Really I'd like to learn how to build from the ground up but that's kinda like my 11 year old trying to learn quantum physics for now.... I don't doubt she has the ability, but it would take some hard work and determination, hopefully with enough reading I'll get it... just looking around and gathering opinions and seeing what works for everyone else... trying to at least cover fifty pages a day but with two toddlers and a stepdaughter reading can be quite hard @ times.. lol but I am trying as many distributions as possible but I'm taking my time and trying to learn each one as I go..
If you REALLY want to learn a bit about the internals, have a look around for the Linux From Scratch "distro". It isn't really something aimed at being a daily use system unless you are a tool, but it will give you a crash course in a lot of the deep fundamentals of Linux. At the very least, reading over the ebook will teach a thing or two. You could also try Gentoo. Portage is great for installing packages, and emerge is painless for keeping your system up to date. You'll still learn a lot installing and configuring, and you'll probably want to use some prebuilt packages to just save time (unless you like seeing hour upon hour of gcc output or are an absolute ricer), but it puts you right in the driver's seat. The documentation is still an informative read again, even if you don't install it. Of course, both are probably overkill for the average user, but probably aren't so bad to try installing once just for the experience.
Jan, I personally love OpenSuSE, as it's nice and simple in daily use, not to mention dumping the sh*tty KDE for GNOME is as easy as changing the options... It IS a bit resource heavy, but I don't mind that, and the ability to use rpm's (and having the YaST installer) to install programs makes it a lot easier in use for all the people who are new to Linux/Unix. 'Cause let's be honest, compiling a program can be a daunting task for anyone who's just dropped winblows for their first Linux flavor... Not to mention that you can remove anything from the install menu, so you could in theory just install the kernel and build it from scratch. I prefer standard Debian *with some extra programs packed into the installer for ease* for all my Pro uses as network auditing, vulnerability tests and pen. testing, but for my daily use as a desktop system I'll stick with OpenSuSE *and soon maybe corporate SuSE, since my boss is getting me a legal copy*.
Yeah.. I'd love to use SuSE but it just doesn't get on with my hardware. I like lean and mean Debian. A link for Skitzy: http://www.linuxfromscratch.org I built my own for a 486 from there. I think actually the best way to find out which distro you prefer is to download a heap of live CDs of every flavour you can find and give each one a go for a week each.. Then review your findings and go with the one that you like best. The rest of us have all kinds of strange issues and prejudices depending on what we do.. I really like Slackware 10 with Gnome, but that's for the brave. I'm using it as a learning platform because there isn't that much support apart from the forums, and it's a lot more DIY than the others. Just one thing puzzles me a little. Are you ordering CDs from them because of a slow internet connection? Every kind of Linux can be downloaded free with no wait. Including Red Hat, through the Fedora project.. Apart from Linspire (or whatever they call it these days)
Nah, I've been downloading and burning... even dug out an old dvd rom for that crusty fusker today... lol makes things a lil faster.. as far as connection we're high speed.... the problem is I really only have one workhorse and it's fully capable of almost anything... the rest are sheep that have long since lost the herd (but I do have a herd) and they're even losing their wool, in other words basic junk right from the auction (gov deals) *pallets of PCs for like $80 bucks.... it's insane.. that's why I'm having so much fun with project... trying to make that junk my treasure is all...
(forgot about the Ubuntu disc) Yeah, when I first took interest I wasn't quite sure yet so I just ordered from Ubuntu.... (yet another great Stumble-Upon moment 4 me) saw the ship-it option and said what the hell, why not? Plus I have a few friends interested as well and they're just kinda following along as I go... So I got the huge pack... but as far as ISOs I have Xandros, Ubuntu, and SuSE currently.... but I've only tried SuSE so far, I had a bad burn on the Ubuntu disc... I have quite a bit of information on Red Hat but I have yet to read that far yet..... but I may go ahead and grab its ISO while I'm mowing.... lol
one thing I have to say for SuSE, on a 2006 model AMD they support all my hardware... thank god *was reviewing this thread again, and I agree w/ Fiend
Oh yes.. Unless it's wireless network hardware or state of the art 3d graphics it's hard to find hardware that isn't supported. That makes a refreshing change, especially with the older stuff.
