Setting up a NetBSD system

network setup on serial console

assuming a blind install, you now need to choose your shell,

chpass -s /bin/ksh root
useradd -D -s /bin/ksh

set up the network,

ifconfig -a
cd /etc
vi ifconfig.NETIF
#inet IP/PREFIX up
vi mygate
vi myname
cp -pi hosts hosts.dist
vi hosts
vi /etc/resolv.conf # new file
service network restart

set up the SSH daemon if needed,

cp -pi /etc/sysctl.conf /etc/sysctl.conf.dist
cat >> /etc/sysctl.conf <<-EOF
#net.inet.ip.forwarding=1
kern.securelevel=1
EOF

cp -pi /etc/rc.conf /etc/rc.conf.dist
vi /etc/rc.conf

securelevel=1
sshd=yes

cd /etc/ssh/
cp -pi sshd_config sshd_config.dist
vi sshd_config

Port XXX
AllowGroups wheel
PermitRootLogin without-password
PasswordAuthentication no

/etc/rc.d/sshd start
#passwd

make it accessible from your workstation,

mkdir ~/.ssh/
chmod 700 ~/.ssh/
cd ~/.ssh/
vi authorized_keys

YOUR WORKSTATION PUBLIC KEY IN OPENSSH FORMAT HERE
#cat ~/.ssh/id_ecdsa.pub
##cat ~/.ssh/id_ed25519.pub

chmod 600 authorized_keys

now check that your server is reachable remotely and finally exit the serial console,

^D

now remotely

define your timezone,

ll /etc/localtime
ln -sf ../usr/share/zoneinfo/Europe/Moscow /etc/localtime
#ln -sf ../usr/share/zoneinfo/Europe/Paris /etc/localtime

remove skeletons for FTP users,

ls -alhF /etc/skel/
mv /etc/skel/ /etc/skel.dist/
mkdir /etc/skel/

Note: NetBSD complains if /etc/skel/ does not exist.

tweak your PDKSH environment, e.g. some handy aliases to add into the existing case condition,

mv -i /etc/shrc /etc/shrc.dist
vi /etc/shrc

# /etc/shrc fragment (PDKSH).  The exports apply to every shell; the
# case arm below only runs when "$-" carries the i flag, i.e. in an
# interactive session (prompt, line editing, aliases).
export PATH=/usr/local/bin:/usr/local/sbin:/usr/pkg/bin:/usr/pkg/sbin:/bin:/sbin:/usr/bin:/usr/sbin:$HOME/bin
export PASSIVE_FTP=yes

case "$-" in
*i*)
    # Pinned binary package repository (release and arch hard-coded).
    # The commented alternative derives it from uname; note that
    # cut -f '12' selects field 12, not fields 1 and 2.
    #http://ftp.fr.netbsd.org/pub/pkgsrc/packages/NetBSD/amd64/8.0/
    #export PKG_PATH="http://cdn.NetBSD.org/pub/pkgsrc/packages/$(uname -s)/$(uname -m)/$(uname -r|cut -f '12' -d.)/All/"
    # NOTE(review): plain http — package integrity rests on pkg_add's own
    # signature/checksum checks, not on the transport.
    export PKG_PATH="http://cdn.netbsd.org/pub/pkgsrc/packages/NetBSD/amd64/8.0/All/"
    # Short host name in the prompt; '#' for root, '>' otherwise.
    # PS1 is single-quoted on purpose so ksh expands it at prompt time.
    [[ -z "$HOST" ]] && HOST=$(uname -n)
    if (( $(id -u) == 0 )); then
        PS1='${HOST%%\.*}# '
    else
        PS1='${HOST%%\.*}> '
    fi
    set -o emacs
    # tabcomplete is not available in every ksh build; probe in a subshell first.
    ( set -o tabcomplete 2>/dev/null ) && set -o tabcomplete
    bind -m '^L'='clear^M'
    # Listing and safety aliases.
    alias ll='ls -alhF'
    alias l='ls -altrhF'
    alias cp='cp -i'
    alias mv='mv -i'
    alias rm='rm -i'
    alias reboot='echo THIS IS NOT A GNU SYSTEM'
    alias halt='echo THIS IS NOT A GNU SYSTEM'
    alias netstata='netstat -an -f inet -f inet6'
    alias runq='postfix flush'
    export TERM=xterm
    ;;
esac

. /etc/shrc

enable it at login,

cp -pi /etc/profile /etc/profile.dist
echo 'export ENV=/etc/shrc' >> /etc/profile

tail /etc/profile

install a few packages (list here),

echo $PKG_PATH

clean-up

echo `pkg_info | awk '{print $1}'`
pkg_delete `pkg_info | awk '{print $1}'`
pkg_info

for a router/gateway

pkg_add \
    alpine \
    curl \
    dsniff-nox11 \
    iftop \
    iperf3 \
    mozilla-rootcerts \
    netcat \
    nmap \
    screen \
    trafshow \
    wget

    #tmux \

cp -i /usr/share/examples/openssl/openssl.cnf /etc/openssl
ll /etc/openssl/certs/
mozilla-rootcerts install
ll /etc/openssl/certs/ca-certificates.crt
curl -I https://os3.su/

and for a rather full-featured server environment, add

pkg_add \
    e2fsprogs \
    git \
    lftp \
    lynx \
    mc \
    pwgen

    #vim \

first shot indexing,

/usr/libexec/locate.updatedb

optionally disable the inetd super-server

/etc/rc.d/inetd stop
vi /etc/rc.conf

inetd=no

enable package daily audits,

ll /usr/pkg/etc/audit-packages.conf
mkdir -p /usr/pkg/etc/
cat > /usr/pkg/etc/audit-packages.conf <<-EOF
VUL_SOURCE="ftp://ftp.fr.netbsd.org/pub/NetBSD/packages/distfiles/pkg-vulnerabilities"
EOF

/usr/sbin/pkg_admin fetch-pkg-vulnerabilities
/usr/sbin/pkg_admin check-pkg-vulnerabilities /var/db/pkg/pkg-vulnerabilities
/usr/sbin/pkg_admin audit
#/usr/pkg/sbin/pkg_admin #gnu/linux

grep run_security /etc/defaults/daily.conf
grep vulnerabilities /etc/daily.conf
cat >> /etc/daily.conf <<-EOF
fetch_pkg_vulnerabilities=YES
check_pkg_vulnerabilities=YES
EOF

tail /etc/daily
cp -pi /etc/daily /etc/daily.dist
cat >> /etc/daily <<-EOF

w
echo

who
echo

top -b
echo

ps auxww
echo

netstat -an -f inet,inet6
echo

netstat -rn -f inet,inet6
echo

arp -a
echo
EOF

cron jobs fixup

crontab -e

#*/10   *       *       *       *       /usr/libexec/atrun
0       3       *       *       *       /usr/bin/newsyslog
30      5       1       *       *       /bin/sh /etc/monthly 2>&1 | tee /var/log/monthly.out | sendmail -t

there is no need for this as we have enabled it in daily.conf already

#0 3 * * * /usr/sbin/pkg_admin fetch-pkg-vulnerabilities && /usr/sbin/pkg_admin audit

Additional Sections

ntp

optionally set up ntp – not sure this is needed for Xen guests

mv -i /etc/ntp.conf /etc/ntp.conf.dist
sed '/^$/d;/^#/d;' /etc/ntp.conf.dist > /etc/ntp.conf
vi /etc/ntp.conf

#server          ntp.obspm.fr
#server          ntp1.online.net
#server          ntp2.online.net

server 0.ru.pool.ntp.org
server 1.ru.pool.ntp.org
server 2.ru.pool.ntp.org
server 3.ru.pool.ntp.org

vi /etc/rc.conf

ntpdate=yes ntpdate_flags="-u -b -s"
ntpd=yes    ntpd_flags=""

grep ^server /etc/ntp.conf
ntpdate -u ...
service ntpd start
ntpq -p

the ntpdate service looks for ^server lines in /etc/ntp.conf at boot time.

outgoing messages

if needed, define a smarthost and fix your origin so that bounces are also sent to your MX (assuming you have set up an FQDN in /etc/myname, otherwise fix with myhostname = or mydomain =),

cd /etc/postfix/
mv -i main.cf main.cf.dist
sed '/^[[:space:]]*#/d; /^[[:space:]]*$/d' main.cf.dist > main.cf
vi main.cf

relayhost = SMARTHOST
myhostname = lala.example.net
myorigin = lala.example.net
mydomain = example.net

service postfix restart

and setup an email alias for root,

mv -i /etc/mail/aliases /etc/mail/aliases.dist
sed '/^[[:space:]]*#/d; /^[[:space:]]*$/d' /etc/mail/aliases.dist > /etc/mail/aliases
vi /etc/mail/aliases

root:       REAL_EMAIL

newaliases
tail -F /var/log/maillog &
date | mailx -s `hostname` root
mailq

easy troubleshooting

for easy troubleshooting (revert to the defaults for production), set up the syslog daemon,

cp -pi /etc/syslog.conf /etc/syslog.conf.dist                     
vi /etc/syslog.conf

#*.info;auth,authpriv,cron,ftp,kern,lpr,mail.none       /var/log/messages
#kern.debug                                             /var/log/messages
*.*     /var/log/messages

service syslogd restart

otherwise

vi log

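#!/bin/ksh
# Follow every plain-text log under /var/log at once (one tail per file),
# skipping rotated .gz archives, then show the tails that were started.
# Uses a glob rather than parsing ls: `ls -1 /var/log/*` would expand a
# subdirectory into its bare entry names, and an unquoted $f breaks on
# whitespace.  Non-regular entries (directories, sockets) are skipped.
for f in /var/log/*; do
        case $f in
        *.gz) continue ;;
        esac
        [ -f "$f" ] || continue
        tail -n0 -F "$f" &
done; unset f
# [t]ail keeps the grep process itself out of the listing.
ps auxww | grep '[t]ail'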

chmod +x log