> Turning this into a learning experience: Does anyone have
> any hints or advice about hardening OpenBSD for shell
> accounts. Do people tweak things other than the login.conf
> settings? I have to deal with student shell accounts where
> students are learning to program and often create problems by
> accident.
Well, in a non-disto specific way, I have a couple that we use,
if your interested:
A) Process daemon checking, in 30 minute increments specifically for:
- Processes using 80+% CPU
- Processes over the set quota for that user (config file sets them
per login)
- Processes spawning 'sleep' consistently
- A process with the same name, but a different ID, using the high
resources.
In all cases, the first time it sees the problem, its logged. The
next time it is run, it loads that array, and if it sees it still
going on, it sends the process a KILL. So in essence, they must do
it for more then 30 minutes. Never seems to nail GCC or anything
like that.. Since it changes ID's and names with each file.
B) Limit outgoing access to IRC servers.. Usually 6666 and 6667 - many
time someone puts in PHPBB or some such garbage, and it gets cracked.
The uploaded executables tend to connect to IRC servers to be used
as DDOS bots, or spam bots.
C) Limit appropriately with login.conf as suggested - specifically
stack size, coredumpsize, number of processes, and number of
fd's
D) Put each user it their own group, and make the user, the web server,
and the email server a member of it. Then you can set it as only user
and group rwx, and not have folks surfing around in the directories
grabbing others files. May want to do the same thing with config files.
We generally as I had said - use linux, which gives us GRSec, and XATTR
for this .. But a least access policy to system configuration files is
probably a safe bet, even if only done with the usual user/group
mechanism.
E) Put it on a 10Mbps port :) Stops too much damage is someone launches an
attack from it.
F) Implement login.access, and hosts.allow lists, controlled by a unix
command, to limit specific IP's to accessing the machine at all, on
priv. Ports, or using other peoples login ID's. Seems to keep unknowns
from getting on the box mostly (barring social engineering :) because
they need a user, a password, AND to be from the right ISP.
G) Not sure if OpenBSD might have an equivalent to Linux OOM Killer.. But
this has saved the box before, when things get out of control very
quickly. I try not to use limits, because it slows compiling to crap :(
We do some other things too, if you want some details, drop me an offlist
Email :)
-D.
