Setting up the FreeBSD host system


JonDos GmbH thanks www.secure-internet.org for the right to publish the following article. We made some changes to it, but the original text was provided by www.secure-internet.org.


The most common way to set up FreeBSD is simply to have a FreeBSD CDROM in the CDROM drive. You can get the ISO image from www.freebsd.org and then burn it on a standard CDROM (or have your provider do so for you).

Make sure the machine will boot from the CDROM drive by checking the BIOS settings. Then reboot into the installer program from CDROM.

By the way: If you have more than one hard disc it is best NOT to change the disc order in the BIOS since FreeBSD will not follow the BIOS settings. Use the original disc order and you'll avoid another pitfall.

Once you have booted from the CDROM and started up the installer program („sysinstall“, the notoriously ugly installer of FreeBSD) you need to know that the installer program is a bit old fashioned:

  • use the <tab> key to jump between options
  • use the arrow keys to navigate through lists
  • use the <spacebar> key to mark any option
  • use the <enter> key to go ahead

Your mouse will not work at this point.

There are very limited options to navigate back to previous screens so better be a bit slower than usual when hitting <enter>. If you got the wrong option you might need to restart the installation process.

The installer program first wants you to enter your keyboard layout (this will not affect the installer program language but merely the keyboard layout). Select with the arrow keys, mark with the <spacebar> key and go ahead with <enter> (of course you can change all those settings later via the Shell, but you might have a hard time using the Shell until you have changed the settings).

The next screen lets you choose among installation types. Just select „Standard Installation“ here. The following warning from fdisk usually can be ignored (read it nonetheless because you'll now run into disc partitioning).

If you have more than one disc (remember the notes on BIOS disc order) select the first disc (arrow keys, mark with <spacebar> and hit <enter> after correct selection) to edit the disc's partition table. Device names of the discs might appear strange to you if you are used to Linux disc device names. Something like „ad10“ or „ad8“ is no reason to worry. Depending on the disc type, other device names could also be displayed. Some hard drives will flash up a scary-looking warning about disc geometry at this point. This is not a concern on most modern hardware, so usually you can confirm with <enter>.

The next screen lets you split the disc into slices.

According to the partitioning proposal mentioned above you now need to create two slices. The first slice must be marked as „bootable“. It needs to be around 60GB. The second slice needs to be around 100GB (remember, we have a 160GB disc).

Sysinstall probably already proposed a standard disc usage but this is not suitable to our needs. You need to delete that proposal and enter your own data here. Type „D“ to delete the slice proposal. Then enter your own data for the two slices using „C“ and make sure the first slice is really bootable (use „S“). You can toggle size units with „Z“.

Doublecheck your settings! If you're done, finish with „Q“.

You will now be asked whether to write a boot manager or a master boot record to the disc. You need at least a master boot record, so arrow to that option, mark it (<spacebar>) and hit <enter>.

Next you will have to split up the two slices into the actual partitions. Enter the data from our table above here. Please make sure you have „UFS2“ as the filesystem type (that's the standard FreeBSD filesystem), „S“ for Soft-Updates, „Y“ for partition type and correct size and mountpoint. Doublecheck your settings here too! If you're done finish with „Q“ again.

The trickiest part now is already behind you. The rest is easier.

The next screen will ask you from where to install FreeBSD. You have various options. My best experience has been using the FTP option. For the FTP method you just need to enter a certain FTP server. You can find FTP servers through the installer program itself or you also could previously find one checking the FreeBSD website (this would allow you to test the servers in advance). Just take one near to you. In some cases FTP servers can be under stress. Then just select another.

You now will get asked what in fact you'd like to install. Choose „User“ as the distribution set. This will not bring you everything we need but we will correct that later.

When asked whether you want to install the ports collection too answer YES. Then exit with <enter>.

If you are sure everything you entered is correct, confirm. The installer then will start formatting the hard drive.

You are now asked some more questions. First you need to determine which interface should be used for your network connection. Mark the network adapter entry that appears to be the right one (it should of course be the one really connected by your provider).

Decline if you're asked for IPv6 and DHCP.

Now enter the details of your network configuration:

  • hostname
  • domain
  • IPv4 gateway IP address (you got from your provider)
  • nameserver (the first of the nameserver addresses you got from your provider, or alternatively another nameserver you prefer)
  • IPv4 address you'd like to assign to your FreeBSD host system (one of the IP addresses you got from your provider)
  • netmask (as you got from your provider)
  • usually no extra options to ifconfig

Doublecheck your entries before proceeding with <enter>.

You will now be asked which network services to install (or not). The only network service you need is SSH. Make sure you confirm installation of the SSH daemon. It is recommended NOT to install further daemons at this point, since this could cause you headaches when configuring the jails later on. Please also remember that we install „only“ the host system here. Most programs should later run within jails, not on the host system's BSD.

Enter then your machine's timezone or leave it at UTC.

You do not need the „Linux Mode“ and you do not need a mouse working on your server.

When asked for additional packages to be installed, the answer depends on whether you are familiar with the VI editor or not. If you are okay with VI you do not need any further packages. If you need another editor you should use your chance to get it easily installed here. You can easily find editors like „joe“ or „nano“ by browsing through the list of packages here. Use the arrow keys, <spacebar>, <tab> and <enter> as usual.

Do not under any circumstances forget to add a new user to the system. Otherwise you will not be able to SSH into the machine, since you can't SSH directly into the root account. Add the „login ID“, the „Password“ and the „Full name“ and confirm all other proposals (the Shell can be changed later to meet your specific needs, so for now please also confirm the Shell proposed). Please use a pretty good password for the new user. Later on you can implement various additional hurdles against brute-force attacks on your SSH daemon, but those measures get installed later and will not be in effect at once. Good passwords are vital!

Very important: In any case you MUST add your new user to an additional usergroup named „wheel“. If you do not do this, the user will not be allowed to get root rights after login, and this means that you could not get root rights at all by SSH-ing into the server. Adding the user to the „wheel“ group enables the user to get root rights. After finishing with the new user, proceed to the next screen.

Carefully enter the password for the root account now. You need to type it twice (as usual with Unices).

If you have run through the sysinstall program up to this point you may reboot by exiting the installer program (it will announce that it's done and offer the option to reboot).

Use now your newly added user (not the root account) to SSH into the machine. After SSH login you will be that user. To get root rights use „su“ and enter the root password. „sudo“ would need to get installed before you could use it, so really type in „su“ and not „sudo“.

The Shell you get is by default a CSH. We can change that later.

Your FreeBSD host system now in general works but we need to do some further things to optimize it. First of all let us implement some security measures.

Use your favorite editor (VI or the one you additionally installed through the installer program) to edit /etc/hosts.allow

# vi /etc/hosts.allow

FreeBSD only has a hosts.allow file and no additional hosts.deny file. So all clauses need to get inserted in the hosts.allow file (including the clauses which on Linux systems would need to get added to hosts.deny).

First of all, check all uncommented clauses already present in the file. Comment out the ones you do not want and take care not to forget any of them. Do not save the file until you have made sure that you yourself can still SSH into the machine.

Proposal to enable only very few IP addresses to log in via SSH (including the IP addresses used by your internet access provider of course):

ALL : localhost 127.0.0.1 : ALLOW
sshd : 217.83. : ALLOW
ALL : ALL : DENY

The example above would allow SSH logins only from IP addresses that have 217.83. in the first two blocks. This is a weak security measure, since attackers could spoof their addresses, but it is a quick way to gain a little protection. For most script kiddies running dictionary attacks this might be enough to block them, but not for black hats. Further measures are strongly recommended. Some will be named later on. Save the file only when you are sure that everything is correct. The changes take effect at once, so be sure not to block yourself.
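
The order of the clauses matters because the first matching line decides. The following sketch is an added example, not part of the original article: it evaluates the three rules above in a simplified way so that a planned rule set can be checked before the file is saved (the function names, the misordered rule set and the client addresses are constructed for illustration).

```sh
# Simplified first-match evaluation of hosts.allow rules written as
# "daemons : clients : ALLOW|DENY". Assumption: only the pattern kinds used on
# this page are handled (ALL, exact strings, address prefixes ending in ".").
hosts_allow_verdict() {   # usage: hosts_allow_verdict DAEMON CLIENT_IP < rules
    awk -F: -v daemon="$1" -v ip="$2" '
    function in_list(list, item,    n, p, i) {
        n = split(list, p, /[ \t,]+/)
        for (i = 1; i <= n; i++) {
            if (p[i] == "") continue
            if (p[i] == "ALL" || p[i] == item) return 1
            if (p[i] ~ /\.$/ && index(item, p[i]) == 1) return 1   # "217.83."
        }
        return 0
    }
    /^[ \t]*#/ || NF < 3 { next }            # skip comments and incomplete rules
    in_list($1, daemon) && in_list($2, ip) { # first matching rule decides
        verdict = toupper($3); gsub(/[ \t]/, "", verdict)
        print verdict; found = 1; exit
    }
    END { if (!found) print "ALLOW" }        # no rule matched: access is granted
    '
}

page_rules() {         # the three rules proposed above
cat <<'EOF'
ALL : localhost 127.0.0.1 : ALLOW
sshd : 217.83. : ALLOW
ALL : ALL : DENY
EOF
}

misordered_rules() {   # constructed mistake: the catch-all DENY comes first
cat <<'EOF'
ALL : ALL : DENY
sshd : 217.83. : ALLOW
EOF
}

# Constructed client addresses; the second one is outside 217.83.
page_rules | hosts_allow_verdict sshd 217.83.10.20        # ALLOW
page_rules | hosts_allow_verdict sshd 198.51.100.7        # DENY
misordered_rules | hosts_allow_verdict sshd 217.83.10.20  # DENY
```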

Now edit /etc/resolv.conf and check the nameserver entry and add additional nameservers.

# vi /etc/resolv.conf

Edit /etc/hosts to add hostnames and IP addresses there if needed as an additional resolver.

# vi /etc/hosts

Check your machines clock by typing

# date

and correct it if needed by typing something like

# date 8506131627

The above example would set the date to June 13, 1985, 4:27 PM. Otherwise use

# man date

If you want to add additional users, use

# adduser

You will be led through questions on how to configure the new user. If the new user should get root rights on request (via „su“) do not forget to add him to the „wheel“ group.

Now edit /etc/fstab

# vi /etc/fstab

You should now comment out all lines regarding the two partitions we created for the jails. We do this because we do not want the boot process to try to mount those partitions. Since these partitions will be encrypted later on, a mount attempt during the boot process would fail and the machine would not come up once the partitions are encrypted. So it's important to do this.

Also comment out the line for the /tmp partition on your hard drive. It will be replaced by a memory disc (RAM disc).

To get a shell prompt you probably will like more:

# vi /etc/passwd

Change the Shell for root and your new users to /bin/csh

# vi /root/.cshrc

Change the prompt line to:

set prompt = "%n@`/bin/hostname -s`:%~ # "

Do the same for /usr/home/yournewuser/.cshrc

You need to log out and log in to get that to work actually.

You should insert an A record for your host system's FQDN. To check the hostname again before doing so just type

# hostname

Then add the hostname and IP address of your host as an A record in the way you manage your domain administration (probably in your domain provider's extranet).

Run ifconfig to check how your network adapter(s) currently are configured. Note the values displayed.

Now edit /etc/rc.conf

# vi /etc/rc.conf

This file is the center of FreeBSD's boot process configuration. It controls the processes starting during the boot process. The order of the entries is not important. FreeBSD sorts it automatically at execution time (not the lines in this file, but it sorts what to run in which order).

First check the most important entries:

You should have something like the following example

defaultrouter="96.137.211.245"
hostname="myhostname.mydomainname.org"
ifconfig_em0="inet 96.137.211.228/27"

to configure your gateway (defaultrouter), hostname and network („em0“ in this example is the device name of the network adapter in this machine but it of course could differ from „em0“).

Now add entries for the two IP addresses you have reserved for the two jails. Here is an example:

ifconfig_em0_alias0="inet 96.137.211.229/32"
ifconfig_em0_alias1="inet 96.137.211.230/32"

This will run an ifconfig command during the boot process and bring up the additional virtual IP addresses. Please note that the number after the word „alias“ has to start with a „0“ for the first virtual IP address and strictly needs to be incremented by 1 for each further virtual IP address. Do not skip any number when increasing them. Replace „em0“ by your network adapter's device name. And of course replace the example IP addresses by your own IP addresses. For all virtual IP addresses „/32“ needs to be added to indicate a sole IP address in CIDR format. Please note: If you use two or more network adapters then replace the adapter's device name here where appropriate.

Make sure you have

sshd_enable="YES"

inserted to the file. This will ensure that the SSH daemon will get started when booting the machine.

Add the following lines:

sendmail_enable="NO"                    
sendmail_submit_enable="YES"     
sendmail_submit_flags="-L sm-mta -bd -q30m -ODaemonPortOptions=Addr=localhost"
sendmail_outbound_enable="YES"          
sendmail_outbound_flags="-L sm-queue -q30m" 
sendmail_msp_queue_enable="YES"         

This will configure sendmail not to listen on outside addresses but still be available to send you emails about the machine's status.

Then add

syslogd_flags="-ss -b 96.137.211.228"

This will limit the syslog daemon to the 228 address (which is needed because the IPs of the jails would otherwise get confused).

Now add:

tmpmfs="YES"
tmpsize="512m"
tmpmfs_flags="-S"

Those three lines will create a memory disc of 512MB in RAM at next boot and use it as the /tmp directory instead of the /tmp partition we created earlier (512MB is okay for 2GB of RAM). This will speed up the system but it also has another advantage: The system will forget everything that would otherwise be left in the standard /tmp directory on the hard disc after a shutdown. This is an improvement regarding security.

Now check again that no parameter is assigned a value on more than one line. If you find any such duplicates, decide which one is correct and leave only that line, so that the boot process gets clear commands.

Check also if you find lines enabling any daemons you do not want to get started (such as NFS or RPC). If you find any with the „YES“ parameter change it to „NO“. Then save the file and close it.
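
The checks described above (no parameter assigned twice, alias numbers without gaps, no unwanted daemon set to „YES“) can be automated. The script below is an added example, not part of the original article; the function names, the allow-list of wanted daemons and the sample file with its three deliberate mistakes are constructed for illustration.

```sh
# Lint an rc.conf-style file for the mistakes described above. Prints one
# finding per line and nothing for a clean file. ALLOWED is an assumption of
# this example: the *_enable="YES" entries that the article itself asks for.
ALLOWED="sshd_enable sendmail_submit_enable sendmail_outbound_enable sendmail_msp_queue_enable"

rc_conf_lint() {   # usage: rc_conf_lint /etc/rc.conf   (or pipe the file in)
    awk -v allow="$ALLOWED" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /^[ \t]*#/ || !/[=]/ { next }             # skip comments and non-assignments
    {
        name = $0; sub(/[=].*/, "", name); gsub(/[ \t]/, "", name)
        val = $0;  sub(/^[^=]*=/, "", val); gsub(/[" \t]/, "", val)
        # a daemon switched on that is not on the allow-list
        if (name ~ /_enable$/ && toupper(val) == "YES" && !(name in ok))
            printf "ENABLED %s (line %d)\n", name, NR
        # the same variable assigned twice
        if (name in first)
            printf "DUPLICATE %s (lines %d and %d)\n", name, first[name], NR
        else
            first[name] = NR
        # remember every ifconfig_<adapter>_alias<N> number per adapter
        if (name ~ /^ifconfig_.+_alias[0-9]+$/) {
            num = name; sub(/^.*_alias/, "", num)
            ifc = name; sub(/_alias[0-9]+$/, "", ifc); sub(/^ifconfig_/, "", ifc)
            seen[ifc, num + 0] = 1
            if (!(ifc in max) || num + 0 > max[ifc]) max[ifc] = num + 0
        }
    }
    END {   # alias numbers must run 0, 1, 2, ... without a gap
        for (ifc in max)
            for (i = 0; i <= max[ifc]; i++)
                if (!((ifc, i) in seen))
                    printf "ALIAS_GAP %s alias%d missing\n", ifc, i
    }' "$@"
}

sample_rc_conf() {   # constructed sample: page values plus three mistakes
cat <<'EOF'
defaultrouter="96.137.211.245"
hostname="myhostname.mydomainname.org"
ifconfig_em0="inet 96.137.211.228/27"
ifconfig_em0_alias0="inet 96.137.211.229/32"
ifconfig_em0_alias2="inet 96.137.211.230/32"
sshd_enable="YES"
sendmail_enable="NO"
rpcbind_enable="YES"
hostname="oldname.mydomainname.org"
EOF
}

sample_rc_conf | rc_conf_lint
```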

We now need to configure the SSH daemon to listen only on the host system's IP address (and not on further IP addresses). Edit /etc/ssh/sshd_config

# vi /etc/ssh/sshd_config

Add the following line there:

ListenAddress 96.137.211.228:22

Of course you need to replace the example IP address by the IP address of your host. But leave the port number („:22“) behind the IP address to make the daemon listen on port 22. Save and exit the file.

Edit /etc/mail/aliases

# vi /etc/mail/aliases

Make sure you have an entry at least for root such as root: youraddress@yourmailprovider.tld. Otherwise you will not get the status emails sent by your system. Save and exit the file. Now run

# newaliases

to update the mail address database.

Now reboot the machine

# shutdown -r now

Wait two minutes. Then log in again via SSH and run „su“ to become root.

Now check whether the virtual IP addresses and the network adapter are configured correctly:

# ifconfig

Compare the values displayed with your plan on how to configure the host system and jails. All IP addresses should now be assigned and get displayed.

Enter:

# sockstat -4

This will display the IP addresses on which daemons are listening. Knowing this is important, since daemons must not listen on IP addresses dedicated to a jail. The jails must have their IP addresses exclusively. If a daemon nevertheless listens on a jail's IP address, the jail can't work properly. So sockstat is used to check this.

If you find a daemon listening on an IP address dedicated to a jail (reserved for a jail at this point) you must stop that daemon from listening on that IP address. This can usually be done by adding further entries to /etc/rc.conf. But of course we cannot provide all possible configuration lines for all possible daemons here. Usually there should not be any daemon misbehaving as long as you added the entries to rc.conf as mentioned above.
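
Reading the sockstat listing by eye gets tedious with more than a few sockets. The filter below is an added example, not part of the original article: it reports sockets bound to a jail address and sockets bound to the wildcard address, which covers every address on the host. The function names and the sample listing (including the ntpd and named lines) are constructed; the addresses are the example addresses used on this page.

```sh
# Scan "sockstat -4" output for sockets that would collide with jail addresses.
# Only unconnected sockets (foreign address *:*) are considered. A wildcard
# bind (*:port) is reported too, because it covers every address on the host.
jail_ip_listeners() {   # usage: sockstat -4 | jail_ip_listeners JAIL_IP...
    awk -v jails="$*" '
    BEGIN { n = split(jails, j, " "); for (i = 1; i <= n; i++) jail[j[i]] = 1 }
    ($1 == "USER" && $2 == "COMMAND") || $7 != "*:*" { next }  # header, connections
    {
        addr = $6; sub(/:[^:]*$/, "", addr)   # local address without the port
        port = $6; sub(/^.*:/, "", port)
        if (addr == "*")
            printf "WILDCARD %s pid %s %s port %s\n", $2, $3, $5, port
        else if (addr in jail)
            printf "JAIL_IP %s pid %s %s %s\n", $2, $3, $5, $6
    }'
}

sample_sockstat() {   # constructed listing in the column layout of sockstat -4
cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       712   3  tcp4   96.137.211.228:22     *:*
root     sendmail   650   4  tcp4   127.0.0.1:25          *:*
root     syslogd    501   6  udp4   96.137.211.228:514    *:*
root     ntpd       688   20 udp4   *:123                 *:*
root     named      699   21 tcp4   96.137.211.229:53     *:*
admin    sshd       940   3  tcp4   96.137.211.228:22     217.83.10.20:51544
EOF
}

sample_sockstat | jail_ip_listeners 96.137.211.229 96.137.211.230
```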

Now run

# mount

and check that the two partitions for the jails (you commented them out in /etc/fstab) are NOT mounted. They must NOT be mounted, for the reasons mentioned above.

Also check in the output of „mount“ that we now use a memory disc as the /tmp directory. The line for /tmp should look like the following example: /dev/md0 on /tmp (ufs, local)

Your host system is already working in general, now. Before we can go ahead we need to update the operating system to the most recent version, make the ports collection available, install some of the ports, then encrypt the two jail partitions, set some kernel options important for the jail thing, compile some stuff to get the binaries for the jails and finally setup the jails and the mixes in the jails.
