Linked by Thom Holwerda on Wed 20th Jun 2007 20:07 UTC, submitted by Valour
OpenBSD "If you're a software enthusiast who has never used OpenBSD before, you might enjoy installing it by yourself and figuring it out as you go. If, however, you're looking for a more practical approach to using OpenBSD 4.1 on a desktop or server machine, here's a quick guide to get you started in this spectacular operating system."
Thread beginning with comment 249416

Having the software installed by default but not active is no more insecure than not having the software installed - if the system is compromised, it's over anyways. It's like people not having gcc on a system as a "security measure": it's not helping, since once a person has broken in, they can simply get it on their own.

Score: 3

flav2000

I guess I wasn't too clear.

The problem with more software is that it gives more vectors for attack.

Software installed by default and not active *should* be secure. But, all it means is that the server daemon is not running. The executable is still sitting somewhere.

A newly installed server could have added a "hook" to run the executable of a non-enabled server. Something like this may just enable a new vector of attack not realized before. Even experienced admins may miss something like that.

Speaking of gcc. Not having gcc installed means that a hacker cannot use gcc as a vector of attack. Sure, if a person has hacked a server they can do whatever they want - including adding gcc. But what I mean to say is that not having gcc may just have shut down attacks from that angle.

Score: 3

Robert Escue

I really don't know why people are modding you down, because what you are saying is correct. When the Linux Slapper worm was going around, it depended on two things in order to exploit a system: a default installation of Apache with mod_ssl enabled and gcc on the same machine. As someone who had to answer the questions as to whether or not we were vulnerable to this, it only took me a few seconds after reading how the exploit worked before I could answer definitely that we were not vulnerable, because I removed gcc and Apache from the machines.

If you are going to build a system that is Internet facing, you can either strip the OS to "parade rest" so that you minimize possible attack vectors or do a default install, lock it down and take your chances. SANS, SecurityFocus and other security sites have tons of documents on doing exactly what you recommend. I don't see the problem here unless fretinator is right and you are being modded down for the wrong reasons.

Score: 5
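
The two points argued in the comments above (a disabled daemon's executable is still on disk, and a compiler next to a network server is a combination worth knowing about) can be checked mechanically. The following is an added example, not part of the thread: the binary name lists, the directory list, and the function names `find_installed` and `audit_host` are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: inventory executables that remain on disk whether or not
# the corresponding daemon is running. All lists below are assumptions.

COMPILERS="gcc cc g++ c++ make as ld"               # build tools (assumed list)
SERVERS="httpd apache apache2 sshd named sendmail"  # server binaries (assumed list)
BIN_DIRS="bin sbin usr/bin usr/sbin usr/local/bin usr/local/sbin"

# find_installed ROOT NAME...
# Prints the path of every NAME present as an executable regular file in
# one of ROOT's standard binary directories, one path per line.
find_installed() {
    root=${1%/}; shift
    for name in "$@"; do
        for dir in $BIN_DIRS; do
            path="$root/$dir/$name"
            if [ -f "$path" ] && [ -x "$path" ]; then
                printf '%s\n' "$path"
            fi
        done
    done
}

# audit_host [ROOT]
# Prints "compiler:<path>" and "server:<path>" lines for what is installed
# under ROOT (default /). Returns 1 when both kinds are present together,
# 0 otherwise. Paths containing whitespace are not handled.
audit_host() {
    root=${1:-/}
    compilers=$(find_installed "$root" $COMPILERS)
    servers=$(find_installed "$root" $SERVERS)
    for p in $compilers; do printf 'compiler:%s\n' "$p"; done
    for p in $servers; do printf 'server:%s\n' "$p"; done
    if [ -n "$compilers" ] && [ -n "$servers" ]; then
        return 1
    fi
    return 0
}
```

Source the file and run `audit_host /` on a live system, or pass a mounted image root such as `audit_host /mnt/image`; the check looks only at files on disk, so it reports a server binary even when the service is disabled.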