Re: 3.9 coming out
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: 3.9 coming out
- From: Craig <bsd_(_at_)_slashboot_(_dot_)_org>
- Date: Mon, 03 Apr 2006 11:50:58 +0100
David B. wrote:
> Hi, I see 3.9 is getting ready to be released. Do you plan on bundling
> Apache2 with it? It would seem a logical thing to do, since the Apache
> version currently bundled with it seems to have problems.
>
> I just lost my entire development box to a hack this week, right through
> smoothwall's DMZ. I had apache up, postgresql installed with the mod_php
> as the middleware. All settings were default and the only port I had
> open was 80 through smoothwall. I even had all packets dropped that
> came from Asia, South America and Africa.
>
> The point being, if you sell security as your market niche, you might
> want to make sure that, at least, Apache be up to date, and not a
> version from 5 years ago where who knows how many hacks there are out
> there for it.
>
> I don't mind rebuilding my development box from scratch because that's
> why I had it on the net like that anyway, simply to see how long it
> would take for someone to crash it. It took less than a month - that's
> not very good from a default security viewpoint.
>
> I'm assuming of course that Apache is the problem, as there are no logs
> or any way to tell what happened, but the hard drive started to make an
> awful screeching sound as the drive was apparently being forced to track
> the heads back and forth very quickly. The drive is fine, but apache
> and postgresql won't start, and the wtmp file was erased, so that when I
> did a 'last' only my most recent login came up.
>
> Anyway, it would be nice if Apache 2 were available for 3.9.

As has been said here already, the licensing of Apache2 means that it
will _not_ be included in the base file sets. Apache 1.3.x that resides
in the OpenBSD base system is not the exact same beast as the Apache
1.3.x that you get from anywhere else. It has been subjected to the
same code audits that the rest of the base system gets, so is far less
likely to suffer the same vulnerabilities as the general release.

Depending on how you have iSmoothwall set up, the fact that your server
is in a DMZ means that it is pretty exposed and that not much actual
firewall protection is applied to it. iSmoothwall, being a Linux-based
firewall, does not incorporate the pf packet filter and from what I can
make out, isn't anywhere near as good as a well-configured OpenBSD/pf
based firewall. I won't go into much depth here as it obviously depends
on how you have iSmoothwall configured.

Finally, as has also been said already, OpenBSD is 'secure by default'.
If you have introduced vulnerabilities through (mis)configuration, then
it isn't going to be as secure as it might be. This will apply to the
OS and the software installed and running. Apache must remain chrooted
for the benefits to remain. Likewise PHP, you will need to make sure
you have it configured properly, are not running unnecessary extensions
and also that you are running well-written, or at least securely coded,
PHP-based web apps. Personally, I wouldn't run somebody else's PHP web
app on a publicly available web site. Any third-party apps would be
placed well out of public reach, with only my own code being exposed to
the big bad world.

PHP is most likely to be the route in, in your case, but that doesn't
mean that PHP is always going to be a problem. As long as it is well
configured, patched and executing securely written code, then there
should not be any real reason to fear it. That is, of course, so long
as I haven't missed a major flaw in PHP. ;)