# Post-Installation Questions



## goosed (Jan 18, 2009)

Hi all, I just have some basic 'noobish' questions about the configuration of BSD. I have recently switched from 5.5 to 7.1 when a friend explained to me that I was "wayyyy" behind. So the initial install is complete, and I wanted to be sure I was taking proper steps in the post-configuration.

I was using cvsup in my older release, and have since switched to portsnap. I created a cron job for portsnap, and did the same for portupgrade and portaudit. Are there any other important things that I should do?

Thanks for any info you can provide.


----------



## anomie (Jan 18, 2009)

A cronjob for portaudit is not necessary. The portaudit port installs a periodic script that can be enabled by adding *daily_status_security_portaudit_enable="yes"* to /etc/periodic.conf. (I can't remember if it is enabled by default.) 

Also, I don't recommend automatically upgrading your packages. It would be better to upgrade only the ones you want, as needed (and after reading /usr/ports/UPDATING). 

What is your goal for this FBSD box? That might make it easier to give advice on what to do next...


----------



## goosed (Jan 19, 2009)

Thanks for the reply anomie. My goal is to learn more on BSD and just to basically have a better understanding of it. My last BSD box ran Nagios, so it was mainly utilized for network monitoring. But essentially just to have a better understanding of how to baseline manage BSD. I know that may be a vague answer, but I hope it helps.


----------



## anomie (Jan 19, 2009)

For any OS, I also compose and document a baseline. There are a number of things I do following any FreeBSD installation, but here are a couple to get you started. 

 I check in (to RCS) config files I will be modifying. 
 I add the following to /etc/sysctl.conf: 

```
kern.coredump=0    # turn off core dumps
net.inet.tcp.blackhole=2 # see man blackhole(4)
net.inet.udp.blackhole=1
```

 I modify /etc/ttys so that console is marked "insecure". 
 I install the ports: portmaster / portaudit / screen. 
 I put a ports supfile and source supfile in /root. 
 I enable ntpd (after modifying /etc/ntp.conf). 
 I put syslogd in secure mode in /etc/rc.conf: 

```
syslogd_flags="-ss"
```

 I set up /etc/mail/aliases to point root's mail to a 'net address.
 I configure the AllowUsers directive in sshd_config. 
 etc. etc. etc.

You get the idea. There are some hardening steps and some ease of package management steps I follow. Set up a server (more than once if you have to) and document your baseline.


----------



## goosed (Jan 19, 2009)

Nice anomie. That's exactly what I've been looking for.

Right now my BSD server is running on my ESX server, so I've been able to create good images of it for base lining, testing, etc.

If you have any more hardening steps, please let me know. Thanks!


----------



## anomie (Jan 19, 2009)

goosed said:
			
		

> If you have any more hardening steps, please let me know. Thanks!



On the general topic of FreeBSD hardening, I can give you two more suggestions: 

 Read the security(7) manpages. This covers a lot of territory. 
 Pick up the book _Mastering FreeBSD and OpenBSD Security_. I wrote a short review of it here if you're interested.


----------

