is default security applied?
I think I will be a new OpenBSD user. I want to learn about this OS by using it. I read that OpenBSD is friendly to new users who aren't security experts. After the installation, how do I know if default security is applied? What should be my best practices to keep me secure while I study and discover OpenBSD?
Please give me your advice and opinion. Thanks in advance.
Quote:
Yet to answer your question, users of any operating system need to be vigilant about what protocols & ports are accessible to the outside world. Password strength is another topic in which you should be familiar. As a newbie, you will save yourself significant time & frustration by:
One of the catchphrases of OpenBSD is, "Secure by Default." See www.openbsd.org/security.html for an overview of security features, including "Secure by Default."
As mentioned there, the default installation has few services running, and each is considered secure enough to be exposed directly on the Internet without fear of successful attack. As the home page of the Project website states, there have been two known remote attack vectors in the last 10 years, but no known exploits of them. Once you change anything in the default installation -- make a configuration change, install a 3rd party package -- you are no longer running a default install, and the choices YOU make will affect your security. Knowledge is necessary, and it is gained by experience and understanding of your specific environment and specific needs.

For example: during install, you are asked if you would like to have an OpenSSH daemon started during bootup. If you request the OpenSSH server to be started, you need to know that the default configuration allows the "root" superuser to log on, and, the default configuration allows authentication via passwords. So, if you enable the SSH daemon during install, you are immediately responsible for ensuring the strength of the root password on any network the OS is exposed to, including the Internet, if directly connected to it. Poor decisions right then, such as "root" having no password or a poor password such as "root" -- will make your OS immediately insecure.

Why is this the default configuration? Primarily for ease of initially provisioning the OS remotely. Would you want a production server to have this configuration? Perhaps, depending on exposure and the strength of passwords used. I'm one of those admins who believes passwords are an awful way to secure anything. An 8-byte ASCII password can be broken in a few days by scripted attack. So I configure all production SSH daemons I administer to deny root logon, and also to deny password authentication. Instead I configure alternate, stronger authentications such as public keys and S/Key one-time-passphrases.

The specific authentication depends upon the server and its services. Understanding your environment, and the changes you wish to make, then comprehending the impact of your choices are necessary steps to success.
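An added example to go with the post above (it is not jggimi's script or anything shipped with OpenBSD): a small POSIX sh audit that reads an sshd_config and reports whether the two defaults the post warns about, root logon and password authentication, are still in effect. It honours the way sshd_config is actually parsed: the first occurrence of a keyword wins, so hardening lines appended to the end of a file that already sets the keyword near the top do nothing, and settings inside a "Match" block are conditional and are not counted. The file path argument, the sample files and the treatment of an absent keyword as "yes" (the default behaviour the post describes) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the two
# defaults discussed above (root login and password authentication).
# Assumptions: the file path is passed as an argument; an absent keyword is
# treated as "yes", which is the default behaviour the post describes.

# sshd_get KEYWORD FILE -> prints the effective value of KEYWORD (lower-case).
# OpenSSH honours the FIRST occurrence of a keyword; later duplicates are
# ignored. Everything after a "Match" line is conditional and is skipped.
sshd_get() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/          { next }      # comment or blank line
        tolower($1) == "match"  { exit }      # rest of file is conditional
        {
            line = $0
            sub(/=/, " ", line)               # accept "Keyword=value" as well
            n = split(line, f)                # default FS: whitespace runs
            if (n >= 2 && tolower(f[1]) == key) { print tolower(f[2]); exit }
        }
    ' "$2"
}

# sshd_audit FILE -> one line per setting; exit status 0 only when root
# logon and password authentication are both turned off, as in the post.
sshd_audit() {
    root=$(sshd_get PermitRootLogin "$1")
    pw=$(sshd_get PasswordAuthentication "$1")
    rc=0
    case "${root:-yes}" in
        no) echo "PermitRootLogin: no" ;;
        prohibit-password|without-password)
            echo "PermitRootLogin: $root (root allowed with keys only)"; rc=1 ;;
        *)  echo "PermitRootLogin: ${root:-yes} (root may log on over SSH)"; rc=1 ;;
    esac
    case "${pw:-yes}" in
        no) echo "PasswordAuthentication: no" ;;
        *)  echo "PasswordAuthentication: ${pw:-yes} (password guessing possible)"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample files (not copied from any real host).
DEFAULT_CFG=$(mktemp)
cat >"$DEFAULT_CFG" <<'EOF'
# stock-style file: both keywords commented out, so the defaults apply
#PermitRootLogin yes
#PasswordAuthentication yes
Subsystem sftp /usr/libexec/sftp-server
EOF

APPENDED_CFG=$(mktemp)
cat >"$APPENDED_CFG" <<'EOF'
# common mistake: hardening appended below lines that already set the
# keyword; the first occurrence wins, so the appended lines are ignored
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
PasswordAuthentication no
EOF

HARDENED_CFG=$(mktemp)
cat >"$HARDENED_CFG" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
# one-time passphrases (S/Key) are delivered via keyboard-interactive
KbdInteractiveAuthentication yes
Match Address 192.0.2.0/24
    PasswordAuthentication yes
EOF

# Stand-alone run: report on each sample file.
for f in "$DEFAULT_CFG" "$APPENDED_CFG" "$HARDENED_CFG"; do
    if sshd_audit "$f"; then echo "=> hardened"; else echo "=> not hardened"; fi
    echo
done
```

On a real host, run it against /etc/ssh/sshd_config and cross-check with "sshd -T", which prints the effective configuration after sshd has parsed it and is the final word on what the daemon will actually do.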
A noob can secure his network with OpenBSD.
jggimi makes an excellent point which bears repeating (in the fear of beating yet another horse into an unrecognizable blob... ).
Throwing OpenBSD blindly at a problem is no guarantee that the result is secure. Understanding what problems need to be solved & understanding how to implement these solutions with OpenBSD (& actually doing it...) is an entirely different situation.
Quote:
Or am I missing something?
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
That parameter does stop the initial session, carpetsmoker. Big deal... the script kiddies just reestablish another TCP session and continue, no time really lost.
Modern ssh attack scripts attempt to brute-force password authentication anyway, even if you have it disabled in sshd_config. So I also use PF to block scripted attacks and log the blocked IPs in a database. If you're blocked at my servers, I can give you a reason and a date/time of the misbehavior.
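An added example illustrating the approach in the post above; it is not jggimi's ruleset or database. The first part is a pf.conf fragment that uses PF's connection-rate tracking to move a source that opens too many SSH connections into a table and block it from then on; the second part is a small sh function that summarises blocked sources per IP from pflog-style text, which is the kind of record you would then write to a database. The interface name "egress", the table name "bruteforce", the thresholds and the sample log lines are all constructed for this example.

```shell
#!/bin/sh
# Added example, not the poster's configuration. Two pieces: a PF ruleset
# that rate-limits SSH connection attempts, and a summary of blocked source
# addresses from pflog-style lines. Interface "egress", table <bruteforce>
# and the 3/30 and 10 thresholds are assumptions, not from the thread.

PF_RULES=$(mktemp)
cat >"$PF_RULES" <<'EOF'
# Sources that exceed the limits below are added here and blocked outright.
table <bruteforce> persist
block in quick on egress from <bruteforce>
# Allow SSH, but a source opening more than 3 new connections in 30 seconds,
# or holding more than 10 at once, is moved into <bruteforce> and all of its
# existing states are flushed.
pass in on egress proto tcp to (egress) port 22 \
    keep state (max-src-conn 10, max-src-conn-rate 3/30, \
    overload <bruteforce> flush global)
EOF
# On the OpenBSD host: "pfctl -nf $PF_RULES" checks the syntax without
# loading it; "pfctl -t bruteforce -T show" lists who has been caught.

# pf_blocked_summary: reads pflog-style lines on stdin and prints
# "<count> <source address>" for each blocked source, busiest first.
pf_blocked_summary() {
    awk '
        /[ \t]block (in|out) on / {
            # the source address follows the interface name after "on"
            for (i = 1; i <= NF; i++) if ($i == "on") { src = $(i + 2); break }
            sub(/\.[0-9]+$/, "", src)      # strip the source port
            n[src]++
        }
        END { for (s in n) print n[s], s }
    ' | sort -rn
}

# Constructed sample in the shape of "tcpdump -n -e -ttt -r /var/log/pflog"
# output; addresses are documentation ranges, not real hosts.
PFLOG_SAMPLE='Jan 02 10:00:01.000000 rule 1/(match) block in on em0: 203.0.113.5.41234 > 192.0.2.1.22: S
Jan 02 10:00:02.000000 rule 1/(match) block in on em0: 203.0.113.5.41235 > 192.0.2.1.22: S
Jan 02 10:00:03.000000 rule 2/(match) pass in on em0: 198.51.100.7.50000 > 192.0.2.1.22: S
Jan 02 10:00:04.000000 rule 1/(match) block in on em0: 203.0.113.9.41000 > 192.0.2.1.22: S'

# Stand-alone run: show the ruleset, then the per-source block counts.
cat "$PF_RULES"
echo
printf '%s\n' "$PFLOG_SAMPLE" | pf_blocked_summary
```

The "flush global" keeps the offender from riding out an already-established session once it is tabled, and "persist" keeps the table around even while it is empty. Entries never expire on their own with this fragment; a periodic "pfctl -t bruteforce -T expire <seconds>" is the usual way to age them out.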