FreeBSDwiki - User contributions [en]

Complete Workstation

2005-08-17T06:18:56Z

Sether: /* Installing common applications */ Text-browsers and introductory info

==Installing FreeBSD==

For this particular write-up, we'll be using FreeBSD 5.3 -- the 4.x series might be better for you if you've got old hardware, or if you're setting up a server, but for a workstation, we want the latest and greatest.

So, go get your FreeBSD CD -- ISO images available from ftp://ftp.freebsd.org/pub/FreeBSD/releases/i386/ISO-IMAGES/ -- login as anonymous and use your email address as your password and get the first disk's ISO, burn it and boot from it.

Not much will be different from the [[Installing_FreeBSD_-_Standard_Installation]], but you want to be sure to:
give /usr/home a lot of space -- /home is really a link to /usr/home
install the ports collection
create a group for your user
create a user and place the account in wheel
install and configure X
test the mouse daemon

==Choosing a desktop and booting into it==

Here you've got some choices, you can use a heavy desktop like [[Gnome]] or [[KDE]] -- ideal if you want an environment that's closer to the Microsoft Windows or Apple Macintosh approach to graphical user interfaces, but they can be slower to load and use on slower PCs -- or user a lighter desktop environment like [[Windowmaker]], [[xfce]] or [[blackbox]], which are less user friendly but much more responsive on machines with limited resources.

Once installed, you can start the X Window System with [[startx]]. This will launch [[twm]] if no other graphical user interface is specified in your [[.xinitrc]]. To start your GUI through a graphical login manager such as [[xdm]], [[gdm]], or [[kdm]], launch the one of your choice with root privileges. To make one of these login managers start when you first boot your system, modify this line in /etc/ttys:

ttyv8 "/usr/X11R6/bin/xdm -nodaemon" xterm off secure

Change "off" to "on" and change "/usr/X11R6/bin/xdm" to the path to the executable of the login manager you want to use.

==Installing common applications==
If you have installed KDE or Gnome, chances are many common workstation applications have been pre-installed for you. If you don't prefer these pre-installed applications, or if you are not running a large desktop environment with many applications, these are some suggestions.

'''Internet -- browsers, ftp, etc.'''
I like the Firefox browser; Opera's good and Mozilla isn't bad either, but they're both a bit heavy for my AMD Duron laptop. I don't need a whole lot of special stuff in it -- the only real customizations I add are my own bookmarks and some plugins, so I usually install via the [[pkg_add]] utility and I usually add the flash plugin while I'm at it:
pkg_add -r firefox flashplugin-firefox
Alternatively, you can use a text browser such as [[lynx]], [[links]], [[elinks]], [[w3m]], etc. if your workstation does not have the X Window System installed, or if you want an alternative browser with good keyboard control and faster browsing speeds. I recommend elinks as a text browser because of its active development, support for CSS, Javascript, tabbed browsing, and other improvements over links.

'''Email'''
[[Thunderbird]] is the GUI app of choice for me, or [[mutt]] if I want to check my mail from the CLI. If you really want something that's Outlook-esque, check Evolution out. /usr/ports/mail/gmail-notifier/ has something that [[http://gmail.com gmail]] users will want to check out (if you're also a Firefox user, you want to use "make -DWITH_MOZILLA=firefox install clean" to install it).

'''Productivity applications'''
If all you need is some sort of word processing, consider using an app that does just that -- abiword. If you really will need the full Office-type suite, OpenOffice.org seems to be a bit better than KOffice, although if you're running KDE, KOffice's integration with KDE is not to be discounted. If you get a fair amount of MS Word documents, you may want to look into the antiword port -- it converts .doc files into ASCII text. Xpdf is my PDF reader of choice.

'''Audio'''
I like XMMS, but amarok is pretty good too. Both are installable from ports. If you install amarok, you want to install via ports instead of pkg_add'ing it since there are some build-time customizations that you may want to look into. If you want to install the Real player, be sure and install it from /usr/ports/multimedia/linux-realplayer/ -- don't even bother trying to download it (BBC or otherwise).

