OpenBSD
btw, communities added to channel description:

@openbsd_en
@openbsd_ru

#community
Setup environment in OpenBSD using Ansible playbook (2018).

This repository contains an Ansible playbook and set of roles for configuring an OpenBSD installation on a ThinkPad X1 Carbon laptop: https://github.com/ligurio/openbsd-cookbooks

#ansible
OpenBSD and you.

How to have fun with the world’s most important free software project: https://home.nuug.no/~peter/openbsd_and_you/#1
10 projects to start contributing to OpenBSD.

You're already reading tech@ and source-changes@ and still don't know where to invest your energy? You have been applying diffs from developers for some time and would like to try something new? Or maybe you're looking for a subject for this semester's project?

https://www.grenadille.net/post/2019/10/21/10-projects-to-start-contributing-to-OpenBSD

#contribute #develop
CVE-2019-8460.

Reuven Plevinsky and Tal Vainshtein of Check Point Software Technologies Ltd. discovered that OpenBSD kernel (all versions, including 6.5) can be forced to create long chains of TCP SACK holes that cause very expensive calls to tcp_sack_option() for every incoming SACK packet which can lead to a denial of service.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8460

#security #cve
Humble Book Bundle: Linux & BSD Bookshelf by No Starch Press.

https://www.humblebundle.com/books/linux-bsd-bookshelf-2019-books

#book
Blocking Ads using unbound(8) on OpenBSD.

Here’s how to add an extra layer of privacy using OpenBSD and its unbound(8) DNS resolver.

https://www.tumfatig.net/20190405/blocking-ads-using-unbound8-on-openbsd/

#unbound
The OpenBSD Hypervisor in the wild, a short story.

OpenBSD Amsterdam started in the summer of 2018 after a poll on Twitter as an idea to start testing with vmm(4)/vmd(8). Mostly to see how far we could take it and more importantly to give back to the project. Little did we know where it would take us.

During this talk I will outline how it all started, how it’s built, how we operate the platform and what speedbumps we encountered.

https://www.youtube.com/watch?v=9TuWCR9X-wY

#video #vmd
Protect the ESXi virtual machines with OpenBSD

I own a server at Online.net which now runs VMware ESXi free edition. The thing is VMs have to access the Wild Wild Web and provide public services while still being protected. So let’s configure OpenBSD to do so.

https://www.tumfatig.net/20191031/protect-the-esxi-virtual-machines-with-openbsd/

#security
Mailsignup

Mailsignup is a Python script for creating virtual email accounts on the OpenBSD system from user input on a given port.

https://gitlab.com/freecypher/mailsignup

#email
OpenBSD on Google Compute Engine.

This tutorial outlines a simple way to get OpenBSD working on GCE, utilizing only OpenBSD to create the image and send up into gcloud.

https://www.findelabs.com/post/openbsd-on-gce/

#gce #gcloud
BSD, C, httpd, SQLite.

BCHS is an open source software stack for web applications. To prepare a BCHS environment, install OpenBSD, start your editor of choice, and get to work. https://learnbchs.org/index.html

#bchs
OpenBSD & WireGuard VPN.

WireGuard VPN Server on a Cloud VPS on OpenBSD 6.6 with Full Disk Encryption.

https://www.cryptsus.com/blog/wireguard-vpn-privacy-server-on-a-vultr-cloud-vps-on-openbsd-6.6-with-full-disk-encryption.html

#wireguard #vpn
syscall call-from verification

The following change only permits system calls from address-ranges in the process which system calls are expected from.

If you manage to upload exploit code containing a raw system call sequence and instruction, and mprotect -w+x that block, such a system call will not succeed but the process is killed. This obliges the attacker to use the libc system call stubs, which in some circumstances are difficult to find due to libc random-relinking at boot...

https://marc.info/?l=openbsd-tech&m=157488907117170

#syscall
rcctl-stat.

See which services are enabled in OpenBSD. https://github.com/dantecatalfamo/rcctl-stat

#github #rcctl
pkg_ping.

Determines and prints or writes the fastest OpenBSD mirror for "/etc/installurl". https://github.com/lukensmall/pkg_ping

#github #pkg
Authentication vulnerabilities in OpenBSD.

We discovered an authentication-bypass vulnerability in OpenBSD's authentication system: this vulnerability is remotely exploitable in smtpd, ldapd, and radiusd, but its real-world impact should be studied on a case-by-case basis. For example, sshd is not exploitable thanks to its defense-in-depth mechanisms.

https://www.openwall.com/lists/oss-security/2019/12/04/5

#security
attention please: host's IP stack behavior got changed slightly.

A commit from today [1] makes the IP stack more paranoid. Up to now OpenBSD implemented the so-called 'weak host model' [2]. Today's commit alters that for hosts which don't forward packets (don't act as routers)...

https://undeadly.org/cgi?action=article;sid=20191209024432

#network