Differences

This shows you the differences between two versions of the page.

--- openbsd:hardening [2020/06/03 06:45]
net_wayfarer wget output of mirrors.dat to /etc/installurl via sed and co, does not parse tab characters as intended. Removing it.
+++ openbsd:hardening [2020/06/03 09:12]
net_wayfarer Replaced wget command with ftp.
@@ Line 38: / Line 38: @@
 #      A list of mirrors can be found at https://www.openbsd.org/ftp.html.
 echo "https://cdn.openbsd.org/pub/OpenBSD" > /etc/installurl
-#      Alternatively, if wget is installed, one can scrape an up-to-date list of HTTPS mirrors using the
+#      Alternatively, one can scrape an up-to-date list of HTTPS mirrors using the following typed
-#      following typed method, and must uncomment at least one of the following https:// prefixed lines.
+#      method, and must uncomment at least one of the following https:// prefixed lines.
-# wget "https://www.openbsd.org/build/mirrors.dat" -O - | grep -e "^GC" -e "^UHS" | uniq | sed 's/^GC/\#\#/;s/^UHS/\#\#/' > /etc/installurl
+# ftp -o - "https://www.openbsd.org/build/mirrors.dat" 2>/dev/null | grep -e "^GC" -e "^UHS" | uniq | sed 's/^GC/\#\#/;s/^UHS/\#\#/' | tee /etc/installurl 2>&1 >/dev/null
 #
 ##################################################################
@@ Line 77: / Line 77: @@
 #      process accounting should be enabled to prevent potentially malicious software from being daemonised
 #      in the background, and to go unchecked. This may also help with optimising ulimit down the track
-echo "accounting=YES" >> /etc/rc.conf.local
+echo "accounting=YES" | tee -a /etc/rc.conf.local 2>&1 >/dev/null
 #
 #      compress core dumps which will save storage space at the expense of CPU and memory
-echo "savecore_flags=-z" >> /etc/rc.conf.local
+echo "savecore_flags=-z" | tee -a /etc/rc.conf.local 2>&1 >/dev/null
 #
 ##################################################################
@@ Line 87: / Line 87: @@
 #      The /tmp directory should be cleared at startup to ensure that any malicious code that may have
 #      entered into the temp file is removed. This will be set as a crontab under root account.
+#      This is already a default in OpenBSD as of 6.6, no need to implement this.
 #
-rm -rf /tmp/* &>/dev/null
+#rm -rf /tmp/* &>/dev/null
-crontab -l | { cat; echo "@reboot rm -rf /tmp/*"; } | crontab -
+#crontab -l | { cat; echo "@reboot rm -rf /tmp/*"; } | crontab -
 #
 ##################################################################
@@ Line 112: / Line 113: @@
 #
 # sysctl -w net.inet.icmp.rediraccept=0
-# echo 'net.inet.icmp.rediraccept=0' >> /etc/sysctl.conf
+# echo 'net.inet.icmp.rediraccept=0' | tee -a /etc/sysctl.conf 2>&1 >/dev/null
 #
 #      This will discover dead connections and clear them.
 #
 sysctl -w net.inet.tcp.always_keepalive=1
-echo 'net.inet.tcp.always_keepalive=1' >> /etc/sysctl.conf
+echo 'net.inet.tcp.always_keepalive=1' | tee -a /etc/sysctl.conf 2>&1 >/dev/null
 #
 #      The TCP/IP Stack is what controls the communication of the computer on a data network.
@@ Line 124: / Line 125: @@
 #      attack.
 # sysctl -w net.inet.icmp.bmcastecho=0
-# echo 'net.inet.icmp.bmcastecho=0' >> /etc/sysctl.conf
+# echo 'net.inet.icmp.bmcastecho=0' | tee -a /etc/sysctl.conf 2>&1 >/dev/null
 #
 #      Disable ICMP routing redirects.  This could allow the computer to have its routing table corrupted by an
@@ Line 130: / Line 131: @@
 #
 sysctl -w net.inet.ip.redirect=0
-echo 'net.inet.ip.redirect=0' >> /etc/sysctl.conf
+echo 'net.inet.ip.redirect=0' | tee -a /etc/sysctl.conf 2>&1 >/dev/null
 sysctl -w net.inet6.ip6.redirect=0
-echo 'net.inet6.ip6.redirect=0' >> /etc/sysctl.conf
+echo 'net.inet6.ip6.redirect=0' | tee -a  /etc/sysctl.conf 2>&1 >/dev/null
 #
 #     Disable ICMP broadcast probes.  This could allow an attacker to reverse engineer details of your
@@ Line 138: / Line 139: @@
 #
 # sysctl -w net.inet.icmp.maskrepl=0
-# echo 'net.inet.icmp.maskrepl=0' >> /etc/sysctl.conf
+# echo 'net.inet.icmp.maskrepl=0' | tee -a /etc/sysctl.conf 2>&1 >/dev/null
 #
 #     Disable IP source routing.  This could allow attackers to spoof IP addresses that you normally trust as
@@ Line 144: / Line 145: @@
 #
 # sysctl -w net.inet.ip.sourceroute=0
-# echo 'net.inet.ip.sourceroute=0' >> /etc/sysctl.conf
+# echo 'net.inet.ip.sourceroute=0' | tee -a /etc/sysctl.conf 2>&1 >/dev/null
 #################################################################
 #################################################################
@@ Line 157: / Line 158: @@
 ##
 ##
-##   Generate a random ID for the IP packets as opposed to incrementing them by one. On machines connected to a busy
+##   Normalise incoming network packets by means of reassembling fragmented packets and removing ambiguity.
-##   network, you may want to specify providing random-id after you have filtered unwanted packets.
+##   https://home.nuug.no/~peter/pf/en/scrub.html
+##   https://serverfault.com/questions/412083/openbsd-pf-match-in-all-scrub-no-df-causes-https-to-be-unreachable-on-mobile
+##   https://man.openbsd.org/i386/pf.conf#TRAFFIC_NORMALISATION
 ##
-##   # match in all scrub (random-id)
+##   # match in all scrub (no-df random-id reassemble tcp)
 ##
-##   Enabling blackholes for udp and tcp will drop all packets that are received on a closed port and will not
+##   Enabling blackholes for UDP and TCP will drop all packets that are received on a closed port and will not
 ##   give a reply. The following is a two part process and must be implemented to achieve the desired effect.
 ##
@@ Line 169: / Line 172: @@
 ##    We do not send out any reset (RST) packets back, especially if the ports are closed.
 ##
-##   # block drop out quick proto {tcp udp} flags R/R
+##   # block all
 ##
 ##################################################################

IRCNow

Page Tools

Site Tools

User Tools

Differences