First, I'd like to thank all of the readers who sent me their suggestions
on what they'd like to read about in the future installments of
this series. Your input is very valuable to me, because I do not
want to write about things you are not interested in. The list of
topics is very long and I will have to sort it into thematic units
that can be covered in one or more articles, but among your suggestions
are also topics that can be bundled together with others in a form
of a list of tips. And this time, we'll take a break from
and discuss small and simple things that you can do to improve the security of your OpenBSD system.
Do Not Allow
root Logins Over SSH
This is something you should turn off as soon as you install
OpenBSD. Logging in as
root over networks, whether they are public
or private, is bad practice from the point of view of security.
You should never trust your network, and assume that the traffic
might be sniffed. And it doesn't matter that you are using SSH;
always assume the worst. The good practice is to log in as an ordinary
user and then use
su to become superuser, or, even
sudo to execute commands you need to run
root. (As it happens, ONLamp.com has two articles about
sudo by Michael Lucas, "Eliminating Root with Sudo"
and "Sudo Aliases and Exclusions.")
To turn root logins off, edit
Save changes to make them permanent, and you won't have to worry about it anymore.
Learn to Use Groups and File Permissions
Juggling file permissions takes some practice, but those who master it will end up with a more secure system and less headaches. To help you with that, ONLamp.com published an interesting article, "Using Groups to Eliminate Root," by Michael Lucas. Read it and apply that knowledge in practice.
Learn to Use File Flags
Properly used, file permissions, ownership, and groups can greatly
enhanced the overall security of your system, as shown in the default
OpenBSD configuration. However, OpenBSD (and other BSD systems)
provide an additional file protection mechanism known as file flags.
Every file can have a number of flags (listed in
man 2 chflags), out of which the
following are particularly interesting, from the point of view of
sappnd: system append-only, only superuser can write to this file and even then, any writes are in append mode (information is added to the end of the file, without overwriting earlier information).
schg: system immutable, only superuser can change, move or delete this file.
uappnd: user append-only, only owner and superuser can write to this file and even then, any writes are in append mode (information added to the end of the file, without overwriting earlier information).
uchg: user immutable, only owner and superuser can change, move or delete this file.
To set flags, use
$ chflags uchg ./signature
To unset flags, add
no prefix, e.g.:
$ chflags nouchg ./signature
schg flags are set,
they can only be unset while the system is at security level 0 or
-1. Not even root can change these flags in any other mode.
You can check file flags with
ls -lo (compare its
output with that of
How do file flags help? Well, if you set
schg flags on binaries,
the attacker cannot modify them and insert rogue code. Similarly,
if you set that flag on files in the
nobody will be able to make changes to them.
Pages: 1, 2