SEO

Hi!
I've got OBSD-4.3 Installed.

1...My sound card is detected and works, however programs like Xmms/Amarok will not allow me to use their
volume controls, I'm limited to the speaker volume controls. Both programs play and work fine but I can't use
the programs volume/equalizer controls.

2...Xorg is listening on port 6000. I don't need or want that. How to disable?

3...'netstat -an' is showing my computer is listening on several ports by default. How to disable sendmail etc?

Thank you very much in advance.

Tammy.

Tammy Lyn <Tlyn@notformail.com> wrote:
> 1...My sound card is detected and works, however programs like
> Xmms/Amarok will not allow me to use their volume controls, I'm
> limited to the speaker volume controls. Both programs play and work
> fine but I can't use the programs volume/equalizer controls.

This is sound card specific, if I remember correctly. I'm pretty sure
someone will be along to help you with this; if not, try posting a
dmesg.

> 2...Xorg is listening on port 6000. I don't need or want that. How to
> disable?

It doesn't actually accept data from anywhere unless you change things
with xhost(1) and the like. In short, this is harmless.

The way to stop this is passing -nolisten tcp to the X binary (see
Xserver(8)). How to do this will likely vary depending on how you start
X (usually xinit or startx). This might break stuff, though.

If you're really paranoid, you're better off configuring pf to block
access.

> 3...'netstat -an' is showing my computer is listening on several ports
> by default. How to disable sendmail etc?

sendmail(8) doesn't accept data from outside either, at least not by
default. See afterboot(8), under "Sendmail".

sshd(8) is also listening; make sure you either have a strong password
for all relevant accounts or disallow password logins altogether.

The rest are run by inetd(8), see /etc/inetd.conf.

Relax. OpenBSD is secure by default.

Joachim

P.S. What's with wrapping at 113 columns or some such nonsense? A
classical terminal is 80 characters wide, so wrap at 72 columns or less
to allow for some follow-ups.
P.P.S. Welcome to OpenBSD! Feel free to post any questions you have
either here or on misc@openbsd.org. Do read the FAQ, archives,
afterboot(8), and any other relevant man pages first (man -k may be
helpful). OpenBSD has very good documentation.

On Fri, 09 May 2008 02:35:49 +0200, Joachim Schipper wrote:

> Tammy Lyn <Tlyn@notformail.com> wrote:
>> 1...My sound card is detected and works, however programs like
>> Xmms/Amarok will not allow me to use their volume controls, I'm limited
>> to the speaker volume controls. Both programs play and work fine but I
>> can't use the programs volume/equalizer controls.
>
> This is sound card specific, if I remember correctly. I'm pretty sure
> someone will be along to help you with this; if not, try posting a
> dmesg.

Ok. Thanks..

>> 2...Xorg is listening on port 6000. I don't need or want that. How to
>> disable?
>
> It doesn't actually accept data from anywhere unless you change things
> with xhost(1) and the like. In short, this is harmless.

Cool.

> The way to stop this is passing -nolisten tcp to the X binary (see
> Xserver(8)). How to do this will likely vary depending on how you start
> X (usually xinit or startx). This might break stuff, though.
>
> If you're really paranoid, you're better off configuring pf to block
> access.


I'm behind a router and the "Shields Up" test show no open ports.
Everything is stealth. https://www.grc.com/x/ne.dll?bh0bkyd2

Do I still need PF?

>> 3...'netstat -an' is showing my computer is listening on several ports
>> by default. How to disable sendmail etc?
>
> sendmail(8) doesn't accept data from outside either, at least not by
> default. See afterboot(8), under "Sendmail".

So it's okay to run sendmail for security reports etc?
What about syslogd?
On FreeBSD

syslogd_enable="YES"
syslogd_program="/usr/sbin/syslogd"
syslogd_flags="-ss"

syslogd_flags="-ss" will stop outside connections.
Does openbsd's syslog allow incoming connections?


> sshd(8) is also listening; make sure you either have a strong password
> for all relevant accounts or disallow password logins altogether.

