Sunday, December 15, 2013

HiR's Secure OpenBSD, Apache, MySQL and PHP Guide


Install php-mysql and mysql-server. This will install all necessary dependencies, including php, libiconv and several perl modules needed by the MySQL scripts.

$ sudo pkg_add php-mysql mysql-server
Ambiguous: choose package for php-mysql
 a       0: 
         1: php-mysql-5.2.17p16
         2: php-mysql-5.3.27
Your choice: 2
Ambiguous: choose dependency for php-mysql-5.3.27: 
 a       0: php-5.3.27
         1: php-5.3.27-ap2
Your choice: 0

REF: http://www.h-i-r.net/p/hirs-secure-openbsd-apache-mysql-and.html

Monday, October 7, 2013

Tuesday, September 10, 2013

install m:tier thin client


0) Download the thin client python code:
http://www.mtier.org/products/thin-client/

1) install gtk+3 and python3 with pkg_add.

2) install pycairo and pygobject from source:
PYTHON=python3.2 ./configure
Makefile errors may need to be corrected manually.

3) modify /etc/X11/xinit/xinitrc so that startx launches the thin client automatically.

P.S. the *.pc files for pkg-config need to be linked into /usr/lib/pkg-config.


Sunday, June 30, 2013

snmpd setup (renewed)

1) edit /etc/snmpd.conf and modify listen_addr
2) enable snmpd in /etc/rc.conf on startup
3) apply access control via /etc/pf.conf

Tuesday, May 7, 2013

Reverse ftp-proxy setup

Running ftp-proxy -R internal.server.ip -D7 -v easily sets up a reverse FTP proxy on OpenBSD.

Remember to allow packet forwarding in sysctl.conf, and also turn on the ftp-proxy anchor in pf.conf.

Thursday, April 25, 2013

OpenBSD on USB drive with boot loader

If you install OpenBSD on a USB drive but cannot boot from it, you may try installing the GAG boot loader into the MBR. Remember to make your USB drive the first boot disk, because GAG can only install to the first drive!

Monday, April 22, 2013

running scim input method with built-in fvwm

1) edit ~/.xsession
export LC_CTYPE=en_US.UTF-8
export XMODIFIERS=@im=scim
export GTK_IM_MODULE="scim"
scim -d&
/usr/X11R6/bin/xterm &
exec dbus-launch /usr/X11R6/bin/fvwm

2) Exit and login again via xdm.

Saturday, April 20, 2013

install OpenBSD on USB drive

1) If you want to keep a FAT partition for use on Windows, make the FAT partition the first one; otherwise Windows cannot read it.

2) Install OpenBSD on the selected USB drive following the normal installation process. Remember to make the OpenBSD MBR partition active, or use a tool such as GParted on Linux to set its boot flag.

3) Enabling soft updates in /etc/fstab can make I/O much faster: rw,softdep.

REFERENCE:
http://openbsd.org/faq/faq14.html#flashmemLive
http://openbsd.org/faq/faq14.html#flashmemBoot
http://openbsd.org/faq/faq14.html#SoftUpdates

Friday, April 12, 2013

icewm workstation with chinese input

1) pkg_add icewm firefox scim-chewing gnome-terminal
2) edit ~/.xsession for the normal user:
export LC_CTYPE=en_US.UTF-8
export XMODIFIERS=@im=scim
export GTK_IM_MODULE="scim"
scim -d&
exec dbus-launch icewm-session
3) log in from xdm as the normal user, and that's it!
4) If using startx, edit ~/.xinitrc instead.

Thursday, April 11, 2013

load icewm Desktop via xdm

1) install icewm via pkg_add.
# pkg_add icewm

2) edit /etc/rc.conf.local for xdm at startup
xdm_flags=""

3) edit /etc/X11/xdm/Xsession, and replace the fvwm line with icewm.
/usr/local/bin/icewm

REFERENCE:
http://openbsdsupport.org/desktopOBSD.html

Wednesday, April 10, 2013

install xfce desktop with extra fonts using xdm login

1) set up the package path.
# export PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/5.2/packages/amd64/

2) install xfce, firefox.
# pkg_add xfce firefox-i18n-en-US

3) copy extra fonts for X11.
# mkdir -p /usr/local/lib/X11/fonts/myfonts
# cp *ttc /usr/local/lib/X11/fonts/myfonts

4) edit the non-root user's .xsession for Xfce startup.
$ vi .xsession
exec startxfce4

5) Log in to xdm as the non-root user. Then you can browse non-English websites with Firefox on Xfce!

REFERENCE:
http://www.oesf.org/forum/index.php?showtopic=18833
http://www.openbsd.org/faq/truetype.html

Tuesday, March 19, 2013

CPAN and RRDs.pm of rrdtool


1. upgrade CPAN
cpan> install CPAN
cpan> reload cpan

2. install App::Cpan to use the `cpan -I` switch

3. then, local::lib can be compiled and installed!

4. # pkg_add p5-RRD

REFERENCE:

http://www.perlmonks.org/?node_id=637987
http://search.cpan.org/dist/local-lib/lib/local/lib.pm#The_bootstrapping_technique
http://my14all.sourceforge.net/install.html

Monday, March 18, 2013

manage default route/gateway as WAN backup

Whether on BSD, Linux, or any other Unix-like system, we can always fall back on managing the default gateway by hand as a manual WAN backup.

# edit /etc/mygate to set the persistent default gateway.
# route show
# route del default
# route add default 10.10.1.1

batch adding users with perl


#!/usr/bin/perl
# Batch-create users from a file with one record per line, in the format
# username:password:shell:homedir:groupname
use strict;
use warnings;

open my $fh, '<', $ARGV[0] or die "Cannot open file: $!";

while (my $line = <$fh>) {
    chomp $line;
    next if $line =~ /^\s*$/;    # skip blank lines
    my ($name, $pass, $shel, $dirc, $grup) = split /:/, $line;

    # encrypt(1) prints the hashed password; list-form open keeps the
    # plaintext out of the shell
    open my $enc, '-|', 'encrypt', $pass or die "Cannot run encrypt: $!";
    chomp(my $epas = <$enc>);
    close $enc;

    # list-form system() so no field is ever interpreted by a shell
    system('useradd', '-s', $shel, '-d', $dirc, '-g', $grup, '-p', $epas, $name) == 0
        or warn "useradd failed for $name\n";

    # add the user to /etc/ftpchroot unless already listed
    open my $chroot, '<', '/etc/ftpchroot' or die "Cannot open file: $!";
    my $listed = grep { /^\Q$name\E$/ } <$chroot>;
    close $chroot;
    unless ($listed) {
        open my $append, '>>', '/etc/ftpchroot' or die "Cannot append file: $!";
        print $append "$name\n";
        close $append;
    }
}
close $fh;

apache simple setup

1. Edit /var/www/conf/httpd.conf and change DocumentRoot and Directory according to your needs. Since Apache is chrooted, content cannot be placed outside /var/www.

2. apachectl start.

Monday, March 4, 2013

PF Stateful Tracking Limitation Options


An example rule:
pass in on $ext_if proto tcp to $web_server \
    port www keep state \
    (max 200, source-track rule, max-src-nodes 100, max-src-states 3)
The rule above defines the following behavior:
  • Limit the absolute maximum number of states that this rule can create to 200
  • Enable source tracking; limit state creation based on states created by this rule only
  • Limit the maximum number of nodes that can simultaneously create state to 100
  • Limit the maximum number of simultaneous states per source IP to 3
A separate set of restrictions can be placed on stateful TCP connections that have completed the 3-way handshake.
max-src-conn number
Limit the maximum number of simultaneous TCP connections which have completed the 3-way handshake that a single host can make.
max-src-conn-rate number / interval
Limit the rate of new connections to a certain amount per time interval.
Both of these options automatically invoke the source-track rule option and are incompatible with source-track global.
Since these limits are only being placed on TCP connections that have completed the 3-way handshake, more aggressive actions can be taken on offending IP addresses.
overload <table>
Put an offending host's IP address into the named table.
flush [global]
Kill any other states that match this rule and that were created by this source IP. When global is specified, kill all states matching this source IP, regardless of which rule created the state.
An example:
table <abusive_hosts> persist
block in quick from <abusive_hosts>

pass in on $ext_if proto tcp to $web_server \
    port www flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <abusive_hosts> flush)
This does the following:
  • Limits the maximum number of connections per source to 100
  • Rate limits the number of connections to 15 in a 5 second span
  • Puts the IP address of any host that breaks these limits into the <abusive_hosts> table
  • For any offending IP addresses, flush any states created by this rule.
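As an added example (not part of the original post, and not pf code), the following Python script models how a rule carrying max-src-conn and max-src-conn-rate together with overload <abusive_hosts> flush treats a stream of connection attempts. The hosts and timestamps are constructed, and the sliding-window rate check is an approximation of the kernel's own bookkeeping.

```python
from collections import defaultdict, deque

class SourceTracker:
    """Models pf source tracking for one rule: max-src-conn, max-src-conn-rate."""

    def __init__(self, max_src_conn, rate_count, rate_interval):
        self.max_src_conn = max_src_conn    # max-src-conn 100
        self.rate_count = rate_count        # max-src-conn-rate 15/5 -> 15 connections
        self.rate_interval = rate_interval  # max-src-conn-rate 15/5 -> per 5 seconds
        self.states = defaultdict(int)      # established states per source IP
        self.recent = defaultdict(deque)    # timestamps of recent new connections
        self.abusive_hosts = set()          # stands in for table <abusive_hosts>

    def new_connection(self, src, now):
        """Return True if a handshake-completed connection from src is allowed."""
        if src in self.abusive_hosts:
            return False                    # "block in quick from <abusive_hosts>"
        window = self.recent[src]
        while window and now - window[0] >= self.rate_interval:
            window.popleft()                # forget attempts older than the interval
        window.append(now)
        if len(window) > self.rate_count or self.states[src] >= self.max_src_conn:
            self.overload(src)
            return False
        self.states[src] += 1
        return True

    def overload(self, src):
        """overload <abusive_hosts> flush: table the host and kill its states."""
        self.abusive_hosts.add(src)
        self.states[src] = 0
        self.recent[src].clear()

def replay(attempts, max_src_conn=100, rate_count=15, rate_interval=5):
    """Replay (src, time) attempts in time order; return per-attempt verdicts,
    the hosts that ended up in the table, and the remaining open states."""
    tracker = SourceTracker(max_src_conn, rate_count, rate_interval)
    verdicts = [tracker.new_connection(src, t) for src, t in sorted(attempts, key=lambda a: a[1])]
    return verdicts, sorted(tracker.abusive_hosts), dict(tracker.states)

# Constructed sample (not real traffic): 10.0.0.5 opens 16 connections within
# two seconds, breaking 15/5, then tries again later; 10.0.0.9 stays well inside.
SAMPLE_ATTEMPTS = ([("10.0.0.5", i * 0.1) for i in range(16)]
                   + [("10.0.0.9", t) for t in (0, 10, 20)]
                   + [("10.0.0.5", 40.0)])

if __name__ == "__main__":
    verdicts, tabled, states = replay(SAMPLE_ATTEMPTS)
    print("allowed:", sum(verdicts), "of", len(verdicts), "tabled:", tabled, "open:", states)
```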
REFERENCES:
http://kestas.kuliukas.com/pf.conf/

Wednesday, February 20, 2013

Ruby on Rails package for OpenBSD

Ruby on Rails 3 can be simply installed on OpenBSD via pkg_add:

# pkg_add -v ruby-rails

However, a JavaScript runtime (e.g. node.js) and sqlite3 development files are also required.

# pkg_add -v sqlite3
# pkg_add -v libexecinfo gmake python (for compiling node.js)

Wednesday, January 30, 2013

sftp subsystem request failed


subsystem request failed on channel 0
Couldn't read packet: Connection reset by peer

This happened when using sshd chrooting on Linux: inside the ChrootDirectory the external /usr/lib/openssh/sftp-server binary is not available, whereas internal-sftp runs inside the sshd process and needs nothing from the chroot.

This was sorted after changing

Subsystem sftp /usr/lib/openssh/sftp-server

to

Subsystem sftp internal-sftp

REFERENCE:
http://forums.debian.net/viewtopic.php?f=5&t=42818

Monday, January 28, 2013

Privilege separation of OpenSSH

sshd will run as root until the user authenticates, at which point the sshd child will be setuid(2) the authenticated user. For instance, on my home machine, see:
root       998  0.0  0.2  2700  832 ?        S    Aug08   0:03 /usr/local/sbin/sshd
root     16477  0.0  0.2  6152  848 ?        S    Aug09   0:00 sshd: azarin [priv]
azarin   16479  0.0  0.3  6168 1100 ?        S    Aug09   0:12 sshd: azarin () pts/15

In this case, the main sshd daemon, pid 998, is listening on 22/tcp.  I
logged in and the sshd all of my processes see in this session is under
pid 16479.

If you do not trust the portion of sshd running as root then here are some
things you are going to run into:

* sshd cannot bind to port 22/tcp or any other port 1024 or below.  Due to
limitations in kernels, only a user with uid 0 (i.e. 'root') can bind to a
port numbered 1024 or below.  To the best of my knowledge, apache and
BIND's named (if you use the -u flag) accomplish binding to a privileged
port by binding as the port then spawning a child that is setuid(2)'d to
the appropriate user.  sshd, however, does not do this.

* If you use shadowed passwords, then this will not work.  Period.
/etc/shadow on most systems is chmod 600 and owned by root.  (Any other
combination of ownership and permissions is broken.)  I do not know if
using PAM will remove this requirement, but I do not think so.  Also,
other password authentication mechanisms may also fail.

If you are set on running sshd as a non uid 0 user (i.e. not root), then
you will have to bind it to a port above 1024/tcp.  Also, since password
authentication may not work, the use of key-based authentication is your
best bet for gaining access.  Lastly, this sshd will *only* allow login by
the user running it.  It will not allow authentication for another user
since you cannot setuid(2) to that user.


Personally, I suggest using a version of OpenSSH that supports privilege
separation.  In a controlled environment, requiring key-based
authentication is a good idea.  However, if everyone who will SSH to this
machine is not very technically savvy and has a habit of accessing from
multiple computers, a requirement on key-based authentication may be too
much of a hassle.

REFERENCE: http://seclists.org/basics/2003/Aug/564

Sunday, January 27, 2013

compiling OpenSSH

1. download source code from openssh.com.

2. zlib-dev and openssl-dev packages are prerequisites, for both Unix-like and Windows Cygwin.

3. Run ./configure --prefix to specify the install directory, then make and make install.

4. Create or modify the sshd startup entry via rc.conf, upstart, or cygrunsrv on Windows.

Saturday, January 19, 2013

ssh SendEnv LANG encoding problem

If characters are not displayed correctly for a non-English LANG, comment out the 'SendEnv LANG' line in /etc/ssh/ssh_config so that the server's locale setup is used instead.