As Bob alluded to, corp scanning is a Dot the I, Cross the T accounting
measure. If you want to make them happy, make them happy. It doesn't take
much to determine what the src ip is for a scan engine. I leave the rest to
you.
diana
On 14 March 2010 11:37, Steve Shockley wrote:
> On 3/13/2010 10:57 AM, Bob Beck wrote:
>>
>> you're going
>> to spend a lot of time jerking off instead of basing anything on
>> reality.
>
> So, you'd be a masturbating monkey?
>
>
Well, I am an OpenBSD developer after all... So doesn't that go with
On 3/13/2010 10:57 AM, Bob Beck wrote:
you're going
to spend a lot of time jerking off instead of basing anything on
reality.
So, you'd be a masturbating monkey?
On Fri, 12.03.2010 at 13:28:07 -0700, kj...@pintday.org
wrote:
> > Very good suggestion, indeed.
-20
I'm impartial, though, as I don't use the default configuration,
anyway. I think it's rather a non-issue.
> > Especially, if someone has a 'dangerous' file, a PHP Shell for instance,
> > (a per
> I understand what you say and I appreciate you taking the time to write.
> Hiding files or pretending others can't see them doesn't make us more
> secure.
>
> I guess the real issue is that sometimes people use check lists. Items
> such as this are on those lists. Technical people are asked to ma
> My apologies. The look on the Linux people's faces when they see all of
> these OpenBSD boxes with *0* vulnerabilities compared to the 200 to 300
> of their own drove me to it. I'll not do it again.
>
The problem is you are equating vulnerability scanners - which are a
product of script kiddies t
On Sat, 13 Mar 2010 17:12 +0200, "Lars Nooden"
wrote:
> Brad and Ozgur,
>
> If your file is in the server's document root, then it is published [1].
> For whatever reason, a lot of C-Levels act as if they are unclear on
> that. There is also often the false belief among them that security and
>
Brad and Ozgur,
If your file is in the server's document root, then it is published [1].
For whatever reason, a lot of C-Levels act as if they are unclear on
that. There is also often the false belief among them that security and
usability are mutually exclusive. I don't understand the rules in
On 2010/03/13 03:19, Ozgur Kazancci wrote:
> > Yes we are, while we are at it we can ship an http.conf file that will
> > only listen on port 8000 on localhost when the daemon comes up as
> > well, and that would be super obscure as well, and it would only read
> > index files ending in .HolyFuck, a
On Fri, 12 Mar 2010 19:21 -0700, "Theo de Raadt"
wrote:
> > On Fri, 12 Mar 2010 18:25 -0700, "Theo de Raadt"
> > wrote:
> > > That's a lot of words.
> > >
> > > The default configuration is not going to be changed in this way.
> >
> > To be honest, my patch is selfish. I get perfect vulnerabili
> On Fri, 12 Mar 2010 18:25 -0700, "Theo de Raadt"
> wrote:
> > That's a lot of words.
> >
> > The default configuration is not going to be changed in this way.
>
> To be honest, my patch is selfish. I get perfect vulnerability
> assessment scores on OpenBSD boxes when doing vulnerability scans
On Fri, 12 Mar 2010 18:25 -0700, "Theo de Raadt"
wrote:
> That's a lot of words.
>
> The default configuration is not going to be changed in this way.
To be honest, my patch is selfish. I get perfect vulnerability
assessment scores on OpenBSD boxes when doing vulnerability scans until
I enable A
> > Yes we are, while we are at it we can ship an http.conf file that will
> > only listen on port 8000 on localhost when the daemon comes up as
> > well, and that would be super obscure as well, and it would only read
> > index files ending in .HolyFuck, and we'd ship a mime types
> > where HolyFuc
> Yes we are, while we are at it we can ship an http.conf file that will
> only listen on port 8000 on localhost when the daemon comes up as
> well, and that would be super obscure as well, and it would only read
> index files ending in .HolyFuck, and we'd ship a mime types
> where HolyFuck was html
On Fri, 12 Mar 2010 16:44 -0700, "Bob Beck" wrote:
> What in god's name do you need sshv1 for anymore? What client are you
> using that still
> uses it? How old and vulnerable is it?
That was my hyperbole... remember? Apache 1.3.x anyone?
Brad
> Turn SSHv1 back on please why do you force me to twist that knob! That's
> some hyperbole of my own ;) Alright, I give up. Turning the option off
> manually works for me. I don't want or need it and I assumed other
> OpenBSD folks would feel the same.
Not being able to get directory indexes of m
> Apache comes up and works fine with Indexes off (for me at least).
