thelinuxlink.net

I am surprised Troels has not spammed this board already with the news

allix wrote:I am surprised Troels has not spammed this board already with the news

Well, I'm extremely busy writing a paper which is a part of my exams in Danish, so I havn't had the chance to upgrade one or more of the three machines that I run OpenBSD on. Plus, I get the feeling, that I am the only OpenBSD user in here, so I've come to assume that people don't really care.

I think Pat planned on using a flavor of BSD for his mail server. Perhaps OpenBSD 4.1 would do the job?

I use openbsd on the server but I dont plan on upgrading any time soon. I was actually thinking about backing everything up and giving freebsd a shot since I haven't tried it in a few years.

Tsuroerusu wrote:

allix wrote: Plus, I get the feeling, that I am the only OpenBSD user in here, so I've come to assume that people don't really care.

As much as I love Linux, OpenBSD is still God for servers. I own many OpenBSD releases in the great box sets that they get shipped in.

schotty wrote:

Tsuroerusu wrote:Plus, I get the feeling, that I am the only OpenBSD user in here, so I've come to assume that people don't really care.

As much as I love Linux, OpenBSD is still God for servers.

Oh! I see I'm not all alone in using OpenBSD and being on this forum!

I'm running a web server on OpenBSD, and let me tell you something, I have just gone nuts with the security settings!
Apache is running through SSL, with the chrooting. Since I don't mind not having it, I've eliminated any sort of root access over the network (If I need root access, I use a serial console prompt). I've put schg kernel flags recursively on the /bin, /sbin, /usr/bin, /usr/sbin and on a bunch of files in the /etc directory. I also run the system at securelevel 2, because I can!

Sure, I don't think anyone is gonna really try to get into my web server, but I'm a security junkie. OpenBSD ships cryptography because they can (See for yourself: http://www.openbsd.org/crypto.html#why), I deploy Pentagon-like (OK, maybe not) computer security in my room because I can!

schotty wrote:I own many OpenBSD releases in the great box sets that they get shipped in.

I have 3.9 and 4.0, I plan to buy 4.1 when I get the cash for it.

Although OpenBSD is secure , there are a lot of security technology that is almost taken for granted in FreeBSD, linux and at least Solaris if not other systems , which is not available in OpenBSD.

Some of the technology missing in OpenBSD is mandatory access control,(MAC) filesystem Access Control List,(ACL) Basic Security Module,(BSM) Pluggable Authentication Modules (PAM) , system-level virtualization (eg. FreeBSD jails). WPA 1/2

Due to the missing above, quite a few people question OpenBSD's security....

I fully understand that OpenBSD takes the simple security opposed to complex security.


/me awaits Troels reply

I love security as much as the next guy but is that all really necessary? Maybe if I was someone like Google I would run it but other than that I don't think too many boxes running Linux have been hacked, I would be more concerned about speed. I think encrypting your memory and harddrive is a little extreme but maybe I am wrong in this respect. How many Linux computers do you know of that have gotten hacked?

CptnObvious999 wrote:How many Linux computers do you know of that have gotten hacked?

The more important number to know is how many have been hacked that we don't know about.

Linux boxes get hacked on a regular basis I'm sure. And it's done through either lax security or unpatched software vulnerablities (yes, both can be considered one reason).

CptnObvious999 wrote:I love security as much as the next guy but is that all really necessary?

We tend to take it for granted. If you did not have all the security, you would want it .

CptnObvious999 wrote:How many Linux computers do you know of that have gotten hacked?

According to http://www.zone-h.org/ , every day there are web sites running on some form of linux that have defaced, proberly due to incorrectly setup web servers than software insecurities.

Bruce Scneier often talks about how you can have the best mathematically sound encryption, but if the user does not know how to use it , its worthless.

Eh, ultimately the only secured computer is one unplugged from the internet, locked away somewhere. For me, and most other people Linux is secure enough. I don't feel like my system is any less secure than BSD, Solaris, Mac OS X, or anything else out there. It just comes down to where your comfort zone lies. Where you draw the line between security and functionality, and security and convenience. I've been running Linux on my machines at home for 3 years now, and I have never gotten a virus, or hacked in any fashion to my knowledge.

It's possible to run ANY operating system securely, as long as the system administrator is competent. A fully patched Windows XP SP2 box can be more secure than an OpenBSD box that is full of security holes, and being run by a script kiddie who doesn't know what he's doing. The user is the most unpredictable and unstable element, and is really the biggest security threat.

Tsuroerusu wrote:

allix wrote:I am surprised Troels has not spammed this board already with the news

Well, I'm extremely busy writing a paper which is a part of my exams in Danish, so I havn't had the chance to upgrade one or more of the three machines that I run OpenBSD on. Plus, I get the feeling, that I am the only OpenBSD user in here, so I've come to assume that people don't really care.

