I reinstall the Soekris 5501 done in , this time with a different partitioning and a newer version of OpenBSD: 4.4. The new partitioning looks like this:
# df -h
Filesystem Size Used Avail Capacity Mounted on
/dev/wd0a 148M 29.7M 110M 21% /
/dev/wd0e 123M 2.0K 117M 0% /home
/dev/wd0d 984M 382M 553M 41% /usr
/dev/wd0f 2.3G 2.9M 2.1G 0% /var
We pick up the routine at the and replace it here...
Putting /tmp on a memory-based filesystem
Edit /etc/fstab to contain:
/dev/wd0a / ffs rw 1 1
/dev/wd0e /home ffs rw,nodev,nosuid 1 2
/dev/wd0d /usr ffs rw,nodev 1 2
/dev/wd0f /var ffs rw,nodev,nosuid 1 2
swap /tmp mfs -s=128000,rw,nodev,nosuid 0 0
Now say mount -a. The command df -h should now give something along the lines of:
# df -h
Filesystem Size Used Avail Capacity Mounted on
/dev/wd0a 148M 29.7M 110M 21% /
/dev/wd0e 123M 2.0K 117M 0% /home
/dev/wd0d 984M 382M 553M 41% /usr
/dev/wd0f 2.3G 2.9M 2.1G 0% /var
mfs:2675 60.5M 1.0K 57.4M 0% /tmp
Adding a mortal user
Add the user to /etc/sudoers and turn off insults and lectures:
visudo
<snip>
Defaults !lecture,!insults
username ALL=(ALL) SETENV: ALL
Configure the packages system
Put in ~/.profile a stanza:
PKG_PATH=ftp://osis.service.rug.nl/pub/os/bsd/openbsd/4.4/packages/i386/
export PKG_PATH
and re-source the profile: . ~/.profile
Add some packages
Configure a couple of network interfaces
/etc/hostname.vr0:
dhcp NONE NONE NONE
/etc/hostname.vr1:
dhcp NONE NONE NONE
/etc/hostname.vr2:
inet 10.0.30.1 255.255.255.0 NONE
/etc/hostname.vr3:
inet 10.0.14.1 255.255.255.0 NONE
Configure OpenSSH
In /etc/ssh/sshd_config add some lines:
ListenAddress 192.168.5.4
ListenAddress 10.0.5.1
Procedure 56. Enable the DHCP daemon
Configure, make and install ISC DHCPd 4.1.0
Install a virtual machine with plenty of space to build software
Get the ISC DHCP daemon, version 4.1.0
./configure --enable-paranoia --enable-early-chroot
make
cd ..
tar cvzf dhcp-4.1.0-compiled.tgz dhcp-4.1.0
Warning
Note that the DHCP daemon uses some very insecure C calls, so once the intruder is inside the network where it is used, the DHCP server should be considered compromised.
Copy and install the compiled dhcp-4.1.0
scp root@buildbox:/root/dhcp-4.1.0-compiled.tgz ./
tar zxvf dhcp-4.1.0-compiled.tgz
sudo su -
ln -s /home/ordinaryuser/dhcp-4.1.0 ./
cd dhcp-4.1.0
make install
Warning
As before, the path from where make install is run on the target machine must be identical to the path where make is run on the build machine.
Try out the DHCP daemon
Steal or create a suitable DHCP config, create the leases database, and start the daemon in the foreground, logging to stdout, with the config in /etc/dhcp3/dhcpd.conf and listening on the interfaces named on the command line (e.g. vr0):
touch /var/db/dhcpd.leases
dhcpd -f -d -cf /etc/dhcp3/dhcpd.conf if0 if1 ...
chroot the DHCP daemon
# create a directory for vnode disks and a mount point for the DHCP vnode disk
sudo mkdir -p /var/fs /var/dhcpd
# create a 16MB file to form the DHCP vnode disk
sudo dd if=/dev/zero of=/var/fs/dhcpdfs bs=1024 count=16310
# associate the (existing) special device /dev/svnd0c with the file /var/fs/dhcpdfs
sudo vnconfig -c -v /dev/svnd0c /var/fs/dhcpdfs
# put a filesystem on the _raw_ device
sudo newfs /dev/rsvnd0c
# mount the block device on the directory
sudo mount -o rw,softdep,nosuid /dev/svnd0c /var/dhcpd/
# create the necessary directories in the chroot jail
sudo mkdir -p /var/dhcpd/dev /var/dhcpd/etc /var/dhcpd/var/run /var/dhcpd/var/db
# put proper ownership and permissions on the dirs
sudo chgrp _dhcp /var/dhcpd/var/run /var/dhcpd/var/db/
sudo chmod 0775 /var/dhcpd/var/run/ /var/dhcpd/var/db
# Put the lease file in the jail and link it back to the real world
sudo touch /var/dhcpd/var/db/dhcpd.leases
sudo chown _dhcp /var/dhcpd/var/db/dhcpd.leases
sudo chmod 0755 /var/dhcpd/var/db/dhcpd.leases
sudo ln -sf /var/dhcpd/var/db/dhcpd.leases /var/db/dhcpd.leases
# create BPF devices that dhcpd (well, at least the OpenBSD patched version) uses
# create one device for each shared-network statement in the dhcpd.conf
# (the major number is taken from the real /dev/bpf0: ls -l prints it as "MAJ," in field 5)
BPFMAJ="`ls -l /dev/bpf0 | awk '{ print $5; }' | sed -e 's/,//g'`"
export BPFMAJ
cd /var/dhcpd/dev
sudo mknod -m 0600 bpf0 c $BPFMAJ 0
sudo mknod -m 0600 bpf1 c $BPFMAJ 1
sudo mknod -m 0600 bpf2 c $BPFMAJ 2
sudo mknod -m 0600 bpf3 c $BPFMAJ 3
sudo mknod -m 0600 bpf4 c $BPFMAJ 4
sudo mknod -m 0600 bpf5 c $BPFMAJ 5
# move the dhcpd.conf to the jail, and link back to it from the real world
sudo mv /etc/dhcpd.conf /etc/dhcpd.conf.starters
sudo cp /etc/dhcpd.conf.starters /var/dhcpd/etc/dhcpd.conf
sudo ln -s /var/dhcpd/etc/dhcpd.conf /etc/dhcpd.conf
Test the daemon in the jail
sudo /usr/sbin/dhcpd -f -d -cf /etc/dhcpd.conf -user _dhcp -group _dhcp -chroot /var/dhcpd vr2 vr3 sis0 sis1
Add the daemon to the boot sequence
Put the following sections in their respective files:
# no use even starting if executable missing or flags not set
if [ -x /usr/sbin/dhcpd -a "X${dhcpd_flags}" != X"NO" ]; then
    # if there is a jail, use it
    if [ -f /var/fs/dhcpdfs ] ; then
        if vnconfig -c /dev/svnd0c /var/fs/dhcpdfs ; then
            if fsck -p /dev/svnd0c ; then
                if mount -o rw,softdep,nosuid /dev/svnd0c /var/dhcpd ; then
                    if [ "X${dhcpd_leases}" != "X" ]; then
                        touch "${dhcpd_leases}"
                    else
                        touch /var/db/dhcpd.leases
                    fi
                    if [ -f /etc/dhcpd.interfaces ]; then
                        dhcpd_ifs=`awk -F\# '{ print $1; }' < /etc/dhcpd.interfaces`
                    fi
                    echo -n ' dhcpd (v4.1)(chrooted)'; /usr/sbin/dhcpd ${dhcpd_flags} ${dhcpd_ifs}
                fi
            fi
        fi
    else
        if [ "X${dhcpd_leases}" != "X" ]; then
            touch "${dhcpd_leases}"
        else
            touch /var/db/dhcpd.leases
        fi
        if [ -f /etc/dhcpd.interfaces ]; then
            dhcpd_ifs=`awk -F\# '{ print $1; }' < /etc/dhcpd.interfaces`
        fi
        echo -n ' dhcpd (v4.1)(not chrooted)'; /usr/local/sbin/dhcpd ${dhcpd_flags} ${dhcpd_ifs}
    fi
else
    echo "not starting DHCP daemon: executable missing or no parameters set"
fi
/etc/rc.conf.local (the variable names must match the ones the rc section above tests, dhcpd_flags and dhcpd_leases):
dhcpd_flags="-cf /etc/dhcpd.conf -user _dhcp -group _dhcp -chroot /var/dhcpd -q"
dhcpd_leases="/var/dhcpd/var/db/dhcpd.leases"
/etc/dhcpd.interfaces:
vr2
vr3
sis0
sis1
Check whether the DHCP daemon is running
ps axu|grep dhcpd
_dhcp 23450 0.0 0.2 2696 976 ?? Is 4:35PM 0:00.01 /usr/sbin/dhcpd -cf /etc/dhcpd.conf -user _dhcp -group _dhcp -chroot /var/dhcpd -q vr2 vr
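The grep above only shows that something called dhcpd exists; the added example below (not from the original page) checks the things the chroot procedure was meant to achieve, using a constructed ps line and a constructed interfaces file. It assumes the jail is /var/dhcpd, the daemon runs as _dhcp, and /etc/dhcpd.interfaces holds one interface per line with '#' starting a comment.

```shell
#!/bin/sh
# Added example, not from the original page: sanity checks for the chrooted
# dhcpd set up above.  Assumes the jail is /var/dhcpd, the daemon runs as _dhcp
# and /etc/dhcpd.interfaces lists one interface per line ('#' starts a comment).

# Print the interface names from a dhcpd.interfaces-style file (argument, or stdin
# when none is given) on one space-separated line; comments and blanks are dropped.
dhcpd_ifs_from_file() {
    awk -F'#' '{ gsub(/^[ \t]+|[ \t]+$/, "", $1)
                 if ($1 != "") out = out (out == "" ? "" : " ") $1 }
               END { print out }' "${1:--}"
}

# Given one "ps axu" line for dhcpd and the expected interface list, check that
# the daemon runs as _dhcp, was started with -user _dhcp, is chrooted into
# /var/dhcpd and listens only on the expected interfaces.  0 = all good, 1 = not.
check_dhcpd_proc() {
    ps_line=$1 want_ifs=$2 chrooted=no unpriv=no got_ifs=""
    ps_user=${ps_line%% *}
    [ "$ps_user" = _dhcp ] || { echo "dhcpd runs as $ps_user, not _dhcp"; return 1; }
    # ps axu columns: USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND; args start at field 12
    set -- $(printf '%s\n' "$ps_line" | awk '{ for (i = 12; i <= NF; i++) printf "%s ", $i }')
    while [ $# -gt 0 ]; do
        case $1 in
            -chroot) [ "$2" = /var/dhcpd ] && chrooted=yes; shift 2 ;;
            -user)   [ "$2" = _dhcp ] && unpriv=yes; shift 2 ;;
            -cf|-lf|-pf|-group) shift 2 ;;        # options that take a value
            -*) shift ;;                           # bare flags such as -q
            *) got_ifs="$got_ifs $1"; shift ;;     # whatever is left is an interface
        esac
    done
    got_ifs=${got_ifs# }
    [ $chrooted = yes ] || { echo "dhcpd is not chrooted into /var/dhcpd"; return 1; }
    [ $unpriv = yes ] || { echo "dhcpd was not started with -user _dhcp"; return 1; }
    [ "$got_ifs" = "$want_ifs" ] || { echo "interfaces: got '$got_ifs', want '$want_ifs'"; return 1; }
}

# Constructed sample input: the ps line from the page completed with the four
# interfaces, and an interfaces file that contains a comment.
GOOD_PS_LINE='_dhcp 23450 0.0 0.2 2696 976 ?? Is 4:35PM 0:00.01 /usr/sbin/dhcpd -cf /etc/dhcpd.conf -user _dhcp -group _dhcp -chroot /var/dhcpd -q vr2 vr3 sis0 sis1'
SAMPLE_IFS_FILE='vr2
vr3   # data net
# sis2 is not present on this box
sis0
sis1'

want=$(printf '%s\n' "$SAMPLE_IFS_FILE" | dhcpd_ifs_from_file)   # vr2 vr3 sis0 sis1
check_dhcpd_proc "$GOOD_PS_LINE" "$want" && echo "dhcpd: jailed, unprivileged, interfaces match"
```

On the router itself, feed it the real line with `ps axu | grep '[d]hcpd'` and the real list with `dhcpd_ifs_from_file /etc/dhcpd.interfaces`.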
Procedure 57. Enabling BIND
Turn on the daemon
Put in /etc/rc.conf.local:
named_flags='-4'
And configure it
Edit /var/named/etc/named.conf to your tastes.
Procedure 58. Enabling PF (and having it do something useful)
enable PF
Enable PF: pfctl -ef /etc/pf.conf
To enable it from boot, in /etc/rc.conf.local, put:
pf=YES
pf_rules=/etc/pf.conf
enable forwarding
In /etc/sysctl.conf uncomment:
net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets
net.inet.ip.mforwarding=1       # 1=Permit forwarding (routing) of IPv4 multicast packets
enable the tftp-proxy
In /etc/inetd.conf, uncomment or add:
#127.0.0.1/6969 dgram tcp wait root /usr/libexec/tftp-proxy tftp-proxy -v
127.0.0.1/6969 dgram udp wait root /usr/libexec/tftp-proxy tftp-proxy -v
in /etc/pf.conf:
# NAT
nat on $wan_if from $datanet to any -> ($wan_if:0)
no nat on $wan_if to port tftp
nat-anchor "tftp-proxy/*"
rdr-anchor "tftp-proxy/*"
rdr on $datanet_if proto udp from $datanet to any port tftp -> 127.0.0.1 port 6969
# for now
pass all
# anchor "tftp-proxy/*"
Note
At this point, tftp from $datanet will work, but only if we have proper routing, which means a default route must be added by hand, since the router is acting as the DHCP server already and doesn't use DHCP on the WAN interface yet. This will be corrected later on, when $wan_if uses DHCP and adds a default route when it comes up.