Visit Jeremy's Blog.
Go Back > Forums > Other *NIX Forums > *BSD
User Name
*BSD This forum is for the discussion of all BSD variants.
FreeBSD, OpenBSD, NetBSD, etc.


  Search this Thread
Old 01-11-2019, 07:23 PM   #1
LQ Newbie
Registered: Dec 2017
Posts: 21

Rep: Reputation: Disabled
How OpenBSD is secure compared to other operating systems?

I read many times OpenBSD is the most secure system and it has a minimal code base which affects its security. I'm curious how OpenBSD is secure comparing to other operating systems from BSD family (mainly FreeBSD, NetBSD, and HardenedBSD) and comparing to any hardened Linux (for example Gentoo, Arch, Slackware, Debian, RHEL etc.). Let's take into account FreeBSD - if we wish containerization, it has jails, if we wish MAC then FreeBSD has its built-in while in Linux we have a lot of different approaches and solutions - SELinux, RBAC, Apparmor, Firejail, Docker, LXC etc.
Let's consider two cases:

1. desktop - we assume using this system mainly for day-to-day operations, programming, sysadmin, running pentesting distro in VM etc.,
2. server - a website written in whatever programming language (for example PHP, Python, Ruby), mail server, IRC bouncer, LDAP, VPN etc.
Are default applications in OpenBSD such as OpenNTPd, httpd, OpenSMTPd more secure than tlsdate, nginx, postfix and dovecot?
Old 01-11-2019, 07:43 PM   #2
Senior Member
Registered: Jun 2009
Distribution: Haiku, macOS
Posts: 1,379

Rep: Reputation: 646Reputation: 646Reputation: 646Reputation: 646Reputation: 646Reputation: 646
I recently read this article, updated as of last month, regarding OOTB security ranking of various OS:

Granted, security is a process, and even an OpenBSD box can be made unsecure by poor configuration choices.
Old 01-13-2019, 10:15 AM   #3
Registered: Jan 2016
Distribution: None. Just OpenBSD.
Posts: 233

Rep: Reputation: 107Reputation: 107
As you must have seen when you asked this question on multiple subreddits ... everyone has their favorites, and everyone has an opinion.
I have one too, which is:

Security is a process, it is not a product you install.

Whether "desktop" or "server" makes no difference. Any application you happen to run is a collective. The application, supporting services, libraries, subfunction systems, operating system, physical architecture, and microcode are all part of delivering something ill-defined and unclear called "security."
4 members found this post helpful.
Old 01-05-2021, 06:05 PM   #4
Registered: Nov 2017
Distribution: OpenBSD Desktop and Server
Posts: 73

Rep: Reputation: Disabled
OpenBSD comes secure by default. As a desktop system with a browser installed it keeps things like ssh keys and hardware fingerprinting much more obscured than many Linux systems. Being a single 'whole' rather than a kernel + third parties (as per Linux) its more inclined to be more secure.
Old 01-06-2021, 01:34 PM   #5
Registered: Nov 2008
Location: US
Distribution: slackware
Posts: 367

Rep: Reputation: 180Reputation: 180

I do not think I ever saw this question

But one development in OpenBSD I noticed is pledge(2) and unveil(2) has been added to Firefox. I noticed it with 6.8 and you can adjust using files in /etc/firefox-esr

To me that minimizes some risk Firefox can present to you.
Old 01-07-2021, 08:24 AM   #6
Registered: Nov 2017
Distribution: OpenBSD Desktop and Server
Posts: 73

Rep: Reputation: Disabled
Firefox-esr works better for me in OpenBSD, chromium throws out more regular 'Oh snap!'. I had noticed the 6.8 pledge/unveil settings for /etc/firefox-esr, but haven't changed the defaults. The only changes I've made are to redirect the default search engine over to DuckDuckGo instead of Google.

Security is subjective ... data, keys (ssh), fingerprinting/tracking, penetration/persistence ...etc. At least from a 'desktop user' perspective.

If userid separation can be breached, such as privilege elevation at the main/host level then its game over. If that is reflected into a container then its still most likely game over.

