Slashdot Mirror


OpenBSD Now Nine Years Old

NekkidBob writes "OpenBSD, my personal favorite *BSD, turns 9 years old today. And with only 1 remote hole in the default install, I'd say that is a pretty good achievement. The first commit was at 16:36 MST on Saturday, October 14, 1995. Happy birthday OpenBSD!"

60 comments

  1. What can i say.... by A+beautiful+mind · · Score: 1

    Happy birthday ;))) /...and here comes an OpenBSD song.../

    --
    It takes a man to suffer ignorance and smile
    Be yourself no matter what they say
    1. Re:What can i say.... by nocomment · · Score: 2, Interesting

      the song has been out. Download it here

      --
      /* oops I accidentally made a comment, sorry */
      /* http://allyourbasearebelongto.us */
  2. Hmm by Anonymous Coward · · Score: 1

    I heard OpenBSD was merging with Debian... Is this the truth, or is it bunk?

    1. Re:Hmm by SirCyn · · Score: 1

      OpenBSD is a BSD Unix. Debian is a Linux Unix. No. They are not merging. The amount of work to get code from one to work on the other would be prohibitive.

    2. Re:Hmm by twilight30 · · Score: 2, Insightful

      The BSD distributions were thought of as good kernel bases for the Debian userspace applications during 1999-2002. So Debian maintainers would rip out the Linux kernel infrastructure and replace it with a BSD variant.

      A similar attempt has been ongoing with the HURD kernel for at least the last decade.

      Packaging attempts were made with FreeBSD and OpenBSD.

      I don't know the status of the Debian/FreeBSD port but the Debian/OpenBSD port was abandoned when Andreas Schuldei, the maintainer of the port, realised that the kernel had shitloads of race conditions and offered no real advantages on its own over properly configured Linux kernels (such as those from Debian itself).

      He also believed that the Debian/Linux userspace was not any better or worse in any real sense over the OpenBSD userspace (the ports and packages systems on OpenBSD are not audited, for the most part).

      --
      ========================================
      Death will come, and will have your eyes
      -- Pavese
    3. Re:Hmm by Homology · · Score: 2
      He also believed that the Debian/Linux userspace was not any better or worse in any real sense over the OpenBSD userspace (the ports and packages systems on OpenBSD are not audited, for the most part).

      "He" does not understand that in context of licenses, they are very far apart. OpenBSD has replaced several GPL licensed utilities with a free alternative. They still use a lot of GPL (LGPL) like the tool chain from the gcc project, but the spirit is there. Just witness the fork of Apache 1.3 and XFree86, as well as making their own packet filter. Their OpenNTP works just fine as well :-)

    4. Re:Hmm by Santana · · Score: 1

      And yet he doesn't answer when asked about his finds: http://lists.debian.org/debian-bsd/2002/10/msg00063.html

      --
      The best way to predict the future is to invent it
    5. Re:Hmm by gorre · · Score: 1
      OpenBSD is a BSD Unix. Debian is a Linux Unix.
      Debian is not just a "Linux Unix", it also runs on the FreeBSD kernel, the NetBSD kernel and let's not forget the HURD.
      --
      "Madness is something rare in individuals - but in groups, parties, peoples, ages it is the rule." -- Nietzsche
    6. Re:Hmm by r2q2 · · Score: 1

      Debian is a distribution that is kernel independent. The things that make debian debian are the package management and the locations of the configuration files etc...

      --
      My UID is prime is yours?
    7. Re:Hmm by drinkypoo · · Score: 1

      I installed OpenNTP on gentoo only to find that there are no programs to monitor the state of the ntp daemon. It might be working, but you have to accept on faith that it is doing so.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  3. today is the fifteenth by humuhumunukunukuapu' · · Score: 1

    where i live

    --
    i saw the baby, and the baby looked at me
    1. Re:today is the fifteenth by nocomment · · Score: 1

      That was probably submitted last night or something. Deadly.org.

      --
      /* oops I accidentally made a comment, sorry */
      /* http://allyourbasearebelongto.us */
  4. The love of BSD by Anonymous Coward · · Score: 2, Interesting

    I've always been a firm believer in running BSD systems. I still stand by my beliefs. BSD operating systems have always been fun from the software packaging systems to the firewalls. PF has made its way to all the widely free BSD systems. I thank OpenBSD and all the developers for doing such a great job at design. I'll always love reading what others have to say on the mailing lists.

    Let the Birthday party begin!

    David Ross
    dross logged on
    freenode.net - Join the #openbsd channel

  5. And with only 1 remote hole in the default install by BrookHarty · · Score: 0, Troll

    Ok, I hear this over and over "With only 1 remote hole in the default install..."

    But, what good is the default install? Don't you want it to be doing something? It's suffered the same Apache/SSL/FTP/PHP errors as everyone else. I know if you search cert for openbsd you get lots of hits, so there are wholes in the applications.

    Nothing as secure as a box unplugged in a closet!

  6. Re:And with only 1 remote hole in the default inst by nocomment · · Score: 2, Insightful

    Have you ever installed and used it? Try it, you might like it.

    --
    /* oops I accidentally made a comment, sorry */
    /* http://allyourbasearebelongto.us */
  7. Re:one hole? by the+morgawr · · Score: 3, Informative
    Actually stuff is running in the default install, SSH being the primary example (That's where the 1 hole comes from); you can now have SSH turned off by default.

    The point of OpenBSD is SANE defaults (i.e. not running telnet, ftp, and rsh by default). Turning on Apache (bundled by default) is really simple, and because they've gone through and clobbered most buffer overflows and built everything with ProPolice, what were on other systems are root holes turn into non-events or program crashes (which can in theory be used to do a DoS, but that's a huge improvement).

    --
    The policy of the United States is worse than bad---it is insane. -- Ludwig von Mises, Economic Policy(1959)
  8. Re:And with only 1 remote hole in the default inst by BrookHarty · · Score: 2, Interesting

    Have you ever installed and used it? Try it, you might like it.

    I have, and do. But I favor freebsd for my servers, and linux for personal use. But for my work I use Solaris (with clustering).

    I just find the comment amusing, soon as you add in server applications, you decrease the security.

  9. Re:And with only 1 remote hole in the default inst by Anonymous Coward · · Score: 1, Informative

    holes not wholes.

    first off, the FTP daemon is in the default and hasn't had holes. apache is also heavily modified and audited, and has also not had any remote root exploits as configured by default, not to mention it's chrooted

    second, most of the other security issues don't even matter because they are inapplicable due to propolice.

    third, if you're going to make a comment about security on openbsd, you better know what you are talking about. noob.

  10. Re:one hole? by Fulkkari · · Score: 1

    The last time I installed OpenBSD it did have the OpenSSH daemon enabled by default and maybe some inetd services if I remember correctly. IMHO that is too much. Every service that is on by default is too much. Therefore I consider NetBSD the cleanest as it does not have a single server enabled by default.

    Having services enabled by default is nothing to brag about.

    That is my humble opinion.

    --
    I demand the Cone of Silence!
  11. I think you're thinking Debian GNU/NetBSD by Anonymous Coward · · Score: 2, Informative

    I think you're thinking Debian GNU/NetBSD:
    http://www.debian.org/ports/netbsd/

  12. Re:And with only 1 remote hole in the default inst by archen · · Score: 1

    OpenBSD still has other security features which help in securing the machine which the other BSDs do not. I do however agree that the "default" install doesn't mean a whole lot, but consider how hard it is to secure windows 2000 with a default install when connecting directly to the internet - your machine is already 0wned before you had the chance to update it.

  13. Does it count NetBSD history? by Anonymous Coward · · Score: 0

    I guess not, but shouldn't OpenBSD include the years before the fork as a whole?

    1. Re:Does it count NetBSD history? by tedu · · Score: 1

      and the years before when it was 386BSD? and 4.2 before that? and BSD 2.1 before that? hey alright, openbsd, "now 29 years old". what's that accomplish? openbsd is 9 years old.

  14. Re:It's false, by Anonymous Coward · · Score: 0

    Who misinformed you? "It's dead Jim."

  15. Re:And with only 1 remote hole in the default inst by Homology · · Score: 1
    but consider how hard it is to secure windows 2000 with a default install when connecting directly to the internet

    Is this possible without invoking black magic? Windows 2000 might very well have some advanced features to harden it, but they are so inaccessible/hard to understand as to be useless.

  16. Re:And with only 1 remote hole in the default inst by pizza_milkshake · · Score: 3, Insightful
    the good comes from knowing that when you install OpenBSD you're starting on a level playing field. likely, any security holes your system will have will be as a direct result of a failure of due diligence either by you and/or the developers of the software

    this doesn't mean your final system won't have holes, but it means you're not already starting "in the hole"; it doesn't sound like much, and yet how many other systems out there can make this claim? OpenBSD isn't the end-all, be-all, it's just a good tool for your toolbox

  17. Re:And with only 1 remote hole in the default inst by rosie_bhjp · · Score: 4, Informative

    But, what good is the default install?

    Drop a fresh OpenBSD installation into a hostile environment such as the internet.
    Drop a fresh WindowsXP installation into the same environment.

    You won't ask that question again.

    Don't you want it to be doing something?

    No I want it to do as little as possible. It is ready to serve when I say it is and no sooner. This lets you patch first and not everyone has the luxury of installing a box in a secure network.

    It's suffered the same Apache/SSL/FTP/PHP errors as everyone else.

    More or less, yes, the same problems. That's why these services are off by default, to let you patch them first, and enable only what you need.

    I know if you search cert for openbsd you get lots of hits, so there are wholes in the applications.

    No one has ever suggested otherwise.

    --
    A radio maverick jumps to internet only. The Future of Rock n Roll
  18. Re:And with only 1 remote hole in the default inst by Santana · · Score: 3, Informative

    FTP is not on by default, so it doesn't count.

    Anyways, that kind of comments like the grandparent post come from time to time from people that can't see the importance of a secure by default OS installation.

    How much does it take to hack into any Windows box just installed and connected to Internet? Make the numbers. How about a Red Hat Linux?

    With the "Secure by default" and the "Only one remote exploit ..." slogans OpenBSD is not claiming it is the most secure OS, but that you can be reasonably sure that it won't be hacked just after you have finished downloading the patches.

    It has had so good results that some vendors, including Microsoft and Red Hat, have adopted it.

    Can we now push the discussion level a bit higher?

    --
    The best way to predict the future is to invent it
  19. Just a three-word post to say... by ulib · · Score: 0, Flamebait

    Happy Birthday OpenBSD!

  20. Re:one hole? by Santana · · Score: 1

    The installation script now asks you if you want it enabled

    --
    The best way to predict the future is to invent it
  21. Re:And with only 1 remote hole in the default inst by BrookHarty · · Score: 1

    Anyways, that kind of comments like the grandparent post come from time to time from people that can't see the importance of a secure by default OS installation.

    What? I never said no such thing. I said the comment was funny thats all. So stop throwing windows into the mix. My comment was, and is, a basic install unix type OS box are almost always secure, and yes even redhat. But a basic box by itself is of no use, its the applications which by default have the applications, thus the exploits.

    The "Windows" basic install replies are a joke, we are talking Unix here. So maybe "Secure by default" is an amusing thought.

    A uber secure box sitting there doing nothing, is still, doing nothing.

  22. It's a Libra by systems · · Score: 0

    So we know that OpenBSD is a Libra, what about the other OSes? Anyway, I think it's a shame that the OpenBSD doesn't release official ISO. I have no idea how hard it is to make one, but I think it might encourage more people to try OpenBSD. OpenBSD does seem to have a cool collection of Hackers/Developers (hackers slash developers) and a special community. And opensource software is all about community.

  23. RTFF by Clover_Kicker · · Score: 1
    clicky

    Also, if you can't figure out an ftp install, you might be barking up the wrong tree.

    1. Re:RTFF by Anonymous Coward · · Score: 0

      Right on! An FTP install of OpenBSD is a thing of beauty. From a single floppy to a secure, efficient, desktop/server in an hour with minimal effort - incredible.

  24. But GNU is. by Anonymous Coward · · Score: 1, Funny

    GNU is dead - everybody knows it.

  25. Ahh yes, the joys of youth... by devphaeton · · Score: 1

    I sure wish -I- was 9 years old. :-/

    Some of the early 1980s were some fun times.

    Though i can't decide whether computers were cool then, or if they sucked.

    --


    do() || do_not(); // try();
    1. Re:Ahh yes, the joys of youth... by Anonymous Coward · · Score: 0

      I started programming when I was 9.

      About 1981/82. Computers were cool. The TI-99/4A and Trash-80 kicked ass. Of course there was also the Apple ][ and the Atari 800 which were fun.

      As of about 1982 you could get the TI for like $50 at K-mart and other places. That's what really got me going. It was finally cheap enough for my parents to me my own computer (previously I could only play and drool at the stores). I was about 7 or 8 when I started wanting to program. My love of these funny electronic devices started when I was 5 or 6 years old when I played Pong machine.

      You could say I started early I guess. :)

  26. Re:And with only 1 remote hole in the default inst by Santana · · Score: 1

    What? I never said no such thing.

    I guess you mean "I never said such thing". From your first post:

    But, what good is the default install? Don't you want it to be doing something? It's suffered the same Apache/SSL/FTP/PHP errors as everyone else. I know if you search cert for openbsd you get lots of hits, so there are wholes in the applications.

    Then you can't see the importance of the security in the default install in OpenBSD.

    I said the comment was funny thats all.

    I fail to see where do you state the comment is funny. I don't see anything funny at all.

    So stop throwing windows into the mix. My comment was, and is, a basic install unix type OS box are almost always secure, and yes even redhat. But a basic box by itself is of no use, its the applications which by default have the applications, thus the exploits.

    I'm talking about default setups, the same you seem to not understand its importance, again.

    The "Windows" basic install replies are a joke, we are talking Unix here. So maybe "Secure by default" is an amusing thought.

    See above.

    A uber secure box sitting there doing nothing, is still, doing nothing.

    You're not reading. OpenBSD's default install is a reasonable setup from which you can start patching and configuring. It is not supposed to be ready to serve. Do you get it now?

    --
    The best way to predict the future is to invent it
  27. Nice OS, but too slow and not scalable by Anonymous Coward · · Score: 0

    OpenBSD is a nice OS.
    Makes a good firewall, but that is all to me.
    OpenBSD always comes very last when speed and performance is an issue and not scalable.

    CARP, PF and Openssh are nice, thank you but as an OS, still trails NetBSD, and especially FreeBSD.

    Keep the good applications going, so I can run them on FreeBSD and Gentoo.

  28. Re:And with only 1 remote hole in the default inst by evilviper · · Score: 3, Insightful
    It's suffered the same Apache/SSL/FTP/PHP errors as everyone else.

    Fortunately, that's where you are wrong.

    It's quite common to search through bugtraq or another security list, and find it in the list as the only OS "unaffected". Now, that's not always the case, but it's surprisingly common.

    OpenBSD is more secure than other OSes, not just out of the box, but with major services enabled too... When you install Apache on Linux/FreeBSD, you just get the plain vanilla version. With OpenBSD, you get a version that has been audited by the team, and lots of changes have been made.

    Plus, about a year ago, Propolice, W^X, and other protection measures have been included by OpenBSD, which does negate most bugs, and does protect your OTHER services against software bugs.

    BTW, most of my machines have only SSHD enabled (which is one of a few services enabled by default), so the default install can be very useful for a great many things. SSH handles log-in, file transfer, plus port forwarding. So any other services can run on 127.0.0.1, and only be accessed remotely (via SSH) if you have an account.

    Nothing as secure as a box unplugged in a closet!

    Of course, but barring that, OpenBSD is a very good choice.
    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  29. Re:one hole? by nocomment · · Score: 3, Informative

    That's a good thing. Someone else already mentioned where the 1 exploit comes from, so I won't go there. With all of the defaults enabled in other OS's, OpenBSD gives you a level place to start from. Everything installed by default is chrooted, that includes apache, BIND 9, FTP, etc... OpenBSD does install these by default just doesn't turn them on. When I first switched to Linux years ago, it took me months before I figured out that I didn't need saslauthd, postfix, apache, named, ws_ftp (later proftpd) and a few others that were installed and running by default. OpenBSD was a breath of fresh air. I still love to run 'ps ax' when I boot up OpenBSD after a fresh install.

    Here's a ps ax from my primary DNS server (which is very busy).

    # ps ax
    PID TT STAT TIME COMMAND
    1 ?? Is 0:01.11 /sbin/init
    5741 ?? Is 0:06.49 syslogd: [priv] (syslogd)
    3517 ?? I 1:13.56 syslogd -a /var/named/dev/log -a /var/empty/dev/log
    24875 ?? Is 0:00.03 named: [priv] (named)
    10792 ?? I 320:27.22 named
    25379 ?? Is 0:00.25 inetd
    12780 ?? Is 4:13.98 /usr/sbin/sshd
    23171 ?? Is 11:22.04 sendmail: accepting connections (sendmail)
    15125 ?? Is 0:06.28 ntpd: [priv] (ntpd)
    9037 ?? I 9:36.04 ntpd: ntp engine (ntpd)
    26494 ?? Is 5:11.57 /usr/bin/perl /usr/ports/sysutils/webmin/webmin-1.150
    10568 ?? Is 0:36.80 cron
    8249 ?? Is 0:00.33 sshd: root@ttyp0 (sshd)
    4537 a Is+ 0:00.05 /usr/libexec/getty suncons console
    32091 p0 Is 0:00.10 -sh (sh)
    20044 p0 R+ 0:00.02 ps -ax

    Here's a netstat -ss from that same machine

    # netstat -ss
    ip:
    11272118 total packets received
    12 with data size data length
    6741 fragments received
    6726 fragments dropped after timeout
    7 packets reassembled ok
    10332389 packets for this host
    318009 packets for unknown/unsupported

    ###
    Had to truncate because of some retarded junk filter.

    --
    /* oops I accidentally made a comment, sorry */
    /* http://allyourbasearebelongto.us */
  30. Re:one hole? by nocomment · · Score: 1

    here's a partial top:

    16 processes: 2 running, 14 idle
    CPU states: 0.0% user, 0.0% nice, 1.8% system, 0.0% interrupt, 98.2% idle
    Memory: Real: 30M/55M act/tot Free: 189M Swap: 0K/250M used/tot

    --
    /* oops I accidentally made a comment, sorry */
    /* http://allyourbasearebelongto.us */
  31. Re:And with only 1 remote hole in the default inst by tedu · · Score: 2, Insightful

    My comment was, and is, a basic install unix type OS box are almost always secure, and yes even redhat.

    apparently you've never typed "redhat worm" into google.

  32. Re:And with only 1 remote hole in the default inst by Shanep · · Score: 4, Insightful

    soon as you add in server applications, you decrease the security.

    No shit?!

    The point with OpenBSD, is that it has so many active security mechanisms, that a [insert network daemon] exploit might allow a remote root on your FreeBSD, Solaris and Linux machines, but only result in a DoS of that particular service on OpenBSD.

    Already we are not only seeing open source OS' take leafs out of OpenBSD's book, but also Microsoft and Sun.

    The multitude of active and passive security measures in OpenBSD is very impressive.

    Plus the point is, that an OS should be locked down from the initial install and then built on from there as the admin requires, not as the OS maintainers think you will require.

    Presumptuous people who build operating systems, do not make secure operating systems.

    --
    War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
  33. Re:one hole? by Shanep · · Score: 3, Insightful

    Given how little (that is, nothing) is turned on in the default install, one remote root hole is pretty damned bad. Remember that that's a remote root hole with *no* services running... Now, if they had only one remote root hole including sshd, a webserver, a mailserver and so on, that'd be something to brag about.

    You speak with such authority, for someone who obviously knows nothing about the subject.

    OpenSSH has been ON by default at some stage after or including OpenBSD 2.6 and only recently has the option to disable it within the install script, become an option for users. That's about 5.5 years out of that 8.

    The foundation of your rant is completely non-existent.

    Nowadays, even if you do enable popular daemons, your typical worst case is likely to be a DoS instead of a remote root, thanks to OpenBSD.

    I take, "Only one remote hole in the default install, in more than 8 years!", as a fact that is representative of the mindset of the developers behind the project, not as an absolute gauge of overall project security. Anyone who does or thinks that is what it is supposed to represent, is stupid.

    Take that statement for what it is. Reading more into it is your problem.

    --
    War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
  34. root login! by RogL · · Score: 1
    8249 ?? Is 0:00.33 sshd: root@ttyp0 (sshd)

    Aargghh!!! You logged in as root! :)

    I've finally broken myself of that, even on single-purpose non-Internet-exposed machines. Bad habit I picked up from Windows... Broke down and started disabling ssh root login, now I have to su/sudo.
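
A baseline check in the spirit of the `ps ax` listing and the root-login remark in the comments above, added here as an example and not posted by any commenter: it parses `ps ax` output, reports programs outside an expected-daemon allowlist, and flags SSH sessions logged in directly as root. The allowlist, the function names and the sample listing (including the `admin-panel.pl` path) are assumptions constructed for illustration.

```python
import re

# Hypothetical baseline for a small DNS server; adjust per host.
EXPECTED = {"init", "syslogd", "named", "inetd", "sshd", "sendmail",
            "ntpd", "cron", "getty", "sh", "ps"}

# Constructed sample in `ps ax` layout (PID TT STAT TIME COMMAND).
SAMPLE = """\
  PID TT   STAT      TIME COMMAND
    1 ??   Is     0:01.11 /sbin/init
 5741 ??   Is     0:06.49 syslogd: [priv] (syslogd)
 3517 ??   I      1:13.56 syslogd -a /var/named/dev/log -a /var/empty/dev/log
10792 ??   I    320:27.22 named
12780 ??   Is     4:13.98 /usr/sbin/sshd
 9037 ??   I      9:36.04 ntpd: ntp engine (ntpd)
26494 ??   Is     5:11.57 /usr/bin/perl /usr/local/libexec/admin-panel.pl
 8249 ??   Is     0:00.33 sshd: root@ttyp0 (sshd)
 4537 a    Is+    0:00.05 /usr/libexec/getty suncons console
32091 p0   Is     0:00.10 -sh (sh)
20044 p0   R+     0:00.02 ps -ax
"""

# One process row: PID, terminal, state flags, CPU time, command text.
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+([\d:.]+)\s+(.+)$")
# Daemons that rewrite their process title usually end it with "(name)".
TITLE_SUFFIX = re.compile(r"\(([^()]+)\)\s*$")
# Title sshd gives a per-session process, e.g. "sshd: root@ttyp0".
ROOT_SSH = re.compile(r"^sshd: root@")


def program_name(command):
    """Return the program behind a COMMAND column entry."""
    suffix = TITLE_SUFFIX.search(command)
    if suffix:
        return suffix.group(1)
    first = command.split()[0]
    # Drop the directory, the leading '-' of a login shell, a trailing ':'.
    return first.rsplit("/", 1)[-1].lstrip("-").rstrip(":")


def audit(ps_text, expected=EXPECTED):
    """Compare a `ps ax` listing against the expected-program baseline."""
    unexpected, root_ssh = [], []
    for line in ps_text.splitlines():
        row = ROW.match(line)
        if not row:  # header or blank line
            continue
        pid, command = int(row.group(1)), row.group(5)
        name = program_name(command)
        if name not in expected:
            unexpected.append((pid, name))
        if ROOT_SSH.match(command):
            root_ssh.append(pid)
    return {"unexpected": unexpected, "root_ssh": root_ssh}


if __name__ == "__main__":
    report = audit(SAMPLE)
    for pid, name in report["unexpected"]:
        print(f"not in baseline: pid {pid} ({name})")
    for pid in report["root_ssh"]:
        print(f"direct root SSH session: pid {pid}")
```

An interpreter such as `perl` shows up under its own name, so a script run this way is reported unless the interpreter itself is in the baseline.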


  35. My Birthday wish by Anonymous Coward · · Score: 0

    Is a livecd from OpenBSD that I could boot into a working RAM based system on whatever PC I happen to be at. Linux and FreeBSD, etc, have it, and yes, I could create my own if I were to ReadTheSource. But I don't have time, and I would want it right. I'd buy one if it were available, one that would give me access to a working system with a browser, ssh, tcpdump, wireless, and the many other utilities, I have come to love.

    Oh yes, in case you didn't already assume, I ordered my 3.6 cds (yes, multiple ones) to go with my stack of previous releases.

  36. All Hail Theo and Crew by ToasterTester · · Score: 1

    Many thanks and best of birthday wishes to Theo and crew. They have given us a great OS and development model.

    The world can sleep better tonight knowing Puff the Barbarian is on guard.

  37. Re:And with only 1 remote hole in the default inst by Krunch · · Score: 1
    The multitude of active and passive security measures in OpenBSD is very impressive.
    And for those who want to know more about this, I suggest reading this presentation.
    --
    No GNU has been Hurd during the making of this comment.
  38. Re:And with only 1 remote hole in the default inst by Anonymous Coward · · Score: 0

    (Score:1, Troll)

    More Moderator abuse.

  39. Re:And with only 1 remote hole in the default inst by Dick+Faze · · Score: 2, Insightful
    But a basic box by itself is of no use,

    It depends what you're doing, doesn't it?

    its the applications which by default have the applications, thus the exploits.

    Not sure what you mean by "the applications which by default have the applications", but if you meant "the applications which by default have the holes" (or "wholes" as you call them), no they don't. Stop spewing nonsense and spend 5 minutes at openbsd.org and read about the auditing work that goes into many of the specific versions of the applications included in the OS - Apache on OBSD is NOT the same as Apache on RedHat by default, etc.

    A uber secure box sitting there doing nothing, is still, doing nothing.

    Okay, you've no idea what's included in the "default install" of OpenBSD, we believe you already, no more evidence required.

  40. Re:And with only 1 remote hole in the default inst by leereyno · · Score: 1

    Why do you assume that his critique is an expression of personal dislike for the OS?

    There are people in the world who are objective and who form conclusions based upon evidence and experience. I know that when you hang out on slashdot too long it is easy to become convinced that everyone is biased, prejudiced, and an inflexible partisan on one side or the other of one of the various ideological/technological disputes.

    The next time you read a critique, don't assume that the person making it has some kind of a personal grudge against the product or its users, or that he or she is unknowledgeable about it.

    The fact that the original post has been modded down as -1: Troll speaks volumes about the capacity of the OpenBSD community to accept valid criticism.

    Not everyone is out to get you, ok?

    Lee

    --
    Muslim community leaders warn of backlash from tomorrow morning's terrorist attack.
  41. "Happy Birthday OpenBSD" modded down "flamebait" by ulib · · Score: 1
    Somebody modded flamebait my three-word ("Happy Birthday OpenBSD!") post.

    I'm trying to understand the mechanics of this fellow's brain. I'll provide here all the possible explanations I can think of - since mine was indeed a three-word post, their number is actually quite small.

    1) It's "Happy".
    Maybe my wishing a "happy" birthday instead of a "fairly good birthday", or "decent birthday", sounded like an abuse to everybody in the world who was not particularly happy ("Hey! How dare you talk about happiness when I've just had a goddamn f**kin' day? You're flaming, aren't you!").

    2) It's "Birthday".
    Maybe the fact that I wished happy birthday to an OS sounds offensive towards real people ("Hey! It's *my* birthday too. How come a f**kin' OS gets more attention than me? That's what I call flaming!").

    3) It's "OpenBSD".
    Maybe it sounded discriminatory against the other OS's ("Hey! I didn't hear you wish happy birthday to Mandrake! Wanna start a flame?"). More likely, it might have sounded discriminatory against Linux in general, since I'm sure there are at least a dozen distros whose birthday falls on the same day.

    Here they are, but I can't really pick. And that's a pity, because I'm really curious about what triggers certain brains.
    Oh well...

  42. ...so... by soulsyphon · · Score: 1

    Have they stopped backdooring their SSH and reclassifying bugs/exploits so they can keep the record of having the fewest remote holes going? http://www.wideopenbsd.net/ Also GOBBLES speech from defcon a few years ago mentions Theo IRC'ing from cvs.openbsd.org. That's a pretty shitty security practice methinks. ss

  43. Re:And with only 1 remote hole in the default inst by Anonymous Coward · · Score: 0

    I think all of you are talking bout things you "just heard" and I guess none of you all do audit yourself. So it sounds nice but makes not much sense at all. And this guy is right. Default install makes no sense at all. Sure it's better to turn things off by default, but it's foolish to take it as the reason to use an os. Turning off services is one minute; rm /etc/rc.conf :P

  44. Re:And with only 1 remote hole in the default ... by KingPunk · · Score: 1

    well, considering if you use the default install for many other operating systems, you won't be finding a remote hole either.
    generally speaking, operating systems are relatively secure out of the box,
    it's the shit you add to it, apache, php, sql, perl, ftp, etc...
    that end up really being your headache.

    in fact, i believe a study was done, (i don't remember where now though)
    about ~90% of all unix and unix-like boxes "rooted", are done so under the ftp service/daemon.

    it kinda makes people want to think twice before sharing any files via ftp, ;)

    -kind regards, kingpunk

  45. but it thought... by gandalphthegreen · · Score: 1

    BSD is dead /obligatory