Assuming the network is already up and running.
This is all provided by those scripts (note that they are fetched over plain HTTP and then run as root, so read through them before executing them):
mkdir -p ~/bin/
cd ~/bin/
ftp -a http://pub.nethence.com/bin/netbsdconf.ksh.txt
ftp -a http://pub.nethence.com/bin/netbsdconfpkg.ksh.txt
cp -i netbsdconf.ksh.txt netbsdconf.ksh
cp -i netbsdconfpkg.ksh.txt netbsdconfpkg.ksh
chmod +x netbsdconf.ksh netbsdconfpkg.ksh
./netbsdconf.ksh > netbsdconf.log
./netbsdconfpkg.ksh > netbsdconfpkg.log
Don't forget to define a trust store (without one, outbound TLS connections cannot be verified):
uname -r
echo $PKG_PATH
pkg_add mozilla-rootcerts
cp -i /usr/share/examples/openssl/openssl.cnf /etc/openssl/
mozilla-rootcerts install
and check (look for `Verify return code: 0 (ok)` in the s_client output, and curl should not complain about the certificate):
ls -lF /etc/openssl/certs/
ls -lF /etc/openssl/certs/ca-certificates.crt
echo Q | openssl s_client -connect somesiteforchecking.tld:443
curl -I https://os3.su/
Define a password for root, both for a minimum of physical security (by that I mean console login) and to stop the daily report from warning about it every day:
passwd
Tune the daily report AT THE END — otherwise you would get `sendmail: fatal: root(0): No recipient addresses found in message header`:
cp -pi /etc/daily /etc/daily.dist
vi /etc/daily
echo
echo BACKUP
echo
time nice /root/backup.ksh
echo
echo UPLOAD
echo
time nice /root/upload.ksh
echo
echo Who\'s who
echo
w -w
echo
echo Routing table
echo
netstat -rn -f inet,inet6
echo
echo ARP table
echo
arp -a
echo
echo Top 10 processes
echo
top -b 10
echo
echo Processes
echo
ps auxww | sort # by user
echo
echo Sockets ip4
echo
sockstat -4 -l
echo
echo Sockets ip6
echo
sockstat -6 -l
echo
echo Connections
echo
netstat -a -f inet,inet6
echo
and optionally (SUBNET and REMOTE-CIDR are placeholders for the networks you administer):
echo PING SCAN
/usr/pkg/bin/nmap -sn -oG - SUBNET
arp -a
echo
echo TOP 1000 PORTS
time /usr/pkg/bin/nmap -sTUV -oG - REMOTE-CIDR #-Pn -T4 -p0-65535
echo
Tune the weekly report:
cp -pi /etc/weekly /etc/weekly.dist
vi /etc/weekly
#self verbose
/usr/pkg/bin/certbot certificates
/usr/pkg/bin/certbot renew && /root/RELOAD-SSL
Fix up the cron jobs:
crontab -e
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/pkg/bin:/usr/local/bin
#*/10 * * * * /usr/libexec/atrun
00 0 * * * /usr/bin/newsyslog
30 5 1 * * /bin/sh /etc/monthly 2>&1 | tee /var/log/monthly.out | sendmail -t
Enable indexing (check /etc/weekly → rebuild_locatedb):
ls -lF /var/db/locate.database
su -m nobody -c /usr/libexec/locate.updatedb 2>/dev/null
For patching the base system see patch
For post-installation see netbsd-packages
For maintaining packages see pkgsrc
Make sure the system is clean (nothing unexpected running or listening):
ps auxww
netstat -an -f inet,inet6
cat /etc/resolv.conf
vi ~/log
tail -F /var/log/messages
chmod +x log
For easy troubleshooting:
cp -pi /etc/syslog.conf /etc/syslog.conf.dist
vi /etc/syslog.conf
*.err;kern.*;auth.notice;authpriv.none;mail.crit	/dev/console
*.emerg	*
*.info	/var/log/messages
or, if this is a mail exchanger, maybe:
*.err;kern.*;auth.notice;authpriv.none;mail.crit	/dev/console
*.emerg	*
mail.info	/var/log/maillog
*.info;mail.none	/var/log/messages
Fix the permissions so the log is readable by root only (it should look like this) and apply:
-rw------- 1 root wheel 105K May 3 15:15 /var/log/messages
service syslogd restart
Optionally set up ntp – not sure this is needed for xen guests:
mv -i /etc/ntp.conf /etc/ntp.conf.dist
sed '/^$/d;/^#/d;' /etc/ntp.conf.dist > /etc/ntp.conf
vi /etc/ntp.conf
#server ntp.obspm.fr
#server ntp1.online.net
#server ntp2.online.net
server 0.ru.pool.ntp.org
server 1.ru.pool.ntp.org
server 2.ru.pool.ntp.org
server 3.ru.pool.ntp.org
vi /etc/rc.conf
ntpdate=yes
ntpdate_flags="-u -b -s"
ntpd=yes
ntpd_flags=""
grep ^server /etc/ntp.conf
ntpdate -u ...
service ntpd start
ntpq -p
The ntpdate service looks at the `^server` lines in /etc/ntp.conf at boot time.
Optionally define a smarthost and fix your origin so the bounces are also sent to your MX (assuming you have set up an FQDN in /etc/myname; otherwise fix it with `myhostname =` or `mydomain =`):
cd /etc/postfix/
mv -i main.cf main.cf.dist
sed '/^[[:space:]]*#/d; /^[[:space:]]*$/d' main.cf.dist > main.cf
vi main.cf
relayhost = SMARTHOST
myhostname = lala.example.net
myorigin = lala.example.net
mydomain = example.net
service postfix restart
and set up an email alias for root:
mv -i /etc/mail/aliases /etc/mail/aliases.dist
sed '/^[[:space:]]*#/d; /^[[:space:]]*$/d' /etc/mail/aliases.dist > /etc/mail/aliases
vi /etc/mail/aliases
root: REAL_EMAIL
newaliases
tail -F /var/log/maillog &
date | mailx -s `hostname` root
mailq
Setting up NetBSD https://users.ics.aalto.fi/kaip/netbsd.html