Difference between revisions of "User:Mjb/FreeBSD customizations"
Latest revision as of 10:31, 18 October 2019
FreeBSD customizations
Here are some of the interesting config files and things I set up on my FreeBSD systems.
Some of this may be outdated or edited for security.
Things in root's crontab
This is not a complete list, of course.
# every 5 minutes, run mrtg to update the network traffic graphs
*/5 * * * * env LANG=C /usr/local/bin/mrtg /usr/local/etc/mrtg/mrtg.cfg

# on the 8th day of every month, update the GeoIP databases
50 0 8 * * /usr/local/bin/geoipupdate.sh > /dev/null 2>&1

# every hour, clear out the PHP session cache
10 * * * * /usr/local/adm/clean_up_php_sessions > /dev/null 2>&1
Things in my crontab
This is not a complete list, either.
# nightly learning of spam misfiled as ham by SpamAssassin (I put it in ~/mail/notham)
35 04 * * * [ -s /home/mike/mail/notham ] && /usr/local/bin/sa-learn --spam --mbox /home/mike/mail/notham > /dev/null 2>&1 && rm /home/mike/mail/notham
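The crontab entry above learns the mbox in place and only then removes it, so a message appended between the two steps is deleted without ever being learned. The following is an added example (not from the original page) of the same job with that window closed: the mbox is renamed first, the learner runs on the renamed copy, and the copy is removed only if the learner succeeds. The learner command is passed as arguments (the cron job would pass /usr/local/bin/sa-learn --spam --mbox); the function name is my own.

```sh
#!/bin/sh
# learn_mbox MBOX LEARNER [ARGS...]
# Rotate MBOX out of the way, run "LEARNER ARGS... <rotated file>", and
# delete the rotated file only on success.  Mail delivered while the
# learner runs lands in a fresh MBOX and is picked up on the next run.
learn_mbox() {
    mbox="$1"; shift
    # nothing to do if the mbox is missing or empty
    [ -s "$mbox" ] || return 0
    work="${mbox}.learning.$$"
    # rename within one filesystem is atomic; from now on the MDA appends
    # to a new $mbox while we work on the old contents under $work
    mv "$mbox" "$work" || return 1
    if "$@" "$work" > /dev/null 2>&1; then
        rm -f "$work"
        return 0
    fi
    # learner failed: keep $work so nothing is lost, and say so for cron mail
    echo "learn_mbox: '$*' failed on $work; file kept for retry" >&2
    return 1
}

# crontab usage (one line):
#   35 04 * * * . /usr/local/adm/learn_mbox.sh; learn_mbox /home/mike/mail/notham /usr/local/bin/sa-learn --spam --mbox
```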
/usr/local/adm/clean_up_php_sessions
PHP defaults to storing sessions in /tmp or /var/tmp, and has a 1 in 1000 chance of running its garbage collector upon the creation of a new session. The garbage collector expires sessions that have been idle for more than 24 minutes. You can increase the probability of it running, but you still have to wait for a new session to be created, so it's really only useful for sites which get a new session created every 24 minutes or less. Otherwise, you're better off (IMHO) just running a script to clean out the stale session files. I am using the script below, invoked from root's crontab every 20 minutes:
#!/bin/sh
# session.gc_maxlifetime is in seconds; find's -cmin wants minutes
maxlife=$(/usr/local/bin/php -i | grep session.gc_maxlifetime | cut -d " " -f 3)
maxmin=$(echo "$maxlife / 60" | bc)
echo "Deleting the following stale sess_* files:"
find /tmp /var/tmp -type f -name 'sess_*' -cmin +"$maxmin"
find /tmp /var/tmp -type f -name 'sess_*' -cmin +"$maxmin" -delete
Of course you can store session data in a database if you want, and the stale file problem is avoided altogether. But then that's just one more thing that can break.
/etc/periodic.conf
After installing the sa-utils port:
daily_sa_update_flags="-v --gpgkey 24F434CE --channel updates.spamassassin.org"
daily_sa_quiet="yes"
To ensure verbose output of the daily run of "pkg audit" (so you can see the vulnerability details):
security_status_pkgaudit_quiet="NO"
/etc/ssh/sshd_config
These affect the behavior of the SSH server.
Port #####
- Change the listening port from 22 to something else! Eliminates brute-force attacks.
GatewayPorts yes
- Enable public access to reverse tunnels.
ClientAliveInterval 30
- Every 30 seconds, check for client response.
ClientAliveCountMax 99999
- Don't disconnect an unresponsive client until 99999 checks fail.
~/.ssh/config
These are settings to use when connecting with the ssh client to remote hosts (replace ###### as appropriate):
CheckHostIP yes
Compression yes

Host my.otherhost.com
    Port #####

Host github.com
    IdentityFile ~/.ssh/id_dsa_github
/etc/sysctl.conf
These are changes to default kernel settings in multi-user mode.
net.inet.tcp.keepidle=540000
- Probably no longer necessary if using the sshd_config customizations above, but just in case, every 9 minutes (instead of every 2 hours), send something to every TCP client, so crappy routers between us and them don't think we've disconnected. I used this because I found that some routers had a 10-minute connection timeout, which kept killing my SSH sessions and tunnels.
/etc/make.conf
These are extra variables set for every 'make' run; many of them are checked for specifically by the Makefiles in the FreeBSD ports tree.
##
## options for 'make buildworld' and components thereof:
##

# when building top(1), only allocate enough space to handle 75 users, rather than 10000
TOP_TABLE_SIZE=151

# for code with processor-specific optimizations (e.g. base OpenSSL), optimize for my Pentium III CPU (SSE+MMX)
CPUTYPE?= pentium3

# when building sendmail(1), enable STARTTLS support (requires security/cyrus-sasl2 port and additional configuration)
SENDMAIL_CFLAGS=-I/usr/local/include/sasl -DSASL
SENDMAIL_LDFLAGS=-L/usr/local/lib
SENDMAIL_LDADD=-lsasl2

# I don't remember why the next two lines got commented out!
#SENDMAIL_MC= /etc/mail/chilled.skew.org.mc
#SENDMAIL_SUBMIT_MC= /etc/mail/chilled.skew.org.submit.mc

##
## options for building ports:
##

# I am using the new package system (required now)
WITH_PKGNG=yes

# my ancient network card does not support IPv6, so don't bother with IPv6 in networking ports
WITHOUT_IPV6=yes

# networking ports like curl(1) should support HTTPS
WITH_HTTPS=yes

# don't build or install GUIs, including X11 libraries
WITHOUT_GUI=yes
WITHOUT_X11=yes
OPTIONS_UNSET=X11

# don't waste time on tests when building ImageMagick
WITHOUT_IMAGEMAGICK_TESTS=yes

# when building FreeType, enable subpixel rendering capability (disabled by default due to patent issues)
WITH_LCD_FILTERING=yes

# Berkeley DB 5 was the highest version supported by devel/apr1 (Apache dependency) in mid-2014.
# This can be removed if db6 is installed (but the apr1 port will not install it for you).
WITH_BDB_VER=5

# As required by the /usr/ports/UPDATING entry 20141209:
# ensure Linux ports use emulators/linux_base-c6 (CentOS userland), not linux_base-f10 (Fedora 10, unsupported)
OVERRIDE_LINUX_BASE_PORT=c6
OVERRIDE_LINUX_NONBASE_PORTS=c6
/etc/syslog.conf
Anything going to /dev/console should also go to a regular file:
console.* /var/log/console.log
If logged in, some users get important messages in their ttys:
!-sm-mta
*.notice	root,mike
!sm-mta
*.warning	root,mike
!*
/etc/rc.local
Here is a bare-bones /etc/rc.local which does nothing:
#!/bin/sh
#
# This file is a deprecated but convenient method of launching additional
# "local daemons" (or just running any other startup tasks) at the very
# end of the boot process. See the rc(8) manual page.
#
# load variables from rc.conf (comment out if not needed)
#
#if [ -z "${source_rc_confs_defined}" ]; then
#	if [ -r /etc/defaults/rc.conf ]; then
#		. /etc/defaults/rc.conf
#		source_rc_confs
#	elif [ -r /etc/rc.conf ]; then
#		. /etc/rc.conf
#	fi
#fi
It runs at the end of the boot process to load any custom daemons and to run anything else you want. Its output is prefaced with "Starting additional daemons: ", though, so keep its output to a minimal list, all on one line if possible. For example:
# load additional firewall rules
rules="/etc/ipfw.rules"
[ -f $rules ] && echo -n " $rules" && . $rules

# make encrypted swap file
mkswap="/etc/mkswap.sh"
[ -f $mkswap ] && echo -n " $mkswap" && . $mkswap
~/.cshrc
See my tcsh configuration files document.
~/.login
See my tcsh configuration files document.
nano configuration files
See my nano configuration files document.