LinkedIn Sourceforge Twitter

Vincent's Blog

Pleasure in the job puts perfection in the work (Aristote)

Hardening your openbsd machine.

Posted on 2018-07-13 12:42:00 from Vincent in OpenBSD Firewall

You have selected OpenBSD because this is one of the most secured OS (maybe the most secured :-) ), but people around you ask to go further. Your current machine is directly facing internet and some people fear that this machine could be compromised. In this blog I will explain what I did to secure one of my machine.

I know that based on standard parameter OpenBSD is already very strong and can correctly react to most of the attacks. But some people are willing more. My proposition here is to put the whole system read-only.


In fact, you don't have to deviate from the standard setup of OpenBSD.
Just install it as you usually do. Install the applications you need and configure them.
Once your setup correspond to your needs, just put the whole machine in read-only.

Putting the system readonly.

Edit your /etc/fstab and replace "rw" by "ro" on each line except /tmp and /var.
For more security, I also add "noexec" on /home, /var and /tmp. So applications installed by hazard there will not be able to be started.
Because /dev is a special folder and because "/" is now readonly, I create a memory filesystem with /dev. In this case I allocate 32MBRam to it.

In my case the whole fstab file looks like this:

81379a06de1dd84a.b none swap sw
81379a06de1dd84a.a / ffs ro 1 1
81379a06de1dd84a.k /home ffs ro,nodev,nosuid,noexec 1 2
81379a06de1dd84a.d /tmp ffs rw,nodev,nosuid,noexec 1 2
81379a06de1dd84a.f /usr ffs ro,nodev 1 2
81379a06de1dd84a.g /usr/X11R6 ffs ro,nodev 1 2
81379a06de1dd84a.h /usr/local ffs ro,nodev,wxallowed 1 2
81379a06de1dd84a.j /usr/obj ffs ro,nodev,nosuid 1 2
81379a06de1dd84a.i /usr/src ffs ro,nodev,nosuid 1 2
81379a06de1dd84a.e /var ffs rw,nodev,nosuid,noexec 1 2
swap /dev mfs rw,-P=/dev,-s=32m 0 0

How to put back a filesystem in read-write mode ?

You can always put back a filesystem in read-write thanks to the mount command. For example to put back /home in read-write:

# mount -uw /home

Once files adapted to you can put it back in read-only mode by doing:

# mount -ur /home

For sure, you have to be root for that.
Up to you to configure /etc/doas.conf for specific needs.
In the following example, I allow the user "vi" to execute the mount command.

permit persist vi as root cmd /sbin/mount


Protecting your machine like this generate several caveats:
- you have to mount read-write and mount read-only before and after each manipulation
- you have to understand which filesystem you have to mount read-write (f.e. if you do a pkg_add).
- your /etc/random.seed file is not updated during the shutdown process.

Concerning this last aspect, don't be afraid, this /etc/random.seed file is regenerated during the boot process.
But if you really want to avoid this trouble during the shutdown process, you can create the following /etc/rc.shutdown file:

echo "mount / read-write"
mount -uw /

Since this file will be executed just before the real shutdown process, your /etc will be read-write like in a normal setup and the shutdown process will be smoothly executed.

On which machine to use it ?

Best is to implement such feature on your firewalls or internet facing machines.

But for the demonstration I do it on my laptop too. And it works very well ;-). In this case, I have to put /home in read-write because several applications are writing in different folders: ~/.config for example.


If some persons are scared that even OpenBSD could be hacked, this simple precautions will add extra difficulties to attackers willing to corrupt your machine.
A good PF configuration combined to this read-only setup will reduce the probability that you will have troubles on your critical machine.
If this is not yet enough, you can setup a tool like log2table to detect and block your attackers before they enter on your machine.
Like with an onion, those protections are shields protecting your machine. More you have, better you are protected and more are comfortable people around you (customers, managers, ...).

34, 31
displayed: 6462

1. From Andrew on Thu Aug 16 02:34:48 2018

Love the fstab file. Unfortunately, vi can be "shelled out of". To replicate: 1. doas vi 2. :shell 3. whoami

2. From Vincent on Thu Aug 16 04:25:44 2018

Hello Andrew. Not sure i understand correctly your remark. I would just emphasis that "vi" is my userid. This explain the doas conf entry I propose.

3. From Andrew on Tue Aug 21 09:17:01 2018

Humble apologies. You are correct. I thought "vi" was the command. Eyeballed my configuration and it is the same. Please keep posting :-)

What is the first vowel of the word Moon?