I have used Fedora for hosting servers a lot of times. I have never faced any problem. Still all the new users come and tell Fedora is not secure. We should use Ubuntu / CentOS or some other distribution but not Fedora. I never understand what is the problem with Fedora. What makes other distributions more secure.
Few points: 1. Fedora comes with iptables configured to allow only SSH. Plus we can always configure iptables to even block SSH if we want too. So no short coming on firewall.
Fedora releases updates regularly (both security and general patches).
People say distro X releases new version once in 5 years and Fedora once in 6 months. How come releasing once in 5 years makes things secure. IF you feel 5 year old things are secure install five year old OS or dont upgrade for 5 years even if new version comes. Personally I feel not giving new version for 5 years does not adds to security. You would have to release patches for 5 years as and when bugs get detected. So using very old OS just means more patches. If we use recently released version then we have to apply less updates / patches. How releasing once in 5 years makes things secure I have never understood.
All OS uses similar packages like Gnome, Open-Office, KDE, Open-SSH, Apache. Do other distribution developers spend time reading source code of these packages and correcting security errors, if any? Even if they do wont they publish those flaws and all other distributions would release patches for it including Fedora. Or would they secure their own distributions and not bother to notify others. This all assuming they do read all millions of lines of codes of packages as big as apache, gcc, Open-Office. If this things are same in every distribution, what makes Fedora more vulnerable.
Fedora comes with seLinux preinstalled and nicely configured.
Bind runs in chroot by default in fedora. Now with Fedora 11 DNSSEC support is also present by default. See question DNS Server on Fedora 11 where some one pointed Fedora in not good for hosting DNS. I do not know why.
In fact one of the new admins installed Cent-OS 5.3 on one of the test machines. I used it to ping one IP which was not there. I got ping replies. I was astonished since it was not possible. I tried to find out the location from where replies are coming but failed. At end after trying for more than a hour, I removed network cable from CentOS machine. I was still able to ping the IP. Then I tried to ping IP address of the machine. I could ping that too. So I was able to ping two IPs (not others, I tried them too) when machine was configured with one IP and no aliases (eth0:1, etc.) were present. I checked ifconfig output too. I lost complete trust in so called server distributions and installed Fedora 11 on all test machines. Now I do not face such strange problems for things as basic as ping.
I would really appreciate if I could get real life examples which indicate Fedora is unsecure and if in that case it were any other distribution things would have been fine. Do not give examples were admin made mistakes. We cant blame a distribution for that. Also do not give very old Fedora 1, 2 or Fedora 3 examples. Fedora project is very mature now especially last two versions 10, 11. If you have faced security issues which are particular to only them, please share your experiences.
I thought I didn't have anything to add to this, but after having run Fedora in production for nearly two years - for my very important Zabbix monitoring system! - it seems I do have a couple of things to say.
First, it was not my first choice. Typically for anything even vaguely important I will choose CentOS/RHEL for the long-term stability benefits that these distributions provide. However, for this particular deployment I absolutely required features in Zabbix 2.0, while the EPEL repo only provided 1.8. (EPEL now has Zabbix 2.0 and 2.2 packages in addition to 1.8, though it did not at the time. If it had, I would never have tried this.)
So the tradeoff here is: Fedora has the latest software, but its releases are on a very short 13-month lifecycle, with new releases made about every six months. This means I had to plan for a maintenance window to upgrade Fedora twice a year, in addition to the usual periodic installation of updates.
For a monitoring system which is supposed to be keeping track of everything else, it's vital that such maintenance periods be as infrequent and as short as possible. With the requirement to upgrade so frequently, this would usually rule out such a distribution, but remember that I had more pressing concerns; it would be useless without the features I needed. So this is a tradeoff I made with (nearly) full knowledge of the consequences.
Not long ago, I did the Fedora 18-19 upgrade on this server, using Fedora's new fedup upgrade tool. I planned for a two-hour outage, with another two hours to possibly deal with any of the monitored services that might have died and that fact missed since Zabbix was down.
