Setting up NetBSD

assuming the network has already been set up

scripted setup (the script comes over plain http, so read it before running it)

ftp -a http://pub.nethence.com/bin/netbsdconf.ksh
chmod +x netbsdconf.ksh
./netbsdconf.ksh

in short:

then finish-up

define a password for root just in case you need the true console some day

passwd

enable daily package audits,

ls -l /usr/pkg/etc/audit-packages.conf # should not exist yet
mkdir -p /usr/pkg/etc/
cat > /usr/pkg/etc/audit-packages.conf <<-EOF
VUL_SOURCE="ftp://ftp.fr.netbsd.org/pub/NetBSD/packages/distfiles/pkg-vulnerabilities"
EOF

/usr/sbin/pkg_admin fetch-pkg-vulnerabilities
/usr/sbin/pkg_admin check-pkg-vulnerabilities /var/db/pkg/pkg-vulnerabilities
/usr/sbin/pkg_admin audit
#/usr/pkg/sbin/pkg_admin #gnu/linux

grep run_security /etc/defaults/daily.conf
grep vulnerabilities /etc/daily.conf
cat >> /etc/daily.conf <<-EOF
fetch_pkg_vulnerabilities=YES
check_pkg_vulnerabilities=YES
EOF

tail /etc/daily
cp -pi /etc/daily /etc/daily.dist
cat >> /etc/daily <<-EOF

w
echo

who
echo

top -b
echo

ps auxww
echo

netstat -an -f inet,inet6
echo

netstat -rn -f inet,inet6
echo

arp -a
echo
EOF

cron jobs fixup

crontab -e

#*/10   *       *       *       *       /usr/libexec/atrun
0       3       *       *       *       /usr/bin/newsyslog
30      5       1       *       *       /bin/sh /etc/monthly 2>&1 | tee /var/log/monthly.out | sendmail -t

there is no need for this as we have enabled it in daily.conf already

#0 3 * * * /usr/sbin/pkg_admin fetch-pkg-vulnerabilities && /usr/sbin/pkg_admin audit

for easy troubleshooting

cp -pi /etc/syslog.conf /etc/syslog.conf.dist                     
vi /etc/syslog.conf

*.err;kern.*;auth.notice;authpriv.none;mail.crit        /dev/console
*.emerg                                                 *
*.info                                                  /var/log/messages

or, if this is a mail exchanger, maybe

*.err;kern.*;auth.notice;authpriv.none;mail.crit        /dev/console
*.emerg                                                 *
mail.info                                               /var/log/maillog
*.info;mail.none                                        /var/log/messages

fix the permissions so the log is readable by root only, then apply

-rw-------   1 root    wheel    105K May  3 15:15 /var/log/messages

service syslogd restart
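
a way to verify the permissions step above, as an added example that is not part of the original notes: it pulls the file actions out of a syslog.conf and reports every existing log whose mode is not -rw-------. the function names are hypothetical.

```sh
#!/bin/sh
# added example: report log files named in a syslog.conf that are not
# mode -rw------- (function names are hypothetical, not from the notes above)

# syslog_log_files CONF: print every file action found in CONF, one per line
syslog_log_files() {
	awk '
		/^[ \t]*#/ { next }            # comment
		NF < 2     { next }            # blank line or program/host block
		{
			action = $NF               # the action is the last field
			sub(/^-/, "", action)      # "-/path" disables fsync for that file
			# keep files, skip devices such as /dev/console
			if (action ~ /^\// && action !~ /^\/dev\//) print action
		}
	' "$1" | sort -u
}

# loose_logs CONF: print "mode path" for each existing log that is too open
loose_logs() {
	syslog_log_files "$1" | while IFS= read -r f; do
		[ -f "$f" ] || continue           # not created yet
		mode=$(ls -ld "$f" | cut -c1-10)  # works on NetBSD and Linux
		[ "$mode" = "-rw-------" ] || printf '%s %s\n' "$mode" "$f"
	done
}

# when called with an argument, check that file
[ $# -eq 0 ] || loose_logs "$1"
```

no output means every log file that exists already matches the listing above.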

ready to go

make sure you are clean

ps auxww
netstat -an -f inet,inet6
cat /etc/resolv.conf

operations

vi ~/log

tail -F /var/log/messages

chmod +x ~/log

Additional Sections

more on packages

see pkgsrc

ntp

optionally set up ntp – not sure this is needed for xen guests

mv -i /etc/ntp.conf /etc/ntp.conf.dist
sed '/^$/d;/^#/d;' /etc/ntp.conf.dist > /etc/ntp.conf
vi /etc/ntp.conf

#server          ntp.obspm.fr
#server          ntp1.online.net
#server          ntp2.online.net

server 0.ru.pool.ntp.org
server 1.ru.pool.ntp.org
server 2.ru.pool.ntp.org
server 3.ru.pool.ntp.org

vi /etc/rc.conf

ntpdate=yes ntpdate_flags="-u -b -s"
ntpd=yes    ntpd_flags=""

grep ^server /etc/ntp.conf
ntpdate -u ...
service ntpd start
ntpq -p

the ntpdate service reads the ^server lines in /etc/ntp.conf at boot time.

outgoing messages

optionally define a smarthost and fix your origin so the bounces are also sent to your MX (assuming you have set up an FQDN in /etc/myname; otherwise fix it with myhostname = or mydomain =),

cd /etc/postfix/
mv -i main.cf main.cf.dist
sed '/^[[:space:]]*#/d; /^[[:space:]]*$/d' main.cf.dist > main.cf
vi main.cf

relayhost = SMARTHOST
myhostname = lala.example.net
myorigin = lala.example.net
mydomain = example.net

service postfix restart

and set up an email alias for root,

mv -i /etc/mail/aliases /etc/mail/aliases.dist
sed '/^[[:space:]]*#/d; /^[[:space:]]*$/d' /etc/mail/aliases.dist > /etc/mail/aliases
vi /etc/mail/aliases

root:       REAL_EMAIL

newaliases
tail -F /var/log/maillog &
date | mailx -s `hostname` root
mailq
