bsd-roo

is my box secure enough?

17 posts in this topic

i nmapped myself and here's my results:

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2007-04-16 01:43 NZST
Initiating SYN Stealth Scan against discworld.******* (127.0.0.1) [1680 ports] at 01:43
Discovered open port 22/tcp on 127.0.0.1
Discovered open port 25/tcp on 127.0.0.1
Discovered open port 113/tcp on 127.0.0.1
Discovered open port 587/tcp on 127.0.0.1
Increasing send delay for 127.0.0.1 from 0 to 5 due to 23 out of 75 dropped probes since last increase.
Discovered open port 6000/tcp on 127.0.0.1
Increasing send delay for 127.0.0.1 from 5 to 10 due to max_successful_tryno increase to 4
Discovered open port 13/tcp on 127.0.0.1
Discovered open port 37/tcp on 127.0.0.1
The SYN Stealth Scan took 35.80s to scan 1680 total ports.
For OSScan assuming port 13 is open, 1 is closed, and neither are firewalled
Host discworld.****** (127.0.0.1) appears to be up ... good.
Interesting ports on discworld.student.aspley.opal.lan (127.0.0.1):
Not shown: 1673 closed ports
PORT STATE SERVICE
13/tcp open daytime
22/tcp open ssh
25/tcp open smtp
37/tcp open time
113/tcp open auth
587/tcp open submission
6000/tcp open X11
Device type: general purpose
Running: OpenBSD 3.X
OS details: OpenBSD 3.5 - 3.9
OS Fingerprint:
TSeq(Class=TR%IPID=RD)
T1(Resp=Y%DF=Y%W=4000%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=Y%DF=Y%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=Y%W=4000%ACK=S++%Flags=AS%Ops=MNWNNT)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

TCP Sequence Prediction: Class=truly random
Difficulty=9999999 (Good luck!)
IPID Sequence Generation: Randomized

Nmap finished: 1 IP address (1 host up) scanned in 37.385 seconds
Raw packets sent: 2337 (103.320KB) | Rcvd: 4044 (171.516KB)

i'm still learning to secure it better. is this safe enough for now? will x11 be exploited? i did not run it as root.

does openbsd need any firewall tools or is it secure enough? i'm trying to set up the packet filter, lots of pages to read.


Don't nmap yourself, use netstat.

Don't nmap yourself, use netstat.

netstat -utl

The world is not made of Linux. It looks like he's running OpenBSD, that's not what he wants. He'll want something like netstat -an | grep LISTEN.

i'm still learning to secure it better. is this safe enough for now? will x11 be exploited? i did not run it as root.

does openbsd need any firewall tools or is it secure enough? i'm trying to set up the packet filter, lots of pages to read.

Sorry, I didn't even see this part the first time I read your message. OpenBSD is very safe out of the box. Most services are turned off, and other potentially dangerous services (like sendmail) are bound to 127.0.0.1, so they're not accessible remotely. As is X11, you can only access that from localhost, so it's probably not worth worrying about. That's one of the reasons you don't nmap yourself from localhost, it gives confusing results.

OpenBSD has the awesome pf packet filter. It's really easy to use (much easier than iptables), but depending on the machine's purpose, you probably won't need it. If this is a server, definitely set up a whitelisting firewall (deny every packet, then allow every packet you know you want). Definitely read those pages, pf is easy and powerful, but like any non-trivial tool, there's a bunch to learn.

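The replies above recommend `netstat -an | grep LISTEN` over a localhost scan and point out that services bound to 127.0.0.1 are not reachable remotely. As an added example (not part of any post in this thread), the script below sorts TCP listeners into loopback-only and exposed; it assumes the BSD `address.port` layout, and the sample output and function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -an` output in the BSD layout (address.port).
sample_netstat() {
cat <<'EOF'
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  192.168.1.10.22        192.168.1.20.51514     ESTABLISHED
tcp          0      0  *.22                   *.*                    LISTEN
tcp          0      0  127.0.0.1.25           *.*                    LISTEN
tcp          0      0  127.0.0.1.587          *.*                    LISTEN
tcp          0      0  *.113                  *.*                    LISTEN
tcp          0      0  *.13                   *.*                    LISTEN
tcp          0      0  *.37                   *.*                    LISTEN
tcp6         0      0  ::1.25                 *.*                    LISTEN
tcp6         0      0  *.22                   *.*                    LISTEN
udp          0      0  *.514                  *.*
EOF
}

# Read `netstat -an` output on stdin; print "<scope> <proto> <addr> <port>"
# for every TCP socket in LISTEN state. UDP sockets carry no LISTEN state
# and are skipped, exactly as `grep LISTEN` would skip them.
classify_listeners() {
    awk '
    $1 ~ /^tcp/ && $NF == "LISTEN" {
        la = $4
        match(la, /\.[^.]+$/)            # the last dot separates address from port
        addr = substr(la, 1, RSTART - 1)
        port = substr(la, RSTART + 1)
        # Only loopback binds are unreachable from other hosts; a wildcard (*)
        # or a specific interface address counts as exposed.
        scope = (addr == "::1" || addr ~ /^127\./) ? "loopback" : "exposed"
        printf "%s %s %s %s\n", scope, $1, addr, port
    }'
}

# Unique, numerically sorted ports that accept connections from other hosts.
exposed_ports() {
    classify_listeners | awk '$1 == "exposed" { print $4 }' | sort -nu | paste -sd' ' -
}

# On a real machine: netstat -an | classify_listeners
sample_netstat | classify_listeners
```

The ports reported by `exposed_ports` are the ones a whitelisting firewall rule set has to make a decision about; the loopback entries are the ones that showed up in the localhost scan but cannot be reached from the network.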

thanks

looking at the pf firewall manuals now. i was getting worried about X11, especially since most of the time i run that with root.

thanks for help anyways

Don't nmap yourself, use netstat.

netstat -utl

The world is not made of Linux. It looks like he's running OpenBSD, that's not what he wants. He'll want something like netstat -an | grep LISTEN.

FUCK BSD, live free or die

looking at the pf firewall manuals now. i was getting worried about X11, especially since most of the time i run that with root.

There's no reason you need to run that as root. If you're going to be so careless, you might as well not be running OpenBSD at all. Security is about doing things in a secure way, not about setting things up and magically "obtaining security." Security isn't something you can have, it's something that you do. So log in as an unprived user and use sudo to selectively run commands as root. This has the advantage of not only running unnecessary things as root (like X11), but also sudo's extra layer of authentication. You can set it up so a user can only run certain commands as root (or another user), for example (on a debian system) only give a user permission to execute apt-get as root. If you need a full-blown root shell, you can either sudo sh or go to one of the virtual consoles and log in as root from there.

There's no reason you need to run that as root. If you're going to be so careless, you might as well not be running OpenBSD at all. Security is about doing things in a secure way, not about setting things up and magically "obtaining security." Security isn't something you can have, it's something that you do. So log in as an unprived user and use sudo to selectively run commands as root. This has the advantage of not only running unnecessary things as root (like X11), but also sudo's extra layer of authentication. You can set it up so a user can only run certain commands as root (or another user), for example (on a debian system) only give a user permission to execute apt-get as root. If you need a full-blown root shell, you can either sudo sh or go to one of the virtual consoles and log in as root from there.

Unfortunately this is something that most people don't understand. OpenBSD may be one of the most secure operating systems you can run, but not setting it up correctly or not using secure practices takes that security away. Sure, Windows has lots of flaws and inherent bad security designs, but I can make it more secure than someone who doesn't know anything about security setting up something like OpenBSD. I've been telling people for years that software doesn't mean shit, it's the user that defines the security, and people are starting to figure this out. Most issues can be avoided simply by practicing good security and having good policies in place even if there are vulnerabilities in the software.

Don't nmap yourself, use netstat.

netstat -utl

The world is not made of Linux. It looks like he's running OpenBSD, that's not what he wants. He'll want something like netstat -an | grep LISTEN.

FUCK BSD, live free or die

arewhyainn, I hope you know that BSD license is much more free than GPL license.

Don't nmap yourself, use netstat.

netstat -utl

The world is not made of Linux. It looks like he's running OpenBSD, that's not what he wants. He'll want something like netstat -an | grep LISTEN.

FUCK BSD, live free or die

Yes, because everyone appreciates being told "FUCK _____[something they use]_____" by someone who doesn't even know what that thing is.

Don't nmap yourself, use netstat.

netstat -utl

The world is not made of Linux. It looks like he's running OpenBSD, that's not what he wants. He'll want something like netstat -an | grep LISTEN.

FUCK BSD, live free or die

arewhyainn, I hope you know that BSD license is much more free than GPL license.

I have read the BSD license and i disagree with it.

Don't nmap yourself, use netstat.

netstat -utl

The world is not made of Linux. It looks like he's running OpenBSD, that's not what he wants. He'll want something like netstat -an | grep LISTEN.

FUCK BSD, live free or die

Yes, because everyone appreciates being told "FUCK _____[something they use]_____" by someone who doesn't even know what that thing is.

hell, ya

-------------------------------------

help! Richard Stallman has brainwashed me.

Edited by arewhyainn

What do you not like about BSD's licensing scheme, arewhyainn?

Edited by intimidat0r

What do you not like about BSD's licensing scheme, arewhyainn?

i'll get back to you on that. it's been awhile since I read them, I forget. It's sad I know. I just remember it sucking.

What do you not like about BSD's licensing scheme, arewhyainn?

i'll get back to you on that. it's been awhile since I read them, I forget. It's sad I know. I just remember it sucking.

It's more free than the GPL is free. It ain't that hard really:

http://en.wikipedia.org/wiki/BSD_license


well, with the BSD licensing you might as well say "here take my software, I don't need it". you still need basic rights for software, and the BSD license does not do that.

It took me a while to understand "gnu, free as in freedom, not free beer." my first thought was I could just take it and do whatever the fuck I want with it. but that is not the case. but BSD is like that. The other thing is I like the idea that the software changes have to be free as well. It doesn't support proprietary, like BSD does.

http://www.gnu.org/philosophy/bsd.html

Edited by arewhyainn

arewhyainn, hope you know the GNU BSD FUD page hasn't been updated since BSD changed their license; you don't need the adver clause anymore.
