
Re: Wanting opinions...



On Fri, Jun 17, 2005 at 11:43:37AM -0500, L. V. Lammert wrote:
> If I want to put a server on the 'Net, I use OpenBSD. Never had to worry 
> about getting rooted (one RedHat box from a customer was on THREE DAYS 
> before getting rooted).

If you're going to use this argument, I would prefer that you keep your
drool-mouthed diatribe to yourself.  The concept that OpenBSD is more
secure IN GENERAL than any other UNIX or UNIX clone is more a red
herring than anything else.  Sure, OpenBSD may be locked down out of the
box, but that doesn't mean you can't lock down a Red Hat box to the
level of an OpenBSD box to the outside world.  And, yes, admittedly,
there are some things that make me a little wary when it comes to
running multi-user GNU/Linux systems, so for that purpose, I run NetBSD
on machines I intend to have a good number of untrusted users logged
into.

And there are a whole ton of things about OpenBSD that drive me mad
because I wouldn't do things that way, like running Apache in a chroot
jail.  I wouldn't ever do that; rather, I'd tell Apache to listen on
port 8080 and use PF to forward all requests on port 80 to port 8080.
IIRC, this prevents Apache from ever having to gain root because it's
listening on an unprivileged port.

... and putting any machine on the Internet without locking it down
first is outright stupid, careless, and foolish.  Do the install either
on a chunk of isolated ethernet or behind a firewall that's doing NAT.

-- 
Nathaniel Reindl
Fedora Core 3 kernel 2.6.11-1.27_FC3 on an AMD Opteron 240