/gives Tsuro a great big hug.

I'm actually a big OpenBSD fan, since around 3.2. The only reason I don't run it currently is that my FreeBSD 4.11 server is insanely stable so I see no particular reason to change.

First off, I also believe that users are probably the biggest security hole. I have to admit though that I used to run SimplyMepis 3.1 on a box and ran a website off of it, and never had any issues with this machine showing any signs of being hacked. This was when I was a dumb super newbie too. Now I'm so concerned about security I don't run any computers as webservers facing the internet, because I'm afraid I just don't know enough to keep them safe.

A few months back at our LUG we had a presentation showing kernel hacking. The presenter was running a Debian server as his example. The night before he was going to present, he ran "apt-get upgrade" and the next morning the security hole he was going to use to "hack" the kernel had been plugged in the last upgrade. So all he could talk about was the theory behind hacking into the kernel in C, but because of Debian's faithful security team, he couldn't actually "hack" the machine.

I also think it is great that guys are running OpenBSD and enjoying using and testing the security of those systems. Most of the people who are doing this sound like their are doing it at home as part of their computing hobby. That is just cool that you could run a more secure server in your home thanks to free and open source software than companies who spend thousands on their computers and operating systems each year. Keep running the BSD's and Linux's and all this great stuff!!!

allix wrote:

CptnObvious999 wrote:How many Linux computers do you know of that have gotten hacked?

According to http://www.zone-h.org/ , every day there are web sites running on some form of linux that have defaced, proberly due to incorrectly setup web servers than software insecurities.

Bruce Scneier often talks about how you can have the best mathematically sound encryption, but if the user does not know how to use it , its worthless.

Now how many Linux boxes are on the internet? A crapload, only a very small percentage get hacked.

Wally Balljacker wrote:Eh, ultimately the only secured computer is one unplugged from the internet, locked away somewhere. For me, and most other people Linux is secure enough. I don't feel like my system is any less secure than BSD, Solaris, Mac OS X, or anything else out there. It just comes down to where your comfort zone lies. Where you draw the line between security and functionality, and security and convenience. I've been running Linux on my machines at home for 3 years now, and I have never gotten a virus, or hacked in any fashion to my knowledge.

It's possible to run ANY operating system securely, as long as the system administrator is competent. A fully patched Windows XP SP2 box can be more secure than an OpenBSD box that is full of security holes, and being run by a script kiddie who doesn't know what he's doing. The user is the most unpredictable and unstable element, and is really the biggest security threat.

Thats my stance, I have never had any security problems with Linux so I am happy with it and I don't think most people need that kind of security.

mowestusa wrote:First off, I also believe that users are probably the biggest security hole. I have to admit though that I used to run SimplyMepis 3.1 on a box and ran a website off of it, and never had any issues with this machine showing any signs of being hacked. This was when I was a dumb super newbie too. Now I'm so concerned about security I don't run any computers as webservers facing the internet, because I'm afraid I just don't know enough to keep them safe.

True, there is no patch for human stupidity. But if you are smart you are at much less a risk.

Wally Balljacker wrote:Eh, ultimately the only secured computer is one unplugged from the internet, locked away somewhere. For me, and most other people Linux is secure enough. I don't feel like my system is any less secure than BSD, Solaris, Mac OS X, or anything else out there. It just comes down to where your comfort zone lies. Where you draw the line between security and functionality, and security and convenience. I've been running Linux on my machines at home for 3 years now, and I have never gotten a virus, or hacked in any fashion to my knowledge.

Exactly, not to your knowledge? We can all agree the your ordinary, garden variety virus isn't going to break into your system. but that means that who ever does try and break into your system is sophisticated. Do you know how to detect a rootkit on your machine? do you run an IDS? All I'm trying to say is that I wouldn't get too comfortable.

Wally Balljacker wrote: It's possible to run ANY operating system securely, as long as the system administrator is competent. A fully patched Windows XP SP2 box can be more secure than an OpenBSD box that is full of security holes, and being run by a script kiddie who doesn't know what he's doing. The user is the most unpredictable and unstable element, and is really the biggest security threat.

Obviously security is a process and human beings are the weak link, but OpenBSD really isn't just hype. For example, OpenBSD by default incorporates propolice stack smashing protection and W^X memory page protection. Granted you can get something similar on Linux but you'd need to a specially patched 3.X series GCC to compile a patched kernel. I'm not sure there are any non-firewall distro of linux comes with both in the default install.

Also, just in general if you look at some of their kernel code, you can see how incredibly paranoid/careful/disciplined they are about every single memory allocation and pointer. If you want to see good C code, OpenBSD is where you should go.