| |||||
Basic OpenBSD InstallationStarting the Install / PartitioningThese instructions have been updated to cover OpenBSD 2.9. No install prompt changes were noticed between 2.9 and 3.0, except version related numbers. If however, in a 3.0 install, no DNS server is provided or the DNS server is not used during the install, network configuration files are not properly set up. Either not having or not using a DNS server during the install appears to create conditions that prevent Sendmail from delivering even the local mail that is the installation default. This is discussed more fully under network configuration and a tentative fix is discussed with sendmail on the page that discusses services. I would not do the work described on the following pages on an older version of OpenBSD. As a practical matter, you're likely to get a more secure system with much less work from a default install of the current system than trying to harden an older version. Once a new version becomes available, apply the suggestions from these pages, to the new version even if these pages are not yet updated. As a point of reference, all the OpenBSD systems I've built, have been OpenBSD 2.6, 2.7 , 2.8, 2.9, and 3.0 on PIII 500 and Celeron 533, generic white box clones. They have all been IDE only, with one or two 10/100 network cards. These are not anyone's idea of contemporary server hardware but they are more than adequate for firewalls and web servers connected by a T1 or SDSL line. Unless such a web server does a huge amount of disk intensive database type access building dynamic pages, a T1 line will be saturated before the IDE interface and the CPU is very unlikely to be the limiting resource. The only steps that are hardware specific are some kernel options disabled when building a custom kernel. Most of my computer cases now have removeable hard drive bays that let me swap hard disks in a few seconds. Depending on what's where, I typically have three to six working OpenBSD systems and have long since lost track of how many installs I've done. Most have applied the techniques described in these pages in varying degrees. When you have a computer that is ready for OpenBSD, put the OpenBSD boot / install floppy and the install CD ROM in their drives and boot from the floppy. The official CD ROM is bootable if your PC's bios supports it. If you need help creating a boot floppy see Creating bootable OpenBSD install floppies. The first prompt is for "(I)nstall, (U)pgrade, (S)hell?". We are only doing installs so type 'i' and press Enter. You're then prompted for terminal type and root disk. I've always used the defaults. When prompted "Do you want to use the entire hard disk for OpenBSD? [no]" change the default no to yes, i.e., type a 'y' and press enter. Hardening as described here is labor intensive. Though it's desirable to harden any system connected to the Internet, the measures described are excessive for anything but a full time Internet server. Full time Internet servers are not built on dual boot systems. Your first significant choices come when you get the > prompt of the disk partitioning program. At the > prompt type a 'p'. (Press Enter after each of the commands shown here and don't type the quotes.) You will see the current partioning information. If no partition information has been entered, you will see a c partition with the total disk size. The c partition is reserved. To add a partition type 'a' and the letter for the partition. Typically you will start with the 'a' partition so type 'a a' at the > prompt. This will become wd0a on an IDE drive or /dev/wd0a. A SCSI disk will be sd0a or /dev/sd0a. The root partition ("/") is normally mounted on wd0a. If you create separate partitions for the major file systems, the basic OpenBSD 2.9 install places less than 20MB in the root partition so it can be quite small. With today's huge hard disks, I typically make partitions at least two to four times the minimum necessary size. After entering the "a a" you will get a series of prompts. I normally use all defaults except mount point and partition size. As I said, / is normally mounted on wd0a. If you want a 64MB partition you can type '64m' or '64M' as the size. You could allocate nearly the entire hard disk to /. Though this is very flexible, it's not considered good practice as it increases the risk of filesystem damage and makes it harder to recover the system if there is filesystem damage. Using a single large partition also limits the mount options that can be applied to different areas. Mount options that may enhance security are discussed later. The b partition is normally the swap partition. After typing "a b" you only need to give the partition size as the b partition defaults to the swap type. Typically this is at least as large as physical memory; I normally make swap partitions twice the memory size if that is practical. If you try "a c" you'll get an error message. Continue with 'd' which will become wd0d or /dev/wd0d (or sd0d for SCSI disks). I typically create file systems for /home, /tmp, /usr and /var. This leaves /bin, /dev, /etc, /root and /sbin in / and these are included in the under 20MB size for the root partition. If you're going to add a lot of third party programs a /usr/local might be a useful additional partition. If you use the partitions suggested here, /home and /tmp will be empty, /usr will be close to 120MB and /var will start with several megabytes at