[{"body":"Introduction Welcome to my FreeBSD hardening guide, refreshed for FreeBSD 15.1. FreeBSD is conservative and secure out of the box, but a box that faces the internet deserves more. This guide is a practical, defense-in-depth walkthrough you can apply to a fresh 15.1 install: patching, accounts, SSH, the firewall, the kernel, attack-surface reduction, the filesystem, and monitoring. Apply what fits your threat model — you don\u0026rsquo;t need every item on every machine. Throughout, a # prompt means run as root.\n1. Keep the system patched Nothing below matters if the box runs known-vulnerable code. Patching is the single highest-value control.\nBase system: freebsd-update On a RELEASE, fetch and install base security and errata patches:\n# freebsd-update fetch install Packages: pkg upgrade and pkg audit Keep packages current and — importantly — check them against the VuXML vulnerability database. The old portaudit is long gone; this is built into pkg now:\n# pkg update # pkg upgrade # pkg audit -F pkg audit -F refreshes the vulnerability database and reports any installed package with a known issue.\nAutomate it Let the box tell you when it needs attention. Add a daily base-update check that only mails root when patches are pending:\n# echo \u0026#39;@daily root freebsd-update cron\u0026#39; \u0026gt;\u0026gt; /etc/crontab And have the daily periodic run audit your packages, via /etc/periodic.conf:\nsecurity_status_pkgaudit_enable=\u0026#34;YES\u0026#34; 2. Accounts and authentication Password hashing and policy (login.conf) Modern FreeBSD already hashes passwords with SHA-512 by default; the old MD5 default is history. Confirm it (or switch to Blowfish with blf) in the default class of /etc/login.conf, and set a sane minimum length:\n:passwd_format=sha512:\\ :minpasswordlen=12:\\ After editing, rebuild the hashed database:\n# cap_mkdb /etc/login.conf Root login and privilege escalation Don\u0026rsquo;t share the root password or log in as root over the network. Create an admin user, add them to the wheel group, and escalate with a tool that logs and limits what it grants. doas is small and easy to audit:\n# pkg install doas # echo \u0026#39;permit persist :wheel\u0026#39; \u0026gt; /usr/local/etc/doas.conf (security/sudo is the heavier, more configurable alternative.) We lock direct root SSH login in the next section.\n3. Harden SSH (OpenSSH) SSH is usually the only door into the box, so make it a good one.\nsshd_config In /etc/ssh/sshd_config, prefer key-based auth and turn off the weak options:\nPermitRootLogin no PasswordAuthentication no KbdInteractiveAuthentication no PubkeyAuthentication yes AllowUsers youradmin Install your public key (~/.ssh/authorized_keys) and test key login before disabling passwords, or you\u0026rsquo;ll lock yourself out. Then reload:\n# service sshd reload Restricting AllowUsers (or AllowGroups wheel) to exactly who needs shell access is one of the highest-value lines in the file.\nBrute-force protection with blacklistd FreeBSD ships blacklistd, which watches for repeated auth failures and tells the firewall to drop the source. Enable it:\n# sysrc blacklistd_enable=YES # service blacklistd start Add UseBlacklist yes to sshd_config, reload sshd, and wire blacklistd into pf (below).\n4. Firewall with pf FreeBSD inherited OpenBSD\u0026rsquo;s pf, a clean and powerful packet filter. A good default is to deny everything inbound and open only what you actually serve; filtering on the external interface is usually enough.\nA default-deny ruleset A minimal /etc/pf.conf for a server offering SSH and HTTPS:\next_if = \u0026#34;vtnet0\u0026#34; # your external interface set skip on lo scrub in all # blacklistd inserts its block rules here anchor \u0026#34;blacklistd/*\u0026#34; in on $ext_if block in all pass out quick keep state # only the services you actually offer pass in on $ext_if proto tcp to ($ext_if) port { 22 443 } keep state # allow ping pass in on $ext_if inet proto icmp icmp-type echoreq Syntax-check, then enable and start it:\n# pfctl -nf /etc/pf.conf # sysrc pf_enable=YES # service pf start Hook blacklistd into pf The anchor \u0026quot;blacklistd/*\u0026quot; line is where blacklistd injects its blocks, so an SSH brute-forcer that trips blacklistd gets dropped at the firewall automatically. The default /etc/blacklistd.conf already covers ssh.\n5. Kernel and sysctl hardening Useful sysctls Add these to /etc/sysctl.conf (they apply at boot; set them now with sysctl \u0026lt;name\u0026gt;=\u0026lt;value\u0026gt;):\n# hide other users\u0026#39; processes security.bsd.see_other_uids=0 security.bsd.see_other_gids=0 # don\u0026#39;t let unprivileged users debug other processes security.bsd.unprivileged_proc_debug=0 # stricter hardlink handling in sticky dirs security.bsd.hardlink_check_uid=1 security.bsd.hardlink_check_gid=1 # stack guard page security.bsd.stack_guard_page=1 # randomize the IP ID field net.inet.ip.random_id=1 ASLR is already on Good news: address space layout randomization is enabled by default in base FreeBSD (since 13.0), so you no longer need a third-party kernel just for it. Confirm:\n# sysctl kern.elf64.aslr.enable kern.elf64.aslr.pie_enable kern.elf64.aslr.enable: 1 kern.elf64.aslr.pie_enable: 1 securelevel (know the trade-offs) kern.securelevel is a one-way ratchet: it makes the schg/sappnd file flags immutable, blocks loading kernel modules, and at level 3 freezes your firewall ruleset. It\u0026rsquo;s strong but operationally heavy — you\u0026rsquo;ll need single-user mode to change protected files, and some software dislikes it. Enable it deliberately via /etc/rc.conf:\n# sysrc kern_securelevel_enable=YES # sysrc kern_securelevel=2 Move to level 3 only once your firewall and system files are stable.\n6. Minimize the attack surface See what\u0026rsquo;s listening You can\u0026rsquo;t secure what you don\u0026rsquo;t know about. List listening sockets:\n# sockstat -4l USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS root sshd 803 4 tcp4 *:22 *:* unbound unbound 7620 6 tcp4 127.0.0.1:53 *:* Use -6l for IPv6 or -l for both. Anything on 127.0.0.1 isn\u0026rsquo;t reachable from the network; anything on * is (subject to your firewall). Every listener is attack surface — close what you don\u0026rsquo;t need.\nTurn off what you don\u0026rsquo;t need A default install is already lean. Disable the usual suspects you aren\u0026rsquo;t using:\n# sysrc sendmail_enable=NONE # sysrc inetd_enable=NO (FreeBSD has been moving sendmail out of the base system, so a clean 15.1 box may not ship it at all.)\nIsolate services in jails FreeBSD\u0026rsquo;s standout security feature is the jail — a lightweight, OS-level container. Run each network-facing service (web, mail, DNS) in its own jail so a compromise is contained to that jail instead of the whole host. Managers like bastille (pkg install bastille) make this easy. Architecturally, this is the biggest win on the list.\n7. Filesystem hardening Mount options Give each filesystem only the privileges it needs. A separate /tmp and /var can carry nosuid/noexec so an attacker can\u0026rsquo;t drop and run a binary there. In /etc/fstab:\n/dev/... /tmp ufs rw,nosuid,noexec,nodev 2 2 On ZFS, set the equivalents with zfs set exec=off setuid=off \u0026lt;dataset\u0026gt;. Test first — a few package build steps legitimately execute from /tmp.\nperiodic security checks The daily periodic security run reports setuid changes, failed logins and more. Turn on the pieces you want in /etc/periodic.conf:\ndaily_clean_tmps_enable=\u0026#34;YES\u0026#34; security_status_pkgaudit_enable=\u0026#34;YES\u0026#34; 8. Logging, auditing and monitoring The security periodic run By default FreeBSD mails root a daily security summary — read it. It flags new setuid binaries, kernel-message anomalies, login failures and more: cheap, high-signal monitoring.\nAudit with auditd (BSM) For real forensic logging, FreeBSD ships the OpenBSM audit framework. Enable it to record security-relevant events (logins, privilege use, file access) to a structured trail:\n# sysrc auditd_enable=YES # service auditd start Tune what\u0026rsquo;s captured in /etc/security/audit_control, and review with praudit and auditreduce.\nScan with Lynis For an automated second opinion, run Lynis, which checks dozens of hardening items and gives you a prioritized list:\n# pkg install lynis # lynis audit system 9. Going further MAC framework and Capsicum When you outgrow plain Unix permissions, FreeBSD offers the MAC framework — loadable Mandatory Access Control policies such as mac_portacl and mac_bsdextended — and Capsicum, the capability-mode sandbox built into many base utilities. Both confine processes well beyond users and groups.\nHardenedBSD HardenedBSD is a downstream of FreeBSD focused on exploit mitigation. Now that base FreeBSD ships ASLR, HardenedBSD\u0026rsquo;s value is the extra mitigations it carries — stronger ASLR, PaX-style protections, SEGVGUARD and ongoing CFI work. If your threat model warrants aggressive mitigation it\u0026rsquo;s worth evaluating, and the project always welcomes testers.\nFeedback Your feedback is encouraged. Tell me what\u0026rsquo;s missing, what you\u0026rsquo;d add, and what helped — this guide gets better every time someone does.\n","section":"howto","tags":[],"title":"Howto secure FreeBSD","url":"/howto/secure-freebsd/"},{"body":"I - Introduction This HOWTO shows you how to setup Linux emulation in FreeBSD. The reasons why you want to have it are many:\nRun closed source Linux software\nSecurity\nResearch\nJust for fun / because you can\nII - Preparation 1) Load kernel modules Load the linux kernel module:\nroot@bsdbox:/root # kldload linux III - Installation 1) Install linux emulation from ports We choose Fedora Core 10:\nroot@bsdbox:/root # cd /usr/ports/emulators/linux_base-f10/ root@bsdbox:/usr/ports/emulators/linux_base-f10 # make install clean +++ Some programs may need linprocfs, please add it to /etc/fstab! +++ Running linux ldconfig... This software is based in part on the work of the FreeType Team. See \u0026lt;URL:http://www.freetype.org/\u0026gt;. Installation of the Linux base system is finished. The Linux kernel mode, which must be enabled for Linux binaries to run, is now enabled. Linux mode can be enabled permanently with the linux_enable variable of rc.conf(5). If you want to use shared memory in Linux applications, you need to set up a link from /dev/shm to a suitable place, e.g. by adding the following line to /etc/devfs.conf (takes effect on each boot): link /tmp shm To make use of NIS you have to adjust yp.conf and nsswitch.conf in /compat/linux/etc/ accordingly. For example: Set your yp-server and yp-domainname in yp.conf: domainname my.yp.domainname ypserver my.yp.server Let your lists for hosts, passwd and group be resolved via nsswitch.conf: passwd: files nis shadow: files nis group: files nis hosts: files dns nis WARNING: doing work which needs to chroot into the linux base may not work. In such cases (e.g. cross-development) you are better suited with a linux_dist port. ===\u0026gt; Registering installation for linux_base-f10-10_5 root@bsdbox:/usr/ports/emulators/linux_base-f10 # IV - Tests 1) Test the emulation Jump into Linux emulation:\nroot@bsdbox:/root # /compat/linux/bin/sh Display system info:\nsh # uname -a V - Conclusion We successfully managed to setup Linux emulation in FreeBSD. Plese let us know what you liked and what not. Thank you!