{{example:example.png?nolink&150|}}\\
====== FreeBSD on SDF VPS ======

====== FreeBSD Setup and Configuration ======

===== User Accounts =====

After your FreeBSD image has been installed and started, connect to the console and log in as user ''root'' with the default password ''root''. Change the //root// password using the ''passwd'' command. There is no way to recover this password. Don't lose it.

It's standard practice to create a regular user account for general use, using ''su'' to acquire root privileges as needed. Create a regular user account with the command ''adduser'', following the setup prompts to create the user. Adding the user to the ''wheel'' group during setup will place them in the default administrative group.

If ''adduser'' gives a warning that the user "disappeared during update", check the following:

  * The default user home directory is present at ''/usr/home'' and
  * ''/home'' is symlinked to ''/usr/home''

Once the default directory and the symlink are present, run:

  $ /usr/sbin/pwd_mkdb -p /etc/master.passwd   # sync the password databases
  $ rmuser                                     # remove the partial user (prompts for the username)

Run ''adduser'' again to create the new user.

===== Networking =====

Take note of the HOSTNAME and EXTERNAL_IP from the first line of your VPS control panel.

  VPS Maintenance Shell for freebsd99 (205.166.94.nnn)
                            ---------  --------------
                                ^             ^
                                |             |
                                |         EXTERNAL_IP
                             HOSTNAME

Open ''/etc/rc.conf'' in an editor and make sure that the following lines are present, replacing HOSTNAME and EXTERNAL_IP with the correct values.

  hostname="HOSTNAME"
  ifconfig_xn0="inet EXTERNAL_IP netmask 255.255.255.0"
  defaultrouter="205.166.94.1"

Inspect ''/etc/resolv.conf'' and ensure that the name server is set to ''205.166.94.24''.

Run ''service netif restart && service routing restart'' to restart network services.

===== Package Management =====

FreeBSD uses ''pkg'' as a package manager. It can be initialized by running ''pkg bootstrap -f''. ''pkg'' will use the "quarterly" repository by default.
If you would like to use the "latest" repository, do the following:

  $ mkdir -p /usr/local/etc/pkg/repos   # the repos directory does not exist on a fresh install
  $ cp /etc/pkg/FreeBSD.conf /usr/local/etc/pkg/repos/FreeBSD.conf

  # In /usr/local/etc/pkg/repos/FreeBSD.conf change the url of the repository:
  FreeBSD: {
    ...
    url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
    ...
  }

  # Update all
  $ pkg update -f

===== System Time =====

Timezone files are found in ''/usr/share/zoneinfo''. Once you've located the correct zone file, set it as the system time zone using:

  ln -sf /usr/share/zoneinfo/America/Chicago /etc/localtime

FreeBSD can be prone to clock skew, so it's best to set up NTP at this time.

  $ pkg install ca_root_nss          # Make sure certs are up to date.
  $ sysrc ntpd_enable="YES"          # Enable the ntpd service.
  $ sysrc ntpd_sync_on_start="YES"   # Set ntpd to sync during boot.
  $ service ntpd fetch               # Update the leapseconds file.
  $ ntpd -gq                         # Force an update of the system time.
  $ service ntpd start               # Start the service.

If ''ntpd'' fails to start with a warning about unknown users or groups, run ''/usr/sbin/pwd_mkdb -p /etc/master.passwd'' and then retry the previous command.

===== System Update =====

The initial FreeBSD image is version 14.0. To upgrade to a newer version run:

  $ freebsd-update -r RELEASE_NAME upgrade
  # This process will take a while, be patient. Answer "yes" to any prompts.
  # When the upgrade configuration is done, run:
  $ freebsd-update install
  # Again, answer "yes" to all the prompts. It will be slow. Be patient and
  # reboot when instructed.

Once the upgrade is complete, clean up the files with ''find /var/db/freebsd-update/files -type f -exec rm -f {} \;''.

===== Hardening =====

FreeBSD comes with a few system hardening options which are typically set during install. To check or update those options, run ''/usr/libexec/bsdinstall/hardening'' and reboot as needed. Additional options can be added to ''/etc/sysctl.conf''.
A common configuration might look like this:

  security.bsd.see_other_uids=0
  security.bsd.see_other_gids=0
  security.bsd.see_jail_proc=0
  security.bsd.unprivileged_read_msgbuf=0
  kern.randompid=107
  net.inet.ip.random_id=1
  net.inet.ip.redirect=0
  net.inet.tcp.always_keepalive=0
  net.inet.tcp.blackhole=2
  net.inet.udp.blackhole=1
  net.inet.tcp.path_mtu_discovery=0
  net.inet.icmp.drop_redirect=1
  hw.mds_disable=3
  hw.spec_store_bypass_disable=1
  kern.elf64.allow_wx=0
  security.bsd.allow_destructive_dtrace=0
  hw.ibrs_disable=1
  kern.elf32.aslr.enable=1
  kern.elf32.aslr.pie_enable=1

Kernel security levels are best set in ''/etc/rc.conf'' so they don't interfere with running any services. Information on the different security levels can be found in the [[https://man.freebsd.org/cgi/man.cgi?query=security&sektion=7&manpath=freebsd-release-ports|FreeBSD man pages section on security]].

To enable kernel security in ''/etc/rc.conf'' add the following:

  kern_securelevel_enable="YES"
  kern_securelevel="1"

===== SSH Setup =====

The default image comes with SSH turned off. To turn it on, edit ''/etc/rc.conf'' and set ''sshd_enable="YES"''. It's best to turn off root SSH login by setting ''PermitRootLogin no'' in ''/etc/ssh/sshd_config''. You may also want to consider setting ''Port'' to a non-standard port number.

==== SSH Public Key Authentication ====

Follow [[using_ssh_for_connections_transfer_to_from_sdf|these instructions]] to create and add a public SSH key((The basic concepts of [[ssh_public_key_authentication|SSH Public Key Authentication]].)) to your FreeBSD install. Once done and confirmed working, you may disable password-based SSH login by setting ''PasswordAuthentication no'' in ''/etc/ssh/sshd_config''.

----
$Id: VPS_FreeBSD.html,v 1.5 2023/09/09 17:14:36 dnielsen Exp $
[[http://sdf.org/?tutorials/VPS_FreeBSD|FreeBSD Setup and Configuration]] - traditional link (using [[wp>Revision_Control_System|RCS]])
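A drift check for the Hardening section above, added here as an example and not part of the SDF tutorial: it reads the key=value lines from a sysctl.conf-style file and compares each with what the running kernel reports, so a setting reverted by an upgrade or a mistyped key shows up as DRIFT or MISSING instead of going unnoticed. The script name, the audit_sysctl function and the SYSCTL_GET override are this example's own assumptions; it relies only on POSIX sh and ''sysctl -n''.

```shell
#!/bin/sh
# audit_sysctl.sh: compare the hardening values in a sysctl.conf-style file
# with what the running kernel reports. Added example, not part of the SDF
# tutorial. Assumes POSIX sh and a sysctl(8) that accepts "-n key".
# Usage on the VPS:  sh audit_sysctl.sh /etc/sysctl.conf

# Command used to read a live value; overridable so the parser can be tried
# on a host without these FreeBSD keys (e.g. SYSCTL_GET=my_fake_getter).
SYSCTL_GET=${SYSCTL_GET:-"sysctl -n"}

# audit_sysctl FILE: print one line per setting, tagged OK, DRIFT (running
# value differs) or MISSING (key absent on this kernel). Returns 1 if any
# setting drifted, 0 otherwise, so it can gate a cron mail or a monitoring check.
audit_sysctl() {
    file=$1 rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                              # drop trailing comments
        case $line in *=*) ;; *) continue ;; esac     # skip blank/non key=value lines
        key=$(printf '%s' "${line%%=*}" | tr -d ' \t')
        want=$(printf '%s' "${line#*=}" | tr -d ' \t')
        # $SYSCTL_GET is intentionally unquoted so "sysctl -n" splits into words
        if have=$($SYSCTL_GET "$key" 2>/dev/null); then
            if [ "$have" = "$want" ]; then
                printf 'OK      %s=%s\n' "$key" "$want"
            else
                printf 'DRIFT   %s: want %s, running %s\n' "$key" "$want" "$have"
                rc=1
            fi
        else
            printf 'MISSING %s (not present on this kernel)\n' "$key"
        fi
    done < "$file"
    return $rc
}

if [ "$#" -eq 1 ]; then
    audit_sysctl "$1"
fi
```

A DRIFT line is worth a look but is not automatically a misconfiguration: check sysctl(8) and the relevant man page first, because some keys normalize the value written to them.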
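For the SSH Setup section above, an added example (not from the SDF tutorial) that applies PermitRootLogin, PasswordAuthentication and Port to an sshd_config file idempotently and validates the result with ''sshd -t'' before sshd is restarted, since sshd honours only the first occurrence of a directive and refuses to start on a misspelled one. The set_directive, get_directive, harden_sshd and validate_sshd_config names are this example's own; it assumes POSIX sh with awk and a config file without Match blocks.

```shell
#!/bin/sh
# harden_sshd.sh: apply the SSH Setup directives from this page to an
# sshd_config file idempotently, then validate before restarting sshd.
# Added example, not part of the SDF tutorial. Assumes POSIX sh and awk,
# and a file with no Match blocks (directives inside Match are not handled).
# Usage on the VPS:  sh harden_sshd.sh /etc/ssh/sshd_config 2222

# set_directive FILE KEY VALUE: replace every active or commented-out KEY
# line with "KEY VALUE" (sshd_config keys are case-insensitive, so the match
# is too), keeping one copy; append the line if KEY is absent. sshd uses the
# first occurrence of a directive, so a stray duplicate must not survive.
set_directive() {
    file=$1 key=$2 value=$3
    if grep -Eiq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|\$)" "$file"; then
        awk -v k="$key" -v v="$value" '
            tolower($0) ~ "^[[:space:]]*#?[[:space:]]*" tolower(k) "([[:space:]]|$)" {
                if (!done) { print k " " v; done = 1 }   # first hit: rewrite
                next                                     # later hits: drop
            }
            { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_directive FILE KEY: print the effective value (first uncommented match).
get_directive() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# harden_sshd FILE [PORT]: the settings this page recommends. Run it only
# after key-based login is confirmed working, since it turns passwords off.
harden_sshd() {
    file=$1 port=${2:-22}
    set_directive "$file" PermitRootLogin no
    set_directive "$file" PasswordAuthentication no
    set_directive "$file" Port "$port"
}

# validate_sshd_config FILE: sshd -t parses the file and exits non-zero on a
# bad directive; this is the check to make before "service sshd restart".
validate_sshd_config() {
    sshd -t -f "$1"
}

if [ "$#" -ge 1 ]; then
    cp "$1" "$1.bak" && harden_sshd "$1" "${2:-22}" && validate_sshd_config "$1"
fi
```

Keep the current session open and confirm a fresh key-based login from a second terminal before running this against /etc/ssh/sshd_config, because PasswordAuthentication no locks out anyone without a working key.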