Building Firewalls With OpenBSD And PF, 2nd Edition (2003)
.pdfChapter 4
ConŒguring OpenBSD
In this chapter we will discuss conŒguring OpenBSD for pf, performance, and security. Also discussed are user management and installing additional software from ports and packages.
Once OpenBSD completes its Œrst reboot cycle, you will be able to log in as root using the password created during the system installation stage. There are a few things that you can do nowŠadd ordinary user account, conŒgure networking, pf, routing, add software, and patch the system.
4.1 User Management
Although you can do everything as root, it is never a good idea, because the system assumes that you know what you are doing and will not prevent you from doing stupid things like erasing the whole Œlesystem or overwriting /bsd with garbage. You are the superuser after all, with all beneŒts and responsibilities it brings! The long history of stupid mistakes that required installing stuff from scratch convinces us that doing everything as root is dangerous and irresponsible. Let's see what you can do to help you save your system from your mistakes.
4.1.1 Adding Users
Every time you log on as root from the console, OpenBSD will remind you that it is not a good thing to do. (Another constant reminder is the # prompt, displayed in place of the $ prompt shown to ordinary users.) To avoid these reminders, create an ordinary user account that you will use to log on the Œrewall then `become' root, if necessary. But the constant nagging is not the only reason to create an ordinary user account, without it you will not be able to log on your Œrewall via SSH (logging on as root over SSH is blocked by default and it should stay that way).
68 |
Chapter 4: ConŒguring OpenBSD |
|
|
Logging as root is disabled, when the following entry is present /etc/ssh/sshd_conŒg:
#PermitRootLogin yes
If you ever need to enable it (always a bad idea), remove the hash character (#) from that line and restart the sshd(8) daemon with:
# kill -HUP `cat /var/run/sshd.pid'
Adding a new user is simple, use adduser(8) and answer the questions you see on the screen. The Œrst time you use it, the system will ask you a few questions related to the general settings that will be applied to all newly created accounts. Your answers are stored in /etc/adduser.conf and can be changed at any time.
4.1.2 Letting Users Do As Root Does (su)
How does an ordinary user become root? With su(1), but access to that command is limited to those users who belong to the wheel group. To add a user to wheel either type wheel when adduser(8) asks you about the groups you'd like to invite the newly created user to. Another way is to edit
/etc/group:
# vi /etc/group
and (assuming the name of the new user is joe) change:
wheel:*:0:root
to:
wheel:*:0:root,joe
To save changes, press the Esc key, then type :x, and hit the Enter/Return key. Afterwards, when you want to become root, type:
$ su
Section 4.1: User Management |
69 |
|
|
Hit the Enter/Return key and type in the root password you gave during installation. Congratulations! You are now the superuser root, with all of the powers and the responsibilities. To drop back to ordinary user status, type exit and hit the Enter/Return key. For more information, read the su(1) manual and remember not to give access to su(1) to anyone who asks. Ideally, you should only give it to the administrator that takes over the management of your machine. Junior administrators who are helping you, should only be given access to a few essential commands via sudo(8) discussed later in this chapter.
4.1.3 Changing the User Password
Users and administrators can change passwords with passwd(1). You can only change your own password, unless you have root privileges, in which case you can change passwords for anyone on the system. The new password will need to be given twice:
# passwd joe
4.1.4 Giving Users Limited Access to Root Privileges (sudo)
Adding a user to wheel lets him or her become root, but that still doesn't prevent stupid mistakes. A better way to do it is through sudo(8), which limits access to commands owned by root via settings stored in /etc/sudoers. Unlike other system conŒguration Œles, /etc/sudoers ought to be edited with a special tool, called visudo(8). Only users with root privileges can use that command.
For example, to let joe run pfctl(8), add the following line to /etc/sudoers:
joe firewall = /sbin/pfctl
To save changes, press Esc, then type :x, and hit the Enter/Return key. Then, to use pfctl(8), type something like this:
$ sudo pfctl -s rules
You will be asked to type your password (for user joe, not root).
70 |
Chapter 4: ConŒguring OpenBSD |
|
|
Be careful with how much privileges you give to an ordinary user. Never, ever given anyone ALL : ALL,
: /usr/bin/su, or : /usr/sbin/visudo rights.
Access to sudo(8) and su(1) is independent of each other. For more information read the manual pages for su(1), sudo(8), visudo(8) and sudoer(5).
4.1.5 Removing Users
Users can be removed with rmuser(8), e.g.:
# rmuser joe
Again, you need to have root privileges to do that.
4.2 Hardening OpenBSD
Although OpenBSD is very secure in its default conŒguration, there are a few things that you can do to make it even safer, like disabling non-essen- tial services or patching the system. Doing these things is essential before and after putting any system in production use regardless of its purpose and security track record.