the completion of the basic install. The system (kernel) source code will add somewhat less than 70MB to /usr/src/sys if a custom kernel is to be built. This can be reduced by about 30MB by removing source not applicable to your platform from the /usr/src/sys/arch directory. Since /var gets system log files and certain automated backups provided by OpenBSD it can grow quickly. I also typically add a significant number of custom logs and online backups in /var/local. /var is normally my largest partition. I like a large (2GB or more depending on available disk space) /tmp partition for work space for occasional full system backups and other big temporary files. Since /var will be my largest file system and I have in the past, used all space not already allocated to other partitions, I do /var last and take the default size which is all the remaining disk space. Partition letters do not need to be allocated sequentially or contiguously. Recently I've gotten huge (to me) 40GB disks and switched /var and /tmp around and sometimes not partitioned all the space. You can try to anticipate your system disk usage and allocate all your available disk space or you can leave some unpartitioned. Unfortunately, you cannot add space to a partition once it's created. You can add new partitions with mount points inside of an existing file system. For example, suppose /usr is filling up and much of this is in /usr/local. You could tar /usr/local, erase the contents of /usr/local, create a new partition with a mount point of /usr/local and restore the contents from the tar. /usr would have back the space erased from /usr/local and the new /usr/local would be whatever the new partition size was. Until recently, I've prefered to allocate all available disk space. If you get it wrong, all is not lost. If you follow the procedures described later, you will create a CD-R disk that will serve as an install / recovery disk. This can be used to restore the finished system configuration over a disk that you repartition after you learn how disk use is actually growing. At today's prices, having at least one CD-R drive available in any business and most homes, makes good sense. As disk prices have plummeted and drive sizes climed, the smallest disk I can buy today is much larger than I need. If a system crashes when it reboots, the system will check the integrity of filesystems that were mounted and writeable at the time of the crash. This time increases as the filesystem size increases. If a disk is much larger than you need, it might be better to leave a large unpartioned area for future use and to save time on these rare forced reboots. (Even if OpenBSD is very stable, and it is, hardware and electicity both fail and UPSs run out of battery power.) When you are done with partitioning, you can save your changes and exit with a "q". I feel safer first writing the changes with a "w" followed by "q" though the "w" should not be necessary. If the system has been previously installed with a recent OpenBSD system and the partition sizes are satisfactory, it is not necessary to make changes. Previous partitioning choices can be viewed with the "p" command. You will need to know which partitions go with which mount points. If you need to make changes, you can delete partitions with "d" and the partition letter. Previously, I often deleted all the partitions, except c which the system won't let you delete, and started over. Recent installs have been over previous OpenBSD systems with satisfactory partition sizes. On these, I've simply accepted the existing partitions. It should be possible to delete and reallocate adjacent partitions. Once you've deleted all existing partitions, the process is the same as partitioning a new hard disk. When you exit the partitioning program, normally the / and swap partitions are set with / on wd0a and swap on wd0b but you will be prompted to confirm the other partitions and their mount points. If you have assigned all partitions and mount points, you should see normally see the 'wd0d' partition defaulted to the mount point you gave it. If so, you can just type 'done'. If you have used pre-existing partitions and did not explicitly assign mount points to each partition, you must specify the mount points at this time. When all partitions have been assigned mount points, the program will cycle back to the first partition. When you see the first partition, typically 'wd0d' with the correct mount point, you can type 'done' or press Enter several times to cycle through the partitions again to review your choices. When you're satisfied, type 'done' to continue. You will then get an additional prompt to confirm that you are done with the current disk. If you have only one disk, press Enter in response to "Which one? [done]". The next prompt warns that existing data will be overwritten. Respond to "Are you really sure that you're ready to proceed? [n]" with a 'y' when you do wish to continue. The filesystems will be created. Network ConfigurationNetwork configuration follows the disk formatting. You need host and domain names. Unless you're building a bridging firewall, you'll also need IP address, network mask, default route and default DNS server. After entering the host and domain names, the install process will show the recognized network interfaces with the first being the default selection. The first prompt for a network card is the IP address or dhcp. A server such as we're