[ SDF Public Access UNIX System .. Est. 1987 ]

join welcome faq status members store tour gopher abuse dialup minecraft
social tilde europa webmail gallery usermap irc tutorials telnet git ssh

FreeBSD Setup and Configuration

User Accounts

After your FreeBSD image has been installed and started, connect to the console and log-in as user root with the default password root.

Change the root password using the passwd command. There is no way to recover this password. Don't lose it.

It's standard practice to create a regular user account for general use, using su to acquire root privileges as needed. Create a regular user account with the command adduser, following the setup prompts to create the user. Adding the user to the wheel group during setup will place them in the default administrative group.

If adduser gives a warning that the user "disappeared during update", check the following:

Once the default directory and the symlink are present, run:


    $ /usr/sbin/pwd_mkdb -p /etc/master.password    # sync the databases
    $ rmuser <username>                       # Remove partial user

Run adduser again to create the new user.

Networking

Take note of the HOSTNAME and EXTERNAL_IP from the first line of your vps control panel.



VPS Maintenance Shell for freebsd99 (205.166.94.nnn)
                          ---------  --------------
                          ^          ^
                          |          |
                          |          EXTERNAL_IP
                          HOSTNAME


Open /etc/rc.conf in an editor and make sure that the following lines are present, replacing HOSTNAME and EXTERNAL_IP with the correct values.


    hostname="HOSTNAME"
    ifconfig_xn0="inet EXTERNAL_IP netmask 255.255.255.0"
    defaultrouter="205.166.94.1"

Inspect /etc/resolv.conf and insure that the name server is set to 205.166.94.24.

Run service netif restart && service routing restart to restart network services.

Package Management

FreeBSD uses pkg as a package manager. It can be initialized by running pkg bootstrap -f.

pkg use the "quarterly" repository by default. If you would like to use the "latest" repository do the following:


    $ cp /etc/pkg/FreeBSD.conf /usr/local/etc/pkg/repos/FreeBSD.conf

    # In /usr/local/etc/pkg/repos/FreeBSD.conf change the source of 
    # the repository

    FreeBSD: {
    ...
      url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest"
    ...
    }

    # Update all

    $ pkg update -f

System Time

Timezone files are found in /usr/share/zoneinfo. Once you've located the correct zone file, set it as the system time using:


    ln -sf /usr/share/zoneinfo/America/Chicago /etc/localtime

FreeBSD can be prone to clock skew so it's best to setup NTP at this time.


    $ pkg install ca_root_nss           # Make sure certs are up to date.
    $ sysrc ntpd_enable="YES"           # Enable the ntpd service.
    $ sysrc ntpd_sync_on_start="YES"    # Set ntpd to sync during boot.
    $ service ntpd fetch                # Update the leapseconds file.
    $ ntpd -gq                          # Force an update of the system time.
    $ service ntpd start                # Start the service.

If ntpd fails to start with a warning about unknown users or groups run /usr/sbin/pwd_mkdb -p /etc/master.passwd and then retry the previous command.

System Update

The initial FreeBSD image is version 14.0. To upgrade to a newer version run:


    $ freebsd-update -r RELEASE_NAME upgrade

    # This process will take a while, be patient. Answer "yes" to any prompts.
    # When the upgrade configuration is done, run:

    $ freebsd-update install

    # Again, answer "yes" to all the prompts. It will be slow. Be patient and
    # reboot when instructed.

Once the upgrade is complete, clean up the files with find /var/db/freebsd-update/files -type f -exec rm -f {} \; .

Hardening

FreeBSD comes with a few system hardening options which are typically set during install. To check / update those options, run /usr/libexec/bsdinstall/hardening and reboot as needed.

Addiional options can be added to /etc/sysctl.conf. A common configuration might look like this:


    security.bsd.see_other_uids=0
    security.bsd.see_other_gids=0
    security.bsd.see_jail_proc=0
    security.bsd.unprivileged_read_msgbuf=0
    kern.randompid=107
    net.inet.ip.random_id=1
    net.inet.ip.redirect=0
    net.inet.tcp.always_keepalive=0
    net.inet.tcp.blackhole=2
    net.inet.udp.blackhole=1
    net.inet.tcp.path_mtu_discovery=0
    net.inet.icmp.drop_redirect=1
    hw.mds_disable=3
    hw.spec_store_bypass_disable=1
    kern.elf64.allow_wx=0
    security.bsd.allow_destructive_dtrace=0
    hw.ibrs_disable=1
    kern.elf32.aslr.enable=1
    kern.elf32.aslr.pie_enable=1

Kernel security levels are best set in /etc/rc.conf so they don't interfere with running any services. Information on the different security levels can be found in the FreeBSD man pages section on security. To enable kernel security in /etc/rc.conf add the following:


    kern_securelevel_enable="YES"
    kern_securelevel="1" 

SSH Setup

The default image comes with SSH turned off. To turn it on edit /etc/rc.conf and set sshd_enable="YES".

It's best to turn off root SSH login by setting PermitRootLogin no in /etc/ssh/sshd_config. You may also want to consider setting Port to a non-standard port number.

SSH Public Key Authentication

Follow these instructions to create and add a public SSH key to your FreeBSD install. Once done and confirmed working you may disable password based SSH-login by setting UsePasswordAuthentication no in /etc/ssh/sshd_config.

$Id: VPS_FreeBSD.html,v 1.7 2024/03/26 11:31:04 dnielsen Exp $

©1987-2065 SDF Public Access UNIX System, Inc. 501(c)(7)
(this page was generated using ksh, sed and awk)