FreeBSD on Vultr

This article was published in October of 2021 and last updated January 7th, 2022.

I wanted to spin up a FreeBSD VM and thought I remembered that Vultr made that easy to do. These are some notes I made along the way.

Logging in

I added an SSH key when setting up my instance, but wasn't able to authenticate by public key after the install completed. Looking at my instance in the Vultr web interface, I saw I could copy the root password. I used that to authenticate and log in as root.

Add a user

I prefer not to work as root unless necessary, so I created a user.

root@vultr1:~ # adduser
Username: user
Full name: User
Uid (Leave empty for default):
Login group [user]:
Login group is user. Invite user into other groups? []: wheel
Login class [default]:
Shell (sh csh tcsh nologin) [sh]:
Home directory [/home/user]:
Home directory permissions (Leave empty for default):
Use password-based authentication? [yes]:
Use an empty password? (yes/no) [no]:
Use a random password? (yes/no) [no]:
Enter password:
Enter password again:
Lock out the account after creation? [no]:
Username   : user
Password   : *****
Full Name  : User
Uid        : 1001
Class      :
Groups     : user wheel
Home       : /home/user
Home Mode  :
Shell      : /bin/sh
Locked     : no
OK? (yes/no): yes
adduser: INFO: Successfully added (user) to the user database.
Add another user? (yes/no): no
Goodbye!

I added the user to the wheel group. Otherwise, I took the defaults. I added my public SSH key to ~user/.ssh/authorized_keys and checked that I could log in as the new user with public key authentication and switch users to root if necessary.

SSH config

I updated /etc/ssh/sshd_config to deny root logins and allow only public key authentication:

PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no

Then I restarted sshd:

root@vultr1:~ # service sshd restart

After that, I confirmed that I wasn't able to log in as root or use password authentication via ssh.
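
The three settings above can also be checked without attempting logins, by auditing the effective configuration that sshd -T prints. This is an added example, not part of the original article: the function name audit_sshd and the sample lines are constructed for illustration, and the alias handling assumes that newer OpenSSH releases report ChallengeResponseAuthentication under the name kbdinteractiveauthentication.

```shell
#!/bin/sh
# Audit effective sshd settings in the "keyword value" format of `sshd -T`.
# Reads stdin, prints one FAIL line per deviation, returns 0 only if all
# three settings from this article are in force.
audit_sshd() {
    awk '
    BEGIN {
        want["passwordauthentication"] = "no"
        want["permitrootlogin"] = "no"
        want["kbdinteractiveauthentication"] = "no"
        # Older releases print the ChallengeResponseAuthentication name instead.
        alias["challengeresponseauthentication"] = "kbdinteractiveauthentication"
    }
    {
        key = tolower($1); val = tolower($2)
        if (key in alias) key = alias[key]
        if (!(key in want)) next
        seen[key] = 1
        if (val != want[key]) {
            printf "FAIL %s is %s, want %s\n", key, val, want[key]
            bad = 1
        }
    }
    END {
        # A setting that never appears in the output is treated as unverified.
        for (k in want) if (!(k in seen)) {
            printf "FAIL %s not reported\n", k
            bad = 1
        }
        exit bad + 0
    }'
}

# Constructed samples in `sshd -T` format (not captured from a real host).
sample_hardened() {
    printf '%s\n' 'port 22' 'permitrootlogin no' 'passwordauthentication no' \
        'kbdinteractiveauthentication no' 'pubkeyauthentication yes'
}
sample_weak() {
    printf '%s\n' 'port 22' 'permitrootlogin yes' 'passwordauthentication yes' \
        'challengeresponseauthentication yes' 'pubkeyauthentication yes'
}

# Demo on the constructed samples; on a real host: sshd -T | audit_sshd
sample_hardened | audit_sshd && echo "hardened sample: OK"
sample_weak | audit_sshd || echo "weak sample: settings need attention"
```

On the host, run sshd -T | audit_sshd as root after restarting sshd. Settings inside Match blocks are only evaluated when a connection spec is given with -C.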

Mail

By default, Vultr set sendmail_enable="NONE" in /etc/rc.conf. I wanted local delivery so I removed this line. /etc/defaults/rc.conf sets up Sendmail for local delivery (and outbound delivery, but I'll block that with the firewall). I started up the submit and msp_queue daemons:

root@vultr1:~ # service sendmail start
Starting sendmail_submit.
Starting sendmail_msp_queue.

I wanted mail for root to be delivered to my new user, so I added a root: user line to /etc/aliases and ran newaliases.

Quiet down periodic

By default, periodic sends a lot more email than I'd prefer. I added some lines to turn off reporting I wasn't interested in (and turn on a couple of things I was interested in):

daily_show_success="NO"
daily_status_disks_enable="NO"
daily_status_network_enable="NO"
daily_status_uptime_enable="NO"
daily_status_ntpd_enable="YES"
weekly_show_success="NO"
weekly_noid_enable="YES"
monthly_show_success="NO"
security_show_success="NO"
security_status_loginfail_enable="NO"

Firewall

I thought I'd like to set up the pf firewall. FreeBSD has a few different firewall options, but I was already familiar with pf from using OpenBSD and it seems like it's a pretty popular and well-supported option on FreeBSD too. I made a new /etc/pf.conf file. I set it up to leave alone the loopback interface, to block new connections by default, but to allow new outgoing connections (except SMTP), and to allow incoming ssh connections as well as incoming ICMP. I can add additional ports to this rule in the future to allow selected other types of incoming connections (http and https come to mind). I turned on fragment reassembly because I think it's needed to do stateful filtering on fragmented packets.

set block-policy return
set skip on lo0
scrub in fragment reassemble
block
pass out
block out proto tcp to any port smtp
pass in proto tcp to any port { ssh }
pass in proto icmp

After checking the new file for errors, I enabled pf and started it.

root@vultr1:~ # pfctl -f /etc/pf.conf -n
root@vultr1:~ # sysrc pf_enable=yes
pf_enable: NO -> yes
root@vultr1:~ # service pf start

I added a security_status_pfdenied_enable="NO" line to /etc/periodic.conf since I wasn't interested in getting emails about denied connections.

In closing

I hope that you found this helpful. If this is the kind of thing you're into, you may also enjoy some of my other articles. If you have any questions or comments, please feel free to drop me an e-mail.

Aaron D. Parks
aparks@aftermath.net