Archive for the ‘OpenBSD’ Category

OpenBSD - Episode 4 - Apache, MySQL, PHP

Saturday, July 12th, 2008

Ok, so it took longer than I expected…

But in the end, the process was exceedingly easy.

I’d like to thank toeknee over at h00d.org for his awesome post, “OAMP on OpenBSD 4.2 (OpenBSD, Apache, MySQL 5.0 & PHP5)” which basically walked me through the process.

Before finding toeknee’s article, I was trying to manually install Apache.

After a few hours of banging on the keyboard, I realized… like an idiot… that OpenBSD comes with a chrooted Apache install…

Ok… RTFM, Bill.

Next, all I had to do was get MySQL and PHP working.

Toeknee’s page was perfect.

There are a few changes between 4.2 and 4.3 with regards to activating MySQL for PHP, but after doing pkg_add, the instructions were quite clear.

I had no problem getting Apache to start at boot, but I couldn’t get MySQL to start at boot. There was no real error message. When the server would boot, you could see MySQL being started, but then immediately it would shut down.

No worries. I just started it by hand, and linked the socket over to the chroot:

/usr/local/bin/mysqld_safe --user=_mysql --log
ln -f /var/run/mysql/mysql.sock /var/www/var/run/mysql/mysql.sock

Installing and configuring an instance of WordPress was a breeze.

Sweet… I’m sure I’ll play around with this box some more. Perhaps putting known-vulnerable apps on it to test web-penetration testing tools.

I like OpenBSD. It’s been a fun project. Now, if I can just get my boss to consider anything that isn’t M$FT…

Bill

OpenBSD - Episode 3 - Installing applications

Tuesday, May 20th, 2008

Installing applications

Out of the box, there’s no nifty graphical package installer in OpenBSD.

Installation can be performed by two methods:
1) The traditional method of building from source and installing
2) Downloading and installing pre-built binaries from CD or over the Web

For my experimenting, I’ll be installing binaries.

Though the absence of a package manager may seem a bit burdensome, the reality is that OpenBSD, IMHO, is best suited for a server environment where the number of installed packages should be quite small.

The bare-bones install of OpenBSD is very thin, requiring little more than is needed to get the host to boot a kernel.

From a security perspective, this is a bonus. Smaller install set = smaller attack surface.

The other thing I like is that it’s pretty easy to script the installation of packages, greatly simplifying the process of creating standard builds for web servers, database servers, etc.

Purchasing copies of the CDs helps to support the project, and packages can be installed directly from CD.

I don’t have the CDs, so I’ll be installing from the Web.

The overall process is pretty straightforward:
1) Select an FTP mirror
2) Identify the package(s) to install
3) Use the pkg_add command to install

From scratch, here’s the process for installing the latest pre-built nmap package:

# ftp -4 -V ftp://ftp.openbsd.org/pub/OpenBSD/4.3/packages/i386/index.txt
100% |**************************************************| 105 KB 00:01
# grep nmap index.txt
nmap-4.53.tgz
nmap-zenmap-4.53.tgz
# pkg_add ftp://ftp.openbsd.org/pub/OpenBSD/4.3/packages/i386/nmap-4.53.tgz
lua-5.1.2p1: complete
libdnet-1.10p2: complete
nmap-4.53: complete
# nmap -p80 localhost

Starting Nmap 4.53 ( http://insecure.org ) at 2008-05-20 04:18 EDT
Interesting ports on bsdvm.localdomain (127.0.0.1):
PORT STATE SERVICE
80/tcp closed http

Nmap done: 1 IP address (1 host up) scanned in 0.334 seconds
#
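The three steps above lend themselves to scripting for a standard build. The sketch below is an added example, not code from the original post: it resolves a fixed list of package names against index.txt and prints the exact pkg_add commands. The function names and the sample index are constructed for illustration; the mirror URL is the one used in the session.

```shell
#!/bin/sh
# Added example: resolve a fixed list of package stems to exact pkg_add commands.
MIRROR="ftp://ftp.openbsd.org/pub/OpenBSD/4.3/packages/i386"   # URL from the post

# resolve_pkg STEM INDEX: print the single file named STEM-<version>.tgz.
# The version must start with a digit, so "nmap" does not also select
# "nmap-zenmap-4.53.tgz" the way `grep nmap index.txt` does. Flavoured
# packages (name-version-flavour.tgz) are deliberately not matched.
resolve_pkg() {
    awk -v stem="$1" '
        index($0, stem "-") == 1 {          # literal prefix: "gtk+2" needs no escaping
            rest = substr($0, length(stem) + 2)
            if (rest ~ /^[0-9][^-]*\.tgz$/) { hit = $0; n++ }
        }
        END { if (n == 1) { print hit; exit 0 }
              exit (n == 0 ? 1 : 2) }       # 1 = not found, 2 = ambiguous
    ' "$2"
}

# build_plan INDEX STEM...: print one "pkg_add <url>" line per stem. If any
# stem fails to resolve, print nothing and return 1 (no half-built hosts).
build_plan() {
    index=$1; shift
    plan=""
    for stem in "$@"; do
        file=$(resolve_pkg "$stem" "$index") || {
            echo "build_plan: cannot resolve '$stem'" >&2; return 1; }
        plan="${plan}pkg_add ${MIRROR}/${file}
"
    done
    printf '%s' "$plan"
}

# Constructed stand-in for index.txt; the names come from the session above.
sample_index() {
    printf '%s\n' libdnet-1.10p2.tgz lua-5.1.2p1.tgz \
        nmap-4.53.tgz nmap-zenmap-4.53.tgz
}

idx=$(mktemp) && sample_index > "$idx"
build_plan "$idx" nmap lua    # dry run: prints the commands, installs nothing
rm -f "$idx"
```

Plain FTP offers no integrity protection, so review the printed plan before piping it to a root shell.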

For some reason, I was having trouble connecting to FTP servers… I kept getting the following error:
435 Can’t build data connection: illegal port number

I suspect the reason is the network I’m on, but who knows.

I also found that many of the mirrors didn’t have the latest 4.3 builds, which may not be too surprising as 4.3 was released only a few weeks ago.

Identifying what is installed

Ok, so now I know how to install, how do I tell what’s on my box?

The pkg_info command will list all packages installed on the host.

For example:

# pkg_info
atk-1.20.0p0 accessibility toolkit used by gtk+
cairo-1.4.14 vector graphics library
desktop-file-utils-0.14p1 utilities for 'desktop' entries
...

For further information on a package, you can:

# pkg_info <pkg name>

This will give detailed information about a package, including its full version (if it can be determined) and any dependencies…

For example:

# pkg_info tiff
Information for inst:tiff-3.8.2p0

Comment:
tools and library routines for working with TIFF images

Required by:
gtk+2-2.12.7

Description:
This software provides support for the Tag Image File Format (TIFF), a widely used format for storing image data.


...

Maintainer: The OpenBSD ports mailing-list <ports@openbsd.org>
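Since a small install set is the point, the pkg_info listing can also be checked against an approved baseline to spot packages that should not be on a server. This is an added example, not part of the original post; the function names, the baseline contents and the nmap description line are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag installed packages that are not in an approved baseline.

# installed_stems: read `pkg_info` output on stdin and print each package
# name with its trailing -<version> removed (tiff-3.8.2p0 -> tiff).
installed_stems() {
    awk 'NF { name = $1; sub(/-[0-9][^-]*$/, "", name); print name }' | sort -u
}

# unexpected_packages BASELINE: print installed stems missing from BASELINE
# (one stem per line, "#" comments allowed). Returns 1 if any are found.
unexpected_packages() {
    installed_stems | awk -v base="$1" '
        BEGIN { while ((getline line < base) > 0) if (line !~ /^(#|$)/) ok[line] = 1 }
        !($0 in ok) { print; drift = 1 }
        END { exit drift + 0 }'
}

# Constructed pkg_info output; the first three lines are from the listing above.
sample_pkg_info() {
    cat <<'EOF'
atk-1.20.0p0 accessibility toolkit used by gtk+
cairo-1.4.14 vector graphics library
desktop-file-utils-0.14p1 utilities for 'desktop' entries
nmap-4.53 scan ports and fingerprint stack of network hosts
tiff-3.8.2p0 tools and library routines for working with TIFF images
EOF
}

base=$(mktemp)    # hypothetical baseline for a host that should not carry nmap
printf '%s\n' '# approved packages' atk cairo desktop-file-utils tiff > "$base"
sample_pkg_info | unexpected_packages "$base" || echo "drift: see names above"
rm -f "$base"
```

On a live host the input would be `pkg_info | unexpected_packages <baseline file>`, with the baseline kept under change control.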

The documentation is quite extensive, and I recommend reading the FAQ and the MAN pages.

I certainly haven’t made it through all the documentation yet :)

Next time, getting Apache, PHP, and MySQL running…

Bill

OpenBSD - Episode 2 - Getting up and running

Wednesday, May 14th, 2008

I’ve heard that getting OpenBSD installed and running can be intense.

I reserve judgment until I am able to actually try the installation a few times on bare metal.

For now, I want to set this puppy up in a virtual machine.

Here’s my rig:

  • HP Pavilion DV5224nr Laptop with AMD Turion 64 Mobile, 2 GHz processor with 1 GB Ram.
  • Microsoft Windows XP (32bit) Professional, fully patched.
  • VMWare Server 1.0.5 build 80187

Ok, so I’m ready to go.

Doing some quick Googling, I came across a very good, short OpenBSD on VMWare how-to by Jan Exß.

I downloaded the latest OpenBSD (4.3) installer ISO from one of the many mirrors. There were many iso images, the file I nabbed was openbsd-install43.iso.

Then I got down to work using Jan’s recommended settings.

I followed the instructions pretty much 100% with a few exceptions. Notably, I didn’t install all the packages he described on the Installation page. I also set up the NIC a little differently.

I wanted the install to be relatively thin, and I also wanted to reserve some packages out so that I can get experience with installing them later, when the excitement wears off.

In the end, I completed all the tasks up to the top of the Applications page.

Reboot, and presto! OpenBSD 4.3.

[Image: OpenBSD 4.3 Splash Screen]

Sweet.

I banged around in the terminal a bit, just enough to realize that things weren’t as different as I thought they’d be.

I know the machine isn’t doing much at the moment, but I’m surprised how fast it responds considering it’s only allocated 512 MB ram, and is running in a VM…

Current impression: Sweet! This hasn’t been as challenging as I thought it would be. Let’s see how things go from here.

Stay tuned for the next episode - Installing Applications…

OpenBSD - Episode 1

Monday, May 12th, 2008

OpenBSD

For years I’ve heard about the mythical OpenBSD.

While getting my Master’s Degree in Information Security, one of my professors remarked, “Out of the box, OpenBSD is widely considered to be the most secure operating system.”

The home page of the OpenBSD site clearly and proudly claims: “Only two remote holes in the default install, in more than 10 years!”

Sounds impressive. Secunia shows that of the 189 advisories it reported from 2003 to 2008 for Microsoft Windows XP Professional, 61% were remote exploits.

Sixty-one percent! That’s 115 in just over 4 years!

The skeptic in me says, well, how many OpenBSD installs are there, relative to the number of XP installs? The bigger the install base, the more attractive the target.

But still. The seed had been planted.

I needed to try this thing out for myself!

I’ve toyed around with Linux since the late 90’s, but hadn’t used a Unix system since before that.

I have been stuck in Microsoft shops since ‘99 :/

But the power of virtualization has now made it possible for me to kick the tires of this mythical beast, and see how it responds.

In my next post, getting up-and-running with OpenBSD and VMWare Server.

For those who can’t wait, here’s my browser’s User Agent:
Mozilla/5.0 (X11; U; OpenBSD i386; en-US; rv:1.8.1.12) Gecko/20080310 Firefox/2.0.0.12
So, it works :)