
Setting up a FreeBSD Server on Hetzner, Part 1: Base Install and ssh

This blog post covers the procedure to configure a FreeBSD virtual machine located in a Hetzner (a German ISP) datacenter:

  • install a baseline of packages (git sudo bash vim rsync)
  • place /etc under revision control (git)
  • create a non-root user
  • lock down ssh (keys only)

This blog post does not cover the initial FreeBSD installation; that’s covered quite adequately here: http://wiki.hetzner.de/index.php/FreeBSD_installieren/en (except for the IPv6 portion, which didn’t appear to work properly, so I configured the IPv6 differently (see below for details)).

Hetzner is a cost-effective alternative to Amazon AWS. In addition, it offers native IPv6, which Amazon only offers on its ELBs (Elastic Load Balancers).

Basic information on my Hetzner FreeBSD virtual machine:

  • virtual server hostname: shay.nono.com (DNS A records already created)
  • IPv4 address: 78.47.249.19

Let’s talk about the .gitignore entries: these are for security purposes because I plan to publish /etc to a public github repo. The first two entries (master.passwd and spwd.db, the latter being the db(3) form of the former) contain the password hashes, and anyone who obtains a hash can run an offline dictionary attack against it at leisure. Even though further down we will eliminate the use of passwords to connect via ssh, the same password still protects console logins and su, and you don’t want hackers to know your account/password combination. (passwd and pwd.db carry a `*` in the password field instead of a hash, so they are safe to commit.)

The remaining .gitignore entries are the ssh host keys. IMHO, the security risk here is medium-to-low. Knowing the private host keys does not let a hacker decrypt ssh traffic between the FreeBSD server and your machine (the session keys come from a Diffie-Hellman exchange, not from the host key), but it does let him impersonate the server without triggering the host-key-changed warning, which turns a man-in-the-middle position into a silent compromise of your session. That only matters if he can also get between you and the server (e.g. only if he has compromised, say, the Cisco switch to which your workstation is connected). The .pub halves are public by design; ignoring them is harmless but unnecessary.

 # log in as root, as the Hetzner install leaves things
ssh root@shay.nono.com
mkdir ~/.ssh
chmod 700 ~/.ssh
 # pkg_add -r was the package tool of the day; current FreeBSD uses `pkg install`
pkg_add -r git sudo bash vim rsync
bash
cd /etc
git init
cat > .gitignore <<-EOF
master.passwd
spwd.db
ssh/ssh_host_dsa_key
ssh/ssh_host_dsa_key.pub
ssh/ssh_host_ecdsa_key
ssh/ssh_host_ecdsa_key.pub
ssh/ssh_host_key
ssh/ssh_host_key.pub
ssh/ssh_host_rsa_key
ssh/ssh_host_rsa_key.pub
EOF
git add .
git config --global user.name "Brian Cunnie"
git config --global user.email [email protected]
git commit -m"Initial Commit"
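Before running `git add .` on a real /etc it is worth checking what would actually be swept into the repository. The following is an added example (my own, not part of the original post or of FreeBSD): a small audit that flags files containing PEM private keys or passwd-format lines with a real hash in the password field, then compares each hit against an exact-path .gitignore like the one above. It assumes paths without whitespace, a .gitignore of exact paths rather than globs, and hashes in modular crypt format (`$id$salt$hash`, so traditional 13-character DES hashes are not caught); the sample tree it builds uses placeholder keys and hashes, not real ones.

```shell
#!/bin/sh
# Added example (not from the original post): audit a directory tree the way
# you would audit /etc before `git add .`, flagging files that hold private
# keys or password hashes and checking each against an exact-path .gitignore.
# Assumptions: paths contain no whitespace; the .gitignore lists exact paths
# (as the post's does) rather than glob patterns; hashes are in modular crypt
# format ($id$salt$hash), so traditional 13-character DES hashes are missed.

# Print (relative to DIR, sorted) every regular file that contains a PEM
# private key block or a passwd-format line whose hash field starts with '$'.
# /etc/passwd and pwd.db carry '*' in that field and so are not reported.
find_secret_files() {
    dir=$1
    ( cd "$dir" && find . -type f ! -path './.git/*' | sed 's|^\./||' | sort ) |
    while IFS= read -r f; do
        if grep -q 'PRIVATE KEY-----' "$dir/$f"; then
            echo "$f"
        elif grep -Eq '^[^:#]+:\$[^:]+:[0-9]+:[0-9]+:' "$dir/$f"; then
            echo "$f"
        fi
    done
}

# Exact-line match: is PATH (arg 2) listed in the .gitignore file (arg 1)?
gitignore_covers() {
    grep -Fqx "$2" "$1"
}

# Report each secret-bearing file under DIR as "ignored" or "EXPOSED";
# return 1 if anything would reach the repository.
audit_etc_secrets() {
    dir=$1 rc=0
    old_ifs=$IFS
    IFS='
'
    for f in $(find_secret_files "$dir"); do
        if [ -f "$dir/.gitignore" ] && gitignore_covers "$dir/.gitignore" "$f"; then
            echo "ignored: $f"
        else
            echo "EXPOSED: $f"
            rc=1
        fi
    done
    IFS=$old_ifs
    return $rc
}

# Constructed sample /etc (placeholders, not real keys or hashes) so the audit
# can be exercised without touching the real system.  rc.conf carries the
# post's IPv6 address to show that colon-separated data is not a false hit.
write_sample_etc() {
    mkdir -p "$1/ssh"
    printf '%s\n' 'root:$6$saltsalt$placeholderhashnotreal:0:0:0:0:Charlie &:/root:/bin/sh' \
        > "$1/master.passwd"
    printf '%s\n' 'root:*:0:0:Charlie &:/root:/bin/sh' > "$1/passwd"
    printf '%s\n' 'ifconfig_re0_ipv6="inet6 2a01:4f8:d12:148e::2/64"' > "$1/rc.conf"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'placeholder-not-a-real-key' \
        '-----END OPENSSH PRIVATE KEY-----' > "$1/ssh/ssh_host_rsa_key"
    printf '%s\n' 'ssh-rsa AAAAplaceholder root@shay.nono.com' > "$1/ssh/ssh_host_rsa_key.pub"
}
```

Run `audit_etc_secrets /etc` as root before the first commit; it prints one line per file that holds key or hash material and exits non-zero if any of them is missing from /etc/.gitignore. Note that the .pub files and passwd are not reported, which is why ignoring them is optional.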

Now let’s create a user with appropriate privileges:

  • sysinstall
  • Configure → User Management → Group
    • Group name: cunnie
    • GID: 2000
  • Configure → User Management → User
    • Login ID: cunnie
    • UID: 2000
    • Group: cunnie
    • Full name: Brian Cunnie
    • Member groups: wheel
    • Home directory: /home/cunnie
    • Login shell: /usr/local/bin/bash
  • Exit / OK → Exit / OK → Exit Install
  • visudo
    • uncomment this line: %wheel ALL=(ALL) NOPASSWD: ALL
    • (NOPASSWD means whoever holds your ssh key gets root with no further prompt; the `%wheel ALL=(ALL) ALL` line instead keeps a password prompt in front of sudo)
  • exit

Now let’s log in as the new user and set the IPv6 address based on the information in the IPs tab of the Hetzner web interface. Note that we set the ::2 address of our /64 to be our server’s IP address, and the ::1 address to be our default route.

ssh cunnie@shay.nono.com
git config --global user.name "Brian Cunnie"
git config --global user.email [email protected]
git config --global color.diff auto
git config --global color.status auto
git config --global color.branch auto
git config --global core.editor vim
 # I need the correct pager to see colors
vim ~/.profile
    PAGER=less;     export PAGER
sudo -e /etc/rc.conf # append the following
    # IPv6
    ipv6_default_interface="re0"
    ifconfig_re0_ipv6="inet6 2a01:4f8:d12:148e::2/64"
    # Set a static route using the xxx::1 address
    ipv6_defaultrouter="2a01:4f8:d12:148e::1"
mkdir ~/.ssh
chmod 700 ~/.ssh
sudo shutdown -r now

copy ssh keys in place (this overwrites any existing authorized_keys, which is fine on a fresh install):

 # from non-Hetzner machine
for ID in cunnie root; do
  scp ~/.ssh/id_nono.pub $ID@shay.nono.com:.ssh/authorized_keys
  # BatchMode makes ssh fail instead of falling back to a password prompt,
  # so this really does prove that the key works
  ssh -o BatchMode=yes $ID@shay.nono.com "id; echo does not require password"
done

Now we lock down ssh. First, we don’t allow root to log in directly. Secondly, we require an ssh-key to log in:

ssh cunnie@shay.nono.com
 # prevent root from logging in
 # require keys to log in
sudo vim /etc/ssh/sshd_config
  :%s/^PermitRootLogin yes/PermitRootLogin no/g
  :%s/.*#ChallengeResponseAuthentication yes/ChallengeResponseAuthentication no/
  # FreeBSD's sshd already defaults PasswordAuthentication to no; set it
  # explicitly anyway so the intent is obvious on inspection and survives upgrades
  :%s/.*#PasswordAuthentication no/PasswordAuthentication no/
  :wq!
 # sshd -t checks the config for errors before you restart; a broken config
 # would otherwise lock you out of the server
sudo /usr/sbin/sshd -t && sudo /etc/rc.d/sshd restart
 # test your changes from another window
 # whatever you do, don't close your existing ssh connection
 # the following should fail with `Permission denied (publickey).`
ssh root@shay.nono.com
 # the following should succeed because you have a key
ssh cunnie@shay.nono.com
 # check in the changes; sudo -E keeps your environment so the commit carries
 # your git identity rather than root's
cd /etc
sudo git add -u
sudo -E git commit -m"sshd is locked down"
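Editing sshd_config with substitutions and eyeballing the result is easy to get subtly wrong: sshd uses the first uncommented occurrence of a keyword, keyword matching is case-insensitive, and a keyword left commented out falls back to a compiled-in default that differs between FreeBSD's sshd and upstream OpenSSH. The following is an added example (my own, not from the post) that reads a config the way sshd does, reports any of the four settings above that is wrong or merely implicit, and produces a hardened copy. It goes beyond the post's two substitutions by also pinning PasswordAuthentication and PubkeyAuthentication explicitly; Match blocks are not handled, and the sample config it writes is constructed, not FreeBSD's shipped file.

```shell
#!/bin/sh
# Added example (not from the original post): read sshd_config the way sshd
# does (first uncommented occurrence of a keyword wins, keywords are
# case-insensitive) and check that the lockdown is explicit.  Match blocks
# are not handled, and anything left to the compiled-in default is treated
# as a finding, because that default differs between FreeBSD's sshd and
# upstream OpenSSH.

# Print the value sshd will use for KEYWORD (arg 2) in FILE (arg 1); print
# nothing if the keyword is not set explicitly.
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }   # comments and blank lines
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Verify the settings this post cares about.  Prints one line per problem;
# returns 0 only when every setting is explicit and has the wanted value.
check_sshd_lockdown() {
    rc=0
    for pair in PermitRootLogin=no PasswordAuthentication=no \
                ChallengeResponseAuthentication=no PubkeyAuthentication=yes; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(sshd_setting "$1" "$key" | tr 'A-Z' 'a-z')
        if [ -z "$got" ]; then
            echo "$key: not set explicitly (compiled-in default would apply)"
            rc=1
        elif [ "$got" != "$want" ]; then
            echo "$key: is '$got', want '$want'"
            rc=1
        fi
    done
    return $rc
}

# Write a hardened copy of FILE to stdout.  Rather than editing lines in
# place as the post's vim substitutions do, put the four settings first
# (first occurrence wins) and drop every other line, commented or not, that
# mentions them, so the file is unambiguous on inspection.
harden_sshd_config() {
    printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication no' \
                  'ChallengeResponseAuthentication no' 'PubkeyAuthentication yes'
    grep -Eiv '^[[:space:]]*#?[[:space:]]*(PermitRootLogin|PasswordAuthentication|ChallengeResponseAuthentication|PubkeyAuthentication)([[:space:]]|$)' "$1" || :
}

# Constructed sample resembling the state the post starts from: root login
# enabled, the other keywords present only as commented-out defaults.
write_sample_sshd_config() {
    cat > "$1" <<'EOF'
# constructed sample, not a real FreeBSD sshd_config
#Port 22
PermitRootLogin yes
#PubkeyAuthentication yes
#PasswordAuthentication no
#ChallengeResponseAuthentication yes
UsePAM yes
Subsystem sftp /usr/libexec/sftp-server
EOF
}
```

On the server, `check_sshd_lockdown /etc/ssh/sshd_config` after the edits above should print nothing and exit 0; if it complains that a setting is "not set explicitly", the substitution did not match the line it was aimed at. Still run `sshd -t` and test from a second window before trusting the restart, exactly as the post says.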

Publish the /etc repo to github. I publish mine to a public repo; if you decide to publish yours, use a private repo (unless you are confident that nothing you publish will compromise the security of your server):

sudo git remote add origin git@github.com:cunnie/shay.nono.com-etc.git
sudo -E git push -u origin master

If you see a message saying Permission denied (publickey) when you try to push to github, it is because the server itself has no key registered with github; enable ssh agent forwarding so the push can use the key held by the agent on your home machine. Bear in mind that a forwarded agent can be used by anyone with root on the server for as long as you are connected, which is acceptable for a server you administer yourself. This is what my ~/.ssh/config file looks like on my home machine:

Host shay shay.nono.com
        User cunnie
        IdentityFile ~/.ssh/id_nono
        ForwardAgent yes

Future posts will cover configuring a DNS nameserver and an NTP stratum 3 server.