FreeBSD Setup and Basics
========================

These are general notes on hardening and maintaining FreeBSD. Sept 2015

## Documentation ##

- The man pages are good, significantly better than Linux man pages.
- The _FreeBSD Handbook_ is good, and kept up to date: https://www.freebsd.org/doc/handbook/

Subscribe to these mailing lists to keep abreast of releases and security alerts:

    https://lists.freebsd.org/mailman/listinfo/freebsd-announce
    https://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications

## -RELEASE vs. -STABLE vs. -CURRENT ##

http://www.bsdnow.tv/tutorials/stable-current

-CURRENT is the bleeding edge, analogous to Debian Unstable. Don't use it unless we know why we need it (e.g. we're doing FreeBSD development).

-STABLE is the development branch for the current major version. It gets security fixes and changes that have matured in -CURRENT, and is built from source. Roughly analogous to Debian Testing.

-RELEASE is a snapshot of -STABLE that gets stamped as a point release (e.g. 10.1). **This is usually what we want to use.** Roughly analogous to Debian Stable. -RELEASE gets security updates and critical fixes, delivered as binary updates through `freebsd-update`. Binary updates (i.e. `freebsd-update`) are only available for -RELEASE; -STABLE and -CURRENT are updated by rebuilding from source.

Note: unlike Debian, on FreeBSD the base system and the ports collection (third-party software) are separate, and are updated and maintained separately: `freebsd-update` never touches ports or packages, and `pkg` never touches the base system.

Also, home directories live in /usr/home (/home is normally a symlink to it).

## Updating FreeBSD Base ##

https://www.freebsd.org/doc/handbook/updating-upgrading.html

Assuming we're using the stock GENERIC kernel, we can apply binary updates for our current release like:

    # freebsd-update fetch
    # freebsd-update install

If the kernel gets updated, restart the system.
If anything goes wrong, roll back the most recent updates with:

    # freebsd-update rollback

Upgrade to a new release like:

    # freebsd-update -r 10.2-RELEASE upgrade
    # freebsd-update install
    # shutdown -r now
    # freebsd-update install

(The first `install` replaces the kernel; after the reboot, the second `install` updates the userland.) After a major version upgrade, reinstall all packages (binary users) or rebuild all ports (source users), because kernel and library ABI changes break third-party applications. Then run `freebsd-update install` one more time to remove the old shared libraries:

    # pkg-static upgrade -f
    # portmaster -af
    # freebsd-update install

## Binary Packages (finding, installing, updating, removing) ##

(If `pkg` is not already installed, run `/usr/sbin/pkg` to bootstrap it, and then `pkg update`.)

    # pkg search foo
    # pkg info foo
    # pkg install foo
    # pkg delete foo
    # pkg autoremove

Updates:

    # pkg update
    # pkg upgrade
    # pkg audit -F

`pkg audit -F` fetches the current vulnerability database and lists installed packages with known vulnerabilities. Run it after every upgrade; the daily periodic(8) security run also mails its output to root.

## Source Ports (finding, installing, updating, removing) ##

(Download and extract the ports collection for the first time with `portsnap fetch` and `portsnap extract`.)

Keep the ports collection up to date with portsnap:

    # portsnap fetch
    # portsnap update

Find a port:

    # whereis foo
    foo: /usr/ports/whatever/foo
    # cd /usr/ports
    # make search name=foo

Install or de-install a port:

    # cd /usr/ports/whatever/foo
    # make config-recursive; make install; make clean
    # make deinstall

Upgrade installed ports using portmaster:

    # cd /usr/ports/ports-mgmt/portmaster
    # make install clean
    # portmaster -a

Read the latest warnings in `/usr/ports/UPDATING` before updating ports (the latest entries are at the top of the file).

## Firewall ##

FreeBSD offers several options (ipfw, pf, and ipfilter). Use IPFW.

https://www.freebsd.org/doc/handbook/firewalls-ipfw.html

Turn it on in `/etc/rc.conf`:

    firewall_enable="YES"

It offers a number of pre-defined firewall profiles. See `/etc/rc.firewall`.
A reasonable choice for a stand-alone server is the `client` profile; put this in `/etc/rc.conf` and customize the client section of `/etc/rc.firewall`:

    firewall_type="client"

Alternately, we can write our own rule set by setting this in `/etc/rc.conf`:

    firewall_script="/etc/ipfw.rules"

