Herr Bischoff


The First 5 Minutes on a New FreeBSD Server

This is inspired by a 2013 blog post by Sol Love.

https://sollove.com/2013/03/03/my-first-5-minutes-on-a-server-or-essential-security-for-linux-servers/

It’s in no way a complete guide and when setting up more than one instance at a time, you should probably automate most/all of the steps. For the occasional server setup it’s a good enough checklist to work through.

The snippets are compatible with a basic copy-and-paste approach.

Turn off ZFS access time flag

zfs set atime=off zroot

Disable login messages

touch ~/.hushlogin

Disable sendmail, enable DMA

service sendmail stop && \
sysrc sendmail_enable="NONE" && \
cat << EOF > /etc/mail/mailer.conf
sendmail      /usr/libexec/dma
send-mail     /usr/libexec/dma
mailq         /usr/libexec/dma
newaliases    /usr/libexec/dma
rmail         /usr/libexec/dma
hoststat      /usr/bin/true
purgestat     /usr/bin/true
EOF

Disable legacy SSH host keys and regenerate

sysrc sshd_enable="YES" && \
sysrc sshd_dsa_enable="NO" && \
sysrc sshd_ecdsa_enable="NO" && \
sysrc sshd_ed25519_enable="YES" && \
sysrc sshd_rsa_enable="YES" && \
rm /etc/ssh/ssh_host_* && \
service sshd keygen && \
service sshd restart

Update base system

freebsd-update fetch install && \
reboot

After the reboot:

freebsd-update install

Install basic software

pkg install doas fish git htop mosh neovim && \
chsh -s /usr/local/bin/fish

Set up doas

cat << EOF > /usr/local/etc/doas.conf
permit nopass :wheel
EOF

Set up PF firewall

# quote the delimiter so $ext_if, $tcp_pass and $udp_pass reach pf.conf unexpanded
cat << 'EOF' > /etc/pf.conf
ext_if = "vtnet0"
tcp_pass = "{ ssh }"
udp_pass = "{ 60000:60010 }"

set block-policy drop
scrub in on $ext_if all fragment reassemble
set skip on lo

# table <jails> persist
# nat on $ext_if from <jails> to any -> ($ext_if:0)
# rdr-anchor "rdr/*"

block in log all
pass out log keep state
antispoof for $ext_if inet
antispoof for $ext_if inet6

pass in log on $ext_if proto tcp from any to any port $tcp_pass flags S/SA modulate state
pass in log on $ext_if proto udp from any to any port $udp_pass
pass inet proto icmp all icmp-type echoreq keep state
pass in quick proto icmp6 all
EOF
sysrc pf_enable="YES" && \
sysrc pflog_enable="YES" && \
service pf start && \
service pflog start

Set up time synchronisation

sysrc ntpd_enable="YES" && \
service ntpd restart

Reboot

reboot
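Once the machine is back, it is worth confirming that the files the checklist wrote actually contain what you expect. The script below is an added example and not code from the original post; it assumes only POSIX sh, sed, grep and mktemp, and that sysrc writes settings as key="value" lines. It reads whatever files it is given, so it is exercised here on constructed samples (rc.conf-style and pf.conf-style fragments built inline) and can then be pointed at the real /etc/rc.conf and /etc/pf.conf. The pf check targets one specific failure mode: writing pf.conf through an unquoted heredoc, which makes the shell expand the $ext_if macro references to nothing before pf ever parses the file.

```shell
#!/bin/sh
# Added example, not from the original post: offline checks for the files the
# checklist writes. Plain POSIX sh; reads the files it is given, so it can be
# tried on the constructed samples below before being run against
# /etc/rc.conf and /etc/pf.conf.

# rc_setting FILE KEY: print the value of KEY as sysrc wrote it (last
# assignment wins, surrounding double quotes stripped; empty if unset).
rc_setting() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | sed 's/^"//; s/"$//'
}

# audit_rc FILE: return 0 when every setting the checklist sets is present
# with the expected value, 1 otherwise (each mismatch is reported on stderr).
audit_rc() {
    f=$1; rc=0
    for kv in sendmail_enable=NONE sshd_enable=YES sshd_dsa_enable=NO \
              sshd_ecdsa_enable=NO sshd_ed25519_enable=YES sshd_rsa_enable=YES \
              pf_enable=YES pflog_enable=YES ntpd_enable=YES; do
        key=${kv%%=*}; want=${kv#*=}
        got=$(rc_setting "$f" "$key")
        if [ "$got" != "$want" ]; then
            echo "rc: $key is '${got:-unset}', expected '$want'" >&2
            rc=1
        fi
    done
    return $rc
}

# check_pf FILE: return 1 if a macro is defined (name = "value") but never
# referenced as $name. That is what an unquoted heredoc delimiter produces:
# the shell expands $ext_if and friends to empty strings, leaving rules such
# as "scrub in on  all" that name no interface at all.
check_pf() {
    f=$1; rc=0
    for name in $(sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)[[:space:]]*=.*/\1/p' "$f"); do
        if ! grep -qF -- "\$$name" "$f"; then
            echo "pf: macro $name defined but never used (unquoted heredoc?)" >&2
            rc=1
        fi
    done
    return $rc
}

# --- constructed samples (not real system files) ---
TMP=$(mktemp -d)
GOOD_RC=$TMP/rc.good; BAD_RC=$TMP/rc.bad
GOOD_PF=$TMP/pf.good; BAD_PF=$TMP/pf.bad

cat > "$GOOD_RC" <<'EOF'
sendmail_enable="NONE"
sshd_enable="YES"
sshd_dsa_enable="NO"
sshd_ecdsa_enable="NO"
sshd_ed25519_enable="YES"
sshd_rsa_enable="YES"
pf_enable="YES"
pflog_enable="YES"
ntpd_enable="YES"
EOF

# ntpd never enabled, and a later line re-enables DSA host keys (last one wins)
cat > "$BAD_RC" <<'EOF'
sendmail_enable="NONE"
sshd_enable="YES"
sshd_dsa_enable="NO"
sshd_ecdsa_enable="NO"
sshd_ed25519_enable="YES"
sshd_rsa_enable="YES"
pf_enable="YES"
pflog_enable="YES"
sshd_dsa_enable="YES"
EOF

# what the pf.conf heredoc yields with a quoted delimiter: macros intact
cat > "$GOOD_PF" <<'EOF'
ext_if = "vtnet0"
tcp_pass = "{ ssh }"
scrub in on $ext_if all fragment reassemble
pass in on $ext_if proto tcp from any to any port $tcp_pass flags S/SA modulate state
EOF

# what the same heredoc yields unquoted: definitions survive, references vanish
cat > "$BAD_PF" <<'EOF'
ext_if = "vtnet0"
tcp_pass = "{ ssh }"
scrub in on  all fragment reassemble
pass in on  proto tcp from any to any port  flags S/SA modulate state
EOF

for f in "$GOOD_RC" "$BAD_RC"; do
    if audit_rc "$f"; then echo "$f: ok"; else echo "$f: FAIL"; fi
done
for f in "$GOOD_PF" "$BAD_PF"; do
    if check_pf "$f"; then echo "$f: ok"; else echo "$f: FAIL"; fi
done
```

On a real FreeBSD host, `pfctl -nf /etc/pf.conf` is the authoritative syntax check and should be run as well; the macro test above only catches the case where the file parses cleanly but every macro has silently become empty.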