A while back I realized I haven’t run FreeBSD in almost a decade, not since I used it along with CARP for my first HAProxy load balancer pair at work. I’ve always conceptually liked this system, but simply haven’t made room for it in my life in a long time.
Now that I’m working to renew some of my servers, I figured why not revisit this system again, and so I spent a short while thinking about some common changes we might want to make from the out-of-the-box configuration.
Install and configure sudo
We’ll start out by installing the sudo package with pkg install sudo. If this is the first time we run pkg we first need to install and initialize the utility.
Second, we want to allow the group wheel to use the sudo command. Run visudo as root, locate the commented-out line that starts with %wheel and remove the comment.
Once this is done, just add users to the wheel group to allow them to elevate their privileges using the sudo command:
pw groupmod wheel -m myuser
I don’t like allowing remote logins as the root user. This is the default behavior in FreeBSD, though, so let’s just stop that:
sudo sed -i '' -e 's/#PermitRootLogin/PermitRootLogin/g' /etc/ssh/sshd_config && sudo service sshd restart
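The sed command above removes the comment marker without looking at the value that follows it, so it is worth confirming what the file says afterwards. The script below is an added example, not part of the original post: the function names and the sample file contents are constructed, and the parser reads only the global section of a single file (it does not follow Include directives).

```sh
#!/bin/sh
# Added example: confirm what the PermitRootLogin edit leaves in sshd_config.

# The post's substitution, written to stdout instead of editing in place.
uncomment_root_login() {
    sed -e 's/#PermitRootLogin/PermitRootLogin/g' "$1"
}

# Print the first active PermitRootLogin value in the global section of a
# config file, or "unset" if there is none. sshd keeps the first value it
# reads for a keyword, and anything after a Match line is conditional.
permit_root_login() {
    awk '
        /^[ \t]*#/ { next }                  # skip comment lines
        { sub(/=/, " "); kw = tolower($1) }  # accept "Keyword=value" too
        kw == "match" { exit }
        kw == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Exit status 0 only when root login is explicitly set to "no".
check_root_login() {
    value=$(permit_root_login "$1")
    echo "$1: PermitRootLogin $value"
    [ "$value" = "no" ]
}

# Constructed sample inputs: two possible forms of the commented-out line.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '#Port 22\n#PermitRootLogin no\n' > "$tmp/a.orig"
    printf '#PermitRootLogin prohibit-password\nMatch User backup\n    PermitRootLogin no\n' > "$tmp/b.orig"
    for name in a b; do
        uncomment_root_login "$tmp/$name.orig" > "$tmp/$name.conf"
        check_root_login "$tmp/$name.conf" || echo "  -> root login not disabled"
    done
    rm -rf "$tmp"
}

# With a path argument, check that file; otherwise run the demo.
if [ $# -gt 0 ]; then check_root_login "$1"; else demo; fi
```

On a live system, sshd -T | grep -i permitrootlogin (run as root) prints the value sshd will actually enforce once defaults and included files are applied.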
Setting up alert emails
The root user receives all kinds of interesting information about the state of a system, but by default you’d have to log on to each separate server you maintain and run the mail command as root to benefit from it. Fortunately it’s dead simple to forward this email to a mailbox you actually read; especially if your domain already runs a mail server or a forwarding mail transfer agent.
Edit the file /etc/mail/aliases and add the following contents:
root: email@example.com
webmaster: root
manager: root
dumper: root
To make the changes stick, run newaliases as root.
Let’s test email functionality:
mail -s "This is a test" root
Will this arrive?
Press Ctrl+D to send the message and check your mailbox to verify it arrived.
Schedule update checks
In FreeBSD, automatic updates are somewhat frowned upon: Things rarely go wrong, but you should understand what will happen during an update. Therefore we’ll follow the advice in the FreeBSD handbook and set up automated and scheduled checking. That lets us know when there are updates to install.
The base system is updated using the freebsd-update utility. Checking its man page, we see that it has a cron command that does exactly what we want.
Let’s add that to our crontab (
@daily root freebsd-update cron
If we get notified that there are updates for our system, we can run freebsd-update install followed by a reboot to lift our system to the latest version.
Packages can be audited for security vulnerabilities using the pkg audit -F command. To be honest I’m not sure whether that’s run automatically by default by the system, but let’s just throw it into the crontab.
@daily root pkg audit -F
Similar to our base system, we would run pkg upgrade to fix security vulnerabilities, followed by a restart of the affected service or a reboot of the entire system.
If we are to use our FreeBSD machines interactively, it’s nice to have a good editor in place. FreeBSD comes with vi, but I’ve gotten old and stuck in my ways, so vim it is:
pkg install vim
sed -i '' -e 's/EDITOR=vi;/EDITOR=vim;/g' .profile