'''Video'''
'''Graphics'''

==Security==

==Networking==

[[Category:FreeBSD for Workstations]] [[Category:Installation]]

Complete Workstation

2005-08-17T06:11:03Z

Sether: /* Choosing a desktop and booting into it */ Removed startx/.xinitrc/graphical login manager placeholder and filled in section

==Installing FreeBSD==

For this particular write-up, we'll be using FreeBSD 5.3 -- the 4.x series might be better for you if you've got old hardware, or if you're setting up a server, but for a workstation, we want the latest and greatest.

So, go get your FreeBSD CD -- ISO images available from ftp://ftp.freebsd.org/pub/FreeBSD/releases/i386/ISO-IMAGES/ -- login as anonymous and use your email address as your password and get the first disk's ISO, burn it and boot from it.

Not much will be different from the [[Installing_FreeBSD_-_Standard_Installation]], but you want to be sure to:
give /usr/home a lot of space -- /home is really a link to /usr/home
install the ports collection
create a group for your user
create a user and place the account in wheel
install and configure X
test the mouse daemon

==Choosing a desktop and booting into it==

Here you've got some choices, you can use a heavy desktop like [[Gnome]] or [[KDE]] -- ideal if you want an environment that's closer to the Microsoft Windows or Apple Macintosh approach to graphical user interfaces, but they can be slower to load and use on slower PCs -- or user a lighter desktop environment like [[Windowmaker]], [[xfce]] or [[blackbox]], which are less user friendly but much more responsive on machines with limited resources.

Once installed, you can start the X Window System with [[startx]]. This will launch [[twm]] if no other graphical user interface is specified in your [[.xinitrc]]. To start your GUI through a graphical login manager such as [[xdm]], [[gdm]], or [[kdm]], launch the one of your choice with root privileges. To make one of these login managers start when you first boot your system, modify this line in /etc/ttys:

ttyv8 "/usr/X11R6/bin/xdm -nodaemon" xterm off secure

Change "off" to "on" and change "/usr/X11R6/bin/xdm" to the path to the executable of the login manager you want to use.

==Installing common applications==
'''Internet -- browsers, ftp, etc.'''
I like the FireFox browser; Opera's good and Mozilla isn't bad either, but they're both a bit heavy for my AMD Duron laptop. I don't need a whole lot of special stuff in it -- the only real customizations I add are my own bookmarks and some plugins, so I usually install via the [[pkg_add]] utility and I usually add the flash plugin while I'm at it:
pkg_add -r firefox flashplugin-firefox

'''Email'''
[[Thunderbird]] is the GUI app of choice for me, or [[mutt]] if I want to check my mail from the CLI. If you really want something that's Outlook-esque, check Evolution out. /usr/ports/mail/gmail-notifier/ has something that [[http://gmail.com gmail]] users will want to check out (if you're also a Firefox user, you want to use "make -DWITH_MOZILLA=firefox install clean" to install it).

'''Productivity applications'''
If all you need is some sort of word processing, consider using an app that does just that -- abiword. If you really will need the full Office-type suite, OpenOffice.org seems to be a bit better than KOffice, although if you're running KDE, KOffice's integration with KDE is not to be discounted. If you get a fair amount of MS Word documents, you may want to look into the antiword port -- it converts .doc files into ASCII text. Xpdf is my PDF reader of choice.

'''Audio'''
I like XMMS, but amarok is pretty good too. Both are installable from ports. If you install amarok, you want to install via ports instead of pkg_add'ing it since there are some build-time customizations that you may want to look into. If you want to install the Real player, be sure and install it from /usr/ports/multimedia/linux-realplayer/ -- don't even bother trying to download it (BBC or otherwise).

'''Video'''
'''Graphics'''

==Security==

==Networking==

[[Category:FreeBSD for Workstations]] [[Category:Installation]]

Startx

2005-08-17T06:03:56Z

Sether: Fixed internal link

the command that you would use from the CLI to actually ''start'' the X windowing system GUI. Note that this doesn't start your [[desktop]], just the [[GUI]] itself. If you want to start [[gnome]], [[KDE]], [[xfce]] you'll have to find the command that runs that particular desktop; most of the time this is put in your [[.xinitrc]] file.

[[Category: Common Tasks]]
[[Category: FreeBSD for Workstations]]

Securing servers

2005-08-17T05:20:44Z

Sether: man security

Eventually we'll need sections or subarticles on various different security contexts. In the meantime, this is a start. See http://www.taosecurity.com/keeping_freebsd_up-to-date.html or [http://www.freebsd.org/cgi/man.cgi?query=security&apropos=0&sektion=0&manpath=FreeBSD+5.4-stable&format=html the security man page] for ways to keep your system secure.

==First Impressions Are Everything==

Login banners are useful sometimes, but since you'll likely already know what system you're logging into and what you're going to be using it for, will probably be unnecessary, and any extraneous information that they give when you login will usually be worthless to you but potentially useful to an attacker. If you want to change it (or remove it,) you'll need to:
1. edit /etc/motd (make it blank or put in a warning like "you're being logged" or "authorized
access ONLY" or something)
2. [[touch]] /etc/COPYRIGHT and
3. add ''update_motd="NO"'' to /etc/rc.conf.
4. reboot to verify that the changes are made and effective.

==Security in a local user context==

If your system has multiple users that have access to the box, you might want to restrict who can log on locally as well as over the network.

First, let's block anyone from logging into the machine as root -- this is default when logging in via [[ssh]] but let's make local users (at the console) log in with a regular account and then [[su]] to [[root]] if they want [[root]] access. Edit /etc/ttys and replace all the values marked "secure" with "insecure" in the tty sections. You can do this with [[sed]] if you like, but be ''very careful'' with this file, as a typo means you'll break logins. Consider making a backup of it, using something like this:
samizdata# sed s/secure/insecure/ /etc/ttys > /etc/ttys_new
samizdata# mv /etc/ttys /etc/ttys.bak && mv /etc/ttys_new /etc/ttys

You can also disallow logins from non-local consoles, or logins that are not from a specific domain or IP by editing the very well commented /etc/login.access file.

There is another way to disallow logins. Let's say you have a user that left, and you don't want to keep their account open because it's a potential hole (or just because you don't trust them), but you don't want to delete the account or its files just yet. Go to [[ /etc/master.passwd]] and change their password -- the second field, right after their '''username:''' field -- and delete it, replacing it with "*". Since no password hash will ever match "*", they'll never be able to login by authenticating against the password. However, you also have to be careful to either delete or move their [[ssh]] keys, since if you have [[sshd]] running, a user may still be able to authenticate against the '''keys''' without ever having to type in a password. Since we're going to be blocking the user, we might as well run [[chsh]] and change their shell from a valid login shell to something that you can't login with, like /sbin/nologin or another [[invalid shell]]. Note that this will break some programs -- some ftp daemons will not let you connect if you don't have a valid login shell, for example. (Also note that for this reason, if you need a lot of ftp-only users, it's best to pick an FTP daemon that can be configured to avoid this behavior.)

For more about controlling logins (locally or over the network), check /etc/login.access and see the excellent article by Michael W. Lucas at http://www.onlamp.com/pub/a/bsd/2001/06/28/Big_Scary_Daemons.html

'''things needed here:'''(cover common gotchas and SNAFUs concerning local security; ie preventing valid shell users from obtaining privileges they aren't supposed to have or doing damage they shouldn't be able to do. [[sudo]] is clearly a must with this one, as is some discussion of running daemons under special user accounts, and the dangers of overusing "nobody" to run daemons. a quick rundown of system files that permissions should be double-checked on, like /etc/passwd, /etc/master.passwd, /etc/group, and the databases associated with them should also be covered.)

==Security in an internet context==

'''what's listening?'''
We'll want to know what ports are open and listening. If you didn't follow the installation instructions and installed IPv6 support when you installed the system (like me), you'll want to check for IPv6 sockets as well as IPv4; become [[root]] and run [[sockstat]] with -46 as an argument; this will let you know the socket status for both IPv4 and IPv6 sockets (in this context, a socket = port + protocol). For more details, see the [[sockstat]] entry's section on security. Any services that don't ''need'' to be running should be disabled or uninstalled completely, if possible.

'''who's connecting?'''
Consider allowing only specific machines to connect to your system at all, or trusted networks only. Make changes in your hosts.allow and hosts.deny files as appropriate. Consider securing what users can log in at all by altering which shells they can use -- see [[chsh]] for how to do this.

