This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
openbsd:hardening [2020/06/03 06:45] net_wayfarer wget output of mirrors.dat to /etc/installurl via sed and co, does not parse tab characters as intended. Removing it. |
openbsd:hardening [2020/06/05 09:51] (current) net_wayfarer PF section is mostly done. Not going to go rambling on with it and will update it with links as needed. |
||
|---|---|---|---|
| Line 38: | Line 38: | ||
| # A list of mirrors can be found at https://www.openbsd.org/ftp.html. | # A list of mirrors can be found at https://www.openbsd.org/ftp.html. | ||
| echo "https://cdn.openbsd.org/pub/OpenBSD" > /etc/installurl | echo "https://cdn.openbsd.org/pub/OpenBSD" > /etc/installurl | ||
| - | # Alternatively, if wget is installed, one can scrape an up-to-date list of HTTPS mirrors using the | + | # Alternatively, one can scrape an up-to-date list of HTTPS mirrors using the following typed |
| - | # following typed method, and must uncomment at least one of the following https:// prefixed lines. | + | # method, and must uncomment at least one of the following https:// prefixed lines. |
| - | # wget "https://www.openbsd.org/build/mirrors.dat" -O - | grep -e "^GC" -e "^UHS" | uniq | sed 's/^GC/\#\#/;s/^UHS/\#\#/' > /etc/installurl | + | # ftp -o - "https://www.openbsd.org/build/mirrors.dat" 2>/dev/null | grep -e "^GC" -e "^UHS" | uniq | sed 's/^GC/\#\#/;s/^UHS/\#\#/' | tee /etc/installurl 2>&1 >/dev/null |
| # | # | ||
| ################################################################## | ################################################################## | ||
| Line 77: | Line 77: | ||
| # process accounting should be enabled to prevent potentially malicious software from being daemonised | # process accounting should be enabled to prevent potentially malicious software from being daemonised | ||
| # in the background, and to go unchecked. This may also help with optimising ulimit down the track | # in the background, and to go unchecked. This may also help with optimising ulimit down the track | ||
| - | echo "accounting=YES" >> /etc/rc.conf.local | + | echo "accounting=YES" | tee -a /etc/rc.conf.local 2>&1 >/dev/null |
| # | # | ||
| # compress core dumps which will save storage space at the expense of CPU and memory | # compress core dumps which will save storage space at the expense of CPU and memory | ||
| - | echo "savecore_flags=-z" >> /etc/rc.conf.local | + | echo "savecore_flags=-z" | tee -a /etc/rc.conf.local 2>&1 >/dev/null |
| # | # | ||
| ################################################################## | ################################################################## | ||
| Line 87: | Line 87: | ||
| # The /tmp directory should be cleared at startup to ensure that any malicious code that may have | # The /tmp directory should be cleared at startup to ensure that any malicious code that may have | ||
| # entered into the temp file is removed. This will be set as a crontab under root account. | # entered into the temp file is removed. This will be set as a crontab under root account. | ||
| + | # This is already a default in OpenBSD as of 6.6, no need to implement this. | ||
| # | # | ||
| - | rm -rf /tmp/* &>/dev/null | + | #rm -rf /tmp/* &>/dev/null |
| - | crontab -l | { cat; echo "@reboot rm -rf /tmp/*"; } | crontab - | + | #crontab -l | { cat; echo "@reboot rm -rf /tmp/*"; } | crontab - |
| # | # | ||
| ################################################################## | ################################################################## | ||
| Line 112: | Line 113: | ||
| # | # | ||
| # sysctl -w net.inet.icmp.rediraccept=0 | # sysctl -w net.inet.icmp.rediraccept=0 | ||
| - | # echo 'net.inet.icmp.rediraccept=0' >> /etc/sysctl.conf | + | # echo 'net.inet.icmp.rediraccept=0' | tee -a /etc/sysctl.conf 2>&1 >/dev/null |
| # | # | ||
| # This will discover dead connections and clear them. | # This will discover dead connections and clear them. | ||
| # | # | ||
| sysctl -w net.inet.tcp.always_keepalive=1 | sysctl -w net.inet.tcp.always_keepalive=1 | ||
| - | echo 'net.inet.tcp.always_keepalive=1' >> /etc/sysctl.conf | + | echo 'net.inet.tcp.always_keepalive=1' | tee -a /etc/sysctl.conf 2>&1 >/dev/null |
| # | # | ||
| # The TCP/IP Stack is what controls the communication of the computer on a data network. | # The TCP/IP Stack is what controls the communication of the computer on a data network. | ||
| Line 124: | Line 125: | ||
| # attack. | # attack. | ||
| # sysctl -w net.inet.icmp.bmcastecho=0 | # sysctl -w net.inet.icmp.bmcastecho=0 | ||
| - | # echo 'net.inet.icmp.bmcastecho=0' >> /etc/sysctl.conf | + | # echo 'net.inet.icmp.bmcastecho=0' | tee -a /etc/sysctl.conf 2>&1 >/dev/null |
