Re: Save ports

2007-02-20 Thread Open Phugu

Turn off inetd to close 13,37,133.
Configure sendmail not to listen on ports 25 and 587.
That leaves 22 (ssh) and 53 (domain).

On 2/20/07, Bray Mailloux <[EMAIL PROTECTED]> wrote:

I ran an nmap -sS localhost which output

port     state  service
13/tcp   open   daytime
22/tcp   open   ssh
25/tcp   open   smtp
37/tcp   open   time
53/tcp   open   domain
113/tcp  open   auth
587/tcp  open   submission

This BSD box will be serving solely as a router so few of the above
services are needed (submission, auth, domain, smtp). How do I begin
closing down these services?





--

ID: AF133028
fp:9D6B DC0F CCDA 53FA 3F04  A551 BC23 374D AF13 3028



Re: OpenBSD speed on desktops

2007-03-19 Thread Open Phugu

On 3/19/07, Karel Kulhavy <[EMAIL PROTECTED]> wrote:

On Sat, Feb 17, 2007 at 12:36:00PM -0500, R. Fumione wrote:
> Hello,
>
> I have been using OpenBSD on servers for a few years now, and I am very
> happy with its easy maintenance and its stability. I want to try it on the
> desktop, and I am having trouble.
>
> Everything is much slower than existing Linux system. For example,
> Firefox takes 3-5 seconds to start on Linux but ~10 seconds on
> OpenBSD on same machine!

I have the same problem. The FFS doesn't seem to be as fast as ext2.


Instead of making vague, unprovable statements like that, we would
like to see some solid benchmarks (bonnie, bonnie++), to back this up.
Making such statements helps nobody.



Re: make build crashing

2007-03-21 Thread Open Phugu

On 3/21/07, Bray Mailloux <[EMAIL PROTECTED]> wrote:

I am updating my 4.0 system to the latest ~stable build and each time my
"make build" is crashing. What information should I post in order to
ensure maximum clarity with the problem?



Post the exact command, the output of the ``make build'', the output
of ``uname -a''.



Re: Is OpenBSD good/best for my 486?

2007-03-22 Thread Open Phugu

On 3/22/07, Douglas Allan Tutty <[EMAIL PROTECTED]> wrote:


You mean OpenBSD has encrypted swap out-of-the-box?  That's fantastic.
It took a while to set up on my debian etch box.

That is why we call it ``secure by default''.



Re: Microsoft gets the Most Secure Operating Systems award

2007-03-22 Thread Open Phugu

On 3/22/07, Marc Espie <[EMAIL PROTECTED]> wrote:

On Thu, Mar 22, 2007 at 03:28:29PM -0400, Douglas Allan Tutty wrote:
> Their challenge is that they need to provide choice so they
> have what they call reasonable defaults.

No, they don't need to provide choice. At least not that many. They decide
to do so.  That's most of what's wrong with OS stuff these days. Too
many choices.  Too many knobs. Every day, I see people shoot themselves in
the foot, not managing to administer boxes and networks in a simple way,
making stupid decisions that don't serve any purpose.

ACL, enforced security policies, reverse proxy setups, user accounts,
network user groups, PAM, openldap, reiserfs, ext3fs, ext2fs...
so many choices. So many wrong choices.

At some point, the people who package the software need to make editorial
decisions. Remove knobs. Provide people with stuff that just works.
Remove options. Or definitely give them the means to do the trade-off
correctly.

Security comes from this. As Bruce Schneier and Niels Ferguson write
in ``Practical Cryptography'', on page 12,
``There are no complex systems that are secure.
Complexity is the worst enemy of security, and it almost always comes
in the form of features or options.''

We try not to be as bad, to provide default configs that work, and not
so many choices.

Again, from the same book,
``One of the things we have tried to do in this book is to define
simple interfaces for cryptographic primitives. No features, no
options, no special cases, no extra things to remember.''

The fact that an OpenBSD system is secure out of the box is the main
reason I started using it.



Re: bcw(4) is gone

2007-04-12 Thread Open Phugu

On 4/11/07, Mike Erdely <[EMAIL PROTECTED]> wrote:

On Wed, Apr 11, 2007 at 08:20:51PM +0200, Timo Schoeler wrote:
> On Wed, 11 Apr 2007 20:08:44 +0200 Marc Balmer wrote:
> > > [X] -- communism isn't as bad as the GPL ;)
> > [X] marco is a communist
> no; if so, he's as good a communist as George W. Bush as president.

WTF!  What the hell does GPL, communism or GWB have to do with OpenBSD?
Let this thread die.

-ME

/me agrees. This is a list about OpenBSD. Discussion about the GPL *may*
have its place, but *please* don't interject politics into the discussion.
I dislike the GPL, but calling it communism is useless.



Re: force password changes

2007-04-12 Thread Open Phugu

On 4/12/07, John N. Brahy <[EMAIL PROTECTED]> wrote:

What's the best way to force users to change their passwords?

If you are needing technical measures, the posters below have it.
If by ``force users to change their passwords'' you are asking us for
our favorite LARTs, in general, the electrified doorknob, the
cat5-o-nine-tails and in the worst cases, the flamethrower tend all to
work very well. However, low-yield tactical nuclear weapons, while rather
effective against lusers, cause an electromagnetic pulse which brings
down network links and all computers in the area.



Re: SSHJail patch for OpenBSD

2007-04-27 Thread Open Phugu

On 4/26/07, Rico Secada <[EMAIL PROTECTED]> wrote:

Hi

Before I test-run this http://paradigma.pt/~gngs/sshjail/ does anyone
already know if this patch would work with OpenSSH on OpenBSD > 3.9?

Instead of asking, try the patch.



Re: OpenBSD 4.1 Torrents

2007-05-02 Thread Open Phugu

On 5/2/07, Mike Erdely <[EMAIL PROTECTED]> wrote:

On Wed, May 02, 2007 at 08:07:10PM -0400, Clint M. Sand wrote:
> On Tue, May 01, 2007 at 02:33:50PM -0700, andrew fresh wrote:
> > http://openbsd.somedomain.net/index.php?version=4.1
> Just out of curiosity...
>
> Is it logical to use an OS for the intense focus on security and
> correctness, yet download the binaries from a random person on a mailing
> list instead of any official source with reasonable file integrity
> checking process in place?
>
> Seems odd that people would use OpenBSD because they trust the code, yet
> download the binaries from random torrents on the internet.

man 1 cksum
ftp://ftp5.usa.openbsd.org/pub/OpenBSD/4.1/i386/CKSUM

Seems odd that people would use OpenBSD because they trust the code, yet
use a CRC32 to verify the integrity of said operating system.
Speaking of this, when will the OpenBSD project begin to post SHA256
hashes to the ftp sites? MD5 is dead: these two files are different and
yet have the same MD5 hash.
http://www.cits.rub.de/imperia/md/content/magnus/letter_of_rec.ps
http://www.cits.rub.de/imperia/md/content/magnus/order.ps



Re: Prevent circumventing dansguardian with pf

2007-05-04 Thread Open Phugu

On 5/4/07, Henning Brauer <[EMAIL PROTECTED]> wrote:

* Chad M Stewart <[EMAIL PROTECTED]> [2007-04-25 19:31]:
> On Apr 25, 2007, at 11:05 AM, Allen Theobald wrote:
> >pass in inet proto icmp all icmp-type $icmp_types keep state
>
> This can be used as a covert communication channel.  Allowing
> internal IPs to send/receive ping is bad.

that is the biggest bullshit i have read on this list in some time.

if you deny icmp, you shall burn in hell

You may burn in hell, but ICMP can be used to infiltrate and exfiltrate data:
http://www.cs.uit.no/~daniels/PingTunnel/
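From the defender's side, the practical question raised here is how to tell tunnelled traffic from ordinary ping. The following is an added example, not code from the thread or from the PingTunnel project: it builds a few ICMP echo messages (constructed sample traffic, not a capture), parses them back with the RFC 792 header layout, and flags the properties a covert channel tends to break: oversized requests, replies whose data does not echo the request, replies with no matching request, and an excessive echo rate per source. The size and rate thresholds are assumptions to be tuned per network.

```python
"""Flag ICMP echo traffic that does not behave like ping (added example)."""
import struct
from collections import defaultdict

ECHO_REQUEST, ECHO_REPLY = 8, 0
MAX_PING_PAYLOAD = 64        # assumption: ordinary ping payloads are small
MAX_REQUESTS_PER_SRC = 20    # assumption: more echoes per window is suspicious


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over the ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Serialise an ICMP echo request/reply: type, code, cksum, id, seq, data."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(msg: bytes):
    """Return (type, id, seq, payload), or None if not a well-formed echo."""
    if len(msg) < 8:
        return None
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    if icmp_type not in (ECHO_REQUEST, ECHO_REPLY) or code != 0:
        return None
    if icmp_checksum(msg[:2] + b"\x00\x00" + msg[4:]) != csum:
        return None  # corrupted header; do not trust any field
    return icmp_type, ident, seq, msg[8:]


def find_suspicious(packets):
    """packets: iterable of (src, dst, raw_icmp). Returns a list of findings."""
    findings = []
    requests = {}                  # (src, dst, id, seq) -> request payload
    per_src = defaultdict(int)
    for src, dst, raw in packets:
        parsed = parse_echo(raw)
        if parsed is None:
            continue
        icmp_type, ident, seq, payload = parsed
        if icmp_type == ECHO_REQUEST:
            per_src[src] += 1
            requests[(src, dst, ident, seq)] = payload
            if len(payload) > MAX_PING_PAYLOAD:
                findings.append(("oversized-request", src, dst, len(payload)))
        else:
            original = requests.get((dst, src, ident, seq))  # reply flows back
            if original is None:
                findings.append(("unsolicited-reply", src, dst, seq))
            elif original != payload:
                # RFC 792: a reply carries the request data verbatim; a tunnel
                # uses the reply to carry data of its own
                findings.append(("mismatched-reply", src, dst, seq))
    for src, count in per_src.items():
        if count > MAX_REQUESTS_PER_SRC:
            findings.append(("excessive-rate", src, None, count))
    return findings


def sample_packets():
    """Constructed traffic: a normal ping pair, then a tunnel-like pair."""
    ping_data = bytes(range(0x10, 0x10 + 56))   # typical 56-byte ping payload
    tunnel_up = b"TUNNEL-UP:" + bytes(1000)     # constructed carried data
    tunnel_down = b"TUNNEL-DOWN: different bytes come back"
    return [
        ("10.0.0.5", "192.0.2.1", build_echo(ECHO_REQUEST, 1, 1, ping_data)),
        ("192.0.2.1", "10.0.0.5", build_echo(ECHO_REPLY, 1, 1, ping_data)),
        ("10.0.0.7", "198.51.100.9", build_echo(ECHO_REQUEST, 2, 1, tunnel_up)),
        ("198.51.100.9", "10.0.0.7", build_echo(ECHO_REPLY, 2, 1, tunnel_down)),
    ]


if __name__ == "__main__":
    for finding in find_suspicious(sample_packets()):
        print(finding)
```

The reply/request payload comparison is the check worth keeping even if the size and rate thresholds are relaxed: a well-behaved echo reply never differs from its request, so a mismatch is a strong signal on its own rather than a statistical one.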



Re: Machine freezes from invalid Ethernet packets

2007-05-04 Thread Open Phugu

On 5/4/07, Karel Kulhavy <[EMAIL PROTECTED]> wrote:

Hello

I connected a 10Mbps free space optics link to a 10Mbps hub to which an OpenBSD
4.0 machine (Dell Inspiron 510m) was connected. The link probably had a bad
signal because on the Dell directly (i.e. in the NIC) I could receive the RTP
that was transmitted through the link, but another device couldn't, a switch
wouldn't broadcast it (even when it was an IP/Ethernet broadcast) and the hub was
flashing traffic only on the LED where it was connected and not the other ones
(so it probably thought the traffic was damaged and not worth it, though it didn't
report any collisions).

After a while observing nonsensical Ethernet frames with nonsensical protocol
fields in Wireshark (which went away when I shielded away the carrier beam) I

Do you still have the packets? If you do, can you replay them and see
if the crash happens?



Re: OpenBSD 4.1 Torrents

2007-05-04 Thread Open Phugu

On 5/4/07, John Fiore <[EMAIL PROTECTED]> wrote:

> Speaking of this, when will the OpenBSD project begin to post SHA256
> hashes
> to the ftp sites. MD5 is dead: these two files are different and yet
> have the same
> MD5 hash.
> http://www.cits.rub.de/imperia/md/content/magnus/letter_of_rec.ps
> http://www.cits.rub.de/imperia/md/content/magnus/order.ps


Great.  Could you please show me the link to files that have the same length
and MD5 as those in the 4.1 release?


That means nothing. If the OpenBSD project used a CRC16 to verify integrity,
your argument would still hold. What matters is the ease of finding
colliding files. While finding a file that has the same MD5 as an official
file is hard, it seems ridiculous to trust the security of downloaded files
using an algorithm that is known to be insecure. From a project that has
always placed security before everything, I do not understand the
motivation behind not using a secure algorithm such as SHA-256 or SHA-512.



Re: OpenBSD 4.1 Torrents

2007-05-04 Thread Open Phugu

On 5/4/07, John Fiore <[EMAIL PROTECTED]> wrote:

Your point is taken, however, can you illustrate the threat against which
the stronger hash is to protect?  If the threat is that someone will
redirect you to a fake openbsd.org (through DNS cache poisoning, etc.), the
stronger hash offers no protection.  If there's a man in the middle, it
similarly offers you no more protection, and the same is true if someone
manages to hack openbsd.org and upload different binaries.

You are completely correct. A stronger hash will do nothing against such an
attack. However, my argument was that since attacks on MD5 will just be
easier as cryptanalytic techniques improve and CPU time becomes cheaper,
it makes no sense to keep using it when stronger hashes are available.



Re: OpenBSD 4.1 Torrents

2007-05-06 Thread Open Phugu

On 5/6/07, Adam Hawes <[EMAIL PROTECTED]> wrote:

> Um, can you cite a single *real world* example of where md5 sums
> have been co-opted in any way?  Yes, md5 now has a weakness, but
> really, are there any cases of anyone having actually exploited it?

That is not my point. My point is that if MD5 is weak, attackers *will*
begin to exploit such a weakness.


This isn't about IF the problem will occur, but WHEN!  There is a known
exploit and anybody who doesn't take steps to mitigate that now is just
crazy (or lazy).

Cryptographic attacks grow easier as time goes on. The attack is improved,
the cost of a CPU cycle goes down... We need to change to SHA256 or SHA512
now instead of when script kitties will regularly be forging MD5 hashes.
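The point argued across this thread (the CRC32 in the CKSUM file gives no cryptographic assurance, MD5 is known to be collision-prone, and the only sensible policy is to trust a SHA-2 digest) is easy to turn into a verification check. What follows is an added example, not OpenBSD's cksum(1) or any release tooling: it implements the POSIX cksum CRC so it can check `cksum` lines, parses a manifest in the `ALGO (file) = value` layout that md5(1) and sha256(1) print (the manifest text and the file bytes are constructed stand-ins, and the file name is just a label), and returns "ok" only when a strong digest matches, "weak-only" when the file is vouched for by MD5 or a CRC alone, and "mismatch" otherwise.

```python
"""Verify a downloaded file against a digest manifest, refusing to treat
MD5 or a CRC as proof of integrity (added example)."""
import hashlib
import re

# Assumption: manifest lines follow the BSD md5(1)/sha256(1) layout,
#   ALGO (filename) = value
MANIFEST_LINE = re.compile(r"^(\w+) \((.+)\) = ([0-9a-fA-F]+)$")
STRONG = {"SHA256", "SHA512"}          # collision-resistant as of writing
WEAK = {"MD5", "SHA1", "CKSUM"}        # broken or not cryptographic at all


def _crc_feed(crc: int, byte: int) -> int:
    """One byte through CRC-32 with polynomial 0x04C11DB7, MSB first."""
    crc ^= byte << 24
    for _ in range(8):
        if crc & 0x80000000:
            crc = ((crc << 1) ^ 0x04C11DB7) & 0xFFFFFFFF
        else:
            crc = (crc << 1) & 0xFFFFFFFF
    return crc


def posix_cksum(data: bytes) -> int:
    """POSIX cksum(1): CRC over the data, then over the length (least
    significant byte first), then the ones' complement."""
    crc = 0
    for b in data:
        crc = _crc_feed(crc, b)
    length = len(data)
    while length:
        crc = _crc_feed(crc, length & 0xFF)
        length >>= 8
    return (~crc) & 0xFFFFFFFF


def digest(algo: str, data: bytes) -> str:
    """Digest value in the same textual form the manifest uses."""
    if algo == "CKSUM":
        return str(posix_cksum(data))
    return hashlib.new(algo.lower(), data).hexdigest()


def parse_manifest(text: str) -> dict:
    """Map filename -> {ALGO: value}; rejects lines it cannot parse."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = MANIFEST_LINE.match(line.strip())
        if not m:
            raise ValueError("unparseable manifest line: %r" % line)
        algo, name, value = m.group(1).upper(), m.group(2), m.group(3).lower()
        entries.setdefault(name, {})[algo] = value
    return entries


def verify(name: str, data: bytes, manifest: dict):
    """Return (verdict, [(algo, matched), ...]). A file is 'ok' only when a
    STRONG digest matches; agreement on MD5 or CKSUM alone is 'weak-only'."""
    algos = manifest.get(name)
    if not algos:
        return "unlisted", []
    details = [(algo, digest(algo, data) == expected)
               for algo, expected in algos.items()]
    matched = {algo for algo, ok in details if ok}
    if matched & STRONG:
        return "ok", details
    if matched:
        return "weak-only", details
    return "mismatch", details


# Constructed stand-in for a release set; not the real base41.tgz bytes.
SAMPLE_FILE = b"stand-in for base41.tgz: constructed bytes, not a release\n"


def sample_manifest(data: bytes, algos=("cksum", "MD5", "SHA256")) -> str:
    """Manifest text for the constructed file with the requested digests."""
    return "".join("%s (base41.tgz) = %s\n" % (a, digest(a.upper(), data))
                   for a in algos)


if __name__ == "__main__":
    manifest = parse_manifest(sample_manifest(SAMPLE_FILE))
    print(verify("base41.tgz", SAMPLE_FILE, manifest))
    weak = parse_manifest(sample_manifest(SAMPLE_FILE, ("cksum", "MD5")))
    print(verify("base41.tgz", SAMPLE_FILE, weak))
```

Note that this check, like any digest check, answers only "is this the file the manifest describes"; as the later exchange in the thread says, it does nothing against a manifest served by a compromised or impersonated site, which is a separate problem of where the manifest comes from.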



Re: Prevent circumventing dansguardian with pf

2007-05-07 Thread Open Phugu

On 5/7/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

>From: Sebastian Benoit <[EMAIL PROTECTED]>
>
>If you want to deny users the possibility to smuggle data outside of their
>workplace (or whatever) then don't connect them to the internet.

No, no, no.  You must go one step beyond this if you want to
prevent employees from smuggling data.  To do this properly, copy
machines should be removed!  Pens, pencils and paper removed!
Employees should be searched for thumb drives, zip drives, floppy
drives, tape recorders, papers, CDs, DVDs, and burners.  It's
better to strip search them just to be sure.  As a matter of fact,
because humans are so innovative, all materials should be removed
from the office because I'm sure someone will come up with some way
to write something down.  Oh, don't forget to remove phones, faxes
and cell phones, and cameras.  You should only hire people who
don't know how to read or write to reduce the work load of
preventing others from smuggling data.  It's probably best that
they don't know how to receive or transmit any form of
language/communication either.

Also, make the whole building a large Faraday cage to prevent them
from using radio communication. And have automatic direction-finding
receivers to triangulate the location of (l)users who attempt to use
radio. In fact, there is a much cheaper method: don't hire humans.
_Every_ compromise of security or instance of data exfiltration has
been traced back to a human action. If you don't have humans, you
don't have problems.



Re: OpenBSD sucks

2007-05-31 Thread Open Phugu

On 5/31/07, qw er <[EMAIL PROTECTED]> wrote:

It really sucks. It is slow.


What you say does not apply to OpenBSD. What you said describes you.



Re: c2k7 hackathon is over

2007-06-02 Thread Open Phugu

On 6/2/07, Theo de Raadt <[EMAIL PROTECTED]> wrote:

The c2k7 hackathon is over, with roughly 50 developers attending the
event for 10 days in Calgary.

So many projects were started or finished, it is basically impossible
for me to describe all the projects.

Hope you guys out there enjoy the changes that we've made.

Thanks to henning@'s commits:
http://marc.info/?l=openbsd-cvs&m=118037274607974&w=2
http://marc.info/?l=openbsd-cvs&m=118040004621784&w=2
PF ought to be even faster!

Thank you Theo de Raadt and all the other developers. Such
effort is what helps make OpenBSD my favorite operating
system.



Re: OpenBSD router playing up

2007-06-05 Thread Open Phugu

On 6/5/07, Karl Kopp <[EMAIL PROTECTED]> wrote:

Hi All,

I have a strange issue. We are using an OpenBSD 3.9 box running on an
AMD64 CPU. It's doing BGP with our upstream provider and has some basic
pf rules.

Occasionally, the network slows to a crawl. I set up some external
monitoring, and while a few simple HTTP checks of boxes on our network
normally take a second or 2 (from 2 separate locations outside our
network), this just went up to over 100 seconds and was only resolved
by restarting the box.

I'm learning this stuff, so am super keen if a) this is normal
behavior (I'm guessing not) and b) how can I work out what is causing
the problems? I've checked messages, and there is nothing strange in
there (just some ftp-proxy 'client reset connection' and 'server
refused connection' messages) and daemon (a few BGP updates not many).
On restart, I get a flood of BGP updates.

Where should I be looking? Should I just restart bgpd next time or
does this seem like something else?? Any advice would be greatly
appreciated!

Post your dmesg, the contents of /etc/pf.conf and your BGP configuration
file. Doing so will not solve your issue but it will give other members of
the list more information about your setup.



Re: How to run and manage a DNS server.

2007-06-06 Thread Open Phugu

On 6/6/07, Bray Mailloux <[EMAIL PROTECTED]> wrote:

Hello;

This is my first time managing anything larger than a simple dhcp or pf
box and I'm wondering if there is anyone available on this list who can
answer a few questions I have concerning the creation and management of
DNS servers.

Give us details of what you want to accomplish and your questions.



Re: How to run and manage a DNS server.

2007-06-06 Thread Open Phugu

On 6/6/07, Sam Fourman Jr. <[EMAIL PROTECTED]> wrote:

well here is a question, I was wondering if there would be any way to make
OpenBSD based DNS servers have a PostgreSQL backend. (I know there will be
a performance hit)

This (http://home.tiscali.cz:8080/~cz210552/sqldns.html) might do what you
want, but be warned, it might be *very* slow.
A simpler solution would be to use bind and regularly dump the contents of
the database into the zone files.
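The "dump the database into the zone files" approach suggested above is simple enough to show end to end. The following is an added example, not code from the thread or from the sqldns project: it reads records from a SQL table (sqlite3 in memory stands in for PostgreSQL so the script runs offline; the `records` table layout and the zone name `example.com.` are assumptions), bumps the SOA serial in the usual YYYYMMDDnn style so secondaries notice the change, and refuses any owner name or rdata that could smuggle extra records or directives into the zone file, which is the check worth having when the data comes from an application database rather than from the DNS administrator.

```python
"""Dump DNS records from a SQL table into a BIND zone file (added example).
sqlite3 stands in for PostgreSQL; the schema and zone name are assumed."""
import re
import sqlite3
from datetime import date

ZONE = "example.com."   # assumed zone; every owner name below is relative to it
PRIMARY, CONTACT = "ns1.example.com.", "hostmaster.example.com."
SCHEMA = ("CREATE TABLE records (name TEXT NOT NULL, ttl INTEGER NOT NULL, "
          "type TEXT NOT NULL, prio INTEGER, data TEXT NOT NULL)")
SAMPLE_ROWS = [                  # constructed data, not a real zone
    ("@", 3600, "NS", None, "ns1.example.com."),
    ("ns1", 3600, "A", None, "192.0.2.53"),
    ("www", 600, "A", None, "192.0.2.10"),
    ("@", 3600, "MX", 10, "mail.example.com."),
    ("mail", 3600, "A", None, "192.0.2.25"),
    ("ftp", 600, "CNAME", None, "www"),
    ("_txt", 300, "TXT", None, "v=spf1 mx -all"),
]
# Whitelists: anything else (whitespace, ';', '(', newlines, '$') could turn
# one database row into several zone entries or a $INCLUDE-style directive.
SAFE_NAME = re.compile(r"\A(@|[A-Za-z0-9_.-]+)\Z")
SAFE_DATA = re.compile(r"\A[A-Za-z0-9:._-]+\Z")


def sample_db() -> sqlite3.Connection:
    """In-memory stand-in for the PostgreSQL backend, loaded with SAMPLE_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO records VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def next_serial(previous: int, today: int) -> int:
    """YYYYMMDDnn serial: restart at nn=00 on a new day, else increment.
    (More than 100 dumps in one day spill into the next day's range.)"""
    base = today * 100
    return previous + 1 if previous >= base else base


def format_record(name: str, ttl: int, rtype: str, prio, data: str) -> str:
    """Render one row, validating every field that lands in the zone text."""
    if not SAFE_NAME.match(name):
        raise ValueError("unsafe owner name %r" % name)
    if not isinstance(ttl, int) or not 0 < ttl < 2 ** 31:
        raise ValueError("bad ttl %r" % ttl)
    rtype = rtype.upper()
    if rtype == "TXT":
        if "\n" in data or "\r" in data:
            raise ValueError("newline in TXT data")
        # quote and escape so a stray quote cannot close the string early
        rdata = '"%s"' % data.replace("\\", "\\\\").replace('"', '\\"')
    elif rtype == "MX":
        if prio is None or not SAFE_DATA.match(data):
            raise ValueError("MX needs a priority and a safe target")
        rdata = "%d %s" % (prio, data)
    elif SAFE_DATA.match(data):
        rdata = data
    else:
        raise ValueError("unsafe rdata %r for %s" % (data, rtype))
    return "%s %d IN %s %s" % (name, ttl, rtype, rdata)


def render_zone(rows, serial: int) -> str:
    """Zone text: $ORIGIN/$TTL, the SOA, then one line per database row."""
    lines = [
        "$ORIGIN %s" % ZONE,
        "$TTL 3600",
        "@ 3600 IN SOA %s %s (" % (PRIMARY, CONTACT),
        "    %d ; serial" % serial,
        "    3600 ; refresh",
        "    900 ; retry",
        "    604800 ; expire",
        "    300 ) ; minimum",
    ]
    lines.extend(format_record(*row) for row in rows)
    return "\n".join(lines) + "\n"


def dump_zone(conn: sqlite3.Connection, previous_serial: int, today=None):
    """Return (new_serial, zone_text) for the records currently in the table."""
    today = today or int(date.today().strftime("%Y%m%d"))
    serial = next_serial(previous_serial, today)
    rows = conn.execute("SELECT name, ttl, type, prio, data FROM records "
                        "ORDER BY name, type").fetchall()
    return serial, render_zone(rows, serial)


if __name__ == "__main__":
    serial, text = dump_zone(sample_db(), previous_serial=2007060601)
    print(text)   # in practice: write to the zone file, then `rndc reload`
```

Run from cron, the script only needs the last serial it wrote (store it beside the zone file); the validation in format_record is what keeps a bad row in the application database from becoming a bad zone rather than a failed dump.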