\n","section":"howto","tags":[],"title":"Howto setup Linux emulation in FreeBSD","url":"/howto/setup-linux-emulation-in-freebsd/"},{"body":"I - Introduction Since Samba 4 it is possible to have a full featured Active Directory PDC for your Windows clients without the need to install Windows Server.\nIn this compact HOWTO we install and configure samba4 on a FreeBSD machine.\nOur example server and domain looks like this.\nServer Hostname: dc01 Server IP: 192.168.0.2 DNS Domain Name: samdom.fleximus.org NT4 Domain Name: samdom Server Role: DC II - Installation 1a) Install Samba4 from ports cd /usr/ports/samba4 make config make install clean 1b) Install Samba4 from package pkg install samba4 III - Configuration 1) Provisioning Samba (Setup a new domain) samba-tool domain provision --use-rfc2307 --interactive 2) Start Samba Simply start samba using the command\nservice samba4 start or\n/usr/local/etc/rc.d/samba4 start depending on your FreeBSD version or what you prefer to use.\n3) TODO TODO\nIII - Testing your work TODO\nIV - Conclusion Another masterpiece of open source software (namely Samba4) helped us to setup a Windows Domain Controller for Windows Clients on a FreeBSD server. You saved to install a Windows Server product for this, which means you saved costs.\nWe hope this HOWTO was helpful to you and look forward to your feedback. Thanks!\n","section":"howto","tags":[],"title":"Howto setup Samba Domain Controller on FreeBSD","url":"/howto/setup-samba-domain-controller-on-freebsd/"},{"body":"I - Introduction AntiVir WebGate is a virus scanning proxy server from the German company Avira known for it\u0026rsquo;s good scanning engine. AntiVir WebGate is a Linux product. This HOWTO shows how you install and configure the software on a FreeBSD server and optionally how to use it together with squid.\nII - Preparations 1) Download Download the product archive directly from the Avira webservers.\nroot@bsdproxy:/tmp # fetch http://professional.avira-update.com/package/webgate/unix/int/antivir-webgate-prof.tar.gz If the above command does not work for you, go to product page and download from there.\n2) Setup Linux emulation Follow Howto Setup Linux emulation in FreeBSD instructions.\nIII - Installation 1) Unpack the download root@bsdproxy:/root # cd /tmp/ root@bsdproxy:/tmp # tar xzvf antivir-webgate-prof.tar.gz 2) Jump into the Linux emulation root@bsdproxy:/tmp # /compat/linux/bin/bash 3) Install the product bash-3.2# pw groupadd antivir bash-3.2# cd /tmp/antivir-webgate-prof-3.3.0.2-5/ bash-3.2# ./install Do you agree to the license terms? [n] y Enter the path to your key file: [] /tmp/avira.key Would you like to create a link in /usr/sbin for avupdate-webgate? [y] Would you like to setup Scanner update as cron task? [y] available options: d [2] Would you like to check for WebGate updates once a week? [n] Would you like to create a link in /usr/sbin for avwebgate? [y] Set up boot scripts? [y] setting up boot script ... failed Unable to locate where boot scripts belong. You can launch Avira WebGate with: /usr/lib/AntiVir/webgate/avwebgate start Press \u0026lt;ENTER\u0026gt; to continue. Would you like to activate SMC support? [y] 4) Product update bash-3.2# /usr/lib/AntiVir/webgate/avupdate-webgate --product=WebGate bash-3.2# exit IV - Configuration Alright, the product is now installed on your FreeBSD system, residing in the Linux emulation.\n1) Startup script You need to create a startup script for WebGate so it will be started upon a reboot.\nroot@bsdproxy:/tmp # vi /usr/local/etc/rc.d/avwebgate root@bsdproxy:/usr/local/etc/rc.d # vi /etc/rc.conf avwebgate_enable=\u0026#34;YES\u0026#34; :wq 2) Product configuration Now let\u0026rsquo;s go through the configuration. Edit the file /compat/linux/etc/avira/avwebgate.conf\nroot@bsdproxy:/root # vi /compat/linux/etc/avira/avwebgate.conf V - Tests 1) Try a sample virus Go to the EICAR website and try to download a zip file. If you get a red screen then you\u0026rsquo;re protected by AvWebGate which runs in the Linux Emulation of FreeBSD. Congratulations!\nVI - Conclusion TODO\n","section":"howto","tags":[],"title":"Howto install Avira AntiVir WebGate on FreeBSD","url":"/howto/install-avira-antivir-webgate-on-freebsd/"},{"body":"I - Introduction This HOWTO provides solutions and ideas on how to achieve PCI DSS compliance on a FreeBSD system towards PCI DSS Standard 3.0.\nPlease note that this HOWTO is NOT COMPLETE and probably never will. Nevertheless it might be helpful for you anyway as we update this HOWTO on a regular basis.\nII - PCI DSS Requirements Numbers correspond to the PCI DSS standard mentioned above.\n2.2.1) One function per server Have only one function per server. For example if your the is a webserver, only install webserver software, not any databases or FTP servers.\n4.4) Centralized Logging To have centralized logging, activate remote syslogging in /etc/syslogd.conf:\n*.* @remoteloghost 5.1) Anti-Malware / Anti-Virus Install one or more malware detection tools from the FreeBSD Ports: Port name\tDirectory Clam Antivirus\t/usr/ports/security/clamav Rootkit Hunter\t/usr/ports/security/rkhunter Spybye\t/usr/ports/security/spybye\n6.1) Time window for security updates You must install vendor critical security patches within 30 days.\nSubscribe to the FreeBSD advisories and security mailing lists listed at the FreeBSD Security Information website. Install /usr/ports/ports-mgmt/portaudit and take care of the produced logs if your ports need an update. 8.5.15) Automatic logouts You must logout idle users after 15 minutes. You do so by adding the following line to your /etc/csh.cshrc:\nset -r autologout=15 11.4) Intrusion detection Install an intrusion detection/prevention system from the FreeBSD Ports: Port name\tDirectory bsmtrace\t/usr/ports/security/bsmtrace Snort\t/usr/ports/security/snort\nIII - Feedback Your feedback on this HOWTO is highly encouraged. What did you like and what not? Any additions we can put in our list? Thank you for helping.\n","section":"howto","tags":[],"title":"Howto achieve PCI DSS compliance with FreeBSD","url":"/howto/achieve-pci-dss-compliance-with-freebsd/"},{"body":"Introduction Erlang is a functional programming language invented at Ericsson built to be highly scalable, high available, fault taulerant and it allows you to change code modules at runtime. FreeBSD\u0026rsquo;s stability and Erlang\u0026rsquo;s robustness make a perfect team.\nErlang is gaining more and more popularity due to it\u0026rsquo;s robustness and fault tolerancy. When Facebook baught WhatsApp in Jan 2014, it came to public attention that WhatsApp is built on FreeBSD and Erlang technology that can handles 1.000.000 simulatneous connection with only one server.\nSoftware built on Erlang Prominent software that is built on Erlang includes\nApache CouchDB, a JSON database\nejabberd, a massively scalable XMPP server,\nRabbitMQ, a robust message queue,\nRiak, a linear scalable NoSQL key-value storage,\nWhatsApp, the most successful instant messenger\nErlang on FreeBSD Typically for FreeBSD, you install software through a port or package. I\u0026rsquo;ll assume you to install the package by running pkg install erlang which installs you Erlang/OTP 18.2.x. OTP stands for Open Telecom Platform and is a set of components that make Erlang so great. When I write about Erlang, I really mean Erlang/OTP.\nFirst steps with the interpreter You start the Erlang interpreter by starting erl. A shell starts and waits for your input. You can quit it by typing q(). The dot is importing because it marks the end of your input and Erlang begins to execute your code.\nDisplay code paths # erl Erlang R16B03-1 (erts-5.10.4) [source] [async-threads:10] [hipe] [kernel-poll:false] Eshell V5.10.4 (abort with ^G) 1\u0026gt; code:get_path(). [\u0026#34;.\u0026#34;,\u0026#34;/usr/local/lib/erlang/lib/kernel-2.16.4/ebin\u0026#34;, \u0026#34;/usr/local/lib/erlang/lib/stdlib-1.19.4/ebin\u0026#34;, \u0026#34;/usr/local/lib/erlang/lib/xmerl-1.3.6/ebin\u0026#34;, \u0026#34;/usr/local/lib/erlang/lib/wx-1.1.2/ebin\u0026#34;, \u0026#34;/usr/local/lib/erlang/lib/webtool-0.8.9.2/ebin\u0026#34;, \u0026#34;/usr/local/lib/erlang/lib/typer-0.9.5/ebin\u0026#34;, \u0026#34;/usr/local/lib/erlang/lib/tv-2.1.4.10/ebin\u0026#34;, \u0026#34;/usr/local/lib/erlang/lib/tools-2.6.13/ebin\u0026#34;, \u0026#34;/usr/local/lib/erlang/lib/toolbar-1.4.2.3/ebin\u0026#34;, \u0026#34;/usr/local/lib/erlang/lib/test_server-3.6.4/ebin\u0026#34;, \u0026#34;/usr/local/lib/erlang/lib/syntax_tools-1.6.13/ebin\u0026#34;, \u0026#34;/usr/local/lib/erlang/lib/ssl-5.3.3/ebin\u0026#34;, \u0026#34;/usr/local/lib/erlang/lib/ssh-3.0/ebin\u0026#34;, \u0026#34;/usr/local/lib/erlang/lib/snmp-4.25/ebin\u0026#34;, \u0026#34;/usr/local/lib/erlang/lib/sasl-2.3.4/ebin\u0026#34;, \u0026#34;/usr/local/lib/erlang/lib/runtime_tools-1.8.13/ebin\u0026#34;, \u0026#34;/usr/local/lib/erlang/lib/reltool-0.6.4.1/ebin\u0026#34;, \u0026#34;/usr/local/lib/erlang/lib/public_key-0.21/ebin\u0026#34;, \u0026#34;/usr/local/lib/erlang/lib/pman-2.7.1.4/ebin\u0026#34;, \u0026#34;/usr/local/lib/erlang/lib/percept-0.8.8.2/ebin\u0026#34;, \u0026#34;/usr/local/lib/erlang/lib/parsetools-2.0.10/ebin\u0026#34;, \u0026#34;/usr/local/lib/erlang/lib/otp_mibs-1.0.8/ebin\u0026#34;, \u0026#34;/usr/local/lib/erlang/lib/os_mon-2.2.14/ebin\u0026#34;, \u0026#34;/usr/local/lib/erlang/lib/orber-3.6.26.1/ebin\u0026#34;, \u0026#34;/usr/local/lib/erlang/lib/observer-1.3.1.2/ebin\u0026#34;, \u0026#34;/usr/local/lib/erlang/lib/mnesia-4.11/ebin\u0026#34;, [...]|...] 2\u0026gt; The Basics Further links to Erlang programming A very good resource for Erlang programming is Learn You Some Erlang for Great Good!\n","section":"howto","tags":[],"title":"Getting started with Erlang programming on FreeBSD","url":"/howto/getting-started-with-erlang-programming-on-freebsd/"},{"body":"We are pleased to interview Oliver Pinter and Shawn Webb, the core developers of the HardenedBSD project.\nFounded in 2014, the project aims to be a security enhanced FreeBSD, with modern technologies like exploit mitigation known as PAX and ASLR but also introduces a bunch of new sysctls to the system.\nFleximus: Before we go into any details, please introduce yourself and then give us please a brief introduction of your project.\nOliver/Shawn:\nFleximus: When did you come to FreeBSD and why did you decide to start this sub-project?