4.2.1 Disabling Non-Essential Services
OpenBSD does not run many services enabled by default, but a few of these exists and should be disabled unless you really need them on a Œrewall. On OpenBSD 3.4 these services are: ident(1), comsat(8), daytime, and time. To disable them, open /etc/inetd.conf in a text editor and put # at the beginning of these lines:
ident |
stream |
tcp |
nowait |
_identd |
+ /usr/libexec/identd |
identd -el |
|
||
ident |
stream |
tcp6 |
nowait |
_identd |
+ /usr/libexec/identd |
identd -el |
|
||
127.0.0.1:comsat dgram |
udp |
wait |
root |
|
+ /usr/libexec/comsat |
comsat |
|
||
[::1]:comsat |
dgram |
udp6 |
wait |
root |
+ /usr/libexec/comsat |
comsat |
|
||
Section 4.2: Hardening OpenBSD |
|
|
71 |
||
|
|
|
|
|
|
daytime |
stream |
tcp |
nowait |
root |
internal |
daytime |
stream |
tcp6 |
nowait |
root |
internal |
time |
stream |
tcp |
nowait |
root |
internal |
time |
stream |
tcp6 |
nowait |
root |
internal |
If you want to be 100% sure that the Œrewall exposes no unwanted services to the outside world, use the nmap(1) port scanner (available in OpenBSD ports and packages) and aim it at your Œrewall host. Be careful with this tool and never install it on the Œrewall itself. Also, watch out who you are aiming it at. Port scanning can get you in trouble if you do it on hosts that you do not control, so don't try it outside of your network or you may encounter serious legal problems. Not every administrator has time to Œnd out who is scanning her or his network.
4.2.2 Patching
Patching the system is something that any OpenBSD administrator ought to do as soon as patches are available, because leaving your system unpatched is simply asking for trouble.
Applying patches to a Œrewall running OpenBSD is a bit different than doing the same on a workstation, because the Œrewall must not be loaded with the compiler toolbox (comp34.tgz) or the source code. There is just too much possible risk. The solution is to keep a separate machine for compiling modiŒed binaries, which will later be transferred to the production machine. What is usually done be hand or by a custom script, may soon be automated by debardage, a very promising tool from sysŒve.com:
http://debardage.sysŒve.org |
(debardage home) |
Patch announcements are posted to announce and security-announce mailing lists. If you do not yet subscribe to these lists, do it now. Doing this will help you track patches released from the moment you subscribe, but you also need to check if there were any patches released before you subscribed. Also, the announcements are just thatŠannouncements; you need to download the patches yourself. The list of patches for the current and previous releases of OpenBSD can be found on the Errata page:
http://www.openbsd.org/errata.html |
(OpenBSD Errata) |
72 |
Chapter 4: ConŒguring OpenBSD |
|
|
The OpenBSD team only supports the latest two releases of the system. For example, after OpenBSD 3.4 was released, patches are only issued for OpenBSD 3.4 and 3.3, but not for OpenBSD 3.2 or earlier releases. This policy forces you to upgrade, which a good thing if you really are serious about security.
To apply patches, you will need to install the OpenBSD compiler tools (comp34.tgz) and the OpenBSD sources for the same release as the one you are running on the Œrewall, not the machine you are building patches on. These are the same as the sources that have been used to build that particular release of OpenBSD, not the CURRENT sources held in CVS. For the 3.4 release, you need to to get the OPENBSD_3_4 branch of the source code repository. Strictly speaking, the patches are in CVS, but extracting them from there would take uninitiated users too much time and effort.
The ofŒcial archives of sources for each release are available on the original OpenBSD CD-ROMs or online from many OpenBSD FTP mirror servers (see Chapter 3, Installing OpenBSD). If you are downloading them with ftp(1), they are always available in the top directory for the release you are using. For OpenBSD 3.4, descend into pub/OpenBSD/3.4 and download these Œles:
XF4.tar.gz
ports.tar.gz
src.tar.gz
sys.tar.gz
Next, move the source archives to the /usr/src directory:
#mv XF4.tar.gz /usr/src
#mv ports.tar.gz /usr/src
#mv src.tar.gz /usr/src
#mv sys.tar.gz /usr/src
#cd /usr/src
and unpack them with:
# tar -zxvf *.tar.gz
Section 4.2: Hardening OpenBSD |
73 |
|
|
Once you have the OpenBSD sources, you will need to download the patches. The latest set of patches is always available on the FTP mirror servers in the subdirectories of the pub/OpenBSD/patches directory. For example, if you are looking for patches for OpenBSD 3.4, you will Œnd them in pub/OpenBSD/patches/3.4. Download the 3.4.tar.gz archive into your home directory and unpack it:
# tar -zxvf 3.4.tar.gz
You will now have a directory named 3.4 with the following subdirectories:
alpha/
amiga/
common/
hp300/
i386/
m68k/
mac68k/
macppc/
mvme68k/
ports/
sparc/
sparc64/
vax/
Out of these subdirectories, only three are of interest to us: common (contains patches for all hardware platforms), ports (contains patches for the ports collection, applicable to all hardware platforms), and the subdirectory containing patches applicable to the hardware platform you use. For Intel x86 machines, you need the patches from i386.
