====== FreeBSD on SDF VPS ======

FreeBSD Setup and Configuration

User Accounts

After your FreeBSD image has been installed and started, connect to the console and log in as user root with the default password root.

Change the root password using the passwd command. There is no way to recover this password. Don't lose it.

It's standard practice to create a regular user account for general use, using su to acquire root privileges as needed. Create a regular user account with the command adduser, following the setup prompts to create the user. Adding the user to the wheel group during setup will place them in the default administrative group.

If adduser gives a warning that the user “disappeared during update”, check the following:

  • The default user home directory is present at /usr/home and
  • /etc/home is symlinked to /usr/home

Once the default directory and the symlink are present, run:

  $ /usr/sbin/pwd_mkdb -p /etc/master.passwd    # Rebuild the password databases
  $ rmuser <username>                           # Remove the partially created user

Run adduser again to create the new user.

Networking

Take note of the HOSTNAME and EXTERNAL_IP from the first line of your vps control panel.

VPS Maintenance Shell for freebsd99 (205.166.94.nnn)
                          ---------  --------------
                          ^          ^
                          |          |
                          |          EXTERNAL_IP
                          HOSTNAME

Open /etc/rc.conf in an editor and make sure that the following lines are present, replacing HOSTNAME and EXTERNAL_IP with the correct values.

/etc/rc.conf
  hostname="HOSTNAME"
  ifconfig_xn0="inet EXTERNAL_IP netmask 255.255.255.0"
  defaultrouter="205.166.94.1"

Inspect /etc/resolv.conf and ensure that the name server is set to 205.166.94.24.

Run service netif restart && service routing restart to restart network services.

Package Management

FreeBSD uses pkg as a package manager. It can be initialized by running pkg bootstrap -f.

pkg will use the “quarterly” repository by default. If you would like to use the “latest” repository do the following:

  $ mkdir -p /usr/local/etc/pkg/repos
  $ cp /etc/pkg/FreeBSD.conf /usr/local/etc/pkg/repos/FreeBSD.conf

  # In /usr/local/etc/pkg/repos/FreeBSD.conf change the url of the
  # repository from "quarterly" to "latest":

  FreeBSD: {
  ...
    url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest"
  ...
  }

  # Refresh the package catalogue from the new repository

  $ pkg update -f

System Time

Timezone files are found in /usr/share/zoneinfo. Once you've located the correct zone file, set it as the system time zone by symlinking it to /etc/localtime, for example:

  $ ln -sf /usr/share/zoneinfo/America/Chicago /etc/localtime

FreeBSD can be prone to clock skew, so it's best to set up NTP at this time.

  $ pkg install ca_root_nss           # Make sure certs are up to date.
  $ sysrc ntpd_enable="YES"           # Enable the ntpd service.
  $ sysrc ntpd_sync_on_start="YES"    # Set ntpd to sync during boot.
  $ service ntpd fetch                # Update the leapseconds file.
  $ ntpd -gq                          # Force an update of the system time.
  $ service ntpd start                # Start the service.

If ntpd fails to start with a warning about unknown users or groups run /usr/sbin/pwd_mkdb -p /etc/master.passwd and then retry the previous command.

System Update

The initial FreeBSD image is version 14.0. To upgrade to a newer version run:

  $ freebsd-update -r RELEASE_NAME upgrade

  # This process will take a while, be patient. Answer "yes" to any prompts.
  # When the upgrade configuration is done, run:

  $ freebsd-update install

  # Again, answer "yes" to all the prompts. It will be slow. Be patient and
  # reboot when instructed.

Once the upgrade is complete, clean up the files with find /var/db/freebsd-update/files -type f -exec rm -f {} \; .

Hardening

FreeBSD comes with a few system hardening options which are typically set during install. To check / update those options, run /usr/libexec/bsdinstall/hardening and reboot as needed.

Additional options can be set in /etc/sysctl.conf. A common configuration might look like this:

  security.bsd.see_other_uids=0
  security.bsd.see_other_gids=0
  security.bsd.see_jail_proc=0
  security.bsd.unprivileged_read_msgbuf=0
  kern.randompid=107
  net.inet.ip.random_id=1
  net.inet.ip.redirect=0
  net.inet.tcp.always_keepalive=0
  net.inet.tcp.blackhole=2
  net.inet.udp.blackhole=1
  net.inet.tcp.path_mtu_discovery=0
  net.inet.icmp.drop_redirect=1
  hw.mds_disable=3
  hw.spec_store_bypass_disable=1
  kern.elf64.allow_wx=0
  security.bsd.allow_destructive_dtrace=0
  hw.ibrs_disable=1
  kern.elf32.aslr.enable=1
  kern.elf32.aslr.pie_enable=1
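
Values written to /etc/sysctl.conf only take effect at boot or after service sysctl restart, and a later sysctl call or a new kernel can silently change them, so it is worth checking the running kernel against the file. The script below is an added example, not part of the SDF wiki or FreeBSD itself; it compares sysctl.conf-style text with the "key: value" lines that sysctl -a prints, using constructed sample input so it runs anywhere.

```shell
#!/bin/sh
# Added example, not from the SDF wiki: report where the running kernel differs
# from the hardening values an /etc/sysctl.conf is supposed to set.
# Both inputs are plain text, so on a real FreeBSD host you would pass
# "$(cat /etc/sysctl.conf)" and "$(sysctl -a)"; the values below are constructed.

SAMPLE_SYSCTL_CONF='# constructed /etc/sysctl.conf excerpt
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
kern.randompid=107
kern.elf64.allow_wx=0'

SAMPLE_SYSCTL_A='security.bsd.see_other_uids: 1
security.bsd.see_other_gids: 0
net.inet.tcp.blackhole: 2
net.inet.udp.blackhole: 0
kern.randompid: 0
kern.elf64.allow_wx: 1'

# sysctl_drift CONF_TEXT RUNNING_TEXT
# Prints one line per key whose running value differs from the wanted value or
# is missing from the running set; exit status 0 means no drift, 1 means drift.
sysctl_drift() {
    printf 'CONF\n%s\nRUNNING\n%s\n' "$1" "$2" | awk '
        $0 == "CONF"    { mode = "conf"; next }
        $0 == "RUNNING" { mode = "run";  next }
        mode == "conf" {
            sub(/#.*/, ""); gsub(/[ \t]/, "")        # strip comments and whitespace
            eq = index($0, "=")
            if (eq == 0) next                        # blank or malformed line
            key = substr($0, 1, eq - 1)
            want[key] = substr($0, eq + 1); order[++n] = key
        }
        mode == "run" {
            c = index($0, ": ")                      # "key: value" as sysctl -a prints it
            if (c == 0) next
            have[substr($0, 1, c - 1)] = substr($0, c + 2)
        }
        END {
            drift = 0
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (!(k in have)) { printf "%s wanted=%s running=<missing>\n", k, want[k]; drift = 1 }
                else if (have[k] != want[k]) { printf "%s wanted=%s running=%s\n", k, want[k], have[k]; drift = 1 }
            }
            exit drift
        }'
}

sysctl_drift "$SAMPLE_SYSCTL_CONF" "$SAMPLE_SYSCTL_A" || echo "drift detected"
```

With the constructed input the four mismatched keys are listed and the function exits non-zero, which makes it usable from a cron job or a periodic(8) script.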

Kernel security levels are best set in /etc/rc.conf so they don't interfere with running any services. Information on the different security levels can be found in the FreeBSD man pages section on security. To enable kernel security in /etc/rc.conf add the following:

  kern_securelevel_enable="YES"
  kern_securelevel="1"

SSH Setup

The default image comes with SSH turned off. To turn it on, edit /etc/rc.conf and set sshd_enable="YES".

It's best to turn off root SSH login by setting PermitRootLogin no in /etc/ssh/sshd_config. You may also want to consider setting Port to a non-standard port number.

SSH Public Key Authentication

Follow these instructions to create and add a public SSH key 1) to your FreeBSD install. Once that is done and confirmed working, you may disable password-based SSH login by setting PasswordAuthentication no in /etc/ssh/sshd_config.
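Before restarting sshd it helps to confirm that the three settings above actually took effect in the global section of the file. The checker below is an added example, not from the SDF wiki or OpenSSH; it applies two sshd parsing rules that commonly cause surprises, namely that the first occurrence of a keyword wins and that directives after a Match line are conditional and do not count as global settings. The configs are constructed samples.

```shell
#!/bin/sh
# Added example, not from the SDF wiki: audit an sshd_config for the three
# settings the page recommends (PermitRootLogin no, PasswordAuthentication no,
# a non-default Port). Mirrors two sshd parsing rules: the first occurrence of
# a keyword wins, and lines after a Match block only apply conditionally, so
# they are not counted. All inputs below are constructed.

# Constructed sshd_config still at the shipped defaults (everything commented
# out) plus a Match block that must not be mistaken for a global setting.
DEFAULT_SSHD_CONFIG='#PermitRootLogin prohibit-password
#Port 22
#PasswordAuthentication yes
Match User backup
    PasswordAuthentication no'

# Constructed config after following the page; the trailing duplicate is
# ignored by sshd because the first PermitRootLogin line already took effect.
HARDENED_SSHD_CONFIG='Port 2222
PermitRootLogin no
PasswordAuthentication no
PermitRootLogin yes'

# sshd_audit CONFIG_TEXT
# Prints one finding per line; exit status 0 when all three settings are in
# place, 1 otherwise. On a real host: sshd_audit "$(cat /etc/ssh/sshd_config)"
sshd_audit() {
    printf '%s\n' "$1" | awk '
        { sub(/#.*/, "") }                           # drop comments, fields re-split
        tolower($1) == "match" { exit }              # global section ends here
        NF >= 2 {
            k = tolower($1)                          # keywords are case-insensitive
            if (!(k in seen)) seen[k] = tolower($2)  # first occurrence wins
        }
        END {
            bad = 0
            if (seen["permitrootlogin"] != "no") {
                print "PermitRootLogin is not set to no (compiled-in default is prohibit-password)"; bad = 1 }
            if (seen["passwordauthentication"] != "no") {
                print "PasswordAuthentication is not set to no"; bad = 1 }
            if (seen["port"] == "" || seen["port"] == "22") {
                print "Port is the default 22"; bad = 1 }
            exit bad
        }'
}

sshd_audit "$DEFAULT_SSHD_CONFIG" || echo "sshd_config needs attention"
```

Run sshd -t after editing as well, since this checker only looks at the three keywords and does not validate the rest of the file.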


$Id: VPS_FreeBSD.html,v 1.5 2023/09/09 17:14:36 dnielsen Exp $ FreeBSD Setup and Configuration - traditional link (using RCS)

1)
The basic concepts of SSH Public Key Authentication.
vps_-_freebsd.txt · Last modified: 2024/04/10 03:55 by hc9