DaemonForums > OpenBSD > OpenBSD Security
#1, 18th June 2008, BFlatMinor (New User)
is default security applied?

I think I will be a new OpenBSD user. I want to learn about this OS by using it. I read that OpenBSD is friendly to new users who aren't security experts. After the installation, how do I know if default security is applied? What should be my best practices to keep me secure while I study and discover OpenBSD?
Please give me your advice and opinion.
Thanks in Advance.
#2, 18th June 2008, ocicat (Administrator)

Quote (BFlatMinor): After the installation, how do I know if default security is applied?
As you travel further down the road of experience, you will find out that the word "security" is both nebulous & subjective.

Yet to answer your question, users of any operating system need to be vigilant about what protocols & ports are accessible to the outside world. Password strength is another topic in which you should be familiar.

As a newbie, you will save yourself significant time & frustration by:
  • ...taking the time to seriously study the official FAQ:

    http://openbsd.org/faq/index.html
  • reading on both general Unix usage & what few OpenBSD books are available. Perhaps the best title is Michael Lucas' Absolute OpenBSD:

    http://www.amazon.com/Absolute-OpenB...3829712&sr=8-1

    Although somewhat dated, this book is still very worthwhile for all users of OpenBSD. Note that the book is also available for purchase in PDF form from No Starch Press.
#3, 19th June 2008, jggimi

One of the catchphrases of OpenBSD is, "Secure by Default." See www.openbsd.org/security.html for an overview of security features, including "Secure by Default."

As mentioned there, the default installation has few services running, and each is considered secure enough to be exposed directly on the Internet without fear of successful attack. As the home page of the Project website states, there have been two known remote attack vectors in the last 10 years, but no known exploits of them.

Once you change anything in the default installation -- make a configuration change, install a 3rd party package -- you are no longer running a default install, and the choices YOU make will affect your security. Knowledge is necessary, and it is gained by experience and understanding of your specific environment and specific needs.

For example: during install, you are asked if you would like to have an OpenSSH daemon started during bootup. If you request the OpenSSH server to be started, you need to know that the default configuration allows the "root" superuser to log on, and, the default configuration allows authentication via passwords. So, if you enable the SSH daemon during install, you are immediately responsible for ensuring the strength of the root password on any network the OS is exposed to, including the Internet, if directly connected to it. Poor decisions right then, such as "root" having no password or a poor password such as "root" -- will make your OS immediately insecure.

Why is this the default configuration? Primarily for ease of initial provisioning the OS remotely. Would you want a production server to have this configuration? Perhaps, depending on exposure and the strength of passwords used.

I'm one of those admins who believes passwords are an awful way to secure anything. An 8-byte ASCII password can be broken in a few days by scripted attack. So I configure all production SSH daemons I administer to deny root logon, and also to deny password authentication. Instead I configure alternate, stronger authentications such as public keys and S/Key one-time-passphrases. The specific authentication depends upon the server and its services.

Understanding your environment, and the changes you wish to make, then comprehending the impact of your choices are necessary steps to success.
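The sshd_config(5) defaults the post warns about can be checked mechanically rather than by eye. The script below is an added example, not code from the post or from OpenBSD: it reads an sshd_config with the same first-match rule sshd(8) uses, reports the weak settings, and prints a hardened fragment. The sample configuration it reads is constructed, and it assumes "Keyword value" lines (not "Keyword=value") and ignores Match blocks.

```shell
#!/bin/sh
# Added example, not code from the forum post or from OpenBSD: audit an
# sshd_config(5) for the defaults the post warns about and print the
# hardened replacement. Assumes "Keyword value" lines (no "Keyword=value")
# and ignores Match blocks.

# Effective value of one keyword. sshd(8) takes the first uncommented
# occurrence; keywords are case-insensitive, values are not.
# $1 = config file, $2 = keyword, $3 = value sshd uses when the keyword is absent
sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*#/   { next }             # comment lines
        /^[[:space:]]*$/   { next }             # blank lines
        tolower($1) == key { print $2; found = 1; exit }
        END                { if (!found) print def }
    ' "$1"
}

# One line per weak setting; empty output means all three are hardened.
# The fallback values are the OpenSSH compiled-in defaults of the period.
ssh_weak_settings() {
    cfg="$1"
    case "$(sshd_option "$cfg" PermitRootLogin yes)" in
        yes) echo "PermitRootLogin yes: root can authenticate over the network" ;;
    esac
    case "$(sshd_option "$cfg" PasswordAuthentication yes)" in
        no) ;;
        *)  echo "PasswordAuthentication yes: password guessing is possible" ;;
    esac
    # On OpenBSD, keyboard-interactive authentication goes through bsd_auth
    # and can still accept a password while this is on, so turning off
    # PasswordAuthentication alone does not stop password guessing.
    case "$(sshd_option "$cfg" ChallengeResponseAuthentication yes)" in
        no) ;;
        *)  echo "ChallengeResponseAuthentication yes: passwords still accepted via keyboard-interactive" ;;
    esac
}

# Hardened fragment in the spirit of the post: no root logon, public keys
# instead of passwords. S/Key one-time passphrases would need
# ChallengeResponseAuthentication left on and the allowed styles narrowed
# in login.conf(5); that variant is not covered here.
hardened_sshd_fragment() {
    cat <<'EOF'
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
EOF
}

# Constructed approximation of a stock sshd_config of the period: the
# interesting keywords are commented out, so the compiled-in defaults apply.
sample_default_config() {
    cat <<'EOF'
#Port 22
#PermitRootLogin yes
#PasswordAuthentication yes
#ChallengeResponseAuthentication yes
Subsystem sftp /usr/libexec/sftp-server
EOF
}
```

Usage on a live system is `ssh_weak_settings /etc/ssh/sshd_config`; on the constructed stock file all three findings print, on the hardened fragment none. Note that a stock file with everything commented out is not "safe because nothing is set": the absent keywords resolve to the permissive defaults, which is exactly the situation the post describes.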
#4, 21st June 2008, openbsdspirit (New User)

A noob can secure his network with openbsd.
#5, 21st June 2008, jggimi

I disagree, spirit.

OpenBSD makes a fine network router, and an excellent firewall.

However, setting up a firewall properly requires detailed knowledge of the network applications in use, a clear understanding of TCP/IP, and competency with PF.

I have seen countless noobs stumble with PF configurations, due to lack of knowledge of PF, lack of knowledge of their network application requirements, lack of understanding of TCP/IP. For proof, I refer you to the long history of PF problems and questions posted in the "OpenBSD Security" subforum at bsdforums.org, on the misc@ mailing list, on Usenet, on IRC, and on the PF mailing list.
#6, 21st June 2008, ocicat (Administrator)

jggimi makes an excellent point which bears repeating (in the fear of beating yet another horse into an unrecognizable blob... ).

Throwing OpenBSD blindly at a problem is no guarantee that the result is secure. Understanding what problems need to be solved & understanding how to implement these solutions with OpenBSD (& actually doing it...) is an entirely different situation.
#7, 21st June 2008, Carpetsmoker (Martin)

Quote (jggimi): I'm one of those admins who believes passwords are an awful way to secure anything. An 8-byte ASCII password can be broken in a few days by scripted attack. So I configure all production SSH daemons I administer to deny root logon, and also to deny password authentication. Instead I configure alternate, stronger authentications such as public keys and S/Key one-time-passphrases. The specific authentication depends upon the server and its services.
This is a bit OT, but you have a "MaxAuthTries" option which defaults to 6 ... Preventing brute-force attacks.
Or am I missing something?
#8, 21st June 2008, jggimi

That parameter does stop the initial session, carpetsmoker. Big deal... the script kiddies just reestablish another TCP session and continue, no time really lost.

Modern ssh attack scripts attempt to brute force password authentication anyway, even if you have it disabled in sshd_config. So I also use PF to block scripted attacks and log the blocked IPs in a database. If you're blocked at my servers, I can give you a reason and a date/time of the misbehavior.
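The PF side of what jggimi describes, as an added example that is not from the thread or from OpenBSD: a rule set that rate-limits new SSH connections per source and moves offenders into a table that is blocked outright (MaxAuthTries cannot do this, since it only counts attempts within one TCP session), plus a flat-file record of when and why each address was blocked, so "why am I blocked?" can be answered with a date and a reason. The interface name, table name and file paths are assumptions; the address listing the record function consumes is the one-address-per-line output of `pfctl -t bruteforce -T show`, replaced here by a constructed sample.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenBSD: rate-limit new
# SSH connections in PF and keep a flat-file record of when and why each
# source address was blocked. Interface name, table name and file paths
# are assumed.

# pf.conf(5) rules. Check with: pfctl -nf /etc/pf.conf   Load with: pfctl -f /etc/pf.conf
pf_ssh_bruteforce_rules() {
    cat <<'EOF'
ext_if = "em0"                          # assumed external interface
table <bruteforce> persist
# Addresses already in the table are dropped before any other rule applies.
block in quick log on $ext_if from <bruteforce>
# New SSH connections: at most 10 open per source and no more than 3 new
# ones per 30 seconds. A source over either limit goes into <bruteforce>
# and all of its existing states are flushed, not just the SSH ones.
pass in on $ext_if proto tcp to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 3/30, \
     overload <bruteforce> flush global)
EOF
}

# Record each address read on stdin (one per line, the format of
# "pfctl -t bruteforce -T show") in the database unless it is already there,
# so the stored timestamp is the first time the address was seen blocked.
# Record format: <address> <UTC timestamp> <reason...>
record_blocks() {
    db="$1"; reason="$2"
    now=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    : >> "$db"                              # create the database if missing
    while read -r addr; do
        [ -n "$addr" ] || continue
        if ! awk -v a="$addr" '$1 == a { f = 1 } END { exit !f }' "$db"; then
            printf '%s %s %s\n' "$addr" "$now" "$reason" >> "$db"
        fi
    done
}

# Answer "why is this address blocked?": prints "<timestamp> <reason>" and
# returns 0, or prints nothing and returns 1 if the address is not recorded.
why_blocked() {
    awk -v a="$2" '$1 == a { $1 = ""; sub(/^ /, ""); print; f = 1 } END { exit !f }' "$1"
}

# Constructed sample standing in for "pfctl -t bruteforce -T show".
sample_table_listing() {
    printf '%s\n' 192.0.2.10 198.51.100.7
}
```

On a live firewall the sweep is `pfctl -t bruteforce -T show | record_blocks /var/db/bruteforce.log "ssh: over 3 new connections in 30s"`, run from cron before any `pfctl -t bruteforce -T expire 86400` that ages old entries out of the table, otherwise an address can leave the table before it is recorded. Because `flush global` tears down every state the offender holds, a legitimate but chatty source (an automated backup reconnecting in a loop, for instance) loses all its connections too; tune `max-src-conn-rate` to the real traffic before enabling it.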