Post-Installation Questions

Installing and upgrading FreeBSD.

Postby goosed » 18 Jan 2009, 22:02

Hi all, I just have some basic 'noobish' questions about the configuration of BSD. I have recently switched from 5.5 to 7.1 when a friend explained to me that I was "wayyyy" behind. So the initial install is complete, and I wanted to be sure I was taking proper steps in the post-configuration.

I was using cvsup in my older release, and have since switched to portsnap. I created a cron job for portsnap, and did the same for portupgrade and portaudit. Are there any other important things that I should do?

Thanks for any info you can provide.
goosed
Junior Member
 
Posts: 23
Joined: 11 Jan 2009, 04:45
Location: South Carolina

Postby anomie » 18 Jan 2009, 23:05

A cronjob for portaudit is not necessary. The portaudit port installs a periodic script that can be enabled by adding daily_status_security_portaudit_enable="yes" to /etc/periodic.conf. (I can't remember if it is enabled by default.)

Also, I don't recommend automatically upgrading your packages. It would be better to upgrade only the ones you want, as needed (and after reading /usr/ports/UPDATING).

What is your goal for this FBSD box? That might make it easier to give advice on what to do next...
anomie
Member
 
Posts: 783
Joined: 17 Nov 2008, 04:37
Location: Texas

Postby goosed » 19 Jan 2009, 02:52

Thanks for the reply anomie. My goal is to learn more on BSD and just to basically have a better understanding of it. My last BSD box ran Nagios, so it was mainly utilized for network monitoring. But essentially just to have a better understanding of how to baseline manage BSD. I know that may be a vague answer, but I hope it helps.
goosed
Junior Member
 
Posts: 23
Joined: 11 Jan 2009, 04:45
Location: South Carolina

Postby anomie » 19 Jan 2009, 05:52

For any OS, I also compose and document a baseline. There are a number of things I do following any FreeBSD installation, but here are a couple to get you started.
  • I check in (to RCS) config files I will be modifying.
  • I add the following to /etc/sysctl.conf:
    kern.coredump=0    # turn off core dumps
    net.inet.tcp.blackhole=2 # see man blackhole(4)
    net.inet.udp.blackhole=1
  • I modify /etc/ttys so that console is marked "insecure".
  • I install the ports: portmaster / portaudit / screen.
  • I put a ports supfile and source supfile in /root.
  • I enable ntpd (after modifying /etc/ntp.conf).
  • I put syslogd in secure mode in /etc/rc.conf:
    syslogd_flags="-ss"
  • I set up /etc/mail/aliases to point root's mail to a 'net address.
  • I configure the AllowUsers directive in sshd_config.
  • etc. etc. etc.

You get the idea. There are some hardening steps and some ease of package management steps I follow. Set up a server (more than once if you have to) and document your baseline.
anomie
Member
 
Posts: 783
Joined: 17 Nov 2008, 04:37
Location: Texas
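The checklist above is easy to drift away from on a box that gets rebuilt or cloned often. As an added example (not code from this thread or from FreeBSD itself), here is a POSIX sh script that verifies four of the listed settings by reading the relevant config files: the three sysctl.conf values, syslogd_flags="-ss" in rc.conf, the console line in ttys(5) marked insecure, and a live AllowUsers directive in sshd_config. The file paths, the function names and the sample file contents are assumptions constructed for the example; on a real host the checks would be pointed at /etc/sysctl.conf, /etc/rc.conf, /etc/ttys and /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Baseline verification (added example, not from the forum post).
# Every check takes a file path as $1 and returns 0 when the setting
# matches the baseline, 1 (with a short message) when it does not.

# Drop comments and blank lines so commented-out directives do not count.
strip_comments() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1"
}

# sysctl.conf: every key in the baseline must be set to the expected value.
# The last assignment wins, as sysctl(8) applies the file top to bottom.
check_sysctl_conf() {
    for want in kern.coredump=0 net.inet.tcp.blackhole=2 net.inet.udp.blackhole=1; do
        key=${want%%=*}
        val=${want#*=}
        esc=$(printf '%s' "$key" | sed 's/\./\\./g')   # literal dots in the regex
        got=$(strip_comments "$1" \
            | sed -n "s/^[[:space:]]*$esc[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" \
            | tail -n 1)
        [ "$got" = "$val" ] || { echo "sysctl.conf: $key is '${got:-unset}', want $val"; return 1; }
    done
}

# rc.conf: syslogd must run with -ss (no network socket opened at all).
check_syslogd_flags() {
    flags=$(strip_comments "$1" \
        | sed -n 's/^[[:space:]]*syslogd_flags="\{0,1\}\([^"]*\)"\{0,1\}.*/\1/p' \
        | tail -n 1)
    case " $flags " in
        *" -ss "*) return 0 ;;
        *) echo "rc.conf: syslogd_flags='$flags', want -ss"; return 1 ;;
    esac
}

# ttys(5): the console entry must carry the "insecure" keyword, so that
# single-user mode prompts for the root password.
check_console_insecure() {
    status=$(strip_comments "$1" | awk '$1 == "console" { print $NF }' | tail -n 1)
    [ "$status" = "insecure" ] || { echo "ttys: console is '${status:-missing}', want insecure"; return 1; }
}

# sshd_config: an uncommented AllowUsers directive with at least one name.
check_allowusers() {
    users=$(strip_comments "$1" | awk 'tolower($1) == "allowusers" { $1 = ""; print }' | tail -n 1)
    users=$(printf '%s' "$users" | sed 's/^[[:space:]]*//')
    [ -n "$users" ] || { echo "sshd_config: no AllowUsers directive"; return 1; }
}

# Run all four checks against one directory of config files; 0 only if all pass.
run_baseline() {
    rc=0
    check_sysctl_conf "$1/sysctl.conf" || rc=1
    check_syslogd_flags "$1/rc.conf" || rc=1
    check_console_insecure "$1/ttys" || rc=1
    check_allowusers "$1/sshd_config" || rc=1
    return $rc
}

# Constructed sample files (assumption: these mirror the real file formats) so
# the script runs anywhere without touching /etc.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/sysctl.conf" <<'EOF'
kern.coredump=0    # turn off core dumps
net.inet.tcp.blackhole=2 # see man blackhole(4)
net.inet.udp.blackhole=1
EOF
cat > "$SAMPLE_DIR/rc.conf" <<'EOF'
hostname="baseline.example"
syslogd_flags="-ss"
ntpd_enable="YES"
EOF
cat > "$SAMPLE_DIR/ttys" <<'EOF'
# name  getty                           type    status          comments
console none                            unknown off insecure
ttyv0   "/usr/libexec/getty Pc"         xterm   on  secure
EOF
cat > "$SAMPLE_DIR/sshd_config" <<'EOF'
#AllowUsers admin
AllowUsers goosed
EOF
# A deliberately weak rc.conf for contrast: syslogd would still listen on the network.
cat > "$SAMPLE_DIR/rc.conf.weak" <<'EOF'
syslogd_flags=""
EOF

if run_baseline "$SAMPLE_DIR"; then
    echo "baseline OK: $SAMPLE_DIR"
fi
```

Running it on the constructed files prints "baseline OK"; pointing check_syslogd_flags at the weak rc.conf reports the missing -ss. The script only reads files, so it is safe to run from cron as part of the periodic documentation anomie describes, and a non-zero exit is the signal that the box has drifted from the baseline.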

Postby goosed » 19 Jan 2009, 06:52

Nice anomie. That's exactly what I've been looking for.

Right now my BSD server is running on my ESX server, so I've been able to create good images of it for baselining, testing, etc.

If you have any more hardening steps, please let me know. Thanks!
goosed
Junior Member
 
Posts: 23
Joined: 11 Jan 2009, 04:45
Location: South Carolina

Postby anomie » 19 Jan 2009, 23:13

goosed wrote: If you have any more hardening steps, please let me know. Thanks!

On the general topic of FreeBSD hardening, I can give you two more suggestions:
  • Read the security(7) manpages. This covers a lot of territory.
  • Pick up the book Mastering FreeBSD and OpenBSD Security. I wrote a short review of it here if you're interested.
anomie
Member
 
Posts: 783
Joined: 17 Nov 2008, 04:37
Location: Texas
