a bit of GUI administration.

      1. Anonymous Coward
        Pint

        apropos

        And just how long have you been holding onto that gem?

  3. Tom 7 Silver badge

    But experience teaches one

    that security is overridden by rank. Most places I've worked are happier to pay for a few days outage due to a virus or firewall breach if it means the boss or other important lackeys can do as they choose.

    I've even sat with some and shown them how security invariably matches almost perfectly with other company ownership issues and their little faces light up with recognition and then a few days later the desire to not have to remember what their job should entail overrides all else.

    Someone has lied about computing being easy for 20 odd years and reality isn’t going to change that in a hurry.

  4. RainForestGuppy

    For [Insert Diety here] sake

    Just changing the port SSH runs on doesn't make it anymore secure.

    If you must expose SSH services at least lock them down to known source locations.

    1. GrumpyJoe
      Meh

      Re: For [Insert Diety here] sake

      Well, I've moved the port WELL upwards and disabled root AND only use PKI login (no interactive password login). Good enough?

      Probably not, I'm no expert, but it's my best try. And in the end that's all you've got for the most part - educated guesses.

      1. -tim
        Alert

        Re: For [Insert Diety here] sake

        Your ssl keys better be protected or when one of your machines gets hit, it and every other machine you connect to will become part of someone's ssh scanning network.

        SSH Communications' ssh server allows key and password but openssl currently only allows key or password. Both products allow the key to be password encrypted on the client end.

    2. Havin_it
      Devil

      Re: For [Insert Diety here] sake

      >Just changing the port SSH runs on doesn't make it anymore secure.

      Maybe not, but it does mean you waste a [Insert Undesirable Afterlife Destination Here] of a lot fewer cycles dealing with botnet dictionary attacks.

      1. storner
        Linux

        Re: For [Insert Diety here] sake

        If you install fail2ban as suggested in the article, then that will automatically kill off the brute-force botnet attacks.

        Alternatively, these extra firewall rules right before you accept the ssh-connection will limit the number of attempts to 2 per minute. Can also be used for other services, if you like.

        iptables -A INPUT -m state --protocol tcp --destination-port ssh --state NEW -m recent --set

        iptables -A INPUT -m state --protocol tcp --destination-port ssh --state NEW -m recent --update --seconds 60 --hitcount 2 -j DROP

        1. Gerhard Mack

          @storner Re: For [Insert Diety here] sake

          I have an office full of web devs that use SCP with key to transfer files to the server. That's 6 people running SSH connections through our single outgoing IP so take a guess what blindly allowing only 2 connections attempts per minute would do to their ability to get work done.

          Fail2ban is a better option since it only punishes the bad users rather than everyone equally.

    3. Wensleydale Cheese Silver badge
      Happy

      Re: For [Insert Diety here] sake

      "Just changing the port SSH runs on doesn't make it anymore secure."

      Maybe not, but moving it well up stopped a lot of noise from the script kiddies who were active several years ago. I don't just mean noise in the logs, but the disk on my home system used to rattle pretty non stop when it was on port 22; life got more peaceful once I'd moved it.

    4. eulampios

      Re: For [Insert Diety here] sake

      Right, it is usually recommended to disable password login and use key login instead.

    5. Anonymous Coward
      Anonymous Coward

      Re: For [Insert Diety here] sake

      "Just changing the port SSH runs on doesn't make it anymore secure."

      True. BUT: You can now configure your firewall to say "You tried to frob port 22: ON TO THE BLACKLIST YOU GO!" You can do that IMMEDIATELY: no waiting for a log in failure to be created. Under Linux, you can have a firewall rule immediately add that IP to a "recent" IPTables rule, and have that rule be checked at the very beginning of checking an incoming packet.

      You can place the REAL ssh server on another port (with mandatory keypair needed, no keyboard-interactive, no root log in, FAIL2BAN in effect) and greatly reduce the amount of time J. Random ScriptBot can have at your system.

      Ditto for any other well-known port you AREN'T making generally available: Put a (metaphorical) land mine there - touch that port, immediately be blacklisted.

      1. Trevor_Pott Gold badge

        Re: For [Insert Diety here] sake

        @David D. Hagwood

        Would you look at that? Amidst the dross; a sysadmin emerges! Yes sir, someone who understood exactly where I was going with "don't run the thing on a standard port" without having to have it explained. You don't run RDP on 3389 and you sure as all get-out don't run SSH on 22.

        Them is the honeypot ports. Security through obscurity isn't security at all...but a minor dollop of obscurity is useful in catching the obvious idiots who like to eat your CPU cycles with their useless TCP packets!

        Blows my mind that this apparently needs to be explained to "senior Linux administrators," but what're ya going to do, eh?

        1. Gerhard Mack
          FAIL

          Re: For [Insert Diety here] sake

          Using standard ports as a honey pot only works if you have total control over who connects to your system and over what links. The idea fails badly if you ever have offices in more than one country or have people who work from home.

          Do you want to be the guy to explain to a paying client why their whole office can't connect just because someone ran some software on it's default settings?

          1. Trevor_Pott Gold badge

            Re: For [Insert Diety here] sake

            @gerhard mack

            In situtaions like this - where I happen to know what IPs that most people are coming from - I whitelist the IPs. In fact, I generally have the DNS names whitelisted alongside some dynamic DNS deployments for remote/home users.

            Works wonders for more than just SSH. SIP phones for example…

        2. Vic

          Re: For [Insert Diety here] sake

          > you sure as all get-out don't run SSH on 22

          I do. That's where my users expect to find my SSH daemon.

          They don't get in without their keys, though.

          Vic.

      2. Vic

        Re: For [Insert Diety here] sake

        > Put a (metaphorical) land mine there - touch that port, immediately be blacklisted.

        That upsets customers. They don't like being blacklisted for a single mistake...

        Vic.

    6. garetht t

      Re: For [Insert Diety here] sake

      >Just changing the port SSH runs on doesn't make it anymore secure.

      Yes it does.

      It doesn't make it *secure*. It's certainly 'security through obscurity', but it is a mite more secure than leaving it on the default 22.

      >If you must expose SSH services at least lock them down to known source locations.

      Great! Now can you tell me the IP source address of the wifi access point in Terminal 7 of Amsterdam airport, because my boss has just called to say that mail is down, and I need to ssh in quickly to reboot the server.

  5. JimmyPage Silver badge
    Linux

    +1 for Webmin

    OK, I'm never going to be a paid Linux sysadmin. But when I started dabbling with Linux, about 5 years ago now (slight pause for that to register) the one tool which I stumbled across which transformed my experience was Webmin.

    Despite being able to remember DOS 2.0, I am unashamedly a GUI fan. My argument is a *good* GUI can help enforce some sort of understanding of what's going on underneath - a classic example being an input field that is greyed out unless a checkbox is ticked. The GUI shows you the relation between the two.

    1. eulampios

      GUI-SHMUI

      The reason why CLI is alien to you is that Microsoft didn't do it right. DOS was a piece of junk, as was cmd.exe

      Look at the vanilla terminal emulator official msdn tutorials use. Look at the ugly syntax there, you'll gather how much MSFT hated(s) the shell.

      Power Shell is better but still "too innovative" for a shell with its OO idiocy.

