OpenSeaMap-dev:Server FreeBSD Base

Aus OpenSeaMap-dev
Wechseln zu: Navigation, Suche

Installation

Set timezone to UTC.

cp /usr/share/zoneinfo/UTC /etc/localtime

Disable virtual terminals (ttyv1 .. ttyv8).

vi /etc/ttys
  ttyv1   "/usr/libexec/getty Pc"         cons25  off secure
  ...
  ttyv8   "/usr/libexec/getty Pc"         cons25  off secure

Reduce autoboot delay.

vi /boot/loader.conf
  autoboot_delay="2"

Secure syslogd.

vi /etc/rc.conf
  syslogd_flags="-ss"

/etc/rc.d/syslogd restart

Prevent building ports for X11.

vi /etc/make.conf
  WITHOUT_X11=yes

Redirect mails for root.

vi /etc/aliases
  root: <mail-address>

newaliases

Create an administrator account.

pw groupadd <username>
pw useradd <username> -g <username> -G wheel -m -s /bin/csh
install -d -g <username> -o <username> -m 700 /home/<username>/.ssh
install -g <username> -o <username> -m 400 /dev/null /home/<username>/.ssh/authorized_keys

Permit root login. Be sure to have a non root account which is allowed to login.

vi /etc/ssh/sshd_config
  PermitRootLogin no
  ChallengeResponseAuthentication no

/etc/rc.d/sshd restart

Configure freebsd update.

vi /etc/freebsd-update.conf
  Components world kernel

Update base system.

freebsd-update fetch
freebsd-update install
(reboot)

Fetch and extract port files.

portsnap fetch
portsnap extract

All ports have to be managed with portmaster.

cd /usr/ports/ports-mgmt/portmaster
make install clean
rehash

It is recommended to install ports in screen.

portmaster -d -B sysutils/screen
rehash

Install these ports on every machine.

screen -S ports
portmaster -d -B editors/vim ports-mgmt/portaudit sysutils/ezjail net/openntpd shells/zsh security/sudo
exit

Cronjob for freebsd update and portsnap.

vi /etc/crontab
  0 7 * * * root /usr/sbin/freebsd-update cron
  0 8 * * * root /usr/sbin/portsnap cron

Configure packet filter.

TBD
vi /etc/pf.conf
  nat on $ext_if proto {tcp udp icmp} from lo0 to any -> ($ext_if)
  nat on $int_if proto {tcp udp icmp} from lo0 to any -> ($int_if)

pfctl -f /etc/pf.conf

Configure ntpd.

vi /usr/local/etc/ntpd.conf
  listen on 127.0.0.1
  server 0.nl.pool.ntp.org
  server 1.nl.pool.ntp.org
  server 2.nl.pool.ntp.org
  server 3.nl.pool.ntp.org

vi /etc/rc.conf
  openntpd_enable="YES"

service openntpd start

Install base jail.

ezjail-admin install

Enable ezjail.

vi /etc/rc.conf
  ezjail_enable="YES"

Start ezjail.

service ezjail start

Maintenance

Update base system (world).

screen -S update
freebsd-update fetch
freebsd-update install
exit

Don't forget to update the jails as well (OpenSeaMap-dev:Server_FreeBSD_Jails#Maintenance).

Release change. The install command has to be executed again after a reboot, to remove old files. Keep in mind to update all ports, jails and ports in jails, too.

screen -S update
freebsd-update -r 9.1-RELEASE upgrade
freebsd-update install
exit

(reboot)

screen -S update
freebsd-update install
exit

Add administrator account (host system).

pw groupadd <username>
pw useradd <username> -g <username> -G wheel -m -s /bin/csh
install -d -g <username> -o <username> -m 700 /home/<username>/.ssh
install -g <username> -o <username> -m 400 /dev/null /home/<username>/.ssh/authorized_keys