6 More Linux Distros for the Truly Paranoid
Previously, on Deepdotweb: I recommended five Linux distros you should check out in the article A Few Linux Distros For Dark Web Explorers.
So, I was asked to write a "sequel," and as you probably know, it's a challenge to make a sequel as good as the original. Nonetheless, there are a lot more Linux operating systems out there, and I managed to find a few that you all might want to check out.
"What? Did you say Subgraph?" Yes – in spite of the fact that Subgraph OS is easy to learn and use, it is considered by many to be one of the most secure operating systems.
In fact, The Hacker News recently referred to it as a "secure Linux operating system for non-technical users."
Part of the reason that Subgraph OS (let's just call it SOS) is geared toward noobs is that it comes with all the privacy and security options automatically configured. Plus, many other distros that emphasize security are very system resource-heavy, and can only be used with certain hardware.
They can also prove to be a real test for those who aren't accustomed to the steps required to get other Linux systems going.
One of SOS's design goals is to reduce the number of attack points to which the user might be vulnerable through several of its features, including:
- Automated Enhanced Protection with Application Sandboxing Using Containers – That's a mouthful, huh? SOS includes an interesting feature called Oz, which is a system for isolating programs. Through Oz, the system isolates programs so that if an attacker takes advantage of a security loophole, the rest of your computer will stay mostly unchanged. This is done by delimiting the access that applications have to other parts of the computer; therefore, if an attacker breaks through the security in one application, it won't easily allow them access to others.
- Mandatory Full Disk Encryption (FDE) – SOS includes mandatory Full Disk Encryption by default, so that users can easily start off with a layer of security.
- Anonymity through Tor – Ah yes, the "T" word! SOS routes all of your traffic through Tor, making it more difficult for attackers to detect your physical location.
It has many other security features as well; see their site above for full details.
"The Distro Formerly Known as Lightweight Portable Security" is now formally called Trusted End Node Security (TENS).
TENS, like Subgraph OS, creates a secure computing environment from trusted read-only media, and is designed for Intel-based computers. It boots a lightweight Linux-based operating system from a CD or USB drive (not unlike Tails and many of its contemporaries).
It is designed to serve as a Secure End Node; it boots only in RAM. In essence, it can turn an untrustworthy system (e.g. a home computer) into a secure network client.
One of its major features:
- Encryption Wizard (EW) – this is a simple but strong file and folder encryptor designed to protect sensitive (but not classified) information. EW, written in Java, can encrypt all file types for both data at rest and data in transit protection.
It is compatible with Windows, Mac, Linux, Solaris, and other computers that include support for Java.
Something you may (or may not) know is that the designers of TENS are none other than the U.S. Department of Defense, so I suppose it depends on how much you trust them!
One thing to note: if you Google this OS (particularly in Chrome) and try to click on the first few results, you may get a warning like this:
According to the DoD themselves, the links are secure; they go into more detail about it on their main site.
Anyhow, the actual download link (the one that's supposedly insecure) is here: Software Protection Initiative – Lightweight Portable Security. Click at your own risk…
Arch Linux, in the words of its creators, is "a lightweight and flexible Linux® distribution that tries to Keep It Simple."
It's a Linux distro for computers based on IA-32, x86-64, and ARM architectures. AL is, for the most part, based around binary packages, which can easily assist performance on current hardware.
To expedite frequent package changes, Arch Linux uses pacman (an abbreviation of "package manager"), developed by Judd Vinet; if you thought I was referring to the Atari game, sorry to disappoint you!
Among some of the interesting packages you can find in the "package search" (on the main website) are Accerciser, an interactive Python accessibility explorer for the GNOME desktop; Wireshark CLI, a free network protocol analyzer for Unix and Windows; and AbiWord, a fully-featured word processor.
So yeah – that's the fun stuff, but I'm sure you're wondering: what are its security features?
AL has quite a few "defensive features," but they include:
- A file permissions and attributes system
- Disk encryption
- Mandatory access control
- Sandboxing applications
There are others too, but they won't be any good without one important element. What is that? – what else? – you must choose a secure passphrase to protect each part of the system! As I discussed in No Dice: Diceware Passphrase Creation System, weak passwords can mean the difference between being a hacker's prime target or the one they choose to pass up. To see AL's further advice about passwords, read Security – ArchWiki – Passwords. (In fact, they specifically recommend the Diceware system as well!)
One of the reasons that strong passphrases are so integral to Arch Linux is that they're used to protect many of its features, such as user accounts, encrypted filesystems, and SSH/GPG keys. If you don't want total strangers snooping on those, then please don't use a password like "password."
