openbsd:hardening [2020/04/02 12:07] net_wayfarer Dumped draft hardening script/document. |
openbsd:hardening [2020/06/05 09:51] (current) net_wayfarer PF section is mostly done. Not going to go rambling on with it and will update it with links as needed. |
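--- a/openbsd:hardening
+++ b/openbsd:hardening
@@ -38,7 +38,7 @@
 # A list of mirrors can be found at https://www.openbsd.org/ftp.html.
 echo "https://cdn.openbsd.org/pub/OpenBSD" > /etc/installurl
-# Alternatively, if wget is installed, one can scrape an up-to-date list of HTTPS mirrors using the
-# following typed method, and must uncomment at least one of the following https:// prefixed lines.
-# wget "https://www.openbsd.org/build/mirrors.dat" -O - | grep -e "^GC" -e "^UHS" | uniq | sed 's/^GC/\#\#/;s/^UHS/\#\#/;s/\t/\ /' > /etc/installurl
+# Alternatively, one can scrape an up-to-date list of HTTPS mirrors using the following typed
+# method, and must uncomment at least one of the following https:// prefixed lines.
+# ftp -o - "https://www.openbsd.org/build/mirrors.dat" 2>/dev/null | grep -e "^GC" -e "^UHS" | uniq | sed 's/^GC/\#\#/;s/^UHS/\#\#/' | tee /etc/installurl 2>&1 >/dev/null
 #
 ##################################################################
@@ -77,8 +77,8 @@
 # process accounting should be enabled to prevent potentially malicious software from being daemonised
 # in the background, and to go unchecked. This may also help with optimising ulimit down the track
-echo "accounting=YES" >> /etc/rc.conf.local
+echo "accounting=YES" | tee -a /etc/rc.conf.local 2>&1 >/dev/null
 #
 # compress core dumps which will save storage space at the expense of CPU and memory
-echo "savecore_flags=-z" >> /etc/rc.conf.local
+echo "savecore_flags=-z" | tee -a /etc/rc.conf.local 2>&1 >/dev/null
 #
 ##################################################################
@@ -87,7 +87,8 @@
 # The /tmp directory should be cleared at startup to ensure that any malicious code that may have
 # entered into the temp file is removed. This will be set as a crontab under root account.
+# This is already a default in OpenBSD as of 6.6, no need to implement this.
 #
-rm -rf /tmp/* &>/dev/null
-crontab -l | { cat; echo "@reboot rm -rf /tmp/*"; } | crontab -
+#rm -rf /tmp/* &>/dev/null
+#crontab -l | { cat; echo "@reboot rm -rf /tmp/*"; } | crontab -
 #
 ##################################################################
@@ -112,10 +113,10 @@
 #
 # sysctl -w net.inet.icmp.rediraccept=0
-# echo 'net.inet.icmp.rediraccept=0' >> /etc/sysctl.conf
+# echo 'net.inet.icmp.rediraccept=0' | tee -a /etc/sysctl.conf 2>&1 >/dev/null
 #
 # This will discover dead connections and clear them.
 #
 sysctl -w net.inet.tcp.always_keepalive=1
-echo 'net.inet.tcp.always_keepalive=1' >> /etc/sysctl.conf
+echo 'net.inet.tcp.always_keepalive=1' | tee -a /etc/sysctl.conf 2>&1 >/dev/null
 #
 # The TCP/IP Stack is what controls the communication of the computer on a data network.
@@ -124,5 +125,5 @@
 # attack.
 # sysctl -w net.inet.icmp.bmcastecho=0
-# echo 'net.inet.icmp.bmcastecho=0' >> /etc/sysctl.conf
+# echo 'net.inet.icmp.bmcastecho=0' | tee -a /etc/sysctl.conf 2>&1 >/dev/null
 #
 # Disable ICMP routing redirects. This could allow the computer to have its routing table corrupted by an
@@ -130,7 +131,7 @@
 #
 sysctl -w net.inet.ip.redirect=0
-echo 'net.inet.ip.redirect=0' >> /etc/sysctl.conf
+echo 'net.inet.ip.redirect=0' | tee -a /etc/sysctl.conf 2>&1 >/dev/null
 sysctl -w net.inet6.ip6.redirect=0
-echo 'net.inet6.ip6.redirect=0' >> /etc/sysctl.conf
+echo 'net.inet6.ip6.redirect=0' | tee -a /etc/sysctl.conf 2>&1 >/dev/null
 #
 # Disable ICMP broadcast probes. This could allow an attacker to reverse engineer details of your
@@ -138,5 +139,5 @@
 #
 # sysctl -w net.inet.icmp.maskrepl=0
-# echo 'net.inet.icmp.maskrepl=0' >> /etc/sysctl.conf
+# echo 'net.inet.icmp.maskrepl=0' | tee -a /etc/sysctl.conf 2>&1 >/dev/null
 #
 # Disable IP source routing. This could allow attackers to spoof IP addresses that you normally trust as
@@ -144,5 +145,5 @@
 #
 # sysctl -w net.inet.ip.sourceroute=0
-# echo 'net.inet.ip.sourceroute=0' >> /etc/sysctl.conf
+# echo 'net.inet.ip.sourceroute=0' | tee -a /etc/sysctl.conf 2>&1 >/dev/null
 #################################################################
 #################################################################
@@ -157,17 +158,31 @@
 ##
 ##
-## Generate a random ID for the IP packets as opposed to incrementing them by one. On machines connected to a busy
-## network, you may want to specify providing random-id after you have filtered unwanted packets.
+## Normalise incoming network packets by means of reassembling fragmented packets and removing ambiguity.
+## https://home.nuug.no/~peter/pf/en/scrub.html
+## https://serverfault.com/questions/412083/openbsd-pf-match-in-all-scrub-no-df-causes-https-to-be-unreachable-on-mobile
+## https://man.openbsd.org/i386/pf.conf#TRAFFIC_NORMALISATION
 ##
-## # match in all scrub (random-id)
+## # match in all scrub (no-df random-id reassemble tcp)
 ##
-## Enabling blackholes for udp and tcp will drop all packets that are received on a closed port and will not
+## Enabling blackholes for UDP and TCP will drop all packets that are received on a closed port and will not
 ## give a reply. The following is a two part process and must be implemented to achieve the desired effect.
 ##
+##
+## By default, openbsd drops packets, https://www.openbsd.org/faq/pf/options.html
 ## # set block-policy drop
 ##
 ## We do not send out any reset (RST) packets back, especially if the ports are closed.
+## https://www.openbsd.org/faq/pf/filter.html#defdeny
+## # block all
+##
+## Under no circumstances should this PF section be deemed as complete. A seasoned system administrator
+## will know how to write a proper firewall configuration tailored to their network, as each and every
+## network is unique in their own ways. However, the following below are some general recommended
+## reading on writing a proper firewall configuration. Do not simply just copy and paste rules into your own
+## machine. Do take time in reading up and consulting the various information that are available in both free
+## and paid (book) forms.
 ##
-## # block drop out quick proto {tcp udp} flags R/R
+## # https://harrykar.blogspot.com/2010/07/openbsd-packet-filteringpf.html
+## # http://daemonforums.org/showthread.php?t=8419
 ##
 ##################################################################
@@ -250,5 +265,5 @@
 # Strip off the ability to being able to enumerate the list of previously logged in users and their IPs.
 chmod o= /var/log/wtmp*
-crontab -l | { cat; echo "@reboot chmod o= /var/log/wtmp*"; } | crontab -
+mv /etc/newsyslog.conf /etc/newsyslog.conf.orig ; sed 's/644/640' /etc/newsyslog.conf.orig > /etc/newsyslog.conf
 #
 # Restrict users from being able to access tools normally used diagnostic purposes, as this can be abused.
@@ -256,8 +271,23 @@
 chmod o= /usr/sbin
 chmod o= /usr/local/sbin
+#
+# Strip sbin paths for unprivileged users.
+mkdir /etc/skel.orig/
+mv /etc/skel/.profile /etc/skel.orig/.profile
+sed 's/\/sbin://g ; s/\/usr\/usr/\/usr/ ; s/\/usr\/local\/u/\/u/' /etc/skel.orig/.profile > /etc/skel/.profile
+mv /etc/skel/.cshrc /etc/skel.orig/.cshrc
+sed 's/\ \/sbin// ; s/sbin\,// ; s/local\/sbin\,//' /etc/skel.orig/.cshrc > /etc/skel/.cshrc
+mv /etc/login.conf /etc/login.conf.orig
+sed 's/\/usr\sbin\ \/sbin// ; s/\ \/usr\/local\/sbin.*/\:\\/' /etc/login.conf.orig > /etc/login.conf
+## At this point you may want to consider about replicating the default login and renaming it to something else
+## Like trusted, and give it the paths that does not have sbin stripped out.
 #
 # Restrict users from being able to access tools normally used system maintenance, as this can be abused.
-chmod o= /usr/bin/fstat
-chmod o= /usr/bin/netstat
-chmod o= /usr/bin/logger
+mv /usr/bin/fstat /usr/sbin && ln -s /usr/sbin/fstat /usr/bin/fstat && chmod -h 550 /usr/bin/fstat
+mv /usr/bin/netstat /usr/sbin && ln -s /usr/sbin/netstat /usr/bin/netstat && chmod -h 550 /usr/bin/netstat
+mv /usr/bin/logger /usr/sbin && ln -s /usr/sbin/logger /usr/bin/logger && chmod -h 550 /usr/bin/logger
+chmod o= /usr/sbin/*
+#
+# Restrict users from seeing processes that does not belong to them.
+# http://openbsd-archive.7691.n7.nabble.com/Patch-to-hide-processes-from-people-td382607.html
 </code>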
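Review bot: The newsyslog substitution in the "Line 250" hunk, `sed 's/644/640'`, is missing its closing delimiter, so sed rejects the expression; because the shell has already truncated `/etc/newsyslog.conf` with `>` and the original was just moved to `.orig`, the host ends up with an empty newsyslog.conf and log rotation silently stops. It should read `sed 's/644/640/' /etc/newsyslog.conf.orig > /etc/newsyslog.conf`, and the same mv-then-redirect pattern on the .profile, .cshrc and login.conf lines will overwrite the `.orig` backup with the already-modified copy if the script is run a second time, so a guard such as `[ -e /etc/newsyslog.conf.orig ] || mv ...` is worth adding to each. The login.conf expression also contains `\/usr\sbin` where `\/usr\/sbin` appears to be intended, so that substitution likely never matches and `/usr/sbin` stays in the default class path. Relocating fstat, netstat and logger into /usr/sbin changes base-system file layout, which syspatch or sysupgrade may later restore; the `chmod o= /usr/sbin` and `chmod o= /usr/sbin/*` lines already deny other users, so a comment recording why the move is needed beyond that would help the next maintainer.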