From: "f.johan.beisser" <jan@caustic.org>
Date: Tue, 11 Dec 2001 18:15:26 -0800 (PST)
To: Mike Meyer
Subject: RE: openbsd
In-Reply-To: <15381.31268.834854.418233@guru.mired.org>
Message-ID: <20011211175559.K16958-100000@localhost>

On Mon, 10 Dec 2001, Mike Meyer wrote:

> f.johan.beisser types:
> > On Mon, 10 Dec 2001, Bill Schoolcraft wrote:
> > > Now, correct me here when needed. Back when I started using (not
> > > hacking) FreeBSD the version was 3.4 and it was a "slam_dunk" that
> > > OpenBSD was the secure way to go.
> > i still regard that as being true, even in our FreeBSD 4.4 times.
>
> Even if you use the Extreme Security settings in sysinstall?

i've found the Extreme Security to be more annoying than helpful. while i do like the idea, it's also good for rendering the machine useless to a beginner user, since it shuts out kernel modules, renders the root filesystem read only on mounting (not a bad idea, really, just inconvenient on the initial install.. and really nasty when it comes to /tmp and X).. on the other hand, it does still allow ssh, while disabling the inetd.
i have just found that it's generally in my best interests to just do these things myself, since the various security settings (that i've seen, i can be wrong.. i don't use them at all) don't seem to strike a decent balance. i don't want services running, except for sshd. i don't generally use the kernel security settings on my workstation.. no need for them, usually.

> > well, the idea is that openbsd is secured out of the box. you don't have
> > to do these adjustments to it, since they should already be done.
>
> Most of the adjustments can now be done via the install process.

yes, but again, the idea is that you don't have to do them. they're already done. while i can argue the relative merits of both OSs (i use both, for different things, some things are just easier to do in openbsd than in freebsd), i don't think this is the forum for that.

> > when i'm locking down my FreeBSD machine, the first thing i do is shut off
> > inetd. since i don't use it, there's no reason i need it. the next 3
> > things are only somewhat necessary, but i do them anyway: recompile the
> > kernel to use firewalling, up the maxusers and then, finally, install
> > extra packages.
>
> inetd can be disabled via the install process, and you don't have to
> recompile the kernel to use firewalling anymore.

i prefer to have the firewall in the kernel. it's a goofy preference, that i know isn't necessary to run it, but i do this anyway. i don't always allow kernel modules on every machine; in some cases, it's preferable to not have those modules available, even if the machine is set up to prevent the use of them.

> > i still think freebsd has a little ways to go to be "up to par" with
> > openbsd's default "secure" install.
>
> I haven't looked at OpenBSD in a long while, but it wouldn't surprise
> me if the FreeBSD sysinstall Extreme Security setting was more secure
> than OpenBSD's default install.

this could be.
again, i don't use the security settings because they're not quite "fine grained" enough for my purposes. yes, i don't bother with portmapper. i merely don't need any of the inetd services (i do just about everything through ssh, myself), nor do i use distributed filesystems in an unprotected environment. i don't think that any other service should be run if it can be avoided.

on the same note, OpenBSD's default install (0 customisation) has just about the right balance. minor hacks to the rc.conf, and the machine is ready to go. from initial install, to rolling out a finished machine: 30/40 minutes.

FreeBSD is my choice for most things; it's what i recommend to people who want to try out UNIX. it's what i use for my workstation and most servers at my job. effectively, what doesn't have FreeBSD on it has BSD/OS (aka BSDi), and only recently did we introduce OpenBSD.

-------/ f. johan beisser /--------------------------------------+
 http://caustic.org/~jan                          jan@caustic.org
 "John Ashcroft is really just the reanimated corpse of J. Edgar Hoover." -- Tim Triche
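The hand lockdown described in this mail (inetd off, sshd the only listener, portmapper and NFS off, firewall in, kernel securelevel raised) comes down to a handful of /etc/rc.conf knobs on FreeBSD 4.x. What follows is an added example, not part of the original post and not FreeBSD's own code: two constructed rc.conf fragments and a small POSIX sh audit that reports every knob departing from that baseline. The variable names (inetd_enable, sshd_enable, portmap_enable, nfs_server_enable, sendmail_enable, firewall_enable, kern_securelevel_enable, kern_securelevel) are the real rc.conf variables of that era; the baseline values and both fragments are assumptions made for illustration. An unset knob is reported as a finding, because it silently inherits whatever /etc/defaults/rc.conf says.

```shell
#!/bin/sh
# Added example (not from the original mail): audit an rc.conf-style file
# against a "sshd only, ipfw on, securelevel up" baseline.

# Two constructed /etc/rc.conf fragments used as sample input. The knob names
# are FreeBSD 4.x rc.conf variables; the values are assumptions for this demo.
LOCKED_RC='inetd_enable="NO"
sshd_enable="YES"
portmap_enable="NO"
nfs_server_enable="NO"
nfs_client_enable="NO"
sendmail_enable="NO"
firewall_enable="YES"
firewall_type="client"
kern_securelevel_enable="YES"
kern_securelevel="2"'

LOOSE_RC='inetd_enable="YES"
sshd_enable="YES"
portmap_enable="YES"
firewall_enable="NO"'

LOCKED_FILE=$(mktemp)
LOOSE_FILE=$(mktemp)
printf '%s\n' "$LOCKED_RC" > "$LOCKED_FILE"
printf '%s\n' "$LOOSE_RC" > "$LOOSE_FILE"
trap 'rm -f "$LOCKED_FILE" "$LOOSE_FILE"' EXIT

# rc_get FILE VAR: value of VAR in FILE with quotes stripped. The last
# assignment wins, as it does when rc.conf is sourced by the shell.
# Prints nothing when VAR is never set in FILE.
rc_get() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# Baseline (assumed for this example): every network service off except sshd,
# the firewall enabled, and securelevel raised at boot.
BASELINE='inetd_enable=NO
portmap_enable=NO
nfs_server_enable=NO
sendmail_enable=NO
sshd_enable=YES
firewall_enable=YES
kern_securelevel_enable=YES'

# audit_rc FILE: print one line per knob that departs from BASELINE.
# An unset knob counts as a finding: it inherits /etc/defaults/rc.conf,
# which a hand-locked-down box should not rely on. Returns 0 when clean.
audit_rc() {
    file=$1
    findings=0
    for pair in $BASELINE; do
        var=${pair%%=*}
        want=${pair#*=}
        got=$(rc_get "$file" "$var")
        if [ -z "$got" ]; then
            echo "$var: not set (inherits /etc/defaults/rc.conf); set it to \"$want\" explicitly"
            findings=$((findings + 1))
        elif [ "$got" != "$want" ]; then
            echo "$var: is \"$got\", expected \"$want\""
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

echo "== locked-down fragment =="
audit_rc "$LOCKED_FILE" && echo "clean"
echo "== loose fragment =="
audit_rc "$LOOSE_FILE" || echo "needs work before it goes on the wire"
```

Two caveats go with this. The kernel-side preference in the mail (firewall compiled in rather than loaded as a module) is `options IPFIREWALL` in the kernel config, and a kernel built that way denies all traffic until rules are loaded unless `IPFIREWALL_DEFAULT_TO_ACCEPT` is also set, so do not enable it on a remote box without a working firewall_type or ruleset already in rc.conf. And kern_securelevel at 1 or higher is what "shuts out kernel modules": kldload is refused once the level is raised, which is exactly why an ipfw module that was never compiled in cannot be added later.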