I just read on Slashdot that [ OpenBSD 3.7 was just released ]. I quickly checked the announcement, but unfortunately it seems that the auto-update feature is still being developed. This was my main reason for migrating from OpenBSD to Debian: updating existing packages took too much time and was very disruptive to whatever I was doing. With Debian, the server is able to update itself automatically whenever new updates are released, so I can spend my time on other, more important things.
Don’t get me wrong: I still respect OpenBSD and its developers very much. This is because I’ve found out what I would have to do to bring Debian/Linux up to OpenBSD’s security level, and it’s plain mind-boggling. The difference is quite huge.
Simply put, I’m only able to sleep easier at night because I’ve put up a firewall and locked down open ports as tightly as I could. But if an attacker ever manages to get shell access, I don’t think it will take much time to escalate it to root privileges. There is just too much software on my Debian server that isn’t as hardened as the equivalent in OpenBSD’s software collection.
There was an easier way to bring Linux’s security level closer to OpenBSD’s, thanks to the grsecurity project. But it was still hard to implement, it broke many things, and unfortunately the project has since been shut down. A lot of professional admins, especially in the webhosting community, mourned its death.
With OpenBSD, you get the excellent security out of the box. It’s as convenient as it can be.
Security (and doing things [ the Right Way ]) is still a trade-off with convenience, though. Things tend to work differently, and to be harder and/or more cumbersome, on OpenBSD.
If you think administering Linux is already hard, I’ll frankly tell you to stay away from OpenBSD (for now) to save you from wasting your own time. But if you appreciate the peace of mind given by a secure system, then you’ll love OpenBSD and will be able to adapt to its differences.
But don’t lose your alertness yet. Even with OpenBSD, you can still be hacked.
For example, if you host websites running insecure scripts (PHP, Perl, etc.), then you WILL be hacked. I know because my server was hacked too. Even though the attacker won’t be able to get out of the chroot jail (Apache runs chroot-ed on OpenBSD), the attacker will still be able to destroy all of your websites!
In my case, I was saved by mod_security and suphp, even though I’m using Debian instead of OpenBSD. mod_security enabled me to chroot Apache easily on any OS (including Debian), and it does other great things, including firewalling the HTTP requests. And suphp restrained the attacker even further by limiting his/her access to the privileges of the vulnerable script’s owner, not Apache’s.
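As an added illustration (not configuration from the original post, nor from the mod_security or suPHP projects), the fragment below shows the shape of the two defences the paragraph above describes on a Debian host of that era: the ModSecurity 1.x directive set (SecChrootDir, SecFilter*; ModSecurity 2.x later replaced these with SecRule) that chroots Apache and rejects obviously hostile requests, and mod_suphp settings that execute each site’s PHP as the site owner’s account instead of the Apache user. The jail path, log path, virtual host name, document root and the `site1` account are constructed placeholders.

```apache
# Added example, not configuration from the original post.
# All paths, users and host names below are constructed placeholders.

<IfModule mod_security.c>
    # Chroot the running Apache into a jail directory. The jail must already
    # contain everything the scripts need (shared libraries, php-cgi, etc.).
    SecChrootDir /var/chroot/apache

    # Request filtering, including POST bodies and URL-encoding validation.
    SecFilterEngine On
    SecFilterScanPOST On
    SecFilterCheckURLEncoding On

    # Any matching filter is logged and answered with HTTP 403.
    SecFilterDefaultAction "deny,log,status:403"

    # Reject classic web-script abuse: directory traversal in any part of
    # the request, an http:// URL passed as a script argument (remote file
    # inclusion), and shell metacharacters in the query string.
    SecFilter "\.\./"
    SecFilterSelective "ARGS" "^https?://"
    SecFilterSelective "QUERY_STRING" "[;|`]"

    # Audit only the requests that triggered a filter, for later forensics.
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/apache2/modsec_audit.log
</IfModule>

<VirtualHost *:80>
    # Constructed placeholder host and document root.
    ServerName example-site.invalid
    DocumentRoot /var/www/example-site

    <IfModule mod_suphp.c>
        # PHP is run through php-cgi under the uid/gid of the site owner
        # (constructed account "site1"), so a compromised script can only
        # touch that one site's files, not every vhost the Apache user can read.
        suPHP_Engine on
        suPHP_UserGroup site1 site1
        AddHandler x-httpd-php .php
        suPHP_AddHandler x-httpd-php
    </IfModule>
</VirtualHost>
```

The privilege separation only holds if suPHP’s own `suphp.conf` keeps `min_uid` and `min_gid` above the system-account range, so that no document root can be made to execute scripts as root or a service account; the chroot, likewise, protects only what is outside the jail, which is exactly why the attacker in the post could still wipe every site living inside it.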
I still use Debian because in my case I’m happy with its security level and I need apt’s superior updating capability. But once OpenBSD provides excellent package management facility as well, then I’ll be very tempted to move to it.
note:
very useful comment on [ OpenBSD life-cycle ] – the team officially supports the current version and the previous version. But I’m glad to know that it’s quite easy to update your existing OpenBSD installation to the current version.
note/2:
here’s my previous post on [ OpenBSD 3.6 ]
Hi.
You wrote: “There are just too many software in my Debian server that’s not as hardened as the ones in OpenBSD’s software collection.”
This is a misunderstanding.
None of the software packages in OpenBSD’s package/ports collection are in any way hardened by the OpenBSD team.
Hi Rico, many packages/ports have default settings which are secure.
This is also why they can be pretty hard to set up, since gaining such security sometimes sacrifices ease of use.
Also, many are chrooted, and this is more secure as well.
Yes! It’s true it can happen even with OpenBSD, and you can still be hacked, but not easily.