GeodSoft logo   GeodSoft

Hardening OpenBSD Internet Servers
Check List

Below is a list of most tasks described in these Hardening OpenBSD pages or related pages on this web site, arranged in approximately the order it makes sense to do them in. The values, 0 - 5 represent the approximate importance of the task as described on the priorities page: 5 - essential, 4 - very important, 3 - recommended, 2 - useful in some situations, 1 - applicable in special circumstances, 0 - not recommended. Print and review the list and mark all the NO's that will not be performed. Then start from the top, marking the YES's as they are completed.

YN ValOperation or Description
YESNO 5 Install minumum system: base, bsd, etc, man.
YES NO  3 Install compilers / development tools.
YES NO  5 Do NOT install X, games, misc.
YES NO  5 Root password 8 plus characters, mixed case, with symbols and digits.
YES NO  1 Kernel source code intalled.
YES NO  1 Previous GENERIC compared to new GENERIC.
YES NO  1 Pervious CUSTOM compared to new GENERIC
YES NO  1 Old CUSTOM options merged with new GENERIC
YES NO  5 Generic kernel saved when building custom kernel.
YES NO  1 Custom kernel built, "installed", and tested.
YES NO  4 1 - 4 admin users created with passwords, 8 plus characters, mixed case, with symbols and digits.
YES NO  4 Administrative users in group wheel.
YES NO  2 Refine and test file removal script.
YES NO  1 Remove users named, popa3d, uucp, and www, if not needed.
YES NO  1 Fix errors caused by uucp removal in /etc/newsyslogd and /etc/mtree/special.
YES NO  4 Adjust sendmail to DNS availability when needed.
YES NO  1 Adjust sendmail to removed IPv6 support
YES NO  4 Disable rstatd and and rusersd in /etc/inetd.conf
YES NO  4 Disable portmap /etc/rc.conf
YES NO  2 Comment portmap, yp and NFS lines from /etc/rc.
YES NO  3 Disable time, daytime, in /etc/inetd.conf.
YES NO  3 Disable ident and comsat in /etc/inetd.conf.
YES NO  4 Enable TCP Wrappers in /etc/inetd.conf and /etc/hosts.allow and /etc/hosts.deny, if FTP or telenet must be used.
YES NO  3 Disable inetd in /etc/rc.conf, if no services started.
YES NO  4 If using TCP Wrappers enable IPs needed for sshd and sendmail.
YES NO  4 Disable PermitRootLogin in /etc/sshd_config
YES NO  3 Disable Protcol 1 in /etc/sshd_config
YES NO  2 Disable specific interfaces in /etc/sshd_config
YES NO  3 Do full system backup to protect changes.
YES NO  3 Install NTP from source or package for accurate time synchronization.
YES NO  4 Configure HTTP, FTP, SMTP, DHCP, POP3, IMAP or other protocols specific to machines intended function.
YES NO  4 Use "nestat -an" or nmap to check for unknown open ports.
YES NO  5 Close all unknown open ports.
YES NO  4 Install or develop automated host intrusion detection.
YES NO  2 Tighten permsision settings on intitialization and security files and adjust /etc/changelist, /etc/mtree/special, and /etc/security.
YES NO  3 Adapt syslock and sysunlock scripts for immutable files and securelevel 2.
YES NO  2 Set nodev and nosuid mount options in /etc/rc.local and cron job.
YES NO  1 Set noexec mount option (on /tmp) in /etc/rc.local and cron job.
YES NO  0 Set read only file system(s) /? /usr?
YES NO  2 Adjust login banners to supress system data and warn intruders.
YES NO  3 Do full system backup to protect changes.
YES NO  5 Set up host based firewall, if no outer firewall
YES NO  2 Run tested remove script.
YES NO  2 Create recovery CD from deleted and reinstall tars.
YES NO  5 Develop and test backup procedures.
YES NO  5 Install and configure applications with data.
YES NO  4 Create application users and groups with appropriate directory permissions and umask.
transparent spacer

Top of Page - Site Map

Copyright © 2000 - 2014 by George Shaffer. This material may be distributed only subject to the terms and conditions set forth in (or These terms are subject to change. Distribution is subject to the current terms, or at the choice of the distributor, those in an earlier, digitally signed electronic copy of (or cgi-bin/ from the time of the distribution. Distribution of substantively modified versions of GeodSoft content is prohibited without the explicit written permission of George Shaffer. Distribution of the work or derivatives of the work, in whole or in part, for commercial purposes is prohibited unless prior written permission is obtained from George Shaffer. Distribution in accordance with these terms, for unrestricted and uncompensated public access, non profit, or internal company use is allowed.

Home >
How-To >
Harden OpenBSD >
Details Contents >

What's New
Email address

Copyright © 2000-2014, George Shaffer. Terms and Conditions of Use.