====== FreeBSD on SDF VPS ======
===== FreeBSD Setup and Configuration =====
==== User Accounts ====
After your FreeBSD image has been installed and started, connect to the console and log in as user ''root'' with the default password ''root''.

Change the root password using the ''passwd'' command. There is no way to recover this password. Don't lose it.

It's standard practice to create a regular user account for general use, using ''su'' to acquire root privileges as needed. Create a regular user account with the command ''adduser'', following the setup prompts to create the user. Adding the user to the ''wheel'' group during setup will place them in the default administrative group.
If ''adduser'' gives a warning that the user "disappeared during update", check the following:
  * The default user home directory is present at ''/usr/home'' and ''/etc/home'' is symlinked to ''/usr/home''

Once the default directory and the symlink are present, run:
<code>
$ /usr/sbin/pwd_mkdb -p /etc/master.passwd   # sync the password databases
$ rmuser <username>                          # remove the partial user
</code>
Run ''adduser'' again to create the new user.
==== Networking ====
Take note of the HOSTNAME and EXTERNAL_IP from the first line of your VPS control panel.
<code>
VPS Maintenance Shell for freebsd99 (205.166.94.nnn)
                          ---------  --------------
                              ^             ^
                              |             |
                          HOSTNAME      EXTERNAL_IP
</code>
Open ''/etc/rc.conf'' in an editor and make sure that the following lines are present, replacing HOSTNAME and EXTERNAL_IP with the correct values.
<file - /etc/rc.conf>
hostname="HOSTNAME"
ifconfig_xn0="inet EXTERNAL_IP netmask 255.255.255.0"
defaultrouter="205.166.94.1"
</file>
Inspect ''/etc/resolv.conf'' and ensure that the name server is set to ''205.166.94.24''.

Run ''service netif restart && service routing restart'' to restart network services.
==== Package Management ====
FreeBSD uses ''pkg'' as a package manager. It can be initialized by running ''pkg bootstrap -f''.

''pkg'' will use the "quarterly" repository by default. If you would like to use the "latest" repository do the following:
<code>
$ mkdir -p /usr/local/etc/pkg/repos   # the repos directory does not exist on a fresh install
$ cp /etc/pkg/FreeBSD.conf /usr/local/etc/pkg/repos/FreeBSD.conf
# In /usr/local/etc/pkg/repos/FreeBSD.conf change the source of
# the repository
FreeBSD: {
  ...
  url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest"
  ...
}
# Update all
$ pkg update -f
</code>
==== System Time ====
Timezone files are found in ''/usr/share/zoneinfo''. Once you've located the correct zone file, set it as the system time zone using:
<code>
ln -sf /usr/share/zoneinfo/America/Chicago /etc/localtime
</code>
FreeBSD can be prone to clock skew, so it's best to set up NTP at this time.
<code>
$ pkg install ca_root_nss           # Make sure certs are up to date.
$ sysrc ntpd_enable="YES"           # Enable the ntpd service.
$ sysrc ntpd_sync_on_start="YES"    # Set ntpd to sync during boot.
$ service ntpd fetch                # Update the leapseconds file.
$ ntpd -gq                          # Force an update of the system time.
$ service ntpd start                # Start the service.
</code>
If ''ntpd'' fails to start with a warning about unknown users or groups, run ''/usr/sbin/pwd_mkdb -p /etc/master.passwd'' and then retry the previous command.
==== System Update ====
The initial FreeBSD image is version 14.0. To upgrade to a newer version run:
<code>
$ freebsd-update -r RELEASE_NAME upgrade
# This process will take a while, be patient. Answer "yes" to any prompts.
# When the upgrade configuration is done, run:
$ freebsd-update install
# Again, answer "yes" to all the prompts. It will be slow. Be patient and
# reboot when instructed.
</code>
Once the upgrade is complete, clean up the files with ''find /var/db/freebsd-update/files -type f -exec rm -f {} \;''.
==== Hardening ====
FreeBSD comes with a few system hardening options which are typically set during install. To check or update those options, run ''/usr/libexec/bsdinstall/hardening'' and reboot as needed.

Additional options can be added to ''/etc/sysctl.conf''. A common configuration might look like this:
<file - /etc/sysctl.conf>
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.see_jail_proc=0
security.bsd.unprivileged_read_msgbuf=0
kern.randompid=107
net.inet.ip.random_id=1
net.inet.ip.redirect=0
net.inet.tcp.always_keepalive=0
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.tcp.path_mtu_discovery=0
net.inet.icmp.drop_redirect=1
hw.mds_disable=3
hw.spec_store_bypass_disable=1
kern.elf64.allow_wx=0
security.bsd.allow_destructive_dtrace=0
hw.ibrs_disable=1
kern.elf32.aslr.enable=1
kern.elf32.aslr.pie_enable=1
</file>
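As an added example (not part of the original page), a POSIX sh check that compares the values a sysctl.conf-style file asks for against what the running kernel reports, so a setting that was changed after boot or that this kernel does not know stands out. The function names, the SYSCTL_SNAPSHOT variable and the sample data are constructed for this example.

```shell
# Added example, not from the SDF wiki page: report drift between the values a
# sysctl.conf-style file asks for and what the running kernel reports. The file
# is applied only at boot, so a knob changed later, or one the kernel rejected,
# shows up here.

# "name value" pairs from sysctl.conf text on stdin; comments and blanks dropped.
parse_sysctl_conf() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' \
        -e 's/^[[:space:]]*\([^=[:space:]]*\)[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1 \2/'
}
# Current value of one sysctl. If SYSCTL_SNAPSHOT names a file of "name: value"
# lines (the format `sysctl name` prints), read from it instead, so the check
# also runs on a saved snapshot or, as in run_demo, constructed data.
current_value() {
    [ -n "${SYSCTL_SNAPSHOT:-}" ] || { sysctl -n "$1" 2>/dev/null; return; }
    sed -n "s/^$(printf '%s' "$1" | sed 's/\./\\./g'): //p" "$SYSCTL_SNAPSHOT"
}
# sysctl_drift FILE: one OK/DRIFT/MISSING line per setting; returns 1 if any is
# not exactly as requested. MISSING matters: an unknown knob is skipped at boot.
sysctl_drift() {
    report=$(parse_sysctl_conf < "$1" | while read -r name wanted; do
        cur=$(current_value "$name" || true)
        if [ -z "$cur" ]; then echo "MISSING $name"
        elif [ "$cur" != "$wanted" ]; then echo "DRIFT $name wanted=$wanted current=$cur"
        else echo "OK $name"; fi
    done)
    printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -Eq '^(DRIFT|MISSING)'
}

# Constructed data: a sysctl.conf excerpt, and a snapshot in which
# net.inet.tcp.blackhole was reset to 0 and kern.elf64.allow_wx is absent.
WANTED_EXAMPLE='security.bsd.see_other_uids=0
net.inet.tcp.blackhole=2   # drop, rather than RST, packets to closed ports
net.inet.udp.blackhole=1
kern.elf64.allow_wx=0
'
SNAPSHOT_EXAMPLE='security.bsd.see_other_uids: 0
net.inet.tcp.blackhole: 0
net.inet.udp.blackhole: 1
'
run_demo() {
    tmp=$(mktemp -d) || return 2
    printf '%s' "$WANTED_EXAMPLE" > "$tmp/sysctl.conf"
    printf '%s' "$SNAPSHOT_EXAMPLE" > "$tmp/snapshot"
    SYSCTL_SNAPSHOT="$tmp/snapshot"; sysctl_drift "$tmp/sysctl.conf"; rc=$?
    unset SYSCTL_SNAPSHOT; rm -rf "$tmp"; return $rc
}
if run_demo; then echo "no drift"; else echo "drift detected"; fi
```

On the VPS itself, leave SYSCTL_SNAPSHOT unset and point ''sysctl_drift'' at ''/etc/sysctl.conf'' to compare against the live kernel.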
Kernel security levels are best set in ''/etc/rc.conf'' so they don't interfere with running any services. Information on the different security levels can be found in the FreeBSD man pages section on security. To enable kernel security in ''/etc/rc.conf'' add the following:
<file - /etc/rc.conf>
kern_securelevel_enable="YES"
kern_securelevel="1"
</file>
==== SSH Setup ====
The default image comes with SSH turned off. To turn it on, edit ''/etc/rc.conf'' and set ''sshd_enable="YES"''.

It's best to turn off root SSH login by setting ''PermitRootLogin no'' in ''/etc/ssh/sshd_config''. You may also want to consider setting ''Port'' to a non-standard port number.
==== SSH Public Key Authentication ====
Follow these instructions to create and add a public SSH key to your FreeBSD install. Once done and confirmed working, you may disable password-based SSH login by setting ''PasswordAuthentication no'' in ''/etc/ssh/sshd_config''.
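An added example, not from the original page: a POSIX sh check of the values sshd will actually use for the settings recommended in the two SSH sections above. sshd takes the first occurrence of a keyword and treats every line after a ''Match'' header as part of that block, so an option appended to the end of the file may have no effect; the function names and the sample config are constructed.

```shell
# Added example, not from the SDF wiki page: show which value sshd will actually
# use for a keyword. sshd takes the FIRST occurrence of a keyword, and every line
# after a "Match" block header belongs to that block, so a "PasswordAuthentication
# no" appended to the end of a file that already contains a Match block or an
# earlier "yes" changes nothing. (Include directives are not followed here.)

# sshd_effective KEYWORD FILE: print the global (pre-Match) value, or nothing.
sshd_effective() {
    awk -v key="$1" 'BEGIN { key = tolower(key) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # comment or blank line
        { k = tolower($1); sub(/=.*/, "", k) }  # keyword, "Key=value" form too
        k == "match" { exit }                   # the rest is conditional
        k == key { sub(/^[ \t]*[^ \t=]+[ \t]*=?[ \t]*/, ""); sub(/[ \t]+$/, "")
                   print; exit }
    ' "$2"
}

# check_sshd FILE: verify the settings this page recommends; returns 1 on a miss.
check_sshd() {
    rc=0
    for pair in PermitRootLogin=no PasswordAuthentication=no; do
        key=${pair%=*}; want=${pair#*=}
        got=$(sshd_effective "$key" "$1")
        if [ "$got" = "$want" ]; then echo "OK $key $got"
        else echo "FAIL $key effective='${got:-unset, sshd default}' want=$want"; rc=1; fi
    done
    port=$(sshd_effective Port "$1"); echo "INFO Port ${port:-22 (default)}"
    return $rc
}

# Constructed config: the admin appended "PasswordAuthentication no" at the
# end, but an earlier "yes" wins and the appended line sits inside the Match block.
SSHD_EXAMPLE='Port 2222
#PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
Match User backup
    PasswordAuthentication no
PasswordAuthentication no
'
run_sshd_demo() {
    f=$(mktemp) || return 2
    printf '%s' "$SSHD_EXAMPLE" > "$f"
    check_sshd "$f"; rc=$?; rm -f "$f"; return $rc
}

if run_sshd_demo; then echo "sshd_config matches the recommendations"
else echo "sshd_config needs attention"; fi
```

On the VPS, run ''check_sshd /etc/ssh/sshd_config'' before restarting sshd, and keep an existing console or SSH session open until the new settings are confirmed working.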
$Id: VPS_FreeBSD.html,v 1.5 2023/09/09 17:14:36 dnielsen Exp $