building won't use DHCP; it needs to be found at a constant location. You need an IP address. After the IP address, there is a prompt for a symbolic host name which will be defaulted to the host name already provided. Next you enter netmask and then the available media options are shown. Until recently I've always used the default media option. Starting with 2.9, I've run into repeated situations where my standard network card, a Netgear FA310TX, won't work reliably without specifying the correct media options. If you know from the list of options that the default is wrong, then change it. For example, if you have a 10/100 card but connect to a 10-BaseT hub or are using CAT 3 cabling, you may want to force the card to operate at 10 Mbps, especially if the card has had difficulty auto sensing what it is connected to. If you have multiple cards, the install defaults to done after the first. You have to explicitly provide the second device name (from the displayed list) to configure the second card. There is some performance overhead of auto sensing modes but forcing the wrong media settings will be a lot worse. Be espcially careful if you have a mixture of different speed equipiment such as 10mbps and 10/100mbps and the same machine might get connected to different equipment or has multiple NICs connected to different speed equipment. While just about all NICs, hubs and switches today are 10/100 (or faster), the Ehthernet connection on DSL routers and cable modems is typically 10mbps. Specifying 10baseT where the connected equipment is 10/100 will obviously waste most of the available bandwidth but specifying 100baseTX where connected equipment is 10mbps may freeze the connection. I have an old 10mbps hub that I use purely for testing some network and firewall configurations. If I connect a cable from a card that is set at 100baseTX to this hub, the collision light goes solid and cards on other machines connnected to this hub start reporting timeouts. Even worse, is improperly setting "mediaopt full-duplex". If a NIC or hub is not explicitly labeled full duplex, assume that it's not. My 10/100 NICs are but my 10/100 hubs are not. I mistakenly set some cards as full-duplex. You get no errors or messages and things seem to work. You can ping and ssh to systems and things seem normal. You know something is wrong when you transfer a large file and the speed is about that of 56Kbps modem. Because 56K is fast enough for ssh and small file transfers and the condition may have existed for some time, it can be difficult to reconcile the obviously too slow large file transfer with the fact that all connections over the same path are too slow. Next are prompts for default route and DNS server and normally you'll need both. If you are building a bridged firewall you don't need (or want) either. A bridged firewall won't be talking to the outside world, at least not as a typical UNIX server. If you're installing a routing firewall then you will need all the network information including IP addresses and netmasks for each network card. You may need to subnet, in which case you may be using a different netmask than provided by your ISP. Starting in OpenBSD 3.0, if you don't provide a DNS server the hosts file will be setup without a domain name even though you provided one and no resolv.conf file will be created. If you provide but choose not to use the DNS lookup when prompted, resolv.conf will be created but the hosts file will be set up without a domain. Either prevents sendmail from delivering local e-mail. The fix is discussed in "Removing Unneeded Services" when sendmail is discussed. Building Linux and OpenBSD Firewalls by Wes Sonnenreich and Tom Yates was the best source for the information on OpenBSD firewall and router network setup. It also briefly covers hardening an OpenBSD system. This book has some very practical information that I haven't found elsewhere but is sometimes written in an annoying, juvenile tone. With IP Tables replacing ipchains as the Linux firewall in the 2.4 Linux kernel (Red Hat 7) and with IP Filter being removed from OpenBSD immediately after the release of 2.9 (June 2001) due to licensing issues, Building Linux and OpenBSD Firewalls has for many purposes become instantly obsolete. If you have really immediate needs, i.e. are installing OpenBSD from 2.9 or earlier official CD ROMs or are more concerned with firewall routing issues than firewall rule sets, the book still has some value. Otherwise wait until a new edition covers the new firewall products. Firewall AsideI strongly disagree with Sonnenreich and Yates' comments on bridged firewalls. They dismiss bridged firewalls as a not recommended, advanced topic beyond the scope of the book. With the limited number of IP addresses I have, I could not have my LAN and a firewall without bridging; bridging seems simpler than routing to me. A bridging firewall cannot provide Network Address Translation (NAT or masquerading in Linux terms) but also does not require any IP addresses. Without IP addresses, a bridged firewall cannot be remotely managed but also cannot be attacked via the network. There is a have your cake and eat it too trick, that can be used on a bridged firewall. One of the NICs, usually the inside one, can have a non routeable IP address, such as 10.11.12.1. One or more local computers can also have 10.11.12.0/24 addresses, in addition to their standard IP address and thus access the firewall via the network for management. In this configuration, there is no way an outside attacker can touch the firewall without getting through the firewall, cracking one of the management computers and then attacking the firewall from the management computer. Also the O'Reilly Building Internet Firewalls, Second Edition has a long chapter on hardening UNIX "bastion hosts" as they call a hardened system and one on Windows NT/2000 as well. The two books and these web pages cover some common ground but there are different emphases and points of view in each. After providing the name server IP address, you will be asked "Would you like to use the name server now?