On Mon, Apr 03, 2006 at 02:40:50AM -0600, David B. wrote:
> Hi, I see 3.9 is getting ready to be released. Do you plan on bundling
> Apache2 with it? It would seem a logical thing to do, since the Apache
> version currently bundled with it seems to have problems.
>
> I just lost my entire development box to a hack this week, right through
> smoothwall's DMZ. I had apache up, postgresql installed with the mod_php as
> the middleware. All settings were default and the only port I had open was
> 80 through smoothwall. I even had all packets dropped that came from Asia,
> South America and Africa.
>
> The point being, if you sell security as your market niche, you might want
> to make sure that, at least, Apache be up to date, and not a version from 5
> years ago where who knows how many hacks there are out there for it.
>
> I don't mind rebuilding my development box from scratch because that's why
> I had it on the net like that anyway, simply to see how long it would take
> for someone to crash it. It took less than a month - that's not very good
> from a default security viewpoint.
>
> I'm assuming of course that Apache is the problem, as there are no logs or
> any way to tell what happened, but the hard drive started to make an awful
> screeching sound as the drive was apparently being forced to track the
> heads back and forth very quickly. The drive is fine, but apache and
> postgresql won't start, and the wtmp file was erased, so that when I did a
> 'last' only my most recent login came up.

As pointed out, Apache 2 won't make it into base.

Also, as I like to say, PHP is more likely to be the point of entry. And the oldish version of Apache, with lots of fixes, that is in OpenBSD is *less*, not more, likely to have major bugs than the current Apache.

As to getting hacked - OpenBSD is only secure by default, or when run by someone who knows what he's doing.

Joachim