As Bob alluded to, corp scanning is a Dot the I, Cross the T accounting
measure. If you want to make them happy, make them happy. It doesn't take
much to determine what the src ip is for a scan engine. I leave the rest to
you.
diana
On 14 March 2010 11:37, Steve Shockley wrote:
> On 3/13/2010 10:57 AM, Bob Beck wrote:
>>
>> you're going
>> to spend a lot of time jerking off instead of basing anything on
>> reality.
>
> So, you'd be a masturbating monkey?
>
>
Well, I am an OpenBSD developer after all... So doesn't that go with
On 3/13/2010 10:57 AM, Bob Beck wrote:
you're going
to spend a lot of time jerking off instead of basing anything on
reality.
So, you'd be a masturbating monkey?
On Fri, 12.03.2010 at 13:28:07 -0700, kj...@pintday.org
wrote:
> > Very good suggestion, indeed.
-20
I'm impartial, though, as I don't use the default configuration,
anyway. I think it's rather a non-issue.
> > Especially, if someone has a 'dangerous' file, a PHP Shell for instance,
> > (a per
> I understand what you say and I appreciate you taking the time to write.
> Hiding files or pretending others can't see them doesn't make us more
> secure.
>
> I guess the real issue is that sometimes people use check lists. Items
> such as this are on those lists. Technical people are asked to ma
> My apologies. The look on the Linux people's faces when they see all of
> these OpenBSD boxes with *0* vulnerabilities compared to the 200 to 300
> of their own drove me to it. I'll not do it again.
>
The problem is you are equating vulnerability scanners - which are a
product of script kiddies t
On Sat, 13 Mar 2010 17:12 +0200, "Lars Nooden"
wrote:
> Brad and Ozgur,
>
> If your file is in the server's document root, then it is published [1].
> For whatever reason, a lot of C-Levels act as if they are unclear on
> that. There is also often the false belief among them that security and
>
Brad and Ozgur,
If your file is in the server's document root, then it is published [1].
For whatever reason, a lot of C-Levels act as if they are unclear on
that. There is also often the false belief among them that security and
usability are mutually exclusive. I don't understand the rules in
On 2010/03/13 03:19, Ozgur Kazancci wrote:
> > Yes we are, while we are at it we can ship an http.conf file that will
> > only listen on port 8000 on localhost when the daemon comes up as
> > well, and that would be super obscure as well, and it would only read
> > index files ending in .HolyFuck, a
On Fri, 12 Mar 2010 19:21 -0700, "Theo de Raadt"
wrote:
> > On Fri, 12 Mar 2010 18:25 -0700, "Theo de Raadt"
> > wrote:
> > > That's a lot of words.
> > >
> > > The default configuration is not going to be changed in this way.
> >
> > To be honest, my patch is selfish. I get perfect vulnerabili
> On Fri, 12 Mar 2010 18:25 -0700, "Theo de Raadt"
> wrote:
> > That's a lot of words.
> >
> > The default configuration is not going to be changed in this way.
>
> To be honest, my patch is selfish. I get perfect vulnerability
> assessment scores on OpenBSD boxes when doing vulnerability scans
On Fri, 12 Mar 2010 18:25 -0700, "Theo de Raadt"
wrote:
> That's a lot of words.
>
> The default configuration is not going to be changed in this way.
To be honest, my patch is selfish. I get perfect vulnerability
assessment scores on OpenBSD boxes when doing vulnerability scans until
I enable A
> > Yes we are, while we are at it we can ship an http.conf file that will
> > only listen on port 8000 on localhost when the daemon comes up as
> > well, and that would be super obscure as well, and it would only read
> > index files ending in .HolyFuck, and we'd ship a mime types
> > where HolyFuc
> Yes we are, while we are at it we can ship an http.conf file that will
> only listen on port 8000 on localhost when the daemon comes up as
> well, and that would be super obscure as well, and it would only read
> index files ending in .HolyFuck, and we'd ship a mime types
> where HolyFuck was html
On Fri, 12 Mar 2010 16:44 -0700, "Bob Beck" wrote:
> What in god's name do you need sshv1 for anymore? What client are you
> using that still
> uses it? How old and vulnerable is it?
That was my hyperbole... remember? Apache 1.3.x anyone?
Brad
> Turn SSHv1 back on please why do you force me to twist that knob! That's
> some hyperbole of my own ;) Alright, I give up. Turning the option off
> manually works for me. I don't want or need it and I assumed other
> OpenBSD folks would feel the same.
Not being able to get directory indexes of m
> Apache comes up and works fine with Indexes off (for me at least).
>
Well, having indexes on is much nicer for having it do things like,
install OpenBSD from.
On Fri, 12 Mar 2010 16:17:51 -0700 Bob Beck wrote:
> Off is off. Don't make it where you have to turn 8 knobs to turn
> something on. Because you wanted it "more off".
Alternatively, you could make the user turn 8 knobs to turn
something "moron" ;)
(sorry, couldn't resist)
On Fri, 12 Mar 2010 16:17 -0700, "Bob Beck" wrote:
> >>
> >> It *IS* off by default. I have yet to see an OpenBSD machine that I
> >> can install that
> >> will come up with httpd turned on.
> >
> > We are not talking about the same thing. I understand that httpd is off
> > by default. The *optio
>> It *IS* off by default. I have yet to see an OpenBSD machine that I
>> can install that
>> will come up with httpd turned on.
>
> We are not talking about the same thing. I understand that httpd is off
> by default. The *option* is on by default in the config file.
>
Yes we are, while we are a
> On Fri, 12 Mar 2010 16:05 -0700, "Bob Beck" wrote:
> > On 12 March 2010 12:53, Brad Tilley wrote:
> > > On Fri, 12 Mar 2010 10:10 -0800, "patrick keshishian"
> > > wrote:
> > >> does disabling this option /really/ improve security?
> > >
> > > No, not unless you consider keeping files that are
On Fri, 12 Mar 2010 16:05 -0700, "Bob Beck" wrote:
> On 12 March 2010 12:53, Brad Tilley wrote:
> > On Fri, 12 Mar 2010 10:10 -0800, "patrick keshishian"
> > wrote:
> >> does disabling this option /really/ improve security?
> >
> > No, not unless you consider keeping files that are
> > inappropr
On 12 March 2010 12:53, Brad Tilley wrote:
> On Fri, 12 Mar 2010 10:10 -0800, "patrick keshishian"
> wrote:
>> does disabling this option /really/ improve security?
>
> No, not unless you consider keeping files that are
> inappropriately/accidentally copied to these directories a security
> issue
On Fri, Mar 12, 2010 at 3:28 PM, wrote:
>> Very good suggestion, indeed.
>>
>> Especially, if someone has a 'dangerous' file, a PHP Shell for instance,
>> (a perfect example:
>> http://mgeisler.net/downloads/phpshell/phpshell-1.7.tar.gz)
>> inside such a directory. (Or even maybe a simple file u
> Also, think "emacs-turdfile". Have any config.php~ lying around?
>
> or index.php~?
>
> Are you SURE?
>
Sorry for the lack of explanation. I meant a server where
you have thousands of vhosts/users.
Yes, you can disable the indexing.
Yes, you can activate the PHP's safe_mode, but...
> Very good suggestion, indeed.
>
> Especially, if someone has a 'dangerous' file, a PHP Shell for instance,
> (a perfect example:
> http://mgeisler.net/downloads/phpshell/phpshell-1.7.tar.gz)
> inside such a directory. (Or even maybe a simple file uploader, that will
> help the attacker to uplo
> > It seems in line with OpenBSD's off by default posture, that is
> > the only reason I suggested it.
>
> Very good suggestion, indeed.
>
> Especially, if someone has a 'dangerous' file, a PHP Shell for instance,
Anything PHP is dangerous. But there is a perfect cure for these files,
known as t
> It seems in line with OpenBSD's off by default posture, that is
> the only reason I suggested it.
Very good suggestion, indeed.
Especially, if someone has a 'dangerous' file, a PHP Shell for instance,
(a perfect example: http://mgeisler.net/downloads/phpshell/phpshell-1.7.tar.gz)
inside such a d
On Fri, 12 Mar 2010 10:10 -0800, "patrick keshishian"
wrote:
> does disabling this option /really/ improve security?
No, not unless you consider keeping files that are
inappropriately/accidentally copied to these directories a security
issue. It seems in line with OpenBSD's off by default posture,
Nope.
On 12 March 2010 11:10, patrick keshishian wrote:
> does disabling this option /really/ improve security?
>
>
> On Fri, Mar 12, 2010 at 9:41 AM, Brad Tilley wrote:
>> When run against default OpenBSD servers that have Apache enabled,
>> vulnerability assessment software (Nessus, Rapid7, et
does disabling this option /really/ improve security?
On Fri, Mar 12, 2010 at 9:41 AM, Brad Tilley wrote:
> When run against default OpenBSD servers that have Apache enabled,
> vulnerability assessment software (Nessus, Rapid7, etc.) complain about
> "browsable web directories". The concern is
When run against default OpenBSD servers that have Apache enabled,
vulnerability assessment software (Nessus, Rapid7, etc.) complain about
"browsable web directories". The concern is that someone may
accidentally place inappropriate files in the web directories that will
then be visible to others.
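Added example (not code from this thread or from OpenBSD): a small Python audit that parses the `<Directory>` blocks of an Apache httpd.conf and reports which ones end up with the `Indexes` option enabled, the setting the scanners above report as browsable directories. The config text is constructed for the example; the `Options` handling follows Apache's rule that an all-absolute list replaces the option set while `+`/`-` tokens modify it.

```python
"""Report Apache <Directory> blocks whose effective Options enable Indexes."""
import re

# Constructed httpd.conf fragment for the example (not a real OpenBSD default file).
CONSTRUCTED_HTTPD_CONF = """\
<Directory "/var/www/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/var/www/htdocs/private">
    Options -Indexes
</Directory>
<Directory "/var/www/cgi-bin">
    Options None
</Directory>
"""

DIR_BLOCK = re.compile(r'<Directory\s+"?([^">]+)"?>(.*?)</Directory>', re.S)
OPTIONS_LINE = re.compile(r'^\s*Options\s+(.*)$', re.M | re.I)


def indexing_enabled(block_body):
    """Return True if the Options lines of one block leave Indexes on.

    Apache semantics: a line whose tokens carry no +/- replaces the whole
    option set ('Options FollowSymLinks' turns Indexes off); tokens with
    +/- add to or remove from the current set. 'All' includes Indexes.
    """
    enabled = False
    for m in OPTIONS_LINE.finditer(block_body):
        tokens = [t.lower() for t in m.group(1).split()]
        if not any(t[0] in "+-" for t in tokens):
            enabled = any(t in ("indexes", "all") for t in tokens)
            continue
        for t in tokens:
            if t in ("+indexes", "+all"):
                enabled = True
            elif t in ("-indexes", "-all"):
                enabled = False
    return enabled


def directories_with_indexes(conf_text):
    """List the paths of <Directory> blocks that still allow directory listing."""
    return [path for path, body in DIR_BLOCK.findall(conf_text)
            if indexing_enabled(body)]


if __name__ == "__main__":
    for path in directories_with_indexes(CONSTRUCTED_HTTPD_CONF):
        print("Indexes enabled for", path)
```

A block that never mentions Options inherits from its parent in Apache; this audit only reports what each block sets explicitly.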