openbsd server

Embed Doc
Copy Link
Readcast
Collections

CommentGo Back

Download

openbsd server

•

•

2 crypt harddisk

•

3 harden the installation

o

o

3.2 clear console on logout

o

3.3 lockdown single user mode

•

4 dsl-router and firewall

o

4.1 dsl connection

o

o

4.3 dns server bind

o

•

5 server: nfs, dhcp and ntp

o

o

o

•

6 isakmpd (ipsec-wlan)

•

o

7.1 configure postfix

o

7.2 dovecot imap-server

o

7.3 procmail and fetchmail

•

•

9 cvs-server and mirror

o

o

9.2 use repository

o

9.3 mail on commit

o

9.4 openbsd mirror with cvsync

•

10 subversion-server

o

10.1 subversion-server

o

10.2 use repository

•

11 oamp - openbsd apache mysql php

o





11.1.2 mod_perl

o

11.2 mysql server

o



11.3.1 phpldapadmin

•

o

o

•

13 install additional stuff

o

13.1 mergemaster

o

o

o

o

o

o

o

•

read the very good manpage:

•

# man afterboot

..* add the following line to enable linux kernel-emulation:: .. .. kern.emul.linux=1

•

edit fstab and add options softdep all partitions

•

create cdrom and floppy entries in /etc/fstab:

•

# mkdir -p /mnt/dvd; mkdir -p /mnt/floppy

•

# vi /etc/fstab

••

/dev/cd0a /mnt/dvd cd9660 ro,nodev,nosuid,noauto 0 0

•

/dev/fd0a /mnt/floppy msdos rw,nodev,nosuid,noauto 0 0

•

don't use inetd:

•

# echo "inetd=NO" >> /etc/rc.conf.local

•

add an user:

•

# adduser

•

edit /etc/sudoers:

•

# visudo

••

# Uncomment to allow people in group wheel to run all commands

•

%wheel ALL=(ALL) ALL

•

install ports tree:

•

# cd /tmp

•

# ftp ftp://ftp.openbsd.org/pub/OpenBSD/VERSION/ports.tar.gz

•

# cd /usr

•

# tar xzvf /tmp/ports.tar.gz

•

create a directory for scripts# mkdir /usr/local/src/ # mkdir /usr/local/src/scripts # cd /root/ # ln -s/usr/local/src/scripts

2 crypt harddisk

•

cgd is obsolete, use vnconfig

•

create an image file on the whole mounted partition:

•

# nice dd if=/dev/prandom of=/mnt/my_partition/encrypted bs=512

•

configure

svnd0

(set password):

•

# vnconfig -cvk svnd0 /mnt/my_partition/encrypted

•

create a filesystem on

svnd0c

:

•

# newfs /dev/svnd0c

•

# mkdir /my_partition

•

edit

/etc/rc.local

insert at the end of this file:

•

# svnd addition

•

echo 'mounting crypted disks:'

•

for count in First Second Last

•

do

•

wrong_pw="NO"

•

echo -n "$count try /my_partition - "

•

/usr/sbin/vnconfig -u svnd0 >/dev/null 2>&1

•

/usr/sbin/vnconfig -k svnd0 /mnt/my_partition/encrypted

•

mount /dev/svnd0c /my_partition && break

•

wrong_pw="YES"

•

done

•

if [ "X${wrong_pw}" != X"NO" ]; then

•

echo "Password 3 times wrong."

•

else

•

echo "Successful."

•

/usr/bin/midiplay -x -t 200

•

fi

•

unset wrong_pw

3 harden the installation

•

do not permit root-login and let sshd listen on another port in

/etc/ssh/sshd_config

:

•

Port 2222

•

PermitRootLogin no

•

maybe change firewall-rules to open 2222 instead of ssh default 22

•

for working cvs over ssh - maybe add

PORT=2222

on clients in

~/.ssh/config

3.2 clear console on logout

•

edit

/etc/gettytab

:

•

P|Pc|Pc console:\

•

:np:sp#9600:\

•

:cl=\E[H\E[2J:

3.3 lockdown single user mode

of 00

Leave a Comment