Summary
These are some notes on the common steps I perform after adding a server at a Virtual Private Server (VPS) provider. They are intended as a baseline, documented so I have the steps for future use.
Apply Updates
Update the packages on the server.
pkg_add -u
Apply any available patches.
syspatch
Accounts
Update the root password using the passwd(1) command. VPS providers generally generate one automatically.
passwd root
Create a group for the user.
groupadd tloftus
Create a new user on the system using the following command. I don't use root unless I need to. Once the user is created, I set its password using the passwd(1) command and generate the SSH keys for it.
useradd -d /home/<username> -m -c "Full Name" -g <username> \
-G wheel -k /etc/skel -L staff -s /bin/ksh <username>
Configure doas. Generally I copy the base configuration from the examples and put it in the default path.
cp /etc/examples/doas.conf /etc/doas.conf
I change the following line so that members of wheel are permitted to run commands with elevated privileges.
permit persist :wheel
SSH Configuration
For both root and the newly added user, I generate ssh(1) keys while logged into each account using the following command.
ssh-keygen -t ed25519
Edit the sshd_config file with the following values. Make sure to search for them in the text editor. I generally expect to
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
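Because sshd(8) uses the first uncommented value of a keyword, a "PermitRootLogin yes" left higher in the file silently overrides a "no" added further down. The following check, written for these notes and not part of the original page, mirrors that rule to verify the three settings above; it is POSIX sh, runs against two constructed sample files, and assumes whitespace- or "="-separated keyword lines outside any Match block.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the three hardening values set
# in the notes. sshd(8) takes the FIRST uncommented value of a keyword, so
# the checker stops at the first match, and at the first "Match" block,
# whose settings are conditional. Keywords are case-insensitive.

# sshd_effective FILE KEYWORD -> prints the effective value (or nothing)
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/^[ \t]+/, ""); split($0, f, /[ \t=]+/) }
        /^#/ || /^$/ { next }                    # comments and blank lines
        tolower(f[1]) == "match" { exit }         # conditional block starts
        tolower(f[1]) == key { print f[2]; exit } # first value wins
    ' "$1"
}

# sshd_audit FILE -> 0 if all three settings are hardened, else 1;
# prints one line per mismatch on stderr
sshd_audit() {
    rc=0
    for pair in PermitRootLogin=no PasswordAuthentication=no PermitEmptyPasswords=no; do
        kw=${pair%%=*}; want=${pair#*=}
        got=$(sshd_effective "$1" "$kw")
        if [ "$got" != "$want" ]; then
            echo "$1: $kw is '${got:-unset}', expected '$want'" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample configs (not taken from any real host).
HARDENED=$(mktemp); cat >"$HARDENED" <<'EOF'
# hardened baseline
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
EOF

SHADOWED=$(mktemp); cat >"$SHADOWED" <<'EOF'
PermitRootLogin yes
PasswordAuthentication no
# the edit below never takes effect: the first value above wins
PermitRootLogin no
EOF

sshd_audit "$HARDENED" && echo "hardened sample: OK"
sshd_audit "$SHADOWED" || echo "shadowed sample: FAIL (as expected)"
```

On a real host, run `sshd_audit /etc/ssh/sshd_config` after editing and before restarting sshd; `sshd -t` additionally checks the file for syntax errors.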
Install Needed Applications
These are some applications I use on a regular basis, installed so the environment is the same across all of my servers. Additional packages needed for the server's role will be installed later.
pkg_add vim curl htop rsync
Firewall Configuration
For any Internet server I configure my firewalls to block traffic by default and then allow/pass traffic in/out after the fact.
The command below copies the baseline configuration that ships with the system, which provides suitable defaults.
cp /etc/examples/pf.conf /etc/pf.conf
Below are the additional lines I add to the pf.conf(5) file.
block log all
pass in log proto tcp to port 22
pass out log inet proto icmp icmp-type echoreq
pass out log proto udp to port { 53 123 }
pass out log proto udp to port 33433 >< 33626
pass out log proto tcp to port { 22 53 80 123 443 }
Interface, Server Name, & DNS
Server name, DNS, and interface configurations.
General rule of thumb for me is to set the static interface for any server unless I know DHCP is configured with the settings I need.
Below is the baseline configuration for /etc/hostname.int, where int represents the name of the interface being configured.
inet <IP Address> <Subnet> NONE description "Purpose (int name)"
up
Baseline configuration for /etc/mygate. This is the gateway to the Internet.
<Gateway IP Address>
Baseline configuration for /etc/myname. Provides the full name of the host.
hostname.domain.tld
Baseline configuration for /etc/hosts. I generally add the IPv4 address and hostname of the server for this.
127.0.0.1 hostname
::1 hostname
10.238.164.240 hostname.domain.tld hostname
Baseline configuration for /etc/resolv.conf. This kind of thing changes sometimes; at a minimum it has the following configuration.
nameserver 1.1.1.1
lookup file bind
## End Notes
These are notes for my base configuration for OpenBSD servers/machines
that are facing the Internet. As time goes on I'll be adding more things
that may assist in configuring and/or securing these in the future.