This blog post covers the procedure to configure a FreeBSD virtual machine located in a Hetzner (a German ISP) datacenter:
- install a baseline of packages (git sudo bash vim rsync)
- place /etc under revision control (git)
- create a non-root user
- lock down ssh (keys only)
This blog post does not cover the initial FreeBSD installation; that’s covered quite adequately here: http://wiki.hetzner.de/index.php/FreeBSD_installieren/en (except for the IPv6 portion, which didn’t appear to work properly, so I configured the IPv6 differently (see below for details)).
Hetzner is a cost-effective alternative to Amazon AWS. In addition, it offers native IPv6, which Amazon only offers on its ELBs (Elastic Load Balancers).
Basic information on my Hetzner FreeBSD virtual machine:
- virtual server hostname: shay.nono.com (DNS A records already created)
- IPv4 address: 78.47.249.19
Let’s talk about the .gitignore entries: these are for security purposes because I plan to publish /etc to a public github repo. The first two entries (master.passwd and spwd.db) contain hashed passwords, which are vulnerable to dictionary attacks. Even though further down we will eliminate the use of passwords to connect via ssh, you don’t want hackers to know your account/password combination.
The remaining .gitignore entries are related to ssh keys. IMHO, the security risk medium-to-low. Admittedly, knowing the keys will allow a hacker to decrypt ssh traffic between the FreeBSD server and your machine, but only if he has the ability to snoop the packets (e.g. only if he has compromised, say, the Cisco switch to which your workstation is connected to).
ssh root@shay.nono.com
mkdir ~/.ssh
chmod 700 ~/.ssh
pkg_add -r git sudo bash vim rsync
bash
cd /etc
git init
cat > .gitignore <<-EOF
master.passwd
spwd.db
ssh/ssh_host_dsa_key
ssh/ssh_host_dsa_key.pub
ssh/ssh_host_ecdsa_key
ssh/ssh_host_ecdsa_key.pub
ssh/ssh_host_key
ssh/ssh_host_key.pub
ssh/ssh_host_rsa_key
ssh/ssh_host_rsa_key.pub
EOF
git add .
git config --global user.name "Brian Cunnie"
git config --global user.email brian.cunnie@gmail.com
git commit -m"Initial Commit"
Now let’s create a user with appropriate privileges:
sysinstall- Configure → User Management → Group
- Group name: cunnie
- GID: 2000
- Configure → User Management → User
- Login ID: cunnie
- UID: 2000
- Group: cunnie
- Full name: Brian Cunnie
- Member groups: wheel
- Home directory: /home/cunnie
- Login shell: /usr/local/bin/bash
- Exit / OK → Exit / OK → Exit Install
visudo- uncomment this line:
%wheel ALL=(ALL) NOPASSWD: ALL
- uncomment this line:
exit
Now let’s log in as the new user and set the IPv6 address based on the information in the IPs tab of the Hetzner web interface. Note that we set the ::2 address of our /64 to be our server’s IP address, and the ::1 address to be our default route.
ssh cunnie@shay.nono.com
git config --global user.name "Brian Cunnie"
git config --global user.email brian.cunnie@gmail.com
git config --global color.diff auto
git config --global color.status auto
git config --global color.branch auto
git config --global core.editor vim
# I need the correct pager to see colors
vim ~/.profile
PAGER=less; export PAGER
sudo -e /etc/rc.conf # append the following
# IPv6
ipv6_default_interface="re0"
ifconfig_re0_ipv6="inet6 2a01:4f8:d12:148e::2/64"
# Set a static route using the xxx::1 address
ipv6_defaultrouter="2a01:4f8:d12:148e::1"
mkdir ~/.ssh
chmod 700 ~/.ssh
sudo shutdown -r now
copy ssh keys in place:
# from non-Hetzner machine
for ID in cunnie root; do
scp ~/.ssh/id_nono.pub $ID@shay.nono.com:.ssh/authorized_keys
ssh $ID@shay.nono.com "id; echo does not require password"
done
Now we lock down ssh. First, we don’t allow root to log in directly. Secondly, we require an ssh-key to log in:
ssh cunnie@shay.nono.com
# prevent root from logging in
# require keys to log in
sudo vim /etc/ssh/sshd_config
:%s/^PermitRootLogin yes/PermitRootLogin no/g
:%s/.*#ChallengeResponseAuthentication yes/ChallengeResponseAuthentication no/
:wq!
sudo /etc/rc.d/sshd restart
# test your changes from another window
# whatever you do, don't close your existing ssh connection
# the following should fail with `Permission denied (publickey).`
ssh not_a_real_user@shay.nono.com
# the following should succeed because you have a key
ssh cunnie@shay.nono.com
# check in the changes
cd /etc
sudo git add -u
sudo -E git commit -m"sshd is locked down"
Publish my /etc/ repo to a public repo on github. If you decide to publish to a github repo, use a private repo (unless you are confident that nothing you publish will compromise the security of your server):
sudo git remote add origin git@github.com:cunnie/shay.nono.com-etc.git
sudo -E git push -u origin master
If you see a message saying Permission denied (publickey) when you try to push to github, you need to enable ssh agent forwarding. This is what my ~/.ssh/config file looks like on my home machine:
Host shay shay.nono.com
User cunnie
IdentityFile ~/.ssh/id_nono
ForwardAgent yes
Future posts will cover configuring a DNS nameserver and an NTP stratum 3 server.
About the Author