I don't need sshd. How to disable? /etc/rc.conf sshd_enable=NO?

> The rest are run by inetd(8), see /etc/inetd.conf.

Since this is a desktop system. I can disable inetd?
I don't want any incoming connections to my computer from the outside. No telnet/sshd etc.

A fresh OpenBSD install disable these incoming connection by default unless you allow them?

> Relax. OpenBSD is secure by default.

Yes, that's why I chose it. My problem is that I don't know how to tweak the system
to make it secure. Jails/ and mandatory access control etc.

> P.S. What's with wrapping at 113 columns or some such nonsense? A
> classical terminal is 80 characters wide, so wrap at 72 columns or less
> to allow for some follow-ups.
> P.P.S. Welcome to OpenBSD! Feel free to post any questions you have
> either here or on misc@openbsd.org. Do read the FAQ, archives,
> afterboot(8), and any other relevant man pages first (man -k may be
> helpful). OpenBSD has very good documentation.

Sorry about the word wrap. I was using the default word wrap in PAN.
Hope I got that fixed.

Thanks for your help.

Tammy Lyn <Tlyn@notformail.com> wrote:
> On Fri, 09 May 2008 02:35:49 +0200, Joachim Schipper wrote:
>> Tammy Lyn <Tlyn@notformail.com> wrote:
>>> 2...Xorg is listening on port 6000. I don't (...) want that.
>>
>> It doesn't (...) accept data (...). [It] is harmless.

> Cool.

> I'm behind a router and the "Shields Up" test show no open ports.

> Do I still need PF?

No, you almost never need pf unless you are building a firewall. (Not
a ZoneAlarm-style "host-based firewall" - a real firewall.)

>>> 3...'netstat -an' is showing my computer is listening on several ports
>>> by default. How to disable sendmail etc?
>>
>> sendmail(8) doesn't accept data (...) by default.
>
> So it's okay to run sendmail for security reports etc?
> What about syslogd?
> On FreeBSD
>
> syslogd_enable="YES"
> syslogd_program="/usr/sbin/syslogd"
> syslogd_flags="-ss"
>
> syslogd_flags="-ss" will stop outside connections.
> Does openbsd's syslog allow incoming connections?

Yes, you will need to run sendmail to receive security reports and cron
output and the like. You can configure it to send to an external
mailserver, called a "smarthost" in sendmail terminology, but you'll
have to look the details up yourself - I never used sendmail.
Configuration files are under /usr/share/sendmail/cf.

syslogd(8) will only accept data from outside if you add "-u" to
syslogd_flags in /etc/rc.conf.local. (By convention, /etc/rc.conf holds
the defaults and a little documentation, and /etc/rc.conf.local holds
any local settings. This is analogous to how /etc/rc is the default
start script and /etc/rc.local holds local additions.)

>> sshd(8) is also listening; make sure you either have a strong password
>> for all relevant accounts or disallow password logins altogether.
>
> I don't need sshd. How to disable? /etc/rc.conf sshd_enable=NO?

sshd_flags=NO in /etc/rc.conf.local.

>> The rest are run by inetd(8), see /etc/inetd.conf.
>
> Since this is a desktop system. I can disable inetd?
> I don't want any incoming connections to my computer from the outside. No telnet/sshd etc.
>
> A fresh OpenBSD install disable these incoming connection by default unless you allow them?

Yes, you can disable inetd without problems. inetd=NO in
/etc/rc.conf.local.

By default, OpenBSD enables three services in /etc/inetd.conf

$ grep '^[^\#]' /etc/inetd.conf
ident stream tcp nowait _identd /usr/libexec/identd identd -el
ident stream tcp6 nowait _identd /usr/libexec/identd identd -el
daytime stream tcp nowait root internal
daytime stream tcp6 nowait root internal
time stream tcp nowait root internal
time stream tcp6 nowait root internal

identd can be used by external services to request which user opened a
connection. It is an old protocol. A few mail servers require it if you
want to send them messages (directly; you can always send mail via your
ISP or another mail service). Additionally, it is used by IRC.

