freebsd system admin notes


Modify default shell

As root

pw usermod buildbot-worker -s /usr/local/bin/bash

Backup the entire UFS based OS

Fossil

$ fossil init -A kb test.fossil # create repo on server
$ fossil clone -v https://kayb@fossil.busilogic.com/test test.fossil # clone on laptop

Inspect system boot log

$ cat /var/run/dmesg.boot

Modify default editor

From vi to nano for C Shell

$ which nano
$ setenv EDITOR </path/to/nano>

Check disk space usage by directory

$ du -d1 -h -x /  # look for large directories
$ du -d1 -h /var  # repeat for a specific directory

Expand Partition to Entire Drive

When upgrading VPS to a larger instance, the expanded drive is not recognized by the OS. 1

$ gpart recover vtbd0
$ gpart resize -i 2 vtbd0  # 2 = partition index shown by gpart show vtbd0
$ growfs -y /

# Verify the extra disk space exists
$ df -h

# Update /etc/fstab

On reboot, the system drops to the mountroot prompt.

Type ? to see the available disks, then enter the root device:

mountroot> ufs:/dev/vtbd0s1

Reload sshd config

I usually change the default ssh port from 22 2

Disable root login by modifying the sshd config (sshd_config, not ssh_config).

/etc/rc.d/sshd reload
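
A pre-reload check for the root-login setting, as an added example that is not part of the original notes. The function names, the sample config and its port and Match values are constructed for illustration, and /usr/sbin/sshd is assumed to be the base-system binary.

```sh
#!/bin/sh
# Added example, not from the original notes. The sample config is constructed.
# sshd keeps the FIRST value it reads for a keyword, so "PermitRootLogin no"
# placed after an earlier "yes" has no effect. Match blocks can override the
# global value, so they are checked separately.

# root_login_findings FILE: one line per problem; returns 0 when there are none.
root_login_findings() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }                  # comments, blank lines
        { kw = tolower($1); val = tolower($2) }
        kw == "match" { in_match = 1; next }
        kw != "permitrootlogin" { next }
        in_match {
            if (val != "no") { print "line " NR ": Match block allows root (" val ")"; bad = 1 }
            next
        }
        seen { next }                                   # later global lines are ignored
        {
            seen = 1
            if (val != "no") { print "line " NR ": effective PermitRootLogin is " val; bad = 1 }
        }
        END {
            if (!seen) { print "PermitRootLogin is not set explicitly"; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# reload_if_clean FILE: for the real host. Reload only when the audit passes
# and sshd accepts the file (-t is its config test mode).
reload_if_clean() {
    root_login_findings "$1" && /usr/sbin/sshd -t -f "$1" && /etc/rc.d/sshd reload
}

# Constructed sample: "no" was appended, but the earlier "yes" still wins.
sample=$(mktemp /tmp/sshd.XXXXXX)
cat > "$sample" <<'EOF'
Port 2222
PermitRootLogin yes
PasswordAuthentication no
PermitRootLogin no
Match Address 10.10.10.0/24
    PermitRootLogin prohibit-password
EOF

root_login_findings "$sample" || echo "do not reload yet"
```

On the host, run reload_if_clean /etc/ssh/sshd_config as root and keep the current session open until a new login has been confirmed.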

Edit Crontab

$ crontab -e

View traffic on network interfaces

$ systat -ifstat 1

Manage BSD Jails

Jails were around for years before Docker and Kubernetes became the rage.3

Using ezjail-admin

# View list of available jails
$ jls
# or
$ jls -v

Log into Jail

$ sudo ezjail-admin console <jailname>

# OR use jexec with number parameter where
# parameter == JID from jls output
$ sudo jexec 2 csh

# OR execute a single command in the jail
$ sudo jexec 1 hostname    # show host name of jail with id=1

Jail pre-requisites

Make an alias on your network card with your network settings

$ sudo ifconfig lo10 alias 10.10.10.15 netmask 0xffffff00

Add the network alias to /etc/rc.conf so it persists across reboots

ezjail_enable="YES"
jail_sysvipc_allow="YES"    # For PostgreSQL
gateway_enable="YES"

cloned_interfaces="lo10"
ifconfig_lo10_alias0="inet 10.10.10.1 netmask 255.255.255.0"
ifconfig_lo10_alias1="inet 10.10.10.10 netmask 255.255.255.0"
ifconfig_lo10_alias2="inet 10.10.10.11 netmask 255.255.255.0"
ifconfig_lo10_alias3="inet 10.10.10.12 netmask 255.255.255.0"
ifconfig_lo10_alias4="inet 10.10.10.13 netmask 255.255.255.0"
ifconfig_lo10_alias5="inet 10.10.10.14 netmask 255.255.255.0"
ifconfig_lo10_alias6="inet 10.10.10.15 netmask 255.255.255.0"

Create jail

Use the ip address created above

sudo ezjail-admin create busilogic-blog 10.10.10.15

To enable networking inside jail, copy the resolv.conf file

sudo cp /etc/resolv.conf /usr/jails/jail-name/etc/

Start the jail

sudo service ezjail start busilogic-blog

Enable networking in jail

# Replace jail name with your jail created
$ cp /etc/resolv.conf /usr/jails/<jailname>/etc/

Using fetch fails with ssl auth error

Reason: Certificate verification failed

Install ca and link to root

$ pkg install ca_root_nss
$ ln -s /usr/local/share/certs/ca-root-nss.crt /etc/ssl/cert.pem

Starting PostgreSQL in jail

$ su pgsql
$ pg_ctl -D /usr/local/pgsql/data initdb
$ /usr/local/bin/pg_ctl -D /usr/local/pgsql/data -l /usr/local/pgsql/postgresql.log start

Setup Jenkins 4

Adding more storage

If you need to upgrade your VPS to get additional storage, follow notes here.

Enable webdav on nginx

  • Install nginx from source
  • To enable http webdav module, you might have to install libxml2 libs as prerequisite for nginx to compile properly
  • Generate htpasswd 5
  • Update nginx config file 6
  • Restrict access using http basic auth 7
  • Use it to host secure items e.g. password manager on webdav with keepass 8

Sysvipc and jails on bsd

Rebuild kernel from source

Install the source code

svn checkout https://svn.FreeBSD.org/base/releng/10.2 /usr/src

where 10.2 is your current release

svn.FreeBSD.org will automatically choose a mirror near you 9

Buildworld and kernel 10

pf as your firewall

Firewall is a term originally referring to a wall intended to confine a fire within a building.

In computing, it monitors and controls incoming/outgoing traffic at layer 7. It establishes a barrier between a trusted internal network and an untrusted external network.

On BSD systems, pf (packet filter) is included as part of the base system.

Getting started with PF

Get name of the external interface

$ ifconfig

Enable pf by adding to /etc/rc.conf

pf_enable="YES"

Create config file (/etc/pf.conf)

ext_if="vtnet0"     # External interface

# cloned interface for jail
jail_if="lo10"

# Public IP
IP_PUB="xxx.xxx.xx.xxx"

# World wide web jail
IP_JAIL_WWW="11.11.11.11"
NET_JAIL="11.11.11.11/24"

PORT_WWW="{80, 443}"

# "Scrubbing" is the normalization of packets so there are no ambiguities in
# interpretation by the ultimate destination of the packet. The scrub directive
# also reassembles fragmented packets, protecting some operating systems from
# some forms of attack, and drops TCP packets that have invalid flag combinations.
# More on the principle and concepts of scrubbing can be found in the
# Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End
# Protocol Semantics paper.
scrub in all

# nat all jail traffic
nat pass on $ext_if from $NET_JAIL to any -> $IP_PUB

# WWW: pass all internet traffic to my webserver jail
rdr pass on $ext_if proto tcp from any to $IP_PUB port $PORT_WWW -> $IP_JAIL_WWW

Manage pf service

$ service pf status
$ service pf start
Enabling pf.
$ service pf stop
Disabling pf.

Optional: Install Fail2Ban and integrate it with pf 11

> pkg install fail2ban
Message from py36-fail2ban-0.10.4:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Please do not edit the fail2ban.conf, jail.conf, or any other
files in the distributen as they will be overwritten upon each
upgrade of the port. Instead, create new files named *.local e.g.
fail2ban.local or jail.local.

For more information, see the official manual:
http://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Configuration

If you have custom filters or actions and you are upgrading from
0.9.x please check them.

Users of pf: please read the notes in action.d/pf.conf and the
discussion at https://github.com/fail2ban/fail2ban/pull/1925
Please note that fail2ban will put curly braces '{}' around the
ports in the action so you shouldn't do it yourself.

Fail2Ban configuration lives in /usr/local/etc/fail2ban/jail.conf (not to be confused with the BSD jails config file).

The customization and overrides should live in /usr/local/etc/fail2ban/jail.local

# add banned IP addresses to a PF table called fail2ban
# which is registered to pf to ban
[DEFAULT]
bantime = 86400
findtime = 3600
maxretry = 3
banaction = pf

# watch for failed logins in ssh
[sshd]
enabled = true

The banaction refers to /usr/local/etc/fail2ban/action.d/pf.conf.

It adds banned IP addresses to a PF table called fail2ban.

This on its own doesn’t do anything but register the address with PF, so you need to add a rule to pf.conf to block the traffic.

# Add rule to pf.conf to block traffic in fail2ban table
table <fail2ban> persist
block in quick from <fail2ban>
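
One way to check this wiring, as an added example that is not part of the original notes (the function name and both sample rulesets are constructed). Per pf.conf(5), a translation rule written with pass lets matching packets through without evaluating the filter rules, so with an rdr pass rule a banned address is still redirected to the web jail; the lint flags that along with a missing table or block rule.

```sh
#!/bin/sh
# Added example, not from the original notes. Sample rulesets are constructed.

# lint_pf_fail2ban FILE: prints findings, returns 0 only when there are none.
lint_pf_fail2ban() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }          # skip comments and blanks
        $1 == "table" && $2 == "<fail2ban>" { table = NR }
        $1 == "block" && /<fail2ban>/ {
            block = NR
            if ($0 !~ /[ \t]quick[ \t]/) {
                print "WARN line " NR ": no quick, a later pass rule wins"; bad = 1
            }
        }
        # "pass" on an rdr rule skips the filter rules, so banned sources
        # still reach the redirected ports.
        $1 == "rdr" && $2 == "pass" {
            print "WARN line " NR ": rdr pass bypasses the <fail2ban> block"; bad = 1
        }
        END {
            if (!table) { print "FAIL: table <fail2ban> not declared"; bad = 1 }
            if (!block) { print "FAIL: no block rule uses <fail2ban>"; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample 1: same rule layout as in these notes.
as_written=$(mktemp /tmp/pf.XXXXXX)
cat > "$as_written" <<'EOF'
table <fail2ban> persist
scrub in all
rdr pass on $ext_if proto tcp from any to $IP_PUB port $PORT_WWW -> $IP_JAIL_WWW
block in quick from <fail2ban>
EOF

# Constructed sample 2: rdr without "pass", so the filter rules are evaluated.
filtered=$(mktemp /tmp/pf.XXXXXX)
cat > "$filtered" <<'EOF'
table <fail2ban> persist
scrub in all
rdr on $ext_if proto tcp from any to $IP_PUB port $PORT_WWW -> $IP_JAIL_WWW
block in quick from <fail2ban>
pass in on $ext_if proto tcp from any to $IP_JAIL_WWW port $PORT_WWW
EOF

lint_pf_fail2ban "$as_written" || echo "as written: see findings above"
lint_pf_fail2ban "$filtered" && echo "filtered: clean"
```

After editing the real file, pfctl -nf /etc/pf.conf parses it without loading, and pfctl -t fail2ban -T show lists the addresses currently banned.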

Send email using bsd

Limit ssh access by IP in jail

Enable SSH agent on bsd

eval `ssh-agent -c`

Rsnapshot on BSD

Takes up a lot of diskspace. Looking for alternatives

Nginx - redirect to https

Rsyslog

Synology Links

Logging

Footnotes: