In the wake of the Heartbleed vulnerability, the OpenBSD Project started auditing the OpenSSL code and concluded that it was beyond repair in place, so the code was forked (the fork is now known as LibreSSL). In excess of 90,000 lines of C, made up of deprecated (read: decades-old) APIs, WIN32 and (potentially harmful) FIPS support, bugs and kludges, were removed from the source tree in the first week once the developers realised just how bad the OpenSSL source actually was.
It has been reported, by Bloomberg citing unnamed sources, that the National Security Agency (NSA) knew about the vulnerability in the OpenSSL 1.0.1 code soon after it was introduced and used the Heartbleed bug against its targets to steal user credentials and other sensitive information. According to the report, the NSA chose not to disclose one of the most widespread flaws in the history of the Internet (at the time, roughly two-thirds of active web servers ran OpenSSL) so that it could keep exploiting it in secret, citing national security as the motivating factor. The NSA has denied the report.
A serious vulnerability in the TLS heartbeat extension, which OpenSSL has shipped since version 1.0.1 in March 2012, has been disclosed and aptly named 'Heartbleed' (CVE-2014-0160). The heartbeat handler copied as many bytes into its reply as the peer's request claimed to carry, without checking that claim against the length of the record actually received, so either side of a connection could read up to 64 KB of the other side's process memory per request: private keys, session cookies and passwords included.
Fortunately, FreeBSD 9.2 and earlier releases, whose base system ships OpenSSL 0.9.8, were unaffected. However, FreeBSD 10.0, whose base system moved to OpenSSL 1.0.1, and any machine running the vulnerable OpenSSL port (1.0.1 through 1.0.1f, or 1.0.2-beta1) have been exposed since the buggy code shipped in March 2012. Most recent Linux distributions were running the vulnerable code; Debian oldstable (squeeze), still on 0.9.8, was one of the few that was not. Note that a version string alone does not settle the question: FreeBSD fixed the base system through FreeBSD-SA-14:06.openssl and the port through a patched package revision, and several Linux vendors backported the fix without bumping their 1.0.1e version, so check pkg audit -F or the vendor advisory rather than relying on openssl version.
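The following script is an added example and not part of the original post: it classifies an OpenSSL version token against the range in the OpenSSL advisory (1.0.1 through 1.0.1f and 1.0.2-beta1 affected, 1.0.1g fixed) and reports both copies of OpenSSL that a FreeBSD host may carry, the base system's and the port's. The binary paths are assumptions; a verdict of "affected upstream" still has to be reconciled with vendor patches, because some distributions fixed 1.0.1e in place without changing the version string.

```sh
#!/bin/sh
# Added example: classify OpenSSL versions against the Heartbleed (CVE-2014-0160)
# range and report the OpenSSL binaries found on a FreeBSD host.
# Ranges follow the OpenSSL advisory; the binary paths below are assumptions
# (FreeBSD base: /usr/bin/openssl, port: /usr/local/bin/openssl).

# heartbleed_affected VERSION -> exit 0 if the upstream release is affected.
# VERSION is the second token of `openssl version`, e.g. "1.0.1e" or "1.0.1e-fips".
heartbleed_affected() {
    case "$1" in
        1.0.1|1.0.1[a-f]|1.0.1-fips|1.0.1[a-f]-fips) return 0 ;;
        1.0.2-beta1) return 0 ;;
        *) return 1 ;;
    esac
}

# version_token "OpenSSL 1.0.1f 6 Jan 2014" -> "1.0.1f"
version_token() {
    printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }'
}

# report_binary PATH -> one line "PATH VERSION VERDICT"; silent if PATH is absent.
report_binary() {
    bin=$1
    [ -x "$bin" ] || return 0
    ver=$(version_token "$("$bin" version)")
    if heartbleed_affected "$ver"; then
        verdict="affected upstream; confirm vendor/port patch level (pkg audit -F, freebsd-update)"
    else
        verdict="not in the affected range"
    fi
    printf '%s %s %s\n' "$bin" "$ver" "$verdict"
}

# FreeBSD may carry two copies: the base system's and the port's. Check both.
report_binary /usr/bin/openssl
report_binary /usr/local/bin/openssl
```

On a FreeBSD 10.0 host before the fix, the base binary reports 1.0.1e as affected even though the port may already be patched, and vice versa; services link against one or the other, so check which library a daemon actually loads (ldd on the binary) before deciding it is safe.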
FreeBSD recently converted to its next-generation package management utility: PKGNG. To date, many of its improved features aren't yet implemented because the developers are committed to maintaining legacy compatibility with pkg_*. One of the most eagerly anticipated features, smooth interaction between binary packages and applications built from source via ports, remains elusive at present. To overcome this obstacle, create a local package repository with Poudriere, so that every package on the host is built from the same ports tree with the same options.
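As an added example (not the post's own procedure), the script below builds a local repository with poudriere(8) and produces the pkg(8) repository file that points the host at it. The jail name 10amd64, the 10.0-RELEASE base, the ports tree name "default" and the package list path are assumptions; the build itself has to run as root on a host with poudriere installed.

```sh
#!/bin/sh
# Added example: build a local package repository with poudriere(8) and point
# pkg(8) at it, so binary packages and port-built packages come from one source.
# Assumed names: build jail "10amd64" from 10.0-RELEASE, ports tree "default",
# package list in /usr/local/etc/poudriere.d/pkglist. Run the build as root.

JAIL=${JAIL:-10amd64}
RELEASE=${RELEASE:-10.0-RELEASE}
PKGLIST=${PKGLIST:-/usr/local/etc/poudriere.d/pkglist}

# local_repo_conf JAILNAME -> contents for /usr/local/etc/pkg/repos/local.conf.
# The official repository is disabled so pkg(8) never mixes in packages built
# with different options than the local ports build.
local_repo_conf() {
    cat <<EOF
FreeBSD: { enabled: no }
local: {
    url: "file:///usr/local/poudriere/data/packages/${1}-default",
    enabled: yes
}
EOF
}

# build_repo: create the jail and ports tree once, record port options for the
# listed ports, then build them (and their dependencies) into the repository.
build_repo() {
    poudriere jail -l | grep -q "^${JAIL} " || poudriere jail -c -j "$JAIL" -v "$RELEASE"
    poudriere ports -l | grep -q '^default ' || poudriere ports -c
    poudriere options -j "$JAIL" -f "$PKGLIST"
    poudriere bulk -j "$JAIL" -f "$PKGLIST"
}

case "$1" in
    --build) build_repo ;;
    --repo-conf) local_repo_conf "$JAIL" ;;
esac
```

After a successful bulk run, write the output of --repo-conf to /usr/local/etc/pkg/repos/local.conf and run pkg update -f; from then on pkg install pulls from the local build. A file:// repository on the build host needs no signing, but if you serve it over HTTP to other machines, set PKG_REPO_SIGNING_KEY in poudriere.conf and configure signature_type: "fingerprints" on the clients so a compromised web server cannot feed them packages.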
Compiling a custom kernel in FreeBSD is relatively simple; the important part is the research required to produce a sane configuration so that your machine operates properly with the new kernel loaded. There is no blanket method for tailoring kernels: your hardware and objectives determine which options need to be set and which can be removed. Consult the tuning(7) and config(5) manual pages beforehand. Additionally, query loaded modules, drivers and attached devices with kldstat(8), pciconf(8) and devinfo(8), and parse /var/run/dmesg.boot to formulate a comprehensive list of kernel requirements; anything pciconf -lv lists as "none" has no driver attached and needs a manual decision too.
This guide is divided into three sections.
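The script below is an added example, not part of the guide: it turns the two sources named above, /var/run/dmesg.boot and kldstat(8) output, into candidate device lines for a kernel configuration file. The dmesg and kldstat samples embedded in it are constructed; on a real host, feed it the actual files. The candidates are a starting point to compare against GENERIC and NOTES, since not every name dmesg prints (cpu, pci) is a kernel config keyword.

```sh
#!/bin/sh
# Added example: derive candidate "device" lines for a custom kernel config from
# /var/run/dmesg.boot and kldstat(8) output. The sample data below is constructed.
# Candidates are a starting point: compare them against /sys/<arch>/conf/GENERIC
# and NOTES, since dmesg names (cpu, pci, ...) are not all kernel config keywords.

# drivers_from_dmesg: read dmesg.boot on stdin; attach lines look like
# "em0: <Intel(R) PRO/1000 ...> ... on pci0". Keep the driver name, drop the unit.
drivers_from_dmesg() {
    sed -n 's/^\([a-z][a-z0-9_]*[a-z_]\)[0-9][0-9]*: <.*/\1/p' | sort -u
}

# modules_from_kldstat: read kldstat(8) output on stdin; column 5 is the module
# name. Drop ".ko" and the "if_" prefix network drivers carry (if_re.ko -> re).
modules_from_kldstat() {
    awk 'NR > 1 && $5 != "kernel" { sub(/\.ko$/, "", $5); sub(/^if_/, "", $5); print $5 }' | sort -u
}

# kernel_config_candidates DMESG_FILE KLDSTAT_FILE -> "device NAME" lines
kernel_config_candidates() {
    { drivers_from_dmesg < "$1"; modules_from_kldstat < "$2"; } | sort -u | sed 's/^/device /'
}

# Constructed samples standing in for /var/run/dmesg.boot and `kldstat` output.
SAMPLE_DMESG='cpu0: <ACPI CPU> on acpi0
pci0: <ACPI PCI bus> on pcib0
em0: <Intel(R) PRO/1000 Network Connection 7.3.8> port 0x2000-0x201f irq 16 at device 25.0 on pci0
ahci0: <Intel ICH9 AHCI SATA controller> port 0x2040-0x2047 irq 19 at device 31.2 on pci0
ahcich0: <AHCI channel> at channel 0 on ahci0
ada0: <ST3500418AS CC38> ATA-8 SATA 2.x device
ada0: 476940MB (976773168 512 byte sectors: 16H 63S/T 16383C)
vgapci0: <VGA-compatible display> mem 0xd0100000-0xd01fffff at device 2.0 on pci0'

SAMPLE_KLDSTAT='Id Refs Address            Size     Name
 1   12 0xffffffff80200000 15f0d40  kernel
 2    1 0xffffffff81812000 2c0d0    if_re.ko
 3    1 0xffffffff8183f000 5e0f0    snd_hda.ko
 4    1 0xffffffff8189e000 2f48     ums.ko'

# demo: run the pipeline over the samples. On a real host:
#   kldstat > /tmp/kldstat.txt
#   kernel_config_candidates /var/run/dmesg.boot /tmp/kldstat.txt
demo() {
    d=$(mktemp) && k=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_DMESG" > "$d"
    printf '%s\n' "$SAMPLE_KLDSTAT" > "$k"
    kernel_config_candidates "$d" "$k"
    rm -f "$d" "$k"
}

demo
```

Modules that were loaded on demand (if_re, snd_hda, ums in the sample) are the ones most easily forgotten when trimming GENERIC: they never appear as attach lines in a dmesg taken before they were loaded, which is why both sources are merged.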
To set up multiple jails on a VPS with a single public IP address, clone the loopback interface, give the jails private addresses on it, and translate their traffic through the public address with pf. The procedure is described briefly below.
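As an added example that is not the post's own procedure, the script below generates the three configuration fragments the setup needs: the rc.conf lines that clone lo1 and enable forwarding and pf, jail.conf entries that bind each jail to one private address on lo1, and the pf NAT and redirect rules. The public interface name vtnet0, the 10.0.0.0/24 private network, the example.org hostnames and the /usr/jails/<name> roots are assumptions.

```sh
#!/bin/sh
# Added example: generate the rc.conf, jail.conf and pf.conf fragments for running
# several jails behind one public address. The jails get private addresses on a
# cloned loopback interface (lo1) and pf translates their traffic through the
# public NIC. Assumptions: public NIC vtnet0, private net 10.0.0.0/24, jail roots
# under /usr/jails/<name>; set EXT_IF to match your VPS.

EXT_IF=${EXT_IF:-vtnet0}
JAIL_NET=10.0.0.0/24

# rc_conf_fragment -> lines to append to /etc/rc.conf: clone lo1, give the host
# the first address of the private net, enable forwarding, pf and jails.
rc_conf_fragment() {
    cat <<'EOF'
cloned_interfaces="lo1"
ifconfig_lo1="inet 10.0.0.1 netmask 255.255.255.0"
gateway_enable="YES"
pf_enable="YES"
jail_enable="YES"
EOF
}

# jail_conf_header -> defaults shared by every entry in /etc/jail.conf
jail_conf_header() {
    cat <<'EOF'
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
EOF
}

# jail_conf_entry NAME INDEX -> one jail bound to 10.0.0.INDEX; with the
# "lo1|" prefix jail(8) adds the alias at start and removes it at stop.
jail_conf_entry() {
    cat <<EOF
$1 {
    host.hostname = "$1.example.org";
    path = "/usr/jails/$1";
    ip4.addr = "lo1|10.0.0.$2/32";
}
EOF
}

# pf_conf_fragment NAME:INDEX:PORT ... -> NAT for the private net plus one
# redirect per published TCP service. Translation rules (nat, rdr) must come
# before the filter rules in pf.conf.
pf_conf_fragment() {
    printf 'ext_if = "%s"\njail_net = "%s"\n' "$EXT_IF" "$JAIL_NET"
    printf 'nat on $ext_if from $jail_net to any -> ($ext_if)\n'
    for spec in "$@"; do
        idx=${spec#*:}; idx=${idx%%:*}
        port=${spec##*:}
        printf 'rdr pass on $ext_if proto tcp from any to ($ext_if) port %s -> 10.0.0.%s\n' "$port" "$idx"
    done
}

# Usage: sh jailnet.sh www:2:80 mail:3:25  -> prints all three fragments
if [ $# -gt 0 ]; then
    echo '## /etc/rc.conf';   rc_conf_fragment
    echo '## /etc/jail.conf'; jail_conf_header
    for spec in "$@"; do
        idx=${spec#*:}; idx=${idx%%:*}
        jail_conf_entry "${spec%%:*}" "$idx"
    done
    echo '## /etc/pf.conf';   pf_conf_fragment "$@"
fi
```

Only the services you name get a redirect; everything else inside the jails stays reachable solely from the host and from other jails on 10.0.0.0/24, which is the point of the private network. Add your usual filter rules after the translation rules, and remember that a jail bound to a /32 on lo1 shares the host's routing table, so the host's default route is what carries its outbound traffic to the NAT rule.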
We’ve known since late last year that Opera is ceasing development for FreeBSD, which is disappointing as it’s arguably the best browser and FreeBSD is clearly the greatest operating system. However, it appears that Linux, too, might fall victim to Opera’s commercial predilections: Opera mocks Linux.
Thanks to Mike Caldwell, who notified correspondents on the tor-talk mailing list, a rather significant security hole in Thunderbird has been made public. I use Thunderbird, but have HTML disabled and only view mail in plain text, so I’ve never experienced this bug. If you view your mail in HTML, you should consider disabling it or installing TorBirdy.
Mike goes into detail in this post on his blog. I am grateful he has made this public, but I feel as though it should have been done sooner.
I decided to relocate the server running this site and a few other services to an old Pentium M 2GHz box with 4GB DDR2 SDRAM — a slight step up from its previous host. In the process, I opted to move syn.bsdbox.co to its second-level domain: bsdbox.co. This displaced access to some SOHO services but they’re now more secure elsewhere. Obviously in the mood for change, I decided to drop Apache for NGINX to complete the move. I can’t say why I elected to do this, or even if it was worth the hassle — rewriting Apache configuration to NGINX for Roundcube, ownCloud, WordPress and some database management applications is not an easy task — because I also upgraded my SSL protocols, which has brought about extended handshake times when accessing the server over HTTPS, so I’m actually experiencing extended loading times. Notwithstanding said encrypted requests, I can’t see any performance improvement in serving requests from this blog for example, but given everything is running on the same ADSL connection with only minor hardware improvements, I shouldn’t expect much from NGINX; maybe slightly quicker serving of static content. However, what I didn’t plan on was a host of other problems courtesy of NGINX, such as broken WordPress plugins and file uploads! I’m still in the process of ironing out these kinks but may just have to revert to Apache.
Running your own mail server puts the storage, transport and security of your mail under your own control. Fortunately, setting up your own Mail Transfer Agent (MTA) with IMAP is rather simple with Postfix and Dovecot on FreeBSD.
The following guide provides instructions to install a basic mail server using system users for authentication. For larger deployments, use a database backend such as MySQL with virtual users instead. TLS will be required before authentication, so that credentials and message content are never sent in the clear between client and server.
This procedure assumes you already have a certificate and private key to implement; if not, see this guide to establish your own Certificate Authority to certify service certificates, or use this guide to quickly generate a self-signed certificate.
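The script below is an added example, not the guide's own configuration: it prints the Postfix and Dovecot settings that make TLS a precondition for authentication with system users, and it includes a check that a server is not advertising AUTH on a cleartext SMTP session. Paths follow the FreeBSD port defaults (/usr/local/etc/postfix, /usr/local/etc/dovecot, queue directory /var/spool/postfix), the certificate file names are assumptions, and the two EHLO replies are constructed samples rather than captured traffic.

```sh
#!/bin/sh
# Added example: Postfix and Dovecot settings that refuse authentication until
# TLS is up, plus a check that a server is not offering AUTH on a cleartext
# session. Paths are FreeBSD port defaults and the certificate names are assumed;
# the EHLO replies at the bottom are constructed samples, not captured traffic.

# postfix_main_cf -> settings for /usr/local/etc/postfix/main.cf. TLS is offered
# (may), AUTH is only advertised after STARTTLS, and SASL is delegated to Dovecot
# through a socket relative to Postfix's queue directory.
postfix_main_cf() {
    cat <<'EOF'
smtpd_tls_cert_file = /usr/local/etc/ssl/mail.example.org.crt
smtpd_tls_key_file = /usr/local/etc/ssl/mail.example.org.key
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
EOF
}

# dovecot_conf -> settings for /usr/local/etc/dovecot/dovecot.conf: system users
# looked up through passwd (the auth worker runs as root on FreeBSD and can read
# the hash; use driver = pam if you need PAM policy), plaintext mechanisms only
# inside TLS, and the auth socket Postfix reads from inside its chroot.
dovecot_conf() {
    cat <<'EOF'
protocols = imap
ssl = required
ssl_cert = </usr/local/etc/ssl/mail.example.org.crt
ssl_key = </usr/local/etc/ssl/mail.example.org.key
disable_plaintext_auth = yes
auth_mechanisms = plain login
passdb {
    driver = passwd
}
userdb {
    driver = passwd
}
service auth {
    unix_listener /var/spool/postfix/private/auth {
        mode = 0660
        user = postfix
        group = postfix
    }
}
EOF
}

# auth_before_starttls EHLO_REPLY -> exit 0 if AUTH is advertised in the reply to
# a cleartext EHLO, i.e. a client could send its password unencrypted.
# Capture a live reply with: printf 'EHLO check\r\nQUIT\r\n' | nc -w 5 HOST 587
auth_before_starttls() {
    printf '%s\n' "$1" | grep -q '^250[ -]AUTH'
}

# Constructed samples: a server that leaks AUTH before TLS, and one that does not.
WEAK_EHLO='250-mail.example.org
250-STARTTLS
250-AUTH PLAIN LOGIN
250 8BITMIME'

GOOD_EHLO='250-mail.example.org
250-STARTTLS
250 8BITMIME'
```

After restarting both daemons, the cleartext capture should look like GOOD_EHLO; then run openssl s_client -starttls smtp -connect mail.example.org:587, type EHLO check once the handshake completes, and confirm that AUTH PLAIN LOGIN appears only in that encrypted reply. The same split applies to IMAP: with disable_plaintext_auth = yes Dovecot answers LOGINDISABLED on port 143 until STARTTLS.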