WillSquire
9/24/2015 - 6:35 PM

FreeBSD 10.2 server setup

FreeBSD 10.2 server setup

FreeBSD 10.2 server setup

Port or package

Two common options for getting FreeBSD software is to use pkg or ports. Whilst ports may take longer to install software and might also need to have dependancies sourced prior to compiling the port, ports can be configured and optimised for the current system through compiler configuration and version. Pkg on the other had is already compiled so is easier to install. Either can be used, but it is easier to maintain one rather than both, so it might be wise to choose a pattern and stick to it.

User

First show the list of users currently setup on the system to see where your at by entering:

awk -F":" '{print $1}' /etc/passwd

If required, additional users can be step up with a step by step menu by using:

sudo adduser

It's important that the user is setup as password-based when adding SSH keys (as SSH will want to verify the user with the password set here). Fill out the required details and leave the default values as they are, with the exception of if the user is to be a 'super user'. In which case, the user should be invited to the wheels group as in the following:

Login group is [user]. Invite [user] into other groups? []: wheel

Once all the required users are setup, users that extisted previously due to a standard setup (like the default user setup by some hosting providers, i.e. DigitalOcean's freebsd user) can be removed now (but please note, on networked systems this step might be better to take after SSH has been properly configured for the users that will be administering the system, with at least one super user). To do this, enter the following and follow the guided questions on what shall be removed:

sudo rmuser [user]

SSH

Next to setup the SSH access for the new user/s. Note, to add an RSA key remotely the user should be password-based untill the key/s are all added.

On the machine required to login to the FreeBSD system, generate a 4K RSA key by entering the following:

ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

Once this has been created, SSH keys can then be copied over to a remote FreeBSD system with ssh-copy-id. Check if the system being used can do this by entering ssh-copy-id into the command line prompt (if it's not reconised, it can be installed using things like Homebrew, or the RSA key can be copied over manually. To install this independantly with Homebrew, enter brew install ssh-copy-id). To copy over the RSA keys from the current system with ssh-copy-id, enter the following and supply the FreeBSD user password when prompted:

ssh-copy-id [user]@[ip]

Do this for all systems needing access (unless the manual way is preferred) and then login to the system with:

ssh [user]@[ip]

Next step is to remove password authentication from the system in favour of only allowing RSA keyed users access and to change the default SSH port to cut down on SSH attack attempts that target the default port. To do this, edit the SSH config file with:

sudo ee /etc/ssh/sshd_config

First disable password logins by editing the directive called ChallengeResponseAuthentication so that it is uncommented (if commented) by removing the # and set it to no so it reads as follows:

ChallengeResponseAuthentication no

Next add a layer of 'obscurity' to the system's security by using a custom port for SSH to listen on. Edit Port so it is uncommented (if commented) by removing the #, and set this to a desired port number (being careful not to interfere with any other service's ports of operation) like so:

Port [port_number]

For the changes to take effect, the SSH deamon needs to be restarted with:

sudo service sshd restart

After saving a closing the file with esc, enter and enter, and then close the connection with exit. To connect to the system over SSH again, a specific port must now be given by adding a -p arguement followed by the port number, along with the username and address, like so:

ssh -p [port_number] [user]@[ip]

Firewall

Install and configure IPFW: https://gist.github.com/WillSquire/dc07d802833eb2e52f1723223e1fa2c2

Timezone

To enter the timezone configuration setup, use to following and follow the onscreen steps:

sudo tzsetup

Next, setup the Network Time Protocol service to keep the servers time in sync with others. To do this, first open the /etc/rc.conf file:

sudo ee /etc/rc.conf

Add the following lines, save and exit:

ntpd_enable="YES"
ntpd_sync_on_start="YES"

Start the service with:

sudo service ntpd start

Swapfile

Adding swapfile to a system allows the system to move less frequently accessed information in the RAM to the disk instead. Generally a swap file is often double the size of the system's RAM (i.e. 1gb if 512mb RAM). To check if a swapfile is setup, use:

sudo swapinfo -g

If it isn't, add a swapfile with the following (note that size ends in unit type, i.e. 1G for 1 Gigabyte):

sudo truncate -s [swapfile_size] [swapfile_location]

Secure access permissions to the swapfile with:

sudo chmod 0600 [swapfile_location]

Associate to mount on boot by appending the follow echo test to the /etc/fstab file:

sudo sh -c 'echo "md99 none swap sw,file=[swapfile_location],late 0 0" >> /etc/fstab'

Activate the swapfile with (and check this has worked afterward with sudo swapinfo -g again):

sudo swapon -aqL

FreeBSD updates

###Manually update FreeBSD Manual updates can be performed with (and is likely to require a restart of the server afterwards):

sudo freebsd-update fetch install

Restart the system with:

sudo shutdown -r now

During an update FreeBSD copies the current kernel and replaces it with updates, putting the old kernel to /boot/kernel.old. If everything went well after the update, delete the old kernel with:

sudo rm -r /boot/kernel.old

Automaticlly update FreeBSD

Update FreeBSD automatically by added a cron task to the system's crontab. Open up the crontab with:

sudo ee /etc/crontab

Add the following to the bottom of the crontab file (with a helpful little comment to indicate what it's doing), replacing [user] for the user who will receive notifications and manage updates:

# Automatically fetch updates for FreeBSD daily
@daily root freebsd-update -t [user] cron

The given user can then periodically check for updates that have been downloaded by checking their mail with:

mail

To install any given updates (which is likely to require a restart of the server afterwards) use:

sudo freebsd-update install

Again, to restart:

sudo shutdown -r now

Manually update FreeBSD source code

Get SVN with ports (or take the pkg approach if preferred):

cd /usr/ports/net/svnup
sudo make config-recursive install clean

Note down the FreeBSD version installed with the FreeBSD version command:

freebsd-version

Configure the SVN config:

sudo ee /usr/local/etc/svnup.conf

Select the closest mirror region. I.e. if you live in europe, uncomment #host=svn0.eu.freebsd.org, so it looks like this:

host=svn0.eu.freebsd.org

Now configure what branch the system should sync with from the OS version details given by the freebsd-version command earlier (i.e. if 10.2-RELEASE-p4, then replace [branch] below for release and [version] for 10.2):

[[branch]]
branch=base/releng/[version]
target=/usr/src

To update, use (which is what will be inputted each time from now on to be updated):

sudo svnup release

Update packages & ports

To fetch/initialise the ports tree that records all of the ports (software) on the system, use the follow command (note that this doesn't nessarily need to be done more than once, and after the initial fetch sudo portsnap fetch update can be used in it's place to update the port tree hereafter):

sudo portsnap fetch extract

If there are packages installed, the same update packages information:

sudo pkg update

Using the information retrieved for ports, show what ports need updating with (note that the equivalent command for showing what packages need updating is pkg version -vRL=):

pkg version -vIL=

One 'standard' way of managing and update ports is to use portmaster. Note that installing portmaster might need other ports to be updated prior to its installation. Updating these ports can be done through re-installation, by going to their directory (cd <path/to/port>) and entering the un-install then re-install command sudo make deinstall reinstall, a port can be updated. To install portmaster using ports (which can alternatively be installed using pkg instead), use:

cd /usr/ports/ports-mgmt/portmaster
sudo make install clean

Portmaster can show all ports and packages that have newer updates version avalible. To retrieve the list of installed software and if it needs an unpdate, enter portmaster -L. This list will give you everything that needs updating, as well as things that don't. Another (perhaps more usage friendly) command is one that will only list the software that needs updating, like so:

sudo portmaster -L --index-only| egrep '(ew|ort) version|total install'

Known vulnerabilities with any software installed on the system can be detected and shown with FreeBSD by using:

sudo pkg audit -F

Before updating software, use the following command to see what breaking changes might affect the system, and decide what to install accordingly with less /usr/ports/UPDATING. Or better yet, filter out the ones that are only applicable since the last update was carried out with:

date -r `pkg query %t | sort | tail -n1` "+%Y%m%d"

Next is to carry out the updates. If using just packages or a combination of packages and ports, then updating using ports can cause version issues with software that depends on other peices of software to be too high a version (as ports are usually much 'fresher' as they come from the source files, where as packages need to get compiled then distributed). If this is the case, then there is a method of updating different to this that might be better, otherwise if just using ports the update can be done with (WARNING: This may take a very long time, anticipate this prior. Advised not do do this over SSH and instead do this directly on the system's terminal or virtual console if VPS):

sudo portmaster -a

sshguard

Download and install SSHGuard: https://gist.github.com/WillSquire/b0546bb8ab901f16555aba2e953767d9

Kernel

Kernel configuration is be dictated mainly by what the system will be used for, i.e. things like joystick support are unlikely to be required on systems used as web servers. See refernces "Customising the kernel" and "FreeBSD's kernel configuration handbook" for more. Kernel building requires the FreeBSD source code to be downloaded on the system, using either subversion or svnup (as done above).

Find the relevant kernal config folder for the current system (i.e. if using Digital Ocean, their systems use amd64, so cd /usr/src/sys/amd64/conf):

cd /usr/src/sys/<architecture>/conf

Create and open a kernal config file with the desired name (by convention, this should be all caps):

sudo ee <kernal_config_name>

Fill in the kernel config file to the desired settings (it my be good to look at other kernal configs, like FreeBSD's default GENERIC kernal config or Digital Ocean's config file in the references below (note it might be nice to remove the splash screen directive from this if a splash screen isn't needed). Most settings largely depend on the system usage and hardware, and no setting is best for all systems). Remember to change the ident directive value in the config to the kernel config name given above (again, all caps):

ident <kernal_config_name>

Save and exit the config file. Then use the following command to build the new kernel (Note: make.conf can be edited to exempt particular modules from the complation using MODULES_OVERRIDE, WITHOUT_MODULES or even WITHOUT_MODULES. This mean the kernel has resources from these modules statically compiled rather than referenced):

cd /usr/src && sudo make buildkernel KERNCONF=<kernal_config_name>

Once built, install the new kernel:

sudo make installkernel KERNCONF=<kernal_config_name>

Shutdown and reboot to load the system with the new kernel:

sudo shutdown -r now

Check the new kernel is being used once rebooted (this command should display ident <kernal_config_name>):

sysctl kern.conftxt | grep ident

Move into the boot directory:

/boot

Here the current kernel can be found as the kernel folder and the old kernel/s will be labled as kernel.old or kernel.old1, kernel.old2, etc. Size comaprisions can be made using du -sh /boot/kernel. If sure the system is stable, then the old kernel's can be deleted with:

sudo rm -r /boot/kernel.old

Future notes

Future edit will include configuring /boot/loader.conf and /etc/sysctl.conf to make the most of the specific hardware setup.

References