openbsd [2023/06/23 11:41] (current) – reorder maja

===== Setup =====
my normal post install adjustments include:\\
\\
add my user to the wheel, operator and staff groups with ''usermod -G wheel,operator,staff my-user-name'' \\
add my user to the staff login class with ''usermod -L staff my-user-name'' \\
\\
sudo has been replaced with ''doas''\\
as root create/config the file ''/etc/doas.conf'' with ''permit persist keepenv :wheel'' \\
\\
I only use strong modern ssh keys, so I like to further secure the ssh-server\\
edit the ''/etc/ssh/sshd_config'' file and force ed25519 host keys and key-auth, and disable root password login \\
\\
keeping the OS and apps up to date with binary patches\\
os ''syspatch'', and packages ''pkg_add -u'' \\
\\
For servers adjust the firewall to allow access to services\\
using the ''PF'' firewall, with a config appropriate for the host in ''/etc/pf.conf''\\
normally blocking all, allowing sshd and web with connection thresholds and overload tables \\
I might also install ''pftop'', ''curl'' and ''wget'' \\
\\
and if you're setting up a web server, config ''httpd'', ''acme-client'', ''php'' and ''dokuwiki'' \\
\\
For desktops enable xenodm and set up your favourite DM/DE. FVWM and CWM are there in base, but XFCE and Gnome are in packages, as are Firefox and Chromium.

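The checklist above turned into a small audit script, added here as an example and not part of the original page. It is plain POSIX sh with awk and sed, so the two check functions run on any system against a copy of ''doas.conf'' and ''sshd_config''; ''apply_post_install'' wraps the mutating commands from the list and refuses to run anywhere but OpenBSD. The file names, the ''check''/''apply'' arguments and the finding messages are this example's own choices, and the script overwrites ''/etc/doas.conf'' when applying, as a fresh install would want.

```shell
#!/bin/sh
# Added example, not from the original page: audit (and optionally apply)
# the post-install hardening listed above. POSIX sh plus awk/sed only, so the
# check functions run anywhere; apply_post_install refuses to run off OpenBSD.

# Active (non-comment, non-blank) lines of a config file.
active_lines() {
    sed -e 's/^[[:space:]]*#.*$//' -e '/^[[:space:]]*$/d' "$1"
}

# First value set for KEY in an sshd_config FILE (sshd keeps the first
# occurrence, keys are case-insensitive); prints nothing when unset.
sshd_opt() { # FILE KEY
    key=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    awk -v key="$key" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == key { print $2; exit }' "$1"
}

# Exit 0 when FILE presents only the ed25519 host key, forbids root password
# login and disables password authentication; otherwise print each finding
# on its own line and exit 1.
check_sshd_config() { # FILE
    f=$1; rc=0
    hostkeys=$(active_lines "$f" | awk 'tolower($1) == "hostkey" { print $2 }')
    if [ -z "$hostkeys" ]; then
        echo "FINDING: no HostKey set, sshd offers every default host key type"; rc=1
    fi
    for k in $hostkeys; do
        case $k in
            *ed25519*) ;;
            *) echo "FINDING: non-ed25519 host key active: $k"; rc=1 ;;
        esac
    done
    case $(sshd_opt "$f" PermitRootLogin) in
        no|prohibit-password) ;;
        *) echo "FINDING: PermitRootLogin must be no or prohibit-password"; rc=1 ;;
    esac
    case $(sshd_opt "$f" PasswordAuthentication) in
        no) ;;
        *) echo "FINDING: PasswordAuthentication is not set to no"; rc=1 ;;
    esac
    return $rc
}

# Exit 0 when a 'permit ... :wheel' rule exists in a doas.conf FILE, 2 when the
# last such rule carries nopass (no password at all), 1 when wheel is never
# permitted. doas itself applies the last matching rule, so later rules win.
check_doas_conf() { # FILE
    awk 'BEGIN { rc = 1 }
         /^[[:space:]]*#/ { next }
         $1 == "permit" {
             for (i = 2; i <= NF; i++) if ($i == ":wheel") rc = 0
             for (i = 2; i <= NF; i++) if ($i == "nopass" && rc == 0) rc = 2
         }
         END { exit rc }' "$1"
}

# The mutating steps from the list above; runs as root on OpenBSD only.
apply_post_install() { # USER
    u=${1:?user name required}
    [ "$(uname -s)" = OpenBSD ] || { echo "not OpenBSD, refusing to apply" >&2; return 1; }
    usermod -G wheel,operator,staff "$u"          # secondary groups
    usermod -L staff "$u"                         # login class from login.conf
    printf 'permit persist keepenv :wheel\n' > /etc/doas.conf   # replaces any existing file
    syspatch                                      # binary patches for the base OS
    pkg_add -u                                    # update installed packages
}

case ${1:-} in
    check)
        check_doas_conf /etc/doas.conf && echo "doas.conf: ok"
        check_sshd_config /etc/ssh/sshd_config && echo "sshd_config: ok"
        ;;
    apply) apply_post_install "${2:-}" ;;
esac
```

Run ''doas ./post-install.sh check'' after editing the two files; a non-zero exit with one FINDING line per problem is what you get when, for example, the rsa HostKey line is still uncommented.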
===== Services =====
init based service control system, check ''/etc/rc.conf'', ''/etc/rc.local'' and ''/etc/examples'' for guidance and ideas \\
services are easily controlled with ''rcctl''\\
<code>
usage: rcctl get|getdef|set service | daemon [variable [arguments]]
       rcctl [-df] configtest|check|reload|restart|stop|start daemon ...
       rcctl disable|enable|order [daemon ...]
       rcctl ls all|failed|off|on|rogue|started|stopped
</code>
eg; to stop the web-server's httpd daemon ''rcctl stop httpd''
==== SSHD ====
The OpenBSD team long ago forked SSH and created their own version, probably their best known project. It's so good it's now the de-facto variant installed on most other OSes.\\
\\
As a client I rarely modify the local file. If the host is a workstation/laptop I create a new ed25519 private key: ''ssh-keygen -t ed25519''\\
\\
Although the defaults are always sane, for servers I modify the ''/etc/ssh/sshd_config'' file and allow only ed25519 host keys to be presented, which gets rid of a lot of probing attempts, as well as adjusting the root login conditions\\
<file - sshd_config>
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#PermitRootLogin yes
PermitRootLogin prohibit-password
</file>
\\
which ends up with entertaining log files like ''/var/log/authlog''\\
<code>
Jun 23 09:44:58 freyja sshd[95566]: Unable to negotiate with 35.167.89.48 port 44522: no matching host key type found. Their offer: ssh-rsa [preauth]
Jun 23 09:44:59 freyja sshd[72370]: Unable to negotiate with 35.167.89.48 port 45206: no matching host key type found. Their offer: ssh-dss [preauth]
Jun 23 10:11:40 freyja sshd[39801]: Unable to negotiate with 218.92.0.112 port 29204: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
Jun 23 10:12:17 freyja sshd[52019]: Unable to negotiate with 61.177.172.185 port 51943: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
Jun 23 10:13:23 freyja sshd[12803]: Unable to negotiate with 218.92.0.31 port 11816: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
Jun 23 10:16:04 freyja sshd[56545]: Unable to negotiate with 220.135.177.191 port 46403: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
Jun 23 10:18:30 freyja sshd[23558]: Unable to negotiate with 218.92.0.35 port 43999: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
Jun 23 10:41:08 freyja sshd[82987]: Unable to negotiate with 218.92.0.17 port 38235: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
Jun 23 10:43:22 freyja sshd[50498]: Unable to negotiate with 218.92.0.113 port 55744: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
Jun 23 10:53:12 freyja sshd[8374]: Unable to negotiate with 218.92.0.31 port 17833: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
Jun 23 10:55:36 freyja sshd[93234]: Unable to negotiate with 218.92.0.17 port 25671: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
Jun 23 10:57:45 freyja sshd[16168]: Unable to negotiate with 218.92.0.35 port 42553: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
Jun 23 11:02:15 freyja sshd[48351]: Unable to negotiate with 218.92.0.24 port 61448: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
Jun 23 11:12:35 freyja sshd[75959]: Unable to negotiate with 218.92.0.31 port 41679: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
Jun 23 11:25:11 freyja sshd[38673]: Unable to negotiate with 218.92.0.98 port 18570: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
Jun 23 11:26:01 freyja sshd[53372]: Unable to negotiate with 220.80.14.246 port 63144: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]

$ grep negotiate /var/log/authlog | wc -l
508
</code>

==== Firewall PF ====
PF is a super firewall, and there is good doco available in the [[https://www.openbsd.org/faq/pf/index.html|FAQ]] section\\
the main file is ''/etc/pf.conf'' and by default everything in is blocked and everything out allowed.\\
''pfctl'' is the main command to interact with pf, including viewing and modifying the config on the fly.\\
''pftop'' is an additional package, and is a top-like cli tool to monitor pf live\\
\\
Combine SSH and PF and you'll passively discard a lot
<file text pf.conf>
# $ext_if is a macro set earlier in pf.conf naming the external interface
# the overload table has to exist before a rule can reference it
table <ssh-abuse> persist
# drop anything from a source that has already been trapped
block in quick on $ext_if from <ssh-abuse>
# Allow SSH, trap and block offenders into 'ssh-abuse' table
pass inet proto tcp from any to $ext_if port ssh \
    flags S/SA keep state \
    (max-src-conn 20, max-src-conn-rate 5/3, \
    overload <ssh-abuse> flush global)
</file>
<code>
$ doas pfctl -t ssh-abuse -Ts | wc -l
1081
</code>
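The authlog noise from the SSHD section and the ''ssh-abuse'' table above, worked through as one added example that is not part of the original page. The first function counts failed host-key negotiations per source and records the legacy algorithms it offered; the second compares those sources with a dump of the overload table, because ''max-src-conn-rate'' only traps sources that connect fast, so a slow prober can sit in the log for days without ever entering the table. The sample log lines and table dump are constructed (documentation addresses, in the style of the page's log), and the script assumes ''pfctl -t ssh-abuse -Ts'' prints one address per line, which is what pfctl does.

```shell
#!/bin/sh
# Added example, not from the original page. Summarise "no matching host key
# type" negotiation failures per source and compare the offenders with a dump
# of the pf <ssh-abuse> table. Sample data below is constructed; on a real
# host use /var/log/authlog and `doas pfctl -t ssh-abuse -Ts`.

# Reads authlog lines on stdin, prints one line per source:
#   <failed negotiations> <ip> <algorithms offered on the last attempt>
# sorted by count (descending) then address.
negotiate_summary() {
    awk '/Unable to negotiate with .* no matching host key type found/ {
            for (i = 1; i <= NF; i++) if ($i == "with") ip = $(i + 1)
            sub(/.*Their offer: /, ""); sub(/ \[preauth\].*/, "")
            n[ip]++; offer[ip] = $0
        }
        END { for (ip in n) printf "%d %s %s\n", n[ip], ip, offer[ip] }' |
    sort -k1,1nr -k2,2
}

# Probing sources that are not (yet) in the overload table.
# Arguments: AUTHLOG TABLE_DUMP (output of pfctl -t ssh-abuse -Ts)
unblocked_probers() {
    negotiate_summary < "$1" |
    awk -v tf="$2" 'FILENAME == tf { tbl[$1]; next } !($2 in tbl) { print $2 }' "$2" -
}

# Constructed sample data (RFC 5737 documentation addresses, not real hosts).
sample_authlog() {
cat <<'EOF'
Jun 23 09:44:58 freyja sshd[95566]: Unable to negotiate with 192.0.2.10 port 44522: no matching host key type found. Their offer: ssh-rsa [preauth]
Jun 23 09:44:59 freyja sshd[72370]: Unable to negotiate with 192.0.2.10 port 45206: no matching host key type found. Their offer: ssh-dss [preauth]
Jun 23 10:11:40 freyja sshd[39801]: Unable to negotiate with 198.51.100.7 port 29204: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ssh-rsa,ssh-dss [preauth]
Jun 23 10:12:01 freyja sshd[39900]: Accepted publickey for alice from 203.0.113.5 port 50000 ssh2: ED25519 SHA256:constructed
Jun 23 10:13:23 freyja sshd[12803]: Unable to negotiate with 198.51.100.7 port 11816: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ssh-rsa,ssh-dss [preauth]
Jun 23 10:16:04 freyja sshd[56545]: Unable to negotiate with 203.0.113.99 port 46403: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
EOF
}
sample_table() {
cat <<'EOF'
   198.51.100.7
   203.0.113.250
EOF
}

case ${1:-} in
    demo)
        t=$(mktemp); sample_table > "$t"; sample_authlog > "$t.log"
        echo "# failed negotiations per source"; negotiate_summary < "$t.log"
        echo "# probers not in <ssh-abuse>"; unblocked_probers "$t.log" "$t"
        rm -f "$t" "$t.log" ;;
    live)
        t=$(mktemp); doas pfctl -t ssh-abuse -Ts > "$t"
        unblocked_probers /var/log/authlog "$t"; rm -f "$t" ;;
esac
```

''./ssh-probers.sh demo'' runs it on the sample data; ''live'' does the same against the real log and table. The table only ever grows with ''flush global'', so pair it with a periodic ''doas pfctl -t ssh-abuse -T expire 86400'' to age out entries older than a day.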

==== Spamd ====