
Setting up a NetBSD system

post-installation

assuming a blind install, you now need to choose your shell,

chpass -s /bin/ksh root
useradd -D -s /bin/ksh

set up the network,

ifconfig -a
cd /etc
vi ifconfig.NETIF
#inet IP/PREFIX up
vi mygate
vi myname
service network restart

set up SSH,

cd /etc
cp -pi rc.conf rc.conf.dist
vi rc.conf

sshd=yes

rc.d/sshd start
passwd

enhance SSH,

cd /etc/ssh
cp -pi sshd_config sshd_config.dist
vi sshd_config

Port 2222
AllowGroups wheel
PermitRootLogin without-password

/etc/rc.d/sshd restart
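Before restarting sshd it is worth checking what it will actually use, since sshd_config(5) keeps the first uncommented occurrence of a keyword and a hardening line placed below an earlier active setting is silently ignored. The following is an added example, not part of the original notes; it assumes plain "Keyword value" lines (no `Keyword=value` form) and uses two constructed sample files rather than the real /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not from the original notes: verify what sshd will really
# use after editing sshd_config. sshd_config(5) keeps the FIRST uncommented
# occurrence of a keyword, so a hardening line placed below an earlier active
# setting is silently ignored. Assumes "Keyword value" lines (no '=' form).

# print the effective value of keyword $2 in config file $1 (empty if unset)
sshd_effective() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }       # comments and blank lines
        tolower($1) == "match" { exit }            # global section ends here
        tolower($1) == tolower(key) {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")   # drop keyword
            print; exit                            # first occurrence wins
        }' "$1"
}

# compare the three settings from the notes above against a config file;
# returns 0 when all match, 1 otherwise
check_sshd_hardening() {
    cfg=$1; rc=0
    for want in "Port 2222" "AllowGroups wheel" "PermitRootLogin without-password"; do
        key=${want%% *}; val=${want#* }
        got=$(sshd_effective "$cfg" "$key")
        if [ "$got" = "$val" ]; then
            echo "ok    $key $got"
        else
            echo "FAIL  $key is '${got:-unset}', wanted '$val'"; rc=1
        fi
    done
    return $rc
}

# constructed samples (not real configs): the first is edited as in the notes,
# the second left a stock "PermitRootLogin yes" active above the new line
good=$(mktemp); bad=$(mktemp); trap 'rm -f "$good" "$bad"' EXIT
cat > "$good" <<'EOF'
#Port 22
Port 2222
AllowGroups wheel
PermitRootLogin without-password
EOF
cat > "$bad" <<'EOF'
Port 2222
PermitRootLogin yes
AllowGroups wheel
PermitRootLogin without-password
EOF

check_sshd_hardening "$good"
check_sshd_hardening "$bad" || echo "-> restart would not give the intended setup"
```

Point it at /etc/ssh/sshd_config on the server to get the same report for the real file; `sshd -T` prints the fully resolved configuration if you want to cross-check.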

make it accessible from your workstation (and take the chance to also generate key pairs on the server; they might help sooner or later),

ssh-keygen -t ecdsa
#ssh-keygen -t ed25519
cd .ssh/
vi authorized_keys

YOUR WORKSTATION PUBLIC KEY IN OPENSSH FORMAT HERE
#cat ~/.ssh/id_ecdsa.pub
##cat ~/.ssh/id_ed25519.pub

now check that you can connect remotely,

ssh SERVER -p 2222 -l root

and finally exit the serial console,

^D

and define your timezone,

ll /etc/localtime
ln -sf ../usr/share/zoneinfo/Europe/Paris /etc/localtime

indexing,

/usr/libexec/locate.updatedb

remove skeletons for FTP users,

ls -alhF /etc/skel.dist/
mv /etc/skel/ /etc/skel.dist/
mkdir /etc/skel/

note. NetBSD complains if /etc/skel/ does not exist.

tweak your administration env,

cp -pi /etc/profile /etc/profile.dist
vi /etc/profile

export PKG_PATH="http://cdn.NetBSD.org/pub/pkgsrc/packages/$(uname -s)/$(uname -m)/$(uname -r|cut -f '1 2' -d.)/All/"
export PASSIVE_FTP=yes
export ENV=/etc/shrc

. /etc/profile

some handy aliases to add into the existing case condition,

cp -pi /etc/shrc /etc/shrc.dist
vi /etc/shrc

    (( `id -u` == 0 )) && PS1='$HOST# ' || PS1='$HOST> '

    bind -m '^L'='clear^M'
    alias ll='ls -alhF'
    alias cp='cp -i'
    alias mv='mv -i'
    alias rm='rm -i'
    alias reboot='echo THIS IS NOT A GNU SYSTEM, use shutdown -r now'
    alias halt='echo THIS IS NOT A GNU SYSTEM, use shutdown -h or -p now'
    alias netstata='netstat -an -f inet -f inet6'
    alias runq='postfix flush'

. /etc/shrc

install a few packages (list here),

pkg_add \
    alpine \
    curl \
    e2fsprogs \
    git \
    iftop \
    iperf3 \
    lftp \
    lynx \
    mc \
    nmap \
    pwgen \
    screen \
    tmux \
    trafshow \
    vim \
    wget

enable daily package audits,

cd ~/
ftp -a ftp://ftp.fr.netbsd.org/pub/NetBSD/packages/distfiles/pkg-vulnerabilities
rm -f pkg-vulnerabilities

cat /usr/pkg/etc/audit-packages.conf
mkdir -p /usr/pkg/etc/
cat > /usr/pkg/etc/audit-packages.conf <<-EOF
VUL_SOURCE="ftp://ftp.fr.netbsd.org/pub/NetBSD/packages/distfiles/pkg-vulnerabilities"
EOF

pkg_admin fetch-pkg-vulnerabilities
pkg_admin audit
echo "fetch_pkg_vulnerabilities=yes" >> /etc/daily.conf

refs.

disable atrun and enable the monthly cron job for root,

crontab -e

and set up outgoing mail,

cd /etc/postfix/
mv -i main.cf main.cf.dist
sed '/^[[:space:]]*#/d; /^[[:space:]]*$/d' main.cf.dist > main.cf
vi main.cf

optionally define a smarthost,

relayhost = SMARTHOST

and fix your origin so the bounces are also sent to your MX (assuming you have set up an FQDN in /etc/myname, otherwise fix with myhostname = or mydomain =),

mydomain = YOUR_DOMAIN
myorigin = $mydomain

service postfix restart

and set up an email alias for root,

vi /etc/mail/aliases

root:       REAL_EMAIL

newaliases
tail -F /var/log/maillog &
date | mailx -s `hostname` root
mailq

testing

for easy troubleshooting (revert to the defaults for production), set up the syslog daemon,

cp -pi /etc/syslog.conf /etc/syslog.conf.dist
vi /etc/syslog.conf

#*.info;auth,authpriv,cron,ftp,kern,lpr,mail.none       /var/log/messages
#kern.debug                                             /var/log/messages
*.*     /var/log/messages

service syslogd restart

not needed for Xen guests (the clock is synced with dom0)

set up ntp,

mv -i /etc/ntp.conf /etc/ntp.conf.dist
sed '/^$/d;/^#/d;' /etc/ntp.conf.dist > /etc/ntp.conf
vi /etc/ntp.conf

#server         0.netbsd.pool.ntp.org
#server         1.netbsd.pool.ntp.org
#server         2.netbsd.pool.ntp.org
#server         3.netbsd.pool.ntp.org
server          ntp.obspm.fr
#server          ntp1.online.net
#server          ntp2.online.net
#server 0.ru.pool.ntp.org
#server 1.ru.pool.ntp.org
#server 2.ru.pool.ntp.org
#server 3.ru.pool.ntp.org

vi /etc/rc.conf

ntpdate=yes ntpdate_flags="-u -b -s"
ntpd=yes    ntpd_flags=""

service ntpd start
ntpq -p

TODO. does ntpdate at boot time look for the server in ntp.conf?

netbsd/xen guest specifics

tune some shit out there,

vi /etc/rc.conf

wscons=NO

vi /etc/ttys

and set all terminals to off except the console.

ref. https://wiki.xenproject.org/wiki/How_to_install_a_NetBSD_PV_domU_on_a_Debian_Squeeze_host_(Xen_4.0.1)

additional notes

yes, I am being lazy here,

git config --global http.sslVerify false
