Secure Architectures with OpenBSD

Paperback

Author: Brandon Palmer

ISBN-10: 0321193660

ISBN-13: 9780321193667

Category: UNIX

"This book works in tandem with the OpenBSD's manual pages. As a result, it will help many users grow and get the most from the system."—Theo de Raadt, OpenBSD project leader.

"The OpenBSD system intimidates many administrators who would benefit from using it. This book lets people start much higher up on the curve. Secure Architectures with OpenBSD not only presents the hows, but also shows some of the whys that only insiders know."—Mike Frantzen, NFR Security

"Secure Architectures with OpenBSD explains all of the tasks an administrator has to know about to successfully maintain an OpenBSD server. It helps the reader save time by condensing the vast amount of information available in man pages into a compact form, reducing unneeded information, and explaining other things in much more detail and prose than a man page can afford."—Daniel Hartmeier, the OpenBSD Project

"This book will become the de facto text for OpenBSD administration. Unix and BSD books abound, but none cover OpenBSD with the clarity and expertise of Palmer and Nazario. They explain the optimal way to configure and administer your OpenBSD machines, with a keen eye to security at all stages."—Brian Hatch, coauthor of Hacking Exposed Linux and Building Linux Virtual Private Networks

Descended from BSD, OpenBSD is a popular choice for those who demand stability and security from their operating system. No code goes into OpenBSD without first undergoing a rigorous security check, making it a terrific choice for Web servers, VPNs, and firewalls.

Secure Architectures with OpenBSD is the insider's guide to building secure systems using OpenBSD. Written by Brandon Palmer and Jose Nazario, this book is a how-to for system and network administrators who need to move to a more secure operating system and a reference for seasoned OpenBSD users who want to fully exploit every feature of the system.

After getting readers started with OpenBSD, the authors explain system configuration and administration, then explore more exotic hardware and advanced topics. Every chapter of the book addresses the issue of security because security is integrated into almost every facet of OpenBSD. Examples appear throughout the book, and the authors provide source code and system details unavailable anywhere else. This goes well beyond the basics and gives readers information they will need long after they have installed the system.

Key topic coverage includes:

- Installation and upgrade details
- Basic system usage in OpenBSD versus other Unix systems
- Third-party software via packages and the ports tree
- SMTP services in OpenBSD
- Web services with Apache
- Using OpenBSD as a firewall
- OpenBSD as a Kerberos V client and server
- Use of IPsec
- Configuration and use of IPv6
- Network intrusion detection

Secure Architectures with OpenBSD takes you inside OpenBSD, giving you the insights and expertise no system manual can provide. The companion Web site tracks advances and changes made to the operating system, and it contains updates to the book and working code samples.

Slashdot.org

One nice feature of this book is that its authors refer to Linux equivalents where appropriate, e.g., in terms of configuration and system file locations and names. This makes it an ideal text for a Linux sysadmin who wants to take OpenBSD for a test drive on the public network. Two chapters covering the OpenBSD packet filter (pf) and IPSec are the gems of this text and even advanced Linux users will likely benefit from alternative approaches to solving the same problems in the alternate universe of a different operating system.

Chapter 1: Introduction

The OpenBSD operating system (OS) is a secure, stable, and powerful operating system that is attracting many new and old UNIX users to it. The OS is well designed for both workstation and server use. OpenBSD supports many mainstream applications and also offers great hardware support. Because OpenBSD doesn't face many of the business pressures to increase sales and employ trendy gimmicks that Linux and other BSD systems have to deal with, it is able to be designed on technical merit. This means that while the system works very well, it isn't targeted at the user who wants to be able to "point and click" and not read the documentation. This book is written to help new users understand the features of the OpenBSD system and to give more seasoned users the education to fully exploit all that OpenBSD has to offer.

OpenBSD came into existence on October 18, 1995, at 08:37 when Theo de Raadt committed the first branch into the CVS server from the NetBSD tree. The first release, OpenBSD 2.0, became available in autumn 1996. Release dates have been every six months since then, with the most recent version, 3.4, being released on November 1, 2003.

There are no firm numbers on a user base for OpenBSD. Even though CD sales could give an estimate, CDs are used to install only some systems. A huge number of installations are done over the Internet. The user base is, however, "pretty incredible," says Theo.

1.1 What Will This Book Cover?

This book will cover the hardware that most users will be faced with, and some notes about other hardware they may not encounter. The i386 architecture is used for most of the examples as that is where most users first encounter it. Note, however, that OpenBSD works almost the same on all architectures.

