Security

2025

• Keeping OpenBSD Up To Date

  Dec 24

  NOTE: Feel Free To Skip Ahead

  OpenBSD Release Model Explained

  OpenBSD uses a strict, time-based release model focused on predictability and continuous development. OpenBSD releases new versions on a fixed six-month cycle.

  Flavors

  OpenBSD maintains three distinct “flavors” of the operating system simultaneously:

  -release: The official, static version of the OS released every six months (e.g., 7.5, 7.6). It is intended for users who prioritize stability and do not need the absolute latest features.

• Useful Links

  Apr 29

  An eclectic collection of useful URLs

  I highly recommend reading official documentation first. I have provided a curated list of websites which I personally consider useful.

  OpenBSD

  Main OpenBSD Sites

  • OpenBSD Main Site https://www.openbsd.org
  • OpenBSD FAQs https://www.openbsd.org/faq/index.html
  • OpenBSD Manpages https://man.openbsd.org
  • OpenBSD Patches https://www.openbsd.org/errata76.html
  • OpenBSD Download https://www.openbsd.org/faq/faq4.html#Download

  OpenBSD Projects

  • OpenSSH https://www.openssh.com
  • LibreSSL https://www.libressl.org
  • OpenBGPD https://www.openbgpd.org
  • OpenNTPD https://www.openntpd.org
  • OpenSMTPD https://www.opensmtpd.org

  Keeping OpenBSD Alive

  • The OpenBSD Foundation https://www.openbsdfoundation.org

  Other OpenBSD Related Sites

  Hosting

• Sysctl Hardening

  Apr 29

  /etc/sysctl.conf - hardening

  Official OpenBSD Documentation

  sysctl(8) manpage - https://man.openbsd.org/sysctl.8

  sysctl.conf(5) manpage - https://man.openbsd.org/sysctl.conf.5

  malloc(3) manpage - https://man.openbsd.org/free

  Sysctl Parameter	Description
  ddb.panic=0	Reboot on a panic, instead of dropping into the debugger.
  ddb.console=0	Prevent entry into the kernel debugger.
  net.inet.ip.forwarding=0	Prevent inet4 forwarding for standalone workstations ( unless needed ).
  machdep.allowaperature=0	For systems that don’t run X.
  vm.malloc_conf=CFGU	Individual arguments explained below.
  C ( Cache disabled )	Reduces the chance that sensitive data ( like passwords, keys, etc ) remains in memory after being freed.
  F ( Free junking )	Easier to detect user-after-free bugs ( access to freed memory ), and prevents old data from leaking if memory is later misused.
  G ( Guard pages )	Helps catch buffer overflows immediately by causing a segmentation fault when memory writes go past their bounds.
  U ( Use junking )	Helps catch bugs where programs wrongly assume newly allocated memory.

  Server Example - /etc/sysctl.conf

  ddb.panic=0
  ddb.console=0
  vm.malloc_conf=CFGU
  net.inet.ip.forwarding=0
  machdep.allowaperature=0
  

  Firewall Example - /etc/sysctl.conf

  ddb.panic=0
  ddb.console=0
  vm.malloc_conf=CFGU
  net.inet.ip.forwarding=1
  machdep.allowaperature=0
  

  Workstation Example - /etc/sysctl.conf

  ddb.panic=1
  ddb.console=1
  vm.malloc_conf=CFGU
  net.inet.ip.forwarding=0
  machdep.allowaperature=1
  

  Thanks to the author of the following page for teaching me about the malloc stuff: