Set up a FreeBSD server - Part 2: Add user and firewall setup
Last time I stopped when my new droplet was initialized. Next, I will do some initial setup work like adding a user, properly configuring SSH access and adding a firewall.
I added my SSH public key to the droplet when I created it, so I can now log in by typing:
~ $ ssh -l root <droplet-ip>
and then providing my passphrase.
First, I will update the existing packages. (Side note: since DigitalOcean droplets, at least the size I chose, are not the most powerful machines, I will install everything as precompiled packages instead of building from ports.)
root@pioneer-3:~ # pkg upgrade
Updating FreeBSD repository catalogue...
Fetching meta.txz: 100%    944 B   0.9kB/s    00:01
Fetching packagesite.txz: 100%    6 MiB   6.4MB/s    00:01
Processing entries: 100%
FreeBSD repository update completed. 31140 packages processed.
All repositories are up to date.
New version of pkg detected; it needs to be installed first.
The following 1 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
	pkg: 1.10.1 -> 1.10.5

Number of packages to be upgraded: 1

3 MiB to be downloaded.

Proceed with this action? [y/N]: y
[1/1] Fetching pkg-1.10.5.txz: 100%    3 MiB   3.0MB/s    00:01
Checking integrity... done (0 conflicting)
[1/1] Upgrading pkg from 1.10.1 to 1.10.5...
Extracting pkg-1.10.5: 100%
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Checking for upgrades (42 candidates): 100%
Processing candidates (42 candidates): 100%
The following 47 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	py27-asn1crypto: 0.22.0
	oniguruma: 6.8.1
	e2fsprogs-libuuid: 1.44.2
	e2fsprogs-libblkid: 1.44.2
	e2fsprogs-libss: 1.44.2
Next, I add my own user with the interactive adduser command (an empty answer keeps the default shown in brackets):
root@pioneer-3:~ # adduser
Username: tobi
Full name: Tobias Barth
Uid (Leave empty for default):
Login group [tobi]:
Login group is tobi. Invite tobi into other groups? : wheel
Login class [default]:
Shell (sh csh tcsh nologin) [sh]:
Home directory [/home/tobi]:
Home directory permissions (Leave empty for default):
Use password-based authentication? [yes]:
Use an empty password? (yes/no) [no]:
Use a random password? (yes/no) [no]:
Enter password:
Enter password again:
Lock out the account after creation? [no]:
Username   : tobi
Password   : *****
Full Name  : Tobias Barth
Uid        : 1002
Class      :
Groups     : tobi wheel
Home       : /home/tobi
Home Mode  :
Shell      : /bin/sh
Locked     : no
OK? (yes/no): yes
adduser: INFO: Successfully added (tobi) to the user database.
Add another user? (yes/no): no
Goodbye!
Notably, I added my new user to the group “wheel” so that this user can use “sudo”. To make that work, I have to edit the file /usr/local/etc/sudoers. This is not done directly, but through the command visudo, which checks the syntax before saving:
root@pioneer-3:~ # visudo
Now, uncomment the line
%wheel ALL=(ALL) ALL
At this point, I can log in via SSH as the user “tobi” with my password. That is a step in the right direction (I want to disable root logins), but not ideal. Authentication with public/private key pairs is more secure than using a password, so I will configure that. My public key is already on the server, but within the home directory of root. I can just copy it over to the home directory of “tobi”.
I can now log in with my SSH key and its passphrase as the unprivileged user “tobi”. Next, I edit the SSH daemon configuration in /etc/ssh/sshd_config.
I change it so that it contains the following lines and values:
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
With this, root can no longer log in remotely, and users can only authenticate with a key; password and challenge-response logins are refused.
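The two steps above (moving the key into the new user's home, then locking down sshd_config) scripted as an added example; this is not code from the original post. It assumes a sshd_config without a Match block (so lines appended at the end apply globally), and the demo at the bottom works on constructed files in a temporary directory rather than on /root, /home/tobi or /etc/ssh/sshd_config. The check functions read the file the way sshd does: the first active occurrence of a keyword wins, so a stray earlier line would silently override the hardened one.

```shell
#!/bin/sh
# Added example, not from the original post.
# (1) install_authorized_keys: copy root's authorized_keys into the new
#     user's home with the modes sshd's StrictModes requires (0700/0600).
# (2) harden_sshd_config: set the four directives from the post exactly once.
# (3) check_*: verify both results; sshd honours the first active keyword.
# Assumption: sshd_config has no "Match" block. The demo uses constructed
# files in a temp dir and never touches /etc or /root.
set -eu

# keyword=value pairs from the post
HARDENING="PasswordAuthentication=no ChallengeResponseAuthentication=no PubkeyAuthentication=yes PermitRootLogin=no"

# install_authorized_keys SRC HOME_DIR USER
# Ownership is changed only when running as root and USER exists, which is
# the situation in the post (run as root after adduser).
install_authorized_keys() {
    src=$1; home_dir=$2; user=$3
    ssh_dir="$home_dir/.ssh"
    mkdir -p "$ssh_dir"
    cp "$src" "$ssh_dir/authorized_keys"
    chmod 700 "$ssh_dir"
    chmod 600 "$ssh_dir/authorized_keys"
    if [ "$(id -u)" -eq 0 ] && id "$user" >/dev/null 2>&1; then
        chown -R "$user:$user" "$ssh_dir"
    fi
}

# check_authorized_keys HOME_DIR: 0 if .ssh is 0700 and the key file is 0600
# and non-empty; with StrictModes (the default) sshd ignores the file otherwise.
check_authorized_keys() {
    ssh_dir="$1/.ssh"
    [ "$(ls -ld "$ssh_dir" | cut -c1-10)" = "drwx------" ] || return 1
    [ "$(ls -l "$ssh_dir/authorized_keys" | cut -c1-10)" = "-rw-------" ] || return 1
    [ -s "$ssh_dir/authorized_keys" ]
}

# harden_sshd_config FILE: drop every active or commented line for each
# keyword (case-insensitive, like sshd), then append the wanted line.
harden_sshd_config() {
    cfg=$1
    for pair in $HARDENING; do
        key=${pair%%=*}; value=${pair#*=}
        grep -iv -E "^[[:space:]]*#?[[:space:]]*$key[[:space:]]" "$cfg" > "$cfg.tmp" || true
        printf '%s %s\n' "$key" "$value" >> "$cfg.tmp"
        mv "$cfg.tmp" "$cfg"
    done
}

# check_sshd_config FILE: 0 when the first active line of every keyword
# carries the wanted value, 1 otherwise.
check_sshd_config() {
    cfg=$1
    for pair in $HARDENING; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(grep -i -E "^[[:space:]]*$key[[:space:]]" "$cfg" | head -n 1 |
              awk '{print tolower($2)}')
        [ "$got" = "$want" ] || return 1
    done
    return 0
}

# --- demo on constructed files (placeholder key and config, not real ones) ---
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/root/.ssh" "$tmp/home/tobi"
    echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA-EXAMPLE-KEY tobi@laptop" \
        > "$tmp/root/.ssh/authorized_keys"
    install_authorized_keys "$tmp/root/.ssh/authorized_keys" "$tmp/home/tobi" tobi
    check_authorized_keys "$tmp/home/tobi" && echo "authorized_keys: ok"
    # stand-in for a stock config: defaults commented out, password logins on
    cat > "$tmp/sshd_config" <<'EOF'
#PermitRootLogin no
#PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
Subsystem sftp /usr/libexec/sftp-server
EOF
    if check_sshd_config "$tmp/sshd_config"; then echo "before: hardened"; else echo "before: not hardened"; fi
    harden_sshd_config "$tmp/sshd_config"
    if check_sshd_config "$tmp/sshd_config"; then echo "after: hardened"; fi
    cat "$tmp/sshd_config"
    rm -rf "$tmp"
}
demo
```

On the real host, run `sshd -t` after editing the file to catch syntax errors and then `service sshd restart` to apply it; keep the current root session open and confirm a fresh key login as “tobi” works (with sudo) before closing it, because a mistake in these four lines locks every remote login out.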
I have sneaked in a different shell prompt, and not only that: it is an entirely different shell, ZSH. I installed it with pkg install zsh and then made it the default shell for both the root user and the user “tobi”. Changing the shell is as easy as:
chsh -s zsh
while logged in as the user whose shell I want to change. Alternatively, I can append the username to the command. Additionally, I provided a very basic .zshrc configuration file for both users:
# Lines configured by zsh-newuser-install
setopt appendhistory autocd extendedglob nomatch notify
unsetopt beep
# End of lines configured by zsh-newuser-install
autoload -Uz promptinit compinit
compinit
promptinit
prompt redhat

alias l="ls -al"
This post is already long enough, and firewall configuration is a completely new topic. So I will end here and continue in part 3 of this series.