User Tools

Site Tools

Trace:
vps_-_freebsd

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
vps_-_freebsd [2023/09/12 05:08] hc9vps_-_freebsd [2024/04/10 03:55] (current) – [Package Management] {AB hc9
Line 1: Line 1:
 +{{example:example.png?nolink&150|}}\\
 +<nowiki>====== FreeBSD on SDF VPS ======</nowiki>
 +
 +====== FreeBSD Setup and Configuration ======
 +
 +===== User Accounts =====
 +
 +After your FreeBSD image has been installed and started, connect to the console and log-in as user ''root'' with the default password ''root''.
 +
 +Change the //root// password using the ''passwd'' command. There is no way to recover this password. Don't lose it.
 +
 +It's standard practice to create a regular user account for general use, using ''su'' to acquire root privileges as needed. Create a regular user account with the command ''adduser'', following the setup prompts to create the user. Adding the user to the ''wheel'' group during setup will place them in the default administrative group.
 +
 +If ''adduser'' gives a warning that the user "disappeared during update", check the following: 
 +
 +  * The default user home directory is present at ''/usr/home'' and
 +  * ''/etc/home'' is symlinked to ''/usr/home''
 +
 +Once the default directory and the symlink are present, run:
 +
 +<code>
 +
 +  $ /usr/sbin/pwd_mkdb -p /etc/master.password    # sync the databases
 +  $ rmuser <username>                       # Remove partial user
 +
 +</code>
 +
 +Run ''adduser'' again to create the new user.
 +
 +===== Networking =====
 +
 +Take note of the HOSTNAME and EXTERNAL_IP from the first line of your vps control panel.
 +
 +<file>
 +
 +VPS Maintenance Shell for freebsd99 (205.166.94.nnn)
 +                          ---------  --------------
 +                          ^          ^
 +                          |          |
 +                          |          EXTERNAL_IP
 +                          HOSTNAME
 +
 +</file>
 +
 +Open ''/etc/rc.conf'' in an editor and make sure that the following lines are present, replacing HOSTNAME and EXTERNAL_IP with the correct values.
 +
 +<file config /etc/rc.conf>
 +
 +  hostname="HOSTNAME"
 +  ifconfig_xn0="inet EXTERNAL_IP netmask 255.255.255.0"
 +  defaultrouter="205.166.94.1"
 +
 +</file>
 +
 +Inspect ''/etc/resolv.conf'' and insure that the name server is set to ''205.166.94.24''.
 +
 +Run ''service netif restart && service routing restart'' to restart network services.
 +
 +===== Package Management =====
 +
 +FreeBSD uses ''pkg'' as a package manager. It can be initialized by running ''pkg bootstrap -f''.
 +
 +''pkg'' will use the “quarterly” repository by default. If you would like to use the “latest” repository do the following:
 +
 +<code>
 +
 +  $ cp /etc/pkg/FreeBSD.conf /usr/local/etc/pkg/repos/FreeBSD.conf
 +
 +  # In /usr/local/etc/pkg/repos/FreeBSD.conf change the source of 
 +  # the repository
 +
 +  FreeBSD: {
 +  ...
 +    url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest"
 +  ...
 +  }
 +
 +  # Update all
 +
 +  $ pkg update -f
 +
 +</code>
 +
 +===== System Time =====
 +
 +Timezone files are found in ''/usr/share/zoneinfo''. Once you've located the correct zone file, set it as the system time using:
 +
 +<code>
 +
 +  ln -sf /usr/share/zoneinfo/America/Chicago /etc/localtime
 +
 +</code>
 +
 +FreeBSD can be prone to clock skew so it's best to setup NTP at this time.
 +
 +<file>
 +
 +  $ pkg install ca_root_nss           # Make sure certs are up to date.