Yeah, I was sure... read a post somewhere where someone was saying Linux didn't support a lot of new stuff... I just don't see how that is.. of course it doesn't support a lot of Windows stuff.. lol I hope that's not what he meant... but hardware drivers really were my only concern.. When you can dual boot who gives a fusk if your Windows apps don't work on Linux... boot in Windows, but anyways trying to figure YaST out now... ~forgot to mention the sig... lol I even gave the penguin a beer, cheers!
Now I know I'm going a bit back with this but this is my first day at afterdawn and I can't sleep so... I've found Ubuntu to be the most streamlined distro I've ever used. I've used Red Hat 5.1, 7.3, Mandrake 7.0, 8.0, 8.1, Lindows, Fedora Core 4, whatever Mandrake is called these days and Debian Sarge, and the difference between Ubuntu (Breezy Badger) and the others I've used was ginormous. While some of the others felt like they slung a whole bunch of programs at the OS and kept what stuck as a default install, Ubuntu worked as if they were in harmony. As for security, of course you change the passwords and set up a firewall before connecting. Everything has holes but open up Synaptic daily and apt-get your updates and you'll be fine. Remember you don't have to have the most secure system in the world, you just have to be more secure than the Windows users. And hacking individuals just really isn't done anymore; those who can have bigger fish to fry and those who can't use a program made by somebody else. Since Linux doesn't handle exe's the same way Windows does you're fine. I was going to give this link (and I still will) but I'm surprised how old some of this stuff here is. It's still good info but this is where I went 6 years ago as a Linux noob to learn how to get a driver for my old Conexant winmodem. That was a rite of passage since it was kinda potluck if your modem had a driver or not. Now $80 a pallet of golden oldies, that sounds like fun! Gonna have to get me a piece of that action!
Now, for the sake of argumentation, and the fact that I'm bored today, do you know how many security holes, buffer overflows and other exploit types are found in Ubuntu? You'd be surprised. As for you saying that I'd say that statement needs a closer inspection... Some fun facts: 1) 70% of WareZ site "treasure chests" are rooted/exploited computers of regular users that are used for FTP server type storage and access. 2) There are still a LOT of script kiddies around, *a fact that won't change, ever* who like to "b3 1337 4nd Pwn s0m3 l4m3 n00b'5 5y573m" just so they can brag to their loser friends, and let's not forget the recent outbreak of data hijackers. Now back to Ubuntu. I feel that any Linux distribution that works with sudo users should be taken off the net, as this poses an even greater security risk than having unshadowed passfiles. Also, here's a personal story: I had a customer last a few weeks ago that wanted to see how secure his Ubuntu really was, and requested we'd do some pen. testing to see what we could find. Now I won't go into details of which exploits I ran against his system, but I can tell you that in the course of 2 days, I found 7 working 0day exploits. Now, I'm not saying that all other distros are better off, but finding 7 0day exploits in 2 days made me wonder what the hell the Ubuntu folks were doing...
Anyone know much about Mepis? Security-wise that is. I use Kubuntu on my machine, dual-booted with Windows, and to be honest it's helped me out loads. I tried a few distros over a couple of years and never managed to stick with it, but Kubuntu changed that. Now, I'm not the most paranoid person, but don't like the idea of having an unsecure system. I do all updates when available and even have AV installed and updated, but Fiend, ya got me uneasy now haha. I installed Mepis a while back on a test server because they did an out of the box install with everything needed and it was sooo simple, but I never fancied it for my desktop. The new version that has been released is now using Ubuntu/Kubuntu repositories, as well as Debian (which the Buntus aren't altogether happy with) and also its own, so software wise it sounds a hell of a lot better. Just not sure about security wise. Any opinions guys?
I have mixed feelings with Mepis, but it has fewer issues for sure *as it's been around longer*, and if properly set up it should be a lot better than Ubuntu.