| # | # | ||
| # Disable ICMP routing redirects. This could allow the computer to have its routing table corrupted by an | # Disable ICMP routing redirects. This could allow the computer to have its routing table corrupted by an | ||
| Line 130: | Line 131: | ||
| # | # | ||
| sysctl -w net.inet.ip.redirect=0 | sysctl -w net.inet.ip.redirect=0 | ||
| - | echo 'net.inet.ip.redirect=0' >> /etc/sysctl.conf | + | echo 'net.inet.ip.redirect=0' | tee -a /etc/sysctl.conf 2>&1 >/dev/null |
| sysctl -w net.inet6.ip6.redirect=0 | sysctl -w net.inet6.ip6.redirect=0 | ||
| - | echo 'net.inet6.ip6.redirect=0' >> /etc/sysctl.conf | + | echo 'net.inet6.ip6.redirect=0' | tee -a /etc/sysctl.conf 2>&1 >/dev/null |
| # | # | ||
| # Disable ICMP broadcast probes. This could allow an attacker to reverse engineer details of your | # Disable ICMP broadcast probes. This could allow an attacker to reverse engineer details of your | ||
| Line 138: | Line 139: | ||
| # | # | ||
| # sysctl -w net.inet.icmp.maskrepl=0 | # sysctl -w net.inet.icmp.maskrepl=0 | ||
| - | # echo 'net.inet.icmp.maskrepl=0' >> /etc/sysctl.conf | + | # echo 'net.inet.icmp.maskrepl=0' | tee -a /etc/sysctl.conf 2>&1 >/dev/null |
| # | # | ||
| # Disable IP source routing. This could allow attackers to spoof IP addresses that you normally trust as | # Disable IP source routing. This could allow attackers to spoof IP addresses that you normally trust as | ||
| Line 144: | Line 145: | ||
| # | # | ||
| # sysctl -w net.inet.ip.sourceroute=0 | # sysctl -w net.inet.ip.sourceroute=0 | ||
| - | # echo 'net.inet.ip.sourceroute=0' >> /etc/sysctl.conf | + | # echo 'net.inet.ip.sourceroute=0' | tee -a /etc/sysctl.conf 2>&1 >/dev/null |
| ################################################################# | ################################################################# | ||
| ################################################################# | ################################################################# | ||
| Line 157: | Line 158: | ||
| ## | ## | ||
| ## | ## | ||
| - | ## Generate a random ID for the IP packets as opposed to incrementing them by one. On machines connected to a busy | + | ## Normalise incoming network packets by means of reassembling fragmented packets and removing ambiguity. |
| - | ## network, you may want to specify providing random-id after you have filtered unwanted packets. | + | ## https://home.nuug.no/~peter/pf/en/scrub.html |
| + | ## https://serverfault.com/questions/412083/openbsd-pf-match-in-all-scrub-no-df-causes-https-to-be-unreachable-on-mobile | ||
| + | ## https://man.openbsd.org/i386/pf.conf#TRAFFIC_NORMALISATION | ||
| ## | ## | ||
| - | ## # match in all scrub (random-id) | + | ## # match in all scrub (no-df random-id reassemble tcp) |
| ## | ## | ||
| - | ## Enabling blackholes for udp and tcp will drop all packets that are received on a closed port and will not | + | ## Enabling blackholes for UDP and TCP will drop all packets that are received on a closed port and will not |
| ## give a reply. The following is a two part process and must be implemented to achieve the desired effect. | ## give a reply. The following is a two part process and must be implemented to achieve the desired effect. | ||
| ## | ## | ||
| + | ## | ||
| + | ## By default, openbsd drops packets, https://www.openbsd.org/faq/pf/options.html | ||
| ## # set block-policy drop | ## # set block-policy drop | ||
| ## | ## | ||
| ## We do not send out any reset (RST) packets back, especially if the ports are closed. | ## We do not send out any reset (RST) packets back, especially if the ports are closed. | ||
| + | ## https://www.openbsd.org/faq/pf/filter.html#defdeny | ||
| + | ## # block all | ||
| + | ## | ||
| + | ## Under no circumstances should this PF section be deemed as complete. A seasoned system administrator | ||
| + | ## will know how to write a proper firewall configuration tailored to their network, as each and every | ||
| + | ## network is unique in their own ways. However, the following below are some general recommended | ||
| + | ## reading on writing a proper firewall configuration. Do not simply just copy and paste rules into your own | ||
| + | ## machine. Do take time in reading up and consulting the various information that are available in both free | ||
| + | ## and paid (book) forms. | ||
| ## | ## | ||
| - | ## # block drop out quick proto {tcp udp} flags R/R | + | ## # https://harrykar.blogspot.com/2010/07/openbsd-packet-filteringpf.html |
| + | ## # http://daemonforums.org/showthread.php?t=8419 | ||
| ## | ## | ||
| ################################################################## | ################################################################## | ||