{"id":79,"date":"2019-10-08T12:00:21","date_gmt":"2019-10-08T10:00:21","guid":{"rendered":"http:\/\/blog.remyblom.nl\/?p=79"},"modified":"2021-05-26T09:11:47","modified_gmt":"2021-05-26T07:11:47","slug":"hardening-my-freshly-installed-openbsd-6-5-box","status":"publish","type":"post","link":"https:\/\/blog.remyblom.nl\/?p=79","title":{"rendered":"Hardening my freshly installed OpenBSD 6.5 box"},"content":{"rendered":"\n

First I want to be able to use my regular user, the one I made during installation<\/a>, to use doas<\/code> which is pretty much something like sudo<\/code>. Let’s edit the file \/etc\/doas.conf<\/code> to enable it.<\/p>\n\n\n\n

Ah, and now it turns out that my favorite editor is not available by default, so let’s first install that. I install nano<\/code> in this process, but you might like another editor, or even, you might be happy using vi<\/code>, whatever your preferences are, this is the time to make them available!!<\/p>\n\n\n\n

$ su root\n# pkg_add nano<\/code><\/pre>\n\n\n\n
On a recent install  pkg_add<\/code> wasn’t working, giving me errors like: <\/p>\n\n\n\n
# pkg_add nano\nhttps:\/\/cdn.openbsd.org\/pub\/OpenBSD\/6.9\/packages-stable\/amd64\/: TLS handshake failure: ocsp verify failed: ocsp response not current\nhttps:\/\/cdn.openbsd.org\/pub\/OpenBSD\/6.9\/packages\/amd64\/: TLS handshake failure: ocsp verify failed: ocsp response not current\nhttps:\/\/cdn.openbsd.org\/pub\/OpenBSD\/6.9\/packages\/amd64\/: empty\nCan't find nano<\/code><\/pre>\n\n\n\n
The problem was my clock was ahead 2 hours:<\/p>\n\n\n\n
# date\nWed May 26 19:08:28 CEST 2021\n# date 1709\nWed May 26 17:09:00 CEST 2021<\/code><\/pre>\n\n\n\n
And now pkg_add<\/code> was working just as it should.<\/p>\n\n\n\n
doas<\/h2>\n\n\n\n
And now we have nano<\/code> at our fingertips, so let’s put that to effect:<\/p>\n\n\n\n
$ su root\n# nano \/etc\/doas.conf<\/code><\/pre>\n\n\n\n
create the file with the following content, permitting users from the wheel group to do-as…<\/p>\n\n\n\n
permit persist :wheel<\/code><\/pre>\n\n\n\n
ssh & sshd<\/h2>\n\n\n\n
One of the first things I like to do is enabling hasing of the hostnames in ~\/.ssh\/known_hosts<\/code> so an attacker is not able to see which boxes I visit from this machine. In \/etc\/ssh\/ssh_config<\/code> set:<\/p>\n\n\n\n
HashKnownHosts yes<\/code><\/pre>\n\n\n\n
Next I only want to use public-private key authentication on ssh. So first let’s upload my public key, from my local<\/strong> machine:<\/p>\n\n\n\n
$ ssh-copy-id -i id_rsa user@hostname<\/code><\/pre>\n\n\n\n
As soon as we verified that the key is working we disable password login for the ssh-server in \/etc\/ssh\/sshd_config<\/code> make sure to set:<\/p>\n\n\n\n
PasswordAuthentication no\nChallengeResponseAuthentication no<\/code><\/pre>\n\n\n\n
And we reload sshd<\/code>:<\/p>\n\n\n\n
$ doas rcctl reload sshd<\/code><\/pre>\n\n\n\n
And now log out and back in.<\/p>\n\n\n\n
firewall<\/h2>\n\n\n\n
Trying to read and learn about PF, the OpenBSD Packet Filter, that can do firewalling, NAT, just to name a few, I was a bit overwhelmed. And I actually had a hard time finding examples of rules that would do what I wanted. In the end I just sad down, and with some trail and error I ended up with a simple set of rules that did what I wanted, which I added to the end of \/etc\/pf.conf<\/code><\/p>\n\n\n\n
