version=pmwiki-2.2.130 ordered=1 urlencoded=1 agent=w3m/0.5.3+git20210102 author=jrmu charset=UTF-8 csum= ctime=1597239367 host=38.81.163.143 name=Openbsd.Shell rev=5 targets=Guava.Packages text======= Creating a folder tree ======%0a%0aCreate a new folder tree for hosting web server resources and additional services.%0a%0a%3ccode>%0adoas mkdir -p /home/www/acme%0adoas mkdir -p /home/www/bin%0adoas mkdir -p /home/www/cache%0adoas mkdir -p /home/www/cgi-bin%0adoas mkdir -p /home/www/conf%0adoas mkdir -p /home/www/htdocs%0adoas mkdir -p /home/www/logs%0adoas mkdir -p /home/www/run%0adoas mkdir -p /home/www/tmp%0adoas mkdir -p /home/www/usr%0a%3c/code>%0a%0a====== Setting directory owners ======%0a%0aNext, you need to set the correct owners for the new folder tree.%0a%0a%3ccode>%0adoas chown root:daemon /home/www/acme%0adoas chown root:daemon /home/www/bin%0adoas chown www:daemon /home/www/cache%0adoas chown root:daemon /home/www/cgi-bin%0adoas chown root:daemon /home/www/conf%0adoas chown root:daemon /home/www/htdocs%0adoas chown root:daemon /home/www/logs%0adoas chown root:daemon /home/www/run%0adoas chown www:www /home/www/tmp%0adoas chown root:daemon /home/www/usr%0a%3c/code>%0a%0a====== Copying service files ======%0a%0aThe next step is to copy the old files into the new folder tree.%0a%0a%3ccode>%0adoas cp /var/www/bin/* /home/www/bin/%0adoas chown root:bin /home/www/bin/*%0adoas cp /var/www/cgi-bin/* /home/www/cgi-bin/%0adoas chown root:bin /home/www/cgi-bin/*%0adoas cp /var/www/conf/* /home/www/conf/%0adoas chown root:wheel /home/www/conf/*%0adoas mkdir -p /home/www/usr/sbin%0adoas chown root:daemon /home/www/usr/sbin%0adoas cp /var/www/usr/sbin/sendmail /home/www/usr/sbin/sendmail%0adoas chown root:daemon /home/www/usr/sbin/sendmail%0a%3c/code>%0a%0a====== Stopping services ======%0a%0aYou need to stop the web server and its additional services.%0a%0a%3ccode>%0adoas rcctl -d stop httpd%0adoas rcctl -d stop php73_fpm%0a%3c/code>%0a%0a====== Making changes to 
the configuration ======%0a%0aThe next step is to make changes to the configuration files of the web server and its services.%0a%0a/etc/httpd.conf:%0a%3ccode>%0achroot "/home/www"%0a%3c/code>%0a%0a/etc/php-fpm.conf:%0a%3ccode>%0alisten = /home/www/run/php-fpm.sock%0achroot = /home/www%0a%3c/code>%0a%0a====== Email security settings ======%0aSetting the minimum rights for the mail system%0a%3ccode>%0adoas chmod 640 /etc/mail/domains%0adoas chmod 640 /etc/mail/vusers%0adoas chmod 640 /etc/mail/hosts%0adoas chmod 640 /etc/mail/passwd%0adoas chmod 640 /etc/mail/vusers%0adoas chmod 640 /etc/mail/smtpd.conf%0adoas chown _dovecot:_dovecot /etc/dovecot/dovecot.conf%0adoas chown _dovecot:_dovecot /etc/dovecot/users.txt%0adoas chmod 640 /etc/dovecot/dovecot.conf%0adoas chmod 640 /etc/dovecot/users.txt%0a%3c/code>%0a%0aFirst make sure to set quotas%0a%0aSecond, make sure to change file permissions for%0a%0a/home/username%0a%0aWe symlinked /htdocs inside each user's home folder to /var/www/htdocs/%3cusername>%0a%0aWe installed%0a%0aInside /etc/httpd.conf:%0a%0a%3ccode>%0a location "/~username/*" {%0a root "/htdocs/username"%0a request strip 1%0a }%0a%3c/code>%0a%0aUpdate: hiding logs was causing problems%0a%0aWe also hide logs in /var/logs and /var/www/logs%0a%0a[[Guava/Packages|Packages installed]]%0a%0aPackages installed:%0a%0a%3ccode>%0aImageMagick-6.9.10.62 image processing tools%0aalpine-2.21p3 UW e-mail client%0aanthy-9100hp2 japanese input method%0aantiword-0.37p0 converts MSWord Documents to ASCII Text and PostScript%0aapr-1.6.5p0 Apache Portable Runtime%0aapr-util-1.6.1p2 companion library to APR%0aargon2-20171227 C implementation of Argon2 - password hashing function%0aaspell-0.60.6.1p10 spell checker designed to eventually replace Ispell%0abash-5.0.11 GNU Bourne Again Shell%0aboehm-gc-7.6.0p3 garbage collection and memory leak detection for C and C++%0aboost-1.66.0p7 free peer-reviewed portable C++ source libraries%0abzip2-1.0.8 block-sorting file compressor, 
unencumbered%0acmake-3.15.3v0 portable build system%0acoreutils-8.31p1 file, shell and text manipulation utilities%0acurl-7.66.0 get files from FTP, Gopher, HTTP or HTTPS servers%0acvsps-2.1p2 generate patchsets from CVS repositories%0acyrus-sasl-2.1.27p1 RFC 2222 SASL (Simple Authentication and Security Layer)%0adb-4.6.21p7v0 Berkeley DB package, revision 4%0adesktop-file-utils-0.24p0 utilities for dot.desktop entries%0adjvulibre-3.5.27p6 view, decode and encode DjVu files%0adocx2txt-1.4p0 command line converter from Microsoft docx to ASCII text%0aelvis-2.2.0p5-no_x11 clone of the ex/vi text editor%0aemacs-26.3-no_x11 GNU editor: extensible, customizable, self-documenting%0afdm-2.0 fetch, filter and deliver mail%0afetchmail-6.3.26p3 mail retrieval utility for POP2, POP3, KPOP, IMAP and more%0afftw3-3.3.8p1 C routines for computing the Discrete Fourier Transform%0afftw3-common-3.3.8p1 common files for the fftw3 packages%0afiglet-2.2.5 generates ASCII banner art%0agawk-5.0.0p0 GNU awk%0agdk-pixbuf-2.38.2 graphic library for gtk+2%0ageomyidae-0.34 Gopher protocol daemon%0agettext-runtime-0.20.1p0 GNU gettext runtime libraries and programs%0agiflib-5.1.6 tools and library routines for working with GIF images%0agit-2.23.0 GIT - Tree History Storage Tool%0aglib2-2.60.7 general-purpose utility library%0agmake-4.2.1p4 GNU make%0agnupg-1.4.23p3 GNU privacy guard - a free PGP replacement%0agnupg-2.2.12p0 GNU privacy guard - a free PGP replacement%0agot-0.17 game of trees version control system%0agroff-1.22.4p0 GNU troff typesetter%0agtk-update-icon-cache-3.24.12 gtk+ icon theme caching utility%0ahicolor-icon-theme-0.17 fallback theme of the icon theme specification%0aicu4c-64.2p0 International Components for Unicode%0aii-1.7p3 minimalist IRC client%0airssi-1.2.2 modular IRC client with many features%0ajasper-2.0.14 reference implementation of JPEG-2000%0ajbigkit-2.1 lossless image compression library, with lightweight version%0ajpeg-2.0.3v0 SIMD-accelerated JPEG codec 
replacement of libjpeg%0ajq-1.6p0 lightweight and flexible command-line JSON processor%0ajsoncpp-1.8.4p2 JSON parsing C++ API%0alcms2-2.9p0 color management library%0aledger-3.1.1p4 command line double-entry accounting ledger%0alibarchive-3.4.0 multi-format archive and compression library%0alibb2-0.98.1v0 library providing BLAKE2b, BLAKE2s, BLAKE2bp, BLAKE2sp%0alibffi-3.2.1p5 Foreign Function Interface%0alibiconv-1.16p0 character set conversion library%0alibidn2-2.3.0 implementation of IDNA2008 internationalized domain names%0alibraw-0.19.5 library for reading RAW files%0alibtasn1-4.14 Abstract Syntax Notation One structure parser library%0alibunbound-1.9.4 validating DNS resolver library%0alibunistring-0.9.7 manipulate Unicode strings%0alibuv-1.30.1 multi-platform library for asynchronous I/O%0alibwebp-1.0.3 Google WebP image format conversion tool%0alibxml-2.9.9 XML parsing library%0alinks-1.03p0 text browser, displays while downloading%0alua-5.3.5 powerful, light-weight programming language (version 5.3.5)%0alynx-2.8.9rel1p0 text web browser%0alz4-1.9.2 fast BSD-licensed data compression%0amariadb-client-10.3.20v1 multithreaded SQL database (client)%0amariadb-server-10.3.20v1 multithreaded SQL database (server)%0amawk-1.3.4.20171017 fast POSIX-compliant awk%0amcabber-1.1.0p4 console jabber client%0amercurial-5.0.2 fast, lightweight source control management%0amultitail-6.4.2p0 multi-window tail(1) utility%0amutt-1.12.2v3-sasl tty-based e-mail client%0anano-4.4 simple editor, inspired by Pico%0aneovim-0.3.8 continuation and extension of Vim%0anewsboat-2.15p0 RSS/Atom feed reader for text terminals%0anghttp2-1.39.2 library for HTTP/2%0angircd-25 lightweight irc server%0anode-10.16.3 V8 JavaScript for clients and servers%0anvi-2.1.3p2 ex/vi text editor with wide character support%0aoath-toolkit-2.6.2p1 toolkit for OATH/HOTP and TOTP%0aopenjp2-2.3.1 open-source JPEG 2000 codec library%0ap11-kit-0.23.18.1 library for loading and enumerating PKCS#11 
modules%0apcre-8.41p2 perl-compatible regular expression library%0aphp-7.3.12 server-side HTML-embedded scripting language%0apico-5.09p20 UW text editor%0apkglocatedb-1.5 database of packages for use with locate(1)%0apng-1.6.37 library for manipulating PNG images%0aprofanity-0.7.1 console based XMPP client%0apy-pip-19.1.1 tool for installing Python packages%0apy3-neovim-0.3.2p0 Python plugin support for Neovim%0apy3-pip-19.1.1 tool for installing Python packages%0apython-2.7.16p1 interpreted object-oriented programming language%0apython-3.7.4 interpreted object-oriented programming language%0aquirks-3.182 exceptions to pkg_add rules%0arhash-1.3.5p0 utility and library for computing hash sums%0arsync-3.1.3 mirroring/synchronization over low bandwidth links%0aruby-2.6.5 object oriented script language with threads%0arust-1.38.0 compiler for Rust Language%0asacc-1.00 simple console gopher client%0ascreen-4.6.2 multi-screen window manager%0ashared-mime-info-1.10p5 shared mime database for desktops%0asic-1.2p1 simple irc client%0aslrn-1.0.2p2 SLang-based newsreader%0asqlite3-3.29.0 embedded SQL implementation%0asubversion-1.12.2 subversion revision control system%0atcsh-6.20.00p1 extended C-shell with many useful features%0atiff-4.0.10 tools and library routines for working with TIFF images%0atree-0.62 print ascii formatted tree of a directory structure%0atrn-4.0.77p2 threaded newsreader%0auim-1.8.8p0 multilingual input method library%0auim-chewing-0.1.0p2 chewing input method for uim%0aunzip-6.0p12 extract, list & test files in a ZIP archive%0avim-8.1.2061-no_x11 vi clone, many additional features%0aw3m-0.5.3p8 pager/text-based web browser%0aweechat-2.6 fast, light and extensible chat client%0awget-1.20.3p1 retrieve files from the web via HTTP, HTTPS and FTP%0axlsx2csv-20150318p1 convert XLSX files to CSV%0axz-5.2.4 LZMA compression and decompression tools%0azh-fonts-kc-1.05p2 extra chinese fonts%0azh-libchewing-0.5.1p0 intelligent phonetic input method 
library%0azip-3.0p1 create/update ZIP files compatible with PKZip(tm)%0azstd-1.4.3 zstandard fast real-time compression algorithm%0a%3c/code>%0a%0aTo set the user's default prompt to "username$ ", stick this into /etc/profile:%0a%0a%3ccode>%0aexport PS1="`whoami`$ "%0a%3c/code>%0a%0a%3ccode>%0a # chmod -R o-rx /var/log%0a # chmod o-rx /var/run/utmp%0a # chmod o-r /var/log/wtmp*%0a%3c/code>%0a%0aSeems like there is no way to hide processes from users:%0a%0ahttp://openbsd-archive.7691.n7.nabble.com/KERNEL-PATCH-add-process-hiding-fixed-td309339.html%0a%0a%3ccode>%0a# chmod 750 /var/www/logs/%0a# chmod 640 /var/www/logs/*%0a# chmod 750 /var/log%0a# chmod o-rx /var/log/*%0a# chmod -R o-rx /etc/mail%0a%3c/code>%0a%0ato turn accounting on.. only users love making use of it too%0a%0aadd login.conf rules%0a%0a[@%0afree:\%0a :maxproc-cur=50:\%0a :maxproc-max=100:\%0a :openfiles-cur=512:\%0a :openfiles-max=1024:\%0a :memoryuse-cur=32M:\%0a :memoryuse-max=64M:\%0a :vmemoryuse-cur=64M:\%0a :vmemoryuse-max=128M:\%0a :memorylocked-cur=32M:\%0a :memorylocked-max=64M:\%0a :stacksize-cur=32M:\%0a :stacksize-max=64M:\%0a :localcipher=blowfish,a:\%0a :minpasswordlen=10:\%0a :requirehome@:\%0a :umask=022:%0a%0aguest:\%0a :maxproc-cur=25:\%0a :maxproc-max=50:\%0a :openfiles-cur=512:\%0a :openfiles-max=1024:\%0a :memoryuse-cur=32M:\%0a :memoryuse-max=64M:\%0a :vmemoryuse-cur=64M:\%0a :vmemoryuse-max=128M:\%0a :memorylocked-cur=32M:\%0a :memorylocked-max=64M:\%0a :stacksize-cur=32M:\%0a :stacksize-max=64M:\%0a :localcipher=blowfish,a:\%0a :minpasswordlen=10:\%0a :requirehome@:\%0a :umask=022:%0a@]%0a%0aFor each new user:%0a%0a%3ccode>%0a# adduser%0a# chmod 700 /home/username /home/username/.ssh%0a# chmod 600 /home/username/{.Xdefaults,.cshrc,.cvsrc,.login,.mailrc,.profile}%0a# mkdir /var/www/htdocs/username%0a# ln -s /var/www/htdocs/username /home/username/htdocs%0a# chown username:username /var/www/htdocs/username /home/username/htdocs%0a# edquota username%0a%3c/code>%0a%0aIn 
/etc/httpd.conf:%0a%0a%3ccode>%0a location "/~username/*" {%0a root "/htdocs/username"%0a request strip 1 %0a }%0a%3c/code>%0a%0aIn the nsd zone files, create one subdomain per user so that each user gets username.shell.ircnow.org%0a%0aFind any new suid binaries with:%0a%3ccode>%0a # find / -perm -4000%0a%3c/code>%0a%0aCheck /etc/group to make sure that no user is a member of wheel. This prevents them from using su to become root even if they know the root password.%0a%0aIn /etc/ssh/sshd_config, turn off X11 forwarding%0a%0aCreate symlinks for users so they don't complain:%0a%0a%3ccode>%0aln -s /usr/local/bin/tclsh8.6 /usr/local/bin/tclsh%0aln -s /usr/local/bin/python3.7 /usr/local/bin/python%0a%3c/code>%0a%0aYou will want /var/www/etc/resolv.conf so that DNS lookups work inside the chroot:%0a%0a%3ccode>%0a# mkdir /var/www/etc/%0a# cp /etc/resolv.conf /var/www/etc/%0a# chown -R www:daemon /var/www/etc%0a%3c/code>%0a time=1623404219 author:1623404219=jrmu diff:1623404219:1623404169:=276,309c276,291%0a%3c :maxproc-cur=50:\%0a%3c :maxproc-max=100:\%0a%3c :openfiles-cur=512:\%0a%3c :openfiles-max=1024:\%0a%3c :memoryuse-cur=32M:\%0a%3c :memoryuse-max=64M:\%0a%3c :vmemoryuse-cur=64M:\%0a%3c :vmemoryuse-max=128M:\%0a%3c :memorylocked-cur=32M:\%0a%3c :memorylocked-max=64M:\%0a%3c :stacksize-cur=32M:\%0a%3c :stacksize-max=64M:\%0a%3c :localcipher=blowfish,a:\%0a%3c :minpasswordlen=10:\%0a%3c :requirehome@:\%0a%3c :umask=022:%0a%3c %0a%3c guest:\%0a%3c :maxproc-cur=25:\%0a%3c :maxproc-max=50:\%0a%3c :openfiles-cur=512:\%0a%3c :openfiles-max=1024:\%0a%3c :memoryuse-cur=32M:\%0a%3c :memoryuse-max=64M:\%0a%3c :vmemoryuse-cur=64M:\%0a%3c :vmemoryuse-max=128M:\%0a%3c :memorylocked-cur=32M:\%0a%3c :memorylocked-max=64M:\%0a%3c :stacksize-cur=32M:\%0a%3c :stacksize-max=64M:\%0a%3c :localcipher=blowfish,a:\%0a%3c :minpasswordlen=10:\%0a%3c :requirehome@:\%0a%3c :umask=022:%0a---%0a> :maxproc-cur=50:\%0a> :maxproc-max=100:\%0a> :openfiles-cur=512:\%0a> :openfiles-max=1024:\%0a> :memoryuse-cur=32M:\%0a> 
:memoryuse-max=64M:\%0a> :vmemoryuse-cur=64M:\%0a> :vmemoryuse-max=128M:\%0a> :memorylocked-cur=32M:\%0a> :memorylocked-max=64M:\%0a> :stacksize-cur=32M:\%0a> :stacksize-max=64M:\%0a> :localcipher=blowfish,a:\%0a> :minpasswordlen=10:\%0a> :requirehome@:\%0a> :umask=022:%0a host:1623404219=38.81.163.143 author:1623404169=jrmu diff:1623404169:1623403760:=275c275%0a%3c free:\%0a---%0a> freeshell:\%0a host:1623404169=38.81.163.143 author:1623403760=jrmu diff:1623403760:1611800974:=274,293d273%0a%3c [@%0a%3c freeshell:\%0a%3c :maxproc-cur=50:\%0a%3c :maxproc-max=100:\%0a%3c :openfiles-cur=512:\%0a%3c :openfiles-max=1024:\%0a%3c :memoryuse-cur=32M:\%0a%3c :memoryuse-max=64M:\%0a%3c :vmemoryuse-cur=64M:\%0a%3c :vmemoryuse-max=128M:\%0a%3c :memorylocked-cur=32M:\%0a%3c :memorylocked-max=64M:\%0a%3c :stacksize-cur=32M:\%0a%3c :stacksize-max=64M:\%0a%3c :localcipher=blowfish,a:\%0a%3c :minpasswordlen=10:\%0a%3c :requirehome@:\%0a%3c :umask=022:%0a%3c @]%0a%3c %0a339c319%0a%3c %3c/code>%0a---%0a> %3c/code>%0a\ No newline at end of file%0a host:1623403760=38.81.163.143 author:1611800974=jrmu diff:1611800974:1597239367:=0a1%0a> %0a113,114d113%0a%3c %0a%3c [[Guava/Packages|Packages installed]]%0a host:1611800974=125.231.24.226 author:1597239367=jrmu diff:1597239367:1597239367:=1,318d0%0a%3c %0a%3c ====== Creating a folder tree ======%0a%3c %0a%3c Create a new folder tree for hosting web server resources and additional services.%0a%3c %0a%3c %3ccode>%0a%3c doas mkdir -p /home/www/acme%0a%3c doas mkdir -p /home/www/bin%0a%3c doas mkdir -p /home/www/cache%0a%3c doas mkdir -p /home/www/cgi-bin%0a%3c doas mkdir -p /home/www/conf%0a%3c doas mkdir -p /home/www/htdocs%0a%3c doas mkdir -p /home/www/logs%0a%3c doas mkdir -p /home/www/run%0a%3c doas mkdir -p /home/www/tmp%0a%3c doas mkdir -p /home/www/usr%0a%3c %3c/code>%0a%3c %0a%3c ====== Setting directory owners ======%0a%3c %0a%3c Next, you need to set the correct owners for the new folder tree.%0a%3c %0a%3c %3ccode>%0a%3c doas chown 
root:daemon /home/www/acme%0a%3c doas chown root:daemon /home/www/bin%0a%3c doas chown www:daemon /home/www/cache%0a%3c doas chown root:daemon /home/www/cgi-bin%0a%3c doas chown root:daemon /home/www/conf%0a%3c doas chown root:daemon /home/www/htdocs%0a%3c doas chown root:daemon /home/www/logs%0a%3c doas chown root:daemon /home/www/run%0a%3c doas chown www:www /home/www/tmp%0a%3c doas chown root:daemon /home/www/usr%0a%3c %3c/code>%0a%3c %0a%3c ====== Copying service files ======%0a%3c %0a%3c The next step is to copy the old files into the new folder tree.%0a%3c %0a%3c %3ccode>%0a%3c doas cp /var/www/bin/* /home/www/bin/%0a%3c doas chown root:bin /home/www/bin/*%0a%3c doas cp /var/www/cgi-bin/* /home/www/cgi-bin/%0a%3c doas chown root:bin /home/www/cgi-bin/*%0a%3c doas cp /var/www/conf/* /home/www/conf/%0a%3c doas chown root:wheel /home/www/conf/*%0a%3c doas mkdir -p /home/www/usr/sbin%0a%3c doas chown root:daemon /home/www/usr/sbin%0a%3c doas cp /var/www/usr/sbin/sendmail /home/www/usr/sbin/sendmail%0a%3c doas chown root:daemon /home/www/usr/sbin/sendmail%0a%3c %3c/code>%0a%3c %0a%3c ====== Stopping services ======%0a%3c %0a%3c You need to stop the web server and its additional services.%0a%3c %0a%3c %3ccode>%0a%3c doas rcctl -d stop httpd%0a%3c doas rcctl -d stop php73_fpm%0a%3c %3c/code>%0a%3c %0a%3c ====== Making changes to the configuration ======%0a%3c %0a%3c The next step is to make changes to the configuration files of the web server and its services.%0a%3c %0a%3c /etc/httpd.conf:%0a%3c %3ccode>%0a%3c chroot "/home/www"%0a%3c %3c/code>%0a%3c %0a%3c /etc/php-fpm.conf:%0a%3c %3ccode>%0a%3c listen = /home/www/run/php-fpm.sock%0a%3c chroot = /home/www%0a%3c %3c/code>%0a%3c %0a%3c ====== Email security settings ======%0a%3c Setting the minimum rights for the mail system%0a%3c %3ccode>%0a%3c doas chmod 640 /etc/mail/domains%0a%3c doas chmod 640 /etc/mail/vusers%0a%3c doas chmod 640 /etc/mail/hosts%0a%3c doas chmod 640 /etc/mail/passwd%0a%3c doas chmod 640 
/etc/mail/vusers%0a%3c doas chmod 640 /etc/mail/smtpd.conf%0a%3c doas chown _dovecot:_dovecot /etc/dovecot/dovecot.conf%0a%3c doas chown _dovecot:_dovecot /etc/dovecot/users.txt%0a%3c doas chmod 640 /etc/dovecot/dovecot.conf%0a%3c doas chmod 640 /etc/dovecot/users.txt%0a%3c %3c/code>%0a%3c %0a%3c First make sure to set quotas%0a%3c %0a%3c Second, make sure to change file permissions for%0a%3c %0a%3c /home/username%0a%3c %0a%3c We symlinked /htdocs inside each user's home folder to /var/www/htdocs/%3cusername>%0a%3c %0a%3c We installed%0a%3c %0a%3c Inside /etc/httpd.conf:%0a%3c %0a%3c %3ccode>%0a%3c location "/~username/*" {%0a%3c root "/htdocs/username"%0a%3c request strip 1%0a%3c }%0a%3c %3c/code>%0a%3c %0a%3c Update: hiding logs was causing problems%0a%3c %0a%3c We also hide logs in /var/logs and /var/www/logs%0a%3c %0a%3c Packages installed:%0a%3c %0a%3c %3ccode>%0a%3c ImageMagick-6.9.10.62 image processing tools%0a%3c alpine-2.21p3 UW e-mail client%0a%3c anthy-9100hp2 japanese input method%0a%3c antiword-0.37p0 converts MSWord Documents to ASCII Text and PostScript%0a%3c apr-1.6.5p0 Apache Portable Runtime%0a%3c apr-util-1.6.1p2 companion library to APR%0a%3c argon2-20171227 C implementation of Argon2 - password hashing function%0a%3c aspell-0.60.6.1p10 spell checker designed to eventually replace Ispell%0a%3c bash-5.0.11 GNU Bourne Again Shell%0a%3c boehm-gc-7.6.0p3 garbage collection and memory leak detection for C and C++%0a%3c boost-1.66.0p7 free peer-reviewed portable C++ source libraries%0a%3c bzip2-1.0.8 block-sorting file compressor, unencumbered%0a%3c cmake-3.15.3v0 portable build system%0a%3c coreutils-8.31p1 file, shell and text manipulation utilities%0a%3c curl-7.66.0 get files from FTP, Gopher, HTTP or HTTPS servers%0a%3c cvsps-2.1p2 generate patchsets from CVS repositories%0a%3c cyrus-sasl-2.1.27p1 RFC 2222 SASL (Simple Authentication and Security Layer)%0a%3c db-4.6.21p7v0 Berkeley DB package, revision 4%0a%3c desktop-file-utils-0.24p0 utilities 
for dot.desktop entries%0a%3c djvulibre-3.5.27p6 view, decode and encode DjVu files%0a%3c docx2txt-1.4p0 command line converter from Microsoft docx to ASCII text%0a%3c elvis-2.2.0p5-no_x11 clone of the ex/vi text editor%0a%3c emacs-26.3-no_x11 GNU editor: extensible, customizable, self-documenting%0a%3c fdm-2.0 fetch, filter and deliver mail%0a%3c fetchmail-6.3.26p3 mail retrieval utility for POP2, POP3, KPOP, IMAP and more%0a%3c fftw3-3.3.8p1 C routines for computing the Discrete Fourier Transform%0a%3c fftw3-common-3.3.8p1 common files for the fftw3 packages%0a%3c figlet-2.2.5 generates ASCII banner art%0a%3c gawk-5.0.0p0 GNU awk%0a%3c gdk-pixbuf-2.38.2 graphic library for gtk+2%0a%3c geomyidae-0.34 Gopher protocol daemon%0a%3c gettext-runtime-0.20.1p0 GNU gettext runtime libraries and programs%0a%3c giflib-5.1.6 tools and library routines for working with GIF images%0a%3c git-2.23.0 GIT - Tree History Storage Tool%0a%3c glib2-2.60.7 general-purpose utility library%0a%3c gmake-4.2.1p4 GNU make%0a%3c gnupg-1.4.23p3 GNU privacy guard - a free PGP replacement%0a%3c gnupg-2.2.12p0 GNU privacy guard - a free PGP replacement%0a%3c got-0.17 game of trees version control system%0a%3c groff-1.22.4p0 GNU troff typesetter%0a%3c gtk-update-icon-cache-3.24.12 gtk+ icon theme caching utility%0a%3c hicolor-icon-theme-0.17 fallback theme of the icon theme specification%0a%3c icu4c-64.2p0 International Components for Unicode%0a%3c ii-1.7p3 minimalist IRC client%0a%3c irssi-1.2.2 modular IRC client with many features%0a%3c jasper-2.0.14 reference implementation of JPEG-2000%0a%3c jbigkit-2.1 lossless image compression library, with lightweight version%0a%3c jpeg-2.0.3v0 SIMD-accelerated JPEG codec replacement of libjpeg%0a%3c jq-1.6p0 lightweight and flexible command-line JSON processor%0a%3c jsoncpp-1.8.4p2 JSON parsing C++ API%0a%3c lcms2-2.9p0 color management library%0a%3c ledger-3.1.1p4 command line double-entry accounting ledger%0a%3c libarchive-3.4.0 multi-format archive 
and compression library%0a%3c libb2-0.98.1v0 library providing BLAKE2b, BLAKE2s, BLAKE2bp, BLAKE2sp%0a%3c libffi-3.2.1p5 Foreign Function Interface%0a%3c libiconv-1.16p0 character set conversion library%0a%3c libidn2-2.3.0 implementation of IDNA2008 internationalized domain names%0a%3c libraw-0.19.5 library for reading RAW files%0a%3c libtasn1-4.14 Abstract Syntax Notation One structure parser library%0a%3c libunbound-1.9.4 validating DNS resolver library%0a%3c libunistring-0.9.7 manipulate Unicode strings%0a%3c libuv-1.30.1 multi-platform library for asynchronous I/O%0a%3c libwebp-1.0.3 Google WebP image format conversion tool%0a%3c libxml-2.9.9 XML parsing library%0a%3c links-1.03p0 text browser, displays while downloading%0a%3c lua-5.3.5 powerful, light-weight programming language (version 5.3.5)%0a%3c lynx-2.8.9rel1p0 text web browser%0a%3c lz4-1.9.2 fast BSD-licensed data compression%0a%3c mariadb-client-10.3.20v1 multithreaded SQL database (client)%0a%3c mariadb-server-10.3.20v1 multithreaded SQL database (server)%0a%3c mawk-1.3.4.20171017 fast POSIX-compliant awk%0a%3c mcabber-1.1.0p4 console jabber client%0a%3c mercurial-5.0.2 fast, lightweight source control management%0a%3c multitail-6.4.2p0 multi-window tail(1) utility%0a%3c mutt-1.12.2v3-sasl tty-based e-mail client%0a%3c nano-4.4 simple editor, inspired by Pico%0a%3c neovim-0.3.8 continuation and extension of Vim%0a%3c newsboat-2.15p0 RSS/Atom feed reader for text terminals%0a%3c nghttp2-1.39.2 library for HTTP/2%0a%3c ngircd-25 lightweight irc server%0a%3c node-10.16.3 V8 JavaScript for clients and servers%0a%3c nvi-2.1.3p2 ex/vi text editor with wide character support%0a%3c oath-toolkit-2.6.2p1 toolkit for OATH/HOTP and TOTP%0a%3c openjp2-2.3.1 open-source JPEG 2000 codec library%0a%3c p11-kit-0.23.18.1 library for loading and enumerating PKCS#11 modules%0a%3c pcre-8.41p2 perl-compatible regular expression library%0a%3c php-7.3.12 server-side HTML-embedded scripting language%0a%3c pico-5.09p20 UW 
text editor%0a%3c pkglocatedb-1.5 database of packages for use with locate(1)%0a%3c png-1.6.37 library for manipulating PNG images%0a%3c profanity-0.7.1 console based XMPP client%0a%3c py-pip-19.1.1 tool for installing Python packages%0a%3c py3-neovim-0.3.2p0 Python plugin support for Neovim%0a%3c py3-pip-19.1.1 tool for installing Python packages%0a%3c python-2.7.16p1 interpreted object-oriented programming language%0a%3c python-3.7.4 interpreted object-oriented programming language%0a%3c quirks-3.182 exceptions to pkg_add rules%0a%3c rhash-1.3.5p0 utility and library for computing hash sums%0a%3c rsync-3.1.3 mirroring/synchronization over low bandwidth links%0a%3c ruby-2.6.5 object oriented script language with threads%0a%3c rust-1.38.0 compiler for Rust Language%0a%3c sacc-1.00 simple console gopher client%0a%3c screen-4.6.2 multi-screen window manager%0a%3c shared-mime-info-1.10p5 shared mime database for desktops%0a%3c sic-1.2p1 simple irc client%0a%3c slrn-1.0.2p2 SLang-based newsreader%0a%3c sqlite3-3.29.0 embedded SQL implementation%0a%3c subversion-1.12.2 subversion revision control system%0a%3c tcsh-6.20.00p1 extended C-shell with many useful features%0a%3c tiff-4.0.10 tools and library routines for working with TIFF images%0a%3c tree-0.62 print ascii formatted tree of a directory structure%0a%3c trn-4.0.77p2 threaded newsreader%0a%3c uim-1.8.8p0 multilingual input method library%0a%3c uim-chewing-0.1.0p2 chewing input method for uim%0a%3c unzip-6.0p12 extract, list & test files in a ZIP archive%0a%3c vim-8.1.2061-no_x11 vi clone, many additional features%0a%3c w3m-0.5.3p8 pager/text-based web browser%0a%3c weechat-2.6 fast, light and extensible chat client%0a%3c wget-1.20.3p1 retrieve files from the web via HTTP, HTTPS and FTP%0a%3c xlsx2csv-20150318p1 convert XLSX files to CSV%0a%3c xz-5.2.4 LZMA compression and decompression tools%0a%3c zh-fonts-kc-1.05p2 extra chinese fonts%0a%3c zh-libchewing-0.5.1p0 intelligent phonetic input method library%0a%3c 
zip-3.0p1 create/update ZIP files compatible with PKZip(tm)%0a%3c zstd-1.4.3 zstandard fast real-time compression algorithm%0a%3c %3c/code>%0a%3c %0a%3c To set the user's default prompt to "username$ ", stick this into /etc/profile:%0a%3c %0a%3c %3ccode>%0a%3c export PS1="`whoami`$ "%0a%3c %3c/code>%0a%3c %0a%3c %3ccode>%0a%3c # chmod -R o-rx /var/log%0a%3c # chmod o-rx /var/run/utmp%0a%3c # chmod o-r /var/log/wtmp*%0a%3c %3c/code>%0a%3c %0a%3c Seems like there is no way to hide processes from users:%0a%3c %0a%3c http://openbsd-archive.7691.n7.nabble.com/KERNEL-PATCH-add-process-hiding-fixed-td309339.html%0a%3c %0a%3c %3ccode>%0a%3c # chmod 750 /var/www/logs/%0a%3c # chmod 640 /var/www/logs/*%0a%3c # chmod 750 /var/log%0a%3c # chmod o-rx /var/log/*%0a%3c # chmod -R o-rx /etc/mail%0a%3c %3c/code>%0a%3c %0a%3c to turn accounting on.. only users love making use of it too%0a%3c %0a%3c add login.conf rules%0a%3c %0a%3c For each new user:%0a%3c %0a%3c %3ccode>%0a%3c # adduser%0a%3c # chmod 700 /home/username /home/username/.ssh%0a%3c # chmod 600 /home/username/{.Xdefaults,.cshrc,.cvsrc,.login,.mailrc,.profile}%0a%3c # mkdir /var/www/htdocs/username%0a%3c # ln -s /var/www/htdocs/username /home/username/htdocs%0a%3c # chown username:username /var/www/htdocs/username /home/username/htdocs%0a%3c # edquota username%0a%3c %3c/code>%0a%3c %0a%3c In /etc/httpd.conf:%0a%3c %0a%3c %3ccode>%0a%3c location "/~username/*" {%0a%3c root "/htdocs/username"%0a%3c request strip 1 %0a%3c }%0a%3c %3c/code>%0a%3c %0a%3c In nsd zone files, create 1 subdomain per user so users get: username.shell.ircnow.org%0a%3c %0a%3c any new suid binary's with %0a%3c %3ccode>%0a%3c # find / -perm -4000%0a%3c %3c/code>%0a%3c %0a%3c Check /etc/groups to make sure that no user is a member of wheel. 
This will prevent them from su to root even if they know the password.%0a%3c %0a%3c In /etc/ssh/sshd_config, turn off X11 forwarding%0a%3c %0a%3c Create symlinks for users so they don't complain:%0a%3c %0a%3c %3ccode>%0a%3c ln -s /usr/local/bin/tclsh8.6 /usr/local/bin/tclsh%0a%3c ln -s /usr/local/bin/python3.7 /usr/local/bin/python%0a%3c %3c/code>%0a%3c %0a%3c You will want to have /var/www/etc/resolv.conf to allow DNS lookup inside the chroot:%0a%3c %0a%3c %3ccode>%0a%3c # mkdir /var/www/etc/%0a%3c # cp /etc/resolv.conf /var/www/etc/%0a%3c # chown -R www:daemon /var/www/etc%0a%3c %3c/code>%0a\ No newline at end of file%0a host:1597239367=38.81.163.143