>
Well, having indexes on is much nicer for having it do things like,
install OpenBSD from.
On Fri, 12 Mar 2010 16:17:51 -0700 Bob Beck wrote:
> Off is off. Don't make it where you have to turn 8 knobs to turn
> something on, because you wanted it "more off".
Alternatively, you could make the user turn 8 knobs to turn
something "moron" ;)
(sorry, couldn't resist)
On Fri, 12 Mar 2010 16:17 -0700, "Bob Beck" wrote:
> >>
> >> It *IS* off by default. I have yet to see an OpenBSD machine that I
> >> can install that
> >> will come up with httpd turned on.
> >
> > We are not talking about the same thing. I understand that httpd is off
> > by default. The *optio
>> It *IS* off by default. I have yet to see an OpenBSD machine that I
>> can install that
>> will come up with httpd turned on.
>
> We are not talking about the same thing. I understand that httpd is off
> by default. The *option* is on by default in the config file.
>
Yes we are, while we are a
> On Fri, 12 Mar 2010 16:05 -0700, "Bob Beck" wrote:
> > On 12 March 2010 12:53, Brad Tilley wrote:
> > > On Fri, 12 Mar 2010 10:10 -0800, "patrick keshishian"
> > > wrote:
> > >> does disabling this option /really/ improve security?
> > >
> > > No, not unless you consider keeping files that are
On Fri, 12 Mar 2010 16:05 -0700, "Bob Beck" wrote:
> On 12 March 2010 12:53, Brad Tilley wrote:
> > On Fri, 12 Mar 2010 10:10 -0800, "patrick keshishian"
> > wrote:
> >> does disabling this option /really/ improve security?
> >
> > No, not unless you consider keeping files that are
> > inappropr
On 12 March 2010 12:53, Brad Tilley wrote:
> On Fri, 12 Mar 2010 10:10 -0800, "patrick keshishian"
> wrote:
>> does disabling this option /really/ improve security?
>
> No, not unless you consider keeping files that are
> inappropriately/accidentally copied to these directories a security
> issue
On Fri, Mar 12, 2010 at 3:28 PM, wrote:
>> Very good suggestion, indeed.
>>
>> Especially, if someone has a 'dangerous' file, a PHP Shell for instance,
>> (a perfect example:
>> http://mgeisler.net/downloads/phpshell/phpshell-1.7.tar.gz)
>> inside such a directory. (Or even maybe a simple file u
> Also, think "emacs-turdfile". Have any config.php~ lying around?
>
> or index.php~?
>
> Are you SURE?
>
Sorry for the lack of explanation. I was meaning a server where
thousands of vhosts/users exist.
Yes, you can disable the indexing.
Yes, you can activate the PHP's safe_mode, but...
> Very good suggestion, indeed.
>
> Especially, if someone has a 'dangerous' file, a PHP Shell for instance,
> (a perfect example:
> http://mgeisler.net/downloads/phpshell/phpshell-1.7.tar.gz)
> inside such a directory. (Or even maybe a simple file uploader, that will
> help the attacker to uplo
> > It seems in line with OpenBSD's off by default posture, that is
> > the only reason I suggested it.
>
> Very good suggestion, indeed.
>
> Especially, if someone has a 'dangerous' file, a PHP Shell for instance,
Anything PHP is dangerous. But there is a perfect cure for these files,
known as t
> It seems in line with OpenBSD's off by default posture, that is
> the only reason I suggested it.
Very good suggestion, indeed.
Especially, if someone has a 'dangerous' file, a PHP Shell for instance,
(a perfect example: http://mgeisler.net/downloads/phpshell/phpshell-1.7.tar.gz)
inside such a d
On Fri, 12 Mar 2010 10:10 -0800, "patrick keshishian"
wrote:
> does disabling this option /really/ improve security?
No, not unless you consider keeping files that are
inappropriately/accidentally copied to these directories a security
issue. It seems in line with OpenBSD's off by default posture,
Nope.
On 12 March 2010 11:10, patrick keshishian wrote:
> does disabling this option /really/ improve security?
>
>
> On Fri, Mar 12, 2010 at 9:41 AM, Brad Tilley wrote:
>> When run against default OpenBSD servers that have Apache enabled,
>> vulnerability assessment software (Nessus, Rapid7, et
does disabling this option /really/ improve security?
On Fri, Mar 12, 2010 at 9:41 AM, Brad Tilley wrote:
> When run against default OpenBSD servers that have Apache enabled,
> vulnerability assessment software (Nessus, Rapid7, etc.) complain about
> "browsable web directories". The concern is