My New FreeBSD Server Checklist

Below are the steps I take to personalise new FreeBSD servers which I run on my home network. The steps could easily be automated, I just don’t deploy new FreeBSD servers at home often enough to justify it.

# Update the base system:

$ freebsd-update fetch
$ freebsd-update install
# If the kernel was patched, don't forget to reboot:
$ shutdown -r now

# Schedule future security updates to be applied daily:

$ printf '@daily                                  root    freebsd-update cron\n' >> /etc/crontab

# Map the root account to your email address and send a test mail:

$ printf 'root: your@email.com\n' >> /etc/aliases
$ newaliases
$ service sendmail restart
$ printf 'test\n' | mail -s "test message" root

# Set the timezone:

$ tzsetup

# Now that the timezone is set, enable the NTP daemon so that the server's clock stays in sync. I use the default FreeBSD servers listed in /etc/ntp.conf:

$ printf 'ntpd_enable="YES"\nntpd_sync_on_start="YES"\n' >> /etc/rc.conf

# Now start the NTP daemon:

$ service ntpd start

# Configure the firewall to only allow SSH:

$ printf 'firewall_enable="YES"\nfirewall_quiet="YES"\nfirewall_type="workstation"\nfirewall_myservices="22/tcp"\nfirewall_allowservices="any"\nfirewall_logdeny="YES"\n' >> /etc/rc.conf

# Limit the number of logs per IP address, to prevent the logs filling up with traffic from a single persistent user:

$ printf 'net.inet.ip.fw.verbose_limit=5\n' >> /etc/sysctl.conf
$ sysctl net.inet.ip.fw.verbose_limit=5

# Start the firewall:

$ service ipfw start

# Install subversion using pkg and then pull down the ports tree:

$ pkg install subversion
$ svn checkout https://svn.FreeBSD.org/ports/head /usr/ports

# Install some tools I can’t live without:

$ cd /usr/ports/shells/zsh && make install clean
$ zsh
$ cd /usr/ports/*/vim-lite && make install clean
$ cd /usr/ports/*/git && make install clean
$ cd /usr/ports/*/screen && make install clean

# Change the default shell for your user to zsh. Be careful here: if a shell installed from ports is removed or breaks, you can lock yourself out of the account, so you might want to compile zsh statically and copy it into /bin/ if that concerns you. Otherwise run the following, remembering to change the username:

$ chsh -s /usr/local/bin/zsh YOUR_USER

# Alias vi -> vim because old habits die hard. We also set the variable WITHOUT_X11 to try to stop X11/graphical components finding their way onto our server:

$ printf 'alias vi=vim\nexport WITHOUT_X11=YES\n' >> ~/.zshrc

# Create a .vimrc file with mouse support disabled (who uses a mouse in vim?!) and with the background set to dark, so we don’t get dark blue comments:

$ printf 'set background=dark\nset mouse-=a\n' >> ~/.vimrc

# Install oh-my-zsh, a handy tool for enhancing your zsh command-line experience.

$ sh -c "$(curl -fsSL https://raw.githubusercontent.com/robbyrussell/oh-my-zsh/master/tools/install.sh)"

# Change the theme and plugins for oh-my-zsh:

$ sed -i '.bak' 's/ZSH_THEME=\".*\"/ZSH_THEME=\"pygmalion\"/;s/plugins=\(.*\)/plugins=\(git screen nyan vi-mode\)/' "$HOME/.zshrc"
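The `printf ... >> /etc/rc.conf` steps above are not idempotent: running the checklist twice duplicates the lines, and a file that lacks a trailing newline gets the new setting glued onto its last line. As an added example (not part of the original post, and not FreeBSD's own tooling, which provides sysrc(8) for exactly this on rc.conf), here is a small POSIX sh helper that sets each rc.conf variable exactly once and applies the firewall values from this checklist; the function names set_rc_var, apply_firewall_baseline and count_key are my own.

```shell
#!/bin/sh
# Added example: idempotent rc.conf editing for the checklist above.

# set_rc_var FILE KEY VALUE
# Ensure FILE contains exactly one line of the form  KEY="VALUE".
set_rc_var() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || : > "$file"
    # If the file does not end with a newline, add one first so the new
    # setting is not appended onto the previous line (the bug "printf ... >>"
    # without a trailing \n can cause).
    if [ -s "$file" ] && ! tail -c1 "$file" | read -r _; then
        printf '\n' >> "$file"
    fi
    if grep -q "^${key}=" "$file"; then
        # Key already set: rewrite that line in place. '|' is the sed
        # delimiter because values such as 22/tcp contain '/'.
        sed -i.bak "s|^${key}=.*|${key}=\"${value}\"|" "$file" && rm -f "${file}.bak"
    else
        printf '%s="%s"\n' "$key" "$value" >> "$file"
    fi
}

# apply_firewall_baseline FILE
# Write the ipfw settings from the checklist (SSH only, log denied packets)
# into FILE, which would normally be /etc/rc.conf.
apply_firewall_baseline() {
    for kv in firewall_enable=YES firewall_quiet=YES firewall_type=workstation \
              firewall_myservices=22/tcp firewall_allowservices=any firewall_logdeny=YES; do
        set_rc_var "$1" "${kv%%=*}" "${kv#*=}"
    done
}

# count_key FILE KEY -> number of lines that define KEY (should always be 1)
count_key() {
    grep -c "^$2=" "$1"
}

# Usage on a real box (as root):  apply_firewall_baseline /etc/rc.conf
```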

That’s about it to get what I consider my ‘baseline’.

Published by

Guy Tabrar

*NIX Admin.