      1. Wensleydale Cheese Silver badge
        Thumb Up

        Re: GUI-SHMUI

        @eulampios

        "The reason why CLI is alien to you is that Microsoft didn't do it right. DOS was a piece of junk, as was cmd.exe"

        Absolutely correct. It took me a couple of hours of trial and error to get NT4's 'ntbackup' and 'at' commands working back in 1997. All I wanted to do was set backups off at a certain time of day rather than running them manually. Quite a simple task on any other O/S but Microsoft had a fixation that we should all become point and click merchants.

      2. Anonymous Coward
        Anonymous Coward

        Re: GUI-SHMUI

        Now, I'm a bit of a command line jockey in both Windows and UNIX/Linux, I'll freely admit that some Windows commands are odd, but there are also many UNIX/Linux commands which are also odd, or that don't correspond in terms of switches to other commands which do related tasks. There are commands which are massively under or over engineered (why does 'ls' need more switches than letters of the alphabet, for example.)

        As for PowerShell being "too innovative" you don't get to make that accusation when you were saying the other day that ACLs are too complicated. It seems to be a common attitude amongst UNIX/Linux guys that they think that because they know UNIX/Linux, they magically know Windows and anything they don't understand is rubbish or not required. Let me tell you this is never the case, the last two companies I've worked for I have had to pick apart Windows products which were engineered by UNIX guys that just didn't work and in one case actually lost data, because there just wasn't the level of understanding of Windows that they thought they had.

        Anyway, MS have always strived to make sure that everything is doable at the command line, the current version of Windows server offers no GUI options, the next version is command line by default, GUI as an option.

        1. eulampios

          @AC 24th July 2012 10:34 GMT

          Hello AC,

          FYI, "ls" is a command, it is not part of the shell. Shell is used to call, pipe it and glue it. I bet you can use it in PS too. And, btw, "many is not few". I know those I use quite often, if I need to do more, I'd do "man ls" or "info ls" and search through with "/" or "?"

          PS has a few questionable things to consider:

          1) While a shell should tend to be as simple as possible, OO interface makes it cool, not simple hence not very usable.

          2) as I mentioned above take at (any) MSFT shell and look at the syntax, how do you like it, compared to any *nix shell? those long, hard to read names of the commands are not esthetically appealing. What about those long paths? Hasn't MS realized it could be done with linking to some path (like /bin or /usr/bin etc) and storing in a variable like PATH?

          3) look a the ugly MS vanilla terminal emulator. One can tell about the attitude towards what you do by looking at your workplace.

          4) take this Trevor Pott's article written for (as he points out below) LInux newbies & Windows admins. Why is much so fear before the CLI? Why bother about webadmin ? It's the habit, indeed. Now compare the average Linux and Windows tutorial, guess which is more heavy on GUI? Even Windows 2008R Core almost gui-less has some windowy interfaces left, just to make sure... Those newer ones you're referring to are said to be administered through rdp GUI interface, as advised by MS, right

          5) when did MS finally decided they need a better shell? some 20 years later after the *nix guys got it. And Windows culture hates and tries to avoid the CLI and this is with the reason situated in the City of Redmond.

          Windows products which were engineered by UNIX guys that just didn't work and in one case actually lost data

          Should I tell you about Windows XP tools being incapable to neither see its own backups, nor its own ntfs partition once Windows could not boot.

  6. wheelybird

    Not all that useful...

    You do make some good points, but you should point out that this advice is only of practical benefit if you're placing a Linux box directly on the internet without being behind a firewall. I doubt you'll find any serious Linux setup that isn't behind a dedicated firewall.

    Tools like ClamAV are designed to scan files going through the Linux system that will end up on other systems - Windows and Macs etc. There are very few viruses and trojans for Linux. If you've updated your system in the past year then you're probably safe against the ones that do exist. However you should really mention tools like Chkrootkit which will actually check for this stuff, or Aide which works as an intrusion detection system.

    Incidentally, as a Senior Linux sysadmin with over a decade of commercial experience, I would advise turning SELinux off on your CentOS boxes. It really is more trouble than it's worth. However, Apparmor on Debian/Ubuntu boxes isn't too shabby, so keep that one running.

    1. Vic

      Re: Not all that useful...

      > I doubt you'll find any serious Linux setup that isn't behind a dedicated firewall.

      I can point you at a few thousand...

      > I would advise turning SELinux off on your CentOS boxes.

      I wouldn't.

      SELinux is very, very effective. Russell Coker used to publish his root password on his website and let you shell into his machine to play with it. It was quite a stunning demonstration.

      SELinux often needs to be disabled because the admin doesn't understand it well enough - and that's fine, it's still a fairly new technology. But it should be left enabled if at all possible, because it really does stop bad stuff happening.

      Vic.

      1. wheelybird

        Re: Not all that useful...

        SELinux isn't new technology; it's at least a decade old. It is is badly designed and poorly documented technology though.

        The point I was making, however, is beginner Linux admins ought to turn off SELinux because they'll try and do something simple and it won't work because of SELinux. There are other things they could do which aren't mentioned in this article which will make their systems more secure anyway and won't be such a pain-in-the-arse.

        For one, CentOS has a stupid amount of services running as default, most of them ridiculous. If I remember correctly, one is a bluetooth service or something mad like that. The first step to securing a box is to stop unnecessary services. Another is not to run Webmin which, If I remember, has had some pretty nasty vulnerabilities in the past.

        There are indeed thousands of Linux boxes directly on the net. In fact my personal server is. But when I say serious, I mean serious as in "Let's hire a sysadmin to look after this" type serious. I would expect at least a screened subnet type network setup for running a serious network system, whether Linux or any other OS. Not only does it aid security, but allows you to move from a server that's a single point of failure to something more highly available.

        The conclusion is of course that this article is aimed at hobbyists rather than people employed as a sysadmin, therefore SELinux would be a hindrance.

        1. Gordan

          Re: Not all that useful...

          Largely agree - SELinux shouldn't be disabled unless you REALLY know what you are doing. If you don't know what you are doing and it's getting in your way, you should learn enough about it to configure it's rules to make the problem go away.

          Having said that - SELinux DOES cause quite an observable performance penalty. So if you really do know what you are doing and have made sure the system is otherwise suitable bolted down (or it isn't in a security-sensitive environment, e.g. not exposed to the internet), you can squeeze a bit more out of the machine by adding selinux=0 to your kernel command like (and/or putting SELINUX=disabled in your /etc/selinux/config).

    2. Morg

      Re: Not all that useful...

      A dedicated firewall is a linux box running iptables, or a proprietary piece of crap that does the same, but with more bandwidth limitations and no additional services.

      Do you really want to put it behind yet another firewall ? because it's a linux box, so you know, according to your Senior advice ...

      1. wheelybird

        Re: Not all that useful...

        Are you joking?

        Look up some basic network design and then get back to me when you understand it. You are, like the author of the article, assuming that you have one server and it's directly on the internet. I mentioned things like high availability before, which is one aspect of good network design which is what you do if you're professional. How the hell do you get high availability with a single box whether or not it's got iptables on it?

  7. Anonymous Coward
    Anonymous Coward

    "For pain reduction, I recommend Webmin for experienced admins and first timers alike."

    I just about knew you were going to say stupid stuff like that. It paints you one of those adherents to the idea that just because fancy GUIs make you feel safe, this must necessarily be a good thing for everybody else. This is curiously at odds with your powershell infatuation. Or maybe it isn't, but I don't really care.

