DaemonForums  

Go Back   DaemonForums > Miscellaneous > General software and network

General software and network General OS-independent software and network questions, X11, MTA, routing, etc.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 10th January 2014
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 8,027
Default Newbie guide to operating services on the Internet

Today, on OpenBSD's misc@ mailing list, a poster discovered that his new OpenBSD installation had been rapidly compromised. Nick Holland posted the following short essay in reply.

I thought it was a brilliant response.

While you may not feel Mr. Holland's recommendations apply to you (and your skills, real or perceived), his point that mismanaged or mis-configured services can cause harm to others on the Internet is absolutely pertinent.

The entire post is here, and the thread begins here.

Quote:
> Ideas are going to be really appreciated, because i am not a technical guy.

ok, this is the unpopular answer, but here it is anyway: Stop. You should not be running your own web and mail server.

Years ago, I used to say that I could make a good case that anyone running a mail server or DNS server should require a license, for much the same reason as one should have a driver's license to drive on public roads: to indicate you have some minimum level of skill so you don't hurt others on the road....

...I exempted running a webserver because I felt that your average website was "safe" to other people...kinda like painting your own car -- you may do a lousy job, but no one has to look at your car/site. Well, these days of web applications pretty much means I was wrong, and yes, they are just as able to harm others on the Internet as mail and dns servers -- maybe even more so these days. If you don't know how to track down what happened -- and more importantly, don't know how to KEEP it from happening in the first place -- you should not be running services on the Internet. Using OpenBSD does not render your system unbreakable, any more than putting a five year old behind the wheel of a "safe" car makes them or the world "safe"....

...if you expose a service, you are under CONSTANT attack, if you have any kind of vulnerability, it WILL be exploited, and rather soon.
Reply With Quote
  #2   (View Single Post)  
Old 10th January 2014
rocket357's Avatar
rocket357 rocket357 is offline
Real Name: Jonathon
Wannabe OpenBSD porter
 
Join Date: Jun 2010
Location: 127.0.0.1
Posts: 429
Default

I have a publicly available web service running from my home network. It's running on it's own vlan behind very strict rate limited inbound/outbound pf rules, proxied behind chrooted nginx with all methods but GET turned off, with only generated static content running directly in nginx (pfstat!). The actual website is a small blogsum instance running in chrooted apache that isn't directly publicly available. The pf machine and the nginx/apache machines are all running up-to-date 5.4-STABLE builds.

Granted, the web site is not terribly *interactive* from the outside (i.e. no comments), but I wasn't designing for that =)
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.
Reply With Quote
  #3   (View Single Post)  
Old 12th February 2014
hanzer's Avatar
hanzer hanzer is offline
Real Name: Adam Jensen
just passing through
 
Join Date: Oct 2013
Location: EST USA
Posts: 314
Default A bully-boy groupie?

Quote:
Originally Posted by jggimi View Post
I thought it was a brilliant response.
Was it the public relations spin that you found admirable - Nick's attempt to immediately squash this mention of a possible insecurity as user incompetence before any discussion could begin? Did you enjoy the violence of seeing someone humiliated?

I, personally, saw nothing "brilliant" about the thread. I think Nick's response severely interfered with the community's ability to analyze and resolve the issues (wherever the problems might have been).

Reply With Quote
  #4   (View Single Post)  
Old 12th February 2014
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 8,027
Default

I'm sorry I wasn't sufficiently clear, hanzer. I'll briefly restate my thoughts.

Any of us can make a mistake. All of us do make mistakes, all the time. Sometimes our mistakes cause problems for others. When those are mistakes we make while operating Internet-facing services, those problems for others can be magnified and very far reaching. Apropos, knowledge of the best practices that mitigate those risks should be considered before operating those services.

Discussion continued - there were 16 additional posts in the thread after Nick's. http://marc.info/?t=138933594300001&r=1&w=2

Last edited by jggimi; 12th February 2014 at 08:53 PM. Reason: typo
Reply With Quote
  #5   (View Single Post)  
Old 12th February 2014
hanzer's Avatar
hanzer hanzer is offline
Real Name: Adam Jensen
just passing through
 
Join Date: Oct 2013
Location: EST USA
Posts: 314
Default

Quote:
Originally Posted by jggimi View Post
Discussion continued - there were 16 additional posts in the thread after Nick's. http://marc.info/?t=138933594300001&r=1&w=2
The fact that several people decided not to follow Nick's lead and instead chose to interact with the original poster in a civilized manner is a hopeful indicator that the OpenBSD mailing-list community isn't completely lost in madness and brutality. It's just so odd to me that the community leaders don't recognize that kind of behavior as being extremely foolish and detrimental to progress.

Some resources for OpenBSD users who would rather not be drawn into the mosh-pit:
Reply With Quote
  #6   (View Single Post)  
Old 13th February 2014
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 8,027
Default

My apologies for offending you. It was unintentional, as I considered the passage to be appropriate discourse. It is clear that two people can read the same text and have widely divergent opinions of interpretation.
Reply With Quote
  #7   (View Single Post)  
Old 13th February 2014
hanzer's Avatar
hanzer hanzer is offline
Real Name: Adam Jensen
just passing through
 
Join Date: Oct 2013
Location: EST USA
Posts: 314
Default

Quote:
Originally Posted by jggimi View Post
My apologies for offending you.
None taken. An interesting and relevant topic is unfolding, it's certainly worth discussing.

I suspect it's not unusual at all for console cowboys to go a little whack-a-mole crazy from time to time. This is probably due to the character of the technology. The desire for control in designing, building and using complex systems and the need for order as the complexity of the system increases, are both probably necessary for any significant success. But this isn't mathematics with idealized abstractions that are universally true and eternally perfect. [Computer] networks and software are messy evolving systems with an almost organic character. There will be parasites and predators filling the niches and taking advantage of opportunities as they arise. That's a characteristic of the technology. If dealing with that becomes overwhelming then it's time to take a break and maybe move out into the country and build clocks or go to a university and meditate serenely on mathematical perfections. However, it's very important not to let these mad buggers dictate social policy and try to force evolutionary processes into their small clock-work notions of order.
Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Disabling Services Not Needed EverydayDiesel OpenBSD Security 10 25th January 2010 01:20 PM
start stop services ? smooth187 OpenBSD General 4 31st August 2008 01:00 AM
Newbie-friendly "printing in OpenBSD" guide wanted Shagbag OpenBSD Packages and Ports 5 7th July 2008 09:26 PM
Questions about my home configuration services aleunix OpenBSD Security 9 12th June 2008 01:54 PM
Learn which services are listening on your box anomie Guides 5 14th May 2008 09:59 AM


All times are GMT. The time now is 11:47 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick