Contributed by jason on from the paranoia-can-be-fun dept.
ITILGuy wrote in with a reference to Peter Hansteen's blog about coordinated botnets. According to Peter and his colleagues at FreeCode, it appears that not only are these distributed brute-force attacks becoming more cagey at staying below intrusion-detection thresholds, but they are also adapting by avoiding difficult targets such as OpenBSD.
Peter Hansteen is the author of Firewalling with PF, an excellent supplementary text to the OpenBSD PF FAQ.
By Anonymous Coward (213.227.184.100) on
Now OpenBSD is out of the loop: the other UNIXes must come up with their own security cleverness. If this happens (I'm sure it can), will it trickle down to OpenBSD?
OpenBSD could be left in a strange situation because of this.
By tedu (udet) on
> Now OpenBSD is out of the loop: the other UNIXes must come up with their own security cleverness. If this happens (I'm sure it can), will it trickle down to OpenBSD?
No, cleverness invented elsewhere can not trickle down to OpenBSD.
By raw foo(d) (80.249.194.29) on
Yes, it is evident that it can't. Want an example? ZFS.
By Anonymous Coward (150.101.245.181) on
Good ideas can come from anywhere, even proprietary software. Licensing issues aside, the code itself will probably not come from anywhere else - look at the quality of code in OpenBSD and look at the quality of code in other projects. Most projects don't write their code defensively or with simplicity in mind, so OpenBSD devs are going to be far more hesitant at including it.
By Anonymous Coward (59.167.252.29) on
>
> Yes, it is evident that it can't. Want an example? ZFS.
An isolated case of avoiding something for specific reasons equates to an inability to import cleverness to OpenBSD, period?
You have options. If you want ZFS, use something else. If you want ZFS in OpenBSD, do it yourself. If you want some ZFS features in OpenBSD, you could wait to see what might happen with HAMMER.
Trying to put the developers and project down, because they choose to not incorporate ZFS, is not a valid option. It will not get you what you want and only makes you look like an arse.
By raw foo(d) (80.249.194.29) on
By Anonymous Coward (59.167.252.29) on
Okay. You continued with the word "can't" but it didn't seem like you were using it with sarcasm.
In a perfect World, people would do nothing less than appreciate the efforts of those who are happy to give so selflessly.
Sly remarks about a free system not matching exactly what you want, only serve to be detrimental.
The project won't budge on licence and their ideals, and for that I am glad. I use ZFS at work, but if I don't get it in OpenBSD, that's fine. If I get something better some day in OpenBSD, then brilliant. They have a habit of doing that and it has shown to be worth the wait.
I sure won't complain about what gets given to me for nothing.
By Bees (84.75.23.135) on
The OpenBSD community is not only hardening their OS, they are also hardening their members.
By Anonymous Coward (150.101.245.181) on
Yeah, I've often considered this to be a byproduct of heavy flaming when clueless users do clueless things. Either they learn, or they leave.
By Anonymous Coward (80.37.248.67) on
By Anonymous Coward (203.20.78.196) on
0_o
By Anonymous Coward (128.171.90.200) on
>
> 0_o
>
Hopefully that should scare off intruders.
By Anonymous Coward (216.167.201.130) on
That's what she said!
By Srikant (122.169.127.46) on
OS detection can be misled in some cases. If OpenBSD starts getting left alone, very soon, other OSes may try mimicking it. I don't know the difficulty level of doing this. But as a result, botnets will drop this privilege given to OpenBSD. We are then back to square zero. So, instead of bothering about who endorses OpenBSD's security, let us just keep our systems secure and sleep well.
By Anonymous Coward (212.20.215.132) on
> We are then back to square zero.
I think that's square one, but whatever the square, the only thing really affected by this is our logs. I'm pretty sure it won't affect my sleep.
An interesting read, nevertheless.
By pepo (190.76.20.225) on
> > We are then back to square zero.
>
> I think that's square one, but whatever the square, the only thing really affected by this is our logs. I'm pretty sure it won't affect my sleep.
>
> An interesting read, nevertheless.
>
> the only thing really affected by this is our logs
LOL
By Anonymous Coward (203.20.78.196) on
From: http://www.openssh.org/portable.html
"Portable releases are marked with a 'p' (e.g. 4.4p1)."
A script could simply skip any server which lacks the 'p' perhaps?
By Srikant (210.211.128.226) on
By Anonymous Coward (2001:1938:30f:dead:21f:3bff:fe03:b159) on
>
> OS detection can be misled in some cases. If OpenBSD starts getting left alone, very soon, other OSes may try mimicking it. I don't know the difficulty level of doing this. But as a result, botnets will drop this privilege given to OpenBSD. We are then back to square zero. So, instead of bothering about who endorses OpenBSD's security, let us just keep our systems secure and sleep well.
>
> From: http://www.openssh.org/portable.html
>
> "Portable releases are marked with a 'p' (e.g. 4.4p1)."
>
>
> $ telnet OpenBSD.Host 22
> Trying OpenBSD.Host...
> Connected to OpenBSD.Host.
> Escape character is '^]'.
> SSH-2.0-OpenSSH_5.1
>
>
> A script could simply skip any server which lacks the 'p' perhaps?
>
This is way too unreliable of a test.
$ telnet www.kernel.org 22
Trying 149.20.20.133...
Connected to www.kernel.org.
Escape character is '^]'.
SSH-2.0-OpenSSH_5.1
$ telnet www.slackware.com 22
Trying 64.57.102.34...
Connected to www.slackware.com.
Escape character is '^]'.
SSH-2.0-OpenSSH_4.9
$ telnet www.debian.org 22
Trying 194.109.137.218...
Connected to www.debian.org.
Escape character is '^]'.
SSH-2.0-OpenSSH_4.3p2 Debian-9etch3
$ telnet www.ubuntu.com 22
Trying 91.189.94.9...
Connected to www.ubuntu.com.
Escape character is '^]'.
SSH-2.0-OpenSSH_4.7p1 Debian-12ubuntu1.CAT.8.04
By Anonymous Coward (78.21.21.141) on
>
> $ telnet www.kernel.org 22
> Trying 149.20.20.133...
> Connected to www.kernel.org.
> Escape character is '^]'.
> SSH-2.0-OpenSSH_5.1
>
> $ telnet www.slackware.com 22
> Trying 64.57.102.34...
> Connected to www.slackware.com.
> Escape character is '^]'.
> SSH-2.0-OpenSSH_4.9
Nah, they secretly all run OpenBSD ;-)
By Anonymous Coward (129.174.112.141) on
> >
> > $ telnet www.kernel.org 22
> > Trying 149.20.20.133...
> > Connected to www.kernel.org.
> > Escape character is '^]'.
> > SSH-2.0-OpenSSH_5.1
> >
> > $ telnet www.slackware.com 22
> > Trying 64.57.102.34...
> > Connected to www.slackware.com.
> > Escape character is '^]'.
> > SSH-2.0-OpenSSH_4.9
>
> Nah, they secretly all run OpenBSD ;-)
The main OpenBSD hosting, after all, is on Solaris.
By Anonymous Coward (85.158.44.149) on
s/is/was/
By Anonymous Coward (81.83.46.237) on
>
> s/is/was/
Netcraft detects OpenBSD too.
http://toolbar.netcraft.com/site_report?url=http://www.openbsd.org
By Anonymous Coward (65.93.7.167) on
> > >
> > > $ telnet www.kernel.org 22
> > > Trying 149.20.20.133...
> > > Connected to www.kernel.org.
> > > Escape character is '^]'.
> > > SSH-2.0-OpenSSH_5.1
> > >
> > > $ telnet www.slackware.com 22
> > > Trying 64.57.102.34...
> > > Connected to www.slackware.com.
> > > Escape character is '^]'.
> > > SSH-2.0-OpenSSH_4.9
> >
> > Nah, they secretly all run OpenBSD ;-)
>
> The main OpenBSD hosting, after all, is on solaris.
*yawn*
http://openbsd.org/faq/faq8.html#wwwsolaris
By Renaud Allard (renaud) on
> Trying 149.20.20.133...
> Connected to www.kernel.org.
> Escape character is '^]'.
> SSH-2.0-OpenSSH_5.1
>
> $ telnet www.slackware.com 22
> Trying 64.57.102.34...
> Connected to www.slackware.com.
> Escape character is '^]'.
> SSH-2.0-OpenSSH_4.9
>
> $ telnet www.debian.org 22
> Trying 194.109.137.218...
> Connected to www.debian.org.
> Escape character is '^]'.
> SSH-2.0-OpenSSH_4.3p2 Debian-9etch3
>
> $ telnet www.ubuntu.com 22
> Trying 91.189.94.9...
> Connected to www.ubuntu.com.
> Escape character is '^]'.
> SSH-2.0-OpenSSH_4.7p1 Debian-12ubuntu1.CAT.8.04
>
What you pointed out is why botnets try to evade OpenBSD hosts, because most OpenBSD administrators care about security. The telnet to port 22 verifying that it shows a "p" in the answer works on most hosts except those where the admin cares about security and changed the source to hide them (although security through obscurity is probably not a good idea). They don't care if it doesn't work with your particular host, as long as it works with 70%-90% of the others. If you took the time to modify the source to not show the "p", then you probably chose a good password too, so it is useless to keep trying on this one with basic attacks.
In fact, your test really showed how this "p" test is reliable. You checked on 4 of the biggest sites where admins are more than probably very competent and got 50% success.
By Anonymous Coward (2001:1938:30f:dead:21f:3bff:fe03:b159) on
> In fact, your test really showed how this "p" test is reliable. You checked on 4 of the biggest sites where admins are more than probably very competent and got 50% success.
>
An older stock install of OpenSuse has "SSH-1.99-OpenSSH_4.6" -- I doubt suse guys patch their sshd specifically to deter 'smart' botnets.
By Damien Miller (djm) on http://www.mindrot.org/~djm/
Not in the server banner - we stopped doing that a couple of years back.
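The thread above argues about how much an sshd identification banner gives away: the portable "p" marker, a distribution tag such as "Debian-9etch3", or a protocol-1.99 fallback. The following is an added example, not code from the thread or from the OpenSSH project, that a defender can run against their own hosts' banners to see exactly what they disclose. It parses the identification string in the RFC 4253 shape (SSH-protoversion-softwareversion SP comments) and buckets it the way the thread's "p" test would, while keeping the caveat the telnet results and djm's reply make clear: "unmarked OpenSSH" is not the same as "OpenBSD". The sample banners are the ones quoted in the thread plus two constructed ones; the function names (parse_banner, classify, disclosures, audit) are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# RFC 4253 section 4.2: the identification string is
#   SSH-protoversion-softwareversion SP comments CR LF
# "comments" is optional and the whole line is at most 255 bytes including CR LF.
_BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
# OpenSSH's softwareversion is OpenSSH_<release>, with a trailing p<N> on portable builds.
_OPENSSH_RE = re.compile(r"^OpenSSH_(?P<version>\d+\.\d+(?:\.\d+)?)(?P<portable>p\d+)?$")


@dataclass
class SshBanner:
    raw: str
    proto: str                      # "2.0", or "1.99" when protocol 1 is also offered
    software: str                   # the softwareversion field, e.g. "OpenSSH_4.3p2"
    comments: Optional[str]         # e.g. "Debian-9etch3", None when absent
    openssh_version: Optional[str]  # "4.3" for OpenSSH_4.3p2, None for other software
    portable: Optional[str]         # "p2" for OpenSSH_4.3p2, None when no marker


def parse_banner(raw: str) -> SshBanner:
    """Parse one server identification line as it arrives on port 22."""
    line = raw.rstrip("\r\n")
    if len(line.encode("utf-8", "replace")) > 253:  # 255 minus CR LF
        raise ValueError("identification string exceeds the RFC 4253 length limit")
    m = _BANNER_RE.match(line)
    if m is None:
        raise ValueError(f"not an SSH identification string: {line!r}")
    version = portable = None
    o = _OPENSSH_RE.match(m.group("software"))
    if o is not None:
        version, portable = o.group("version"), o.group("portable")
    return SshBanner(line, m.group("proto"), m.group("software"),
                     m.group("comments"), version, portable)


def classify(banner: SshBanner) -> str:
    """Bucket a banner the way the thread's 'p' test does. 'openssh-unmarked' only
    means the marker is absent; kernel.org and slackware above show it is not OpenBSD-only."""
    if banner.openssh_version is None:
        return "other"
    return "openssh-portable" if banner.portable else "openssh-unmarked"


def disclosures(banner: SshBanner) -> List[str]:
    """What a banner hands to any client beyond the bare protocol version."""
    notes = []
    if banner.openssh_version:
        notes.append(f"OpenSSH release {banner.openssh_version}")
    if banner.portable:
        notes.append(f"portable build ({banner.portable}), so not OpenBSD's native sshd")
    if banner.comments:
        notes.append(f"distribution tag {banner.comments!r}")
    if banner.proto == "1.99":
        notes.append("protocol 1 compatibility is advertised")
    return notes


def audit(raw_lines: List[str]) -> Dict[str, List[str]]:
    """Group captured banners by classification; unparseable lines are kept, not dropped."""
    groups: Dict[str, List[str]] = {}
    for raw in raw_lines:
        try:
            b = parse_banner(raw)
        except ValueError:
            groups.setdefault("unparseable", []).append(raw.rstrip("\r\n"))
            continue
        groups.setdefault(classify(b), []).append(b.software)
    return groups


# Banners quoted in the thread, plus two constructed lines (the last two) covering a
# non-OpenSSH server and a line that is not SSH at all.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_5.1\r\n",                              # www.kernel.org (thread)
    "SSH-2.0-OpenSSH_4.9\r\n",                              # www.slackware.com (thread)
    "SSH-2.0-OpenSSH_4.3p2 Debian-9etch3\r\n",              # www.debian.org (thread)
    "SSH-2.0-OpenSSH_4.7p1 Debian-12ubuntu1.CAT.8.04\r\n",  # www.ubuntu.com (thread)
    "SSH-1.99-OpenSSH_4.6\r\n",                             # OpenSuse banner quoted in the thread
    "SSH-2.0-dropbear_2019.78\r\n",                         # constructed: non-OpenSSH server
    "HTTP/1.0 400 Bad Request\r\n",                         # constructed: not SSH at all
]

if __name__ == "__main__":
    for raw in SAMPLE_BANNERS:
        try:
            b = parse_banner(raw)
        except ValueError as e:
            print(f"{raw.strip()!r}: {e}")
            continue
        print(f"{b.raw!r}: {classify(b)}; discloses: {', '.join(disclosures(b)) or 'nothing extra'}")
    print(audit(SAMPLE_BANNERS))
```

Run it as-is to see the thread's four telnet results classified two-and-two, which is the 50% the Renaud Allard reply refers to; feed it your own hosts' banners (for example captured from your own connection logs) to see whether the distribution tag or the protocol-1.99 fallback is something you still want advertised.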