Lock Down Your Laptop With OpenBSD
In today's hyper-connected world, it grows increasingly important to have all devices that have an internet connection locked down- not for hiding data but to protect from having day-to-day life completely sabotaged. One may have already locked down their accounts and data about them online, but what if they want to “amp it up” to the next level?
It's known that by using Windows or MacOS, you have agreed to Terms of Service that include the upload of their private files to their infrastructure- even if you didn't want it to go on the internet. In Microsoft-Land, this means all your files are scanned and uploaded to Microsoft's infrastructure where they can build a profile on you. Apple happens to engage in similar practices. On top of this, Windows is known for having the most viruses and rootkits in the world while MacOS currently has the record for the most adware in the world. Viruses and rootkits are basically system exploits, while adware is an attack on the web browser, forcing ads to pop up even if you have an ad blocker.
To add further discomfort, the leaks made by ex-CIA/NSA official Edward Snowden from years past verified that there is something called FISA court- a top secret US-based court of law that issues warrants for surveillance. Snowden took huge issues when he learned that the CIA and NSA built this program named XKeyScore, which behaves like a search engine that collects ALL information about people, including private things like Social Security Numbers and text messages. To do this, the FISA courts “rubber-stamped” (and still do) every surveillance request made by the CIA or NSA- allowing them to spy on U.S. Citizens without due process. Nowadays, laws have since been passed where FISA courts are irrelevant and the CIA and NSA can continue to do this.... And if the CIA and NSA are capable of gathering all the info you'd rather keep private, so is the stalker... or the creepy person next door... or the angry ex-husband/ex-wife...
OpenBSD began in 1995, where the founder Theo De Raadt took issue with the design approach of NetBSD- which traces it's ancestral roots all the way back to the original UNIX from the early 1980's. De Raadt was (and still is) a firm believer in correctness of code, extensive auditing of the code, and extreme levels of security. OpenBSD is widely considered to be the most secure Operating System on the planet, with the most bleeding edge technologies in cryptography and so on- to the point where some countries ban the OS for import even though that's unenforceable thanks to the internet. It is known for having sane and secure defaults in the installation, and several audits of the entire system's source code yearly. They are responsible for the invention of the applications
pledge(). If familiar with any Linux/Unix command line, it's easy enough to notice that they invented some of the most common protocols utilized in locking down a system.
So let's get this set up on a laptop!
What You'll Need
- A laptop with an Intel CPU that you don't mind wiping the hard drive of, ideally with an Intel Wireless AC 7260 wireless card or older
- A 2 gb or larger flash drive
- A wired and wireless network connection (We'll be messing with both)
- An ethernet adapter if your laptop doesn't have an ethernet jack
For this installation, I used a Thinkpad T460 which has a 6th gen Intel i7 and (actually) an Intel Wireless AC 8260 WiFi Card.
Note: This tutorial is relevant to OpenBSD 6.7 and probably works for 6.6 as well. Because OpenBSD changes, the install method is subject to change over time as well.
Making The Install USB
First things first, we need to fetch a copy of the OpenBSD installer and flash it to our thumb drive. On Linux and MacOS, connect to the internet and run this command to download the image to your Downloads folder:
cd ~/Downloads && curl -OJ https://cdn.openbsd.org/pub/OpenBSD/6.7/amd64/install67.fs
Now for Linux, use
lsblk to verify what the disk name is, or on MacOS use
diskutil list to do the same.
Now run the command
sudo dd if=~/Downloads/install67.fs of=/dev/<DISK> bs=1M, replacing
<disk> with the name of the disk as recognized by the system. This will create the USB installer on these systems.
On Windows, download Win32DiskImager and download the OpenBSD image at curl -OJ https://cdn.openbsd.org/pub/OpenBSD/6.4/amd64/install64.fs. Use Win32DiskImager to flash OpenBSD to your thumb drive.
Booting The Installer
Great, we have our install USB. Now we need to power off, plug our Ethernet adapter in, connect the device via wired network, and plug our USB thumb drive in (while the machine is still off). Once this is done, pressing the power button again will show the boot screen and there's a key to spam to “Enter Setup”. Commonly this is F12 or Delete. Here's an idea of what to look for:
A BIOS Boot Menu.
Use the arrow keys to highlight your USB and press “Enter” to boot from the OpenBSD Installer.
Performing The Installation
You should now be greeted by a terminal-based prompt asking you to
(I)nstall, (U)pgrade, (A)utoinstall, or (S)hell:. We are going to type
I here and press the enter key. Before we continue, it's important to note that the entire installation process is relatively simple in the sense that all the user needs to do is type the correct things in and the installer will do the rest.
First hurdle is the network connection- assuming you have an Intel wired network card (most laptops do), the ethernet device should be labelled
em1. Configure this with dhcp. We cannot use wifi at the moment since the firmware isn't installed. It will also ask you if you wish to enable ssh, say no (this is a laptop) and don't allow root SSH login. Enable Xenodm- that's critical for a desktop, which can be configured later. You'll also be asked for the root user password and if you want to create additional users. for additional user creation, type your username and type a password.
We're almost done with the install! It will promptly ask what disk is your root disk. Since we're unsure, press
? and press enter. It should list something like
sd0: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 254.3 G sd1: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 15.6 G
Note: I redacted the names of my hard drives for privacy protection, but you will see the hard drive name and a little additional info in place of the X'es.
Awesome! Since we know we want to install to
sd0 now, we type that in and press enter.
The last thing the installer needs is information on the “Location of Sets”. This is BSD speak for where to find the files to install to the disk are. Since we have a network connection, let's use it and type
http. It will promptly ask for a mirror, so type
1 and press enter (this will select the fastest mirror for you). Then press enter again.
There's a prompt to deselect sets you don't wish to install. This is for a more advanced installation and unnecessary as the default install is only 500-600 mb anyway. Proceed and continue with the install and it will fetch the latest and greatest OpenBSD software for your OS and install it for you. When done, the user just needs to hit “reboot” and remove the thumb drive.
Getting WiFi Working
All firmware will automatically install if you left the ethernet cable in after rebooting from the installer. Before rebooting to use the new firmware, let's apply the latest and greatest security patches for our system to finish the installation. Login as the “root” user and open a terminal. Now type
syspatch and wait a few minutes for this to complete. When done, we can type
halt -p to poweroff the system. From here, we can remove the ethernet cable and power back on.
Once the bootup is completed, we need to log in the “root” user once more to build our wireless configuration file, called
hostname.if. First things first, run
ifconfig in the terminal to verify the wireless card's name. The 3 most common ones to encounter are
ath with a number following them. In my case, my wireless card is recognized as
iwm0 and will use that for the rest of my examples. From here on out, replace
iwm0 with the name of your WiFi card.
Let's scan for WiFi Networks by running the following commands in the terminal:
ifconfig iwm0 up ifconfig iwm0 scan
The first command gives the WiFi card some juice, the other scans for networks and returns the results. Read these results and look for something saying
BSSID. This is the name of the network to connect to. Make a note of this.
Now, we need to put contents in
/etc/hostname.iwm0 (again, replace iwm0 with the name of your card!) Type
vi /etc/hostname.iwm0 and a text editor will open, called vi.
I key to enter “insert mode”, and type the following:
# This Config File Designed by c0ffee.net join "YOUR_SSID" wpakey "YOUR_PASSPHRASE" # Swap with Your WiFi # you can specify other networks here too, in order of priority: # join "WORK_SSID" wpakey "WORK_PASSPHRASE" # join "OPEN_COFFEE_SHOP" dhcp inet6 autoconf up powersave
When done, press the
Esc key then type in sequence
:wq to save and exit. What we just did was told OpenBSD to automatically attempt connecting to the wireless hotspot you specified, then attempt to get an IP (network) address and give the card some juice. You can add more WiFi hotspots as time goes on to this config as well and it will attempt to connect in order of first to last.
With this done, reboot the system and during boot you should see mention of “Lease Accepted” for your WiFi card.
With the basic installation out of the way, stick around for part 2 where we configure a desktop to go with this nice new OpenBSD installation.
Liked This Content? Check Out Our Discord Community and Become an email subscriber!