Contributed by jose on from the action dept.
Secure, functional, open, all of the principles of OpenBSD in action for someone.
(Comments are closed)
OpenBSD Journal
By Anonymous Coward () on
(N.B. Yes, I do realize that some software currently is better run on other OSs for compatibility or performance reasons -- I'm not saying OBSD is always the right choice or really commenting on this particular business's practices, just the OBSD = firewall idea in general.)
Comments
By anders () on
When pressure is put on the IT people or consultants to secure the network a bit, it is a lot cheaper but still effective to install some secure firewalls and routers, so people look to OpenBSD. Changing everything to OBSD (which of course we would certainly be in favor of :) costs more and is often not needed, at least from management's standpoint.
Thus OBSD is seen most frequently as a firewall OS, when it really is a lot more.
By garbonzo () on
By Grant () gbayley at wiretapped dot net on http://www.wiretapped.net/~gbayley/
In a world of compromise, some don't.
By Anonymous Coward () on
It is too bad so many people feel that OpenBSD is to be used only as a firewall.
By Anonymous Coward () on
I agree. Put a perfect firewall in front of an unpatched IIS web server and you've solved almost nothing. I'm not an expert, but my approach is to run Apache on the OpenBSD box as well, so that even if someone finds a web server vulnerability they hopefully will have a relatively difficult time rooting the box. Once the non-executable stack code is rolled in this strategy should be pretty solid, I think.
By Anonymous Coward () on
Because there are a lot of Apache installations on Linux, people will know how to exploit them. The same (future) bugs (may) exist on OBSD, but you are less likely to be attacked because no one can be bothered.
The counterpoint is....
All the stack protection, non-exec pages and systrace limit the worth of an OBSD machine's compromise to such a level that we probably do not care much. Although a DoS against high profile sites / services appears to be enough for people to be bothered.
By mra () on
In the case of running an unpatched IIS server behind an OpenBSD firewall I again have to say that there is a much better level of protection. Code Red may be able to come in, but it can't go out. Same with the OpenSSH bug. I actually didn't patch my firewall right away because the exploit as it was released could not take advantage of my network. The only port going out on that machine already had the ssh daemon bound to it, so Gobbles' shell bound to port 128 did nothing.
Lastly I'd have to say that once the local IT staff find out how easy and inexpensive OpenBSD is they will tend to move it off the firewall and set it up as the internal DNS or DHCP server. No, they aren't going to run Oracle on it, but they do start to realize that they can use it for more.
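The egress-filtering point in the comment above (an exposed service stays reachable, but a host behind the firewall cannot open connections outward, so a worm that gets in cannot scan or call out) as an added pf.conf illustration. This is not from the thread or from any poster; the interface names and the server address are assumptions.

```pf
# Added illustration of the egress-filtering idea above; not from the thread.
# Interface names and the server address are assumptions (192.0.2.10 is a
# constructed documentation address).
ext_if = "fxp0"           # assumed outside interface
dmz_if = "fxp1"           # assumed interface facing the web server
webserver = "192.0.2.10"

# Default deny in both directions; logged so attempts show up in pflog.
block log all

# Loopback is never filtered.
pass quick on lo0 all

# The one exposed service: inbound HTTP to the web server. The state entry
# created here also covers the server's replies, so nothing else is needed
# for legitimate traffic.
pass in  on $ext_if proto tcp from any to $webserver port 80 flags S/SA keep state
pass out on $dmz_if proto tcp from any to $webserver port 80 flags S/SA keep state

# Deliberately absent: any rule letting $webserver originate connections.
# A worm that gets in through port 80 and then tries to scan out, fetch a
# payload, or connect back hits "block log all" and is logged instead.
# The limit the later comments raise still holds: this does nothing for the
# service that the pass rule above exposes; only patching fixes that.
```

Check it with `pfctl -nf /etc/pf.conf` before loading, and watch `tcpdump -n -e -ttt -i pflog0` for outbound attempts from the server address; any hit there is a sign the host behind the rule has been compromised.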
By Michael Anuzis () on
Very bad security practice. There were *two* exploits released to my knowledge, one that bound to port 128 (which was not the gobbles one) and one that did *everything* on port 22. You're just lucky you didn't get nailed! And to think the thing at stake was root access on that corporate network! When you know something is vulnerable PATCH IT!
By Michael Anuzis () on
http://www.lucidic.net/whitepapers/manuzis-7-5-2002-1.jpg all on port 22, and this is on an OBSD box behind an OBSD firewall! It still got hacked!
http://www.lucidic.net/whitepapers/manuzis-7-5-2002-13.txt script of the actual Gobbles exploit being used. Firewalls won't do a thing when they're still allowing traffic to vulns like this.
By Matt Van Mater () on
Sometimes you have to wait a short while before you apply patches. You should really test them as best as possible in a non production environment before you go live with something new (yeah we all knew this already).
By Anonymous Coward () on
Do I want access to my box but take the risk of giving root access to any script kiddie?
or
Do I want to take the risk of losing access to my machine and being sure no one else uses my firewall?
Sincerely, I do not understand how a patch to ssh could have affected your production system... or maybe you use your firewall for something else... which would be worse to leave unpatched.
Anyway, just my 2 francs CFA
By Chris Humphries () chumphries@drauku.net on http://drauku.net
I don't like having to hack up something just to get it to work when it works everywhere else in the world fine (OpenOffice, Mozilla).
Some people are fine with all that KDE offers or Netscape 4, and just some terms, which is totally cool. I am not saying that OpenBSD isn't a great OS for the desktop, I am saying that it just isn't for me.
I think OpenBSD having the niche of firewalls and routing boxes is a good niche to be in. I don't think this is a problem. I mean the idea of people not thinking that OpenBSD is good enough for the desktop shouldn't totally come as a shock, as it doesn't provide the programs that others do (and I won't name names).
It is your OS, do what you want with it. I use many OSs and I am fine with it, each has its own pros and cons. As much as one would like for people to use OpenBSD for the desktop, that choice is for the user to make, not everyone else.
:)
thanks,
chris
By Chris Humphries () chumphries@drauku.net on http://drauku.net
We are constantly evaluating technology, and certainly not bound by any one thing. If we think it is the best for us to provide what the client demands, then we will use it. It just happens that open source has been the right choice.
(note: what i say does not officially represent the firm, just my opinions)
thanks,
chris
By Anonymous Coward () on