network setup on serial console

assuming a blind install, you now need to choose your shell (for root, and as the default for accounts created later),

# Login shell for root, and the default shell handed to accounts created
# later with useradd (-D edits useradd's defaults instead of adding a user).
chpass -s /bin/ksh root
useradd -D -s /bin/ksh

setup network,

# Find the interface name first; NETIF below stands for it (the name
# ifconfig -a prints), IP/PREFIX for this host's address.
ifconfig -a
cd /etc
# One ifconfig.<interface> file per interface; its lines are handed to
# ifconfig(8) at boot.
vi ifconfig.NETIF
#inet IP/PREFIX up
# Default router, then this host's name (an FQDN -- the postfix notes further
# down rely on that).
vi mygate
vi myname
# Keep a pristine copy of every file you touch (the *.dist convention used
# throughout these notes), then add at least this host to hosts.
cp -pi hosts hosts.dist
vi hosts
# Nameservers; the file does not exist yet on a blind install.
vi /etc/resolv.conf # new file
# Re-run the network rc scripts. On the serial console this is safe even if
# the new settings are wrong, which would not be true over ssh.
service network restart

setup the SSH daemon,

cd /etc/
cp -pi rc.conf rc.conf.dist
# The edit itself is not recorded here; presumably sshd=YES, which both
# starts sshd at boot and is required before /etc/rc.d/sshd start will do
# anything (rc.d scripts refuse to start a service whose rc.conf variable is
# not set, unless invoked with onestart).
vi rc.conf


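cd /etc/ssh/
cp -pi sshd_config sshd_config.dist
vi sshd_config

# Settings to change in sshd_config. XXX is whatever port you pick; moving
# off 22 only cuts log noise, it is not a security control.
Port XXX
# Only members of wheel may log in at all. root is in wheel on NetBSD, so this
# does not lock root out (check `id root` if in doubt).
AllowGroups wheel
# Root may log in, but only with a key. Newer OpenSSH spells this value
# prohibit-password; without-password is still accepted as an alias.
PermitRootLogin without-password
# Turn password logins off completely. PasswordAuthentication alone leaves
# keyboard-interactive (challenge/response) enabled, which can still accept a
# password through PAM or a similar backend, so disable that too (newer
# OpenSSH also accepts the name KbdInteractiveAuthentication for it).
PasswordAuthentication no
ChallengeResponseAuthentication no

# Needs sshd=YES in rc.conf (edited above); otherwise use onestart.
/etc/rc.d/sshd start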

make it accessible from your workstation,

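# Root's ~/.ssh. sshd (StrictModes, on by default) silently ignores
# authorized_keys when the directory, the file or the home directory is
# group/world writable or owned by someone else, hence the modes below.
mkdir -p ~/.ssh/
chmod 700 ~/.ssh/
cd ~/.ssh/
vi authorized_keys

# Paste the *public* keys from your workstation (the .pub files under its
# ~/.ssh/; the exact file names were trimmed from this copy of the notes).
# Never copy a private key onto the server.
#cat ~/.ssh/
##cat ~/.ssh/

chmod 600 authorized_keys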

now check that you can log in remotely with your key -- keep the serial console open until that works, since password logins are now disabled -- and only then exit the serial console,


now remotely

define your timezone,

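# Check what the installer left, then point /etc/localtime at your zone
# (relative link). ls -l rather than ll: the ll alias is only defined
# further down, in /etc/shrc, so it does not exist yet at this point.
ls -l /etc/localtime
ln -sf ../usr/share/zoneinfo/Europe/Moscow /etc/localtime
#ln -sf ../usr/share/zoneinfo/Europe/Paris /etc/localtime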

remove the skeleton dotfiles so that new (FTP-only) users get an empty home directory,

# New accounts get a copy of /etc/skel; empty it so FTP-only users are
# created without dotfiles. The ls is presumably a pre-check that skel.dist
# does not exist yet (otherwise mv would move skel *into* it).
ls -alhF /etc/skel.dist/
mv /etc/skel/ /etc/skel.dist/
mkdir /etc/skel/

note: NetBSD complains if /etc/skel/ does not exist, hence the empty directory.

tweak your administration env,

cp -pi /etc/profile /etc/profile.dist
vi /etc/profile

# Line to add to /etc/profile: ENV names the file sh/ksh source for every
# interactive shell, so the aliases set up below apply to all logins.
export ENV=/etc/shrc

    # Then re-source it in the current session.
    . /etc/profile

some handy exports and aliases; the indented lines go inside the existing case branch of /etc/shrc (the one for interactive shells),

cp -pi /etc/shrc /etc/shrc.dist
# Add the lines below; the indented ones belong inside the existing case
# branch (the interactive-shell one).
vi /etc/shrc

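# Search path. The entries before /bin and /sbin take precedence over the base
# system, so make sure /usr/local/* and /usr/pkg/* are root-owned and not
# group/world writable, or a planted binary shadows a system command.
export PATH=/usr/local/bin:/usr/local/sbin:/usr/pkg/bin:/usr/pkg/sbin:/bin:/sbin:/usr/bin:/usr/sbin:$HOME/bin
# Binary package location for pkg_add: <OS>/<arch>/<major.minor>/All/. The
# repository URL that belongs in front of it appears to have been stripped
# from this copy of the notes; prefer an https:// mirror, since pkg_add
# installs whatever it fetches (see also VERIFIED_INSTALLATION in
# pkg_install.conf(5)). -f 1,2 is the portable spelling of -f '1 2'.
export PKG_PATH="$(uname -s)/$(uname -m)/$(uname -r | cut -d. -f 1,2)/All/"
export PASSIVE_FTP=yes

    # Prompt: short hostname, '#' for root, '>' for everybody else.
    if (( $(id -u) == 0 )); then PS1='${HOST%%\.*}# '; else PS1='${HOST%%\.*}> '; fi

# ksh key binding: Ctrl-L clears the screen.
bind -m '^L'='clear^M'
    alias ll='ls -alhF'
    alias l='ls -altrhF'
    # Ask before overwriting or deleting.
    alias cp='cp -i'
    alias mv='mv -i'
    alias rm='rm -i'
    # Guard against the Linux habit; shutdown(8) is the documented way to
    # bring the box down (reboot/halt presumably bypass the rc shutdown).
    alias reboot='echo THIS IS NOT A GNU SYSTEM, use shutdown -r now'
    alias halt='echo THIS IS NOT A GNU SYSTEM, use shutdown -h or -p now'
    # Listening sockets and connections, v4 and v6, no name lookups.
    alias netstata='netstat -an -f inet -f inet6'
    alias runq='postfix flush'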

# Re-read shrc so the current shell picks up the new aliases.
. /etc/shrc

install a few packages (list here),

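# Binary packages fetched from PKG_PATH (set in /etc/shrc above). Note that
# nmap, netcat, iftop, iperf3 and trafshow are network probing tools: handy on
# an admin box, but consider leaving them off a production server, where they
# would mostly be of use to an intruder.
pkg_add \
    alpine \
    curl \
    e2fsprogs \
    git \
    iftop \
    iperf3 \
    lftp \
    lynx \
    mc \
    netcat \
    nmap \
    pwgen \
    screen \
    tmux \
    trafshow \
    vim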



disable atrun and enable the monthly cron job for root,

# root's crontab: the stock one carries the atrun entries and the
# daily/weekly/monthly runs; comment out atrun (if at(1) is not used) and
# make sure the monthly line is enabled.
crontab -e

setup outgoing mail (postfix main.cf),

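cd /etc/postfix/
# Keep the pristine main.cf, then strip comments and blank lines so the live
# file shows only active settings (the file names were cut from this copy of
# the notes; main.cf is where the parameters below belong). Same pattern as
# the ntp.conf step further down.
mv -i main.cf main.cf.dist
sed '/^[[:space:]]*#/d; /^[[:space:]]*$/d' main.cf.dist > main.cf
vi main.cf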

optionally define a smarthost, so that all outgoing mail is relayed through it,

# Relay all outbound mail through SMARTHOST. If the relay requires
# authentication or TLS, main.cf also needs the smtp_sasl_* / smtp_tls_*
# settings, which these notes do not cover.
relayhost = SMARTHOST

and fix your origin so that bounces also end up at your MX (this assumes /etc/myname holds an FQDN; otherwise set myhostname = or mydomain = explicitly),

# Without this, the sender domain is derived from the host name and bounces
# for mail sent as user@host go back to the host rather than to the domain's MX.
mydomain = YOUR_DOMAIN
myorigin = $mydomain
# NOTE(review): if this host only *sends* mail, consider inet_interfaces =
# loopback-only as well, so postfix does not accept connections from the
# network at all.

service postfix restart

and setup an email alias for root (rebuild the aliases database with newaliases before testing),

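# Redirect root's mail (daily/security reports, cron output) to a mailbox
# someone actually reads.
vi /etc/mail/aliases

root:       REAL_EMAIL

# Postfix reads the hashed aliases database, not the text file: rebuild it,
# or the new alias is silently ignored.
newaliases

# Test delivery and watch the log; kill the background tail afterwards.
tail -F /var/log/maillog &
date | mailx -s "$(hostname)" root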

enable package daily audits,

# Manual fetch of the pkg-vulnerabilities file (the URL was stripped from
# this copy); presumably a connectivity check, since the copy is deleted
# right away and pkg_admin fetches its own below.
cd ~/
ftp -a
rm -f pkg-vulnerabilities

# pkg_admin audit settings. The heredoc body and its closing EOF line are
# missing from this copy: as written, the shell would swallow everything that
# follows into the file. Close it with a line containing only EOF before
# running the commands below.
cat /usr/pkg/etc/audit-packages.conf
mkdir -p /usr/pkg/etc/
cat > /usr/pkg/etc/audit-packages.conf <<-EOF

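# Download the vulnerability list and audit the installed packages now.
# NOTE(review): the list is signed and pkg_admin can verify it when a GPG
# binary is configured in pkg_install.conf(5) -- worth enabling, since the
# list drives what gets flagged; confirm the knob name on your release.
pkg_admin fetch-pkg-vulnerabilities
pkg_admin audit
# Have /etc/daily refresh the list; guard against appending a duplicate line
# on a re-run. Check /etc/defaults/daily.conf for the knob that runs the
# audit itself.
grep -q '^fetch_pkg_vulnerabilities=' /etc/daily.conf 2>/dev/null \
    || echo "fetch_pkg_vulnerabilities=yes" >> /etc/daily.conf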


the following is not needed on xen guests (the domU clock is synced from dom0)

setup ntp,

# Same *.dist dance: keep the original, strip comments and blank lines.
mv -i /etc/ntp.conf /etc/ntp.conf.dist
sed '/^$/d;/^#/d;' /etc/ntp.conf.dist > /etc/ntp.conf
# Put your server(s) in. If the pristine file had restrict lines, keep them:
# they are what stops ntpd from answering control/monitor queries from the
# network (amplification bait).
vi /etc/ntp.conf



vi /etc/rc.conf

# ntpdate steps the clock once at boot (-b: set rather than slew, -s: report
# to syslog, -u: unprivileged source port, for firewalls/NAT); ntpd then keeps
# it disciplined.
ntpdate=yes ntpdate_flags="-u -b -s"
ntpd=yes    ntpd_flags=""

# One-off sync now (the server argument was stripped from this copy), then
# start the daemon and check that it reaches its peers (reach/offset columns).
ntpdate -u ...
service ntpd start
ntpq -p

note (to verify): at boot, /etc/rc.d/ntpdate uses the hosts in ntpdate_hosts if set, and otherwise appears to pick the server/peer lines out of /etc/ntp.conf -- check the script on your release before relying on it.


for easy troubleshooting, make syslogd log everything to a single file (this also puts auth/authpriv messages -- su, login and sshd failures -- into /var/log/messages, which is usually world-readable; revert to the defaults for production),

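cp -pi /etc/syslog.conf /etc/syslog.conf.dist
vi /etc/syslog.conf

# Replace the default selectors with a catch-all. Debugging only: it also
# routes auth/authpriv (su, login and sshd failures) into /var/log/messages,
# which is ordinarily world-readable, whereas the default sends them to a
# file only root can read.
#*.info;auth,authpriv,cron,ftp,kern,lpr,mail.none       /var/log/messages
#kern.debug                                             /var/log/messages
*.*     /var/log/messages

service syslogd restart

# For production, put the stock configuration back:
#cp -p /etc/syslog.conf.dist /etc/syslog.conf && service syslogd restart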