==Authentication, Encryption and You==
FreeBSD encrypts passwords. Unfortunately, it doesn't do it the strongest way possible by default. The reason being that stronger encryption takes more effort to perform and can sometimes be slow. But if you're serious about making your machine harder to crack, you'll want to switch your password encryption from md5 to the blowfish algorithm. Blowfish has the benefit of being both fast and strong (military-grade strong.) This is a 4-step process.

1. edit /etc/login.conf and change the passwd_format entry to
:passwd_format=blf:\
2. rebuild the login.conf database with
samizdata# '''cap_mkdb /etc/login.conf'''
3. change all your user's passwords (or get them to change 'em by [[expiring_passwords|expiring their passwords]]) by running passwd for everyone (''INCLUDING ROOT''):
samizdata# passwd
4. you'll want to change the configuration file that the [[adduser]] program calls to use blowfish automagically. Do this by changing the ''crypt_default=md5'' line in [[/etc/auth.conf]] to ''crypt_default=blf'' so that any new accounts you make on the system use it from the get-go.

==Security in a local area network context==

(probably the shortest of the categories - specific things to watch for in an un-firewalled and extremely-high-bandwidth mostly-trusted environment.)

==Security through better logging==

(keeping time up to date with [[ntpd]] or regularly scheduled [[ntpdate]] - and it's worth noting that I've NEVER personally been able to get ntpd to actually update the damn system time, all it seems to do is maintain a drift file for me - but anyway, importance of keeping system time precise down to milliseconds for coordination of system logs with logs at ISPs and other servers involved in network attacks, use of [[tripwire]] or built-in daily root emails to monitor for changes in important system files, and also the benefits of either maintaining a separate log server or REGULARLY moving logs off-system to a machine that doesn't trust the server it's getting the logs from one damn bit. this topic may actually need to be moved to its own separate subarticle.)

----
----
----
----

Of course, each of these sections can themselves spawn entire new subsections / subarticles of their own. There's a ''reason'' entire books have been published on computer security! =)

Try to remember, when writing these articles, that "short and sweet" is best, when it comes to a single article. If at all possible, try to limit the scope of any given article to a page or two of text; if you need to refer to something that is going to run a few pages all by itself, consider writing a separate article for that topic and hyperlinking it for people who need it. For example, obviously [[firewall]]s need discussion in any internet-context security article, but instead of trying to go over setting one up in the midst of the internet security article itself, it's better to write one article about firewalls and another about the big picture, and just link them.

[[Category:Common Tasks]]
[[Category:Configuring FreeBSD]]
[[Category:Securing FreeBSD]]
[[Category:FreeBSD for Servers]]

Security (Why FreeBSD?)

2005-08-17T05:19:11Z

Sether: Reminder to see securing servers

:''[[Security]] redirects to this article about FreeBSD's security record. For information on securing FreeBSD, see [[Securing servers]].''

FreeBSD has a significantly better security record—particularly out-of-the-box security—than most Linux distributions. For example, a default FreeBSD installation includes OpenSSH configured to disallow root logins—a potential attacker must first know the account name of a user in the [[wheel]] group (because only users in group [[wheel]] can use [[su]]), log in as that user, and then [[su]] to root. Most Linux distributions instead install OpenSSH configured to allow root logins, which is more insecure because it allows a cracker to use an [http://www.k-otik.com/exploits/08202004.brutessh2.c.php automated program] to attempt dictionary or brute-force attacks against the root account.

Furthermore, because only users in group [[wheel]] can [[su]] to root, even if a remote attacker knows root's password, the attacker is powerless if he cannot access the account of a user in group [[wheel]].
[[Category:Why FreeBSD?]]

Rm

2005-08-17T04:50:25Z

Sether: How to alias a command (other than rm) to moving files to a "trash can"

Short for '''remove'''. Seriously, be careful when using this. There is no undelete once you've unlinked a file unless you've aliased [[rm]] to a [[mv]] script that moves files to a trash folder. This practice is not recommended because you will eventually find yourself on a system that doesn't have that alias and make a mistake. However, you can alias a different command to do this task by putting something like this in your startup file:

alias del "mv */! .trash"

==Common flags==

-r recursive -- same as -R
-f force -- do it and damn the consequences
-d directories
-i confirm before delete
-P overwrite files (with 0xFF's, 0x00's, and 0xFF's again) before deleting them
-v be verbose