    Point is, you really don't get the point of simple stuff. Like, oh, system defaults. What else would you recommend linux distributions ship as a default instead of the IANA-assigned default port for SSH then? Suppose they pick some obviously much more secure port, say number 24. So people that run scanners take notice, and now scan 22 and 24. Congratulations, burned another port. And for what? A gazillion questions by confused newbies and angered admins why ssh doesn't "just work"? The centos crew must just love your wonderful suggestions.

    Granted, allowing root login is a bit poor, but that too is something experienced admins will immediately amend to comply with their site's policies. Like, no password logins, no ssh logins anywhere from the outside except to one or two bastion hosts, that sort of thing. But none of that has much place in a default install.

    In fact, I don't necessarily agree that a "firewall" is a good idea on a default install. The preceived necessity of such a thing mostly stems from shoddy code and defaults entirely unsuited to the open internet...by your favourite vendor. I say systems should be hardened enough to be reasonably safe out-of-the-box without packet filtering installed. That's not to say you shouldn't use one, there are many reasons why you might want to anyway, but I am saying the system should be solid enough without. If you ship then with a packet filter anyway, it's because your audience cannot be trusted to configure the system without opening themselves up to abuse. Like forgetting to limit the database in the lamp stack to localhost only, that sort of thing.

    The rest is more listing of your preferences, without much of an argument at all why everybody else should agree with your tastes. You may have a point but you're not exactly exerting yourself making it.

    The only thing I can really take away is a point you didn't actually make, and that is that it's a pity that SELinux isn't equipped with more accessible documentation and tools to make it work, leaving little option for everyone except experts in SELinux to just turn the cursed thing off and so do away with the obscure interference it causes, preventing many an app from "just working". If that could be achieved with little effort, then you are much less forced to know a gazillion tricks to work around SELinux' insufferability.

    1. vmistery

      Re: "For pain reduction, I recommend Webmin for experienced admins and first timers alike."

      I agree about SELinux, if the devs actually had a suggested config for their apps added as part of the package install process it would be a breeze.

  8. DrXym Silver badge

    I don't think it's a too unreasonable default config

    If you install a server inside an enterprise it's likely that port 22 is going to be firewalled anyway. So for the sake of convenience I don't think it's unreasonable to enable it even though the root should not be. Most installers ask for user id for the administrator anyway and users are encourages to sudo from that.

  9. My Alter Ego
    Thumb Down

    SSH on port 22

    Always do it, but then I also run fail2ban which will block an IP for a day after 3 attempts. It can be quite amusing seeing some of the usernames bots attempt. I'm now a big fan of PKI too. Initially I used Webmin, but then after a while I got fed up with it not being flexible enough and learnt how to edit the configuration by hand - I haven't gone back.

    Fail2ban is a great tool, and I use it to check against auth, mail, sql & http logs. The only issue is that one guy has a habit of locking himself out (from home) when he flattens his iPhone and gets his email credentials wrong.

    I suppose I'm not really into the whole security by obscurity thing, though I might set up an SSH honeytrap on a non standard port and see how many hits it get.

    1. Chemist

      Re: SSH on port 22

      "I might set up an SSH honeytrap on a non standard port and see how many hits it get."

      I have SSH on a very non-standard port and with only one very unusual username allowed and never see any attempts on that port - on the other hand I see many on 22

      1. PyLETS
        Linux

        Re: SSH on port 22

        I always run SSH on port 22, as I manage and share work on too many systems to remember obscure port numbers. I disable root logins on SSH, run Denyhosts (equivalent of fail2ban) before I expose a system to the net by forwarding the port and enforce strong enough passwords so that 5 attempts won't make any dent on the number of guesses likely to be needed. The attacker has to guess login account names as well, and the logs show this doesn't happen successfully very often, though 15 addresses or so get blacklisted every day for trying on the typical SSH server I operate.

  10. Medium Dave
    Trollface

    "There are tools to help you"

    The last junior tech I got lumped with was a tool, but was no help at all...

    1. Havin_it
      Thumb Down

      Re: "There are tools to help you"

      Inb4 someone gives you a thumb-up for repeating the same joke as the article subheader... >:)

      1. Medium Dave
        FAIL

        Bugger. I missed that.

        A tool am I...

  11. Just a geek

    I like webmin

    It's handy for the initial config of a linux box and for getting an overview. For the low level stuff then I agree that cli is better.

    I also tend to turn off the linux firewall though because these are internal boxes so don't need a firewall. Oddly enough, the only linux box with the firewall on is the one in the testlab as thats mimicing a live environment that uses hardware firewalls.

  12. Jacqui

    webmin is OK

    or configuring DNS zones - it takes some of the grunt work out of generating IDs etc.

    But for systems such as postfix or apache configs its a real PITA.

    For me its far far easier to configure down from defaults and apply simple to understand configs.

    Its also OK for configuring a basic shorewall but I like to add rules by hand as its more flexible.

    and you get to add comments :-)

    Jacqui

    1. Wensleydale Cheese Silver badge
      Thumb Up

      Re: webmin is OK

      @Jacqui

      "and you get to add comments :-)"

      That gets a big thumbs up from me.

      This is what is missing from many GUI tools. Editing raw text files may be slower than point and click, but you can put a full change history in there.

  13. itzman

    One of te best things about linux

    Is that you cant just install it and click on a few buttons without understanding anything about it.

    Well you can on a user desktop, to be sure, but not as a server.

    That forces sysadmins to be sufficiently competent to not make at least the more basic of mistakes.

    Dumbing down critical tasks is not necessarily a Good Thing.

  14. Gordan

    SSH and Mitigating Brute Force Dictionary Attacks

    There are reasonbly elegant ways to mitigate SSH brute force attacks that are available out of the box.

    For example, if your machine has IP address 10.0.0.1, you could apply iptables rules along the following lines:

    iptables -t filter -A INPUT -d 10.0.0.1/32 -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name filter_10.0.0.1_22 --rsource

    iptables -t filter -A INPUT -d 10.0.0.1/32 -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 --rttl --name filter_10.0.0.1_22 --rsource -j DROP

    iptables -t filter -A INPUT -d 10.0.0.1/32 -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT

    This will effectively limit the number of ssh connection attempts for a particular IP to 1/minute which will make brute force dictionary password attacks unfeasible (unless somebody is running a large botnet from which they are brute forcing the attack).

    If you are particularly bloody minded and have the TARPIT iptables target patched into your kernel, you could replace "-j DROP" above with "-j TARPIT" for good measure, which will also tie up the attacker's connections on IP stack level while making the attacking process get stuck waiting for a response.

    Of course, this doesn't mean it's OK to run with direct root ssh access enabled. :)

    You could apply something similar on a leyer further up the networking stack, for example to mitigate brute force attacks on your blog account login:

    -A INPUT -d 10.0.0.1/32 -i eth0 -p tcp -m tcp --dport 80 -m string --string "/wp-login.php" --algo bm --to 64 -m recent --set --name filter_10.0.0.1_80 --rsource

    -A INPUT -d 10.0.0.1/32 -i eth0 -p tcp -m tcp --dport 80 -m string --string "/wp-login.php" --algo bm --to 64 -m recent --update --seconds 120 --hitcount 3 --rttl --name filter_10.0.0.1_80 --rsource -j DROP

    Again, you can replace "-j DROP" with "-j TARPIT" if you have TARPIT patched in.

