pftable-rs
A small Rust library for managing pf tables on OpenBSD.
https://github.com/d3npa/pftables-rs
#pf #security #network
A small Rust library for managing pf tables on OpenBSD.
https://github.com/d3npa/pftables-rs
#pf #security #network
OpenBSD TOR Bridge.
TOR and Pluggable Transport installation.
https://community.torproject.org/relay/setup/bridge/openbsd/
#tor #security
TOR and Pluggable Transport installation.
https://community.torproject.org/relay/setup/bridge/openbsd/
#tor #security
Blockor.
Protect BSD Unix computer servers from brute-force attacks. It works on top of the OpenBSD Packet Filter(PF) firewall.
https://github.com/muktadiur/blockor
#security #firewall #pf
Protect BSD Unix computer servers from brute-force attacks. It works on top of the OpenBSD Packet Filter(PF) firewall.
https://github.com/muktadiur/blockor
#security #firewall #pf
๐8๐1
Heap Overflow in OpenBSD's slaacd via Router Advertisement
In this blog post we analyze a heap overflow vulnerability we discovered in the IPv6 stack of OpenBSD, more specifically in its slaacd daemon. This issue, whose root cause can be found in the mishandling of Router Advertisement messages containing a DNSSL option with a malformed domain label, was patched by OpenBSD on March 21, 2022. A proof-of-concept to reproduce the vulnerability is provided.
https://blog.quarkslab.com/heap-overflow-in-openbsds-slaacd-via-router-advertisement.html
#security #network #slaacd
In this blog post we analyze a heap overflow vulnerability we discovered in the IPv6 stack of OpenBSD, more specifically in its slaacd daemon. This issue, whose root cause can be found in the mishandling of Router Advertisement messages containing a DNSSL option with a malformed domain label, was patched by OpenBSD on March 21, 2022. A proof-of-concept to reproduce the vulnerability is provided.
https://blog.quarkslab.com/heap-overflow-in-openbsds-slaacd-via-router-advertisement.html
#security #network #slaacd
๐3๐1
mimmutable() for OpenBSD.
Virtual-memory systems provide a great deal of flexibility in how memory can be mapped and protected. Unfortunately, memory-management flexibility can also be useful to attackers bent on compromising a system. In the OpenBSD world, a new system call is being added to reduce this flexibility; it is, though, a system call that almost no code is expected to use.
https://lwn.net/SubscriberLink/915640/53bc300d11179c62/
#security #system #memory
Virtual-memory systems provide a great deal of flexibility in how memory can be mapped and protected. Unfortunately, memory-management flexibility can also be useful to attackers bent on compromising a system. In the OpenBSD world, a new system call is being added to reduce this flexibility; it is, though, a system call that almost no code is expected to use.
https://lwn.net/SubscriberLink/915640/53bc300d11179c62/
#security #system #memory
๐5๐ฑ1
Errata patches for TCP have been released for OpenBSD 7.1 and 7.2.
Binary updates for the amd64, i386 and arm64 platform are available via the syspatch utility. Source code patches can be found on the respective errata page:
- https://www.openbsd.org/errata71.html
- https://www.openbsd.org/errata72.html
#security #update #system
Binary updates for the amd64, i386 and arm64 platform are available via the syspatch utility. Source code patches can be found on the respective errata page:
- https://www.openbsd.org/errata71.html
- https://www.openbsd.org/errata72.html
#security #update #system
๐11
sshd random relinking at boot.
As with library order randomisation (libc.so/libcrypto/ld.so) at boot and kernel relinking at boot, boot time relinking of sshd(8) is now implemented in -current. Theo de Raadt committed the changes...
https://undeadly.org/cgi?action=article;sid=20230119075627
#ssh #security
As with library order randomisation (libc.so/libcrypto/ld.so) at boot and kernel relinking at boot, boot time relinking of sshd(8) is now implemented in -current. Theo de Raadt committed the changes...
https://undeadly.org/cgi?action=article;sid=20230119075627
#ssh #security
๐17
Initial support for guided disk encryption in the installer.
