Setting up NetBSD

Assuming the network is already up and running.

Scripted post-installation

The steps below are all done by these two scripts:

mkdir -p ~/bin/
cd ~/bin/
ftp -a http://pub.nethence.com/bin/netbsdconf.ksh.txt
ftp -a http://pub.nethence.com/bin/netbsdconfpkg.ksh.txt
cp -i netbsdconf.ksh.txt netbsdconf.ksh
cp -i netbsdconfpkg.ksh.txt netbsdconfpkg.ksh
chmod +x netbsdconf.ksh netbsdconfpkg.ksh
./netbsdconf.ksh > netbsdconf.log
./netbsdconfpkg.ksh > netbsdconfpkg.log
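The two scripts are fetched over plain http and then run as root, so pin them to digests you have checked out of band before executing anything. The helper below is an added example, not part of the page nor of the netbsdconf scripts: the digests in the usage lines are placeholders you substitute, and it tries the digest tools found on NetBSD (cksum -a SHA256) and on Linux (sha256sum) so it can be exercised anywhere.

```shell
#!/bin/sh
# Added example, not from the page: pin a downloaded script to a known SHA-256
# before it is made executable.  Digests in the usage lines are placeholders.

# Print the hex SHA-256 of file $1 with whichever tool the host has
# (sha256sum on Linux, cksum -a SHA256 on NetBSD, openssl as last resort).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif cksum -a SHA256 "$1" >/dev/null 2>&1; then
        cksum -a SHA256 "$1" | awk '{print $NF}'      # "SHA256 (file) = hex"
    elif command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha256 "$1" | awk '{print $NF}'  # "SHA256(file)= hex"
    else
        echo "no SHA-256 tool found" >&2
        return 2
    fi
}

# Return 0 if file $1 has SHA-256 $2 (hex, either case), 1 otherwise, 2 on tool error.
verify_sha256() {
    actual=$(sha256_of "$1") || return 2
    [ "$(printf '%s' "$actual" | tr 'A-F' 'a-f')" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# Fetch $1 into $2 with NetBSD's ftp(1) and keep it only if it matches digest $3.
# Nothing becomes executable until the digest matches.
fetch_pinned() {
    ftp -a -o "$2" "$1" || return 1
    if verify_sha256 "$2" "$3"; then
        chmod +x "$2"
    else
        echo "digest mismatch for $1, discarding $2" >&2
        rm -f "$2"
        return 1
    fi
}

# Usage (DIGEST_... are placeholders for values obtained out of band):
# fetch_pinned http://pub.nethence.com/bin/netbsdconf.ksh.txt ~/bin/netbsdconf.ksh DIGEST_NETBSDCONF
# fetch_pinned http://pub.nethence.com/bin/netbsdconfpkg.ksh.txt ~/bin/netbsdconfpkg.ksh DIGEST_NETBSDCONFPKG
```

Until the digests are known, at least read the two files before the chmod; a pinned digest also catches a silently changed copy on the mirror later on.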

Don't forget to define a trust store, otherwise TLS clients such as curl have nothing to verify server certificates against (NetBSD 10 ships certctl(8) in base for this; the pkgsrc route below also works on older releases)

    uname -r
    echo $PKG_PATH
    pkg_add mozilla-rootcerts
    cp -i /usr/share/examples/openssl/openssl.cnf /etc/openssl/
    mozilla-rootcerts install

and check: the bundle should be populated, openssl should report Verify return code: 0 (ok), and curl should not complain about the certificate

    ls -lF /etc/openssl/certs/
    ls -lF /etc/openssl/certs/ca-certificates.crt
    echo Q | openssl s_client -connect somesiteforchecking.tld:443 2>&1 | grep 'Verify return code'
    curl -I https://os3.su/

Finish-up manually

Set a root password: it is the minimum of physical security (console login), and it stops the daily security report from warning about a passwordless root account every day

passwd

Tune the daily report by appending AT THE END of /etc/daily, after the lines near the top that print the To: and Subject: mail headers; output inserted before them breaks the header block and the report fails with sendmail: fatal: root(0): No recipient addresses found in message header

cp -pi /etc/daily /etc/daily.dist
vi /etc/daily

echo

echo BACKUP
echo
time nice /root/backup.ksh
echo

echo UPLOAD
echo
time nice /root/upload.ksh
echo

echo Who\'s who
echo
w -w
echo

echo Routing table
echo
netstat -rn -f inet,inet6
echo

echo ARP table
echo
arp -a
echo

echo Top 10 processes
echo
top -b 10
echo

echo Processes
echo
ps auxww | sort # by user
echo

echo Sockets ip4
echo
sockstat -4 -l
echo

echo Sockets ip6
echo
sockstat -6 -l
echo

echo Connections
echo
netstat -a -f inet,inet6
echo

and optionally, with nmap from pkgsrc (the UDP part of -sTUV needs root, which the daily job has; fill in SUBNET and REMOTE-CIDR)

    echo PING SCAN
    /usr/pkg/bin/nmap -sn -oG - SUBNET
    arp -a
    echo

    echo TOP 1000 PORTS
    time /usr/pkg/bin/nmap -sTUV -oG - REMOTE-CIDR
    #-Pn -T4 -p0-65535
    echo
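A scan dump in the daily mail is only worth reading when it is compared with the previous one. As an added example (not the page's own code), the following turns nmap's greppable (-oG) output into one "host port/proto service" line per open port and diffs that against a saved baseline, so the daily report can list only new or vanished listeners. The scan output is constructed inline, not a real result; open|filtered UDP ports are deliberately skipped as inconclusive, and the baseline file path is whatever you choose to keep between runs.

```shell
#!/bin/sh
# Added example, not from the page: turn nmap -oG output into a baseline and diff it.

# Print "host port/proto service" for every port nmap reports as open.
# Greppable lines are tab-separated; a Ports: entry looks like
# port/state/proto/owner/service/rpcinfo/version/ and entries are joined by ", ".
nmap_open_ports() {
    awk -F'\t' '
        /^Host:/ {
            split($1, h, " "); host = h[2]
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                sub(/^Ports: /, "", $i)
                n = split($i, p, /, */)
                for (j = 1; j <= n; j++) {
                    split(p[j], f, "/")
                    if (f[2] == "open")   # skips open|filtered, filtered, closed
                        print host, f[1] "/" f[3], (f[5] == "" ? "unknown" : f[5])
                }
            }
        }' "$@"
}

# $1 = baseline file (earlier nmap_open_ports output), $2 = today's -oG file.
# Prints "+ line" for listeners absent from the baseline, "- line" for vanished ones.
nmap_diff_baseline() {
    cur=$(mktemp) || return 2
    nmap_open_ports "$2" | sort -u >"$cur"
    sort -u "$1" | comm -3 - "$cur" | awk -F'\t' 'NF == 2 { print "+ " $2; next } { print "- " $0 }'
    rm -f "$cur"
}

# Constructed sample of nmap -oG output (not a real scan result).
sample_gnmap() {
    T=$(printf '\t')
    printf '%s\n' \
        '# Nmap scan report (constructed sample)' \
        "Host: 192.0.2.10 ()${T}Status: Up" \
        "Host: 192.0.2.10 ()${T}Ports: 22/open/tcp//ssh//OpenSSH/, 80/open/tcp//http//nginx/, 123/open|filtered/udp//ntp///${T}Ignored State: closed (998)" \
        "Host: 192.0.2.11 ()${T}Status: Up" \
        "Host: 192.0.2.11 ()${T}Ports: 25/open/tcp//smtp//Postfix smtpd/"
}

# Demo: the baseline still had 443/tcp on .10 and did not know .11 yet.
g=$(mktemp); sample_gnmap >"$g"
b=$(mktemp); printf '%s\n' '192.0.2.10 22/tcp ssh' '192.0.2.10 80/tcp http' '192.0.2.10 443/tcp https' >"$b"
nmap_diff_baseline "$b" "$g"
rm -f "$g" "$b"
```

In /etc/daily you would save the -oG output to a file, print nmap_diff_baseline against yesterday's list, then overwrite the baseline with today's nmap_open_ports output; an empty diff means nothing on the segment changed.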

tune the weekly report (same remark: append after the mail header block)

cp -pi /etc/weekly /etc/weekly.dist
vi /etc/weekly

# certbot is verbose on its own, no heading needed
/usr/pkg/bin/certbot certificates
/usr/pkg/bin/certbot renew && /root/RELOAD-SSL

Note that certbot renew exits 0 even when nothing was due, so RELOAD-SSL runs every week; passing it as --deploy-hook to certbot renew instead reloads only after an actual renewal.

fix up root's cron jobs

crontab -e

PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/pkg/bin:/usr/local/bin

#*/10   *       *       *       *       /usr/libexec/atrun
00      0       *       *       *       /usr/bin/newsyslog
30      5       1       *       *       /bin/sh /etc/monthly 2>&1 | tee /var/log/monthly.out | sendmail -t

enable indexing (this is what rebuild_locatedb in /etc/weekly does; set rebuild_locatedb=YES in /etc/weekly.conf if it is not already) and build the database right away, as the weekly job does it

ls -lF /var/db/locate.database
su -m nobody -c /usr/libexec/locate.updatedb 2>/dev/null

Packages & patching

For patching the base system see patch

For post-installation see netbsd-packages

For maintaining packages see pkgsrc

Operations

Make sure the box is clean: nothing unexpected running, listening or connecting, and the resolver pointing where you expect

ps auxww
netstat -an -f inet,inet6
cat /etc/resolv.conf

and keep a one-line helper around to follow the logs, ~/log:

vi ~/log

tail -F /var/log/messages

chmod +x log

Additional notes

syslog

For easier troubleshooting, send everything at info and above to /var/log/messages

cp -pi /etc/syslog.conf /etc/syslog.conf.dist
vi /etc/syslog.conf

*.err;kern.*;auth.notice;authpriv.none;mail.crit        /dev/console
*.emerg                                                 *
*.info                                                  /var/log/messages

or, on a mail exchanger, keep the mail chatter out of messages

*.err;kern.*;auth.notice;authpriv.none;mail.crit        /dev/console
*.emerg                                                 *
mail.info                                               /var/log/maillog
*.info;mail.none                                        /var/log/messages

*.info also routes authpriv (login attempts and the like) into /var/log/messages, so make the file root-only (mode 0600, as below) and set the same mode in its /etc/newsyslog.conf entry so rotation does not reopen it world-readable, then apply

-rw-------   1 root    wheel    105K May  3 15:15 /var/log/messages

service syslogd restart

ntp

Optionally set up ntp (it may not be needed on a Xen guest, which can take its clock from dom0)

mv -i /etc/ntp.conf /etc/ntp.conf.dist
sed '/^$/d;/^#/d;' /etc/ntp.conf.dist > /etc/ntp.conf
vi /etc/ntp.conf

#server          ntp.obspm.fr
#server          ntp1.online.net
#server          ntp2.online.net

server 0.ru.pool.ntp.org
server 1.ru.pool.ntp.org
server 2.ru.pool.ntp.org
server 3.ru.pool.ntp.org

vi /etc/rc.conf

ntpdate=yes ntpdate_flags="-u -b -s"
ntpd=yes    ntpd_flags=""

grep ^server /etc/ntp.conf
ntpdate -u ...
service ntpd start
ntpq -p

The ntpdate rc script takes the hosts to query from the ^server lines of /etc/ntp.conf at boot time, unless ntpdate_hosts is set in rc.conf.

outgoing messages

Optionally define a smarthost, and fix the origin so bounces also end up at your MX (this assumes an FQDN in /etc/myname; otherwise set myhostname = and mydomain = by hand),

cd /etc/postfix/
mv -i main.cf main.cf.dist
sed '/^[[:space:]]*#/d; /^[[:space:]]*$/d' main.cf.dist > main.cf
vi main.cf

relayhost = SMARTHOST
myhostname = lala.example.net
myorigin = lala.example.net
mydomain = example.net

service postfix restart

and set up an alias for root, so the daily and weekly reports reach a mailbox someone actually reads,

mv -i /etc/mail/aliases /etc/mail/aliases.dist
sed '/^[[:space:]]*#/d; /^[[:space:]]*$/d' /etc/mail/aliases.dist > /etc/mail/aliases
vi /etc/mail/aliases

root:       REAL_EMAIL

newaliases
tail -F /var/log/maillog &
date | mailx -s `hostname` root
mailq
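Reports to root are only useful if the alias chain ends at a mailbox someone reads, and newaliases only rebuilds the database: a loop or a dangling chain shows up at delivery time. As an added example (not the page's own code), here is a small resolver that follows aliases(5) chains in a file laid out like /etc/mail/aliases and refuses loops. The sample aliases file is constructed inline; it assumes plain "name: target, target" lines and does not handle continuation lines, :include: files or |command targets.

```shell
#!/bin/sh
# Added example, not from the page: resolve an aliases(5) chain and detect loops.

# resolve_alias FILE NAME [VISITED]
# Prints the final recipients NAME expands to, one per line.  Names without an
# entry in FILE are printed as-is (local mailbox or external address).
# Returns 1 on an alias loop.  Assumes "name: target, target" lines with optional
# comments and blank lines; continuation lines and :include: are not handled.
resolve_alias() {
    case " $3 " in
        *" $2 "*) echo "alias loop at $2 (chain:$3)" >&2; return 1 ;;
    esac
    # positional parameters are local to the function, so recursion cannot clobber them
    set -- "$1" "$2" "$3 $2" "$(awk -v n="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { key = $1; sub(/:$/, "", key) }
        key == n { $1 = ""; gsub(/,/, " "); print; exit }' "$1")"
    if [ -z "$4" ]; then
        printf '%s\n' "$2"
        return 0
    fi
    for t in $4; do
        resolve_alias "$1" "$t" "$3" || return 1
    done
}

# Constructed sample aliases file (not a copy of /etc/mail/aliases); prints its path.
sample_aliases() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
# constructed example
root:        admin
postmaster:  root
admin:       ops@example.net, pager@example.net
loopa:       loopb
loopb:       loopa
EOF
    printf '%s\n' "$f"
}

# Demo
f=$(sample_aliases)
echo "root resolves to:"; resolve_alias "$f" root
resolve_alias "$f" loopa || echo "(loop reported, as expected)"
rm -f "$f"
```

Run it as resolve_alias /etc/mail/aliases root after editing: the output should be the REAL_EMAIL address, not "root" (which would mean the entry was not picked up) and not a loop error.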

Resources

Setting up NetBSD https://users.ics.aalto.fi/kaip/netbsd.html


Copyright © 2024 Pierre-Philipp Braun