    You can also drop access attempts to known attack targets (which you hopefully don't have publically reachable on your servers):

    -A INPUT -d 10.0.0.1/32 -i eth0 -p tcp -m tcp --dport 80 -m string --string "phpmyadmin" --algo bm --to 1024 -j DROP

    Or drop access attempts from unmasqueraded penetration testing tools (you'd be amazed how many script kiddies don't bother changing the agent string):

    -A INPUT -d 10.0.0.1/32 -i eth0 -p tcp -m tcp --dport 80 -m string --string "ZmEu" --algo bm --to 1024 -j DROP

    And in those last two cases, again, you can replace "-j DROP" with "-j TARPIT".

    All pretty basic stuff and all the tools required ship in the base distro. It's not the tool you have, it's what you do with it that counts. ;)

  15. RICHTO Silver badge
    Mushroom

    Linux - Exceptionally Secure??!! LOL

    Linux in fact has the worst security of any commonly used OS, and is years behind Microsoft for instance.

    The average distribution has ten times as many vulnerabilites than a Microsoft OS and twice as many as OS-X. See Secunia.org http://secunia.com/advisories/product/12192/

    Linux having far higher vulnerability counts also holds true with a 'package adjusted' Linux that only provides the equivalent functionality of a Microsoft Server OS.

    For an example of the impact of this in a market sector where Linux is actually used (so not desktops) - see http://www.zone-h.org/news/id/4737

    You are many times more vulnerable running Linux, even allowing for market share.

    1. Chemist

      Re: Linux - Exceptionally Secure??!! LOL

      We've heard you dribble on before about this - most adults KNOW that you are wrong.

      Otherwise there is an icon for Troll

    2. John G Imrie Silver badge
      Trollface

      Re: Linux - Exceptionally Secure??!! LOL

      If you are going to spout crap, at least spout crap that can't be immediately disproved by going to the link you provided.

      http://secunia.com/advisories/graph/?type=sol&period=2012&prod=12192

      12 advisories this year, all patched.

      1. RICHTO Silver badge
        Mushroom

        Re: Linux - Exceptionally Secure??!! LOL

        3557 Vulnerabilities in total for SUSE10. QED.

        For reference, even Windows XP only has about 450 and Windows 7 about 200. OS-X has about 1600

        1. eulampios

          @your rubbish

          Richto, amigo. Not even checking your numbers...

          1) vulnerabilities can be severe and not that severe

          2) it is important to note, how fast those severe ones are fixed, and Microsoft is not a good example here

          3) Windows XP/VIsta/7 has probably 1% of software apps any Linux/BSD distro can offer

          4) XP and VIsta and still 7 need no vulnerabilities to become a good target due to the poor design and some idiotic decisions

          1. RICHTO Silver badge
            Mushroom

            Re: @your rubbish

            1.) Current Windows OSs have fewer and less severe vulnerabilities than Enterprise Linux distributions, and this has been the case every year since 2003

            2.) That on average are fixed faster with fewer days at risk compared to Linux.

            3.) The above still holds with a 'feature set' adjusted Linux distrubition to match the content of Windows

            4.) 7 onwards is inherently more secure in pretty much every way than Linux. Older OSs it varies, but i did say current versions. things like secure boot chain, ASLR, NoExecute came first in Windows. Linux had to implement bolts ons like SEL to even come close to what is out of the box in Windows.

            See http://blogs.technet.com/b/security/archive/2012/03/20/trustworthy-computing-learning-about-threats-over-10-years-part-5.aspx

            http://blogs.technet.com/b/security/archive/2008/10/27/download-h1-2008-desktop-vuln-report.aspx

            http://blogs.technet.com/b/security/archive/2008/05/15/q1-2008-client-os-vulnerability-scorecard.aspx

    3. JEDIDIAH
      Linux

      Re: Linux - Exceptionally Secure??!! LOL

      > The average distribution has ten times as many vulnerabilites than a Microsoft OS and twice as many as OS-X.

      You can kid yourself all you like. That won't alter the fact that 99.9% of the malware that exists is for WinDOS.

      You are trying to confuse the issue by conflating every single little bug that never hurt anyone with Windows worms that have managed to effectively disable the entire Internet. Of course they're not the same thing.

      So you're not kidding anyone.

      1. eulampios

        @ Trevor Pott 's reasoning

        We should downvote our current and respected author Trevor Pott, since he insinuated:

        CentOS doesn't have any default activated anti-malware... Linux systems....play host to some pretty nasty pieces of software. My preferred front line defences are the ever popular ClamAV and LMD.

        Indeed, the anti-malware tools are Windows oriented indeed. When using those, you want to protect your Windows clients (more frequently with mail servers, not web servers). The whole idea of the at times very resource demanding database of the known bad things plus some questionable empirical methods with both high false positive and false negative outcomes do not very well agree with KISS and what the entire *nix administration stands on. Other more reasonable and open tools like SELinux/AppArmor should be used instead ( a properly set up system is taken for granted).

        A Windows admin decided to write about Linux. It is pretty laudable, however should be taken with the appropriate grain of salt.

        1. Trevor_Pott Gold badge

          Re: @ Trevor Pott 's reasoning

          Linux systems never get compromised? That's a larf. They most certainly do; almost always through some badly coded PHP something or other. (To be fair, they also tend to compromise windows systems.)

          Yes, you generally need anti-malware on Linux systems. If for no other reason than to ensure that your web applications haven't been hijacked by someone looking to poison the rest of the net. Or do you have even the remotest shred of evidence to say that every single compromised website is IIS based? How do you dismiss a decade's worth of evidence that shows several thousands new LAMP systems compromised every month?

          I’m legitimately curious.

          1. eulampios

            Re: @ Trevor Pott 's reasoning

            Trevor, in any case, now tell me how much any of these AV tools apply to any of those compromises? Do they look for some "common" *nix malware known to cause any of the said compromises? If you think they might, you're very wrong. If one gets a "malware" because he/she downloaded&installed some crap from an insecure source having logged in as root... the best remedy is the GB tools (good beating)

            As far as the compromises are concerned they are of mainly two (+ one) types:

            -I) unknown 0-day (at the time) vulnerability in the software -- happens pretty rarely, call it "many pairs of eyes over very few" advantage. AppArmor and SELinux (and good policies) are your best friends to mitigate the risks therein.

            -II) poor security policies, like root ssh login, poor passwords, or password ssh logins, systematic disgust of security updates, too many unneeded features, modules and apps running -- to mention just a few

            -gamma) with php taken too much ad liberty (without the suhosin patch) by non-experienced admins all of the above should be cited as a separate one.

            Although, Windows might involve similar risks, the anti malware would be helpful for none of those with Linux/BSD administration. Suggesting AV to fight those is very unprofessional indeed. Nevertheless, in the Windows parallel world where the fundamental constants are proclaimed to differ very much, it is a part of a pretty well paid profession.

            1. Trevor_Pott Gold badge

              Re: @ Trevor Pott 's reasoning

              @eulampios: ClamAV is actually quite terrible at finding website compromises. It does find some however, and is better than nothing. LMD does a far better job, but isn't included in the primary repositories.

              The issues of the type I am discussing are neither "you must be logged on as root and download some Trojan by using Linux as a desktop" issues nor are they 0-days. In nearly every case, malware on Linux occurs because someone forgot to - or couldn't, because of chained dependencies - patch.

              In most cases it is a flaw in some PHP application that an admin has installed on their Apache setup. A privilege escalation bug or some other issue allows someone access to the webserver. They then alter the extant CMS/Application/whatever to include links to malware, typically as part of a drive-by-download attack targeting Windows (though increasingly Mac) users.

              In general, this sort of malware does not compromise the Linux system itself. IMHO, anti-malware trying to defend the Linux operating system itself is completely pointless. Every available anti-malware package for Linux is so woefully inadequate that if and when your Linux system is compromised you nuke the whole thing are start over. (It’s quicker than defanging the thing.)

              No, anti-malware on Linux is almost exclusively for cleaning e-mail and cleaning compromised websites. Generally compromised websites targeting windows systems.

              I wouldn’t prescribe anti-malware for Linux for the same reasons as I would Windows. Frankly, Windows anti-malware is far more robust. It has to be; Windows has so many deep flaws (and is such an attractive target due to market share size) that there are many vectors to infect the OS itself.

              Linux has a smaller attack surface in getting at the OS + core packages proper. That said, when it is infected, it’s pretty much a total loss. When a Windows system is compromised, even a half-assed Windows admin can clean the thing in ~80% of cases with less than an hour’s applied effort. (Assuming you ignore “the progress bar is going” in the effort calculations; most admins go do something else while waiting for progress bars.)

              When a Linux system is compromised, this isn’t really the case. In these instances the malware is generally (by necessity) significantly more complex than your typical Windows software, written by people who know far more about the OS than the sysadmin trying to defend the thing.

              Comb through the logs for long enough, test permissions and run fuzzers on enough things and you might figure out what was compromised, how, how many friends it downloaded, what they affected, etc. Then you can kill it pretty easily. In that timeframe however you could just have backed up your core configs/data, reinstalled and been on your merry way. (This isn’t remotely as easy on Windows; even with folder redirection, AD, etc, backing up configs can be a PITA.)

              So, to re-cap: anti-malware is generally necessary on Linux for the two most common roles that Linux sees. Namely, e-mail (either as a pre-filter or actual server,) or web hosting. The actual usefulness of anti-malware is different than it would be on Windows, but it is still recommended nonetheless.

      2. RICHTO Silver badge
        Mushroom

        Re: Linux - Exceptionally Secure??!! LOL

        That there is Malware for Windows desktops is because people actually use Windows versus the ~1% Linux share in that space.

        Where Liinux is used as a high market share - like webservers - it is hacked to shreds.

        The facts stand in terms of security as measured by vulnerabilities, Linux sucks. All other things being equal it is much easier to hack Linux.

        1. Chemist

          Re: Linux - Exceptionally Secure??!! LOL

          "things being equal it is much easier to hack Linux."

          Off you go then - see how far you get !

        2. Trevor_Pott Gold badge
          FAIL

          "All other things being equal it is much easier to hack Linux."

          What

          The

          Fuck?

          If you honestly believe this - honestly and truly - please go back to the article proper and select "email the author." I will post for you a CentOS 6.2 Virtual Machine DEFAULT INSTALL hosted on an external IP address. I will use *NONE* of the security measures mentionned in this article. I will even turn the firwall off.

          You can hack away to your heart's content. I will monitor all of the packets in and out (naturally) to see exactly how you "hack" my off-the-shelf, completely unsecured virtual machine. I will bet you a barrel of ale you cannot do it.

          On the other hand, I could post a Windows 7 system (fully patched) default install to an external address and with the firewall turned off I don't even need you to hack it. Within a week an IP address from China will have done it for you.

          Hell, there are a few hundred IRC servers where you can buy zero-day software to do exactly that for $100 USD.

          "Easier to hack Linux" my ASCII.

          1. RICHTO Silver badge
            Mushroom

            Re: "All other things being equal it is much easier to hack Linux."

            Good luck hacking a current Windows server. Statistics prove you are many times more likely to be hacking running Linux as an internet facing server: http://www.zone-h.org/news/id/4737

            1. Trevor_Pott Gold badge

              Re: "All other things being equal it is much easier to hack Linux."

              A) I have hacked the current Windows Servers. 2008R2 (fully patched) as well as 2012. (They fixed the bug.) Sometimes you just dtumble across zero-days...

              B) Considering Linux systems are oftem left unpatched as "fire and forget" systems, sure, I'll buy that more people manage to bust into a webapp on a Linux system than compromise Windows. Busting out of that web app to compromise the Linux system? I doubt that.

              It also still isn't comparing like for like. Compare a modern Windows to a modern Entriprise Linux. Out of the box, fully patched...firewall off. That is not a contest Windows wins.

      3. RICHTO Silver badge
        Mushroom

        Re: Linux - Exceptionally Secure??!! LOL

        I think you have forgotten that the worst Internet worm ever was on UNIX systems and took out the whole internet at the time for a couple of days....

        1. Anonymous Coward
          Anonymous Coward

          Re: Linux - Exceptionally Secure??!! LOL

          ! worst Internet worm ever was on UNIX systems "

          You do realize that was in 1988 - you were probably in nappies then !

    4. Fatman Silver badge

      Re: Linux - Exceptionally Secure??!! LOL

      Is that you Loverock Davidson???

      I guess you are too ashamed to use your ZDNet "handle" here?

      1. eulampios

        even worse

        It could be Ed Bott himself!!!

  16. RonWheeler

    Who is this article aimed at?

    The target audience seems to be homebrew amateur running linux server in the bedroom just to tinker.

    1. Trevor_Pott Gold badge

      Re: Who is this article aimed at?

      Article is aimed at Windows admins who are cautiously branching out by deploying a few Linux systems.

      1. Anonymous Coward
        Anonymous Coward

        Re: Who is this article aimed at?

        When I went out to learn Linux around 2000, I was struck my the lack of "here's what you do in Windows, here's how you do it in Linux" type of help. I even spoke to Red Hat to see if they had a Linux course which was targeted at advanced Windows users wanting to convert, I got a hostile answer. The "Linux web community" gave hostile answers.

        It's rather depressing to see that things haven't really changed in the last twelve years and anyone who tries to help Windows guys learn Linux is slagged off by the Linux community, it's almost as if they still really want to keep it a private club, despite their protestations.

        1. Anonymous Coward
          Anonymous Coward

          When I set out and learned Unix[tm] back when, I freed myself from windows.

          Attitude is in fact one reason why I left "linux" and its gn00munity behind. I'm not interested in taking over the world nor in taking over the guys bent on taking over the world. I'd like to get some work done and I like to be left alone, too. Yes, I still use "unix" a lot, but I tend to the *BSD family. Much better documentation, for one.

          Yet it might be instructive to look at it from the other side. What would your attitude be if you had to deal with a constant influx of people who demand (yes, demand) things to Work Just Like They Were Used To On Windows, even if that obviously makes no sense whatsoever?

          So it's not entirely strange that the already cranky bunch (high octane code hackers tend to poor social skills and are prone to tunnel vision) isn't overly welcoming. Goes for linux' own too (qv Con Kolivas), for that matter.

          Best to drop the "but I already know computers" idea entirely since what you know is such a bunch of things ripped-off from elsewhere, badly, that it leaves you with a worldview so jumbled it needs knocking on the head before you can really continue. Much like you'd experience in a GUI sense going to mac (even if you never touch the underlying darwin), but in a much more text oriented direction, so to speak.

          This, by the by, is what brings Trevor the flak too: He's a windows admin and probably knows things I will never know (nor want to know, TYVM), presumably good enough to manage a bunch of sites, but is completely oblivious to how things are best done on Unix[tm] and its family and friends, yet he doesn't discern between administrating the two, justifying himself by pointing to a web interface. "Look, GUI! Pretty buttons to click! All the same, see?" That's a sure-fire way to rile up the natives. If that's what he wants, well, he's spot on there.

          1. Trevor_Pott Gold badge
            Linux

            Re: When I set out and learned Unix[tm] back when, I freed myself from windows.

            @AC

            I get the difference between GUI and CLI. I just don't make the value judgement that one is "better" than the other. I don't see the point in writing long treatises on CLI apps or CLI systems administration largely because of the community attitude issues.

            I spend months at a time neck deep in the command line, getting work done. Then I’ll spend months working on GUI-based systems. I don’t see the difference, really. The CLI is more powerful and far more flexible, but a GUI is easier and obfuscates a lot of the scut work that – frankly – I couldn’t give a rat’s ass about micromanaging.

            So when I write things for a sysadmin blog I have some choices about who I target. Unix/BSD admins are few and far between. Even given that this is a tech site of some repute, they will still only make up a tiny fraction of the readership. I could write things aimed at them…but would they – or anyone else – care?

            My experience with most Unix/BSD admins falls into a one of a small number of categories. They discount what I have to say because (one or more of the following):

            1) I’m too young

            2) I didn’t go to the right school and/or get the right degree

            3) I choose to also work with Linux and Windows

            4) I use a version of Unix they don’t approve of

            5) They are crotchety old coots who just don’t listen to anyone.

            So I could target this small niche of my potential audience who won’t listen to anything I have to say no matter what…or I can target someone else.

            So what about Linux admins? Why not target them? Every now and again I make the attempt. Truth be told though, it’s a pain in the ass.

            In truth, the majority of Linux admins I meet are actually good people with good critical thinking skills and the ability to function in society. They are rational and able to socialise in an acceptable manner.

            Unfortunately, the Linux community attracts a highly disproportionate quantity of irrational individuals, tunnel-vision OCD folks and paranoids. They ruin it for everyone.

            Take the absolute hatred that some have for GUI administration tools. There is no rational reason for the vitriol that these people spew against this class of tool. I have never encountered rabid ad hominem attacks against a gardener for using an automated sprinkler instead of watering every inch of the lawn by hand; yet within the Linux community it is everyday practice to attack people for using a GUI, the “wrong” distro, a given package rather than another…even tabbing conventions regarding comments in a config file!

            I would want to deal with these people on a regular basis why, exactly?

            So yeah, I’ll talk about GUIs. I’ll talk about Windows. I’ll discuss interfaces and applications instead of my favourite new way to combine grep with a neat new regex I discovered. I do that because I get more out of the community feedback writing about the GUI-enabled world than I do the CLI-only world.

            Windows, Apple and mixed GUI/CLI Linux admins seem pretty open to careful, considered debate of a problem. They will come up with helpful – even novel – solutions to problems. I learn as much from commenters in these threads as I do from documentation.

            A Linux article or forum thread is just bickering. Endless, circular, heated, hostile bickering. It's fun once in a while...but really, I'm starting to get too old for it.

            That said, I will say what I have said many times before: I am entirely open to requests and suggestions regarding what I write about. If someone has a particular topic in mind that they would like me to address, I would be entirely willing to do so if I felt it were within my capabilities.

            To date, I’ve had several requests for looks at virtualisation, Windows apps, Apple administration and so forth. No formal requests for Linuxy anything. Just a lot of complaining that I’m “biased,” “a Windows loving Microsoft shill,” and even some conspiracy theories about how I’m part of “the machine” designed to keep Linux in the shadows.

            Some people…

            1. Anonymous Coward
              Anonymous Coward

              That argument doesn't stack up

              I think you're making a pretty clear value judgement there, right next to that sentence claiming you don't.

              Personally I don't have a problem talking to "old guy" sysadmins. Then again I'm told I "sound old" already, so it may be me. OTOH, as the joke goes, "Sure unix is user friendly, it's just picky about who its friends are", and sure enough there's a learning curve and if you want to be taken seriously you need to show basic clue or at least capacity for absorbing same. No, m4d linex sk1llz are no entrance ticket no matter how many stuffed penguins you have. Though no-one I know actually cares about formal degrees; having a chat about what-if scenarios and past exploits, for example, is a much stronger indication of capabilities.

              So I'd posit that it could well be you. Not so much because you "do" windows and linux both, but more because of a combined bouquet of MCSE, RHCE and A+ networking, the stench of obstructive cluelessness. If that's not you, well, switch deo brands or something.

              Then again you might just be talking to the wrong people. Just like the windows community has its clueless, so does the wider unix community; linux fanbois don't have a monopoly on fanboiism. In fact, windows gets to keep its fanbois along with a large but shallow pool of "mere users", middle managers, and the like, where linux in particular has long been a welcoming home for windows-disaffected. That doesn't combine well, so no point complaining about the occasional clashes.

              I indeed left windows behind for linux, then left linux behind for something even better, IMO. Partly because of the communities, partly because the software (and documentation) was and is genuinely better. Doesn't stop me from calling you out on writing articles written on shaky or broken premises.

              And yes, I'm guilty of accusing you of liking your vendor too much, in the context of fawning over powershell like it was the bestest thing evar, right when said vendor is trumping it up as a really cool feature added to the system a score or so years down the road when a wide choice of similar and at least as good, and much better known alternatives have been available for, oh, half a century or longer. Not to mention 4DOS.

              The reasons why pushing GUIs for administration get so much vitriol shouldn't be hard to see once you understand the GUI's inherent limitations, and how they relate to administration. To properly explore it takes a bit more than this paragraph, but it's the equivalent of epoxying the bonnet shut, claiming this will "ease understanding" or some similar malarky. Yet this sort of thing has been pushed wholesale on everyone regardless of whether it'd fit the workflow of the victim for quite a while. Guess who based their entire marketeering strategy on exactly this, to further their well-known goal of proprietarising the world? You're poking in a lot of history here; some people are perhaps a bit too sensitive about it but barging in like you do you're bound to meet some resistance. Even more likely so when that whole contraption is on the backswing.

              Then there's the claiming you write for "linux admins" (cf the title) and now trying your hardest of disowning same claim, twice now under the same article. Bit of a poor show there, Trevor. And yes, it's the little things like that, that sneak up on you and do you in. No points for blaming the ants for disagreeing with your poking their nest.

              1. Trevor_Pott Gold badge
                Pint

                Re: That argument doesn't stack up

                Okay, even before I sit down to really nitpick this...can I get a dime bag of whatever you're smoking? I cannot connect any of your statements to reality.

                “Combined bouquet of MCSE, RHCE and A+ Networking?” Um…what? I have two MCP exams? I think? They were necessary to get a discount on Microsoft Action Pack licensing.

                At what point have I ever "fawned over powershell?" I loathe powershell. I think it's fantastic that powershell is something Microsoft is investing real resources in...but how - unless you are engaging in some serious mental gymnastics - does that translate into "fawning over ?"

                “Liking my vendor too much?” Who is “my vendor?” I like to believe I am an equal opportunity offender, thank you very much. I criticise and employ cynicism in the general direction of everyone. Except possibly Intel; Intel haven’t actually done anything I consider overly stupid, malicious or anti-consumer in at least three or four years.

