Re: Remiss on my personal and server security practices, offering server usage to outsiders
On Wed, Sep 19, 2018 at 11:09:20AM -0700, Chris Bennett wrote:
[...]
> I still would like to know about httpd's owner:group and permissions on files
> not served to the public.

I am not sure if somebody answered you offline, but my reasoning goes like this:

1. httpd runs and has said files writeable to itself (due to same owner:group)
   (if Perl is a no-no, how about PHP, a popular choice with problems of its own
   [judging from bug reports from time to time])
2. someone finds a security hole
3. your scripts in Perl/PHP/C++ or whatever become overwritten by httpd
4. from now on the scripts will be not only doing what they were doing up to now,
   but also whatever additional code someone appended to them
5. ... something nasty

HTH

--
Regards,
Tomasz Rola

--
** A C programmer asked whether computer had Buddha's nature.      **
** As the answer, master did "rm -rif" on the programmer's home     **
** directory. And then the C programmer became enlightened...       **
**                                                                  **
** Tomasz Rola          mailto:tomasz_r...@bigfoot.com              **
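As an added example, not code from the thread, here is a shell check for the condition Tomasz describes in step 1: it lists the files under a web root that the httpd account (www:www on OpenBSD) could modify. The function names and the sample tree built by `demo_tree` are my own construction.

```shell
#!/bin/sh
# Added example, not from the thread. Lists regular files under a web root
# that the httpd account could modify, i.e. the situation in Tomasz's step 1:
# scripts the server process itself is able to overwrite.
# Assumptions (mine): OpenBSD's httpd runs as www:www, so those are the
# defaults (numeric ids also work). A file is reported if it is owned by that
# user (the owner can chmod it, so mode bits alone do not protect it), if it
# is in that group and group-writable, or if it is world-writable.
#
# usage: audit_www_writable DOCROOT [HTTPD_USER] [HTTPD_GROUP]
audit_www_writable() {
    docroot=$1
    huser=${2:-www}
    hgroup=${3:-www}
    find "$docroot" -type f \( -user "$huser" \
        -o \( -group "$hgroup" -perm -020 \) \
        -o -perm -002 \) -print | sort
}

# Number of files reported, for a scripted pass/fail check
# (0 means nothing under DOCROOT is writable by the httpd account).
audit_www_writable_count() {
    audit_www_writable "$@" | wc -l | tr -d ' '
}

# Constructed sample tree so the check can be exercised without root; the
# calling user stands in for the httpd account where ownership matters.
# Prints the path of the sample web root.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/htdocs/cgi-bin"
    printf '<html></html>\n' > "$d/htdocs/index.html"
    chmod 0644 "$d/htdocs/index.html"            # read-only to group/world
    printf '#!/usr/bin/perl\n' > "$d/htdocs/cgi-bin/form.pl"
    chmod 0755 "$d/htdocs/cgi-bin/form.pl"       # executable, not writable
    printf 'upload\n' > "$d/htdocs/upload.tmp"
    chmod 0666 "$d/htdocs/upload.tmp"            # world-writable: always reported
    printf 'notes\n' > "$d/htdocs/notes.txt"
    chmod 0664 "$d/htdocs/notes.txt"             # reported only if group matches
    printf '%s\n' "$d/htdocs"
}
```

A script this reports is one the server could rewrite; the thread's point is that such files should not be owned by www, and a read-only mode for www then keeps the server out of them.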
Re: Remiss on my personal and server security practices, offering server usage to outsiders
I would like to continue what this topic is actually about.

Frankly, I only mentioned the phone thing on this topic BECAUSE of Theo's
immediate response to my other topic. A mistake on my part.

Please feel free to reply to me off the list. I will not post anything you
send me to the list. I appreciate greatly those who have sent me some very
helpful advice already off-list.

But this topic is not about phones. I am asking for help with security on an
OpenBSD server and I would still like more help.

I still would like to know about httpd's owner:group and permissions on files
not served to the public.

Chris Bennett
Re: Remiss on my personal and server security practices, offering server usage to outsiders
On 09-19 08:32, Chris Bennett wrote:
> On Wed, Sep 19, 2018 at 04:14:47PM +0200, Solene Rapenne wrote:
> > Chris Bennett wrote:
> > > I have not opened up my server before for full usage of email, web,
> > > database, etc. before. So I'm a total noob on really good security
> > > practices.
> > >
> > > Proper owner:group all over the place. Not covered in hier (7).
> >
> > look at security(8), especially the mtree part
> >
> Thank you. I used it a few times but I never opened the files in
> /etc/mtree. Very useful. Although that doesn't cover all of my
> owner:group questions, I can see a little better now.

I have "umask 0077" set in my /etc/profile so that all users cannot by default
see each others' files, unless they want to open them up. This is even though
all the users are currently variations of myself with different security
profiles. If I were a new user learning to use a system, especially a
multiuser one, I would appreciate that default until I learned more.

I have wondered if that would be a good systemwide default in new obsd installs
(or the reasons not), but have also found that when root has that setting, I
have to change it back to "umask 0022" for the duration of running pkg_add
(which I do in a script), or some packages have problems. (Corrections welcome.)
Re: Remiss on my personal and server security practices, offering server usage to outsiders
On 09/19/18 10:45, Chris Bennett wrote:
> Right now, I am not living at a fixed location anywhere. All of my
> internet access is not through a hard line, but by necessity through
> WiFi or tethering. If I have some kind of server emergency and I do not
> have my laptop with me, I am forced to access ssh directly from my phone
> or seek a public computer that actually allows Putty or ssh. I just left
> an area where there were NO public computers that allowed that.

Get a mini laptop / pocket pc and install OpenBSD on it-- Problem solved.

'Smart' phones are Orwellian spying devices. They are the wool that has been
pulled over our eyes.

> Why wouldn't I just bring my laptop? Because I am not allowed to drive
> due to a past history of seizures. Thus bringing my laptop while
> shopping for anything means one hand less to carry anything with.

Buy a backpack or briefcase like every other adult has.
Re: Remiss on my personal and server security practices, offering server usage to outsiders
Look Chris, that is yet another mail that is off topic for this list.

https://www.openbsd.org/mail.html

You are NOT talking about OpenBSD, rather you are blathering about
unrelated topics.

Get your shit together

Chris Bennett wrote:
> On Wed, Sep 19, 2018 at 10:48:50AM -0600, Theo de Raadt wrote:
> > Surely this is off-topic for misc, your phone has nothing to do with
> > openbsd.
> >
>
> Perhaps we have different perspectives due to our ability on *how* we
> access the internet and thus focus on this issue differently.
>
> Right now, I am not living at a fixed location anywhere. All of my
> internet access is not through a hard line, but by necessity through
> WiFi or tethering. If I have some kind of server emergency and I do not
> have my laptop with me, I am forced to access ssh directly from my phone
> or seek a public computer that actually allows Putty or ssh. I just left
> an area where there were NO public computers that allowed that.
> Why wouldn't I just bring my laptop? Because I am not allowed to drive
> due to a past history of seizures. Thus bringing my laptop while
> shopping for anything means one hand less to carry anything with.
>
> I actually thought very carefully whether to mark this OT or not.
> After considering my situation, this issue really does directly affect
> my secure access to OpenBSD.
>
> I am certainly not mad at your viewpoint.
> We are all here by choice and I am now completely satisfied with not
> speaking any further about anyone's phone.
>
> Chris Bennett
>
> > Chris Bennett wrote:
> >
> > > On Wed, Sep 19, 2018 at 06:08:19PM +0100, Kevin Chadwick wrote:
> > > > On Wed, 19 Sep 2018 07:03:56 -0700
> > > >
> > > > > This is the thread that I wished to start that pertains to OpenBSD.
> > > > > If usage of an SSH app on anyone's phone to access an OpenBSD server
> > > > > isn't relevant from a security point of view, well, let's ignore the
> > > > > communication breach from a hardware/software issue and I ask
> > > > > forgiveness.
> > > >
> > > > Termux APP provides OpenSSH binaries but sadly built with OpenSSL not
> > > > Libressl but faster than an APP. Better still use usb/wifi tethering to
> > > > an OpenBSD laptop?
> > > >
> > > That's exactly what I'm doing right now. Using phone WiFi and ssh on
> > > laptop. My concerns mean that I will restrict using my phone's apps with
> > > anything that isn't fit to be spread anywhere. Oh well, I still like my
> > > phone but I have to just look at it like any hardware/software flaw.
> > >
> > > Chris Bennett
Re: Remiss on my personal and server security practices, offering server usage to outsiders
On Wed, Sep 19, 2018 at 10:48:50AM -0600, Theo de Raadt wrote:
> Surely this is off-topic for misc, your phone has nothing to do with
> openbsd.
>

Perhaps we have different perspectives due to our ability on *how* we
access the internet and thus focus on this issue differently.

Right now, I am not living at a fixed location anywhere. All of my
internet access is not through a hard line, but by necessity through
WiFi or tethering. If I have some kind of server emergency and I do not
have my laptop with me, I am forced to access ssh directly from my phone
or seek a public computer that actually allows Putty or ssh. I just left
an area where there were NO public computers that allowed that.

Why wouldn't I just bring my laptop? Because I am not allowed to drive
due to a past history of seizures. Thus bringing my laptop while
shopping for anything means one hand less to carry anything with.

I actually thought very carefully whether to mark this OT or not.
After considering my situation, this issue really does directly affect
my secure access to OpenBSD.

I am certainly not mad at your viewpoint.
We are all here by choice and I am now completely satisfied with not
speaking any further about anyone's phone.

Chris Bennett

> Chris Bennett wrote:
>
> > On Wed, Sep 19, 2018 at 06:08:19PM +0100, Kevin Chadwick wrote:
> > > On Wed, 19 Sep 2018 07:03:56 -0700
> > >
> > > > This is the thread that I wished to start that pertains to OpenBSD.
> > > > If usage of an SSH app on anyone's phone to access an OpenBSD server
> > > > isn't relevant from a security point of view, well, let's ignore the
> > > > communication breach from a hardware/software issue and I ask
> > > > forgiveness.
> > >
> > > Termux APP provides OpenSSH binaries but sadly built with OpenSSL not
> > > Libressl but faster than an APP. Better still use usb/wifi tethering to
> > > an OpenBSD laptop?
> > >
> > That's exactly what I'm doing right now. Using phone WiFi and ssh on
> > laptop. My concerns mean that I will restrict using my phone's apps with
> > anything that isn't fit to be spread anywhere. Oh well, I still like my
> > phone but I have to just look at it like any hardware/software flaw.
> >
> > Chris Bennett
Re: Remiss on my personal and server security practices, offering server usage to outsiders
Surely this is off-topic for misc, your phone has nothing to do with openbsd.

Chris Bennett wrote:
> On Wed, Sep 19, 2018 at 06:08:19PM +0100, Kevin Chadwick wrote:
> > On Wed, 19 Sep 2018 07:03:56 -0700
> >
> > > This is the thread that I wished to start that pertains to OpenBSD.
> > > If usage of an SSH app on anyone's phone to access an OpenBSD server
> > > isn't relevant from a security point of view, well, let's ignore the
> > > communication breach from a hardware/software issue and I ask
> > > forgiveness.
> >
> > Termux APP provides OpenSSH binaries but sadly built with OpenSSL not
> > Libressl but faster than an APP. Better still use usb/wifi tethering to
> > an OpenBSD laptop?
> >
> That's exactly what I'm doing right now. Using phone WiFi and ssh on
> laptop. My concerns mean that I will restrict using my phone's apps with
> anything that isn't fit to be spread anywhere. Oh well, I still like my
> phone but I have to just look at it like any hardware/software flaw.
>
> Chris Bennett
Re: Remiss on my personal and server security practices, offering server usage to outsiders
On Wed, Sep 19, 2018 at 06:08:19PM +0100, Kevin Chadwick wrote:
> On Wed, 19 Sep 2018 07:03:56 -0700
>
> > This is the thread that I wished to start that pertains to OpenBSD.
> > If usage of an SSH app on anyone's phone to access an OpenBSD server
> > isn't relevant from a security point of view, well, let's ignore the
> > communication breach from a hardware/software issue and I ask
> > forgiveness.
>
> Termux APP provides OpenSSH binaries but sadly built with OpenSSL not
> Libressl but faster than an APP. Better still use usb/wifi tethering to
> an OpenBSD laptop?
>

That's exactly what I'm doing right now. Using phone WiFi and ssh on
laptop. My concerns mean that I will restrict using my phone's apps with
anything that isn't fit to be spread anywhere. Oh well, I still like my
phone but I have to just look at it like any hardware/software flaw.

Chris Bennett
Re: Remiss on my personal and server security practices, offering server usage to outsiders
On Wed, 19 Sep 2018 07:03:56 -0700

> This is the thread that I wished to start that pertains to OpenBSD.
> If usage of an SSH app on anyone's phone to access an OpenBSD server
> isn't relevant from a security point of view, well, let's ignore the
> communication breach from a hardware/software issue and I ask
> forgiveness.

Termux APP provides OpenSSH binaries but sadly built with OpenSSL not
Libressl but faster than an APP. Better still use usb/wifi tethering to
an OpenBSD laptop?
Re: Remiss on my personal and server security practices, offering server usage to outsiders
On Wed, Sep 19, 2018 at 04:14:47PM +0200, Solene Rapenne wrote:
> Chris Bennett wrote:
> > I have not opened up my server before for full usage of email, web,
> > database, etc. before. So I'm a total noob on really good security
> > practices.
> >
> > Proper owner:group all over the place. Not covered in hier (7).
>
> look at security(8), especially the mtree part
>

Thank you. I used it a few times but I never opened the files in
/etc/mtree. Very useful. Although that doesn't cover all of my
owner:group questions, I can see a little better now.

Chris Bennett
Re: Remiss on my personal and server security practices, offering server usage to outsiders
There are people still serving server side Perl scripts? That might be your
problem right there.

On 9/19/18, 10:06 AM, "owner-m...@openbsd.org on behalf of Chris Bennett" wrote:

    httpd should not have its Perl scripts
Re: Remiss on my personal and server security practices, offering server usage to outsiders
Chris Bennett wrote:
> I have not opened up my server before for full usage of email, web,
> database, etc. before. So I'm a total noob on really good security
> practices.
>
> Proper owner:group all over the place. Not covered in hier (7).

look at security(8), especially the mtree part
Remiss on my personal and server security practices, offering server usage to outsiders
This is the thread that I wished to start that pertains to OpenBSD.
If usage of an SSH app on anyone's phone to access an OpenBSD server
isn't relevant from a security point of view, well, let's ignore the
communication breach from a hardware/software issue and I ask
forgiveness.

I have not opened up my server before for full usage of email, web,
database, etc. before. So I'm a total noob on really good security
practices.

Proper owner:group all over the place. Not covered in hier (7).
For example, I read that httpd should not have its Perl scripts owned by
www:www. Well, what IS the right choice here? What about Perl modules I
bring in? root:wheel seems wrong to me.

If I bring in an outsider to also have a site under httpd, how should I
deal with preventing them from getting into the other virtual server
folders, which usually contain sensitive information? This would seem to
be an owner:group and permission thing. But HOW do I do this right? Do I
give them an outside folder to work in and then give them the ability to
have my software copy it into the chroot?

What about each server's logs? Should I have them written to their home
folders? They need to see those but not anyone else's.

Overall, what are the right and especially the wrong owner:group all over
the general file system? I'm not really asking for a vague outline, I know
very well that daemon is especially dangerous and needs to be used in some
places and NOT in others. Right now I just have a hodge-podge all over the
place.

Is there a manual page that covers this? If not, should there be?

Hey, I grew up with DOS, BASIC and Windows. So I don't have any years of
knowledge of "just how this obviously should be".

(Thanks for the comments left in a project I gave a go at a while back,
they were very educational about this topic. I may have failed at that
project, but I do look at source code. I respect any requests not to reply
to a personal email. I do not ignore such things, that would be extremely
disrespectful.)

Passwords in general. I'm familiar with the xkcd about password strength.
But I see sites with password strength checkers that are clearly wrong now
that I have this knowledge. Are there any correct password checkers that I
can insert into the passwd routine to keep things safer? I can't prevent
anyone from their own mistakes about leaving it out, but I at least want to
prevent break-ins with lousy passwords from attackers.

What else don't I know? This is one of those questions I have to ask since
I don't know exactly what I don't know. There is an excellent pdf on a
study about how people who are incompetent are unable to judge their own
incompetence until they become more competent. Which is exactly my own
problem. I am not competent enough to judge my own competence.

I have not worked in IT. I do not know anyone who has, except over this
list. I will ask stupid questions and not know it.

Any help welcome,
Chris Bennett