Setting up a NetBSD system

network setup on serial console

assuming a blind install, you now need to choose your shell,

# Make ksh root's shell and the default for new accounts: the /etc/shrc
# snippet further down relies on ksh features ([[ ]], (( )), set -o emacs, bind).
chpass -s /bin/ksh root
useradd -D -s /bin/ksh

set up the network,

# Find the interface name (NETIF below) and give it a static address.
ifconfig -a
cd /etc
# /etc/ifconfig.NETIF holds one line with the address, as in the comment.
vi ifconfig.NETIF
#inet IP/PREFIX up
# Default gateway, then the host's FQDN (postfix derives its origin from
# /etc/myname later on).
vi mygate
vi myname
# Keep a pristine copy of hosts before editing it.
cp -pi hosts hosts.dist
vi hosts
vi /etc/resolv.conf # new file
service network restart

set up the SSH daemon,

cd /etc/
# Keep a pristine copy, then edit rc.conf.
cp -pi rc.conf rc.conf.dist
vi rc.conf

# Lines for /etc/rc.conf (sh syntax): only sshd is enabled here; the two
# commented knobs are left for reference.
#no_swap=yes
#savecore=no
sshd=yes

cd /etc/ssh/
# Keep a pristine copy, then restrict sshd with the lines below.
cp -pi sshd_config sshd_config.dist
vi sshd_config

# Non-default port: cuts scanner noise in the logs, it is not an access control.
Port XXX
# Only members of wheel may log in (root's group is normally wheel on NetBSD).
AllowGroups wheel
# Root may log in with a key only.  "without-password" is the older spelling
# of "prohibit-password"; recent sshd accepts both.
PermitRootLogin without-password
# Key-based authentication only: make sure a key is installed (authorized_keys
# step below) before the serial console is released.
PasswordAuthentication no

# Start sshd now; rc.conf makes it start at boot from here on.
/etc/rc.d/sshd start
# Optional: give root a password.  SSH stays key-only either way
# (PasswordAuthentication no above).
#passwd

make it accessible from your workstation,

# Install the workstation's public key for the account you are logged in as.
mkdir ~/.ssh/
chmod 700 ~/.ssh/
cd ~/.ssh/
vi authorized_keys

# Content of authorized_keys, one key per line:
YOUR WORKSTATION PUBLIC KEY IN OPENSSH FORMAT HERE
# On the workstation, print the key to paste:
#cat ~/.ssh/id_ecdsa.pub
##cat ~/.ssh/id_ed25519.pub

# sshd (StrictModes) ignores the file when others can write to it.
chmod 600 authorized_keys

now check that your server is reachable remotely and finally exit the serial console,

^D

now remotely

define your timezone,

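# Show the current zone link, then point it at the wanted zone.  ls is used
# rather than ll: that alias only exists once /etc/shrc has been set up
# further down, so it is not available in this session yet.
ls -alhF /etc/localtime
# Relative target so the link resolves from within /etc.
ln -sf ../usr/share/zoneinfo/Europe/Moscow /etc/localtime
#ln -sf ../usr/share/zoneinfo/Europe/Paris /etc/localtime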

remove skeletons for FTP users,

# Move the stock skeleton out of the way so new (FTP) accounts start with an
# empty home; the ls first shows whether skel.dist already exists.
ls -alhF /etc/skel.dist/
mv /etc/skel/ /etc/skel.dist/
mkdir /etc/skel/

Note: NetBSD complains if /etc/skel/ does not exist.

tweak your administration env,

# Keep a pristine copy of the login profile, then make interactive shells
# read /etc/shrc (ENV names the file sh/ksh source on interactive start-up).
cp -pi /etc/profile /etc/profile.dist
vi /etc/profile

# Line to add to /etc/profile:
export ENV=/etc/shrc

some handy aliases to add into the existing case condition,

# Keep a pristine copy, then add the block below to /etc/shrc.
cp -pi /etc/shrc /etc/shrc.dist
vi /etc/shrc

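export PATH=/usr/local/bin:/usr/local/sbin:/usr/pkg/bin:/usr/pkg/sbin:/bin:/sbin:/usr/bin:/usr/sbin:$HOME/bin
export PASSIVE_FTP=yes

# Everything below is for interactive shells only ("i" in $-).  It relies on
# ksh features ([[ ]], (( )), set -o emacs, bind), which is why ksh was chosen
# as the login shell above.
case "$-" in *i*)
    # Where pkg_add fetches binary packages from.  The commented variant
    # derives the path from uname(1) -- "cut -f 1,2" keeps fields 1 and 2 of
    # the release; the original '12' selected field twelve.  The active line
    # pins NetBSD/amd64 8.0.
    # NOTE(review): plain http:// and no signature check on the packages
    # here; prefer an https mirror and/or signed packages (VERIFIED_INSTALLATION
    # in pkg_install.conf) so an altered download is rejected.
    #export PKG_PATH="http://cdn.NetBSD.org/pub/pkgsrc/packages/$(uname -s)/$(uname -m)/$(uname -r|cut -f 1,2 -d.)/All/"
    export PKG_PATH="http://cdn.netbsd.org/pub/pkgsrc/packages/NetBSD/amd64/8.0/All/"
    # HOST is only filled in when the login did not set it
    # ($(...) rather than backticks).
    [[ -z "$HOST" ]] && HOST=$(uname -n)
    # Prompt: short hostname, "#" for root and ">" for anyone else.  PS1 is
    # single-quoted on purpose so ksh expands ${HOST%%\.*} at display time.
    if (( $(id -u) == 0 )); then
        PS1='${HOST%%\.*}# '
    else
        PS1='${HOST%%\.*}> '
    fi
    set -o emacs
    # tabcomplete is not in every ksh: probe it in a subshell first.
    ( set -o tabcomplete 2>/dev/null ) && set -o tabcomplete
    # ^L clears the screen.
    bind -m '^L'='clear^M'
    alias ll='ls -alhF'
    alias l='ls -altrhF'
    #alias cp='cp -i'
    #alias mv='mv -i'
    #alias rm='rm -i'
    # Reminders to use shutdown(8) rather than bare reboot/halt.
    alias reboot='echo THIS IS NOT A GNU SYSTEM, use shutdown -r now'
    alias halt='echo THIS IS NOT A GNU SYSTEM, use shutdown -h or -p now'
    alias netstata='netstat -an -f inet -f inet6'
    alias runq='postfix flush'
    ;;
esac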

    # Re-read the new profile in the current session (interactive shells pick
    # up /etc/shrc through ENV; source it directly if needed).
    . /etc/profile
#. /etc/shrc

install a few packages (list here),

# Binary packages from PKG_PATH (set in /etc/shrc above).
# NOTE(review): PKG_PATH is plain http://, so unless package signature
# verification is configured (pkg_install.conf), anything on the network path
# to the CDN can hand out altered packages; an https mirror or signed
# packages close that gap.
pkg_add \
    alpine \
    curl \
    e2fsprogs \
    git \
    iftop \
    iperf3 \
    lftp \
    lynx \
    mc \
    netcat \
    nmap \
    pwgen \
    screen \
    tmux \
    trafshow \
    vim \
    wget

indexing,

# Build the locate(1) database so the freshly installed files are findable.
/usr/libexec/locate.updatedb

disable atrun, start a new log every day, and enable the monthly cron job for root,

# Root's crontab: comment out atrun, enable the daily log and monthly
# entries as described above.
crontab -e

set up outgoing messages,

# Postfix: keep the stock main.cf aside and start from a copy with the
# comments and blank lines stripped, then edit that copy.
cd /etc/postfix/
mv -i main.cf main.cf.dist
sed -e '/^[[:space:]]*#/d' \
    -e '/^[[:space:]]*$/d' main.cf.dist > main.cf
vi main.cf

if needed, define a smarthost,

relayhost = SMARTHOST

and fix your origin so that bounces are also sent to your MX (assuming you have set up an FQDN in /etc/myname; otherwise fix it with myhostname = or mydomain =),

mydomain = YOUR_DOMAIN
myorigin = $mydomain

# Apply the new main.cf.
service postfix restart

and setup an email alias for root,

# Forward root's mail to a real mailbox (alias line below).
vi /etc/mail/aliases

root:       REAL_EMAIL

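# Rebuild the aliases database, then send a test mail to root (now forwarded
# to REAL_EMAIL) while following the mail log; mailq shows anything stuck.
newaliases
# Keeps running in the background for the rest of the session: stop it with
# kill %1 (or fg and ^C) once the test mail has been delivered.
tail -F /var/log/maillog &
# $(hostname) instead of backticks, quoted so the subject is one argument.
date | mailx -s "$(hostname)" root
mailq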

enable package daily audits,

# Reachability check of the mirror only: the list is fetched into ~ and
# removed right away; pkg_admin keeps its own copy (see below).
cd ~/
ftp -a ftp://ftp.fr.netbsd.org/pub/NetBSD/packages/distfiles/pkg-vulnerabilities
rm -f pkg-vulnerabilities

# Show the current config (fails harmlessly if the file is not there yet),
# make sure the directory exists, then write the mirror the vulnerability
# list is fetched from.
cat /usr/pkg/etc/audit-packages.conf
mkdir -p /usr/pkg/etc/
# NOTE(review): plain ftp://, so the transport offers no integrity; the
# upstream list is PGP-signed -- see pkg_admin(1) for verifying the fetched
# file rather than trusting the download.
cat > /usr/pkg/etc/audit-packages.conf <<-EOF
VUL_SOURCE="ftp://ftp.fr.netbsd.org/pub/NetBSD/packages/distfiles/pkg-vulnerabilities"
EOF

# First fetch and a manual audit run; the output lists installed packages
# with known vulnerabilities.
pkg_admin fetch-pkg-vulnerabilities
pkg_admin audit

# Daily periodic job: refresh and check the list.  The explicit crontab
# entries added below appear to do the same; keeping both means two mails
# per finding.
cat >> /etc/daily.conf <<-EOF
fetch_pkg_vulnerabilities=YES
check_pkg_vulnerabilities=YES
EOF

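# Find which pkg_admin is first on PATH -- the base system one (/usr/sbin)
# or the pkgsrc one (/usr/pkg/sbin) -- and use that path in the crontab
# entries below.  command -v rather than which: a builtin, portable, and a
# non-zero status when the tool is absent.
command -v pkg_admin
crontab -e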

#NOT piping to mailx nor redirecting to /dev/null
# ...so cron mails each run's output to root, which the alias above forwards
# to REAL_EMAIL: an audit hit therefore arrives as an email.  Use the
# pkg_admin path that "which pkg_admin" printed: base system in /usr/sbin,
# pkgsrc build in /usr/pkg/sbin (commented pair).  Fetch at 03:00 and audit
# nine minutes later so the refreshed list is in place.
0 3 * * * /usr/sbin/pkg_admin fetch-pkg-vulnerabilities
9 3 * * * /usr/sbin/pkg_admin audit
#0 3 * * * /usr/pkg/sbin/pkg_admin fetch-pkg-vulnerabilities
#9 3 * * * /usr/pkg/sbin/pkg_admin audit

the following is not needed on Xen guests (their clock is synced with dom0)

set up ntp,

# Keep the stock ntp.conf aside and start from a copy without blank and
# comment lines, then edit the copy.
mv -i /etc/ntp.conf /etc/ntp.conf.dist
sed -e '/^$/d' \
    -e '/^#/d' /etc/ntp.conf.dist > /etc/ntp.conf
vi /etc/ntp.conf

#server          ntp.obspm.fr
#server          ntp1.online.net
#server          ntp2.online.net

#server 0.ru.pool.ntp.org
#server 1.ru.pool.ntp.org
#server 2.ru.pool.ntp.org
#server 3.ru.pool.ntp.org

vi /etc/rc.conf

# Lines for /etc/rc.conf: step the clock once at boot (ntpdate(8): -u use an
# unprivileged source port, -b step rather than slew, -s log via syslog),
# then keep it in sync with ntpd.
ntpdate=yes ntpdate_flags="-u -b -s"
ntpd=yes    ntpd_flags=""

# Sanity checks: the servers the ntpdate service will use at boot, a one-off
# manual sync (replace ... with one of them), then start ntpd and list its
# peers.
grep ^server /etc/ntp.conf
ntpdate -u ...
service ntpd start
ntpq -p

Note: at boot time, the ntpdate service reads the ^server lines in /etc/ntp.conf.

testing

for easy troubleshooting (revert to the defaults for production), set up the syslog daemon,

# Keep the stock syslog.conf, then switch to the catch-all rule below.
cp -pi /etc/syslog.conf /etc/syslog.conf.dist
vi /etc/syslog.conf

# Catch-all for troubleshooting: every facility at every priority goes to one
# file.  That includes auth/authpriv records, so /var/log/messages now holds
# sensitive detail -- hence "revert to the defaults for production".
#*.info;auth,authpriv,cron,ftp,kern,lpr,mail.none       /var/log/messages
#kern.debug                                             /var/log/messages
*.*     /var/log/messages

# Apply the catch-all syslog.conf.
service syslogd restart

Last update: 2018-09-15