                Regarding “claiming to write for Linux admins,” I don’t write the titles. The sub-ed does. That aside; a Windows admin who is dipping their toes into Linux is now a Linux admin, albeit a junior one.

                Regarding GUIs, well…I wrote an article on that. Just for you.

                TL;DR on that future article: I think people who limit themselves to “CLI OR GUI” without the mental capability to conceptualise “CLI AND GUI” are placing themselves at a complete disadvantage. But hey, if you want to cut off your happy bits because your religion told you so, far be it for me to tell you otherwise.

                But if you want to spend yoru days spraying your religion around to the detriment of others, don't get all shocked and shaken if I think you're a complete twatdangle.

                Cheers!

              2. Trevor_Pott Gold badge

                Re: That argument doesn't stack up

                Special bonus question: where exactly am I making a "value judgement" in my post?

                I do not consider the GUI “better” than the CLI. I do not consider the CLI “better” than the GUI. That means I am not making a value judgement about either of these tools; I believe they have their own separate and distinct uses.

                Where exactly am I making a value judgement there?

  17. Anonymous Coward
    Anonymous Coward

    Ramblings of a mid-career Linux admin

    OK, not even going to go through all the replies, but the authors methods ring bells of many a middle level Linux admin, not a seasoned one.

    Was not impressed by some of his suggestions, webmin, I mean please. So some muppet can edit a BIND zone? LOL.

    Most admins spend their time in vi/vim configuring nice raw configuration files. If an admin can't configure a service without the aid of web interface due to not knowing the underlying configuration files and parameters, then he should be on the Windows admin team LOL.

    Also on a note about distros, CentOS ... nah thanks, prefer to go Scientific Linux if you're not stumping up the cost of a RHEL licence

    1. Anonymous Coward
      Anonymous Coward

      Re: Ramblings of a mid-career Linux admin

      Suggests the author of the article doesn't know what he's talking about: Check

      Suggests everything should be done at the command line: Check.

      Suggests that you should go back to Windows, if you don't want to use the command line: Check

      Suggests that the wrong version of Linux has been chosen: Check

      Obvious troll is obvious troll: check.

  18. dz-015

    Firstly, great to see some attempt to make a sysadmin article which isn't about Microsoft products.

    However... as an experienced Linux/Unix sysadmin, I would say that, in practical terms, there really is no "easy" way for Windows admins to just have a go at Linux administration.

    Windows administrations fundamentally consists of pointing and clicking on the right boxes and trusting that Microsoft, or one of their development partners, has made sure that nothing's going to go wrong for you.

    Linux administration, on the other hand, requires much deeper sysadmin skills. You need to understand for yourself what you are doing and take responsibility for it. You don't get easy tick-boxes with pop-ups and links to a paid support if you don't understand something. You do, on the other hand, get a huge pile of wonderful tools for all sorts of jobs which can be linked together creatively and usefully if you know what you are doing. You also get manpages which tend to be written by the actual software engineers so you actually know exactly what you can do with the tools available instead of having to read through some Microsoft-style waffle written by somebody on first line support.

    Linux administration is about understanding how to see for yourself EXACTLY what a machine is doing and having complete and total control over it so that you can build and configure it PRECISELY how you want it. Webmin is a very poor substitute for proper CLI administration and using it is wasted time which could have been spent learning how to actually administer the system properly. If I saw someone in a sysadmin team deploying a server configured using webmin then I would raise an appropriate alarm immediately. I'm sure it's fine for someone playing around in a test environment, or for a hobbyist messing about with his own Linux box, but it simply isn't appropriate for professional system administrators to be using such things in place of doing the job properly. Building a server yourself and knowing precisely what it is doing at all times is the only way to make it secure AND to ensure that it is going to be tuned for the kind of performance you want out of it.

    And this raises the issue of all the waffle on here about securing systems. People seem to have all sorts of elaborate schemes involving honeytraps, auto-ban systems, blacklists, dynamic firewalls rules. All of these things have their place but they're all largely missing proper underlying sysadmin approaches to things, i.e. to strike up a good balance between security and other things you need to achieve such as performance, functionality for users, etc. Only when you know how to build and run a system properly, from scratch, tuned and trimmed to perfection using all the elegant and powerful tools which Linux has to offer, are you going to achieve this. Just setting up systems then hoping that fail2ban is going to make you safe is not the correct way to approach security, just as using webmin is not the correct way to configure a server for deployment in a production environment.

    If Windows admins are incapable of making the jump to full-blown Linux system administration and accepting the steep but fulfilling learning curve involved with such a transition then they should stick to their easy, safe, blame-passing Microsoft world. But for those who want to take responsibility for administering systems fully and properly, getting stuck in there with the CLI and learning what Linux can REALLY do is the way to go.

    P.S. for all those people saying that moving SSH off the default port does not make a system more secure: understand that system security is not a black/white on/off scenario. No system will ever be 100 percent secure. It's all about balance and compromise and risk management. If it's convenient for you to move SSH to a different port, and if doing so will reduce SSH probes on your server from one every five minutes to one a month, then it's clearly a no-brainer to do this AS PART OF a proper, overall, holistic security strategy.

    1. RICHTO Silver badge
      Mushroom

      Not true. Pretty much all current Windows admin GUI tools run Powershell behind the scenes, and you can do exactly the same from the command line if you choose. Windows is just more powerful, flexible and has a lower TCO and reduced learning curve in offering you both options.

      1. dz-015

        Powershell is just a glorified cmd.exe, and Windows is still a GUI-based OS. It's great that Windows enables you to use a half-decent CLI for certain things nowadays should you wish to do so, but that's a world away from the total paradigm shift that I'm talking about.

        On my Linux servers I choose not to install a GUI because it's unnecessary for me and uses up resources that would be better dedicated to the daemons running on the server. When you can customise Windows to be CLI-only then your comment will be valid, but I very much doubt that day will ever come.

        "Windows is just more powerful, flexible and has a lower TCO and reduced learning curve in offering you both options."

        Well that's certainly the funniest sentence I've read all day. LOL.

        1. RICHTO Silver badge
          Mushroom

          Windows has been able to be installed completely without a GUI since 2008. (Windows Server Core)

          Welcome to the 21st Century.....

          1. RICHTO Silver badge
            Mushroom

            (Oh and just to point out that you dont have any idea about this either - Powershell is also much more flexible and powerful than any out of the box Unix Shell scripting like Bash, etc. as it combines similar basic scripting capabilities, but with a much more powerful object orientated approach and enterprise functionality like digitally signing of scripts, etc.)

    2. Vic

      > If I saw someone in a sysadmin team deploying a server configured using webmin

      > then I would raise an appropriate alarm immediately

      You need to be a little careful with that...

      I frequently install webmin on new builds - not because I need it (although it's rather useful as a MySQL browser), but because I might not be there when something goes wrong. Talking someone through a webmin interrface over the phone is very much easier than talking them through a CLI...

      Vic.

      1. Trevor_Pott Gold badge

        Webmin's other big use for a production server is management of the crontab and log rotation. You can easily do both from the cli, but I find the visual representation of information easier to parse large amounts of data "at a glance."

      2. dz-015

        "I frequently install webmin on new builds - not because I need it (although it's rather useful as a MySQL browser)"

        MySQL Workbench or equivalent running across a VPN or SSH tunnel is far better solution for that, for many reasons.

