OpenBSD 4.1 is there!

Posted by Jonathan

At least if you ordered the pre-release…

My OpenBSD 4.1 CD set and T-shirts arrived today.

The lyrics and the 4.1 song (MP3 4.1MB / OGG 8.3MB) are already up.

The official release will be at the beginning of May, but you can order OpenBSD 4.1 today.

A list of changes between OpenBSD 4.0 and 4.1 can be found here. One very nice addition in my opinion is hoststated(8), a host status daemon that can be used with PF to manage load-balanced servers and remove servers from the pool if they do not serve an HTTP page or your specific monitor script fails.

This is very interesting for people like me who use OpenBSD firewalls in front of Rails applications. With OpenBSD/PF/pfsync/hoststated you can very easily have redundant firewalls load-balance your Apaches and automatically exclude a host that is down for whatever reason.

OpenBSD - Only *two* remote holes in the default install, in more than 10 years!

Posted by Jonathan

Yes, there is now a second remote hole in OpenBSD. In the last 10 years there was only one; yesterday Theo de Raadt posted the second one (discovered by Core Security Technologies) to misc@openbsd.org. The vulnerability is an mbuf-related remote kernel buffer overflow in the IPv6 code.

So you should patch immediately if you use IPv6, or disable it through PF (it is enabled by default):

block in inet6 

Apart from that, the upcoming 4.1 release (“Puffy Baba & the 40 Vendors”) is available for pre-order.

OpenBSD 2006 Hackathon - c2k6

Posted by Jonathan

The OpenBSD c2k6 Hackathon is currently in progress in Calgary, Canada. The first results are:

Timedelta sensors for OpenNTPD

A new SD card driver

Furthermore, KernelTrap.org has a nice introduction to some of the OpenBSD developers at the Hackathon. Many of the developers also talk about their goals for the Hackathon.

Some photos can be found here.

UPDATE:
HP donated gear for the Hackathon. One of the machines has 24GB RAM and is used for the SCSI development.

Stop the BLOB!

Posted by Jonathan

Finally here:

OpenBSD 3.9


UPDATE:
OpenBSD 3.9 is now officially released and available through FTP.


OpenBSD OpenCON 2005 presentations

Posted by Jonathan

The slides for the OpenBSD presentations at OpenCON 2005 are now available. Peter Valchev posted the links on misc@openbsd.org.

Peter also described the Venice v2k5 ports hackathon that was held right before the conference. See his post for details, or his presentation slides about the hackathon.

The other presentations are:

OpenBSD Ports and Packages by Marc Espie

An overview of the current state and some of the new features like FETCH_PACKAGES and FORCE_UPDATE.

OpenBSD Networking Update by Henning Brauer

Interesting information about PF, OpenBGPD, OpenOSPFD, DoS mitigation, and crazy ideas for the future like a fast path through the network stack for forwarded connections with an already established state.

Porting OpenBSD by Niall O’Higgins and Uwe Stühler

How to port OpenBSD to another architecture and a status update on the Zaurus port.

Exploit Mitigation Techniques by Theo de Raadt

Theo’s famous presentation on the exploit mitigation techniques used in OpenBSD, with some updates on the new randomized malloc and mmap work.

UPDATE:
Undeadly.org has a write-up on the ports hackathon here.

Puffiana Jones is here!

Posted by Jonathan

I just got my OpenBSD 3.8 pre-order.

The official release date is November 1, 2005. Order a CD and support the project!

UPDATE:
OpenBSD 3.8 is now officially released. Furthermore, this article got a Chinese Slashdotting.

Interview with OpenBSD developers about 3.8

Posted by Jonathan

Onlamp.com has an interview with some OpenBSD developers about the upcoming 3.8 release.

Covered topics include the new trunk(4) network interface aggregation, interface groups, tracking wireless roaming users with IAPP and hostapd(8), a new ipsec configuration tool (ipsec.conf(5)), failover of ipsec links, a great rework of malloc(), and the first version of the universal RAID management tool, bioctl(8).

10 years OpenBSD

Posted by Jonathan

Today OpenBSD is turning 10 years old. Revision 1.1 of the CVS repository was created on October 18, 1995 by Theo de Raadt.

There was some confusion on misc@openbsd.org, as the 14th was mentioned in the calendar.openbsd file as the birth of OpenBSD. But Theo clarified that OpenBSD was born on the date of the creation of revision 1.1.

Happy Birthday OpenBSD!

Annoying spammers with spamd

Posted by Jonathan

OpenBSD ships a wonderful little tool: spamd(8). spamd is a fake SMTP server that will accept all incoming connections and attempt to waste the time and resources of the spam sender by delaying the connection and replying slowly. Eventually spamd will return error code 450 to the spammer, but by that time the spammer has usually wasted several hundred or even thousands of seconds.

Usually spamd listens on port 8025 on localhost and traffic on port 25 is redirected with pf:

table <spamd> persist
rdr pass inet proto tcp from <spamd> to any \
port smtp -> 127.0.0.1 port spamd

All IPs listed in the <spamd> table will be redirected to spamd. The spamd blacklist table can be maintained manually like this:

# pfctl -q -t spamd -T replace -f /my/list/of/spammers

Or with the help of spamd-setup(8) and spamd.conf(5), using online blacklists like the one from www.spews.org.

Furthermore, spamd supports greylisting. Greylisting assumes that spam senders usually do not try to reconnect to a mail server if it returns a temporary error. They normally scan a whole network and just try the next IP if a server returns an error or the connection times out. A normal mail server should retry after a configured time, so in greylist mode spamd exploits this difference in behaviour. From the greylisting description of spamd:

When run in greylisting mode, spamd will run in the normal mode for any
addresses blacklisted by spamd-setup(8). Connections from addresses not
blacklisted by spamd-setup(8) will be considered for greylisting. Such
connections will not be stuttered at (though see the -S option above) or
delayed, and will receive the pleasantly innocuous temporary failure of:

451 Temporary failure, please try again later.

in the SMTP dialogue immediately after the recipient is specified. spamd
will use the db file in /var/db/spamd to track these non-blacklisted
connections to spamd by connecting IP address, envelope-from, and
envelope-to, or “tuple” for short.

A previously unseen tuple is added to the /var/db/spamd database,
recording the time an initial connection attempt was seen. After passtime
minutes if spamd sees a retried attempt to deliver mail for the same tuple,
spamd will whitelist the connecting address by adding it as a whitelist
entry to /var/db/spamd.
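As an added illustration (not part of the original post and not spamd's own code), here is a small Python model of the greylisting decision the man page describes: blacklisted addresses get the normal stuttering treatment, an unseen tuple receives the 451 and is recorded, and a retry of the same tuple after passtime minutes whitelists the connecting address. The 25-minute passtime, the addresses and the scanner-versus-MTA scenario are assumptions constructed for the example.

```python
# Added example: toy model of spamd(8) greylisting as described in the man page
# excerpt above. Not spamd's own code; times are minutes, addresses are constructed.
from dataclasses import dataclass, field

PASSTIME = 25  # assumed passtime in minutes (spamd's -G option); not taken from the post
TEMPFAIL = "451 Temporary failure, please try again later."
BLACKLISTED = "blacklisted: stutter, delay, eventually 450"
WHITELISTED = "whitelisted: hand the connection to the real MTA"


@dataclass
class Greylister:
    blacklist: set                                   # addresses from spamd-setup(8)
    passtime: int = PASSTIME                         # minutes before a retry counts
    greylist: dict = field(default_factory=dict)     # tuple -> first-seen minute
    whitelist: set = field(default_factory=set)      # connecting IPs let through

    def decide(self, now, ip, env_from, env_to):
        """Decision for one delivery attempt at minute `now` (models /var/db/spamd)."""
        if ip in self.blacklist:        # normal mode: waste the sender's time
            return BLACKLISTED
        if ip in self.whitelist:        # whole address was whitelisted earlier
            return WHITELISTED
        tuple_key = (ip, env_from, env_to)
        first_seen = self.greylist.get(tuple_key)
        if first_seen is None:          # previously unseen tuple: record and defer
            self.greylist[tuple_key] = now
            return TEMPFAIL
        if now - first_seen >= self.passtime:   # legitimate retry: whitelist the IP
            del self.greylist[tuple_key]
            self.whitelist.add(ip)
            return WHITELISTED
        return TEMPFAIL                 # retried too early: still deferred


def scenario():
    """Constructed scenario: a scanner that never retries vs. an MTA that does."""
    g = Greylister(blacklist={"192.0.2.66"})
    log = [
        ("spews", g.decide(0, "192.0.2.66", "x@spam.example", "me@example.net")),
        ("scan1", g.decide(1, "203.0.113.5", "a@spam.example", "me@example.net")),
        ("mta1", g.decide(2, "198.51.100.7", "bob@mail.example", "me@example.net")),
        ("mta-early", g.decide(10, "198.51.100.7", "bob@mail.example", "me@example.net")),
        ("mta-retry", g.decide(32, "198.51.100.7", "bob@mail.example", "me@example.net")),
        ("mta-other", g.decide(33, "198.51.100.7", "alice@mail.example", "me@example.net")),
    ]
    return dict(log), sorted(g.greylist), sorted(g.whitelist)
```

Running scenario() shows the scanner's tuple still sitting in the greylist while the retrying MTA's address has moved to the whitelist.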

These are very nice features for a mail server. But ISPs and people who operate a mail server are not the only ones who can annoy spammers.

Just add the following line to your pf.conf:

rdr pass inet proto tcp from any to ($exit_if) port smtp -> 127.0.0.1 port spamd

And start spamd. To start spamd on boot, set the spamd_flags variable in /etc/rc.conf.local:

# grep spamd /etc/rc.conf.local
spamd_flags=""

Now everybody who connects to your server on port 25 will be redirected to spamd: as you do not operate a mail server, by definition all traffic to port 25 is malicious. You can check how effective this is by searching /var/log/daemon for spamd log entries. For example, in my logfile I find:

Oct 11 15:05:45 wrap spamd[10833]: xxx.109.43.1: disconnected after 551 seconds.
Oct 11 21:41:31 wrap spamd[10833]: xxx.64.88.103: disconnected after 667 seconds.
Oct 12 00:02:23 wrap spamd[10833]: xxx.36.81.231: disconnected after 3 seconds.
Oct 13 11:40:11 wrap spamd[10833]: xxx.64.98.17: disconnected after 1033 seconds.

Easy to set up and annoys spammers, I love it.
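To turn the grep through /var/log/daemon into numbers, here is an added Python example (not from the original post) that parses spamd's "disconnected after N seconds" entries, totals the time spammers spent talking to spamd per source address, and flags senders that gave up almost immediately. The sample log lines are constructed in the format shown above with RFC 5737 documentation addresses; the hostname, PID and the 10-second "quick bail-out" threshold are assumptions.

```python
# Added example: summarise spamd(8) disconnect entries from /var/log/daemon.
# Not part of the original post; SAMPLE_LOG is constructed in the format shown
# above, with RFC 5737 documentation addresses instead of real ones.
import re
from collections import Counter

SAMPLE_LOG = """\
Oct 11 15:05:45 wrap spamd[10833]: 203.0.113.1: disconnected after 551 seconds.
Oct 11 21:41:31 wrap spamd[10833]: 198.51.100.103: disconnected after 667 seconds.
Oct 12 00:02:23 wrap spamd[10833]: 192.0.2.231: disconnected after 3 seconds.
Oct 12 00:03:00 wrap sshd[4711]: Accepted publickey for jonathan from 192.0.2.9 port 50112
Oct 13 11:40:11 wrap spamd[10833]: 198.51.100.17: disconnected after 1033 seconds.
Oct 13 12:02:50 wrap spamd[10833]: 203.0.113.1: disconnected after 609 seconds.
"""

# syslog prefix, then "<ip>: disconnected after <n> seconds."
DISCONNECT = re.compile(
    r"^(?P<stamp>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ spamd\[\d+\]: "
    r"(?P<ip>[0-9a-fA-F.:]+): disconnected after (?P<secs>\d+) seconds\.$"
)


def parse_disconnects(log_text):
    """Yield (timestamp, ip, seconds) for every spamd disconnect line."""
    for line in log_text.splitlines():
        m = DISCONNECT.match(line)
        if m:                           # lines from other daemons are skipped
            yield m["stamp"], m["ip"], int(m["secs"])


def summarize(log_text, quick_threshold=10):
    """Total spammer-seconds, per-IP totals, and connections that bailed out fast."""
    per_ip = Counter()
    quick = []                          # senders that gave up almost immediately
    total = connections = 0
    for stamp, ip, secs in parse_disconnects(log_text):
        connections += 1
        per_ip[ip] += secs
        total += secs
        if secs < quick_threshold:
            quick.append((stamp, ip, secs))
    return {
        "connections": connections,
        "total_seconds": total,
        "per_ip": dict(per_ip),
        "quick_disconnects": quick,
    }
```

For the constructed lines, summarize(SAMPLE_LOG) reports 5 connections and 2863 spammer-seconds, with the 3-second connection listed as a quick disconnect.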

Interview about OpenBSD's network stack

Posted by Jonathan

SecurityFocus has an interview with several OpenBSD developers about the OpenBSD 3.8 network stack and its protection against different attacks.

Fernando Gont describes the countermeasures implemented against the ICMP attacks he discovered, while Ryan McBride and Henning Brauer talk about randomization, TCP window reset attacks and OpenBGPD.

The new pkg_add

Posted by Jonathan

One of the new features of pkg_add(1) in OpenBSD 3.8 is the ability to update all installed packages. 3.8’s pkg_add will not do it automatically but rather lists all packages for you to update yourself (through pkg_add -r).

The pkg_add in -current, though, will update all packages:

# dmesg | head -1
OpenBSD 3.8-current (GENERIC) #159: Tue Sep 27 22:21:33 MDT 2005
# export PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/snapshots/packages/i386/
# pkg_add -u
Candidates for updating arping-2.05p0 -> arping-2.05p0
No need to update ddclient-3.6.3
Candidates for updating dnsmasq-2.22 -> dnsmasq-2.22
Candidates for updating gdiff-2.8.1p0 -> gdiff-2.8.1p0
Candidates for updating gettext-0.10.40p3 -> gettext-0.10.40p3
Candidates for updating libiconv-1.9.2p1 -> libiconv-1.9.2p1
Candidates for updating libnet-1.0.2a -> libnet-1.0.2ap1
No need to update lzo-1.08p0
No need to update mergemaster-1.46p0
Candidates for updating openvpn-2.0 -> openvpn-2.0.2
Candidates for updating rsync-2.6.5 -> rsync-2.6.6
No need to update screen-4.0.2-static
Candidates for updating vim-6.3.61p0-no_x11 -> vim-6.3.85p0-no_x11
Candidates for updating wget-1.8.2 -> wget-1.10
Running the equivalent of pkg_add -r arping-2.05p0 dnsmasq-2.22 gdiff-2.8.1p0 gettext-0.10.40p3 libiconv-1.9.2p1 libnet-1.0.2ap1 openvpn-2.0.2 rsync-2.6.6 vim-6.3.85p0-no_x11 wget-1.10
libnet-1.0.2ap1 (extracting): complete
libnet-1.0.2a (deleting): complete
libnet-1.0.2ap1 (installing): complete
arping-2.05p0 (extracting): complete
arping-2.05p0 (deleting): complete
arping-2.05p0 (installing): complete
dnsmasq-2.22 (extracting): complete
dnsmasq-2.22 (deleting): complete
dnsmasq-2.22 (installing): complete
libiconv-1.9.2p1 (extracting): complete
libiconv-1.9.2p1 (deleting): complete
libiconv-1.9.2p1 (installing): complete
gettext-0.10.40p3 (extracting): complete
gettext-0.10.40p3 (deleting): complete
gettext-0.10.40p3 (installing): complete
gdiff-2.8.1p0 (extracting): complete
gdiff-2.8.1p0 (deleting): complete
gdiff-2.8.1p0 (installing): complete
openvpn-2.0.2 (extracting): complete
openvpn-2.0 (deleting): complete
openvpn-2.0.2 (installing): complete
rsync-2.6.6 (extracting): complete
rsync-2.6.5 (deleting): complete
rsync-2.6.6 (installing): complete
vim-6.3.85p0-no_x11 (extracting): complete
vim-6.3.61p0-no_x11 (deleting): complete
vim-6.3.85p0-no_x11 (installing): complete
wget-1.10 (extracting): complete
wget-1.8.2 (deleting): complete
wget-1.10 (installing): complete
Clean shared items: complete

Nice and clean. Grab a snapshot from ftp://ftp.openbsd.org/pub/OpenBSD/snapshots or use the upcoming 3.8.

Slides on sasyncd

Posted by Jonathan

Because of its recent appearance in the OpenBSD tree, sasyncd(8), the new IPsec SA synchronization daemon for failover gateways in OpenBSD 3.8, had only its man pages as documentation.

Jason Dixon posted his NYCBSDCON slides on his homepage. These slides include a short coverage of sasyncd in a failover scenario with carp(4).

Markus Wernig also has some slides about PF, pfsync(4), and sasyncd(8). These slides are in German though.

With this additional documentation and the fabulous OpenBSD man pages it should be no problem to build failover OpenBSD firewall/VPN gateways.

Kudos to the OpenBSD developers for their great work.

OpenBSD 3.8 preorder

Posted by Jonathan

The new 3.8 release can now be preordered. The official release date is November 1, 2005. Preorders normally ship earlier.

The 3.8 theme is “HACKERS of the LOST RAID”, following the recent RAID management efforts (see bioctl(8) and his article on kerneltrap.org).

Other interesting new tools include:

  • ipsecctl(8), a simple IPsec management tool.
  • stat(1), displaying file status obtained from stat(2) or lstat(2).
  • hostapd(8), a wireless Host Access Point daemon.
  • ifstated(8), a daemon monitoring ethernet interface status.
  • watchdogd(8), companion to the hardware watchdog devices.
  • ztsscale(8), a tool to calibrate the Zaurus touch screen.
  • xidle(1), a tool to run a program on X inactivity.
  • gzsig(1), create and verify cryptographic signatures built into gzip file headers.

Furthermore, wd(4) disks have the security feature frozen before being attached, to prevent malicious users from setting a password that would block access to the contents of the drive.

ospfd(8) and bgpd(8) had some updates and OpenSSH was updated to 4.2.

One very important security feature is that malloc(3) has been rewritten to use the mmap(2) system call, introducing unpredictable allocation addresses and guard pages, which helps in detecting heap-based buffer overflows and prevents various types of attacks. This can break many third-party tools if they access memory in a disallowed fashion.

See http://www.openbsd.org/38.html for details.


OpenCVS, the bloat, and Theo de Raadt

Posted by Jonathan

Arthur Barrett from the CVSNT team (a fork of CVS) asked on the openbsd-tech mailing list whether the CVSNT and OpenCVS project efforts could perhaps be consolidated.

His point was that, since the goals are similar (staying compatible with GNU CVS, being as secure as possible, and providing better access control) and CVSNT already had five years of stable releases, joining efforts would benefit both parties.

Apart from the argument about re-licensing (OpenCVS will be BSD licensed), Theo had some interesting information:

We were fully aware of there being other CVS projects, and we do not feel that their stuff can help us towards our goals at all. A lot of our goals are - as yet - not disclosed.

and continued to “explain” why they did not choose to use one of the various CVS implementations:

That said, we have no interest in furthering GPL codebases. Not just because of the licenses, but also because of the obvious bloat that always happens with these codebases designed to “work on every stupid variation of system even written in the past”.

Finally he ended the discussion in his way:

OK, let me be more clear. When people who know nothing about anything write software, in the GNU-style, they write bloated bloated bloated crap when it is not necessary.

When it is done, OpenCVS will run fine on other systems.

Like OpenSSH.

Without the boatloads of bloat that is common in GNU-style projects.

Anyways, I think our conversation is over.

I personally agree with Theo and that’s why I really like the OpenBSD approach. That’s why I don’t like J2EE and love Ruby & Ruby on Rails.

You can find the whole thread on marc.

OpenSSH 4.2 released

Posted by Jonathan

OpenSSH 4.2 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly.


OpenSSH 4.2 also includes some security fixes:

- SECURITY: Fix a bug introduced in OpenSSH 4.0 that caused GatewayPorts to be incorrectly activated for dynamic (“-D”) port forwardings when no listen address was explicitly specified.

- SECURITY: sshd in OpenSSH versions prior to 4.2 allow GSSAPI credentials to be delegated to users who log in with methods other than GSSAPI authentication (e.g. public key) when the client requests it. This behaviour has been changed in OpenSSH 4.2 to only delegate credentials to users who authenticate using the GSSAPI method. This eliminates the risk of credentials being inadvertently exposed to an untrusted user/host (though users should not activate GSSAPIDelegateCredentials to begin with when the remote user or host is untrusted).

For details see the announcement.