“If you’re a software enthusiast who has never used OpenBSD before, you might enjoy installing it by yourself and figuring it out as you go. If, however, you’re looking for a more practical approach to using OpenBSD 4.1 on a desktop or server machine, here’s a quick guide to get you started in this spectacular operating system.”
A small correction: This is not a review, but an overview, aimed at helping people get up and running with it.
As to the article itself: I’m no fan of the *nix model, and there’s more than a little grandstanding in the article (‘Spectacular’? I know a few things that ‘spectacular’ could apply to, and none of them is an OS), but now I can see more clearly why I have so many friends who swear by OpenBSD/FreeBSD. (I assume that this article would be equally helpful for users of FreeBSD, although that’s an assumption on my part.)
OpenBSD is “spectacular,” ever use it? Also, if you admit to not being a fan of UNIX type systems, what’s the point of your comment?
A critique of the flaws of the *nix model is something that would take a full article, not a forum post, to properly line out. But I can still compliment an article that gets me interested despite my opinions. ^^;
At the moment there is nothing that comes close to being better than modern UNIX / UNIX like systems.
MS Windows is so inferior that it isn’t worth a mention really.
Plan 9 from Bell labs perhaps…
“MS Windows is so inferior that it isn’t worth a mention really.”
To be fair he never said the Windows model is better, only that there are flaws in the *nix model. This happens to be true; all security models have “flaws”. That’s why there’s more than one of them. The question is which model is the right one for a given situation.
“MS Windows is so inferior that it isn’t worth a mention really.”
Opinion, not fact.
When I got my copy of 4.0, this site was invaluable for getting the system up and running:
http://www.openbsd101.com/
I’ve found OpenBSD complicated only to the point of making you realize what you’re doing instead of just taking the install defaults.
The review is here:
http://www.softwareinreview.com/cms/content/view/79/
The link in the story text is the Using OpenBSD article.
I think one of the things to make sure to take into account is the concept that once I install OpenBSD and start making changes to the OS to make it ‘usable’, I am losing the various security aspects that are enabled by default. It is necessary to make the system less secure to make it usable.
That being said, OpenBSD is great, and has its uses. Just don’t think that once you install the core OS and install the applications that you are secure. Once you start installing applications, it will be necessary to practice due care and get the necessary services/apps secured.
The idea is that at least you are starting with a secure base, and do not have to take action in order to make it secure. This differs from other OS’s where a fresh install is not secure at all unless the administrator does *something* first. Ex: Windows 2003 requires a ton of patches after an initial install (along with turning off extra services) as the first step towards a secure system.
I think Microsoft is doing better in this regard. If I remember correctly, the default install of SQL Server (or MSDE) used to have an SA password of blank – ripe for the picking! Fresh installs of SQL Server 2005 require a password and have network connectivity shut off until you specifically enable it. Windows 2003 Server is also much more secure by default than 2000. However, I would still prefer a fresh install of OpenBSD.
One clarification to the article – it says OpenSSH is shut off until you specifically enable it. That makes it sound like you have to manually edit a file to enable it after install. The install asks if you want SSH enabled and it does it for you during the install process (unless they have changed this in 4.1).
It’s good for OpenBSD to have most services shut off by default. I guess that’s a good compromise between usability and security.
In reality, the even better way to be secure by default is NOT to have any UNNEEDED applications installed in the first place.
As I said, the not-enabled-by-default approach is the best compromise between usability and security – I do want to point out that you can get even better security if tools are not installed to be exploited.
Having the software installed by default but not active is no more insecure than not having the software installed – if the system is compromised, it’s over anyways. It’s like people not having gcc on a system as a “security measure”; it’s not helping, since once a person has broken in, they can simply get it on their own.
I guess I wasn’t too clear.
The problem with more software is that it gives more vectors for attack.
Software installed by default and not active *should* be secure. But, all it means is that the server daemon is not running. The executable is still sitting somewhere.
A newly installed server could have added a “hook” to run the executable of a non-enabled server. Something like this may just enable a new vector of attack not realized before. Even experienced admins may miss something like that.
Speaking of gcc. Not having gcc installed means that a hacker cannot use gcc as a vector of attack. Sure, if a person has hacked a server they can do whatever they want – including adding gcc. But what I mean to say is that not having gcc may just have shut down attacks from that angle.
I really don’t know why people are modding you down because what you are saying is correct. When the Linux Slapper worm was going around it depended on two things in order to exploit a system: a default installation of apache with mod-ssl enabled and gcc on the same machine. As someone who had to answer the questions as to whether or not we were vulnerable to this, it only took me a few seconds after reading how the exploit worked before I could answer definitely that we were not vulnerable because I had removed gcc and apache from the machines.
If you are going to build a system that is Internet facing, you can either strip the OS to “parade rest” so that you minimize possible attack vectors or do a default install, lock it down and take your chances. SANS, SecurityFocus and other security sites have tons of documents on doing exactly what you recommend. I don’t see the problem here unless fretinator is right and you are being modded down for the wrong reasons.
I think Microsoft is doing better in this regard
No doubt that they have improved, they just have a long ways to go, and were an easy target to illustrate my point.
Also, I just installed 4.1 on a server yesterday. Yes, it still prompts to ask if you want ssh enabled
Actually, installing updates is not the same as having a small attack surface to begin with, and Win2k3 is pretty locked down by default. It’s certainly not OpenBSD, but you don’t have to run around turning off services in 2003 like you did with Windows 2000 or XP.
“I think one of the things to make sure to take into account is the concept that once I install OpenBSD and start making changes to the OS to make it ‘usable’, I am losing the various security aspects that are enabled by default. It is necessary to make the system less secure to make it usable.”
This is a tendency that other UNIXes and Linux have to deal with today. Because users could need certain services, these services have to be enabled by default so the user does not get bothered. There are other security aspects such as automated login, asterisks displayed in the password input field, not needing root passwords to install systemwide software – marginal aspects, I agree, but step by step security barriers get overridden by comfort considerations. Most of them feature the loss of the difference between system user and system administrator, which does not exist at the home user’s site in fact.
Because OpenBSD is an OS-only distribution (in contrast to most Linusi or DesktopBSD / PC-BSD), it does not contain software the OS developers do not have any control over. This is one important aspect regarding security.
“That being said, OpenBSD is great, and has its uses. Just don’t think that once you install the core OS and install the applications that you are secure. Once you start installing applications, it will be necessary to practice due care and get the necessary services/apps secured.”
Home users do not care anyway, but surely OpenBSD would not be their choice either.
Luckily, OpenBSD is usually used by people who know what they’re doing, so they know what they can take the responsibility for.
I don’t know if there is a better way, but I have always had to manually set my encryption key when I am doing a network install of OpenBSD. When it gets to the network setup, I just exit the install to the command-line and enter “ifconfig ath0 nwkey 0x123456789” where ath0 is your interface and 0x123456789 is your WEP key. I then restart the setup program (I don’t remember the program name) – it is smart enough to let me keep my drive settings and then DHCP works.
Just in case someone needed that. If there is a better way, let me know.
[Edit – clarification that this is a network install]
Edited 2007-06-20 21:06
The security of a server depends mainly on its administrator, not on its OS.
“The security of a server depends mainly on its administrator, not on its OS.”
Software quality cannot be overlooked; a Windows-free server is a more secure server.
Not always. I think it’s all about how competent your admin is.
If somebody is a windows guru, they can probably construct a respectable server.
If they have absolutely no *nix experience and slap an OpenBSD box together, enable random services, they might have some issues.
I agree that on their own, BSDs are more secure than Windows boxes – provided the admin knows what they’re doing, of course!
Edited 2007-06-20 21:40
I agree with the part that admins are crucial in terms of setting the system right.
However, the OS design is more important in these days of zero-day exploits.
If an OS is designed properly, there is less chance of major damage even if a vulnerability is exploited while the admin is off work, sleeping, commuting, etc.
When you go back to the history of Windows vs. *nix in the security arena, more often than not Windows has vulnerabilities that are exploited actively and quickly.
Sometimes, you just don’t have the time to patch or implement a workaround before the exploit hits your server.
I have to disagree with you. A Windows 2003 box can be made to be very secure, with only a small amount of effort. Most unneeded services are disabled by default, and the system is set up to require authentication to even view open shares and services. Codewise, Win2k3 is going to need some updates when installing a new box, but what OS that came out 4 years ago doesn’t?
Windows is the worst OS you can use on a server, other OS’s such as Linux, BSD, and OpenSolaris easily win on cost, reliability, security, EULA, and system requirements.
In some situations, Windows would be the best tool for the job, and Exchange and SQL Server 2005 are very good products. If you could get over yourself and your prejudices, do some research and some testing, you might learn that there is a tool for every job, and you can’t just dismiss something because you don’t like it or don’t know anything about it (and you don’t seem to know anything about modern Windows).
That’s like saying condoms are unnecessary if you know how to pull – never mind, I won’t elaborate. You know what I’m getting at.
Point is no matter how good the administrator is, it’s the OS that has to deal with a security threat. At some point you have to let in _something_ in order for the server to be of any use at all, and if the code for that particular something has a flaw in it… THAT is what matters in the end.
In other words the OS is VASTLY more important than the administrator. A really good administrator with a shitty OS won’t do a damned bit of good…
Edited 2007-06-20 22:01
I modded you up and wish I could give you a few points. The reason I modded you up is that it is obvious people are modding you down because they disagree with you. Your comment is very true and important to remember – no OS is secure without a trained administrator at the helm. People, please mod this person up, and others, stop modding people down because you disagree with someone, or they say something that you don’t like, or because you get mad. Mod a comment down because:
1. It contains offensive language or personal attacks
2. It is off-topic
3. It contains ads, spam, or an attempt to link to something unrelated
Whoever is modding us down is more than likely the people who think supreme dragon’s comments are insightful and can’t be bothered to actually engage any of us in a discussion of why we respond the way we do.
I have come to the conclusion that some of the people here are not really interested in meaningful discussion of OS related topics, they are far more interested in modding people they don’t like down and posting inflammatory comments. My guess is we are right and somebody is upset about it.
I am a UNIX fan. I use Debian Linux all the time. I believe that a Debian Linux server or a FreeBSD server can be as secure as an OpenBSD server. OpenBSD is secure by default. It’s an empty statement. Nobody uses a ‘default’ server. And define ‘secure’. From OpenBSD’s point of view, it means: no buffer overflow, no hackable software, etc. That’s pretty worthless if you host a buggy PHP website on it or badly configure your mailserver so it becomes a spamhost. Therefore I believe that the security of a server depends on its administrator, not the running OS. Debian and FreeBSD have a very excellent security history. So, if you’re looking for a secure OS that is also functional (good hardware support), you’re better off with Debian or FreeBSD.
I have found OpenBSD to have very good hardware support, especially in the NIC area. I use OpenBSD on some of my laptops and it supports more wireless cards than my Linux laptops. I use older laptops for my test servers because they give me that “rack” feeling (I even put them on a rack) without the price. They also use less power and keep from heating up my computer room.
BTW: There will be a nice feature in FreeBSD 7 called Red Zone [buffer overflow detection]:
“RedZone, a buffer corruption protection for the kernel malloc(9) facility has been implemented. This detects both buffer underflows and overflows at runtime on free(9) and realloc(9), and prints backtraces from where memory was allocated and from where it was freed. For more details, see the redzone(9) manual page.”
redzone(9) man: http://www.freebsd.org/cgi/man.cgi?query=redzone&sektion=9&manpath=…
more about FreeBSD 7 here: http://www.freebsd.org/relnotes/CURRENT/relnotes/article.html
…From OpenBSD’s point of view, it means: no buffer overflow, no hackable software, etc. That’s pretty worthless if you host a buggy PHP website on it or badly configure your mailserver so it becomes a spamhost.
No buffer overflows and no hackable software are laudable goals; saying that things like this are worthless is extremely ignorant. And then you go on and make absolutely no point at all… If you host a buggy PHP website or a badly configured mailserver on ANYTHING you have a pretty major problem. No, OpenBSD won’t save you from stupidity; no one is claiming that it will. But it just might save you from some obscure buffer overflow someone discovers in bind or sendmail or whatever that allows someone to root your box.
And don’t take me the wrong way, I’m not at all picking on Debian or FreeBSD. You’re right, their security records are pretty good too. Not as good as OpenBSD, but they do have performance/software/etc. advantages for certain uses and depending on your needs either may be a better choice. Use what makes sense to you, but all the reasons you have brought up are bogus.
at least with buggy PHP, no harm can reach the system as httpd is chrooted by default
“at least with buggy PHP, no harm can reach the system as httpd is chrooted by default”
If your website gets defaced or personal data from the users of that website are compromised, do you think a chrooted webserver will prevent any more structural damage? Reputation damage can also be really bad for a company. In case of a buggy PHP website, you are better off with a well designed DMZ and an IDS.
A secure OS is nice. But if I had to choose between “a secure OS and a good administrator” and “a really really secure OS and a bad administrator”, I definitely will choose the first one.
Edited 2007-06-21 06:59
That’s a nice strawman you have there.
It’s even better with a really really secure OS and a good administrator.
I’ve always thought of OpenBSD as taking the firewall approach to their design. You generally don’t install a firewall with all ports open in both directions. You install it with nothing open, and then create access rules accordingly. The same principle applies to OpenBSD. You get basically no services up front and then add them as needed. Theoretically, this lets you control your environment with a higher degree of certainty and confidence than you might find with an open, service-oriented OS like Windows or Fedora Core.
I think we can all agree though, a bad administrator is a bad administrator. OpenBSD can only help that affliction so much!
If your website gets defaced or personal data from the users of that website are compromised, do you think a chrooted webserver will prevent any more structural damage?
Yes. Definitely. Absolutely. Without Question. Can I possibly be more forthright? Preventing more structural damage is the fricken’ POINT of chrooting something…
In case of a buggy PHP website, you are better off with a well designed DMZ and an IDS.
You keep doing that… It’s irritating. The fact is you are MUCH better off having BOTH. There is no need to choose one and not the other. And what exactly does a DMZ or IDS have to do with the relative merits of an OS that is designed to be secure? Your argument seems to be “a secure OS isn’t really better than an unsecured one because of a multitude of things like DMZs and firewalls and whatever that have nothing at all to do with the Operating System’s design”.
A secure OS is nice. But if I had to choose between “a secure OS and a good administrator” and “a really really secure OS and a bad administrator”, I definitely will choose the first one.
Again, you don’t have to choose. Really. The two things are in no way mutually exclusive.
“OpenBSD is secure by default. It’s an empty statement. Nobody uses a ‘default’ server.”
It does mean you’re not vulnerable after installation and that you don’t have to spend countless hours securing it. Start with a secure base and *add* stuff that you need. Seriously, how can you argue that this is not a good strategy?
“From OpenBSD’s point of view, it means: no buffer overflow, no hackable software, etc. ”
Uh, yeah. What else would it mean? It’s not like they can guarantee that you won’t screw things up on your own.
“That’s pretty worthless if you host a buggy PHP website on it or badly configure your mailserver so it becomes a spamhost.”
No shit Sherlock. However…
A seatbelt won’t help if you drive your car off a 500 feet cliff, ergo seatbelts are useless?
“So, if you’re looking for a secure OS that is also functional (good hardware support), you’re better off with Debian or FreeBSD.”
Personally I have found that OpenBSD is functional and supports most of my hardware better than Linux.
Edited 2007-06-21 03:19
Exactly. FreeBSD users also use PF. It’s probably the best fw you’ll find out there.
Please do not do what this article says about renaming /bsd.mp to /bsd. This is a bad idea since you would have no kernel to fall back on except /bsd.rd which does not have all the tools to perform a recovery.
A much better method would be to edit /etc/boot.conf and add the line:
boot /bsd.mp
Other than that, not a bad introduction.
“Default text editor: vi.”
Not entirely true. Base also has mg, a small emacs-like editor.
“Type ls /dev/cd* to see other CD device nodes”
A better way to do this would be:
sysctl hw.disknames
disklabel cdX (X being whatever CD device you have)
“Packages are easier to upgrade when it comes time to switch to the next OpenBSD release; Ports are trickier to upgrade, and will take much longer to reinstall.”
Not really, since ports creates packages. It would only be a little bit tricky if you had fiddled with the ports build options (something you usually should not do if you’re a user).
“It’s easier to find programs in Ports than it is the package database”
Install sqlports, a sqlite database of available ports/packages.
“export FETCH_PACKAGES=yes”
You should put “FETCH_PACKAGES=yes” in /etc/mk.conf and not export it in the shell. It’s also useful to set “SUDO=sudo” in mk.conf so that you can build ports as an unprivileged user.
PKG_PATH can have multiple paths like so:
PKG_PATH="/mnt/cdrom/4.1/packages/i386/:ftp://ftp2.usa.openbsd.org/pub/OpenBSD/4.1/packages/i386/"
“Adding the Ports tree and OpenBSD source code”
Why add the source code?
“Enabling FreeBSD and Linux binary support”
Unless you really need this you should leave it off. Does anyone actually use the FreeBSD emulation?
“mv bsd.mp bsd”
Before you do this you should “mv /bsd /bsd.old”.
Edited 2007-06-21 03:54
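The kernel-switch and ports-setup advice in the post above, as an added shell example that is not from the post, the article, or OpenBSD itself: instead of renaming bsd.mp over bsd, it leaves /bsd in place as the fallback, writes a single `boot /bsd.mp` line to /etc/boot.conf, sets mk.conf variables such as FETCH_PACKAGES and SUDO without duplicating them, and joins several package sources into one PKG_PATH. The root-directory argument and the function names are my own; pointing the root at a scratch directory lets you rehearse the steps without touching a real system.

```shell
#!/bin/sh
# Added example, not from the original post or from OpenBSD. Every function
# takes the root of the tree it edits so a scratch directory can stand in for /.
set -eu

# Keep /bsd as the fallback and let the bootloader pick /bsd.mp instead.
# Any earlier "boot" directive is replaced rather than appended to.
select_mp_kernel() {
    root="$1"
    [ -f "$root/bsd" ]    || { echo "no $root/bsd found, refusing" >&2; return 1; }
    [ -f "$root/bsd.mp" ] || { echo "no $root/bsd.mp found, refusing" >&2; return 1; }
    mkdir -p "$root/etc"
    if [ -f "$root/etc/boot.conf" ]; then
        grep -v '^boot ' "$root/etc/boot.conf" > "$root/etc/boot.conf.tmp" || true
        mv "$root/etc/boot.conf.tmp" "$root/etc/boot.conf"
    fi
    printf 'boot /bsd.mp\n' >> "$root/etc/boot.conf"
}

# Report the kernel boot.conf selects and whether the fallback kernel survives.
kernel_status() {
    root="$1"
    sel=$(grep '^boot ' "$root/etc/boot.conf" 2>/dev/null | tail -n 1 | cut -d' ' -f2)
    if [ -f "$root/bsd" ]; then fb=yes; else fb=no; fi
    echo "selected=${sel:-/bsd} fallback=$fb"
}

# Idempotently set NAME=VALUE in etc/mk.conf (e.g. FETCH_PACKAGES=yes, SUDO=sudo).
set_mk_conf() {
    root="$1"; name="$2"; value="$3"
    mkdir -p "$root/etc"
    touch "$root/etc/mk.conf"
    grep -v "^$name=" "$root/etc/mk.conf" > "$root/etc/mk.conf.tmp" || true
    printf '%s=%s\n' "$name" "$value" >> "$root/etc/mk.conf.tmp"
    mv "$root/etc/mk.conf.tmp" "$root/etc/mk.conf"
}

# Join package sources into a colon-separated PKG_PATH, local media first.
# pkg_add expects each directory to end in a slash, so one is added if missing.
build_pkg_path() {
    out=""
    for p in "$@"; do
        case "$p" in */) ;; *) p="$p/" ;; esac
        out="${out:+$out:}$p"
    done
    echo "$out"
}

# Usage on a real system (runs only when invoked with --apply):
#   sh this_script.sh --apply
if [ "${1:-}" = "--apply" ]; then
    select_mp_kernel /
    set_mk_conf / FETCH_PACKAGES yes
    set_mk_conf / SUDO sudo
    echo "PKG_PATH=$(build_pkg_path /mnt/cdrom/4.1/packages/i386 \
        ftp://ftp2.usa.openbsd.org/pub/OpenBSD/4.1/packages/i386/)"
    kernel_status /
fi
```

Rehearse it first with a scratch root (create empty bsd and bsd.mp files under it and call the functions with that directory); kernel_status should report selected=/bsd.mp with fallback=yes, and /bsd is never moved, so "boot /bsd" at the boot> prompt still works if the MP kernel misbehaves.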
I think OpenBSD’s point of view on security is different from that of other OSes. They usually say “code quality”, not “security”.
…doesn’t OpenBSD do other things like encrypt on-the-fly and randomly assign memory addresses required by the applications?
My feeling is the OpenBSD team is very conscious about keeping the hardware, OS, and applications separate. Meaning, they know the OS is the middle man between the hardware and applications so they work to make sure the OS can fulfill the various requests while keeping applications from messing with other applications and their data. At no point are they concerned with the applications since it is the job of the developers to develop their applications within the confines of the OpenBSD security model.
Microsoft, on the other hand, seems to do the opposite in that they come up with a feature for an application and then modify the OS to make it happen. Internet Explorer is one that comes to mind. I am sure Microsoft is working on improving security, but they are still trying to “bake” stuff into the OS.
…doesn’t OpenBSD do other things like encrypt on-the-fly and randomly assign memory addresses required by the applications?
Those are fairly standard practices nowadays. I think Windows started doing that with Windows 2000, and Linux around 2.4.
This ongoing thread is a perfect example of just how broken the “mod system” is. IMO, the discussion here on osnews should stand on its own. We don’t need some stranger to pat us on the back or vote us down because they can’t think up a reasonable counter-argument.
I’ve seen situations where individuals with multiple accounts bend the system anyway. Ever notice the guy who, within seconds after posting, always has a score of 2? You know who you are. I’ve seen multiple comments on this OBSD thread where someone is being modded down, yet I see nothing that fits the appropriate “mod down criteria” in his posts.
——————-
Anyway, lest I be accused of going OT, I agree that the article was a pretty decent, cursory overview. OpenBSD is most impressive for its “secure by default” approach (which is, among other things, a side-effect of careful code review).