Re: Linux vs OpenBSD as a router

Author: Lisa Kachold
Date:  
To: Main PLUG discussion list
Subject: Re: Linux vs OpenBSD as a router
On Thu, Oct 22, 2009 at 8:04 AM, Paul Mooring <> wrote:

> Please excuse my inexperience here but I'm not sure what you mean.
>


Don't we all love that humble posturing! Looks so good on you, young nixian!


> I have a script that runs in cron and checks installed packages against
> glsa (glsa-check is an app for gentoo) and if there is a security problem on
> an installed package it notifies us immediately; because of this, security
> packages that make it into portage generally are applied to systems within
> the hour when they're released.
>


Ho, s-hexy!

...sadly, if it doesn't install with the distro, few configure it!

ASIDE: You are the exception, someone must have issued you a clue? If
it's stolen obnosis, I understand your humble posturing! (In abject
deference to the intellectual caste system that requires one to carry
certifications, education and other proof you were issued knowledge (25
years of experience [which still will be questioned]! [Do "bottom dog" well,
my man and try to avoid corporate America to ensure none chastise and punish
you for your intellectual insolence - [via remanding you to first echelon
technical support positions...[or join them and get a BS {in anything}] and
take a DHS or NSA job [you are less than 10% of the IT populace]).


>
> However, I'm not sure what you mean by checking against the patch lists
> (like I said I'm still a relatively new sys admin in general). Is there a
> better way to go about security policy for linux servers?
>


That was exactly what I meant!

ASIDE: How polite, he is! Another would be arrogantly correcting my syntax
referencing the update/patch process nomenclature in Gentoo!


>
> btw, I'm not particularly attached to gentoo so if you or anyone knows
> another distro that is better from a sys admin standpoint for staying ahead
> of security that would be great. The above mentioned glsa-check script and
> another script allowing most packages to be updated on all servers at once
> are the main reason I use it.
>


I am fickle! I can't seem to agree on the superiority of any distro or OS,
but like to build and dissect and disassemble them all. Some are better for
some things and others are worse for others, but bingo, you got it, they all
require HIGHLY RESPONSIBLE CONFIGURATION, much ignored, especially in
security in IT today!


>
> -----Original Message-----
> *From*: Lisa Kachold
> *Reply-to*: Main PLUG discussion list
> *To*: Main PLUG discussion list
> *Subject*: Re: Linux vs OpenBSD as a router
> *Date*: Thu, 22 Oct 2009 00:50:10 -0400
>
> Yes, my point with wget was/is that it's on ALL distros, so having package
> updates is essential.
>
> If you actually trust portage; or have you had stellar experiences with
> gentoo patch updates?
>
> In my historical day(s), portage was replaced by the best gentoo admins
> (Dotster for instance, now replaced with CentOs) with custom local portage
> server source, due to many issues.
>
> And from my experience, Gentoo admins simply don't patch update. Honestly,
> now, do you? Have you checked your source against the patch lists?
>
> Point made!
>
> On Wed, Oct 21, 2009 at 12:09 PM, Paul Mooring <>
> wrote:
>
> I definitely see what you're saying and agree that the most important thing
> is to use a distro or OS that you have policies in place to stay current on
> patches and updates, but I'm not sure I see your point about gentoo
> security. It looks to me like that link shows a patch in portage where
> gentoo had fixed an issue with wget (before similar updates were out for
> suse, redhat, or ubuntu) which seems to me to be an indicator of good
> security practices for a distro, and as far as securing open ports, I would
> think you wouldn't open them up in the first place without trusting the
> service on any particular port.
>
>
>
> -----Original Message-----
> *From*: Lisa Kachold
> *Reply-to*: Main PLUG discussion list
> *To*: Main PLUG discussion list
> *Subject*: Re: Linux vs OpenBSD as a router
> *Date*: Wed, 21 Oct 2009 08:06:48 -0700
>
> Gentoo likewise has problematic patch security and package management. I
> have built more than a few of those systems.
>
> OpenBSD of course has less to patch, if installed without all the X.
>
> SLES has inherent kernel security and NX (immunix-style development by
> Crispin Cowan), and packages can easily be hardened.
>
> All production use of Linux requires a good understanding of both patch
> management and server hardening, especially in a firewall.
>
> My point is, that whatever you choose, especially in a production
> environment, a process must be in place to track security issues, and apply
> patches with a modicum of dependence that they will, in fact, work, with
> insurance that the downtime will be ONE reboot (for a kernel patch/rebuild).
>
>
> You know that the day the exploit has been announced, the exploit scripts
> are in play?
>
> *Gentoo has horrendous security issues. Do you know that every port open
> to both local networking and external applications is secure?*
>
> http://www.gentoo.org/security/en/glsa/ [Example - I am pretty sure you
> are using wget (since it's part of the hand build process {you did build
> your gentoo distro by hand didn't you?}) - first thing on the
> list....possibly mitigated because you don't have shell users to gain root,
> but there are a great many others that are a factor in a firewall
> application (net/dhcpd).
>
> *How are you going to be alerted tomorrow when the reverse engineers
> partner with progress to disassemble binaries/kernels/SSL entropy while
> building metasploit toys/tools to prove their intelligence is worth a book
> deal or consulting company?*
> On Wed, Oct 21, 2009 at 7:46 AM, Paul Mooring <> wrote:
>
>
> I don't know as much about security as you do, but surely you're not
> suggesting that distros like suse or ubuntu are more secure than openbsd. I
> thought the whole purpose behind openbsd was to make a secure os, as opposed
> to suse for example which I quit using on firewall servers for the security
> issues created from all the unwanted packages installed by default. Are you
> saying I'm wrong in thinking that by default openBSD/pf has significantly
> fewer security issues than say gentoo/iptables (which is what I'm currently
> using in this set up)?
>
>
> -----Original Message-----
> *From*: Lisa Kachold
> *Reply-to*: Main PLUG discussion list
> *To*: Main PLUG discussion list
> *Subject*: Re: Linux vs OpenBSD as a router
> *Date*: Tue, 20 Oct 2009 19:09:39 -0700
>
>
>
> On Mon, Oct 19, 2009 at 2:46 PM, Paul Mooring <> wrote:
>
>
> I've been running linux routers using iproute2 and iptables for a while
> now, and openBSD just had a new release which has me considering switching
> my home setup to a BSD pf solution. Does anyone have any experience
> comparing the two? I guess I'm also concerned about other software I use on
> my linux router not being supported in openBSD (OpenVPN, OpenSwan, and
> Quagga primarily).
>
> Hi! I agree that pf is easier. My first copy of FreeBSD was won from
> Defcon 6, answering a question correctly from the crowd, and I proceeded to
> learn about the wonders that are BSD for a command line (and Xterm) systems
> administrator.
>
> But seeing a good number of implementations of both linux and especially
> OpenBSD in the field, I see shameful exploits that have never been patched.
> I.e. they set it up, (fail to test their rules fully with a full tool suite
> like BackTrack4 [but that is another subject]) and call it functionally
> adequate; the world marches on, and reverse engineers as progress continues,
> yet OpenBSD core kernel exploits (for instance) are never patched (like the
> well known null kernel dereference exploit).
>
> Here are the top $n reasons to avoid OpenBSD:
>
> 1) Use a distribution that provides automated source and binary patch
> management or updates like SLES, Redhat, or Ubuntu for your firewall
> source.
>
> http://www.openbsd.org/faq/faq15.html
>
> You are not going to have time to deal with issues brought forth from
> updates and kernel rebuilds on your bastion firewall system.
>
> 2) Example OpenBSD PF null pointer dereference & scapy:
>
> ------------------------------
> *PROBLEM:* OpenBSD PF Remote Denial Of Service Vulnerability. Exploiting
> this issue allows remote attackers to cause a kernel panic on affected
> computers, denying further service to legitimate users.
> *PLATFORM:* OpenBSD 4.3, 4.4, and 4.5 are affected.
> *ABSTRACT:* OpenBSD's PF firewall in OpenBSD 4.3 up to OpenBSD-current is
> prone to a remote Denial of Service during a null pointer dereference in
> relation with specially crafted IP datagrams. If the firewall handles such a
> packet the kernel panics. The vulnerability resides in 'sys/net/pf.c' in the
> pf_test() function.
>
>
>
> Ref: http://www.doecirc.energy.gov/bulletins/t-110.shtml
>
> Current release is 4.6, but you can bet there are no proactive patches for
> anything older than April 2009! Get scapy baby! Ref:
> http://pentestit.com/2009/09/03/scapy-powerful-interactive-packet-manipulator/
>
> 3) IPv6 was hopelessly broken in OpenBSD up to 4.1 (2007)
>
> Remotely exploitable buffer overflow vulnerability, due to kernel memory
> design flaw in IPv6.
>
> Hey? Good thing I mentioned it, right, or are you all checking the source
> exploits on each distro tool you use? Are you all keeping up on all that
> source code in legacy systems? Script kiddies could just be running the
> python exploit example publicized here:
> http://blog.lifeoverip.net/2007/03/14/only-two-remote-holes-in-the-default-install-in-more-than-10-years/
>
> Ref: http://www.coresecurity.com/content/open-bsd-advisorie
>
> 4) Quagga bgpd denial of service vulnerability (not just for OpenBSD 4.4 or
> earlier, but it is trivial to update source in other distros):
>
> http://www.openbsd.org/errata44.html
>
> Other distros: Ref: http://www.securityfocus.com/bid/17979
>
> 5) OpenBSD 4.6 BIND dynamic zone update message crash (should you need to
> use BIND on your firewall).
>
> http://www.openbsd.org/security.html#46
>
> 6) Exploit mitigation techniques are very complex. Once you read through a
> well explained example, you will agree, that one mitigation technique might
> not be sufficient.
>
> http://www.openbsd.org/papers/ven05-deraadt/index.html
>
> Summary: Check your security patch and exploits by release for OpenBSD
> here:
>
> http://www.openbsd.org/security.html
>
> Be sure to indicate to all your stakeholders that when you take down your
> firewall to implement these fixes EVERYTHING will be either down or at risk?
> Be sure to dd that original kernel to backup before attempting a patch, so
> you can swiftly roll back? Same thing for all the juicy binary sources,
> running unpatched...ignored and constantly under siege!
>
>
>
>
>
> ---------------------------------------------------
> PLUG-discuss mailing list -
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
>
>
>
> --
> Skype: (623)239-3392
> AT&T: (503)754-4452
> www.obnosis.com
> http://www.obnosis.com/motivatebytruth/will_work_4_bandwidth.jpg
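The cron-driven GLSA check Paul describes above, written out as an added example (not the script from this thread): it runs `glsa-check -t all`, mails only advisories that have not been reported before, and remembers them in a state file. The state-file path, the recipient and the reliance on mail(1) are assumptions; only the GLSA id format (YYYYMM-NN) is taken as given, and the rest of glsa-check's output is ignored.

```shell
#!/bin/sh
# glsa-notify.sh: cron-driven GLSA check that mails only advisories not yet
# reported. Added example, not the thread author's script. Assumes Gentoo's
# glsa-check(1) and a working mail(1); GLSA ids look like 200910-01
# (YYYYMM-NN), so that is all we pull out of glsa-check's output.
set -u

STATE_FILE="${STATE_FILE:-/var/lib/glsa-notify/reported}"   # ids already mailed (assumed path)
NOTIFY_TO="${NOTIFY_TO:-root}"                               # alert recipient (assumed)

# stdin: raw "glsa-check -t all" output; stdout: affected GLSA ids, sorted, unique.
glsa_ids() {
    grep -o '[0-9]\{6\}-[0-9]\{2\}' | sort -u
}

# stdin: current ids; $1: state file. Prints the ids absent from the state file.
# awk keeps this POSIX and tolerant of a missing, unsorted or empty state file.
unreported() {
    sort -u | awk -v f="$1" '
        BEGIN { while ((getline l < f) > 0) seen[l] = 1 }
        NF && !($0 in seen)'
}

main() {
    mkdir -p "$(dirname "$STATE_FILE")"
    host=$(hostname)
    # -t all: test every known GLSA against the installed packages.
    fresh=$(glsa-check -t all 2>/dev/null | glsa_ids | unreported "$STATE_FILE")
    [ -n "$fresh" ] || return 0             # nothing new since the last run
    printf 'New GLSAs affecting %s:\n%s\n' "$host" "$fresh" \
        | mail -s "GLSA alert: $host" "$NOTIFY_TO" || return 1
    printf '%s\n' "$fresh" >> "$STATE_FILE"  # record only after the mail went out
}

# Run only where glsa-check exists, e.g. from cron:
#   0 * * * * /usr/local/sbin/glsa-notify.sh
if command -v glsa-check >/dev/null 2>&1; then
    main
fi
```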