As you can see, when you list them, they are numbered in the order they are released, and that's the order you should apply them in. This is important, because the same Œle may be patched more than once.
Every patch comes with detailed instructions on how you should apply it, so the Œrst step is reading them:
Note that the author is using patches for OpenBSD 3.1 in this example, because there were no patches for Open-
74 |
Chapter 4: ConŒguring OpenBSD |
|
|
BSD 3.4 released at the time this book was sent to the printers. You should never patch sources of one release of OpenBSD with patches for another release.
# less /home/joe/3.1/common/004_sshbsdauth.patch
Fix a bug in the BSD_AUTH access control handling
Apply by doing:
cd /usr/src
patch -p0 < 004_sshbsdauth.patch cd usr.bin/ssh
make obj
make cleandir make depend
make && make install
...
As you can see, we are told to change the present working directory to /usr/src and apply this patch with:
# patch -p0 < /home/joe/3.1/common/004_sshbsdauth.patch
Hmm |
... Looks like a unified diff to me... |
The |
text leading up to this was: |
--------------------------
|Fix a bug in the BSD_AUTH access control handling
|
|Apply by doing:
|cd /usr/src
| patch -p0 < 004_sshbsdauth.patch
|cd usr.bin/ssh
|make obj
| make cleandir
|make depend
| make && make install
|
|Index: usr.bin/ssh/auth.c |======================================================= |RCS file: /cvs/src/usr.bin/ssh/auth.c,v
|retrieving revision 1.41
Section 4.2: Hardening OpenBSD |
75 |
|
|
|
|
|diff -u -r1.41 auth.c |
|
|
|--- |
usr.bin/ssh/auth.c 19 Mar 2002 15:31:47 -0000 |
1.41 |
|+++ usr.bin/ssh/auth.c 22 May 2002 20:28:25 -0000
--------------------------
Patching file usr.bin/ssh/auth.c using Plan A...
Hunk #1 succeeded at 410. done
$
What happens next depends on the commands listed in the Apply by doing: section. In case of 004_sshbsdauth.patch for OpenBSD 3.1 shown above, we need to execute some additional commands to create new binaries from patched sources:
$ cd usr.bin/ssh
#make obj
#make cleandir
#make depend
#make && make install
Now you need to stop all related processes (ssh/sshd in this case) processes and restart them to make sure that the system and users use new binaries:
# kill -HUP `cat /var/run/sshd.pid'
Sometimes a full reboot will be required for the changes to have effect, in that case, restart the system with:
# reboot
Once you are happy that everything is working Œne, you can copy new binaries to the production machine.
How do we know which binaries have been modiŒed? The output from make install contains a list of binaries and other Œles changed during compilation. Make a list of their locations, ownership, and access rights. Use scp(1) to copy them to the production machine. Then, log on the production machine, become superuser with su(1), replace old binaries with the new ones, and restart the relevant processes. (You must stop them Œrst; merely restarting them with kill -HUP may not be enough.) A system
76 |
Chapter 4: ConŒguring OpenBSD |
|
|
reboot is not out of place in case of more extensive changes. Of course, it needs to be done at times when it will cause the least inconvenience to users. Use your own judgment to decide what needs to be done and when is the best time to do it.
You do not have to apply all patches. Patches issued for hardware platforms you do not use or for ports you do not install can be ignored. All others ought to be applied as soon as you learn about them.
4.2.3 When a Patch Is Not Enough
There is another way to `patch' the system, you can update the source of the system and ports via CVS and recompile everything. This will be necessary, if you are using binaries with statically-linked libraries (the library code and the actual program binary are glued together). When the same library is also available in dynamic form, you need to rebuild the library and the program that links it statically, even if the patch was issued for the library and not for the program. You will Œnd the necessary information on these pages:
http://www.openbsd.org/anoncvs.html |
(OpenBSD AnonCVS) |
http://www.openbsd.org/faq/upgrade-minifaq.html |
(Upgrading OpenBSD) |
4.3 ConŒguring Networking
OpenBSD comes with most network services needed to run a Œrewall conŒgured out of the box, all you have to do are some minor tweaks. Most of this is done during the installation stage, but may have to be Œne-tuned before the machine is put into production use.
ƒHostname. Stored in /etc/myname, the hostname lets us use identiŒers which are easier to remember that IP addresses. The contents of /etc/myname is a short hostname, e.g. firewall instead of the full name, e.g. firewall.example.com. You can always check the full hostname and the short hostname with hostname(1):
$ hostname firewall.example.com