# System Security and Stability of FreeBSD?



## Spartrekus (Jun 15, 2018)

Hello,

On the topic of System Security and Stability, what would you say if you would attempt to look at FreeBSD, according to your own respected beliefs, experience, thoughts, ...

Please give your thoughts and possible description of your experience using FreeBSD.

Thank you, and I, we, FreeBSD forum wish you a pleasant day!


----------



## vermaden (Jun 15, 2018)

Depends on the hardware, both Ubuntu MATE and Linux Mint froze after some period of usage (several hours) on Dell XPS 12 first generation, FreeBSD did not freeze.


----------



## Spartrekus (Jun 15, 2018)

vermaden said:


> Depends on the hardware, both Ubuntu MATE and Linux Mint froze after some period of usage (several hours) on Dell XPS 12 first generation, FreeBSD did not freeze.



It depends how it is installed. Without installed packages, Linux is stable.
The more you install on Linux, the more unstable it will be. Law of ... I don't know. Maybe a new law.


----------



## vermaden (Jun 15, 2018)

Spartrekus said:


> It depends how it is installed. Without installed packages, Linux is stable.
> The more you install on Linux, the more unstable it will be. Law of ... I don't know. Maybe a new law.


Even with a 'default' install, Ubuntu MATE and Linux Mint were unstable; it was about kernel drivers, not about the 'packages'.


----------



## rigoletto@ (Jun 15, 2018)

The truth is you can get a Linux installation rather more secure using Grsecurity and PaX, but I think Grsecurity is not freely available anymore. However, the usability becomes more complicated, and even worse if you use SELinux.


----------



## rufwoof (Jun 15, 2018)

Linux is just a kernel, and one that includes blobs - in short insecure. You should be comparing "distros". Compare for instance Ubuntu and FreeBSD and ... well one 'stable' release of Ubuntu bricked some motherboards (users had to reburn the BIOS, or more likely for many, buy a new motherboard). Compare Debian and OpenBSD and OpenBSD randomises memory locations, encrypts swap, has Pledge checking program stay within what they're expected to do/use, runs nightly validation of bin and lib checksums and validation that configuration files look 'sensible' ... along with other security measures (ongoing security audits ...etc.). Their base system also combines kernel and userland (including X, web server, mail server ...etc.), that is audited as a whole. The base system of OBSD is rock solid. Whilst mostly for servers, I run it as a desktop and it's the only 'nix that I've found to consistently run through 12 hour+ video rendering in a reliable manner. It's also pre-configured and secure by default - great for the likes of me that aren't a whiz at setting things up. Updates are a breeze as well. A new stable release every 6 months that takes minutes to install (upgrade to), run M-tier openup between those releases to upgrade the base and installed binaries to the latest security patched versions. Package installation is as easy as well (apt-get and pkg_add). Downside is not as extensive repositories and/or support of hardware (not an issue if you just intentionally buy only hardware that is supported).


----------



## Spartrekus (Jun 15, 2018)

lebarondemerde said:


> The truth is you can get a Linux installation rather more secure using Grsecurity and PaX, but I think Grsecurity is not freely available anymore. However, the usability becomes more complicated, and even worse if you use SELinux.



If you manage to remove all spywares and systemD redhat inside?


----------



## alx82 (Jun 15, 2018)

Spartrekus said:


> Well, FreeBSD ok, but LINUX ok too.
> Conclusion - "Comparing": likely FreeBSD more secured. LINUX is too highly stable.



I honestly failed to see the point of your post. Your contradictory conclusion seems to suggest that FreeBSD is more secure, but less stable than Linux. I hope you agree that stability bugs are severe bugs, exactly like the security ones!

Use whatever works for your use case. You can share here your experiences/problems with FreeBSD, that probably would be more interesting than just yet another FreeBSD vs Linux security/stability post that won't bring anything new.

Just my two cents.


----------



## rigoletto@ (Jun 15, 2018)

Spartrekus said:


> If you manage to remove all spywares and systemD redhat inside?



I wouldn't advise to use SystemD, better go with OpenRC.


----------



## drhowarddrfine (Jun 15, 2018)

Spartrekus Nothing mentioned in your first post has any effect on security or stability of any software except more eyes on the product but that is debatable.

These such questions pop up on reddit and, fortunately, rarely appear here. It's one of the reasons I love FreeBSD. I hope these questions become more rare to the point I never see it again.


----------



## scottro (Jun 15, 2018)

Unfortunately, there is a lot of Linux hatred here. And a lot of Mac/Windows hatred on Linux forums, and it continues on and on.  I always think of a cracked.com meme about corporate use of social media when I see it.  Mebbe it's just me, but I think it makes us (or the Linux forums trashing Windows) look petty, rather than make someone think, Oh, they must be right it's much better.

http://s3.crackedcdn.com/phpimages/pictofact/7/4/1/659741_v2.jpg


----------



## Deleted member 54719 (Jun 15, 2018)

scottro said:


> Unfortunately, there is a lot of Linux hatred here. And a lot of Mac/Windows hatred on Linux forums, and it continues on and on.  I always think of a cracked.com meme about corporate use of social media when I see it.  Mebbe it's just me, but I think it makes us (or the Linux forums trashing Windows) look petty, rather than make someone think, Oh, they must be right it's much better.
> 
> http://s3.crackedcdn.com/phpimages/pictofact/7/4/1/659741_v2.jpg



As I get older and more curmudgeony, there is one saying that I think is most apropos when describing my feeling about modern computing environments.

"It's not what new technology I like the most.  It's what new technology offends me the least."


----------



## ralphbsz (Jun 16, 2018)

Spartrekus said:


> I think that Linux has an advantage over FreeBSD, mostly because it has a Stable release, ...


"A" stable release?  It has several dozen releases: RedHat, CentOS, Fedora, SUSE, Ubuntu, Debian, ...
FreeBSD also has stable releases.  Strangely, they are called "-RELEASE", while "-STABLE" is actually a development branch.

Actually, it is virtually impossible to even define what you mean by "Linux".  There are so many Linux distributions, with varying quality and goals, with varying distribution models (some are commercial but you get excellent support, some are free, and you get community support, or nothing).  So for the sake of this discussion, let's restrict ourselves to the major Linux distributions.

The fact whether a release is called "stable" or not is not an inherent indicator of anything.  In particular not of quality.  I could write an operating system, call it "stable", and it would still crash all the time; that reflects on my skills, not on the name.  I could also call it "elephant", and it wouldn't have a trunk either.



> ... widely available on many mirrors,


That really doesn't matter.  If I'm a RedHat customer (and I have been for many years), I can nearly always get to the RedHat site; it is very rarely down.  Same with other distributions.  Mirrors were a good idea in the early days of the internet, when servers were unreliable, and cross-continental bandwidth or transoceanic bandwidth was sparse.  I presume the major distributions use CDNs (content distribution networks, the same technology that Netflix and Youtube use), or their own mirrors, so you can get to the data efficiently and reliably.

But the same works for FreeBSD.  I don't remember the FreeBSD download sites ever being down when I needed them.



> and the package manager is always up and faultless (really very working around the clock).


Same is true for FreeBSD, as far as I know.  I haven't had any problems with "pkg" that 5 minutes of reading the man page didn't solve.



> Linux is powering many Servers, and it works.


It powers the vast majority of all servers, with Windows far behind in second place, and all other operating systems irrelevant.



> Security is however a lack of Linux, because this is a monster of  things altogether.


Nonsense.  It is perfectly possible to make Linux reasonably secure.  In a previous job I worked with lots of large government labs (the ones that do nuclear simulations or intelligence gathering), and they all run Linux clusters.  Companies like Google, Apple and Amazon use Linux for their internal servers, and you haven't heard about data breaches due to Linux bugs there.

Now, for an individual user who has no clue and doesn't know how to administer a computer ... it might be different.  But I don't care, since I'm not that user.  If Linux is a bad solution for him, maybe he should use something else (like MacOS or OpenBSD).



> I am surprised that the FreeBSD has very often package services, that are down, non working, and many things may be changing radically. You'd better not to update too often completely the Server. Base System of FreeBSD is not as stable, but actually may be unstable time to time.


That has not been my experience.

What do you mean by "stable" here?  Absence of crashes?  Once I stopped using my FreeBSD server as a wireless AP, it has not crashed a single time (but my longest uptime has been about 6 months, due to power outages longer than the UPS can handle).  But a well-managed Linux machine can also run for months without crashing.

Or do you mean stable against major upgrades that disrupt applications?  That's a very complex question.  Linux distributions have different upgrade philosophies; FreeBSD has yet a different one.  Layered software you put on top of the OS distribution is even more diverse.  There is no simple yes-no answer.



> However, more People means more People to fix bugs and keep running.


That is a very hotly debated question.  Does open source, and the fact that many eyes can see the code actually mean that it is of better quality, and has fewer bugs?  The vast majority of people do not look at the code; and many parts of the code (in particular the most difficult ones) are very complex and are understood only by a very small number of people.  It may actually be a better idea to have a small number of well-selected, well-trained, motivated and competent people to write and maintain code.

The same argument can be made for and against blobs.  Rufwoof seems to make the argument above that blobs are inherently insecure.  That is nonsense when taken in the pure form.  They are exactly as secure or insecure as you trust the author of the blob.  And it is not at all clear whether I can trust the author of a blob (be it LSI or Nvidia) more or less than the author of unreadable and complex code (be it a RedHat or IBM employee who contributes to Linux, or a volunteer who contributes to *BSD).



> Well, FreeBSD ok, but LINUX ok too.
> Conclusion - "Comparing": likely FreeBSD more secured. LINUX is too highly stable.


Complete and utter nonsense.  FreeBSD may be OK, and it may not be OK.  The same goes for Linux.  You simply can't "compare" them, other than in details.  Even saying that one is more secure and the other more stable is nonsense; it depends on intended usage.

The real question is: does the OS fulfill the expectations of its users?  Those expectations can be sorted into various categories, such as reliability (absence of crashing, uptime), availability (includes reliability, but also includes downtime for upgrades and maintenance), security (not easy to hack, exploits are quickly fixed, designed to be safe), data reliability (the file systems and device drivers such as RAID are built well, can handle device shenanigans, and don't grenade your file systems), cost (include the cost of support if it is needed), and most importantly features (which is in particular availability of particular software).  Those expectations have to be seen in light of the needs of the user; the single biggest distinction there is desktop/laptop versus server/cluster/cloud, but there are many more fine-grained distinctions.

I am getting VERY tired of the same small number of members of the forum always starting these pointless debates with nonsensical blanket accusations and dumb generalizations.  Dear Spartrekus: Please just shut up.  You are not doing anyone a service by posting inflammatory nonsense, even if you are perhaps trying to learn by reading the answers.


----------



## ShelLuser (Jun 16, 2018)

Not sure I want to touch this, but since I'm in the mood..

When it comes to security then seriously, there is no better operating system. Security isn't gained by installing some product and then considering yourself safe, that's just about the dumbest thing to do. Security is an ongoing _process_ in order to both secure your environment and then keeping your environment safe.

If I put my mind to it then I can set up a Windows 7 environment which is just as safe as a default FreeBSD setup (which is pretty safe because not too many processes got started yet).

The problem though is that most people rely on default settings while considering themselves safe because they installed "$product x", but sorry to burst the bubble: it doesn't work that way. That is... it does work, as in: you get some results. But you'll be hardly as safe as you may think.

_For example..._

Let's set up a firewall on FreeBSD. And because we want to be safe we'll use pf because that's the OpenBSD firewall and as we all know OpenBSD is about the safest OS you can get. Let's get to work: `# vi /etc/pf.conf`. We add some rules, we set up our box, and done. Safe!

_bzzzzt._

See, I'm a local user on that box and you just set up your firewall rules with default permissions (644). Worse yet: you also put them in their default location: the one place every attacker would look first, especially because it's documented all over the place.

So after informing them about this mishap the guys set out to work and they found a much better place (sort of): /usr/local/etc/conf/pf.conf.

Unfortunately for them I was still able to quickly find it, but unfortunately for me they smartened up this time and actually set the right blocking file permissions.

How did I find it?  Simple really, all I had to do was peek in /etc/rc.conf which is fully unprotected by default on most systems (not mine, and after this fun session also not on their server).

Now, this was a bit of a fun session I once had on a colleague's server, but seriously: I still think this is a good example of what true security measures really boil down to: a basic understanding of your environment, customization, and keeping an eye out for details.

Look... why is Windows a relatively easy target when it comes to compromises? Because the OS itself is insecure? Nonsense. The main problem is actually twofold:

1. It's a widely used operating system (which makes it appealing).
2. It's fully standardized: if you find an exploit on one OS you can bet it'll work on all the others too.

And it is that second issue which is so important here, and why customization of your setup is the key to hardening your system.

If I gain "obscure" local access to a box and I learn that it's FreeBSD then generally speaking I can pretty much rely on the fact that the firewall configuration will be located in /etc. I'll probably only have to look out for 3 files. And that's the first step towards disaster.

Cool that you installed fail2ban to warn you for these kinds of intrusions. Shame that most people rely on defaults so when I really start doing some work I'll know up front that I'd better wipe /usr/local/etc/fail2ban/fail2ban.d, maybe try to make it look like an accident of some sort. OR... Maybe I should simply add a rule of my own 

The biggest problem when it comes to security, in my opinion of course, is people relying on products to keep them safe, and to add insult to injury they're also not bothering themselves to customize those products but are happy to use default settings. Settings which got changed for their setup, sure, but which are still located in default locations nonetheless. Ready for the picking.

Why do you think rootkits are a thing?
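
As an added example (not part of ShelLuser's post, and not FreeBSD's own tooling), the permission check the post walks through can be scripted: the sketch below reads `pf_rules` from an rc.conf-style file to locate the ruleset, then reports any audited file that every local user can read or that group/others can write. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: report firewall-related config files
# that local users can read or that group/others can modify.

# True if "others" have the read bit on $1 (symlinks are followed).
world_readable() {
    [ -n "$(find -L "$1" -prune -perm -0004 -print 2>/dev/null)" ]
}

# True if group or others have the write bit on $1.
loosely_writable() {
    [ -n "$(find -L "$1" -prune \( -perm -0020 -o -perm -0002 \) -print 2>/dev/null)" ]
}

# Print the ruleset path set by pf_rules= in rc.conf-style file $1.
# Falls back to /etc/pf.conf, the location the post calls the default.
pf_rules_path() {
    val=$(sed -n 's/^[[:space:]]*pf_rules=//p' "$1" 2>/dev/null |
        tail -n 1 | sed 's/[[:space:]]*#.*$//' | tr -d "\"'")
    printf '%s\n' "${val:-/etc/pf.conf}"
}

# Report on one file; the return status is the number of findings.
audit_file() {
    n=0
    if [ ! -e "$1" ]; then echo "SKIP  $1 (not present)"; return 0; fi
    if world_readable "$1"; then
        echo "WARN  $1 is readable by every local user"; n=$((n + 1))
    fi
    if loosely_writable "$1"; then
        echo "FAIL  $1 is writable by group or others"; n=$((n + 1))
    fi
    [ "$n" -eq 0 ] && echo "OK    $1"
    return "$n"
}

# Usage: audit_firewall_config RC_CONF [EXTRA_PATH...]
# Audits rc.conf, the ruleset it points at, and any extra paths given.
audit_firewall_config() {
    rc=$1; shift; total=0
    for f in "$rc" "$(pf_rules_path "$rc")" "$@"; do
        audit_file "$f" || total=$((total + $?))
    done
    return "$total"
}

# Demo on a constructed sample tree (not a real system): rc.conf is left at
# 644 and points at a relocated ruleset that was locked down to 600.
demo=$(mktemp -d)
printf 'pf_enable="YES"\npf_rules="%s/pf.conf"\n' "$demo" > "$demo/rc.conf"
: > "$demo/pf.conf"
chmod 644 "$demo/rc.conf"; chmod 600 "$demo/pf.conf"
audit_firewall_config "$demo/rc.conf" || echo "findings: $?"
rm -rf "$demo"
```

Extra paths, such as the fail2ban directory named in the post, can be passed as additional arguments after the rc.conf path.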


----------



## Spartrekus (Jun 16, 2018)

drhowarddrfine said:


> Spartrekus Nothing mentioned in your first post has any effect on security or stability of any software except more eyes on the product but that is debatable.
> 
> These such questions pop up on reddit and, fortunately, rarely appear here. It's one of the reasons I love FreeBSD. I hope these questions become more rare to the point I never see it again.



ok, I remove my description, based on my opinion. I wasn't sure that I explained well its content. I have not much time to make better roman. I removed the versus which brings a debate, and we want to avoid comparing.

(1) Of course, stability, reliability, security,... are important topics.

(2) Moreover, "_Comparing_" in all cases will not bring (+) so much, because there are different user opinions. In other words, this is maybe a bit like religions, everyone has their own choice for using a given configuration/system.

Have fun & best wishes.


----------

