openbsd

openbsd [2022/02/16 10:47] – created maja · openbsd [2023/06/23 11:41] (current) – reorder maja
below are my notes on [[https://www.openbsd.org|OpenBSD]] and various configs \\
\\
===== About =====
I like OpenBSD and use it where I can: it's simple (good and bad), secure out of the box, well documented and easy to learn.\\
There are some things it doesn't do as well, and some apps are not compatible, but that's OK.\\
I like that many functions/features/apps are baked in, yet it remains light and simple.\\
The file structure and service management are common sense too.\\
\\
Mostly deployed as a 'security thing', OpenBSD has developed a reputation as 'the most secure' of the BSDs, or of OSs in general. It's just a good OS, full stop: it makes an excellent server and a really good desktop, especially on laptops, as the OpenBSD devs really do eat their own dog food.\\
The main challenge where new users get stuck is hardware support/compatibility, especially with new devices and closed-source code/blobs, e.g. Broadcom WiFi and NVIDIA graphics, which no doubt reduces the audience on desktops/laptops.\\
\\
Although OpenBSD usually works well on laptops, it does not support many WiFi chips, or supports them only at slower speeds.\\
Bluetooth is not supported, there are no fancy filesystems and no Docker.\\
\\
I like to use OpenBSD on my cloud servers because it's fast and light, and everything I need (with a few exceptions) is in the base install.\\
\\
I like to use OpenBSD on older laptops as auxiliary systems, because they are well supported.\\
\\
At home I have OpenBSD running on a laptop, and at work running a web server.\\
\\
===== Installation =====
The OpenBSD installer is a text-only affair (like many other BSDs or Linux server distros).\\
Although initially jarring compared to modern GUI installers, the OpenBSD installer is light, fast, and easy to follow.\\
\\
Choosing the disk sets can be tricky from a USB-booted image, as it seems you have to re-mount it, and advanced disk partitioning can be daunting initially.\\
\\
The [[https://www.openbsd.org/faq/index.html|FAQ]] has all the info you need, including steps for disk encryption and RAID configs.


===== Setup =====
My normal post-install adjustments include:\\
\\
add my user to the wheel, operator and staff groups with ''usermod -G wheel,operator,staff my-user-name'' \\
add my user to the staff login class with ''usermod -L staff my-user-name'' \\
\\
sudo has been replaced with ''doas''\\
as root create ''/etc/doas.conf'' containing ''permit persist keepenv :wheel'' \\
\\
I only use strong modern SSH keys, so I like to further secure the SSH server:\\
edit ''/etc/ssh/sshd_config'' to present only the ed25519 host key, require key authentication and disable root password login \\
\\
keep the OS and apps up to date with binary patches:\\
OS with ''syspatch'', packages with ''pkg_add -u'' \\
\\
For servers, adjust the firewall to allow access to services\\
using a ''PF'' config appropriate for the host in ''/etc/pf.conf'',\\
normally blocking everything, then allowing sshd and web with connection thresholds and overload tables \\
I might also install ''pftop'', ''curl'' and ''wget''
\\
and if you're setting up a web server, configure ''httpd'', ''acme-client'', ''php'' and ''dokuwiki'' \\
\\
For desktops, enable ''xenodm'' and set up your favourite DM/DE. FVWM and CWM are in base, but XFCE and GNOME are in packages, as are Firefox and Chromium.

===== Services =====
OpenBSD has an init-based service control system; check ''/etc/rc.conf'', ''/etc/rc.local'' and ''/etc/examples'' for guidance and ideas \\
Services are easily controlled with ''rcctl''\\
<code>
usage: rcctl get|getdef|set service | daemon [variable [arguments]]
       rcctl [-df] configtest|check|reload|restart|stop|start daemon ...
       rcctl disable|enable|order [daemon ...]
       rcctl ls all|failed|off|on|rogue|started|stopped
</code>
e.g. to stop the web server's httpd daemon: ''rcctl stop httpd''

==== SSHD ====
The OpenBSD team long ago forked SSH and created their own version, OpenSSH, probably their best-known project. It's so good it's now the de facto variant installed on most other OSs.\\
\\
As a client I rarely modify the local config file. If the host is a workstation/laptop I create a new ed25519 key pair: ''ssh-keygen -t ed25519''\\
\\
Although the defaults are always sane, for servers I modify ''/etc/ssh/sshd_config'' so that only the ed25519 host key is presented, which gets rid of a lot of probing attempts, and I adjust the root login conditions\\
<file - sshd_config>
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#PermitRootLogin yes
PermitRootLogin prohibit-password
</file>
\\
which ends up with entertaining log files like ''/var/log/authlog''\\
<code>
Jun 23 09:44:58 freyja sshd[95566]: Unable to negotiate with 35.167.89.48 port 44522: no matching host key type found. Their offer: ssh-rsa [preauth]
Jun 23 09:44:59 freyja sshd[72370]: Unable to negotiate with 35.167.89.48 port 45206: no matching host key type found. Their offer: ssh-dss [preauth]
Jun 23 10:11:40 freyja sshd[39801]: Unable to negotiate with 218.92.0.112 port 29204: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
Jun 23 10:12:17 freyja sshd[52019]: Unable to negotiate with 61.177.172.185 port 51943: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
Jun 23 10:13:23 freyja sshd[12803]: Unable to negotiate with 218.92.0.31 port 11816: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
Jun 23 10:16:04 freyja sshd[56545]: Unable to negotiate with 220.135.177.191 port 46403: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
Jun 23 10:18:30 freyja sshd[23558]: Unable to negotiate with 218.92.0.35 port 43999: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
Jun 23 10:41:08 freyja sshd[82987]: Unable to negotiate with 218.92.0.17 port 38235: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
Jun 23 10:43:22 freyja sshd[50498]: Unable to negotiate with 218.92.0.113 port 55744: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
Jun 23 10:53:12 freyja sshd[8374]: Unable to negotiate with 218.92.0.31 port 17833: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
Jun 23 10:55:36 freyja sshd[93234]: Unable to negotiate with 218.92.0.17 port 25671: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
Jun 23 10:57:45 freyja sshd[16168]: Unable to negotiate with 218.92.0.35 port 42553: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
Jun 23 11:02:15 freyja sshd[48351]: Unable to negotiate with 218.92.0.24 port 61448: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
Jun 23 11:12:35 freyja sshd[75959]: Unable to negotiate with 218.92.0.31 port 41679: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
Jun 23 11:25:11 freyja sshd[38673]: Unable to negotiate with 218.92.0.98 port 18570: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
Jun 23 11:26:01 freyja sshd[53372]: Unable to negotiate with 220.80.14.246 port 63144: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]

$ grep negotiate /var/log/authlog | wc -l
     508
</code>

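Counting the lines is a start; the script below is an added example (not from the original notes) that reduces the same ''Unable to negotiate'' entries to counts per source address and per offered host key algorithm, so you can see who is probing and which key types they are stuck on. It uses a constructed excerpt in the format shown above; on a real host feed it ''grep negotiate /var/log/authlog'' instead.

```sh
#!/bin/sh
# Added example: summarise sshd "Unable to negotiate" entries from authlog.
# SAMPLE is a constructed excerpt in the authlog format shown above; on a real
# host replace the printf with: grep negotiate /var/log/authlog
SAMPLE='Jun 23 09:44:58 freyja sshd[95566]: Unable to negotiate with 35.167.89.48 port 44522: no matching host key type found. Their offer: ssh-rsa [preauth]
Jun 23 09:44:59 freyja sshd[72370]: Unable to negotiate with 35.167.89.48 port 45206: no matching host key type found. Their offer: ssh-dss [preauth]
Jun 23 10:11:40 freyja sshd[39801]: Unable to negotiate with 218.92.0.112 port 29204: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
Jun 23 10:16:04 freyja sshd[56545]: Unable to negotiate with 220.135.177.191 port 46403: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
Jun 23 10:18:30 freyja sshd[23558]: Unable to negotiate with 218.92.0.35 port 43999: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
Jun 23 10:20:00 freyja sshd[41234]: Accepted publickey for maja from 192.0.2.10 port 50122 ssh2: ED25519 SHA256:constructedfingerprint'

# Rejected handshakes per source address, printed as "count address", busiest first.
negotiate_by_source() {
    printf '%s\n' "$SAMPLE" |
    awk '/Unable to negotiate with/ {
             for (i = 1; i <= NF; i++)        # the peer address follows the word "with"
                 if ($i == "with") { src[$(i+1)]++; break }
         }
         END { for (s in src) print src[s], s }' |
    sort -k1,1nr -k2,2
}

# Host key algorithms the rejected clients asked for, as "count algorithm".
# With only the ed25519 HostKey active, every line here is a client that
# did not accept an ed25519 host key, i.e. mostly scanners with old presets.
negotiate_by_offer() {
    printf '%s\n' "$SAMPLE" |
    awk -F 'Their offer: ' '/Unable to negotiate with/ {
             split($2, rest, " ")              # drop the trailing "[preauth]"
             n = split(rest[1], alg, ",")      # offers are comma separated
             for (i = 1; i <= n; i++) count[alg[i]]++
         }
         END { for (a in count) print count[a], a }' |
    sort -k1,1nr -k2,2
}

negotiate_by_source
negotiate_by_offer
```

The accepted ed25519 login in the sample is deliberately ignored by both functions, so a successful key login from your own workstation never shows up as a probe.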
==== Firewall PF ====
PF is a superb firewall; there is good documentation in the [[https://www.openbsd.org/faq/pf/index.html|FAQ]] section\\
The main file is ''/etc/pf.conf''; by default everything inbound is blocked and everything outbound is allowed.\\
''pfctl'' is the main command for interacting with pf, including viewing and modifying the config on the fly.\\
''pftop'' is an additional package: a top-like CLI tool to monitor pf live\\
\\
Combine SSH and PF and you'll passively discard a lot
<file text pf.conf>
# Allow SSH, trap and block offenders into 'ssh-abuse' table
pass inet proto tcp from any to $ext_if port ssh \
        flags S/SA keep state \
        (max-src-conn 20, max-src-conn-rate 5/3, \
         overload <ssh-abuse> flush global)
</file>
<code>
$ doas pfctl -t ssh-abuse -Ts | wc -l
    1081
</code>

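To see what ''max-src-conn-rate 5/3'' actually catches, the added example below (not part of the original notes, and not pf's own code) replays authlog-style lines and reports the sources that make more than 5 new connections inside any 3-second window, i.e. the ones the overload rule would push into ''<ssh-abuse>''. It assumes ''pf.conf'' also declares ''table <ssh-abuse> persist'' and a ''block in quick from <ssh-abuse>'' rule ahead of the pass rule, as the PF FAQ describes, and uses constructed sample lines: one scanner address from the log above bursting, plus a normal key login from 192.0.2.10.

```sh
#!/bin/sh
# Added example: approximate pf's max-src-conn-rate 5/3 over sshd log lines.
# A source is reported the first time it has more than RATE new connections
# inside any WINDOW-second span. pf tracks the rate as a moving average, so
# this is a log-review approximation, not a reimplementation of the kernel check.
# SAMPLE is constructed: six attempts in three seconds from 218.92.0.112 (seen in
# the real log above) and two normal logins from 192.0.2.10 (documentation
# range). PIDs and ports are made up.
RATE=5
WINDOW=3
SAMPLE='Jun 23 10:11:40 freyja sshd[39801]: Unable to negotiate with 218.92.0.112 port 29204: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
Jun 23 10:11:40 freyja sshd[39805]: Unable to negotiate with 218.92.0.112 port 29211: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
Jun 23 10:11:41 freyja sshd[39810]: Unable to negotiate with 218.92.0.112 port 29220: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
Jun 23 10:11:41 freyja sshd[39814]: Unable to negotiate with 218.92.0.112 port 29231: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
Jun 23 10:11:42 freyja sshd[39819]: Unable to negotiate with 218.92.0.112 port 29240: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
Jun 23 10:11:42 freyja sshd[39823]: Unable to negotiate with 218.92.0.112 port 29247: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
Jun 23 10:11:50 freyja sshd[39901]: Accepted publickey for maja from 192.0.2.10 port 50122 ssh2: ED25519 SHA256:constructedfingerprint
Jun 23 10:12:30 freyja sshd[39950]: Accepted publickey for maja from 192.0.2.10 port 50130 ssh2: ED25519 SHA256:constructedfingerprint'

# Prints "address at HH:MM:SS" for each source that trips the threshold.
overloaded_sources() {
    printf '%s\n' "$SAMPLE" |
    awk -v rate="$RATE" -v win="$WINDOW" '
    /sshd\[/ {
        # timestamp as seconds since midnight (assumes one day of log)
        split($3, h, ":"); t = h[1] * 3600 + h[2] * 60 + h[3]
        # the peer address follows "with" (rejected) or "from" (accepted)
        src = ""
        for (i = 1; i < NF; i++)
            if (($i == "with" || $i == "from") && $(i+1) ~ /^[0-9.]+$/) { src = $(i+1); break }
        if (src == "") next
        n[src]++; seen[src, n[src]] = t
        hits = 0                               # connections from src inside the window
        for (j = 1; j <= n[src]; j++) if (t - seen[src, j] < win) hits++
        if (hits > rate && !(src in flagged)) { flagged[src] = 1; print src, "at", $3 }
    }'
}

overloaded_sources
```

Compare its output with ''doas pfctl -t ssh-abuse -Ts'' on the host to check that the rule is firing on the sources you expect; entries stay in the table until you expire them (''pfctl -t ssh-abuse -T expire'' with an age in seconds).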
==== Spamd ====
spamd is a 'spam deferral daemon' which runs in white/grey/black modes.\\
Running in black (blacklist-only) mode accepts all mail connections and just tarpits them.\\
A neat trick to capture pesky mailers and those not following RFC standards.\\
\\
In ''/etc/rc.conf.local'':\\
<code>
spamd_black=YES
spamd_flags=
</code>
then set up ''/etc/mail/spamd.conf'',\\
set up the default pf rulesets (from the man page)\\
and point an MX record at your host \\
==== OpenSMTPD ====
''/etc/mail/smtpd.conf''
==== Rando install ====
Installed on a laptop \\
boot the ISO and mount it for the files \\
''doas'' \\
get the ''fw-iwn0'' file \\
''fw_update -p /mnt'' \\
configure ''hostname.iwn0'' \\
up \\
''dhclient iwn0'' \\
''join wifiname wpakey wifipass'' \\
dhcp\\
''ifconfig iwn0 up'' \\
''ifconfig iwn0 scan'' \\
''dhclient iwn0'' or ''/netstart'' \\
test pings \\
''fw_update'' \\
''reboot'' \\
test ''zzz'' (sleep) \\
time fix: ''date 20220222.....'' \\
add user to wheel during install \\
''usermod -G/-L staff video operator username'' \\
''apm -A'', or with more flags ''-A -z8 +300'' \\
''machdep.lidaction=1'' \\
''sysctl.conf'': ''hw.smt=1'' to enable all cores/hyperthreading\\
''doas.conf'': persist nopass \\
''syspatch'' \\
''pkg_add -u'' \\
  
openbsd.1645008429.txt.gz · Last modified: 2022/02/16 10:47 by maja