private-schrijfsels-en-notities/2022/FreeBSD notes.markdown

# FreeBSD notes

## VIM

**Disable mouse**

`echo "set mouse-=a" >> ~/.vimrc`

**Mac keyboard backspace fix**

`set backspace=indent,eol,start`

## OpenSSH faster connection dropping

Restricting users by not allowing explicit ssh access can improve your ssh server connections.
In the default FreeBSD `/etc/ssh/sshd_config` configuration the `MaxAuthTries` is `3`. Which means all system users can try up to 3 times before the connection is gracefull dropped. 

We will create an explicit `ssh` group to have fine control over who may login over ssh and who is directly disconnected. By enabling this, an attacker could guess user account names if there are authentication tries or not.

SSH for the root user is always a bad idea, but in some setups it is necessary. For the truely paranoid root user access can be further restricted based on IP address and ssh-key only.

The normal behaviour when ssh to a machine wil look like this even with `PermitRootLogin no` set:

```
jerry@jerrys-MacBook-Pro ~ % ssh 192.168.2.100 -lroot
Password for root@pineapple.xor-gate.org:
Password for root@pineapple.xor-gate.org:
Password for root@pineapple.xor-gate.org:
root@192.168.2.100: Permission denied (publickey,keyboard-interactive).
```

When the global `MaxAuthTries 0` and a match block is used then the connection is immediatelly dropped:

```
jerry@jerrys-MacBook-Pro ~ % ssh 192.168.2.100 -lroot
Received disconnect from 192.168.2.100 port 22:2: Too many authentication failures
Disconnected from 192.168.2.100 port 22
```

```
MaxAuthTries 0

Match Group ssh
        MaxAuthTries 3
```

## Protecting SSH with sshguard on pf

Install ssh guard

```
# pkg install sshguard
```

Modify (or create) `/etc/pf.conf` with the `sshguard`  firewall table. First we block all traffic. Also double check you don't have a rule before the SSHGuard rule that allows access.

```
ext_if = igb0

table <sshguard> persist

block all

block drop in log quick on $ext_if inet from <sshguard> to any

pass in
```

Enable pf firewall in the `rc.conf`
```
pf_enable="YES"
pf_rules="/etc/pf.conf"
```

```
# service pf reload
Reloading pf rules.
pfctl: /dev/pf: No such file or directory
```

The pf kernel device node doesn't exist so it is not loaded

```
# kldload pf
```

Or start pf using the rc script:

```
# /etc/rc.d/pf start
```

To show the blocked IPs use pfctl show on the sshguard table:

```
pfctl -t sshguard -T show
```

This slows down brute-force attacks:

```
Mar 25 07:44:29 pineapple sshd[87092]: Disconnecting invalid user pi 118.161.193.40 port 54511: Too many authentication failures [preauth]
Mar 25 07:45:07 pineapple sshd[87166]: error: maximum authentication attempts exceeded for root from 118.161.193.40 port 54556 ssh2 [preauth]
Mar 25 07:45:07 pineapple sshd[87166]: Disconnecting authenticating user root 118.161.193.40 port 54556: Too many authentication failures [preauth]
Mar 25 07:45:29 pineapple sshd[87808]: Invalid user oracle from 118.161.193.40 port 54563
Mar 25 07:45:29 pineapple sshd[87808]: error: maximum authentication attempts exceeded for invalid user oracle from 118.161.193.40 port 54563 ssh2 [preauth]
Mar 25 07:45:29 pineapple sshd[87808]: Disconnecting invalid user oracle 118.161.193.40 port 54563: Too many authentication failures [preauth]
Mar 25 07:45:44 pineapple sshd[88058]: Invalid user sFTPUser from 118.161.193.40 port 54598
```

See also https://forums.freebsd.org/threads/howto-set-up-and-configure-security-sshguard-pf.39196/

## User management

### Set default shell

For existing users, use the chsh command (“change shell”):

```
chsh -s SHELL USER
chsh -s /usr/local/bin/bash root
```
For future users:

Edit `/etc/pw.conf` defaultshell keywords
When use `adduser()`, choose necessary shell

### Add new group and add user to group

```
root@pineapple:/home/jerry # pw group add ssh
root@pineapple:/home/jerry # pw user mod jerry -G wheel,ssh,jerry
root@pineapple:/home/jerry # groups jerry
jerry wheel jerry ssh
```

### Changing user information (interactive)

`chfn`
or
`chpass`

## Securing

* <https://fleximus.org/howto/secure-freebsd>

## Networking

* <https://www.cyberciti.biz/faq/freebsd-unix-force-dhcp-client-to-get-a-new-lease/>

## Hardware info

<https://www.cyberciti.biz/tips/freebsd-display-information-about-the-system.html>

* `dmidecode`
* `sysctl -a hw.model`
* `uname -mrs`
* `pciconf -lv`
* `usbconfig`
* `camcontrol devlist`

Disk

<https://linuxhint.com/list-disks-freebsd/>

* `geom disk list`
* `sysctl kern.disks`
* `gpart show ada0`

# Jails on ZFS

We run Jails on ZFS subvolumes to easily create, destory and manage the jails

See also https://docs.freebsd.org/en/books/handbook/jails/

```
zfs create zpool/jails
zfs set mountpoint=/data/jails zpool/jails
zfs create zpool/jails/<jailname>
```

Create `/etc/jail.conf` (see `man jail.conf`)

```
# Typical static defaults:
# Use the rc scripts to start and stop jails.  Mount jail's /dev.
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown jail";
exec.clean;
mount.devfs;

# Dynamic wildcard parameter:
# Base the path off the jail name.
path = "/data/jails/$name";

gitea {
	ip4.addr = 192.168.2.200;
}
```

Enable jail service `/etc/rc.conf`
```
jail_enable="YES"
```

Use `bsdinstall` to download a FreeBSD installation. NOTE for installation FTP client (proxy) must be allowed in the firewall. Or a HTTP mirror must be selected...

```
# bsdinstall jail /here/is/the/jail
```

Start all jails or single
```
service jail start
service jail start <jailname>
```

Don't forget to install SSH for easy management to the jail (instead of chrooting into the folder)

```
chroot /here/is/the/jail
pkg install ssh
```

Enable ssh in `/etc/rc.conf` 
```
sshd_enable="YES"
```

```
vi /etc/ssh/sshd_config
# change the PermitRootLogin line to "yes" and remove the comment sign at the start
sysrc sshd_enable="YES"
service sshd start
passwd
# enter root password for your jail's root user
```

Restart jail

```
service jail restart <jailname>
```

# PF firewall enable FTP client using ftpproxy

Install ftp proxy

```
pkg install ftpproxy
```