DaemonForums: OpenBSD Security forum

Hardening OpenBSD

#1 | 21st December 2009 | EverydayDiesel (Shell Scout; Join Date: Jan 2009; Posts: 124)

Can anyone help me harden OpenBSD? Am I off to a good start with the commands below? Anything I should add?

edit /etc/rc.securelevel
Code:
sysctl kern.securelevel=2

Code:
chflags schg /bsd
chflags -R schg /bin


Code:
chflags schg /bsd
chflags schg /etc/changelist
chflags schg /etc/daily
chflags schg /etc/inetd.conf
chflags schg /etc/netstart
chflags schg /etc/pf.conf
chflags schg /etc/rc
chflags schg /etc/rc.conf
chflags schg /etc/rc.local
chflags schg /etc/rc.securelevel
chflags schg /etc/rc.shutdown
chflags schg /etc/security
chflags schg /etc/mtree/special

chflags -R schg /bin
chflags -R schg /sbin
chflags -R schg /usr/bin
chflags -R schg /usr/libexec
chflags -R schg /usr/sbin
edit /etc/sysctl.conf
Code:
vm.swapencrypt.enable=1
edit /etc/rc.conf
Code:
inetd=NO
edit /etc/inetd.conf
Code:
#telnet
#2 | 21st December 2009 | ephemera (Knuth's homeboy; Join Date: Apr 2008; Posts: 537)

What's the role of this m/c: desktop or server?

What are you protecting yourself against?
#3 | 21st December 2009 | EverydayDiesel (Shell Scout; Join Date: Jan 2009; Posts: 124)

It's just a router/firewall.

Nothing really, I'm a Windows .NET developer trying to learn Unix to expand my horizons. So far I like BSD A LOT better than Windows. The best way to learn something is to actually use it, read and ask a lot of questions.
#4 | 21st December 2009 | BSDfan666 (Banned; Join Date: Apr 2008; Location: Ontario, Canada; Posts: 2,223)

None of this is necessary or recommended, OpenBSD is already "hardened".. bumping the kern.securelevel will only serve to bite you in the butt.

Setting the schg flag is just silly, you'll have to boot into single-user mode if you ever need to recompile your kernel or adjust firewall rules.. you cannot remove those flags unless the securelevel is <= 0.

Swap is already encrypted, vm.swapencrypt.enable is already 1.. redundant much?

The services running as part of inetd are not insecure, and if you're concerned that someone will find a problem.. block access using pf.

There is no telnetd included with OpenBSD, that makes no sense at all.

OpenBSD "as-is" has been audited by some very intelligent people, the term "secure by default" isn't just a slogan.. they have 10 years of a fairly clean track record to prove it.

Want to harden the system? learn more about it first.. you'll find you have no reason to make such drastic changes to the base system.
#5 | 21st December 2009 | jggimi (More noise than signal; Join Date: May 2008; Location: USA; Posts: 7,977)

Quote (Originally Posted by BSDfan666):
.. they have 10 years of a fairly clean track record to prove it.

13.5 years. 1996 was the first public release of OpenBSD 1.2.
#6 | 21st December 2009 | EverydayDiesel (Shell Scout; Join Date: Jan 2009; Posts: 124)

Interesting... those were the recommendations that I got from this site http://www.openbsd101.com/security.html. I'm still reading through openbsd.org at the moment.
#7 | 21st December 2009 | BSDfan666 (Banned; Join Date: Apr 2008; Location: Ontario, Canada; Posts: 2,223)

Quote (Originally Posted by EverydayDiesel):
Interesting... those were the recommendations that I got from this site http://www.openbsd101.com/security.html. I'm still reading through openbsd.org at the moment.

That is an unofficial website, not associated with the OpenBSD project.. poorly maintained and often incorrect.

The website, FAQ and system manuals are the official documentation.

@jggimi, I should have added a '+' symbol eh?
#8 | 21st December 2009 | jggimi (More noise than signal; Join Date: May 2008; Location: USA; Posts: 7,977)

Quote (Originally Posted by EverydayDiesel):
Interesting... those were the recommendations that I got from this site http://www.openbsd101.com/security.html. I'm still reading through openbsd.org at the moment.

You should learn to -avoid- 3rd party "howto" documents.

The OpenBSD Project frowns on them. As do I. Usually, such documents, no matter the subject, are:
  • Out-of-date by the time you read them
  • Not maintained by the author
  • Written by newbies who are proud of what they have accomplished
  • Written by newbies who may not understand the subject matter at hand
  • Written by newbies who are not cognizant of the many architectures and broad types of environments that the OS works within
  • Written for one particular environment only, which will not likely match yours.
  • Will usually send other newbies in entirely the wrong direction
I haven't read the "howto" you refer to. I don't have to. Your efforts in this direction will only cause you problems, so I know the document fits squarely within this descriptive type.

Read the FAQ. It is the closest thing the OpenBSD Project has to "howto" documents, and is fairly complete, well maintained, and factually accurate.
#9 | 21st December 2009 | TerryP (Arp Constable; Join Date: May 2008; Location: USofA; Posts: 1,547)

Best way to harden OpenBSD... install it and turn off ssh; place claymore mines around computer, face toward intruders. Problem solved.


@windows 2 unix: You might also like to read the Art of Unix Programming, and some of the long ago deprecated docs on porting software from POSIX/Unix to Windows: it usually demonstrates the fundamental differences in the programming environment, if you're familiar with C.
__________________
My Journal

Thou shalt check the array bounds of all strings (indeed, all arrays), for surely where thou typest ``foo'' someone someday shall type ``supercalifragilisticexpialidocious''.
21st December 2009 | Oko (Rc.conf Instructor; Join Date: May 2008; Location: Kosovo, Serbia; Posts: 1,102)

Quote (Originally Posted by TerryP):
@windows 2 unix: You might also like to read the Art of Unix Programming, and

Are you kidding? That book is a joke written by a couple of Linux guys who have heard of the Art of Computer Programming. If you want to read one intro book about Unix, the Unix Programming Environment by Brian Kernighan and Rob Pike is the way to go.

Last edited by Oko; 22nd December 2009 at 03:32 AM.
22nd December 2009 | There0 (./dev/null; Join Date: Jul 2008; Posts: 170)

Quote:
None of this is necessary or recommended, OpenBSD is already "hardened".. bumping the kern.securelevel will only serve to bite you in the butt.

I completely agree with the first part of your comment Oko, also the second part, that said I DO use securelevel=2 on my firewall, why? Because I do NOT change a lot on it, not even reload pf rules. By default after a reboot I am at securelevel=1, I change this manually to 2, that's just me, I like to use it and do believe in the right circumstances (firewall) it's beneficial.

If or when I do need to edit/reload something I log into my firewall locally and "shutdown now" to single user mode, then "exit" back up, leaving me at securelevel=1, then I make my changes, confirm them, and then type "sysctl -w kern.securelevel=2" and finish.

I also use tools like AIDE and sha checksums on log files, binaries and config files, in addition I run snort and portsentry and a HARD pf.conf file. I also use tools like bwm-ng, pftop, ntop, tcpdump and trafshow to inform me. In addition nessusd and nmap help too.

I use chflags, on SOME files, mostly just log files, binaries and config files, chflags are TRICKY and MUST be tested before you deploy, I have had it RUIN some setups with one simple enter ...

Remember that a misconfigured or worse unknown user account or buggy service can make your security life hell, even a well intended rm * (silly example I know) in the wrong directory could give you a large headache.

That also said, OpenBSD is pretty damn secure by default, and all this may be quite unnecessary, but it makes me feel safer.
__________________
The more you learn, the more you realize how little you know ....
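As an added example (not code from this thread, from any poster, or from the OpenBSD project), the following POSIX sh script turns the two cautions above into a check an admin can run before touching a file on a securelevel'd firewall: it lists which paths currently carry the schg (system immutable) flag set in post #1, and it reports whether that flag could be cleared at the current kern.securelevel, which is only possible at level 0 or lower; otherwise the single-user detour There0 describes is needed. On a live OpenBSD box the data would come from `ls -lo` and `sysctl -n kern.securelevel`; here a constructed `ls -lo` sample with made-up sizes and flags is embedded so the script runs offline on any system.

```shell
#!/bin/sh
# Added example, not from the thread: audit schg flags and securelevel.
# On OpenBSD, "ls -lo" prints the file flags in the column after the group
# ("-" when none) and "sysctl -n kern.securelevel" prints the level.
# The sample below is constructed for the demonstration; sizes, dates and
# flags are made up. Feed live data with:
#   ls -lo /bsd /etc/rc.conf /etc/pf.conf | list_schg
SAMPLE_LS='-rwxr-xr-x  1 root  wheel  schg       10245588 Dec 21 10:00 /bsd
-rw-r--r--  1 root  wheel  -              1923 Dec 21 10:00 /etc/pf.conf
-rw-r--r--  1 root  wheel  schg           1024 Dec 21 10:00 /etc/rc.conf
-rw-r--r--  1 root  wheel  uchg            512 Dec 21 10:00 /etc/rc.local'

# Read "ls -lo" lines on stdin and print the path of every entry whose
# flags field ($5) contains schg. Flags are comma separated (e.g. "schg,uchg"),
# so the field is split before comparing. Paths with spaces are not handled.
list_schg() {
    awk '{
        n = split($5, f, ",")
        for (i = 1; i <= n; i++)
            if (f[i] == "schg") { print $NF; break }
    }'
}

# Return 0 (true) when "chflags noschg" could succeed at the given securelevel.
# The system immutable flag can only be removed while kern.securelevel <= 0;
# at level 1 or 2 the kernel refuses, and the level cannot be lowered except
# by dropping to single-user mode.
can_clear_schg() {
    [ "$1" -le 0 ]
}

# Number of sample entries that carry schg.
count_schg() {
    printf '%s\n' "$SAMPLE_LS" | list_schg | wc -l | tr -d ' '
}

# One report line per schg-flagged path, for the securelevel given as $1.
audit() {
    level=$1
    printf '%s\n' "$SAMPLE_LS" | list_schg | while read -r path; do
        if can_clear_schg "$level"; then
            printf '%s: schg set, clearable now (securelevel %s)\n' "$path" "$level"
        else
            printf '%s: schg set, NOT clearable at securelevel %s; drop to single-user first\n' "$path" "$level"
        fi
    done
}

# Stand-alone run: report against the constructed sample at securelevel 2.
audit 2
```

Run it as `sh schg_audit.sh`; to use the live securelevel instead of the literal 2, replace the last line with `audit "$(sysctl -n kern.securelevel)"`. The point of keeping the decision in `can_clear_schg` is that the same test can gate a deployment script, so a `chflags` or config edit fails early with a clear message instead of half-applying at level 1, which is the "one simple enter" failure There0 warns about.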
Content copyright © 2007-2010, the authors