\nShawn: I first learned about FreeBSD as a teenager. I was introduced to it from a group of old-school hackers. I've fallen in love with it ever since. Oliver and I founded HardenedBSD in April of 2014. Both of us were interested in implementing ASLR for FreeBSD and Oliver already had an existing patch. We created HardenedBSD to coordinate our work on ASLR along with other exploit mitigations. We've been working on providing more exploit mitigation technologies ever since starting HardenedBSD.\nOliver: First time I tried FreeBSD at 6.1-STABLE version, but compiling the whole system takes too much time (KDE3 and OpenOffice), so I suspended the FreeBSD till 2008, when I got a new PC. This new PC was enough powerful to compile the whole system in finite time, the other part of the change from Debian to FreeBSD was an infinite number of XFS file system corruptions. I tried a lot of version from Linux - from 2.6.17 - 2.6.32 - but neither works, so I switched finally to FreeBSD.\nThe HardenedBSD project was started based on my University thesis, which primarily focused the Intel S.M.A.P. implementation to FreeBSD, and secondly on ASLR. One day I got an e-mail from pipacs (one member of the PaXTeam), that someone else started working on FreeBSD hardening, and he gives me a link to Shawn's blog entry. At the first times we worked on different repos, until I bored about the lot of merge / cherry-pick conflict, and I created the HardenedBSD repo on github, this was at 2014 spring.\nFleximus: What is the longterm goal of HardenedBSD? Upstreaming the patches becoming an integral part of the FreeBSD system seems to be a big one. We heard this could happen with FreeBSD 11.\nShawn: We want to provide the world with better security. FreeBSD is used quite heavily by some rather large companies and communities. FreeBSD lags behind the rest of the world in exploit mitigation technologies. We want to fill that gap.\nWhen FreeBSD releases 11.0, we'll follow within a reasonable amount of time (we get to define \"reasonable\" as \"when it's ready\") with our first official release.\nEventually, we want to start selling our own security appliances. We've started researching that already and have deliciousness cooking in the oven.\nWe're adding more system-level hardening bits. I'm hardening syscalls and sysctls. Oliver's continuing work on Intel SMAP and finishing up PaX NOEXEC. My next large task is revamping how our SEGVGUARD works, following grsec's model more closely. Oliver will also start on PaX UDEREF.\nWe added a new member to our team. He goes by the handle \"CTurt\". He's focusing on finding vulnerabilities and exploiting them in FreeBSD along with providing patches to secure those vulnerabilities.\nFleximus: Are there any key differences in the ASLR or PAX implementation compared to Linux or anything else worth noting?\nShawn: We took PaX's implementation as our inspiration, even working with the PaX Team in ensuring ours is implemented properly. Oliver: We followed mostly the PaX documentation, but currently we lack a little of them. Fleximus: OpenBSD implemented ASLR in 2003 and finished it's implementation in 2008. Did you look at their source code to evaluate a migration of their work to FreeBSD?\nShawn: Even though OpenBSD is BSD-licensed, I've avoided looking at other implementations to prevent licensing concerns. That way, my code is my code. I don't have to worry about adding others to the copyright statement and/or using their copyright altogether.\nFleximus: We read that you wrote patches for FreeBSD-11 and already backported those patches back to FreeBSD 10-STABLE. What is the current status of the project?\nShawn: All work we deem stable we backport to 10-STABLE. We maintain package repos for both 11-CURRENT/amd64 and 10-STABLE/amd64.\nOliver: At the project's beginning the code was developed on 10-STABLE and forwardported to 11-CURRENT. Shawn used 11-CURRENT and I used 10-STABLE, this is why we have so many merge conflicts. Primarily we focus with new developments on 11-CURRENT, and if the given feature is enough stable, we cherry-pick them to 10-STABLE too.\nFleximus: Actually there's an ongoing poll if the linuxulator (Linux compat layer) shall be removed from the sources or not. As we are aware the more features and the more compatibility code exists, the more attack surface is also present.\nShawn: I will be doing a bit more research into this area. It's still undecided whether we'll remove the linux compat layer. We need to wait till the linuxulator commits settle down and then do some additional work. As it stands right now, COMPAT_FREEBSD32 has been removed from our custom kernel (the HARDENEDBSD amd64 kernel config). COMPAT_FREEBSD32 is required for the linuxulator to work. You'd have to compile your own kernel with that option added in to get the linuxulator to work.\nFleximus: We are thanking you, Oliver and Shawn, for this interview. We got more insights and a better understanding of the HardenedBSD project and are even more excited to see and test the results.\nWe encourage anyone who is interested in the project to help with contributions, your ideas and thoughts. The project also accepts the usual donations, even bitcoins.\nShawn: Thank you for this great opportunity. We're having fun doing what we love. We hope to someday make this passion sustainable as a full-time employ. It's because of the community that we're at where we are now. We look forward to giving back.\nReferences:\nHardenedBSD website Full list of the HardenedBSD developer team and contributors IRC channel at Freenode Poll: linuxulator Removal \u0026#9632;","section":"blog","tags":["Interview","HardenedBSD","BSD"],"title":"HardenedBSD: An interview with the core developers","url":"/blog/freebsd/hardenedbsd-an-interview-with-the-core-developers-0x54/"},{"body":"You want to upgrade your FreeBSD system before 9.0 through freebsd-update and it fails, showing the following error message:\nThe update metadata is correctly signed, but failed an integrity check. Cowardly refusing to proceed any further. The problem lies in a broken version of freebsd-update(8) which got fixed in FreeBSD 9.0-RC1.\nTo fix your version simply run the following command:\nbsdbox# sed -i \u0026#39;\u0026#39; -e \u0026#39;s/=_/=%@_/\u0026#39; /usr/sbin/freebsd-update For a full reference read the official FreeBSD 9.0-RC1 announcement.\n","section":"blog","tags":[],"title":"freebsd-update fails on systems before 9.0","url":"/blog/freebsd/freebsd-update-fails-on-systems-before-90-0x52/"},{"body":"Let\u0026rsquo;s learn how to execute commands in a jail by referring to the jail name instead of the jail number.\nSuppose you have set up two jails, namely \u0026ldquo;mail\u0026rdquo; and \u0026ldquo;www\u0026rdquo;. The first is to run your mailserver, the second to run your webserver in a secure jail environment. Each jail has its own parameters like name, hostname, ip, rootdir and so on:\njailserver# grep jail /etc/rc.conf jail_enable=\u0026#34;YES\u0026#34; jail_list=\u0026#34;mail www\u0026#34; jail_mail_name=\u0026#34;mail\u0026#34; jail_mail_hostname=\u0026#34;mail.mydomain\u0026#34; jail_mail_ip=\u0026#34;192.168.0.11\u0026#34; jail_mail_rootdir=\u0026#34;/usr/jail/mail\u0026#34; jail_mail_devfs_enable=\u0026#34;YES\u0026#34; jail_www_name=\u0026#34;www\u0026#34; jail_www_hostname=\u0026#34;www.mydomain\u0026#34; jail_www_ip=\u0026#34;192.168.0.12\u0026#34; jail_www_rootdir=\u0026#34;/usr/jail/www\u0026#34; jail_www_devfs_enable=\u0026#34;YES\u0026#34; jailserver# The jails are started automatically during system startup. If you just configured the jails you want to start them immediately without to reboot:\njailserver# service jail start Configuring jails:. Starting jails: mail.mydomain www.mydomain. jailserver# jls JID IP Address Hostname Path 1 192.168.0.11 mail.mydomain /usr/jail/mail 2 192.168.0.12 www.mydomain /usr/jail/www jailserver# Now two jails are running, having jail ids 1 and 2 assigned. Those numbers are assigned automatically. To jump into a jail simply execute a shell in it:\njailserver# jexec 1 /bin/csh mail# sysctl security.jail.jailed security.jail.jailed: 1 mail# exit jailserver# What happens if you need to restart the jails and want to jump into one of them again?\njailserver# service jail restart Stopping jails: mail.mydomain www.mydomain. Configuring jails:. Starting jails: mail.mydomain www.mydomai■n. jailserver# jls JID IP Address Hostname Path 3 192.168.0.11 mail.mydomain /usr/jail/mail 4 192.168.0.12 www.mydomain /usr/jail/www jailserver# jexec 1 /bin/csh jexec: jail_attach(1): Invalid argument jailserver# I love shell history and use it quite often. But ooops, after the jail restart the JIDs are not the same as before. Let\u0026rsquo;s try it by name.\njailserver# jexec mail /bin/csh jexec: jail \u0026#34;mail\u0026#34; not found jailserver# Why isn\u0026rsquo;t the jail found? jexec(8) states\nThe jexec utility executes command inside the jail identified by its jid or name.\nand we set it in rc.conf but it is still not working. The reason for that is, we set up the name for the startup scripts. jexec does not now about it. In jail(8) there is an option -n where you can set the jail name. That\u0026rsquo;s what jexec looks up. So we need to set up /etc/rc.conf like this:\njailserver# grep jail /etc/rc.conf jail_enable=\u0026#34;YES\u0026#34; jail_list=\u0026#34;mail www\u0026#34; jail_mail_name=\u0026#34;mail\u0026#34; jail_mail_flags=\u0026#34;-n mail\u0026#34; jail_mail_hostname=\u0026#34;mail.mydomain\u0026#34; jail_mail_ip=\u0026#34;192.168.0.11\u0026#34; jail_mail_rootdir=\u0026#34;/usr/jail/mail\u0026#34; jail_mail_devfs_enable=\u0026#34;YES\u0026#34; jail_www_name=\u0026#34;www\u0026#34; jail_www_flags=\u0026#34;-n www\u0026#34; jail_www_hostname=\u0026#34;www.mydomain\u0026#34; jail_www_ip=\u0026#34;192.168.0.12\u0026#34; jail_www_rootdir=\u0026#34;/usr/jail/www\u0026#34; jail_www_devfs_enable=\u0026#34;YES\u0026#34; jailserver# Let\u0026rsquo;s restart the jails again and see if it\u0026rsquo;s now properly working as we wish:\njailserver# service jail restart Stopping jails: mail.mydomain www.mydomain. Configuring jails:. Starting jails: mail.mydomain www.mydomain. jailserver# jls JID IP Address Hostname Path 5 192.168.0.11 mail.mydomain /usr/jail/mail 6 192.168.0.12 www.mydomain /usr/jail/www jailserver# jexec mail /bin/csh mail# exit jailserver# Okay, now we can use the jail name which will be constant without the need to lookup the jid first.\nFinal note: This has been tested with FreeBSD 8.2. jail(8) tells us that the option -n is deprecated and setting the name by parameter should be equivalent. So I expect that the option is removed in the next major releases and the name parameter must be used. Unfortunately I did not manage to configure the name parameter so I am only showing this method.