Re: 3.9 coming out

2006-04-04 Thread Ken Walling
My guess is that it was a PHP exploit.  There are a plethora of them
available.

Ken


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of David B.
Sent: Monday, April 03, 2006 4:41 AM
To: misc@openbsd.org
Subject: 3.9 coming out

hi, I see 3.9 is getting ready to be released.  Do you plan on bundling
Apache2 with it?  It would seem a logical thing to do, since the Apache
version currently bundled with it seems to have problems.

I just lost my entire development box to a hack this week, right through
smoothwall's DMZ. I had apache up, postgresql installed with the mod_php as
the middleware.  All settings were default and the only port I had open was
80 through smoothwall.  I even had all packets dropped that came from asia,
south america and africa.

The point being, if you sell security as your market niche, you might want
to make sure that, at least, Apache be up to date, and not a version from 5
years ago where who knows how many hacks there are out there for it.

I don't mind rebuilding my development box from scratch because that's why I
had it on the net like that anyway, simply to see how long it would take for
someone to crash it.  It took less than a month - that's not very good from
a default security viewpoint.

I'm assuming of course that Apache is the problem, as there are no logs or
any way to tell what happened, but the hard drive started to make an awful
screeching sound as the drive was apparently being forced to track the heads
back and forth very quickly.  The drive is fine, but apache and postgresql
won't start, and the wtmp file was erased, so that when I did a 'last' only
my most recent login came up.

Anyway, it would be nice if Apache 2 were available for 3.9



Re: 3.9 coming out

2006-04-04 Thread Donald J. Ankney
The Apache 1.3 series is being actively maintained, and developed at  
a leisurely pace, to maintain stability. Releases will be made to  
address security issues, or after a comfortable number of bug fixes  
or improvements have been made. Significantly new features are  
unlikely to be added to 1.3 in preference to 2.0, although important  
new features and enhancements will be seriously considered for  
inclusion in 1.3. -- http://httpd.apache.org/download.cgi


The Apache 1.3 strain is still a very active project. The code is  
much less complex than V2 and thus easier to debug/secure. If you  
don't need all of the added bells & whistles in V2, then sticking  
with 1.3 is a pretty decent idea. In fact, it's still actively  
packaged with commercial solutions (including OS X/OS X Server 10.4).


One of the main advantages of OpenBSD is that it doesn't bundle a ton  
of features with the OS. It's a very clean, lean, basic  
installation that I can add the few things I need running on a  
server. Compared to Red Hat Enterprise, OpenBSD is much easier to  
manage/secure because of its clean design.




-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of David B.
Sent: Monday, April 03, 2006 4:41 AM
To: misc@openbsd.org
Subject: 3.9 coming out

hi, I see 3.9 is getting ready to be released.  Do you plan on bundling
Apache2 with it?  It would seem a logical thing to do, since the Apache
version currently bundled with it seems to have problems.

I just lost my entire development box to a hack this week, right through
smoothwall's DMZ. I had apache up, postgresql installed with the mod_php as
the middleware.  All settings were default and the only port I had open was
80 through smoothwall.  I even had all packets dropped that came from asia,
south america and africa.

The point being, if you sell security as your market niche, you might want
to make sure that, at least, Apache be up to date, and not a version from 5
years ago where who knows how many hacks there are out there for it.

I don't mind rebuilding my development box from scratch because that's why I
had it on the net like that anyway, simply to see how long it would take for
someone to crash it.  It took less than a month - that's not very good from
a default security viewpoint.

I'm assuming of course that Apache is the problem, as there are no logs or
any way to tell what happened, but the hard drive started to make an awful
screeching sound as the drive was apparently being forced to track the heads
back and forth very quickly.  The drive is fine, but apache and postgresql
won't start, and the wtmp file was erased, so that when I did a 'last' only
my most recent login came up.

Anyway, it would be nice if Apache 2 were available for 3.9




3.9 coming out

2006-04-03 Thread David B.
hi, I see 3.9 is getting ready to be released.  Do you plan on bundling 
Apache2 with it?  It would seem a logical thing to do, since the Apache 
version currently bundled with it seems to have problems.


I just lost my entire development box to a hack this week, right through 
smoothwall's DMZ. I had apache up, postgresql installed with the mod_php as 
the middleware.  All settings were default and the only port I had open was 
80 through smoothwall.  I even had all packets dropped that came from asia, 
south america and africa.


The point being, if you sell security as your market niche, you might want 
to make sure that, at least, Apache be up to date, and not a version from 5 
years ago where who knows how many hacks there are out there for it.


I don't mind rebuilding my development box from scratch because that's why I 
had it on the net like that anyway, simply to see how long it would take for 
someone to crash it.  It took less than a month - that's not very good from 
a default security viewpoint.


I'm assuming of course that Apache is the problem, as there are no logs or 
any way to tell what happened, but the hard drive started to make an awful 
screeching sound as the drive was apparently being forced to track the heads 
back and forth very quickly.  The drive is fine, but apache and postgresql 
won't start, and the wtmp file was erased, so that when I did a 'last' only 
my most recent login came up.


Anyway, it would be nice if Apache 2 were available for 3.9



Re: 3.9 coming out

2006-04-03 Thread Daniel Ouellet

David B. wrote:
> hi, I see 3.9 is getting ready to be released.  Do you plan on bundling
> Apache2 with it?  It would seem a logical thing to do, since the Apache
> version currently bundled with it seems to have problems.


You should check the archive if you don't want to be flamed.

The license doesn't allow it, so it will never go in.



Re: 3.9 coming out

2006-04-03 Thread Julien Cabillot
http://www.openbsd.org/policy.html
Source code published under version 2 of the Apache license cannot be
included into OpenBSD.

On 4/3/06, David B. [EMAIL PROTECTED] wrote:

> hi, I see 3.9 is getting ready to be released.  Do you plan on bundling
> Apache2 with it?  It would seem a logical thing to do, since the Apache
> version currently bundled with it seems to have problems.
>
> I just lost my entire development box to a hack this week, right through
> smoothwall's DMZ. I had apache up, postgresql installed with the mod_php as
> the middleware.  All settings were default and the only port I had open was
> 80 through smoothwall.  I even had all packets dropped that came from asia,
> south america and africa.
>
> The point being, if you sell security as your market niche, you might want
> to make sure that, at least, Apache be up to date, and not a version from 5
> years ago where who knows how many hacks there are out there for it.
>
> I don't mind rebuilding my development box from scratch because that's why I
> had it on the net like that anyway, simply to see how long it would take for
> someone to crash it.  It took less than a month - that's not very good from
> a default security viewpoint.
>
> I'm assuming of course that Apache is the problem, as there are no logs or
> any way to tell what happened, but the hard drive started to make an awful
> screeching sound as the drive was apparently being forced to track the heads
> back and forth very quickly.  The drive is fine, but apache and postgresql
> won't start, and the wtmp file was erased, so that when I did a 'last' only
> my most recent login came up.
>
> Anyway, it would be nice if Apache 2 were available for 3.9




--
Julien Cabillot



Re: 3.9 coming out

2006-04-03 Thread Otto Moerbeek
On Mon, 3 Apr 2006, David B. wrote:

> hi, I see 3.9 is getting ready to be released.  Do you plan on bundling
> Apache2 with it?  It would seem a logical thing to do, since the Apache
> version currently bundled with it seems to have problems.
>
> I just lost my entire development box to a hack this week, right through
> smoothwall's DMZ. I had apache up, postgresql installed with the mod_php as
> the middleware.  All settings were default and the only port I had open was
> 80 through smoothwall.  I even had all packets dropped that came from asia,
> south america and africa.
>
> The point being, if you sell security as your market niche, you might want
> to make sure that, at least, Apache be up to date, and not a version from 5
> years ago where who knows how many hacks there are out there for it.
>
> I don't mind rebuilding my development box from scratch because that's why I
> had it on the net like that anyway, simply to see how long it would take for
> someone to crash it.  It took less than a month - that's not very good from
> a default security viewpoint.
>
> I'm assuming of course that Apache is the problem, as there are no logs or
> any way to tell what happened, but the hard drive started to make an awful
> screeching sound as the drive was apparently being forced to track the heads
> back and forth very quickly.  The drive is fine, but apache and postgresql
> won't start, and the wtmp file was erased, so that when I did a 'last' only
> my most recent login came up.
>
> Anyway, it would be nice if Apache 2 were available for 3.9

You are very uninformed, to say it nicely. Please search the archives
for discussions of this topic.

The version of httpd we have has all the bugfixes and MUCH more. It is
not the same as the version from 5 years ago.  Apart from that,
Apache2 won't make it into OpenBSD. 

If you install a buggy php app, then it's your problem. 


-Otto



Re: 3.9 coming out

2006-04-03 Thread Stuart Henderson
On 2006/04/03 02:40, David B. wrote:
> I even had all packets dropped that came from asia, south america and africa.

What's the point in this? If you want to drop packets from places where
there might be attackers, you certainly need to include N.America and
Europe on your list.

> I don't mind rebuilding my development box from scratch because that's why
> I had it on the net like that anyway, simply to see how long it would take
> for someone to crash it.  It took less than a month - that's not very good
> from a default security viewpoint.

You're not using a default system, though. You added at least mod_php
and PostgreSQL (and presumably some software written in PHP).

Was your httpd running in the default chroot btw, or was that layer of
security removed for the sake of expediency?

> I'm assuming of course that Apache is the problem, as there are no logs or

Perhaps you might like to arrange off-system logging.

> any way to tell what happened, but the hard drive started to make an awful
> screeching sound as the drive was apparently being forced to track the
> heads back and forth very quickly.  The drive is fine

Are you sure about the drive being fine? I had an HD fail recently which
made intermittent excessive accessing noises, including straight after the
box was turned on. Not saying that this is likely to be the case for you
(or not), but sometimes there can be more than one reason for a failure
and it might not be the first one you think of.

> Anyway, it would be nice if Apache 2 were available for 3.9

It is, but you get to build it yourself, and lose the security
enhancements.



Re: 3.9 coming out

2006-04-03 Thread Edd Barrett
> The point being, if you sell security as your market niche, you might want
> to make sure that, at least, Apache be up to date, and not a version from 5
> years ago where who knows how many hacks there are out there for it.


If I remember correctly it is a modified version of apache 1.3. It is
actively maintained by the openbsd developers.

Regards

Edd



Re: 3.9 coming out

2006-04-03 Thread Joachim Schipper
On Mon, Apr 03, 2006 at 02:40:50AM -0600, David B. wrote:
> hi, I see 3.9 is getting ready to be released.  Do you plan on bundling
> Apache2 with it?  It would seem a logical thing to do, since the Apache
> version currently bundled with it seems to have problems.
>
> I just lost my entire development box to a hack this week, right through
> smoothwall's DMZ. I had apache up, postgresql installed with the mod_php as
> the middleware.  All settings were default and the only port I had open was
> 80 through smoothwall.  I even had all packets dropped that came from asia,
> south america and africa.
>
> The point being, if you sell security as your market niche, you might want
> to make sure that, at least, Apache be up to date, and not a version from 5
> years ago where who knows how many hacks there are out there for it.
>
> I don't mind rebuilding my development box from scratch because that's why
> I had it on the net like that anyway, simply to see how long it would take
> for someone to crash it.  It took less than a month - that's not very good
> from a default security viewpoint.
>
> I'm assuming of course that Apache is the problem, as there are no logs or
> any way to tell what happened, but the hard drive started to make an awful
> screeching sound as the drive was apparently being forced to track the
> heads back and forth very quickly.  The drive is fine, but apache and
> postgresql won't start, and the wtmp file was erased, so that when I did a
> 'last' only my most recent login came up.

As pointed out, Apache 2 won't make it into base. Also, as I like to
say, PHP is more likely to be the point of entry. And the oldish version
of Apache, with lots of fixes, that is in OpenBSD is *less*, not more,
likely to have major bugs than the current Apache.

As to getting hacked - OpenBSD is only secure by default, or when run by
someone who knows what he's doing.

Joachim



Re: 3.9 coming out

2006-04-03 Thread Craig

David B. wrote:
> hi, I see 3.9 is getting ready to be released.  Do you plan on bundling
> Apache2 with it?  It would seem a logical thing to do, since the Apache
> version currently bundled with it seems to have problems.
>
> I just lost my entire development box to a hack this week, right through
> smoothwall's DMZ. I had apache up, postgresql installed with the mod_php
> as the middleware.  All settings were default and the only port I had
> open was 80 through smoothwall.  I even had all packets dropped that
> came from asia, south america and africa.
>
> The point being, if you sell security as your market niche, you might
> want to make sure that, at least, Apache be up to date, and not a
> version from 5 years ago where who knows how many hacks there are out
> there for it.
>
> I don't mind rebuilding my development box from scratch because that's
> why I had it on the net like that anyway, simply to see how long it
> would take for someone to crash it.  It took less than a month - that's
> not very good from a default security viewpoint.
>
> I'm assuming of course that Apache is the problem, as there are no logs
> or any way to tell what happened, but the hard drive started to make an
> awful screeching sound as the drive was apparently being forced to track
> the heads back and forth very quickly.  The drive is fine, but apache
> and postgresql won't start, and the wtmp file was erased, so that when I
> did a 'last' only my most recent login came up.
>
> Anyway, it would be nice if Apache 2 were available for 3.9




As has been said here already, the licensing of Apache2 means that it
will _not_ be included in the base file sets. Apache 1.3.x that resides
in the OpenBSD base system, is not the exact same beast as the Apache
1.3.x that you get from anywhere else. It has been subjected to the
same code audits that the rest of the base system gets, so is far less
likely to suffer the same vulnerabilities as the general release
version.

Depending on how you have iSmoothwall set up, the fact that your server
is in a DMZ, means that it is pretty exposed and that not much actual
firewall protection is applied to it. iSmoothwall, being a Linux based
firewall, does not incorporate the pf packet filter and from what I can
make out, isn't anywhere near as good as a well configured OpenBSD/pf
based firewall. I won't go into much depth here as it obviously depends
on how you have iSmoothwall configured.

Finally, as has also been said already, OpenBSD is 'secure by default'.
If you have introduced vulnerabilities through (mis)configuration, then
it isn't going to be as secure as it might be. This will apply to the
OS and the software installed and running. Apache must remain chrooted,
for the benefits to remain. Likewise PHP, you will need to make sure
you have it configured properly, are not running unnecessary extensions
and also that you are running well written, or at least securely coded
PHP based web apps. Personally, I wouldn't run somebody else's PHP web
app on a publicly available web site. Any third party apps would be
placed well out of public reach, with only my own code being exposed to
the big bad world.

PHP is most likely to be the route in, in your case, but that doesn't
mean that PHP is always going to be a problem. As long as it is well
configured, patched and executing securely written code, then there
should not be any real reason to fear it. That is, of course, so long
as I haven't missed a major flaw in PHP. ;)
--
Best regards,

Craig

http://slashboot.org/

Support OpenBSD
http://www.openbsd.org/orders.html
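Stuart's two questions earlier in the thread (is httpd still in its chroot, and is there any off-system logging left when the box is wiped) and Craig's points about keeping Apache chrooted and running PHP with a tight php.ini and few extensions can be turned into a short audit. The script below is an added example for this thread, not code from any of the posters or from OpenBSD. It assumes the 3.9-era layout: httpd(8) chroots to /var/www unless started with -u through httpd_flags in /etc/rc.conf.local, syslogd forwards wherever /etc/syslog.conf has an @host action, and PHP loads modules through extension= lines in php.ini. The configuration files it checks are constructed samples written to a temp dir; loghost.example and the list of php.ini directives are choices made here, not settings from the thread.

```shell
#!/bin/sh
# Added example: audit the three things the replies keep coming back to.
# Not code from the thread or from OpenBSD; paths and samples are assumptions.

# 1. Off-system logging (Stuart's point): an intruder with root can wipe
#    /var/log and wtmp, but not the copy syslogd already sent elsewhere.
#    syslog.conf(5) lines are "selector<ws>action"; an action beginning
#    with '@' is a remote host. Comment lines are ignored.
syslog_remote_check() {
    if grep -v '^[[:space:]]*#' "$1" |
       grep -qE '^[^[:space:]]+[[:space:]]+@[^[:space:]]+'; then
        echo "ok"
    else
        echo "WARN: no remote loghost in $1; logs only exist on this box"
    fi
}

# 2. httpd chroot (Stuart's and Craig's point): OpenBSD's httpd(8) runs
#    chrooted to /var/www unless started with -u. The flags come from
#    httpd_flags in rc.conf.local; "NO" or "" both leave the chroot intact.
httpd_chroot_check() {
    flags=$(sed -n 's/^httpd_flags=//p' "$1" | tail -1 | tr -d '"')
    case " $flags " in
        *" -u "*) echo "WARN: httpd_flags=\"$flags\" disables the chroot" ;;
        *)        echo "ok" ;;
    esac
}

# 3. php.ini (Craig's point): directives that are often left permissive and
#    the value wanted here. The last uncommented assignment wins, as in PHP.
PHP_WANTED="register_globals=Off expose_php=Off allow_url_fopen=Off display_errors=Off"

php_ini_check() {
    bad=""
    for pair in $PHP_WANTED; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(grep -iE "^[[:space:]]*$key[[:space:]]*=" "$1" | tail -1 |
               sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//')
        [ "$(echo "$have" | tr 'A-Z' 'a-z')" = "$(echo "$want" | tr 'A-Z' 'a-z')" ] ||
            bad="$bad $key=${have:-unset}"
    done
    if [ -n "$bad" ]; then echo "WARN:$bad"; else echo "ok"; fi
}

# Every extension= line is a loaded module, i.e. attack surface; count them
# so the ones the app does not need stand out.
php_extension_count() {
    grep -cE '^[[:space:]]*extension[[:space:]]*=' "$1" || true
}

# Constructed sample configs: a box like the one in the thread, then the
# same box after the fixes. Written to a temp dir so this runs anywhere.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT

BAD_SYSLOG="$DEMO_DIR/syslog.conf.bad"; GOOD_SYSLOG="$DEMO_DIR/syslog.conf.good"
cat > "$BAD_SYSLOG" <<'EOF'
*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none   /var/log/messages
auth.info                                                  /var/log/authlog
EOF
cat > "$GOOD_SYSLOG" <<'EOF'
*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none   /var/log/messages
auth.info                                                  /var/log/authlog
*.*                                                        @loghost.example
EOF

BAD_RC="$DEMO_DIR/rc.conf.local.bad"; GOOD_RC="$DEMO_DIR/rc.conf.local.good"
printf 'httpd_flags="-u"\n' > "$BAD_RC"     # chroot switched off for expediency
printf 'httpd_flags=""\n'   > "$GOOD_RC"    # enabled, still chrooted

BAD_INI="$DEMO_DIR/php.ini.bad"; GOOD_INI="$DEMO_DIR/php.ini.good"
cat > "$BAD_INI" <<'EOF'
; constructed sample of a permissive php.ini
register_globals = On
expose_php = On
allow_url_fopen = On
display_errors = On
extension=pgsql.so
extension=mysql.so
extension=imap.so
EOF
cat > "$GOOD_INI" <<'EOF'
register_globals = Off
expose_php = Off
allow_url_fopen = Off
display_errors = Off
log_errors = On
extension=pgsql.so
EOF

audit() {
    echo "syslog : $(syslog_remote_check "$1")"
    echo "httpd  : $(httpd_chroot_check "$2")"
    echo "php.ini: $(php_ini_check "$3") ($(php_extension_count "$3") extension(s) loaded)"
}
echo "== box as described in the thread (constructed) =="
audit "$BAD_SYSLOG" "$BAD_RC" "$BAD_INI"
echo "== after hardening =="
audit "$GOOD_SYSLOG" "$GOOD_RC" "$GOOD_INI"
```

Point the three functions at the real /etc/syslog.conf, /etc/rc.conf.local and php.ini instead of the samples to audit a live box. The remote-logging check is the one that matters most for the situation described in the thread: once wtmp and the local logs are gone, a copy on another host is the only record of what happened.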



Re: 3.9 coming out

2006-04-03 Thread Gordon Grieder
On Mon, Apr 03, 2006 at 02:40:50AM -0600, David B. wrote:

> I just lost my entire development box to a hack this week, right through
> smoothwall's DMZ. I had apache up, postgresql installed with the mod_php as
> the middleware.  All settings were default and the only port I had open was
> 80 through smoothwall.  I even had all packets dropped that came from asia,
> south america and africa.


Out of curiosity... you don't specifically mention what OS was on your server
but take the time to mention smoothwall somewhere.

Were you actually running OpenBSD on your webserver or are you
kneejerking from another OS being nailed?


 Gord



Re: 3.9 coming out

2006-04-03 Thread Karsten McMinn
On 4/3/06, Gordon Grieder [EMAIL PROTECTED] wrote:

> On Mon, Apr 03, 2006 at 02:40:50AM -0600, David B. wrote:
>
> > I just lost my entire development box to a hack this week, right through
> > smoothwall's DMZ. I had apache up, postgresql installed with the mod_php as
> > the middleware.  All settings were default and the only port I had open was
> > 80 through smoothwall.  I even had all packets dropped that came from asia,
> > south america and africa.


Lack of security in your apache/php setup. To be frank you don't sound like
the type that actually reads through a php.ini or who knows what a chroot is.

If that's the case then: 1) switch to openbsd 2) start reading (archives,
faqs and manuals) 3) try to save your job