DaemonForums > OpenBSD > OpenBSD General

#1, 28th August 2009
Stellar (Port Guard)

sysjail alternative

It has been announced they are closing down. Anyone know any alternative for this? Or any honeypot for OpenBSD?
Quote:
IMPORTANT: Due to handling semantics of user/kernel memory in concurrent environments, the sysjail tools, in inheriting from systrace(4), are vulnerable to exploitation. Details available here. Many thanks to Robert Watson for discovering these issues! Until these problems have been addressed, we do not recommend using sysjail (or any systrace(4) tools, including systrace(1)) for security purposes. sysjail is no longer maintained.

#2, 28th August 2009
BSDfan666 (Helpful companion)

Unfortunately not. FreeBSD has a more in-depth jail mechanism with kernel support, but it's quite an extensive modification and very unlikely to be ported easily.

The problem here is that the primary developers of sysjail assumed, like many others, that systrace was designed for security, but the man page for it has warned about a major design flaw for many years.

This doesn't mean that systrace can't be useful in controlled situations; it shouldn't have been purged immediately like the NetBSD folks decided to do.

If you try to explain what you require, it may be possible for you to achieve the "security" you desire using traditional (and/or OpenBSD-specific) mechanisms, so please consider telling us a little more about your setup.

I personally don't recommend virtualization or emulation, but assuming this isn't going into production, it may be an option for you.

#3, 28th August 2009
Stellar (Port Guard)

I am surprised how friendly the BSD community is. I am new enough to OpenBSD, this is my first week lol, and I haven't touched even Linux for years, so pardon me. My setup is simple: I am going to use this box as a firewall. My connection comes from ADSL at 2 Mbps. I planned to divide the bandwidth evenly for 3 people, and if possible apply QoS also, but my first priority is bandwidth management. Could download managers (FlashGet, etc.) break the BSD traffic shaping setup? I tried using a Windows box with kiddie software like bandwidth limiters; FlashGet/YouTube/streaming easily broke the software.

I have been doing some research and so far found this: http://www.benjaminheckmann.de/how..._altq_v2.7.pdf , a great start, but I still need more comment from experts like you, and more n00b-friendly for someone like me. Thx for helping.

#4, 28th August 2009
Stellar (Port Guard)

I was testing scanning my own test box; surprisingly there are more than 100 TCP/UDP ports open o_0. How can I fully make this box invisible? I need advice, tips and tricks on how to execute my plan, including hardening the box, and anything else that I may have forgotten.

For hardening I got this: www.cromwell-intl.com/security/linux-hardening.html
Hmm, sorry for these; the antispam requires 5 min from post to post before posting a URL.

#5, 28th August 2009
jggimi (More noise than signal)

Start with the OpenBSD FAQ. It is the primary "howto" for the user community, and more importantly, the only supported "howto".

In general, avoid Linux documentation; there are similarities but these are two very different OSes. Linux is not OpenBSD. OpenBSD is not Linux. For that matter, OpenBSD is neither FreeBSD nor NetBSD.

Most importantly, be extremely careful of any 3rd-party OpenBSD documentation or guides; they are often out-of-date, incomplete, written by newbies, and with unclear scope and configuration limitations.

Bandwidth management (traffic shaping) is handled by OpenBSD's Packet Filter, PF. Start with the PF Users Guide, which is included with the OpenBSD FAQ. The specific chapter is called "Packet Queueing and Prioritization."

OpenBSD is secure by default. The default install has some open TCP and UDP ports, but these are for standard services that have been audited for security implications. Some examples of these: identd, daytime, date. OpenBSD users do not configure the OS to be hidden; such is anathema. The developers believe "security by obscurity is not security at all."

#6, 31st August 2009
nacredata (Port Guard)

I can relate my experience with one scenario where limiting access for some users is needed. I use the newish SSH capability to invoke an internal-sftp server in combination with the Match User directive in sshd_config, forcing the user to use this sftp instance in a chroot. I use this for allowing people access to the web root when we are working together on a web project, but they don't need access outside of the web root or full shell access.

Code:
AllowUsers ______
Subsystem sftp internal-sftp

Match User ______
    ForceCommand internal-sftp
    ChrootDirectory /var/www

# copied note from forum on how to make sure this works:
# This is quite simple really, it's stat()ing the directory specified for
# "ChrootDirectory" and all its parents up to / and checking that they are:
#
#     * owned by root
#     * not group or other writable

#7, 4th September 2009
Stellar (Port Guard)

@nacredata

Nice way.

Btw, I saw the conference video by mult about process isolation from
http://www.youtube.com/watch?v=JaVnNllZxn4
It was named instproc, but I can't find it anywhere, even in ports. Any idea when it's going to be implemented?

#8, 4th September 2009
jggimi (More noise than signal)

If you listen to the presenter, Kristaps Dzonsons, he tells you where to find information on the second slide of his presentation. The .pdf for the presentation is online at www.dcbsdcon.org/speakers/slides/dzonsons_dcbsdcon2009.pdf

At this moment, I cannot connect to the website, but I found the following in Google's cache. Highlights mine:
Quote:
mult is an on-going research project to create a high-performance instance multiplicity system. An instance multiplicity system has a forest of process trees, each rooted at init(8), instead of a single, global tree. Each tree, an instance, has a set of resources isolated from other instances.

mult effects multiplicity by isolating system resource in-kernel. It's implemented as a local branch of the NetBSD and OpenBSD operating systems, specifically as tagged in CVS at netbsd-5-0-RC2 and (waiting for stable RC) OPENBSD_4_4. The local branches are tagged as netbsd-5-0-MULT and OPENBSD_4_4_MULT.

Until otherwise stated, all instructions below focus on the OpenBSD version of mult....

...the below instructions will overwrite existing OpenBSD sources, built objects, and installed binaries. Be careful!
Therefore, it is not yet part of the OS. It may be, one day. It is not yet a port/package, and I doubt it could be, as I believe the extent of changes to the kernel prevent it. (Kernel modules in packages are possible, such as emulators/kqemu, but they must be able to be separate entities. This is not.)