April 15, 2010

FreeBSD Server Guide

Notes on setting up a FreeBSD box.

Base FreeBSD Setup

Install from CD

During the CD install, don't select any extra distribution sets or packages — install what you need afterwards from the ports collection, which is more up to date (and, with portaudit installed, gets audited against the FreeBSD vulnerability database).

Setup main config files

In short: get networking, basic access control (wheel-only logins, sshd, pf) and the serial console configured as early as possible, before the box is reachable from the network.

/etc/group

# Add your admin user (here myuser) to the wheel group: on FreeBSD only wheel members may su(1) to root, and the login.access rule below admits only wheel members.

/boot.config

# Create this file in the root directory of the `a` partition (the root filesystem) on the boot drive.
# For the serial console it needs just one line: -h forces the serial console, -D enables dual (serial + video) console output, and -S115200 sets the serial speed, which must match comconsole_speed in /boot/loader.conf and the std.115200 getty line in /etc/ttys. Keep the file to that one line — boot2 parses its whole contents as options, so a comment line is not safe here.
-h -D -S115200

/etc/ttys

# Login prompt on the serial console line, at the same speed as /boot.config.
# "secure" permits root to log in directly on this line (login(1)); if the serial
# port is reachable by anyone you do not fully trust (console server, shared KVM),
# change it to "insecure". Whether single-user mode asks for the root password is
# governed separately by the "console" entry in this file — see init(8)/ttys(5).
# Run `kill -HUP 1` after editing so init re-reads the file.
ttyd0   "/usr/libexec/getty std.115200" vt100   on secure

/boot/loader.conf

# Serial console setup; pairs with /boot.config and the ttyd0 line in /etc/ttys.
# Allow the kernel to drive several consoles at once.
boot_multicons="YES"
# Use the serial port as a kernel console.
boot_serial="YES"
# Must match -S in /boot.config and std.115200 in /etc/ttys.
comconsole_speed="115200"
# Serial first, video second.
console="comconsole,vidconsole"

/etc/login.conf

# Minimum password length for the login class. Two reasons this can appear
# "not to work": (1) login.conf is compiled into a database — run
# `cap_mkdb /etc/login.conf` after every edit, otherwise the change is ignored;
# (2) password-quality enforcement on FreeBSD is done by pam_passwdqc(8)
# (see /etc/pam.d/passwd, e.g. `min=disabled,disabled,disabled,8,8`) — set it
# there if this capability alone has no effect.
:minpasswordlen=8:

/etc/login.access

# Restrict who may log in (login.access(5)). This is consulted by login(1) and,
# through pam_login_access in /etc/pam.d/sshd, by sshd too — so it also gates SSH,
# not just the console.
# Only members of wheel may log in, from anywhere; everyone else is refused.
# Make sure your admin user is already in wheel before enabling this, or you
# lock yourself out of everything except root on the physical/serial console.
-:ALL EXCEPT wheel:ALL

/etc/rc.conf

# Host identity and interfaces. fxp0 is the internal side (used as $int_if in the
# pf rulesets below), fxp1 the public side ($ext_if).
hostname="s01.example.com"
ifconfig_fxp0="inet 10.2.1.1 netmask 255.0.0.0"
ifconfig_fxp1="inet 80.80.13.71  netmask 255.255.255.224"
# Nothing here is served by inetd; keep it off so no legacy daemons are exposed.
inetd_enable="NO"
keymap="uk.iso"
# Loads the Linux binary-compatibility layer. Only needed if this box runs Linux
# binaries; otherwise set it to "NO" — it is extra kernel code exposed to userland.
linux_enable="YES"
sshd_enable="YES"
# Packet filter, plus the pflog0 interface so "block ... log" rules can be read
# with `tcpdump -n -e -ttt -i pflog0`.
pf_enable="YES"
pflog_enable="YES"

/etc/ssh/sshd_config

# Don't reverse-resolve connecting clients: faster logins, no dependency on DNS.
UseDNS no
# Root never logs in over SSH; use a wheel user and su(1). Combined with
# /etc/login.access above, only wheel members can reach a shell remotely.
PermitRootLogin no
# Once your key is installed, consider adding
#   PasswordAuthentication no
#   ChallengeResponseAuthentication no
# so that password brute-forcing against port 22 is impossible.

Setup a quick firewall

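# Minimal host firewall: nothing inbound except SSH and ping.
# ($ext_if is kept for symmetry with the larger ruleset below; only $int_if is
# used here.)
ext_if="fxp1"
int_if="fxp0"

set skip on lo
scrub in all

# pf evaluates every rule and the LAST match wins unless a rule says "quick".
# The logged default deny therefore comes FIRST, so that the pass rules below
# override it. With "block drop in log all" as the last rule (and the ICMP
# pass not being quick), pings were silently re-blocked.
block drop in log all
# Explicit keep state: the default on pf >= OpenBSD 4.1 / FreeBSD 7, but not on
# older releases — replies to our own outbound connections must be let back in.
pass out keep state
# Drop packets arriving on an interface that cannot legitimately carry their
# source address.
antispoof quick for { lo $int_if }
# Echo requests (ping) only, as in the larger ruleset below; ICMP errors that
# belong to an existing connection are matched by that connection's state.
pass in inet proto icmp all icmp-type echoreq keep state
# SSH from anywhere; synproxy completes the TCP handshake in pf before the
# kernel's listener sees the connection.
pass in quick proto tcp from any to port 22 flags S/SA synproxy state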

Install Ports Collection

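# Initial download and extraction of the ports tree (about 470 MB on disk).
# portsnap checks the downloaded snapshot against the key fingerprint in
# /etc/portsnap.conf, so fetching over an untrusted network is fine.
# "fetch" occasionally needs a retry when a mirror times out.
portsnap fetch extract

# Keep the snapshot fresh from root's crontab. The "cron" subcommand sleeps a
# random delay (up to an hour) before fetching so mirrors are not hit on the
# hour. Example entry:
#   0 3 * * * /usr/sbin/portsnap cron
# Fetching only downloads the snapshot; /usr/ports is NOT touched until you
# run "update".

# Whenever you want to bring /usr/ports up to the latest snapshot
# ("update" alone applies what was already fetched; pairing it with "fetch"
# is always safe):
portsnap fetch update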

# NOTE: you may need to run the fetch command a couple of times

Install Portaudit

portaudit installs a periodic(8) security job that refreshes its vulnerability database daily and mails root a list of installed ports with known vulnerabilities.

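# portaudit checks installed ports against the FreeBSD VuXML vulnerability
# database. Installing it also adds a daily periodic(8) security job that
# refreshes the database and reports affected packages to root.
cd /usr/ports/ports-mgmt/portaudit && make install clean
# Don't wait for the first periodic run: fetch the database (-F), print its
# creation date (-d) and audit everything installed right now (-a).
portaudit -Fda
# (On pkg(8)-based releases the equivalent is "pkg audit -F".)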

Setup NTP

Nice to have our clocks in sync.

rc.conf:

# Start ntpd(8) at boot; servers and access restrictions live in /etc/ntp.conf.
ntpd_enable="YES"

/etc/ntp.conf:

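logfile /var/log/ntpd.log

# Use the FreeBSD vendor zone of the NTP pool rather than Debian's.
server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst
server 2.freebsd.pool.ntp.org iburst
server 3.freebsd.pool.ntp.org iburst

# Default-deny for everyone else: no mode-6/7 control queries (the ntpdc
# "monlist" amplification and information-leak vector), no runtime
# reconfiguration, no unsolicited peering. "kod" answers abusive clients with
# a kiss-o'-death packet. A lone "restrict 127.0.0.1" line (no flags) grants
# localhost everything and says nothing about the rest of the world, so ntpd
# would answer anyone the firewall lets through.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
# Full access (ntpq/ntpdc) from the local host only.
restrict 127.0.0.1
restrict -6 ::1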

Install useful applications

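# bash from ports (the port should register it in /etc/shells — check before
# you chsh(1) to it, or login will refuse the shell)
cd /usr/ports/shells/bash && make install clean

# PostgreSQL 8.3 CLIENT only. Build the client first so that
# postgresql-contrib is satisfied by the 8.3 client instead of pulling in a
# different PostgreSQL version as a dependency.
cd /usr/ports/databases/postgresql83-client && make install clean
# The original transcript ran only "make" here (built but never installed);
# "make install clean" is presumably what was intended.
cd /usr/ports/databases/postgresql-contrib && make install clean

# PHP 5 and its extensions meta-port. NOTE: PHP 5.x is long end-of-life and
# receives no security fixes; on anything you still maintain, use a supported
# PHP branch instead.
cd /usr/ports/lang/php5 && make install clean
cd /usr/ports/lang/php5-extensions && make install clean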

Regular patching & maintenance commands

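# What is installed, and which ports are behind the tree.
pkg_info          # all installed packages
pkg_version -v    # version vs. ports tree: "<" means an update is available
# Refresh the ports tree. "update" alone only applies an already-fetched
# snapshot and downloads nothing, so pair it with "fetch".
portsnap fetch update
# Refresh the vulnerability database (-F), then report affected installed
# ports (-a). Do this BEFORE upgrading so you know which updates are
# security fixes.
portaudit -Fda
# Read /usr/ports/UPDATING first: it lists manual steps some upgrades need.
less /usr/ports/UPDATING
# portmaster upgrades everything that is out of date: -a all ports, -b keep a
# backup package of each old version (lets you roll back), -d delete stale
# distfiles. (portmanager works too, but is very slow.)
portmaster -a -b -d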

Networking Commands

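# Add a secondary address to an interface (/32 for an alias on the same subnet).
ifconfig em1 alias <NEW_IP> netmask 255.255.255.255

# Remove an alias.
ifconfig em1 inet 40.8.17.8 -alias

# Listening sockets only (-l): this is the "what is exposed to the network" view.
sockstat -l
# Every open socket, including established connections.
sockstat

# Re-read rc.conf for interfaces and routes. Both drop traffic briefly — do
# this from the serial console, not over the SSH session you are about to cut.
/etc/rc.d/netif restart
/etc/rc.d/routing restart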

# pfctl -nf /etc/pf.conf     Parse the ruleset WITHOUT loading it. Run this before
#                            every reload; a syntax error is rejected and the old
#                            rules stay, but a syntactically valid mistake can still
#                            lock you out of a remote box — keep a console session open.
# pfctl -f /etc/pf.conf      Load the ruleset
# pfctl -sn                 Show the current NAT rules
# pfctl -sr                 Show the current filter rules
# pfctl -ss                 Show the current state table
# pfctl -si                 Show filter stats and counters
# pfctl -sa                 Show EVERYTHING it can show
# tcpdump -n -e -ttt -i pflog0   Watch what the "log" rules are dropping

Example of a more complex PF ruleset (/etc/pf.conf): a host with a public and an internal interface, where only the office address may reach SSH/HTTP/HTTPS from outside.

#-------------------------------
# macros
#-------------------------------
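#-------------------------------
# macros
#-------------------------------
office="8.1.2.1"
# NOTE(review): $int_nw is not used by any rule below. It could tighten the
# INTERNAL rules ("from $int_nw"), but rc.conf above puts the internal
# interface on 10.0.0.0/8, not 192.168.0.0/16 — reconcile that before using it.
int_nw="192.168.0.0/16"
ext_if="fxp1"
int_if="fxp0"
icmp_types="echoreq"
office_tcp_ports="{ 22, 80, 443 }"

#-------------------------------
# options
#-------------------------------
set skip on lo
# "drop" (the default) silently discards; "return" sends RST / ICMP unreachable,
# which is friendlier for the office but tells scanners the host is alive.
#set block-policy return
#set block-policy drop

#-------------------------------
# scrub
#-------------------------------
scrub in all

#-------------------------------
# filter
#-------------------------------
# pf evaluates every rule and the LAST match wins unless a rule is "quick".
# Block rules are kept at the top so the pass rules below win by position,
# not only because they happen to be "quick".

# COMMON
# Default deny inbound, unlogged.
block in
# LOGGING: SSH attempts that no pass rule below accepts end up here, on pflog0.
# Placed directly after the default deny so it works by position; if it were
# the last rule it would only be correct because every pass rule for port 22
# is "quick".
block in log inet proto tcp to port 22
# Explicit keep state: the default on pf >= OpenBSD 4.1 / FreeBSD 7, not before.
pass out keep state
antispoof quick for { lo $int_if }
# Ping only; ICMP errors belonging to an existing connection are matched by
# that connection's state.
pass in inet proto icmp all icmp-type $icmp_types keep state

# EXTERNAL PUBLIC services
# (commented out — enable once a web server is actually listening)
#pass in on $ext_if inet proto tcp from any to ($ext_if) port 80 flags S/SA synproxy state

# EXTERNAL RESTRICTED services
# Office address only. "($ext_if)" in parentheses re-reads the interface
# address at evaluation time, so an address change needs no ruleset reload.
pass in quick on $ext_if inet proto tcp from $office to ($ext_if) port $office_tcp_ports flags S/SA keep state

# INTERNAL PUBLIC services
pass in quick on $int_if inet proto tcp to ($int_if) port 22 flags S/SA keep state

# INTERNAL RESTRICTED services
# (none yet)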