/etc/rc.conf will start services in daemon mode, while /etc/inetd.conf will allow connections on ports and pass control of the connection to whichever program is listed.

/etc/rc.conf is used to start a program in daemon mode, in which it listens on one or more specific ports for incoming connections.  This is used on servers that are expected to have a lot of connections to each enabled service.  /etc/inetd.conf, on the other hand, configures the inet daemon (inetd), which listens on many ports.  Any time a connection is made to a port listed in inetd.conf, inetd passes control of the connection to another program.  That program does not run in daemon mode and exits when the connection is closed.  Apache will be run as a daemon since it can handle many separate TCP connections per web page request.  FTP will be started via inetd, as each connection is unique and it is expected to be a low-volume service.

/etc/inetd.conf

#       $OpenBSD: inetd.conf,v 1.37 2000/10/11 13:31:16 deraadt Exp $
#
# Internet server configuration database
#
ftp             stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -llUS
#telnet         stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd -k
#shell          stream  tcp     nowait  root    /usr/libexec/rshd       rshd -L
#login          stream  tcp     nowait  root    /usr/libexec/rlogind    rlogind
#exec           stream  tcp     nowait  root    /usr/libexec/rexecd     rexecd
#uucpd          stream  tcp     nowait  root    /usr/libexec/uucpd      uucpd
#finger         stream  tcp     nowait  nobody  /usr/libexec/fingerd    fingerd -lsm
ident           stream  tcp     nowait  nobody  /usr/libexec/identd     identd -elo
tftp            dgram   udp     wait    root    /usr/libexec/tftpd      tftpd -s /tftpboot
#comsat         dgram   udp     wait    root    /usr/libexec/comsat     comsat

The first column is the port; for example, ftp listens on port 21, but the service name is used instead of the number.  Run cat /etc/services to see which services are known to the system.  Also, tcpwrappers could be used instead of the default programs listed from /usr/libexec; for more information, see this excellent article on hardening a BSD box.

The inetd.conf snippet above is all that's used on this system; everything below those lines has been commented out as well.  comsat is included as it may be turned back on at some point if webmail-type services are set up, but otherwise there isn't much else in there worth noting at this point.  Note that ftp is as insecure as telnet in many ways (both send credentials over the wire in the clear), so if you're concerned enough to only allow login via ssh, it may be worthwhile moving to scp as well.  Here again tcpwrappers may prove useful if allowing access to ftp and/or telnet only from within a private network.  Also be careful with the write permissions on a /tftpboot directory: if it isn't being used, don't create the directory at all, and comment the line out of inetd.conf.

/etc/rc.conf

#!/bin/sh -
#
#       $OpenBSD: rc.conf,v 1.53 2000/10/16 14:57:13 aaron Exp $

# set these to "NO" to turn them off.  otherwise, they're used as flags
routed_flags=NO         # for normal use: "-q"
sendmail_flags="-q30m"  # for normal use: "-bd -q30m"
smtpfwdd_flags=NO       # for normal use: "", and no "-bd" above.
named_flags=""          # for normal use: ""
timed_flags=NO          # for normal use: ""
ntpdate_flags=NO        # for normal use: NTP server; run before ntpd starts
httpd_flags="-DSSL"     # for normal use: "" (or "-DSSL" after reading ssl(8))
# Set to NO if ftpd is running out of inetd
ftpd_flags=NO           # for non-inetd use: "-D"
# Set to NO if identd is running out of inetd
identd_flags=NO         # for non-inetd use: "-b -u nobody -elo"
# set the following to "YES" to turn them on
ipfilter=NO
ipnat=NO                # for "YES" ipfilter must also be "YES"
#portmap=YES            # almost always needed
inetd=YES               # almost always needed
check_quotas=YES        # NO may be desirable in some YP environments
sshd=YES                # if YES, run sshd
# miscellaneous other flags
# only used if the appropriate server is marked YES above
ipfilter_rules=/etc/ipf.rules   # Rules for IP packet filtering
ipnat_rules=/etc/ipnat.rules    # Rules for Network Address Translation
ipmon_flags=-Ds                 # To disable logging, use ipmon_flags=NO
syslogd_flags=                  # add more flags, ie. "-u -a /chroot/dev/log"
named_user=named                # Named should not run as root unless necessary
named_chroot=/namedb            # Where to chroot named if not empty

This file has also been cropped a bit to show some specific steps.  Note first that this is a script file, basically setting up the environment for the system's own rc usage.  Routing is disabled, NAT is disabled, and ipf is going to be used, but isn't shown here.
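As an added example (not part of the original page), the following Python script parses both files discussed above and flags the configurations their own comments warn against: a service started as a standalone daemon from rc.conf while also listed in inetd.conf (so both would try to bind the same port), inetd handlers that run as root, and plaintext services.  The variable-to-service mapping and the sample file contents are constructed for the example.

```python
import re

# rc.conf variable -> inetd.conf service name, per the rc.conf comments above
RC_TO_INETD = {"ftpd_flags": "ftp", "identd_flags": "ident"}
# Services whose credentials cross the wire in the clear
PLAINTEXT = {"ftp", "telnet", "shell", "login", "exec"}

def parse_inetd(text):
    """Return {service: (user, program)} for each active (uncommented) line."""
    active = {}
    for line in text.splitlines():
        fields = line.split()  # skip comments; real entries have >= 6 fields
        if len(fields) >= 6 and not fields[0].startswith("#"):
            active[fields[0]] = (fields[4], fields[5])
    return active

def parse_rc_conf(text):
    """Return {var: value} for the shell assignments in rc.conf ("NO" = off)."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r'^\s*([A-Za-z_]\w*)=("[^"]*"|\S*)', line)
        if m:
            settings[m.group(1)] = m.group(2).strip('"')
    return settings

def check(inetd_text, rc_text):
    """List configurations the two files' own comments warn against."""
    inetd, rc = parse_inetd(inetd_text), parse_rc_conf(rc_text)
    findings = []
    for var, svc in RC_TO_INETD.items():
        if rc.get(var, "NO") != "NO" and svc in inetd:
            findings.append(f"{svc}: started from both rc.conf ({var}) and inetd")
    for svc, (user, prog) in inetd.items():
        if user == "root":
            findings.append(f"{svc}: {prog} runs as root from inetd")
        if svc in PLAINTEXT:
            findings.append(f"{svc}: plaintext protocol, prefer ssh/scp or restrict with tcpwrappers")
    return findings

# Constructed samples: the page's active inetd lines, plus an rc.conf that wrongly also starts ftpd
SAMPLE_INETD = """\
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd   ftpd -llUS
#telnet stream  tcp     nowait  root    /usr/libexec/telnetd telnetd -k
ident   stream  tcp     nowait  nobody  /usr/libexec/identd identd -elo
"""
SAMPLE_RC = """\
ftpd_flags="-D"         # should be NO while ftpd runs out of inetd
identd_flags=NO
inetd=YES
"""
```

Run check(SAMPLE_INETD, SAMPLE_RC) to see the three findings; setting ftpd_flags=NO in the sample removes the double-start warning.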

Created June 15, 2001