[y]" Change the default response to 'n' if you are not connected to the network (suggested for maximum security). If you don't use a name server, you will be given an opportunity to manually edit the host table. The instructions suggest you may want to edit the host table to provide the name of an NFS or FTP server from which you will be installing. Then there is an "Escape to shell?[n]" prompt; accept the default. Next, you'll be asked to type and retype the root password. This should be a good password, not subject to dictionary or common password list attacks. See password.pl for sample, program generated, good passwords. Next is a prompt asking if you will be using the X Window System. Change the default 'y' to 'n'. The stripped server we're building will be reduced to the bare essentials necessary to run the required services only. Minimal Software InstallYou are then prompted for the type of install. You can install via FTP, HTTP, tape, CD-ROM, NFS or local disk. The FTP and HTTP options are for fast Internet connections and will install directly from one of the OpenBSD mirrors. These instructions assume a CD ROM install. The OpenBSD Installation Guide for 2.8 - 3.0 doesn't seem to have the instructions for the other types of media. The large (100K) INSTALL.i386 file in the 3.0/i386 directory of OpenBSD mirror sites has rather complete instructions for installing by means other than CD, somewhat over halfway down in the file. After typing "c" for a CD ROM install, confirm the install CD ROM drive. You will then be prompted for the install directory. The default (on Intel architecture) is /3.0/i386. If your install files are in another directory relative to the CD ROM root, you will need to provide that directory. The prompt wording suggests that the leading slash should not be included. The default does include the leading slash and it works with the leading slash. A list of install files is then displayed. base29.tgz, etc29.tgz, man29.tgz and bsd are pre-checked. In 3.0 the names are the same but each "29" has become a "30". Type 'comp29.tgz' or 'comp30.tgz' to install the GNU C, C++, and Fortran compilers and other development tools. You'll need the C compiler to build the custom kernel described later. Having the compilers is also handy for adding software for which source code but not OpenBSD packages is available. You don't need to install the comp install set if you don't plan to build a custom kernel or add other software from source code. If you follow the file removal step described later, the compilers will be removed before finishing the system. Don't install the X Window components. Servers such as we're setting up may go for days at a time with no one logged in and aren't intended to be easy to use interactively. Actually, for many purposes, if you know what you are doing, the command line is at least arguably easier than GUI interfaces. After confirming that you're "Ready to extract the selected file sets?[y]", the selected software will be installed. A progress report is displayed for each install set. I've seen an install stop working and display a "stalled" error message on a few occasions. At least once, pressing Enter got it started again. A Ctrl+C will drop you out of the install process and you'll have to start over. If you do have to start over, it's not necessary to repeat the partitioning. Just assign each partition to a mount point.
At the completion of the install, you will be prompted (defaulted
to "n") if you wish to install additional sets. Following
version 2.7, a prompt related to SSL encryption was removed as
the patents expired and SSL is now included in the base install.
A time zone prompt is last. The installation makes all device
nodes, creates the /boot file and does some other final
installation. If everything has gone as expected the install
process displays
Copyright © 2000 - 2014 by George Shaffer. This material may be
distributed only subject to the terms and conditions set forth in
http://GeodSoft.com/terms.htm
(or http://GeodSoft.com/cgi-bin/terms.pl).
These terms are subject to change. Distribution is subject to
the current terms, or at the choice of the distributor, those
in an earlier, digitally signed electronic copy of
http://GeodSoft.com/terms.htm (or cgi-bin/terms.pl) from the
time of the distribution. Distribution of substantively modified
versions of GeodSoft content is prohibited without the explicit written
permission of George Shaffer. Distribution of the work or derivatives
of the work, in whole or in part, for commercial purposes is prohibited
unless prior written permission is obtained from George Shaffer.
Distribution in accordance with these terms, for unrestricted and
uncompensated public access, non profit, or internal company use is
allowed.
|
|||||
