DaemonForums, OpenBSD Security

Hardening OpenBSD

#1, 21st December 2009, EverydayDiesel
Can anyone help me harden OpenBSD? Am I off to a good start with the commands below? Anything I should add?

edit /etc/rc.securelevel
Code:
sysctl kern.securelevel=2

Code:
chflags schg /bsd
chflags -R schg /bin

Code:
chflags schg /bsd
chflags schg /etc/changelist
chflags schg /etc/daily
chflags schg /etc/inetd.conf
chflags schg /etc/netstart
chflags schg /etc/pf.conf
chflags schg /etc/rc
chflags schg /etc/rc.conf
chflags schg /etc/rc.local
chflags schg /etc/rc.securelevel
chflags schg /etc/rc.shutdown
chflags schg /etc/security
chflags schg /etc/mtree/special

chflags -R schg /bin
chflags -R schg /sbin
chflags -R schg /usr/bin
chflags -R schg /usr/libexec
chflags -R schg /usr/sbin

edit /etc/sysctl.conf
Code:
vm.swapencrypt.enable=1

edit /etc/rc.conf
Code:
inetd=NO

edit /etc/inetd.conf
Code:
#telnet
#2, 21st December 2009, ephemera
What's the role of this machine: desktop or server?

What are you protecting yourself against?
#3, 21st December 2009, EverydayDiesel
It's just a router/firewall.

Nothing really, I'm a Windows .NET developer trying to learn Unix to expand my horizons. So far I like BSD A LOT better than Windows. The best way to learn something is to actually use it, read, and ask a lot of questions.
#4, 21st December 2009, BSDfan666
None of this is necessary or recommended, OpenBSD is already "hardened".. bumping the kern.securelevel will only serve to bite you in the butt.

Setting the schg flag is just silly, you'll have to boot into single-user mode if you ever need to recompile your kernel or adjust firewall rules.. you cannot remove those flags unless the securelevel is <= 0.

Swap is already encrypted, vm.swapencrypt.enable is already 1.. redundant much?

The services running as part of inetd are not insecure, and if you're concerned that someone will find a problem.. block access using pf.

There is no telnetd included with OpenBSD, that makes no sense at all.

OpenBSD "as-is" has been audited by some very intelligent people, the term "secure by default" isn't just a slogan.. they have 10 years of a fairly clean track record to prove it.

Want to harden the system? Learn more about it first.. you'll find you have no reason to make such drastic changes to the base system.
#5, 21st December 2009, EverydayDiesel
Interesting... those were the recommendations that I got from this site: http://www.openbsd101.com/security.html. I'm still reading through openbsd.org at the moment.
#6, 21st December 2009, jggimi
Quote:
Originally Posted by BSDfan666
.. they have 10 years of a fairly clean track record to prove it.

13.5 years. 1996 was the first public release of OpenBSD 1.2.
#7, 21st December 2009, BSDfan666
Quote:
Originally Posted by EverydayDiesel
Interesting... those were the recommendations that I got from this site: http://www.openbsd101.com/security.html. I'm still reading through openbsd.org at the moment.

That is an unofficial website, not associated with the OpenBSD project.. poorly maintained and often incorrect.

The website, FAQ and system manuals are the official documentation.

@jggimi, I should have added a '+' symbol, eh?
#8, 21st December 2009, jggimi
Quote:
Originally Posted by EverydayDiesel
Interesting... those were the recommendations that I got from this site: http://www.openbsd101.com/security.html. I'm still reading through openbsd.org at the moment.

You should learn to -avoid- 3rd party "howto" documents.

The OpenBSD Project frowns on them. As do I. Usually, such documents, no matter the subject, are:
  • Out-of-date by the time you read them
  • Not maintained by the author
  • Written by newbies who are proud of what they have accomplished
  • Written by newbies who may not understand the subject matter at hand
  • Written by newbies who are not cognizant of the many architectures and broad types of environments that the OS works within
  • Written for one particular environment only, which will not likely match yours.
  • Will usually send other newbies in entirely the wrong direction
I haven't read the "howto" you refer to. I don't have to. Your efforts in this direction will only cause you problems, so I know the document fits squarely within this descriptive type.

Read the FAQ. It is the closest thing the OpenBSD Project has to "howto" documents, and is fairly complete, well maintained, and factually accurate.
#9, 21st December 2009, TerryP
Best way to harden OpenBSD... install it and turn off ssh; place claymore mines around computer, face toward intruders. Problem solved.


@windows 2 unix: You might also like to read the Art of Unix Programming, and some of the long ago deprecated docs on porting software from POSIX/Unix to Windows: it usually demonstrates the fundamental differences in the programming environment, if you're familiar with C.
21st December 2009, Oko
Quote:
Originally Posted by TerryP
@windows 2 unix: You might also like to read the Art of Unix Programming, and

Are you kidding? That book is a joke written by a couple of Linux guys who have heard of the Art of Computer Programming. If you want to read one intro book about Unix, The Unix Programming Environment by Brian Kernighan and Rob Pike is the way to go.

22nd December 2009, There0
Quote:
None of this is necessary or recommended, OpenBSD is already "hardened".. bumping the kern.securelevel will only serve to bite you in the butt.

I completely agree with the first part of your comment Oko, also the second part. That said, I DO use securelevel=2 on my firewall. Why? Because I do NOT change a lot on it, not even reload pf rules. By default after a reboot I am at securelevel=1; I change this manually to 2. That's just me, I like to use it and do believe in the right circumstances (firewall) it's beneficial.

If or when I do need to edit/reload something I log into my firewall locally and "shutdown now" to single user mode, then "exit" back up, leaving me at securelevel=1; then I make my changes, confirm them, and then type "sysctl -w kern.securelevel=2" and finish.

I also use tools like AIDE and SHA checksums on log files, binaries and config files; in addition I run snort and portsentry and a HARD pf.conf file. I also use tools like bwm-ng, pftop, ntop, tcpdump and trafshow to inform me. In addition nessusd and nmap help too.

I use chflags on SOME files, mostly just log files, binaries and config files. chflags are TRICKY and MUST be tested before you deploy; I have had it RUIN some setups with one simple enter ...

Remember that a misconfigured or, worse, unknown user account or buggy service can make your security life hell; even a well-intended rm * (silly example, I know) in the wrong directory could give you a large headache.

That also said, OpenBSD is pretty damn secure by default, and all this may be quite unnecessary, but it makes me feel safer.
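There0 mentions keeping SHA checksums of binaries and config files alongside AIDE. The following is an added example, not code from the thread: a small POSIX sh baseline/verify pair that records SHA-256 digests of every regular file under a directory and later reports NEW, CHANGED and MISSING files, the kind of change detection that works at any securelevel without making files immutable. It assumes either GNU sha256sum or OpenBSD's sha256(1) is on the PATH and that monitored paths contain no whitespace.

```shell
#!/bin/sh
# Added example (not from the thread): minimal file-integrity baseline in
# POSIX sh. Assumes GNU sha256sum or OpenBSD sha256(1) is installed.

hash_file() {
    # Print only the SHA-256 hex digest of $1, whichever tool is present.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -c1-64
    else
        sha256 -q "$1"
    fi
}

hash_tree() {
    # One "digest ./relative/path" line per regular file under $1, sorted so
    # two runs over an unchanged tree give byte-identical output. Paths are
    # assumed to contain no whitespace (awk below splits on it).
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          printf '%s %s\n' "$(hash_file "$f")" "$f"
      done )
}

baseline_create() {
    # Record the current state of tree $1 into baseline file $2.
    hash_tree "$1" > "$2"
}

baseline_verify() {
    # Compare tree $1 against baseline $2. Prints one "NEW|CHANGED|MISSING path"
    # line per deviation and returns 1; returns 0 when the tree matches exactly.
    cur=$(mktemp) || return 2
    hash_tree "$1" > "$cur"
    report=$(awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }   # load baseline digests
        !($2 in base)       { print "NEW " $2; next }
        base[$2] != $1      { print "CHANGED " $2 }
                            { delete base[$2] }       # seen: drop from table
        END { for (f in base) print "MISSING " f }    # left over: file is gone
    ' "$2" "$cur" | LC_ALL=C sort)
    rm -f "$cur"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```

Keep the baseline file outside the monitored tree and ideally off the host, since anyone who can alter the files can also rewrite a baseline stored beside them.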
22nd December 2009, There0
Quote:
It's just a router/firewall.

This perception of "just" probably needs to be changed; security is ongoing and your router/firewall is the nexus point of your network, your "doorman" if you will. It is the first line of defense in what should be a ringed style of layered goodness.

Also recall that any user can compromise security unintentionally or otherwise, making all this useless to some degree; wisdom of what you are doing or want to do is more important than what software/hardware you are using.
22nd December 2009, There0
Ah yes, one more post.

I have actually given my real IP to script kiddies (after they mouthed off about how 1337 they were) and dared them to attack; this one was a CounterStrike server (back about 6 years ago, before that Source crap) running on OpenBSD with Linux emulation.

The only thing on that server that was "hardened" was the pf.conf file, and I recall that I did not have any state limiting or anything that has since been added to PF.

Needless to say I was VERY confident about its security, and guess what? NO interruptions to gameplay whatsoever. I believe he even tried some of the "cool" cheats that CS had back then, with the server shutdown and all; NOTHING worked on it. YAY OPENBSD.
23rd December 2009, BSDfan666
Quote:
Originally Posted by There0
Quote:
Originally Posted by BSDfan666
None of this is necessary or recommended, OpenBSD is already "hardened".. bumping the kern.securelevel will only serve to bite you in the butt.
I completely agree with the first part of your comment Oko

That was me, not Oko.. if this device is physically secure and there are no external users accessing it, then it makes little sense to disable your ability to modify pf configuration or write to raw devices, but whatever tickles your fancy.
23rd December 2009, There0
Quote:
That was me, not Oko.. if this device is physically secure and there are no external users accessing it, then it makes little sense to disable your ability to modify pf configuration or write to raw devices, but whatever tickles your fancy.

RightO, BSDfan666 = Oko, promise not to again.

That does tickle my fancy (I am paranoid, hence I use OpenBSD for ALL my servers); firewalls should not be "touched" while in production. If it needs to be edited, "shutdown now" and "exit" get me to where I want to be and take about 10 seconds. Just the way I do it; I do not find it a hassle in any way and was just sharing.