DaemonForums > OpenBSD > OpenBSD Security
OpenBSD Security: Functionally paranoid!
#1, 29th April 2021, SimpL (Port Guard)
Thread: Openbsd and Antivirus

Hi all,

I searched for this topic a bit and found no posts or only very old ones here, and on the net there are just a few results. So I thought I'd ask.

One of my friends, who is an IT security specialist, suggested that despite BSD not having many instances of viruses, it's a good idea to install an antivirus on the system. It bugged me a little, so I was thinking.

I have a server that runs Samba and gets files from another network that is 99% Windows computers; only a handful have access to the machine. My server is just a relay, not storage.

The problem is: what if the server that gets the data is MS and an MS virus is in the file.....
The network is secure and the Windows machines have antivirus (Windows Defender in the worst case) on them, but I'm still a bit worried about security and ransomware.

So what would you suggest?
What antivirus are you using when you must have one (on BSD)?
What other methods would you suggest besides or instead?

BR
SimpL
#2, 29th April 2021, frcc

I am not an expert on security by any means, so take this tidbit with that disclaimer.

I maintained internet-facing servers for some time, hosting my own (static) business websites.
Used OpenBSD's base server and attempted to make sensible pf.conf configurations.
Used ClamAV (clamscan, freshclam) to search for viruses / update signatures.
Experienced "no" observable issues over the course of approx. 7 years.

I also configured pf.conf to limit traffic from specific sites or countries to reduce the usual pesky problems.
You seem to control that by accepting traffic from known, limited sources.

A good review of your logs and IP traffic is advised.

Your level of expertise will determine the value of the statement "no observable issues" in your own set-up and configuration.

Many people here can help to secure or scan your traffic far better than I.

Good luck

#3, 29th April 2021, TronDD

My personal stuff does not run AV. Pretty much everything that gets installed is from the OpenBSD packages, so I'm not too worried. Web browsers are always suspicious, but pledge and unveil are there, and browsers are a known risk always anyway. Treat them as such.

For work servers, we're required to have AV. So there I run ClamAV and do a weekly scan in root's crontab. These servers download nothing, don't have web browsers or mail clients and don't have any users other than sysadmins, but host data from Windows/Mac/Linux, so the risk is really to those systems.
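A weekly ClamAV sweep of hosted data, as TronDD describes running from root's crontab, as an added example that is not code from the thread or from the ClamAV project. It wraps clamscan over a relay share, parses the per-file report, moves anything flagged into a quarantine directory that Samba does not export, and prints a one-line summary that cron mails to root. The share path, the quarantine path, the signature names and the sample report are constructed for illustration; the clamscan flags and exit codes are the real ones.

```python
#!/usr/bin/env python3
"""Weekly ClamAV sweep of a Samba relay share (added example, not from the thread).

Runs clamscan over SHARE_DIR, parses the per-file report, moves every flagged
file into a root-only quarantine directory and prints a summary line for cron.
Paths, signature names and the sample report are constructed for illustration.
"""
import os
import re
import shutil
import subprocess
import sys
import time

SHARE_DIR = "/srv/samba/relay"       # assumption: where the Windows clients drop files
QUARANTINE_DIR = "/var/quarantine"   # assumption: not exported by Samba, owned by root, mode 0700

# clamscan prints one line per file: "<path>: <signature> FOUND" or "<path>: OK".
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>.+) FOUND$")


def clamscan_command(share_dir):
    # --infected prints only hits and --no-summary drops the trailer, so every
    # remaining line is a per-file result.  The parser below also tolerates OK lines.
    return ["clamscan", "--recursive", "--infected", "--no-summary", share_dir]


def parse_report(text):
    """Return a list of (path, signature) for every FOUND line in clamscan output."""
    hits = []
    for line in text.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits


def quarantine_target(path, share_dir=SHARE_DIR, quarantine_dir=QUARANTINE_DIR, ts=None):
    """Destination inside the quarantine: <quarantine>/<timestamp>/<path relative to share>."""
    rel = os.path.relpath(path, share_dir)
    # Never let a scanner-reported path drag a file from outside the share into quarantine.
    if rel == ".." or rel.startswith(".." + os.sep):
        raise ValueError("refusing to quarantine a file outside the share: %s" % path)
    ts = ts or time.strftime("%Y%m%dT%H%M%S")
    return os.path.join(quarantine_dir, ts, rel)


def quarantine(hits, share_dir=SHARE_DIR, quarantine_dir=QUARANTINE_DIR,
               mover=shutil.move, makedirs=os.makedirs):
    """Move every hit out of the share; returns (source, destination, signature) per file."""
    ts = time.strftime("%Y%m%dT%H%M%S")
    moved = []
    for path, sig in hits:
        dest = quarantine_target(path, share_dir, quarantine_dir, ts)
        makedirs(os.path.dirname(dest), mode=0o700, exist_ok=True)
        mover(path, dest)
        moved.append((path, dest, sig))
    return moved


def run_sweep(share_dir=SHARE_DIR, quarantine_dir=QUARANTINE_DIR):
    """Run clamscan and quarantine hits. Exit status mirrors clamscan: 0 clean, 1 hits, 2 error."""
    proc = subprocess.run(clamscan_command(share_dir), capture_output=True, text=True)
    if proc.returncode == 2:
        sys.stderr.write("clamscan error: %s\n" % proc.stderr.strip())
        return 2
    moved = quarantine(parse_report(proc.stdout), share_dir, quarantine_dir)
    for path, dest, sig in moved:
        print("QUARANTINED %s -> %s (%s)" % (path, dest, sig))
    print("clamav sweep of %s: %d file(s) quarantined" % (share_dir, len(moved)))
    return 1 if moved else 0


# Constructed sample of clamscan output (an OK line included to show the parser ignores it).
SAMPLE_REPORT = """\
/srv/samba/relay/inbox/invoice_2021.xlsm: Doc.Dropper.Agent-1234567 FOUND
/srv/samba/relay/inbox/report.pdf: OK
/srv/samba/relay/inbox/setup.exe: Win.Test.EICAR_HDB-1 FOUND
"""

if __name__ == "__main__":
    sys.exit(run_sweep())
```

Installed as, say, /usr/local/sbin/clamsweep (a hypothetical path), a root crontab line such as `0 3 * * 0 /usr/local/sbin/clamsweep` runs it every Sunday at 03:00 and cron mails the summary. If you do not need the relative-path layout or the refusal to move files from outside the share, clamscan's own `--move=DIR` option does the move step by itself.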
#4, 29th April 2021, jggimi

I have had Clam Antivirus installed for many years. I use it only to examine phishing emails that have an executable payload attached. It's been a waste of time. Not only because I would never execute them, but because Clam has never ever identified a virus in any of them. Most of these attachments in recent years have been Excel files with embedded scripts.
#5, 29th April 2021, victorvas

Can files from Windows and Mac infect OpenBSD?
#6, 29th April 2021, TronDD

Depends what the files are. Executables won't run on OpenBSD. But something embedded in a supported format could, like running JavaScript in a web browser or email client, a PDF exploit in a cross-platform reader (though then it depends how they leverage that exploit), or an exploit in an image being processed by ImageMagick.

Something in an interpreted language like python or a shell script could work across platforms.

Usually you have to really target a system to get further than a crash, though, unless you're targeting a specific cross-platform application like a web server.
#7, 11th May 2021, SimpL

> Originally Posted by victorvas
> Can files from Windows and Mac infect OpenBSD?

Normally not. As TronDD already stated, it depends on the file etc.

Normally a Windows virus won't run on BSD because it has better user security and limitations than Windows. Most ransomware and viruses use vulnerabilities in Windows to get admin access or other access to run files and services.
If you run and maintain good security in BSD (run most instances that access files etc. and are not OS-related not as root), like having the nobody user run Samba and the other server daemons, then there "should" be no problem.
The problem is when you have a hole, or create a hole that is required by some client, and that hole gets you in trouble.

This is what I'm trying to prevent: a hole or a problem creating problems in the future, or some other things that get the best of my servers.

Thank you all for sharing your experiences about this.
It helps a ton!
#8, 11th May 2021, bsdun

You should never run third-party programs as the nobody user, or any program at all. It's a security risk. Create your own non-privileged users to do the task.
#9, 13th May 2021, SimpL

> Originally Posted by bsdun
> You should never run third-party programs as the nobody user, or any program at all. It's a security risk. Create your own non-privileged users to do the task.

Hi bsdun,

Could you elaborate on this?
#10, 13th May 2021, jggimi

I'll jump in with a guess. Unprivileged daemons should normally run as their own identified userids. On OpenBSD, these are userids that begin with an underscore character, and have a $HOME set to /var/empty.

The user and group "nobody" are reserved for access controls when no ownership is to be defined, such as in certain NFS mounts. See the usage discussion in the exports(5) man page.
#11, 13th May 2021, bsdun

Let's say you run all your server daemons as nobody. If one daemon gets compromised by an attacker, then the attacker will get access to all the other daemons run as the same user, nobody in this case.

> User nobody on a Unix system is traditionally user id 65534. This user is used by NFS servers when they cannot trust the client-supplied uids and gids, or when the root-squash option is being used.
>
> Some misguided programs or guides suggest that this user should be used for untrusted program execution or handling untrusted data. This is bad advice. Services should have their own, dedicated, user account. Even on sites where NFS is not being used, processes run as user nobody or files owned by user nobody may grant far more privileges than expected, especially if two services have been misconfigured in this fashion.
>
> Do not use the user nobody for anything. It is for NFS.

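The two points made in jggimi's and bsdun's replies (nobody is for NFS only; each daemon gets its own `_name` account with $HOME /var/empty) can be turned into a quick audit. The script below is an added example, not code from the thread or from OpenBSD: it reads a `ps -axo user,pid,tty,comm` listing together with passwd(5) lines, keeps only processes without a controlling terminal, and reports daemons running as nobody, unprivileged accounts shared by more than one daemon, and daemon accounts that break the underscore / /var/empty / /sbin/nologin convention. The sample listing, the account names and the passwd lines are constructed; the only real value borrowed is OpenBSD's nobody uid of 32767.

```python
#!/usr/bin/env python3
"""Audit the accounts that daemons run under (added example, not from the thread).

Applies two checks from the discussion to a `ps -axo user,pid,tty,comm` listing
plus passwd(5) lines:
  1. nothing should run as nobody, which is reserved for NFS (see exports(5));
  2. each unprivileged daemon should have its own account, which on OpenBSD
     conventionally starts with '_' and has home /var/empty and shell /sbin/nologin.
The sample listing, account names and passwd lines below are constructed.
"""
import subprocess
from collections import defaultdict

NO_TTY = ("??", "?")   # BSD ps prints "??" for no controlling terminal, Linux procps prints "?"


def parse_ps(text):
    """Return (user, command) for every process without a controlling tty, skipping the header."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[2] in NO_TTY:
            rows.append((parts[0], parts[3]))
    return rows


def parse_passwd(text):
    """Map login name -> (uid, home, shell) from passwd(5)-style lines."""
    accounts = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            accounts[fields[0]] = (int(fields[2]), fields[5], fields[6])
    return accounts


def audit(ps_rows, accounts):
    """Return a list of (user, finding) tuples; an empty list means the layout looks sane."""
    findings = []
    daemons = defaultdict(set)
    for user, cmd in ps_rows:
        daemons[user].add(cmd)
    for user, cmds in sorted(daemons.items()):
        names = ", ".join(sorted(cmds))
        if user == "nobody":
            findings.append((user, "runs %s; nobody is reserved for NFS, give each daemon its own account" % names))
            continue
        if user == "root":
            continue   # privileged daemons are a different audit
        if len(cmds) > 1:
            findings.append((user, "is shared by %d daemons (%s); compromising one exposes the rest"
                             % (len(cmds), names)))
        if user in accounts:
            _uid, home, shell = accounts[user]
            if not user.startswith("_"):
                findings.append((user, "does not follow the OpenBSD _name convention for daemon accounts"))
            if home != "/var/empty":
                findings.append((user, "has home %s; daemon accounts should use /var/empty" % home))
            if shell != "/sbin/nologin":
                findings.append((user, "has an interactive shell %s; use /sbin/nologin" % shell))
    return findings


def live_audit():
    """Run the checks on this host (needs ps(1) and a readable /etc/passwd)."""
    ps_out = subprocess.run(["ps", "-axo", "user,pid,tty,comm"],
                            capture_output=True, text=True, check=True).stdout
    with open("/etc/passwd") as fh:
        return audit(parse_ps(ps_out), parse_passwd(fh.read()))


# Constructed listing: two daemons share nobody, a VPN runs under an old-style
# account with a home directory and shell, and an admin's interactive shell is ignored.
SAMPLE_PS = """\
USER       PID TT  COMMAND
root         1 ??  init
root       812 ??  sshd
_syslogd   914 ??  syslogd
nobody    1201 ??  smbd
nobody    1337 ??  openvpn
_vpn      1400 ??  openvpn
vpnuser   1502 ??  openvpn
simpl     2001 p0  ksh
"""

SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/ksh
_syslogd:*:73:73:Syslog Daemon:/var/empty:/sbin/nologin
nobody:*:32767:32767:Unprivileged user:/nonexistent:/sbin/nologin
_vpn:*:1001:1001:VPN daemon:/var/empty:/sbin/nologin
vpnuser:*:1002:1002:VPN daemon (old style):/home/vpnuser:/bin/sh
simpl:*:1000:1000:SimpL:/home/simpl:/bin/ksh
"""

if __name__ == "__main__":
    for user, msg in audit(parse_ps(SAMPLE_PS), parse_passwd(SAMPLE_PASSWD)):
        print("%-10s %s" % (user, msg))
```

On the constructed sample the audit reports nobody once (smbd and openvpn share it) and vpnuser three times (no underscore, a real home directory, an interactive shell), while _syslogd and _vpn pass. Calling `live_audit()` instead of the sample runs the same checks against the running host.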
#12, 27th July 2021, SimpL

bsdun, jggimi: Thanks for clarifying.
I usually run only 1 instance on 1 server with nobody, and that is that server's "main" program (VPN server process, Samba or other, if needed), so there are no 2 programs run as nobody on the same machine.
So if nobody gets hacked on one, then I'm toast on that machine anyway.

But yes, you're right, I should give it a "nobody"-like user such as vpnuser/lowprivuser/nouser that I create with 0 privileges to run the daemon..... That way it's separate and easily identifiable.

I think I read about the nobody "hardening" for VPN somewhere and thought it was a nice touch and used it, based on my previous experiences with nobody/nogroup usage. Not the best method, but it's not bad if there is 1 process that you run with it, and not all.
#13, 3rd August 2021, bradley

> Originally Posted by TronDD
> Depends what the files are. Executables won't run on OpenBSD. But something embedded in a supported format could, like running JavaScript in a web browser or email client, a PDF exploit in a cross-platform reader (though then it depends how they leverage that exploit), or an exploit in an image being processed by ImageMagick.

For these exploits there is an interesting development: https://github.com/firstlookmedia/dangerzone

Those pdf files can be indeed dangerous.