There's a lot more to Arch Linux as well; to see some of its other applications, visit Arch Linux Wiki: List of Applications.
Is it weird that the name "Cyborg Linux" conjured up images of the Terminator and RoboCop in my head? No, probably not.
Its creators boldly describe it as the "world's most advanced, beautiful and powerful penetration distro ever." Well, can they back it up?
Cyborg Linux, like many other pen testing-oriented distros (such as Kali Linux), consists of an extensive variety of tools aimed at network investigation and vulnerability assessment. Among these are:
- Angry IP Scanner – a very rapid IP address and port scanner, which can scan both of these in any range.
- Nmap – a free, open-source scanner compatible with both Windows and Unix systems.
- Ghost Phisher – a computer security application that includes a Fake DNS Server, Fake DHCP Server, Fake HTTP Server, and other valuable "weapons," so to speak.
- WebScarab – a framework for analyzing applications that communicate via the HTTP and HTTPS protocols.
Really, these few tools are just a preview of Cyborg's massive arsenal. All in all, it includes over 750 penetration testing tools. I don't know about you, but if I had that at my disposal, I'd be like a kid in a candy store (albeit a potentially deadly one).
It's also completely free, which is quite handy, especially for those of us on a tight budget. To boot, it has full virtual machine support.
Of course, I wouldn't recommend it to a beginner, but that's not whom it was intended for!
Security Onion's motto is "peel back the layers of your network."
It, like Cyborg Hawk and Arch Linux, is a Linux distro designed for both security and penetration testing. Security Onion is based on Ubuntu which, believe it or not, is also highly secure!
Also like its Linux contemporaries, Security Onion is armed with a full repository of tools, including:
- Snort – an open-source network intrusion prevention system
- Suricata – a free, open-source network threat detection engine
- Bro – a network analysis framework
- OSSEC (Open Source HIDS SECurity) – a Unix system security monitor that watches all aspects of activity
SO's main advantage is that it easily combines three core pen testing functions: full packet capture; network-based and host-based intrusion detection systems (NIDS and HIDS, respectively); and a variety of powerful system analysis tools.
It's built on a distributed client-server model, meaning that an SO "sensor" works as the client, and an SO "server" is – what else? – the server!
As with other pen testing-oriented Linux distros, SO can take a fair amount of time to learn and get accustomed to, but once you do, you're (almost) unstoppable. It's nowhere near as simple as Subgraph OS, but it feels as though you can do a lot more with it.
What I'm not sure of, at the moment, is whether it's actually better than the other Linux distros that serve similar purposes. In order to determine which one is the best, you would have to have a competition of some kind. Hey guys – wanna have a "battle of the distros"?
Finally, there's Pentoo, which, as its name implies, is also designed for pen testing.
Pentoo is a security-focused live CD operating system based on Gentoo. The major difference, with Pentoo, is that it includes many customized tools, such as:
- A hardened kernel with AuFS patches
- Module loading support, in the style of Slax
- Cuda/OpenCL cracking support with development tools
Its dev team is made up of a few guys who happened to be big fans of Gentoo, and wanted to create their own version of it. They go by the names of Grimmlin, Zero_Chaos, Anton Bolshakov (blshkv), and Stefan Kuhn (Wuodan).
If you're unfamiliar with Gentoo, it might be good to get to know that OS first before diving into Pentoo – that's your choice, of course.
I'm not sure what else to say about it, as I unfortunately have less experience with this one. That being said, if the idea intrigues you, check out their site and see what resources they have available.
One page they feature that's helpful for beginners is a list of boot cheat codes, which you can use to configure the system at startup. For example:
Changes=/dev/sdXY Allow you to specify where to store configs, etc. In case you have a harddisk partition in FAT, ext2/3 or reiserfs, you can specify it there so you should be asked if you want to store stuff on it.
My impression is that Pentoo, while based on an established distro, is in somewhat of a beta phase, so be careful with it. On the other hand, maybe you could be one of the guinea pigs to try it out, and perhaps even contribute to it!
If that's your cup of tea, fork them at GitHub: Pentoo.
Have I Made You a Linux User Yet?
In conclusion, I hope that some of these have piqued your interest, and perhaps even recruited a few new Linuxians!
Most of the above OS's will take time and concerted effort to learn, but I think it should all pay off. As I always say, if I still haven't included your favorite Linux distro, feel free to suggest it in the comments. I just might try it out…and maybe even feature it in the next article.
By the way…my "secure password" is "12345."