\n","section":"blog","tags":[],"title":"Switching into a jail by name","url":"/blog/freebsd/switching-into-a-jail-by-name-0x50/"},{"body":"When you work with a squid access log file you sometimes want to know when a site or resource was accessed. Squid does not store the date and time information for that in a human readable format.\nIt is stored as \u0026lt;unix timestamp\u0026gt;.\u0026lt;centisecond\u0026gt; so you can use a command like that to post-process to make it more readable for you:\ncat access.log | perl -p -e \u0026#39;s/^([0-9]*)/\u0026#34;[\u0026#34;.localtime($1).\u0026#34;]\u0026#34;/e\u0026#39; ","section":"blog","tags":[],"title":"Convert squid timestamps","url":"/blog/squid/convert-squid-timestamps-0x4f/"},{"body":"Nginx is a great webserver that is flexible, feature rich and fairly well documented. But have you ever wanted to whitelist files upon their extensions and did not find a solution in the documentation reference? The bad answer is you will not find it.\nThe good answer is: It is possible.\nif ($request_filename !~* \\.(gif|html|jpe?g|png|ico|js|css|flv|swf|pdf|xml)$ ) { return 404; break; } The request filename is checked against that regular expression which looks for all endings of filenames you want. If it does not match, Nginx will display a 404 (not found) page. This snippet should be used in the config file before any other rewrite rules or checks.\n","section":"blog","tags":["Webserver"],"title":"Nginx file extension whitelisting","url":"/blog/nginx/nginx-file-extension-whitelisting-0x4e/"},{"body":"FreeBSD boots painfully slow on new servers with Intels Nehalem chipsets. You don\u0026rsquo;t want to wait 180 seconds and more? Here\u0026rsquo;s the solution.\nJust add these two lines to your /boot/loader.conf and the boot time will significantly decrease:\nhint.atkbdc.0.disabled=\u0026#34;1\u0026#34; hint.atkbd.0.disabled=\u0026#34;1\u0026#34; The reason is that FreeBSD tries to find and initialize a PS/2 keyboard where no PS/2 is in the system at all.\n","section":"blog","tags":["Operating System"],"title":"Faster boot times on Nehalem systems","url":"/blog/freebsd/faster-boot-times-on-nehalem-systems-0x4d/"},{"body":"Haiku have been allocated eight students for this years Google Summer of Code program. Overall, 417 mentoring organizations applied and 3731 students submitted 5474 proposals. Haiku is proud to be one of 175 accepted mentoring organizations, with 35 submitted proposals and 8 accepted students!\nThat means, that 8 people are working on eight projects that will be hopefully successfully finished at the end of this summer. It is also Haiku\u0026rsquo;s opportunity to grow and refine young, intelligent, and highly motivated students into people who will continue to develop Haiku in the years to come.\nHere\u0026rsquo;s the overview of the accepted projects:\nServices server and Contacts files integration USB Video Driver for High-end Webcams Language bindings for the C++ API SDL upgrade Add USB 3.0 support to Haiku Bâtisseur: a build server for all. Port ZFS to Haiku VirtualBox guest additions for Haiku You can also look at the full announcement from Haiku\u0026rsquo;s website for this.\nWow, driver stuff is always a good thing but also a port of the ZFS file system sounds very promising. As I use Haiku in VirtualBox, the guest additions are helpful for a lot of people I think. Looking forward!\n","section":"blog","tags":["Operating System"],"title":"Haiku gets eight studens for GSoC 2011","url":"/blog/haiku/haiku-gets-eight-studens-for-gsoc-2011-0x4c/"},{"body":"The 2.10 release supports, thanks to updates of ACPI and APIC interrupt routing support, a much larger variety of hardware and multiprocessor systems than previous releases.\nThe Hammer Filesystem can now deduplicate volumes overnight in a batch process and during live operation. For estimation of space savings for existing data you can use this command:\n# hammer dedup-simulate The pf Packet Filter was updated to match OpenBSD\u0026rsquo;s 4.4 version of pf where DragonFly BSD used pf from OpenBSD 4.2 before.\nGCC 4.4 is now used as the default system compiler. Oher BSDs use older GCC versions, so it\u0026rsquo;s the first to take that step.\nThe bridging system has been rewritten. Multiple interfaces on a single system can be bound together transparently under a single virtual MAC address, and bandwidth aggregated to that new interface.\nThe MPLOCK (the primary lock, that when held ensures only a single cpu is operating within the kernel) has been removed from every area except the VM system. DragonFly is one of the few non-academic operating systems to use a primary sychronization mechanism that is not a blocking mutex.\nDragonFly BSD now offers significant performance gains over previous releases, especially for machines using AHCI or implementing swapcache(8).\nHere is the original DragonFly BSD 2.10 release page\n","section":"blog","tags":["Operating System"],"title":"DragonFly BSD 2.10 released","url":"/blog/dragonfly-bsd/dragonfly-bsd-210-released-0x4b/"},{"body":"After nine years of development nginx reaches version 1.0.0 which is now the latest stable version and ready for production. Version 0.8.54 is now the newest legacy stable version.\nA complete list of changes since its first public release from Oct 2004 is available.\nNginx is a rock solid HTTP and reverse proxy server and as well a mail proxy server. It performs best at static files and is used on the most heavily loaded websites in the world.\n","section":"blog","tags":["Webserver"],"title":"Nginx 1.0 released","url":"/blog/nginx/nginx-10-released-0x4a/"},{"body":"Imagine the following scenario: You can\u0026rsquo;t connect with VNC to your iMac/Mac Mini that runs Mac OS X Snow Leopard. The Screen Sharing service is not enabled. Anyway Remote Login via ssh is available. What can you do?\nWell, you can just start the Service via ssh with:\n$ sudo touch /private/etc/ScreenSharing.launchd Another way (which I didn\u0026rsquo;t checked though) is to execute this statement:\n$ echo -n enabled \u0026gt; /Library/Preferences/com.apple.ScreenSharing.launchd Wow, that sime! Now you can connect to your machine via VNC and work with the mouse. 🤓\nI hope this will help you like it helped me a lot.\n","section":"blog","tags":["MacOS X"],"title":"Enable screen sharing via ssh on Snow Leopard","url":"/blog/security/enable-screen-sharing-via-ssh-on-snow-leopard-0x49/"},{"body":"Have you ever wondered how anti-virus signatures are created?\nIn his article An Intro to Creating Anti-Virus Signatures the author describes three types of signature detections:\nhash signatures byte signatures heuristics Though the article focusses primarily on Microsoft portable executable files like .exe, .dll and .sys, it would be possible to analyze pdf , .ppt files if one would do that.\nThe article is well detailed and a good start to understand how anti-virus/anti-malware signatures are built.\n","section":"blog","tags":["Antivirus"],"title":"Introduction for anti-virus signature creation","url":"/blog/security/introduction-for-anti-virus-signature-creation-0x48/"},{"body":"This release resolves a critical security issue where the PHP interpreter can hang on a string to double conversion if x87 FPU registers are internally used. This DoS vulnerability is reported as PHP bug #53632 and is assigned as CVE-2010-4645.\nTo verify if your system is also affected, you can use this script and execute it from the command line: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 \u0026lt;?php /* +----------------------------------------------------------------------+ | PHP Version 5 | +----------------------------------------------------------------------+ | Copyright (c) 2011 The PHP Group | +----------------------------------------------------------------------+ | This source file is subject to version 3.01 of the PHP license, | | that is bundled with this package in the file LICENSE, and is | | available through the world-wide-web at the following url: | | http://www.php.net/license/3_01.txt | | If you did not receive a copy of the PHP license and are unable to | | obtain it through the world-wide-web, please send a note to | | license@php.net so we can mail you a copy immediately. | +----------------------------------------------------------------------+ | Author: Johannes Schlueter \u0026amp;lt;johannes@php.net\u0026amp;gt; | +----------------------------------------------------------------------+ */ if (PHP_SAPI != \u0026#39;cli\u0026#39;) { die(\u0026#34;Please run this test from CLI!\\n\u0026#34;);} ini_set(\u0026#39;display_errors\u0026#39;, 1); ini_set(\u0026#39;output_buffering\u0026#39;, 0); error_reporting(-1); if (!ini_get(\u0026#39;safe_mode\u0026#39;)) { set_time_limit(1); } echo \u0026#34;Testing float behaviour. If this script hangs or terminates with an error \u0026#34;. \u0026#34;message due to maximum execution time limit being reached, you should \u0026#34;. \u0026#34;update your PHP installation asap!\\n\u0026#34;; echo \u0026#34;For more information refer to \u0026amp;lt;http://bugs.php.net/53632\u0026amp;gt;.\\n\u0026#34;; $d = (double)\u0026#34;2.2250738585072011e-308\u0026#34;; echo \u0026#34;Your system seems to be safe.\\n\u0026#34;; ","section":"blog","tags":["PHP"],"title":"PHP 5.3.5 and 5.2.17 released, fixes possible DoS","url":"/blog/open-source/php-535-and-5217-released-fixes-possible-dos-0x47/"},{"body":"I am pleased to announce that Fleximus is now an official mirror for pfSense in Germany. As of this writing Fleximus is the only mirror located in Germany.\npfSense is a customized firewall and router distribution with FreeBSD under it\u0026rsquo;s hood. pfSense started as a fork of the m0n0wall project in 2004.\n","section":"blog","tags":[],"title":"pfSense mirror in Germany ","url":"/blog/pfsense/pfsense-mirror-in-germany-0x46/"},{"body":"OpenBSD 4.7 has been released!\nA look at the release page reveals that this release offers wider platform support, new drivers and improvements over existing ones, filesystem midlayer improvements.\n","section":"blog","tags":["Operating System"],"title":"OpenBSD 4.7 released","url":"/blog/openbsd/openbsd-47-released-0x45/"},{"body":"George Hotz alias geohot released his playstation 3 exploit to the public. It gains control of the hypervisor which could be used to run pirated PS3 games and game backups on the hacked machine.\nYou can find more details in his blog and also an article which explains what the exploit does for the less technical people.\n","section":"blog","tags":["Hacking","Linux"],"title":"Playstation 3 exploit released to the public","url":"/blog/security/playstation-3-exploit-released-to-the-public-0x44/"},{"body":"Due to incorrect data validation Squid is vulnerable to a denial of service attack when processing specially crafted DNS packets.\nVulnerable versions Squid still using the obsolete dnsserver are not vulnerable.