The way I address it is I boot a minimal Linux that wifi net connects and establishes sound, and within that I boot OpenBSD using kvm/qemu. I do it that way as otherwise OpenBSD doesn't 'see' my wifi (in the kvm/qemu OpenBSD it picks up the wifi net connection as though it were hard wired ethernet). If for instance I use the Linux (host) system to ssh and store data then that is relatively secure and the ssh keys are outside of the OpenBSD system - that I use for browsing. In addition to that laptop I also use a old desktop system as a server, that has the main TV as its display. A nice feature with kvm/qemu is that you can boot in snapshot mode, i.e. all changes are lost at shutdown and the system reverts to being clean, so the server is a form of DIY VPS with disposable sessions, that when I vnc into that from my laptop (or phone) and browse, has sites see the servers fingerprints and IP, not the device I'm actually using. I also tunnel traffic (socks5), so sites see that IP, not the servers IP, nor can my ISP see any traffic other than just the ssh link/tunnel that socks5 uses. Yes if google has say 1 pixel transparent images in many many web sites (one way or another) that provides them with what source IP and when that page was viewed, or send inaudible tones to one device and have other devices report back that they hear that tone ... along with the numerous other 'tracking' methods used, then it is the servers IP that is reported, where any one of a number of individuals could be vnc controlling that server. Giveaways would of course be if a direct login to a site occurred and was recorded, such as logging into google/yahoo/facebook/etc. services - which I personally do infrequently. Similarly DNS lookups aren't directly associated, but instead are sourced from a multi-shared source (socks5 IP/ssh server). Nor is any javascript run on the actual device, again that's run on the server. In some Linux distros/browsers for instance browse to file:///sys/devices/virtual/dmi/id ... and javascript could pick up/feed-back details such as motherboard serial number/whatever, so even if you went through tor/tails but a site was given permission to run javascript (as is more often needed in order to just see a web sites content), then that's usually game-over, but in my case has the servers motherboard serial number being reported back, not my actual devices motherboard serial number.

So for me the setup I use addresses data security (separation); ssh key security (again separation); tracking/fingerprinting; And penetration persistence risk factors. But as others have said that is a process, not a product.

If I tried setting up say a Linux box to be secure, more likely I wouldn't configure something correctly such that that 'bug' invalidated the security. As I set things up however and that is relatively secure as largely I'm just using defaults - that the OpenBSD crew had already set to secure defaults. My Linux host levels can be insecure, as they're not used for browsing, such that any Linux insecurities are irrelevant (a hacker would have to 'own' the OpenBSD system(s) and escape that in order to get to the Linux layer).

Last edited by rufwoof; 01-07-2021 at 08:46 AM.
Old 01-07-2021, 08:56 AM   #7
Registered: Nov 2017
Distribution: OpenBSD Desktop and Server
Posts: 73

Rep: Reputation: Disabled
Fundamentally if you want security you have to forego using a gui browser. Base OpenBSD doesn't come with a browser and as such is more secure - but can you live/work with that? http/https is pretty much now google owned/controlled - provided at zero $ cost, but instead paid for in the form of 'oneself' - all/any personal data/activities being recorded, as though you'd given permission for a stranger to enter your home and report back all activities.

That is in breach of human rights in many countries, but is overlooked. Capitalism ($$$'s) trumps freedom.

Some, perhaps even many OpenBSD users may be content with just base OpenBSD. Calculator (xcalc), graphical editor (xedit) and ssh - that facilitates ssh'ing into a server where you aren't giving others permission to run things on your local device, and from where you can communicate with others, such as via maillists, irc, whatever. Separate to that you might run a graphical browser, perhaps via vnc, or using a phone, where you accept that everthing done via that can be monitored/recorded, and being mindful of that take care with what you do share/do. In effect consider it as being hacked/open by default.


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: 3 open source content management systems compared LXer Syndicated Linux News 0 06-30-2014 11:10 AM
which linux Operating systems applied to Embedded systems? ubun2os Linux - Embedded & Single-board computer 3 03-14-2013 05:24 PM
LXer: Isolating Your Linux Systems - How Sharing Operating Systems Can Put Holes in Your PCI Complia LXer Syndicated Linux News 0 04-09-2011 05:10 AM
What is the future in linux as compared to windows operating systems......?? charlesedwin Linux - Enterprise 7 12-31-2009 11:02 PM
ATI compared to Nvidia RATING SYSTEMS confusion! bigalexe General 2 02-20-2008 11:47 PM > Forums > Other *NIX Forums > *BSD

All times are GMT -5. The time now is 04:48 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration