All links in this publication point to other articles on this blog related to its subject.
Those who have been following the last posts of this blog know that I "fell in love" with OpenBSD. It is a different open source project from the many others I have paid attention to in recent years. It is not Linux; it is based on UNIX.
"With Cats, they Dump Foo, as Ninjas can do."
See for yourself: connect to irc.libera.chat and join #OpenBSD. Many users there are like ninjas. It is an awesome source of knowledge and a community that is there to help anyone solve their problems. As we can do with the man pages, they normally suggest reading them, "since it is one of the best soup we can eat to get the proper vitamins."
If you search for security issues on sites like https://sploitus.com/ and https://vulners.com/, you find that FreeBSD jails can look safe, while the difference between the two systems is more than different configuration locations: they take different approaches, which results in "ZERO" results on these sites for OpenBSD security holes. Security is their "holy gold", and with it comes a stable and robust operating system.
After almost two weeks, I want to test OpenBSD security by building the following configuration:
# My ISP router lets me configure dynamic DNS with some popular services like No-IP.
# So I set up a No-IP DNS name to expose the firewall, which has two network cards.
# I install the full OpenBSD system, since this machine will serve as a desktop too.
# Reading about OpenBSD, we find that the base system already has almost everything we need to start,
# without installing extra software, to accomplish the "hosting a service at home" purpose.
# 1: A firewall https://www.openbsd.org/faq/pf/ to monitor, limit and block traffic that we don't expect
# 2: An HTTP daemon https://man.openbsd.org/httpd to serve HTTP requests
# 3: A relay daemon https://man.openbsd.org/relayd to redirect traffic and much more
For now, we only serve an HTML page saying "hello", but the purpose can grow.
Since I wish to run a framework with a database, I need to install a few packages. Here we try NodeJS and MongoDB.
Once again, the security holes for OpenBSD listed at
https://vulners.com/search?query=OpenBSD are old, and all related issues target the Linux kernel.
And to my surprise, at https://sploitus.com/?query=OpenBSD#exploits
we have 5 new exploits in OpenSSH, which we will not expose to the Internet.
Those who develop exploits should work on the development of the systems they are able to exploit, since at the end of this "fight" that is what will happen.
Another popular website is https://www.exploit-db.com/, which has some security issues from older versions.
On this firewall desktop I install some packages:
i3, i3status, dmenu, alacritty, vim (option 6), git, newsboat, irssi, calcurse and ungoogled-chromium
I want to dedicate a machine to httpd: an "old" i3 laptop with 4 CPUs, using 2 by default.
Another i5 will host the database. Since the OpenBSD installation is really simple, I set up these machines with OpenBSD (latest release, 7.8).
For these machines I remove all games and X libraries with the '-x* -g*' option in the installation process. Hopefully that was not a bad choice; this publication will be shared to ask for advice within the OpenBSD community: what improvements I should make and what more I need to learn.
The Firewall files
# ISP router static IP: 10.0.0.1
# Firewall static IP: 10.0.0.2 (this machine)
# HTTPD static IP: 10.42.35.231
# The database machine can only talk to our HTTPD server.
# With this configuration, the database server cannot speak to the Internet.
# I haven't yet set up everything I wish to serve, since not everything is ready.
# /etc/pf.conf
# Note: the table names between angle brackets were lost when this page was
# extracted; <martians> and <bruteforce>, the names used in the OpenBSD PF FAQ,
# are assumed here.
external="re0"
internal="re1"
server="10.42.35.231"
http_ports="{80,443}"
#ssh_ports="22"
set skip on lo
set optimization conservative
set fingerprints "/etc/pf.os"
set timeout interval 10
set timeout frag 30
set loginterface re0
set state-policy if-bound
anchor "relayd/*"
# Private, reserved and documentation ranges that must never arrive from outside
table <martians> persist { \
0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, \
169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16, \
198.18.0.0/15, 198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/4, 240.0.0.0/4 }
# Sources that exceeded the connection limits below (filled by "overload")
#table <bruteforce> persist counters
table <bruteforce> persist
antispoof quick for { $external, $internal }
block all
#block in quick from <bruteforce>
block in quick from <bruteforce>
block return in on ! lo0 proto tcp to port 6000:6010
block return out log proto {tcp udp} user _pbuild
block in quick on $external from urpf-failed label uRPF
block in quick on $internal from urpf-failed label uRPF
block in quick on $external from <martians> to any
# Note: being "quick", this rule also wins over the "pass in quick proto udp to $server port {domain ntp}" rule at the end
block drop quick proto udp to $server
match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)
pass out on egress proto { tcp udp icmp } keep state
# SSH max connections filtering
# We don't expose SSH to the internet
#block in log quick proto tcp from <bruteforce> to any label SSH_BRUTES
#pass in on $external proto tcp to $server port $ssh_ports flags S/SA synproxy state (max-src-conn 1, max-src-conn-rate 3/1, overload <bruteforce> flush global)
# HTTP max connections filtering
# We only serve a static and simple html page, so 10 connections in 1 second is an abuse!
# Note: "max-src-conn 1" also puts a source into <bruteforce> as soon as it holds a
# second simultaneous connection, which browsers routinely open.
block in log quick from <bruteforce> to any label HTTP_BRUTES
pass in on $external proto tcp to $server port $http_ports flags S/SA synproxy state (max-src-conn 1, max-src-conn-rate 10/1, overload <bruteforce> flush global)
# Pass / keep going
pass # establish keep-state
pass out quick inet
pass in on $external from $server to $internal keep state
pass out on $internal proto { tcp udp icmp } from ($internal) to $external keep state
# Note: rdr-to sends these connections straight to $server; they do not reach the relayd listeners on this host
pass in on egress proto tcp from any to any port $http_ports rdr-to $server
pass in quick proto udp to $server port {domain ntp}
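To see what the state-tracking options on the HTTP pass rule actually do, here is an added Python approximation of their semantics (my illustration, not pf's code and not part of the original post). It keeps a sliding window per source for max-src-conn-rate 10/1, a count of open connections per source for max-src-conn 1, and a set standing in for the overload table (called <bruteforce> here, an assumed name, since the real name was lost from the page). The two clients, their addresses and their timings are constructed; the second one shows the side effect of max-src-conn 1 on a browser that opens two connections at once.

```python
from collections import defaultdict, deque


class SourceTracking:
    """Approximates pf's per-source limits on the page's HTTP rule:
    max-src-conn N, max-src-conn-rate COUNT/SECONDS, overload <bruteforce> flush global.
    Added illustration of the rule semantics, not pf's implementation."""

    def __init__(self, max_src_conn, rate_count, rate_seconds):
        self.max_src_conn = max_src_conn
        self.rate_count = rate_count
        self.rate_seconds = rate_seconds
        self.bruteforce = set()             # stands in for table <bruteforce>
        self.open_conns = defaultdict(int)  # established states per source
        self.recent = defaultdict(deque)    # connection start times per source

    def connect(self, src, now):
        """A new TCP connection from `src` at time `now`; returns the rule outcome."""
        # "block in quick from <bruteforce>" is evaluated before the pass rule
        if src in self.bruteforce:
            return "blocked"
        window = self.recent[src]
        while window and now - window[0] >= self.rate_seconds:
            window.popleft()                # forget starts outside the rate window
        window.append(now)
        if len(window) > self.rate_count or self.open_conns[src] + 1 > self.max_src_conn:
            self._overload(src)
            return "overloaded"
        self.open_conns[src] += 1
        return "passed"

    def close(self, src):
        """One connection from `src` was closed."""
        if self.open_conns[src] > 0:
            self.open_conns[src] -= 1

    def _overload(self, src):
        # overload <bruteforce>: the source goes into the table ...
        self.bruteforce.add(src)
        # ... and "flush global" kills every state it holds, whatever rule created it
        self.open_conns[src] = 0
        self.recent[src].clear()


def run_scanner(tracker, src="198.51.100.7", n=12):
    """Constructed burst: n sequential connections 50 ms apart, each closed at once."""
    results = []
    for i in range(n):
        outcome = tracker.connect(src, i * 0.05)
        results.append(outcome)
        if outcome == "passed":
            tracker.close(src)
    return results


def run_browser(tracker, src="203.0.113.9"):
    """Constructed browser: a second connection opened while the first is still in use."""
    first = tracker.connect(src, 5.0)
    second = tracker.connect(src, 5.1)
    return first, second


if __name__ == "__main__":
    page_rule = SourceTracking(max_src_conn=1, rate_count=10, rate_seconds=1)
    print("scanner:", run_scanner(page_rule))          # 10 passed, then overloaded, then blocked
    print("browser:", run_browser(page_rule))          # ('passed', 'overloaded')
    relaxed = SourceTracking(max_src_conn=20, rate_count=10, rate_seconds=1)
    print("browser with max-src-conn 20:", run_browser(relaxed))  # ('passed', 'passed')
```

The scanner's eleventh connection inside one second trips the rate limit and lands the address in the table, after which every further packet is dropped by the quick block rule. The browser never exceeds the rate but is caught by max-src-conn 1 alone, which is why a larger per-source connection cap (the relaxed tracker) is the usual setting for an HTTP service.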
Maybe I can make some improvements. If you wish to fix something, I remind you that this blog is hosted on GitHub, and you can find me in #OpenBSD as CommonNickname.
After allowing the necessary traffic for our main desktop and local servers, which are already set up and running, we can configure relayd. Relayd can do a lot, so read the man pages, since they can be better than many public tutorials.
# This firewall runs relayd to redirect traffic and filter HTTP requests
# Note: the table name between angle brackets was lost when this page was
# extracted; <webhosts> is assumed here.
table <webhosts> { 10.42.35.231 }
log state changes
log connection
http protocol "http" {
# lets log various extra things to the log
match header log "Host"
match header log "X-Forwarded-For"
match header log "User-Agent"
match header log "Referer"
match url log
# Return errors
return error
# Update headers passed to the httpd server
match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
match request header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
# Security HTTP response headers
match response header remove "Server"
match response header append "Strict-Transport-Security" value "max-age=31536000; includeSubDomains"
# X-Frame-Options only accepts DENY or SAMEORIGIN; browsers ignore a hostname value
match response header append "X-Frame-Options" value "SAMEORIGIN"
match response header append "X-XSS-Protection" value "1; mode=block"
match response header append "X-Content-Type-Options" value "nosniff"
match response header append "Referrer-Policy" value "strict-origin"
# 'unsafe-inline' and 'unsafe-eval' in script-src weaken the policy; kept as the author chose them
match response header append "Content-Security-Policy" value "default-src https:; style-src 'self' 'unsafe-inline'; font-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'"
match response header append "Permissions-Policy" value "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()"
# set recommended tcp options
tcp { nodelay, socket buffer 65536, backlog 100 }
# Pass / Let them pass
pass request quick header "Host" value "monkeyTest.ddns.net" forward to <webhosts>
# Block HTTP request paths
block path "/cgi-bin/*" value "*command=*"
block request
}
http protocol "https" {
# Handle TLS with Let's Encrypt certificates
tls keypair "monkeyTest.ddns.net"
# lets log various extra things to the log
match header log "Host"
match header log "X-Forwarded-For"
match header log "User-Agent"
match header log "Referer"
match url log
# Update headers passed to the httpd server
match request header set "X-Forwarded-Proto" value "https"
match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
match request header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
match request header set "Forward" value "by=$SERVER_ADDR:$SERVER_PORT;for=$REMOTE_ADDR;host=$HOST;proto=https"
match response header append "Strict-Transport-Security" value "max-age=31536000; includeSubDomains"
# X-Frame-Options only accepts DENY or SAMEORIGIN; browsers ignore a hostname value
match response header append "X-Frame-Options" value "SAMEORIGIN"
match response header append "X-XSS-Protection" value "1; mode=block"
match response header append "X-Content-Type-Options" value "nosniff"
match response header append "Referrer-Policy" value "strict-origin"
match response header append "Content-Security-Policy" value "default-src https:; style-src 'self' 'unsafe-inline'; font-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'"
match response header append "Permissions-Policy" value "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()"
# set recommended tcp options
tcp { nodelay, socket buffer 65536, backlog 100 }
# TLS and ciphers
tls { no tlsv1.0, ciphers "HIGH:!aNULL:!SSLv3:!DSS:!ECDSA:!RSA:-ECDH:ECDHE:+SHA384:+SHA256" }
# Block paths
block path "/cgi-bin/*" value "*command=*"
# Pass / Let them pass
pass request quick header "Host" value "monkeyTest.ddns.net" forward to <webhosts>
}
relay "http_monkeyTest.ddns.net" {
listen on * port 80
protocol "http"
forward to <webhosts> port 80 mode loadbalance check http "/" code 200
}
relay "ssl_monkeyTest.ddns.net" {
listen on * port 443
protocol "https"
# Note: this relay terminates TLS itself; if httpd on port 443 also speaks TLS (the page
# says httpd uses Let's Encrypt), the backend hop needs "forward with tls" and "check https"
forward to <webhosts> port 443 mode loadbalance check http "/" code 200
}
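Browsers are picky about the values of the response headers that relayd appends above: a quoting slip in a Content-Security-Policy source token or a non-standard X-Frame-Options value silently disables the protection. Here is an added Python lint (mine, not relayd's and not part of the original post) that parses the `match response header` lines of a protocol block and checks those values. The two embedded configs are constructed: the first reproduces the page's https block as published, the second a corrected variant; the header names and checks are taken from the page, the helper names are my own.

```python
import re

# Constructed sample: the page's https protocol block as published, including the
# hostname value for X-Frame-Options and the "unsafe-inline'" token missing its opening quote.
SAMPLE_CONFIG = '''
http protocol "https" {
    match response header append "Strict-Transport-Security" value "max-age=31536000; includeSubDomains"
    match response header append "X-Frame-Options" value "monkeyTest.ddns.net"
    match response header append "X-XSS-Protection" value "1; mode=block"
    match response header append "X-Content-Type-Options" value "nosniff"
    match response header append "Referrer-Policy" value "strict-origin"
    match response header append "Content-Security-Policy" value "default-src https:; style-src 'self' 'unsafe-inline'; font-src 'self' data:; script-src 'self' unsafe-inline' 'unsafe-eval'"
}
'''

# Constructed corrected variant: valid X-Frame-Options, balanced quotes, no unsafe script sources.
HARDENED_CONFIG = '''
http protocol "https" {
    match response header append "Strict-Transport-Security" value "max-age=31536000; includeSubDomains"
    match response header append "X-Frame-Options" value "SAMEORIGIN"
    match response header append "X-Content-Type-Options" value "nosniff"
    match response header append "Content-Security-Policy" value "default-src https:; style-src 'self' 'unsafe-inline'; font-src 'self' data:; script-src 'self'"
}
'''

# relayd.conf syntax: match response header append|set "Name" value "Value"
HEADER_RE = re.compile(
    r'^\s*match\s+response\s+header\s+(?:append|set)\s+"([^"]+)"\s+value\s+"([^"]*)"'
)


def extract_headers(config):
    """Return (name, value) pairs for every response header the protocol block emits."""
    headers = []
    for line in config.splitlines():
        m = HEADER_RE.match(line)
        if m:
            headers.append((m.group(1), m.group(2)))
    return headers


def check_csp(value):
    """Check each CSP directive: keyword tokens must be fully quoted, script-src should not
    allow inline or eval'd script."""
    findings = []
    for directive in value.split(";"):
        parts = directive.split()
        if not parts:
            continue
        name, tokens = parts[0], parts[1:]
        for tok in tokens:
            # a keyword like 'self' must carry both quotes; "unsafe-inline'" is a stray token
            if "'" in tok and not (len(tok) > 2 and tok[0] == "'" and tok[-1] == "'"):
                findings.append(f"CSP {name}: unbalanced quote in token {tok!r}")
        if name == "script-src":
            for weak in ("'unsafe-inline'", "'unsafe-eval'"):
                if weak in tokens:
                    findings.append(f"CSP script-src allows {weak}, which weakens the policy")
    return findings


def check_headers(headers):
    """Apply per-header checks and return a list of human-readable findings."""
    findings = []
    for name, value in headers:
        lname = name.lower()
        if lname == "x-frame-options" and value.upper() not in ("DENY", "SAMEORIGIN"):
            findings.append(f"X-Frame-Options {value!r} is not DENY or SAMEORIGIN; browsers ignore it")
        elif lname == "strict-transport-security" and not re.search(r"max-age=\d+", value):
            findings.append("Strict-Transport-Security: missing max-age")
        elif lname == "content-security-policy":
            findings.extend(check_csp(value))
    return findings


def lint_config(config):
    """Lint one relayd protocol block and return its findings (empty list when clean)."""
    return check_headers(extract_headers(config))


if __name__ == "__main__":
    for label, cfg in (("published", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}:")
        for finding in lint_config(cfg) or ["no findings"]:
            print("  -", finding)
```

Run it against a real /etc/relayd.conf by reading the file into `lint_config`; the published block yields three findings (the X-Frame-Options value, the unbalanced quote, and the 'unsafe-eval' source), the corrected one yields none.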
This configuration has some values that are not real, like the IPs of my local network, but these configurations work for me while I am still learning about OpenBSD.
The httpd server uses Let's Encrypt. The domain used for this article doesn't exist, yet the server gets several attack attempts from the very first seconds it is alive. I suspect that malicious activity comes from people who monitor new No-IP domains, or from automated bots that are everywhere. Maybe I can configure this server to use a better DNS service. Cloudflared is not part of the OpenBSD packages, but I need to find another one that is less popular. If you have any suggestions, let me know.