Cavecreek Newsletter -- Linux more secure than FreeBSD
 

This is from the CaveCreek Newsletter this month:

"Anyone running FreeBSD below version 4.6 is susceptible to an attack. Upgrading the Operating System has been known to be a nightmarish adventure in the past, and the OS is riddled with security problems. <b>Anyone running FreeBSD is urged to consider moving to Linux</b>."

I actually never heard an industry veteran advocate Linux over FreeBSD. what do you guys think?

interesting. any articles about this?

"Anyone running Linux below version 7.3(redhat) is susceptible to an attack. Upgrading the Operating System has been known to be a nightmarish adventure in the past, and the OS is riddled with security problems. Anyone running Linux is urged to consider moving to FreeBSD"

you can find the whole newsletter here:
http://www.cavecreek.net/newsletter

it kindda took me by surprise. i remember, i was hosted at Cavecreek when i first started in this business, few years back, and they used to be big FreeBSD supporters.

maybe they have strong reasons to suggest a move from FreeBSD to Linux.
honestly, i don't think Linux is any securer. I swithched to FreeBSD 2 years ago when my Linux box got hacked through DNS.

They're talking about all the security holes that have been uncovered in BSD lately. Someone has made it their goal in life to uncover new holes every week in OpenBSD, which means that some of them also transfer to FreeBSD. Before that it was Linux, and after this it will be Linux again that will be in the news.

Fact of the matter, most of the time, FreeBSD is much more stable and faster than Linux and if you keep up on security updates you're fine.

Last time I checked Linux was much better in multi tasking and multi processing as well as in SMP.

The development of FreeBSD is faltering, every version of the operating system (including the latest 4.6) has gaping security holes in it. Any script kiddie can get into FreeBSD up to version 4.5 with minimal effort. Version 5 has been in "development hell" for quite some time now and from what I have seen of late I do not believe it will ever be quite finished. Here are several other reasons why we are making the switch to Linux.

-- Security updates require a recompile to implement on FreeBSD.

-- FreeBSD does not have as robust multiple processor support as Linux currently does.

-- FreeBSD's file server is slower than that of Linux currently. Benchmark tests here have shown that Linux is up to 4 times faster serving files on an NFS mount.

-- Linux currently has a larger support community including third party drivers, software and hardware.

-- In addition we are better able to secure Linux servers and are able to offer more services like ASP and frontpage capabilities

CWIE currently hosts over 1000 servers. We now have 350 BSD servers in our data center and that number is becoming smaller on a daily basis. As an ongoing attempt to secure our network, business and the business of our clients I urge everyone that utilizes our services to consider moving to Linux.

that's the funniest thing i've read in a long time. yeah, everyone, move to linux, because it's more secure. nevermind the fact that linux is just a kernel, so you can't just "move to linux". (also nevermind the fact that as vending_machine says, *bsd is just the flavor of the week)

there are many distributions of linux-based operating systems and some are more secure than others. debian is nice. i don't know about the rest.

i wonder which distribution cavecreek is moving to, or if they'll say? that'd be far more meaningful.

as it is now, this letter is just FUD.

It's rare to see an industry leader making a statement like that. They must have had some box's hacked recently.

that's what i was thinking too. something major must've happened. actually i am curious to know too what flavor of linux they're moving to..

part of FreeBSD 5's release is supposed to include merging from TrustedBSD. that'll be awfully nice. since FreeBSD 4.x is secure (when patched) i'll be sticking witih FreeBSD.

anyways, most linux operating systems come with gaping security holes out of the box, too. just a fact of life.

of course they do. same as on linux.

if you're wanting to install binary packages, you can do that on freebsd as well. although admittedly they're not as good about putting them together. but it's really easy to make them yourself. then you'll have a local copy of each package.

in short: you don't need to do any more compiling on freebsd than on linux. this is FUD.

this is true.

do you have a report on this somewhere? in benchmark tests i've done, i've hit wire speed over NFS. if i had two NICs in the box i'd hit wire speed on both. perhaps you need to tune your mount_nfs variables some. this is FUD.

freebsd has support for good hardware. linux has more support for things like IDE, random video card/sound cards, USB - things that don't belong anywhere near a server.

nearly everything that can compile on linux can compile on freebsd.

this is mostly true, but irrelevant.

