Thoughts on this mainstream after-install guide

[Phishfry]

I came across this after-install guide and I now feel with intermidiate level skills I feel I can rightly critique it.
https://www.tecmint.com/things-to-do-after-installing-freebsd/
This guide is 10 months old.
My beef starts with:
#2) Install Nano and bash. Terrible advice. Neither is needed or desired.

#7) Configure your interface as static IP and defaultrouter="192.168.1.1". Why would the average user override the dhcp server?
If you want a fixed IP on a dhcp network use a static dhcp lease on the dhcp server.

#8) Configure /etc/resolv.conf. This is outdated. /etc/resolv.conf is automatically populated by the resolvconf service.
resolvconf(8)

 

[balanga]

My beef starts with:
#2) Install Nano and bash. Terrible advice. Neither is needed or desired.

If someone is coming to FreeBSD from Linux those two programs may be like crutches in an unknown world. Learning a new editor is always a PITA, I hate vi() - can never remember how to cut 'n paste, and 95% of my editing/viewing is done using mcedit, part of mc(). I think nano() is the preferred editor on Linux.

 

[scottro]

Debian, and therefore, probably Ubuntu, use nano by default. RH based systems, (CentOS, Fedora) use vi.

The author is writing from their own experience, and it may be useful for someone coming from Ubuntu. As for bash, I prefer it. I don't like csh for scripting, am quite used to bash, don't need the features of zsh and find sh somewhat limited. If someone that I haven't met and probably never will meet on the Internet thinks I'm a jerk for preferring bash, having been married more than once, I suspect I'll be able to accept their abuse.

 

[Criosphinx]

Installing nano and bash is a question of preferences.

Look at #3

"open SSH main configuration file and update the line PermitRootLogin from no to yes as illustrated in the below screenshot."

That is terrible advice!

 

[gnath]

I linux nano is poor man editor like ee in FreeBsd.

 

[obsigna]

Installing nano and bash is a question of preferences.

Look at #3

"open SSH main configuration file and update the line PermitRootLogin from no to yes as illustrated in the below screenshot."

That is terrible advice!

Why again is this terrible?

 

[scottro]

If you look at your logs, you'll see that many people will try to log into your machine as root. If, by some chance, they guess your root password, they will have complete control of your machine.

It's better to have a user who can su or use sudo or doas to gain root access. Granted, if they get that user's password they can still reach as root, but first they have to guess the user's name, then their password, whereas with root, they already know the name.

 

[obsigna]

If you look at your logs, you'll see that many people will try to log into your machine as root. If, by some chance, they guess your root password, they will have complete control of your machine.

It's better to have a user who can su or use sudo or doas to gain root access. Granted, if they get that user's password they can still reach as root, but first they have to guess the user's name, then their password, whereas with root, they already know the name.

OK, I only wanted to be sure that this is the only reason. For this, I got a more effective mitigation to bots trying to connect via ssh as root:
1. I run sshd on a non-standard port -> besides my logins, the logs are empty
2. The root password got 24 chars - if I shall remember a 12 char user and a 12 char root password, so I may remember both joined together as well.

In addition I got in sshd_config:
AllowUsers root toor

 

[ShelLuser]

Definitely a blog written by someone coming from Linux.

And someone who seems to have very little notion of anything related to security. Not the kind of blog which advice I would follow.

#2 - Small nitpicking on my end but this will become more important later: vi is the default editor on FreeBSD, not ee. But this advice is incomplete, which sets the tone for the entire blog.

#3 & #4 - This is the kind of advice from a total idiot, pardon the expression. Allowing remote root logins and then calling it "secure SSH on FreeBSD" is a bad joke not to mention bad advice. Then adding insult to injury to suggest that people use keybased authentication yet without passwords and without disabling password logins is a recipe for total disaster. This is just utterly stupid.

At the very least use (strong) passwords on the keys, disable password protection in /etc/sshd_config entirely and if you still insist on allowing direct root logons (dumb, dumb, dumb!) then at least change the SSH port from 22 (= commonly known target) to something else.

Another reason why I think the writer is an idiot?

#6 - Although he fortunately understands that you shouldn't edit /etc/passwd manually but instead should use the chpass command he apparently still thinks that this method will always use vi. Why did he install editors/nano if he isn't going to use it? Maybe because he doesn't know how to? And to add onto #2: if ee is the alleged default editor in FreeBSD then why is vi started here?

So to address #2 and #6: What you do is also set the EDITOR environment variable and point that to the editor of your preference. After that it will be used as default by the system. So even a command such as vipw will open /etc/passwd with your preferred editor, not vi.

In addition I personally recommend not changing the root shell to anything else. Why would you need to make the usage of the root account "easier" when this is an account which is best not used casually anyway? Not to mention that csh is a much better shell for interactive purposes than the others are.

