> Turning this into a learning experience: Does anyone have > any hints or advice about hardening OpenBSD for shell > accounts. Do people tweak things other than the login.conf > settings? I have to deal with student shell accounts where > students are learning to program and often create problems by > accident.
Well, in a non-disto specific way, I have a couple that we use, if your interested: A) Process daemon checking, in 30 minute increments specifically for: - Processes using 80+% CPU - Processes over the set quota for that user (config file sets them per login) - Processes spawning 'sleep' consistently - A process with the same name, but a different ID, using the high resources. In all cases, the first time it sees the problem, its logged. The next time it is run, it loads that array, and if it sees it still going on, it sends the process a KILL. So in essence, they must do it for more then 30 minutes. Never seems to nail GCC or anything like that.. Since it changes ID's and names with each file. B) Limit outgoing access to IRC servers.. Usually 6666 and 6667 - many time someone puts in PHPBB or some such garbage, and it gets cracked. The uploaded executables tend to connect to IRC servers to be used as DDOS bots, or spam bots. C) Limit appropriately with login.conf as suggested - specifically stack size, coredumpsize, number of processes, and number of fd's D) Put each user it their own group, and make the user, the web server, and the email server a member of it. Then you can set it as only user and group rwx, and not have folks surfing around in the directories grabbing others files. May want to do the same thing with config files. We generally as I had said - use linux, which gives us GRSec, and XATTR for this .. But a least access policy to system configuration files is probably a safe bet, even if only done with the usual user/group mechanism. E) Put it on a 10Mbps port :) Stops too much damage is someone launches an attack from it. F) Implement login.access, and hosts.allow lists, controlled by a unix command, to limit specific IP's to accessing the machine at all, on priv. Ports, or using other peoples login ID's. Seems to keep unknowns from getting on the box mostly (barring social engineering :) because they need a user, a password, AND to be from the right ISP. G) Not sure if OpenBSD might have an equivalent to Linux OOM Killer.. But this has saved the box before, when things get out of control very quickly. I try not to use limits, because it slows compiling to crap :( We do some other things too, if you want some details, drop me an offlist Email :) -D.