Eric's Home Page
Keeping Secure on the World Wide Web with OpenBSD 2.9

I have a confession to make: in the summer of 2000, my home machine was 0wned.

Yes, that's right. I, Eric Green, had a machine compromised by a hacker. I, hardly the least knowledgeable person in existence, had a machine hacked and rooted. In fact, it was a Red Hat 6.2 box, and they got in via an exploit for which Red Hat had issued a patch two months previously. I should have updated my system, and then the attack would have slid off it. But at the time I was working 60-hour (or more) weeks pushing for the BRU-Pro 1.0 release, and one day I found that 'ssh' didn't work right, realized that my machine had to be compromised, and after verifying this with 'rpm' and a clean version of 'ls' from my laptop, I found that my machine was infected with the t0rn root-kit and realized that it'd been months since I'd applied any security updates. Mea culpa.

Since then, I've never had any system directly on the Internet. They've always been behind a custom-built firewall of some kind. At first I used a specially stripped version of Red Hat 6.2 (it didn't even have 'tar' on it!). Then the rpc.statd problem hit, requiring an update to my packet filter rules (rpc.statd is apparently built into the kernel, and would otherwise have required rebooting my firewall -- something I don't like to do). Finally, in disgust, I gave up, went out and bought a Linksys firewall router from Fry's Electronics, and was a happy camper.

Recently some things have happened that require me to be a little more flexible with my mappings, filtering, and port forwarding. The Linksys is a good little router but wasn't going to do what I wanted to do, not to mention the irritating habit its DHCP server had of resetting all my internal resolv.conf and nameserver files to whatever it got from @Home. It was time to pull out the old firewall box and put it back to work.

I thought of using Slackware. Slackware has a good reputation amongst knowledgeable types. But Slackware is not immune to the variety of exploits that have been aimed against Linux boxes of late. If ever I got busy at work again and forgot to update my system, some l33t script kiddie was likely to 0wn my firewall. No, Linux just wasn't secure enough. I wanted something that wouldn't get hacked just because I got busy at work. So after some consideration, I chose an OS that hasn't had a remote exploit in four years: OpenBSD 2.9.

OpenBSD 2.9: The Review

Installation:

My firewall is a geriatric Pentium 166 with 32MB of RAM and a 1GB IDE hard drive, as well as an 8-speed CD-ROM drive. It has two PCI 10/100 network cards in it -- a Hawking with a VIA Rhine chip, and a Hawking with an RTL8139. Both cards cost $15 at Fry's Electronics. Both are supported out of the box by OpenBSD. Incidentally, the case this thing lives in is the old Cybermax case that came with my first Windows 95 computer in 1995, as is the floppy drive. Perhaps the durability of their equipment is why Cybermax is no longer in business while people selling cheap junk still survive.

I downloaded the 'i386' directory out of the OpenBSD 2.9 FTP archive and burned it to a CD-ROM. I then wrote a boot floppy. I had the OpenBSD install section of the FAQ open on my laptop and followed the directions, telling it that I was using the whole drive for OpenBSD (no fdisk step), and using the disk tag editor to set up a / of 100MB, a swap of 128MB, a /home of 10MB, and /usr for the rest. The only gotcha here is the reserved areas -- tag 'b' *has* to be the swap, tag 'c' is the whole drive (you can't change it), and tag 'a' *has* to be the root partition. Otherwise things don't seem to work right. After that, you can use the 16 entries any way you wish.

Configuration:

After installation and reboot, I found myself at a command prompt. OpenBSD doesn't have any fancy GUI stuff.
What OpenBSD does have is two things: a piece of email sent to root telling you what to do next, and an excellent checklist accessed via 'man afterboot'. 'man afterboot' told me how to set up my hostname.rl0 and hostname.vr0 files to enable my network cards, and to edit rc.conf to turn on various network services.

After that it was a case of reading the excellent set of 'man' pages that come with OpenBSD. The OpenBSD team has upgraded and enhanced the 'man' pages considerably over those that were released with *BSD only four years ago. 'man dhcpd' and 'man dhcpd.conf' told me how to set up a DHCP server for my internal network to take the place of the one that'd been provided by the Linksys. I made sure that my dhcpd.interfaces file listed only my internal interface. Having my DHCP server answer queries on the @Home network would have been a major goof!

'man ipf' and the examples in /usr/share/ipf/example.* showed me how to set up the packet filter. I double-verified that no DHCP requests from the outside world would ever get near my DHCP server by setting up a rule in /etc/ipf.rules that read:

    block in on rl0 proto tcp/udp from any to any port = bootps

I actually copied one of the example files ('very light firewall') and modified it with my network addresses, and also added block filters on common ports that the script kiddies scan, so that my system would appear to be a black hole to the most common port scans. All of this was helped by the excellent manual and examples.

Next I had to make my internal network talk to my external network, using NAT (Network Address Translation). 'man ipnat' told me how to do that. While I was at it, I also did a little bit of port forwarding, which I won't go into detail about here for obvious reasons.

Setting up the name server was a case of typing 'man named' and following directions to set up forward and reverse zone files for my internal network. OpenBSD ships with BIND4, which is adequate for this purpose.
They recommend upgrading to BIND8 if you want the capability to do secure zone transfers, which is recommended if you're setting up an externally visible domain (so that you can have an off-site secondary server without compromising things). I set up my ipf.conf to block off-site attempts to connect to the DNS server (I hope!).

Finally I set up 'sendmail' to masquerade my outgoing email to say it was coming from 'badtux.org', and to send it out through my local @Home mail server as the forwarder (since many recipients nowadays will not accept mail from a masquerading SMTP server, due to the spammer problem, sigh). 'sendmail' is, well, 'sendmail'. This was undeniably the most arduous part of the whole install, because I also had to set it up so it would accept mail from my internal domain and relay it. The difficulty with configuring 'sendmail' is not the OpenBSD project's fault, though -- the problem rests strictly with 'sendmail'. Perhaps the OpenBSD people could consider a more modern/efficient/etc. mailer for future releases, because 'sendmail' is showing its age, and there doesn't appear to be a reasonable way of fixing it.

Daily operations

There aren't any. It Just Works(tm). It just sits there, forwarding packets as configured, handling my internal name and DHCP services, etc. I do suggest checking the logs from time to time, but even that isn't really too critical, since OpenBSD 2.9 comes with a cron job set up that emails you the system stats from time to time. Check the email to make sure you're not running out of disk space and that none of your system files have been changed. Voila.

Conclusions

OpenBSD came secure out of the box, and is ridiculously simple to set up as a firewall router and DHCP/name server for a home network (well, ridiculously simple for anybody capable of operating /bin/vi and reading the f'ing manual). It runs on cast-off hardware with zest, and if your current network cards don't work with it, it works with the $15 Hawking cards that you can buy at Fry's Electronics. And it's not going to be hacked if you fall a few weeks behind on your updates because your primary job is something else. I give OpenBSD 2.9 my highest 5-star rating. It is a workhorse, plain and simple.
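The packet filter, NAT and port-forwarding pieces from the Configuration section above, pulled together as an added example of a complete two-file ruleset. This is not the author's own /etc/ipf.rules or /etc/ipnat.rules (he deliberately left his port forwarding out), and everything in it is an assumption for illustration: rl0 as the @Home side and vr0 as the LAN side follow the hostname files mentioned above, but the 192.168.1.0/24 LAN, the 192.168.1.10 web host and the list of dropped ports are made up. The syntax is IPFilter's, which is what OpenBSD 2.9 shipped; later releases replaced it with pf, so this does not load on a current OpenBSD. The two files are shown one after the other, each under its own header comment.

```conf
# /etc/ipf.rules  (IPFilter syntax as used by OpenBSD 2.9; constructed example)
#
# Assumed layout, not the author's real network:
#   rl0 = outside, address handed out by the @Home DHCP server
#   vr0 = inside,  192.168.1.1/24 on the firewall
#   192.168.1.10 = an inside web host, used to show port forwarding
#
# Without "quick" the LAST matching rule wins; with "quick" the first does.
# So: non-quick default denies first, then quick rules for what is allowed.

block in  log on rl0 all
block out log on rl0 all

# Loopback and the inside interface are trusted.
pass in  quick on lo0 all
pass out quick on lo0 all
pass in  quick on vr0 all
pass out quick on vr0 all

# Anti-spoofing: packets arriving from the cable side must not claim an
# inside, loopback or other private source address.
block in log quick on rl0 from 192.168.1.0/24 to any
block in log quick on rl0 from 127.0.0.0/8    to any
block in log quick on rl0 from 10.0.0.0/8     to any
block in log quick on rl0 from 172.16.0.0/12  to any

# The firewall is itself a DHCP *client* on rl0.  The server's reply arrives
# as a broadcast that does not match the state created by the outgoing
# request, so allow it explicitly (server port bootps -> client port bootpc).
pass in quick on rl0 proto udp from any port = bootps to any port = bootpc

# Our own DHCP server and name server exist only for the LAN.  Drop silently
# (no return-rst / return-icmp) so a scan sees a black hole, not a refusal.
block in quick on rl0 proto tcp/udp from any to any port = bootps
block in quick on rl0 proto tcp/udp from any to any port = domain

# Ports the script kiddies of the day scanned for; extend to taste.
block in quick on rl0 proto tcp/udp from any to any port = sunrpc
block in quick on rl0 proto tcp     from any to any port = 139
block in quick on rl0 proto tcp     from any to any port = 515
block in quick on rl0 proto tcp     from any to any port = 21
block in quick on rl0 proto tcp     from any to any port = 23

# Port forward (rdr line in ipnat.rules below).  ipnat rewrites the
# destination BEFORE the inbound filter runs, so the pass rule must name
# the inside host, not rl0's own address.
pass in quick on rl0 proto tcp from any to 192.168.1.10 port = 80 flags S/SA keep state

# Outbound from the firewall and from the LAN (the filter sees the LAN
# source addresses, because NAT rewrites outbound packets after filtering).
# keep state lets the replies back in without any "pass in" rule.
pass out quick on rl0 proto tcp  from any to any flags S/SA keep state
pass out quick on rl0 proto udp  from any to any keep state
pass out quick on rl0 proto icmp from any to any keep state

# ---------------------------------------------------------------------
# /etc/ipnat.rules  (separate file, loaded with ipnat(8); constructed example)
#
# 0/32 on the right-hand side means "whatever address rl0 has right now",
# which is what a cable connection with a DHCP-assigned address needs.
# The ftp proxy line lets active-mode FTP from the LAN work through NAT.
map rl0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map rl0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:20000
map rl0 192.168.1.0/24 -> 0/32

# Forward outside port 80 to the inside web host (assumed address).
rdr rl0 0.0.0.0/0 port 80 -> 192.168.1.10 port 80 tcp
```

Load the two files with `ipf -Fa -f /etc/ipf.rules` and `ipnat -CF -f /etc/ipnat.rules`, set `net.inet.ip.forwarding=1` in /etc/sysctl.conf so the box routes at all, and turn ipfilter and ipnat on in rc.conf so the rules come back after a reboot. `ipfstat -io` prints the inbound and outbound rules as the kernel parsed them, `ipfstat -s` the state table and `ipnat -l` the active translations; reading those back is the quickest way to catch a typo or a rule the parser silently merged. Two things in the ruleset are easy to get wrong: the bootps and domain drops are deliberately silent, since a `return-rst` would tell a scanner that something is listening, and the rdr pass rule names the post-rewrite inside address, which is why a rule written against rl0's outside address never matches.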
Created with PHP 4. Last modified Fri, 06 Dec 2002 10:27:39 -0500.