freebsd system admin notes
Table of Contents
- Modify default shell
- Backup the entire UFS based OS
- Fossil
- Inspect system boot log
- Modify default editor
- Check disk space usage by directory
- Expand Partition to Entire Drive
- Reload sshd config
- Edit Crontab
- View traffic on network interfaces
- Manage BSD Jails
- Using fetch fails with ssl auth error
- Starting PostGres12 in jail
- Switch to postgres user
- Setup Jenkins
- Adding more storage
- Enable webdav on nginx
- Sysvipc and jails on bsd
- Rebuild kernel from source
- pf as your firewall
- Send email using bsd
- Limit ssh access by IP in jail
- Enable SSH agent on bsd
- Rsnapshot on BSD
- Nginx - redirect to https
- Rsyslog
- Synology Links
- Logging
Modify default shell
As root
pw usermod buildbot-worker -s /usr/local/bin/bash
Backup the entire UFS based OS
Fossil
$ fossil init -A kb test.fossil    # create repo on server
$ fossil clone -v https://kayb@fossil.busilogic.com/test test.fossil    # clone on laptop
Inspect system boot log
$ cat /var/run/dmesg.boot
Modify default editor
From vi to nano for C Shell
$ which nano
$ setenv EDITOR </path/to/nano>
Check disk space usage by directory
$ du -d1 -h -x /      # look for large directories
$ du -d1 -h /var      # report for a specific directory
Expand Partition to Entire Drive
When upgrading a VPS to a larger instance, the expanded drive is not recognized by the OS.
$ gpart recover vtbd0
$ gpart resize -i 2 vtbd0    # 2 = partition index shown by gpart show vtbd0
$ growfs -y /
# Verify the extra disk space exists
$ df -h
# Update /etc/fstab
On reboot, the system drops to the mountroot> prompt.
Type ? to see the available disks, then give the root file system explicitly:
mountroot> ?                 # list available disks
mountroot> ufs:/dev/vtbd0s1
Reload sshd config
I usually change the default ssh port from 22.
Disable root login by modifying sshd_config (not ssh_config).
/etc/rc.d/sshd reload
Edit Crontab
$ crontab -e
View traffic on network interfaces
$ systat -ifstat 1
Manage BSD Jails
Jails had been around for years before Docker and Kubernetes were the rage.
Using ezjail-admin
# View list of running jails
$ jls
# or, verbose
$ jls -v
Log into Jail
$ sudo ezjail-admin console <jailname>
# OR use jexec with the JID from the jls output
$ sudo jexec 2 csh
# OR execute a single command inside the jail
$ sudo jexec 1 hostname    # show hostname of the jail with JID 1
Jail pre-requisites
Make an alias on your network card with your network settings
$ sudo ifconfig lo10 alias 10.10.10.15 netmask 0xffffff00
Add the network alias to /etc/rc.conf so it persists across reboots
ezjail_enable="YES"
jail_sysvipc_allow="YES"    # For PostgreSQL
gateway_enable="YES"
cloned_interfaces="lo10"
ifconfig_lo10_alias0="inet 10.10.10.1 netmask 255.255.255.0"
ifconfig_lo10_alias1="inet 10.10.10.10 netmask 255.255.255.0"
ifconfig_lo10_alias2="inet 10.10.10.11 netmask 255.255.255.0"
ifconfig_lo10_alias3="inet 10.10.10.12 netmask 255.255.255.0"
ifconfig_lo10_alias4="inet 10.10.10.13 netmask 255.255.255.0"
ifconfig_lo10_alias5="inet 10.10.10.14 netmask 255.255.255.0"
ifconfig_lo10_alias6="inet 10.10.10.15 netmask 255.255.255.0"
Create jail
Use the IP address aliased above
sudo ezjail-admin create busilogic-blog 10.10.10.15
To enable networking inside jail, copy the resolv.conf file
sudo cp /etc/resolv.conf /usr/jails/jail-name/etc/
Start the jail
sudo service ezjail start busilogic-blog
Enable networking in jail
# Replace <jailname> with the jail you created
$ cp /etc/resolv.conf /usr/jails/<jailname>/etc/
Using fetch fails with ssl auth error
Reason: Certificate verification failed
Install the CA bundle and link it to the system certificate path
$ pkg install ca_root_nss
$ ln -s /usr/local/share/certs/ca-root-nss.crt /etc/ssl/cert.pem
Starting PostgreSQL 12 in jail
$ /usr/local/etc/rc.d/postgresql start
Switch to postgres user
$ psql -U postgres
Setup Jenkins
Adding more storage
If you need to upgrade your VPS to get additional storage, follow notes here.
Enable webdav on nginx
- Install nginx from source
- To enable the HTTP WebDAV module, you may have to install the libxml2 libraries as a prerequisite for nginx to compile properly
- Generate htpasswd
- Update the nginx config file
- Restrict access using HTTP basic auth
- Use it to host secure items, e.g. a password manager on WebDAV with KeePass
Rebuild kernel from source
Install the source code
svn checkout https://svn.FreeBSD.org/base/releng/10.2 /usr/src
where 10.2 is your current release.
svn.FreeBSD.org will automatically choose a mirror near you.
Buildworld and kernel
pf as your firewall
Firewall is a term originally referring to a wall intended to confine a fire within a building.
In computing, it monitors and controls incoming/outgoing traffic at layer 7. It establishes a barrier between a trusted internal network and an untrusted external network.
On FreeBSD, pf (packet filter) is included as part of the base system.
Getting started with PF
Get name of the external interface
$ ifconfig
Enable pf by adding to /etc/rc.conf
pf_enable="YES"
Create config file (/etc/pf.conf)
ext_if="vtnet0"              # External interface
# cloned interface for jail
jail_if="lo10"
# Public IP
IP_PUB="xxx.xxx.xx.xxx"
# World wide web jail
IP_JAIL_WWW="11.11.11.11"
NET_JAIL="11.11.11.11/24"
PORT_WWW="{80, 443}"

# "Scrubbing" is the normalization of packets so there are no ambiguities in
# interpretation by the ultimate destination of the packet. The scrub directive
# also reassembles fragmented packets, protecting some operating systems from
# some forms of attack, and drops TCP packets that have invalid flag combinations.
# More on the principle and concepts of scrubbing can be found in the
# Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End
# Protocol Semantics paper.
scrub in all

# nat all jail traffic
nat pass on $ext_if from $NET_JAIL to any -> $IP_PUB

# WWW: pass all internet traffic to my webserver jail
rdr pass on $ext_if proto tcp from any to $IP_PUB port $PORT_WWW -> $IP_JAIL_WWW
Manage pf service
$ service pf status
$ service pf start
Enabling pf.
$ service pf stop
Disabling pf.
Optional: Install Fail2Ban and integrate it with pf
> pkg install fail2ban
Message from py36-fail2ban-0.10.4:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please do not edit the fail2ban.conf, jail.conf, or any other files in the
distributen as they will be overwritten upon each upgrade of the port.
Instead, create new files named *.local e.g. fail2ban.local or jail.local.
For more information, see the official manual:
http://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Configuration
If you have custom filters or actions and you are upgrading from 0.9.x
please check them.
Users of pf: please read the notes in action.d/pf.conf and the discussion at
https://github.com/fail2ban/fail2ban/pull/1925
Please note that fail2ban will put curly braces '{}' around the ports in the
action so you shouldn't do it yourself.
The Fail2Ban configuration lives in /usr/local/etc/fail2ban/jail.conf (not to be confused with the BSD jail configuration).
Customizations and overrides should live in /usr/local/etc/fail2ban/jail.local
# add banned IP addresses to a PF table called fail2ban
# which is registered to pf to ban
[DEFAULT]
bantime = 86400
findtime = 3600
maxretry = 3
banaction = pf

# watch for failed logins in ssh
[sshd]
enabled = true
The banaction refers to /usr/local/etc/fail2ban/action.d/pf.conf.
It adds banned IP addresses to a PF table called fail2ban.
This on its own doesn’t do anything but register the address with PF, so you need to add a rule to pf.conf to block the traffic.
# Add rule to pf.conf to block traffic from addresses in the fail2ban table
table <fail2ban> persist
block in quick from <fail2ban>
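A check for the pitfall described above, added here as an example (not part of the original notes): it confirms that a pf.conf both declares the ban table and actually blocks from it, and it syntax-checks a candidate file with pfctl -nf before it is loaded. It assumes the table is named fail2ban as on this page; newer fail2ban releases name the table per jail (see the action.d/pf.conf notes the package message points to), so the name is passed as a parameter.

```shell
#!/bin/sh
# Added example, not from the original notes. Table name is a parameter because
# the fail2ban release installed decides it (this page assumes "fail2ban").

# Returns 0 if pf.conf ($1) declares table <$2>
pf_table_declared() {
    grep -Eq "^[[:space:]]*table[[:space:]]*<$2>" "$1"
}

# Returns 0 if pf.conf ($1) contains a block rule whose source is table <$2>
pf_table_blocked() {
    grep -Eq "^[[:space:]]*block[[:space:]].*from[[:space:]]*<$2>" "$1"
}

# Prints a verdict for table $2 in pf.conf $1; returns 0 only if both checks pass
audit_f2b_table() {
    conf=$1; tbl=$2; status=0
    pf_table_declared "$conf" "$tbl" || { echo "MISSING: table <$tbl> persist"; status=1; }
    pf_table_blocked "$conf" "$tbl" || { echo "MISSING: block in quick from <$tbl>"; status=1; }
    [ "$status" -eq 0 ] && echo "OK: <$tbl> is declared and blocked"
    return "$status"
}

# Parse a candidate pf.conf without loading it; only runs where pfctl exists
pf_syntax_check() {
    if command -v pfctl >/dev/null 2>&1; then pfctl -nf "$1"; else echo "pfctl not available; syntax check skipped"; fi
}

# Constructed sample: a pf.conf like the one above, before the fail2ban lines
BEFORE=$(mktemp); AFTER=$(mktemp)
cat > "$BEFORE" <<'EOF'
ext_if="vtnet0"   # External interface
scrub in all
nat pass on $ext_if from 11.11.11.11/24 to any -> 203.0.113.10
EOF
# Same file plus the two lines the notes say are required
{ cat "$BEFORE"; printf 'table <fail2ban> persist\nblock in quick from <fail2ban>\n'; } > "$AFTER"

audit_f2b_table "$BEFORE" fail2ban || true    # reports both lines as missing
audit_f2b_table "$AFTER" fail2ban             # OK
pf_syntax_check "$AFTER"
rm -f "$BEFORE" "$AFTER"
```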
Enable SSH agent on bsd
eval `ssh-agent -c`    # -c prints csh-style commands; use -s for sh/bash
Rsnapshot on BSD
Takes up a lot of disk space. Looking for alternatives.