Google
Web BSDatwork.com
Hardening OpenBSD Internet Servers
This tutorial on how-to harden or improve security on OpenBSD Internet servers includes sections that apply to any UNIX system. Hardening is making a computer more secure by removing unneeded functions, restricting access and tracking changes and processes. It was revised to cover OpenBSD 3.0 on Dec. 15, 2001 and includes an overview of the 2.9 to 3.0 changes. A new page on priorities ranks the value of the techniques presented here. Familiarity with UNIX system administration but not OpenBSD is assumed.
  • Introduction to Hardening Concepts
  • Priorities, Costs and Benefits
  • Installing a Minimum OpenBSD System
  • Hardening an OpenBSD System
  • Creating and Using a Recovery CD ROM
  • Users and Security Groups
    • This how-to harden OpenBSD tutorial begins with an introduction to Hardening Concepts, mostly applicable to all operating systems but opening with a small section that discusses the security characteristics of OpenBSD.
    A new page (Dec. 20, 2001) Priorities, Costs and Benefits ranks the techniques discussed here and elsewhere in terms security payoff versus the effort and risks involved. Some background on the development of these pages is provided. The importance of staying up-to-date with OpenBSD releases is discussed and how these techniques may make upgrades more difficult is a factor in the ranking. Techniques with the highest security benefits are ranked most highly but the variable amount of up front and or ongoing effort are considered as well of the risks of implementing some of the techniques. A corresponding Check List page reduces steps to short action items with values from 0 (not recommended) to 5 (essential) in a suggested order of completion.
    Basic OpenBSD Installation is an OpenBSD specific, step-by-step tutorial, intended for those new to OpenBSD. In addition to reviewing each install prompt it covers disk partitioning issues, network choices, and strongly recommends installing only the minimum system plus the development tools if a custom kernel is going to be made or software installed via source.
    A single page with detailed step-by-step how-to harden OpenBSD instructions grew unmanageably large. Now the Hardening OpenBSD Contents page provides one paragraph summaries of the details pages. These pages cover § Users, Files and Auditing § Removing Unneeded Services § Packet Filter and IP Filter as a Host Firewall § Immutable Files, Securelevels, Read Only Filesystems, Mount Options § Logon Banners to Warn, Not Help Intruders § Removing Files, CD-ROM as System Lock § Building a Custom Kernel
    A final OpenBSD specific page covers creating a recovery CD ROM. The recovery CD ROM also contains executable programs deleted in the Removing Files section so that they may be used when the CD ROM is in the drive and mounted but are otherwise not available. The CD can also be used to migrate a standard configuration to multiple machines
    The hardening OpenBSD tutorial closes with Users, Groups and Security which is UNIX oriented and not OpenBSD specific. This covers restricting file and directory access via user or security groups. In particular it includes detailed how-to instructions to assure that a group of users share write access to a directory or directory tree by setting the GUID bit on directories and using the correct umask.
    Use of good passwords and sound password Managment is often considered part of the hardening process. Password Management is now a small part of the large section on Good and Bad Passwords and Password Cracking .
    When discussing passwords, there are links to password.pl, a highly configurable Perl password generator. The source code for an earlier version is now located in the password section.
    Intrusion detection is often considered part of hardening a system. Some intrusion detection techniques are discussed in the How-To Homegrown Intrusion Detection section.
    Original URL: http://geodsoft.com/howto/harden/
    Related URL: http://www.openbsd.org
    Content Copyright © Original Author