Our `/etc/ipfw.rules` might look like this (see ipfw(8)):

    add="ipfw -q add"
    ipfw -q -f flush
    pubip="10.0.1.55"
    $add 10 pass all from any to any via lo0
    $add 20 deny all from any to 127.0.0.0/8
    $add 30 deny ip from 127.0.0.0/8 to any
    $add 40 deny ip from any to ::1
    $add 50 deny ip from ::1 to any
    $add 100 pass tcp from any to any established
    $add 110 pass all from any to any frag
    $add 1000 pass tcp from any to $pubip 22 keep-state
    $add 1200 pass tcp from any to any 80 out keep-state
    $add 1300 pass tcp from any to any 443 out keep-state
    $add 2000 pass udp from me to any 53 keep-state
    $add 2050 pass tcp from me to any 53 keep-state
    $add 2100 pass udp from me to any 123 keep-state
    $add 2200 pass tcp from me to any 25
    $add 65000 deny all from any to any

(We may want to use specific networks for some of these, particularly the rules for ssh and smtp.)

Rule 100 passes any TCP segment with the ACK or RST flag set. That is what lets replies to our outbound connections back in, but it also admits unsolicited ACK probes. Since the other rules already use `keep-state`, a `check-state` rule in its place is the tighter choice.

Restart ipfw and load the new rules like:

    # service ipfw restart

We check the rules with:

    # ipfw list

If we log denied packets (`firewall_logging="YES"` in `/etc/rc.conf` plus the `log` keyword on rules), we may want to throttle the logging by adding this to `/etc/sysctl.conf`:

    net.inet.ip.fw.verbose_limit=5

## Securing ssh ##

Add our client key to ~/.ssh/authorized_keys.

Make sure root logins are disabled in /etc/ssh/sshd_config:

    PermitRootLogin no

We don't want password-only authentication. Use key-based auth or (on newer versions of sshd, OpenSSH 6.2 and later) key _and_ password. Edit /etc/ssh/sshd_config:

    PasswordAuthentication no
    ChallengeResponseAuthentication no

or

    AuthenticationMethods publickey,password

(FreeBSD's stock sshd_config sets `ChallengeResponseAuthentication yes`. Left on, PAM's keyboard-interactive prompt still accepts passwords even when `PasswordAuthentication` is `no`, so turn both off.)

Check the file with `sshd -t` before restarting, and keep the current session open until a fresh login succeeds. Restart sshd:

    # service sshd restart

We may also want to install sshguard (like fail2ban but with fewer dependencies):

    # pkg install sshguard-ipfw

Add to /etc/rc.conf:

    sshguard_enable="YES"

Start sshguard:

    # service sshguard start

## Time ##

If we did not enable and configure ntp during install, do it now.
Configure the time zone:

    # tzsetup

Add this to /etc/rc.conf:

    ntpd_enable="YES"
    ntpd_sync_on_start="YES"

Start ntpd:

    # service ntpd start

## Notifications/Mail ##

https://www.freebsd.org/doc/handbook/mail.html

FreeBSD ships Sendmail. Its default config is reasonable (it accepts mail only from the local host). If we don't often log into this box as root, we should forward root's mail (the periodic(8) security reports, `pkg audit` results, cron output) to an address we actually read. Edit /etc/mail/aliases and add:

    root: me@example.com

Run `newaliases` to update the aliases database.

## Jails ##

See http://paulgorman.org/technical/freebsd-jails.txt

------------------------
Personal Preferences
------------------------

## Packages I Like to Install ##

    vim-lite
    sudo
    tmux
    git-lite
    curl

## Shell ##

Use tcsh. Here's a minimal .tcshrc:

    set promptchars="%#"
    set prompt = "--- %m %h %c %# "
    setenv EDITOR vim
    setenv VISUAL vim
    setenv PAGER less
    set autolist
    alias l 'ls -FG'
    alias la 'ls -FGa'
    alias ll 'ls -FGlha'
    alias h 'history 60 | sort -k2 | uniq -f2 | sort -bn'
    setenv LSCOLORS "gxfxcxdxbxxggdabagacad"
    bindkey "^W" backward-delete-word

## sudo ##

After installing sudo, run `visudo`, and uncomment this line:

    %wheel ALL=(ALL) NOPASSWD: ALL

`NOPASSWD` means whoever holds our ssh key holds root; the stricter choice is the `%wheel ALL=(ALL) ALL` line just above it, which prompts for our password.

Make sure our user account is a member of the wheel group (`pw groupmod wheel -m ourname`).