
Secure Web Server with OpenBSD 16 May, 2006

Posted by netlog in OpenBSD.

The OpenBSD team prides itself on producing one of the most—if not the most—secure operating systems in the world. If you are concerned about keeping the sensitive data within your organization protected, consider OpenBSD. As a member of the 4.4BSD-lite family of operating systems, OpenBSD sets itself apart by claiming to be "secure by default". The basis for this claim is the diligence of the OpenBSD code auditing team and the inclusion of military grade cryptography in the base system (including Kerberos, OpenSSH, and IPSec). OpenSSH runs best on OpenBSD, since the OpenBSD team develops both.

You can install OpenBSD in a couple of ways. The easiest method is to order the OpenBSD CD-ROM from the OpenBSD ordering page. The OpenBSD team, headed by Theo de Raadt, relies on the sale of these CD-ROM packages for its financial survival, so it prefers that users choose this method. Installation via CD-ROM is outlined in detail inside the CD case.

The second—and faster—way of installing OpenBSD is over the Internet via FTP or HTTP. Though this install is free, a post-installation courtesy is to order the CD-ROM anyway, make a donation to OpenBSD, and / or buy a limited edition OpenBSD T-shirt or poster.

This tutorial demonstrates a network install of the OpenBSD operating system, along with PHP4 and MySQL. It presents an advanced system administrator build, which assumes basic knowledge of the VI editor.

[Author's Note: Because OpenBSD is a Canadian-made product, export of the security suite and source code is not restricted in any way. However, while U.S. readers can download (import) OpenBSD, exporting or re-exporting cryptographic software from the US is still a serious criminal offence. For those of you living in the US, do not attempt to export the OpenBSD operating system once you've downloaded it. If you are an American citizen located outside the US, do not download OpenBSD from an American site. You have been warned! Of course, downloading OpenBSD from an American site to an American location is fine. Always choose the server nearest you.]

Create OpenBSD Boot Floppy
OpenBSD runs on a number of hardware platforms. The following directions are somewhat specific to "IBM PC" aka "Intel/AMD" architecture machines. To install OpenBSD over the network, your host computer needs either a floppy or a CD-ROM drive and an Ethernet card that OpenBSD can recognize. So check your hardware first. If you use an Intel-based system, your information is under i386.

To create a bootable CD-ROM, you need a CD burner and CD creation software. To simplify the multi-step process of creating the floppy boot install disk on Windows, which is somewhat involved, I developed an installer package. I did not alter the boot installer in any way, but if you prefer to receive the software directly from the OpenBSD site, you'll find it in the tools section of the 3.6 release site. Navigate to your relevant hardware and download the necessary files.

To complete the example install, you need 1-3 floppy disks and a standard 1.44M floppy drive on your Windows computer. For a standard build, you need only the first disk. The second disk is for special RAID and SCSI situations, and the third is for laptops. This tutorial uses Windows 2000, but floppy disk creation should work seamlessly with Windows NT and XP as well. If you use an older DOS system or Windows 95/98, then you must use the fdimage.exe file included in the downloadable openbsd36_floppy_install.zip file (with documentation).

The following steps will guide you through a Windows 2000, XP, and NT OpenBSD boot floppy creation:

1. Download the OpenBSD 3.6 floppy images.
2. Format your floppy disk: My Computer -> 3 1/2 Floppy (A:) -> right click -> Format.
3. Place the directory openbsd36_floppy_install on your c:\ drive as C:\openbsd36_floppy_install.
4. Open a dos prompt and type:

cd C:\openbsd36_floppy_creation

5. Now that openbsd36_floppy_creation is your working directory type:

ntrw floppy36.fs a:

For a standard Intel architecture, you need only the first disk. If the first disk does not take you to the install screen (or you are using a laptop), you may have to make one or two more floppy boot disks. Again, format your second and third floppy disks then type the following, respectively (see Figure 1):

ntrw floppyB36.fs a:
ntrw floppyC36.fs a:
Figure 1. OpenBSD Floppy Creation (Win2000)

Put your newly created floppy boot installer in the a: drive of the computer on which you want to install OpenBSD. Make sure your CMOS is set up to boot from floppy first, and then boot from hard drive second.

To complete the install, you need an Ethernet card that OpenBSD supports. The networking setup procedure is quite straightforward. The following instructions explain how to set up DHCP for a DSL connection. At each listed prompt, just follow the instructions:

1. Would you like to (I)nstall, (U)pgrade, or (S)hell? Choose I. ENTER.
2. Terminal type? ENTER
3. Do you wish to select a keyboard-encoding table? Choose no. ENTER.
4. Proceed with install? Press y. ENTER.
5. Which one is the root disk? (or 'done') [wd0] Accept the default wd0. ENTER.
6. Do you want to use *all* of wd0 for OpenBSD? Choose no. ENTER.
7. fdisk: 1>q. ENTER.
8. Initial label editor (Enter '?' for help at this prompt.)
9. At the ">" prompt, TYPE "?" to list the editor commands. ENTER.

The tools you see are part of the OpenBSD label/partition editor. The disk label editor screen might not look pretty, but it is very powerful. The most important commands for a basic install are 'a' for add partition, 'd' for delete partition, 'p' for print label, and 'q' for quit. OpenBSD requires a manual file system setup. During this process 'm' is for megabytes and 'g' is for gigabytes. This tutorial assumes you are installing OpenBSD on a system dedicated to OpenBSD. (For dual boot issues, see the FAQ.)

Configure the File Structure and the Network
Now on with the install. First, clear the possibility that OpenBSD recognized an existing partition on your hard-drive by typing the following:

z a. ENTER.

The "z" command zeroes the partition table, leaving only the c partition (which represents the whole disk). Author Note: Thanks to Joel Dinel for the partition zeroing hint.

Now you can add the file structure. This consists of / (root), swap, /tmp, /var, /usr, and /home. File system size is an important consideration:

* The root / must be at least 150m; 500m is recommended.
* /tmp can be as small as 150m. Performance can increase if this is larger.
* /var should be larger for a server because /var/www and /var/mail can fill up quickly (especially if you expect to handle larger mail attachments).
* swap should be twice the size of the RAM you have or twice the size of the RAM you expect to have.
* 512MB of RAM makes a swap space of 1,024MB ideal. One gig of RAM makes two gigs of swap space.
* /usr and /home need to be larger if you are creating a desktop workstation with X Windows.

I am using a 10GB hard drive. You should use values that make sense for your situation. Keep in mind that the values for offset will differ depending on the size of your hard drive. The following instructions create the basic file structure for the operating system:

TYPE: a a. ENTER.
offset:[63]. ENTER.
size:500m. ENTER.
FS type: [4.2BSD]. ENTER.
mount point:[none] /. ENTER.

TYPE: a b. ENTER.
offset:[614880]. ENTER.
size: [19386045] 1024m. ENTER.
FS type: [swap]. ENTER.

TYPE: a d. ENTER.
offset: [2712528]. ENTER.
size: [17288397] 500m. ENTER.
FS type: [4.2BSD]. ENTER.
mount point: [none] /tmp. ENTER.

TYPE: a e. ENTER.
offset: [3327408]. ENTER.
size: [16673517] 3g. ENTER.
FS type: [4.2BSD]. ENTER.
mount point: [none] /var. ENTER.

TYPE: a f. ENTER.
offset:[5425056]. ENTER.
size: [14575869] 2g. ENTER.
FS type: [4.2BSD]. ENTER.
mount point: [none] /usr. ENTER.

TYPE: a g. ENTER.
offset: [9619344]. ENTER.
size: [10381581] 2g. ENTER.
FS type: [4.2BSD]. ENTER.
mount point: [none] /home. ENTER.

Now that you have created the file structure, write the changes:

TYPE: p. ENTER.

This shows the partitions you are about to create. Leave a little extra space for future changes (like RAM upgrades, or log files filling /var) or leave the size of the g partition unspecified and g will use up the rest of your hard disk:

TYPE: q. ENTER.
Write new label? Choose y. ENTER.

Now, cycle through the options you have created. Hit ENTER until the /home directory appears, then type "done".

The next step destroys all existing data on these partitions:

Are you sure that you're ready to proceed? TYPE: y. ENTER.

You will be prompted for a system hostname. Use any name you like. I used the name ftknox.

The following steps guide you through configuring the network using DHCP:

* Configure the network? Choose yes. ENTER.
* If you are using an Ethernet card that is supported by OpenBSD, then you should be prompted to initialize an interface. Press ENTER.
* Symbolic (host) name for vr0? [ftknox] TYPE a name for the interface (I used dlink530TX). ENTER. You should see the speed options for your Ethernet card.
* Do you want to change the media options? Choose no. ENTER.
* IPv4 address for vr0? (or 'none' or 'dhcp') TYPE: dhcp. ENTER.
* Enter your DNS domain name and the address of your DNS nameserver.
* Default IPv4 route? Choose dhcp. ENTER.
* Edit hosts with ed? Choose no. ENTER.
* Do you want to do any manual network configuration? Choose no. ENTER.
* Password for root account? Do not use any word in any language. Numbers and letters and special characters are best in combination.

Now that the network and file structure configuration is done, it is time to access an (F)TP server to install the operating system:

Where are the install sets? (or 'done') TYPE: f ENTER.
HTTP/FTP proxy URL? (e.g., 'http://proxy:8080'. or 'none') Choose none. ENTER.
Display the list of known FTP servers? Choose yes. ENTER.

Find the server that is closest to you (heeding the warnings from the introduction regarding international distribution):

* Server? (IP address, hostname, list#, 'done' or '?') TYPE: "ftp.openbsd.org". ENTER.
* Does the server support passive mode FTP? Choose yes. ENTER.
* Server directory? Choose pub/OpenBSD/3.6/i386. ENTER.
* Login? Choose anonymous. ENTER.

The following sets are available:

* File name? (or 'done') [bsd.mp] TYPE all. ENTER.
* File name? (or 'done') TYPE: "-game36.tgz". ENTER.
* File name? (or 'done') TYPE: "done". ENTER.
* Ready to install sets? TYPE: "yes" ENTER.

And away you go. You are now installing the entire OpenBSD operating system over the Internet to your host (server) computer. So depending on your connection speed, this could take minutes or hours. If it works, you will see various messages about getting somefile.tgz, followed by a percentage. Of course, 100 percent is the target.

Then you will be prompted with the following questions:

* Where are the install sets? (or 'done') TYPE: done ENTER.
* Start sshd(8) by default? Choose yes. ENTER.
* Do you expect to run the X window System? Choose either yes or no. ENTER. (I personally believe that X Windows has no place on a server, but you may think differently.)
* Change the default console to com0? Choose no ENTER.
* Set your time zone. This one's self-explanatory.

You should now have a congratulations screen and a root prompt. Take your boot floppy out of the a: drive and TYPE halt. Reboot your machine to start using OpenBSD. Because you chose to start sshd by default, you will notice that it generates new DSA and RSA host keys on first boot. This is excellent. OpenSSH runs seamlessly with OpenBSD because the same people make both. For further information, read the OpenSSH FAQ. The afterboot section of the man pages offers a wealth of information that you should read as well:

TYPE: "man afterboot".

One of the strengths of OpenBSD is the high quality of its man pages. Make sure you read these before attempting to post a question on any OpenBSD forum. (Browsing Hint: Page Up and Page Down move you through the man pages; ENTER scrolls one line; TYPE "q" to quit.)

Set Up SU
To use SU, you must first create a regular user, which you will regularly log in as:

1. Log in as root.
2. TYPE: "adduser".
3. Choose your favorite shell. I use the default [sh].
4. Use the default login class.
5. Use the default Home partition: [/home].

Continue using the defaults, unless you have a special situation. I choose not to send a message to myself and to be prompted for passwords by default. One thing I do change is the password encryption method. Blowfish is my algorithm of choice (and is likely the default). Enter username and full name when prompted.

Now continue as root:

1. TYPE: "vi /etc/group".
2. The top line should read: "wheel:*:0:root".
3. TYPE "i" to enter vi insert mode.
4. Move to the end of the first line using the right arrow.
5. Add a comma and the username of the user you just created. (e.g., wheel:*:0:root,user1)
6. Press ESC and TYPE ":wq" to write the file and exit vi.
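If you would rather not hand-edit /etc/group (or want to script the step for several machines), the following added example, which is not part of the original article, does the same wheel edit from the shell and checks its own work. It takes the group file path as an optional third argument so you can rehearse it on a scratch copy before touching the real /etc/group; the demo at the bottom uses a constructed file, not the system one.

```shell
#!/bin/sh
# Added example (not from the original article): add a user to a group in
# /etc/group without duplicating the entry, then verify the result.
# Usage: add_to_group <group> <user> [groupfile]   (groupfile defaults to /etc/group)

# Return 0 if USER is already listed as a member of GROUP in FILE, 1 otherwise.
in_group() {
    group=$1; user=$2; file=${3:-/etc/group}
    # Group line format: name:password:gid:member1,member2,...
    awk -F: -v g="$group" -v u="$user" '
        $1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
        }
        END { if (found) exit 0; exit 1 }' "$file"
}

# Append USER to GROUP's member list in FILE; a no-op if already present.
add_to_group() {
    group=$1; user=$2; file=${3:-/etc/group}
    grep -q "^$group:" "$file" || { echo "no such group: $group" >&2; return 2; }
    if in_group "$group" "$user" "$file"; then
        echo "$user is already in $group"
        return 0
    fi
    # An empty member field gets the bare name, otherwise ",name" is appended.
    # sed -i is not POSIX, so rewrite through a temp file; "cat >" keeps the
    # original file's owner and mode, which matters for /etc/group.
    tmp=$(mktemp) || return 1
    awk -F: -v OFS=: -v g="$group" -v u="$user" '
        $1 == g { $4 = ($4 == "") ? u : $4 "," u } { print }' "$file" > "$tmp" &&
    cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Demo on a constructed scratch file (this is NOT the real /etc/group).
demo() {
    f=$(mktemp)
    printf 'wheel:*:0:root\ndaemon:*:1:daemon\nstaff:*:20:\n' > "$f"
    add_to_group wheel user1 "$f"
    add_to_group wheel user1 "$f"   # second call reports "already in wheel"
    add_to_group staff user1 "$f"   # empty member list case
    cat "$f"
    rm -f "$f"
}
demo
```

Run the demo first; when you are satisfied, call add_to_group wheel yourname as root with no third argument to edit the real file. The membership check is what keeps the edit safe to re-run.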

Test this out:

1. Press CTRL-ALT-F2 to open a new login screen.
2. Log in as the new user you just created.
3. TYPE "su".
4. Enter your root password.

You should once again have a root prompt '#'. Use this prompt to install the ports and package collections. The following section shows you how.

Install Ports and the Package Collection
Now that su is set up and working, OpenBSD's functionality considerably expands with the installation of both the ports and the package collections. Installing new functionality on OpenBSD requires root or su-acquired root privileges. All of the following instructions require that you be logged in as the SuperUser (root).

Issue the following commands to install several thousand program skeletons:

1. ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/ports.tar.gz
2. mv ports.tar.gz /usr
3. cd /usr
4. tar -xzf ports.tar.gz

Pop back into your open root console:

TYPE: CTRL-ALT-F1.

Notice that true root keeps track of all uses of su. Press ENTER to get your prompt back, and type "login". Log in as the user you created. Type "su", enter the root password, and voila!

Using Ports: Invoking the tcsh Shell
All of the ports work in a similar fashion. Navigate to the port directory you want and type "make && make install" within the port directory that includes the Makefile. For example, to install the tcsh shell:

1. TYPE: "cd /usr/ports/shells/tcsh".
2. TYPE: "make && make install".

And that is the basic formula for installing ports. Many ports, like tcsh, have special instructions that appear during or following the install. In this case:

1. TYPE: "vi /etc/shells".
2. Add the line /bin/tcsh to this file.
3. Save and quit (ESC, :wq).

At the root prompt, type "/usr/local/bin/tcsh" to invoke the tcsh shell. I like this shell for its up-arrow command history function (never type the same thing twice). You can perform subsequent invocations of this shell by typing tcsh at the command prompt. I suggest continuing to use the tcsh shell for the rest of the tutorial.

Packages Collection
The packages collection is the preferred way of installing software onto your OpenBSD system. Packages "automagically" install the required dependencies. As with the Ports system, you must be logged in as the SuperUser (root). You can browse the packages online. (Note: Intel architecture is i386.) Tell pkg_add where to find the packages via FTP. Do not attempt to install packages from an older or a newer release number of OpenBSD. Because this tutorial builds OpenBSD version 3.6, make sure you get the packages from the version 3.6 folder (setenv as seen below):

TYPE setenv PKG_PATH ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/

Install MySQL and PHP
Install MySQL4:

TYPE: "pkg_add mysql-server-4.0.20.tgz"

Note the instructions on the screen. You will return to this after you install PHP.

Install PHP4:

TYPE pkg_add php4-core-4.3.10.tgz

Enable the PHP4 module:

TYPE /usr/local/sbin/phpxs -s
TYPE cp /usr/local/share/doc/php4/php.ini-recommended /var/www/conf/php.ini

Install PHP4_MySQL4 connectivity:

TYPE pkg_add php4-mysql-4.3.10.tgz
TYPE /usr/local/sbin/phpxs -a mysql

Enable MCRYPT:

TYPE pkg_add php4-mcrypt-4.3.10.tgz
TYPE /usr/local/sbin/phpxs -a mcrypt

Enable MHASH:

TYPE pkg_add php4-mhash-4.3.10.tgz
TYPE /usr/local/sbin/phpxs -a mhash

Enable IMAP:

TYPE pkg_add php4-imap-4.3.10.tgz
TYPE /usr/local/sbin/phpxs -a imap

Enable DOMXML:

TYPE pkg_add php4-domxml-4.3.10.tgz
TYPE /usr/local/sbin/phpxs -a domxml

Enable PEAR libraries:

TYPE pkg_add php4-pear-4.3.10.tgz

Use PHP to manipulate graphics:

TYPE pkg_add php4-gd-4.3.10-no_x11.tgz
TYPE /usr/local/sbin/phpxs -a gd

Enable CURL:

TYPE pkg_add php4-curl-4.3.10.tgz
TYPE /usr/local/sbin/phpxs -a curl

Create MYSQL passwords and user:

TYPE /usr/local/bin/mysqld_safe &
TYPE /usr/local/bin/mysqladmin -u root password mypassword (replace mypassword with a strong password of your own)

Access the server with your new password:

TYPE /usr/local/bin/mysql -u root -p

Enter your password at the prompt. You should see the mysql prompt. A problem with MySQL is it ships with two anonymous users who have no passwords. Change this within MySQL by entering the following (Note: the '' marks are two single quotation marks in a row):

mysql> TYPE SELECT Host, User FROM mysql.user;
mysql> TYPE SET PASSWORD FOR ''@'localhost' = PASSWORD('newpwd');
mysql> TYPE SET PASSWORD FOR ''@'host_name' = PASSWORD('newpwd');

Change ''@'host_name' to the value that corresponds to the name you gave your system, displayed on your screen under Host where User = root (e.g., lockdown.cyborgspiders.com):

mysql> TYPE exit

Now that you are back at the '#' prompt, TYPE ps to verify that mysqld_safe is still running.
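To see at a glance which accounts still need attention, here is an added example (not part of the original article) that audits the output of the mysql.user query above. It assumes you ran the query in batch mode, mysql -u root -p -B -e "SELECT Host, User, Password FROM mysql.user", which prints tab-separated rows with a header line; the rows in sample_users are constructed to look like a fresh 4.0 install after mysqladmin has set the root password. Besides the two anonymous accounts the article mentions, it also flags any named account whose Password column is empty. The remediation_sql function prints statements that remove the anonymous accounts instead of merely giving them a password; MySQL 4.0 has no DROP USER, so the rows are deleted from mysql.user and the grant tables are reloaded with FLUSH PRIVILEGES.

```shell
#!/bin/sh
# Added example (not from the original article): audit mysql.user for weak
# accounts and generate clean-up SQL. Input format is the tab-separated batch
# output of: mysql -u root -p -B -e "SELECT Host, User, Password FROM mysql.user"

# Constructed sample of that output (NOT taken from a real server).
sample_users() {
    printf 'Host\tUser\tPassword\n'
    printf 'localhost\troot\t*CONSTRUCTEDHASH\n'
    printf 'ftknox\troot\t*CONSTRUCTEDHASH\n'
    printf 'localhost\t\t\n'
    printf 'ftknox\t\t\n'
}

# Read the dump on stdin; print one line per weak account: "<reason> <user>@<host>".
# Anonymous accounts (empty User) are always weak; named accounts are weak
# when their Password column is empty.
weak_accounts() {
    awk -F'\t' '
        NR == 1 { next }
        $2 == "" { print "anonymous " $2 "@" $1; next }
        $3 == "" { print "no-password " $2 "@" $1 }'
}

# Number of weak accounts found on stdin.
weak_account_count() {
    weak_accounts | wc -l | tr -d ' '
}

# Emit SQL that deletes every anonymous account, then reloads the grant tables.
# (DELETE + FLUSH PRIVILEGES is the MySQL 4.0 way; DROP USER arrived later.)
remediation_sql() {
    awk -F'\t' -v q="'" '
        NR == 1 { next }
        $2 == "" { print "DELETE FROM mysql.user WHERE User=" q q " AND Host=" q $1 q ";" }
        END { print "FLUSH PRIVILEGES;" }'
}

# Demo on the constructed sample.
echo "Weak accounts:"
sample_users | weak_accounts
echo "Count: $(sample_users | weak_account_count)"
echo "Remediation:"
sample_users | remediation_sql
```

To use it on the live server, pipe the real query output into weak_accounts, review the list, and only then feed remediation_sql's output back into mysql -u root -p. Re-running the audit afterwards should report a count of 0.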

Edit APACHE httpd.conf file:

1. vi /var/www/conf/httpd.conf
2. Change the email address for ServerAdmin to you@youraddress.com.
3. Change your ServerName to a valid DNS entry. If you do not have a valid DNS name for your host, enter the IP address associated with your LAN.
4. TYPE ifconfig -a to find the inet address associated with your working Ethernet card.
5. Find the line that says inet 192.168.1.106 or some similar value.
6. Find the line #AddType application/x-httpd-php .php and delete the comment character '#'.
7. Also, you must add php to the Apache Directory Index: DirectoryIndex index.html index.php (Optionally, add index.phtml, index.php4, and index.php3.).
8. Exit vi, forcing the save:
9. Press ESC and TYPE ":wq!" ENTER.
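The same edits can be scripted and verified. The following is an added example, not code from the original article, and it assumes the stock Apache 1.3 layout in which ServerAdmin, ServerName, DirectoryIndex and the commented-out AddType line each sit on their own line at the start of a line. It rewrites the file through sed and then a separate check confirms every edit landed, so you can rehearse it on a copy before running it against /var/www/conf/httpd.conf. The demo below works on a constructed excerpt, not the real file; the commented AddType line for .phps (PHP source) is deliberately left alone.

```shell
#!/bin/sh
# Added example (not from the original article): enable PHP in an Apache 1.3
# httpd.conf and verify the result.
# Usage: enable_php_in_httpd_conf <conf-file> <admin-email> <server-name>

enable_php_in_httpd_conf() {
    conf=$1; admin=$2; name=$3
    tmp=$(mktemp) || return 1
    # 1. ServerAdmin / ServerName: replace the value, uncommenting if needed.
    # 2. AddType for .php: strip the leading '#'. The '.phps' source-handler
    #    line does not match this pattern and stays commented.
    # 3. DirectoryIndex: append index.php only if it is not already listed,
    #    so the function is safe to run twice.
    sed -e "s|^#\{0,1\}ServerAdmin .*|ServerAdmin $admin|" \
        -e "s|^#\{0,1\}ServerName .*|ServerName $name|" \
        -e 's|^#\( *AddType application/x-httpd-php \.php\)|\1|' \
        -e '/^DirectoryIndex /{/index\.php/!s/$/ index.php/;}' \
        "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Return 0 only when every edit is in place.
check_php_enabled() {
    conf=$1
    grep -q '^AddType application/x-httpd-php \.php' "$conf" &&
    grep -q '^DirectoryIndex .*index\.php' "$conf" &&
    grep -q '^ServerName [^ ]' "$conf" &&
    ! grep -q '^ServerAdmin you@your\.address' "$conf"
}

# Demo on a constructed excerpt of a stock httpd.conf (NOT the real file).
demo() {
    f=$(mktemp)
    printf '%s\n' \
        'ServerAdmin you@your.address' \
        '#ServerName new.host.name' \
        'DirectoryIndex index.html' \
        '#AddType application/x-httpd-php .php' \
        '#AddType application/x-httpd-php-source .phps' > "$f"
    enable_php_in_httpd_conf "$f" webmaster@example.com www.example.com
    if check_php_enabled "$f"; then
        echo "PHP enabled:"; cat "$f"
    else
        echo "edit failed; inspect $f" >&2
    fi
    rm -f "$f"
}
demo
```

After editing the real file, apachectl configtest (from the Apache distribution) is the sanity check to run before restarting the server.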

Starting and Stopping APACHE as the SuperUser
To start Apache:

TYPE apachectl start (c as in current, t as in table, l as in linux)

To stop Apache:

TYPE apachectl stop (c as in current, t as in table, l as in linux)

Start Apache now. Then navigate to the htdocs directory to test PHP:

TYPE cd /var/www/htdocs
TYPE ls

You are now viewing the htdocs directory. This is the directory from which Apache serves files to the world:

TYPE lynx 127.0.0.1

This should show you a congratulations screen. Apache is running with the index.html file.

For PHP to work, you must create an index.php file:

TYPE vi index.html

Remember, press i for insert mode. Beneath the <body bgcolor="#ffffff"> tag, add <?php phpinfo(); ?>. Press ESC and TYPE ":wq index.php" ENTER. This writes the edited buffer to a new file, index.php, and leaves index.html unchanged. Test this out:

TYPE lynx 127.0.0.1/index.php

You should see a very detailed display about your new PHP-enabled Apache Web server. Read through it. Notice how the variables in the httpd.conf file and the php.ini file affect the output. Depending on your purposes, you will want to make configuration changes to these files. (Note: the Apache documentation is installed by default. To avoid embarrassment (and death threats) on the mailing lists, RTFM.)

Connect to MySQL Using PHP
To connect to MySQL from PHP, you need to create a new PHP document:

vi mysql.php
<html>
<head>
<title>PHP MySQL connection test</title>
</head>
<body>
<?php
// Connect to the local MySQL server; replace the placeholder with the real password.
$connect = mysql_connect('localhost', 'root', 'yourpasswordhere');
// If the connection failed, stop here and show the MySQL error message.
if (!$connect) {
die('Something went wrong: ' . mysql_error());
}
echo 'It is time to enjoy your new OpenBSD Apache PHP MySQL powered web server.';
// Good form: close the connection when finished.
mysql_close($connect);
?>
</body>
</html>

Mission Accomplished
If you followed these directions correctly, you now have the magic key to OpenBSD 3.6, Apache 1.3.29 mod_ssl/2.8.16, OpenSSL/0.9.7d, MySQL 4.0.20, and PHP 4.3.10. NEVER GIVE UP ROOT! OpenBSD ships "secure by default", meaning all non-essential services are disabled. The OpenBSD code-auditing team promotes open source as the only real solution to a truly transparent security model. This working model greatly simplifies the system administrator’s security duties. Security becomes a consideration prior to implementing new services rather than an after-the-fact, hole-plugging technique.

OpenBSD also ships with Apache chrooted by default. While this will create some challenges for the system admin with certain programs, the benefit is that should Apache become compromised the cracker will not have write access to the operating system. Running Apache "jailed" restricts the daemon from "seeing" beyond the root directory of the chrooted directory (the cracker may not get beyond read access to Apache).

While not immune to security breaches, OpenBSD takes a proactive stance against cracking techniques. Buffer overflow attacks are historically a weak point in *nix systems, so OpenBSD has taken measures to protect the stack and to ensure that no page is both writeable and executable at the same time. It is a credit to the OpenBSD community that security announcements are few and far between.

Proactive security, however, is a continual process. Keeping up to date is important. To receive security announcements from OpenBSD, send an email to OpenBSD.org with "subscribe security-announce" in the message body.

Security concerns need to be based on the value of your data. My next article will demonstrate how to use SSH to remotely administer your OpenBSD/Apache/PHP/MySQL Web server.

Comments»

1. rendhyawan hakim - 25 February, 2009

Bro, could you share a tutorial on upgrading Apache 1.3 to 2.2?
I've only just started using OpenBSD,
please guide me.

Best Regards,
erHA

2. Da2n - 24 June, 2010

Peace be upon you, and the mercy and blessings of God.

Bro, may I get in touch with you?..

May God reward you..
