OpenBSD 3.8 Quick Guide I386 Adonis a.K.a NtWaK0
Installation Personalize
GNU Free Documentation License
Version 1.0, 2006-02-24
Copyright © 2006 Adonis aKa NtWaK0 (www.safehack.com)
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".

1. Installation
Creating floppies on Unix
Format and check for bad sectors.
  # fdformat /dev/rfd0c
  Format 1440K floppy `/dev/rfd0c'? (y/n): y
  Processing VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV done.
If you do not see ALL "V"'s then the disk is most likely bad, and you should try a new one.

Write the installation image to floppy.
  # dd if=floppy38.fs of=/dev/rfd0c bs=32k
Check to make sure that the copied image is the same as the original with the cmp command. If identical you will just get back the prompt.
  # cmp /dev/rfd0c floppy38.fs
Creating floppies on Windows or DOS
You can get the tools from the tools directory on any of the OBSD FTP mirrors, or from the 3.8/tools directory on CD1 of the OpenBSD CD set.
To write the installation image.
Example usage of rawrite:
  C:\> rawrite
  RaWrite 1.2 - Write disk file to raw floppy diskette
  Enter source file name: floppy38.fs
  Enter destination drive: a
  Please insert a formatted diskette into drive A: and press -ENTER- : Enter

Example usage of fdimage:
  C:\> fdimage -q floppy38.fs a:

Example usage of ntrw:
  C:\> ntrw floppy38.fs a:
Starting the install
When your boot is successful, you will see a lot of text messages scroll by. This text is the dmesg: the kernel telling you what devices it has found, and where. A copy is saved as /var/run/dmesg.boot.
SHIFT+PGUP will let you examine text that has scrolled off the screen.
rootdev=0x1100 rrootdev=0x2f00 rawdev=0x2f02
erase ^?, werase ^W, kill ^U, intr ^C, status ^T
(I)nstall, (U)pgrade or (S)hell? i
Specify terminal type: [vt220] Enter
kbd(8) mapping? ('?' for list) [none] Enter
Proceed with install? [no] y


Setting up disks
To enable all available security features you should configure the disk(s) to allow the creation of separate filesystems for /, /tmp, /var, /usr, and /home.
  • D - Clears any existing disklabel, creates a new default disklabel which covers just the current OpenBSD partition.
  • m - Modifies an existing entry in a disklabel.
  • r or reinit: Clears existing partition table, makes one big OpenBSD partition, flags it active, and installs the OpenBSD MBR code. Equivalent to saying "yes" to the "use *all* of ..." question.
  • p or print: Displays the current partition table in sectors. "p m" will show the partition table in megabytes, "p g" will show it in gigabytes.
  • e or edit: edit or alter a table entry.
  • f or flag: Marks a partition as the active partition, the one that will be booted from.
  • u or update: Updates the MBR with the OpenBSD boot code, similar to "reinit", except it doesn't alter the existing partition table.
  • exit and quit: Careful on these, as some users are used to "exit" and "quit" having opposite meanings.
MIN DISK PARTITIONS
(root)             100MB
/usr               250MB (no X) or 400MB (with X)
/var               25MB
/tmp               50MB
swap               32MB

Available disks are: wd0.
Which one is the root disk? (or done) [wd0] Enter
Do you want to use *all* of wd0 for OpenBSD? [no] Enter
  > p
  > d a
  > a a
  offset: [---] Enter
  size: [---] 150m
  Rounding to nearest cylinder:
  FS type: [4.2BSD] Enter
  mount point: [none] /
  > a b
  offset: [---] Enter
  size: [---] 300m
  Rounding to nearest cylinder:
  FS type: [swap] Enter
  > a d
  offset: [---] Enter
  size: [---] 120m
  Rounding to nearest cylinder:
  FS type: [4.2BSD] Enter
  mount point: [none] /tmp
  > a e
  offset: [---] Enter
  size: [---] 80m
  Rounding to nearest cylinder:
  FS type: [4.2BSD] Enter
  mount point: [none] /var
  > a g
  offset: [---] Enter
  size: [---] 3g
  Rounding to nearest cylinder:
  FS type: [4.2BSD] Enter
  mount point: [none] /usr
  > a h
  offset: [---] Enter
  size: [---] 4g
  Rounding to nearest cylinder:
  FS type: [4.2BSD] Enter
  mount point: [none] /home
  > q
  Write new label?: [y] Enter
  Mount point for wd0d (size=---)? (or 'none' or 'done') [/tmp] Enter
  Mount point for wd0e (size=---)? (or 'none' or 'done') [/var] Enter
  Mount point for wd0g (size=---)? (or 'none' or 'done') [/usr] Enter
  Mount point for wd0h (size=---)? (or 'none' or 'done') [/home] Enter
  Mount point for wd0d (size=---)? (or 'none' or 'done') [/tmp] done


Setting the system hostname
Enter system hostname (short form, e.g. 'foo'): puffy
STATIC IP
  Configure the network? [yes] Enter
  Available interfaces are: fxp0.
  Which one do you wish to initialize? (or 'done') [fxp0] Enter
  Symbolic (host) name for fxp0? [puffy] Enter
  The default media for fxp0 is
         media: Ethernet autoselect (100baseTX full-duplex)
  Do you want to change the default media? [no] Enter
  IP address for fxp0? (or 'dhcp') 199.185.137.55
  Netmask? [255.255.255.0] Enter
  IPv6 address for fxp0? (or 'rtsol' or 'none') [none]
  No more interfaces to initialize.
  DNS domain name? (e.g. 'bar.com') [my.domain] example.com
  DNS nameserver? (IP address or 'none') [none] 199.185.137.1
  Use the nameserver now? [yes] Enter
  Default route? (IP address, 'dhcp' or 'none') 199.185.137.128
  add net default: gateway 199.185.137.128
  Edit hosts with ed? [no] Enter
  Do you want to do any manual network configuration? [no] Enter

USING DHCP
  Configure the network? [yes] Enter
  Available interfaces are: fxp0.
  Which one do you wish to initialize? (or 'done') [fxp0] Enter
  Symbolic (host) name for fxp0? [puffy] Enter
  The default media for fxp0 is
         media: Ethernet autoselect (100baseTX full-duplex)
  Do you want to change the default media? [no] Enter
  IP address for fxp0? (or 'dhcp') dhcp
  Issuing hostname-associated DHCP request for fxp0.
  Sending on  Socket/fallback/fallback-net
  DHCPDISCOVER on fxp0 to 255.255.255.255 port 67 interval 1
  DHCPOFFER from 199.185.137.128
  DHCPREQUEST on fxp0 to 255.255.255.255 port 67
  DHCPACK from 199.185.137.128
  New Network Number: 199.185.137.0
  New Broadcast Address: 199.185.137.255
  bound to 199.185.137.55 -- renewal in 43200 seconds.
  Done - no available interfaces found.
  DNS domain name? (e.g. 'bar.com') [example.org] Enter
  DNS nameserver? (IP address or 'none') [199.185.137.1] Enter
  Use the nameserver now? [yes] Enter
  Default route? (IP address, 'dhcp' or 'none') [199.185.137.128] Enter
  Edit hosts with ed? [no] Enter
  Do you want to do any manual network configuration? [no] Enter

Set the password for the root account
Password for root account? (will not echo) TyPeASeCurePaSSW0rDHeRe
Password for root account? (again) TyPeASeCurePaSSW0rDHeRe

Choosing installation media
  Let's install the sets!
  Location of sets? (cd disk ftp http or 'done') [cd] Enter
  Available CD-ROMs are: cd0.
  Which one contains the install media? (or 'done') [cd0] Enter
  Pathname to the sets?  (or 'done') [3.8/i386] Enter

Choosing file sets
  File Name? (or 'done') [bsd.mp] all
         [X] bsd
         [X] bsd.rd
         [ ] bsd.mp
         [X] base38.tgz
         [X] etc38.tgz
         [X] misc38.tgz
         [X] comp38.tgz
         [X] man38.tgz
         [ ] game38.tgz
         [X] xbase38.tgz
         [X] xetc38.tgz
         [X] xshare38.tgz
         [X] xfont38.tgz
         [X] xserv38.tgz
  File Name? (or 'done') -game38.tgz -bsd.mp
  File Name? (or 'done') [done] Enter
  Ready to install sets? [yes] Enter
  Location of sets? (cd disk ftp http or 'done') [done] Enter

Finishing up
Start sshd(8) by default? [yes] y
To change this later, edit /etc/rc.conf.local or /etc/rc.conf.
Start ntpd(8) by default? [no] y
To change this later, edit /etc/rc.conf.local or /etc/rc.conf.
Do you expect to run the X Window System? [yes] y
Change the default console to com0? [no] Enter
Saving configuration files......done.
Generating initial host.random file ......done.
What timezone are you in? ('?' for list) [Canada/Mountain] ? Canada/Eastern
# halt

Before you reboot
  • Set your mount points to be what they will be on a normal reboot of your newly installed system.
    • # /mnt/usr/sbin/chroot /mnt
After you reboot
Checks
Check local time soft link
# ln -fs /usr/share/zoneinfo/Canada/Eastern /etc/localtime
You can set the system time from a time server with rdate, for example (any other time server will do):
# rdate -ncv time.nrc.ca

Check hostname
Use the hostname command to verify that the name of your machine is correct. The hostname is saved in /etc/myname.
# hostname
# cat /etc/myname

Check Gateway
# cat /etc/mygate

Check disk mounts
Check that the disks are mounted correctly by comparing the /etc/fstab file against the output of the mount and df commands.
# cat /etc/fstab
# mount
# df
# pstat -s
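An added example that is not part of this guide: a small sh script that performs the fstab-versus-mount comparison above on constructed sample text, and also reports which of the separate filesystems recommended in the disk setup section (/, /tmp, /var, /usr, /home) has nothing mounted on it. The /etc/fstab and mount(8) output below are constructed samples, not taken from a real system.

```shell
#!/bin/sh
# Constructed sample /etc/fstab for the layout created in the disk setup section.
FSTAB_SAMPLE='# device   mountpoint  type  options          dump pass
/dev/wd0a  /           ffs   rw               1    1
/dev/wd0b  none        swap  sw               0    0
/dev/wd0d  /tmp        ffs   rw,nodev,nosuid  1    2
/dev/wd0e  /var        ffs   rw,nodev,nosuid  1    2
/dev/wd0g  /usr        ffs   rw,nodev         1    2
/dev/wd0h  /home       ffs   rw,nodev,nosuid  1    2'

# Constructed mount(8) output in which /home did not get mounted.
MOUNT_SAMPLE='/dev/wd0a on / type ffs (local)
/dev/wd0d on /tmp type ffs (local, nodev, nosuid)
/dev/wd0e on /var type ffs (local, nodev, nosuid)
/dev/wd0g on /usr type ffs (local, nodev)'

# Same output, with every fstab entry mounted.
MOUNT_SAMPLE_OK="$MOUNT_SAMPLE
/dev/wd0h on /home type ffs (local, nodev, nosuid)"

# Mount points named in fstab text on stdin; comments, swap and "none" are skipped.
fstab_mountpoints() {
    awk '!/^[ \t]*#/ && NF >= 3 && $3 != "swap" && $2 != "none" { print $2 }'
}

# Mount points present in mount(8) output on stdin ("<dev> on <mountpoint> type ...").
mounted_points() {
    awk '$2 == "on" { print $3 }'
}

# is_mounted MOUNTPOINT MOUNT_TEXT: succeeds when MOUNTPOINT appears in MOUNT_TEXT.
is_mounted() {
    printf '%s\n' "$2" | mounted_points | grep -qxF -- "$1"
}

# fstab_unmounted FSTAB_TEXT MOUNT_TEXT: prints fstab entries that are not mounted.
fstab_unmounted() {
    for mp in $(printf '%s\n' "$1" | fstab_mountpoints); do
        is_mounted "$mp" "$2" || printf '%s\n' "$mp"
    done
}

# missing_separate_fs MOUNT_TEXT: prints which of the recommended separate
# filesystems (see the disk setup section) has no filesystem of its own mounted.
missing_separate_fs() {
    for mp in / /tmp /var /usr /home; do
        is_mounted "$mp" "$1" || printf '%s\n' "$mp"
    done
}

# Demonstration run on the constructed samples.
echo "in fstab but not mounted: $(fstab_unmounted "$FSTAB_SAMPLE" "$MOUNT_SAMPLE")"
echo "recommended filesystems missing: $(missing_separate_fs "$MOUNT_SAMPLE")"
```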

Check nameserver (DNS client)
# cat /etc/resolv.conf
search mydomain
nameserver 24.100.143.142   (my ISP's DNS, auto-assigned by DHCP)
nameserver 24.100.143.143   (my ISP's DNS, auto-assigned by DHCP)
nameserver 24.100.143.144   (my ISP's DNS, auto-assigned by DHCP)
lookup file bind

You can either reboot or run the /etc/netstart script (as root: sh /etc/netstart). To test whether DNS is working, type uname or uname -a and try to ping another host.

Disable RPC-based network services
We won't be running NFS or YP, so we will make sure portmap=NO is set in /etc/rc.conf.local.
A good approach is to never touch /etc/rc.conf itself. Instead, create the file /etc/rc.conf.local, copy just the lines you are about to change from /etc/rc.conf and adjust them as you like.
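As an added example (not part of this guide), here is a small sh script that emulates how /etc/rc.conf.local overrides /etc/rc.conf: the stock rc.conf sources /etc/rc.conf.local at its very end, so a value set in the local file wins. The rc.conf lines below are a constructed stand-in, not a copy of the 3.8 file.

```shell
#!/bin/sh
# Constructed stand-in for the stock /etc/rc.conf: only a few lines, not a copy
# of the 3.8 file. Every setting is a plain sh variable assignment, which is why
# both files can simply be evaluated to find the value the rc scripts will see.
RC_CONF_SAMPLE='sshd_flags=""        # constructed default
ntpd_flags=NO          # constructed default
portmap=YES            # constructed default
nfs_server=NO'

# Constructed /etc/rc.conf.local holding only the lines we changed.
RC_LOCAL_SAMPLE='portmap=NO
ntpd_flags="-s"'

# effective_rc_value VAR RC_CONF_TEXT RC_LOCAL_TEXT
# rc.conf ends by sourcing /etc/rc.conf.local, so the local text is evaluated
# second and its assignments win. A throwaway subshell keeps the assignments
# from leaking into the caller's environment.
effective_rc_value() {
    var=$1
    (
        eval "$2"
        eval "$3"
        eval "printf '%s\n' \"\$$var\""
    )
}

# rpc_services_disabled RC_CONF_TEXT RC_LOCAL_TEXT: succeeds when portmap=NO wins.
rpc_services_disabled() {
    [ "$(effective_rc_value portmap "$1" "$2")" = NO ]
}

# Demonstration: the default alone, then with the local override in place.
echo "portmap without rc.conf.local: $(effective_rc_value portmap "$RC_CONF_SAMPLE" "")"
echo "portmap with rc.conf.local:    $(effective_rc_value portmap "$RC_CONF_SAMPLE" "$RC_LOCAL_SAMPLE")"
```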

Mail Aliases
Edit /etc/mail/aliases and set the three standard aliases to go to either a mailing list, or the system administrator.
# Well-known aliases -- these should be filled in!
root: root
manager: root
dumper: root
Run newaliases after changes.
# newaliases

Deny root SSH Login
If you wish to deny root logins over the network, edit the /etc/ssh/sshd_config file and set PermitRootLogin to ``no''.
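Added example, not from this guide: sshd(8) uses the first value it reads for a keyword, so a PermitRootLogin line appended below an earlier one is silently ignored. This sh function pulls the effective value out of a constructed sshd_config and reports whether root logins are actually denied; Match blocks and the Keyword=value spelling are not handled.

```shell
#!/bin/sh
# sshd_effective KEYWORD: reads sshd_config text on stdin and prints the value
# sshd(8) would use. sshd keeps the FIRST value it reads for a keyword, so a
# "PermitRootLogin no" placed below an earlier "PermitRootLogin yes" is ignored.
# Keywords are case-insensitive; lines starting with '#' are comments.
# Simplifications: Match blocks and the "Keyword=value" spelling are not handled.
sshd_effective() {
    kw=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    awk -v kw="$kw" '
        /^[ \t]*#/ || NF < 2 { next }            # comment, blank, or no value
        tolower($1) == kw    { print $2; exit }  # first occurrence wins
    '
}

# permit_root_login CONFIG_TEXT: effective PermitRootLogin value. The OpenSSH
# of that era defaulted to "yes" when the keyword was absent.
permit_root_login() {
    v=$(printf '%s\n' "$1" | sshd_effective PermitRootLogin)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'yes\n'; fi
}

# root_login_denied CONFIG_TEXT: succeeds only when the effective value is "no".
root_login_denied() {
    [ "$(permit_root_login "$1")" = no ]
}

# Constructed sample: the setting from the section above, done right.
SSHD_HARDENED='# constructed sshd_config
Port 22
Protocol 2
PermitRootLogin no
Subsystem sftp /usr/libexec/sftp-server'

# Constructed sample: "no" was appended at the bottom without removing the
# earlier "yes"; sshd keeps the first one, so root can still log in.
SSHD_TRAP='# constructed sshd_config
Port 22
PermitRootLogin yes
Subsystem sftp /usr/libexec/sftp-server
PermitRootLogin no'

echo "hardened: PermitRootLogin $(permit_root_login "$SSHD_HARDENED")"
echo "trap:     PermitRootLogin $(permit_root_login "$SSHD_TRAP")"
```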
Adding users
The easiest way to add a user in OpenBSD is to use the adduser script. You can configure adduser by editing /etc/adduser.conf.
I will add a user called ntwak0. He will be given the $HOME directory /home/ntwak0, and will be a member of the group guest, with a shell set to /bin/ksh.

    # adduser
    Use option ``-silent'' if you don't want to see all warnings and questions.
    Reading /etc/shells
    Reading /etc/login.conf
    Check /etc/master.passwd
    Check /etc/group
    Ok, let's go.
    Enter username []: ntwak0
    Enter full name []: Adonis a.K.a. NtWaK0 www.safehack.com
    Enter shell csh ksh nologin sh [sh]: ksh
    Uid [1002]: Enter
    Login group ntwak0 [ntwak0]: guest
    Login group is ``guest''. Invite ntwak0 into other groups: guest no
    [no]: no
    Login class auth-defaults auth-ftp-defaults daemon default staff
    [default]: Enter
    Enter password []: Type password, then Enter
    Enter password again []: Type password, then Enter

    Name:        ntwak0
    Password:    ****
    Fullname:    Adonis a.K.a. NtWaK0 www.safehack.com
    Uid:         1002
    Gid:         31 (guest)
    Groups:      guest
    Login Class: default
    HOME:        /home/ntwak0
    Shell:       /bin/ksh
    OK? (y/n) [y]: y
    Added user ``ntwak0''
    Copy files from /etc/skel to /home/ntwak0
    Add another user? (y/n) [y]: n
    Goodbye!

If you want a user to be able to su to root (using the root password), add the user to the wheel group. You can add your own variables by editing /usr/sbin/adduser.
path=('/bin','/usr/bin','/usr/local/bin')
This contains the list of directories that contain legitimate shells.
shellpref=('csh','sh','ksh','nologin')
This is a list of legitimate shells. Adduser will let you choose from any of these when creating a new user.

Adding users non interactively
# adduser -batch ntwak0 wheel 'ntwak0' passwordhere

I will add the same user using another method. The defaults are located in /etc/usermgmt.conf and can be viewed with the user command:
    $ user add -D
    $ encrypt -p -b 6
    Enter string:
    $2a$06$YOdOZM3.4m6MObBXjeZtBOWArqC2.uRJZXUkOghbieIvSWXVJRzlq
# user add -p '$2a$06$YOdOZM3.4m6MObBXjeZtBOWArqC2.uRJZXUkOghbieIvSWXVJRzlq' -u 1002 -s /bin/ksh -c "NtWaK0 User" -m -g guest ntwak0
OR
# user add -p '$2a$06$YOdOZM3.4m6MObBXjeZtBOWArqC2.uRJZXUkOghbieIvSWXVJRzlq' -u 1002 -s /bin/ksh -c "NtWaK0 User" -m -g wheel ntwak0

Note: Make sure to use ' ' (single quotes) around the password string, not " ", otherwise the shell expands the $ sequences in the hash.
$ userinfo ntwak0

Change user logon information
# chpass root

To delete users, use the rmuser utility. It removes any crontab entries, the $HOME directory and the user's mail, as well as the user's /etc/passwd and /etc/group entries.
# userdel -r ntwak0
Initial Network Setup
Find out what network interfaces have been identified.
$ ifconfig -a
  • lo - Loopback Interface
  • pflog - Packet Filter Logging Interface
  • sl - SLIP Network Interface
  • ppp - Point to Point Protocol
  • tun - Tunnel Network Interface
  • enc - Encapsulating Interface
  • bridge - Ethernet Bridge Interface
  • vlan - IEEE 802.1Q Encapsulation Interface
  • gre - GRE/MobileIP Encapsulation Interface
  • gif - Generic IPv4/IPv6 Tunnel Interface
  • carp - Common Address Redundancy Protocol Interface
If your interface is not configured, create the file /etc/hostname.xxx, where xxx is the name of your interface (fxp0, for example). Each line has the format:
    address_family address netmask broadcast [other options]

Simple configuration for an IPv4 address:
    $ cat /etc/hostname.fxp0
    inet 10.0.0.38 255.255.255.0 NONE
Force 100baseTX full-duplex mode.
    inet 10.0.0.38 255.255.255.0 NONE media 100baseTX mediaopt full-duplex
Use special flags specific to a certain interface:
    $ cat /etc/hostname.vlan0
    inet 172.21.0.31 255.255.255.0 NONE vlan 2 vlandev fxp1

If you have changed the network configuration, you can reboot or run the netstart script.
# sh /etc/netstart


Setting up aliases on an interface
To do this, simply edit the file /etc/hostname.<if>.
For this example, we assume that the user has an interface dc0 on the network 192.168.0.0. Other important information:

    * IP for dc0 is 192.168.0.2
    * NETMASK is 255.255.255.0
# cat /etc/hostname.dc0
inet 192.168.0.2 255.255.255.0 media 100baseTX
inet alias 192.168.0.3 255.255.255.255
inet alias 192.168.0.4 255.255.255.255
# ifconfig dc0 inet alias 192.168.0.3 netmask 255.255.255.255

To view these aliases you must use the command:
    $ ifconfig -A
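Added example, not code from this guide or from OpenBSD: a simplified sh rendition of what /etc/netstart does with a hostname.if file, turning each line into the ifconfig(8) or dhclient(8) command it stands for, so you can see what a file will configure before rebooting. It handles the inet, inet alias, NONE-broadcast and dhcp forms shown above; the sample files are constructed to match them.

```shell
#!/bin/sh
# hostname_if_to_ifconfig IFNAME FILE_TEXT
# Prints, for each line of a /etc/hostname.IFNAME file, the ifconfig(8) or
# dhclient(8) command it stands for. This is a simplified rendition of the
# logic in /etc/netstart, not the script itself. Understood line forms:
#   inet addr netmask [broadcast|NONE] [options...]
#   inet alias addr netmask [broadcast|NONE] [options...]
#   dhcp
hostname_if_to_ifconfig() {
    printf '%s\n' "$2" | awk -v ifn="$1" '
        /^[ \t]*(#|$)/ { next }                         # comment or blank line
        $1 == "dhcp"   { print "dhclient " ifn; next }
        $1 == "inet" {
            if ($2 == "alias") { cmd = "ifconfig " ifn " inet alias " $3 " netmask " $4; i = 5 }
            else               { cmd = "ifconfig " ifn " inet " $2 " netmask " $3;       i = 4 }
            # optional broadcast field: a dotted quad is passed on, NONE means "use the default"
            if (i <= NF && $i ~ /^[0-9.]+$/) { cmd = cmd " broadcast " $i; i++ }
            else if (i <= NF && $i == "NONE") { i++ }
            for (; i <= NF; i++) cmd = cmd " " $i       # media, vlan, ... pass through as-is
            print cmd; next
        }
        { print "# unhandled line: " $0 }
    '
}

# Constructed sample files matching the ones shown above.
HOSTNAME_FXP0='inet 10.0.0.38 255.255.255.0 NONE media 100baseTX mediaopt full-duplex'
HOSTNAME_VLAN0='inet 172.21.0.31 255.255.255.0 NONE vlan 2 vlandev fxp1'
HOSTNAME_DC0='inet 192.168.0.2 255.255.255.0 media 100baseTX
inet alias 192.168.0.3 255.255.255.255
inet alias 192.168.0.4 255.255.255.255'
HOSTNAME_XL0='dhcp'

# Demonstration run: one command per line of each file.
hostname_if_to_ifconfig fxp0 "$HOSTNAME_FXP0"
hostname_if_to_ifconfig vlan0 "$HOSTNAME_VLAN0"
hostname_if_to_ifconfig dc0 "$HOSTNAME_DC0"
hostname_if_to_ifconfig xl0 "$HOSTNAME_XL0"
```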


Check Routing tables
$ netstat -rn
$ route show


DHCP Client
To use the DHCP client dhclient, edit /etc/hostname.xl0 (interface is xl0). All you need to put in this hostname file is 'dhcp':
    # echo dhcp > /etc/hostname.xl0

If you want to start a DHCP client from the command line, make sure /etc/dhclient.conf exists, then try:
    # dhclient fxp0
Source Code
src.tar.gz contains a source archive starting at /usr/src. This file contains everything you need except for the kernel sources, which are in the separate archive sys.tar.gz.

sys.tar.gz contains a source archive starting at /usr/src/sys. This file contains all the kernel sources you need to rebuild kernels.

Extracting the source code
To extract the source tree, the kernel sources, X and the ports from the CD (assuming the CD is mounted on /mnt):
    # cd /usr/src; tar xzf /mnt/src.tar.gz
    # cd /usr/src; tar xzf /mnt/sys.tar.gz
    # cd /usr; tar xzf /mnt/XF4.tar.gz
    # cd /usr; tar xzf /mnt/ports.tar.gz

Updating using CVS
Following -Stable
Here is how someone using anoncvs regularly would update his source tree:
    * First, start out by `get'-ing an initial tree:
      (If you are following current):
        # setenv CVSROOT anoncvs@anoncvs.ca.openbsd.org:/cvs
        # cd /usr
        # cvs -q get -P src

      (If you are following the patch branch for 3.8):
        # setenv CVSROOT anoncvs@anoncvs.ca.openbsd.org:/cvs
        # cd /usr
        # cvs -q get -rOPENBSD_3_8 -P src

    * Anytime afterwards, to `update' this tree:
      (If you are following current):
        # cd /usr/src
        # cvs -q up -Pd

      (If you are following the patch branch for 3.8):
        # cd /usr/src
        # cvs -q up -rOPENBSD_3_8 -Pd

In the above example, -q is optional and only intended to minimize cvs's output. For those who like to see screenfuls of output, it can be omitted.

To use ports, it is similar to src:
      (If you are following current):
        # setenv CVSROOT anoncvs@anoncvs.ca.openbsd.org:/cvs
        # cd /usr
        # cvs -q get -P ports

      (If you are following the patch branch for 3.8):
        # setenv CVSROOT anoncvs@anoncvs.ca.openbsd.org:/cvs
        # cd /usr
        # cvs -q get -rOPENBSD_3_8 -P ports

    * Anytime afterwards, to `update' this tree:
      (If you are following current):
        # cd /usr/ports
        # cvs -q up -Pd

      (If you are following the patch branch for 3.8):
        # cd /usr/ports
        # cvs -q up -rOPENBSD_3_8 -Pd

NOTE: For users wishing to use rsh, you must first set the CVS_RSH environment variable to point to the rsh(1) program:
    * For Korn/Bourne shells:
              $ export CVS_RSH=/usr/bin/rsh
    * For csh/tcsh:
              % setenv CVS_RSH /usr/bin/rsh

Rebuild Your Kernel
To rebuild the default kernel from stable:
      # cd /usr/src/sys/arch/i386/conf
      # /usr/sbin/config GENERIC
      # cd /usr/src/sys/arch/i386/compile/GENERIC
      # make clean && make depend && make

To reboot with the newly compiled kernel:
# cd /usr/src/sys/arch/i386/compile/GENERIC
# cp /bsd /bsd.old          (Save an old copy of your kernel)
# cp bsd /bsd               (Copy the new kernel into place)
# reboot

Building the userland (rebuild the system binaries)
Note that the use of the /usr/obj directory is mandatory. Failing to do this step before building the rest of the tree will likely leave your src tree in bad shape.
Make sure all the appropriate directories are created.
# cd /usr/src/etc && env DESTDIR=/ make distrib-dirs

# cd /usr/src
# rm -r /usr/obj/*
# make obj && make build
Patching
You need to check http://www.openbsd.org/errata.html often for any security patches. You can get all the patches in one tar file from:

Example
wget ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.6/common/016_openssl.patch
Apply by doing:
        cd /usr/src
        patch -p0 < 016_openssl.patch

And then rebuild and install OpenSSL:
        cd lib/libssl
        make obj
        make depend
        make
        make install

2. Personalize
Changing Console Display
This can be done automatically at boot by adding the following lines to the end of your rc.local file:
wsfontload -h 8 -e ibm /usr/share/misc/pcvtfonts/vt220l.808
wsconscfg -dF 5
wsconscfg -t 80x50 5
Changing /etc files
Note that the /etc/motd file is modified by /etc/rc whenever the system is booted.  To keep any custom message intact, ensure that you leave two blank lines at the top, or your message will be overwritten.
Make a backup copy of all files in /etc/.

Check for any local changes needed in the files /etc/rc.conf,  /etc/rc.local, /etc/rc.securelevel, and /etc/rc.shutdown.
Installing X
When you installed OpenBSD you had the choice of installing X. If you did, the next step is to configure X Windows.
Two programs are recommended for creating your XF86Config file: xf86cfg and xf86config.
xf86cfg is confusing if you are not used to it; alternatively, it offers a text-mode configuration: 'xf86cfg -textmode'.
I suggest using xf86config. It helps if you can connect from another computer over ssh and run the configuration sequence from there, so you can more easily review error output, which is logged in /var/log/XFree86.0.log.
$ tail -f /var/log/XFree86.0.log

A good starting point on a new machine, when you know nothing about the video card, is the XFree86 -configure option.
# XFree86 -configure
Your XF86Config file is /root/XF86Config.new
To test the server, run:
# XFree86 -xf86config /root/XF86Config.new

If the graphic screen worked well, use this Configuration as a basis for your X environment.
Copy the /root/XF86Config.new file to the standard location for your machine (usually at /etc/X11)
Note: make backups of any existing files before you copy anything
# cp /etc/X11/XF86Config /etc/X11/XF86Config.org
# cp /root/XF86Config.new /etc/X11/XF86Config

Starting:
# /usr/X11R6/bin/startx

To start X Window using 256 color mode:
# startx -- -bpp 8
To start X Window in true colour mode, use the following command:
# startx -- -bpp 32
'startx' is a script to initialise services for the X Window environment which in the default OpenBSD configuration starts up a simple 'window manager' and a number of 'xterm' connections.

X won't start
If you have X completely set up and are using an XF86Config that you know works, the problem most likely lies with the machdep.allowaperture sysctl. You also need to make sure that your kernel is built with:
option APERTURE
Then edit /etc/sysctl.conf and set machdep.allowaperture=2. This allows X to access the aperture driver; it is already set if you answered during the install that you would be running X. OpenBSD requires the aperture driver for all X servers, because it controls access to the I/O ports on video boards.

Stopping:
To exit out of X, use Ctrl+Alt+Backspace
Printers
Edit /etc/printcap and /etc/hosts.lpd to get any printers set up.
Personalize ksh
The command prompt of ksh can easily be changed to something providing more information than the default "$ " by setting the PS1 variable. For example, inserting the following line:
    export PS1='$PWD $ '
in your /etc/profile produces the following command prompt:
    /home/nick $
See the file /etc/ksh.kshrc, which includes many useful features and examples, and may be invoked in your user's .profile.
Starting with OpenBSD 3.7, ksh has been enhanced with the following PS1 escape sequences:
    \e - Insert an ASCII escape character.
    \h - The hostname, minus domain name.
    \H - The full hostname, including domain name.
    \n - Insert a newline character.
    \t - The current time, in 24-hour HH:MM:SS format.
    \u - The current user's username.
    \w - The current working directory. $HOME is abbreviated as `~'.
    \W - The basename of the current working directory.
One could use the following command:
export PS1="\n\u@\H\n\w $ "

http://www.openbsd.org/faq/faq10.html#httpdchroot
Tuning your monitor resolution under X
Getting an X server working at an acceptable resolution with many multi-sync monitors is possible. If anyone has tried to do this with the standard xorgconfig or XF86Setup utilities, they probably didn't get the best possible results.
One of the more painful aspects is simply getting your monitor running with your preferred resolution, and then getting the vertical scan rate set to at least 72-75 Hz, a rate where the screen flicker is much less visible to humans.
The X server has a mechanism that lets you describe in detail the video mode you want to use: the ModeLine. A ModeLine has four sections: a single number for the pixel clock, four numbers for horizontal timings, four numbers for vertical timings, and an optional list of flags specifying other characteristics of the mode.

Generating a ModeLine is a black art... Luckily, there are several scripts which can do this for you. One is Colas XFree86 ModeLine Generator http://koala.ilog.fr/ftp/pub/Klone/. Another is The XFree86 Modeline Generator.
Before you can use these ModeLine generators, you need the vertical and horizontal sync limits for your monitor.
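As an added example (not part of this guide), this sh script works a ModeLine the other way round: from the pixel clock and the horizontal and vertical totals it derives the horizontal sync rate (kHz) and vertical refresh (Hz) the way the X server computes them, and checks them against the monitor limits mentioned above. The two ModeLines are constructed samples with standard VESA timings.

```shell
#!/bin/sh
# modeline_rates MODELINE
# A ModeLine is: name, pixel clock (MHz), four horizontal numbers
# (hdisp hsyncstart hsyncend htotal), four vertical numbers
# (vdisp vsyncstart vsyncend vtotal) and optional flags. The X server derives
#   horizontal sync rate (kHz) = clock * 1000 / htotal
#   vertical refresh    (Hz)  = hsync * 1000 / vtotal  (x2 for Interlace, /2 for DoubleScan)
# Prints "<hsync kHz> <vrefresh Hz>" with two decimals.
modeline_rates() {
    printf '%s\n' "$1" | awk '
        {
            # the first purely numeric field is the pixel clock; the name is quoted text
            for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+(\.[0-9]+)?$/) break
            clock = $i; htotal = $(i + 4); vtotal = $(i + 8)
            hsync = clock * 1000 / htotal
            vrefresh = hsync * 1000 / vtotal
            if (tolower($0) ~ /interlace/) vrefresh *= 2
            if (tolower($0) ~ /doublescan/) vrefresh /= 2
            printf "%.2f %.2f\n", hsync, vrefresh
        }'
}

# modeline_check MODELINE HMIN HMAX VMIN VMAX
# Compares the derived rates with the monitor's horizontal sync range (kHz) and
# vertical refresh range (Hz); prints OK or OUT_OF_RANGE and exits accordingly.
modeline_check() {
    rates=$(modeline_rates "$1")
    awk -v r="$rates" -v hmin="$2" -v hmax="$3" -v vmin="$4" -v vmax="$5" 'BEGIN {
        split(r, f, " ")
        h = f[1] + 0; v = f[2] + 0
        if (h >= hmin + 0 && h <= hmax + 0 && v >= vmin + 0 && v <= vmax + 0) { print "OK"; exit 0 }
        print "OUT_OF_RANGE"; exit 1
    }'
}

# Constructed samples using standard VESA timings.
MODE_1280='Modeline "1280x1024" 135.00 1280 1296 1440 1688 1024 1025 1028 1066 +hsync +vsync'
MODE_1024='Modeline "1024x768"   65.00 1024 1048 1184 1344  768  771  777  806 -hsync -vsync'

echo "1280x1024: $(modeline_rates "$MODE_1280")"   # 79.98 kHz, 75.02 Hz
echo "1024x768:  $(modeline_rates "$MODE_1024")"   # 48.36 kHz, 60.00 Hz
# A monitor rated 30-82 kHz / 50-90 Hz takes the first mode; one limited to 70 kHz does not.
modeline_check "$MODE_1280" 30 82 50 90
modeline_check "$MODE_1280" 30 70 50 90 || true
```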

Once you have your ModeLines, put them into your /etc/X11/xorg.conf file.
Comment out the old ModeLines, so that you can use them again if the new ones don't work. Next, choose what resolution you actually want to run at.
Find out if X is running in accelerated mode (which it does with most video cards), so you know which "Screen" section of the xorg.conf to modify. Or, just modify all of the Screen sections.

Section "Screen"
   Driver          "Accel"
   Device          "Primary Card"
   Monitor         "Primary Monitor"
   DefaultColorDepth 32
   SubSection "Display"
      Depth        32
      Modes        "1280x1024" "1024x768"
   EndSubSection
EndSection

The first resolution you see after the "Modes" keyword is the resolution that X is going to start in.
By pressing CTRL-ALT-KEYPAD MINUS, or CTRL-ALT-KEYPAD PLUS, you can switch between any resolutions that you list here.
According to the section above, X will try to start in 32-bit color mode (via the DefaultColorDepth directive, without it X will start in 8-bit color mode.) The first resolution it will try to use is 1280x1024 (it follows the order of the Modes line.) Note that "1280x1024" is just a label for the values in the ModeLine.

Note that the ModeLine generator script has options to relax its timings for older or smaller monitors, and also has the ability to provide ModeLines for specific resolutions. Depending on the type of hardware you have, it may not be very easy to use with the default options. If the picture is too tall, too wide, or too small, or is shifted horizontally or vertically, and the controls of the monitor aren't enough to correct its appearance, one can use xvidtune to adjust the ModeLine to better fit with the monitor's timings.
On most modern monitors, there is no fixed limit on the bandwidth, thus they are often not listed anymore in the specs. What happens is that the more you go up in bandwidth, the fuzzier the screen image becomes.
You can download the Colas XFree86 ModeLine Generator script at: http://koala.ilog.fr/ftp/pub/Klone/. You need to grab the Klone interpreter, and compile it. It is in the ports as lang/klone. The scripts exist under the scripts directory in the Klone distribution. (The port installs them to /usr/local/lib/klone/scripts.)
To install Klone:
  * get the KloneXXX.tar.gz file in this directory (XXX = version number)
  * unarchive it somewhere
  * compile with "make SYSTEM", where SYSTEM is linux, solaris, alpha, win32...
  * install the libs (see README; basically copy kl/ somewhere and make the env
    var KLONEPATH point to it)
  * put the klone executable, and the scripts you want to use from the scripts/
    dir, somewhere

http://www.openbsd.org/faq/faq11.html#XF86
Ports Tree
This should be done before using the ports tree.
# cd /usr; tar xzf /mnt/ports.tar.gz

Update the tree with a command like:
      # cd [portsdir]/; cvs -d anoncvsserver.openbsd.org:/cvs update -Pd -rOPENBSD_3_8

Searching the ports tree
$ cd /usr/ports
$ make search key=fetchmail
Straightforward installation
$ cd /usr/ports/mail/fetchmail
$ make install

You probably want to clean the port's default working directory after you have built the package and installed it.
    $ make clean
In addition, you can also clean the working directories of all dependencies of the port with this make target:
    $ make clean=depends
If you wish to remove the source distribution set(s) of the port, you would use
    $ make clean=dist
In case you have been compiling multiple flavors of the same port, you can clear the working directories of all these flavors at once using
    $ make clean=flavors

To see the different flavors of a certain port, you would change to its subdirectory and issue
    $ make show=FLAVORS
To list the different subpackages available for a port, use
    $ make show=MULTI_PACKAGES


Uninstalling a port's package
$ make uninstall



Package Management
  • pkg_add(1) - a utility for installing and upgrading software packages.
  • pkg_delete(1) - a utility for deleting previously installed software packages.
  • pkg_info(1) - a utility for displaying information about software packages.
  • pkg_create(1) - a utility for creating software packages.

You can make things really easy by using the PKG_PATH environment variable. Just point it to your favorite location, and pkg_add(1) will automatically look there for any package you specify, and also fetch and install the necessary dependencies of this package automatically.

Example 1: fetching from your CDROM, assuming you mounted it on /mnt/cdrom
$ export PKG_PATH=/mnt/cdrom/3.8/packages/`machine -a`/
Example 2: fetching from a nearby FTP mirror http://www.openbsd.org/ftp.html
$ export PKG_PATH=ftp://your.ftp.mirror/pub/OpenBSD/3.8/packages/`machine -a`/
Add a line similar to the above examples to your ~/.profile. As with the classic PATH variable, you can specify multiple locations, separated by colons. HOWEVER, every path in the PKG_PATH variable MUST end in a slash (/).


Installing new packages
$ sudo pkg_add -v packagename
$ sudo pkg_add ghostscript-fonts-6.0
$ sudo pkg_add ftp://ftp.openbsd.org/pub/OpenBSD/3.8/packages/`machine -a`/screen-4.0.2.tgz



App Install
Installing tcsh
TCSH is an extended C-shell with many useful features like filename completion, history editing, etc.
# cd /usr/ports/shells/tcsh && make install clean
Edit /etc/shells and add /usr/local/bin/tcsh.

Adding aliases: do this after installing tcsh. Edit the file ~/.cshrc or ~/.tcshrc and add:
set prompt = "-- %T %n %~ -- \n$ "
alias   updb '/usr/libexec/locate.updatedb'
updb updates the database that locate uses to find files more easily.
Installing Nano
nano is a small, free and friendly editor which aims to replace Pico, the default editor included in the non-free Pine package. Rather than just copying Pico's look and feel, nano also implements some missing (or disabled by default) features in Pico, such as "search and replace" and "goto line number".
# cd /usr/ports/editors/nano && make install clean
Installing wget
Retrieve files from the 'net via HTTP and FTP.
# cd /usr/ports/net/wget && make install clean
The wget configuration file is located in /etc/wgetrc
Installing curl
$ cd /usr/ports/net/curl && make install clean
$ /usr/local/bin/curl

cURL is a tool for getting files from FTP, HTTP, HTTPS, Gopher and DICT servers, with URL syntax support. cURL supports HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, user+password authentication and a busload of other useful tricks.
Installing nmap
Nmap is a utility for port scanning large networks, although it works fine for single hosts.
# cd /usr/ports/net/nmap && make install clean

nmap -sS -P0 -vv localhost
nmap -sS -P0 -O -vv -T 1 192.168.1.1-254
nmap -sS -P0 -O -vv -T 1 -oN "scanout.txt" 192.168.1.10-13
nmap -sS -P0 -O -vv -T 2 -oN "scanout.txt" 192.168.1.10-13
nmap -sS -P0  -p 80,8080 -O -vv -T 2 -oN "scan_192.168.1.txt" 192.168.1.10-13

Stateless Firewalls & Source Port Scanning
nmap -sS -P0 -g 80 -p 139 192.168.1.1

Installing Nmap From Source
# bzip2 -cd nmap-3.50.tar.bz2 | tar xvf -
# cd nmap-3.50
# ./configure --without-nmapfe
# make
# make install
Installing hping
hping is a command-line oriented TCP/IP packet assembler/analyzer. The interface is inspired by the ping(8) unix command, but hping isn't just for sending ICMP echo requests.
A subset of the stuff you can do using hping:

- Firewall testing
- Advanced port scanning
- Network testing, using different protocols, TOS, fragmentation
- Manual path MTU discovery
- Advanced traceroute, under all the supported protocols
- Remote OS fingerprinting
- Remote uptime guessing
- TCP/IP stacks auditing

# cd /usr/ports/net/hping && make install clean
# /usr/local/sbin/hping
# /usr/local/sbin/hping 192.168.1.100 -c2 -S -p139 -n
# hping 10.10.1.1 -c2 -S -p80 -n
Installing firewalk
# cd /usr/ports/net/firewalk && make install clean
# /usr/local/sbin/firewalk
# firewalk -n -P1-8 -pTCP 10.0.0.1 10.0.0.20
# firewalk -n -oscan1 -t5 -s5555 -pudp -P50 -ixl0 r2 -T1 -S7-25,137-139 192.168.1.103 192.168.1.100
Installing ipaudit
IPaudit is a software package to record and display network activity. It includes ipaudit, which stores counts of bytes and packets for every combination of host/port pairs and protocol.
The utilities total and ipstrings can be used to investigate network traffic records from the command line.
# cd /usr/ports/net/ipaudit && make install clean
Installing Nikto
Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 2600 potentially dangerous files/CGIs, versions on over 625 servers, and version specific problems on over 230 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired).
# tar -zxvf nikto-current.tar.gz
# more config.txt

To run it
# ./nikto.pl -Cgidirs all -host youriphere -nolookup > ~/outfile.txt

To update nikto
# ./nikto.pl -update
Installing Nessus
Before installing Nessus, install the bison and libnet packages.
# cd /usr/ports/devel/bison
# make install
# make clean
Or
# pkg_add /usr/ports/packages/i386/all/bison-1.35p1.tgz
Or
# pkg_add ftp://ftp.openbsd.org/pub/OpenBSD/3.8/packages/i386/bison-1.35p1.tgz
Then install the libnet package:
# pkg_add /usr/ports/packages/i386/all/libnet-1.1.2.1.tgz
Or
# pkg_add ftp://ftp.openbsd.org/pub/OpenBSD/3.8/packages/i386/libnet-1.1.2.1.tgz

To install Nessus, either run the installer script from nessus.org:
# lynx -source http://install.nessus.org | sh
Be aware that this executes whatever comes back over plain, unauthenticated HTTP as root. If that is not acceptable, fetch the script first, read it, and run it afterwards, or use the OpenBSD package instead:
# pkg_add ftp://ftp.openbsd.org/pub/OpenBSD/3.8/packages/i386/nessus-core-2.2.5p0.tgz
Or, without X11:
# pkg_add ftp://ftp.openbsd.org/pub/OpenBSD/3.8/packages/i386/nessus-core-2.2.5p0-no_x11.tgz
Follow the on-screen instructions, then create the server certificate:
# /usr/local/sbin/nessus-mkcert

CA certificate life time in days [1460]:
Server certificate life time in days [365]:
Your country (two letter code) [FR]: CA
Your state or province name [none]: QC
Your location (e.g. town) [Paris]: Montreal
Your organization [Nessus Users United]: Adonis a.K.a NtWaK0

# /usr/local/sbin/nessus-adduser

Login : scanthem
Authentication (pass/cert) [pass] :
Login password : [ScanThem]

hit ctrl-D once you are done :

Login             : scanthem
Password          : [ScanThem]
DN                :
Rules             :

Is that ok ? (y/n) [y] y
user added.

# /usr/local/sbin/nessus-update-plugins
Installing Nessus from the tar file
Get the files :
Compiling the files
You must compile them in this order.
Compiling nessus-libraries
cd nessus-libraries
./configure
make
make install

Installing libnasl
cd libnasl
./configure
make
make install

Repeat the same operation with nessus-core and nessus-plugins.
If you are using Linux, then make sure that /usr/local/lib is in /etc/ld.so.conf, and type ldconfig. Solaris users will have to execute :
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib

(you may want to add this into your ~/.profile)
If you do not want the client to use GTK (if your system lacks X11 for instance), then you can compile a stripped-down version of the client which will work on the command line. To do this, add the --disable-gtk option to configure while building nessus-core:
cd nessus-core ; ./configure --disable-gtk ; make && make install
Nessus is installed on your system.
Source : http://www.nessus.org/install.html

Server-side settings live in /usr/local/etc/nessus/nessusd.conf: the resources nessusd may use, the speed at which it reads data, and so on. If there is no nessusd.conf, nessusd creates one for you.
Once all of this is done, start nessusd as root:
# nessusd -D

One suggestion is to run your NMAP scan first and feed the results into NESSUS. Like:
# nmap -oN output_file -sT -sU -O .... target1 target2 ...
Installing Nessus Windows client
Get the client for windows from http://nessuswx.nessus.org/index.htm#download or http://nessuswx.nessus.org/archive/nessuswx-1.4.5d.zip
Extract and Run nessuswx-1.4.5d.zip
Nessus Server IP: 192.168.202.129

Installing Snort (The Pig)
Installing snort 2.3.x from the package
To install the version that ships with the OpenBSD 3.8 packages, get it from
# pkg_add ftp://ftp.openbsd.org/pub/OpenBSD/3.8/packages/i386/snort-2.3.3p0.tgz
Snort config will be installed in /usr/local/share/examples/snort/snort.conf
Installing snort 2.1.x from the source
# tar zxvf snort-2.1.1-RC1.tar.gz
# mv snort-2.1.1-RC1 /snort/
# cd /snort
# ./configure
# make
# make install
# make clean
# mkdir /var/log/snort
# vi /snort/etc/snort.conf

Change the rules path from ../rules to /snort/rules

Starting Snort
Snort opens the bpf device, so run it as root. -D puts it in the background, -A picks the alert mode (fast, full or none), -N turns packet logging off, and -i selects the interface.
# /usr/local/bin/snort -A fast -c /usr/local/share/examples/snort/snort.conf -D
# /usr/local/bin/snort -c /snort/etc/snort.conf -v -i xl0
# /usr/local/bin/snort -A full -c /snort/etc/snort.conf -v -i xl0
# /usr/local/bin/snort -N -A none -c /snort/etc/snort.conf -i xl0 -D
# /usr/local/bin/snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf
# /usr/local/bin/snort -N -A full -c /snort/etc/snort.conf -i xl0 -D
# /usr/local/bin/snort -N -A fast -c /snort/etc/snort.conf -i xl0 -D
# /usr/local/bin/snort -dev -l ./log -A full -c /snort/etc/snort.conf -i xl0

If you want to see the application data in transit, try the following:
./snort -vd

If you want to display, showing the data link layer headers do this:
./snort -vde

If you want to record the packets to the disk, you need to specify a logging directory and Snort will automatically know to go into packet logger mode:
./snort -dev -l ./log
Of course, this assumes you have a directory named log in the current directory.
In order to log relative to the home network, you need to tell Snort which network is the home network:
./snort -dev -l ./log -h 192.168.1.0/24

If you're on a high speed network or you want to log the packets into a more compact form for later analysis you should consider logging in binary mode. Binary mode logs the packets in tcpdump format to a single binary file in the logging directory:
./snort -l ./log -b

Once the packets have been logged to the binary file, you can read the packets back out of the file with any sniffer that supports the tcpdump binary format such as tcpdump or Ethereal. Snort can also read the packets back by using the -r switch.
./snort -dv -r packet.log

If you only wanted to see the ICMP packets from the log file, simply specify a BPF filter at the command line and Snort will only see the ICMP packets in the file:
./snort -dvr packet.log icmp

Updating Snort Rules
# tar -zxvf oinkmaster-2.0.tar.gz
# cd oinkmaster-2.0
# vi oinkmaster.conf
Some rules in the 2_1 tarball at www.snort.org/dl/rules/ use the "flowbits" keyword, which is unfortunate since Snort 2.1.0 doesn't handle those (although Snort 2.1.1 RC1+ does, which you may want to use instead). You can use this simple workaround in Oinkmaster 0.9+ to disable those though:
modifysid * "(.*\bflowbits:.*)" | "#$1"
Change the URL to point to

Change tmp dir to point to
# Example for UNIX:
tmpdir = /tmp/

Snort 2.4 or higher is required to run CURRENT
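The modifysid workaround above comments out every rule that uses flowbits. To see exactly what it will do to a rule set before Oinkmaster or Snort touch it, here is the same filter written as a stand-alone awk script. This is an added example and not Oinkmaster code; the rule lines it runs on are constructed to show the shape of a flowbits rule and are not taken from any snort.org rule set, and the function names are mine.

```sh
#!/bin/sh
# Added example: disable every active rule that uses the flowbits keyword,
# the same effect as the Oinkmaster modifysid line, as a portable awk filter.
# Rule lines below are constructed for illustration, not real snort.org rules.

# disable_flowbits_rules <rules-file>: prints the file with each live rule that
# contains "flowbits:" turned into a comment. Lines that are already comments
# are left alone, so running it twice does not produce "##alert".
disable_flowbits_rules() {
    awk '
        /^[ \t]*#/ { print; next }                              # already a comment: keep
        /(^|[^A-Za-z0-9_])flowbits:/ { print "#" $0; next }     # the \bflowbits: of the modifysid regex
        { print }
    ' "$1"
}

# active_rule_count <rules-file>: number of rule lines that are still live.
active_rule_count() {
    grep -c -E '^[[:space:]]*(alert|log|pass)[[:space:]]' "$1" || true
}

# Constructed sample rules (not from snort.org).
sample_rules() {
    cat <<'EOF'
# constructed sample rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS sample"; flow:to_server,established; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB sample set"; flow:to_server,established; flowbits:set,web.seen; flowbits:noalert; sid:1000002; rev:1;)
alert tcp $HOME_NET 80 -> $EXTERNAL_NET any (msg:"WEB sample check"; flow:to_client,established; flowbits:isset,web.seen; sid:1000003; rev:1;)
#alert tcp any any -> any any (msg:"already disabled"; flowbits:isset,web.seen; sid:1000004; rev:1;)
EOF
}

in=$(mktemp); out=$(mktemp)
sample_rules > "$in"
disable_flowbits_rules "$in" > "$out"
echo "active rules before: $(active_rule_count "$in"), after: $(active_rule_count "$out")"
diff "$in" "$out" || true      # shows exactly which lines were commented out
rm -f "$in" "$out"
```

Run it over the real rules directory and diff the output the same way; the count of rules that go dark is what you lose by staying on a Snort that does not understand flowbits, which is the argument for upgrading rather than filtering.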
Installing ircd
# cd /usr/ports/net/irc
# make install clean
The configuration file, ircd.conf, is located in /etc/ircd.
Running Linux binaries on OpenBSD
OpenBSD/i386 is able to run Linux binaries when the kernel is compiled with the COMPAT_LINUX option and the runtime sysctl kern.emul.linux is also set. If you are using the GENERIC kernel (which you should be), COMPAT_LINUX is already enabled, and you will just need to do:
    # sysctl kern.emul.linux=1
To have this done automatically each time the computer boots, remove the # (comment) character at the beginning of the line in /etc/sysctl.conf, so that
    #kern.emul.linux=1      # enable running Linux binaries
becomes
    kern.emul.linux=1       # enable running Linux binaries
and reboot your system for it to take effect.

To install a package you would issue
    # export PKG_PATH=ftp://your.ftp.mirror/pub/OpenBSD/3.8/packages/i386
    # pkg_add redhat_base-8.0p4.tgz
Activating Apache Web
Edit /etc/rc.conf file and change httpd_flags=NO to httpd_flags="-DSSL"
This will start httpd with ssl enabled.
If you do not want any FTP service make sure you have the following line in /etc/rc.conf.
ftpd_flags=NO # for non-inetd use: ftpd_flags="-D"

A good approach is to never touch /etc/rc.conf itself. Instead, create the file /etc/rc.conf.local, copy just the lines you are about to change from /etc/rc.conf and adjust them as you like.
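Copying lines into /etc/rc.conf.local by hand works, but it is easy to end up with the same variable set twice and only the last one counts. The helper below is an added example, not an OpenBSD tool: it sets or replaces one variable in rc.conf.local without touching rc.conf, so running it again does not add a duplicate, and it reads the effective value back. It is exercised on a scratch file here; the function names and the file you pass in are your choice.

```sh
#!/bin/sh
# Added example: set one rc.conf variable in rc.conf.local and read it back.
# Not an OpenBSD tool; file and variable names are whatever you pass in.

# rc_local_set <file> <name> <value>: replace an existing "name=..." line or
# append one, so running it twice leaves a single assignment. Writing back
# through the original file keeps its owner and mode.
rc_local_set() {
    file=$1 name=$2 value=$3
    [ -f "$file" ] || : > "$file"
    if grep -q "^$name=" "$file"; then
        tmp=$(mktemp) || return 1
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in
                "$name="*) printf '%s=%s\n' "$name" "$value" ;;
                *)         printf '%s\n' "$line" ;;
            esac
        done < "$file" > "$tmp"
        cat "$tmp" > "$file"
        rm -f "$tmp"
    else
        printf '%s=%s\n' "$name" "$value" >> "$file"
    fi
}

# rc_get <file> <name>: value of the last assignment, trailing comment removed.
rc_get() {
    sed -n "s/^$2=\([^#]*\).*/\1/p" "$1" | tail -n 1 | sed 's/[[:space:]]*$//'
}

# Demonstration on a scratch file: switch httpd to -DSSL and keep ftpd off.
f=$(mktemp)
rc_local_set "$f" httpd_flags '"-DSSL"'
rc_local_set "$f" ftpd_flags 'NO # for non-inetd use: ftpd_flags="-D"'
rc_local_set "$f" httpd_flags '"-DSSL"'          # second run: no duplicate line
echo "httpd_flags is now $(rc_get "$f" httpd_flags)"
cat "$f"
rm -f "$f"
```

On a real system call it as rc_local_set /etc/rc.conf.local httpd_flags '"-DSSL"'; the value is written exactly as given, quotes included, which is what rc.conf expects.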
Setting SSL
To start off, create your server key and certificate with OpenSSL:
# openssl genrsa -out /etc/ssl/private/server.key 1024
Or, if you want the key encrypted with a passphrase that you must type whenever the server starts:
# openssl genrsa -des3 -out /etc/ssl/private/server.key 1024
(1024 bits was the usual size when this guide was written; today use at least 2048. Whichever you pick, keep the key file readable by root only.)

The next step is to generate a Certificate Signing Request (CSR), which a Certificate Authority (CA) signs to produce your certificate:
# openssl req -new -key /etc/ssl/private/server.key -out /etc/ssl/private/server.csr
The server.csr file is what you hand to the CA. If you cannot afford that, or just want to sign the certificate yourself, self-sign it with your own key:
# openssl x509 -req -days 365 -in /etc/ssl/private/server.csr -signkey /etc/ssl/private/server.key -out /etc/ssl/server.crt

With /etc/ssl/server.crt and /etc/ssl/private/server.key in place, you should be able to start httpd with the -DSSL flag.
#!/bin/sh
# Self-signed key/certificate setup for httpd -DSSL (run as root).
Today="`date`"
echo "Today is $Today"
echo "Activating the Apache Web"
echo 'By hand: set httpd_flags="-DSSL" in /etc/rc.conf.local' >> dobyhand.txt
echo "Setting SSL"
# Unencrypted key (no passphrase prompt when httpd starts):
#openssl genrsa -out /etc/ssl/private/server.key 1024
echo "key encrypted with a passphrase that you will have to type to start the service"
openssl genrsa -des3 -out /etc/ssl/private/server.key 1024

echo "Generate a Certificate Signing Request which is used to get"
echo "a Certifying Authority (CA) to sign your certificate."
openssl req -new -key /etc/ssl/private/server.key -out /etc/ssl/private/server.csr
echo "This server.csr file can then be given to a Certifying Authority"
echo "who will sign the key. One such CA is Thawte Certification"
echo "We will sign the certificate ourselves"
openssl x509 -req -days 365 -in /etc/ssl/private/server.csr \
    -signkey /etc/ssl/private/server.key -out /etc/ssl/server.crt
echo "With /etc/ssl/server.crt and /etc/ssl/private/server.key in place"
echo "you should be able to start httpd with the -DSSL flag"
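Before pointing httpd at the new files it is worth checking that the certificate really was signed with the key you are installing and that its CN is the host name clients will type. The script below is an added example, not part of the guide: it repeats the three OpenSSL steps in a scratch directory with a 2048-bit key (the guide's 1024 is too small today), then compares the RSA modulus in key and certificate and reads the CN back. The function names and the sample subject are mine, /etc/ssl is never touched, and it exits quietly if openssl is not installed.

```sh
#!/bin/sh
# Added example: build key/CSR/self-signed cert in a scratch directory and
# verify that cert and key belong together before pointing httpd at them.
# Illustration only; /etc/ssl is never touched.
command -v openssl >/dev/null 2>&1 || { echo "openssl not installed, skipping"; exit 0; }

# make_selfsigned <dir> <CN> <days>: the guide's three steps, 2048-bit key,
# subject given on the command line so it runs without prompting.
make_selfsigned() {
    dir=$1 cn=$2 days=$3
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null || return 1
    chmod 600 "$dir/server.key"          # private key: owner (root on a server) only
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=CA/ST=QC/L=Montreal/O=Example/CN=$cn" 2>/dev/null || return 1
    openssl x509 -req -days "$days" -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# key_matches_cert <key> <crt>: 0 when the RSA modulus in both is identical.
# A mismatch means httpd -DSSL will refuse to start or serve the wrong cert.
# (For a -des3 key, openssl rsa asks for the passphrase here.)
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_cn <crt>: the CN, which must equal the host name in the URL clients use.
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed 's|.*CN *= *||; s|[,/].*||'
}

work=$(mktemp -d)
if make_selfsigned "$work" www.example.org 365 \
   && key_matches_cert "$work/server.key" "$work/server.crt"; then
    echo "key and certificate match, CN=$(cert_cn "$work/server.crt")"
else
    echo "key/certificate problem, do not install these files"
fi
rm -rf "$work"
```

To check the live files, call key_matches_cert /etc/ssl/private/server.key /etc/ssl/server.crt and cert_cn /etc/ssl/server.crt as root; a CN that does not match the host name produces a browser warning on every visit even when the signature is fine.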

Recompiling Apache
apachectl stop
echo "Rebuild and install httpd and its modules"
cd /usr/src/usr.sbin/httpd
make -f Makefile.bsd-wrapper obj
make -f Makefile.bsd-wrapper cleandir
make -f Makefile.bsd-wrapper depend
make -f Makefile.bsd-wrapper
make -f Makefile.bsd-wrapper install
apachectl start
Rebuild and install OpenSSL
cd /usr/src/lib/libssl
make obj
make depend
make
make install
Configuring email
If you have a box that must be reachable from the outside to handle email, web access and secure shell for remote logins, with a DNS and NTP server (for accurate time) on the clean (inside) side, these are the lines to change in /etc/rc.conf or /etc/rc.conf.local to get sendmail, NTP, httpd and NAT working:
sendmail_flags="-bd -q30m"      # for normal use: "-bd -q30m"
named_flags=""                  # for normal use: ""
ntpdate_flags="FQN-SERVER.COM"  # for normal use: NTP server
httpd_flags=""                  # for normal use: "" (or "-DSSL")
dhcpd_flags="-q"                # for normal use: "-q"
pf=YES                          # Packet filter / NAT
ntpd=YES                        # run ntpd if it exists
pf_rules=/etc/pf.conf           # Packet filter rules file
nat_rules=/etc/nat.conf         # NAT rules file
Variable names change between releases, so check each one against the stock /etc/rc.conf before copying it: on 3.8 the bundled ntpd is enabled with ntpd_flags="" rather than ntpd=YES, ntpdate is not part of the base system, and NAT rules belong in /etc/pf.conf with the rest of the pf rules.

Make sure that /etc/sysctl.conf has this line in it:
net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of packets   
Sendmail should have been set up automatically once you edited /etc/rc.conf, but I've occasionally had to make one change in /etc/mail/sendmail.cf:
Djmy-domain-name.com   
Note: If you don't own a domain, or plan on having it point to your DSL machine, you should not be using sendmail.
Changing services Banner
sshd
Open version.h in the OpenSSH source tree (/usr/src/usr.bin/ssh) and cut the "_3.5p1" portion from the end of the version string; leave the "OpenSSH_x.y" part intact, since peers use it to select bug-compatibility workarounds. Then rebuild and install ssh from that directory as shown below under "Update ssh and Rebuild it" (make obj, make depend, make, make install); sshd is built from /usr/src/usr.bin/ssh, not from /usr/src/lib/libssl, so rebuilding libssl does not change the banner.

Update ssh and Rebuild it
Warning: ssh in OpenBSD 3.1 had a bug, and upgrading its OpenSSH to 3.8 was strongly recommended. These steps date from that release; a stock OpenBSD 3.8 system already ships a newer OpenSSH than 3.8, so use them only on an older system or to rebuild ssh from modified sources.
Fetch ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/openssh-3.8.tgz and execute the following steps (as root):
# cd /usr/src/usr.bin
# tar xvfz .../openssh-3.8.tgz
# cd ssh
# make obj
# make cleandir
# make depend
# make
# make install
# cp ssh_config sshd_config /etc/ssh
# mkdir /var/empty     
Using vipw(8) you will add this line to your password file:
sshd:*:27:27::0:0:sshd privsep:/var/empty:/sbin/nologin     
Then add this line to /etc/group:
sshd:*:27:
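Privilege separation fails at sshd start-up when any of the pieces just added is slightly off (a usable password field, a login shell, a /var/empty that is not empty or is group-writable). The script below is an added example, not OpenSSH code: it checks the sshd entries in a master.passwd/group pair and the chroot directory, and is exercised on constructed copies of the two lines above rather than on the live /etc files. The function names are mine.

```sh
#!/bin/sh
# Added example: check the sshd privilege-separation prerequisites before
# restarting sshd. Not OpenSSH code; the sample passwd/group lines at the end
# are constructed copies, and the function names are mine.

# privsep_users_ok <master.passwd or passwd> <group> [home]
# The sshd entry must exist, have "*" (no usable password), a nologin shell,
# the expected home (/var/empty by default), and a group "sshd" with its gid.
# Works on both the 10-field master.passwd and the 7-field passwd layout.
privsep_users_ok() {
    pw=$1 gr=$2 want_home=${3:-/var/empty}
    set -f    # the "*" password field must not be glob-expanded
    set -- $(awk -F: '$1 == "sshd" { p = ($2 == "" ? "EMPTY" : $2); print p, $3, $4, $(NF-1), $NF; exit }' "$pw")
    set +f
    [ $# -eq 5 ] || { echo "no sshd entry in $pw"; return 1; }
    pass=$1 gid=$3 home=$4 shell=$5
    [ "$pass" = "*" ] || { echo "sshd password field is '$pass', expected '*'"; return 1; }
    case $shell in */nologin) ;; *) echo "sshd shell is $shell, expected nologin"; return 1 ;; esac
    [ "$home" = "$want_home" ] || { echo "sshd home is $home, expected $want_home"; return 1; }
    [ "$(awk -F: '$1 == "sshd" { print $3; exit }' "$gr")" = "$gid" ] \
        || { echo "no sshd group with gid $gid in $gr"; return 1; }
}

# privsep_dir_ok <dir> [owner]: exists, is empty, belongs to [owner] (root by
# default) and is not writable by group or others; sshd rejects a sloppy chroot.
privsep_dir_ok() {
    dir=$1 owner=${2:-root}
    [ -d "$dir" ] || { echo "$dir does not exist"; return 1; }
    [ -z "$(ls -A "$dir")" ] || { echo "$dir is not empty"; return 1; }
    set -- $(ls -ld "$dir")
    case $1 in d????-??-?*) ;; *) echo "$dir is group/world writable ($1)"; return 1 ;; esac
    [ "$3" = "$owner" ] || { echo "$dir is owned by $3, expected $owner"; return 1; }
}

# Constructed copies of the entries the guide adds (plus a root line).
sample_master_passwd() {
    cat <<'EOF'
root:*:0:0:daemon:0:0:Charlie &:/root:/bin/ksh
sshd:*:27:27::0:0:sshd privsep:/var/empty:/sbin/nologin
EOF
}
sample_group() {
    printf 'wheel:*:0:root\nsshd:*:27:\n'
}

pw=$(mktemp); gr=$(mktemp)
sample_master_passwd > "$pw"; sample_group > "$gr"
privsep_users_ok "$pw" "$gr" && echo "sample sshd user/group entries look right"
privsep_dir_ok /var/empty || echo "fix /var/empty before restarting sshd"
rm -f "$pw" "$gr"
```

On the real system run privsep_users_ok /etc/master.passwd /etc/group and privsep_dir_ok /var/empty as root; both print the first thing they find wrong, which is normally faster than reading sshd's own refusal in /var/log/authlog.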
Apache
Open src/include/httpd.h in the Apache source tree (/usr/src/usr.sbin/httpd) and search for:
#define SERVER_BASEVENDOR "Apache Group"
#define SERVER_BASEPRODUCT "Apache"
#define SERVER_BASEREVISION ""

Change these to the desired values (for example BASEVENDOR "Microsoft", BASEPRODUCT "Microsoft-IIS", BASEREVISION "5.0"), then recompile Apache.
Next, open your httpd.conf and search for the ServerTokens directive; if it is not there, add it. Set it to Min ("ServerTokens Min") so that only the product and version are sent.
Keep in mind that this only changes the Server header. Header order, error pages and the TCP/IP stack still identify Apache on OpenBSD to a fingerprinting tool (the nmap -O scans earlier in this guide, for instance), so treat the fake banner as noise for casual scanners, not as protection.
More information about the ServerTokens directive is at: http://carnagepro.com/pub/Docs/Apache2/mod/core.html#servertokens .

Recompiling Apache.
Repeat the steps under "Recompiling Apache" above: apachectl stop, then the make -f Makefile.bsd-wrapper obj / cleandir / depend / build / install sequence in /usr/src/usr.sbin/httpd, then apachectl start.