User:Mjb/FreeBSD customizations

From Offset
< User:Mjb
Revision as of 10:31, 18 October 2019 by Mjb (talk | contribs) (/etc/periodic.conf: sought ruleset is dead)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigationJump to search

FreeBSD customizations

Here are some of the interesting config files and things I set up on my FreeBSD systems.

Some of this may be outdated or edited for security.

Things in root's crontab

This is not a complete list, of course.

# every 5 minutes, run mrtg to update the network traffic graphs
*/5 * * * * env LANG=C /usr/local/bin/mrtg /usr/local/etc/mrtg/mrtg.cfg

# on the 8th day of every month, update the GeoIP databases
50 0 8 * *  /usr/local/bin/geoipupdate.sh > /dev/null 2>&1

# every hour, clear out the PHP session cache
10 * * * *  /usr/local/adm/clean_up_php_sessions > /dev/null 2>&1

Things in my crontab

This is not a complete list, either.

# nightly learning of spam misfiled as ham by SpamAssassin (I put it in ~/mail/notham)
35 04 * * * [ -s /home/mike/mail/notham ] && /usr/local/bin/sa-learn --spam --mbox /home/mike/mail/notham > /dev/null 2>&1 && rm /home/mike/mail/notham

/usr/local/adm/clean_up_php_sessions

PHP defaults to storing sessions in /tmp or /var/tmp, and has a 1 in 1000 chance of running a garbage collector upon the creation of a new session. The garbage collector will expire ones that are more than 24 minutes old. You can increase the probability of it running, but still you have to wait for a new session to be created, so it's really only useful for sites which get a new session created every 24 minutes or less. Otherwise, you're better off (IMHO) just running a script to clean out the stale session files. I am using the script below, invoked from root's crontab every 20 minutes:

#!/bin/sh
echo "Deleting the following stale sess_* files:"
find /tmp /var/tmp -type f -name sess_\* -cmin +$(echo `/usr/local/bin/php -i | grep session.gc_maxlifetime | cut -d " " -f 3` / 60 | bc)
find /tmp /var/tmp -type f -name sess_\* -cmin +$(echo `/usr/local/bin/php -i | grep session.gc_maxlifetime | cut -d " " -f 3` / 60 | bc) -delete

Of course you can store session data in a database if you want, and the stale file problem is avoided altogether. But then that's just one more thing that can break.

/etc/periodic.conf

After installing the sa-utils port:

  • daily_sa_update_flags="-v --gpgkey 24F434CE --channel updates.spamassassin.org"
  • daily_sa_quiet="yes"

To ensure verbose output of the daily run of "pkg audit" (so you can see the vulnerability details):

  • security_status_pkgaudit_quiet="NO"

/etc/ssh/sshd_config

These affect the behavior of the SSH server.

  • Port ##### - Change the listening port from 22 to something else! Eliminates brute-force attacks.
  • GatewayPorts yes - Enable public access to reverse tunnels.
  • ClientAliveInterval 30 - Every 30 seconds, check for client response.
  • ClientAliveCountMax 99999 - Don't disconnect an unresponsive client until 99999 checks fail.

~/.ssh/config

These are settings to use when connecting with the ssh client to remote hosts (replace ###### as appropriate):

CheckHostIP yes
Compression yes
Host my.otherhost.com
  Port #####
Host github.com
  IdentityFile ~/.ssh/id_dsa_github

/etc/sysctl.conf

These are changes to default kernel settings in multi-user mode.

  • net.inet.tcp.keepidle=540000 - Probably no longer necessary if using the sshd_config customizations above, but just in case, every 9 minutes (instead of every 2 hours), send something to every TCP client, so crappy routers between us and them don't think we've disconnected. I used this because I found that some routers had a 10-minute connection timeout, which kept killing my SSH sessions and tunnels.

/etc/make.conf

These are extra environment variables enabled during 'make' runs, and usually are specially checked-for by the Makefiles in the FreeBSD ports.

##
## options for 'make buildworld' and components thereof:
##
# when building top(1), only allocate enough space to handle 75 users, rather than 10000
TOP_TABLE_SIZE=151
# for code with processor-specific optimizations (e.g. base OpenSSL), optimize for my Pentium III CPU (SSE+MMX)
CPUTYPE?=       pentium3
# when building sendmail(1), enable STARTTLS support (requires security/cyrus-sasl2 port and additional configuration)
SENDMAIL_CFLAGS=-I/usr/local/include/sasl -DSASL
SENDMAIL_LDFLAGS=-L/usr/local/lib
SENDMAIL_LDADD=-lsasl2
# I don't remember why the next two lines got commented out!
#SENDMAIL_MC=   /etc/mail/chilled.skew.org.mc
#SENDMAIL_SUBMIT_MC=    /etc/mail/chilled.skew.org.submit.mc

##
## options for building ports:
##
# I am using the new package system (required now)
WITH_PKGNG=yes

# my ancient network card does not support IPv6, so don't bother with IPv6 in networking ports
WITHOUT_IPV6=yes

# networking ports like curl(1) should support HTTPS
WITH_HTTPS=yes

# don't build or install GUIs, including X11 libraries
WITHOUT_GUI=yes
WITHOUT_X11=yes
OPTIONS_UNSET=X11

# don't waste time on tests when building ImageMagick
WITHOUT_IMAGEMAGICK_TESTS=yes

# when building FreeType, enable subpixel rendering capability (disabled by default due to patent issues)
WITH_LCD_FILTERING=yes

# Berkeley DB 5 was the highest version supported by devel/apr1 (Apache dependency) in mid-2014.
# This can be removed if db6 is installed (but the apr1 port will not install it for you).
WITH_BDB_VER=5

# As required by the /usr/ports/UPDATING entry 20141209:
# ensure Linux ports use emulators/linux_base-c6 (CentOS userland), not linux_base-f10 (Fedora 10, unsupported)
OVERRIDE_LINUX_BASE_PORT=c6
OVERRIDE_LINUX_NONBASE_PORTS=c6

/etc/syslog.conf

Anything going to /dev/console should also go to a regular file:

console.*                   /var/log/console.log

If logged in, some users get important messages in their ttys:

!-sm-mta
*.notice                    root,mike
!sm-mta
*.warning                   root,mike
!*

/etc/rc.local

Here is a bare-bones /etc/rc.local which does nothing:

#!/bin/sh
#
# This file is a deprecated but convenient method of launching additional
# "local daemons" (or just running any other startup tasks) at the very
# end of the boot process. See the rc(8) manual page.
#

# load variables from rc.conf (comment out if not needed)
#
#if [ -z "${source_rc_confs_defined}" ]; then
#    if [ -r /etc/defaults/rc.conf ]; then
#        . /etc/defaults/rc.conf
#        source_rc_confs
#    elif [ -r /etc/rc.conf ]; then
#        . /etc/rc.conf
#    fi
#fi

It runs at the end of the boot process to load any custom daemons and to run anything else you want. Its output is prefaced with "Starting additional daemons: " though, so you want to keep its output to a minimal list, and all on one line if possible. For example:

# load additional firewall rules
rules="/etc/ipfw.rules"
[ -f $rules ] && echo -n " $rules" && . $rules

# make encrypted swap file
mkswap="/etc/mkswap.sh"
[ -f $mkswap ] && echo -n " $mkswap" && . $mkswap

~/.cshrc

See my tcsh configuration files document.

~/.login

See my tcsh configuration files document.

nano configuration files

See my nano configuration files document.