Hardening OpenBSD
Can anyone help me harden OpenBSD? Am I off to a good start with the commands below? Anything I should add?
edit /etc/rc.securelevel
Code:
# /etc/rc.securelevel
sysctl kern.securelevel=2
Code:
# make the kernel, key config files and the system binaries immutable
chflags schg /bsd
chflags schg /etc/changelist
chflags schg /etc/daily
chflags schg /etc/inetd.conf
chflags schg /etc/netstart
chflags schg /etc/pf.conf
chflags schg /etc/rc
chflags schg /etc/rc.conf
chflags schg /etc/rc.local
chflags schg /etc/rc.securelevel
chflags schg /etc/rc.shutdown
chflags schg /etc/security
chflags schg /etc/mtree/special
chflags -R schg /bin
chflags -R schg /sbin
chflags -R schg /usr/bin
chflags -R schg /usr/libexec
chflags -R schg /usr/sbin
Code:
# /etc/sysctl.conf
vm.swapencrypt.enable=1
Code:
# /etc/rc.conf
inetd=NO
Code:
# /etc/inetd.conf: service line commented out
#telnet
It's just a router/firewall.
Nothing really, I'm a Windows .NET developer trying to learn Unix to expand my horizons. So far I like BSD a lot better than Windows. The best way to learn something is to actually use it, read, and ask a lot of questions.
None of this is necessary or recommended; OpenBSD is already "hardened". Bumping kern.securelevel will only serve to bite you in the butt.
Setting the schg flag is just silly: you'll have to boot into single-user mode if you ever need to recompile your kernel or adjust firewall rules, since you cannot remove those flags unless the securelevel is <= 0. Swap is already encrypted, vm.swapencrypt.enable is already 1. Redundant much? The services running as part of inetd are not insecure, and if you're concerned that someone will find a problem, block access using pf. There is no telnetd included with OpenBSD, so that makes no sense at all. OpenBSD "as-is" has been audited by some very intelligent people; the term "secure by default" isn't just a slogan. They have 10 years of a fairly clean track record to prove it. Want to harden the system? Learn more about it first. You'll find you have no reason to make such drastic changes to the base system.
|
|||
Interesting... those were the recommendations I got from this site: http://www.openbsd101.com/security.html. I'm still reading through openbsd.org at the moment.
The website, FAQ and system manuals are the official documentation. @jggimi, I should have added a '+' symbol, eh?
The OpenBSD Project frowns on them. As do I. Usually, such documents, no matter the subject, are:
Read the FAQ. It is the closest thing the OpenBSD Project has to "howto" documents, and it is fairly complete, well maintained, and factually accurate.
Best way to harden OpenBSD... install it and turn off ssh; place claymore mines around computer, face toward intruders. Problem solved.
@windows 2 unix: You might also like to read The Art of Unix Programming, and some of the long-ago deprecated docs on porting software from POSIX/Unix to Windows: they usually demonstrate the fundamental differences in the programming environment, if you're familiar with C.
__________________
My Journal Thou shalt check the array bounds of all strings (indeed, all arrays), for surely where thou typest ``foo'' someone someday shall type ``supercalifragilisticexpialidocious''.
If or when I do need to edit/reload something, I log into my firewall locally and "shutdown now" to single-user mode, then "exit" back up, leaving me at securelevel=1; then I make my changes, confirm them, and then type "sysctl -w kern.securelevel=2" and finish.

I also use tools like AIDE and sha checksums on log files, binaries and config files; in addition I run snort and portsentry and a HARD pf.conf file. I also use tools like bwm-ng, pftop, ntop, tcpdump and trafshow to inform me. In addition, nessusd and nmap help too.

I use chflags on SOME files, mostly just log files, binaries and config files. chflags are TRICKY and MUST be tested before you deploy; I have had it RUIN some setups with one simple enter...

Remember that a misconfigured or, worse, unknown user account or buggy service can make your security life hell; even a well-intended rm * (silly example, I know) in the wrong directory could give you a large headache. That also said, OpenBSD is pretty damn secure by default, and all this may be quite unnecessary, but it makes me feel safer.
__________________
The more you learn, the more you realize how little you know ....
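An added example (not code from any poster in this thread) of the sha-checksum habit described in the post above: a small Python 3 script that records a baseline of SHA-256, permission bits, owner and, on BSD systems, the schg flag for a set of files, and later reports files that were modified, removed, added, or that lost their schg flag. Assumptions: Python 3 with only the standard library; the file names in self_check() (pf.conf, rc.conf, rc.conf.local, bsd) are constructed sample data in a temporary directory, not real system files; st_flags exists only on BSD, so the schg check is recorded as None and skipped elsewhere.

```python
#!/usr/bin/env python3
"""Baseline/verify integrity check for a set of files (added example).

Each record stores the SHA-256, permission bits, owner and (BSD only) whether
the schg immutable flag is set, so a later run reports not only modified or
replaced files but also files that silently lost their schg flag.
"""
import hashlib
import json
import os
import stat
import sys
import tempfile


def file_record(path):
    """Hash and stat one regular file; symlinks and non-files return None."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return None
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    # st_flags exists only on BSD; elsewhere the schg state is unknown (None).
    flags = getattr(st, "st_flags", None)
    return {
        "sha256": digest.hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "schg": None if flags is None else bool(flags & stat.SF_IMMUTABLE),
    }


def build_baseline(paths):
    """Map every regular file under the given files/directories to its record."""
    baseline = {}
    for top in paths:
        if os.path.isdir(top) and not os.path.islink(top):
            for root, _dirs, names in os.walk(top):
                for name in names:
                    full = os.path.join(root, name)
                    rec = file_record(full)
                    if rec is not None:
                        baseline[full] = rec
        else:
            rec = file_record(top)
            if rec is not None:
                baseline[top] = rec
    return baseline


def verify(baseline, current):
    """Compare two baselines; returns sorted path lists per finding type."""
    report = {"changed": [], "missing": [], "new": [], "unlocked": []}
    for path, old in baseline.items():
        new = current.get(path)
        if new is None:
            report["missing"].append(path)
            continue
        if any(old[k] != new[k] for k in ("sha256", "mode", "uid", "gid")):
            report["changed"].append(path)
        # A file that had schg at baseline time but not now is a red flag:
        # the flag can only be cleared at securelevel 0 or below.
        if old["schg"] and not new["schg"]:
            report["unlocked"].append(path)
    report["new"] = [p for p in current if p not in baseline]
    for key in report:
        report[key].sort()
    return report


def self_check():
    """Run the checker on constructed files: one edited, one removed, one added.

    Returns the findings as basenames so the result is path-independent.
    """
    with tempfile.TemporaryDirectory() as tmp:
        sample = {"pf.conf": "block all\n", "rc.conf": "inetd=NO\n", "bsd": "kernel\n"}
        for name, body in sample.items():
            with open(os.path.join(tmp, name), "w") as fh:
                fh.write(body)
        base = build_baseline([tmp])
        with open(os.path.join(tmp, "pf.conf"), "a") as fh:
            fh.write("pass in proto tcp to port 22\n")   # tampered rule set
        os.unlink(os.path.join(tmp, "rc.conf"))           # removed file
        with open(os.path.join(tmp, "rc.conf.local"), "w") as fh:
            fh.write("sshd_flags=\n")                      # unexpected new file
        report = verify(base, build_baseline([tmp]))
    return {k: [os.path.basename(p) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    if len(sys.argv) >= 3 and sys.argv[1] == "baseline":
        json.dump(build_baseline(sys.argv[2:]), sys.stdout, indent=1, sort_keys=True)
    elif len(sys.argv) >= 4 and sys.argv[1] == "verify":
        with open(sys.argv[2]) as fh:
            findings = verify(json.load(fh), build_baseline(sys.argv[3:]))
        for kind, paths in findings.items():
            for p in paths:
                print(kind.upper(), p)
        sys.exit(1 if any(findings.values()) else 0)
    else:
        print(self_check())
```

Usage: `integrity.py baseline /bsd /etc/pf.conf /sbin > base.json` right after the system is configured, then `integrity.py verify base.json /bsd /etc/pf.conf /sbin` from cron or after every maintenance window; keep base.json somewhere the box cannot rewrite it (or under schg itself). With no arguments the script runs self_check() on throwaway files and prints the findings.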
Also recall that any user can compromise security unintentionally or otherwise, making all this useless to some degree; wisdom about what you are doing or want to do is more important than what software/hardware you are using.
__________________
The more you learn, the more you realize how little you know ....
Ah yes, one more post.
I have actually given my real IP to script kiddies (after they mouthed off about how 1337 they were) and dared them to attack. This one was a CounterStrike server (back about 6 years ago, before that Source crap) running on OpenBSD with Linux emulation. The only thing on that server that was "hardened" was the pf.conf file, and I recall that I did not have any state limiting or anything that has since been added to PF. Needless to say I was VERY confident about its security, and guess what? NO interruptions to gameplay whatsoever. I believe he even tried some of the "cool" cheats that CS had back then, with the server shutdown and all. NOTHING worked on it. YAY OPENBSD
__________________
The more you learn, the more you realize how little you know ....
That was me, not Oko. If this device is physically secure and there are no external users accessing it, then it makes little sense to disable your ability to modify the pf configuration or write to raw devices, but whatever tickles your fancy.
That does tickle my fancy (I am paranoid, hence I use OpenBSD for ALL my servers). Firewalls should not be "touched" while in production; if it needs to be edited, "shutdown now" and "exit" get me to where I want to be and take about 10 seconds. Just the way I do it; I do not find it a hassle in any way and was just sharing.
__________________
The more you learn, the more you realize how little you know ....