The book is broken down into the following sections:

- Introduction - This chapter.
- Overview of OpenBSD - A quick overview of what OpenBSD is and some of its main features.
- Installation - A walkthrough of an installation detailing what various options mean, why one should make certain decisions, and what's really happening in the background. This up-to-date discussion applies specifically to the OpenBSD 3.4 installation, but also to most other versions.
- Basic Use - Basic system usage and some of the major usage differences between OpenBSD and other UNIX systems.
- Basic Default Services - Usage and management of services that run by default on a freshly installed system.
- Online Help Resources - Descriptions of the "man," GNU Info, and "perldoc" facilities for online help.
- X Window System - Information regarding the X Window system on an OpenBSD host.
- User Administration - Addition and deletion of users and management of the space that these users will work in.
- Networking - Setting up basic networking, advanced networking topics, and bridging.
- inetd - Function and configuration of services that are run from inetd.
- Other Installed Services - Additional information about services that are installed on a default system, but not enabled on start-up.
- Precompiled Third-Party Software: Packages - Use of the precompiled packages that are available for OpenBSD.
- The Ports Tree: Third-Party Software from Source - Use of the ports tree and compiling applications from source.
- Disks and Filesystems - The creation and care of filesystems and disk devices.
- Backup Utilities - Tools and techniques for system backup.
- Housekeeping - Regular system housekeeping chores.
- Mail Server Operations - SMTP services in OpenBSD.
- The Domain Name Services - The domain name system setup and use.
- Web Servers with Apache - Web services with the Apache and mod_ssl servers.
- OpenSSH - The OpenBSD secure shell daemon and client.
- The OpenBSD Development Environment - Languages and software development tools.
- Packet Filtering and NAT - Using OpenBSD as a firewall and setting up systems to do NAT (Network Address Translation).
- NFS: The Network Filesystem - Setting up and using an OpenBSD NFS server and client.
- NIS and YP Services - Configuration of an NIS server and clients.
- Kerberos - Configuration and operation of OpenBSD as a Kerberos V client and server.
- Authentication Methods - The numerous login methods for OpenBSD, including S/Key.
- IPsec: Security at the IP Layer - Configuring an OpenBSD client and gateway for secure IP networking.
- IP Version 6 (IPv6) - Overview of how OpenBSD is able to use IPv6 and basic usage in normal activities.
- Systrace - A system call policy mechanism, which can safely limit the actions of any application on an OpenBSD system.
- Network Intrusion Detection - While not a standard part of OpenBSD, use of tools in the ports tree to allow OpenBSD to be used as a network security monitor.
- Upgrading - Upgrading an OpenBSD system.
- Kernel Compilation - The GENERIC kernel, the few reasons to compile a new kernel, and tweaks to the kernel without compilation.
- Bug Reports with OpenBSD - Checking for and reporting system bugs.
- CVS Basics - Use of CVS on OpenBSD to access the kernel source and for system deployment.
- Applying Source Code Patches - Ways to apply system and application patches.
- Tuning the Kernel with sysctl - Tunable kernel parameters.
- A dmesg Walkthrough - Information available from dmesg and how it applies to system use.
- Core File Evaluation - Evaluation of core files from system and application crashes.
- Other OpenBSD Tools and Resources - Documentation reference for OpenBSD and other sources of information.
- IPsec m4 - m4 processing scripts for the IPv6 chapter.

During the preparation of this book, a friend who was reviewing the table of contents asked me, "Where is the chapter on security?" Just as in OpenBSD, security is everywhere. We sprinkle it in almost every chapter, because this is how security is best done. A chapter or two at the end of a book simply cannot demonstrate how OpenBSD has integrated security into almost every facet of the system.

1.2 Whom Is This Book For?

This book targets both the user who is new to OpenBSD and the user who has been using the system for a while. It is not intended to be a beginner's guide; it presumes that the user knows UNIX and is moving to OpenBSD or looking to expand his or her knowledge base. In addition, given that networking is a core function of any OpenBSD system, having a basic understanding of networking is important. This book will not cover the specifics of editors like vi or emacs; the user is expected to be able to edit his or her own files. Finally, this book concentrates on the use of server-end tools; it will not cover the clients being used to access these services, except in terms of how that might change decisions during server configuration.

The first section of the book can probably be skimmed by experienced and savvy UNIX administrators, but many will want to read these chapters in depth. These chapters include the basics of the layout of the OpenBSD system and its installation.

Table of Contents

1 Introduction

I Getting started
2 Overview of OpenBSD
3 Installation
4 Basic use
5 Basic default services
6 Online help resources
7 X window system

II System configuration and administration
8 User administration
9 Networking
10 Inetd
11 Other installed services
12 Precompiled third-party software: packages
13 The Ports Tree: third-party software from source
14 Disks and filesystems
15 Backup utilities
16 Housekeeping
17 Mail server operations
18 The domain name services
19 Web servers with Apache
20 OpenSSH

III Advanced features
21 The OpenBSD development environment
22 Packet filtering and NAT
23 NFS: the network filesystem
24 NIS and YP services
25 Kerberos
26 Authentication methods
27 IPsec: security at the IP layer
28 IPv6: IP version 6
29 Systrace
30 Network intrusion detection
31 Upgrading
32 Kernel compilation
33 Bug reports with OpenBSD

IV Appendixes
A CVS basics
B Applying source code Patches
C Tuning the Kernel with sysctl
D A dmesg walkthrough
E Core file evaluation
F Other OpenBSD tools and resources
G IPsec m4

Index
