From: "f.johan.beisser"
Date: Mon, 10 Dec 2001 17:53:41 -0800 (PST)
To: Bill Schoolcraft
Cc: Noah Dunker
Subject: RE: openbsd
Message-ID: <20011210174925.P16958-100000@localhost>
Sender: owner-freebsd-questions@FreeBSD.ORG

On Mon, 10 Dec 2001, Bill Schoolcraft wrote:

> Now, correct me here when needed. Back when I started using (not
> hacking) FreeBSD the version was 3.4 and it was a "slam_dunk" that
> OpenBSD was the secure way to go.

i still regard that as being true, even in our FreeBSD 4.4 times.

> I bring this question up at the *BSD meetings I go to here in the
> San Francisco Bay Area and seeing we are up to 4.4 (I've stayed at
> 4.2) the consensus I've been listening to is that some minor
> adjustments would secure your FreeBSD box as well as your OpenBSD
> box. Could you comment on this?

well, the idea is that openbsd is secured out of the box. you don't have to do these adjustments to it, since they should already be done.

when i'm locking down my FreeBSD machine, the first thing i do is shut off inetd. since i don't use it, there's no reason i need it.

the next 3 things are only somewhat necessary, but i do them anyway: recompile the kernel to use firewalling, up the maxusers and then, finally, install extra packages. the packages i tend to install are: sudo, cvsup, and bash.

i still think freebsd has a little ways to go to be "up to par" with openbsd's default "secure" install.

-------/ f. johan beisser /--------------------------------------+
  http://caustic.org/~jan                      jan@caustic.org
  "John Ashcroft is really just the reanimated corpse of J. Edgar Hoover."
     -- Tim Triche