Just taking this back to the original thread...

My views simply come down to people's ability to secure a box, whether it's Linux or Windows, or whether it's an OS on a specific appliance, e.g. IOS on Cisco routers/switches.

With Windows, the options are a bit more limited, and patching is really the only good defence against vulnerabilities that hackers/crackers can exploit, other than making sure there is a solid firewall on the network boundary.

Linux OTOH can be set up so that, for example, the MySQL database can only be accessed via 127.0.0.1 if it is only for the local webserver, or opened up only to the hosts that need to access the database server. Furthermore, IPTables can be set up so that requests to TCP/3306 are accepted from the authorised hosts and denied for everyone else, and better still, those hosts would be sited on a dedicated network interface or VLAN so that IPTables can restrict by layer 3 address and interface, which protects against spoofing.

Also, services that aren't needed are disabled; for example, would you have Samba running on a colocated webserver?

In saying that, it's also very important to keep the Linux system up to date.


From my Cisco world experience, I have come across vulnerabilities in IOS, not a huge number, but they are there. Due to the complexity inherent in the number of features that IOS has to offer, there will be security vulnerabilities, but if the switch or router is configured properly, then the chance of the vulnerability being exploited is vastly reduced if not eliminated.


In saying that, I would also take heed with Ian's caution.
But I would also consider taking other steps in securing a box.

On Mon, 2007-10-08 at 13:15 +1300, Ian McDonald wrote:
> http://www.osnews.com/story.php?news_id=18738
> 
> The moral of the story is that unsecured (particularly unpatched)
> Linux boxes are just as bad (or worse) than Windows boxes.
> 
> I've seen a lot of people just install Linux machines and leave them
> running. Yes they run forever, but that doesn't make them secure. It
> seems like Linux is now more and more a target.
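The MySQL lockdown described earlier in the thread (bind to 127.0.0.1 or a dedicated interface, allow TCP/3306 only from authorised hosts, drop everything else), written out as an added example script; it is not code from either poster. The interface name `eth1`, the addresses `10.10.20.11`/`10.10.20.12` and the two `my.cnf` fragments are constructed placeholders for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread. Builds an IPTables allow-list for
# MySQL (TCP/3306) that is tied to both the source address AND the dedicated
# DB-side interface, and checks that MySQL itself only binds locally.

MYSQL_IF="${MYSQL_IF:-eth1}"                               # assumed: dedicated DB interface/VLAN
MYSQL_PORT=3306
ALLOWED_HOSTS="${ALLOWED_HOSTS:-10.10.20.11 10.10.20.12}"   # assumed: the web servers that need the DB

# Print a command, or run it when APPLY=1. Lets the rules be reviewed
# before they are ever applied to a live box.
emit() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# One ACCEPT per authorised host, matched on interface + source address, then a
# catch-all DROP for 3306 on every interface. A packet with a spoofed
# 10.10.20.x source arriving on the public interface fails the -i match and
# falls through to the DROP. (A real chain also needs an earlier
# ESTABLISHED,RELATED rule so reply traffic is not affected.)
mysql_fw_rules() {
    for h in $ALLOWED_HOSTS; do
        emit iptables -A INPUT -i "$MYSQL_IF" -p tcp -s "$h" --dport "$MYSQL_PORT" -j ACCEPT
    done
    emit iptables -A INPUT -p tcp --dport "$MYSQL_PORT" -j DROP
}

# Returns 0 when the given my.cnf pins MySQL to loopback, 1 otherwise.
# Accepts 127.0.0.1 or localhost; anything else (0.0.0.0, missing line) fails.
mysql_bind_ok() {
    grep -Eq '^[[:space:]]*bind-address[[:space:]]*=[[:space:]]*(127\.0\.0\.1|localhost)[[:space:]]*$' "$1"
}

# Constructed sample configs: one locked to loopback, one listening everywhere.
GOOD_CNF="${TMPDIR:-/tmp}/example-good-my.cnf"
BAD_CNF="${TMPDIR:-/tmp}/example-bad-my.cnf"
cat > "$GOOD_CNF" <<'EOF'
[mysqld]
bind-address = 127.0.0.1
EOF
cat > "$BAD_CNF" <<'EOF'
[mysqld]
bind-address = 0.0.0.0
EOF

# Dry run: show the rules, then report on both sample configs.
mysql_fw_rules
for f in "$GOOD_CNF" "$BAD_CNF"; do
    if mysql_bind_ok "$f"; then
        echo "$f: MySQL bound to loopback only"
    else
        echo "$f: MySQL is NOT restricted to loopback, fix bind-address or rely on the firewall"
    fi
done
```

Run it as-is to review the generated rules; set `APPLY=1` (as root) to install them. The point of combining `-i` with `-s` is the spoofing protection the post alludes to: an address match alone can be forged, an address match on the wrong interface cannot pass.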