Security tips
Here I try to explain what further measures I took to further secure my system.
Note: it is Considered Wise(tm) to back up any file before you edit it, to something like origfile-dist, where origfile is the name of the file you're about to modify.
I tortured my system with the following:
- Log in to the machine as root. Add your own user account. Put that account in the group wheel, so you will be able to su to root.
- If you're just a little paranoid, you should edit /etc/sshd_config:
    "PermitRootLogin yes" -> "PermitRootLogin no"
  This disables root logins over the network and that's a Good Thing(tm).
- Different versions of OpenBSD have different services enabled/disabled by default. Check /etc/inetd.conf and /etc/rc.conf and disable what you don't like and enable what pleases you. Use a portscanner like nmap to double check you haven't forgotten anything to turn on or off.
- OpenBSD 2.7's /etc/inetd.conf file contains some lines I like to comment out: finger, comsat, ntalk, daytime, time, rstatd/1-3 and rusersd/1-3. So I commented them out (-:
- If portmap makes you puke, edit /etc/rc.conf and change portmap=YES into something better. For instance: portmap=NO.
- /etc/inetd.conf contains a line for the ident daemon:
    ident stream tcp nowait nobody /usr/libexec/identd identd -elo
  But I'd like to run it through the tcp_wrapper, so I changed it to:
    ident stream tcp nowait nobody /usr/libexec/tcpd identd -elo
- /etc/hosts.allow and /etc/hosts.deny define which hosts may or may not use certain system facilities. If you're paranoid you place only one line in /etc/hosts.deny:
    ALL: ALL
  After that you define the hosts that may connect to your system in /etc/hosts.allow, e.g.:
    in.proftpd: 192.168.0. trusted-host.microsoft.com .no-evil-here.net
    identd: ALL
- cron is a neat, but powerful scheduler for Unices. But you might not want to have anyone being able to use it. For limited access create a file in /var/cron called allow if only a limited set of people may have a crontab. Create a deny file in that same directory if you want everyone to be able to use cron except a few nasty bastards you don't like/trust enough. /var/cron/allow:
    root
    alex
    forge
- Remote syslog. It is possible to whisper in syslogd's ear that it should send its log entries not only to the various files in /var/log, but also to a remote host listening on the UDP syslog port (udp/514). Fire up /etc/syslog.conf in vi and place anywhere you like the following line:
    *.*	@192.168.5.14
  Now syslogd will also send ALL entries fed to it to udp/192.168.5.14:514. Be careful to only use tabs when editing /etc/syslog.conf. Spaces are poison for syslogd.
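Since several of the steps above come down to "edit this file and make sure the line looks like that", here is a small audit script that checks the resulting files for the settings discussed: PermitRootLogin, which inetd services are still enabled and whether ident goes through tcpd, the ALL: ALL default deny, the cron allow list, and the tab-versus-space trap in syslog.conf. It is an added example and not code from the original page. Every check takes the file to inspect as a parameter, and the script builds constructed sample files in a scratch directory so it runs anywhere; on a real box you would point it at /etc/sshd_config, /etc/inetd.conf, /etc/hosts.deny, /var/cron/allow and /etc/syslog.conf instead. The sample inetd.conf lines and the tcpd path assume the layout shown on the page.

```shell
#!/bin/sh
# Added audit helper, not part of the original page. Each function returns
# exit status 0 when the setting looks right, so it can be used in "if".

# sshd uses the first PermitRootLogin value it reads, so only that line counts.
root_login_disabled() {
    v=$(grep -Ei '^[[:space:]]*PermitRootLogin[[:space:]]' "$1" | head -n 1 |
        awk '{print tolower($2)}')
    [ "$v" = "no" ]
}

# Print the service name of every inetd.conf line that is neither a comment
# nor blank, i.e. what inetd will actually listen for.
enabled_inetd_services() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | awk '{print $1}'
}

# Is service $1 (e.g. finger) still enabled in inetd.conf $2?
inetd_service_enabled() {
    enabled_inetd_services "$2" | grep -x "$1" >/dev/null
}

# Is service $1 in inetd.conf $2 started through tcpd? Field 6 of an
# inetd.conf line is the server program.
inetd_service_wrapped() {
    grep -Ev '^[[:space:]]*(#|$)' "$2" |
        awk -v s="$1" '$1 == s && $6 == "/usr/libexec/tcpd" { f = 1 } END { exit f ? 0 : 1 }'
}

# Does hosts.deny $1 carry the default-deny "ALL: ALL" line?
hosts_deny_all() {
    grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL' "$1"
}

# May user $1 install a crontab according to allow file $2?
cron_user_allowed() {
    grep -qx "$1" "$2"
}

# Exit status 0 if a non-comment syslog.conf line separates selector and
# action with spaces instead of a tab (the "poison" mentioned above).
syslog_conf_has_space_separator() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | grep -Eq '^[^[:space:]]+ +'
}

# Constructed sample files mirroring the settings discussed on the page;
# the scratch directory path is printed on stdout.
make_samples() {
    dir=$(mktemp -d) || return 1
    printf 'PermitRootLogin no\n' > "$dir/sshd_config"
    printf 'PermitRootLogin yes\n' > "$dir/sshd_config.bad"
    {
        printf '#finger stream tcp nowait nobody /usr/libexec/fingerd fingerd\n'
        printf '#daytime stream tcp nowait root internal\n'
        printf 'ident stream tcp nowait nobody /usr/libexec/tcpd identd -elo\n'
    } > "$dir/inetd.conf"
    printf 'ALL: ALL\n' > "$dir/hosts.deny"
    printf 'root\nalex\nforge\n' > "$dir/cron.allow"
    printf '*.*\t@192.168.5.14\n' > "$dir/syslog.conf"      # tab: correct
    printf '*.* @192.168.5.14\n' > "$dir/syslog.conf.bad"   # space: poison
    echo "$dir"
}

# Demo run over the constructed samples, one line per check.
demo=$(make_samples)
check() { if "$@"; then echo "ok   $1"; else echo "FAIL $1"; fi; }
check root_login_disabled "$demo/sshd_config"
check hosts_deny_all "$demo/hosts.deny"
check inetd_service_wrapped ident "$demo/inetd.conf"
check cron_user_allowed alex "$demo/cron.allow"
echo "still enabled in inetd.conf: $(enabled_inetd_services "$demo/inetd.conf")"
if syslog_conf_has_space_separator "$demo/syslog.conf.bad"; then
    echo "syslog.conf.bad uses spaces, syslogd would choke on it"
fi
```

The enabled_inetd_services output is what you compare against your nmap scan: anything listed there that nmap does not show (or the other way round) means a service is not in the state you think it is.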