Security Suggestions

After the initial OpenBSD install I will next update all my sources to stable and then rebuild. Finally I will batten down the hatches a little more.
What follows are recommendations only. Some people will view such measures as too paranoid or not extreme enough. Using or not using the below suggestions is up to you.
- Security levels
- Using kernel flags
- Encrypted swap file
- Disable inetd
- SSH over telnet
- SFTP over FTP
- Mounting partitions
- rm using the -P option
- Increase minimum password length
Security levels
Security levels set how strictly the kernel enforces certain system restrictions. There are four security levels: -1, 0, 1, and 2, with securelevel 2 being the most secure. The securelevel is set in the /etc/rc.securelevel file. Each level briefly explained:
- Securelevel -1 : The kernel adds no extra security, although the normal security features, such as file permissions, still function. Use this level for machines not in production use.
- Securelevel 0 : Used when OpenBSD first boots up. If this level is set in your rc.securelevel file, securelevel 1 will actually be used once the boot process has finished. Securelevel 0 adds no features of its own.
- Securelevel 1 : OpenBSD's default securelevel. Writing to /dev/mem and /dev/kmem won't work. Raw disk devices are read-only. The schg and sappnd flags cannot be removed. Kernel modules cannot be loaded or unloaded 'on the fly'.
- Securelevel 2 : Includes all securelevel 1 features plus: limited setting of the system clock; pfctl cannot change PF or NAT rules; DDB kernel debugger sysctl values cannot be changed.
The end of the boot process will show your securelevel; you can also check it at a prompt:
# sysctl kern.securelevel
If you want to adjust to a higher level at the command prompt:
# sysctl -w kern.securelevel=2
You cannot lower the securelevel at the command prompt. Only a reboot can do this.
Using kernel flags
Setting kernel flags is like setting permissions but with an added twist. With some flags set, not even root can make changes. Changes can only be made by booting into a lower securelevel or booting into single user mode. Commonly used flags:
- sappnd : Can only be set or removed by root. Files with this flag can be appended to but not edited or removed. Good for log files. This flag cannot be removed while the system is running at securelevel 1 or greater.
- schg : Can only be set or removed by root. Files with this flag cannot be changed, moved or replaced. This flag cannot be removed while the system is running at securelevel 1 or greater.
- uappnd : Can be set or removed by user or root. Files can be added to but not edited or removed by the average user (prevents accidental removal). The user or root may remove this flag at any time.
Checking to see if a file has a flag set:
# ls -lo /bsd
-rw-r--r-- 1 root wheel schg 5358488 Mar 30 11:47 /bsd
The schg text is the evidence of a flag being set.
Two popular flag settings:
Disallowing changes to the kernel:
# chflags schg /bsd
Disallowing changes to the binaries:
# chflags -R schg /bin
I like to set a sappnd flag to root's history file. If there is a root compromise of the system, looking over the history file will help in tracing the intruder's movements.
Also, setting the sappnd flag to a user's history file will also prevent the old script kiddie trick of covering their tracks by sending history output to /dev/null via a soft link.
Encrypt the swap partition
Encrypting your swap partition is mainly done to prevent any local user from potentially abusing the system. By default OpenBSD 3.9 encrypts the swap partition. To turn this on for OpenBSD versions 3.7 and below:
1. As root change the kernel state variable:
# sysctl -w vm.swapencrypt.enable=1
2. Edit /etc/sysctl.conf from:
#vm.swapencrypt.enable=1
to:
vm.swapencrypt.enable=1
and to check if the kernel state is set:
# sysctl vm.swapencrypt.enable
Disable inetd
On a default install inetd is enabled. On my OpenBSD server at home I only run sshd, ntpd, syslogd, and httpd, none of which run from inetd, so I typically disable inetd. Disable inetd by editing the /etc/rc.conf file from:
inetd=YES
to:
inetd=NO
and to stop inetd without a reboot:
# kill `cat /var/run/inetd.pid`
SSH over telnet
Telnet will not be running on a default install. I'm not sure there are any good arguments for running the telnet service. As most know, the telnet login process uses plain-text authentication, making sniffing a practical approach to gaining illegal remote access to a system. Next on the menu would be performing a local exploit. SSH not only encrypts the login (authentication) process; the entire SSH session is encrypted as well.
Almost all Linux and BSD distros include the OpenSSH server and client. For Windows, PuTTY would be the equivalent free client.
To disable telnet, edit the /etc/inetd.conf file from:
telnet
to:
#telnet
SFTP over FTP
Sftp will be running on a default install. Sftp prevents the problem of sniffing ftp passwords, which are transmitted in plain text. You might be surprised how easy it is to use sftp. Almost all Linux and BSD distros come with an sftp client, and for Windows both CuteFtp and WS_Ftp support sftp.
Note: There are performance issues when using sftp. You will notice transfer speeds to be slower than ftp speeds. This can be 'blamed' on the fact that sftp communication is encrypted, which adds to the transfer time.
Mounting partitions
The way partitions are mounted can greatly affect system security. How partitions are mounted at boot time is controlled by the fstab file. Two examples of a /etc/fstab file with security in mind:
1. The following layout shows an average paranoid setup:
/dev/wd0a / ffs rw 1 1
/dev/wd0h /home ffs rw,nodev,nosuid 1 2
/dev/wd0d /tmp ffs rw,nodev,nosuid,noexec 1 2
/dev/wd0g /usr ffs ro,nodev 1 2
/dev/wd0e /var ffs rw,nodev,nosuid,noexec 1 2
The difference between the two: the second layout has the root (/) partition mounted read-only and the /home partition mounted noexec.
2. More paranoia added to the mix with a dash of less usability:
/dev/wd0a / ffs ro 1 1
/dev/wd0h /home ffs rw,nodev,nosuid,noexec 1 2
/dev/wd0d /tmp ffs rw,nodev,nosuid,noexec 1 2
/dev/wd0g /usr ffs ro,nodev 1 2
/dev/wd0e /var ffs rw,nodev,nosuid,noexec 1 2
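As an added example (not part of the original tutorial), the following POSIX shell function audits an fstab file against the mount options recommended above, reporting which mount points fall short of the second layout. The mapping of mount point to expected options is my own assumption drawn from that layout.

```shell
#!/bin/sh
# Added example: audit an fstab file against the hardened layout above.
# Prints "mountpoint: missing opt1 opt2" for each entry lacking an expected
# option and returns the number of non-compliant entries (0 = all good).

# Expected options per mount point, assumed from the "more paranoia" layout.
expected_opts() {
    case "$1" in
        /)         echo "ro" ;;
        /usr)      echo "ro nodev" ;;
        /home)     echo "rw nodev nosuid noexec" ;;
        /tmp|/var) echo "rw nodev nosuid noexec" ;;
        *)         echo "" ;;        # no opinion on other mount points
    esac
}

audit_fstab() {
    fstab="${1:-/etc/fstab}"
    bad=0
    while read -r dev mnt fstype opts rest; do
        # skip blank lines and comments
        case "$dev" in ''|\#*) continue ;; esac
        want=$(expected_opts "$mnt")
        [ -z "$want" ] && continue
        missing=""
        for o in $want; do
            # options are comma separated; match whole tokens only
            case ",$opts," in
                *",$o,"*) ;;
                *) missing="$missing $o" ;;
            esac
        done
        if [ -n "$missing" ]; then
            echo "$mnt: missing$missing"
            bad=$((bad + 1))
        fi
    done < "$fstab"
    return "$bad"
}
```

Run against the first ("average paranoid") layout it reports exactly the two differences noted above: / is not read-only and /home lacks noexec.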
rm using the -P option
Most Linux distros ship with a nice file wiping utility called shred. I'm not sure there is an equivalent program for OpenBSD, but using the rm command with the -P option will overwrite regular files three times before deleting them.
Using rm with -P option:
# rm -P filename
Or add a command alias for BASH:
# echo "alias rm='rm -P'" >> ~/.bash_profile
Increase minimum password length
The default minimum length for OpenBSD login passwords is 6 characters. I like to increase this to 10 characters, which is done by editing the /etc/login.conf file.
Edit the /etc/login.conf file adding this line under the default class:
:minpasswordlen=10:\
Note: login.conf does not have to be converted (cap_mkdb) to a database file, unlike FreeBSD.
If you notice any errors, please let me know.