The actual service downtime was 11 minutes. That's from the time Zabbix stopped before reboot to the time it was back up and monitoring services after the completed upgrade. I did not realize that the downtime would be so short! I was expecting much more trouble, even though I know from experience that significant upgrade problems are uncommon with Fedora. (And it's been improved further: When I did the Fedora 19-20 upgrade, the complete downtime was an amazing six minutes. The same time for 20-21.)
This service will almost certainly be moved onto RHEL 7 when it becomes available.After this experience I'm much more confident in Fedora as a server and now intend to keep it, even with a major upgrade every six months. Moving off to RHEL would be much more disruptive, and might limit me in the future, because of the following:It's unfortunate that Red Hat has such a long time between major releases; a similar delay between EL5 and EL6 led me to actually put an Ubuntu installation into production, something I am still kicking myself over to this day. (For that system, I considered Fedora, but strangely it did not have the software I needed packaged at all at the time, despite an older version being in EPEL.)
One "problem" no one mentioned about running Fedora is that you will see many new things, both large software projects and tiny enhancements, well in advance of their inclusion in RHEL. So when you go to manage your RHEL/CentOS systems you will miss them. For example, Fedora has a large number of bash completions which aren't yet in RHEL by default; one notable one is tab completion for package names in the
yumcommand line.So, it's certainly possible to use Fedora in production, so long as you can accept the tradeoffs:
All things considered, Fedora is still not my first choice for a server platform, and probably never will be. (Though I've been a happy Fedora desktop user for its entire existence.) In the case where you absolutely need more current versions of software not available in a more "enterprisey" distribution, and you can accept the tradeoffs, then there is nothing wrong with using Fedora.
Finally, since you asked specifically about security, a few words on that.
As previously noted, there's no real difference in the pace of security updates between Fedora and any other distribution. Fedora packagers make special efforts to stay close to upstream and get these sorts of updates out as quickly as possible, sometimes even before the upstream project does.
Like its enterprisey big brother, Fedora also ships with a fairly locked down security configuration: services (except ssh) ship off by default; the default-deny firewall is enabled by default for both IPv4 and IPv6; SELinux is enforcing by default. In addition, Fedora is hardened in a number of other ways.
On the other hand, you get to see new security technology very early; one example is the recent introduction of FirewallD, which still isn't quite ready for prime time, though switching back to the previous firewall is easy.
There's nothing that dictates that Fedora is unsuited for use on servers, nor is there anything that dictates that "server distros" is the only choice for servers. It depends on your particular needs.
What you may gain from using the "server distros" is:
My main "complaint" for the server-distros is that software/libraries tend to to be somewhat old, and the range of supported packages is much smaller than community driven efforts.
I.e. the long term support and the non-changing API's is something that commercial software vendors love, they won't have to rebuild their application for the newest libraries because the API suddenly changed. They can develop for Vendor Y Release X and know that this platform will be around for several years to come.
It's more about stability and rate of change than security, per se. Fedora is a platform for Red Hat to roll out new features and applications to validate their relevance, provide a platform to experiment, and work out integration issues.
That is usually not what you want a server to do -- you generally want a server to perform a function in the most stable way possible.
Depending on what you are doing, Fedora may be just fine. If you're developing Linux desktop apps, working with the bleeding edge may be desirable. Likewise, if you're working on a semester-long school project or some other limited duration project where the high tempo of changes isn't a concern, Fedora is fine as well.
The key point that keeps me from using Fedora for a server and preferring Debian, Ubuntu or CentOS instead is the stability and length of support. When you're running a server you want stability, security and longevity. Yes, almost every distro is packaging the same software so it doesn't matter there. It's a matter of what is tested, has security updates and is supported.
Fedora's release schedule of every 6 months is nice if you want bleeding edge but when talking about a server bleeding edge is not always a good thing. Add on top of that the fact Fedora only supports the last three versions that means you're looking at an unsupported OS in 18 months and having to upgrade. If you've ever done a Fedora upgrade they are usually bad and it's easier to do a clean install which on a desktop/laptop might not be so bad but for a server that means downtime and is unacceptable to most system administrators.
CentOS by far has the longest support cycle and during that time it is supported and security patches and updates are released so it's not the same release the entire time. The advantage of this is that you're not spending all your time preparing for the next upgrade. You have a stable server with stable tested software running on it.
