- Installed a stock OpenBSD 4.5.
- Added my own user.
- Disabled root ssh login with a password in /etc/ssh/sshd_config:
PermitRootLogin without-password
- Modified root's /root/.profile to suit my preferences:
# $OpenBSD: dot.profile,v 1.5 2005/03/30 21:18:33 millert Exp $
#
# sh/ksh initialization
PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin:/usr/local/sbin:/usr/local/bin
export PATH
: ${HOME='/root'}
export HOME
export PS1='\h# '
umask 022
PKG_PATH="ftp://ftp.rt.fm/pub/OpenBSD/`uname -r`/packages/i386"
export PKG_PATH
CVSROOT="anoncvs@rt.fm:/cvs"
export CVSROOT
alias halt="echo Please use the full path if you meant to halt snark.uckfu.com"
alias shutdown="echo Please use the full path if you meant to shutdown snark.uckfu.com"
alias reboot="echo Please use the full path if you meant to reboot snark.uckfu.com"
alias ll="ls -alLSrh"
alias m="mutt -f /var/mail/root"
- Set /etc/mail/aliases root: to my user.
- Modified /etc/profile
export PS1="$(whoami)@$(hostname -s)\$ "
[ "$SHELL" = /bin/ksh ] && set -o viraw
export LANG="en_US.UTF-8"
- Added packages for users:
vim-no_x11
emacs-no_x11
fetchmail
BitchX
nmap
pico
irssi
ircII
epic4
rsync
tmux
screen
zsh
tcsh
mutt
alpine
python
joe
mc
bzip2
- Installed from source:
uptimed (uprecords)
./configure && make && make install
denyhosts
python setup.py install
- Edited /etc/rc.local
[ -x /usr/local/sbin/uptimed ] && /usr/local/sbin/uptimed -m 5000 && echo -n ' uptimed'
if [ -x /usr/share/denyhosts/daemon-control-dist ]; then
/usr/share/denyhosts/daemon-control-dist start &
echo -n ' denyhosts'
fi
- Added ~/scripts to my user, with uptime-report.sh in it.
#!/bin/sh
thiscomputer=`hostname -s`
sysctl kern.version | head -n 1 | cut -d "=" -f 2 > ~/.${thiscomputer}.txt
/usr/local/bin/uprecords -a >> ~/.${thiscomputer}.txt
rsync -avzuP ~/.${thiscomputer}.txt webuser@mydomain:/web/webuser/public_html/uptimes/${thiscomputer}.txt
- Set uptime-report.sh to report home once an hour (crontab).
- Kept list of installed applications by group (for notifying users what is available):
Shells: sh, csh, ksh, zsh, bash, tcsh
Utilities: tmux, screen, uprecords, mc
Mail: mail, mailx, mutt, alpine, fetchmail
Editors: ed, vi, vim, mg, pico, nano, emacs, joe
Web: lynx, links, ftp, scp, ssh, rsync
Chat: irssi, epic4, bitchx, ircii, bitlbee
- Edit /etc/inetd.conf to change ident service and add bitlbee:
(All other lines are commented out)
ident stream tcp nowait _identd /usr/libexec/identd identd -elho
finger stream tcp nowait _fingerd /usr/libexec/fingerd fingerd -lsm
6667 stream tcp nowait _bitlbee /usr/local/libexec/bitlbee bitlbee
- Restart inetd to have changes take effect:
# pkill -HUP inetd
- Configure quotas in fstab:
/dev/wd0a / ffs rw 1 1
/dev/wd0d /usr/home ffs rw,nodev,nosuid,userquota=/var/quotas/quota.user,groupquota=/var/quotas/quota.group 1 2
- Configure a 100MB quota with a 110MB hard limit:
edquota dayid
Quotas for user dayid:
/usr/home KBytes in use: 0, limits (soft = 102400, hard = 112640)
inodes in use: 0, limits (soft = 0, hard = 0)
edquota -g wheel
Quotas for group wheel:
/usr/home KBytes in use: 0, limits (soft = 0, hard = 0)
inodes in use: 0, limits (soft = 0, hard = 0)
- Turn on quotas:
quotaon -a
- Add group for shell accounts:
groupadd shellers
- Create custom adduser.sh for root:
#!/bin/sh
# show the most recent accounts so a free UID can be picked
tail -n 10 /etc/passwd
echo -n "enter UID: "
read uid
echo -n "enter username: "
read name
# base dir /usr/home, login class sheller, primary group shellers; stop if useradd fails
useradd -b /usr/home -L sheller -s /bin/ksh -m -g shellers -u "${uid}" "${name}" || exit 1
chmod 700 "/usr/home/${name}"
# copy dayid's quota limits to the new user
edquota -p dayid "${name}"
- Create quota.sh for root:
#!/bin/sh
# run repquota once; mail root only when some user is flagged ("+") over a limit
over=$(repquota -au | grep "+")
[ -n "$over" ] && echo "$over" | mail -s "Over Quota" root
- Make the scripts usable: chmod 544 /root/scripts/*.sh
- Added 30 7 * * * /bin/sh /root/scripts/quota.sh > /dev/null 2>&1 to root's cron
- Add sheller to login.conf:
sheller:\
:path=/usr/bin /bin /usr/sbin /sbin /usr/X11R6/bin /usr/local/bin:\
:datasize-cur=64M:\
:datasize-max=128M:\
:umask=002:\
:maxproc-max=20:\
:maxproc-cur=15:\
:openfiles-cur=40:\
:stacksize-cur=4M:\
:localcipher=blowfish,6:\
:ypcipher=old:\
:tc=auth-defaults:\
:tc=auth-ftp-defaults:\
:passwordtries=0:\
:minpasswordlen=6:\
:password-dead=4w:\
:password-warn=1w:\
:passwordtime=2419200:\
:welcome=/etc/welcome:\
:priority=20:\
:expire-warn=1w:
- Stop shellers from being annoying and running top continuously:
chmod o-x /usr/bin/top
chown root:wheel /usr/bin/top
- Stop shellers from using other things they don't need:
chmod o-x /sbin/sysctl
chown root:wheel /sbin/sysctl
chmod o-x /sbin/ping
chown root:wheel /sbin/ping
chmod o-x /sbin/dmesg
chown root:wheel /sbin/dmesg
chmod o-x /usr/local/bin/nmap
chown root:wheel /usr/local/bin/nmap
- Create /etc/welcome for the shellers login group:
snark.uckfu.com: Unified Center to Know Free Unix
snark is OpenBSD 4.5 on a Pentium II 300MHz with 128MB/RAM.
If this is your first time logging in, you should first run /usr/bin/passwd.
Passwords are good for 4 weeks at a time.
You will receive 1 week of warning to change it.
If you do not change it, you will have 4 weeks to login and do so.
If you do not change it after 4 weeks, you will need to email
uckfu@dayid.org to be re-enabled.
Don't forget the manpages for almost every command (man(1)).
help(1) is always available also.
You should also take the time to read /usr/share/welcome.txt
You can read this by typing: less /usr/share/welcome.txt
If you do not wish to see this message in the future, do: touch .hushlogin
-----------------------------------------------------------------------------
- Create /usr/share/welcome with UNIX basics in it:
- Because I only created / and /usr/home:
removed /tmp and created /usr/home/tmp
chmod 1777 /usr/home/tmp
ln -s /usr/home/tmp /tmp
This way users' quotas count against them, since I am only using quotas for /usr/home; before, a user could write quite a lot to the root disk's /tmp.
- Configured pf:
ext_if="dc0"
int_if="lo0"
table <slamm>
set skip on lo0
scrub in on $ext_if
block in
pass out
pass in quick on $ext_if inet proto icmp all icmp-type echoreq
pass in on $ext_if inet proto tcp to $ext_if port ssh keep state (max-src-conn 50, max-src-conn-rate 50/3, overload <slamm> flush)
- Enabled pf with pfctl -f /etc/pf.conf && pfctl -e
- Enabled pf in /etc/rc.conf with pf=YES
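The ruleset above declares the <slamm> table and sends over-limit ssh sources into it, but no rule ever matches on the table, so an address that trips the limit only has its current states flushed and can reconnect straight away. The following is an added example, not the page's pf.conf: the same ruleset with the overload clause in valid syntax, the table marked persist, and a quick block rule on <slamm> placed ahead of the pass rules, wrapped in the pfctl commands to check it before loading and to inspect or expire the table afterwards. The interface dc0, the table name and the 50 / 50-per-3-seconds thresholds are the page's; PF_CONF and the one-hour expiry are assumptions.

```shell
#!/bin/sh
# Added example (not the page's pf.conf): page ruleset plus a block rule for the
# overload table, and a checked load sequence. PF_CONF is an assumption.
PF_CONF=${PF_CONF:-/etc/pf.conf}

pf_ruleset() {
    cat <<'EOF'
ext_if="dc0"
# persist: keep the table and its addresses even if no rule references it
table <slamm> persist
set skip on lo0
scrub in on $ext_if
block in
pass out
# drop overloaded sources before any pass rule can match them
block in quick on $ext_if from <slamm>
pass in quick on $ext_if inet proto icmp all icmp-type echoreq
# more than 50 states from one source, or 50 new connections in 3 seconds,
# puts the source into the table and flushes its existing states
pass in on $ext_if inet proto tcp to $ext_if port ssh keep state (max-src-conn 50, max-src-conn-rate 50/3, overload <slamm> flush)
EOF
}

# Write the ruleset, parse-check it (-n loads nothing), then load and enable.
pf_install() {
    pf_ruleset > "$PF_CONF"
    pfctl -nf "$PF_CONF" || { echo "pf.conf rejected, not loaded" >&2; return 1; }
    pfctl -f "$PF_CONF" && pfctl -e
}

# Who is currently blocked.
pf_slamm_status() {
    pfctl -t slamm -T show
}

# Drop entries older than N seconds (default one hour, an assumed value) so a
# source that tripped the limit once is not locked out indefinitely.
pf_slamm_expire() {
    pfctl -t slamm -T expire "${1:-3600}"
}
```

pf_slamm_expire is the piece to put in root's cron next to quota.sh; without it the table only grows. Note that, exactly as on the page, only ssh and echo requests are passed in on dc0, so the ident, finger and bitlbee services in inetd.conf are reachable only over lo0 (skipped by pf), i.e. by users already logged in.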