\nThe ignore_unknown_nameservers option affects the severity of this vulnerability. When set to on (default) risk is low. When set to off the vulnerability risk is increased.\nAll unpatched Squid-3.0 versions up to and including 3.0.STABLE21 are vulnerable. All unpatched Squid-3.1 versions up to and including 3.1.0.15 are vulnerable. All unpatched Squid-2.x versions are vulnerable. Workarounds Using all of the following steps are required to protect a vulnerable Squid from this and other forms of DNS attack.\nEnsuring the ignore_unknown_nameservers is turned on. Ensuring that DNS packets cannot be sent to Squid from untrusted nameservers or other machines. The most secure implementation of these requirements is to use a nameserver running on the localhost IP dedicated for secure use by Squid and any other services on the Squid machine.\nAdvisory Link to full advisory: http://www.squid-cache.org/Advisories/SQUID-2010_1.txt\n","section":"blog","tags":[],"title":"Squid vulnerable to DoS attack: issue in DNS handling","url":"/blog/security/squid-vulnerable-to-dos-attack-issue-in-dns-handling-0x43/"},{"body":"The german antivirus company Avira has published statistics about file extensions used by malware in URLs that may occur in emails or infected websites for January 2010.\nThe most common extension used by malware is .exe (53.29%) followed by no file extension (18.99%) and the third place goes to .txt (10.37%).\n","section":"blog","tags":["Antivirus"],"title":"Avira malware extension stats for Jan 2010","url":"/blog/security/avira-malware-extension-stats-for-jan-2010-0x42/"},{"body":"The website of the BSD magazine announces that the BSD Mag is now becoming a free monthly online publication. You can sign up to their newsletter and get every issue straight to your inbox.\n","section":"blog","tags":[],"title":"BSD magazine becomes free online publication","url":"/blog/freebsd/bsd-magazine-becomes-free-online-publication-0x41/"},{"body":"Matthew Dillon is interviewed and asked about recent developments in DragonFly BSD.\nOriginal link: bsdtalk184 - DragonFlyBSD with Matthew Dillon\n","section":"blog","tags":["Operating System"],"title":"Bsdtalk 184: Interview about DragonFlyBSD","url":"/blog/dragonfly-bsd/bsdtalk-184-interview-about-dragonflybsd-0x40/"},{"body":"The ZFS Intent Log ZIL is a mechanism that gathers together in memory transactions of writes, and is flushed onto disk when synchronous semantics is necessary. In the event of crash or power failure, the log is examined and the uncommitted transaction would be replayed to maintain the synchronous semantics.\nProblem description When replaying setattr transaction, the replay code would set the attributes with certain insecure defaults, when the logged transaction did not touch these attributes.\nImpact A system crash or power fail would leave some file with mode set to 07777. This could leak sensitive information or cause privilege escalation.\nAdvisory Original advisary and solution: FreeBSD-SA-10:03.zfs\n","section":"blog","tags":[],"title":"FreeBSD security advisory 10-03: zfs","url":"/blog/freebsd/freebsd-security-advisory-10-03-zfs-0x3f/"},{"body":"The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP) used to synchronize the time of a computer system to a reference time source.\nProblem description If ntpd receives a mode 7 MODE_PRIVATE request or error response from a source address not listed in either a \u0026lsquo;restrict \u0026hellip; noquery\u0026rsquo; or a \u0026lsquo;restrict \u0026hellip; ignore\u0026rsquo; section it will log the even and send a mode 7 error response.\nImpact If an attacker can spoof such a packet from a source IP of an affected ntpd to the same or a different affected ntpd, the host(s) will endlessly send error responses to each other and log each event, consuming network bandwidth, CPU and possibly disk space.\nAdvisory Original advisory and solution: FreeBSD-SA-10:02.ntpd\n","section":"blog","tags":[],"title":"FreeBSD security advisory 10-02: ntpd","url":"/blog/freebsd/freebsd-security-advisory-10-02-ntpd-0x3e/"},{"body":"BIND 9 is an implementation of the Domain Name System (DNS) protocols. The named(8) daemon is an Internet Domain Name Server.\nDNS Security Extensions (DNSSEC) provides data integrity, origin authentication and authenticated denial of existence to resolvers.\nProblem description If a client requests DNSSEC records with the Checking Disabled (CD) flag set, BIND may cache the unvalidated responses. These responses may later be returned to another client that has not set the CD flag.\nImpact If a client can send such queries to a server, it can exploit this problem to mount a cache poisoning attack, seeding the cache with unvalidated information.\nAdvisory Original advisory and solution: FreeBSD-SA-10:01.bind\n","section":"blog","tags":[],"title":"FreeBSD security advisory 10-01: bind","url":"/blog/freebsd/freebsd-security-advisory-10-01-bind-0x3d/"},{"body":"There are two major vulnerabilities which were recently discovered in the PowerDNS Recursor (all versions up to and including 3.1.7.1) which can lead to a full system compromise and/or cache poisoning.\nThese vulnerabilities were addressed and resulted in the PowerDNS Reucursor 3.1.7.2 release. All PowerDNS Recursor Users are urged to upgrade as soon as possible.\nVersions of PowerDNS Authorative Server are not affected.\nOfficial announcement from Bert Hubert\n","section":"blog","tags":["PowerDNS"],"title":"Critical PowerDNS Recursor Security Vulnerabilities","url":"/blog/security/critical-powerdns-recursor-security-vulnerabilities-0x3c/"},{"body":"Fleximus wishes everybody a happy new year! We hope that 2010 will be a great year, with lots of good and exciting stuff.\nWe want to improve our website and its content further. More frequent blog entries with quality of information. Also some nifty litle tools will hopefully attract more users. Stay tuned!\n","section":"blog","tags":["UNIX"],"title":"Happy new year and welcome in 2010","url":"/blog/fleximus/happy-new-year-and-welcome-in-2010-0x3b/"},{"body":"Kingcope discovered and posted on Full-disclosure that the Run-Time Link-Editor rtld in recent FreeBSD versions has a dangerous bug. An attacker can trick rtld to accept a manipulated LD_PRELOAD environment variable even when executing setugid binaries like ping or su.\nThe FreeBSD Security Officer Colin Percival reacted quckly with a preliminary patch which might not be the final one. The patch is for use of own risk because it might not fix the issue or might introduce new ones.\nThe official FreeBSD security advisory is here: FreeBSD-SA-09:16.rtld\n","section":"blog","tags":["Hacking"],"title":"FreeBSD rtld local root exploit","url":"/blog/freebsd/freebsd-rtld-local-root-exploit-0x3a/"},{"body":"The Beta 2 Final of OllyDbg is now available and adds debugging of child processes to the feature list.\n\u0026lt;!- more\u0026ndash;\u0026gt; The debugging engine is more stable and tricky, OllyDbg knows more functions now and there\u0026rsquo;s a more or less consistent support for UNICODE and UTF-8 in dialogs and comments.\nOf course also many bugfixes.\nOllyDbg is a 32-bit assembler level analysing debugger for Microsoft Windows. Emphasis on binary code analysis makes it particularly useful in cases where source is unavailable. OllyDbg is a shareware, but you can download and use it for free.\nVersion information with download link: http://www.ollydbg.de/version2.html\n","section":"blog","tags":["Hacking"],"title":"OllyDbg 2.0 Beta 2 Final available","url":"/blog/security/ollydbg-20-beta-2-final-available-0x39/"},{"body":"The OpenLDAP project announced the availability of OpenLDAP 2.4.20, which is a maintenance release that fixes about 40 bugs.\nHere is the download page: https://www.openldap.org/software/download/\n","section":"blog","tags":["OpenLDAP"],"title":"OpenLDAP 2.4.20 released","url":"/blog/open-source/openldap-2420-released-0x38/"},{"body":"Database performance is essential and the most common bottleneck of web application is the database. Often the DBA is concerned about the performance but not only he should be, it\u0026rsquo;s also the application developers that should keep an eye on database performance.\nBurak Guzel shows in his article Top 20+ MySQL Best Practices on net.tutsplus 20+ best practises for MySQL application developers.\nEven this is specific to MySQL databases I found his tips are mostly applicable for any other database (for example PostgreSQL). The article should be read by anyone that\u0026rsquo;s interested in database performance.\n","section":"blog","tags":["MySQL","Performance"],"title":"Top 20+ MySQL best practises","url":"/blog/security/top-20-mysql-best-practises-0x37/"},{"body":"Database security is essential with today\u0026rsquo;s web applications. You should have the control, not the bad guys that are visiting your website. Exposing sensitive information from your database is bad, loosing data from your customers is even worse.\nRobert Bernier published an article plus downloadable PDF on IBM\u0026rsquo;s developerWorks where you can learn about security measures to protect your PostgreSQL database.\nUpdate 2020-01-18: Replaced the link since it was no longer working. Check also his presentation PostgreSQL: Welcome To Total Security on SlideShare!\n","section":"blog","tags":[],"title":"Postgresql and total security in the database","url":"/blog/postgresql/postgresql-and-total-security-in-the-database-0x36/"},{"body":"FreeBSD 8.0 is available for download on the ftp servers. Please note that at the time as we are writing this, there\u0026rsquo;s not yet an official statement on the FreeBSD website.\nThis release brings an overhauled USB stack, a new partition class called slices and NFSv4.\nThe old USB stack had problems when you disconnected devices before they\u0026rsquo;d have been unmounted and freezed the machine. This is now past. The new stack is backwards compatible with old drivers.\nNFS version 4 brings new features like a stateful protocol, performance improvements and stronger security through ACLs and strong authentication. The brand new NFS lock manager runs in the kernel mode, operates multithreaded and has deadlock detection.\nDespite ISO images for the platforms amd64, i386, ia64, pc98, powerpc, sparc64 an image for USB sticks will be there. Great stuff, thanks to everyone that worked on the new release!\n","section":"blog","tags":["Operating System"],"title":"FreeBSD 8.0 Release available","url":"/blog/freebsd/freebsd-80-release-available-0x35/"},{"body":"Google created a new systems language, the Go Programming Language.\nThe language is a mix between C/C++ and a dynamically typed language like Python/JavasSript. The language has a garbage-collector and avoids the overhead of C-style include files and libraries which results in fast compile times for large projects.