Post-Installation Questions

goosed · #1 January 18th, 2009, 23:02

Hi all, I just have some basic 'noobish' questions about the configuration of BSD. I have recently switched from 5.5 to 7.1 when a friend explained to me that I was "wayyyy" behind. So the initial install is complete, and I wanted to be sure I was taking proper steps in the post-configuration.

I was using cvsup in my older release, and have since switched to portsnap. I created a cron job for portsnap, and did the same for portupgrade and portaudit. Are there any other important things that I should do?

Thanks for any info you can provide.

anomie · #2 January 19th, 2009, 00:05

A cronjob for portaudit is not necessary. The portaudit port installs a periodic script that can be enabled by adding daily_status_security_portaudit_enable="yes" to /etc/periodic.conf. (I can't remember if it is enabled by default.)

Also, I don't recommend automatically upgrading your packages. It would be better to upgrade only the ones you want, as needed (and after reading /usr/ports/UPDATING).

What is your goal for this FBSD box? That might make it easier to give advice on what to do next...

goosed · #3 January 19th, 2009, 03:52

Thanks for the reply anomie. My goal is to learn more on BSD and just to basically have a better understanding of it. My last BSD box ran Nagios, so it was mainly utilized for network monitoring. But essentially just to have a better understanding of how to baseline manage BSD. I know that may be a vague answer, but I hope it helps.

anomie · #4 January 19th, 2009, 06:52

For any OS, I also compose and document a baseline. There are a number of things I do following any FreeBSD installation, but here are a couple to get you started.

I check in (to RCS) config files I will be modifying.

I add the following to /etc/sysctl.conf:

Code:

kern.coredump=0    # turn off core dumps
net.inet.tcp.blackhole=2 # see man blackhole(4)
net.inet.udp.blackhole=1

I modify /etc/ttys so that console is marked "insecure".
I install the ports: portmaster / portaudit / screen.
I put a ports supfile and source supfile in /root.
I enable ntpd (after modifying /etc/ntp.conf).
I put syslogd in secure mode in /etc/rc.conf:
Code:
```
syslogd_flags="-ss"
```
I set up /etc/mail/aliases to point root's mail to a 'net address.
I configure the AllowUsers directive in sshd_config.
etc. etc. etc.

You get the idea. There are some hardening steps and some ease of package management steps I follow. Set up a server (more than once if you have to) and document your baseline.

goosed · #5 January 19th, 2009, 07:52

Nice anomie. That's exactly what I've been looking for.

Right now my BSD server is running on my ESX server, so I've been able to create good images of it for base lining, testing, etc.

If you have any more hardening steps, please let me know. Thanks!

anomie · #6 January 20th, 2009, 00:13

Quote:

Originally Posted by goosed

If you have any more hardening steps, please let me know. Thanks!

On the general topic of FreeBSD hardening, I can give you two more suggestions:

Read the security(7) manpages. This covers a lot of territory.
Pick up the book Mastering FreeBSD and OpenBSD Security. I wrote a short review of it here if you're interested.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
[Solved] Answering questions in the forum	cliedo	Off-Topic	6	March 9th, 2009 07:56
Questions on cvsup, tags, and such	tgphelps	Installing & Upgrading	5	January 16th, 2009 00:27
Archlinux user want to give FreeBSD a try and has some questions	Army	System Hardware	27	January 9th, 2009 14:38
ipfw questions	miketodd	General	1	January 6th, 2009 00:44
Remove components post-installation	edogawaconan	General	3	December 26th, 2008 05:30

The Following 2 Users Say Thank You to anomie For This Useful Post:
goosed (January 19th, 2009), paulfrottawa (February 4th, 2009)