Niall Donaghy

OpenBSD sshd hardening with pf and sshguard

Tue, 07 Apr 2026 01:57:29 +0100

Goals:

a sane sshd configuration
a sane pf configuration
optional: add sshguard (but recommended)

setup SSH for your main user

Your main user is not root. :)

Change to your regular user and setup SSH dirs:

su - niall
mkdir -p /home/niall/.ssh
chmod 700 /home/niall/.ssh
chown niall:niall /home/niall/.ssh
# add pubkey(s) you want to be authorised for login
nano /home/niall/.ssh/authorized_keys
<paste in>

Default /etc/ssh/sshd_config has key-based login enabled, so test it now:

Installing OpenBSD 7.8

Tue, 07 Apr 2026 01:33:03 +0100

This guide is VirtualBox-centric, but most everything will translate to your hypervisor or bare metal of choice.

Materials

Installation ISO:

cd78.iso - you will download packages from network
install78.iso - self-contained

Hypervisor

Create a new VM with the required CPU, RAM, and storage specs, and mount the ISO to boot from it and begin installation.

VirtualBox-specific notes:

Network: If using wifi on host, use NAT mode for the NIC; bridge mode performance tanks (does not apply if host is wired).
Storage: make “IDE” type PIIX4, attach ISO there, make “ACHI” type ACHI, enable host IO cache, and attach VDI there.
VDI: Can tick Solid-state drive.
Don’t be tempted by UEFI mode, you will have boot issues.
Don’t be tempted by NVMe mode, disk will deadlock during install; ACHI is faster in Vbox anyway!

Installation

network

Follow instructions to set autoconf(DHCP) or static IP addressing and gateway, DNS, etc. In this doc, in post-install tasks, instructions given to convert DHCP config to static config

OpenBSD httpd Basic Setup With Auto Index and Cgi

Tue, 07 Apr 2026 00:43:38 +0100

Setting up httpd webserver, and you want:

some static html please
display a directory listing autoindex style
try a dumb CGI script because why not?

This is basic tyre-kicking; please read my other posts on making a more complete httpd (and system, for that matter) configuration.

create a basic /etc/httpd.conf

types { include "/usr/share/misc/mime.types" }

server "default" {
        listen on * port 80
        root "/htdocs"

        location "/cgi-bin/*" {
                root "/"
                fastcgi socket "/run/slowcgi.sock"
        }
}

enable slow cgi on boot, start it

rcctl enable slowcgi
rcctl start slowcgi

create our test files

static

echo "Hello from OpenBSD httpd." | tee /var/www/htdocs/index.html

cgi

nano /var/www/cgi-bin/ip.cgi, and paste in:

#!/bin/sh
echo "Content-Type: text/plain"
echo ""
echo "Hello from OpenBSD httpd."
echo "Your IP is ${REMOTE_ADDR:-unknown}."

Note: This is for example only; I don’t endorse serving up #!/bin/sh via your webserver. :)

OpenBSD Disabling Unused Services

Tue, 07 Apr 2026 00:10:44 +0100

Whilst setting up this OpenBSD VPS I trimmed some unused services. Secure by default, but securer when not running. :)

check_quotas

There are disk quota checks at boot, however, I am not using quotas:

doas rcctl disable check_quotas
doas rcctl stop check_quotas

dhcpleased

The DHCP client daemon; this is not needed as I am using a static IP:

doas rcctl disable dhcpleased
doas rcctl stop dhcpleased

slaacd

IPv6 stateless autoconfiguration; disable if you are not using IPv6, I am not:

OpenBSD httpd TLS Certificate

Mon, 06 Apr 2026 23:24:03 +0100

Migrating OpenBSD httpd from HTTP to HTTPS

LetsEncrypt offer free TLS certs and have a nice ACME clients to handle auto-renewal. Here’s how to implement on OpenBSD, assuming you have your httpd server up and running on port 80 already.

For example you might have some basic /etc/httpd:

types { include "/usr/share/misc/mime.types" }

server "ndonaghy.com" { 
	listen on * port 80 
	root "/htdocs" 
	location "/stuff/*" { 
		directory { 
			auto index
		} 
	} 
}

Step 1: Add acme-challenge location

Add this location directive to /etc/httpd.conf:

ZFS on Ubuntu

Sun, 05 Apr 2026 00:44:32 +0100

Goals

Build a NAS on low-power TinyPC (Thinkcentre M910q, i5 6500T, 8GB RAM)
Ubuntu 24.04.4 LTS
ZFS pools and filesystem with auto-snapshots
Serve via NFS and SMB
ZFS snapshots / Previous Versions working on Windows clients
Enable smartd monitoring
Send Telegram alerts for smartd and ZED events
Sensible tuning

Intro

This PC is also my living-room media player, so this is an always-on, low budget, and low power draw (< 15W idle) build. Being a TinyPC, I chose to add storage via USB-attached SCSI caddies (UASP).

Hugo

Sun, 05 Apr 2026 00:23:04 +0100

Hugo: getting started

Install

There are multiple ways to obtain and install - eg: distro package manager, github binary, compile source. Check the docs and choose what works best for you.

I am going with a recent binary:

cd /tmp
wget https://github.com/gohugoio/hugo/releases/download/v0.159.2/hugo_extended_0.159.2_linux-amd64.tar.gz
tar -xzf hugo_extended_0.159.2_linux-amd64.tar.gz
sudo mv hugo /usr/local/bin/
hugo version

Create site

Here I am working in my git repo which has an existing README.md file, so use –force to create despite the directory not being empty:

Forgejo Basic Setup

Sat, 04 Apr 2026 22:00:38 +0100

Setting up local Git server and Forgejo front-end

Guide should be transferable to many systems, but here using Ubuntu 24.04 on both hosts.

Create system account “git”

This will also implicitly create the group “git”:

sudo useradd \
  --system \
  --shell /bin/bash \
  --home /srv/forgejo \
  --comment 'Forgejo Git Service' \
  git

Create ZFS datasets, tune them, set mountpoints

Arguably overkill but I will create separate datasets for repos, data, log. Operationally this is useful to rollback forgejo via ZFS snapshot, but leave repos untouched. For light personal use a single dataset is also fine and perhaps preferable - make your call.

About

Fri, 03 Apr 2026 03:15:12 +0100

# I like computing and networking.
# This is my distributed cognition system.
#
# email: niall@ndonaghy.com