OpenBSD documentation with the distribution media is practical and concise – but it misses some important points. Purchasing OpenBSD is highly recommended. It comes with directions not available on the website. It is also one of the best ways to help support the project. That being said, nothing is perfect. Here are some tips on what other steps to take after following the OpenBSD installation instructions:
Verify root sshd Lockout
Recently, OpenBSD began configuring this lockout during installation; it is applied once an additional user besides root has been added to the system. Hopefully this was done, in which case this step may be skipped.
Search for the option on the command line with:
grep PermitRootLogin /etc/ssh/sshd_config
Make certain you get back the following line
PermitRootLogin no
If not, edit /etc/ssh/sshd_config appropriately. The value may be commented out or set to yes. Change the value to “no”.
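A check that goes a little further than the grep above, as an added example that is not part of the original post: it skips commented-out lines, accepts the "Key=value" spelling, honours only the first active directive (as sshd does) and ignores anything inside a Match block, so a PermitRootLogin inside a Match block is not mistaken for the global setting. The sample configs are constructed here.

```shell
#!/bin/sh
# Added example (not from the original post): report the global
# PermitRootLogin setting in an sshd_config. Comment lines are skipped, both
# "Key value" and "Key=value" are accepted, the first active directive wins
# (sshd honours the first one it sees) and parsing stops at the first Match
# block, since a PermitRootLogin inside a Match block is not the global value.
# Prints "unset" when no active directive exists, i.e. sshd is running on its
# compiled-in default and the line still has to be added.
permit_root_login() {
    cfg=${1:-/etc/ssh/sshd_config}
    val=$(awk '
        { line = $0; sub(/^[[:space:]]+/, "", line) }
        line == "" || line ~ /^#/ { next }
        { gsub(/[[:space:]]*=[[:space:]]*/, " ", line); split("", f); split(line, f, /[[:space:]]+/) }
        tolower(f[1]) == "match" { exit }
        tolower(f[1]) == "permitrootlogin" { print tolower(f[2]); exit }
    ' "$cfg")
    if [ -z "$val" ]; then echo unset; else echo "$val"; fi
}

# Succeeds only when the file disables root logins outright.
root_login_disabled() {
    [ "$(permit_root_login "$1")" = "no" ]
}

# Constructed sample configs so the check can be demonstrated offline.
good=$(mktemp); bad=$(mktemp); commented=$(mktemp)
trap 'rm -f "$good" "$bad" "$commented"' EXIT
printf '# hardened\nPermitRootLogin no\nMatch Address 10.0.0.0/8\n\tPermitRootLogin yes\n' > "$good"
printf 'Port 22\npermitrootlogin = yes\n' > "$bad"
printf '#PermitRootLogin no\nPort 22\n' > "$commented"

for f in "$good" "$bad" "$commented"; do
    if root_login_disabled "$f"; then state=ok; else state=FIX; fi
    printf '%s: PermitRootLogin %s (%s)\n' "$f" "$(permit_root_login "$f")" "$state"
done
```

Run it without arguments against the live file by calling root_login_disabled with no path; sshd must be restarted before an edited value takes effect.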
Starting Services
Intuitively, services are started with options in rc.conf; do not listen to your intuition. Start services in rc.conf.local. This is explained best in the rc.conf man page:
It is advisable to leave the /etc/rc.conf file untouched, and instead create and edit a new /etc/rc.conf.local file. Variables set in this file will override variables previously set in /etc/rc.conf.
The man page, however, does not say why. During major upgrades, and in some instances during package installs, /etc/rc.conf is overwritten with the latest version. Using rc.conf.local ensures that your local configuration changes remain. This is especially important if it took a long time to figure out which command line parameters were needed to start a daemon. Using rc.conf.local means your intensive research will not be clobbered when it is time to upgrade.
spamd and sendmail
Spamd and sendmail are not configured by default with OpenBSD. It is only a matter of time before spammers find your sendmail server; hundreds of messages can be received in this default state. Annoyingly, quick, concise information on how to turn this awesome service on is missing: you have to search through the packet filter, sendmail, and rc documentation to find out what to do. The information here can be found buried in the man pages.
Start spamd and sendmail in your rc.conf.local file:
# For normal use: "-L sm-mta -bd -q30m", and note there is a cron job
sendmail_flags="-L sm-mta -bd -q30m"
spamd_flags="" # for normal use: "" and see spamd(8)
spamd_black=NO # set to YES to run spamd without greylisting
spamlogd_flags="-l pflog0" # use eg. "-i interface" and see spamlogd(8)
This startup information comes from /etc/rc.conf.
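To make the rc.conf / rc.conf.local split above concrete, here is an added example (not from the original post) with two helpers: one that sets a variable in rc.conf.local idempotently, and one that shows the value rc ends up with after rc.conf.local overrides rc.conf. File paths are parameters, and the demo works on constructed stand-ins for the two files using the spamd and sendmail variables just listed; the interface name em0 is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: two helpers around the
# rc.conf / rc.conf.local split. File paths are parameters so the functions
# can be exercised on constructed copies rather than the live files under /etc.

# rc_set VAR VALUE [FILE]: set VAR="VALUE" in FILE (default /etc/rc.conf.local),
# rewriting an existing assignment in place or appending one, so running the
# same command twice never leaves duplicate lines behind.
rc_set() {
    var=$1; val=$2; file=${3:-/etc/rc.conf.local}
    [ -f "$file" ] || : > "$file"
    if grep -q "^${var}=" "$file"; then
        tmp=$(mktemp) || return 1
        awk -v v="$var" -v x="$val" \
            'index($0, v "=") == 1 { print v "=\"" x "\""; next } { print }' \
            "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file's mode
        rm -f "$tmp"
    else
        printf '%s="%s"\n' "$var" "$val" >> "$file"
    fi
}

# rc_effective VAR [RCCONF] [RCLOCAL]: print the value rc(8) ends up with,
# i.e. rc.conf sourced first and rc.conf.local sourced afterwards so that its
# assignments override the distribution defaults. Runs in a subshell so the
# caller's environment is untouched.
rc_effective() {
    var=$1; rcconf=${2:-/etc/rc.conf}; rclocal=${3:-/etc/rc.conf.local}
    (
        . "$rcconf"
        [ -f "$rclocal" ] && . "$rclocal"
        eval "printf '%s\n' \"\$$var\""
    )
}

# Constructed stand-ins for /etc/rc.conf and /etc/rc.conf.local.
rcconf=$(mktemp); rclocal=$(mktemp)
trap 'rm -f "$rcconf" "$rclocal"' EXIT
printf 'sendmail_flags="-L sm-mta -bd -q30m"\nspamd_flags=NO\nspamlogd_flags=NO\n' > "$rcconf"

rc_set spamd_flags "" "$rclocal"                      # enable spamd with greylisting
rc_set spamlogd_flags "-l pflog0" "$rclocal"
rc_set spamlogd_flags "-l pflog0 -i em0" "$rclocal"   # em0 is a placeholder interface

rc_effective spamd_flags "$rcconf" "$rclocal"         # prints an empty line
rc_effective spamlogd_flags "$rcconf" "$rclocal"      # prints: -l pflog0 -i em0
```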
Next, and most importantly, get sendmail working by itself. Configuring sendmail alone can be a chore. The configuration will not be discussed here. Configuration files are complex and there are big subtle differences between installations. It is important for sendmail to be 100% operational before adding an additional layer of protection.
Now configure the packet filter to redirect email traffic to spamd. Insert the following rules into /etc/pf.conf:
# NAT rules and anchors for spamd(8)
table <spamd-white> persist
rdr pass inet proto tcp from !<spamd-white> to any port smtp -> 127.0.0.1 port spamd
This packet filter rule may be found in the spamd man page. Note that it uses the rdr syntax of OpenBSD releases before 4.7; from 4.7 onward, redirection is written as a rdr-to option on a pass rule, so check the spamd man page of your release.
That is all that is needed for a basic install.
Redirect Administrative Email
Do you log into every box on your network to check mail? If you do, stop doing that. It is a lot easier to have sendmail deliver root email to you.
Edit /etc/mail/aliases. Create a line in the beginning of the file like the following:
root: administrator@mydomain.com
Then at the command prompt, type newaliases. This configures sendmail to redirect all root email to your administrator account.
Change motd
Changing motd is a good thing. Let’s say, for the sake of argument, that a hacker actually acquires a logon for your OpenBSD box. The motd display message provides basic information about your system that might help them (e.g. the OpenBSD version number). There is also an argument in court that any use of the word “Welcome” is an open invitation for hackers to use your system. If your company can stomach it, have your legal department write a legal disclaimer for you to use in your motd. Alternatively, you could use a legally untested statement like this:
* * * * *-*-*-*-*-* * W A R N I N G * *-*-*-*-*-* * * * *
THIS SYSTEM IS RESTRICTED TO AUTHORIZED USERS FOR
AUTHORIZED USE ONLY. UNAUTHORIZED ACCESS IS STRICTLY
PROHIBITED BY LAW. VIOLATORS WILL BE PROSECUTED UNDER
THE COMPUTER FRAUD AND ABUSE ACT OF 1986 OR OTHER
APPLICABLE LAWS.
AUTHORIZED USERS MUST COMPLY WITH THE INFORMATION SECURITY
POLICIES AND STANDARDS OF THIS ORGANIZATION. THIS
INCLUDES AND IS NOT LIMITED TO THE MONITORING AND AUDITING
OF ALL USE OF THIS SYSTEM.
IF NOT AUTHORIZED TO ACCESS THIS SYSTEM, DISCONNECT NOW.
BY CONTINUING, YOU CONSENT TO BEING MONITORED, AUDITED,
AND DISCIPLINED WITH LEGAL OR ADMINISTRATIVE ACTIONS BY
THIS ORGANIZATION.
* * * * *-*-*-*-*-* * W A R N I N G * *-*-*-*-*-* * * * *
Set PKG_PATH
Package management pulls installation packages using the PKG_PATH environment variable. Update your root user’s profile with this variable; it is frustrating to track the value down every time packages need to be updated.
Find the nearest repository to your site using OpenBSD’s mirror list (http://openbsd.org/ftp.html).
Edit /root/.profile and add the following line:
export PKG_PATH=<nearest package>
for example:
export PKG_PATH=ftp://filedump.se.rit.edu/pub/OpenBSD/
Check for Package Updates
Periodically check for package updates. Sometimes OpenBSD updates the packages for a distribution. This may happen if a critical bug has been repaired. From the command line, type the following command:
pkg_add -u
You may use the -v flag to get more verbose information during this process.
Package updates could be automated with a cron job, but issues might arise during an upgrade that would affect the base installation. Instead, check for updates regularly by hand to avoid these issues.
Adding Users after Install
Do not use vi to edit /etc/passwd. Old school administrators love to use vi and pwconv when adding or modifying user accounts. That will not work with OpenBSD. Fortunately, the developers understand the love affair with vi and created a program called vipw.
vipw allows the editing of /etc/passwd with vi. Upon completion, vipw updates the appropriate OpenBSD databases.
Alternatively, you may also use the adduser program.