Why I Love Open Source - NSA helped with Windows 7 development
From Network World: NSA helped with Windows 7 development
Privacy expert voices 'backdoor' concerns, security researchers dismiss idea
By Gregg Keizer, Computerworld, 11/18/2009
This story appeared on Network World at http://www.networkworld.com/news/2009/111809-nsa-helped-with-windows-7.html http://www.stumbleupon.com/s/#1uLpIW/www.networkworld.com/news/2009/111809-nsa-helped-with-windows-7.html?source=NWWNLE_nlt_daily_am_2009-11-19/
Re: 4.6 arriving
I got my OpenBSD 4.6 cd set and T-shirt in the mail! I'm going strong with OpenBSD since 3.0. THANKS THEO and all the OpenBSD Developers and Community --- On Thu, 10/15/09, Lars Nooden lars.cura...@gmail.com wrote: From: Lars Nooden lars.cura...@gmail.com Subject: Re: 4.6 arriving To: OpenBSD Misc. misc@openbsd.org Date: Thursday, October 15, 2009, 11:17 AM patrick keshishian wrote: ...So long as Theo continues his no compromise/no bullshit attitude and keeps the project truly free and secure, I will continue my support of the project (what little it may be). +1
Re: OpenBSD ESXi VMware image on Soekris Net5501
Thanks Ross/Ed, yes we're going to dump the custom Windows app and use an open source solution using Samba's file share capability (with Samba running on OBSD of course :). --- On Fri, 5/22/09, Ross Cameron abal...@gmail.com wrote: From: Ross Cameron abal...@gmail.com Subject: Re: OpenBSD ESXi VMware image on Soekris Net5501 To: Ed Ahlsen-Girard eagir...@cox.net Cc: misc@openbsd.org Date: Friday, May 22, 2009, 9:05 AM On Fri, May 22, 2009 at 5:56 PM, Ed Ahlsen-Girard eagir...@cox.net wrote: On 2009-05-22 Ross Cameron wrote: Certainly the hardware chosen isn't anywhere NEAR potent enough,... and you're leaving your whole configuration open for attack via the ESXi sub layer. Why not just port the custom app to OpenBSD and run the configuration natively on the hardware? There are apps on Windows for which porting to OpenBSD would be roughly equivalent to porting to NetWare Virtual Loadable Module. Maybe he doesn't mind doing it all over from scratch, but that's about what it might turn out to be. True but then again I generally find that rewriting and targeting the code for portability and re-use is worth the effort in the long run. Painting yourself into a corner with regards to coding standards/languages/host OS is generally just a headache waiting to happen in the years to come.
Re: OpenBSD ESXi VMware image on Soekris Net5501
Hi Diana (and Stuart) thanks for all your advice. The problem or nut we're trying to crack is that we're trying to deploy OpenBSD to remote clients and we wanted an inexpensive but very high reliability system with the flexibility to change configurations (switch in/out different VMs) and add/modify services remotely on-the-fly. For example we could upgrade a client from 4.4 to 4.5 along with all the custom apps and client data packaged in a VM. We would grab the old 4.4 VM bring it back to our lab, then upgrade and re-configure it the way we wanted to and drop it back on the ESXi. Then just change the network configs and switch the old for the new all remotely without ever visiting the client. Thanks again all. --- On Wed, 5/20/09, Diana Eichert deich...@wrench.com wrote: From: Diana Eichert deich...@wrench.com Subject: Re: OpenBSD ESXi VMware image on Soekris Net5501 To: misc@openbsd.org Date: Wednesday, May 20, 2009, 7:16 PM On Wed, 20 May 2009, Obiozor Okeke wrote: Hi I am hoping to run an ESXi OpenBSD 4.5 image on a Soekris Net5501 appliance and I was wondering if anyone has already tried successfully running ESXi on the Soekris Net5501 before I order the hardware? Any advice or comments are appreciated. Thanks in advance The better question is, What nut are you trying to crack? Why would you even consider running a virtualization system on what is effectively a 486? Okay, a 500MHz 586, but still, it's slow to start with. diana Past hissy-fits are not a predictor of future hissy-fits. Nick Holland(06 Dec 2005)
Re: OpenBSD ESXi VMware image on Soekris Net5501
Wow!! Thanks guys for all your advice and the vm-help.com site! The OpenBSD community is fantastic!!! --- On Wed, 5/20/09, Kevin Wilcox ke...@tux.appstate.edu wrote: From: Kevin Wilcox ke...@tux.appstate.edu Subject: Re: OpenBSD ESXi VMware image on Soekris Net5501 To: David Talkington dt...@flyingjoke.org, misc@openbsd.org Date: Wednesday, May 20, 2009, 7:44 PM David, I'm currently mobile and unable to track down the HCL for ESX/i myself - thus my mentioning them to the original poster with what I could remember off the top of my head about supported machines. If that was an insufficient response then the OP is more than welcome to ignore it. On the other hand, the OP could always say, oh, ESXi HCL, I wonder... and google 'vmware esxi hardware compatibility'. kmw On 20/05/2009, David Talkington dt...@flyingjoke.org wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 This is way OT for this list, but: Kevin Wilcox wrote: My understanding is that it has a strict HCL, Yes it does. that practically necessitates IBM, Sun, HP or Dell hardware. No it doesn't. Skip the virtualisation cruft and install natively. That isn't a helpful or enlightened answer (not that one should expect help with this topic here). O.P., you should start here for detailed ESXi hardware support info: http://www.vm-help.com/ Cheers -d - -- David Talkington dt...@flyingjoke.org - -- PGP key: http://www.flyingjoke.org/keys/801E3976.asc (What's this? 
http://en.wikipedia.org/wiki/Digital_signature) -- Sent from my mobile device To take from one, because it is thought that his own industry and that of his fathers has acquired too much, in order to spare to others, who, or whose fathers have not exercised equal industry and skill, is to violate arbitrarily the first principle of association, 'the guarantee to every one of a free exercise of his industry, the fruits acquired by it.'
Re: OpenBSD ESXi VMware image on Soekris Net5501
Well I should have mentioned that the ESXi is also running a Windows server VM for a custom app that requires it. So the idea was to have one box running ESXi and reduce hardware costs. --- On Thu, 5/21/09, Jason Dixon ja...@dixongroup.net wrote: From: Jason Dixon ja...@dixongroup.net Subject: Re: OpenBSD ESXi VMware image on Soekris Net5501 To: Obiozor Okeke obiozorok...@yahoo.com Cc: misc@openbsd.org, Diana Eichert deich...@wrench.com Date: Thursday, May 21, 2009, 7:19 AM On Thu, May 21, 2009 at 06:47:08AM -0700, Obiozor Okeke wrote: Hi Diana (and Stuart) thanks for all your advice. The problem or nut we're trying to crack is that we're trying to deploy OpenBSD to remote clients and we wanted an inexpensive but very high reliability system with the flexibility to change configurations (switch in/out different VMs) and add/modify services remotely on-the-fly. For example we could upgrade a client from 4.4 to 4.5 along with all the custom apps and client data packaged in a VM. We would grab the old 4.4 VM bring it back to our lab, then upgrade and re-configure it the way we wanted to and drop it back on the ESXi. Then just change the network configs and switch the old for the new all remotely without ever visiting the client. No offense, but that's a terrible design. Get yourself two inexpensive systems (5501's are ok) and run them in a failover configuration. You have redundancy and the flexibility to alternate between releases. Without the headache of middleware patches, an unsupported configuration, etc. -- Jason Dixon DixonGroup Consulting http://www.dixongroup.net/
Re: OpenBSD ESXi VMware image on Soekris Net5501
Many, many thanks to all who responded! I now plan to run my OpenBSD firewall *stand-alone* directly on a Soekris box for sure (no VM) and isolate all else on a separate box running the ESXi that fully supports the ESXi HCL. Many thanks to all the developers and especially Theo for creating IMHO the world's greatest OS!! --- On Thu, 5/21/09, Kevin Wilcox ke...@tux.appstate.edu wrote: From: Kevin Wilcox ke...@tux.appstate.edu Subject: Re: OpenBSD ESXi VMware image on Soekris Net5501 To: obiozorok...@yahoo.com Cc: misc@openbsd.org Date: Thursday, May 21, 2009, 11:39 AM 2009/5/21 obiozorok...@yahoo.com: I'll have to re-think this but I honestly thought (I guess I'm wrong) that if I my first OpenBSD VM image running on ESXi as my strong firewall I would be ok. Basically it's just a virtualization of my physical environment but all on one box with 3 VM images. So my idea was to have second OpenBSD image (not the firewall OpenBSD image) running with Samba as my Domain Controller and File server, and Email server and then the third Windows VM running just the custom app. I figured that as long as all the 'Net traffic hit my first OpenBSD VM and was properly filtered and controlled by pf, spam greylisting, brute force checked, etc I would be ok? No? There are some strategic issues with virtualising a firewall. What should be the simplest, most rock solid member of your network is now on the same hardware as foo virtual machines. If one of the application servers is compromised then it's *possible* that the VMWare server itself could be compromised, rendering the firewall VM under the control of The Bad Guys. If one of the VMs screws the pooch and takes down the server then you've not only lost the ability to communicate with those servers, you've lost the ability to communicate with your firewall. If one of the application VMs isn't configured with proper resource limits then performance on the firewall will drop under periods of heavy traffic.
For that matter, you've already introduced overhead on throughput of the firewall by forcing traffic to be received by the VM OS before it's received by OpenBSD. If the VM server is compromised then the things that can be done to traffic without ever actually disrupting the firewall are almost certainly fun fun fun (in all fairness, I haven't tried mucking with traffic on ESX/i, this is based entirely in speculation). I'm sure there are obvious things that I'm missing but these are the ones that blast the loudest through my brain when I think about virtualising a firewall. As I stated before, I have done it and there are a few that I maintain - and they do their job well - but that doesn't mean I condone the practice in general and it surely doesn't suggest that I think it's something that should be done on a whim or with a light attitude. It is dangerous and unsupported and you need to understand there is significant risk in doing so. kmw -- To take from one, because it is thought that his own industry and that of his fathers has acquired too much, in order to spare to others, who, or whose fathers have not exercised equal industry and skill, is to violate arbitrarily the first principle of association, 'the guarantee to every one of a free exercise of his industry, the fruits acquired by it.'
OpenBSD ESXi VMware image on Soekris Net5501
Hi I am hoping to run an ESXi OpenBSD 4.5 image on a Soekris Net5501 appliance and I was wondering if anyone has already tried successfully running ESXi on the Soekris Net5501 before I order the hardware? Any advice or comments are appreciated. Thanks in advance
Re: SSH Brute Force Attacks Abound - and thanks!
Wow, I read your email and checked my authlog and was astounded by the number of hack attempts. Thankfully, I configured my OpenBSD firewall with recommended access controls. Thanks to all the dedicated OpenBSD developers and community! Support the project and encourage the purchase of more OpenBSD CD's and direct donations to the Foundation!
--- Ken [EMAIL PROTECTED] wrote:
A practical example, real life, last night. I was replacing my hard drive on my home broadband OBSD firewall, and it was taking a few minutes to copy over the old pf.conf and enable the firewall. I had installed the latest snapshot as a fresh image and restarted. It took a little while to set up the local networks, and I was connected to the Internet, so I could download packages. I copied over the pf.conf from my backup host and enabled it, not thinking much more about it. Then this morning I looked at /var/log/authlog to see stuff like this:
Jan 9 18:00:01 home-fw newsyslog[6065]: logfile turned over
Jan 9 18:03:03 home-fw sshd[29544]: Invalid user andrew from 125.16.26.123
Jan 9 18:03:03 home-fw sshd[240]: input_userauth_request: invalid user andrew
Jan 9 18:03:03 home-fw sshd[29544]: Failed password for invalid user andrew from 125.16.26.123 port 52447 ssh2
Jan 9 18:03:03 home-fw sshd[240]: Received disconnect from 125.16.26.123: 11: Bye Bye
Jan 9 18:03:06 home-fw sshd[19514]: Invalid user adam from 125.16.26.123
Jan 9 18:03:06 home-fw sshd[15864]: input_userauth_request: invalid user adam
Jan 9 18:03:06 home-fw sshd[19514]: Failed password for invalid user adam from 125.16.26.123 port 52651 ssh2
Jan 9 18:03:06 home-fw sshd[15864]: Received disconnect from 125.16.26.123: 11: Bye Bye
Jan 9 18:03:08 home-fw sshd[18110]: Invalid user trial from 125.16.26.123
Jan 9 18:03:08 home-fw sshd[22493]: input_userauth_request: invalid user trial
Jan 9 18:03:09 home-fw sshd[18110]: Failed password for invalid user trial from 125.16.26.123 port 52821 ssh2
Jan 9 18:03:09 home-fw sshd[22493]: Received disconnect from 125.16.26.123: 11: Bye Bye
Jan 9 18:03:11 home-fw sshd[20596]: Invalid user calendar from 125.16.26.123
Jan 9 18:03:11 home-fw sshd[8582]: input_userauth_request: invalid user calendar
Jan 9 18:03:11 home-fw sshd[20596]: Failed password for invalid user calendar from 125.16.26.123 port 53011 ssh2
Jan 9 18:03:12 home-fw sshd[8582]: Received disconnect from 125.16.26.123: 11: Bye Bye
Jan 9 18:03:14 home-fw sshd[22151]: Invalid user poq from 125.16.26.123
Jan 9 18:03:14 home-fw sshd[17137]: input_userauth_request: invalid user poq
Jan 9 18:03:14 home-fw sshd[22151]: Failed password for invalid user poq from 125.16.26.123 port 53199 ssh2
I never see anything like that, since my pf rules only allow me to ssh back to home from my work IP range. In the space of about 15 minutes before I enabled pf all of the following users were tried, probably by an automated script:
AaliyahAaron Aba Abel Exit Jewel Zmeu Zmeu adam adam add adm admin admin admin admin admin admin admin adminsadminsadrian alan alex alin alina alinusamanda andrei andrew angel apachearon at backup bnc bran brett cafe calendar cap cgi ch cmd com danny data david dulap fernando fluffyftpgames george getguest guest hacker haxor hk http httpd hyid ident if info info internet ircis it john kathi kaytenldap library linux lp luis mail mail mailman master maxmichael michael michi mikael mike mike mysql mysql netnetwork news news nick octavio open oper oracle orgparty paul paul pe pgsql pgsql plplay poqpostfix postmaster print psybncradu resin rex richard richardrobertrpm sales samba sara search sef sex sgisharon shell shell shop squid sshstan station stef stephen stevensunny sunsun susan suva suzukitavi technicom telnet test test test test test trial trib uk unix unseenus user user username username users webwebadmin webmaster webmaster webpopword www-data wwwrun wwwrun yahoo za
What a cesspool the internet is! Good passwords, limit access to where it is necessary, and run an ironclad OS. Thanks for making it all possible. Never
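An added example, not part of the original posts: one way to triage an authlog like the one quoted above is to count distinct nonexistent account names tried per source address inside a sliding window. The function names, thresholds, assumed year and the two lines from 192.0.2.10 are constructed for illustration; the other sample lines are copied from the quoted log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# First five lines are from the authlog excerpt in the post above; the last
# two (192.0.2.10, user "ken") are constructed to show a non-matching case.
SAMPLE_AUTHLOG = """\
Jan 9 18:03:03 home-fw sshd[29544]: Failed password for invalid user andrew from 125.16.26.123 port 52447 ssh2
Jan 9 18:03:06 home-fw sshd[19514]: Failed password for invalid user adam from 125.16.26.123 port 52651 ssh2
Jan 9 18:03:09 home-fw sshd[18110]: Failed password for invalid user trial from 125.16.26.123 port 52821 ssh2
Jan 9 18:03:11 home-fw sshd[20596]: Failed password for invalid user calendar from 125.16.26.123 port 53011 ssh2
Jan 9 18:03:14 home-fw sshd[22151]: Failed password for invalid user poq from 125.16.26.123 port 53199 ssh2
Jan 9 18:20:40 home-fw sshd[3001]: Failed password for ken from 192.0.2.10 port 40022 ssh2
Jan 9 18:20:52 home-fw sshd[3001]: Accepted password for ken from 192.0.2.10 port 40022 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse_failures(text, year=2000):
    """Return (time, ip, user, is_invalid_user) for each failed password line.

    Syslog timestamps carry no year, so one is assumed (here a placeholder).
    """
    events = []
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((when, m["ip"], m["user"], bool(m["invalid"])))
    return events

def flag_guessing(events, min_users=5, window=timedelta(minutes=15)):
    """IPs that tried >= min_users distinct nonexistent accounts within window."""
    per_ip = defaultdict(list)
    for when, ip, user, invalid in events:
        if invalid:
            per_ip[ip].append((when, user))
    flagged = []
    for ip, tries in per_ip.items():
        tries.sort()
        start = 0
        for end in range(len(tries)):
            # Shrink the window from the left until it spans <= `window`.
            while tries[end][0] - tries[start][0] > window:
                start += 1
            if len({u for _, u in tries[start:end + 1]}) >= min_users:
                flagged.append(ip)
                break
    return sorted(flagged)

if __name__ == "__main__":
    print(flag_guessing(parse_failures(SAMPLE_AUTHLOG)))
```

A single mistyped password for a real account, like the constructed `ken` line, is parsed but never flagged, because only invalid-user failures count toward the threshold.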
Re: wireless on OpenBSD : ath(4) or ral(4) ?
Yes, good choice. I've had great success with ral(4) supported wireless pci and pcmcia cards i.e. from edimax ew-7608pg/7628ig (cheap cards I know but it works for what I need!) Vincent GROSS [EMAIL PROTECTED] wrote: On 4/4/07, Marius ROMAN wrote: ral(4) because it's better supported. On 4/4/07, Nick ! wrote: On 4/4/07, Vincent GROSS wrote: 1) what is the R.E. level of ath(4) ? fully understood, mainly understood ? 2) Is Atheros still reluctant to disclose documentation for its chips ? 3) If 1)=fully and 2)=reluctant, what should I pick between ath(4) and ral(4) ? ral(4). I have ath(4) because I got it from a big box store, but I'm ashamed. Don't support stupid vendors, give your money elsewhere. As you are comforting me in my final decision, let's go for ral(4). Thanks folks. -- Vincent GROSS
Re: Problems using OpenBSD 4.0 with Zope/Plone/Python?
I'm no expert by any means but I am running a few Zope/Python websites on OpenBSD 4 (GENERIC) with no problems at all - it runs extremely well in fact. Note that I did not install Plone because I have no need for it right now. I am also running Zope/Python on OpenBSD 4 inside of the SysJail utility to provide another layer of security. I installed zope-2.8.6p0 directly from the ports, but I had to download and install PyXML-0.8.4.tar.gz separately to actually run Zope properly. Not having PyXML initially was my only problem. Hope this helps. --- Merp.com Volunteer [EMAIL PROTECTED] wrote: We were seeing an unusually large number of complaints when doing search results related to getting Zope/plone/python working on OpenBSD. Is there a known caveat about using zope/plone/python-latest on openbsd 4.0 that we should be warned about? Since Zope/Plone/Python (currently plone-2.5.1 bundle) is what we converted all of our websites to, this would be a show-stopper in switching (back) to OpenBSD from Linux. We were planning to go ahead and try the latest plone-2.5.1 bundle on openbsd 4.0, but would like to know if anyone is using it in a web-based-public-production environment without any gotchas? Thanks! -- *** Volunteer Team for the completely non-profit, non-revenue, non-business-entity dedicated to the Middle-earth Role-playing International Community at Merp.com Fighting the noble battle against the dark forces, trying to keep alive, and growing, the dream and joy of role-playing gaming in J.R.R. Tolkien's Middle-earth http://www.merp.com Mailing list subscribe: [EMAIL PROTECTED] IRC (Internet Relay Chat) Server: irc.merp.com (channel: #merpchat) Yahoo=merpcom ICQ=293-163-919 [EMAIL PROTECTED] Alternate Email: [EMAIL PROTECTED] (in case you're blocked by our spam filters). Be sure to sign up for the 3rd annual International MerpCon (2007): July 27th, 28th, 29th in Spokane, WA, USA.
This event is not run by merp.com, but by a different group of volunteers, but merp.com has donated many services to help them out. Show them your support by signing up, spreading the word, and showing up. http://www.merpcon.com I would draw some of the great tales in fullness, and leave many only placed in the scheme, and sketched. The cycles should be linked to a majestic whole, and yet leave scope for other minds and hands, wielding paint and music and drama... - John Ronald Reuel Tolkien, from a letter written to Milton Waldman, ca. 1951