**..:: Notes on OpenBSD ::..**

Below are my notes on [[https://www.openbsd.org|OpenBSD]] and various configs.

===== About =====

I like OpenBSD, and use it where I can. It's simple (good and bad), secure out of the box, well documented and easy to learn.\\
There are some things it doesn't do as well, and some apps are not compatible, but that's OK.\\
I like that many functions/features/apps are baked in, and yet it remains light and simple.\\
The file structure and service management are common sense too.

Mostly deployed as a 'security thing', OpenBSD has developed a reputation as being 'the most secure' of the BSDs or OSs. It's just a good OS full stop, makes an excellent server, and a really good desktop, especially on laptops, as the OpenBSD devs really do eat their own dog food.\\
The main challenge where new users get stuck is hardware support/compatibility, especially with new devices and closed-source code/blobs, e.g. Broadcom WiFi and NVidia graphics, which no doubt reduces the audience on desktop/laptop.

Although OpenBSD usually works well on laptops, it does not support many WiFi chips, or may be limited to slower speeds.\\
Bluetooth is not supported, there are no fancy filesystems and no Docker.

I like to use OpenBSD on my cloud servers because it's fast and light, and everything I need (with a few exceptions) is in the base install.

I like to use OpenBSD on older laptops as aux systems, because they are well supported.

At home I have OpenBSD running on a laptop, and at work running a web server.

===== Installation =====

The OpenBSD installer is a text-only affair
(like many other BSDs or Linux server distros).\\
Although initially jarring compared to modern GUI installers, the OpenBSD installer is light, fast, and easy to follow along.

Choosing the disk sets can be tricky from a USB-booted image, as it seems you have to re-mount it, and advanced disk partitioning can be daunting initially.

The [[https://www.openbsd.org/faq/index.html|FAQ]] has all the info you need, including steps for disk encryption and RAID configs.

===== Setup =====

My normal post-install adjustments include:

  * add my user to the wheel, operator and staff groups with ''usermod -G wheel,operator,staff my-user-name'' (''-G'' takes a comma-separated list)
  * add my user to the staff login class with ''usermod -L staff my-user-name''
  * sudo has been replaced with ''doas'': as root, create the config file ''/etc/doas.conf'' containing ''permit persist keepenv :wheel''
  * I only use strong modern SSH keys, so I like to further secure the SSH server: edit the ''/etc/ssh/sshd_config'' file and force ed25519 host keys and key auth, and disable root password login
  * keep the OS and apps up to date with binary patches: OS ''syspatch'', and packages ''pkg_add -u''
  * for servers, adjust the firewall to allow access to services, using a ''PF'' config appropriate for the host in ''/etc/pf.conf'', normally blocking all and allowing sshd and web with connection thresholds and overload tables. I might also install ''pftop'', ''curl'' and ''wget'', and if you're setting up a web server, config ''httpd'', ''acme-client'', ''php'' and ''dokuwiki''
  * for desktops, enable xenodm and set up your favourite DM/DE. FVWM and CWM are there in base, but XFCE and Gnome are in packages, as are Firefox and Chromium.
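The Setup steps above as one script, added here as an example; it is not the page's own script and not anything shipped with OpenBSD. The functions take the config file path as an argument so they can be tried on a copy before touching ''/etc''. The ''apply'' mode, the lock-out guard that checks ''authorized_keys'' before passwords are turned off, and the ''PasswordAuthentication'' / ''KbdInteractiveAuthentication'' directives are my additions beyond the page's own steps:

```shell
#!/bin/sh
# Post-install hardening helper for the Setup steps (added example, not the
# page's script). File paths are arguments so the functions can be exercised
# on a copy of sshd_config before the real one is touched.
set -eu

# Replace (or add) one sshd_config directive. It is inserted at the top of the
# file so it can never end up inside a trailing "Match" block by accident.
set_sshd_directive() {          # $1 file  $2 directive  $3 value
    _f=$1 _k=$2 _v=$3
    { printf '%s %s\n' "$_k" "$_v"
      grep -vE "^[[:space:]]*#?[[:space:]]*$_k([[:space:]]|\$)" "$_f" || true
    } > "$_f.tmp" && mv "$_f.tmp" "$_f"
}

# Present only the ed25519 host key (comment out rsa/ecdsa, enable ed25519),
# keep root to key-only, and turn off password logins entirely.
harden_sshd_config() {          # $1 = path to an sshd_config
    _f=$1
    sed -E \
        -e 's,^#?[[:space:]]*(HostKey /etc/ssh/ssh_host_(rsa|ecdsa)_key)[[:space:]]*$,#\1,' \
        -e 's,^#?[[:space:]]*(HostKey /etc/ssh/ssh_host_ed25519_key)[[:space:]]*$,\1,' \
        "$_f" > "$_f.tmp" && mv "$_f.tmp" "$_f"
    set_sshd_directive "$_f" PermitRootLogin prohibit-password
    set_sshd_directive "$_f" PasswordAuthentication no
    set_sshd_directive "$_f" KbdInteractiveAuthentication no
}

# Returns 0 when the file carries every setting harden_sshd_config applies.
check_sshd_config() {           # $1 = path
    _f=$1
    grep -qE '^HostKey /etc/ssh/ssh_host_ed25519_key' "$_f" &&
    ! grep -qE '^HostKey /etc/ssh/ssh_host_(rsa|ecdsa)_key' "$_f" &&
    grep -qE '^PermitRootLogin prohibit-password' "$_f" &&
    grep -qE '^PasswordAuthentication no' "$_f"
}

# Lock-out guard: disabling passwords is only safe once the login user has a
# non-empty authorized_keys file.
has_authorized_key() {          # $1 = home directory of the ssh user
    [ -s "$1/.ssh/authorized_keys" ]
}

# The doas.conf line from the page; group is a parameter (default wheel).
render_doas_conf() {
    printf 'permit persist keepenv :%s\n' "${1:-wheel}"
}

# Apply for real, as root on the OpenBSD host:
#   doas sh harden.sh apply /home/my-user-name
if [ "${1:-}" = apply ]; then
    has_authorized_key "${2:?home dir of the ssh user}" || {
        echo "no authorized_keys for that user, refusing to disable passwords" >&2
        exit 1
    }
    cp /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
    harden_sshd_config /etc/ssh/sshd_config
    sshd -t                     # syntax check before the daemon is restarted
    render_doas_conf wheel > /etc/doas.conf
    rcctl restart sshd
fi
```

Source the file (''. ./harden.sh'') to try ''harden_sshd_config'' on a copy of ''sshd_config'' and confirm it with ''check_sshd_config'', or run ''doas sh harden.sh apply /home/my-user-name'' on the server. Keep the existing SSH session open while sshd restarts; ''syspatch'' and ''pkg_add -u'' are left to run separately as on the page.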
===== Services =====

OpenBSD uses an init-based service control system; check ''/etc/rc.conf'', ''/etc/rc.local'' and ''/etc/examples'' for guidance and ideas.\\
Services are easily controlled with ''rcctl'':

<code>
usage: rcctl get|getdef|set service | daemon [variable [arguments]]
       rcctl [-df] configtest|check|reload|restart|stop|start daemon ...
       rcctl disable|enable|order [daemon ...]
       rcctl ls all|failed|off|on|rogue|started|stopped
</code>

e.g. to stop the web server's httpd daemon: ''rcctl stop httpd''

==== SSHD ====

The OpenBSD team long ago forked SSH and created their own version, probably their best known project. It's so good it's now the de-facto variant installed on most other OSs.

As a client I rarely modify the local file. If the host is a workstation/laptop I create a new ed25519 private key: ''ssh-keygen -t ed25519''

Although the defaults are always sane, for servers I modify the ''/etc/ssh/sshd_config'' file and allow only the ed25519 host key to be presented, which gets rid of a lot of probing attempts, as well as adjusting the root login conditions:

<code>
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

#PermitRootLogin yes
PermitRootLogin prohibit-password
</code>

which ends up with entertaining log files like ''/var/log/authlog'':

<code>
Jun 23 09:44:58 freyja sshd[95566]: Unable to negotiate with 35.167.89.48 port 44522: no matching host key type found. Their offer: ssh-rsa [preauth]
Jun 23 09:44:59 freyja sshd[72370]: Unable to negotiate with 35.167.89.48 port 45206: no matching host key type found. Their offer: ssh-dss [preauth]
Jun 23 10:11:40 freyja sshd[39801]: Unable to negotiate with 218.92.0.112 port 29204: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
Jun 23 10:12:17 freyja sshd[52019]: Unable to negotiate with 61.177.172.185 port 51943: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
Jun 23 10:13:23 freyja sshd[12803]: Unable to negotiate with 218.92.0.31 port 11816: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
Jun 23 10:16:04 freyja sshd[56545]: Unable to negotiate with 220.135.177.191 port 46403: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
Jun 23 10:18:30 freyja sshd[23558]: Unable to negotiate with 218.92.0.35 port 43999: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
Jun 23 10:41:08 freyja sshd[82987]: Unable to negotiate with 218.92.0.17 port 38235: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
Jun 23 10:43:22 freyja sshd[50498]: Unable to negotiate with 218.92.0.113 port 55744: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
Jun 23 10:53:12 freyja sshd[8374]: Unable to negotiate with 218.92.0.31 port 17833: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
Jun 23 10:55:36 freyja sshd[93234]: Unable to negotiate with 218.92.0.17 port 25671: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
Jun 23 10:57:45 freyja sshd[16168]: Unable to negotiate with 218.92.0.35 port 42553: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
Jun 23 11:02:15 freyja sshd[48351]: Unable to negotiate with 218.92.0.24 port 61448: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
Jun 23 11:12:35 freyja sshd[75959]: Unable to negotiate with 218.92.0.31 port 41679: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
Jun 23 11:25:11 freyja sshd[38673]: Unable to negotiate with 218.92.0.98 port 18570: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
Jun 23 11:26:01 freyja sshd[53372]: Unable to negotiate with 220.80.14.246 port 63144: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
</code>

<code>
$ grep negotiate /var/log/authlog | wc -l
     508
</code>

==== Firewall PF ====

PF is a super firewall; there is good documentation available in the [[https://www.openbsd.org/faq/pf/index.html|FAQ]] section.\\
The main file is ''/etc/pf.conf'', and by default everything in is blocked and everything out is allowed.\\
''pfctl'' is the main command to interact with pf,
including viewing and modifying the config on the fly.\\
''pftop'' is an additional package, and is a top-like CLI tool to monitor pf live.

Combine SSH and PF and you'll passively discard a lot:

<code>
# Allow SSH, trap and block offenders into the 'ssh-abuse' table
table <ssh-abuse> persist
block in quick from <ssh-abuse>
pass inet proto tcp from any to $ext_if port ssh \
    flags S/SA keep state \
    (max-src-conn 20, max-src-conn-rate 5/3, \
     overload <ssh-abuse> flush global)
</code>

<code>
$ doas pfctl -t ssh-abuse -Ts | wc -l
    1081
</code>

==== Spamd ====

spamd is a 'spam deferral daemon' which runs in white/grey/black modes.\\
Running in black/block mode accepts all mail connections and just tarpits them.\\
A neat trick to capture pesky mailers and those not following RFC standards.

In ''/etc/rc.conf.local'':
<code>
spamd_black=YES
spamd_flags=
</code>
Then set up ''/etc/mail/spamd.conf'', set up the default pf rulesets (in the man page), and point an MX record to your host.

==== OpenSMTPD ====

''/etc/mail/smtpd.conf''

==== Rando install ====

Must-do install notes for a laptop:

  * boot the ISO and mount it for the files
  * as root (''doas''): get the ''fw-iwn0'' file, then ''# fw_update -p /mnt''
  * ''/etc/hostname.iwn0'' config:
<code>
up
join wifiname wpakey wifipass
dhcp
</code>
  * ''ifconfig iwn0 up'' and ''ifconfig iwn0 scan'', then ''dhclient iwn0'' or ''/netstart''
  * test pings
  * ''# fw_update'' then ''# reboot''
  * test ''zzz'' sleep
  * time fix: ''date 20220222.....''
  * add user to wheel during install, then ''# usermod -G staff,video,operator username'' and ''# usermod -L staff username''
  * ''apm -A'', or with more flags ''-A -z8 +300''
  * ''machdep.lidaction=1''
  * ''sysctl.conf'': ''hw.smt=1'' to enable all cores/hyperthreading
  * ''doas.conf'': persist nopass
  * ''# syspatch''
  * ''# pkg_add -u''
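Putting the SSHD and Firewall PF sections above together, as an added example (not the page's own ''pf.conf'' and not an OpenBSD-provided file): a complete ''pf.conf'' built around the ''ssh-abuse'' overload table, plus a small summary of the ''Unable to negotiate'' authlog lines by source address and by offered algorithm, so you can see who is probing and what they ask for. The interface name ''vio0'', the ''web-abuse'' table and its thresholds, the daily ''expire'' and the sample log lines (documentation-range addresses) are all assumptions or constructed for this example:

```shell
#!/bin/sh
# Added example (not the page's config): pf.conf with the ssh-abuse overload
# table from the Firewall PF section, and a summary of the "Unable to
# negotiate" authlog lines from the SSHD section. Interface name, the
# web-abuse table and the sample log are assumptions/constructed.
set -eu

# Render a minimal server pf.conf for the external interface named in $1.
render_pf_conf() {
    printf 'ext_if = "%s"\n' "${1:-vio0}"
    cat <<'EOF'
table <ssh-abuse> persist
table <web-abuse> persist

set skip on lo
set block-policy drop
block log all
pass out quick inet keep state

# Trapped sources are dropped before the pass rules below can match them.
block in quick on $ext_if from <ssh-abuse>
block in quick on $ext_if from <web-abuse>

# SSH: more than 20 open connections, or 5 new ones within 3 seconds, from a
# single source trips the overload; "flush global" kills all its states.
pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 20, max-src-conn-rate 5/3, overload <ssh-abuse> flush global)

# Web: looser thresholds (assumed values), only the matching states are flushed.
pass in on $ext_if inet proto tcp from any to ($ext_if) port { www https } \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 50/5, overload <web-abuse> flush)
EOF
}

# Syntax-check a rendered config: pfctl -nf when root on a pf host, otherwise
# a structural check that the trap table and the overload clause are present.
check_pf_conf() {               # $1 = path
    if command -v pfctl >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        pfctl -nf "$1"
    else
        grep -q 'table <ssh-abuse> persist' "$1" && grep -q 'overload <ssh-abuse>' "$1"
    fi
}

# Cron-friendly cleanup: drop table entries older than a day (86400 s).
expire_ssh_abuse() { pfctl -t ssh-abuse -T expire 86400; }

# Constructed authlog sample in the page's format (RFC 5737 addresses);
# the last line is a successful login and must not be counted.
SAMPLE_AUTHLOG='Jun 23 09:44:58 freyja sshd[95566]: Unable to negotiate with 192.0.2.10 port 44522: no matching host key type found. Their offer: ssh-rsa [preauth]
Jun 23 09:44:59 freyja sshd[72370]: Unable to negotiate with 192.0.2.10 port 45206: no matching host key type found. Their offer: ssh-dss [preauth]
Jun 23 10:11:40 freyja sshd[39801]: Unable to negotiate with 198.51.100.7 port 29204: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
Jun 23 10:12:17 freyja sshd[52019]: Unable to negotiate with 198.51.100.7 port 51943: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
Jun 23 10:13:23 freyja sshd[12803]: Unable to negotiate with 198.51.100.7 port 11816: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
Jun 23 10:20:01 freyja sshd[11111]: Accepted publickey for alice from 203.0.113.5 port 50000 ssh2: ED25519 SHA256:constructed'

# Number of host-key negotiation failures in the authlog lines on stdin
# (the page's "grep negotiate | wc -l", restricted to the host-key message).
count_negotiate_failures() {
    grep -c 'no matching host key type found' || true
}

# Failures per source address, most active first, as "count ip".
negotiate_failures_by_source() {
    grep 'no matching host key type found' \
    | sed -E 's/.*Unable to negotiate with ([^ ]+) port [0-9]+:.*/\1/' \
    | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Which host-key algorithms the probes ask for, as "count algorithm".
offered_algorithms() {
    grep 'no matching host key type found' \
    | sed -E 's/.*Their offer: ([^ ]+).*/\1/' \
    | tr ',' '\n' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Demo: sh pf-ssh.sh demo (real use: pipe /var/log/authlog into the functions)
if [ "${1:-}" = demo ]; then
    render_pf_conf vio0
    printf '%s\n' "$SAMPLE_AUTHLOG" | negotiate_failures_by_source
    printf '%s\n' "$SAMPLE_AUTHLOG" | offered_algorithms
fi
```

''sh pf-ssh.sh demo'' prints the rendered config and the two summaries; on the server, write the config to ''/etc/pf.conf'', confirm it with ''doas pfctl -nf /etc/pf.conf'' and load it with ''doas pfctl -f /etc/pf.conf''. ''doas pfctl -t ssh-abuse -Ts | wc -l'' (as on the page) shows how many sources are currently trapped, and ''expire_ssh_abuse'' from a daily cron entry stops the table growing forever.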