First things to do after installing OpenBSD on a server

2024-09-12T09:37:08Z

regular user and doas

# adduser
cat << EOF >> /etc/doas.conf
permit persist user
EOF

Change the root password to random printable characters produced by jot ($l being the number of characters to generate):

# su -
# jot -rcs '' $l 32 126
# passwd

aliases

I add my email address in /etc/mail/aliases

Add yourself to root alias, then run "newaliases":

/etc/mail/aliases:
root: me@stuff.tld

SSH

# /etc/ssh/sshd_config
PermitRootLogin no

Install sshguard

# pkg_add sshguard
# rcctl enable sshguard
# rcctl start sshguard

pf.conf

touch /var/prx-brutes.txt
touch /var/pf-badhost.txt
#/etc/pf.conf
ifaces = "{ egress }"

# maybe useful later
#tcp_pass = "{ www https }" # change me
#udp_pass = "{ domain }" # change me

table <brutes> persist   # name assumed from the BRUTES label below; lost in extraction
table <sshguard> persist # table filled by sshguard's pf backend
table <prx> persist file "/var/prx-brutes.txt"
table <pf-badhost> persist file "/var/pf-badhost.txt"

set skip on { lo }
set limit table-entries 409600

antispoof for $ifaces

block

block quick from <brutes> label "BRUTES"
block quick from <sshguard> label "SSHGUARD"
block quick from <prx> label "PRX"
block quick from <pf-badhost> label "PFBADHOST"

# allow ping
pass on $ifaces inet6 proto ipv6-icmp all #icmp6-type echoreq
pass on $ifaces inet proto icmp all # icmp-type echoreq

pass in on $ifaces proto tcp to port ssh modulate state \
        (source-track rule, \
        max-src-conn 8, max-src-conn-rate 15/5, \
        overload <brutes> flush global)

#pass in on $ifaces proto tcp to port $tcp_pass modulate state
#pass in on $ifaces proto udp to port $udp_pass

pass out on $ifaces proto { tcp udp }

Reload pf:

# pfctl -f /etc/pf.conf

Prepare blacklist updates:

# /etc/daily.local
ftp -o- https://si3t.ch/pub/evils/prx-brutes.txt.gz | \
	gzcat > /var/prx-brutes.txt && \
	pfctl -t prx -T replace -f /var/prx-brutes.txt
ftp -o- https://si3t.ch/pub/evils/pf-badhost.txt.gz | \
	gzcat > /var/pf-badhost.txt && \
	pfctl -t pf-badhost -T replace -f /var/pf-badhost.txt
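Added example (my script, not from the post or the iblock project): the daily.local above truncates /var/prx-brutes.txt before knowing whether the download succeeded, so a failed fetch leaves an empty list and the `&&` only protects the pfctl call, not the file. The script below downloads to a temporary file, checks that every line is an IPv4/IPv6 address or prefix, and only then moves it into place and replaces the table; it also syntax-checks pf.conf before loading it, which covers the "Reload pf" step too. URLs, file names and table names are those from the post; FETCH is an assumed variable so the download command can be swapped out, and pfctl is only called when it exists.

```shell
#!/bin/sh
# Safe blocklist refresh for pf tables (added example, not the post's code).
# Assumptions: FETCH defaults to "ftp -o-" as in the post; pfctl is only
# invoked when present so the validation part runs anywhere.
set -u

# Return 0 if $1 is non-empty and every non-blank, non-comment line is an
# IPv4 address/prefix (octets <= 255, /0-32) or an IPv6 address/prefix (/0-128).
validate_blocklist() {
    f=$1
    [ -s "$f" ] || return 1
    awk '
        function v4ok(s,   a, n, i) {
            n = split(s, a, ".")
            if (n != 4) return 0
            for (i = 1; i <= 4; i++)
                if (a[i] !~ /^[0-9]+$/ || a[i] + 0 > 255) return 0
            return 1
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        {
            n = split($0, p, "/")
            if (n > 2) { bad++; next }
            if (n == 2 && p[2] !~ /^[0-9]+$/) { bad++; next }
            if (v4ok(p[1]) && (n == 1 || p[2] + 0 <= 32)) { ok++; next }
            if (p[1] ~ /^[0-9A-Fa-f:]+$/ && p[1] ~ /:/ && (n == 1 || p[2] + 0 <= 128)) { ok++; next }
            bad++
        }
        END { exit (ok > 0 && bad == 0) ? 0 : 1 }
    ' "$f"
}

# Fetch the gzip'd list at $1 into a temp file next to $2, validate it,
# then install it as $2 and replace pf table $3. $2 is untouched on failure.
refresh_table() {
    url=$1; dst=$2; table=$3
    tmp=$(mktemp "${dst}.XXXXXX") || return 1
    if ${FETCH:-ftp -o-} "$url" | gzcat > "$tmp" && validate_blocklist "$tmp"; then
        mv "$tmp" "$dst"
        if command -v pfctl >/dev/null 2>&1; then
            pfctl -t "$table" -T replace -f "$dst"
        fi
        return 0
    fi
    rm -f "$tmp"
    echo "refresh of <$table> from $url failed; keeping previous $dst" >&2
    return 1
}

# Syntax-check pf.conf (pfctl -n) before loading it, so a typo cannot leave
# the ruleset half-loaded.
reload_pf() {
    conf=${1:-/etc/pf.conf}
    pfctl -nf "$conf" || { echo "$conf has errors; not loading" >&2; return 1; }
    pfctl -f "$conf"
}

# Usage from /etc/daily.local:  sh /path/to/this.sh run
case "${1:-}" in
run)
    refresh_table https://si3t.ch/pub/evils/prx-brutes.txt.gz /var/prx-brutes.txt prx
    refresh_table https://si3t.ch/pub/evils/pf-badhost.txt.gz /var/pf-badhost.txt pf-badhost
    ;;
esac
```

The temp file is created in /var next to the destination so the final mv is a rename on the same filesystem, and the previous list stays in force whenever the download or the validation fails.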

To go further, I also install iblock with a modified version not requiring inetd:

=> https://tildegit.org/prx/iblock/src/branch/icanserve


Comments?

=> mailto:prx@si3t.ch?subject=first-things-to-do-on-openbsd-server
