This is the thread that I wished to start that pertains to OpenBSD.
If usage of an SSH app on anyone's phone to access an OpenBSD server
isn't relevant from a security point of view, well, let's ignore the
communication breach from a hardware/software issue and I ask
forgiveness.

I have not opened up my server before for full usage of email, web,
database, etc. So I'm a total noob on really good security
practices.

Proper owner:group all over the place. Not covered in hier(7).

For example, I read that httpd should not have its Perl scripts owned
by www:www. Well, what IS the right choice here? What about Perl modules
I bring in? root:wheel seems wrong to me.
If I bring in an outsider to also have a site under httpd, how should I
deal with preventing them from getting into the other virtual server
folders, which usually contain sensitive information? This would seem to
be an owner:group and permission thing. But HOW do I do this right?
Do I give them an outside folder to work in and then give them the
ability to have my software copy it into the chroot?
What about each server's logs? Should I have them written to their home
folders? They need to see those but not anyone else's.


Overall, what are the right and especially the wrong owner:group all
over the general file system?

I'm not really asking for a vague outline, I know very well that daemon
is especially dangerous and needs to be used in some places and NOT in
others. Right now I just have a hodge-podge all over the place. Is
there a manual page that covers this? If not, should there be?

Hey, I grew up with DOS, BASIC and Windows. So I don't have any years
of knowledge of "just how this obviously should be".
(Thanks for the comments left in a project I gave a go at a while
back, they were very educational about this topic.
I may have failed at that project, but I do look at source code.
I respect any requests not to reply to a personal email.
I do not ignore such things, that would be extremely disrespectful.)

Passwords in general.
I'm familiar with the xkcd about password strength.
But I see sites with password strength checkers that are clearly wrong
now that I have this knowledge. Are there any correct password checkers
that I can insert into the passwd routine to keep things safer? I can't
prevent anyone from their own mistakes about leaving it out, but I at
least want to prevent break-ins with lousy passwords from attackers.

What else don't I know? This is one of those questions I have to ask
since I don't know exactly what I don't know. There is an excellent pdf
on a study about how people who are incompetent are unable to judge
their own incompetence until they become more competent.

Which is exactly my own problem. I am not competent enough to judge my
own competence. I have not worked in IT. I do not know anyone who has,
except over this list. I will ask stupid questions and not know it.

Any help welcome,
Chris Bennett


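Added example for the password question, not from the original post and not OpenBSD project code. As I recall login.conf(5), a login class can carry a passwordcheck capability, e.g. :passwordcheck=/usr/local/sbin/pwcheck:, and passwd(1) then pipes the proposed password to that program on stdin and refuses it when the program exits non-zero; the path is my choice and the capability name and calling convention should be checked against login.conf(5) on your release. The estimate follows the xkcd reasoning rather than the usual "mix four character classes" meters: a dictionary word is worth roughly 11 bits however it is capitalised or leet-spelled, a digit about 3.3 bits, a symbol about 5, so four random words beat one decorated word. The length and bit thresholds and the tiny common-password list are assumptions for the example; in practice feed it a real list such as a cracked-password dump.

```shell
#!/bin/sh
# pwcheck: password filter in the shape login.conf(5)'s passwordcheck expects
# (as I remember it): candidate on stdin, non-zero exit means "rejected".
# Example code for this thread; thresholds and word list are assumptions.
export LC_ALL=C
PW_MINLEN=${PW_MINLEN:-10}     # assumed floor on length
PW_MINBITS=${PW_MINBITS:-40}   # assumed floor on estimated guessing entropy

is_letter() { case $1 in [[:alpha:]]) return 0 ;; *) return 1 ;; esac; }

# add the score of the letter run just finished (score is kept in tenths
# of a bit so plain shell integer arithmetic suffices), then reset counters
flush_run() {
    if [ "$run" -ge 4 ]; then
        score=$((score + 110))          # a word: ~11 bits (xkcd's common-word figure)
    else
        score=$((score + run * 47))     # a few loose letters: ~4.7 bits each
    fi
    [ "$caps" -gt 0 ] && score=$((score + 10))   # some capitalisation: ~1 bit
    score=$((score + subs * 30))        # each 0/4/@-style substitution: ~3 bits
    run=0 caps=0 subs=0
}

# pw_bits PASSWORD: print the estimated guessing entropy in whole bits
pw_bits() {
    s=$1 score=0 run=0 caps=0 subs=0
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}; s=${s#?}       # pop the first character
        n=${s%"${s#?}"}                 # peek at the next one (empty at the end)
        case $c in
            [[:lower:]]) run=$((run + 1)) ;;
            [[:upper:]]) run=$((run + 1)); caps=$((caps + 1)) ;;
            ' '|'-'|'_') flush_run ;;   # word separators earn nothing
            *)
                if [ "$run" -gt 0 ] && is_letter "$n"; then
                    subs=$((subs + 1)); run=$((run + 1))   # Tr0ub4dor: still one word
                else
                    flush_run
                    case $c in
                        [[:digit:]]) score=$((score + 33)) ;;   # log2(10)
                        *)           score=$((score + 50)) ;;   # log2(33), a symbol
                    esac
                fi ;;
        esac
    done
    flush_run
    echo $((score / 10))
}

# pw_common PASSWORD: true if, after dropping leading/trailing digits and
# symbols, lowercasing and undoing the usual substitutions, it is on the
# (constructed, deliberately tiny) list of common passwords
pw_common() {
    norm=$(printf '%s' "$1" | sed 's/^[^[:alpha:]]*//; s/[^[:alpha:]]*$//' \
           | tr 'A-Z@$!013457' 'a-zasiolaest')
    case $norm in
        password|passwd|letmein|qwerty|welcome|admin|secret|monkey|dragon|iloveyou|football|baseball|changeme|abc|abcdef)
            return 0 ;;
    esac
    return 1
}

# pw_accept PASSWORD: exit 0 to accept, 1 to reject, reason on stdout
pw_accept() {
    pw=$1
    if [ "${#pw}" -lt "$PW_MINLEN" ]; then
        echo "rejected: shorter than $PW_MINLEN characters"; return 1
    fi
    if pw_common "$pw"; then
        echo "rejected: a common password in disguise"; return 1
    fi
    bits=$(pw_bits "$pw")
    if [ "$bits" -lt "$PW_MINBITS" ]; then
        echo "rejected: about $bits bits of guessing entropy, $PW_MINBITS required"; return 1
    fi
    echo "ok: about $bits bits"
}

# when installed as the passwordcheck program: the candidate arrives on stdin
case $0 in
    */pwcheck|pwcheck) IFS= read -r pw || true; pw_accept "$pw" ;;
esac
```

With these numbers "Tr0ub4dor&3" scores about 26 bits and is refused even though it mixes all four character classes, while "correct horse battery staple" scores 44 and passes, and "P@ssw0rd123!" is thrown out by the word list before any scoring happens. That is the behaviour the broken strength meters get backwards.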