 +  $ sysrc ntpd_enable="YES"           # Enable the ntpd service.
 +  $ sysrc ntpd_sync_on_start="YES"    # Set ntpd to sync during boot.
 +  $ service ntpd fetch                # Update the leapseconds file.
 +  $ ntpd -gq                          # Force an update of the system time.
 +  $ service ntpd start                # Start the service.
 +
 +</file>
 +
 +If ''ntpd'' fails to start with a warning about unknown users or groups run ''/usr/sbin/pwd_mkdb -p /etc/master.passwd'' and then retry the previous command.
 +
 +===== System Update =====
 +
 +The initial FreeBSD image is version 14.0. To upgrade to a newer version run:
 +
 +<code>
 +
 +  $ freebsd-update -r RELEASE_NAME upgrade
 +
 +  # This process will take a while, be patient. Answer "yes" to any prompts.
 +  # When the upgrade configuration is done, run:
 +
 +  $ freebsd-update install
 +
 +  # Again, answer "yes" to all the prompts. It will be slow. Be patient and
 +  # reboot when instructed.
 +
 +</code>
 +
 +Once the upgrade is complete, clean up the files with ''find /var/db/freebsd-update/files -type f -exec rm -f {} \;'' .
 +
 +===== Hardening =====
 +
 +FreeBSD comes with a few system hardening options which are typically set during install. To check ''/'' update those options, run ''/usr/libexec/bsdinstall/hardening'' and reboot as needed.
 +
 +Addiional options can be added to ''/etc/sysctl.conf''. A common configuration might look like this: 
 +
 +<file>
 +
 +  security.bsd.see_other_uids=0
 +  security.bsd.see_other_gids=0
 +  security.bsd.see_jail_proc=0
 +  security.bsd.unprivileged_read_msgbuf=0
 +  kern.randompid=107
 +  net.inet.ip.random_id=1
 +  net.inet.ip.redirect=0
 +  net.inet.tcp.always_keepalive=0
 +  net.inet.tcp.blackhole=2
 +  net.inet.udp.blackhole=1
 +  net.inet.tcp.path_mtu_discovery=0
 +  net.inet.icmp.drop_redirect=1
 +  hw.mds_disable=3
 +  hw.spec_store_bypass_disable=1
 +  kern.elf64.allow_wx=0
 +  security.bsd.allow_destructive_dtrace=0
 +  hw.ibrs_disable=1
 +  kern.elf32.aslr.enable=1
 +  kern.elf32.aslr.pie_enable=1
 +
 +</file>
 +
 +Kernel security levels are best set in ''/etc/rc.conf'' so they don't interfere with running any services. Information on the different security levels can be found in the [[https://man.freebsd.org/cgi/man.cgi?query=security&sektion=7&manpath=freebsd-release-ports|FreeBSD man pages section on security]]. To enable kernel security in ''/etc/rc.conf'' add the following:
 +
 +<file>
 +
 +  kern_securelevel_enable="YES"
 +  kern_securelevel="1" 
 +
 +</file>
 +
 +===== SSH Setup =====
 +
 +The default image comes with SSH turned off. To turn it on edit ''/etc/rc.conf'' and set ''sshd_enable="YES"''.
 +
 +It's best to turn off root SSH login by setting ''PermitRootLogin no'' in ''/etc/ssh/sshd_config''. You may also want to consider setting ''Port'' to a non-standard port number. 
 +
 +==== SSH Public Key Authentication ====
 +
 +Follow [[using_ssh_for_connections_transfer_to_from_sdf|these instructions]] to create and add a public SSH key((The basic concepts of [[ssh_public_key_authentication|SSH Public Key Authentication]].)) to your FreeBSD install. Once done and confirmed working you may disable password based SSH-login by setting ''UsePasswordAuthentication no'' in ''/etc/ssh/sshd_config''.
 +
 +----
 +
 + $Id: VPS_FreeBSD.html,v 1.5 2023/09/09 17:14:36 dnielsen Exp $ [[http://sdf.org/?tutorials/VPS_FreeBSD|FreeBSD Setup and Configuration]] - traditional link (using [[wp>Revision_Control_System|RCS]])