DaemonForums  

#1  shep, 31st December 2009
Browser Security

I finally feel comfortable setting up and running a current OpenBSD system and as part of a New Year's resolution have been trying to increase the security of my home network. I have one computer on a NIC and I just finished changing the rest from WEP -> WPA2. The one on the NIC is running Arch Linux.

I'm predominately a desktop user and the things that concern me the most are online banking and online purchases with credit cards. These tasks are browser based and my bank web site will not work with lynx. I delete all web cookies after purchases and banking. I maintain a simple web site for our local EAA chapter and may take advantage of the email server our web host has.

I am thinking about putting an OpenBSD current system on the NIC cable. My choice of current is based on the availability of newer browser versions with security updates. With that background, on to the questions:

1) Is it worth migrating the OpenBSD system to the NIC, i.e. do I gain anything over Arch Linux and if so what? How important is the gain?
2) What are the chances that current will break irrevocably if I "pkg_add -F update -u" periodically? I'm willing to back up my home directory before updates. How often do current users have to rebuild xenocara, kernel and userland?

Thanks in advance for your input

#2  J65nko, 31st December 2009

Quote:
Originally Posted by shep View Post
How often do current users have to rebuild xenocara, kernel and userland
Depends on how you run current. I never recompile anything, always a clean fresh install from the snapshot binary filesets and packages.

Saves a lot of wear and tear on your disk, saves electricity and thus is good for the environment. I wonder if I could make some money by selling my unused carbon emission rights

I have two disks in my system. I use both disks to install OpenBSD snapshots.
If I want to try a new snapshot, I do a fresh install on the oldest snapshot disk. That way I always have a working snapshot on the other disk to fall back on.

If you are careful you could follow a similar procedure by using two OpenBSD MBR partitions on a single disk. But as disks are cheap, I don't bother anymore.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

#3  There0, 1st January 2010

I too do NOT usually compile anything, most of my requirements (security and userland) are met by binary packages, while you could call me a liar for recently patching and recompiling my kernel(s) (need an i386 sp and mp kernel patched). I usually do all my testing in a virtual machine, even my compiling, it makes me feel safer from me

I have a small shell script that calls other shell scripts that peel out my configs and some user settings (log files too on firewall). I, like J65nko, prefer multiple hard disks, they ARE very inexpensive and are good to have handy, I do also make triplicate backups of all my important files.

Quote:
1) Is it worth migrating the OpenBSD system to the NIC, i.e. do I gain anything over Arch Linux and if so what? How important is the gain?
I have used Trustix and Engarde Linux's in the past (currently only use Backtrack and KUbuntu liveboot), I find OpenBSD MUCH more stable, robust and secure, and the developers have made it a dream to work with. I have been using OpenBSD since 2.6 and am SOOOOOO glad I have, it has been a very pleasing experience, the community is great too.

Quote:
2) What are the chances that current will break irrevocably if I "pkg_add -F update -u" periodically? I'm willing to back up my home directory before updates. How often do current users have to rebuild xenocara, kernel and userland?
Honestly I have never rebuilt xenocara, the odd userland application and rebuild the kernel ONLY when I'm patching (this too is rare, you can patch up to date and rebuild quickly, then just reboot from new kernel). I have broken my install by my own stupidity by wrong syntax (in the wrong directory) or simple typos in conf files (usually fixable). I try to keep current with releases every 6 months or so, as long as I'm patched up, I fear not missing one.

I actually had a booboo earlier this evening, the livecd that jggimi produces saved me quite a headache when I had to recover 1 tarred up file (full of configs and user settings) from a blown out install. I could have saved the install but opted to instead reinstall on one of my laptops, I had all the required configs and setting files needed.
__________________
The more you learn, the more you realize how little you know ....

Last edited by There0; 1st January 2010 at 12:03 PM.

#4  ocicat, 4th January 2010

Quote:
Originally Posted by shep View Post
What are the chances that current will break irrevocably if I "pkg_add -F update -u" periodically?
It is imperative to keep the system & applications synchronized. Failure to do so can result in weirdnesses described in Section 15.4.1. So before updating applications, update the system. Studying Section 5.1 would also be beneficial.
Quote:
How often do current users have to rebuild xenocara, kernel and userland?
On whatever schedule you want. As you can see from other responses to this thread, many don't. Personally, I update weekly. Some developers update daily. It all depends on your goals & time.

#5  Oko, 4th January 2010

Quote:
Originally Posted by shep View Post
I'm predominately a desktop user and the things that concern me the most are online banking and online purchases with credit cards.
Then you should not do it. Unless you control complete Internet infrastructure connecting your computer with the servers of your bank you are completely exposed. Even worse, if you run X your working assumption should be that what you can see on your monitor anybody can see.

The above being said, I sometimes use credit cards on-line and I do log into my bank accounts from time to time. It is all about the risk you can take. I am not familiar with Linux so I really do not know how much you would gain in terms of security by switching to OpenBSD.