-
Notifications
You must be signed in to change notification settings - Fork 0
/
openbsd_notes
156 lines (103 loc) · 5.88 KB
/
openbsd_notes
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
====================================================================================================================================
OPENBSD NOTES
====================================================================================================================================
for openbsd add the following to /etc/pkg.conf
installpath = ftp://mirrors.syringanetworks.net/pub/OpenBSD/%c/packages/%a
====================================================================================================================================
And set networking with /etc/hostname.<interface>
inet 172.16.0.1 255.240.0.0
====================================================================================================================================
To check out source code: http://www.bsdnow.tv/tutorials/patching-obsd
Learn about man page authoring: man mdoc
Create a patch: cvs diff a_file.c > mypatch.diff
====================================================================================================================================
Set prompt in .kshrc file. Pick with working directory but remove ! which is the command count.
====================================================================================================================================
Stop brute force ssh attacks.
https://www.crummylogic.com/wordpress/?p=325
1. add to /etc/pf.conf
table <abuse> persist
2. add to /etc/pf.conf
pass in on em2 inet proto tcp from any to (em2) port ssh flags S/SA keep state (max-src-conn-rate 5/15, overload <abuse> flush)
3. add to /etc/pf.conf
block in from <abuse>
4. restart pf
pfctl -f /etc/pf.conf
5. Check for failed logins. Set at 5 in 15 minutes from same IP.
doas pfctl -t abuse -T show
====================================================================================================================================
Check for failed ssh logins.
doas grep sshd.\*Failed /var/log/authlog
====================================================================================================================================
Set a warning banner by updating sshd_config with the following line:
Banner /etc/issue
Sample /etc/issue file:
----------------------------------------------------------------------------------------------
You are accessing a XYZ Government (XYZG) Information System (IS) that is provided for authorized use only.
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+ The XYZG routinely intercepts and monitors communications on this IS for purposes including, but not limited to,
penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM),
law enforcement (LE), and counterintelligence (CI) investigations.
+ At any time, the XYZG may inspect and seize data stored on this IS.
+ Communications using, or data stored on, this IS are not private, are subject to routine monitoring,
interception, and search, and may be disclosed or used for any XYZG authorized purpose.
+ This IS includes security measures (e.g., authentication and access controls) to protect XYZG interests--not
for your personal benefit or privacy.
+ Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching
or monitoring of the content of privileged communications, or work product, related to personal representation
or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work
product are private and confidential. See User Agreement for details.
----------------------------------------------------------------------------------------------
Above is standard sample, consult your legal team for exact user agreement and legal notice details.
====================================================================================================================================
#######################################
# ~/.profile
#######################################
# $OpenBSD: dot.profile,v 1.4 2005/02/16 06:56:57 matthieu Exp $
#
# sh/ksh initialization
PATH=$HOME/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin:/usr/games:.
export PATH HOME TERM
alias ll='ls -saloFT'
###END###
#######################################
# ~/.cwmrc
#######################################
bind CS-b /usr/local/bin/firefox
bind CS-o /usr/local/bin/libreoffice
###END###
#######################################
# ~/.Xdefaults
#######################################
! $OpenBSD: dot.Xdefaults,v 1.3 2014/07/10 10:22:59 jasper Exp $
XTerm*loginShell:true
XTerm*background:black
XTerm*foreground:green
XTerm*faceName:Terminus
XTerm*faceSize:10
###END###
#######################################
# ~/.xsession
#######################################
cwm
###END###
#######################################
# Installing from a USB thumb drive
#######################################
To install OpenBSD using a USB thumb drive.
Step 1: Download the install<version>.fs, also depicted as install*.fs, file
from http://ftp.openbsd.org/pub/OpenBSD/<version>/<architecture> or from the
closest mirror.
Step 2: Verify the SHA256 signature. Look for the file SHA256. Run the SHA256SUM
on the file and compare with the number listed in the SHA256 file.
sha356sum install*.fs
Step 3: Validate the cryptographic signature using signify program. If on Ubuntu
you can install signify-openbsd (apt-get install signify-openbsd). The .pub key is
found in the CVS. You can browse it at: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/etc/signify.
The SHA256.sig file is in the same directory where you downloaded the install60.fs file.
Then run command:
signify-openbsd -Cp ./base_key.pub -x SHA256.sig install60.fs
Step 4: Copy the install60.fs to the USB drive using dd command. The following assumes
the USB device is at /dev/rsd6c. See my other post on mounting microSD.
dd if=/location/install*.fs of=/dev/rsd6c bs=1m
###END###