DaemonForums  

#1 aleunix, 10th June 2008

Questions about my home configuration services

Code:
$ fstat | grep internet | grep -v -e '>' -e '<'                               
ale      Xorg       24090    4* internet6 stream tcp 0xd6057004 *:6000
ale      Xorg       24090    6* internet stream tcp 0xd6057194 *:6000
root     sendmail   24841    4* internet stream tcp 0xd607a960 127.0.0.1:25
root     sendmail   24841    5* internet6 stream tcp 0xd607aaf0 [::1]:25
root     sendmail   24841    6* internet stream tcp 0xd607ac80 127.0.0.1:587
root     sendmail   24841    7* internet6 stream tcp 0xd607ae10 [::1]:587
root     inetd      20616    4* internet stream tcp 0xd607a000 *:113
root     inetd      20616    5* internet6 stream tcp 0xd607a190 *:113
root     inetd      20616    6* internet dgram udp 127.0.0.1:512
root     inetd      20616    7* internet6 dgram udp [::1]:512
root     inetd      20616    8* internet stream tcp 0xd607a320 *:13
root     inetd      20616    9* internet6 stream tcp 0xd607a4b0 *:13
root     inetd      20616   10* internet stream tcp 0xd607a640 *:37
root     inetd      20616   11* internet6 stream tcp 0xd607a7d0 *:37
_syslogd syslogd      764    4* internet dgram udp *:514
_dhcp    dhclient   12391    8* internet raw ip 0xd6199000
For the moment I have disabled sendmail (because I utilize only web email).
Code:
$ fstat | grep internet | grep -v -e '>' -e '<'        
ale      Xorg       28227    4* internet6 stream tcp 0xd6070960 *:6000
ale      Xorg       28227    6* internet stream tcp 0xd6070af0 *:6000
root     inetd      30906    4* internet stream tcp 0xd6070000 *:113
root     inetd      30906    5* internet6 stream tcp 0xd6070190 *:113
root     inetd      30906    6* internet dgram udp 127.0.0.1:512
root     inetd      30906    7* internet6 dgram udp [::1]:512
root     inetd      30906    8* internet stream tcp 0xd6070320 *:13
root     inetd      30906    9* internet6 stream tcp 0xd60704b0 *:13
root     inetd      30906   10* internet stream tcp 0xd6070640 *:37
root     inetd      30906   11* internet6 stream tcp 0xd60707d0 *:37
_syslogd syslogd     6171    4* internet dgram udp *:514
_dhcp    dhclient   28736    8* internet raw ip 0xd6199000
I would like to do some other optimization.

Also I have another question.
How can I disable a service without restarting the OS?

Note:
I have read FAQ 10.

#2 jggimi, 10th June 2008

As installed, sendmail(8) is limited to local loopback connectivity. It is operational on install to route output from security(8) and daily(8)/weekly(8)/monthly(8) cron jobs.

As installed, OpenBSD is "secure by default" -- those ports which are open are considered secure and necessary.

#3 BSDfan666, 10th June 2008

You can also stop Xorg from listening on TCP port 6000, assuming you are using ksh as your shell. Add the following to your .kshrc or .profile:
Code:
# ksh aliases cannot be exported, so the alias line alone is sufficient
alias startx='/usr/X11R6/bin/startx -- -nolisten tcp'
This will prevent utilization of "xhost" and friends, but you can still do X forwarding over SSH though.

Lines 31-34 in /etc/inetd.conf have the daytime/time services, ports 13 and 37 tcp; they may or may not be required.

In all honesty, you do not need to disable any of these services.. sendmail listens on localhost so it wasn't a security threat, a lot of system daemons use it for logging.

Consider configuring pf(4) instead of blindly disabling services you don't understand..

Take care.

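Added example (not part of any post in this thread): a small sh/awk filter that sorts the `fstat` socket lines from post #1 into wildcard-bound and loopback-only listeners, the distinction posts #2 and #3 rely on. The function names `sample_fstat` and `classify_listeners` are made up for this example, and the field positions are assumed from the listing shown in post #1.

```sh
#!/bin/sh
# Added example: classify fstat(1) socket lines by bind address.

# Sample input: the first listing from post #1, embedded so this runs offline.
sample_fstat() {
    cat <<'EOF'
ale      Xorg       24090    4* internet6 stream tcp 0xd6057004 *:6000
ale      Xorg       24090    6* internet stream tcp 0xd6057194 *:6000
root     sendmail   24841    4* internet stream tcp 0xd607a960 127.0.0.1:25
root     sendmail   24841    5* internet6 stream tcp 0xd607aaf0 [::1]:25
root     sendmail   24841    6* internet stream tcp 0xd607ac80 127.0.0.1:587
root     sendmail   24841    7* internet6 stream tcp 0xd607ae10 [::1]:587
root     inetd      20616    4* internet stream tcp 0xd607a000 *:113
root     inetd      20616    5* internet6 stream tcp 0xd607a190 *:113
root     inetd      20616    6* internet dgram udp 127.0.0.1:512
root     inetd      20616    7* internet6 dgram udp [::1]:512
root     inetd      20616    8* internet stream tcp 0xd607a320 *:13
root     inetd      20616    9* internet6 stream tcp 0xd607a4b0 *:13
root     inetd      20616   10* internet stream tcp 0xd607a640 *:37
root     inetd      20616   11* internet6 stream tcp 0xd607a7d0 *:37
_syslogd syslogd      764    4* internet dgram udp *:514
_dhcp    dhclient   12391    8* internet raw ip 0xd6199000
EOF
}

# Read fstat socket lines on stdin; print "scope command proto/port user"
# once per listener (the IPv4 and IPv6 sockets of one service are merged).
classify_listeners() {
    awk '
        $5 !~ /^internet6?$/ { next }
        {
            addr = $NF                  # bind address is the last field
            if (addr ~ /^\*:[0-9]+$/) scope = "wildcard"
            else if (addr ~ /^(127\.0\.0\.1|\[::1\]):[0-9]+$/) scope = "loopback"
            else next                   # raw sockets carry no addr:port
            port = addr; sub(/^.*:/, "", port)
            key = scope " " $2 " " $7 "/" port " " $1
            if (!(key in seen)) { seen[key] = 1; print key }
        }'
}

sample_fstat | classify_listeners
```

On a live system, feed it `fstat | grep internet | grep -v -e '>' -e '<'` as in post #1; the `wildcard` lines are the ones to cover with pf(4) rules or, for Xorg, with `-nolisten tcp`.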
#4 jggimi, 10th June 2008

Regarding port 6000 listening, see:

http://marc.info/?t=102905976900001&r=1&w=2

and

http://marc.info/?t=112532270200004&r=1&w=2

#5 aleunix, 10th June 2008

Quote:
Originally Posted by BSDfan666
sendmail listens on localhost so it wasn't a security threat, a lot of system daemons use it for logging.
...

Which, for example?

However, in this manner I have released additional memory.

$ top
SIZE RES COMMAND
1124K 1496K sendmail

Note:
I have also disabled the service ssh!

However, before disabling services about which I'm uncertain, I will ask for clarification.

#6 jggimi, 10th June 2008

Quote:
Originally Posted by aleunix
Which for example?

Daemons use syslogd(8). As I mentioned above in http://daemonforums.org/showpost.php?p=5823&postcount=2 sendmail is used for security(8) and the daily(8) management scripts.

Quote:
However, in this manner I have released additional memory.

$ top
SIZE RES COMMAND
1124K 1496K sendmail

In the event memory is needed, sendmail will be paged out or swapped out as the OS determines necessary. There is no "savings" from your change if you have swap space defined.

In addition, you have shown yourself concerned about security. Shutting down sendmail prevents you from seeing the results of security(8) output, which security-conscious admins should be reading every day.

Quote:
Note:
I have also disabled the service ssh!

You were asked during install if you wanted sshd(8) to be started. Had you replied "No" sshd would not be enabled in /etc/rc.conf.local.

#7 aleunix, 10th June 2008

Mmm, OK, I will restart this service.
Perhaps I will try to replace sendmail with postfix or exim.

#8 jggimi, 10th June 2008

Quote:
... Perhaps I will try to replace sendmail...


This would be of little value, unless you want to teach yourself postfix/exim.
  1. Sendmail is pre-configured to operate in a secure manner, without any external connectivity, to provide a valuable service to you. Postfix and exim are 3rd party packages which you will have to configure, and configure just as securely.
  2. You are running a graphical workstation. --> You are not running an e-mail server.
  3. Unless you have a static IP address, an internet domain, an MX DNS record, and an ISP that permits inbound SMTP traffic...you won't be able to run an effective e-mail server. You will not learn how to effectively configure postfix or exim if you are not running an e-mail server.
Setting up an e-mail server is easy. Setting it up to run properly on the Internet so that it does not spew SPAM, and so SPAM issues can be effectively managed and resolved is a more complicated endeavor.

#9 aleunix, 11th June 2008

Thanks.

roundkat, 12th June 2008

Quote:
Originally Posted by aleunix
Perhaps I will try to replace sendmail with postfix or exim.

I replace sendmail on every OpenBSD installation..
Postfix IMHO is so much easier to configure/troubleshoot..

About 4 years ago, I tried to configure Sendmail and after 3 days I gave up..

Installed Postfix and had it configured in about 10 minutes..

jggimi has also stated a very good point..
Setting up a good spam-free email server does require time..

All my SMTP (email) OpenBSD gateways run:
- OpenBSD spamd
- SpamAssassin
- Razor2
- DCC
- Amavisd

Example..
The office manager at our parish asked me if the (linux) email server was broken.
I asked.. "Why"... She said.. I am not getting any SPAM...


OpenBSD packages make it very easy to change from Sendmail
to Postfix if you so choose..

rk