On Tue, Mar 07, 2006 at 11:42:23PM -0500, Peter wrote:
> Hi. I've set up several firewalls with OpenBSD but I have yet to go to
> any extremes regarding "hardening". So far I have updated the source
> (stable), recompiled the system & kernel, removed the source code,
> turned off inetd, and set up a tight pf.conf. I have been reading up
> on an interesting strategy of removing tons of executables, storing
> them on a cd, and setting up symlinks to the cd mount point so they can
> be accessed when needed.
>
> My firewall will be providing internet access (NAT) to a small office
> lan (not mine).
>
> What strategies are others using in this area?
As mentioned, restrict sshd(8). Ideally, turn it off, but that's not
usually necessary/possible.

Depending on how far you're willing to deviate from base, some other
tricks:

1. Use sudo exclusively - set an empty or nonsense root password.

2. Use public key authentication only for sshd(8), and restrict which
   users can log in.

2a. If you really need something password-like, use S/KEY.

2b. If neither is feasible, audit the passwords (use John the Ripper
    for existing passwords; some schemes exist to act when setting new
    passwords).

3. Restrict the use of ports, and research the security of a program
   before installing. mail/postfix is unlikely to open too many holes;
   www/php5 is best left alone, if security is the goal [1].

4. Audit suid/sgid executables - quite a few are not needed on a
   minimalist system, but again - breaking stuff will lead to other
   stuff breaking. (Where 'audit' will typically mean 'remove any that
   are not needed' - the other end, a full source audit, is very, very
   time-consuming and difficult.)

5. Monitor the appropriate lists (did you know about the pf DoS
   problems in 3.8-rel? They are not in the patches, and very unlikely
   to cause trouble, but it's good to know what not to do).

Actually, regarding 1 - I find myself wondering whether logging in as
root, where no suspicious stuff in my own account can reach me, is not
preferable to using sudo (which is trivially subverted with a single
line in .profile). Does anyone have a good opinion on this? (Yes, I
know that root is not to be used for trivial matters, and yes, I know
when to log out.) Of course, sudo does have the invaluable side effect
of producing quite informative log files.

Removing (non-s*id) binaries and sources, while annoying to an
attacker, is also quite annoying to the system administrator and will
not stop a knowledgeable attacker anyway.

Joachim

[1] Of course, PHP is quite often impossible to avoid - it *is* the
    biggest in what it does, after all.
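As an added example that is not part of the original thread, the script below turns two of Joachim's items into checks an administrator can run: item 2 (public-key-only sshd(8) with a restricted user list) becomes a review of an sshd_config file, and item 4 (audit suid/sgid executables) becomes a listing of set-id files under a directory. The function names are made up for this example, and make_fixtures writes constructed sample files so the script runs without reading /etc or scanning a live system. The one fact it relies on is from sshd_config(5): for each keyword, the first obtained value wins.

```shell
#!/bin/sh
# Added example, not code from the original thread.
#   check_sshd_config FILE  - reviews FILE against the "public key only,
#                             restricted users" advice (item 2 above)
#   list_setid DIR          - lists setuid/setgid files under DIR, the starting
#                             point for the suid/sgid audit (item 4 above)
#   make_fixtures DIR       - writes constructed sample files for a dry run
# All function names are hypothetical; the sample configs are constructed.

# First effective value of an sshd_config keyword. sshd_config(5): the first
# obtained value for a keyword wins, so later duplicates are ignored here too.
# Keywords are case-insensitive; comment and blank lines are skipped.
# Assumption: no Match blocks (a setting inside one would be read as global).
sshd_value() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[ \t]*(#|$)/     { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Record one finding for the config currently under review.
flag() { echo "$cfg: $1"; findings=$((findings+1)); }

# Report directives that still permit password-style or root logins, or leave
# the set of accounts allowed to log in unrestricted. An absent directive is
# taken at its permissive default (the conservative assumption for an audit;
# OpenSSH's defaults have changed across releases). Returns 0 when clean.
check_sshd_config() {
    cfg=$1
    findings=0
    pw=$(sshd_value "$cfg" PasswordAuthentication);          : "${pw:=yes}"
    cr=$(sshd_value "$cfg" ChallengeResponseAuthentication); : "${cr:=yes}"
    pk=$(sshd_value "$cfg" PubkeyAuthentication);            : "${pk:=yes}"
    rl=$(sshd_value "$cfg" PermitRootLogin);                 : "${rl:=yes}"
    au=$(sshd_value "$cfg" AllowUsers)

    [ "$pw" = no ]  || flag "PasswordAuthentication is '$pw' (want no)"
    [ "$cr" = no ]  || flag "ChallengeResponseAuthentication is '$cr' (want no unless S/KEY is in use)"
    [ "$pk" = yes ] || flag "PubkeyAuthentication is '$pk' (want yes)"
    [ "$rl" = no ]  || flag "PermitRootLogin is '$rl' (want no: log in as a user, then sudo)"
    [ -n "$au" ]    || flag "no AllowUsers line, so any account may log in"

    [ "$findings" -eq 0 ]
}

# Regular files below DIR with the setuid (4000) or setgid (2000) bit set.
# On a real host run it against / as root and diff the list against a saved
# baseline; anything not needed is a candidate for chmod u-s,g-s.
list_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Constructed fixtures (not real configs): a stock-looking sshd_config with
# everything at default, a hardened one, and one file carrying the setuid bit.
make_fixtures() {
    dir=$1
    mkdir -p "$dir/bin"
    cat > "$dir/weak.conf" <<'EOF'
# constructed: defaults only, the commented line is inert
Port 22
#PermitRootLogin yes
Subsystem sftp /usr/libexec/sftp-server
EOF
    cat > "$dir/hardened.conf" <<'EOF'
# constructed: what item 2 asks for; the trailing duplicate is ignored
# because sshd keeps the first value it reads
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers peter
PasswordAuthentication yes
EOF
    printf '#!/bin/sh\necho plain\n' > "$dir/bin/plain"
    printf '#!/bin/sh\necho setid\n' > "$dir/bin/setuid-demo"
    chmod 0755 "$dir/bin/plain"
    chmod 4755 "$dir/bin/setuid-demo"   # setuid bit, as a find(1) target only
}

# Stand-alone dry run on the constructed fixtures.
demo=$(mktemp -d)
make_fixtures "$demo"
echo "== weak.conf";     check_sshd_config "$demo/weak.conf" || true
echo "== hardened.conf"; check_sshd_config "$demo/hardened.conf" && echo "clean"
echo "== set-id files";  list_setid "$demo"
rm -rf "$demo"
```

The dry run reports four findings for the stock-looking file (PubkeyAuthentication is already on by default, so it is not flagged), none for the hardened one, and exactly one set-id file. Against a real firewall, point check_sshd_config at /etc/ssh/sshd_config and list_setid at /, and keep the set-id list under version control so a new entry stands out.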