OpenBSD Journal

Install OpenBSD to Secure Your Web Server

Contributed by mk/reverse on from the bending-it-in-neon dept.

grey notified us about this article by Gregory L. Magnusson.

Targeted at users unfamiliar with OpenBSD, it goes all the way from installing 3.6 to installing and configuring PHP and MySQL while explaining some important details such as httpd being chrooted and disabling anonymous MySQL users.



Comments
  1. By Anonymous Coward (131.130.1.135) on

    I read through the article but cannot find anything at all about chrooting apache or even explaining how/why..

    Comments
    1. By Simon (217.157.132.75) on

      You don't have to do any configuration. Apache is chrooted by default in OpenBSD. Why.... hmm, extra security perhaps? Should anyone compromise your webserver, they won't get outside the chrooted area. Because there is no software (cgi excluded) within the chrooted area, compromising an OpenBSD webserver becomes pretty useless for an attacker, unless of course he simply wants to deface your site.

      I find the "article" kind of lame. Guides like that really don't help. People should understand what they're doing; you don't gain anything from a step by step guide. Also there is nothing in it that you could learn by reading the FAQ, man pages or by searching through the openbsd-misc archives.

      Comments
      1. By SH (82.182.103.172) on

        I find the "article" kind of lame. Guides like that really don't help. People should understand what they're doing; you don't gain anything from a step by step guide.

        Most people learn by examples (or step by step, if you like) as part of understanding what they are doing. The only lame thing here is your condescending attitude.

        Comments
        1. By Anonymous Coward (70.20.155.102) on

          The attitude and poor grammar.

      2. By Anonymous Coward (216.220.225.229) on

        If this is your web server, then it is your web content that matters. Chroot doesn't help you that much in that case, as the web content is within the chroot.

    2. By steven mestdagh (134.58.253.131) on

      Yes, it does not contain any information about how chrooted apache and the php4-mysql module work together. It also says nothing about starting mysqld and httpd from the rc scripts upon booting. You could have distinguished between httpd + mysqld on one machine, or on separate machines. In your case of one machine, you could point to the --skip-networking option, and always connect through the Unix socket. Specifically this socket would need a link from the chroot, etc, etc.

      Some other remarks:
      - Why would you need 500m in / ? 100m or so should be sufficient.
      - Instead of editing /etc/group, you can just answer "wheel" when adduser asks you to invite the user into other groups.
      - You will want to install the mysql-server-4.0.20.tgz package before you can start mysqld.

      Comments
      1. By knomevol (70.246.103.241) on

        it does contain a positive and introductory review of the greatest operating system on earth (unless they're secretly using it on the space station or clandestine satellites). the more the merrier...

        not to mention, gregory does a fine job of fostering a sense of need to financially support the project even when FTP installing.

        i like it!

        Comments
        1. By Anonymous Coward (69.197.92.181) on

          So, anything that says openbsd is good should be praised, even if it's a crappy write-up that isn't helpful in any way? Nice attitude, I'm sure openbsd will continue to improve because of blind praise.

          Comments
          1. By Chris (24.76.170.207) on

            Anything that mentions OpenBSD (and is accurate) is good because it gets the word out there. People who read this article will most likely not have heard of OpenBSD before.

            Comments
            1. By Anonymous Coward (69.197.92.181) on

              And now they will have heard of it, not care because the article doesn't give any useful information, and assume openbsd is just like linux. Pretending that bullshit like this helps openbsd is just pathetic. This is a site about openbsd, that means it's for discussing openbsd related things, good and bad. It's not just a place for everyone to get in a circle and jerk each other off because someone put the word "openbsd" somewhere. Stop crying every time someone doesn't soil their pants in excitement upon reading the word openbsd.

              Comments
              1. By Anonymous Coward (70.246.103.241) on

                why, you little...

                TROLL! GRAB THE SHOVELS! TROLL! MAN THE BATTLESTATIONS! TROLL!

  2. By Frank Denis (213.41.131.17) j@pureftpd.org on http://www.00f.net

    Installing mod_php is nice, but some accelerator like eaccelerator is really needed as well in order to get decent performance.

    Comments
    1. By Anonymous Coward (69.197.92.181) on

      No it isn't. Just plain old apache + PHP is more than adequate for the vast majority of people, it can handle dozens of requests per second on ordinary hardware. For those rare cases where performance is of the utmost importance and you need to use a php accelerator, you would also use a fast webserver like lighttpd, not apache. And you would use a fast OS like linux, not openbsd. And ideally you would use a fast language too, PHP is an order of magnitude slower than python for instance.

      Comments
      1. By Luiz Gustavo (200.165.152.197) on

        "A fast OS like Linux"

        I find interesting how people tend to make strange choices, but since security is always the last topic usually discussed perhaps there is something to think about.

        Look at the problem. Do you really believe that running a distro with your average apache can handle the load? Yes I bet and OpenBSD will handle it fine as well.

        OpenBSD's more paranoid stance can be used as a guideline for your Linux setup, and you can hype about how scalable your kernel is to handle your ten page views per day.

        Learn how to configure apache, use a better webserver when possible, enjoy testing a squid reverse proxy, play with the options. Otherwise your Linux box will be pathetic. Great deal pal.

        Comments
        1. By Anonymous Coward (69.197.92.181) on

          I don't mean to be rude, but have you tried reading my post? I mean, fuck, I was specifically pointing out that plain old apache + php on openbsd is more than adequate for the vast majority of people, how exactly is you saying the same thing helpful?

          And quit making stupid assumptions about what I know and what I do. I run my business on openbsd, I am posting this from openbsd, I maintain ports for openbsd, and I converted the last place I worked at from linux to openbsd, with hundreds of machines. The fact is, linux performs better. Acting like a child will not change this.

          It's just like I said, if you need the highest performance possible, then installing a PHP accelerator isn't the way to go, and if you don't need the highest performance, then adding another layer of security problems to the already horrible php for no reason is just stupid. Ditching apache for lighttpd, ditching php for python, and ditching openbsd for linux will make a far greater difference in performance than a PHP accelerator, and will be more secure anyways simply because PHP is so horrible security-wise, that moving down to linux from openbsd is more than made up for by not having PHP.

          Comments
          1. By Luiz Gustavo (200.165.152.197) on

            Running your business on it matters?

            Since your post didn't mention anything you said right now, what kind of starting point did I have?

            In the end it is much more about the platform you LIKE than anything else.

            Comments
            1. By Anonymous Coward (69.197.92.181) on

              Again, simply reading the post you reply to would be more than enough. There was nothing in my post to warrant your bullshit.

              Comments
              1. By Luiz Gustavo (221.254.203.118) on

                Interesting how Anonymous Cowards always write using strong words.

                Keep it going pal.

      2. By Anonymous Coward (69.158.152.101) on

        You mention that "PHP is an order of magnitude slower than python". Can you back that up some how? I'm not arguing with you here just for the hell of it, I really am curious. I was under the impression that mod_php performed way better than using fastcgi + python or any combination like that.

        Comments
        1. By Anonymous Coward (83.147.128.114) on

          See for yourself at this benchmark

          Comments
          1. By Anonymous Coward (69.158.154.114) on

            Thanks!

  3. By Anonymous Coward (81.182.20.62) on

    Hardlink creation is necessary inside the jail for the MySQL socket. Without the hardlink, MySQL connect cannot work, because Apache is chroot'ed...

    Comments
    1. By Anonymous Coward (69.197.92.181) on

      No it isn't. Mysql can create its socket in the chroot, there's no need for a hardlink.

    2. By Anonymous Coward (66.92.166.240) on

      in addition, hardlinks won't work if you dedicate a slice for /var/www - something one should think about when it matters... use the method suggested above: let mysql create the socket.
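As an added example (not code from the thread or from the article it discusses), here is a small POSIX sh check for the two mysqld settings the comments recommend: steven mestdagh's --skip-networking plus Unix-socket-only access, and the point in the replies above that mysqld can create its socket inside Apache's /var/www chroot instead of needing a hardlink. It assumes an INI-style my.cnf with a [mysqld] section; the socket path and both sample configs are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Checks a my.cnf for the two settings discussed
# above: the mysqld socket placed inside Apache's chroot (/var/www on OpenBSD) so the
# chrooted PHP can reach it, and skip-networking so mysqld opens no TCP listener.
CHROOT=/var/www

# mysqld_setting FILE KEY: print KEY's value from [mysqld] ("" for a bare flag),
# exit 1 if KEY is absent. Comment lines and trailing "# ..." comments are ignored.
mysqld_setting() {
    awk -v key="$2" '
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[mysqld\][ \t]*$/); next }
        !in_sec || /^[ \t]*[#;]/ { next }
        {
            line = $0; sub(/[ \t]*[#;].*$/, "", line)
            n = index(line, "=")
            if (n) { k = substr(line, 1, n - 1); v = substr(line, n + 1) }
            else   { k = line; v = "" }
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; found = 1; exit }
        }
        END { exit found ? 0 : 1 }' "$1"
}

# check_mysql_chroot_cfg FILE: returns 0 when both settings are right, 1 otherwise.
check_mysql_chroot_cfg() {
    rc=0
    sock=$(mysqld_setting "$1" socket) || { echo "WARN: no socket= under [mysqld]"; return 1; }
    case "$sock" in
        "$CHROOT"/*) echo "ok: socket $sock lies inside $CHROOT" ;;
        *) echo "WARN: socket $sock is outside $CHROOT; chrooted PHP cannot open it"; rc=1 ;;
    esac
    if mysqld_setting "$1" skip-networking >/dev/null; then
        echo "ok: skip-networking set, mysqld accepts Unix-socket clients only"
    else
        echo "WARN: skip-networking missing, mysqld also listens on TCP"; rc=1
    fi
    return $rc
}

# Constructed sample configs: a stock layout and the chroot-friendly one.
BAD_CNF=$(mktemp); GOOD_CNF=$(mktemp)
cat > "$BAD_CNF" <<'EOF'
[mysqld]
socket = /var/run/mysql/mysql.sock
EOF
cat > "$GOOD_CNF" <<'EOF'
[mysqld]
socket = /var/www/var/run/mysql/mysql.sock   # created inside the chroot
skip-networking
EOF
```

Run it as `check_mysql_chroot_cfg /etc/my.cnf` (or the path your package uses); a non-zero exit means at least one of the two settings needs attention.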

  4. By Charles Hill (216.229.170.65) on

    From the article: [Author's Note: Because OpenBSD is a Canadian-made product, export of the security suite and source code is not restricted in any way. However, while U.S. readers can download (import) OpenBSD, exporting or re-exporting cryptographic software from the US is still a serious criminal offence. For those of you living in the US, do not attempt to export the OpenBSD operating system once you've downloaded it. If you are an American citizen located outside the US, do not download OpenBSD from an American site. You have been warned! Of course, downloading OpenBSD from an American site to an American location is fine. Always choose the server nearest you.]

    Isn't that just special -- and wrong.

    The U.S. export controls on crypto changed some time ago. Open Source crypto is freely exportable without a license (you know, like Canada's exception for freely available software), as long as you aren't sending it to: N. Korea, Cuba, Syria, Sudan, Iran, Taliban-controlled sections of Afghanistan, and, if they haven't yet been removed, Libya & Iraq.

    Similar to Canada's Area Control List (currently only Myanmar, IIRC) or an area currently under U.N. Sanctions (like Sudan) -- which Canada observes.

    http://laws.justice.gc.ca/en/E-19/SOR-81-543/100049.html
    http://www.dfait-maeci.gc.ca/trade/eicb/military/intro-en.asp

    So, if you're an American citizen, feel free to re-export to your heart's content, as long as it isn't on the controlled list (non-authoritative summary above). Ditto for Canada (much shorter list, but it *DOES* exist).

    -Charles

    Comments
    1. Comments
      1. By Charles Hill (216.229.170.65) on

        Most likely, and this is just a guess I don't have any inside information, is that the U.S. regulations that Canada agreed to are a convoluted, ever-changing pain-in-the-ass.

        As best I can tell, the U.S. ITAR regulations don't apply to FOSS crypto any more (since 1996) and the restrictions for export apply to "designated terrorist states".

        One big question is the U.N. Embargo list, to which both Canada and the U.S. adhere. The U.S. probably considers crypto to be "munitions" or "defense technology" for this list, but I'm unsure about Canada. This list can be pretty long (Angola, Zimbabwe, Ivory Coast, Sudan, Myanmar, etc.)

        I read the linked page on the research done by Marc Plumb on re-exporting from Canada but he didn't specify WHERE he applied to export to. Also, that info is from 1995/1996 and things have changed significantly since then. He does acknowledge, right up top, that there are places Canada doesn't allow you to export to.

        It really looks to me like "if we exclude the American stuff, there is the WHOLE PILE OF SHIT we don't have to deal with" decision.

        My complaint has always been to presentation of "We're Canadians, we can export ANYWHERE, unlike you fascist Americans." No, you can't. There are countries that Canada has embargoes against (e.g. Myanmar & Angola) to which the crypto exemption does not apply.

        After spending the last 3 hours digging thru the various American regulations and getting a headache from the whole mess, I can say with confidence (as an American): Damn good decision. What a mess!

        -Charles

  5. By Michael (24.152.208.217) mmitton@ssi-c.com on

    This "guide" is riddled with errors and misleading statements. Take, for instance:

      For PHP to work, you must create an index.php file:

      TYPE vi index.html

    I'd love for him to explain how editing index.html creates index.php. Plus, it seems everyone has been naming systems wrong for a very long time. What you really need to do is put the name of the system in brackets, and the name of the nic after that! ([ftknox] dlink530TX)

    Comments
    1. By Greg Magnusson (204.83.48.28) glm@cyborgspiders.com on

      Editing index.html creates index.php when it is saved as index.php using the vi editor. Rather than writing out a new web page template, I simply inserted <?php phpinfo(); ?> into the standard Apache index.html file and then saved that file with the .php extension.

      page 4
      ---------------------------------------------------------------------
      TYPE vi index.html

      Remember, press i for insert mode. Beneath the <body bgcolor="#ffffff"> tag, add <?php phpinfo(); ?>. Press ESC:wq index.php. This saves the file as index.php with your changes. Test this out:

      TYPE lynx 127.0.0.1/index.php
      ----------------------------------------------------------------------

      I stand corrected on the missing brackets in the hostname.
      Symbolic (host) name for vr0? TYPE: "[ftknox] dlink530TX". ENTER.

      should read

      Symbolic (host) name for vr0? TYPE: "([ftknox] dlink530TX)". ENTER.

      Thanks for bringing that to my attention.
