Hardening OpenBSD
Can anyone help me harden OpenBSD? Am I off to a good start with the commands below? Anything I should add?
edit /etc/rc.securelevel
Code:
sysctl kern.securelevel=2
Code:
chflags schg /bsd
chflags -R schg /bin
Code:
chflags schg /bsd
chflags schg /etc/changelist
chflags schg /etc/daily
chflags schg /etc/inetd.conf
chflags schg /etc/netstart
chflags schg /etc/pf.conf
chflags schg /etc/rc
chflags schg /etc/rc.conf
chflags schg /etc/rc.local
chflags schg /etc/rc.securelevel
chflags schg /etc/rc.shutdown
chflags schg /etc/security
chflags schg /etc/mtree/special
chflags -R schg /bin
chflags -R schg /sbin
chflags -R schg /usr/bin
chflags -R schg /usr/libexec
chflags -R schg /usr/sbin
Code:
vm.swapencrypt.enable=1
Code:
inetd=NO
Code:
#telnet
It's just a router/firewall.
Nothing really, I'm a Windows .NET developer trying to learn Unix to expand my horizons. So far I like BSD A LOT better than Windows. The best way to learn something is to actually use it, read and ask a lot of questions.
None of this is necessary or recommended, OpenBSD is already "hardened".. bumping the kern.securelevel will only serve to bite you in the butt.

Setting the schg flag is just silly, you'll have to boot into single-user mode if you ever need to recompile your kernel or adjust firewall rules.. you cannot remove those flags unless the securelevel is <= 0.

Swap is already encrypted, vm.swapencrypt.enable is already 1.. redundant much?

The services running as part of inetd are not insecure, and if you're concerned that someone will find a problem.. block access using pf.

There is no telnetd included with OpenBSD, that makes no sense at all.

OpenBSD "as-is" has been audited by some very intelligent people, the term "secure by default" isn't just a slogan.. they have 10 years of a fairly clean track record to prove it.

Want to harden the system? Learn more about it first.. you'll find you have no reason to make such drastic changes to the base system.
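The interaction between kern.securelevel and the schg flag raised in the post above, as an added shell example that is not part of any post in this thread. It assumes the rules documented in securelevel(7); the function names and the sample `ls -lo` listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread; the listing below is constructed.
# Assumed rules, per securelevel(7): at securelevel >= 1 the schg flag
# cannot be cleared; at securelevel 2 pf rules cannot be changed.

# Constructed `ls -lo` output; the file flags are the 5th column.
SAMPLE_LS='-rwx------  1 root  wheel  schg  9876543 Oct  1 12:00 /bsd
-rw-------  1 root  wheel  schg,nodump  1024 Oct  1 12:00 /etc/pf.conf
-rw-r--r--  1 root  wheel  -  2048 Oct  1 12:00 /etc/rc.conf'

# flags_of PATH: read `ls -lo` lines on stdin, print PATH's flag column.
flags_of() {
    awk -v p="$1" '$NF == p { print $5 }'
}

# has_schg FLAGS: succeed if the comma-separated flag list contains schg.
has_schg() {
    case ",$1," in *,schg,*) return 0 ;; *) return 1 ;; esac
}

# edit_plan LEVEL FLAGS: what an admin must do before editing the file.
edit_plan() {
    if ! has_schg "$2"; then
        echo "edit in place"
    elif [ "$1" -ge 1 ]; then
        echo "single-user mode needed to clear schg"
    else
        echo "chflags noschg, edit, chflags schg"
    fi
}

# pf_reload_plan LEVEL: whether new firewall rules can be loaded.
pf_reload_plan() {
    if [ "$1" -ge 2 ]; then
        echo "blocked until securelevel is lowered"
    else
        echo "pfctl -f allowed"
    fi
}

# report LEVEL: one line per file in the sample listing.
report() {
    printf '%s\n' "$SAMPLE_LS" | while read -r mode links owner group flags size mon day time path; do
        printf '%s: %s\n' "$path" "$(edit_plan "$1" "$flags")"
    done
}

report 2
```

On a live system the listing would come from `ls -lo` on the files of interest and the level from `sysctl -n kern.securelevel`.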
Interesting... those were the recommendations that I got from this site: http://www.openbsd101.com/security.html. I'm still reading through openbsd.org at the moment.
Quote:
The website, FAQ and system manuals are the official documentation. @jggimi, I should have added a '+' symbol eh?
Quote:
The OpenBSD Project frowns on them. As do I. Usually, such documents, no matter the subject, are:
Read the FAQ. It is the closest thing the OpenBSD Project has to "howto" documents, and is fairly complete, well maintained, and factually accurate.
Best way to harden OpenBSD... install it and turn off ssh; place claymore mines around computer, face toward intruders. Problem solved.
@windows 2 unix: You might also like to read The Art of Unix Programming, and some of the long-ago deprecated docs on porting software from POSIX/Unix to Windows: it usually demonstrates the fundamental differences in the programming environment, if you're familiar with C.
__________________
My Journal Thou shalt check the array bounds of all strings (indeed, all arrays), for surely where thou typest ``foo'' someone someday shall type ``supercalifragilisticexpialidocious''.
Quote:
If or when I do need to edit/reload something, I log into my firewall locally and "shutdown now" to single-user mode, then "exit" back up, leaving me at securelevel=1; then I make my changes, confirm them, and then type "sysctl -w kern.securelevel=2" and finish.

I also use tools like AIDE and sha checksums on log files, binaries and config files; in addition I run snort and portsentry and a HARD pf.conf file. I also use tools like bwm-ng, pftop, ntop, tcpdump and trafshow to inform me. In addition nessusd and nmap help too.

I use chflags on SOME files, mostly just log files, binaries and config files. chflags are TRICKY and MUST be tested before you deploy; I have had it RUIN some setups with one simple enter ...

Remember that a misconfigured or, worse, unknown user account or buggy service can make your security life hell; even a well-intended rm * (silly example, I know) in the wrong directory could give you a large headache. That also said, OpenBSD is pretty damn secure by default, and all this may be quite unnecessary, but it makes me feel safer.
__________________
The more you learn, the more you realize how little you know ....