Debian has a release schedule that is longer than Fedora but shorter then CentOS but is always up on security updates. The other advantage of Debian is a clean upgrade path. Debian releases are tested for both clean install and live upgrades and not actually released until it is able to be done successfully without problems. This attention to detail and willingness to push back a release date to clear more package bugs is one of it's strongest pros. The DEB package structure itself is also engineered to make upgrading very smooth and maintain your configurations. The only thing it's lacking really is commerical support, in which case you can look to Ubuntu which takes it's packages from Debian just like CentOS takes much of it's packaging from RHEL.
Edit: Added bold text to draw attention to fact that was obviously missed that I do not consider Fedora stable enough for a server platform.
My biggest argument would be:
Servers are not its primary intended audience
Likewise, I would not recommend using Ubuntu for a server environment, and many would disagree with me, but that's simply not the primary target.
Software that is targeted at home users and desktops tends to be lacking in the departments that are server-oriented, just like things that are targeted at the server don't work as well for home users.
Additionally, platforms targeted at home users tend to attract more home users, thus, the bugs that are discovered, reported, and fixed, will be prioritized due to that effect.
Likewise, platforms targeted at server use will tend to attract server use, and thus bugs related to server use will be more likely to have been found and solved by the time you get to them.
( I have at least one friend who has professional experience with Ubuntu in production environments and says he was entirely horrified by it, and would much prefer CentOS for production servers because. )
seLinux
Its important to note that seLinux does not imply security.
From the NSA's own seLinux website:
No Support.
Fedora does not have tech support contracts like Red Hat enterprise. There is no one to call if you have a show-stopping issue.
I'm a big fedora fan, I think it's wonderful, and I run it on all my desktops/laptops, but I wouldn't run it on any of my servers.
Fedora aims to be closer to the 'bleeding edge'. This means you will get newer software that has spent less time being tested. Since no release comes out at the exact same time it's hard to get exact numbers on this, but I feel that ubuntu is often one release behind on new features, while debian/centos/redhat are much further behind.
It's my impression that because of this there are more updates on fedora , but again I don't have any numbers to back this up.
What really swings it though it the lack of the LTS model that ubuntu has. You can install an ubuntu LTS a few months after it's been released and know that it's had plenty of time to sort out any major issues and settle down somewhat.
After that you know you have a minimum 4 years of further support and upgrades before you have to upgrade your server. I could live with any of the other potential issues with running fefora, but not with having to move release on each box a minimum of once per year (probably twice though).
Edit: Found some numbers...
Fedora 11 comes with openssh server version 5.2. When it's released ubuntu karmic will only have version 5.1, the same version that debian lenny has. The centos website is too crap for me to be able to find a version, but afaik they're on 4.x
It's not that fedora is insecure. It's that it ships with bleeding edge packages, and that it refreshes very quickly, so you have to go through upgrades every year or so to keep getting security updates. That's a big deal if you've got any non-trivial number of servers, especially given that the fedora update process (iirc) requires downtime.
The use of Fedora on a server versus something like CentOS, Debian, Ubuntu, Gentoo, Slackware, SLES, etc really comes down to the right tool for the job.
The main complaint you will find from server admins about Fedora on the server is the upgrade cycle every 6 months to a year (depending on whether you always want to be on the latest or skip every other release). As you pointed out, Fedora installs "secure by default" configurations and provides a lot of tools for maintaining a secure system. Especially on a server, the preupgrade tool will handle migrations between different Fedora releases just fine which mitigates that concern somewhat.
If you want a longer release cycle, then something like CentOS (which is essentially the free version of Red Hat Enterprise Linux) may be easier on your workload.
To summarize, I think you're just fine with Fedora if you're happy with it. I've never seen any evidence to indicate that Debian, Ubuntu, or CentOS are particularly more secure than Fedora.
Any operating system can be made secure. Two points about Fedora as a server. One, every time you upgrade a software version you are running the risk of introducing new bugs and security problems not present in the prior version. This is why companies will want to wait a year after software comes out before installing it, so a lot of the bugs and security issues can be fixed. You don't want to switch to new versions every time one comes out do to the migration headaches and new security issues involved. Second Fedora doesn't have the ability to get corporate support like RedHat or Ubuntu.