\nThe Go FAQ should answer the most questions and shows the projects purpose.\n","section":"blog","tags":["Google"],"title":"The Go Programming Language by Google","url":"/blog/open-source/the-go-programming-language-by-google-0x34/"},{"body":"Lighttpd 1.4.24 is out which brings TLS SNI support, connection state handling and improved FastCGI code. Also a lot of bugs were fixes.\nHave a look at the release announcement 1.4.24 - now with TLS SNI and money back guarantee for a full list of changes.\n","section":"blog","tags":["Lighttpd","Webserver"],"title":"Lighttpd 1.4.24 released","url":"/blog/open-source/lighttpd-1424-released-0x33/"},{"body":"Matthieu Bouthors from #IHTeam.net has discovered that squidGuard 1.4 is vulnerable to multiple buffer overflow attacks.\nAn attacker might for example use a buffer closely to 4096 characters to bring squidGuard into emergency mode and bypass all filter rules.\nSquidGuard is an URL filtering software which is often used with squid, the (caching) proxy server. It is licensed under the GPL .\nThe vulnerability is assigned to CVE-2009-3700.\nUpdate 2020-01-18: Replaced the original link to ihteam.net website with link to Packet Storm and provided a CVE link.\n","section":"blog","tags":[],"title":"squidGuard 1.4 has multiple buffer overflows","url":"/blog/security/squidguard-14-has-multiple-buffer-overflows-0x32/"},{"body":"Mozilla blogs about the security updates for Firefox 3.5.4 and 3.0.15 which are now available for download.\nThe release notes for Firefox 3.5.4 show that this release contains 11 security fixes and 6 are critical. All users are encourages to install this security update otherwise you\u0026rsquo;d be vulnerable to heap buffer overflow attacks, memory safety bugs and others.\n","section":"blog","tags":["Firefox"],"title":"Firefox 3.5.4 and 3.0.15 security updates","url":"/blog/security/firefox-354-and-3015-security-updates-0x31/"},{"body":"The FreeBSD Foundation announced pleasently the new funded FreeBSD HAST project. The software will be a file system and software independant synchronous replication which operates on the block-level in a cluster environment.\nIt works over TCP/IP and can use any GEOM providers. Pawel Dawidek has been awarded to implent this highly available storage replication system.\nThe project is partly funded by OMCnet Internet Service GmbH and TransIP BV and will be finished by Feb 2010.\nEditors comment This is great news and a pleasant surprise. Also looking forward to get a port of a finished and feature complete HAMMER file system.\n","section":"blog","tags":["Operating System"],"title":"FreeBSD HAST project funded","url":"/blog/freebsd/freebsd-hast-project-funded-0x30/"},{"body":"The FreeBSD Quaterly Status Report for April-September 2009 is now online.\nIt\u0026rsquo;s always worth to have a look at it. For example there\u0026rsquo;s a working port of Grand Central Dispatch, which Apple has released the source code for a few weeks ago. Or there is the libprocstat(3) project which can retrieve process statistics. Information about running processes and open files will be helpful for monitoring applications.\n","section":"blog","tags":["Operating System"],"title":"FreeBSD status report 2009, April-September","url":"/blog/freebsd/freebsd-status-report-2009-april-september-0x2f/"},{"body":"Theo de Raadt announced OpenBSD 4.6 on the openbsd-misc mailing list.\nThe announcement gives an overview of the most important changes. For a detailed information have a look at https://www.OpenBSD.org/plus46.html. OpenBSD should be released on Oct 1st but has been delayed to Nov 1st. The more happy we are that we can get it earlier.\n","section":"blog","tags":["Operating System"],"title":"OpenBSD 4.6 released","url":"/blog/openbsd/openbsd-46-released-0x2e/"},{"body":"The PCI DSS is a worldwide security standard assembled by the PCI SSC . The organization was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc. The PCI DSS was created to minimize and prevent credit card fraud in any organization that processes credit card payments. If your company holds, processes or passes credit card information then you need to follow this security standard.\nThe current PCI DSS version is 1.2.1 from July 2009. What are the Requirements and Security Assessment Procedures?\nThe twelve requierements Build and Maintain a Secure Network Requirement 1: Install and maintain a firewall configuration to protect cardholder data Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data Requirement 3: Protect stored cardholder data Requirement 4: Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program Requirement 5: Use and regularly update anti-virus software or programs* Requirement 6: Develop and maintain secure systems and applications Implement Strong Access Control Measures Requirement 7: Restrict access to cardholder data by business need to know Requirement 8: Assign a unique ID to each person with computer access Requirement 9: Restrict physical access to cardholder data Regularly Monitor and Test Networks Requirement 10: Track and monitor all access to network resources and cardholder data Requirement 11: Regularly test security systems and processes Maintain an Information Security Policy Requirement 12: Maintain a policy that addresses information security for employees and contractors More information You can get all detailed information, lots of documents with standards and supporting document in many languages at the PCI Security Standards Council.\n","section":"blog","tags":["PCI DSS"],"title":"The PCI Data Security Standard","url":"/blog/security/the-pci-data-security-standard-0x2d/"},{"body":"Timo Sirainen announced Dovecot v2.0.alpha1 release on the dovecot-news mailing list. It\u0026rsquo;s not fully finished and polished but he states that it should work for most people. The core and main developer Sirainen already started using it without noticing any errors until now.\nDovecot 2.0 introduces according to the Dovecot roadmap a rewrite of the master process and the config handling framework, an even better optimized file index and the dsync utility that syncs two mailboxes reliable and efficiently.\n","section":"blog","tags":["Dovecot"],"title":"First Dovecot 2.0 alpha released","url":"/blog/open-source/first-dovecot-20-alpha-released-0x2c/"},{"body":"The first antivirus program for Mac OS X came from Sophos. Other vendors waited until the Mac got more attention, not only to users but also to malware authors. These beautiful computer systems are nowadays not only used by graphic designers but also by developers, administrators and CEOs. Everyone who wants a beautiful computer and/or operating systems. No doubt it is the sexiest UNIX system.\rNow the antivirus suites for Mac OS X from other vendors are popping up. Kaspersky announces Kaspersky Anti-Virus for Mac which uses the same engine as on Microsoft Windows and also supports Snow Leopard. It will be available from 15th October 2009. A beta release was published in june, according to this release note in their forum.\rMcAfee has now a full endpoint security protection suite for Mac, but also an ordinary VirusScan for Mac in their portfolio.\rI\u0026rsquo;m looking forward that others will follow, especially the popular AntiVir from Avira.\n","section":"blog","tags":["Antivirus"],"title":"More antivirus suites arrive on Mac","url":"/blog/security/more-antivirus-suites-arrive-on-mac-0x2b/"},{"body":"To support our visitors privacy I\u0026rsquo;m proud to announce that Fleximus can now be reached via HTTPS.\rFleximus is using a StartSSL Class 1 certificate that is free of charge, thanks to StartCom Ltd, a startup from Israel.\n","section":"blog","tags":[],"title":"Fleximus is now reachable via HTTPS","url":"/blog/fleximus/fleximus-is-now-reachable-via-https-0x2a/"},{"body":"FreeBSD published a security advisory FreeBSD-EN-09:05.null due to a security vulnerability in the FreeBSD kernel.\nA malicious process that has mapped code or data at address 0 may be able to execute arbitary code with kernel privileges when invoking a NULL pointer.\nThis is an issue that was also already discovered in the Linux kernel a few days before.\nAfter updating your kernel you should add the following line to either /boot/loader.conf or /etc/sysctl.conf:\nsecurity.bsd.map_at_zero=\u0026#34;0\u0026#34; Don\u0026rsquo;t forget to reboot! 🤓\n","section":"blog","tags":[],"title":"Security update for FreeBSD","url":"/blog/freebsd/security-update-for-freebsd-0x29/"},{"body":"The Mozilla Security Blog has an article A Glimpse Into the Future of Browser Security that the CSF feature is now available in preview builds of Firefox.\rContent Security Policy is intentended to mitigate against the web application vulnerabilites XSS and CSRF which increased considerabely over the last few years.\rGrab a preview build of Firefox from the download page and help testing this new feature. The demo page has currently 11 individual tests if your browser supports CSP (showing PASS) or not (showing FAIL).\n","section":"blog","tags":["Firefox","Browser"],"title":"Firefox with CSP now part of the preview builds","url":"/blog/security/firefox-with-csp-now-part-of-the-preview-builds-0x28/"},{"body":"The release of OpenBSD 4.6 is unfortunately postponed to Nov 1 due to serious CD production problems. Theo de Raadt announced the delay on openbsd-misc today.\rThe developers intended to bring out the release on Oct 1 because the tree was frozen earlier than normal. They are sorry about the dalay and stick to the traditional release date Nov 1 in the future.\n","section":"blog","tags":["Operating System"],"title":"OpenBSD 4.6 postponed for a month to Nov 1","url":"/blog/openbsd/openbsd-46-postponed-for-a-month-to-nov-1-0x27/"},{"body":"DragonFly 2.4 is a major release that brings a lot of new features, as you can read in their release notes.\rThere\u0026rsquo;s also a 64-bit experimental version available.\rIt is preferred that you choose a mirror site for downloads, for example Avalon or chlamydia.\n","section":"blog","tags":["Operating System"],"title":"DragonFly BSD 2.4 release available","url":"/blog/dragonfly-bsd/dragonfly-bsd-24-release-available-0x26/"},{"body":"Secunia reports in advisory SA3675 about a buffer underflow vulnerability in the function ngx_http_parse_complex_uri() of the nginx webserver and rates it as highly critical. Impacts may be a DoS attack or remote system access.\rChangelogs were published for nginx 0.7.62, nginx 0.6.39 and nginx 0.5.38.\rWe highly recommend that you upgrade to the latest version of nginx.\n","section":"blog","tags":["Secunia"],"title":"nginx buffer underflow reported by Secunia","url":"/blog/nginx/nginx-buffer-underflow-reported-by-secunia-0x25/"},{"body":"The Haiku Operating System is the open source resurrection of BeOS, the Be Operating System. The project started in 2001 under the name OpenBeOS and changed it\u0026rsquo;s name in 2004 to Haiku to circumvent any legal issues. The kernel is a fork of the NewOS kernel written by an ex-Be engineer. The Haiku team focussed on binary compatibity to BeOS 5 and started to replace single parts of the system with an open source alternative.