January 16, 2008

Annvix: A stable, secure, no-frills server distro

Author: Preston St. Pierre

Annvix is a distribution aimed at providing a secure, stable, and fast base for servers. Be warned, however: Annvix is not for everyone.

When you boot the Annvix netinstall CD, you're greeted with a shell and informed that the root password is "root" and should be changed. It also advises that you set up your network and use lynx on another terminal to browse the documentation for the install. Already I could tell that this was not going to be your average user-friendly GUI installer.

Before doing that, however, I tried to switch my keyboard to Dvorak using loadkeys dvorak as usual. This did not work. I assumed that Dvorak wasn't included and continued, setting up my network and reading the documentation. It assured me that Dvorak was installed, and after looking in the appropriate directory I found that to be true. I had to give loadkeys the full path for it to work, which is not the behavior I'm used to, but I guess that's why it's one of the first things mentioned in the documentation.

After setting up my partitions with fdisk and adding the swap partition manually as instructed by the docs, I mounted the soon-to-be-Annvix partition and executed the install-pkgs command that the netinstaller uses to copy packages over. Despite my having done as the documentation told me and manually setting a new root password, the installer prompted me to change it again. It then copied all the packages over fairly quickly while I read a bit about Annvix on its Web site. The front end to the package manager is clearly APT, but the back end used is RPM. The developers feel that APT offers a more usable interface than yum, and that RPM is a good package manager.

When the copy was complete I rebooted. The initial boot was so surprisingly fast that I rebooted to time it. It took 17 seconds from the bootloader to a login prompt, including just over five seconds of waiting on DHCP, which could be avoided. This is much faster than any other vanilla install I've booted on my AMD Sempron 2800 with 512MB of memory. Certainly there didn't seem to be much bloat in Annvix.

When I logged in and ran apt-get update && apt-get dist-upgrade to pull down the latest code, it ran smoothly, and repeating it caused a kernel upgrade as well. I rebooted to the new kernel and everything ran properly except the loadkeys dvorak command, which now worked without the full path but only if I added the extension to the file -- again, nonstandard behavior.

I tried to install nano, my preferred text editor for quick updates, only to find it wasn't in the repository. As a matter of fact, when I looked around, I found there were a lot of things missing from the repository, the most notable of which is probably X11/xorg. There are a few libraries referencing x11 but nothing complete, and no xorg packages. I could also find no window managers, which only reinforced my belief that the packages referencing x11 were ghost packages. Clearly the Annvix developers are keen on cutting unnecessary bloat.

There were, however, many important server packages available. While perhaps not containing the widest variety of each type of server, they cover a large range of requirements with Apache2, MySQL, PostgreSQL, NFS utils, Samba, OpenLDAP, OpenNTPD, SpamAssassin, Subversion, Pure-FTPD, Exim, BIND, Dovecot and OpenSSH. Also notable were gcc and all the related libraries, Perl, and Python. A package for Apache+Perl and one for Apache+PHP were both available, so I installed the Apache+PHP package as well as MySQL. I set up the users for MySQL, then attempted to run a test page. While PHP had been installed, Apache had not been automatically configured to use it. After all the manual configuration Annvix had required so far this didn't really surprise me. MySQL proved to work properly without any interference, and after I set up Apache, everything I required from my server seemed to work.

It was certainly as bare-bones as it could get. But was it secure?

Two important packages in the repository are Snort, a network intrusion detection system (IDS), and Aide, a host-based IDS made to replace Tripwire. A network IDS monitors network traffic for known attack patterns and possible security concerns. A host-based IDS monitors essential system files, such as the password and shadow files, to see if they have been modified. When they are modified in ways that don't meet the security policy (for example, a new user being added may be OK, but the root user's password changing may be flagged) the software contacts the system administrator. These are both essential tools, along with regular updates, involved in keeping a server secure. I installed both of them, then used Nikto and Nmap on a separate system to scan my Annvix server. Snort picked up on the regular scans as expected, but it surprisingly also picked up on and properly identified the scans which were specifically designed to evade detection systems. This, coupled with the fact that Nessus picked up no viable vulnerabilities while also being detected by Snort, gave me fair evidence that the Annvix install was relatively secure.
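
The host-based policy idea described above (a new user may be acceptable, a changed root password is flagged) can be sketched as follows. This is an added example, not code from Aide or Annvix; the snapshots, placeholder hashes, severity names, and the function names parse_shadow and compare are all assumptions made for illustration.

```python
# Added illustration: policy-aware comparison of two shadow-style snapshots.
# All sample data is constructed; the hash values are placeholders.

BASELINE = """\
root:$6$constructedsalt$AAAA:13894:0:99999:7:::
www:!:13894:0:99999:7:::
"""

CURRENT = """\
root:$6$constructedsalt$BBBB:13895:0:99999:7:::
www:!:13894:0:99999:7:::
alice:$6$constructedsalt$CCCC:13895:0:99999:7:::
"""


def parse_shadow(text):
    """Map account name -> password field of a shadow(5)-style file."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed line: skip it rather than crash
        entries[fields[0]] = fields[1]
    return entries


def compare(baseline, current, protected=("root",)):
    """Return sorted (severity, account, reason) tuples for the differences."""
    old, new = parse_shadow(baseline), parse_shadow(current)
    findings = []
    for name in new.keys() - old.keys():
        findings.append(("ok", name, "account added"))
    for name in old.keys() - new.keys():
        findings.append(("review", name, "account removed"))
    for name in old.keys() & new.keys():
        if old[name] != new[name]:
            # A changed password on a protected account is what gets escalated.
            severity = "alert" if name in protected else "review"
            findings.append((severity, name, "password field changed"))
    return sorted(findings)


if __name__ == "__main__":
    for severity, name, reason in compare(BASELINE, CURRENT):
        print(f"[{severity}] {name}: {reason}")
```

A real host-based IDS keeps its baseline in a protected database and compares file hashes and attributes; the content-aware policy here only mirrors the example given in the text.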

All in all, Annvix proved to be almost exactly what it advertised -- a stable, secure, server-oriented distribution providing a base platform for whoever needs it. It is very well documented and reliant on an administrator for configuration instead of scripts. If you have been wanting to get into the nitty gritty of GNU/Linux for some time and didn't know where to start, Annvix is a great base until you're ready to build your own distribution from scratch. It will force you to learn by doing, and it guides you each step of the way. Anyone looking for a server distribution might find Annvix a viable alternative to a solid but out-of-date Debian base. Either way, Annvix is worth looking into.
