- install a baseline of packages (git sudo bash vim rsync)
- place /etc under revision control (git)
- create a non-root user
- lock down ssh (keys only)
This blog post does not cover the initial FreeBSD installation; that’s covered quite adequately here: http://wiki.hetzner.de/index.php/FreeBSD_installieren/en. The exception is the IPv6 portion, which didn’t appear to work properly, so I configured IPv6 differently (see below for details).
Hetzner is a cost-effective alternative to Amazon AWS. In addition, it offers native IPv6, which Amazon only offers on its ELBs (Elastic Load Balancers).
Basic information on my Hetzner FreeBSD virtual machine:
- virtual server hostname: shay.nono.com (DNS A records already created)
- IPv4 address: 18.104.22.168
Let’s talk about the .gitignore entries: these are for security purposes because I plan to publish /etc to a public github repo. The first two entries (master.passwd and spwd.db) contain hashed passwords, which are vulnerable to dictionary attacks. Even though further down we will eliminate the use of passwords to connect via ssh, you don’t want hackers to know your account/password combination.
The remaining .gitignore entries are related to ssh keys. IMHO, the security risk is medium-to-low. Admittedly, knowing the keys will allow a hacker to decrypt ssh traffic between the FreeBSD server and your machine, but only if he has the ability to snoop the packets (e.g. only if he has compromised, say, the Cisco switch to which your workstation is connected).
```sh
ssh email@example.com
mkdir ~/.ssh
chmod 700 ~/.ssh
# install the baseline packages
pkg_add -r git sudo bash vim rsync
# switch to bash for the rest of the session
bash
cd /etc
git init
# keep password hashes and ssh host keys out of the repo
cat > .gitignore <<-EOF
master.passwd
spwd.db
ssh/ssh_host_dsa_key
ssh/ssh_host_dsa_key.pub
ssh/ssh_host_ecdsa_key
ssh/ssh_host_ecdsa_key.pub
ssh/ssh_host_key
ssh/ssh_host_key.pub
ssh/ssh_host_rsa_key
ssh/ssh_host_rsa_key.pub
EOF
git add .
git config --global user.name "Brian Cunnie"
git config --global user.email firstname.lastname@example.org
git commit -m"Initial Commit"
```
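The following is an added example, not part of the original post: because .gitignore only affects untracked files and the list above names specific key types, this check prints any sensitive path that is tracked or still present in history before the repo is pushed. The function names, the widened `ssh_host_*key` glob and the throwaway demo repo are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not from the original post): audit /etc before publishing it.

# Paths the post's .gitignore keeps out. The glob is an assumption that widens
# the post's list so host key types it does not name (ed25519) also match.
is_sensitive() {
    case $1 in
        master.passwd|spwd.db|ssh/ssh_host_*key|ssh/ssh_host_*key.pub) return 0 ;;
    esac
    return 1
}

# Print each sensitive path that is tracked now or exists anywhere in history.
# .gitignore only affects untracked files, and a file removed in a later commit
# is still pushed with the history. Returns 0 if clean, 1 otherwise.
audit_etc_repo() {
    repo=$1
    found=$(
        {
            git -C "$repo" ls-files
            git -C "$repo" log --all --pretty=format: --name-only 2>/dev/null
        } | sort -u | while IFS= read -r path; do
            if [ -n "$path" ] && is_sensitive "$path"; then
                printf '%s\n' "$path"
            fi
        done
    )
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Constructed sample: a throwaway repo where a host key was committed once and
# then untracked, so it is gone from the index but not from history.
make_demo_repo() {
    d=$(mktemp -d) || return 1
    g="git -C $d -c user.name=demo -c user.email=demo@example.invalid"
    git init -q "$d"
    echo 'sshd_enable="YES"' > "$d/rc.conf"
    mkdir "$d/ssh" && echo 'constructed, not a real key' > "$d/ssh/ssh_host_ed25519_key"
    $g add . && $g commit -q -m "Initial Commit"
    $g rm -q --cached ssh/ssh_host_ed25519_key && $g commit -q -m "untrack key"
    echo "$d"
}
```

Run `audit_etc_repo /etc` (as root) before the first `git push`; any path it prints is in the history that would be published, even if it is no longer tracked.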
Now let’s create a user with appropriate privileges:
- Configure → User Management → Group
- Group name: cunnie
- GID: 2000
- Configure → User Management → User
- Login ID: cunnie
- UID: 2000
- Group: cunnie
- Full name: Brian Cunnie
- Member groups: wheel
- Home directory: /home/cunnie
- Login shell: /usr/local/bin/bash
- Exit / OK → Exit / OK → Exit Install
- uncomment this line:

```
%wheel ALL=(ALL) NOPASSWD: ALL
```
Now let’s log in as the new user and set the IPv6 address based on the information in the IPs tab of the Hetzner web interface. Note that we set the ::2 address of our /64 to be our server’s IP address, and the ::1 address to be our default route.
```sh
ssh email@example.com
git config --global user.name "Brian Cunnie"
git config --global user.email firstname.lastname@example.org
git config --global color.diff auto
git config --global color.status auto
git config --global color.branch auto
git config --global core.editor vim
# I need the correct pager to see colors
vim ~/.profile
  PAGER=less; export PAGER
sudo -e /etc/rc.conf
  # append the following
  # IPv6
  ipv6_default_interface="re0"
  ifconfig_re0_ipv6="inet6 2a01:4f8:d12:148e::2/64"
  # Set a static route using the xxx::1 address
  ipv6_defaultrouter="2a01:4f8:d12:148e::1"
mkdir ~/.ssh
chmod 700 ~/.ssh
sudo shutdown -r now
```
Copy ssh keys in place:

```sh
# from non-Hetzner machine
for ID in cunnie root; do
  scp ~/.ssh/id_nono.pub $ID@shay.nono.com:.ssh/authorized_keys
  ssh $ID@shay.nono.com "id; echo does not require password"
done
```
Now we lock down ssh. First, we don’t allow root to log in directly. Secondly, we require an ssh-key to log in:
```sh
ssh email@example.com
# prevent root from logging in
# require keys to log in
sudo vim /etc/ssh/sshd_config
  :%s/^PermitRootLogin yes/PermitRootLogin no/g
  :%s/.*#ChallengeResponseAuthentication yes/ChallengeResponseAuthentication no/
  :wq!
sudo /etc/rc.d/sshd restart
# test your changes from another window
# whatever you do, don't close your existing ssh connection
# the following should fail with `Permission denied (publickey).`
ssh firstname.lastname@example.org
# the following should succeed because you have a key
ssh email@example.com
# check in the changes
cd /etc
sudo git add -u
sudo -E git commit -m"sshd is locked down"
```
Publish my /etc/ repo to a public repo on github. If you decide to publish to a github repo, use a private repo (unless you are confident that nothing you publish will compromise the security of your server):
```sh
sudo git remote add origin firstname.lastname@example.org:cunnie/shay.nono.com-etc.git
sudo -E git push -u origin master
```
If you see a message saying `Permission denied (publickey)` when you try to push to github, you need to enable ssh agent forwarding. This is what my ~/.ssh/config file looks like on my home machine:
```
Host shay shay.nono.com
  User cunnie
  IdentityFile ~/.ssh/id_nono
  ForwardAgent yes
```
Future posts will cover configuring a DNS nameserver and an NTP stratum 3 server.