\rHaiku took part in the GSoC 2009 where five students/project were accepted. It is the second time that Haiku took part in a GSoC. One interesting and promising project is the port and integration of WebKit into a native browser for Haiku.\rIf you are interested in alternative (open source) operating systems or you were ever interested in BeOS or even a fan of it, then you should get Haiku and try it out yourself. You\u0026rsquo;ll find the press release about R1/Alpha 1 here. Please keep in mind, that this is an alpha release, which means that it is not yet feature complete and is still under development and not a finished product with lot\u0026rsquo;s of polishments/service packs/etc. It is unusual that a software is so stable in this state, but hey this is good for us, the users. And it\u0026rsquo;s already pretty fast.\rLong live Haiku, thanks to all the developers and thank you for licensing all your stuff under the terms of the MIT license!\n","section":"blog","tags":["Operating System"],"title":"Haiku Project releases Haiku R1/Alpha 1","url":"/blog/haiku/haiku-project-releases-haiku-r1alpha-1-0x24/"},{"body":"OpenBSD 4.6 is scheduled for release on 2009-10-01. Pre-Orders are now accepted.\rThe new release brings a new privilege-separated SMTP daemon, improvements over OpenBGPD, OpenOSPFD and other routing daemons, a per default enabled pf(4) that has stricter checking for ICMP and ICMP6 packets, improved driver support and many more changes.\rHere is the full list of changelog for OpenBSD 4.6\n","section":"blog","tags":["Operating System"],"title":"OpenBSD 4.6 Pre-Orders available","url":"/blog/openbsd/openbsd-46-pre-orders-available-0x23/"},{"body":"Fleximus moved to the new domain www.fleximus.org today. Please update all your bookmarks and blog software accordingly. Thank you!\n","section":"blog","tags":[],"title":"Fleximus moved to new domain","url":"/blog/fleximus/fleximus-moved-to-new-domain-0x22/"},{"body":"One of the few security portals hosting exploits, 0days and other vulnerabilities has closed it\u0026rsquo;s doors. The guy behind Milw0rm, called str0ke, said he wasn\u0026rsquo;t able to handle the sent in exploits and emails in an acceptible timeframe. All vulnerabilities were reviewed by him before it went online.\rBecause of these news the webserver did not withstand the wave of request that came in.\rAfter a few days offline, the website is now back with a bigger machine. Thanks to some of his friends, that are willed to share tasks and keep the website online.\rReferences:\rMilw0rm websitestr0ke on twitter\n","section":"blog","tags":[],"title":"Security portal Milw0rm closed - but not for long","url":"/blog/security/security-portal-milw0rm-closed-but-not-for-long-0x21/"},{"body":"OpenEAV, the free and open antivirus system for the enterprise is watching out for a talented and experienced C++/QT programmer with good knowledge of the STL and the Boost library. The client gui needs to be designed, implemented and must fit well around OpenEAV\u0026rsquo;s core api.\rEveryone who feels to be interested in helping out should not hesitate to contact me.\rThe OpenEAV project is hosted on Google Code\rIn additional news, the project now has it\u0026rsquo;s own development list OpenEAV-devel. I hope I can share it with other developers soon. :-)\n","section":"blog","tags":["Antivirus"],"title":"Developers for OpenEAV wanted","url":"/blog/security/developers-for-openeav-wanted-0x20/"},{"body":"Symantec reports that most of their av products have a security issue in conjunction with prepared archive files. These could bypass the virus scanner because the file format is not correct but the operating system is still able to etract the files.\rAlso Frisk (F-Prot), Norman and Ikarus published updates to similar problems in their products.\rKaspersky silently deployed updates to a parsing bug that prevented to identify pdf files if the magic string %PDF was missing. Adobe Reader still opens such files and worse, executes any JavaScript in it.\rThe security specialist Thiery Zoller found and reported several security bugs to the antivirus vendors.\rUpdate:\rClamAV has also released a new version of their scanner. ClamAV 0.95.2 fixes problems in file archive processing.\rReferences:\rSymantec report: Specifically Crafted Archive Files can Bypass Initial ScansThiery Zoller about Kaspersky PDF evasionClamAV announces Version 0.95.2\n","section":"blog","tags":["Antivirus"],"title":"Multiple antivirus products with security issues","url":"/blog/security/multiple-antivirus-products-with-security-issues-0x1f/"},{"body":"Secunia, well known for their vulnerability research and vuln announcements, has released the Secunia 2008 Report as pdf.\rThe report shows that they release more advisories per year and 0-day vulnerabilities felt back to the 2006-level for decreasing about 40 percent. Also very interesting was the comparison of browser security. While Firefox has more vulnerabilities than IE, Safari and Opera together, those security holes are closed way faster than the ones from IE. This makes Firefox in summary more secure.\rMy take: I recommend Firefox to everyone!\n","section":"blog","tags":["Secunia"],"title":"Secunia releases annual report for 2008","url":"/blog/security/secunia-releases-annual-report-for-2008-0x1e/"},{"body":"Version 1.21 is mainly a bugfix release over 1.4.20 and fixes at least 30 bugs. There are also 3 new features: mod_compress now supports caching through etags and last-modifieda new config setting debug.log-timeouts = \u0026ldquo;enable\u0026rdquo;. The default is now disabled and eleminates annoying log entriesa new $HTTP[\u0026ldquo;language\u0026rdquo;] conditional that allows interesting stuff like url rewritings that takes language codes into account\rThe official Lighttpd 1.4.21 release announcement and changelog\n","section":"blog","tags":["Lighttpd","Webserver"],"title":"Lighttpd 1.21 released","url":"/blog/open-source/lighttpd-121-released-0x1d/"},{"body":"One of the most interesting improvements made in DragonFly BSD are about the HAMMER filesystem which is now considered ready for productional use. It is also now possible to boot from a HAMMER-only disk, though this is still not recommended. On the kernel side first steps toward AMD64 support have been made, thanks to the Google Summer of Code 2008.\rFor a complete list of changes and release notes have a look at the DragonFly 2.2 release page.\rI can\u0026rsquo;t wait to play with a full-featured HAMMER filesystem, that allows multi-master replication!\n","section":"blog","tags":["Operating System"],"title":"DragonflyBSD 2.2 released","url":"/blog/dragonfly-bsd/dragonflybsd-22-released-0x1c/"},{"body":"OpenBSD releases every half year a new version, usually at 1st of May and 1st of Nov.\rNow the upcoming version 4.5 has been tagged as BETA which should be available on the OpenBSD mirrors soon. You are invited to check it out and report bugs you find to make this release also a good and stable system.\rReference: OpenBSD developer Miod Vallat tagged the operating system to 4.5-BETA.\n","section":"blog","tags":["Operating System"],"title":"OpenBSD turns 4.5-BETA","url":"/blog/openbsd/openbsd-turns-45-beta-0x1b/"},{"body":"The new version brings ULE as the default scheduler, DTrace inside the kernel framework, booting from USB devices, improved NFS Lock Manager (NLM) client, a new cpuset(2) system call and cpuset(1) command that brings an API for thread to CPU binding and last but not least DVD-sized media (only i386 and amd64).\nUntil now there were only CD ISO images available.\nFor a complete overview of changes have a look at the FreebSD 7.1-RELEASE Release Notes.\n","section":"blog","tags":["Operating System"],"title":"FreeBSD 7.1 released","url":"/blog/freebsd/freebsd-71-released-0x1a/"},{"body":"The danish computer security service provider has released Secunia PSI (Personal Software Inspector) version 1.0 after a 17 month beta test period.\rWith this software you can identify unpatched and old software that makes your Windows system vulnerable to attacks. Though this is not a complete indicator, Secunia can identify currently about 5.500 applications. This is quite a lot and the list continues to grow. I also tested and still use Secunia PSI. It offers a good overview what software needs updates, patches, etc. and speeds those up by providing a button that points to the right update sites.\rIt is so easy that I can recommend it for everyone that want to have Secunia Blog entry \u0026ldquo;Secunia PSI 1.0 (Final) has been released\u0026rdquo;\rDownload the latest Secunia PSI here\n","section":"blog","tags":["Secunia"],"title":"Secunia PSI 1.0 released","url":"/blog/security/secunia-psi-10-released-0x19/"},{"body":"Hugo Leisink has released a new version of his webserver hiawatha. The version 6.10 adds CSRF (Cross Site Request Forgery) protection. Hiawatha is a secure and light webserver written in C.\n","section":"blog","tags":["Hiawatha","Webserver"],"title":"Hiawatha 6.10 released, new feature: CSRF protection","url":"/blog/open-source/hiawatha-610-released-new-feature-csrf-protection-0x18/"},{"body":"There\u0026rsquo;s a small series about insecure C programming on the informIT website.\rDavid Chisnall shows the pitfalls involved in writing insecure code in C.\r1. Error Checking2. Integer Issues3. Buffers and Strings\n","section":"blog","tags":["Coding","C"],"title":"Writing Insecure C","url":"/blog/security/writing-insecure-c-0x17/"},{"body":"Google\u0026rsquo;s new browser Chrome has been released today.\rThere\u0026rsquo;s also the first exploit available.\r\u003c![CDATA[","section":"blog","tags":["Browser","Google"],"title":"Google Browser Chrome released. First exploit available.","url":"/blog/open-source/google-browser-chrome-released-first-exploit-available-0x16/"},{"body":"PHPIDS is an opensource Intrusion Detection System written in and for PHP. It\u0026rsquo;s licensed under the GPLv2 license.\rReferences:\rPHPIDS Website\rPHPIDS Demo\r","section":"blog","tags":["Intrusion Detection","PHP"],"title":"PHP-IDS, an Intrusion Detection System for PHP","url":"/blog/security/php-ids-an-intrusion-detection-system-for-php-0x12/"},{"body":"The OpenRCE community website was created from scratch to grow with the needs in community that\u0026rsquo;s targeted to reverse engineering. Security researches use the advantages of OpenRCE as a centralized recource because of hosted files, blog, forums, articles and more.