Had a good lunch with Dana today and in the ensuing (computer security related) discussion he mentioned that someone, somewhere had compared Windows 2000’s default services to those of Redhat’s Enterprise Linux, and found them to have the same number of attack vectors (that’s “vulnerabilities” to normal people).
Since I have no access to Enterprise Linux, but Fedora Core 2 Test 2 was released today, I decided it’d be as good a candidate as any for a check to see how Linux does in that area.
Now I could be mean and say that I’m comparing the latest from the Linux camp with the latest available from the Microsoft camp, but I won’t be. XP was written many years ago while Fedora is using the latest and greatest technologies from the open source community. Sadly we’ll have to wait for another few years for the latest to come from Redmond (unless you’ve got a couple of thousand to get an MSDN membership and get some of the latest things). However, I could quite easily say I’m looking at the latest available from both the Linux and Microsoft camps, and be completely honest. Well, ignoring Windows Server 2003 that is, but that’s not a “consumer” OS IMHO.
Anyway, the first thing I want to address is what services are on by default, which is the whole point of this.
phoenix root # nmap 192.168.2.109
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-03-29 22:18 PST
All 1659 scanned ports on 192.168.2.109 are: filtered
Nmap run completed -- 1 IP address (1 host up) scanned in 71.819 seconds
Well how about that. I believe I detailed what was on the default install of a Windows 2003 system a while ago.
However, when I installed I did so choosing the defaults for a workstation and let the install script do everything else. Just to be fair I’ll go back and re-install as a server and compare.
While I wait for that, some of the details of what’s included in Fedora Core 2.
- Gnome 2.6
  - (actually 2.5 as 2.6 is due to be released on the 31st). The latest and greatest in the GNOME graphical user interface. I don’t know if I like the new “spatial nautilus”, but I’ll give it a bit of use before I decide.
- SELinux
  - Security Enhanced Linux… a mandatory access control system built right into the kernel.
- Kernel 2.6.3
  - Almost the latest and greatest kernel…. 2.6.4 is the latest released as I write this.
- Diff X11 Server
  - Based on XFree86 4.4, but without the licensing issues I’m guessing. Looks and acts the same, which is what is wanted I guess. No hardware acceleration or transparency yet though.
- Other…
  - Full acpi, nifty apps, etc etc etc…
- While the install worked fine, when rebooting I had no GUI because I was under VMWare. Turns out the default setup is for 16bit color and because it’s VMWare it wants to have the same color depth for the vmware client as the host, and my desktop is set to 24bit color. A quick fix as I knew what I was doing, I doubt Joe could have. Of course, chances are Joe would be running VMWare.
- It also asked me a strange question when I first logged in as root to the console, something about creating something. I hit the default. I assume this was some SELinux thing.
- A question about if I wanted to choose a different context than root:sysadmin_r:sysadmin_t came up when I first logged in as root. Something to do with SELinux I’m sure. I hit the default cause I had no idea what it is talking about.
Install
Install was pretty easy, just clicky clicky clicky. The first time as I said above I configured it as a workstation and did everything default…. ie: what would Joe Average do. It wasn’t perfect of course, it’s a beta.
The second install I did as a server and did as Joe Sysadmin would do, selected some servers (mail, web, dns, webmail), and went with only a very small level of configuration. I even tried to turn off the firewall (enabled by default on install) and it warned me not to be an idiot. I left it off anyway to see what would happen when it came up.
phoenix root # nmap 192.168.2.109
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-03-29 22:53 PST
All 1659 scanned ports on 192.168.2.109 are: filtered
Nmap run completed -- 1 IP address (1 host up) scanned in 71.172 seconds
Well how about that. Still nothing on by default.
Now granted, because Dana is using Debian stable for his server, he’s installing on software of about the same age as Windows 2000. Granted it’s really stable software, but come on, it’s way out of date (2.2 kernel on the latest stable release of a Linux distro? Hello, 1999 wants its kernel back!).
So in conclusion, Fedora Core 2 Test 2 starts with 0 services running (or at least, exposed to the net), and even with the firewall disabled nothing shows up on a portscan. I had to run /etc/init.d/iptables stop to even get it to show up anything, and when it did it was port 22 and port 111 (portmap, used for FAM).
I downloaded the ISOs of Mandrake 10, maybe I’ll try this on them tomorrow. Heck, maybe a website dedicated to what stuff is enabled by default on OS installs should be set up?
Just FYI, my fully updated and patched Windows XP system (enabling IIS opens up another 4 or 5 ports):
phoenix root # nmap 192.168.2.102
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-03-29 23:10 PST
Interesting ports on orbit (192.168.2.102):
(The 1650 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
3389/tcp open  ms-term-serv
5000/tcp open  UPnP
Nmap run completed -- 1 IP address (1 host up) scanned in 0.402 seconds
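As an added example (not part of the original post), this parses the nmap 3.50 result lines quoted above and keeps "nothing answered because a filter dropped the probes" separate from "nothing is listening", the distinction that surfaced once iptables was stopped and ports 22 and 111 appeared. The function names `summarize` and `verdict` are my own.

```python
import re

# Result lines copied from the scans in the post (banner and timing lines trimmed).
FEDORA = """\
All 1659 scanned ports on 192.168.2.109 are: filtered
"""
XP = """\
Interesting ports on orbit (192.168.2.102):
(The 1650 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
3389/tcp open ms-term-serv
5000/tcp open UPnP
"""

ALL_RE = re.compile(r"All (\d+) scanned ports on (\S+) are: (\w+)")
HOST_RE = re.compile(r"Interesting ports on .*?\(?(\d+\.\d+\.\d+\.\d+)\)?:")
REST_RE = re.compile(r"\(The (\d+) ports scanned but not shown below are in state: (\w+)\)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.M)

def summarize(text):
    """Return {'host', 'default_state', 'open'} for one host's scan output."""
    m = ALL_RE.search(text)
    if m:  # every probed port shared one state, so nmap printed no table
        return {"host": m.group(2), "default_state": m.group(3), "open": {}}
    host = HOST_RE.search(text)
    rest = REST_RE.search(text)
    ports = {int(p): svc for p, _proto, state, svc in PORT_RE.findall(text) if state == "open"}
    return {"host": host.group(1) if host else None,
            "default_state": rest.group(2) if rest else None,
            "open": ports}

def verdict(s):
    """Describe what the scan does and does not establish about the host."""
    if s["open"]:
        return f"{len(s['open'])} service(s) reachable: {sorted(s['open'])}"
    if s["default_state"] == "filtered":
        return "nothing reachable; probes dropped, so listeners behind the filter are unknown"
    return "nothing reachable and nothing listening on the scanned ports"

if __name__ == "__main__":
    for scan in (FEDORA, XP):
        s = summarize(scan)
        print(s["host"], "->", verdict(s))
```

For a like-for-like count of default services, the external result should be paired with a listing of listening sockets taken on the host itself, since a filtered result only describes what the firewall lets through.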