FreeBSD installing

Why FreeBSD? Well, I really like Linux a lot, but the lure of FreeBSD is probably its ports system. There's nothing like a fully fledged UNIX-alike which gives you ease of use with source code installs. OpenBSD does that as well, but FreeBSD seems to have better support for exotic hardware than any other UNIX. Not only that, but my UNIX-geek employers tend to like FreeBSD more than anything else.

These are some install notes for both FreeBSD 4.x and 5.x (which probably apply to 6.x as well). I tend to like making minimal custom installations of FreeBSD so I don't waste disk space.

(1) Custom installation options

Once you have selected [Choose Custom Installation Options] you get a special menu for selecting the various components of the install to go through. For one, you can change your editor in the options menu from /usr/bin/ee to /usr/bin/vi (use space to select the item to change; Q quits).

(2) Partitioning

Partitioning under FreeBSD isn't that bad. Unlike Linux, where you can spread partitions across a disk, FreeBSD has the concept of "slices". You create your slice as a partition and place "labels" inside it for your mount points.

FreeBSD has a number of booting options, but things can get a bit tricky if you have more than one hard disk on your machine, or you dual boot. FreeBSD has its own boot manager, but it pales in comparison to the likes of GRUB. If you have GRUB, edit grub.conf to enable it to boot into FreeBSD. If you stick with FreeBSD's booter, then expect that if you have two hard drives (not in RAID) you have to place the boot loader on both disks.

(3) Choosing distributions

When installing FreeBSD you are given a choice of distributions. Typically I like to install FreeBSD with the absolute bare minimum needed to get the server up and running. The more software installed, the greater the chance of a security risk (and the more work needed to maintain it).
Plus it's a waste of disk space (yes, I know hard disks are cheap these days, but we're talking SCSI drives here, and they're not that cheap). What I tend to do is choose the "Custom" distribution and then select the components I really need. These components differ between FreeBSD 4.x and 5.x:

4.x: bin, compat4x, crypto, info, man, catman, src, ports
5.x: base, compat4x, info, man, catman, src, ports, perl
6.x: base, info, man, catman, src, ports

Sometimes it's better to install PERL from ports rather than from packages (such as in cases where you need SUID PERL for qmail-scanner or something). In FreeBSD 6.x you have to do this by default. The current FreeBSD 6.0 does away with the compat custom options, and also the perl option, making for much more streamlined installs (but also meaning that you'll usually have to compile perl from ports). Naturally we want the ports collection for software installation, and the source code, because I typically install software from ports.

(4) Media

In most cases you'll be installing from CDROM. This may not always be the case, but it generally is. Unless you're rolling out a hundred servers en masse there's no real need to set up your own FTP server for installation. CVS servers are another matter however.

(5) Commit

Here you are asked for user confirmation. After this, your disks get wiped. Naturally you don't do an install on a server which has data you wish to keep. The installer only asks to make sure you aren't horribly drunk and to dodge responsibility for the wiping itself. So hit yes and get the install underway.

(6) Post install

Post install brings up another menu. We've still got important work to do here.

Root Password: Input the root password. Ever seen those "Bow down before me for I am root" T-shirts?

Console: It helps here to pick a screen saver and an alternative keymap (if you're in a country with its own keyboard layout).

Time Zone: Pick a country, any country (the one you're in, obviously!).
Mouse: Do you really need one for a remotely accessed server?

Networking: Set up your ethernet ports. Obviously very important if your box is connected to the net.

(7) Monitoring scripts

It's a hallmark of a unix system to have management and monitoring scripts working in the background to ensure that the system doesn't fall over in a forest without making a sound while you're enjoying your weekend. I have a few homemade ones on another web page. Some common scripts to run:

* System process monitoring
* Disk partition size monitoring (make sure your logs don't max out one of your file systems)
* NTP checking (make sure the drift doesn't drift off into the sunset)
* /var/log/messages checking (ensure there are no weird error messages)
* Backup scripts (keep backups of data for safekeeping; back up your logs for forensics)

For example:

# vi /etc/crontab
------------------------------------
0,30 * * * * root [ -x /usr/local/scripts/pro-check.sh ] && /usr/local/scripts/pro-check.sh

BASIC SETTINGS

(1) Logrotate

You can make a few extra setting changes in newsyslog to adjust how often logs are rotated. There's a method to this madness which I won't go into detail on. For example, here are some additions for rotating ipfilter's log:

# vi /etc/newsyslog.conf
------------------------------
/var/log/ipf/ipf.log 600 100 * @T00 Z /var/run/ipmon.pid

# cd /var/log
# mkdir ipf
# cd ipf
# touch ipf.log

Here's a stunt you can pull, by hiding /var/log/messages inside a directory:

# vi /etc/syslog.conf
--------------------------------
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages/messages

# cd /var/log
# rm messages
# mkdir messages
# cd messages
# touch messages

syslogd only picks up the new path once it re-reads its configuration (send it a HUP), so until then nothing lands in the new file.

(2) rc.conf

FreeBSD just wouldn't be FreeBSD without rc.conf. It contains some system start defaults that no self-respecting server should be without.
# vi /etc/rc.conf
------------------------------------
hostname="host.domain.com"
ifconfig_bge0="inet 192.168.1.1 media auto mediaopt full-duplex netmask 255.255.255.0"
defaultrouter="192.168.1.254"
kern_securelevel_enable="NO"
keymap="jp.106"
moused_enable="NO"
moused_type="NO"
nfs_reserved_port_only="YES"
saver="logo"
inetd_enable="NO"
sshd_enable="YES"
sshd_flags="-f /etc/ssh/sshd_config"
usbd_enable="YES"
sendmail_enable="NONE"
sendmail_flags="-bd"
sendmail_outbound_enable="NO"
sendmail_submit_enable="NO"
sendmail_msp_queue_enable="NO"
ntpdate_enable="YES"
ntpdate_flags="-s -b timeserver01.domain.com"
xntpd_enable="YES"
xntpd_flags="-c /etc/ntp.conf -p /var/run/ntpd.pid"
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipfilter_flags="-l nomatch"
ipmon_enable="YES"
ipmon_flags="-D /var/log/ipf/ipf.log"

(3) Setting up basic NTP (when you already have an NTP server at hand)

NTP is enabled in /etc/rc.conf (above). For this example the time servers are:

timeserver01.domain.com (192.168.1.20)
timeserver02.domain.com (192.168.1.21)

# vi /etc/ntp.conf
---------------------------------------------------------
driftfile /etc/ntp.drift
server 192.168.1.20 #timeserver01.domain.com
server 192.168.1.21 #timeserver02.domain.com
restrict default nomodify notrust ignore
restrict 127.0.0.1
restrict 192.168.1.20 mask 255.255.255.255
restrict 192.168.1.21 mask 255.255.255.255

That ensures that our time servers are used exclusively, without any other host being able to snoop on or modify our client's ntp settings.

(4) ssh settings

The three settings below are the most important. Disable protocol 1 (which is insecure thanks to our man in the middle). Also, we don't want root logging in over ssh. Root can go take a hike, unless he logs in as a normal user and uses sudo (but I'm getting ahead of myself).

# vi /etc/ssh/sshd_config
-------------------------
Protocol 2
PermitRootLogin no
PasswordAuthentication yes

(5) DNS settings

/etc/resolv.conf holds the information for where our server should make DNS queries.
It needs a DNS server, or lookups to www.google.com are going to fail wonderfully.

(6) resolv.conf

# vi /etc/resolv.conf
-------------------------------------------
domain domain.com
nameserver 192.168.1.30
nameserver 192.168.1.31

(7) ipfilter settings

Here's a sample ipfilter ruleset. I haven't got to the bit where I rebuild the kernel with ipfilter settings, so this won't work yet.

# vi /etc/ipf.rules
------------------------------
#pass out quick all
#pass in quick all
#I'm going to set the kernel with implicit deny, so accept all is here for testing.
block out all
block in all
#Pretty much log everything.
block in log quick from any to any with ipopts
block in log quick proto tcp from any to any with short
# LoopBack
pass in on lo0
pass out on lo0
# Set some groups up for inbound/outbound packets
pass out on bge0 all head 250
pass in on bge0 all head 200
#log everything plus kitchen sink (these block rules are not "quick", so a
#later "pass ... quick" in the same group still wins; anything not passed
#explicitly ends up blocked and logged)
block out log from 127.0.0.0/8 to any group 250
block out log from any to 127.0.0.0/8 group 250
block out log from any to 192.168.1.1/32 group 250
block out log from 192.168.1.1/32 to any group 250
block in log from 127.0.0.0/8 to any group 200
block in log from any to 127.0.0.0/8 group 200
block in log from 192.168.1.1/32 to any group 200
block in log from any to 192.168.1.1/32 group 200
# Port 113 is the ident service: reject it with an RST rather than dropping it
# silently, so remote servers don't hang waiting for an ident reply
block return-rst in log quick proto tcp from any to any port = 113 group 200
block in log quick proto udp from any to any port = 113 group 200
# out -> in: any TCP segment with ACK set is let back in as reply traffic;
# "keep state" on the outbound rules is tighter than this flag check
pass in quick proto tcp all flags A/A group 200
# allow icmp pings (or not, up to you)
pass in quick proto icmp all icmp-type 8 keep state group 200
# allow our management at 192.168.0.0/24 to use ssh only
pass in quick proto tcp from 192.168.0.0/24 to 192.168.1.1/32 port = 22 flags S/SA group 200
# allow cvs updates from our cvsup server
pass in quick proto tcp from 192.168.0.0/16 to 192.168.1.100/32 port = 5999 keep state group 200
# This line is needed for outgoing FTP access
pass in quick proto tcp from any to 192.168.1.1/32 port = 20 flags S keep state group 200
# in -> out
pass out quick proto tcp all flags A/A group 250
pass out quick proto icmp all icmp-type 8 keep state group 250
pass out quick proto tcp from 192.168.1.1/32 to 192.168.0.0/24 port = 22 keep state group 250
#Here is a line that allows our server to send system mail to our
#fictitious mail server at 192.168.1.50
pass out quick proto tcp from 192.168.1.1/32 to 192.168.1.50/32 port = 25 keep state group 250
#allow access out to our DNS servers (the nameservers listed in /etc/resolv.conf;
#if these addresses don't match, every lookup silently fails under "block out all")
pass out quick proto udp from 192.168.1.1/32 to 192.168.1.30/32 port = 53 keep state group 250
pass out quick proto udp from 192.168.1.1/32 to 192.168.1.31/32 port = 53 keep state group 250
#allow ntp updates from anywhere we ask in ntp.conf
pass out quick proto udp from 192.168.1.1/32 to any port = 123 keep state group 250
#allow us to update source and ports from cvs
pass out quick proto tcp from 192.168.1.1/32 to any port = 5999 keep state group 250
# for outgoing FTP access
pass out quick proto tcp from 192.168.1.1/32 to any port = 21 flags S keep state group 250
pass out quick proto tcp from 192.168.1.1/32 to any port > 1024 flags S keep state group 250
# for HTML access
pass out quick proto tcp from 192.168.1.1/32 to any port = 80 flags S keep state group 250

Installing typical server management software

(1) make.conf

First, before we install any software or update the kernel to the latest patch release, we need to create make.conf in /etc. There is a template for this in a defaults directory. Where this directory is depends on your version of FreeBSD:

# cp /etc/defaults/make.conf /etc

or in the case of FreeBSD 5.x, I think it's at:

# cp /usr/share/examples/defaults/etc/make.conf /etc

You need to edit make.conf:

# vi /etc/make.conf

It helps to uncomment CFLAGS and COPTFLAGS for extra compile optimizations. I've never encountered problems doing this.

USA_RESIDENT=NO

I don't live in the US, thank you very much.
NOPROFILE=true

We don't require games on a production server, unless you intend to play nethack on it (not a good idea if you want to keep your job).

NOGAMES=true

(2) cvsup

We need cvsup in order to sync our ports collection and system source code with the FreeBSD mirrors. This is vitally important because we may need to upgrade software packages, or even the whole base operating system, in response to security vulnerabilities.

First, since we already installed the ports tree during the install, we get cvsup from it. Ports are great considering that manually compiling source code is not always a simple affair. You will see eventually.

# cd /usr/ports/net/cvsup-without-gui
# make install
# make clean
# rehash

Note that we need the above "rehash" command if we want to be able to use cvsup immediately after installing it. The shell won't be able to find it in its PATH until its command hash table gets updated. You could easily log out and back in again to get the same effect (but of course, that's more time consuming).

Cvsup creates a few sample configuration files, so we'll move them to where we can use them.

# mkdir /usr/local/etc/cvsup
# cd /usr/share/examples/cvsup
# cp -p ports-supfile stable-supfile /usr/local/etc/cvsup
# cd /usr/local/etc/cvsup/

There are two cvsup files that interest us: stable-supfile (for kernel and system code updates), and ports-supfile (for updating the ports collection data).

Here's the part where we adjust the config files to pull sources from the cvsup mirror we have selected. You can find a list of mirrors on the FreeBSD web page. Setting ports is relatively easy.

# vi ports-supfile
------------------------------------
*default host=cvsup.FreeBSD.somewhere
*default base=/usr/local/etc/cvsup

Make sure that you set "ports-all" further down in the configuration. I guess if we really wanted to be pedantic we could remove port information for games, and all the foreign language ports. I can't be bothered.
There's not much to gain from doing so (disk space is cheap these days).

Here's where we set the source tree information. The most important thing to set here is the cvs tag. It should correspond to the version of FreeBSD that we are running. You could always set it to RELENG_4 in this case to ensure you get the latest in the 4.x tree. I usually only change this setting when I'm preparing a minor version upgrade.

# vi /usr/local/etc/cvsup/stable-supfile
------------------------------------
*default host=cvs02.domain.com
*default base=/usr/local/etc/cvsup
*default release=cvs tag=RELENG_4_11

Make sure you select src-all too.

Updating the ports and sources

Just do the following and the ports collection and source tree get an update from a cvs server.

# cvsup -g -L 2 ./ports-supfile
# cvsup -g -L 2 ./stable-supfile

You can place these commands in cron so that your source and ports tree get updated regularly.

# vi /etc/crontab
------------------------------------
0 1 * * * root /usr/local/bin/cvsup -g -L 2 /usr/local/etc/cvsup/stable-supfile
0 2 * * * root /usr/local/bin/cvsup -g -L 2 /usr/local/etc/cvsup/ports-supfile
0 3 * * * root /usr/local/sbin/portsdb -Uu

Also note that there are options in the make.conf file where you can add SUP information. Doing this in make.conf will allow you to update the source tree and ports collection with a simple "make update" from /usr/src.

Recompiling the kernel

First, we want to try modifying the kernel so we get more functionality out of it. In this case, the ip packet filter. First back up the GENERIC configuration.

# cd /usr/src/sys/i386/conf
# cp GENERIC IP-FILTER
# vi IP-FILTER

Make the following changes. First, change the kernel name from

ident GENERIC

to

ident IP-FILTER

Add the following options for ip filtering in the kernel:

options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN
options IPFILTER #ipfilter support
options IPFILTER_LOG #ipfilter logging
options IPFILTER_DEFAULT_BLOCK #block all packets by default

You can also add SMP functionality.
The following line adds it to a 5.x kernel:

options SMP #SMP

There are some options you can remove. For example, you can remove some of the old architectures (i386, i486, i586), and remove the eisa option (who on earth has boards with these on them anymore?).

Make sure you add your KERNCONF into your make.conf:

# echo 'KERNCONF=IP-FILTER' >> /etc/make.conf

(3) portupgrade

Portupgrade is an indispensable command line tool for upgrading packages. Make sure you install it from ports.

# cd /usr/ports/sysutils/portupgrade
# make
# make install
# make clean
# rehash

I'm going to make this directory so I can store portupgrade logs.

# mkdir /var/log/ports

(4) portaudit

Portaudit is a security program that can detect packages on your system which contain known security vulnerabilities. It has its own security database which you can fetch off the internet.

# cd /usr/ports/security/portaudit
# make
# make install
# make clean
# rehash

Fetch your first portaudit database with the following command:

# /usr/local/sbin/portaudit -Fda

Make the following setting in /etc/crontab if you'd like the database to get updated regularly:

0 4 * * * root /usr/local/sbin/portaudit -F

(5) sudo

sudo is the preferred way of getting root on a system. It is much safer.

# cd /usr/ports/security/sudo
# make
# make install
# make clean
# rehash

I like to get bash on the system. I dislike other shells generally. Bash has cooler features. Sudo-ing into bash is nice.

# cd /usr/ports/shells/bash
# make
# make install
# make clean
# rehash

First, make a group for users who are allowed to use sudo. For this example, I'll call it the "superu" group.

# pw groupadd superu

Now to add my admin user to the group. As a security precaution, it's a good idea to have usernames which aren't easily guessed.

# pw groupmod superu -M sysxnathy

Now to adjust the sudoers file to allow the superu group to use sudo. You should only use the visudo command to edit the sudoers file.
# visudo
ADD:
-------------
%superu ALL=(ALL) ALL

The group name in sudoers has to match the group created with pw groupadd above exactly, or nobody gets sudo access.

(6) Recompile the kernel

Lastly I'll recompile the kernel to finish the install. On rebooting I should have IPFILTER capability. make buildkernel and installkernel do the trick. We don't need to specify KERNCONF here; it's in /etc/make.conf!

# cd /usr/src
# make buildkernel && make installkernel

Once all the processing is complete, we can reboot the machine.

# shutdown -r now

Upon rebooting, we can check for the new kernel with the following command:

# uname -a
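As an added example for the monitoring-scripts section above (not a script from the original page), here is a small POSIX sh check script in the spirit of the pro-check.sh crontab entry: it covers disk usage, /var/log/messages and NTP drift. The thresholds, the error pattern list and the sample command output are constructed assumptions.

```shell
#!/bin/sh
# Added example of a cron-driven check script in the spirit of the
# pro-check.sh crontab entry (the script itself is not from the page).
# Each check reads command output on stdin, so cron can feed it live data
# (df -k, the tail of /var/log/messages, /etc/ntp.drift) while the
# constructed samples at the bottom exercise it offline.

# Filesystems at or above $1 percent full, from `df -k` output on stdin.
disk_over() {
    awk -v t="$1" 'NR > 1 { p = $5; sub(/%/, "", p); if (p + 0 >= t) print $6, p "%" }'
}

# Lines from /var/log/messages on stdin that deserve a look.
# (pattern list is an assumption; extend it for your hardware and daemons)
messages_errors() {
    grep -i -E 'error|fail|panic|timeout'
}

# Frequency error from /etc/ntp.drift on stdin, in ppm. ntpd will not steer
# the clock beyond 500 ppm, so a value approaching that means time is no
# longer being disciplined; $1 is the limit we consider healthy (assumption).
drift_status() {
    awk -v lim="$1" '{ d = $1 + 0; if (d < 0) d = -d; s = (d < lim) ? "ok" : "bad"; print s }'
}

# Constructed samples standing in for live command output.
SAMPLE_DF='Filesystem  1K-blocks    Used   Avail Capacity  Mounted on
/dev/da0s1a    253678   98765  134619    42%    /
/dev/da0s1f   4065410 3900000   40000    97%    /var
/dev/da0s1d   8123456 2000000 5473000    27%    /usr'
SAMPLE_MSG='Jan  5 03:01:02 host sshd[1234]: Accepted publickey for sysxnathy from 192.168.0.10
Jan  5 03:02:10 host kernel: ad0: READ command timeout tag=0 serv=0 - resetting
Jan  5 03:05:00 host sshd[1250]: Failed password for invalid user admin from 10.0.0.5'
SAMPLE_DRIFT='12.345'

# Run every check once and print what needs attention.
run_checks() {
    printf '%s\n' "$SAMPLE_DF"  | disk_over 90
    printf '%s\n' "$SAMPLE_MSG" | messages_errors
    printf 'ntp drift: %s\n' "$(printf '%s\n' "$SAMPLE_DRIFT" | drift_status 100)"
}

run_checks
```

In the real script replace the samples with `df -k`, `tail -n 500 /var/log/messages` and `cat /etc/ntp.drift`, and have cron mail the output.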
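A check for the sshd settings in the ssh section above, added here as an example and not taken from the page: sshd honours the first occurrence of each keyword, so a hardening line pasted below an existing "PermitRootLogin yes" never takes effect, and an audit has to mirror that rule. The two sample configurations are constructed; it assumes a config without Match blocks.

```shell
#!/bin/sh
# Added example: audit the sshd_config settings from the ssh section.
# sshd takes the FIRST occurrence of a keyword and ignores later duplicates,
# so the audit must do the same or it will bless a config that sshd does not
# actually apply. Assumes an old-style config with no "Match" sections.

# Effective value of keyword $1 in the sshd_config read from stdin.
# Keyword comparison is case-insensitive, as in sshd; commented lines never
# match because "#Protocol" is not equal to "protocol".
sshd_effective() {
    awk -v k="$1" 'tolower($1) == tolower(k) { print $2; exit }'
}

# Audit a config passed as $1. Prints one "FAIL ..." line per problem and
# returns the number of problems (0 means the config matches the guide).
sshd_audit() {
    cfg="$1"
    fails=0
    proto=$(printf '%s\n' "$cfg" | sshd_effective Protocol)
    root=$(printf '%s\n' "$cfg" | sshd_effective PermitRootLogin)
    case "$proto" in
        2) ;;
        *) echo "FAIL Protocol is '${proto:-unset}': protocol 1 may still be offered"; fails=$((fails + 1)) ;;
    esac
    case "$root" in
        no) ;;
        *) echo "FAIL PermitRootLogin is '${root:-unset}': root can log in over ssh"; fails=$((fails + 1)) ;;
    esac
    return $fails
}

# Constructed configs: the first matches the guide (its trailing duplicate is
# ignored by sshd), the second looks hardened at a glance but is not.
GOOD_SSHD='Protocol 2
PermitRootLogin no
PasswordAuthentication yes
# pasted later, has no effect because the first PermitRootLogin wins:
PermitRootLogin yes'
BAD_SSHD='Protocol 2,1
PermitRootLogin yes
# this line comes too late to help:
PermitRootLogin no'

sshd_audit "$GOOD_SSHD" && echo "good config: ok"
sshd_audit "$BAD_SSHD" || echo "bad config: $? problem(s)"
```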
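The egress rules in ipf.rules above only work if the addresses they allow out to port 53 are the nameservers resolv.conf actually uses. The following added example (not from the page) cross-checks the two files; its rule and resolver snippets are constructed, and one rule carries a mistyped octet of the kind that is easy to miss by eye.

```shell
#!/bin/sh
# Added example: cross-check the ipfilter egress rules against resolv.conf.
# With "block out all" in force, a nameserver that no "pass out ... port = 53"
# rule covers makes every lookup fail silently, and one mistyped octet is
# enough to cause it. Rule and resolver text below are constructed samples.

# Destination addresses that a ruleset on stdin lets out to UDP port 53
# ("any" if a rule allows all destinations); the /32 suffix is stripped.
dns_egress_allowed() {
    awk '$1 == "pass" && $2 == "out" && /proto udp/ && /port = 53( |$)/ {
        for (i = 1; i <= NF; i++)
            if ($i == "to") { d = $(i + 1); sub(/\/32$/, "", d); print d }
    }'
}

# Nameserver addresses from a resolv.conf on stdin.
nameservers() {
    awk '$1 == "nameserver" { print $2 }'
}

# Print each nameserver in $2 (resolv.conf text) that the rules in $1 do not
# allow UDP/53 to. Empty output means the two files agree.
dns_uncovered() {
    allowed=$(printf '%s\n' "$1" | dns_egress_allowed | tr '\n' ' ')
    for ns in $(printf '%s\n' "$2" | nameservers); do
        case " $allowed " in
            *" any "*|*" $ns "*) ;;
            *) printf '%s\n' "$ns" ;;
        esac
    done
}

# Constructed snippets: the first DNS rule has a typo in its second octet.
RULES='pass out quick proto udp from 192.168.1.1/32 to 192.160.1.30/32 port = 53 keep state group 250
pass out quick proto udp from 192.168.1.1/32 to 192.168.1.31/32 port = 53 keep state group 250
pass out quick proto udp from 192.168.1.1/32 to any port = 123 keep state group 250'
RESOLV='domain domain.com
nameserver 192.168.1.30
nameserver 192.168.1.31'

# Prints 192.168.1.30: the only nameserver the ruleset fails to let out.
dns_uncovered "$RULES" "$RESOLV"
```

On a live box feed it `"$(cat /etc/ipf.rules)" "$(cat /etc/resolv.conf)"` from the same cron job that reloads the rules, so a bad edit is reported before the next lookup fails.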