n3s0 || journal

OpenBSD Initial Virtual Private Server Baseline

Posted on 3 mins

OpenBSD Checklists Infrastructure

Summary

These are just some notes for common steps I perform after adding a server to a Virtual Private Server provider. Intended to act as a baseline. Documented so I have the steps for future use.

Apply Updates

Update the packages on the server.

pkg_add -u

Apply any available patches.

syspatch

Accounts

Update the password for root using the passwd(1) command. On VPS providers they have one generated automatically.

passwd root

Create a group for the user.

groupadd tloftus

Create a new user on the system using the following command(s). I don’t use root unless I need to. Once it’s created. I’ll set the password for the user using the passwd(1) command and generate the SSH keys for it.

useradd -d /home/username -m -c "Full Name" -g <username> \ 
  -G wheel -k /etc/skel -L staff -s /bin/ksh <username>

Configure doas. Generally I copy the base configuration from the examples and put it in the default path.

cp /etc/examples/doas.conf /etc/doas.conf

I change the following line so wheel is permitted for elevated privileges.

permit persist :wheel

SSH Configuration

For both the root and added user I generate the appropriate ssh(1) keys while logged into both accounts using the following command.

ssh-keygen -t ed25519

Edit the sshd_config file with the following values. Make sure to search for them in the text editor. I generally expect to

PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no

Install Needed Applications

Some apps that I use on a regular basis. Just so the environment is the same across all of my servers. Additional packages needed for the server will be installed later.

pkg_add vim curl htop rsync

Firewall Configuration

For any Internet server I configure my firewalls to block traffic by default and then allow/pass traffic in/out after the fact.

The command below is the baseline configuration that comes with the system and provides suitable defaults.

cp /etc/examples/pf.conf /etc/pf.conf

Below are the additional lines I add to the pf.conf(5) file.

block log all 
pass in log proto tcp to port 22
pass out log inet proto icmp icmp-type echoreq
pass out log proto udp to port { 53 123 }
pass out log proto udp to port 33433 >< 33626
pass out log proto tcp to port { 22 53 80 123 443 }

Interface, Server Name, & DNS

Server name, DNS, and interface configurations.

General rule of thumb for me is to set the static interface for any server unless I know DHCP is configured with the settings I need.

Below is baseline the configuration for/etc/hostname.int. Where .int represents the name of the interface being configured.

inet <IP Address> <Subnet> NONE description "Purpose (int name)"
up

Baseline configuration for /etc/mygate. This is the gateway to the Internet.

<Gateway IP Address>

Baseline configuration for /etc/myname. Provides the full name of the host.

hostname.domain.tld

Baseline configuration for /etc/hosts. I generally add the IPv4 address and hostname to the server for this.

127.0.0.1	hostanme
::1		    hostname

10.238.164.240	hostname.domain.tld hostname

Baseline configuration for /etc/resolv.conf. This kind of stuff changes sometimes. At a minimum it has the following configuration.

nameserver 1.1.1.1
lookup file bind
``

## End Notes

These are notes for my base configuration for OpenBSD servers/machines
that are facing the Internet. As time goes on I'll be adding more things
that may assist in configuring and/or securing these in the future.