        "I might not be there when something goes wrong"

        That's what remote access is for. There are many handy and convenient ways of doing that nowadays. Installing webmin just for that reason is... odd, to say the least.

        1. Trevor_Pott Gold badge

          @dz-105 I don't see what that's odd. Vic has a good point. Sometimes you are just walking someone through something over the phone. Usually when you are *gasp* not in front of a computer (Maybe you discovered members of your preferred gender and decided to experiment with organic entertainment.)

          If you are on call, you have to provide support; but the ability to provide said support wihtout having to remote in and do it yourself can be sanity-saving.

          1. dz-015

            Well OK, perhaps there are situations where that sort of thing is acceptable, but those aren't situations I come across in my work life. I work in environments where expectations are high, and bolting a rather kludgy GUI onto a production server and letting people loose on it who can't perform relatively basic tasks in Bash would not be acceptable as far as I or my clients are concerned. A far better solution would be to find people who have a reasonable amount of CLI experience or to get them trained to that level where they can do basic support in Bash - surely it's not _that_ hard for someone with a brain!

            Also, if it's a choice between the agony of talking an inexperienced support person through something on the phone, or just logging on and doing it myself, I'd far rather take the second option every time. It would be a lot quicker and lot less painful, leaving you more time to enjoy experimenting with that exciting organic entertainment you have procured.

            1. Trevor_Pott Gold badge

              @dz-105 well, your solution doesn't work for everyone. Most of my customers don't have local IT staff. They're too small. As for me, I don't live in front of a PC. So when I'm out socialising, I do rather enjoy the ability to not have to either leave where I am to get to a PC or try to fix something in bash from a smartphone.

              But hey, if you get a real kick in the knickers from punching bash commands into a touch screen, you go right ahead. Me, I’ll accept the ~25MB of RAM per VM that running Webmin costs me.

              My free time is just worth more to me than the “purity” of eschewing GUIs for…what exactly? I still haven’t gotten a good reason from anyone that wasn’t pure rhetoric.

              “I love Apple because they’re just better than Microsoft” sounds exactly the same to me as “GUIs are evil because command lines are just better.” I’ll keep on using both, not limiting my options, and see where that takes me…

              1. dz-015

                In that sort of specific situation where you're setting things up for customers with no IT staff at all, and leaving them to try and run things when you're not there, you're far better off using Windows IMHO. Chances are the UI will be much more familiar to them, and it's a safe point-and-click environment with simple setup for the relatively basic things they probably need, plus the option of paid support from Microsoft and/or whichever other software vendors are appropriate.

                I wasn't suggesting GUIs should be eschewed for the sake of it. I was attempting to make the point (as various other seasoned Linux/Unix admins on here have also tried to do) that trying to get into Linux administration by using webmin is like trying to become an artist by colouring in a paint-by-numbers picture. You might be lucky enough to end up with a result that looks OK, but you won't have gained any of the deeper, next-level knowledge and understanding that comes from getting stuck in with the CLI from the ground up and working through that learning curve. You may as well just stick with Windows. That's not rhetoric, it's a very valuable and important thing to understand.

                1. Trevor_Pott Gold badge

                  Why would clients have to "run things" at all? Excepting under exceptional circumstances - such as a power outage during a certain type of cron job - everything from Windows to Linux "just works."

                  Why should they use Windows and not Linux? I flat out don't understand the difference here other than your own prejudicial snobbery about keeping Linux "pure." I can – and do – walk users through Webmin on Linux just as easily as Windows. I will use the best tool for the job, not whatever tool makes narrow-vision nerds feel less “polluted.”

                  You make the argument that in order to learn Linux, one needs to learn ALL of Linux, from the ground up. You go from knowing nothing to knowing damned near everything with no stops in between. There should be nothing to help you, nothing to guide you, nothing to ease your transition. You simply study really hard, memorise everything and it is one, or it is zero.

                  I say bullshit. Your entire argument is bullshit. There is no requirement for that. A GUI can – and does – help someone learn the differences between operating systems. It can ease the transition.

                  What’s more, I know your argument is bullshit because I have seen dozens of living, breathing, regular human beings make the transition form Windows to Linux because of GUIs. GUIs helped them learn about things like “the differences in file structure” and “different naming conventions” while still using a relatively familiar environment.

                  GUIs – Webmin, Gnome, Unity or otherwise – have never in my experience prevented someone from learning the command line and continuing on to a more in depth knowledge of Linux and its fundamental differences from Windows. Quite the opposite; they made the transition a hell of a lot less intimidating.

                  In the end, they don’t use only one or the other interface. They use both. GUIs and CLIs. If that makes you – or anyone else – feel put upon because there are people who didn’t learn as you learned, didn’t suffer as you suffered…cope.

                  A hammer is for nails, a screwdriver for screws. Use all the tools in your toolkit; don’t limit yourself, or others.

                  1. dz-015

                    "Your entire argument is bullshit."

                    I did start off by saying it's good that you had a go at a non-Microsoft-focused article for once, and it's raised some interesting discussion; but I have to say that as the author of this article, I think it's rather inappropriate for you to be so graceless and unaccepting of commenters who have different opinions, and more experience, than you do; especially when I don't think the full gist of my point has really been grasped fully... but there we go.

                    1. Trevor_Pott Gold badge

                      I have no problem with folks having different opinions than me. I have lots of problems with people who take those opinions and use them for homenim attacks.

                      I enjoy debating things with commenters. Many commenters can and do hold a fantastic debate. Several have taught me new things. Others have pointed out mistakes, shown me when I was wrong and I am grateful for all of them. I love The Register's commenttards...most of them at least.

                      But I do reserve the right to take up the debate when I disagree. Most especially when I feel that the commenter in question is turning purely professional or philosophical arguments into ad homs against myself or others. (Or when the person who evidences a difference of opinion does so with multiple easily pointed out logical fallacies.)

                      If you are particularly objectionable in your conversation, I will call you on it. If you’re a dong, I’ll call you on that too. If you repeat ad homenims against me, personally – especially if you back them up only with logical fallacies, rhetoric and baseless assertions – I am going to treat you like the complete twatdangle that I believe you to be.

                      Why would I do otherwise? I see absolutely no reason to take crap from you or anyone else.

                      I can and do respect the experience of the commenttards on El Reg. What I don’t do is blithely accept that your experience makes you “superior” simply on your say so. I don’t accept your opinion or life experience as more valid than my own or as more valid than those of the other systems administrators I have the pleasure of working with.

                      If you advocate something different from what I advocate, back it up. With solid evidence (primary research is best) and no obvious logical fallacies. Certainly no appeals to completely unverifiable authority. Above all; don’t cap your debates with snide comments about how I should “stick to Windows articles” or other such tripe.

                      Who – exactly – are you to tell me what to do? Who – exactly – are you that your experience, opinion and philosophical beliefs are automatically superior to mine, or that other guy over there with 30 years under his belt, or these million sysadmins over here?

                      You are a block. The validity of your arguments will flow from the evidence you provide. Nothing more.

                  2. RICHTO Silver badge
                    Mushroom

                    Absolutely agree - and Windows is in the position of having both the best CLI and the best GUI....

                    1. dz-015

                      @RICHTO You're a comedy genius! "Windows is in the position of having both the best CLI and the best GUI"? ROFL. Fantastic stuff. Thanks again for cheering me up after what's been a rather stressful day.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019