openbsd
Differences
openbsd [2022/02/16 11:36] – maja | openbsd [2023/06/23 11:41] (current) – reorder maja | ||
---|---|---|---|
Line 3: | Line 3: | ||
below are my notes on [[https:// | below are my notes on [[https:// | ||
\\ | \\ | ||
+ | ===== About ===== | ||
i like OpenBSD, and use it where i can, its simple (good and bad), secure out the box, well documented and easy to learn.\\ | i like OpenBSD, and use it where i can, its simple (good and bad), secure out the box, well documented and easy to learn.\\ | ||
- | there are some things it doesn' | + | there are some things it doesn' |
- | i like that many funcitons/ | + | i like that many functions/ |
the file structure and service management are common sense too.\\ | the file structure and service management are common sense too.\\ | ||
\\ | \\ | ||
- | Mostly deployed as a ' | + | Mostly deployed as a ' |
- | the main pain point is hardware | + | the main challenge were new users get unstuck |
\\ | \\ | ||
- | I like to use OpenBSD on my cloud servers because its fast and light, and everything i need (with a few expections) | + | Although |
+ | Bluetooth | ||
\\ | \\ | ||
- | At home i have an OpenBSD | + | I like to use OpenBSD |
\\ | \\ | ||
+ | I like to use OpenBSD on older laptops as aux-systems, | ||
\\ | \\ | ||
- | post install: | + | At home i have OpenBSD running on a laptop, and at work running a web-server \\ |
- | create user, add to wheel, operator, staff with #usermod -G wheel operator staff my-user-name \\ | + | |
- | add to staff login group with #usermod -L staff my-user-name \\ | + | |
- | config ''/ | + | |
- | secure ssh server ''/ | + | |
- | patch os #syspatch, and packages #pkg_add -u \\ | + | |
- | firewall config appropriate for host in ''/ | + | |
- | if web server, config httpd, acme-client, | + | |
\\ | \\ | ||
+ | \\ | ||
+ | ===== Installation ===== | ||
+ | OpenBSD installer is a text_only affair. (like many other BSD's or Linux server distros)\\ | ||
+ | Although initially jarring compared to modern GUI installers, the OpenBSD installer is light, fast, and easy to follow along.\\ | ||
+ | \\ | ||
+ | Choosing the disk-sets can be tricky from a USB booted image, as seems you have to re-mount it, and advanced disk partitioning can be daunting initially.\\ | ||
+ | \\ | ||
+ | The [[https:// | ||
+ | |||
+ | |||
+ | ===== Setup ===== | ||
+ | my normal post install adjustments include:\\ | ||
+ | \\ | ||
+ | add my user to the operator and staff user groups with '' | ||
+ | add my user to the staff login profile with '' | ||
+ | \\ | ||
+ | sudo has been replaced with '' | ||
+ | as root create/ | ||
+ | \\ | ||
+ | i only use strong modern ssh keys, so i like to further secure the ssh-server\\ | ||
+ | edit the ''/ | ||
+ | \\ | ||
+ | keeping the OS and Apps upto date with binary patches\\ | ||
+ | os '' | ||
+ | \\ | ||
+ | For Servers adjust the firewall to allow access to services\\ | ||
+ | using '' | ||
+ | normally blocking all , allowing sshd and web with connection thresholds and overflows \\ | ||
+ | i might also install '' | ||
+ | \\ | ||
+ | and if your setting up a web server, config '' | ||
+ | \\ | ||
+ | For Desktops allow xenodm and setup your favorite DM/DE. FVWM and CWM are there in base, but XFCE and Gnome are in packages, as is Firefox and Chromium. | ||
+ | |||
+ | ===== Services ===== | ||
+ | init based service control system, check in ''/ | ||
+ | services are easily controlled, with '' | ||
+ | < | ||
+ | usage: | ||
+ | rcctl [-df] configtest|check|reload|restart|stop|start daemon ... | ||
+ | rcctl disable|enable|order [daemon ...] | ||
+ | rcctl ls all|failed|off|on|rogue|started|stopped | ||
+ | </ | ||
+ | eg; to stop the web-server' | ||
+ | |||
+ | ==== SSHD ==== | ||
+ | OpenBSD team long ago forked SSH and created their own version, and probably their best known project. it's so good its now the de-facto variant installed on most other OS' | ||
+ | \\ | ||
+ | As a client i rarely modify the local file. if the host is a workstation/ | ||
+ | \\ | ||
+ | although defaults are always sane, for servers | ||
+ | <file - sshd_config> | ||
+ | #HostKey / | ||
+ | #HostKey / | ||
+ | HostKey / | ||
+ | # | ||
+ | PermitRootLogin prohibit-password | ||
+ | </ | ||
+ | \\ | ||
+ | which ends up with entertaining log files like ''/ | ||
+ | < | ||
+ | Jun 23 09:44:58 freyja sshd[95566]: | ||
+ | Jun 23 09:44:59 freyja sshd[72370]: | ||
+ | Jun 23 10:11:40 freyja sshd[39801]: | ||
+ | Jun 23 10:12:17 freyja sshd[52019]: | ||
+ | Jun 23 10:13:23 freyja sshd[12803]: | ||
+ | Jun 23 10:16:04 freyja sshd[56545]: | ||
+ | Jun 23 10:18:30 freyja sshd[23558]: | ||
+ | Jun 23 10:41:08 freyja sshd[82987]: | ||
+ | Jun 23 10:43:22 freyja sshd[50498]: | ||
+ | Jun 23 10:53:12 freyja sshd[8374]: Unable to negotiate with 218.92.0.31 port 17833: no matching host key type found. Their offer: ecdsa-sha2-nistp256, | ||
+ | Jun 23 10:55:36 freyja sshd[93234]: | ||
+ | Jun 23 10:57:45 freyja sshd[16168]: | ||
+ | Jun 23 11:02:15 freyja sshd[48351]: | ||
+ | Jun 23 11:12:35 freyja sshd[75959]: | ||
+ | Jun 23 11:25:11 freyja sshd[38673]: | ||
+ | Jun 23 11:26:01 freyja sshd[53372]: | ||
+ | |||
+ | $ grep negotiate / | ||
+ | 508 | ||
+ | </ | ||
+ | |||
+ | ==== Firewall PF ==== | ||
+ | PF is a super firewall, there is a good doco available in the [[https:// | ||
+ | main file is the ''/ | ||
+ | '' | ||
+ | '' | ||
+ | \\ | ||
+ | Combine SSH and PF and you'll passively discard a lot | ||
+ | <file text pf.conf> | ||
+ | # Allow SSH, trap and block offenders into ' | ||
+ | pass inet proto tcp from any to $ext_if port ssh \ | ||
+ | flags S/SA keep state \ | ||
+ | (max-src-conn 20, max-src-conn-rate 5/3, \ | ||
+ | | ||
+ | </ | ||
+ | < | ||
+ | $ doas pfctl -t ssh-abuse -Ts | wc -l | ||
+ | 1081 | ||
+ | </ | ||
+ | |||
+ | ==== Spamd ==== | ||
+ | SpamD can is a 'spam deferral daemon' | ||
+ | running black/block mode accepts all mail connections, | ||
+ | neat trick to capture pesky mailers and those not following rfc standards.\\ | ||
+ | \\ | ||
+ | rc.conf.local \\ | ||
+ | | ||
+ | | ||
+ | and setup / | ||
+ | setup the default pf rulesets (in man page)\\ | ||
+ | and point a MX record to your host \\ | ||
+ | ==== OpenSMTPD==== | ||
+ | / | ||
+ | ==== Rando install ==== | ||
+ | must be install on laptop \\ | ||
+ | boot iso and mount for files \\ | ||
+ | #doas \\ | ||
+ | get fw-iwn0 file \\ | ||
+ | #fw_udpate -p /mnt \\ | ||
+ | hostname.iwn0 config \\ | ||
+ | up \\ | ||
+ | dhclient iwn0 \\ | ||
+ | join wifiname wpakey wifipass \\ | ||
+ | dhcp\\ | ||
+ | ifconfig iwn0 up \\ | ||
+ | ifconfig iwn0 scan \\ | ||
+ | dhclient iwn0 or /netstart \\ | ||
+ | test pings \\ | ||
+ | #fw_update \\ | ||
+ | #reboot \\ | ||
+ | test zzz sleep \\ | ||
+ | timefix 'date 20220222.....' | ||
+ | add user to wheel during install \\ | ||
+ | #usermod -G/-L staff video operator username \\ | ||
+ | apm -A or with more flags -A -z8 +300 \\ | ||
+ | machdep lida ction =1 \\ | ||
+ | sysctl.conf hw.smt=1 .. to enable all cores/ | ||
+ | doas.conf persist nopass \\ | ||
+ | #syspatch \\ | ||
+ | #pkg_add -u \\ | ||
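Review bot: the `usermod` invocations in both revisions (`usermod -G wheel operator staff my-user-name` on the old side, `usermod -G/-L staff video operator username` in the Rando install list) do not match usermod(8) syntax: `-G` takes one comma-separated list of secondary groups, so it should read `usermod -G wheel,operator,staff username`, and `-L` takes a single login class (`usermod -L staff username`) and cannot be combined with `-G` as `-G/-L`. Also the pf.conf block in the new revision stops after `(max-src-conn 20, max-src-conn-rate 5/3, \`, so the `overload <ssh-abuse> ...` clause that the later `pfctl -t ssh-abuse -Ts` count relies on is missing; the rule should be completed so the rule and the table it fills match. Small fixes in the added text: `fw_udpate` should be `fw_update`, `machdep lida ction =1` should be the sysctl `machdep.lidaction=1`, "the main challenge were new users get unstuck" should read "where", and "SpamD can is a" should read "SpamD is a". Finally, `hw.smt=1` deserves a caveat next to it: OpenBSD disables SMT by default because sibling hyperthreads share caches and expose speculative-execution side channels, so re-enabling it trades isolation for throughput and should not be a blanket post-install step on servers.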
openbsd.1645011384.txt.gz · Last modified: 2022/02/16 11:36 by maja