How secure is LFS?

Nicholas Charles Leippe ncl3 at email.byu.edu
Tue Feb 26 11:06:50 PST 2002


> How secure is a LFS linux system (lets suppose you added some other
> progs like BIND, sendmail, Apache, cyrus-imap... and you are using it
> as a internetserver for the according services)?
> 
> Or: how seucre can I get it and what is needed to do so?
> 
> 2nd or: How secure is it compared to security optimized distributions
> like "Engard Linux"?
> 
> 
> I would be glad if you could share some opinions with me.

The best way I can think to put it is:

LFS is only as _insecure_ as _you_ make it.

A fresh LFS is very secure--there are _no_ services running.
Only kernel (protocol stack) exploits, or local access exploits
are possible.  (local access is a moot point--w/physical access
to the hardware all bets are off anyways).
Remember, LFS is just the base install, so once extra programs
are added, it's not really LFS, just based on LFS--it's really
_your_ distro at that point.  So the question then becomes,
how secure is your distro?

Imo, (undoubtedly laced with a false sense of security), my machine
is quite secure.  It has exactly one service running--sshd.  No
other open ports.  I do feel confident that I could install
tcp_wrappers + portsentry + apache, etc, and only be as insecure
as they are--no worse.  Whereas w/shrink-wrap distros, at best you
are only as insecure as those services, but usually worse.


Nick
aka kamikaze

-- 
Unsubscribe: send email to listar at linuxfromscratch.org
and put 'unsubscribe lfs-security' in the subject header of the message



More information about the lfs-security mailing list