openbsd
openbsd [2023/06/23 10:52] – [Setup] maja
openbsd [2023/06/23 11:41] (current) – reorder maja
Line 52: Line 52:
 \\ \\
 and if your setting up a web server, config ''httpd'', ''acme-client'', ''php'' and ''dokuwiki'' \\ and if your setting up a web server, config ''httpd'', ''acme-client'', ''php'' and ''dokuwiki'' \\
-\\ 
 \\ \\
 For Desktops allow xenodm and setup your favorite DM/DE. FVWM and CWM are there in base, but XFCE and Gnome are in packages, as is Firefox and Chromium. For Desktops allow xenodm and setup your favorite DM/DE. FVWM and CWM are there in base, but XFCE and Gnome are in packages, as is Firefox and Chromium.
  
 ===== Services ===== ===== Services =====
-check in rc.conf and /etc/examples for guidance and ideas \\ +init based service control system, check in ''/etc/rc.conf'' , ''/etc/rc.local'' and ''/etc/examples'' for guidance and ideas \\ 
-rcctl enable|disable|start|stop|reload \\\ +services are easily controlled, with ''rcctl''\\ 
-==== Firewall PF ==== +<code> 
-pf.conf and pf.os \\ +usage: rcctl get|getdef|set service daemon [variable [arguments]] 
-pfctl \\ + rcctl [-df] configtest|check|reload|restart|stop|start daemon ... 
-pftop \\+ rcctl disable|enable|order [daemon ...] 
 + rcctl ls all|failed|off|on|rogue|started|stopped 
 +</code> 
 +eg; to stop the web-server's httpd daemon ''rcctl stop httpd'' 
 ==== SSHD ==== ==== SSHD ====
 +OpenBSD team long ago forked SSH and created their own version, and probably their best known project. it's so good its now the de-facto variant installed on most other OS's.\\
 +\\
 +As a client i rarely modify the local file. if the host is a workstation/laptop i create a new ed25519 private key. ''ssh-keygen -t ed25519''\\
 +\\
 +although defaults are always sane, for servers  i modify the ''/etc/ssh/sshd_config'' file and allow only ed25519 host keys from being presented, this gets rid of of a lot of probing attempts, as well as adjusting root login conditions\\
 +<file - sshd_config>
 +#HostKey /etc/ssh/ssh_host_rsa_key
 +#HostKey /etc/ssh/ssh_host_ecdsa_key
 +HostKey /etc/ssh/ssh_host_ed25519_key
 +#PermitRootLogin yes
 +PermitRootLogin prohibit-password
 +</file>
 +\\
 +which ends up with entertaining log files like ''/etc/var/authlog''\\
 +<code>
 +Jun 23 09:44:58 freyja sshd[95566]: Unable to negotiate with 35.167.89.48 port 44522: no matching host key type found. Their offer: ssh-rsa [preauth]
 +Jun 23 09:44:59 freyja sshd[72370]: Unable to negotiate with 35.167.89.48 port 45206: no matching host key type found. Their offer: ssh-dss [preauth]
 +Jun 23 10:11:40 freyja sshd[39801]: Unable to negotiate with 218.92.0.112 port 29204: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
 +Jun 23 10:12:17 freyja sshd[52019]: Unable to negotiate with 61.177.172.185 port 51943: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
 +Jun 23 10:13:23 freyja sshd[12803]: Unable to negotiate with 218.92.0.31 port 11816: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
 +Jun 23 10:16:04 freyja sshd[56545]: Unable to negotiate with 220.135.177.191 port 46403: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
 +Jun 23 10:18:30 freyja sshd[23558]: Unable to negotiate with 218.92.0.35 port 43999: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
 +Jun 23 10:41:08 freyja sshd[82987]: Unable to negotiate with 218.92.0.17 port 38235: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
 +Jun 23 10:43:22 freyja sshd[50498]: Unable to negotiate with 218.92.0.113 port 55744: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
 +Jun 23 10:53:12 freyja sshd[8374]: Unable to negotiate with 218.92.0.31 port 17833: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
 +Jun 23 10:55:36 freyja sshd[93234]: Unable to negotiate with 218.92.0.17 port 25671: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
 +Jun 23 10:57:45 freyja sshd[16168]: Unable to negotiate with 218.92.0.35 port 42553: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
 +Jun 23 11:02:15 freyja sshd[48351]: Unable to negotiate with 218.92.0.24 port 61448: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
 +Jun 23 11:12:35 freyja sshd[75959]: Unable to negotiate with 218.92.0.31 port 41679: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
 +Jun 23 11:25:11 freyja sshd[38673]: Unable to negotiate with 218.92.0.98 port 18570: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
 +Jun 23 11:26:01 freyja sshd[53372]: Unable to negotiate with 220.80.14.246 port 63144: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
 +
 +$ grep negotiate /var/log/authlog | wc -l
 +     508
 +</code>
 +
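Review bot: the log path named just above the ''<code>'' block is wrong: ''/etc/var/authlog'' should be ''/var/log/authlog'', which is the path the ''grep negotiate /var/log/authlog'' command at the bottom of the same block actually reads. The surrounding sentence also overstates what the HostKey change does: leaving only the ed25519 host key does not stop the probing, it makes clients that cannot negotiate an ed25519 host key fail before authentication, which is exactly what the ''no matching host key type found ... [preauth]'' lines show. Any legitimate client limited to the same older host key types would be cut off the same way, so the text should tell the reader to confirm their own clients can connect before applying this to a remote box.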
 +==== Firewall PF ====
 +PF is a super firewall, there is a good doco available in the [[https://www.openbsd.org/faq/pf/index.html|FAQ]] section\\
 +main file is the ''/etc/pf.conf'' and by default everything in is blocked and everything out allowed.\\
 +''pfctl'' is the main command to interact with pf. including viewing and modifying config on the fly.\\
 +''pftop'' is a additional package, and is a top-like cli tool to monitor pf live\\
 +\\
 +Combine SSH and PF and you'll passively discard a lot
 +<file text pf.conf>
 +# Allow SSH, trap and block offenders into 'ssh-abuse' table
 +pass inet proto tcp from any to $ext_if port ssh \
 +        flags S/SA keep state \
 +        (max-src-conn 20, max-src-conn-rate 5/3, \
 +         overload <ssh-abuse> flush global)
 +</file>
 +<code>
 +$ doas pfctl -t ssh-abuse -Ts | wc -l
 +    1081
 +</code>
  
 ==== Spamd ==== ==== Spamd ====
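Review bot: the pf.conf fragment is not loadable on its own and, as written, does not do the blocking its comment promises: ''$ext_if'' is never defined, and the ''<ssh-abuse>'' table is neither declared nor referenced by any block rule, so ''overload'' would fill the table while the offending hosts keep matching the ''pass'' rule. Add, before the ''pass'' rule, something like
ext_if = "em0"
table <ssh-abuse> persist
block in quick on $ext_if proto tcp from <ssh-abuse> to any port ssh
(with the interface name adjusted for the machine), so that the ''pfctl -t ssh-abuse -Ts'' count shown below reflects addresses that are actually being refused; ''persist'' keeps the table defined even when it is empty.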
openbsd.1687517536.txt.gz · Last modified: 2023/06/23 10:52 by maja