November 17th, 2007 by Peter

Note: This page is currently a draft, and is subject to (drastic) change.

I maintain a number of FreeBSD machines, as it is my primary choice of server operating system. I have been using FreeBSD since early 2000 (version 4), and here are some of the things I do to prepare a machine for production use. Most of my servers provide a Web server (Apache), an FTP daemon (proftpd/pure-ftpd), and a MySQL server. Most of the tuning in this documentation assumes that your machine has 1GB of memory or more.

Security (Network and file system)

By default, the permissions on FreeBSD's local file system are (in my opinion) not fit for a production environment. Here are some of the files I change permissions on to make the machine less visible to prying eyes (users who have remote shell access to the machine):

600 /etc/rc.local /etc/rc.conf /etc/sysctl.conf /var/log/utmp /var/run/dmesg.boot
701 /root
711 /usr/home

If you are changing the permissions on a log file, you may want to edit /etc/newsyslog.conf to make sure that the rotated log files have the same permissions as you have manually set.
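The newsyslog caveat above is easy to get wrong: you tighten a log file by hand, and the next rotation recreates it with the mode from /etc/newsyslog.conf. The following sh script is an added example (not from the original post) that reads newsyslog.conf-style lines and reports any log whose rotation entry is more permissive than the mode you set; it runs against a constructed sample rather than the real /etc/newsyslog.conf so it can be tried anywhere. The function names and the sample entries are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample of newsyslog.conf entries (not the system file).
# Format: logfilename [owner:group] mode count size when [flags] ...
SAMPLE_NEWSYSLOG='# logfilename          [owner:group]    mode count size when  flags
/var/log/all.log                        600  7     *    @T00  J
/var/log/auth.log                       600  7     100  @0101T JC
/var/log/messages                       644  5     100  *     JC
/var/log/wtmp                           644  3     *    @01T05 B
/var/log/xferlog                        600  7     100  *     JC
/var/log/ppp.log        root:network    640  3     100  *     JC'

# newsyslog_mode <conf-text> <logfile>: print the mode column for <logfile>.
# The owner:group column is optional, so the mode is field 3 when field 2
# contains a ':' and field 2 otherwise. Exit 1 if the log has no entry.
newsyslog_mode() {
    printf '%s\n' "$1" | awk -v target="$2" '
        /^#/ || NF == 0 { next }
        $1 == target {
            if (index($2, ":") > 0) print $3; else print $2
            found = 1
            exit
        }
        END { if (!found) exit 1 }'
}

# check_log_mode <conf-text> <logfile> <desired-mode>:
#   0 = rotation keeps the desired mode
#   1 = rotation would re-widen the file to a different mode
#   2 = no newsyslog entry at all (the file is never rotated)
check_log_mode() {
    mode=$(newsyslog_mode "$1" "$2") || return 2
    [ "$mode" = "$3" ]
}

# report_permissive_logs <conf-text>: one line per log whose rotated copies
# would come back more permissive than 600.
report_permissive_logs() {
    printf '%s\n' "$1" | awk '/^#/ || NF == 0 { next } { print $1 }' |
    while read -r log; do
        if ! check_log_mode "$1" "$log" 600; then
            echo "$log: newsyslog mode $(newsyslog_mode "$1" "$log") (expected 600)"
        fi
    done
}

report_permissive_logs "$SAMPLE_NEWSYSLOG"
```

To use it on a real machine, replace the sample text with `$(cat /etc/newsyslog.conf)` and pass the mode you applied with chmod; a return of 2 from check_log_mode tells you the file is not rotated at all, so your manual chmod will stick but the log will also grow unbounded.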

TCP and UDP black holing are favourite features of mine: they save both bandwidth and processing time on FreeBSD during a Denial of Service (DoS) attack, and they make port scanning a machine more difficult. To enable them, simply add the following to /etc/sysctl.conf:

net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1

I recommend that you look into using one of FreeBSD's many firewalls (IP Filter, PF, IPFW), IPFW being my favourite (due to DUMMYNET, which is out of the scope of this page). Some other tunables which I find a sure-fire way to keep my machine online are as follows (also added to /etc/sysctl.conf):

kern.ipc.somaxconn=2048
kern.ipc.maxsockbuf=524288
net.inet.tcp.msl=7500
net.inet.tcp.sendspace=131072
net.inet.tcp.recvspace=131072
net.inet.udp.recvspace=131072
net.inet.ip.rtexpire=2
net.inet.ip.rtminexpire=2
net.inet.icmp.icmplim=50

Enabling more send and receive space allows higher transfer rates over high-latency links, at the expense of system memory usage. The other options change the route expiry timeouts and the amount of ICMP traffic allowed in a given time frame (icmplim is a per-second limit on ICMP responses) before the TCP/IP stack starts dropping ICMP packets.

Have other users on your system and want to prevent them from poking around (seeing what other users are doing on the system)? Here are some other /etc/sysctl.conf entries that I use on my systems:

security.bsd.see_other_uids=0
security.bsd.unprivileged_read_msgbuf=0

The first tunable will prevent a user from seeing what processes other users are running (via ps aux or otherwise), and the second tunable will prevent a user from reading dmesg.
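Because all of these settings live in /etc/sysctl.conf and only take effect at boot (or after `sysctl -f /etc/sysctl.conf`), a machine can easily drift: one value gets commented out, another is typed with a stray space or the wrong number. The following sh script is an added example, not code from the original post, that audits a sysctl.conf-style text for the black-holing and see_other_uids/unprivileged_read_msgbuf settings from the two sections above. It runs over a constructed sample file; the expected-value list, function names and sample contents are assumptions of this example.

```shell
#!/bin/sh
# Settings this page recommends, as key=value pairs (constructed list).
EXPECTED_SYSCTLS='net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
security.bsd.see_other_uids=0
security.bsd.unprivileged_read_msgbuf=0'

# Constructed sample /etc/sysctl.conf from a machine that was only half-hardened:
# UDP black holing is switched off and unprivileged_read_msgbuf was never set.
SAMPLE_SYSCTL_CONF='# $FreeBSD$
# TCP/UDP black holing
net.inet.tcp.blackhole=2
net.inet.udp.blackhole = 0   # turned off while debugging
kern.ipc.somaxconn=2048
security.bsd.see_other_uids=0'

# conf_value <conf-text> <key>: print the last value assigned to <key>,
# ignoring comment lines, blank lines, trailing comments and whitespace
# around '='. Exit 1 if the key is not set at all.
conf_value() {
    printf '%s\n' "$1" | awk -F= -v key="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        {
            gsub(/[ \t]/, "", $1)
            if ($1 == key) {
                v = $2
                sub(/#.*/, "", v)       # drop a trailing comment
                gsub(/[ \t]/, "", v)
                val = v; found = 1
            }
        }
        END { if (!found) exit 1; print val }'
}

# audit_sysctl_conf <conf-text>: print one line per expected setting that is
# missing or carries a different value than the page recommends.
audit_sysctl_conf() {
    conf=$1
    printf '%s\n' "$EXPECTED_SYSCTLS" | while IFS='=' read -r key want; do
        if have=$(conf_value "$conf" "$key"); then
            [ "$have" = "$want" ] || echo "$key: is $have, expected $want"
        else
            echo "$key: not set (expected $want)"
        fi
    done
}

# count_sysctl_problems <conf-text>: number of findings; 0 means every
# recommended setting is present with the recommended value.
count_sysctl_problems() {
    audit_sysctl_conf "$1" | awk 'END { print NR }'
}

audit_sysctl_conf "$SAMPLE_SYSCTL_CONF"
echo "problems: $(count_sysctl_problems "$SAMPLE_SYSCTL_CONF")"
```

On a live box the same audit can be run against the running kernel instead of the file by replacing conf_value with `sysctl -n "$key"`, which catches the case where the file is correct but was never reloaded.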

By default, syslogd listens on an external port. To change this behaviour, add the following to /etc/rc.conf:

syslogd_flags="-ss"

Don't need sendmail to listen on an external interface (e.g. you're not receiving mail on the server)? You can disable the listening daemon and have sendmail only process the local queue by adding the following to /etc/rc.conf:

sendmail_enable="NO"

General Configuration

Have the machine hosted remotely? Want to make sure that it comes back up from an (unsafe) reboot? The following addition to /etc/rc.conf can help you run an unattended fsck on a downed machine:

fsck_y_enable="YES"

This will make sure that fsck always answers “Yes” to repairing a file system problem when fsck is run.
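The three rc.conf lines above share a pitfall worth checking for: rc.conf is sourced by sh(1), so a value pasted from a web page with typographic quotes (” instead of ") is not a quoted string at all and the setting silently does not apply. The following sh script is an added example, not code from the original post, that parses an rc.conf-style text, rejects assignments whose value is not a plain double-quoted ASCII string, and confirms the syslogd, sendmail and fsck settings recommended here. It runs over a constructed fragment in which one line carries typographic quotes; the function names and sample lines are assumptions of this example.

```shell
#!/bin/sh
# Constructed rc.conf fragment. The syslogd_flags line was "pasted from a
# blog" and carries U+201D quotes, which sh will not treat as quoting.
SAMPLE_RC_CONF='hostname="box.example.net"
syslogd_flags=”-ss”
sendmail_enable="NO"
fsck_y_enable="YES"'

# rc_value <conf-text> <var>: print the unquoted value of <var> when the last
# assignment to it is a well-formed var="value" line.
#   exit 1 = variable not set, exit 2 = set but not a plain "..." string.
rc_value() {
    printf '%s\n' "$1" | awk -v var="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            name = substr($0, 1, eq - 1)
            rest = substr($0, eq + 1)
            if (name != var) next
            found = 1
            if (rest ~ /^"[^"]*"$/) { val = substr(rest, 2, length(rest) - 2); ok = 1 }
            else ok = 0
        }
        END { if (!found) exit 1; if (!ok) exit 2; print val }'
}

# audit_rc_conf <conf-text>: print a finding per recommended setting that is
# absent, malformed or set to another value; return the number of findings.
audit_rc_conf() {
    n=0
    for pair in 'syslogd_flags=-ss' 'sendmail_enable=NO' 'fsck_y_enable=YES'; do
        var=${pair%%=*}
        want=${pair#*=}
        rc=0
        have=$(rc_value "$1" "$var") || rc=$?
        case $rc in
            0) [ "$have" = "$want" ] ||
                   { echo "$var: is \"$have\", expected \"$want\""; n=$((n + 1)); } ;;
            1) echo "$var: not set (expected \"$want\")"; n=$((n + 1)) ;;
            *) echo "$var: malformed assignment (non-ASCII quotes?)"; n=$((n + 1)) ;;
        esac
    done
    return $n
}

audit_rc_conf "$SAMPLE_RC_CONF" || echo "$? problem(s) found"
```

A quick way to find the same problem on a real machine is `LC_ALL=C grep -n '[^ -~]' /etc/rc.conf`, which lists every line containing a byte outside printable ASCII; the script above goes further by also confirming the values you expect are the ones that will actually be sourced.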

Useful Ports

I install a lot of different ports on my FreeBSD machines, but I find these a must-have on all of them:

  1. /usr/ports/sysutils/screen — Screen is a full-screen window manager that multiplexes a physical terminal between several processes (typically interactive shells).
  2. /usr/ports/editors/nano — nano is a small, free and friendly editor which aims to replace Pico, the default editor included in the non-free Pine package.
  3. /usr/ports/ftp/wget — GNU wget is a free software package for retrieving files using HTTP, HTTPS and FTP, the most widely-used Internet protocols.
  4. /usr/ports/shells/bash — Bash is the GNU Project's Bourne Again SHell, a complete implementation of the POSIX.2 shell spec.
  5. /usr/ports/www/lynx — lynx is a program which allows a user to access World-Wide Web servers and other information servers.
  6. /usr/ports/devel/subversion — Subversion is a version control system designed to be as similar to cvs(1) as possible, while fixing many outstanding problems with cvs(1).
  7. /usr/ports/net/mtr – mtr combines the functionality of the “traceroute” and “ping” programs into a single network diagnostic tool.
  8. /usr/ports/dns/dnstracer — dnstracer determines where a given Domain Name Server (DNS) gets its information from, and follows the chain of DNS servers back to the servers which know the data.
  9. /usr/ports/ports-mgmt/portupgrade — Portupgrade is a tool to upgrade installed packages via ports or packages.

If you do not know about the FreeBSD ports system, I suggest you check it out. It is one of FreeBSD’s most compelling features (other than a rock-solid kernel, of course.)