# First things to do after installing OpenBSD on a server
2024-09-12T09:37:08Z

## regular user and doas

```
# adduser
cat << EOF >> /etc/doas.conf
permit persist user
EOF
```

Change root password with random chars produced by jot: 

``` 
# su -
# jot -rcs '' $l 32 126
# passwd
```

## aliases

J'ajoute mon mail dans /etc/mail/aliases
Add yourself to root alias, then run "newaliases":

```
/etc/mail/aliases:
root: me@stuff.tld
```

## SSH

```
# /etc/ssh/sshd_config
PermitRootLogin no
```

Install sshguard

```
# pkg_add sshguard
# rcctl enable sshguard
# rcctl start sshguard
```

## pf.conf

* will use sshguard
* reduce bruteforce on ssh
* Use blacklists from https://si3t.ch/evils/
* prepare future work with lines to edit/uncomment


```
touch /var/prx-brutes.txt
touch /var/pf-badhost.txt
```

```
#/etc/pf.conf
ifaces = "{ egress }"

# maybe useful later
#tcp_pass = "{ www https }" # change me
#udp_pass = "{ domain }" # change me

table <bruteforce> persist
table <sshguard> persist
table <prx> persist file "/var/prx-brutes.txt"
table <pf-badhost> persist file "/var/pf-badhost.txt"

set skip on { lo }
set limit table-entries 409600

antispoof for $ifaces

block

block quick from <bruteforce> label "BRUTES"
block quick from <sshguard> label "SSHGUARD"
block quick from <prx> label "PRX"
block quick from <pf-badhost> label "PFBADHOST"

# allow ping
pass on $ifaces inet6 proto ipv6-icmp all #icmp6-type echoreq
pass on $ifaces inet proto icmp all # icmp-type echoreq

pass in on $ifaces proto tcp to port ssh modulate state \
        (source-track rule, \
        max-src-conn 8, max-src-conn-rate 15/5, \
        overload <bruteforce> flush global)

#pass in on $ifaces proto tcp to port $tcp_pass modulate state
#pass in on $ifaces proto udp to port $udp_pass

pass out on $ifaces proto { tcp udp }
```

Reload pf:

```
# pfctl -f /etc/pf.conf
```

Prepare blacklist updates:


```
# /etc/daily.local
ftp -o- https://si3t.ch/pub/evils/prx-brutes.txt.gz | \
	gzcat > /var/prx-brutes.txt && \
	pfctl -t prx -T replace -f /var/prx-brutes.txt
ftp -o- https://si3t.ch/pub/evils/pf-badhost.txt.gz | \
	gzcat > /var/pf-badhost.txt && \
	pfctl -t pf-badhost -T replace -f /var/pf-badhost.txt
```

To go further, I also install iblock with a modified version not requiring inetd:

=> https://tildegit.org/prx/iblock/src/branch/icanserve

---
Comments?

=> mailto:bla@bla.si3t.ch?subject=first-things-to-do-on-openbsd-server

How to:
=> /log/_commentaires_.txt