You can add -h or -H (which hide information) or disable identd
altogether. It is pretty much only used in the above two cases, so feel
free to disable it.

daytime and time simply report the time. They are harmless, and can be
disabled without harm.

>> Relax. OpenBSD is secure by default.
>
> Yes, that's why I chose it. My problem is that I don't know how to
> tweak the system to make it secure. Jails/ and mandatory access
> control etc.

Very little tweaking is required unless you install (a lot) of
additional packages. The system is well-audited, presents few surfaces
for attack, and most important daemons run in a jail by default. (Apache
httpd and named, for instance.)
If you do install external packages, try to select secure packages and
configure them accordingly.

If, at some point, you do need to jail something, ktrace(1) can be
useful if it doesn't work. It shows you all system calls (filesystem
interactions etc) and their results, which can help in finding out that
some program tries to read a file you hadn't thought of. It can be
pretty verbose - grep for file-like things or system calls like open.

OpenBSD does not have a functional mandatory access control framework at
this time: securelevel 2 (see securelevel(7)) works as documented, but
there are quite a few ways around the documented functionality, and
systrace(8) is mostly functional but there are some rare cases in which
it is possible to alter the parameters of a system call after the system
call has been allowed by the systrace ruleset. In short, either have a
lot of limitations.
This is not seen as a big problem by most of the community - OpenBSD has
a secure kernel running secure binaries, and all of the standard *nix
security:
- pretty much each daemon has its own uid
- chroot() is used where appropriate
- many daemons that both interact with the network and need (root)
privileges have been implemented as two parts, one of which has no
privileges and one of which does not talk to the network. (Look at "ps
ax | grep ntpd" for an example, if you are running ntpd(8).)
- the base system, including external packages like httpd and named, has
been audited and secured as appopriate.

In addition, OpenBSD has some tricks that make it harder to exploit
common vulnerabilities (W^X, ProPolice, etc).

This is not OpenBSD-specific, but you should consider using sudo(8) for
almost all system administration tasks, instead of logging in as root or
su(8). Other than that, you are already pretty secure. Even swap is
encrypted by default! (Useful to make sure passwords etc. never touch
the disk.)

> Sorry about the word wrap. I was using the default word wrap in PAN.
> Hope I got that fixed.

Yes, you did. Thanks! And good luck, let us know if you have any more
trouble.

Joachim

Joachim Schipper <jdNoOtSPAMschipper@math.uu.nl> wrote:
> Tammy Lyn <Tlyn@notformail.com> wrote:
>> I don't want any incoming connections to my computer from the outside. No telnet/sshd etc.

>> Sorry about the word wrap. I was using the default word wrap in PAN.
>> Hope I got that fixed.
>
> Yes, you did. Thanks! And good luck, let us know if you have any more
> trouble.

Whoops, you only "mostly" did that. In your defence, I hit 'send' before
I noticed that I, too, had done it wrong.

Flame away!

Joachim

On Fri, 9 May 2008 04:48:43 +0200 (CEST),
Joachim Schipper <jdNoOtSPAMschipper@math.uu.nl> wrote:
>> I'm behind a router and the "Shields Up" test show no open ports.
>> Do I still need PF?
>
> No, you almost never need pf unless you are building a firewall. (Not
> a ZoneAlarm-style "host-based firewall" - a real firewall.)

Just to clarify: on a certain not to be taken seriously but despite
that widely (ab)used software platform, it turns out to be quite hard
to turn off unwanted services. Doing so anyway can cause all sorts of
side effects and nagging popups with conflicting messages, so the poor
uneducated user usually is beaten into not securing his machine.

``Firewalls'' have been touted as a solve-all for this. They're not, of
course, as the poor reporting and (again) uneducated user causes ``GWF''
syndrome. (Look up the ``GWF'' term. We've seen a few here also.)

Most modern unices are fine without a firewall, as long as you take care
and you know what you're doing.