i'm curious how you're better able to secure linux servers? i admit i know nothing about ASP or Frontpage extensions except that they're relatively unused in the adult market (at least for mid-size sites and up, 1Mbps+)

i've secured freebsd servers just fine. this may just be a difference in experience, though. i've been doing freebsd administration for ~6 years and not much linux - so i'm not the best person to ask to secure a linux box.

sounds like you got hacked and are covering for it, frankly. :) sucks and sorry to hear it. but i hope you aren't representing to your clients that this move to linux will give them more security - it will not.

btw, free tip. want to boost FreeBSD NFS performance? kill nfsiod. sounds strange, i know, but it works. also, don't limit yourself to working with just one NFS mount. mount the same partition 4 places on your client and get roughly 4x the performance. (plus, this is scalable. say you want to split up/mirror your NFS server. just create a new one, copy the contents over, and mount each server 2x instead of 4x. or both 4x. why not?)

:)

You people are forgetting that it is NOT the OS which gets hacked but is actually 3rd party applications (SSHD, FTPD, LPD) and the list goes on.

If you depend on something to be secure when you get and to remain secure you're living in a dream world and deserve to be hacked.

Remember one thing,

The Security of a OS is only as good as it's administrator.

Joe

exactly. changing OSes isn't going to suddenly make your admins competent to protect your sites. i'd be rather nervous if i was a cavecreek client.

Sorry to interupt the little tech fest here guys, but Cavecreek has been moving people to Linux since before I left there.

I don't know too much tech, but I do know this isn't a brand new deal that popped up overnight.

Cavecreek hosts Linux, BSD, Solaris, NT, 2k and co-los some screaming ass video servers for a company that we host our site videos with. Same company that serves up news video clips for some of the high traffic news sites like msnbc etc.

People's boxes get hacked all the time -- mostly because of things people do to them on their own. Any host can tell you that.

you're right KimmyKim - ultimately that's what does it. but i don't think people are any better off running Linux or FreeBSD or MacOSX. i just think it's irresponsible to suggest that Linux (which in itself is not even defined as an OS) can be more secure than anything else. and as a sysadmin i think it's offensive that someone would try to say such a thing. it's just going to stir up trouble.

It also just might be a way for cavecreek to get everyone to move to a similar platform (linux) to help make their lives easier by managing fewer operating systems. Many large hosting companies like Digex do this. They support only 2 platforms, period. NT and Sun. This way they only have to worry about them. I don't know their methods, but I have had fewer people in FreeBSD boxes then in linux boxes in my lifetime. I think FreeBSD is better in the server environment while, linux is better on the desktop.

AJ

Sorry to the guy who's box got hacked via "DNS". If you were running an exploitable version of Bind on an *bsd box you would have been nailed just as well.

Given a competent admin of either OS, I believe they are equally secure. I can't even remember the last kernel-level type bug that would allow remote access to either of the system. It's all in what apps you run.

Granted, some distributions are better off OUT OF BOX than others, but when you get down to it, no one should be running anything they want to serve critical stuff out of box. If you do, you deserve to get nailed.

I don't know how many times I've seen people with dedicated boxes just leave what is installed on there by default alone (i.e. EVERYTHING it seems. Bind, sendmail, telnetd, some form of ftpd, apache, etc. etc.) and NEVER upgrade it. Much less actually *gasp* watch the security alerts for their stuff.

This is one reason I'm more of a shared hosting or managed dedicated (where your host admins it for you) kind of guy. Let those who know what the hell they are doing admin, and guarantee security.

And if someone else is managing it, why the hell do you care what underlying OS it is? You will not see a difference between Linux and *BSD in terms of performance (assuming competent admins again), so why care? I'd rather be using what my admins are most comfortable with than using something for religious/FUD purposes.

In both OS'es, it comes down to who admins the box. Period. A well administrated network will not be getting hit with your script-kiddie "DNS" (Bind) attacks, as they will have upgraded all the machines the second the exploit hits (we hope, right?).

So for myself since I do hosting, I highly prefer Debian. Why? Just because I know it, can easily do common tasks, and can easily automate my own apache packages and such so I can upgrade 15 servers in the time it takes to compile a new package on the local debian mirror.

However, someone else may be able to make freebsd hum, and if I were hosting with them I'd definitely want them to be using it.

anyways, this got long. :)

peace,

-Phil

If you are running one OS, and have everything already set up, It's unlikely that switching OS's will accomplish anything useful. Just maek sure you are running up to date code from whatever OS you chose.