BSD DevCenter
oreilly.comSafari Books Online.Conferences.


Securing Small Networks with OpenBSD Simple Things to Improve Your System's Security

by Jacek Artymiak

Welcome back!

First, I'd like to thank all of the readers who sent me their suggestions on what they'd like to read about in the future installments of this series. Your input is very valuable to me, because I do not want to write about things you are not interested in. The list of topics is very long and I will have to sort it into thematic units that can be covered in one or more articles, but among your suggestions are also topics that can be bundled together with others in a form of a list of tips. And this time, we'll take a break from pf and discuss small and simple things that you can do to improve the security of your OpenBSD system.

Do Not Allow root Logins Over SSH

This is something you should turn off as soon as you install OpenBSD. Logging in as root over networks, whether they are public or private, is bad practice from the point of view of security. You should never trust your network, and assume that the traffic might be sniffed. And it doesn't matter that you are using SSH; always assume the worst. The good practice is to log in as an ordinary user and then use su to become superuser, or, even better, use sudo to execute commands you need to run as root. (As it happens, has two articles about sudo by Michael Lucas, "Eliminating Root with Sudo" and "Sudo Aliases and Exclusions.")

To turn root logins off, edit /etc/ssh/sshd_config and change

#PermitRootLogin yes


PermitRootLogin no

Save changes to make them permanent, and you won't have to worry about it anymore.

Learn to Use Groups and File Permissions

Juggling file permissions takes some practice, but those who master it will end up with a more secure system and less headaches. To help you with that, published an interesting article, "Using Groups to Eliminate Root," by Michael Lucas. Read it and apply that knowledge in practice.

Related Reading

Practical UNIX and Internet Security
By Simson Garfinkel, Gene Spafford, Alan Schwartz

Learn to Use File Flags

Properly used, file permissions, ownership, and groups can greatly enhanced the overall security of your system, as shown in the default OpenBSD configuration. However, OpenBSD (and other BSD systems) provide an additional file protection mechanism known as file flags. Every file can have a number of flags (listed in man chflags and man 2 chflags), out of which the following are particularly interesting, from the point of view of system security:

  • sappnd: system append-only, only superuser can write to this file and even then, any writes are in append mode (information is added to the end of the file, without overwriting earlier information).

  • schg: system immutable, only superuser can change, move or delete this file.

  • uappnd: user append-only, only owner and superuser can write to this file and even then, any writes are in append mode (information added to the end of the file, without overwriting earlier information).

  • uchg: user immutable, only owner and superuser can change, move or delete this file.

To set flags, use chflags, e.g.:

$ chflags uchg ./signature

To unset flags, add no prefix, e.g.:

$ chflags nouchg ./signature

Once sappnd and schg flags are set, they can only be unset while the system is at security level 0 or -1. Not even root can change these flags in any other mode.

You can check file flags with ls -lo (compare its output with that of ls -l).

How do file flags help? Well, if you set schg flags on binaries, the attacker cannot modify them and insert rogue code. Similarly, if you set that flag on files in the /etc directory, nobody will be able to make changes to them.

Pages: 1, 2

Next Pagearrow

Sponsored by: