
OpenBSD

OpenBSD is a UNIX-like operating system, forked from NetBSD in 1995 by Theo de Raadt. Designed to be secure by default, OpenBSD includes notable security features such as unveil and pledge, which help enforce application security policies and restrict system resource access.

Objectives of this document

Get an overview of OpenBSD, starting with version 7.4:

Context

Installation release (7.4)

ISO: https://cdn.openbsd.org/pub/OpenBSD/7.4/amd64/install74.iso (603 MB)

Installation Note

Shut down the box

Type: halt -p

Configuring the network

The hostname

Apply the new name (obsd.lab.local) by editing the file /etc/myname: obsd.lab.local

Apply now: hostname -s obsd.lab.local

For a Static IP Address (IP: 192.168.1.26)

Set the static IP address by modifying the file /etc/hostname.hvn0: inet 192.168.1.26 255.255.255.0

Set the gateway IP address by modifying the file /etc/mygate: 192.168.1.1

To resolve DNS, change the file /etc/resolv.conf:

    nameserver 8.8.8.8
    nameserver 8.8.4.4
    lookup file bind

Restart the network stack to apply the changes: sh /etc/netstart hvn0

DHCP Configuration:

Let's change the file /etc/hostname.hvn0: inet autoconf

Then, remove the old IP address:

    ifconfig hvn0 delete 192.168.1.26
    rm /etc/mygate
    route flush

Get the new IP address: dhcpleasectl hvn0


Don't forget to change your /etc/hosts file.

Finally, check the result with: ifconfig hvn0

You can also check your Internet connection with: ping yahoo.fr

Adding a User

You can interactively use the command: adduser

The hard way:

To add a user named admin: useradd -m admin

Allow admin to use su for administration: usermod -G wheel admin

Assign a password to admin: passwd admin


Check the results with: id admin

You can now use ssh to administer the box remotely: ssh admin@IP_ADDRESS

Sudo?

OpenBSD does not include sudo by default. However, you can install it using: pkg_add sudo

OpenBSD comes with doas as an alternative. To use doas something, configure the file /etc/doas.conf by referring to the man pages for doas.conf(5) and doas(1), or use the example at /etc/examples/doas.conf.

Installing nginx

While OpenBSD includes httpd by default, this tutorial will focus on installing Nginx to demonstrate how to install a package in OpenBSD.

Let's install nginx: pkg_add nginx

You can read the documentation at: /usr/local/share/doc/pkg-readmes/nginx

The configuration file is here: /etc/nginx/nginx.conf

No need to tune it. It is enough for our test.

By default nginx is chrooted in /var/www, and the default root web directory is /var/www/htdocs.

Configuring Daemons

Enable nginx at startup: rcctl enable nginx

Start nginx: rcctl start nginx

Creating an HTML File

cd /var/www/htdocs
echo '<h1>It works!</h1>' > index.html

You can now browse the test page from another computer by navigating to http://<IP_ADDRESS>.

Configuring the Firewall

OpenBSD uses Packet Filter (PF) for firewalling.

It is enabled by default.

Change the file /etc/pf.conf (allow only ping/ssh/www from anywhere):

    set skip on lo
    block log all
    pass in on egress inet proto icmp all icmp-type echoreq
    pass in on egress inet proto tcp from any to any port {ssh, www}
    pass out

Let's load the new PF rules: pfctl -f /etc/pf.conf


Action                  Command
Check the rules syntax  pfctl -nf /etc/pf.conf
Apply new rules         pfctl -f /etc/pf.conf
View active rules       pfctl -s rules
Flush current rules     pfctl -F rules
Disable PF              pfctl -d
Enable PF               pfctl -e
Check logs              tcpdump -nettti pflog0
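
The syntax check and the load command can be chained so that a bad edit to /etc/pf.conf never replaces the rules that are already running. This is an added example, not part of the original page; safe_pf_load is a hypothetical helper name, and the default-deny test is a coarse grep that assumes the ruleset keeps a block line, as the one in this tutorial does.

```shell
#!/bin/sh
# Added example: validate a PF ruleset before loading it (run as root).
# safe_pf_load is a hypothetical helper name, not an OpenBSD tool.

safe_pf_load() {
    rules="${1:-/etc/pf.conf}"

    if [ ! -r "$rules" ]; then
        echo "safe_pf_load: cannot read $rules" >&2
        return 2
    fi

    # Coarse default-deny check: the ruleset in this tutorial starts
    # from "block log all"; refuse a file with no block rule at all.
    if ! grep -Eq '^[[:space:]]*block([[:space:]]|$)' "$rules"; then
        echo "safe_pf_load: no block rule in $rules, not loading" >&2
        return 3
    fi

    # -n parses the file without loading it; a syntax error stops here
    # and the rules already running in the kernel stay in place.
    if ! pfctl -nf "$rules"; then
        echo "safe_pf_load: syntax check failed, nothing loaded" >&2
        return 1
    fi

    # Load the ruleset, then print what is now active for review.
    pfctl -f "$rules" || return 1
    pfctl -s rules
}

# Usage: safe_pf_load /etc/pf.conf
```

The return code tells the cases apart: 0 loaded, 1 rejected by pfctl, 2 unreadable file, 3 no block rule found.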

Updating the System

Simply use syspatch to update the userland/kernel and pkg_add -u to update binary packages.

You can see the patches at https://www.openbsd.org/errata.html.

Upgrading OpenBSD

To upgrade from version 7.4 to 7.5:

Read: https://www.openbsd.org/faq/upgrade75.html

Run sysupgrade. The program will download all the install sets, verify their signatures, and reboot to perform the upgrade automatically. In some cases, configuration files cannot be modified automatically; you then need to run sysmerge to check and perform these configuration changes.


Finish up by upgrading the packages using pkg_add -u.

Oh, don't forget to update the userland/kernel for this version (7.4): syspatch

You can check your version, using: uname -a

Disk usage (sample)

Type: df -h

The results:

    Filesystem  Size   Used   Avail  Capacity  Mounted on
    /dev/sd0a   902M   123M   735M   15%       /
    /dev/sd0e   826M   20.0K  785M   1%        /home
    /dev/sd0d   2.9G   1.8G   1017M  64%       /usr

What else?

The kernel: /bsd

Hypervisor: vmm(4)

Default MTA: OpenSMTPD

Pros vs. Cons

Pros

Cons

You can read more on OpenBSD, 👉 https://www.openbsdjumpstart.org

Last update: 2024/08/03