# here I go!! following conf by R3MY B7OM!\n#\n# WHAT I WANT:\n#\n# pass all out, block all in, except on http\/https\n\nweb = \"{ 80, 443 }\"\n\nblock in\npass out\n\npass in proto tcp from any to any port $web\n\n# I want to restrict access to any port to a group of trusted ip\/ranges:\n# 10.1.0.0\/16       # Some IP Range that I trust\n# 192.168.0.0.\/16   # Other IP Range that is okay!\n\ntrusted = \"{ 10.1.0.0\/16, 192.168.0.0\/16, server.hostname.com foo.hostname.com }\"\n\npass in proto tcp from $trusted to any<\/code><\/pre>\n\n\n\n
To activate the current config type:<\/p>\n\n\n\n
$ doas pfctl -f \/etc\/pf.conf<\/code><\/pre>\n\n\n\n
Do take care tho, you might apply rules that shut yourself out of your box. I saw people do cronjobs that disable pf<\/code> every 2 minutes or so, but as long as you have access to the console, you don’t need these fancy work-arounds, you just use the console to change your ruleset.<\/p>\n\n\n\n
Now in the above ruleset I opened up 80 and 443 for http and https traffic, but I have not yet installed any webserver. But to test the correct rules are set in pf you can use this very useful command:<\/p>\n\n\n\n
$ doas nc -l 80<\/code><\/pre>\n\n\n\n
It starts listening on port 80. doas<\/code> is needed for lower port-numbers. You can use telnet to connect to the port and everything you enter there will echo here. Great little tool.<\/p>\n\n\n\n
$ telnet hostname 80<\/code><\/pre>\n\n\n\n
syspatch and pkg_add<\/h2>\n\n\n\n
To keep your system up-to-date you should regularly check to see patches are available:<\/p>\n\n\n\n
$ doas syspatch -c<\/code><\/pre>\n\n\n\n
Install the available patches:<\/p>\n\n\n\n
$ doas syspatch<\/code><\/pre>\n\n\n\n
Keeping installed packages up-to-date, use:<\/p>\n\n\n\n
$ doas pkg_add -u<\/code><\/pre>\n\n\n\n
Only see what pkg_add -u<\/code> will do:<\/p>\n\n\n\n
$ doas pkg_add -us<\/code><\/pre>\n\n\n\n
Now that we have this out of the way, let’s install the famous LEMP-stack<\/a>!<\/p>\n","protected":false},"excerpt":{"rendered":"
First I want to be able to use my regular user, the one I made during installation, to use doas which is pretty much something like sudo. Let’s edit the file \/etc\/doas.conf to enable it. Ah, and now it turns out that my favorite editor is not available by default, so let’s first install that. … <\/p>\n
Continue reading “Hardening my freshly installed OpenBSD 6.5 box”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13,4,2],"tags":[],"class_list":["post-79","post","type-post","status-publish","format-standard","hentry","category-hardening","category-openbsd","category-vps"],"_links":{"self":[{"href":"https:\/\/blog.remyblom.nl\/index.php?rest_route=\/wp\/v2\/posts\/79","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.remyblom.nl\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.remyblom.nl\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.remyblom.nl\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.remyblom.nl\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=79"}],"version-history":[{"count":22,"href":"https:\/\/blog.remyblom.nl\/index.php?rest_route=\/wp\/v2\/posts\/79\/revisions"}],"predecessor-version":[{"id":271,"href":"https:\/\/blog.remyblom.nl\/index.php?rest_route=\/wp\/v2\/posts\/79\/revisions\/271"}],"wp:attachment":[{"href":"https:\/\/blog.remyblom.nl\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=79"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.remyblom.nl\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=79"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.remyblom.nl\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=79"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}