https://unix-esoterica.com/tags/security/ Recent content in Security on UNIX Esoterica Hugo en Wed, 24 Dec 2025 12:58:21 +0100 https://unix-esoterica.com/posts/openbsd-updating/ Wed, 24 Dec 2025 12:58:21 +0100 https://unix-esoterica.com/posts/openbsd-updating/ <h3 id="note-feel-free-to-skip-ahead">NOTE: Feel Free To Skip Ahead</h3> <h3 id="openbsd-release-model-explained">OpenBSD Release Model Explained</h3> <p>OpenBSD uses a strict, time-based release model focused on predictability and continuous development. OpenBSD releases new versions on a fixed six-month cycle.</p> <h2 id="flavors">Flavors</h2> <p>OpenBSD maintains three distinct &ldquo;flavors&rdquo; of the operating system simultaneously:</p> <p>-release: The official, static version of the OS released every six months (e.g., 7.5, 7.6). It is intended for users who prioritize stability and do not need the absolute latest features.</p> https://unix-esoterica.com/posts/links/ Tue, 29 Apr 2025 10:35:02 +0200 https://unix-esoterica.com/posts/links/ <h3 id="an-eclectic-collection-of-useful-urls">An eclectic collection of useful URLs</h3> <p>I highly recommend reading official documentation first. I have provided a curated list of websites which I personally consider useful.</p> <h2 id="openbsd">OpenBSD</h2> <h3 id="main-openbsd-sites">Main OpenBSD Sites</h3> <ul> <li>OpenBSD Main Site <a href="https://www.openbsd.org" rel="noopener noreferrer" target="_blank">https://www.openbsd.org</a> </li> <li>OpenBSD FAQs <a href="https://www.openbsd.org/faq/index.html" rel="noopener noreferrer" target="_blank">https://www.openbsd.org/faq/index.html</a> </li> <li>OpenBSD Manpages <a href="https://man.openbsd.org" rel="noopener noreferrer" target="_blank">https://man.openbsd.org</a> </li> <li>OpenBSD Patches <a href="https://www.openbsd.org/errata76.html" rel="noopener noreferrer" target="_blank">https://www.openbsd.org/errata76.html</a> </li> <li>OpenBSD Download <a href="https://www.openbsd.org/faq/faq4.html#Download" rel="noopener noreferrer" target="_blank">https://www.openbsd.org/faq/faq4.html#Download</a> </li> </ul> <h3 id="openbsd-projects">OpenBSD Projects</h3> <ul> <li>OpenSSH <a href="https://www.openssh.com" rel="noopener noreferrer" target="_blank">https://www.openssh.com</a> </li> <li>LibreSSL <a href="https://www.libressl.org" rel="noopener noreferrer" target="_blank">https://www.libressl.org</a> </li> <li>OpenBGPD <a href="https://www.openbgpd.org" rel="noopener noreferrer" target="_blank">https://www.openbgpd.org</a> </li> <li>OpenNTPD <a href="https://www.openntpd.org" rel="noopener noreferrer" target="_blank">https://www.openntpd.org</a> </li> <li>OpenSMTPD <a href="https://www.opensmtpd.org" rel="noopener noreferrer" target="_blank">https://www.opensmtpd.org</a> </li> </ul> <h3 id="keeping-openbsd-alive">Keeping OpenBSD Alive</h3> <ul> <li>The OpenBSD Foundation <a href="https://www.openbsdfoundation.org" rel="noopener noreferrer" target="_blank">https://www.openbsdfoundation.org</a> </li> </ul> <h3 id="other-openbsd-related-sites">Other OpenBSD Related Sites</h3> <p>Hosting</p> https://unix-esoterica.com/posts/sysctl-hardening/ Tue, 29 Apr 2025 08:41:24 +0200 https://unix-esoterica.com/posts/sysctl-hardening/ <p>/etc/sysctl.conf - hardening</p> <p>Official OpenBSD Documentation</p> <p>sysctl(8) manpage - <a href="https://man.openbsd.org/sysctl.8" rel="noopener noreferrer" target="_blank">https://man.openbsd.org/sysctl.8</a> </p> <p>sysctl.conf(5) manpage - <a href="https://man.openbsd.org/sysctl.conf.5" rel="noopener noreferrer" target="_blank">https://man.openbsd.org/sysctl.conf.5</a> </p> <p>malloc(3) manpage - <a href="https://man.openbsd.org/free" rel="noopener noreferrer" target="_blank">https://man.openbsd.org/free</a> </p> <table> <thead> <tr> <th style="text-align: left">Sysctl Parameter</th> <th style="text-align: left">Description</th> </tr> </thead> <tbody> <tr> <td style="text-align: left"><code>ddb.panic=0</code></td> <td style="text-align: left">Reboot on a panic, instead of dropping into the debugger.</td> </tr> <tr> <td style="text-align: left"><code>ddb.console=0</code></td> <td style="text-align: left">Prevent entry into the kernel debugger.</td> </tr> <tr> <td style="text-align: left"><code>net.inet.ip.forwarding=0</code></td> <td style="text-align: left">Prevent inet4 forwarding for standalone workstations ( unless needed ).</td> </tr> <tr> <td style="text-align: left"><code>machdep.allowaperature=0</code></td> <td style="text-align: left">For systems that don&rsquo;t run X.</td> </tr> <tr> <td style="text-align: left"><code>vm.malloc_conf=CFGU</code></td> <td style="text-align: left">Individual arguments explained below.</td> </tr> <tr> <td style="text-align: left">C ( Cache disabled )</td> <td style="text-align: left">Reduces the chance that sensitive data ( like passwords, keys, etc ) remains in memory after being freed.</td> </tr> <tr> <td style="text-align: left">F ( Free junking )</td> <td style="text-align: left">Easier to detect user-after-free bugs ( access to freed memory ), and prevents old data from leaking if memory is later misused.</td> </tr> <tr> <td style="text-align: left">G ( Guard pages )</td> <td style="text-align: left">Helps catch buffer overflows immediately by causing a segmentation fault when memory writes go past their bounds.</td> </tr> <tr> <td style="text-align: left">U ( Use junking )</td> <td style="text-align: left">Helps catch bugs where programs wrongly assume newly allocated memory.</td> </tr> </tbody> </table> <h3 id="server-example---etcsysctlconf">Server Example - /etc/sysctl.conf</h3> <pre tabindex="0"><code>ddb.panic=0 ddb.console=0 vm.malloc_conf=CFGU net.inet.ip.forwarding=0 machdep.allowaperature=0 </code></pre><h3 id="firewall-example---etcsysctlconf">Firewall Example - /etc/sysctl.conf</h3> <pre tabindex="0"><code>ddb.panic=0 ddb.console=0 vm.malloc_conf=CFGU net.inet.ip.forwarding=1 machdep.allowaperature=0 </code></pre><h3 id="workstation-example---etcsysctlconf">Workstation Example - /etc/sysctl.conf</h3> <pre tabindex="0"><code>ddb.panic=1 ddb.console=1 vm.malloc_conf=CFGU net.inet.ip.forwarding=0 machdep.allowaperature=1 </code></pre><p>Thanks to the author of the following page for teaching me about the malloc stuff:</p>