Generic OpenBSD Tips
From OpenBSD-Wiki
| Written for: OpenBSD Version 4.2 |
Contents |
[edit] Summary
This article is going to give you a list of tips for your OpenBSD 3.8 boxen. I am by no means a security expert however these are things I've learned that make your boxen more hardened.
[edit] mount /tmp with noexec
Mounting /tmp with the noexec makes your /tmp non-executable. This is a good thing because if your box gets rooted and the service/app isn't in a chroot'ed environment (or somehow breaks freak of the chroot jail) most apps will use your /tmp as a home place. Making this non executable will stop a good chunk of things out there. I say this from personal experience who had a friend get rooted and had he had his /tmp with noexec, it wouldn't have been a problem. I don't think either of us knew of the /tmp with noexec at the time. To enable noexec, you need to edit your '/etc/fstab. The line should look something like this:
| Config File: /etc/fstab |
/dev/wd0d /tmp ffs rw,noexec,nodev,nosuid 1 2 |
You will need to reboot your computer for the changes to take affect, or update the mount flags like 'mount -u -o noexec /tmp'. Assuming you followed the FAQ for installing your OpenBSD, your /tmp should be on it's own partition (probably subdivided on a single partition).
To test, you should copy a command to the /tmp directory and attempt to run it like so:
| Commands: Test noexec |
# cp /bin/ls /tmp # /tmp/ls ksh: /tmp/ls: Permission denied |
[edit] man afterboot
`man afterboot` is one of the things that the install guide recommends but due to the huge size of the man page, it's usually (barely) glanced over and quickly forgotten. The following sub items are items I've thought were pretty useful.
[edit] disable rootly access in ssh
Edit your /etc/sshd_config file and modify the following line to look like:
| Config File: /etc/sshd_config |
# PermitRootLogin yes PermitRootLogin no |
Now we need to refresh SSH to make the changes take affect:
| Command: Restart SSHD |
# kill -HUP `cat /var/run/sshd.pid` |
Now, you should try and test logging in as root through SSH.
[edit] Time Sync
We will use ntpd(8) as it comes with OpenBSD by default.
We will edit the /etc/rc.conf and engage the ntpd daemon.
| Config File: /etc/rc.conf |
#ntpd_flags=NO # for normal use: "" ntpd_flags="" # for normal use: "" |
You can start it up manually by simply typing ntpd at the command line.
Alternativly you can use rdate(8). If you can't get out of a firewall add the -n parameter to see if that helps (it uses a different protocol). Here is an example usage of the command:
| Command: rdate |
# rdate -na time.nist.gov Sat Dec 17 15:18:40 CST 2005 rdate: adjust local clock by -5.627940 seconds # |
If you are wanting to place this in cron add the -s parameter (silence).
[edit] next day cleanup
[edit] man hier
Run `man hier`. While you don't need to memorize the hierarchy of the OpenBSD filesystem, you should at least read over it -- just to get familiar with it.
[edit] packages vs ports: quick and dirty
Packages are tarballs you download off of OpenBSD's website while ports are the source code to packages. Ports will allow you to easily make modifications to (what will be) packages. Ports, basically, compiles and builds a (probably custom) package and then pkg_add's it. For example, you may have noticed that Postfix comes in the flavors of: vanilla, SASL, LDAP, MySQL, PgSQL. But not with any more than one at a time. Ports would allow you to build a Postfix package with, say, SASL and LDAP -- or all of the above. It's usually recommended to use packages, if possible, however sometimes ports are required for the reasons of customization or debugging.
To learn more about this, you should read: http://openbsd.org/faq/faq15.html#Ports
[edit] Forcefully shutting down
This is really for the partitions mounted with 'async', which isn't set on a default install. If you absolutely must shutdown your computer, run the command 'sync' first. This will force all cached material to sync to your hard drive thusly avoiding corruption. Any partitions mounted with 'sync' should already be sync'ed however better safe than sorry. While OpenBSD will not mark the disk as clean, you have a greater chance of keeping your data as this is when most data corruption will occur -- when shutting down your system while writing files. This tool is also useful when working off of a floppy as the system likes to cache items to increase speed for user responses.
[edit] dmesg for OpenBSD developers
If you can, send your dmesg to the OpenBSD developers and let them know what works and what doesn't. This is especially useful for prebuilt systems (like Dell, HP, etc). This can be done by running the following (assuming your.email@addy.com is your email addy):
| Command: Sending dmesg |
# dmesg | mail -s "Dell Dimension 2400; All but x works fine" your.email@addy.com |
When you get that email, forward it to: dmesg@openbsd.org
For more on this matter, read FAQ 4.9: 4.9 - Sending your dmesg to dmesg@openbsd.org after the install
