..:: Notes on OpenBSD ::..

Below are my notes on OpenBSD and various configs.

I like OpenBSD, and use it where I can: it's simple (good and bad), secure out of the box, well documented and easy to learn.
There are some things it doesn't do as well, and some apps are not compatible, but that's ok.
I like that many functions/features/apps are baked in, and yet it remains light and simple.
The file structure and service management are common sense too.

Mostly deployed as a 'security thing', OpenBSD has developed a reputation as being 'the most secure' of the BSDs or OSs. It's just a good OS full stop, and makes an excellent server and a really good desktop, especially on laptops, as the devs really do eat their own dog food.
The main pain point is hardware compatibility, especially with closed source code/blobs (Broadcom WiFi and NVIDIA graphics as examples), which no doubt reduces the audience on desktop/laptop.

I like to use OpenBSD on my cloud servers because it's fast and light, and everything I need (with a few exceptions) is in the base install.

At home I have an OpenBSD laptop, and at work a webserver.


Post install:
create user, add to wheel, operator and staff with # usermod -G wheel,operator,staff my-user-name
add to the staff login class with # usermod -L staff my-user-name
config /etc/doas.conf with "permit persist keepenv :wheel"
secure the ssh server in /etc/ssh/sshd_config by forcing ed25519 host keys and key auth, and disabling root password login
patch the OS with # syspatch, and packages with # pkg_add -u
firewall config appropriate for the host in /etc/pf.conf, normally blocking all, allowing sshd and web with connection thresholds and overload tables
if a web server, config httpd, acme-client and php
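A constructed /etc/pf.conf, added here as an example (not the ruleset from these notes), showing the "block all, allow sshd and web with connection thresholds and overload" pattern described above. The interface name vio0 and the numeric limits are assumptions; adjust them for the host.

```pf
# /etc/pf.conf - constructed example; vio0 and the limits below are assumptions
ext_if = "vio0"

# Sources that exceed a rate limit are added here and blocked until removed.
table <bruteforce> persist

set skip on lo
set block-policy drop

# Normalise inbound packets.
match in all scrub (no-df random-id max-mss 1440)

# Default deny in both directions; log what gets dropped.
block log all

# Anything already in the overload table is dropped before the pass rules.
block drop in quick on $ext_if from <bruteforce>

# Host replies to ping so reachability can still be tested.
pass in on $ext_if inet proto icmp icmp-type echoreq

# SSH: max 10 concurrent connections per source and 5 new ones per 30 s;
# exceeding that puts the source in <bruteforce> and flushes its states.
pass in on $ext_if proto tcp to ($ext_if) port ssh \
    keep state (max-src-conn 10, max-src-conn-rate 5/30, \
        overload <bruteforce> flush global)

# HTTP/HTTPS: looser thresholds, same overload mechanism.
pass in on $ext_if proto tcp to ($ext_if) port { www, https } \
    keep state (max-src-conn 100, max-src-conn-rate 50/10, \
        overload <bruteforce> flush global)

# The host itself may talk out freely.
pass out on $ext_if
```

Check the syntax with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf. Entries in <bruteforce> stay until removed, so expire old ones periodically with pfctl -t bruteforce -T expire 86400 (from cron, for instance).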

Services

check rc.conf and /etc/examples for guidance and ideas
rcctl enable|disable|start|stop|reload <service>

Firewall PF

pf.conf and pf.os
pfctl
pftop

SSHD

Spamd

spamd is a 'spam deferral daemon' which runs in white/grey/black modes.
Running in black (block) mode, it accepts all mail connections and just tarpits them.
A neat trick to capture pesky mailers and those not following RFC standards.

In rc.conf.local:
spamd_black=YES
spamd_flags=
then set up /etc/mail/spamd.conf,
set up the default pf rulesets (in the man page),
and point an MX record to your host.

OpenSMTPD

/etc/mail/smtpd.conf

Random install notes

steps that must be done on a laptop install
boot the iso and mount it for files
# doas
get the fw-iwn0 file
# fw_update -p /mnt
hostname.iwn0 config
up
dhclient iwn0
join wifiname wpakey wifipass
dhcp
ifconfig iwn0 up
ifconfig iwn0 scan
dhclient iwn0 or /etc/netstart
test pings
# fw_update
# reboot
test zzz (sleep)
timefix 'date 20220222…..'
add user to wheel during install
# usermod -G/-L staff video operator username
apm -A or with more flags -A -z8 +300
sysctl machdep.lidaction=1
sysctl.conf hw.smt=1 .. to enable all cores/hyperthreading
doas.conf persist nopass
# syspatch
# pkg_add -u

openbsd.1645523333.txt.gz · Last modified: 2022/02/22 09:48 by maja