Dear All,

May I know what is the method to lock down/harden openbsd 5.7?


Currently, I had implemented several approaches like following.

1.No direct root login from terminal
2.No remote login approaches including ssh or telnet. I had rename the config file.
3.Remove unnecessary user or groups

Please help to expand the list. Thanks.

OpenBSD is hardened out of the box ("secure by default"). So you're probably wasting time and effort.

http://www.openbsd.org/security.html

Have a look at kern.securelevel. but if you up it from the default without understanding what you're doing and why, you're only going to cause yourself unnecessary grief.

Yes direct root login is dangerous and unnecessary, but on a single user desktop outside of a production/enterprise environment, it's not really an issue. Use sudo(8) (or doas(1) for -current or 5.8-release) if you prefer.

If you don't need sshd, disable it in /etc/rc.conf.local, if you do then it should already be configured properly "out of the box" (rather than allowing root login by default as is the case with some OS).

http://www.openbsd.org/openssh/faq.html

If you're building ports, don't do the whole build as root, add your user to the wsrc group and set up sudo. http://www.openbsd.org/faq/faq15.html#PortsConfig (and set up a read only ports tree).

Better still: use binary packages, as there isn't likely to be any advantage to building ports yourself (unless you're running -stable?).

I'm admit that OpenBSD was secure by default but still there must be area that I'm missed out to harden it further.

No x window server.
No preallocate port from range 49951 - 65535 using sysctl.
Enforce maxproc.
Enforce file descriptors
Install root kit hunter

What makes you think you must have missed something?

pf.conf could be more restrictive.

Remove as many programs as you can also.

Apply all security patches.

Yes, I had applied all security patches. Thanks for remind.