
A while back I realized I haven’t been running FreeBSD for almost a decade, since I used it along with CARP for my first HAProxy load balancer pair at work. I’ve always conceptually liked this system, but simply haven’t made room for it in my life in a long time.

Now that I’m working to renew some of my servers, I figured why not revisit this system, and so I spent a short while thinking about some common changes we might want to make to the out-of-the-box configuration.

Install and configure sudo

We’ll start out by installing the sudo package with pkg install sudo. If this is the first time we run pkg, we first need to install and initialize the utility itself.

Second we want to allow the group wheel to use the sudo command. Run visudo as root, locate the commented-out line that starts with %wheel and remove the comment.

Once this is done, just add users to the wheel group to allow them to elevate their privileges using the sudo command:

pw groupmod wheel -m myuser

Harden sshd

I don’t like allowing remote logins as the root user. This is the default behavior in FreeBSD, though, so let’s just stop that. Rather than only uncommenting the stock line (which keeps whatever value the comment happens to carry), we set PermitRootLogin to no explicitly, validate the configuration with sshd -t, and then restart the daemon:

sudo sed -i '' -e 's/^#*PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config && sudo sshd -t && sudo service sshd restart
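The one-liner above assumes the directive is present exactly once. As an added example that is not part of the original post, here is a small POSIX sh helper that sets an sshd_config directive explicitly whether the line is commented out, already active with another value, or missing altogether, plus a check that reads back the value sshd would actually use (first active line wins). It is run here against a constructed file, not the real /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not from the original post): set an sshd_config directive
# explicitly instead of just uncommenting whatever the stock comment says.
# Handles a commented line, an active line with another value, and a missing
# directive. The sed invocation works with both BSD and GNU sed.

# set_sshd_option FILE KEY VALUE
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|\$)" "$file"; then
        # Rewrite every commented or active occurrence of KEY to "KEY VALUE".
        sed -i.bak -E "s/^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?\$/${key} ${value}/" "$file" \
            && rm -f "${file}.bak"
    else
        # Directive absent: append it so sshd no longer falls back to its built-in default.
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# effective_value FILE KEY
# Prints the value sshd would use: the first active (uncommented) KEY line wins.
effective_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Demo on a constructed file that mirrors the stock FreeBSD comment line.
demo() {
    tmp=$(mktemp)
    printf '%s\n' '# Authentication:' '#PermitRootLogin no' \
        'Subsystem sftp /usr/libexec/sftp-server' > "$tmp"
    set_sshd_option "$tmp" PermitRootLogin no
    effective_value "$tmp" PermitRootLogin      # prints: no
    rm -f "$tmp"
}
demo
```

On a real host, run sshd -t after editing /etc/ssh/sshd_config and only then service sshd restart, so a typo never leaves you with a daemon that refuses to start.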

Setting up alert emails

The root user receives all kinds of interesting information about the state of a system, but by default you’d have to log on to each separate server you maintain and run the mail command as root to benefit from it. Fortunately it’s dead simple to forward this email to a mailbox you actually read, especially if your domain already runs a mail server or a forwarding mail transfer agent.

Edit the file /etc/mail/aliases and add the following contents:

root: youremail@yourdomain.com
webmaster: root
manager: root
dumper: root

To make the changes stick, run newaliases as root.

Let’s test email functionality:

mail -s "This is a test" root
Will this arrive?

Press Ctrl+D to send the message and check your mailbox to verify it arrived.

Schedule update checks

In FreeBSD, automatic updates are somewhat frowned upon: things rarely go wrong, but you should understand what will happen during an update. Therefore we’ll follow the advice in the FreeBSD handbook and set up automated, scheduled checking, which lets us know when there are updates to install.

Base system

The base system is updated using the freebsd-update utility. Checking its man page, we see that it has a cron command that does exactly what we want: it fetches any available updates after a random delay and mails root when there is something to install, which is where the alias configured above pays off.

Let’s add that to our crontab (/etc/crontab):

@daily                                  root    freebsd-update cron

If we get notified that there are updates for our system, we can run freebsd-update install followed by a reboot to lift our system to the latest version.

Package updates

Packages can be audited for security vulnerabilities using the pkg audit -F command. To be honest I’m not sure whether that’s run automatically by default by the system, but let’s just throw it into the crontab.

@daily                                  root    pkg audit -F

Similar to our base system, we would run pkg upgrade to fix security vulnerabilities, followed by a restart of the affected service or a reboot of the entire system.

Editor

If we are to use our FreeBSD machines interactively, it’s nice to have a good editor in place. FreeBSD comes with ed and vi, but I’ve gotten old and stuck in my ways, so vim it is:

pkg install vim
sed -i '' -e 's/EDITOR=vi;/EDITOR=vim;/g' .profile