There may still be reasons to use kernel level packet filtering, but it
is not a sine qua non of connecting a unix to the network. In fact, if
you have a working firewall configured ``in front'' of your machine,
it becomes desirable to not need yet another firewall due to the extra
maintenance.


--
j p d (at) d s b (dot) t u d e l f t (dot) n l .
This message was originally posted on Usenet in plain text.
Any other representation, additions, or changes do not have my
consent and may be a violation of international copyright law.

Hi!

Joachim Schipper <jdNoOtSPAMschipper@math.uu.nl> wrote:
>Tammy Lyn <Tlyn@notformail.com> wrote:
>> 1...My sound card is detected and works, however programs like
>> Xmms/Amarok will not allow me to use their volume controls, I'm
>> limited to the speaker volume controls. Both programs play and work
>> fine but I can't use the programs volume/equalizer controls.

>This is sound card specific, if I remember correctly. I'm pretty sure
>someone will be along to help you with this; if not, try posting a
>dmesg.

Right, for my sound card, mixer controls work (it's a "Ensoniq
AudioPCI97"). I usually control them with xmix (I'm old fashioned, you
see).

You get the relevant lines by opening /var/run/dmesg.boot, looking for
the line "audio0 at ..." (or if you have multiple audio cards, it might
also read audio1 at ... etc.). Then look backwards for the device name
following at.

My example is:

audio0 at eap0

Ok, looking backwards for eap0 at ...:

eap0 at pci0 dev 15 function 0 "Ensoniq AudioPCI97" rev 0x06: irq 11

ok, I can look forward after eap0 for a few bits of additional
information: the next two lines read like this:

ac97: codec id 0x43525913 (Cirrus Logic CS4297A rev 3)
ac97: codec features headphone, 20 bit DAC, 18 bit ADC, Crystal Semi 3D

In this case, the manual page (eap(4)) doesn't explicitly say that mixer
controls are supported quite well.

I used to have a gus(4), where mixer controls wouldn't work, volume
controls were at maximum always and I had to control the playback volume
at the stereo amplifier the soundcard was connected to.

>> 2...Xorg is listening on port 6000. I don't need or want that. How to
>> disable?

>It doesn't actually accept data from anywhere unless you change things
>with xhost(1) and the like. In short, this is harmless.

>The way to stop this is passing -nolisten tcp to the X binary (see
>Xserver(8)). How to do this will likely vary depending on how you start
>X (usually xinit or startx). This might break stuff, though.

I don't think it will, but I don't bother either.

>If you're really paranoid, you're better off configuring pf to block
>access.

I did:
block in quick on $ext_if proto tcp from any to any port 5999 >< 6011

(In a policy that allows only selected ports below 1024, blocks selected
ports >= 1024 and allows everything else >= 1024).

>> 3...'netstat -an' is showing my computer is listening on several ports
>> by default. How to disable sendmail etc?

>sendmail(8) doesn't accept data from outside either, at least not by
>default. See afterboot(8), under "Sendmail".

Dito, for being doubly safe, pf helps.

>sshd(8) is also listening; make sure you either have a strong password
>for all relevant accounts or disallow password logins altogether.

*nods* And sometimes it's useful (together with dyndns) :-)

>[...]

>P.S. What's with wrapping at 113 columns or some such nonsense? A
>classical terminal is 80 characters wide, so wrap at 72 columns or less
>to allow for some follow-ups.

The maximum line length of the original posting was 78 (question 2) in
my eyes. Not optimal, but not 113.

>[...]

Kind regards,

Hannah.

Hi!

Tammy Lyn <Tlyn@notformail.com> wrote:
>[...]

>> The way to stop this is passing -nolisten tcp to the X binary (see
>> Xserver(8)). How to do this will likely vary depending on how you start
>> X (usually xinit or startx). This might break stuff, though.

>> If you're really paranoid, you're better off configuring pf to block
>> access.

>I'm behind a router and the "Shields Up" test show no open ports.
>Everything is stealth. https://www.grc.com/x/ne.dll?bh0bkyd2

>Do I still need PF?

