# super secure OS



## mia (Jun 6, 2009)

hello friends,

I need a super secure OS for my server. When I open my IP in a browser, my server has to send me the words "hello world" only. I don't need any additional services or open ports. It should be the most secure and bullet-proof.

Is FreeBSD right for me? Thanks.


----------



## rocky (Jun 6, 2009)

FreeBSD is secure, but it's your responsibility to make it as secure as you want. I mean you may destroy your efforts by, for example, some wrong configuration.


----------



## Oko (Jun 6, 2009)

mia said:

> hello friends,
> 
> I need a super secure OS for my server. When I open my IP in a browser, my server has to send me the words "hello world" only. I don't need any additional services or open ports. It should be the most secure and bullet-proof.
> 
> Is FreeBSD right for me? Thanks.



Probably not. There is no operating system in existence, including FreeBSD, which can compensate for user ignorance.


----------



## mia (Jun 6, 2009)

Rocky, thank you for your answer. You are right, I know I could destroy OS safety with a wrong configuration.

But the question is the same: Is FreeBSD secure enough for this purpose (when I disable all unused services and ports)? Or should I use some Linux distro?

To Oko: thank you, but the question was not whether FreeBSD can compensate for a user's ignorance. I know it can't.


----------



## graudeejs (Jun 6, 2009)

Lol, Linux is not as secure as BSD. lol lol

OpenBSD is the most secure system by default...
But it can be configured to be as secure as Windows (lol, not secure at all).


----------



## vivek (Jun 6, 2009)

> I need super secure OS for my server


There is no such thing as a secure OS. This is your first lesson. I suggest you start with this thread (especially read the last part, General security tips):
http://forums.freebsd.org/showthread.php?t=4108

Any OS can be cracked, including OpenBSD / FreeBSD / Windows / OS X and so on. However, continuous server monitoring, patching, running only required software, offsite backups, host & firewall security, IPS, IDS, and minimal default privilege for each service ensure security. You just can't configure server security once and forget it. It needs some sort of automated / manual monitoring system.

As a new FreeBSD user, you should start configuring the server locally inside VMware, VirtualBox or jails. This way you can learn and break stuff without getting into any serious trouble. Once you understand security and FreeBSD, start managing a real box.


Good luck!


----------



## rocky (Jun 6, 2009)

mia said:

> Rocky, thank you for your answer. You are right, I know I could destroy OS safety with a wrong configuration.
> 
> But the question is the same: Is FreeBSD secure enough for this purpose (when I disable all unused services and ports)?



The answer is positive.



> Or should I use some Linux distro?



I switched from Linux, so it's hard for me to answer this question. If you love Ubuntu, you should experience its latest vulnerability (http://www.ubuntu.com/usn/usn-778-1), which relates to `cron` (a must-have service of the system).

BTW, _"disable all unused services and ports"_ doesn't mean you would get the highest security...


----------



## fronclynne (Jun 7, 2009)

Well, a system on a z80 booting from ROM that ran only enough networking to run only enough of a webserver to spit out the words "hello sexy world" could be made pretty secure.  I mean, you can't crack what doesn't exist.


----------



## hitest (Jun 7, 2009)

vivek said:

> There is no such thing as a secure OS. This is your first lesson.
> 
> Any OS can be cracked, including OpenBSD / FreeBSD / Windows / OS X and so on.



Well said, vivek. Thanks for the exceptional posts dealing with FreeBSD security!


----------



## MG (Jun 7, 2009)

vivek said:

> There is no such thing as a secure OS. This is your first lesson. I suggest you start with this thread (especially read the last part, General security tips):
> http://forums.freebsd.org/showthread.php?t=4108
> 
> Any OS can be cracked, including OpenBSD / FreeBSD / Windows / OS X and so on. However, continuous server monitoring, patching, running only required software, offsite backups, host & firewall security, IPS, IDS, and minimal default privilege for each service ensure security. You just can't configure server security once and forget it. It needs some sort of automated / manual monitoring system.
> ...



Why make it so difficult? I've been running FreeBSD server software for years now, just for fun. I never really cared for security. Everything is quite secure by default.
I would say just install Apache, put your "hello world" index.html in its www root directory and start httpd.
Check the httpd-* files in /var/log regularly to see if anything strange happens.
I have seen a lot of dictionary attacks in my log files. Almost daily someone is trying to get in via http/ftp/ssh.
It's important not to use easy usernames and passwords.


```
last message repeated 3 times
May 31 00:08:07 P3 pure-ftpd: (?@211.63.60.6) [WARNING] Authentication failed for user [jennifer]
May 31 00:08:27 P3 pure-ftpd: (?@211.63.60.6) [ERROR] Too many authentication failures
May 31 00:08:35 P3 pure-ftpd: (?@211.63.60.6) [WARNING] Authentication failed for user [jennifer]
May 31 00:09:08 P3 last message repeated 3 times
May 31 00:09:24 P3 pure-ftpd: (?@211.63.60.6) [WARNING] Authentication failed for user [jennifer]
May 31 00:09:43 P3 pure-ftpd: (?@211.63.60.6) [ERROR] Too many authentication failures
May 31 00:09:48 P3 pure-ftpd: (?@211.63.60.6) [WARNING] Authentication failed for user [jennifer]
May 31 00:10:07 P3 last message repeated 2 times
May 31 00:10:23 P3 pure-ftpd: (?@211.63.60.6) [WARNING] Authentication failed for user [karl]
May 31 00:10:39 P3 pure-ftpd: (?@211.63.60.6) [WARNING] Authentication failed for user [karl]
```
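MG's excerpt shows the one thing a log check has to get right: syslog collapses identical consecutive messages into a single "last message repeated N times" line, so a naive count of "Authentication failed" lines understates the attack. The following script is an added example, not code from MG's post or from pure-ftpd or any FreeBSD tool. It counts failed logins per source address and per targeted username and credits each "repeated" line to the failure just before it. The sample lines are constructed in the format of MG's log with documentation-range addresses, and the alert threshold is an arbitrary assumption.

```python
import re
from collections import Counter

# Constructed sample in the format of the pure-ftpd lines posted above.
# Addresses are from documentation ranges; this is not a real log.
SAMPLE_LOG = """\
May 31 00:08:07 P3 pure-ftpd: (?@192.0.2.10) [WARNING] Authentication failed for user [jennifer]
May 31 00:08:27 P3 pure-ftpd: (?@192.0.2.10) [ERROR] Too many authentication failures
May 31 00:08:35 P3 pure-ftpd: (?@192.0.2.10) [WARNING] Authentication failed for user [jennifer]
May 31 00:09:08 P3 last message repeated 3 times
May 31 00:09:24 P3 pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [karl]
May 31 00:09:43 P3 sshd[812]: Accepted publickey for admin from 203.0.113.5 port 50122 ssh2
May 31 00:10:07 P3 last message repeated 2 times
"""

AUTH_FAIL = re.compile(
    r"pure-ftpd: \([^@)]*@(?P<ip>[0-9a-fA-F.:]+)\) \[WARNING\] "
    r"Authentication failed for user \[(?P<user>[^\]]*)\]"
)
REPEATED = re.compile(r"last message repeated (?P<n>\d+) times")


def count_failures(log_text):
    """Count failed logins per source address and per target user.

    A 'last message repeated N times' line refers to the message directly
    before it, so its N repeats are credited to the same source and user.
    A 'repeated' line that follows any other message (for example the
    sshd line in the sample) is ignored, since it repeats that message.
    """
    per_ip, per_user = Counter(), Counter()
    last = None  # (ip, user) if the previous line was an auth failure
    for line in log_text.splitlines():
        m = AUTH_FAIL.search(line)
        if m:
            last = (m["ip"], m["user"])
            per_ip[last[0]] += 1
            per_user[last[1]] += 1
            continue
        r = REPEATED.search(line)
        if r and last is not None:
            n = int(r["n"])
            per_ip[last[0]] += n
            per_user[last[1]] += n
            continue
        last = None  # any other message breaks the repeat chain
    return per_ip, per_user


def flag_sources(per_ip, threshold=5):
    """Source addresses with at least `threshold` failures, busiest first.

    The default threshold is an arbitrary assumption for this example.
    """
    return [ip for ip, n in per_ip.most_common() if n >= threshold]


if __name__ == "__main__":
    ips, users = count_failures(SAMPLE_LOG)
    for ip, n in ips.most_common():
        print("%-16s %d failed logins" % (ip, n))
    print("targeted users:", dict(users))
    print("over threshold:", flag_sources(ips))
```

Run against a real file with `count_failures(open("/var/log/auth.log").read())` or whichever file the daemon logs to on your system; the per-user tally is what tells an ordinary mistyped password apart from a dictionary run against guessable names like the ones in MG's excerpt.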


----------



## mia (Jun 7, 2009)

fronclynne said:

> Well, a system on a z80 booting from ROM that ran only enough networking to run only enough of a webserver to spit out the words "hello sexy world" could be made pretty secure.  I mean, you can't crack what doesn't exist.



Guys, thank you for the very nice answers.

To fronclynne: could you please be more specific about your last post? It sounds good... I would like to start with this easy "system". Thank you.


----------



## vivek (Jun 7, 2009)

MG said:

> Why make it so difficult? I've been running FreeBSD server software for years now, just for fun. I never really cared for security.



Really a bold statement. Next thread from OP: "I was hacked coz I never cared about security." Please do not provide such advice. I assumed that the OP wants to run something serious for business in a dynamic environment.


To OP: Z80 ( http://en.wikipedia.org/wiki/Zilog_Z80 ). I highly doubt that you wanna start with this kind of embedded stuff.


----------



## oliverh (Jun 7, 2009)

killasmurf86 said:

> Lol, Linux is not as secure as BSD. lol lol
> 
> OpenBSD is the most secure system by default...
> But it can be configured to be as secure as Windows (lol, not secure at all).



You can even use Windows and get it as secure as every other operating system. It depends on your experience, and some operating systems have got a better "basement".


----------



## graudeejs (Jun 7, 2009)

oliverh said:

> You can even use Windows and get it as secure as every other operating system. It depends on your experience, and some operating systems have got a better "basement".



Windows philosophy is fail:
*"What is not forbidden, is allowed"*

compared to BSD/UNIX:
*"What is not allowed, is forbidden"*


Pardon me, but I think that many Linux distros follow the Windows philosophy (at some point).


----------



## vivek (Jun 7, 2009)

Actually oliverh is right: if you know how to harden Windows XP or 2003 Server, it can be a secure OS. A couple of large sites (apart from Microsoft's own properties) such as Intel, Dell and many e-commerce sites run on Windows Server. The main problem is the stupid user base here who clicks on any link that promises semi-nude photos / videos and is willing to exchange passwords for chocolates.

However, most UNIX / Linux / BSD users are smart geeks. They know more about computers and operating systems. Many have a college degree in CS / Security / Networking etc.


----------



## mia (Jun 7, 2009)

vivek said:

> Actually oliverh is right: if you know how to harden Windows XP or 2003 Server, it can be a secure OS. A couple of large sites (apart from Microsoft's own properties) such as Intel, Dell and many e-commerce sites run on Windows Server. The main problem is the stupid user base here who clicks on any link that promises semi-nude photos / videos and is willing to exchange passwords for chocolates.
> 
> However, most UNIX / Linux / BSD users are smart geeks. They know more about computers and operating systems. Many have a college degree in CS / Security / Networking etc.



vivek, you are right. But on the other hand, now I need as small and simple an operating system as possible, which can connect to the internet and should be as secure as possible too. I don't need special services and functions - my idea is the same as fronclynne's - as fronclynne said, "you can't crack what doesn't exist".


----------



## rocky (Jun 8, 2009)

As *fronclynne* said, mounting the whole system in read-only mode is a very good idea, but this is *not* as secure as you want. Some smart hackers may use your web service to discover other interesting stuff on your local network.

Security is not _setting up a server and then letting it go_; security is _setting up a server and keeping an eye on it_. I love the way *MG* showed.


----------



## rhyous (Jun 8, 2009)

There are statistics on the number of bugs/vulnerabilities per line of code.

One nice thing about FreeBSD is you can install Base, Kernel and Apache. That is a lot fewer lines of code than many other platforms, so with only the minimal items, hackers have less "surface area" to attack. So statistically it is more secure.

Also, your general hacker targets common operating systems or common web servers. So Windows is attacked often, but so are IIS and Apache. So by using FreeBSD you are not vulnerable to common Windows attacks, but you are subject to Apache attacks. So Apache and the modules it uses are going to be your vulnerability points.

I recommend you use FreeBSD + Apache and lock it down as best you can.

The level of security you need depends on what you are doing. If you are taking credit cards, you better have a security analyst and work to be PCI compliant. 'Cause getting hacked is a huge deal.

If you are just hosting a personal web page or blog, then getting hacked probably isn't a big deal, especially if you back up. You may get your web page changed to point to some other site, or get your server used by hackers, increasing bandwidth, till you figure it out. You catch it and restore.


----------



## SirDice (Jun 8, 2009)

Rule of thumb of security: if you don't need it, don't run it.

Why run apache at all if you're not going to use it?


----------



## mia (Jun 8, 2009)

Probably OpenBSD is an unnecessarily big package for my small device. My idea is that it should have an OS like routers do, for example: in a router there is some simple OS, and it is not necessary to check logs every day (I know it is a good idea to do it, but users usually don't care about logs).
I need something that, when I install it, should be as safe as its weakest part. Or do you think that when I allow communication from only one remote IP it is good enough to prevent hackers from gaining control of this device? When I allow access from only one IP, is that the highest security?
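SirDice's rule (if you don't need it, don't run it) and mia's question about allowing only one remote address, written out as code. This is an added example, not something posted in the thread or part of FreeBSD: a responder that answers exactly one request with "hello world" and refuses everything else by default, including requests from any address other than a single permitted client. The permitted address, the bound port and the body are placeholders chosen for this example.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

# Placeholders for this example: one permitted client (documentation range),
# one response body, one listening port.
ALLOWED_CLIENTS = frozenset({"203.0.113.5"})
BODY = b"hello world\n"
PORT = 8080


def decide(client_ip, method, path):
    """Default-deny decision for a single request: returns (status, body).

    Only a GET or HEAD for '/' from a listed client gets the body; every
    other source address, method or path is refused.  The order matters:
    an unknown client learns nothing about which paths exist.
    """
    if client_ip not in ALLOWED_CLIENTS:
        return 403, b""
    if method not in ("GET", "HEAD"):
        return 405, b""
    if path != "/":
        return 404, b""
    return 200, BODY


class HelloHandler(BaseHTTPRequestHandler):
    # Do not advertise the software and Python version in the Server header.
    server_version = "hello/0"
    sys_version = ""

    def _respond(self):
        status, body = decide(self.client_address[0], self.command, self.path)
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(body)

    # Every method the library dispatches goes through the same decision;
    # methods without a do_* handler are rejected by the library with 501.
    do_GET = do_HEAD = do_POST = do_PUT = do_DELETE = _respond


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", PORT), HelloHandler).serve_forever()
```

On FreeBSD the address restriction belongs first in the packet filter (pf), so that packets from other hosts never reach a listening program at all; the check inside the program is a second layer behind it. Neither replaces patching the software that remains exposed, which is vivek's point earlier in the thread.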


----------



## fronclynne (Jun 9, 2009)

vivek said:

> To OP: Z80 ( http://en.wikipedia.org/wiki/Zilog_Z80 ). I highly doubt that you wanna start with this kind of embedded stuff.


Indeed. The Soekris stuff looks like a good way to start moving small, and it seems to run FreeBSD.

Disabling (or outright removing) unneeded services is very important in today's tubes, though that has little to nothing to do with your hardware.

However:  http://d116.com/spud/


----------

