OpenBSD - usage wiki

openbsd
dnssec
sshfp
karl
anti-rop
syspatch
pf

Still Open, after all these years

At its core OpenBSD is a simple and clean Unix-like operating system with proactive security features.

What’s under-appreciated is its simplicity: OpenBSD is surprisingly simple to use in modern virtualisation environments. For example it supports VMware ESXi without additional tools via vmt. On Linux systems you may have to install open-vm-tools.

Generally the system appears to be less noisy (in the logs). It probably isn’t popular because of its reputation for favouring rigour over debate.

Upgrading an OpenBSD system manually (old way pre 6.1)

  1. Download a suitable ramdisk kernel (bsd.rd), for example for OpenBSD 6.5 on AMD64
  2. Place bsd.rd in / and reboot the system
  3. Type bsd.rd at the bootloader prompt

Then run something like pkg_add -vri and update all packages.

Result:

  • Keep OpenBSD up to date, use KARL, anti-ROP etc., and use syspatch from now on.

syspatch - what we do now

If you are on a more recent OpenBSD (6.1 or newer) you can use syspatch.

ushellnotpass# syspatch
Get/Verify syspatch65-001_rip6cks... 100% |******************************************************|   196 KB    00:01
Installing patch 001_rip6cksum
Relinking to create unique kernel... done; reboot to load the new kernel

Then just reboot to load the new kernel, every time :wink:

Run Rsyslog instead of Syslogd

Syslogd has a couple of quirks, e.g. it does not add its host IP to the syslog information. Rsyslog is pretty much the standard in the Linux world, and it’s available in the ports.

pkg_add rsyslog
rcctl disable syslogd
rcctl enable rsyslogd
/etc/rc.d/rsyslogd start

Then just configure it.

OpenSSH hardening - brute-force protection, block bots via cipher settings

ushellnotpass# tail -n 7 /etc/ssh/sshd_config
KexAlgorithms           [email protected]
HostKeyAlgorithms       ssh-ed25519
Ciphers                 [email protected]
MACs                    [email protected] 

If you do that you will find some of your usual botnet friends failing during preauth.

May 3 14:33:40 ushellnotpass sshd[123]: Unable to negotiate with 58.242.83.XX port 51697: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]

Well then… bye-bye.

sshguard

On Linux hosts I use Fail2ban, but for OpenBSD I use sshguard due to compatibility reasons.
This tool will at least slow down password brute-force attempts, which appear too often from a single IPv4 or IPv6 endpoint.

Obviously we should also limit access to important systems by enforcing key-based authentication or multi-factor authentication (TOTP). That is possible as well, but depending on the environment it is not easily enforceable.

Rate limiting with PF

Take a look at the following idiomatic PF rule:

# the overload rule below needs the table to exist before it is referenced
table <bruteforce> persist
block drop in quick from <bruteforce> to any
pass inet proto tcp from any to any port = 22 flags S/SA keep state (source-track rule, max-src-conn 60, max-src-conn-rate 15/5, overload <bruteforce> flush global, src.track 5)

Result:

  • slows down non-distributed password attacks and prepares for blocking
  • defines ciphers that most scripts cannot deal with (but most legitimate clients can)

Getting fitting SSHFP DNS records from OpenSSH server keys

This should apply to other Unix-like operating systems in the same way. You need to have a valid DNSSEC setup for the FQDN.

~ % ssh-keygen -r ssh.hostname.com -f /etc/ssh/ssh_host_ed25519_key.pub
ssh.hostname.com IN SSHFP 4 1 12...c4
ssh.hostname.com IN SSHFP 4 2 41...31

After SSHFP, the first digit is the algorithm (4 is Ed25519) and the second digit is the fingerprint type (1 is SHA-1, 2 is SHA-256).

With this in place you can set the respective entry in the ssh client config (~/.ssh/config):

Host ssh.hostname.com
    VerifyHostKeyDNS yes

This results in the following extra check (visible with ssh -v):

debug1: Server host key: ssh-ed25519 SHA256:Q...E
debug1: found 4 secure fingerprints in DNS
debug1: matching host key fingerprint found in DNS
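As an added example (not code from the original post), here is a small Python script that does what ssh-keygen -r and VerifyHostKeyDNS do: it derives the SSHFP 4 1 / 4 2 records from an OpenSSH public key line and checks a type-2 record against the SHA256: fingerprint that ssh -v prints. The sample key line is a constructed placeholder, not a real key pair.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, 6594, 7479, 8709) keyed by OpenSSH key type.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4, "ssh-ed448": 6,
}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}

# Constructed sample: syntactically valid ssh-ed25519 key line, fixed byte pattern as the point (not a real key).
SAMPLE_BLOB = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
SAMPLE_PUBKEY_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " root@ssh.hostname.com"


def parse_pubkey_line(line):
    """Parse '<type> <base64 blob> [comment]' into (key_type, raw_blob); the blob's first
    length-prefixed string repeats the key type, so reject a line where the two disagree."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type inside blob does not match declared type")
    return key_type, blob


def sshfp_records(line):
    """SSHFP RDATA as ssh-keygen -r emits it: (algorithm, fptype, hex digest); digest is over the raw blob."""
    key_type, blob = parse_pubkey_line(line)
    alg = SSHFP_ALGORITHM[key_type]
    return [(alg, fpt, h(blob).hexdigest()) for fpt, h in SSHFP_FPTYPE.items()]


def openssh_sha256_fingerprint(blob):
    """'SHA256:...' as printed by ssh -v / ssh-keygen -l: unpadded base64 of the digest."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def dns_fingerprint_matches(sha256_fingerprint, record):
    """The comparison behind 'matching host key fingerprint found in DNS' for a type-2 record."""
    alg, fpt, hexdigest = record
    if fpt != 2 or not sha256_fingerprint.startswith("SHA256:"):
        return False
    raw = base64.b64decode(sha256_fingerprint[len("SHA256:"):] + "=")  # restore the stripped padding
    return raw.hex() == hexdigest.lower()


if __name__ == "__main__":
    for alg, fpt, hexdigest in sshfp_records(SAMPLE_PUBKEY_LINE):
        print(f"ssh.hostname.com IN SSHFP {alg} {fpt} {hexdigest}")
```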

SSHFP DNS records improve SSH security, in conjunction with DNSSEC to verify the fingerprints.