6 More Linux Distros for the Truly Paranoid
Previously, on Deepdotweb: I recommended five Linux distros you should check out in the article A Few Linux Distros For Dark Web Explorers.
So, I was asked to write a “sequel,” and as you probably know, it’s a challenge to make a sequel as good as the original. Nonetheless, there are a lot more Linux operating systems out there, and I managed to find a few that you all might want to check out.
“What? Did you say Subgraph?” Yes – in spite of the fact that Subgraph OS is easy to learn and use, it is considered by many to be one of the most secure operating systems.
In fact, The Hacker News recently referred to it as a “secure Linux operating system for non-technical users.”
Part of the reason that Subgraph OS (let’s just call it SOS) is geared toward noobs is that it comes with all the privacy and security options automatically configured. Plus, many other distros that emphasize security are very system resource-heavy, and can only be used with certain hardware.
They can also prove to be a real test for those who aren’t accustomed to the steps required to get other Linux systems going.
One of SOS’s design goals is to reduce the number of attack points to which the user might be vulnerable through several of its features, including:
- Automated Enhanced Protection with Application Sandboxing Using Containers – That’s a mouthful, huh? SOS includes an interesting feature called Oz, which is a system for isolating programs. Through Oz, the system isolates programs so that if an attacker takes advantage of a security loophole, the rest of your computer stays mostly unaffected. This is done by limiting the access that applications have to other parts of the computer; therefore, if an attacker breaks through the security of one application, it won’t easily give them access to the others.
- Mandatory Full Disk Encryption (FDE) – SOS enforces Full Disk Encryption by default, so users start off with a layer of security without having to configure it themselves.
- Anonymity through Tor – Ah yes, the “T” word! SOS routes all of your traffic through Tor, making it more difficult for attackers to detect your physical location.
It has many other security features as well; see their site above for full details.
“The Distro Formerly Known as Lightweight Portable Security” is now formally called Trusted End Node Security (TENS).
TENS, like Subgraph OS, creates a secure computing environment from trusted read-only media, and is designed for Intel-based computers. It boots a lightweight Linux-based operating system from a CD or USB drive (not unlike Tails and many of its contemporaries).
It is designed to serve as a Secure End Node and boots entirely into RAM, writing nothing to the host’s disk. In essence, it can turn an untrustworthy system (e.g. a home computer) into a secure network client.
One of its major features:
- Encryption Wizard (EW) – this is a simple but strong file and folder encryptor designed to protect sensitive (but not classified) information. EW, written in Java, can encrypt all file types for both data at rest and data in transit protection.
It is compatible with Windows, Mac, Linux, Solaris, and other computers that include support for Java.
Something you may (or may not) know is that the designers of TENS are none other than the U.S. Department of Defense, so I suppose it depends on how much you trust them!
One thing to note: if you Google this OS (particularly in Chrome) and try to click on the first few results, you may get a warning like this:
According to the DoD themselves, the links are secure; they go into more detail about it on their main site.
Anyhow, the actual download link (the one that’s supposedly insecure) is here: Software Protection Initiative – Lightweight Portable Security. Click at your own risk…
Arch Linux, in the words of its creators, is “a lightweight and flexible Linux® distribution that tries to Keep It Simple.”
It’s a Linux distro for computers based on IA-32, x86-64, and ARM architectures. AL is, for the most part, built around binary packages, which helps it perform well on current hardware.
To expedite frequent package changes, Arch Linux uses pacman (an abbreviation of “package manager”), developed by Judd Vinet; if you thought I was referring to the Atari game, sorry to disappoint you!
Among some of the interesting packages you can find in the “package search” (on the main website) are Accerciser, an interactive Python accessibility explorer for the GNOME desktop; Wireshark CLI, a free network protocol analyzer for Unix and Windows; and AbiWord, a fully-featured word processor.
So yeah – that’s the fun stuff, but I’m sure you’re wondering: what are its security features?
AL has quite a few “defensive features,” including:
- A file permissions and attributes system
- Disk encryption
- Mandatory access control
- Sandboxing applications
There are others too, but they won’t be any good without one important element. What is that? – what else? – you must choose a secure passphrase to protect each part of the system! As I discussed in No Dice: Diceware Passphrase Creation System, weak passwords can mean the difference between being a hacker’s prime target or the one they choose to pass up. To see AL’s further advice about passwords, read Security – ArchWiki – Passwords. (In fact, they specifically recommend the Diceware system as well!)
One of the reasons that strong passphrases are so integral to Arch Linux is that they’re used to protect many of its features, such as user accounts, encrypted filesystems, and SSH/GPG keys. If you don’t want total strangers snooping on those, then please don’t use a password like “password.”
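Since both the article and the ArchWiki point at Diceware, here is an added example (not code from the article, from Arch Linux, or from the Diceware project) showing what the method actually buys you: words are picked uniformly from a list with the OS-backed `secrets` module, and the strength is simply `words × log2(list size)` bits. The word list below is a constructed 36-entry stand-in for the real 7776-word Diceware list; the functions work unchanged with the real list.

```python
"""Diceware-style passphrase generation with an entropy estimate.

Added example, not from the article. Uses `secrets` (OS CSPRNG), never
`random`, which is not suitable for anything security-sensitive.
"""
import math
import secrets

# CONSTRUCTED stand-in word list. Real Diceware uses 6^5 = 7776 words
# indexed by five dice rolls; the technique is identical, only the
# list size (and therefore the bits per word) differs.
WORDLIST = [
    "anchor", "basil", "cobalt", "dune", "ember", "falcon", "garnet", "harbor",
    "iris", "juniper", "kestrel", "lantern", "marble", "nectar", "orbit", "pebble",
    "quartz", "ripple", "saddle", "timber", "umber", "velvet", "walnut", "xenon",
    "yarrow", "zephyr", "amber", "birch", "cedar", "delta", "echo", "fjord",
    "glacier", "heron", "ivory", "jasper",
]
# Uniform selection only gives the computed entropy if no word repeats.
assert len(set(WORDLIST)) == len(WORDLIST)


def entropy_bits(num_words: int, list_size: int = len(WORDLIST)) -> float:
    """Entropy in bits of num_words words drawn uniformly from list_size
    entries: log2(list_size ** num_words) = num_words * log2(list_size)."""
    return num_words * math.log2(list_size)


def words_needed(target_bits: float, list_size: int = len(WORDLIST)) -> int:
    """Smallest word count whose entropy meets or exceeds target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(num_words: int, wordlist=WORDLIST, sep: str = " ") -> str:
    """Pick num_words words with secrets.choice (uniform, CSPRNG-backed).
    Repeated words are allowed; that is what makes every draw independent."""
    if num_words < 1:
        raise ValueError("need at least one word")
    return sep.join(secrets.choice(wordlist) for _ in range(num_words))


def is_valid_passphrase(phrase: str, num_words: int, wordlist=WORDLIST, sep: str = " ") -> bool:
    """True if phrase is exactly num_words words, all from wordlist."""
    parts = phrase.split(sep)
    return len(parts) == num_words and all(p in wordlist for p in parts)


if __name__ == "__main__":
    # With the real 7776-word list, six words give about 77.5 bits.
    print(f"6 real Diceware words: {entropy_bits(6, 7776):.1f} bits")
    n = words_needed(80)
    print(f"{n} words from this {len(WORDLIST)}-word list: {entropy_bits(n):.1f} bits")
    print(generate_passphrase(n))
```

The point the numbers make: a small list is not a weakness as long as you draw enough words from it, and a long list is no help if the words are chosen by a human rather than by dice or a CSPRNG.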
There’s a lot more to Arch Linux as well; to see some of its other applications, visit Arch Linux Wiki: List of Applications.
Is it weird that the name “Cyborg Linux” conjured up images of the Terminator and RoboCop in my head? No, probably not.
Its creators boldly describe it as the “world’s most advanced, beautiful and powerful penetration distro ever.” Well, can they back it up?
Cyborg Linux, like many other pen testing-oriented distros (such as Kali Linux), consists of an extensive variety of tools aimed at network investigation and vulnerability assessment. Among these are:
- Angry IP Scanner – a very rapid IP address and port scanner, which can scan both of these in any range.
- Nmap – a free, open-source scanner compatible with both Windows and Unix systems.
- Ghost Phisher – a computer security application that includes a Fake DNS Server, Fake DHCP Server, Fake HTTP Server, and other valuable “weapons,” so to speak.
- WebScarab – a framework for analyzing applications that communicate via the HTTP and HTTPS protocols.
Really, these few tools are just a preview of Cyborg’s massive arsenal. All in all, it includes over 750 penetration testing tools. I don’t know about you, but if I had that at my disposal, I’d be like a kid in a candy store (albeit a potentially deadly one).
It’s also completely free, which is quite handy, especially for those of us on a tight budget. To boot, it has full virtual machine support.
Of course, I wouldn’t recommend it to a beginner, but that’s not whom it was intended for!
Security Onion’s motto is “peel back the layers of your network.”
It, like Cyborg Hawk and Arch Linux, is a Linux distro designed for both security and penetration testing. Security Onion is based on Ubuntu which, believe it or not, is also highly secure!
Also like its Linux contemporaries, Security Onion is armed with a full repository of tools, including:
- Snort – an open-source network intrusion prevention system
- Suricata – a free, open-source network threat detection engine
- Bro – a network analysis framework
- OSSEC (Open Source HIDS SECurity) – a Unix system security monitor that watches all aspects of activity
SO’s main advantage is that it easily combines three core pen testing functions: full packet capture; network-based and host-based intrusion detection systems (NIDS and HIDS, respectively); and a variety of powerful system analysis tools.
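The NIDS half of that combination produces a stream of alerts that someone has to read. As an added example (not Security Onion’s, Snort’s or Suricata’s own code), the script below parses the single-line “fast” alert format that both Snort and Suricata can emit and does the first-pass triage an analyst would: count by priority, find the noisiest signature and the noisiest source, and keep a count of lines that did not parse instead of dropping them silently. The log lines are constructed: the SIDs are in the 1000000+ range reserved for local rules, the message texts are invented, and the addresses come from private and documentation ranges.

```python
"""Parse Snort/Suricata fast-format alert lines and summarize them.

Added example, not from Security Onion. Handles lines of the form
  timestamp  [**] [gid:sid:rev] message [**] [Classification: ...]
  [Priority: N] {PROTO} src:port -> dst:port
The Classification field is optional and ICMP lines carry no ports.
"""
import re
from collections import Counter

# CONSTRUCTED sample log (invented messages, local-rule SIDs, RFC 5737 /
# RFC 1918 addresses). The last line is deliberately malformed.
SAMPLE_FAST_LOG = """\
03/14-10:02:11.512345  [**] [1:1000001:2] LOCAL Suspicious outbound beacon to uncommon port [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.23:49152 -> 203.0.113.7:4444
03/14-10:02:12.004001  [**] [1:1000002:1] LOCAL Inbound SSH brute-force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.9:55012 -> 192.168.1.10:22
03/14-10:02:12.004001  [**] [1:1000002:1] LOCAL Inbound SSH brute-force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.9:55013 -> 192.168.1.10:22
03/14-10:03:40.770000  [**] [1:1000003:1] LOCAL ICMP echo sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.9 -> 192.168.1.10
garbage line that is not an alert
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"                      # timestamp (Snort or Suricata style)
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"   # generator:signature:revision
    r"(?P<msg>.+?)\s+\[\*\*\]\s+"                      # rule message (lazy, up to [**])
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"   # optional classification
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9-]+)\}\s+"
    rf"(?P<src>{IPV4})(?::(?P<sport>\d+))?\s+->\s+"
    rf"(?P<dst>{IPV4})(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line: str):
    """Return a dict for one fast-format alert line, or None if it does not match."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        rec[key] = int(rec[key])
    # Ports are absent on ICMP lines; keep None rather than a fake 0.
    rec["sport"] = int(rec["sport"]) if rec["sport"] else None
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec


def parse_fast_log(text: str):
    """Parse every non-empty line; return (alerts, count_of_unparseable_lines)."""
    alerts, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_alert(line)
        if rec is None:
            skipped += 1   # a malformed line is itself worth a metric, not silence
        else:
            alerts.append(rec)
    return alerts, skipped


def summarize(alerts):
    """First-pass triage: volume by priority, noisiest signature, noisiest source."""
    by_prio = Counter(a["prio"] for a in alerts)
    by_sig = Counter((a["sid"], a["msg"]) for a in alerts)
    by_src = Counter(a["src"] for a in alerts)
    return {
        "total": len(alerts),
        "priority_1": by_prio.get(1, 0),
        "by_priority": dict(by_prio),
        "top_signature": by_sig.most_common(1)[0] if by_sig else None,
        "top_source": by_src.most_common(1)[0] if by_src else None,
    }


if __name__ == "__main__":
    found, bad = parse_fast_log(SAMPLE_FAST_LOG)
    print(f"parsed {len(found)} alerts, {bad} unparseable line(s)")
    for k, v in summarize(found).items():
        print(f"{k}: {v}")
```

On a real sensor you would point `parse_fast_log` at the contents of the fast alert file rather than the embedded sample; the regex deliberately accepts both the Snort (`MM/DD-HH:MM:SS`) and Suricata (`MM/DD/YYYY-HH:MM:SS`) timestamp styles because Security Onion can run either engine.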
It’s built on a distributed client-server model, meaning that an SO “sensor” works as the client, and an SO “server” is – what else? – the server!
As with other pen testing-oriented Linux distros, SO can take a fair amount of time to learn and get accustomed to, but once you do, you’re (almost) unstoppable. It’s nowhere near as simple as Subgraph OS, but it feels as though you can do a lot more with it.
What I’m not sure of, at the moment, is whether it’s actually better than the other Linux distros that serve similar purposes. In order to determine which one is the best, you would have to have a competition of some kind. Hey guys – wanna have a “battle of the distros”?
Finally, there’s Pentoo, which, as its name implies, is also designed for pen testing.
Pentoo is a security-focused live CD operating system based on Gentoo. The major difference, with Pentoo, is that it includes many customized tools, such as:
- A hardened kernel with AuFS patches
- Module loading support, in the style of Slax
- Cuda/OpenCL cracking support with development tools
Its dev team is made up of a few guys who happened to be big fans of Gentoo, and wanted to create their own version of it. They go by the names of Grimmlin, Zero_Chaos, Anton Bolshakov (blshkv), and Stefan Kuhn (Wuodan).
If you’re unfamiliar with Gentoo, it might be good to get to know that OS first before diving into Pentoo – that’s your choice, of course.
I’m not sure what else to say about it, as I unfortunately have less experience with this one. That being said, if the idea intrigues you, check out their site and see what resources they have available.
One page they feature that’s helpful for beginners is a list of boot cheat codes, which you can use to configure the system at startup. For example:
Changes=/dev/sdXY – Allows you to specify where to store configs, etc. If you have a hard disk partition formatted as FAT, ext2/3 or reiserfs, you can specify it here, and you will be asked whether you want to store data on it.
My impression is that Pentoo, while based on an established distro, is in somewhat of a beta phase, so be careful with it. On the other hand, maybe you could be one of the guinea pigs to try it out, and perhaps even contribute to it!
If that’s your cup of tea, fork them at GitHub: Pentoo.
Have I Made You a Linux User Yet?
In conclusion, I hope that some of these have piqued your interest, and perhaps even recruited a few new Linuxians!
Most of the above OS’s will take time and concerted effort to learn, but I think it should all pay off. As I always say, if I still haven’t included your favorite Linux distro, feel free to suggest it in the comments. I just might try it out…and maybe even feature it in the next article.
By the way…my “secure password” is “12345.”