Setting Up a New FreeBSD Server for Easy Maintenance
Posted on May 18th, 2009

I’ve been a big fan of using FreeBSD for a server platform for a very long time. Since about 1995 or so, I would guess. This blog is running on FreeBSD, and I’ve always found it to be an incredibly well performing, robust, stable and easy to manage platform for servers. But there are several pieces of software that can make your life much easier in keeping a system up-to-date, and I figured I’d document them for new FreeBSD users as I go through setting up a new system.
A big part of that flexibility is the ports and packages system. I won’t go into what it is in extreme depth, but suffice it to say that it allows you to easily install software from binary packages if you don’t have a specific need to compile them, or to alternatively easily configure and compile applications from source to fit your unique needs. The ports system allows you to configure every little detail about how software will be built, and you can do that configuration only once in /etc/make.conf. Any subsequent builds or upgrades will automatically use those same configuration parameters. But I digress.
Before you do anything else, you should set up an alternate user account for yourself. It goes without saying that you should NEVER use the root account except for individual tasks for which you explicitly need it. But even after all these years, I still see admins logging in as root all the time. Don’t do it. Install sudo. For more details, check out this article on Softpanorama.
Portsnap
The ports collection is distributed as a massive hierarchy of directories and Makefiles that are used to configure the 20,207 (as of May 18, 2009) pieces of software offered through the ports system. You can install the ports tree during your initial FBSD install, which many people do, or you can install it after the fact. Keeping that hierarchy up-to-date is critical to maintaining a secure system. In the old days, we used cvsup and synced to the ports repository. Now, you should be using portsnap.
Since FreeBSD 6.0, portsnap has been included by default. When first setting up your ports tree, portsnap can download and install everything for you. It’s as simple as:
hostname59826# portsnap fetch
Looking up portsnap.FreeBSD.org mirrors... 3 mirrors found.
Fetching public key from portsnap2.FreeBSD.org... done.
Fetching snapshot tag from portsnap2.FreeBSD.org... done.
Fetching snapshot metadata... done.
Fetching snapshot generated at Sun May 17 20:06:01 CDT 2009:
3df0dd0aa6718a7ab040d0f48b789d2170ed64adf142a2100% of 56 MB 4674 kBps 00m00s
Extracting snapshot... done.
Verifying snapshot integrity... done.
Fetching snapshot tag from portsnap2.FreeBSD.org... done.
Fetching snapshot metadata... done.
Updating from Sun May 17 20:06:01 CDT 2009 to Mon May 18 16:29:58 CDT 2009.
Fetching 3 metadata patches.. done.
Applying metadata patches... done.
Fetching 0 metadata files... done.
Fetching 88 patches.....10....20....30....40....50....60....70....80.... done.
Applying patches... done.
Fetching 5 new ports or files... done.
hostname59826# portsnap extract
/usr/ports/.cvsignore
/usr/ports/CHANGES
/usr/ports/COPYRIGHT
/usr/ports/GIDs
/usr/ports/KNOBS
[... whole bunch of output deleted here ...]
/usr/ports/x11/yakuake/
/usr/ports/x11/yalias/
/usr/ports/x11/yeahconsole/
/usr/ports/x11/yelp/
/usr/ports/x11/zenity/
Building new INDEX files... done.
hostname59826#
And that’s it. For routine updates afterward, you just use the fetch and update commands, as follows (note that you can combine them on a single command line):
hostname59826# portsnap fetch update
Looking up portsnap.FreeBSD.org mirrors... 3 mirrors found.
Fetching snapshot tag from portsnap1.FreeBSD.org... done.
Fetching snapshot metadata... done.
Updating from Mon May 18 01:46:40 EDT 2009 to Mon May 18 17:29:58 EDT 2009.
Fetching 3 metadata patches.. done.
Applying metadata patches... done.
Fetching 0 metadata files... done.
Fetching 88 patches.....10....20....30....40....50....60....70....80.... done.
Applying patches... done.
Fetching 2 new ports or files... done.
Removing old files and directories... done.
Extracting new files:
/usr/ports/CHANGES
/usr/ports/KNOBS
[... whole bunch of output deleted here ...]
/usr/ports/x11/gdm/
/usr/ports/x11/kde4/
/usr/ports/x11/kdelibs3/
/usr/ports/x11/xfce4-clipman-plugin/
Building new INDEX files... done.
hostname59826#
Seems like it would be a good command to toss into cron, right? Well, to keep the mirrors from being hammered by everyone at the same minute every day, ‘portsnap fetch’ refuses to run from cron. Instead, you have to run ‘portsnap cron’, which sleeps a random amount of time, up to one hour, before syncing. You also shouldn’t cron the update of the ports tree itself, because you can run into problems if the tree is rewritten while you’re doing something with it. And if you’ve ever had to pull an all-nighter fixing something, you know this kind of thing can really confuse you at 3:00am when strange things start happening. Instead, add the following entry to root’s crontab:
0 4 * * * portsnap -I cron update && pkg_version -vIL'=>'
This fetches the latest changes to the ports snapshot and, because of the -I flag, installs only the compiled INDEX files rather than touching the ports tree itself. The pkg_version command then compares your installed packages against that INDEX and lists the out-of-date ones; cron e-mails the output to you. Then you can update them using portupgrade.
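As an added example (not from the original post), here is a small POSIX sh script that works with the pkg_version -v report the cron entry above mails out: it reimplements the -L'=>' filter so you can see exactly which status flags survive it, and condenses a report into a one-line summary that fits a mail subject. The sample report is constructed to mimic pkg_version’s output format and is not real output from any machine.

```shell
#!/bin/sh
# Added example, not from the original post. Each pkg_version -v line looks like
#   <name-version>   <flag>   <message>
# where the flag is one of:
#   =  up to date with index   <  needs updating   >  newer than index
#   ?  origin not found        !  comparison failed   *  multiple versions
# pkg_version -L'=>' drops the '=' and '>' lines; filter_outdated() applies the
# same rule to an unfiltered report so the effect of -L is visible.

# Constructed sample report (not real output).
SAMPLE_REPORT='perl-5.8.9_3                        =   up-to-date with index
portupgrade-2.4.6_3,2               <   needs updating (index has 2.4.6_4,2)
png-1.2.35                          >   succeeds index (index has 1.2.34)
oldport-1.0                         ?   orig. directory not found
sudo-1.6.9.20                       <   needs updating (index has 1.7.0)'

# Print only the lines whose status flag is NOT one of the characters in $1
# (default "=>", the same set the cron entry passes to -L). Reads stdin.
filter_outdated() {
    limchars=${1:-'=>'}
    awk -v lim="$limchars" 'index(lim, $2) == 0'
}

# Count the lines in a report on stdin whose status flag equals $1.
count_flag() {
    awk -v flag="$1" '$2 == flag { n++ } END { print n+0 }'
}

# One-line summary of a report read on stdin, suitable for a cron mail subject.
summarize() {
    report=$(cat)
    outdated=$(printf '%s\n' "$report" | count_flag '<')
    orphans=$(printf '%s\n' "$report" | count_flag '?')
    printf 'ports: %s need updating, %s origin(s) missing\n' "$outdated" "$orphans"
}

# Run with "demo" as the first argument to see both functions on the sample.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_REPORT" | filter_outdated
    printf '%s\n' "$SAMPLE_REPORT" | summarize
fi
```

On a real box you would pipe `pkg_version -vIL'=>'` straight into summarize instead of the constructed sample.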
Portupgrade
Much has been written about portupgrade, ONLamp and the FreeBSDwiki have some good reviews. I won’t go into depth here, save for installing it, and reviewing the single command you can use to upgrade all of your installed ports.
First, install it:
hostname59826# cd /usr/ports/ports-mgmt/portupgrade
hostname59826# make install clean
Accept the default options (or change them if you wish), and let it compile and install. Before using it, you’ll want to set up /etc/make.conf to contain whatever options you prefer. Here’s what I typically use on new boxes:
# It's a server. We don't need GUIs... except Cairo needs to generate a single lib header that gtk needs..
.if ${.CURDIR:M*/graphics/cairo}
.else
WITHOUT_GUI=yes
WITHOUT_X11=yes
.endif
All it does is ensure that no port tries to build in GUI or X11 support, with graphics/cairo as the one exception, since gtk needs a single library header that cairo generates.
To use portupgrade, the commands are simply:
hostname59826# portupgrade -varR
You can omit the ‘v’ for less verbose output. I typically issue the command whenever I get daily e-mails from pkg_version about updated ports being available.
Portaudit
Portaudit is an awesome little utility. It compares your installed port versions to its regularly updated database of known vulnerabilities. It can quickly and easily alert you to any insecure software that you have on your system. The whole thing can be set to run from cron, so all you have to do is look at an e-mail once a day and make any necessary updates. There’s no excuse to not be running it on a FreeBSD box.
Install it from ports:
hostname59826# cd /usr/ports/ports-mgmt/portaudit
hostname59826# make install clean
===> Vulnerability check disabled, database not found
===> Extracting for portaudit-0.5.12
===> Patching for portaudit-0.5.12
===> Configuring for portaudit-0.5.12
===> Building for portaudit-0.5.12
===> Installing for portaudit-0.5.12
===> Generating temporary packing list
===> Checking if ports-mgmt/portaudit already installed
===> To check your installed ports for known vulnerabilities now, do:
/usr/local/sbin/portaudit -Fda
===> Compressing manual pages for portaudit-0.5.12
===> Registering installation for portaudit-0.5.12
===> Cleaning for portaudit-0.5.12
hostname59826# /usr/local/sbin/portaudit -Fda
auditfile.tbz 100% of 55 kB 205 kBps
New database installed.
Database created: Mon May 18 20:10:02 CDT 2009
0 problem(s) in your installed packages found.
Done. Then any time you want to check for vulnerabilities, just issue the command:
hostname59826# portaudit
0 problem(s) in your installed packages found.
Once installed, portaudit is run automatically every day by FreeBSD’s periodic(8) framework, which the default /etc/crontab calls. So your job is almost done. Now you should make sure that somebody is actually receiving and reviewing the daily security run output, and all of root’s other daily mail. If you aren’t, edit /etc/mail/aliases and add a line like the following:
root: me@mydomain.com
Then run:
hostname59826# newaliases
So now you are not only notified daily of any security issues: portaudit will also warn you and stop you from installing any port with known vulnerabilities. The ports collection is aware of it and automatically calls it before building or installing software.
FreeBSD-update
Keeping FreeBSD up to date used to be a real pain, as you had to either continually rebuild everything from source or update using install CDs. It. Was. Awful. Then Colin Percival wrote a nice little utility called freebsd-update, which provided the ability to do binary diff updates for security updates, and life got a whole lot easier.
Now, freebsd-update is distributed as part of the base FBSD install and it’s to your advantage to use it. Security patches can be downloaded by:
hostname59826# freebsd-update fetch
Looking up update.FreeBSD.org mirrors... 2 mirrors found.
Fetching public key from update5.FreeBSD.org... done.
Fetching metadata signature for 7.1-RELEASE from update5.FreeBSD.org... done.
Fetching metadata index... done.
Fetching 2 metadata files... done.
Inspecting system... done.
Preparing to download files... done.
Fetching 32 patches.....10....20....30. done.
Applying patches... done.
The following files will be updated as part of updating to 7.1-RELEASE-p5:
/boot/kernel/kernel
/boot/kernel/kernel.symbols
/lib/libc.so.7
/lib/libcrypto.so.5
/rescue/[
[... lots of extraneous junk deleted ...]
/usr/src/sys/kern/kern_environment.c
/usr/src/sys/kern/kern_time.c
and then installed:
hostname59826# freebsd-update install
Installing updates... done.
hostname59826#
If any kernel patches were installed, you’ll have to reboot the box. You can cron the check for, and download of, new updates by adding the following to /etc/crontab:
@daily root freebsd-update cron
When run from cron, freebsd-update only downloads the updates; it won’t install them. It will e-mail you to let you know that updates are ready to be installed. This is a good thing.
(You did configure your system to send root mail to you, right?)
For more information, including all the various configuration options for freebsd-update and how to use it to do minor or major version upgrades (from 7.1 to 7.2, or from 6.0 to 7.0, for example), read the FreeBSD Handbook entry on freebsd-update.
Feel free to leave comments with any other things you’d recommend be done when setting up a new FreeBSD box!
Update: For some strange reason, FreeBSD 7.1 is still shipping with perl 5.6 as the default. Meanwhile, the 5.6 version is scheduled to be removed by the end of May, 2009. You’ll have to replace it with either 5.8 or 5.10: the choice is yours, do some research – some people claim 5.10 isn’t stable or is not a “true” release, merely a path to perl 6. Others have no qualms and use 5.10 on production machines.
You can use portupgrade to replace perl5.6 with either of the two as follows:
hostname59826# portupgrade -o lang/perl5.8 perl
or
hostname59826# portupgrade -o lang/perl5.10 perl
1 response to “Setting Up a New FreeBSD Server for Easy Maintenance”

Ricky, May 26th, 2010 at 14:58:
You should also include the `portconf` port, which avoids editing `/etc/make.conf`.