Re: Microsoft gets the Most Secure Operating Systems award
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Siju George Sent: Thursday, March 22, 2007 8:29 AM To: OpenBSD Misc Subject: Microsoft gets the Most Secure Operating Systems award Hi, http://www.internetnews.com/security/article.php/3667201 Just for some entertainment, no troll :-) --Siju I think I'll print out this article for use any time my boss gets a wild hair up his ass and wants to convert to windows. The stats for number of vulnerabilities and turn around time have always been abysmal for windows and this article just proves that nothing has changed. Maybe I could admit that this is marginally better than previous windows versions (maybe) but it is still very sloppy when compared to OpenBSD. A special thanks to Theo and the OpenBSD team for making me look so good all these years. stuart
Re: Microsoft gets the Most Secure Operating Systems award
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of RedShift Sent: Thursday, March 22, 2007 10:30 AM To: misc@openbsd.org Subject: Re: Microsoft gets the Most Secure Operating Systems award Siju George wrote: Hi, http://www.internetnews.com/security/article.php/3667201 Just for some entertainment, no troll :-) --Siju
IMHO it's not a fair comparison, most linux distributions ship with a lot more software than microsoft windows does, and most bugreports indicate an issue with third-party software.
First, these types of articles (generally) have nothing to do with making a fair comparison. They are made up by marketing guys for marketing reasons. Second, it just goes to show that an OS that doesn't ship with a bunch of extra fluff that most people aren't going to need anyway is always the best choice. That was one of the first things that attracted me to OpenBSD. I remember saying to myself What? You have to enable the web server? It isn't on right out of the box? WOW! What a concept! Needless to say, I threw away my Red Hat CDs and haven't looked back.
ftpd problems
I am getting ready to replace an aging FTP server with an OpenBSD 4.0 server. The old server runs OpenBSD 3.6 and has always worked beautifully. Now, while setting up and testing the new OpenBSD 4.0 server I am having some issues. I am using the exact same setup as I did on the 3.6 server. Here is my line in inetd.conf: ftp stream tcp nowait root /usr/libexec/ftpd ftpd -Unll -u 006 At first, I was able to login quickly and easily. Then, a couple days later, I am unable to login at all using the windows command line ftp command. I get Connected to ip address and after a few minutes Connection closed by remote host. When I try from one of my OBSD test boxes I get the same Connected to ip address and have to wait a few minutes for it to finally get a login screen. And I mean literally at least 2 minutes. At first I didn't know it would even finally come up with a login because I gave up long before 2 minutes were up. I suspect that the difference between the windows client and the OBSD client is their timeout value. Does anyone know why it would be taking so long to get a login (and how to fix it)? This server will be used by our customers and they won't be happy with that kind of performance. Stuart van Zee [EMAIL PROTECTED]
Re: ftpd problems
Once again the list is brilliant when I am dull... DNS looks like it was indeed the culprit. I didn't seem to have this problem with my OpenBSD 3.6 ftp server. Does anyone know off the top of their head if there has been a change? I'll have to find out if I set up the original server to be able to do reverse lookups and just don't remember now.
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of stuartv Sent: Tuesday, March 13, 2007 8:31 AM To: [EMAIL PROTECTED] Org (E-mail) Subject: ftpd problems I am getting ready to replace an aging FTP server with an OpenBSD 4.0 server. The old server runs OpenBSD 3.6 and has always worked beautifully. Now, while setting up and testing the new OpenBSD 4.0 server I am having some issues. I am using the exact same setup as I did on the 3.6 server. Here is my line in inetd.conf: ftp stream tcp nowait root /usr/libexec/ftpd ftpd -Unll -u 006 At first, I was able to login quickly and easily. Then, a couple days later, I am unable to login at all using the windows command line ftp command. I get Connected to ip address and after a few minutes Connection closed by remote host. When I try from one of my OBSD test boxes I get the same Connected to ip address and have to wait a few minutes for it to finally get a login screen. And I mean literally at least 2 minutes. At first I didn't know it would even finally come up with a login because I gave up long before 2 minutes were up. I suspect that the difference between the windows client and the OBSD client is their timeout value. Does anyone know why it would be taking so long to get a login (and how to fix it)? This server will be used by our customers and they won't be happy with that kind of performance. Stuart van Zee [EMAIL PROTECTED]
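The symptom in this thread (a login banner that only shows up after a couple of minutes, with the Windows client giving up before it arrives) is what a daemon doing a synchronous reverse lookup of the peer address looks like when the resolver cannot reach its nameservers: the wait is the resolver's timeout multiplied by its retries, not anything in the FTP protocol. The quick checks on the new box are `host <client-address>` (does it answer promptly, or hang?), the nameserver entries in /etc/resolv.conf (are they reachable from the network the 4.0 server sits on?), and, as a stopgap, entries for the client networks in /etc/hosts. The Python below is an added example, not code from the thread: it runs a reverse lookup under a hard deadline so the delay can be measured rather than guessed at. The 192.0.2.10 address, the hostname returned for it and the slow resolver are constructed stand-ins.

```python
import socket
import threading
import time


def timed_reverse_lookup(ip, timeout, resolver=socket.gethostbyaddr):
    """Run a reverse lookup of `ip` with a hard time limit.

    Returns (hostname_or_None, elapsed_seconds, timed_out).  A daemon such as
    ftpd that resolves the peer address synchronously blocks its login banner
    for exactly as long as `resolver` takes; this wrapper makes that wait
    observable and bounded.  `resolver` is injectable so the behaviour can be
    shown offline with a constructed resolver (see below).
    """
    result = {}

    def work():
        try:
            result["name"] = resolver(ip)[0]
        except (socket.herror, socket.gaierror, OSError):
            result["name"] = None

    worker = threading.Thread(target=work, daemon=True)
    start = time.monotonic()
    worker.start()
    worker.join(timeout)
    elapsed = time.monotonic() - start
    timed_out = worker.is_alive()        # still blocked in the resolver
    return (None if timed_out else result.get("name"), elapsed, timed_out)


def fast_resolver(ip):
    """Constructed resolver: answers at once, like a healthy local nameserver."""
    return ("ftp-client.example.net", [], [ip])


def slow_resolver(ip, delay=0.3):
    """Constructed resolver: stalls as if the nameserver never answers, then fails."""
    time.sleep(delay)
    raise socket.herror(1, "Unknown host")


if __name__ == "__main__":
    # Constructed peer address (TEST-NET-1); a real check would use the
    # address of a client that sees the slow banner.
    for name, res in (("fast", fast_resolver), ("slow", slow_resolver)):
        host, took, late = timed_reverse_lookup("192.0.2.10", 0.1, resolver=res)
        print(f"{name}: host={host} elapsed={took:.2f}s timed_out={late}")
```

Run it against the real resolver by dropping the `resolver=` argument; a result that only comes back as `timed_out=True` no matter how generous the deadline is the same stall ftpd sits through before it prints the banner.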
Email server and large Emails.
I have FINALLY been allowed to schedule time to replace the aging mail server. Currently, it is running OpenBSD 3.7, with sendmail, smtp-vilter, and clamav. This is our internal mail server and it uses fetchmail to get our email off of the public server and sends our email out using a smart relay host provided by our ISP. When I originally set this server up I was also running spamassassin but had to remove it because it was causing the system to time out and stop getting mail for some reason that I never figured out. The boss where I work has NO sense of humor about not getting her email, and doesn't seem to get enough spam that it bothered her so I did the better part of valor thing and just axed the spamassassin. Lately, we have been receiving emails with larger and larger attachments which has been causing the clamav to take too long scanning them and thus a time-out and again, no more email until I get it straightened out. So now to my question. What software works really well for an internal mail server? I would like some spam protection and I NEED Anti-virus, and I need it all to work even when a customer sends an email with a 50M file attachment because they sometimes do. I don't mind doing the research and figuring out how to make it all work (although a point in the right direction would be appreciated). I just would like to know what people are using that really works for them. Stuart van Zee Dataline Systems, Inc. [EMAIL PROTECTED]
Re: Email server and large Emails.
I agree, I'm looking for a technical solution to a much bigger problem. Unfortunately, you can't fix stupid. I often have to deal with people who can barely attach a file to an email, asking them to check what size that file is or to send it using another method is out of the question (imagine heads popping off and eyes glassing over). On top of this, the people that are sending the files are from a different organization, I have no control over what they do, and if they say I sent the file, it is my ass that gets reamed if we don't get the file because the server didn't want to accept it or choked on it. I don't really care about efficiency, the longer it takes to get the file from here to there the more likely the people who want to send the files are to wake up and start looking for a better file transmission method. I just have to get it to work this way until then. Spam protection is really a nice-to-have. While we have seen a little more spam lately, usually it isn't so much to be a bother. The Anti-Virus is a must, although I have gotten some suggestions to just skip virus scanning for large files. I'm not sure I understand why a large file would be less likely to contain a virus though. stuart
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Darren Spruell Sent: Wednesday, February 21, 2007 12:57 PM To: misc@openbsd.org Subject: Re: Email server and large Emails. On 2/21/07, stuartv [EMAIL PROTECTED] wrote: spamassassin. Lately, we have been receiving emails with larger and larger attachments which has been causing the clamav to take too long scanning them and thus a time-out and again, no more email until I get it straightened out. So now to my question. What software works really well for an internal mail server? I would like some spam protection and I NEED Anti-virus, and I need it all to work even when a customer sends an email with a 50M file attachment because they sometimes do.
IMHO you're trying to find a technical solution to a bigger problem. Consider limiting the size of attachments that go through your email gateway; SMTP isn't an efficient protocol for bulk file transfers, and like you've found out your CPU and I/O-heavy filtering applications don't work well with it. Organizations commonly limit the size to 10 MB or under; anything larger you can find an alternate (more suitable) method for file transfer (SFTP, or FTP if not sensitive come to mind.) For internal-only use a file server can be useful for this. If you're pounded by spam, consider implementing spamd in front of your mta (externally) to cut down on the volume that your content filters have to process. DS
Re: Email server and large Emails.
Yep, that's the attitude. A few jobs ago I worked for a small to medium sized company that was getting by with an IT manager and me as the assistant. When I put in my 2 wks notice the owner decided that I never did anything and he wasn't replacing me. The IT manager put his 2 wks notice in the next day because of it. We later found out that they had to replace the two of us with 4 guys just to stay in business. Last I checked, the firewall that I put in place is still there, years later, without a single update. I wonder if the guys even know what that little box in the bottom of the server cabinet even is. It sure had pretty lights on it, prob why they kept it. stuart -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Toni Mueller Sent: Wednesday, February 21, 2007 4:39 PM To: misc@openbsd.org Subject: Re: Email server and large Emails. Hi, On Wed, 21.02.2007 at 14:26:00 -0600, L. V. Lammert [EMAIL PROTECTED] wrote: The bigger question is - how does the BOSS know there was a 30 second delay in incoming email due to virus scanning? the BOSS probably doesn't know that the delay is owed to the virus scanning, but I've experienced such people talking on the phone to their peers, and it goes Hey Joe, I'll just send you this presentation I did yesterday (or similar), and then get angry when the other side doesn't have it in an instant - no matter how stupid the idea might have been. And in such cases, it's the easiest thing to do for them to bash their sysadmin who's a cost and not a benefit to the company anyway (I don't subscribe to this attitude). Best, --Toni++
Re: Which tools the OpenBSD developers are using?
That was the basic idea. Make it cheap and easy to manufacture with loose enough tolerances that sand and dirt will just drop right through rather than gumming up the works. Most of them rattle terribly when you shake them, but they tend to be more reliable than US made M16s when conditions get really dirty. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dan Farrell Sent: Wednesday, November 29, 2006 5:44 PM Cc: misc@openbsd.org Subject: Re: Which tools the OpenBSD developers are using? ps. Two items regarding the AK47. I've heard that the majority of these are being produced illegally (manufacturer didn't get the required license from the Soviet inventor) and that, besides the gun barrel, most parts can be stamped out of sheet metal instead of having to be machined. Almost sounds like open-source weaponry... Dan Farrell
Re: layout of filesystems on OpenBSD
Robert Urban wrote: to me, this just looks like a horrible mess. I have never understood why people should be so keen on creating thousands of microscopic filesystems. For me, the advantage of being able to have several classes of filesystem content all take advantage of the available free space of a filesystem/partition far outweighs any need to segregate classes of filesystem content into separate partitions. For example, how could /usr/X11R6 possibly represent a threat to eat all the space in /usr? X11R6 content is static. (yes, I know, software packages put stuff there, but for the purposes of this discussion it's static). Arguments can presumably be made for /var/www, and /var/mail, /home, /usr/src, and /tmp, but the rest just seems like a waste of energy. I imagine I'd do: / /var /usr and as necessary /var/mail /var/www /usr/src /home /tmp Rob Urban
I have to agree, except I would add a /var/log to the as necessary (and make it pretty big) as I often deal with firewalls and it's nice (I think) to limit the logs' ability to totally run amok. Although it isn't strictly required since /var is in its own partition. stuart
Re: Lenovo notebooks
Why do you continue to work there? Sorry, I just left that sort of environment and have been kicking myself for not leaving earlier. -Damian
Dude, have you looked at the job market lately? Especially for a beginner OpenBSD admin with a 2 year degree and only a couple years experience. Where I am at, everyone wants a genius with a 4 year degree (at very least) and 5 or more years experience, and on top of that, they want to pay squat. If anyone wants to hire an OpenBSD guy who is not afraid to say that he has a LOT to learn, please email me, I would love to work in a dream environment (and yes I'll relocate, to almost anywhere), but for now, bills to pay, wife pregnant (again, I think there is something in the water), I think I'll put up with working in a mostly windows environment until I can find something better. stuart
Re: Sun BlackBox
On 11/1/06, Chris Cameron [EMAIL PROTECTED] wrote: On Wed, 2006-11-01 at 14:55 -0300, Gustavo Rios wrote: Dear list members, While visiting sun blackbox home page, i saw they have a new project called blackbox. But i don't know whether openbsd could be used within it. Gustavo Rios Do you plan to need a trailer full of Sun hardware? They're just normal Sun machines in a trailer. Why would you ever want a trailer of computers? So you can go RV'ing and still hack?; get a double degree in Hick/Nerdism? -Nick I'm in Florida where each year we never know if a Hurricane will hit or not. A trailer like this would be nice to have if your building gets blown/washed away. The only problem is where to put it. If it is so bad that your building is gone I don't think a trailer would fare any better. stuart
OpenBSD as a PDC on a windows network
I might have just about talked my boss into replacing our current WindowsNT (soon to be Win2003) primary file server with an OpenBSD server. Unfortunately, since most of our work is done using Access databases (and other Microsoft Office products) we will have to continue using Windows systems for our desktop systems (for now). This is a mix of Win98 and WinXP systems. The File server will have to act as a primary domain controller on a windows network handling logins and permissions for various shares around the network and share a couple network printers. I would also like to use an encrypted file system on which to store important data that needs to be protected (in case of theft etc). Does anyone on the list have this sort of setup running? Are there any pitfalls that I should look out for or any advice that would make this easier? More importantly, does this sound like a do-able project or am I jumping into a pile of snakes? This project is all part of my devious plan to gradually convert to an all (or at least mostly) OpenBSD environment here at work (psst... don't tell my boss). If this pans out, I think replacing our SQL server with MySQL on an OpenBSD box will be the next big conquest. :) stuart [EMAIL PROTECTED]
kevent sample code?
Can anyone point me at some sample code for kevent. I am trying to write a program that will watch a file for a write and can then read the new lines and act upon them. So far, I get the first event but not subsequent events. Stuart van Zee [EMAIL PROTECTED]
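The watcher asked about above, as an added example that is not the poster's code: it registers the file with the vnode filter, re-arms the event with EV_CLEAR so every later write is reported too (registering with EV_ONESHOT instead deletes the event after the first delivery), and on each event reads to end-of-file and hands out only complete lines. It uses Python's `select.kqueue` binding, which exists only on BSD-derived systems (OpenBSD, FreeBSD, macOS); the line-buffering half is platform-independent. The file path and the sample lines are constructed.

```python
import os
import select


class LineBuffer:
    """Accumulate partial reads and hand back only complete lines.

    A write may land mid-line, so the tail after the last newline is kept
    until the next read completes it.
    """

    def __init__(self):
        self._pending = b""

    def feed(self, data):
        self._pending += data
        *lines, self._pending = self._pending.split(b"\n")
        return [line.decode("utf-8", "replace") for line in lines]


def watch_file(path, handler, max_events=None):
    """Follow `path` with kqueue; call handler(line) for each new complete line.

    Only new data is reported: the descriptor is positioned at end-of-file
    before registering.  Returns the number of kevents delivered.  Stops
    if the file is deleted or renamed (e.g. log rotation), since the open
    descriptor would then follow the old inode.
    """
    fd = os.open(path, os.O_RDONLY)
    try:
        os.lseek(fd, 0, os.SEEK_END)
        kq = select.kqueue()
        ev = select.kevent(
            fd,
            filter=select.KQ_FILTER_VNODE,
            # EV_CLEAR resets the filter state after each delivery, so the
            # next write produces a fresh event; EV_ONESHOT would remove the
            # registration after the first one.
            flags=select.KQ_EV_ADD | select.KQ_EV_CLEAR,
            fflags=(select.KQ_NOTE_WRITE | select.KQ_NOTE_EXTEND
                    | select.KQ_NOTE_DELETE | select.KQ_NOTE_RENAME),
        )
        kq.control([ev], 0, 0)       # register only; do not wait for events
        buf = LineBuffer()
        delivered = 0
        while max_events is None or delivered < max_events:
            for event in kq.control(None, 1, None):   # block for one event
                delivered += 1
                if event.fflags & (select.KQ_NOTE_DELETE | select.KQ_NOTE_RENAME):
                    return delivered
                while True:          # drain everything appended since last time
                    chunk = os.read(fd, 65536)
                    if not chunk:
                        break
                    for line in buf.feed(chunk):
                        handler(line)
        return delivered
    finally:
        os.close(fd)


if __name__ == "__main__":
    # Constructed target; append lines to it from another shell to see them echoed.
    watch_file("/tmp/kevent-demo.log", lambda line: print("new line:", line))
```

Create the file first (`: > /tmp/kevent-demo.log`), run the script, then `echo hello >> /tmp/kevent-demo.log` from another terminal; each append is delivered as a separate event and each complete line is printed once.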
Re: NOD32 Antivirus and OpenBSD?
Hello List, Guess I have to weigh in on this one. My shop runs ClamAV on the (OpenBSD) mail server and NOD32 on the win* file servers and desktops (yes I know an OpenBSD file server would be neat, I'm working on it). The reason we run AV at the border AND on the inside boxes is quite simply that I have seen way too many times in my career a virus be ignored by one AV package but caught by another. Security is a must where I work and the added protection (for free I might add) is a very small price to pay for a little bit more. Remember, security is like onions: lots of layers... stuart
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Berk D. Demir Sent: Friday, October 27, 2006 4:49 AM To: smith Cc: misc@openbsd.org Subject: Re: NOD32 Antivirus and OpenBSD? smith wrote: I second that. Why waste server resources and decrease server security, when all Windows machines should be running their own antivirus software to begin with.
That's the difference between border defense and field defense. Running anti-malware software on border machines, such as SMTP servers, proxies, etc. is an important countermeasure for network wide infection. It's very much possible to have an outdated or undefended node in the network but in the border defense line, that's not the case. You shouldn't take this as a waste of resources. Security is a process and it's not cheap to achieve. Field defense (node is protecting itself) and border defense are complementary approaches to the so-called self defending network (Hello, Cizzz-coeee)
Re: Lenovo notebooks
On 10/26/06, Johan P. Lindstrvm [EMAIL PROTECTED] wrote: You should really get yours too, not buying the CD's will not improve the hardware support now will it? The way it works here is boss, I need to buy an openbsd license for each openbsd box we run. It's $50 each, + shipping. Sign here please. Speaking of that, I need to get off my ass and buy my 4.0 licenses already. Awww... Too late for that for me, I had to use the whole Look Boss, it's free line along with plenty of documentation that OpenBSD is as secure as it gets for them to let me put in the first OpenBSD box. They are pretty happy with them so far. I'm going to try to hit them up with the whole Wouldn't it be nice to support such a great project that we use so much argument as soon as things slow down here a bit and there is time to chat. That should work. stuart
Re: Vulnerability and Patch Information
Podo, Around here I have had to write up exception documents for our OpenBSD servers when we get stuff like this on security audit/scans. Imagine the pain in the ass it is to have to convince a non-technical supervisor that the HIGH LEVEL vulnerability (that in one case only affected Debian Linux) was already fixed on OpenBSD years before it was ever discovered, and then figure out how to put it all on paper in an intelligent way. I have found that by looking on sites like security focus for the list of which systems are affected by a given vulnerability and crossing that with the OpenBSD patch download pages for current and previous versions I can usually find where there was a patch that fixed a given vulnerability. It is a bit of work and isn't easy, but it is do-able. This is all made easier in my case because I keep my servers running as close to the base install as possible only adding additional software when I have to because the base install doesn't provide a service or the service it provides doesn't have all the options I need. Then I really look hard to see if I really need that particular option before I look at other software. Happily, my boss gives me some leeway on choosing how to set things up. I have one firewall that is on an external audit/scan list that the people who actually do our audits don't believe really even exists because they can't even find it. Basically it has EVERYTHING locked down tight as a drum and allows only a few things through to and from very specific places. I love to show the blank audit page to the boss, esp. just before bonus time. Thanks so much to the OpenBSD project for making me look so good. stuart
Re: Happy Birthday OpenBSD!
What an interesting idea. I would vote for him, if only to piss off all my friends who fancy themselves as political but who really have no clue. Could you imagine Theo telling some foreign leader to quit being a cry baby?
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Bruno Carnazzi Sent: Wednesday, October 18, 2006 11:03 AM To: misc Subject: Re: Happy Birthday OpenBSD! Theo president ! :) 2006/10/18, Edgars [EMAIL PROTECTED]: Yee! -Original message- From: Melameth, Daniel D. [EMAIL PROTECTED] Date: Wed, 18 Oct 2006 15:40:01 +0300 To: misc@openbsd.org Subject: Happy Birthday OpenBSD! Oct 18 OpenBSD born, Wednesday 08:37:01 GMT, 1995 OpenBSD turns not older with years, but newer every day. -Derived from an Emily Dickinson quote -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
Re: Broken partition table
Um... dude... formatting = erasing especially if you are changing what filesystem you are using. you = reloading everything (and wishing you had backups) I would feel sorry for you, but you are seemingly posting a windows XP question to an OpenBSD list so it isn't worth it. stuart
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Kyrre Nygerd Sent: Wednesday, October 18, 2006 12:44 PM To: misc@openbsd.org Subject: Broken partition table Hello! My partition table is messed up. I have a 150 gigabyte S-ATA hard drive, with a single NTFS partition running Windows XP. I've been running gpart /dev/ad0 from FreeSBIE for the last 14 hours now and it's not saying anything. I just want to get my data back. I don't care if I have to reinstall everything. How it all came about is a long story. I ran a second hard disk drive, with OpenBSD, and GRUB so it could do my dual booting. But I needed the space, so I formatted it to NTFS from Windows XP. That's it really, after that, it wouldn't boot. Couldn't load NTLDR. That's when I tried a lot of different things. boot0cfg, fixmbr and fixboot. I even managed changing its system ID type to FAT using fdisk -- I wasn't thinking clearly -- I was in deep shock. I have also tried gpart from Knoppix, but all its guesses came out as zero. I've also tried running gpart from Insert, another Linux distribution, but it totally freaked out about some I/O stuff. Linux uses SCSI drivers for S-ATA though. Is my only choice now to keep running gpart, even if it will run forever? All suggestions welcome, please! Best regards, Kyrre
Re: pfctl
Or you could do what I would do... Threaten to break his damn fingers...
Re: RMS vs TdR (WAS: Re: OLPC)
So... RMS vs. TdR in a hot jello grudge match... who comes out on top? Sorry, sometimes I just can't help myself. For the most part, this whole thread seems just that silly.
File system monitoring: another PCI cert requirement question
Hello list, In the company I work for's ever expanding quest for PCI certification, I am told that we are required to have in place something to monitor all system files and log files for changes. Does anyone have any suggestions on software to do this? I am currently looking at Osiris but would like some input as to what is out there and actually being used by people. On a funny note, I almost got myself in trouble today because the boss initially told me that the file monitoring was just for log files to make sure they don't change. I guess my slightly flippant remark of done, log files by definition always change, no need for monitoring wasn't exactly what they were looking for and gained me the old if you can't take this all more seriously... speech. Oh well, guess they told me... Stuart van Zee [EMAIL PROTECTED]
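What the requirement above asks for is a baseline of the files that should not change (binaries, libraries, configuration) and a periodic comparison against it; tools like Osiris, and mtree(8) in the OpenBSD base system with a digest keyword, do exactly this. The script below is an added example, not code from the thread or from any of those tools, showing the core of the technique: record size, mode, owner and a SHA-256 digest per regular file, store the result as JSON, and report what was added, removed or modified on the next run. The demo tree, its file names and contents are constructed. Two things the tools get right that a home-grown checker must too: keep the baseline and the checker off the monitored host (or on read-only media), since an intruder with root will otherwise update both; and treat log files separately, since their content is meant to grow, which is why the usual answer for log integrity is shipping them to a remote loghost rather than hashing them in place.

```python
import hashlib
import json
import os
import shutil
import stat
import tempfile


def file_digest(path, algo="sha256", chunk=1 << 16):
    """Hash a file in fixed-size chunks so large files do not need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under `root` (relative path) to the attributes
    a change would disturb: size, permission bits, owner, group and digest.
    Symlinks, devices and sockets are skipped; lstat() keeps symlinks from
    being followed out of the tree."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            baseline[os.path.relpath(path, root)] = {
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
                "uid": st.st_uid,
                "gid": st.st_gid,
                "sha256": file_digest(path),
            }
    return baseline


def compare(old, new):
    """Return added/removed paths and, per surviving path, which attributes changed."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = {}
    for path in sorted(set(old) & set(new)):
        changed = [k for k in old[path] if old[path][k] != new[path].get(k)]
        if changed:
            modified[path] = changed
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed scenario: baseline a throwaway tree, tamper with it, diff.
    Returns the compare() report (the baseline round-trips through JSON on the way)."""
    root = tempfile.mkdtemp()
    try:
        etc = os.path.join(root, "etc")
        os.mkdir(etc)
        with open(os.path.join(etc, "pf.conf"), "w") as f:
            f.write("block all\n")
        with open(os.path.join(etc, "inetd.conf"), "w") as f:
            f.write("ftp stream tcp nowait root /usr/libexec/ftpd ftpd -Unll\n")
        manifest = os.path.join(root, "baseline.json")
        save_baseline(build_baseline(etc), manifest)
        # Tamper: append to one file, drop in a new one, delete a third.
        with open(os.path.join(etc, "pf.conf"), "a") as f:
            f.write("pass in proto tcp to port ftp\n")
        with open(os.path.join(etc, "rc.local"), "w") as f:
            f.write("/usr/local/sbin/newdaemon &\n")
        os.remove(os.path.join(etc, "inetd.conf"))
        return compare(load_baseline(manifest), build_baseline(etc))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

For a real deployment the two halves are `save_baseline(build_baseline("/"), ...)` run once from known-good media, and a cron job that rebuilds and compares, mailing a non-empty report; whatever list of directories you settle on, make it the list the auditor signs off on.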
FTP Account Lockout
Hello list, The company I work for is required to get PCI (Payment Card something-or-other) certified in order to keep doing some of the things that we are doing with credit card payments. When I started working here it was an all MS shop, including the FTP server. In order to help secure things (at all), I talked the boss into letting me setup an OpenBSD server as the FTP server instead of windows2003. Since then, I have also setup firewalls, mail server, IDS etc. all based upon OpenBSD (and loving every minute of it). However, now that we need this cert, one of the few things still standing in the way is the requirement that we set up the FTP server to lockout (for 30min.) any account that fails to login 3 times in a row. I haven't been able to find any ftp software that does that. The FTP server that ships with OpenBSD uses system accounts, and I haven't figured out how to do that there either. If I don't get this figured out soon, the boss will lose patience and I will be right back to MS hell trying to secure a win2003 ftp server just because it will lockout an account that fails login 3 times in a row. (and then probably figure out how to setup a win2003 firewall, IDS, exchange server, etc etc etc... you get the pic) If anyone has any suggestions, please let me know. thanks. Stuart van Zee [EMAIL PROTECTED]
Re: FTP Account Lockout
Ryan, Thanks for your input. I have been gently pushing those who make the decisions here towards sftp for some time now; however, ultimately that is one decision that is out of my hands. According to the inspector that is doing our PCI inspection the only requirement we haven't met as regards our FTP server is the one for locking out an account that has failed 3 times in a row. Personally I think that this requirement is rather dumb and adds little to security, but we have to do what the inspector wants if we want certification. I have told my supervisor of your thoughts as to encrypted passwords (or the lack of in FTP) so we'll see if that helps. Thanks again, stuart
You mean besides the fact that you're running FTP at all, right? - PCI requires that all passwords are encrypted in transmission, and FTP doesn't do this. - Depending on how you interpret the wording, PCI either prohibits or strongly discourages the use of FTP from 'untrusted' networks/hosts Consider replacing your FTP solution with scp/sftp. -Ryan
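Both the question and this reply turn on the same requirement: after three consecutive failed logins an account must be refused for 30 minutes. OpenBSD's ftpd(8) keeps no such counter itself, but with -l it logs every attempt through syslog, and it refuses any user listed in /etc/ftpusers, which gives a place to enforce a decision made outside the daemon. The script below is an added example, not code from the thread: it reads ftpd log lines, keeps a per-account count of consecutive failures, opens a 30-minute window after the third, and calls lock/unlock hooks where the operator would add and remove the user from /etc/ftpusers (or whatever mechanism the inspector accepts). The two log line patterns are my approximation of what ftpd writes and must be checked against the real log on the box; the hostname, client address, PIDs and timestamps in the demo are constructed.

```python
import calendar
import re
import time
from collections import defaultdict

# Assumed shape of the OpenBSD ftpd(8) syslog lines (verify against your log):
#   "... ftpd[PID]: FTP LOGIN FAILED FROM <host>, <user>"
#   "... ftpd[PID]: FTP LOGIN FROM <host> as <user>"
FAILED = re.compile(r"FTP LOGIN FAILED FROM (?P<host>\S+), (?P<user>\S+)$")
SUCCESS = re.compile(r"FTP LOGIN FROM (?P<host>\S+) as (?P<user>\S+)$")


def syslog_time(line, year):
    """Epoch seconds for the leading 'Mon DD HH:MM:SS' of a classic syslog line.
    The line carries no year, so the caller supplies it; timegm() is used so
    the arithmetic is not disturbed by a DST change during the window."""
    t = time.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
    return calendar.timegm(t)


class LockoutPolicy:
    """Lock an account after `max_failures` consecutive failures for `lock_seconds`.

    on_lock(user, until) / on_unlock(user) are the enforcement hooks; here they
    only record, in a real deployment they would edit /etc/ftpusers.
    """

    def __init__(self, max_failures=3, lock_seconds=1800, on_lock=None, on_unlock=None):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.on_lock = on_lock
        self.on_unlock = on_unlock
        self._failures = defaultdict(int)   # consecutive failures per account
        self._locked_until = {}             # account -> epoch seconds

    def is_locked(self, user, now):
        """True while the window is open; expires (and unlocks) a stale lock."""
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[user]
            self._failures[user] = 0
            if self.on_unlock:
                self.on_unlock(user)
            return False
        return True

    def record_failure(self, user, now):
        """Count one failure; returns True if the account is locked afterwards.
        Failures during an open window are ignored rather than extending it
        (design choice: an attacker cannot keep a user locked out forever)."""
        if self.is_locked(user, now):
            return True
        self._failures[user] += 1
        if self._failures[user] >= self.max_failures:
            self._locked_until[user] = now + self.lock_seconds
            if self.on_lock:
                self.on_lock(user, self._locked_until[user])
            return True
        return False

    def record_success(self, user, now):
        """A successful login ends the consecutive-failure run."""
        self.is_locked(user, now)          # expire a stale lock first
        self._failures[user] = 0

    def feed_line(self, line, now):
        """Apply one log line; returns whether the account it names is locked now."""
        line = line.rstrip()
        m = FAILED.search(line)
        if m:
            return self.record_failure(m.group("user"), now)
        m = SUCCESS.search(line)
        if m:
            self.record_success(m.group("user"), now)
            return self.is_locked(m.group("user"), now)
        return False


def demo():
    """Constructed log excerpt (not real data): three bad passwords for 'stuart',
    a further attempt inside the 30-minute window, then a login after it expires.
    Returns (locked state after each line, hook calls in order)."""
    events = []
    policy = LockoutPolicy(on_lock=lambda u, until: events.append(("lock", u)),
                           on_unlock=lambda u: events.append(("unlock", u)))
    lines = [
        "Mar 13 08:31:01 ftpbox ftpd[1234]: FTP LOGIN FAILED FROM 192.0.2.10, stuart",
        "Mar 13 08:31:05 ftpbox ftpd[1234]: FTP LOGIN FAILED FROM 192.0.2.10, stuart",
        "Mar 13 08:31:09 ftpbox ftpd[1234]: FTP LOGIN FAILED FROM 192.0.2.10, stuart",
        "Mar 13 08:40:00 ftpbox ftpd[1240]: FTP LOGIN FAILED FROM 192.0.2.10, stuart",
        "Mar 13 09:02:00 ftpbox ftpd[1251]: FTP LOGIN FROM 192.0.2.10 as stuart",
    ]
    states = []
    for line in lines:
        now = syslog_time(line, 2007)
        policy.feed_line(line, now)
        states.append(policy.is_locked("stuart", now))
    return states, events


if __name__ == "__main__":
    print(demo())
```

Wired to the live log (for instance by feeding it the output of `tail -f` on the file ftpd's syslog facility goes to, with `time.time()` as `now`), the hooks do the locking and the policy object is the auditable record of why. Two caveats worth putting in front of the inspector: a lockout counter lets anyone who knows a username deny that user service for 30 minutes at a time by deliberately failing three logins, and, as Ryan points out, none of it changes the fact that the password crosses the network in the clear.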