I don't think so (either). Except if you want to learn pf (out of pure
interest or whatever). :-)

>>> 3...'netstat -an' is showing my computer is listening on several ports
>>> by default. How to disable sendmail etc?

>> sendmail(8) doesn't accept data from outside either, at least not by
>> default. See afterboot(8), under "Sendmail".

>So it's okay to run sendmail for security reports etc?

Right, you need it for local mail to work and local mail is used for
daily/weekly/monthly reports to root (you can divert it by filling in
the appropriate aliases in /etc/mail/aliases; if you do so, don't forget
to run newaliases).

>What about syslogd?
>On FreeBSD

>syslogd_enable="YES"
>syslogd_program="/usr/sbin/syslogd"
>syslogd_flags="-ss"

>syslogd_flags="-ss" will stop outside connections.
>Does openbsd's syslog allow incoming connections?

OpenBSD syslogd *does* bind udp 514 (syslogd), but drops everything that
comes in, unless you explicitly tell it to record it (option -u, see
syslogd's manual page).

The manual page says about the socket:
syslogd opens an Internet domain socket as specified in /etc/services.
Normally syslogd will only use this socket to send messages outwards, but
in ``insecure'' mode it will also read messages from this socket.

>> sshd(8) is also listening; make sure you either have a strong password
>> for all relevant accounts or disallow password logins altogether.

>I don't need sshd. How to disable? /etc/rc.conf sshd_enable=NO?

Use /etc/rc.conf.local for your settings. Add sshd_flags=NO there.
I've found remote access to my home box useful sometimes, however, but
of course YMMV. If you're sure you'll never need remote access,
disabling sshd may be fine.

>> The rest are run by inetd(8), see /etc/inetd.conf.

>Since this is a desktop system. I can disable inetd?
>I don't want any incoming connections to my computer from the outside.
>No telnet/sshd etc.

For some applications you might want at least identd to work (e.g. some
IRC chat servers like identd). If so you might rather want to continue
running inetd, but comment everything but identd out from /etc/inetd.conf.
If you really want to disable inetd, use identd_flags=NO in
/etc/rc.conf.local.

> A fresh OpenBSD install disable these incoming connection by default
>unless you allow them?

There're some (quite few) connections that are enabled by default, see
the stock /etc/inetd.conf (you may save it for reference, or extract it
from the etc43.tgz set later, if you need the reference again).

>> Relax. OpenBSD is secure by default.

>Yes, that's why I chose it. My problem is that I don't know how to tweak
>the system
>to make it secure. Jails/ and mandatory access control etc.

I don't think you need to tweak so much. Jails are for when you have
multiple users, or network services, and want to heavily restrict the
local rights some have.

I think, for desktop use, the most important thing is, do your daily
stuff as non-root user and become root (using su or sudo) only if it's
really needed for some maintenance task.

>[...]

Kind regards,

Hannah.

On Fri, 09 May 2008 01:25:33 +0000, Tammy Lyn wrote:


> I'm behind a router and the "Shields Up" test show no open ports.
> Everything is stealth. https://www.grc.com/x/ne.dll?bh0bkyd2
>
> Do I still need PF?

you might try running nmap against your router from a machine on the net
and compare its results against the grc report...that might be more
reassuring

Hannah Schroeter <hu47121+nospam@usenet.kitty.sub.org> wrote:
> Joachim Schipper <jdNoOtSPAMschipper@math.uu.nl> wrote:
>>P.S. What's with wrapping at 113 columns or some such nonsense? A
>>classical terminal is 80 characters wide, so wrap at 72 columns or less
>>to allow for some follow-ups.
>
> The maximum line length of the original posting was 78 (question 2) in
> my eyes. Not optimal, but not 113.

I'm fairly certain there's some wrapping going on then. How long is this
line for you?

abcdefghi acbdefghi acbdefghi abcdefghi abcdefghi acbdefghi abcdefghi abcdefghi abcdefghi abcdefghi abcdefghij

I see one long (110-column) line.

Joachim

P.S. I am sorry not to add more content, but I'm afraid I'm out of good
tips. Sorry...