Hardening OpenBSD Internet Servers
Taking OpenBSD Security to the Limit
This tutorial on how to harden, or improve the security of, OpenBSD Internet
servers includes sections that apply to any UNIX system. Hardening is
making a computer more secure by removing unneeded functions,
restricting access, and tracking changes and processes. It was revised
to cover OpenBSD 3.0 on Dec. 15, 2001 and includes an
overview of the 2.9 to 3.0
changes. A new page on
priorities ranks the value of the
techniques presented here. Familiarity with UNIX system
administration, but not with OpenBSD, is assumed.
It's been suggested (Nov. 2006) that since these pages were written for OpenBSD 3.0
that they are irrelevant to current OpenBSD (4.0). I strongly disagree. Though a few specific
details, such as the 3.0 sendmail DNS lookups issues are irrelevant, this should
be obvious from the context. Nearly everything else is as relevant as when it was
written. This section is not for novices. I've installed 3.4 and 3.9 systems since
this was written and saw no meaningful changes in the install process, system
layout, initialization files, or basic administrative issues. It should
be clear from practically everything I say, that nothing should be used from this
section verbatim.
If you can't adjust for files no longer included in the install,
or services that are no longer default, or other similar minor system variations,
you have no business attempting to apply these techniques. The hardware supported
by the kernel is obviously going to be quite different. Intelligent use of
this section requires that you understand what your system is for,
and what you need and do not need. If you cannot adapt the sample scripts
provided, please stick to a default install. A default install of the current OpenBSD is always
relatively secure. In the right circumstances, the techniques discussed here
can make it more secure (often at the expense of upgradability). If you
don't understand the implications of the suggested changes, you are likely
to make your system less secure.
This how-to harden OpenBSD tutorial begins
with an introduction to Hardening
Concepts, mostly applicable to all operating systems
but opening with a small section that discusses the security
characteristics of OpenBSD.
A new page (Dec. 20, 2001), Priorities, Costs
and Benefits, ranks the techniques discussed here and elsewhere in
terms of security payoff versus the effort and risks involved. Some
background on the development of these pages is provided. The importance
of staying up-to-date with OpenBSD releases is discussed, and the degree to
which these techniques may make upgrades more difficult is a factor in the ranking.
Techniques with the highest security benefits are ranked most highly,
but the variable amount of up-front and ongoing effort, as well as the
risks of implementing some of the techniques, are considered too. A
corresponding Check List page
reduces the steps to short action items with values from 0 (not recommended)
to 5 (essential) in a suggested order of completion.
Basic OpenBSD Installation is an OpenBSD
specific, step-by-step tutorial, intended for those new to OpenBSD.
In addition to reviewing each install prompt it covers disk partitioning
issues, network choices, and strongly recommends installing only the
minimum system plus the development tools if a custom kernel is
going to be made or software installed via source.
A single page with detailed step-by-step how-to harden OpenBSD
instructions grew unmanageably large. Now the
Hardening OpenBSD Contents page provides
one paragraph summaries of the details pages. These pages cover
§ Users, Files and Auditing
§ Removing Unneeded Services
§ Packet Filter and IP Filter as a Host Firewall
§ Immutable Files, Securelevels, Read Only Filesystems, Mount Options
§ Logon Banners to Warn, Not Help Intruders
§ Removing Files, CD-ROM as System Lock
§ Building a Custom Kernel
A final OpenBSD specific page covers
creating a recovery CD ROM. The
recovery CD ROM also contains executable programs deleted in the
Removing Files section so
that they may be used when the CD ROM is in the drive and mounted
but are otherwise not available. The CD can also be used to
migrate a standard configuration to multiple machines.
The hardening OpenBSD tutorial closes with
Users, Groups and Security, which is UNIX
oriented and not OpenBSD specific. This covers restricting file and
directory access via user or security groups. In particular it
includes detailed how-to instructions to ensure that a group of users
shares write access to a directory or
directory tree by setting the setgid (SGID) bit on directories and using the
correct umask.
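The shared-directory technique summarized above, as an added example written for this page rather than a script from the GeodSoft tutorial: the directory gets the setgid bit (mode 2775) so that everything created inside inherits the directory's group instead of the creator's primary group, and users work under umask 002 so new files stay group-writable. The group name is an assumption you replace with your own; the only privileges assumed are the ability to chgrp the directory to that group. Linux does not make the group inheritance mandatory without the setgid bit, while the BSDs inherit the group regardless, so the script sets the bit explicitly on subdirectories it creates and the result is the same on either.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): a group-shared directory
# tree built with the setgid bit on directories plus a group-writable umask.
# Uses only POSIX utilities (mkdir, chgrp, chmod, ls, cut, awk).

# make_shared_dir DIR GROUP
# Creates DIR (and parents), assigns GROUP and sets mode 2775 (drwxrwsr-x).
# The 's' in the group-execute position is the setgid bit: files and
# directories created inside DIR are owned by GROUP, not by the creator's
# primary group, so every member of GROUP can keep writing to them.
make_shared_dir() {
    dir=$1
    group=$2
    mkdir -p "$dir" || return 1
    chgrp "$group" "$dir" || return 1
    chmod 2775 "$dir" || return 1
}

# mode_of PATH
# Prints the symbolic mode string (e.g. drwxrwsr-x) portably from ls -ld;
# the first ten characters are the same on OpenBSD and Linux, so we cut there
# and ignore any trailing ACL/label marker some systems append.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# group_of PATH
# Prints the owning group name (fourth field of ls -ld on both BSD and Linux).
group_of() {
    ls -ld "$1" | awk '{print $4}'
}

# create_in_shared_dir DIR NAME
# What a group member should do inside the shared tree: work under umask 002
# so new files are 664 and new directories 775. The subshell keeps the umask
# change from leaking into the caller's shell. Subdirectories inherit the
# setgid bit automatically on Linux; it is set explicitly here so the
# behaviour is identical on systems that do not inherit it.
create_in_shared_dir() {
    dir=$1
    name=$2
    (
        umask 002
        : > "$dir/$name.txt"
        mkdir "$dir/$name.d" && chmod g+s "$dir/$name.d"
    )
}

# Usage: sh shared_dir.sh /srv/project SHARED_GROUP   (SHARED_GROUP is a placeholder)
# With no arguments the script only defines the functions above.
if [ "$#" -eq 2 ]; then
    make_shared_dir "$1" "$2" && echo "$1: $(mode_of "$1") group=$(group_of "$1")"
fi
```

The check that matters when auditing such a tree is that every directory in it shows `rws` in the group triplet and the expected group, and that no file is group-unwritable; a stray `umask 022` in someone's login profile is the usual cause of a member losing write access and is fixed in the profile, not by loosening the directory to 777.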
Use of good passwords and sound password management is often considered
part of the hardening process.
Password Management
is now a small part of the large section on
Good and Bad Passwords and Password
Cracking.
When discussing passwords, there are links to
password.pl, a highly
configurable Perl password generator. The
source code for an earlier version is now
located in the password section.
Intrusion detection is often considered part of hardening a
system. Some intrusion detection techniques are discussed in
the How-To Homegrown Intrusion
Detection section.
Copyright © 2000 - 2014 by George Shaffer. This material may be
distributed only subject to the terms and conditions set forth in
https://geodsoft.com/terms.htm
(or https://geodsoft.com/cgi-bin/terms.pl).
These terms are subject to change. Distribution is subject to
the current terms, or at the choice of the distributor, those
in an earlier, digitally signed electronic copy of
https://geodsoft.com/terms.htm (or cgi-bin/terms.pl) from the
time of the distribution. Distribution of substantively modified
versions of GeodSoft content is prohibited without the explicit written
permission of George Shaffer. Distribution of the work or derivatives
of the work, in whole or in part, for commercial purposes is prohibited
unless prior written permission is obtained from George Shaffer.
Distribution in accordance with these terms, for unrestricted and
uncompensated public access, non profit, or internal company use is
allowed.