The OpenBSD installer now has basic support for configuring disk encryption during the regular installation process. Previously, disk encryption needed to be set up manually by dropping to the shell from the installer. Initial support, likely to be expanded upon, was committed by Klemens Nanni (kn@) on March 7, 2023...
https://undeadly.org/cgi?action=article;sid=20230308063109
#security #encryption #install
The OpenBSD installer now has basic support for configuring disk encryption during the regular installation process. Previously, disk encryption needed to be set up manually by dropping to the shell from the installer. Initial support, likely to be expanded upon, was committed by Klemens Nanni (kn@) on March 7, 2023...
https://undeadly.org/cgi?action=article;sid=20230308063109
#security #encryption #install
โค11๐6๐ฅ1
How To Set Up a Wireguard VPN Server with Unbound on OpenBSD.
Some months ago, I published an article on how to set up a Wireguard server with adblocking capabilities on GNU/Linux systems, focusing Debian and PiHole specifically. Recently I wanted to reproduce the same setup on an OpenBSD server(since the Wireguard protocol is available on *BSD systems as well) and, while PiHole is not currently available for *BSD systems, I managed to accomplish the same result using the DNS resolver unbound(8) and unbound-adblock to fetch updated blocklists every day. In this guide, I will show you how to achieve the same result...
https://marcocetica.com/posts/wireguard_openbsd/
#wirequard #vpn #security
Some months ago, I published an article on how to set up a Wireguard server with adblocking capabilities on GNU/Linux systems, focusing Debian and PiHole specifically. Recently I wanted to reproduce the same setup on an OpenBSD server(since the Wireguard protocol is available on *BSD systems as well) and, while PiHole is not currently available for *BSD systems, I managed to accomplish the same result using the DNS resolver unbound(8) and unbound-adblock to fetch updated blocklists every day. In this guide, I will show you how to achieve the same result...
https://marcocetica.com/posts/wireguard_openbsd/
#wirequard #vpn #security
๐14โค8๐1
Media is too big
VIEW IN TELEGRAM
Synthetic Memory Protections.
Theo de Raadt (derradt@) was scheduled to present at CanSecWest. That's now happened, and slides of Theo's presentation, Synthetic Memory Protections, can be found in the usual place. Video is available on the bird site.
#security #video
Theo de Raadt (derradt@) was scheduled to present at CanSecWest. That's now happened, and slides of Theo's presentation, Synthetic Memory Protections, can be found in the usual place. Video is available on the bird site.
#security #video
โค13๐3๐ฅ2
OpenBSD workstation hardening.
I wanted to share a list of hardening you can do on your OpenBSD workstation, and explaining the threat model of each change...
https://dataswamp.org/~solene/2023-12-31-hardened-openbsd-workstation.html
#security #system
I wanted to share a list of hardening you can do on your OpenBSD workstation, and explaining the threat model of each change...
https://dataswamp.org/~solene/2023-12-31-hardened-openbsd-workstation.html
#security #system
โค21๐12
Some OpenBSD features that aren't widely known.
In this blog post, you will learn about some OpenBSD features that can be useful, but not widespread. They often have a niche usage, but it's important to know they exist to prevent you from reinventing the wheel...
https://dataswamp.org/~solene/2024-02-20-rarely-known-openbsd-features.html
#system #security
In this blog post, you will learn about some OpenBSD features that can be useful, but not widespread. They often have a niche usage, but it's important to know they exist to prevent you from reinventing the wheel...
https://dataswamp.org/~solene/2024-02-20-rarely-known-openbsd-features.html
#system #security
โค26
Re: lcamtuf on the recent xz debacle
None. TLDR: The build process of the backdoor explicitly aborts on platforms other than Linux x86-64...
https://marc.info/?l=openbsd-misc&m=171227941117852&w=2
#security #xz
Just for clarity, does anyone know what "Unix-like operating systems" would be affected by this?
None. TLDR: The build process of the backdoor explicitly aborts on platforms other than Linux x86-64...
https://marc.info/?l=openbsd-misc&m=171227941117852&w=2
#security #xz