Downloaded the FreeBSD 11.0 .iso file and created an .xml file for the VM with the .iso file in the virtual CD/DVD drive.
The VM has 1 CPU, 10 GB of disk space and 1 GB of memory. VNC is enabled. The hostname will be freya11.
- On the server:
virsh create xml/ini-freya11.xml
- Open a VNC session
- Select all the defaults; set hostname appropriately
- Optional system components to install: lib32, ports, src, test
- Then select the network interface for IPv4/DHCP and acquire a lease; skip IPv6
- Pick a mirror
- Choose guided disk set-up entire disk, GPT partition scheme, accept all the defaults
- ...wait...
- Set a root password
- Set the timezone
- Services to be started at boot: sshd, ntpd, dumpdev
- System hardening options: enable all except options hiding PIDs
- Add a superuser: invite into group wheel; accept all defaults and set a password
- Drop into the shell to check internet connectivity: ping google.com should work
- Exit and reboot
On the server: stop the VM using virsh destroy freya11
Edit the XML file and remove the <disk type="file" device="cdrom"> ... </disk> section.
If VNC support can be dropped, then also remove the <graphics type='vnc' port='-1' autoport="yes" listen='0.0.0.0'/> line.
Save the XML file as xml/freya11.xml
virsh create xml/freya11.xml
virsh destroy freya11
Since this is a headless server we will be connecting to it via SSH. Use of VNC should be avoided because my VNC app does not provide scrolling. Also the text console is terrible under VNC.
- Remove any previous host keys for this name from your local SSH configuration (ssh-keygen -R only needs the known_hosts file and the host name; key-generation flags do not belong here):
ssh-keygen -f "$HOME/.ssh/known_hosts" -R freya11.lan
- Copy your public key to the VM:
ssh-copy-id admin@freya11.lan
(assuming you created an additional user called admin); answer yes to confirm the host key, then enter the password for the remote user (here: admin)
- It should then be possible to log in using
ssh admin@freya11.lan
A place to store my scripts:
$ mkdir bin
Clean the ports tree (call me paranoid):
$ su -
# cd /usr/ports
# make clean
Do some initialising stuff:
# periodic monthly; periodic weekly; periodic daily
To make installing ports easier I use portmaster:
# cd /usr/ports/ports-mgmt/portmaster
# make install clean
To avoid having to su - and then forgetting to exit, I will install sudo:
# cd /usr/ports/security/sudo
# make install clean
sudo - options: audit, disable_root_sudo, insults, nls
gettext-tools - options: threads
I hate vi(m) so I get nano:
# cd /usr/ports/editors/nano
# make install clean
Now, I still need sudo rights:
# nano /etc/sudoers
Uncomment this line:
%wheel ALL=(ALL) NOPASSWD: ALL
(I know this is supposed to be done using visudo, but because I only uncomment a line the additional checks by visudo won't be needed.)
Then save & exit, and exit the root shell:
# exit
bash is my preferred shell:
cd /usr/ports/shells/bash
sudo make install clean
bash - options: colonbreakswords, help, implicitcd, nls, syslog
bison - options: nls
m4 - options: -
chsh -s /usr/local/bin/bash
sudo nano /etc/fstab
Add this line to /etc/fstab:
fdesc /dev/fd fdescfs rw 0 0
And perform the mount now:
sudo mount -t fdescfs fdesc /dev/fd
Using my script mkbin.sh (see below) I install these:
lsof - options: -
bash-completion - options: -
portmaster - options: bash, zsh
- next also run:
portmaster -L; pkg update
rsync - options: ssh, flags
git - options: contrib, curl, cvs, iconv, nls, p4, perl
xmlto - options: -
getopt - options: nls
libxml2 - options: schema, threads, valid
libxslt - options: crypto
libgcrypt - options: -
libgpg-error - options: nls
docbook-xsl - options: all
xmlcatmgr - options: -
w3m - options: -
python27 - options: ipv6, libffi, nls, pymalloc, sem, threads, ucs4
libffi - options: -
readline - options: termcap
tree - options: -
FreeBSD has two tmp locations (/tmp and /var/tmp). Combine these into one:
sudo mv /var/tmp/* /tmp/
sudo rm -rf /var/tmp
sudo ln -s /tmp /var/tmp
Disable local root access by marking the ttys insecure (BSD sed needs -i '' to edit the file in place; without it the result is only printed):
sudo sed -i '' 's/ secure/ insecure/' /etc/ttys
Make some changes to the SSH configuration:
sudo nano /etc/ssh/sshd_config
- Uncomment the line reading #Protocol 2
- Uncomment the lines starting with #HostKey and containing rsa, dsa, ecdsa or ed25519
- Uncomment the line #X11Forwarding yes and change it to X11Forwarding no
- Uncomment the line #VersionAddendum and remove the OS identifier after it
- Add a line AllowGroups wheel (your user must be part of the group wheel; check using id)
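Added example, not from the original notes: a POSIX sh script that applies the sshd_config edits listed above to a copy of the file and checks the result before it replaces the live one. It uses OpenSSH's documented `VersionAddendum none` for an empty addendum, and the `user_in_group` check exists because AllowGroups wheel locks out any account outside that group; the file paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original notes. Applies the sshd_config edits listed
# above to a COPY of the file and verifies the result before it replaces the live one.
# Assumes POSIX sh, awk, grep, id; the paths in the usage comment are placeholders.

# Rewrite SRC ($1) into DST ($2). Unmatched lines are kept; AllowGroups is added only once.
harden_sshd_config() {
    awk '
        /^#?Protocol /                        { print "Protocol 2"; next }
        /^#HostKey .*(rsa|dsa|ecdsa|ed25519)/ { sub(/^#/, ""); print; next }
        /^#?X11Forwarding /                   { print "X11Forwarding no"; next }
        /^#?VersionAddendum /                 { print "VersionAddendum none"; next }
        /^AllowGroups /                       { seen = 1 }
        { print }
        END { if (!seen) print "AllowGroups wheel" }
    ' "$1" > "$2"
}

# Succeeds only if USER ($1) is a member of GROUP ($2): with AllowGroups wheel in
# place, an admin outside that group can no longer log in over SSH.
user_in_group() {
    id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# Succeeds only if every directive from the notes is present in FILE ($1).
verify_sshd_config() {
    grep -qx 'Protocol 2' "$1" &&
    grep -qx 'X11Forwarding no' "$1" &&
    grep -qx 'VersionAddendum none' "$1" &&
    grep -qx 'AllowGroups wheel' "$1" &&
    ! grep -Eq '^#HostKey .*(rsa|dsa|ecdsa|ed25519)' "$1"
}

# Constructed sample with the relevant lines of a stock sshd_config (for offline runs).
sample_sshd_config() {
    printf '%s\n' '#Protocol 2' '#HostKey /etc/ssh/ssh_host_rsa_key' \
        '#HostKey /etc/ssh/ssh_host_ed25519_key' '#X11Forwarding yes' \
        '#VersionAddendum FreeBSD-20160310' 'Subsystem sftp /usr/libexec/sftp-server'
}

# Typical use (placeholder paths); keep the current SSH session open until the reload succeeds:
#   harden_sshd_config /etc/ssh/sshd_config /tmp/sshd_config.new
#   user_in_group "$(id -un)" wheel && verify_sshd_config /tmp/sshd_config.new &&
#     sudo sshd -t -f /tmp/sshd_config.new &&
#     sudo cp /tmp/sshd_config.new /etc/ssh/sshd_config && sudo service sshd reload
```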