Vendor-by-Vendor View of Security


Caldera

Security holes: 19; warnings: 9

Two holes were related to the version of OpenSSH (a suite of network productivity tools), and 17 belonged to cadlock2, one of which may result in a buffer overflow with root privileges. Warnings included a false positive on port 631 (indicating a possible Microsoft vulnerability), a possible X denial of service on port 6000, four warnings belonging to cadlock2 and an Internet Control Message Protocol (ICMP) timestamp warning. Two more warnings were again provided by OpenSSH.

Mandrake

Security holes: 0; warnings: 3

OpenSSH obliged us with two of the three warnings, and the third was the ICMP timestamp warning.

Red Hat

Security holes: 1; warnings: 2

One hole was an ICMP modem vulnerability that allows an attacker to control the modem. The only warnings were one ICMP timestamp and one predictable IP ID. No vulnerabilities let a remote user gain privileged access to the box.

Slackware

Security holes: 8; warnings: 9

The security holes were two FTP vulnerabilities, two OpenSSH holes, a possible Telnet overflow allowing superuser control, two possible buffer overflows in Simple Mail Transfer Protocol (SMTP) that could yield root privileges, and one possible SMTP denial of service. Ident, netbios-ssn, login, shell and ICMP timestamp all reared their heads as security warnings.

SuSE

Security holes: 0; warnings: 3

Two security warnings were related to the version of OpenSSH. The only other issue was an ICMP timestamp warning. No vulnerabilities let a remote user gain privileged access to the box.

Turbolinux

Security holes: 2; warnings: 3

Both security holes and two of the warnings were related to an old version of OpenSSH, which allows a remote user to execute arbitrary commands as root. The only other issue was an ICMP timestamp warning.

If you are new to Linux and will be using the default installs, SuSE and Mandrake will provide the best security. All systems except Red Hat required an upgrade to the SSH daemon. If you use time-based authentication, or simply don't want outsiders to learn the date and time on the server, you will need to filter out ICMP timestamp requests. As for Caldera (the worst performer), simply stopping the cadlock2 service will greatly reduce your risk of attack.

Overall, by upgrading the SSH version and properly configuring packet filtering, there is no reason why any of these OSs can't provide adequate security.
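The two fixes recommended above, checking the SSH daemon's version and filtering ICMP timestamp traffic, as an added shell example that is not part of the article. It assumes iptables rather than ipchains, and MIN_OPENSSH is a placeholder for whatever fixed version your vendor's advisory names:

```shell
#!/bin/sh
# Added example, not from the article. Flags an sshd older than a chosen
# minimum and prints packet-filter rules that silence the ICMP timestamp
# warning the scan raised on every distribution. MIN_OPENSSH is an assumed
# placeholder: set it to the fixed version named in your vendor's advisory.
MIN_OPENSSH="${MIN_OPENSSH:-3.0}"

# Numeric version from an "ssh -V" banner:
# "OpenSSH_2.9p2, SSH protocols 1.5/2.0, OpenSSL 0x0090602f" -> "2.9"
openssh_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9.]*\).*/\1/p'
}

# version_ge A B: exit 0 when dotted version A >= B, comparing numeric
# fields left to right and treating missing trailing fields as 0.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xa = (i <= na) ? x[i] + 0 : 0
            xb = (i <= nb) ? y[i] + 0 : 0
            if (xa > xb) exit 0
            if (xa < xb) exit 1
        }
        exit 0
    }'
}

# Exit 0 when the banner's version is below MIN_OPENSSH; an unparseable
# banner (no ssh installed, non-OpenSSH daemon) is also reported, not passed.
openssh_needs_upgrade() {
    v=$(openssh_version_from_banner "$1")
    [ -z "$v" ] && return 0
    if version_ge "$v" "$MIN_OPENSSH"; then return 1; else return 0; fi
}

# iptables rules dropping ICMP timestamp request (type 13) inbound and
# timestamp reply (type 14) outbound; all other ICMP is left untouched.
icmp_timestamp_filter_rules() {
    printf '%s\n' \
        'iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP' \
        'iptables -A OUTPUT -p icmp --icmp-type timestamp-reply -j DROP'
}

banner=$(ssh -V 2>&1)   # ssh -V prints its banner on stderr
if openssh_needs_upgrade "$banner"; then
    echo "sshd below $MIN_OPENSSH, upgrade it: $banner"
fi
icmp_timestamp_filter_rules
```

The printed rules are meant to be reviewed and then added to your existing filter script, not piped blindly into a root shell.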

Up Close With the Distributions
Methodology