____________________________________________________________________________
____________________________________________________________________________

01010111 01001001 01010010 01000101 01000100 01010011 -> 01000101 01000011 01010101 01010010 01001001 01010100 -> 01011001

____________________________________________________________________________
                          HARDENING OPENBSD 4.X
____________________________________________________________________________

_________________________________
|| 0x00: ABOUT ME
|| 0x01: INTRODUCTION
|| 0x02: DURING THE INSTALLATION
|| 0x03: AFTER THE INSTALLATION
|| 0x04: PATCHING THE SYSTEM
|| 0x05: BUILDING THE SYSTEM
|| 0x06: MAKING THE CRYPTO DEVICE
|| 0x07: CONCLUSION
____________________________________________________________
____________________________________________________________

_________________
|| 0x00: ABOUT ME

Author: SkyOut
Date: 2007
Website: http://wired-security.net/

______________________
|| 0x01: INTRODUCTION

In this article I want to show you how to make a default installation of OpenBSD 4.X even more secure than it already is. We will cover several aspects of hardening the OS: putting /tmp and /var/run into RAM so that data left there is hard (or impossible) to recover from the disk, bringing the system up to date, disabling services we do not need, and building an encrypted device for the files in the home directories. Furthermore we will write some simple scripts that do these jobs for us and make our life more relaxed. None of this needs any extra software; everything used here is already built into OpenBSD 4.X. Let us start...

________________________________
|| 0x02: DURING THE INSTALLATION

The first steps have to be taken during the installation of the operating system, when you are asked which partitions you want and how the disk shall be partitioned. In our example we take a 10GB partition for the root directory /, 1GB for the swap partition and give all the rest to a /crypto partition, which will later hold the image file of the encrypted device.
Of course you could use more partitions for your own special needs, but in our example it is not necessary. After you have written this disklabel, just finish the installation as usual.

_______________________________
|| 0x03: AFTER THE INSTALLATION

After the installation we begin to modify configuration files and secure the system. Let us start with /etc/fstab; normally it looks similar to this:

=== code ===>>>
1 /dev/wd0a / ffs rw 1 1
==========>>>

Now we change it to the following:

=== code ===>>>
1 /dev/wd0a / ffs rw,softdep 1 1
2 /dev/wd0b /tmp mfs rw,nodev,nosuid,-s=153600 0 0
3 /dev/wd0b /var/run mfs rw,nodev,nosuid,-s=1024 0 0
==========>>>

In line 1 we only add the softdep option (soft dependencies, which make metadata updates faster). The following lines are more interesting. In line 2 we put /tmp into RAM: mfs is a memory file system, and /dev/wd0b (our swap partition) is only named as its backing device, nothing is written to it directly. Take care with the -s option: on OpenBSD 4.X it counts 512-byte sectors, so -s=153600 gives a /tmp of about 75MB, not 150MB; use -s=307200 if you want 150MB, and check the result with "df -k /tmp" after the next reboot. The nodev and nosuid options make sure that device nodes and set-uid binaries dropped into the world-writable /tmp cannot be used. In line 3 we also put /var/run into RAM, because the pid, utmp and database files kept there can sometimes be used to recover interesting information about what ran on the machine; 1024 sectors (512KB) are plenty for it. Two caveats: the contents of an mfs live in memory and can be paged out to swap, so make sure swap encryption is on ("sysctl vm.swapencrypt.enable" should report 1, which is the default on 4.X); and programs like Lynx save downloaded files in /tmp, so a small /tmp can quickly be far too little. Change the temporary directory of such programs before saving big files there, or give /tmp a larger size.

_____________________________
|| 0x04: PATCHING THE SYSTEM

Now let us fetch the source tree from CVS to get a system that is up to date and fully patched. We want the best security we can get, so this step is necessary: the OPENBSD_4_X branch (the -stable branch of your release) carries the errata fixes for that release, and in the next section we will build the kernel and the userland from it.
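Before we fetch the sources, one check for the fstab entries of section 0x03. The following is an added example and not a script from the original article: it reads an fstab, prints every mfs entry with its real size (assuming, as on OpenBSD 4.X, that -s counts 512-byte sectors, so the size in KB is the sector count divided by two) and fails if nodev or nosuid is missing. The fstab lines in the usage comment are constructed for the example.

```sh
#!/bin/sh
# fstab_mfs_check FILE: report every mfs entry in an fstab(5) and return 1
# if one of them lacks nodev or nosuid. Added example, not from the article.
# Assumption: mount_mfs -s counts 512-byte sectors (OpenBSD 4.X), so KB = sectors / 2.
fstab_mfs_check() {
    rc=0
    while read -r dev mnt type opts dump pass; do
        case "$dev" in ''|'#'*) continue ;; esac   # skip blank lines and comments
        [ "$type" = mfs ] || continue
        # pull the number out of "-s=NNN" in the option list
        sectors=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^-s=//p')
        kb=$(( ${sectors:-0} / 2 ))
        nodev=no; nosuid=no
        case ",$opts," in *,nodev,*)  nodev=yes ;; esac
        case ",$opts," in *,nosuid,*) nosuid=yes ;; esac
        printf '%s backed by %s: %s KB nodev=%s nosuid=%s\n' \
            "$mnt" "$dev" "$kb" "$nodev" "$nosuid"
        if [ "$nodev" != yes ] || [ "$nosuid" != yes ]; then rc=1; fi
    done < "$1"
    return $rc
}

# usage: fstab_mfs_check /etc/fstab
# with the article's fstab this prints (constructed sample):
#   /tmp backed by /dev/wd0b: 76800 KB nodev=yes nosuid=yes
#   /var/run backed by /dev/wd0b: 512 KB nodev=yes nosuid=yes
if [ -n "${1:-}" ]; then fstab_mfs_check "$1"; fi
```

Run it against /etc/fstab before rebooting; a non-zero exit status means one of the RAM file systems would come up without the nodev/nosuid protection, and the KB column shows whether the size you wrote is really the one you meant.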
We fetch the -stable sources of src, ports and XF4 from the anoncvs server of openbsd.org (replace 4_X with the release you are running, for example OPENBSD_4_1 for 4.1):

=== code ===>>>
export CVSROOT=anoncvs@anoncvs.openbsd.org:/cvs
cd /usr
cvs -q -z5 update -rOPENBSD_4_X -Pd {ports,src,XF4}
==========>>>

The -P prunes empty directories and -d creates directories that were added on the branch. Note that "cvs update" only works on a tree that was already checked out, for example from the src.tar.gz and ports.tar.gz on the release CD; if /usr/src is empty, use "cvs -q -z5 get -rOPENBSD_4_X -P src" (and the same for ports) instead. From OpenBSD 4.2 on, X lives in the xenocara module, so use xenocara in place of XF4 there.

Now you have the updated sources on your computer. Let us do one more thing that can help us later:

=== code ===>>>
echo "DEBUG=-g" >> /etc/mk.conf
==========>>>

This enables debug symbols for everything built from the ports tree. It can be very helpful to have tools from ports built with this flag when you want to analyze the core dump a program leaves behind after a crash (if such a thing happens).

So far, so good. Now open an editor of your choice, preferably vi, and edit /etc/inetd.conf. Comment out ALL lines by prepending a # to each one; this disables all the inetd services, which we do not need on a desktop system (leave the ones you really use uncommented). Next we edit /etc/rc.conf.local, which holds our overrides of the defaults in /etc/rc.conf, to shut down further services we do not need. Mine looks like this:

=== code ===>>>
sshd_flags=NO
ntpd_flags=NO
sendmail_flags=NO
inetd=NO
==========>>>

As you can see we have disabled all network services (SSH, NTP, Sendmail and inetd). With inetd=NO the daemon is not started at all, so the commented-out inetd.conf is a second line of defence. Check after the next reboot with "netstat -an -f inet" that nothing is listening any more.

____________________________
|| 0x05: BUILDING THE SYSTEM

Now we build the kernel and the whole system from the sources we just fetched. Just take the following steps as shown; I will not explain them in detail. The only thing that might be interesting to you is the kernel configuration: in this example we use GENERIC, if you have a multiprocessor machine use GENERIC.MP, and of course you can make further changes to the configuration, depending on your wishes. The commands are for i386; on another architecture replace i386 with the output of "machine".
=== code ===>>>
cd /usr/src/sys/arch/i386/conf
config GENERIC
cd ../compile/GENERIC
make clean && make depend && make && make install
==========>>>

"make install" puts the new kernel in place as /bsd and keeps the previous one as /obsd, so you can boot "obsd" from the boot prompt if the new kernel does not come up. Reboot into the new kernel before building the userland, as release(8) recommends, then:

=== code ===>>>
cd /usr/src
make obj && make build
==========>>>

After some time, and hopefully no errors, your system is finally built. Now reboot your machine once more.

_________________________________
|| 0x06: MAKING THE CRYPTO DEVICE

Now we come to the most interesting part, the encrypted device for our home directories. The idea is this: /crypto is a normal partition that holds one huge file filled with random data, an svnd(4) "safe" vnode disk is attached to that file with an encryption key derived from a passphrase, and the file system on that device is mounted as /home. First we tell the file system on /crypto to reserve no free space:

=== code ===>>>
umount /crypto
tunefs -m 0% /dev/wd0d
mount /crypto
==========>>>

By default FFS keeps a percentage of every partition (minfree) reserved for root; since /crypto will contain nothing but the one image file, we set this to 0% so that the image can use the whole partition. Now let us look at the output of "df -k", it will look similar to this:

=== code ===>>>
Filesystem   1K-blocks     Used    Avail Capacity  Mounted on
/dev/wd0a     10318758  3275390  6527432    33%    /
/dev/wd0d     46327274 44021682   -10770   100%    /crypto
/dev/svnd1c   43300516 39164862  4135654    90%    /home
==========>>>

This listing was taken after the image file already existed, which is why /crypto shows 100% used with a negative "Avail" and why /dev/svnd1c is already mounted on /home. On a fresh /crypto you take the "Avail" value of /dev/wd0d as the size of the image in 1K blocks; here, as the partition is already full, we take the "Used" value 44021682 instead. Now create the image, attach it and put a file system on it:

=== code ===>>>
/bin/dd if=/dev/prandom of=/crypto/cryptfile bs=1024 count=44021682
/usr/sbin/vnconfig -cK 4096 /dev/svnd1c /crypto/cryptfile
/sbin/newfs -m 0% /dev/rsvnd1c
==========>>>

The dd from /dev/prandom fills the image with pseudo-random data, so that blocks holding encrypted data cannot be told apart from unused ones; with a 44GB image this takes a good while. vnconfig will ask you for a passphrase; remember it well, maybe write it down and keep it somewhere safe, because without it the data is gone. It will also ask for the name of a so-called salt file, for example "mysalt.salt", which is created on first use (you can also give it on the command line with -S). The salt file holds random data that is mixed into the key derivation: it defeats precomputed password tables, and the 4096 rounds of PBKDF2 make every guess at the passphrase slower, so brute forcing the password becomes much more expensive. Keep the salt file: it is needed every time the device is attached, and losing it is as bad as losing the passphrase. Now let us mount our file system!
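Here is the script I would put all of section 0x06 into: the creation step above and the attach and detach commands that follow below. It is an added example and not SkyOut's cryptmount.sh/cryptumount.sh. The paths /crypto/cryptfile and mysalt.salt, the unit svnd1, the mount point /home and the 4096 rounds are taken from the article; passing the salt file with -S instead of typing it at the prompt, the DRYRUN switch, the refusal to overwrite an existing image and the refusal to detach a busy /home are my additions.

```sh
#!/bin/sh
# cryptdev.sh: create, attach or detach the svnd-backed encrypted /home from
# section 0x06. Added example, not the author's scripts. Run as root.
# Assumed defaults (override in the environment): paths below, unit svnd1.
IMG=${IMG:-/crypto/cryptfile}      # image file on the unencrypted /crypto partition
SALT=${SALT:-/crypto/mysalt.salt}  # salt file, needed together with the passphrase
DEV=${DEV:-svnd1}                  # "safe" vnd unit used in the article
MNT=${MNT:-/home}
ROUNDS=${ROUNDS:-4096}             # PBKDF2 rounds, not a key length in bits
DRYRUN=${DRYRUN:-0}                # DRYRUN=1 prints the commands instead of running them

run() {
    if [ "$DRYRUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# crypt_create KB: fill an image of KB kilobytes with pseudo-random data,
# attach it with a key derived from the passphrase, put a file system on it
# and detach again so that crypt_mount can attach it later.
crypt_create() {
    if [ -z "$1" ]; then echo "usage: crypt_create <size-in-KB>" >&2; return 1; fi
    if [ -e "$IMG" ]; then echo "$IMG exists, refusing to overwrite it" >&2; return 1; fi
    # random fill: an attacker cannot tell used blocks from unused ones
    run /bin/dd if=/dev/prandom of="$IMG" bs=1024 count="$1" || return 1
    run /usr/sbin/vnconfig -cK "$ROUNDS" -S "$SALT" "/dev/${DEV}c" "$IMG" || return 1
    run /sbin/newfs -m 0% "/dev/r${DEV}c" || return 1
    run /usr/sbin/vnconfig -u "/dev/${DEV}c"
}

# crypt_mount: attach the image (asks for the passphrase) and mount it.
crypt_mount() {
    if [ ! -f "$IMG" ]; then echo "image $IMG missing" >&2; return 1; fi
    if [ ! -f "$SALT" ]; then
        echo "salt file $SALT missing; the key cannot be derived without it" >&2; return 1
    fi
    run /usr/sbin/vnconfig -cK "$ROUNDS" -S "$SALT" "/dev/${DEV}c" "$IMG" || return 1
    # a wrong passphrase yields a device that decrypts to garbage: the mount
    # fails, and the unit must be released before the next attempt
    if ! run /sbin/mount -o softdep,nosuid,nodev "/dev/${DEV}c" "$MNT"; then
        run /usr/sbin/vnconfig -u "/dev/${DEV}c"
        return 1
    fi
}

# crypt_umount: unmount first, detach only if that worked.
crypt_umount() {
    if ! run /sbin/umount "$MNT"; then
        echo "$MNT is still busy, not detaching /dev/${DEV}c" >&2; return 1
    fi
    run /usr/sbin/vnconfig -u "/dev/${DEV}c"
}

case "${1:-}" in
    create) crypt_create "$2" ;;
    mount)  crypt_mount ;;
    umount) crypt_umount ;;
esac
```

Use it as "sh cryptdev.sh create 44021682" once (the count is the 1K-block size taken from df as described above), then "sh cryptdev.sh mount" after every boot and "sh cryptdev.sh umount" before shutting down; with DRYRUN=1 in the environment it only prints what it would run, which is how I test it.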
Do this with the following commands (you will again be asked for the passphrase and the name of the salt file, "mysalt.salt" in our example):

=== code ===>>>
/usr/sbin/vnconfig -cK 4096 /dev/svnd1c /crypto/cryptfile
/sbin/mount -o softdep,nosuid,nodev /dev/svnd1c /home
==========>>>

The value 4096 is NOT a key length in bits, it is the number of rounds the key derivation runs; you can choose it as you like, but it has to be the same every time, because a different round count derives a different key. Note that a wrong passphrase is not detected by vnconfig itself: the device simply decrypts to garbage and the mount fails; detach it with "vnconfig -u" before trying again. To automate this you can put the commands into a simple shell script, "cryptmount.sh" or whatever you like. To unmount the crypto device, run:

=== code ===>>>
/sbin/umount /home
/usr/sbin/vnconfig -u /dev/svnd1c
==========>>>

This too can go into a simple script, "cryptumount.sh" for example. Always unmount first and detach the vnd afterwards, and if umount complains that /home is busy (some process still has a file open there), do not detach. If all went well your /home directory is mounted and you can create your first user. If something went wrong, repeat the steps of this section and maybe reboot (which normally should not be necessary).

___________________
|| 0x07: CONCLUSION

We have learned how to make our OpenBSD 4.X system more secure: we have moved /var/run and /tmp into RAM, made an encrypted device for our home partition, disabled services we do not need, like inetd, and brought the system up to date from the -stable branch. All in all we now have a system where the files in /home cannot be read without the passphrase and the salt file, where guessing the passphrase is expensive (how expensive depends on the passphrase you chose), and where data left in /tmp does not survive a reboot. Happy Hacking

____________________________________________________________________________
____________________________________________________________________________
EOF