

..:: Notes on OpenBSD ::..

Below are my notes on OpenBSD and various configs.

About

I like OpenBSD and use it where I can: it's simple (good and bad), secure out of the box, well documented and easy to learn.
There are some things it doesn't do as well, and some apps are not compatible, but that's OK.
I like that many functions/features/apps are baked in, and yet it remains light and simple.
The file structure and service management are common sense too.

Mostly deployed as a 'security thing', OpenBSD has developed a reputation as being 'the most secure' of the BSDs, or of OSes in general. It's just a good OS full stop, and makes an excellent server and a really good desktop, especially on laptops, as the OpenBSD devs really do eat their own dog food.
The main challenge where new users get stuck is hardware support/compatibility, especially with new devices and closed-source code/blobs, e.g. Broadcom WiFi and NVIDIA graphics, which no doubt reduces the audience on desktops/laptops.

Although OpenBSD usually works well on laptops, it does not support many WiFi chips, or may be limited to slower speeds.
Bluetooth is not supported, there are no fancy filesystems, and there is no Docker.

I like to use OpenBSD on my cloud servers because it's fast and light, and everything I need (with a few exceptions) is in the base install.

I like to use OpenBSD on older laptops as aux systems, because they are well supported.

At home I have OpenBSD running on a laptop, and at work running a web server.


Installation

The OpenBSD installer is a text-only affair (like many other BSDs and Linux server distros).
Although initially jarring compared to modern GUI installers, the OpenBSD installer is light, fast, and easy to follow along.

Choosing the location of the file sets can be tricky from a USB-booted image, as it seems you have to re-mount it, and advanced disk partitioning can be daunting initially.

The FAQ has all the info you need, including steps for disk encryption and RAID configs.

Setup

My normal post-install adjustments include:

Add my user to the wheel, operator and staff groups with usermod -G wheel,operator,staff my-user-name (the -G list is comma-separated).
Add my user to the staff login class with usermod -L staff my-user-name.

sudo has been replaced with doas.
As root, create the config file /etc/doas.conf with “permit persist keepenv :wheel”; persist skips the password prompt for a while after a successful authentication, and keepenv keeps the user's environment instead of resetting it to the safe default set.

I only use strong modern SSH keys, so I like to further secure the SSH server.
Edit /etc/ssh/sshd_config to offer only the ed25519 host key, allow key authentication only (PasswordAuthentication no) and disable root logins (PermitRootLogin no); check the result with sshd -t, and keep your current session open while you verify that a fresh login still works.

Keep the OS and apps up to date with binary patches:
the OS with syspatch, and packages with pkg_add -u.

For servers, adjust the firewall to allow access to services,
using a PF config appropriate for the host in /etc/pf.conf,
normally blocking everything, then allowing sshd and web with connection-rate thresholds and an overload table for source addresses that exceed them.
I might also install pftop, curl and wget,
and if you're setting up a web server, configure httpd, acme-client, php and dokuwiki.

For desktops, enable xenodm and set up your favourite display manager / desktop environment. FVWM and CWM are in base, but XFCE and GNOME are in packages, as are Firefox and Chromium.

Services

Services are started by rc(8) via per-service rc.d(8) scripts; the system defaults live in /etc/rc.conf (don't edit it), local overrides go in /etc/rc.conf.local, one-off commands run at boot go in /etc/rc.local, and /etc/examples has sample configs for guidance and ideas.
Services are easily controlled with rcctl:

usage:	rcctl get|getdef|set service | daemon [variable [arguments]]
	rcctl [-df] configtest|check|reload|restart|stop|start daemon ...
	rcctl disable|enable|order [daemon ...]
	rcctl ls all|failed|off|on|rogue|started|stopped

e.g. to stop the web server's httpd daemon: rcctl stop httpd

Firewall PF

pf.conf(5) and pf.os(5): the ruleset and the passive OS fingerprint database
pfctl(8): load and inspect rules, states and tables; pfctl -nf /etc/pf.conf parses a ruleset without loading it
pftop (from packages): a live, top-like view of states and rules
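
The ruleset the Setup notes describe (block everything, let ssh and web in, rate-limit new connections and park offenders in an overload table) written out as /etc/pf.conf. This is an added example, not the page's own config: the limits, the table name <bruteforce> and the ICMP rule are my choices.

```conf
# /etc/pf.conf, added example of a default-deny server ruleset; the
# thresholds and the table name are assumptions, not values from the notes.
ext_if = "egress"             # interface group that holds the default route
tcp_services = "{ ssh, www, https }"

# Sources that trip the rate limits below land here (persist: survives reloads).
table <bruteforce> persist

set skip on lo
set block-policy drop         # drop silently instead of sending RST/unreachable

# Default deny in both directions, logging blocked inbound packets to pflog0.
block log all

# Anything already in the table is dropped before the pass rules are consulted.
block drop in quick from <bruteforce>

# Allow ICMP echo so the host can still be pinged.
pass in on $ext_if inet proto icmp icmp-type echoreq

# ssh/http/https in: at most 100 concurrent connections per source and 15 new
# connections per 5 seconds; exceed either and the source goes into
# <bruteforce> and all of its existing states are flushed.
pass in on $ext_if proto tcp to ($ext_if) port $tcp_services \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, \
     overload <bruteforce> flush global)

# The host itself may talk out (DNS, NTP, syspatch, pkg_add, acme-client).
pass out on $ext_if
```

Parse it with doas pfctl -nf /etc/pf.conf, then load it with doas pfctl -f /etc/pf.conf from a session you already have open (a wrong rule locks you out, so a second SSH session or the console is the safety net). doas pfctl -t bruteforce -T show lists trapped addresses and -T delete releases one; overload entries never age out on their own, so a cron job running pfctl -t bruteforce -T expire 86400 drops the ones older than a day.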

SSHD
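
The sshd hardening from the Setup notes (ed25519 host key only, key authentication only, no root logins) as an added example of /etc/ssh/sshd_config lines, not the page's own file; the AllowGroups line is my addition and can be dropped if non-wheel users need shell access.

```conf
# /etc/ssh/sshd_config additions, added example; everything not listed
# here stays at the OpenBSD defaults.

# Naming one HostKey explicitly replaces the default set (rsa, ecdsa,
# ed25519), so only the ed25519 key is offered to clients.
HostKey /etc/ssh/ssh_host_ed25519_key

# Only accept ed25519 user keys (plain and FIDO security-key variants).
PubkeyAcceptedAlgorithms ssh-ed25519,sk-ssh-ed25519@openssh.com

# Key authentication only: no passwords, no keyboard-interactive prompts.
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no

# No root logins at all; become root with doas from a wheel user instead.
PermitRootLogin no

# Assumption, not from the notes: only members of wheel may log in over ssh.
AllowGroups wheel
```

Put your public key in ~/.ssh/authorized_keys before restarting, validate with doas sshd -t, restart with doas rcctl restart sshd, and test a fresh login from a second terminal while the current session stays open. Clients that previously recorded an RSA or ECDSA key for this host may be prompted to accept the ed25519 key.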

Spamd

spamd is a 'spam deferral daemon' which runs in white/grey/black modes.
Running in black (blacklist-only) mode, it accepts mail connections and just tarpits them.
A neat trick to capture pesky mailers and those not following the RFC standards.

In rc.conf.local:
spamd_black=YES
spamd_flags=
then set up /etc/mail/spamd.conf,
add the pf rules from the spamd(8) man page (a divert-to rule sending SMTP connections to spamd on 127.0.0.1),
and point an MX record at your host.

OpenSMTPD

/etc/mail/smtpd.conf

Rando install

Rough notes from an install on a laptop with an Intel iwn(4) WiFi card, whose firmware is not in the base sets, so it has to be handed to fw_update by hand before the machine is online:

must be installed on a laptop
boot the ISO and mount it to get at its files
work as root (doas)
get the iwn firmware file
fw_update -p /mnt (install firmware packages from the mounted path instead of fetching them)
configure /etc/hostname.iwn0:
	join wifiname wpakey wifipass
	dhcp
	up
ifconfig iwn0 up
ifconfig iwn0 scan
dhclient iwn0, or sh /etc/netstart iwn0
test with ping
fw_update (now that it is online, fetch any remaining firmware)
reboot
test suspend with zzz
fix the time: 'date 20220222…..'
add the user to wheel during the install
usermod -G staff,video,operator -L staff username
apmd flags: -A, or with more flags -A -z8 +300
sysctl machdep.lidaction=1 (suspend on lid close)
sysctl.conf: hw.smt=1 to enable all cores/hyperthreading; it is off by default since 6.4 because SMT sibling threads share caches and other core resources and leak data across security boundaries (TLBleed, L1TF and friends), so enable it only where that trade-off is acceptable
doas.conf: persist (nopass also works, but then anything running as your user can become root without ever being asked for a password)
syspatch
pkg_add -u
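
The /etc/hostname.iwn0 file the notes above sketch, written out as an added example (not copied from the page); the network names and passphrases are made up, and the dhcp keyword from the notes is the older spelling of inet autoconf.

```conf
join homewifi wpakey correct-horse-battery-staple
join officewifi wpakey another-made-up-passphrase
join openwifi
inet autoconf
```

Several join lines are allowed; the card auto-joins whichever listed network is in range, and an open network is listed without wpakey. Apply it with doas sh /etc/netstart iwn0 and check ifconfig iwn0 for status: active. Since the file holds WPA passphrases, keep it readable by root only (chmod 0640 root:wheel), and bring the firmware in first with fw_update -p /mnt from the mounted media, then plain fw_update once the link is up.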

openbsd.1687517922.txt.gz · Last modified: 2023/06/23 10:58 by maja