From: Bruce S. <bw...@re...> - 2012-03-22 16:39:21
> > The server version has extra hardening against attacks, such as grsecurity
> > and a few other things. The non-server does not have these extra
> > hardening, it's more of a "standard" Linux distro.

It was early when I wrote that, and I said it completely backwards. The server version does NOT have extra hardening like grsec. The non-server (firewall) version is hardened with grsec & other things.

> > Basically if you're going to expose Devil-Linux directly to the internet,
> > such as a firewall or a web server or DNS server, you're a little safer
> > running the non-server version. If you're running DL as an internal server
> > behind a firewall (i.e. Samba), not exposed directly to the internet, then
> > the server version might run better for you. That's because
> > grsecurity sometimes mistakes high resource using server processes as some
> > kind of attack and kills them.
>
> But when I checked the non-server version, the kernel also has
> grsecurity patch installed:
>
> #uname -a
> Linux Devil 3.2.11-grsec
>
> Then even the non-server version is also vulnerable to false-positive
> assumption of the grsecurity patch, isn't it?

Try the server version and it shouldn't have grsec installed. Sorry, I misspoke above, and thanks for pointing it out.

> > If you're running server processes on the non-server version that start
> > dying for unknown reasons, switch to the server version and see if that
> > fixes your problems. And it's never a good idea to run internal servers on
> > your internet firewall, hence the two distinct versions of Devil-Linux.
>
> Thanks for the clarification. As for me, I may never prefer to run
> extra services (except those applications needed to make other
> applications behind NAT of the firewall run (like siproxd)).
>
> BTW, how does the failover and loadbalancing get achieved in DL? I did
> see pound, but wouldn't nginx be better instead of pound (I did see
> apache and thttpd under services)?

I've never run failover and loadbalancing, so I can't answer that.

> Another question is: by default the firewall service (I guess
> iptables?) is enabled. Is it necessary to enable both firewall and
> shorewall if I try to use shorewall wrapper scripts?

I've never tried, but you should be able to run any iptables scripts for your firewall. There are a couple sample scripts that get copied over when you select a firewall (depending on 2 or 3 NICs). The boot process runs /etc/init.d/firewall.rules, which you can replace with any script that runs iptables.

> How can I add additional applications and services to the DL box, I
> mean customization? Where can I find documentation for the 1.6 version?

www.devil-linux.org

The last time I looked, the website didn't have 1.6 documentation yet, and the 1.5 docs were broken. But the 1.4 documentation should work; I don't think much has changed.

> How exactly does Devil-Linux excel over something like openwall/zeroshell?

Devil-Linux is a little different, in that it has a full range of server software installed and can be used as either a server or firewall. It is also created to run off read-only media (i.e. CDROM or ISO image) so the base install cannot be modified or hacked. And the main reason I use Devil-Linux is the ease of upgrading it to a newer version, and the ease of backing it up, since only a small tar file containing all of your customizations needs to be backed up (unless you're using a live hard drive for server data).

- BS
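The remark above that the boot process runs /etc/init.d/firewall.rules and that any iptables script can replace it suggests what such a replacement looks like; the script below is an added example, not one of the Devil-Linux sample scripts and not from the poster. It builds a default-deny, stateful rule set with NAT for a two-NIC firewall; the interface names, the LAN subnet and the `start`/`--apply` argument convention are assumptions, and without one of those arguments it only prints the rules for review.

```shell
#!/bin/sh
# Constructed example of a replacement /etc/init.d/firewall.rules for a
# two-NIC Devil-Linux firewall. Interface names and the LAN subnet are
# assumptions; override them in the environment before running.
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Emit the iptables commands as text so the rule set can be read (or diffed
# against the shipped sample) before anything touches the running kernel.
build_rules() {
    wan="$1"; lan="$2"; net="$3"
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -i $lan -s $net -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i $wan -m limit --limit 5/min -j LOG --log-prefix "FW-IN-DROP: "
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $lan -o $wan -s $net -j ACCEPT
iptables -t nat -A POSTROUTING -o $wan -s $net -j MASQUERADE
EOF
}

# Review helper: number of rules that ACCEPT traffic arriving on the WAN
# interface. For an internet-facing box this should stay at zero.
count_wan_accepts() {
    build_rules "$1" "$2" "$3" | grep -c -- "-i $1 .*-j ACCEPT" || true
}

# Apply only when explicitly asked (init-style "start" or "--apply"),
# otherwise print the rule set so it can be reviewed safely.
case "$1" in
    start|--apply) build_rules "$WAN" "$LAN" "$LAN_NET" | sh -e ;;
    *)             build_rules "$WAN" "$LAN" "$LAN_NET" ;;
esac
```

Whether the DL boot hook passes an argument to firewall.rules is not stated in the thread; if it passes none, drop the `case` and call `build_rules ... | sh -e` directly when installing.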