#7 - Should at least have mentioned that if you're using a DHCP setup then setting up a static IP address is not a good idea. Especially not if you're using an address in the DHCP range. Why? Simple: all the DHCP server will know is that you didn't apply for a lease, so the lease to your IP address is still open.

Meaning that if more people start to use your network (who most likely will use DHCP) there's now a potential chance for 2 clients to start using the same IP address. You with your static address and someone else who got your address through a lease.

Great thinking here (not!).

Anyway, the rest is pretty mediocre advice and stuff I personally wouldn't bother mentioning as stuff to do after an installation. #8 to #10 can be easily exchanged with: also pay some attention to the FreeBSD handbook.

(edit): Re-reading I'm actually surprised that they didn't advice the readers to pick and set up a firewall. Something which I'd deem pretty important, and considering that FreeBSD provides 3 it's not an obvious choice to make.

Not the kind of blog I'd soon advice people to read. If they're this bad with the topic of FreeBSD then I can only shudder at thinking about the quality of the other stuff.

(edit2): Disclaimer: I'm expressing a very critical opinion about the blog author in a rather direct way. That's not because the author apparently doesn't know several aspects about FreeBSD administration, but more so because he presents it as if he does. Worse yet: while the target audience are obviously less experienced admins. That's just bad.

 

[ShelLuser]

1. I run sshd on a non-standard port -> besides my logins, the logs are empty
2. The root password got 24 chars - if I shall remember a 12 char user and a 12 char root password, so I may remember both joined together as well.

First... using a different port helps but only for so much. If you still leave it open then it's also easily found using a portscan.

You found nothing in your log. Here's hoping that's because there were no login attempts instead of people exploiting a flaw to circumvent all that.

Allowing root to log on directly is a horrible idea for a multitude of reasons. Summing up: no matter what you do it will always be a security risk which simply isn't worth taking. As mentioned: one flaw in the daemon could be enough for people to get direct root access on your system, and that's where everything will stop.

 

[scottro]

I didn't read the article, but if they said change the root shell to bash, I would definitely disagree STRONGLY. I have an old post on that on daemon forums, that I'm too lazy to find right now. I thought you meant use bash as the shell for a normal user.'

A quick glance through the article indicates that they don't advocate changing root's shell, that's a good thing.

 

[ralphbsz]

If an experienced administrator, who knows what they are doing and has evaluated the pros and cons, wants to do something like make bash the default shell (for root even), or install and use nano, or allow root login via ssh, or make the root password the empty string, that's perfectly acceptable. There are situations where all of these things apply. Some of these situations are rare, and most of them don't apply to typical end-user desktop machines with open connections to the worldwide internet.

But the problem here is that the writer of the original blog post is clearly not "an experienced administrator who knows what they are doing".

P.S. The machine with no root password is at my house. It's a RPi3 sitting on the work bench, without any network connection. To log into it, you have to site down, turn the power on, and use the keyboard and screen. I'm too lazy to set up any passwords or accounts on it, because the current OS setup is likely to be wiped soon. If a hacker has gained access the the machine, they have also broken into my house, and there are much worse things to worry about than hacking into a tiny little prototype that is intended to monitor battery voltages.

 

[Phishfry]

If someone is coming to FreeBSD from Linux those two programs may be like crutches in an unknown world.

I disagree. I used this silly splint when I started and I wish I had never wasted my time.
Truth is if you can't figure out ee you shouldn't be using FreeBSD.
You think vi is hard try ed.

I used Nano in the beginning, I found it totally hamstrung me if my ethernet connect was not working correctly.
With no pkg I was lost. No editor because no internet. How stupid of me. Use what is in front of you.

My advice, Learn any base editor right from the beginning. Otherwise you end up writing guides like the above.

 

[balanga]

Truth is if you can't figure out ee you shouldn't be using FreeBSD.

Bit elitist don't you think?

 

[scottro]

I do remember how I learned (the basics) of vi. It was my first IT job and I knew pico (which I think was the predecessor of nano). My boss asked me to do something on the AIX box. I logged in and typed pico <filename> and got pico not found. I said, they don't have pico on there. He said, you don't know how to use vi? Nevermind, I 'll do it.
That night I went home and got enough vi basics to be able to use it.

I would agree that one should definitely learn enough vi or ee to get around--I think vi is best because it's going to be on almost any system, though Debian's default is nano, and I think the early Gentoo didn't come with vi either. (Don't know if it does now). I think ee is a FreeBSD only thing, so vi would be more useful.

I would have to argue the statement if you can't do this or that, don't use FreeBSD. One has to start somewhere, and some of us pick up things more quickly than others. I'm of the attitude that anything worth doing is worth doing badly. I did martial arts, despite being clumsy, and while I was never very good, it probably made me a bit less clumsy, and if I'd had the attitude if I can't do this, I shouldn't even try, I would be even clumsier.