Ok now I'll admit that I left the "security enthusiast" side of me behind a while ago and am by no means up to date in the latest and greatest (or not so great) secure systems in the world. And in fact I am surprised you found so many holes. But any system fresh out of the install is going to abound with security holes. As for the fun facts it stands to reason that... 1) Any personal user who is using Linux or any non-Windows alternative, with maybe the exception of Macs, takes pride in knowing what's going on with their system, which of course is the best security measure. I'd bet that of those 70% of FTP servers 3 of them at any given time are non-Mac/Windows. Now I'm saying personal computers, not servers. 2) Script kiddies don't know their ass from third base. I can only think of one Unix trojan (I'm sure there are more but not many). Essentially any non-Windows box is virtually lost in a sea of Windows and almost totally obscured. 3) My real point was to say that PC users, aside from viruses, for the most part fly under the radar. Anybody that knows how to apply an exploit either A. won't for whatever reason or B. would rather take down a server where they can get something useful or get credit for their takedown. To take it a step further, unless they're looking for a challenge and not a goal, 99/100 are gonna go for the easier Windows. Now this does surprise me, were these Ubuntu specific holes or individual packages that had problems? Also by 0day do you mean that the exploit was found that day and you used it? I really never got into exploits. We did some wargames but I was mostly support and to be honest I've only heard the term 0day used in terms of day of release warez. To clarify, I hold a relatively loose view on security. While our router is secure, my Windows computer doesn't have anti virus because it's a resource hog. We just don't do stupid stuff with it and if need be we use Panda ActiveScan.
On a lighter note I'm impressed with the quality of users in this forum. While over the years I've seen afterdawn from time to time I never really looked into the forums and I'm impressed by some of the topics here namely in the linux section. Nice site.;-)
First off, to shed some more light on the situation, the system I was asked to pen.test was not a fresh install, this customer had finished setting up his hardware firewall next to his already fully worked over Ubuntu and wanted an Audit done, so I got to work. Now, 0day is widely used nowadays in release scene stuff, whether it be legal or illegal. In exploit terms the 0day basically stands for the same thing in all cases: freshly discovered goods, but with exploits, it also stands for non publicized exploits (or in layman's terms, exploits that have not been reported for the "greater good", and haven't been discovered yet by the white hat people). In my case, I personally found 1 kernel specific exploit (where the exploit goes straight for the ol' heart and lungs), and got one from a coworker, I found 1 exploit that messed with Ubuntu's Sudo account systems *don't ask me how it worked exactly, I didn't "create" it myself*, and 4 package problems *that were Ubuntu specific, they would not execute on my Debian test machine that mostly has the same packages*. Now, I know for a fact that there are a number of *nix based trojans, some of the classics like Sub7 and Back Orifice to name a few (I won't give out any more, as I already feel I'm revealing too much harmful stuff here). And as for script kiddies knowing f*ck all, I wouldn't be too sure of that, as I would easily qualify as a script kiddie *except of course that I do this kind of sh*t for a living, and I'm too old to be a kiddie*, because tbh, I know a bunch of stuff about security and its ToolZ, but I wouldn't be able to write a simple Pong! game in C if my life depended on it *I can do it in Basic though ;-)*. To react to your fun fact #1, the % lies at an alarming 24% as far as non Windows systems are concerned, and it is estimated that of that 24%, 18% are *nix based systems.
To further clarify, most of these systems aren't FTP servers when they get rooted/cracked, just mere desktop systems for the most part. Then your fun fact #3... You should not underestimate the number of exploits used in attacks made by script kiddies. With Metasploit rapidly gaining popularity *and rightfully so, it's just too easy to work with*, and the number of people that know how to use it increasing daily, it's pretty obvious that it's not just experienced hacker/crackers/security guys using this program. Hell, I even recently read a script kiddie guide from the elitehackers site that explains it in such a simple way that my 12 year old kid cousin could work it if I gave it to him, which I wouldn't, but that's beside the point here. I could go on and on with facts and trivia, but since I'm kind of tired now, I think I'll leave you with this info, and wait for your next reply.
The kid who took out my server was 14 and thought he was in a desktop machine. He's apologised very sincerely but that doesn't stop the fact that I believed my machine to be as secure as I could make it, while keeping its primary function, and it was still taken down by a kid with little knowledge of the tools he was using and the damage they can cause. Though he didn't mean any harm he messed up the database and lost me a hell of a lot of data, he was only looking around and found my admin backdoor that I forgot about when configuring the automount reboot on powerloss... Done me a favour really.. Now it really is about as hardened as you can get. Doesn't compensate me for 3 weeks downtime, but I suppose it was my own stupid mistake. Ubuntu is full of holes.. some so basic as to beggar belief. User password in a globally readable file which is also default root password through sudo after install... enough said! There are probably thousands of other little holes for the determined and malicious hacker. I dumped it very quickly when I had problems installing a firewall on it. Not good enough Ubuntu team.. It's supposed to be the new users introduction.. you should at least make it something like secure.. Even winblows has a token attempt at security.