💾 Archived View for nox.im › posts › 2021 › 0701 › hosted-openbsd-server-setup captured on 2023-04-26 at 13:26:58. Gemini links have been rewritten to link to archived content

View Raw

More Information

-=-=-=-=-=-=-

Hosted OpenBSD Server Setup

I recently went to Vultr[1] for their hosted OpenBSD servers.

1: Vultr

One of the outstanding feature of OpenBSD is that it is configured for safety *by default*. In all the internet arguments this is often missed. Any system can be configured to be reasonably secure, but often takes a lot of effort. With OpenBSD that bit is a core component of the operating system.

Having something as critical as security baked into the defaults is simply neat. This post is actually more a log for myself of what I did for future reference. I hope it may be of use for others. The entire setup is rather straightforward and took well under half an hour. UPDATE: Three month later I'm still pleased with customer support, speed and the service as a whole.

vultr control panel[1]

1: vultr control panel

The chosen parameters for my setup come up at just $5 per month.

os: OpenBSD 6.9
server: 1x CPU, 1G memory, 25G SSD storage
location: Tokyo, Japan
hostname: orwell.nox.im

Less than a minute later we can open the server console in an noVNC window. We can log in with `root` and the password from the vulture product page.

Setup User and SSH

We don't want to operate all with root, so create a user with

adduser

This goes through a brief wizard and copies an environment from `/etc/skel` (if you ever want to change the template).

Next copy over the ssh pubkey

cp ~/.ssh/id_rsa.pub root@XXX.XXX.XXX.XXX:/home/dre/pubkey

and add it to authorized keys, I used vi to add it in in case there are other records.

vi /home/dre/.ssh/authorized_keys
:r /home/dre/pubkey
:wq

now we can ssh from our local machine to our remote host

ssh -i ~/.ssh/id_rsa dre@XXX.XXX.XXX.XXX
OpenBSD 6.9 (GENERIC.MP) #1: Sat May 22 13:19:59 MDT 2021

Welcome to OpenBSD: The proactively secure Unix-like operating system.

orwell$

We should forbid to log in with password and also as root

vi /etc/ssh/sshd_config

PermitRootLogin no
PasswordAuthentication no

The OpenBSD equivalent to the more common `sudo` command is `doas`. We first need to enable it:

vi /etc/doas.conf
permit persist :wheel

then add your user, here `dre` to the group wheel:

usermod -G wheel dre

we upgrade and reboot

syspatch
reboot

now we can verify that we can't sign in as root anymore (it still works through noVNC just not via SSH).

ssh root@XXX.XXX.XXX.XXX
root@XXX.XXX.XXX.XXX: Permission denied (publickey,keyboard-interactive).

Setup httpd

Since OpenBSD 5.6 the web server daemon `httpd` is available in the base system, so we don't have to install anything to run a web server. It supports CGI (via FastCGI) and TLS. Enable it to start at boot with

doas rcctl enable httpd

Also edit `/etc/rc.conf.local` and add the following line, it might have said "NO" before.

httpd_flags=

Then edit the config file to serve content from `/var/www/htdocs/nox.im`.

doas vi /etc/httpd.conf
ext_ip="XXX.XXX.XXX.XXX" # external IP of this box

server "default" {
        listen on $ext_ip port 80
        root "/htdocs/nox.im"
}
types {
        include "/usr/share/misc/mime.types"
}

The target directory isn't available yet, let's create it and give the user write permissions:

mkdir -p /var/www/htdocs/nox.im
chown dre /var/www/htdocs/nox.im

then upload contents to /var/www/htdocs/nox.im

if we didn't enable it as per above, start httpd with the `-f` flag, otherwise we can omit it.

doas /etc/rc.d/httpd -f start

our server is now available (without TLS)

http://XXX.XXX.XXX.XXX/

We can see access logs with

tail -f /var/www/logs/access.log

The A record is used to point the domain name at one or multiple IP addresses. AAAA record does the same thing as the A record but for IPv6. Set it in your DNS panel if you have a domain, I did this for nox.im:

@ 10800 IN A XXX.XXX.XXX.XXX
www 10800 IN A XXX.XXX.XXX.XXX

or use a cname for the www subdomain instead of an A record

www 10800 IN CNAME nox.im

now we can ssh to our server via

ssh dre@nox.im

Edit `/etc/motd` to change the welcome "message of the day" you see when you ssh into the server.

If you want to add an SSL certificate with Let's Encrypt or another CA, you can read the post on how to use acme client with Let's Encrypt on OpenBSD[1].

1: acme client with Let's Encrypt on OpenBSD

If you wish to block certain countries, see a snippet on blocking country traffic with pf[1].

1: blocking country traffic with pf

Setup rsync

Since we set up SSH keys, we can use scp or better, rsync to copy files between our local machine and our server. We can install rsync from ports:

doas pkg_add rsync

For it to start successfully, we have to create a `/etc/rsyncd.conf` file, we need to know the uid and gid of our user for the target directory, so the files end up with the right owner.

orwell$ id
uid=1000(dre) gid=1000(dre) groups=1000(dre), 0(wheel)
orwell$ group info daemon
name    daemon
passwd  *
gid     1

The `rsyncd.conf` then looks as follows:

orwell$ cat /etc/rsyncd.conf
[global]
use chroot  = yes
max connection = 5
log file = /var/log/rsyncd.log

[web]
path = /var/www/htdocs/nox.im/
read only = false
list = yes
uid = 1000
gid = 1

Finally enable and start the rsync daemon:

doas rcctl enable rsync
doas rcctl start rsync

And try to copy files:

rsync -a -P --delete ./public/ dre@nox.im:/var/www/htdocs/nox.im/

Done.

- `-a` puts rsync into archive mode

- `--delete` will delete files found on the server but not the source

- `-P` will not set directory timestamps

It then pushes the contents of `./public/` (with a trailing slash!) to `/var/www/htdocs/nox.im/` on the server. It'll only update the files that are required by comparing timestamps.

Enable IPv6

Ensure that slaacd is enabled and running.

rcctl enable slaacd
rcctl start slaacd

Edit `/etc/hostname.vio0` add the inet6 autoconf and further - Disable IPv6 autoconf temporary address extensions on the interface `-tempoorary` - Disable IPv6 persistent Semantically Opaque Interface Identifiers on the interface. `-soii`

inet6 autoconf -soii -temporary

Restart the network and test

sh /etc/netstart vio0
ping6 -c3 2001:4860:4860::8888
PING 2001:4860:4860::8888 (2001:4860:4860::8888): 56 data bytes
64 bytes from 2001:4860:4860::8888: icmp_seq=0 hlim=119 time=0.642 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=1 hlim=119 time=0.683 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=2 hlim=119 time=0.663 ms


3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.642/0.663/0.683/0.017 ms

When set up http, the website will be reachable through `https://[2001:19f0:7001:40ff:5400:3ff:fe70:ec42]/` too and you can add an AAAA IPv6 record for your domain:

@ 10800 IN AAAA 2001:19f0:7001:40ff:5400:3ff:fe70:ec42

Install Software Packages

Note that OpenBSD packages are "frozen" with the OpenBSD base system for releases, which happen every six months. This means that any installed package is only as recent as the OpenBSD release they’re running on, excluding security patches.

Our server doesn't need many tools, I install Go as it is the primary development language and alongside git allow easy deployments and tests as well as a few other utilities for debugging.

doas pkg_add go git htop curl

Installing and running services will be the subject of later articles. For the base system we're done for now.