Still Open, after all these years
At its core, OpenBSD is a simple and clean Unix-like operating system with proactive security features.
What is under-appreciated is its simplicity: OpenBSD is surprisingly easy to use in modern virtualisation environments. For example, it supports VMware ESXi without additional tools via vmt. On Linux systems you may have to install
Generally the system appears to be less noisy (in the logs). It probably isn't popular because of its reputation for favouring rigour over debate.
Upgrading an OpenBSD system manually (old way, pre-6.1)
- Download a suitable ramdisk kernel (bsd.rd), for example for OpenBSD 6.5 on AMD64, to / and reboot the system
- Boot bsd.rd in the bootloader
- Then run something like pkg_add -vri and update all packages.
- Keep OpenBSD up to date, use KARL, anti-ROP etc. And use syspatch from now on.
syspatch - what we do now
If you are on a more recent OpenBSD (6.1 or newer) you can use syspatch:

ushellnotpass# syspatch
Get/Verify syspatch65-001_rip6cks... 100% |******************************************************| 196 KB 00:01
Installing patch 001_rip6cksum
Relinking to create unique kernel... done; reboot to load the new kernel

Then just reboot (a new unique kernel is relinked each time).
Run Rsyslog instead of Syslogd
Syslogd has a couple of quirks, e.g. it does not add its host IP to the syslog information. Rsyslog is pretty much the standard in the Linux world, and it is available in the ports.
pkg_add rsyslog
rcctl disable syslogd
# the package installs its rc script as rsyslogd, so that is the service name rcctl expects
rcctl enable rsyslogd
/etc/rc.d/rsyslogd start
Then just configure it.
OpenSSH hardening - brute-force protection, block bots via cipher settings
ushellnotpass# tail -n 7 /etc/ssh/sshd_config
KexAlgorithms [email protected]
HostKeyAlgorithms ssh-ed25519
Ciphers [email protected]
MACs [email protected]
If you do this you will find some of your usual botnet friends failing during preauth:
May 3 14:33:40 ushellnotpass sshd: Unable to negotiate with 58.242.83.XX port 51697: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]
Well then… bye-bye.
On Linux hosts I use Fail2ban, but for OpenBSD I use sshguard due to compatibility reasons.
This tool will at least slow down password brute-force attempts, which appear too often from a single IPv4 or IPv6 endpoint.
Now obviously we should be able to limit access to important systems by enforcing key-based authentication or Multi-Factor Authentication (TOTP). That is possible as well, but depending on the environment it is not easily enforced.
Rate limiting with PF
Take a look at the following idiomatic PF rule:
# the overload table must be declared before the rules that reference it
table <bruteforce> persist
block drop in quick from <bruteforce> to any
pass inet proto tcp from any to any port = 22 flags S/SA keep state \
    (source-track rule, max-src-conn 60, max-src-conn-rate 15/5, overload <bruteforce> flush global, src.track 5)
- slows down non-distributed password attacks and prepares for blocking the source
- defines ciphers that most scripts cannot deal with (but most legitimate clients can)
Getting fitting SSHFP DNS records from OpenSSH server keys
This should apply to other Unix-like operating systems in the same way. You need to have a valid DNSSEC setup for the FQDN.
~ % ssh-keygen -r ssh.hostname.com -f /etc/ssh/ssh_host_ed25519_key.pub
ssh.hostname.com IN SSHFP 4 1 12...c4
ssh.hostname.com IN SSHFP 4 2 41...31
In an SSHFP record the first digit is the algorithm (4 refers to Ed25519) and the second digit is the fingerprint type (1 - SHA-1, 2 - SHA-256).
With this in place you can set the respective ssh_config entry on the client:

Host ssh.hostname.com
    VerifyHostKeyDNS yes
This results in the following extra check during the connection:

debug1: Server host key: ssh-ed25519 SHA256:Q...E
debug1: found 4 secure fingerprints in DNS
debug1: matching host key fingerprint found in DNS
SSHFP DNS records improve SSH security, in conjunction with DNSSEC to verify the fingerprints.
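As an added illustration (not code from this post), the small Python script below derives the same two SSHFP records from an OpenSSH public key line that ssh-keygen -r prints, and checks a fingerprint obtained from DNS against the offered key the way VerifyHostKeyDNS does. The key it uses is a constructed sample, not a real host key; the hostname ssh.hostname.com follows the post.

```python
import base64
import hashlib
import hmac
import struct

# SSHFP algorithm numbers (RFC 4255, 6594, 8709) keyed by OpenSSH key type.
SSHFP_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                    "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                    "ssh-ed25519": 4}
# Fingerprint types: 1 = SHA-1, 2 = SHA-256, hashed over the raw key blob
# (the bytes that the .pub line carries in base64).
SSHFP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}

def decode_pubkey_line(line):
    """Return (key_type, blob) from a 'type base64 [comment]' line."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(parts[1], validate=True)
    # The blob begins with a length-prefixed string naming the key type;
    # it must agree with the textual prefix, otherwise the line is corrupt.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != parts[0].encode():
        raise ValueError("key type prefix does not match encoded blob")
    return parts[0], blob

def sshfp_records(hostname, line):
    """Presentation-format SSHFP records, as ssh-keygen -r prints them."""
    key_type, blob = decode_pubkey_line(line)
    alg = SSHFP_ALGORITHMS[key_type]
    return [f"{hostname} IN SSHFP {alg} {fp_type} {h(blob).hexdigest()}"
            for fp_type, h in sorted(SSHFP_HASHES.items())]

def fingerprint_matches(line, alg, fp_type, fp_hex):
    """True if a fingerprint fetched from DNS matches the offered key."""
    key_type, blob = decode_pubkey_line(line)
    if SSHFP_ALGORITHMS.get(key_type) != alg or fp_type not in SSHFP_HASHES:
        return False
    digest = SSHFP_HASHES[fp_type](blob).hexdigest()
    return hmac.compare_digest(digest, fp_hex.lower())

def sample_ed25519_line():
    """A constructed Ed25519 public key line; NOT a real host key."""
    raw = bytes(range(32))  # placeholder 32-byte public key
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " sample@example"
```

Calling sshfp_records("ssh.hostname.com", sample_ed25519_line()) yields one "4 1" and one "4 2" record in the same layout as the ssh-keygen output above; fingerprint_matches rejects a record whose algorithm or hash type does not belong to the key.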