A simple provisioning script to set up a freshly installed FreeBSD server as a jail (container) host, ideal for quick setup of bare metal or a VPS from Digital Ocean, Vultr, AWS etc.

```sh
fetch https://raw.githubusercontent.com/indgy/freebsd-setup/main/freebsd-setup \
&& chmod 0700 freebsd-setup
./freebsd-setup -h
```
This is a fairly un-opinionated setup script: it installs the bare minimum, choosing lightweight and performant additional utilities only where absolutely necessary.

- Installs `doas` instead of `sudo` (doas ~100Kb, sudo ~7,000Kb).
- Installs BastilleBSD, which has no dependencies other than `/bin/sh` and the built-in jail commands; it is very convenient for its lightweight size (~195Kb).
- No Sendmail: the built-in DMA mailer is used for sending out all system messages.
- UTF-8 charset: defaults to UTF-8 only, for many, many reasons.
- No bash: Bash is great on MacOS (which now uses Zsh) or Linux, but the built-in `tcsh` is perfectly good for interactive use, so we'll stick with that. (If you really need bash, just `pkg install bash` and `chsh -s /usr/local/bin/bash`.)
Please use one of the following links to sign up to a VPS provider and we will both get some free credit at no extra cost to you.

- Digital Ocean: Get $100 free!
A freshly installed FreeBSD server running 11.4-RELEASE or 12.2-RELEASE or higher.
Note: this script will replace your existing config files!

The following additional packages will be installed, requiring a tiny (~0.25Mb) additional download:
- CA Root NSS - Root certificate bundle from the Mozilla Project, required for encrypted communications
- BastilleBSD (195Kb) - The container (jail) automation framework
- Doas (45Kb) - Simple sudo alternative from OpenBSD to run commands as another user
- Enables AESNI hardware encryption.
- Configures PKG (the package management tool) to use the Latest packages.
- Sets up the timezone, defaults to UTC, override with `--timezone=GB`.
- Sets the charset to UTF-8 and locale to C.UTF-8, override with `--locale=en_GB`.
- Reduces boot delay to 4 seconds.
- Removes unnecessary ttys.
- Disables Sendmail and removes cruft from /etc/mail.
- Configures the PF firewall to support BastilleBSD jails, Blacklistd and the SSH server.
- Configures the SSH server to accept keys only, deny root logins and deny ssh forwarding.
- Configures the Blacklist daemon to protect SSH.
- Configures the Network Time daemon.
- Configures the DragonFly Mail Agent to send outgoing mail.
- Installs the Root security certificates from Mozilla to enable encrypted communications.
- Installs 'doas', the lightweight and secure 'sudo' alternative.
- Installs 'BastilleBSD' to manage jails (containers).
- Adds daily OS update checks.
- Adds an admin user (`--ssh-user`) who can SSH in and elevate privileges to root via 'doas'.
- Forwards all mail to root to the specified email address (`--mail-to`).
- Adds some configuration to the default shell `tcsh` to make it easier to live with.
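The SSH hardening listed above (keys only, no root logins, no forwarding) is easy to verify after the script has run. The following is an added example, not part of freebsd-setup: a POSIX sh audit that reads an sshd_config the way sshd(8) does (first active match wins, stopping at the first Match block) and reports any of those settings that differ from what the script applies. The keyword list is an assumption about what "keys only" means in OpenSSH terms: `PasswordAuthentication`, `ChallengeResponseAuthentication`, `PermitRootLogin` and `AllowTcpForwarding` all set to `no`.

```sh
#!/bin/sh
# Added example, not part of freebsd-setup: audit sshd_config for the
# hardening the script applies (keys only, no root login, no forwarding).

# Print the effective global value of an sshd_config keyword: comments and
# blank lines are skipped, the first active match wins (as in sshd(8)), and
# reading stops at the first "Match" block since those values are conditional.
sshd_opt() {
  # $1 = config file, $2 = keyword (matched case-insensitively)
  awk -v key="$2" '
    /^[ \t]*#/ || /^[ \t]*$/    { next }
    tolower($1) == "match"      { exit }
    tolower($1) == tolower(key) { print $2; exit }
  ' "$1"
}

# Compare the file against the expected values; print one FAIL line per
# mismatch and return 1 if any differ, 0 if all match. An unset keyword is
# a failure because the OpenSSH defaults allow passwords and forwarding.
# (Assumed list: the settings implied by "keys only, no root, no forwarding".)
check_sshd_config() {
  f="$1"; rc=0
  for pair in PasswordAuthentication:no ChallengeResponseAuthentication:no \
              PermitRootLogin:no AllowTcpForwarding:no; do
    key=${pair%%:*}; want=${pair##*:}
    got=$(sshd_opt "$f" "$key")
    if [ "$got" != "$want" ]; then
      echo "FAIL $key: want '$want', got '${got:-unset}'"
      rc=1
    fi
  done
  return $rc
}

# Constructed sample: a stock-looking config that the script would tighten.
# The commented-out line and the value inside the Match block must not count.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PasswordAuthentication no
PermitRootLogin yes
AllowTcpForwarding yes
Match User backup
    PasswordAuthentication no
EOF
if check_sshd_config "$sample"; then echo "OK: sshd_config is hardened"; fi
rm -f "$sample"
```

Run it against `/etc/ssh/sshd_config` after the reboot; a clean exit status 0 means all four settings are in place globally.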
As root on a freshly installed FreeBSD system, type the following to fetch the setup script and make it executable:

```sh
fetch https://raw.githubusercontent.com/indgy/freebsd-setup/main/freebsd-setup \
&& chmod 0700 freebsd-setup
```

To see all options:

```sh
./freebsd-setup -h
```
Then provide your config as arguments (the comments are moved above the command, because a `#` after the trailing backslash would break the line continuation):

```sh
# --ssh-user      the name of the user who will ssh in
# --ssh-user-key  provide a string, a local file or the url of a remote file
# --mail-to       all mail will be forwarded to this address
./freebsd-setup \
  --ssh-user="admin" \
  --ssh-user-key="ssh-rsa ..." \
  --mail-to="admin@yourdomain.com"
```
Or generate an editable config file:

```sh
./freebsd-setup -g setup.conf
edit setup.conf
```

Reference the config file using the `-c` or `--config` argument:

```sh
# A local file
./freebsd-setup -c=/path/to/setup.conf
# A remote file via http or ftp
./freebsd-setup -c=https://yourdomain.com/setup/setup.conf
```

The external IP address and default NIC are determined from the first DHCP-enabled NIC in /etc/rc.conf. If the defaults are not correct you may override them with the `--ext-if` and `--ext-ip` arguments.
Once the script has run and the server has rebooted, you have a great setup to build on.

Depending on your requirements you may want to:

- Further lock down your machine.
- Add a monitoring solution (check out the bin/slack-notify script).
- Take a snapshot of the current state.
- Install apps in jails, see the Bastille Templates repository for pre-built apps.

If you're new(ish) to FreeBSD, check out these resources:
- Learn more about FreeBSD at www.freebsd.org
- Refer to the documentation at docs.freebsd.org especially the Handbook
- Refresh your memory with the manual pages at man.freebsd.org
- Further configuration of the firewall is recommended.
- Additionally, some thought needs to be given to the arrangement and management of the jails.
- If you are concerned about the physical security of your virtual machine, you may want to set the console to insecure in `/etc/ttys`.