I’ve spent the last few days setting up a new OpenBSD server, focusing on the security aspects.
I’m not a security expert, but during these days I’ve learned a few things which I would like to share.
So, I will describe these security tips, without getting into much detail, from general to specific. For more details on these, just google or ask me.
Firstly, why OpenBSD?
Well, I had no experience with this OS, so I thought to give it a try. Furthermore, OpenBSD is (generally?) considered to be (one of) the most secure systems around. So, why not?
1) When connecting remotely to your server, always do that with SSH2.
2) You should not log in over SSH as root. Create an account, add it to the wheel group so that you can su with it, and set the PermitRootLogin option to no in /etc/ssh/sshd_config (the server’s config; /etc/ssh/ssh_config is the client’s).
3) Use long passwords. You can even set the min. password length as you wish.
4) Always use the latest release, and always patch as soon as possible your system, when a patch is available.
5) Enable only the needed services, and check thoroughly for open ports, e.g. disable inetd and sendmail if you don’t need them.
6) After you finish your configurations, change your security level to 2. This is the highest possible, but be aware that this can make administration more difficult.
7) Change your web server’s directives, so that you don’t show to people which server you use.
8) Enable your swap partition encryption (this is enabled by default).
9) Use pf (packet filter) to create strict rules for your firewall. For example, block all incoming traffic, and only enable the few services that you really need. In addition to that, use antispoof and packet normalization (scrub) rules.
10) In your pf rules, include rules against bruteforcing. With this, you can avoid DoS (Denial of Service) attacks.
11) Block incoming traffic based on ip, for example allow ssh logins only from your local network or what fits your needs.
12) Try to fool nmap (using pf), so that you don’t reveal which of your ports are open and which OS you are using, and also log the scanning attempts.
13) Change the sysctl.conf flags, so that your system reboots automatically during a kernel panic.
14) Use file flags like schg, sappnd and uappnd to disable deletion and editing of specific files and directories, like /var/log.
15) Keep a track of your files’ checksums, and your downloads’ checksums.
16) Use snort (or other NIDS and Host IDS) in addition to the pf and system logging to prevent and identify security breaches and attempted attacks.
17) You can use honeyd to create virtual hosts and honey traps for the script kiddies.
18) Use SaDoor for remote stealth administration.
19) If possible (if you are administering the router used), use static ARP in your network, to avoid ARP poisoning attacks.
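Tips 2, 6 and 9 through 14 are easier to get right when you see them in one place, so here is an added example (my own script, not part of the original post or of OpenBSD itself) that renders a strict pf.conf for tips 9-12, edits sshd_config for tip 2, and, only when run as `apply` on an OpenBSD host, sets the sysctl and file flags for tips 13 and 14. The interface name em0, the LAN range 192.168.1.0/24, the connection-rate limits, the choice of log files and the `<bruteforce>` table name are assumptions; change them to fit your host before applying anything.

```sh
#!/bin/sh
# Added example, not the original post's code. Values marked "assumed" are
# placeholders for your own network. Run "render" to review the generated
# pf.conf, "apply" to install it (OpenBSD only).
set -eu

# Tips 9-12: strict default-deny firewall with scrub, antispoof, logging of
# blocked packets (scans show up in pflog) and an ssh bruteforce table.
render_pf_conf() {
    cat <<'EOF'
ext_if = "em0"              # assumed external interface
lan = "192.168.1.0/24"      # assumed local network allowed to reach ssh
table <bruteforce> persist

set block-policy drop        # drop silently instead of sending RSTs/ICMP
set skip on lo

# Tip 9: normalise fragments and IP IDs, drop spoofed sources on ext_if
match in all scrub (no-df random-id max-mss 1440)
antispoof quick for $ext_if

# Tip 12: everything not explicitly allowed is dropped and logged
block log all

# Tip 10/11: ssh only from the LAN; a source opening more than 5 new
# connections in 30 s lands in <bruteforce> and loses its existing states
block quick from <bruteforce>
pass in on $ext_if proto tcp from $lan to ($ext_if) port ssh keep state (max-src-conn 10, max-src-conn-rate 5/30, overload <bruteforce> flush global)

# Tip 5/9: only the services this host really offers
pass in on $ext_if proto tcp to ($ext_if) port { http https }
pass out on $ext_if all
EOF
}

# Tip 2: sshd reads /etc/ssh/sshd_config. Replace an existing (possibly
# commented-out) directive or append it. Uses a temp file so it works with
# both BSD and GNU sed. Note: also rewrites copies inside Match blocks.
set_sshd_option() {   # usage: set_sshd_option FILE Option Value
    f=$1; key=$2; val=$3
    tmp="$f.tmp.$$"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$f"; then
        sed -E "s|^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?$|$key $val|" "$f" > "$tmp"
    else
        { cat "$f"; echo "$key $val"; } > "$tmp"
    fi
    mv "$tmp" "$f"
}

# Check: sshd honours the FIRST active occurrence of a directive, so mimic
# that. A file without the directive is reported as not disabled (the
# historical default was "yes").
sshd_root_login_disabled() {   # usage: sshd_root_login_disabled FILE
    awk 'tolower($1)=="permitrootlogin" { print tolower($2); exit }' "$1" | grep -qx no
}

# Tips 13-14 (and the securelevel from tip 6), OpenBSD commands only.
apply_host_settings() {
    # Tip 13: reboot on panic instead of waiting in ddb
    grep -qx 'ddb.panic=0' /etc/sysctl.conf || echo 'ddb.panic=0' >> /etc/sysctl.conf
    sysctl ddb.panic=0
    # Tip 14: append-only logs. Caveat: newsyslog cannot rotate a sappnd file,
    # so pick files you rotate by hand or exclude them from newsyslog.conf.
    chflags sappnd /var/log/authlog /var/log/messages
    # Tip 6: raise securelevel now; set securelevel=2 in /etc/rc.securelevel
    # to make it persistent. At level 2 the flags above cannot be cleared
    # without going to single-user mode, which is the point.
    sysctl kern.securelevel=2
}

case "${1:-}" in
    render) render_pf_conf ;;
    apply)
        [ "$(uname -s)" = OpenBSD ] || { echo "apply: OpenBSD only" >&2; exit 1; }
        render_pf_conf > /etc/pf.conf
        pfctl -nf /etc/pf.conf          # syntax check before loading
        pfctl -f /etc/pf.conf
        set_sshd_option /etc/ssh/sshd_config PermitRootLogin no
        sshd_root_login_disabled /etc/ssh/sshd_config && rcctl restart sshd
        apply_host_settings ;;
esac
```

Run `sh harden.sh render` first and read the rules; `pfctl -nf` only catches syntax errors, not a rule set that locks you out, so keep a console or a second session open when you load it. The ssh edit is done before the securelevel change because at level 2 the append-only flags on the logs can no longer be removed, which is also why the order of the `apply` branch matters.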
