Slashdot Mirror

← Back to Stories (view on slashdot.org)

OpenBSD Now Nine Years Old

Posted by michael on from the make-a-wish dept.

NekkidBob writes "OpenBSD, my personal favorite *BSD, turns 9 years old today. And with only 1 remote hole in the default install, I'd say that is a pretty good acheivement. The first commit was at 16:36 MST on Saturday, October 14, 1995. Happy birthday OpenBSD!"

6 of 60 comments (clear)

  1. Re:one hole? by the+morgawr · · Score: 3, Informative
    Actually stuff is running in the default install, SSH being the primary example (That's where the 1 hole comes from); you can now have SSH turned off by default.

    The point of OpenBSD is SANE defaults (i.e. not running telent, ftp, and rsh by default). Turning on Apache (bundled by default) is really simple, and because they've gone through and clobbered most buffer overflows and built everything with ProPolice, what were on other systems are root holes turn into non-events or program crashes (which can in theory be used to do a DoS, but that's a huge improvement).

    --
    The policy of the United States is worse than bad---it is insane. -- Ludwig von Mises, Economic Policy(1959)
  2. Re:And with only 1 remote hole in the default inst by Anonymous Coward · · Score: 1, Informative

    holes not wholes.

    first off, the FTP daemon is in the default and hasnt had holes. apache is also heavily modified and audited, and has also not had any remote root exploits as configured by default, not to mention its chrooted

    second, most of the other security issues dont even matter because they are inapplicable due to propolice.

    third, if youre going to make a comment about security on openbsd, you better know what your are talking about. noob.

  3. I think you're thinking Debian GNU/NetBSD by Anonymous Coward · · Score: 2, Informative

    I think you're thinking Debian GNU/NetBSD:
    http://www.debian.org/ports/netbsd/

  4. Re:And with only 1 remote hole in the default inst by rosie_bhjp · · Score: 4, Informative

    But, what good is the default install?

    Drop a fresh OpenBSD installation into a hostile environment such as the internet.
    Drop a fresh WindowsXP installation into the same environment.

    You won't ask that question again.

    Don't you want it to be doing something?

    No I want it to do as little as possible. It is ready to serve when I say it is and no sooner. This lets you patch first and not everyone has the luxury of installing a box in a secure network.

    It's suffered the same Apache/SSL/FTP/PHP errors as everyone else.

    More or less, yes, the same problems. Thats why these services are off by default, to let you patch them first, and enable only what you need.

    I know if you search cert for openbsd you get lots of hits, so there are wholes in the applications.

    No one has ever suggested otherwise.

    --
    A radio maverick jumps to internet only. The Future of Rock n Roll
  5. Re:And with only 1 remote hole in the default inst by Santana · · Score: 3, Informative

    FTP is not on by default, so it doesn't count.

    Anyways, that kind of comments like the grandparent post come from time to time from people that can't see the importance of a secure by default OS installation.

    How much does it take to hack into any Windows box just installed and connected to Internet? Make the numbers. How about a Red Hat Linux?

    With the "Secure by default" and the "Only one remote exploit ..." slogans OpenBSD is not claiming it is the most secure OS, but that you can be reasonably sure that it won't be hacked just after you have finished downloading the patches.

    It has had so good results that some vendors, including Microsoft and Red Hat, have adopted it.

    Can we now push the dicussion level a bit higher?

    --
    The best way to predict the future is to invent it
  6. Re:one hole? by nocomment · · Score: 3, Informative

    That's a good thing. Someone else already mentioned where the 1 exploit comes from, so I won't go there. With all of the defaults enabled in other OS's, OpenBSD gives you a level place to start from. Everything installed by default is chrooted, that includes apache, BIND 9, FTP, etc... OpenBSD does install these by default jsut doesn't turn them on. When I first switched to Linux years ago, it took me months before I figured out that I didn't need saslauthd, postfix, apache, named, ws_ftp (later proftpd) and a few others that were installed and running by default. OpenBSD was a breath of fresh air. I still love to run 'ps ax' when I boot up OpenBSD after a fresh install.

    Here's a ps ax from my primary DNS server (which is very busy).

    # ps ax
    PID TT STAT TIME COMMAND
    1 ?? Is 0:01.11 /sbin/init
    5741 ?? Is 0:06.49 syslogd: [priv] (syslogd)
    3517 ?? I 1:13.56 syslogd -a /var/named/dev/log -a /var/empty/dev/log
    24875 ?? Is 0:00.03 named: [priv] (named)
    10792 ?? I 320:27.22 named
    25379 ?? Is 0:00.25 inetd
    12780 ?? Is 4:13.98 /usr/sbin/sshd
    23171 ?? Is 11:22.04 sendmail: accepting connections (sendmail)
    15125 ?? Is 0:06.28 ntpd: [priv] (ntpd)
    9037 ?? I 9:36.04 ntpd: ntp engine (ntpd)
    26494 ?? Is 5:11.57 /usr/bin/perl /usr/ports/sysutils/webmin/webmin-1.150
    10568 ?? Is 0:36.80 cron
    8249 ?? Is 0:00.33 sshd: root@ttyp0 (sshd)
    4537 a Is+ 0:00.05 /usr/libexec/getty suncons console
    32091 p0 Is 0:00.10 -sh (sh)
    20044 p0 R+ 0:00.02 ps -ax

    Here's a netstat -ss from that same machine

    # netstat -ss
    ip:
    11272118 total packets received
    12 with data size data length
    6741 fragments received
    6726 fragments dropped after timeout
    7 packets reassembled ok
    10332389 packets for this host
    318009 packets for unknown/unsupported

    ###
    Had to truncate because of some retarded junk filter.

    --
    /* oops I accidentally made a comment, sorry */
    /* http://allyourbasearebelongto.us */