Re: Secure by default

2021-02-13 Thread Peter Nicolai Mathias Hansteen
Hi,

> 13. feb. 2021 kl. 20:14 skrev sivasubramanian muthusamy 
> <6.inter...@gmail.com>:
> 
> Hello,
> 
> I am an ordinary computer user, installed 6.8 without connecting to
> the Internet yet, (a friend and a technical expert recently advised me
> in a different context: do not expose your machine to the Internet-
> don't know what that means)
> 
> OpenBSD intro says OpenBSD is secure by default. How is it secure by
> default for an average user who does not get to ssh, does not use his
> computer as a web-server or as a VM host, who does not have to share
> screen etc? What ports are open by default and what applications start
> by default?
> 
> Before connecting the computer to the Internet, what other steps
> should a very ordinary user take? Block a few more ports? Which ones?

To me this sounds like your friend does not know anything specific about 
OpenBSD, and in that scenario the advice is sound — «don’t put anything on the 
network that you don’t know how to operate».

However, if you did run through the install, you will have noticed that it 
asked whether you wanted to run sshd. If you said no to that question, as far 
as I know there are no daemons listening on a default OpenBSD install. This is 
easy to verify by running a simple port scan from another host on your local 
network.

By the way, you posted this to the wrong list. tech@ is for patches and patch 
related discussions only. I’m redirecting to misc@, which is a more appropriate 
forum.

You might find useful information in one of my recent presentations, see 
https://undeadly.org/cgi?action=article;sid=20201109055713 and links therein.

All the best,
Peter N. M. Hansteen


—
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
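Peter's suggestion above is to verify from another host with a port scan; on the host itself the same check can be made from netstat(1). What follows is an added example, not code from the thread or from OpenBSD: a small sh script that parses `netstat -an -f inet` output and reports every socket bound to a non-loopback address that is not on an expected list. The sample netstat output is constructed (sshd on `*.22`, smtpd bound only to loopback, a UDP socket on 514, one established session) and assumes OpenBSD's column layout; the expected list is whatever the administrator answered at install time.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenBSD: report sockets that other
# hosts could reach, parsed from `netstat -an -f inet` output. The sample
# output below is constructed (OpenBSD column layout assumed).

SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  127.0.0.1.25           *.*                    LISTEN
tcp          0      0  *.22                   *.*                    LISTEN
tcp          0      0  192.0.2.10.22          198.51.100.7.50314     ESTABLISHED
udp          0      0  *.514                  *.*'

# Read netstat output on stdin; print "proto local-address" for each TCP socket
# in LISTEN state and each UDP socket, skipping loopback-only binds, which no
# other host can reach.
exposed_sockets() {
    awk '
        $1 != "tcp" && $1 != "udp" { next }    # header and non-inet lines
        $1 == "tcp" && $6 != "LISTEN" { next } # established TCP is not a listener
        $4 ~ /^127\./ { next }                 # bound to loopback only
        { print $1, $4 }
    '
}

# Read netstat output on stdin and compare it against an expected list given as
# "proto address" lines, e.g. "tcp *.22". Unexpected sockets go to stderr and
# the function returns 1, so it can gate a boot-time or cron check.
audit_exposure() {
    expected="$1"
    unexpected=$(exposed_sockets | while read -r proto addr; do
        printf '%s\n' "$expected" | grep -Fqx "$proto $addr" || echo "$proto $addr"
    done)
    [ -z "$unexpected" ] || {
        printf '%s\n' "$unexpected" | sed 's/^/unexpected listener: /' >&2
        return 1
    }
}

# Stand-alone demo on the constructed sample; on a real OpenBSD host replace
# the printf with `netstat -an -f inet`.
printf '%s\n' "$SAMPLE_NETSTAT" | audit_exposure 'tcp *.22
udp *.514' && echo "only expected sockets are exposed"
```

The loopback exclusion is deliberate: a daemon bound to 127.0.0.1 is not what "exposed to the Internet" means, so the check only complains about wildcard or interface-address binds that are missing from the list you pass in.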








Re: Where is Secure by default ?

2009-03-22 Thread Ryan McBride
On Mon, Mar 09, 2009 at 04:50:51PM +0100, Felipe Alfaro Solana wrote:
> ARP is insecure by default. If you care, move to IPv6 and use IPSec/SeND.

SeND will not be coming to OpenBSD any time soon.

http://www.ietf.org/rfc/rfc3971.txt
http://www.ietf.org/rfc/rfc3972.txt

80 pages across two RFCs for mapping layer 2 addresses to layer 3
addresses?!?  Public key crypto (ASN.1 encoded, of course) to verify
them?  I guarantee that implementing this will create more security
problems than it solves.

If you do not trust your local network, use crypto at a higher layer
(ipsec, ssh, ssl, etc).



Re: Where is Secure by default ?

2009-03-22 Thread Joe S
On Mon, Mar 9, 2009 at 7:36 AM, irix i...@ukr.net wrote:
> Hello Misc,
>
>   On www.openbsd.org it says "Only two remote holes in the default
>   install, in more than 10 years!"; this is not true. I use OpenBSD
>   as a customer, not as an administrator. And my OpenBSD was attacked
>   by a simple MiTM attack on the ARP protocol. How then can we talk
>   about "security by default"?
>   For example, FreeBSD solved this very simply, with this patch:
>   http://freecap.ru/if_ether.c.patch
>   When this is introduced in OpenBSD, can you then say with confidence
>   that the system is really "Secure by default"?
>
> --
> Best regards,
>  irix  mailto:i...@ukr.net



So your network connection was hijacked.

Sounds like you have a network problem, not an operating system problem.

Replace your OS with any other OS and the same thing will happen.



Re: Where is Secure by default ?

2009-03-21 Thread Henning Brauer
* Felipe Alfaro Solana felipe.alf...@gmail.com [2009-03-09 17:07]:
> ARP is insecure by default. If you care, move to IPv6 and use IPSec/SeND.

hah. IPv6 makes arp look like the brightest invention ever.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: Where is Secure by default ?

2009-03-21 Thread Henning Brauer
* irix i...@ukr.net [2009-03-09 15:55]:
>   On www.openbsd.org it says "Only two remote holes in the default
>   install, in more than 10 years!"; this is not true. I use OpenBSD
>   as a customer, not as an administrator. And my OpenBSD was attacked
>   by a simple MiTM attack on the ARP protocol. How then can we talk
>   about "security by default"?
>   For example, FreeBSD solved this very simply, with this patch:
>   http://freecap.ru/if_ether.c.patch
>   When this is introduced in OpenBSD, can you then say with confidence
>   that the system is really "Secure by default"?

yeah, that is a great patch. it breaks ethernet. it effectively makes
arp static. great idea, great. move an IP to another machine and
observe it not working (until the long-ish timeout expires). great eh.

how about letting the one who knows about IP-mac relations decide.
using arp(8).

or fix the network from the beginning and make proper use of port
security and vlans on the switches. yes, most ISPs don't do that. yes,
most ISPs are stupid. you can work around that to some degree by using
static arp and deal with the fallout, or get a decent ISP. they exist.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
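Henning's point is that the administrator, not the network, knows which IP-to-MAC relations are legitimate, and arp(8) is where that knowledge is applied. The following is an added example, not code from the thread or from OpenBSD: a sh script that checks the live ARP cache, as printed by `arp -an` on OpenBSD, against a pinned list, so that a changed MAC for a pinned host (the symptom of the MiTM irix describes) or a pinned host that has vanished from the cache is reported instead of silently accepted. The sample `arp -an` output, the addresses and the MACs are constructed; the `arp -s ... permanent` line in the comment is the static-entry form from arp(8) and is not executed.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenBSD: compare the live ARP
# table, as printed by OpenBSD's `arp -an`, with a pinned IP-to-MAC list.
# All sample data below is constructed (documentation address ranges).

# Pinned mappings, one "ip mac" pair per line: what the admin knows to be true.
PINNED='192.0.2.1 00:00:5e:00:53:01
192.0.2.20 00:00:5e:00:53:14'

# Constructed `arp -an` output in which the gateway's MAC no longer matches.
SAMPLE_ARP='Host                                 Ethernet Address   Netif Expire     Flags
192.0.2.1                            00:00:5e:00:53:99  em0   19m46s
192.0.2.20                           00:00:5e:00:53:14  em0   permanent  l
192.0.2.33                           00:00:5e:00:53:21  em0   4m02s'

# Read `arp -an` output on stdin. For every pinned host whose cached MAC
# differs, print "ip observed expected"; for a pinned host absent from the
# cache, print "ip missing expected". Output goes to stderr and the function
# returns 1 when anything was printed, so it can drive an alert.
arp_drift() {
    pinned="$1"
    drift=$(awk -v pinned="$pinned" '
        BEGIN {
            n = split(pinned, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], kv, " ")
                want[kv[1]] = kv[2]
            }
        }
        NR == 1 { next }                        # column header line
        ($1 in want) {
            seen[$1] = 1
            if (tolower($2) != tolower(want[$1])) print $1, $2, want[$1]
        }
        END {
            for (ip in want) if (!(ip in seen)) print ip, "missing", want[ip]
        }
    ')
    [ -z "$drift" ] || { printf '%s\n' "$drift" >&2; return 1; }
}

# Pinning the gateway so its mapping becomes static (Henning's arp(8)
# suggestion; OpenBSD syntax, shown here as a comment, not run):
#   arp -s 192.0.2.1 00:00:5e:00:53:01 permanent

# Stand-alone demo on the constructed sample; on a real host pipe `arp -an`.
printf '%s\n' "$SAMPLE_ARP" | arp_drift "$PINNED" \
    || echo "ARP cache disagrees with the pinned table"
```

Only pinned hosts are compared, so unrelated cache churn on the segment does not produce noise; the trade-off Henning describes still applies, because a pinned host whose hardware is legitimately replaced will be reported as drift until the list is updated.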



Re: Where is Secure by default ?

2009-03-10 Thread Artur Grabowski
Han Boetes h...@mijncomputer.nl writes:

> Paul Irofti wrote:
> > Hello Mr. Troll, thanks for flaming by. Have a good day!
>
> Never attribute to malice that which is adequately explained by
> stupidity.

That doesn't seem to be a good idea when you're working with security.
Weren't we talking about secure by default here?

Always attribute to malice even that which has been explained by
stupidity. Stupidity is easy to fake.

//art



Re: Where is Secure by default ?

2009-03-10 Thread Marc Espie
On Tue, Mar 10, 2009 at 10:11:12AM +0100, Artur Grabowski wrote:
> Always attribute to malice even that which has been explained by
> stupidity. Stupidity is easy to fake.

Surprisingly enough, most often it's not.
I've met more actual stupidity than faked one.



Re: Where is Secure by default ?

2009-03-10 Thread Travers Buda
* Artur Grabowski a...@blahonga.org [2009-03-10 10:11:12]:

> Han Boetes h...@mijncomputer.nl writes:
>
> > Paul Irofti wrote:
> > > Hello Mr. Troll, thanks for flaming by. Have a good day!
> >
> > Never attribute to malice that which is adequately explained by
> > stupidity.
>
> That doesn't seem to be a good idea when you're working with security.
> Weren't we talking about secure by default here?
>
> Always attribute to malice even that which has been explained by
> stupidity. Stupidity is easy to fake.
>
> //art

Someone I used to work with had a tough time deciding if he was on
the receiving end of malice or stupidity.  The vast majority of
the time, it was stupidity.  When it was malice, well, malice is a
bit strong of a word.

However, that probably does not detract from the fact that both
stupidity and malice can cause headaches.  Stupidity is probably
worse in my opinion due to its frequency.  Maliciousness is a lot
less frequent, but worse in magnitude...  well, I suppose this all
depends on how good of an admin you are!


-- 
Travers Buda



Where is Secure by default ?

2009-03-09 Thread irix
Hello Misc,

  On www.openbsd.org it says "Only two remote holes in the default
  install, in more than 10 years!"; this is not true. I use OpenBSD
  as a customer, not as an administrator. And my OpenBSD was attacked
  by a simple MiTM attack on the ARP protocol. How then can we talk
  about "security by default"?
  For example, FreeBSD solved this very simply, with this patch:
  http://freecap.ru/if_ether.c.patch
  When this is introduced in OpenBSD, can you then say with confidence
  that the system is really "Secure by default"?

-- 
Best regards,
 irix  mailto:i...@ukr.net



Re: Where is Secure by default ?

2009-03-09 Thread Marco Peereboom
because it is.

On Mon, Mar 09, 2009 at 04:36:47PM +0200, irix wrote:
> Hello Misc,
>
>   On www.openbsd.org it says "Only two remote holes in the default
>   install, in more than 10 years!"; this is not true. I use OpenBSD
>   as a customer, not as an administrator. And my OpenBSD was attacked
>   by a simple MiTM attack on the ARP protocol. How then can we talk
>   about "security by default"?
>   For example, FreeBSD solved this very simply, with this patch:
>   http://freecap.ru/if_ether.c.patch
>   When this is introduced in OpenBSD, can you then say with confidence
>   that the system is really "Secure by default"?
>
> --
> Best regards,
>  irix  mailto:i...@ukr.net



Re: Where is Secure by default ?

2009-03-09 Thread Paul Irofti
On Mon, Mar 09, 2009 at 04:36:47PM +0200, irix wrote:
> Hello Misc,
>
>   On www.openbsd.org it says "Only two remote holes in the default
>   install, in more than 10 years!"; this is not true. I use OpenBSD
>   as a customer, not as an administrator. And my OpenBSD was attacked
>   by a simple MiTM attack on the ARP protocol. How then can we talk
>   about "security by default"?
>   For example, FreeBSD solved this very simply, with this patch:
>   http://freecap.ru/if_ether.c.patch
>   When this is introduced in OpenBSD, can you then say with confidence
>   that the system is really "Secure by default"?

Hello Mr. Troll, thanks for flaming by. Have a good day!



Re: Where is Secure by default ?

2009-03-09 Thread Alexander Hall
How do you define remote holes? Which remotely accessible services were 
compromised by this?


Hey, someone hijacked facebook and I entered my password and submitted 
it to them AND OPENBSD DID NOT SAVE ME OMG!!! OpenBSD is so 
insecure.


There may or may not be a reason for applying sth similar to that patch 
but OpenBSD cannot save you from everything, you know.


Why the hell do I even bother replying to this? Sorry, list.

/Alexander

irix wrote:

> Hello Misc,
>
>   On www.openbsd.org it says "Only two remote holes in the default
>   install, in more than 10 years!"; this is not true. I use OpenBSD
>   as a customer, not as an administrator. And my OpenBSD was attacked
>   by a simple MiTM attack on the ARP protocol. How then can we talk
>   about "security by default"?
>   For example, FreeBSD solved this very simply, with this patch:
>   http://freecap.ru/if_ether.c.patch
>   When this is introduced in OpenBSD, can you then say with confidence
>   that the system is really "Secure by default"?




Re: Where is Secure by default ?

2009-03-09 Thread bofh
On Mon, Mar 9, 2009 at 10:36 AM, irix i...@ukr.net wrote:
>   When this is introduced in OpenBSD, can you then say with confidence
>   that the system is really "Secure by default"?

Then shouldn't you be using freebsd, and go bug them?


--
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
This officer's men seem to follow him merely out of idle curiosity.
-- Sandhurst officer cadet evaluation.
Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks
factory where smoking on the job is permitted.  -- Gene Spafford
learn french:  http://www.youtube.com/watch?v=j1G-3laJJP0&feature=related



Re: Where is Secure by default ?

2009-03-09 Thread Felipe Alfaro Solana
On Mon, Mar 9, 2009 at 3:36 PM, irix i...@ukr.net wrote:

> Hello Misc,
>
>   On www.openbsd.org it says "Only two remote holes in the default
>   install, in more than 10 years!"; this is not true. I use OpenBSD
>   as a customer, not as an administrator. And my OpenBSD was attacked
>   by a simple MiTM attack on the ARP protocol. How then can we talk
>   about "security by default"?
>   For example, FreeBSD solved this very simply, with this patch:
>   http://freecap.ru/if_ether.c.patch
>   When this is introduced in OpenBSD, can you then say with confidence
>   that the system is really "Secure by default"?


ARP is insecure by default. If you care, move to IPv6 and use IPSec/SeND.



Re: Where is Secure by default ?

2009-03-09 Thread - Tethys
On Mon, Mar 9, 2009 at 2:56 PM, Marco Peereboom sl...@peereboom.us wrote:
> because it is.

And therein lies some of the problem with the OpenBSD community. Don't
get me wrong, I like OpenBSD, I use it, and have donated to the
project. But here we have a user that has security concerns, and
rather than either admit there's a problem or point out why there's no
security hole, the answer given is just that it's secure because it
is. That wouldn't fill me with confidence if I was looking to deploy
an OpenBSD system. I'm worried that some are getting complacent about
OpenBSD's security here...

Maybe it's a troll. Maybe not. Can we afford to be turning away
potential users on the off chance?

Tet

-- 
The greatest shortcoming of the human race is our inability to
understand the exponential function -- Albert Bartlett



Re: Where is Secure by default ?

2009-03-09 Thread João Salvatti
If FreeBSD solves your problem, use it.

On Mon, Mar 9, 2009 at 12:10 PM, bofh goodb...@gmail.com wrote:
> On Mon, Mar 9, 2009 at 10:36 AM, irix i...@ukr.net wrote:
> >   When this is introduced in OpenBSD, can you then say with confidence
> >   that the system is really "Secure by default"?
>
> Then shouldn't you be using freebsd, and go bug them?
>
>
> --
> http://www.glumbert.com/media/shift
> http://www.youtube.com/watch?v=tGvHNNOLnCk
> This officer's men seem to follow him merely out of idle curiosity.
> -- Sandhurst officer cadet evaluation.
> Securing an environment of Windows platforms from abuse - external or
> internal - is akin to trying to install sprinklers in a fireworks
> factory where smoking on the job is permitted.  -- Gene Spafford
> learn french:  http://www.youtube.com/watch?v=j1G-3laJJP0&feature=related





--
If debugging is the art of removing bugs, programming is the art of inserting them.

Donald E. Knuth.

--
João Salvatti
Graduated in Computer Science
Federal University of Para - UFPA - Brazil
E-Mail: salva...@gmail.com



Re: Where is Secure by default ?

2009-03-09 Thread Vincent Gross
On Mon, Mar 9, 2009 at 3:36 PM, irix i...@ukr.net wrote:
>   On www.openbsd.org it says "Only two remote holes in the default
>   install, in more than 10 years!"; this is not true. I use OpenBSD
>   as a customer, not as an administrator.

So it wasn't default install anymore, was it ?

>   And my OpenBSD was attacked
>   by a simple MiTM attack on the ARP protocol.

that's why OpenBSD comes with IPSec and OpenSSH by default: to let
you create secure networks without having to install poorly-integrated
3rd party software.

>   How then can we talk about "security by default"?

Simply because it wasn't default install anymore.

>   For example, FreeBSD solved this very simply, with this patch:
>   http://freecap.ru/if_ether.c.patch
>   When this is introduced in OpenBSD, can you then say with confidence
>   that the system is really "Secure by default"?

My guess is this will never be in OpenBSD source tree. Security is a
process, not a product, and blindly adding code inside kernel to
cover a marginal use case for which there is already a solution is not
my idea of a good process, and I'm pretty sure this is not OpenBSD
developers' either.

For authenticating remote hosts, have a look at ipsecctl, ssh and SSL.

Cheers,
--
Vincent Gross

So, the essence of XML is this: the problem it solves is not hard, and
it does not solve the problem well. -- Jerome Simeon & Phil Wadler



Re: Where is Secure by default ?

2009-03-09 Thread michal

- Tethys wrote:

> On Mon, Mar 9, 2009 at 2:56 PM, Marco Peereboom sl...@peereboom.us wrote:
> > because it is.
>
> And therein lies some of the problem with the OpenBSD community. Don't
> get me wrong, I like OpenBSD, I use it, and have donated to the
> project. But here we have a user that has security concerns, and
> rather than either admit there's a problem or point out why there's no
> security hole, the answer given is just that it's secure because it
> is. That wouldn't fill me with confidence if I was looking to deploy
> an OpenBSD system. I'm worried that some are getting complacent about
> OpenBSD's security here...
>
> Maybe it's a troll. Maybe not. Can we afford to be turning away
> potential users on the off chance?
>
> Tet

I agree with your standpoint



Re: Where is Secure by default ?

2009-03-09 Thread Jason Dixon
On Mon, Mar 09, 2009 at 03:48:05PM +, - Tethys wrote:
> On Mon, Mar 9, 2009 at 2:56 PM, Marco Peereboom sl...@peereboom.us wrote:
> > because it is.
>
> And therein lies some of the problem with the OpenBSD community. Don't
> get me wrong, I like OpenBSD, I use it, and have donated to the
> project. But here we have a user that has security concerns, and
> rather than either admit there's a problem or point out why there's no
> security hole, the answer given is just that it's secure because it
> is. That wouldn't fill me with confidence if I was looking to deploy
> an OpenBSD system. I'm worried that some are getting complacent about
> OpenBSD's security here...
>
> Maybe it's a troll. Maybe not. Can we afford to be turning away
> potential users on the off chance?

As a community, we don't suffer fools well.  Take it or leave it, but
don't try to change us.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: Where is Secure by default ?

2009-03-09 Thread Marco Peereboom
If this issue matters to you and you want the OS to fix it you are doing
it wrong.  ARP has some inherent qualities that are questionable.  You
can hack ARP all up but it won't ever fix it so instead one needs to
embrace the issues and fix them where it makes sense.

This is not about an issue with the community it is about a
misunderstanding that is blown way out of proportion with condescending
language to boot.  You are on the other hand suggesting that we are not
paying attention to security issues.

On Mon, Mar 09, 2009 at 03:48:05PM +, - Tethys wrote:
> On Mon, Mar 9, 2009 at 2:56 PM, Marco Peereboom sl...@peereboom.us wrote:
> > because it is.
>
> And therein lies some of the problem with the OpenBSD community. Don't
> get me wrong, I like OpenBSD, I use it, and have donated to the
> project. But here we have a user that has security concerns, and
> rather than either admit there's a problem or point out why there's no
> security hole, the answer given is just that it's secure because it
> is. That wouldn't fill me with confidence if I was looking to deploy
> an OpenBSD system. I'm worried that some are getting complacent about
> OpenBSD's security here...
>
> Maybe it's a troll. Maybe not. Can we afford to be turning away
> potential users on the off chance?
>
> Tet
>
> -- 
> The greatest shortcoming of the human race is our inability to
> understand the exponential function -- Albert Bartlett



Re: Where is Secure by default ?

2009-03-09 Thread L. V. Lammert

At 04:50 PM 3/9/2009 +0100, Felipe Alfaro Solana wrote:

> On Mon, Mar 9, 2009 at 3:36 PM, irix i...@ukr.net wrote:
>
> > Hello Misc,
> >
> >   On www.openbsd.org it says "Only two remote holes in the default
> >   install, in more than 10 years!"; this is not true. I use OpenBSD
> >   as a customer, not as an administrator. And my OpenBSD was attacked
> >   by a simple MiTM attack on the ARP protocol. How then can we talk
> >   about "security by default"?
> >   For example, FreeBSD solved this very simply, with this patch:
> >   http://freecap.ru/if_ether.c.patch
> >   When this is introduced in OpenBSD, can you then say with confidence
> >   that the system is really "Secure by default"?
>
> ARP is insecure by default. If you care, move to IPv6 and use IPSec/SeND.


PMFJI, but isn't the issue simpler than that? If he has a MiTM attack via 
arp, doesn't that mean the attacker has access to the local subnet? That 
would be a physical security issue FIRST?? Lock the doors before you point 
fingers at the OS?


In any case, facts are more useful than FUD & BS.

Lee



Re: Where is Secure by default ?

2009-03-09 Thread bofh
On Mon, Mar 9, 2009 at 11:48 AM, - Tethys tet...@gmail.com wrote:
> And therein lies some of the problem with the OpenBSD community. Don't
> get me wrong, I like OpenBSD, I use it, and have donated to the

Depends on whether it is a valid concern.  I believe it was pointed
out in the other thread that the patch doesn't really help.  Think
about it - do you want an openssh that only half secures your session?
 OpenBSD is about complete security, but also, at the same time, about
the resources to do things.  If this is something that is a real
issue, a developer would have jumped on it.  Maybe they still would.
But coming in and flaming the developers for "you say you're so
secure, but this is proof that you're not" surely doesn't help.

> is. That wouldn't fill me with confidence if I was looking to deploy
> an OpenBSD system. I'm worried that some are getting complacent about
> OpenBSD's security here...
>
> Maybe it's a troll. Maybe not. Can we afford to be turning away
> potential users on the off chance?

OpenBSD exists solely for the developers...  [and yes, I'm a figment
of my imagination]



-- 
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
This officer's men seem to follow him merely out of idle curiosity.
-- Sandhurst officer cadet evaluation.
Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks
factory where smoking on the job is permitted.  -- Gene Spafford
learn french:  http://www.youtube.com/watch?v=j1G-3laJJP0&feature=related



Re: Where is Secure by default ?

2009-03-09 Thread Han Boetes
Paul Irofti wrote:
> Hello Mr. Troll, thanks for flaming by. Have a good day!

Never attribute to malice that which is adequately explained by
stupidity.



# Han



Re: Where is Secure by default ?

2009-03-09 Thread Stuart Henderson
On 2009-03-09, Felipe Alfaro Solana felipe.alf...@gmail.com wrote:
> On Mon, Mar 9, 2009 at 3:36 PM, irix i...@ukr.net wrote:
>
> > Hello Misc,
> >
> >   On www.openbsd.org it says "Only two remote holes in the default
> >   install, in more than 10 years!"; this is not true. I use OpenBSD
> >   as a customer, not as an administrator. And my OpenBSD was attacked
> >   by a simple MiTM attack on the ARP protocol. How then can we talk
> >   about "security by default"?
> >   For example, FreeBSD solved this very simply, with this patch:
> >   http://freecap.ru/if_ether.c.patch
> >   When this is introduced in OpenBSD, can you then say with confidence
> >   that the system is really "Secure by default"?
>
> ARP is insecure by default. If you care, move to IPv6 and use IPSec/SeND.

Ah yes, SeND. That would be the one registered as US20080307516 with
the US Patent and Trademark Office wouldn't it.



Re: Where is Secure by default ?

2009-03-09 Thread Juan Miscaro
2009/3/9 bofh goodb...@gmail.com:
> On Mon, Mar 9, 2009 at 11:48 AM, - Tethys tet...@gmail.com wrote:
> > Maybe it's a troll. Maybe not. Can we afford to be turning away
> > potential users on the off chance?
>
> OpenBSD exists solely for the developers

That's a silly thing to say.

--
jm



Re: Where is Secure by default ?

2009-03-09 Thread Jan Stary
On Mar 09 15:48:05, - Tethys wrote:
> Maybe it's a troll. Maybe not.

Take a wild guess.

> Can we afford to be turning away
> potential users on the off chance?

Assuming that "we" means the dev team, of which
neither you or me are members, then yes, we can.

> -- 
> The greatest shortcoming of the human race is our inability to
> understand the exponential function -- Albert Bartlett

Apparently not.



Re: Where is Secure by default ?

2009-03-09 Thread Ted Unangst
On Mon, Mar 9, 2009 at 11:48 AM, - Tethys tet...@gmail.com wrote:
> On Mon, Mar 9, 2009 at 2:56 PM, Marco Peereboom sl...@peereboom.us wrote:
> > because it is.
>
> And therein lies some of the problem with the OpenBSD community. Don't
> get me wrong, I like OpenBSD, I use it, and have donated to the
> project. But here we have a user that has security concerns, and
> rather than either admit there's a problem or point out why there's no
> security hole, the answer given is just that it's secure because it
> is. That wouldn't fill me with confidence if I was looking to deploy
> an OpenBSD system. I'm worried that some are getting complacent about
> OpenBSD's security here...

Then one should ask a question, wait for replies, and read them. Not
send a new email to the list every hour with ever escalating
trollosity, nor start new threads with provocative subjects.

If you want to borrow some eggs from your neighbor, you knock politely
and wait.  You don't keep pounding on the door and then piss in the
window.



Re: Where is Secure by default ?

2009-03-09 Thread Vadim Zhukov
On Monday 9 March 2009 21:29:47 Juan Miscaro wrote:
> 2009/3/9 bofh goodb...@gmail.com:
> > On Mon, Mar 9, 2009 at 11:48 AM, - Tethys tet...@gmail.com wrote:
> > > Maybe it's a troll. Maybe not. Can we afford to be turning away
> > > potential users on the off chance?
> >
> > OpenBSD exists solely for the developers
>
> That's a silly thing to say.

Then what do you do on this silly list made by silly people who also own
a silly website (and, as one Unix here says, silly OSes too) which says
such silly things too?

--
  Best wishes,
Vadim Silly Zhukov



Re: Where is Secure by default ?

2009-03-09 Thread new_guy
L. V. Lammert wrote:
> PMFJI, but isn't the issue simpler than that? If he has a MiTM attack via 
> arp, doesn't that mean the attacker has access to the local subnet?

Remote access to a machine on that subnet would do. It does not have to be
physical. Probably a compromised Windows box that got the ball rolling
(that's been my experience anyway). Once a machine on your net is infected,
the cracker may as well be physically in the building.