\rReferences:\rOpenRCE website\r","section":"blog","tags":[],"title":"OpenRCE, the Open Reverse Code Engineering community","url":"/blog/security/openrce-the-open-reverse-code-engineering-community-0x11/"},{"body":"Zone-H publishes every year stats of registered attacks.\rAccording to those stats the most targeted operation systems are Linux, Windows 2003 and Windows 2000. The most defaced webservers are Apache, IIS/6.0 and IIS/5.0. References:\rZone-H.org - Statistics report 2005-2007\n","section":"blog","tags":["Hacking","Operating System","Webserver"],"title":"Zone-H statistic report 2005-2007","url":"/blog/security/zone-h-statistic-report-2005-2007-0x10/"},{"body":"Looking for an opensource alternative for Google\u0026rsquo;s Google Analytcs software I found Piwik. With Piwik you can create interesting reports about poular pages, used keywords in search engines and obviously about your visitors.\rIt is licensed under the GPL.\rReferences:\rPiwik WebsiteTry it out at the online demo page.\n","section":"blog","tags":["Web Analytics","Javascript"],"title":"Piwik: OpenSource Web Analytics","url":"/blog/open-source/piwik-opensource-web-analytics-0x0f/"},{"body":"Lighttpd 1.4.19 is out!\rThis release is mainly a bugfixing and security release.\rIt is still being worked hard on the 1.5.0 release.\rReferences:\rAnnouncement on lighttpd website\n","section":"blog","tags":["Lighttpd","Webserver"],"title":"Lighttpd 1.4.19 released","url":"/blog/open-source/lighttpd-1419-released-0x0e/"},{"body":"The long awaited FreeBSD 7.0 Release is out.\nSome highlights include:\nBetter scalability and performance improvements on SMP systems (benchmarks showed linear scaling on machines with 8 CPUs) Improved the ULE and 4BSD schedulers the new and highly scalable memory allocator jemalloc Reading of XFS volumes experimantal support of Sun\u0026rsquo;s ZFS References FreeBSD 7.0-RELEASE announcement FreeBSD 7.0-RELEASE Release Notes ","section":"blog","tags":["Operating System","UNIX"],"title":"FreeBSD 7.0 released","url":"/blog/freebsd/freebsd-70-released-0x0d/"},{"body":"Yesterday I found a webserver wich claims to be the most webserver around. It\u0026rsquo;s a lightweight daemon written in C with securty in mind.\rSome interesting features compared to other webservers:\rCross-site scripting preventionDoS/flooding protectionSQL injection prevention\rI will have a closer look on this\u0026hellip;\rReferences:\rHiawatha homepage\rHiawatha on FreeBSD, article by Dru Lavigne\n","section":"blog","tags":["Hiawatha","Webserver"],"title":"Hiawatha, the most secure webserver","url":"/blog/open-source/hiawatha-the-most-secure-webserver-0x0c/"},{"body":"PostgreSQL 8.3 has been realeased!\rNew features are better performance, introduction of new datatypes for xml, arrays and UUIDs, logging to csv format, etc.\rReferences:\rAnnouncement\rFeature list\rRelease notes\n","section":"blog","tags":[],"title":"PostgreSQL 8.3 realeased","url":"/blog/postgresql/postgresql-83-realeased-0x0b/"},{"body":"The newly created german anti-hacker-paragraph 202c StGB let the developers of KisMAC to stop working on the project.\rIt\u0026rsquo;s not yet clear if development is temporarily suspended to bring it up again in the netherlands.\n","section":"blog","tags":["Hacking"],"title":"Development of KisMAC stopped","url":"/blog/security/development-of-kismac-stopped-0x06/"},{"body":"Many times, the size of your programs do matter, to save bandwith and resources for you and end-users, or if your target platform has restrictions on resources available. Many compilers have their own settings for optimizing code with size in mind, so does the GNU C/C++ Compiler.\rThe full article can be found at utilitybase.com which was written by Nicolas Mendoza.\n","section":"blog","tags":["GCC"],"title":"Size does matter: Optimizing with size in mind with GCC","url":"/blog/security/size-does-matter-optimizing-with-size-in-mind-with-gcc-0x05/"},{"body":"The vSkype plug-in let\u0026rsquo;s invite you up to 200 buddies to a video call - even if they don\u0026rsquo;t have a camera. You can also share anything you see on your screen, even your entire desktop!\rWhether you use Skype for business or to connect with family and friends, now you can show a presentation, work on a spreadsheet, or share photos of your weekend fun while seeing everyone on the call. This thing is a test worth wether it\u0026rsquo;s really useful or if it\u0026rsquo;s just unsecure and a potentially backdoor to your system.\rUPDATE: The website http://www.vskype.com appears to be dead. Video funcionality is now builtin default in Skype and pretty good working.\n","section":"blog","tags":["Skype","Plugin"],"title":"Skype plugin adds video","url":"/blog/security/skype-plugin-adds-video-0x03/"},{"body":"JS/UIX is a virtual OS written entierly in JavaScript and uses DHTML to render a simple 80 columns terminal.\rIt is designed to be run in any standard web-browser. It features a UN*X-like operating environment with no intention of any full POSIX compatibility. Some standard commands have been implemented at full range others with just simple syntax or basic functionality, while new commands have been added. The only application for now is a simple implementation of vi..\rGo check it! This is weird cool stuff!\n","section":"blog","tags":["Javascript","UNIX","POSIX","Operating System"],"title":"JS/UIX - a JavaScript UN*X","url":"/blog/security/jsuix-a-javascript-unx-0x01/"},{"body":"Fleximus delivers information about computer and IT security, hacking and antivirus, open source software and projects and everything a computer geek might be interested in.\nSecurity IT security is one of the most interestings parts. Fleximus main competences are IT security and computer security.\nOpen Source There are several approved open source licenses. Fleximus favors most the \u0026ldquo;New BSD license\u0026rdquo;, the \u0026ldquo;MIT license\u0026rdquo; and under some conditions the \u0026ldquo;LGPL license\u0026rdquo;.\nProjects Fleximus hosts it\u0026rsquo;s own projects and license them under the terms of the \u0026ldquo;New BSD license\u0026rdquo;.\nBackground History The name In 2002, when I was watching out for a suitable domain name that was related to my nickname Flex. I thought of the name Maximus which reminded to a roman hero and a BBS software name. It was quite obvious to me merging these names Flex + Maximus = Fleximus. A search on the web revealed only about 3 hits to pages with that name in it. I found my name!\nFleximus Reloaded Over the years I had so much ideas what to put on my website. I had a lot of ideas and often tried to idealistic approaches that let to a idleness in updating the web presence. Now I found the right way to move on and made a complete new appearance with a lot more content which will be feed on a regular basis. As a MATRIX fan I choose not only a green and dark color style but also found the name Fleximus Reloaded appropriate.\nContent Fleximus Reloaded contains mainly a weblog and some project pages. Around these are some basic functionalities of a good website like contact formular, imprint for the german law and some neat statistics.\n","section":"","tags":[],"title":"About Fleximus","url":"/about/"},{"body":"Email You can drop me an email if you want.\nWrite your email to: wēbmāstēr@flēximus.ōrg\n(Hint: Use normal characters. No copy \u0026amp; paste!)\nKey ID: 8859882B198235F Key Fingerprint: B40E 7D6C B468 C4CC 9829 65FF C885 9882 B198 235F Valid until: 2025-09-05 -----BEGIN PGP PUBLIC KEY BLOCK----- xjMEYxcabxYJKwYBBAHaRw8BAQdAQxc3S1xUYzrqhKL3pGWUbZAvaByXGeOnBaBb iOwF1prNGSA8d2VibWFzdGVyQGZsZXhpbXVzLm9yZz7CjwQTFggANxYhBLQOfWy0 aMTMmCll/8iFmIKxmCNfBQJjFxpvBQkFo5qAAhsDBAsJCAcFFQgJCgsFFgIDAQAA CgkQyIWYgrGYI1+7BgD/eebZt8EzTr7BPBMPNw3Hu24ZIR3QkOwC7Q8EpaWLL6kB APB18wyXwwsAVA1Q5yp+QV4U5RLkM04p/9Ahvp8n0egOzjgEYxcabxIKKwYBBAGX VQEFAQEHQAvUrYuGhejt4Xae/DMdzQKgcFoOHtgzC24JtGQ5CIg7AwEIB8J+BBgW CAAmFiEEtA59bLRoxMyYKWX/yIWYgrGYI18FAmMXGm8FCQWjmoACGwwACgkQyIWY grGYI19lxAD/f6GSdKp0i/MEuh7DxabXExmdviA9EIbuZYYKk/f3HnEA/joCWLb+ M/fTmgS3PLImGMEzn3RHLWLVTWCbCLhrmrQH =TE34 -----END PGP PUBLIC KEY BLOCK----- ","section":"","tags":[],"title":"Contact Fleximus","url":"/contact/"},{"body":" Responsible Disclaimer No liability for content All information and data supplied by Fleximus in its various Internet offers have been compiled to the best of its knowledge and belief. Fleximus cannot accept any liability for their accuracy, completeness and timeliness. The information supplied does not represent individual advice and cannot be taken as a substitute for such advice.\nThe same applies to all other Internet pages referred to by hyperlink. Fleximus is not responsible for the content of internet pages accessed through such link.\nLinks to other websites Links to other websites are not permanently controlled. Fleximus is not liable in any way for availability and the content of linked webpages.\n","section":"","tags":[],"title":"Imprint","url":"/imprint/"},{"body":"\nGeneral information This Privacy Policy is designed to inform you about kinds, scope and purpose concerning data collected about you. By visiting our websites you are accepting the practices described below.\nLogging With every visit of our websites information about date/time, IP address, requested and referring URL, browser + version and operating system is stored in the webserver logfiles due to technical and security reasons. Logfiles are kept for seven days.\nCookies A cookie will be stored for the use of Google Analytics.\nWeb Analytics Software (Google Analytics) This website uses Google Analytics, a web analytics service provided by Google, Inc. (\u0026ldquo;Google\u0026rdquo;). Google Analytics uses \u0026ldquo;cookies\u0026rdquo;, which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about your use of the website will be transmitted to and stored by Google on servers in the United States.\nIn case IP-anonymisation is activated on this website, your IP address will be truncated within the area of Member States of the European Union or other parties to the Agreement on the European Economic Area. Only in exceptional cases the whole IP address will be first transfered to a Google server in the USA and truncated there. The IP-anonymisation is active on this website.\nGoogle will use this information on behalf of the operator of this website for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing them other services relating to website activity and internet usage.\nThe IP-address, that your Browser conveys within the scope of Google Analytics, will not be associated with any other data held by Google. You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website. You can also opt-out from being tracked by Google Analytics with effect for the future by downloading and installing Google Analytics Opt-out Browser Addon for your current web browser: http://tools.google.com/dlpage/gaoptout?hl=en.\n","section":"","tags":[],"title":"Privacy Policy","url":"/privacy/"}]