==About the -P argument==

Use this argument with extreme care! If you use '''rm -P''' to remove a file that has hard links, the file will be immediately overwritten and its contents will be lost, thus not accessible via the links. For example :

$ '''echo 'Hello World' > foo'''
$ '''ln -h foo bar'''
$ '''cat foo bar'''
Hello World
Hello World
$ '''rm -P foo'''
$ '''cat bar'''
$ '''Hey !! where is bar contents ??'''
Hey, command not found

See also [[rmdir]]
[[Category:System Commands]]

User:Sether

2005-08-12T10:49:15Z

Sether:

My name is '''Seth'''. I'm currently a student at the University of California, Berkeley. I've been playing around with Unix-like operating systems for about 3 years now and I have about 2 years of experience with FreeBSD and other BSD descendants.

I've been doing the wiki thing for a little bit. You can find me on [[Wikipedia]] as [http://en.wikipedia.org/wiki/User:Sether Sether].

''There's {{NUMBEROFARTICLES}} articles on this wiki. ''

User:Sether

2005-08-12T10:43:56Z

Sether:

Gotchas, Linux

2005-08-12T10:32:35Z

Sether: Sun's licensing

==Things you should know if you're coming to FreeBSD from Linux==
# The kernels are different -- monolithic instead of microkernels, although FreeBSD does allow dynamic loading of modules (see [[kldstat]], [[kldload]], [[kldunload]].)
# You need to be a member of the wheel group to allow you to su to root.
# No iptables/netfilter: ipfw packet filter takes it's place, but you have to recompile your kernel to include it
# Init scripts: you're going to be doing it [[BSD]] style, not [[SysV]] style as in Linux. Translation: [[runlevels]] mean different things in BSD and [[init scripts]] are handled differently.
# No /[[proc]] tree. If you're used to banging around /proc to find system info, man [[sysctl]]. If you installed linux-compatibility, see /usr/compat/linux/proc
# You don't '''have''' to compile everything from ports, it's usually better for your particular system if you ''do''. See [[pkg_add]] and the other pkg tools.
# If in doubt, read the Handbook (or ask here).
# Different filesystems: linux uses ext2/ext3/reiserfs by default (usually) and FreeBSD uses UFS. It does not do journaling, but instead uses a system called soft-updates. Have a look [[http://www.usenix.org/publications/library/proceedings/usenix2000/general/seltzer.html here]] if you would like to know what this means. It seems that [[http://www.freebsd.org/projects/summerofcode.html Google]] might be helping to change this though.
# Java's a tough nut to install due to Sun's licensing restrictions. Deal.
# /stand/sysinstall will be quite useful to you at first.
# [[bash]] is not the default shell, [[csh]] or [[tcsh]] is. If you want to change that, see [[chsh]].
# Most linux distros use [[vim]], FreeBSD uses [[nvi]] by default. You can change this if it matters to you. Use /usr/ports/editors/vim-lite if you do not want to install the [[X windowing system]] else use /usr/ports/editors/vim.
# Your NIC is no longer eth0 or eth0 or whatever. FreeBSD names it's interfaces by the driver they use; you'll see rl0, ed0, hme0, etc.
# /etc/mtab doesn't show you mounts. [[mount]] and [[df]] do.
# Your hard disks are no longer /dev/hda or /dev/sda. Now they are /dev/ad0s1a. See [[partitions]].
# [[devinfo]] and [[swapinfo]] will do a lot of [[sysctl]] magic for you.
# Software RAID? See [[vinum]].
# Bandwidth limiting/traffic shaping? See [[dummynet]]
# Disk encryption? [[http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/disks-encrypting.html It's in the Handbook]]
# Shell scripts do not use '''seq 1 10'''. They use '''jot 10 1''' instead.
# /boot/loader.conf is where you set which kernel modules to load at boot time. /etc/rc.conf is where you set which system daemons to load at boot time. Or you can edit the startup scripts manually in /etc/rc.d (Some say this is the only way to do it, some say it doesn't matter. Your choice.)
# [[wget]] is replaced by [[fetch]]. Feel free to install wget if you don't want to learn another program, but they're very similar.
[[Category : Linux Equivalents]]

Linux

2005-08-12T10:31:03Z

Sether: Fuller article link

A Unix-like operating system. Many distributions exist; the closest analogue to FreeBSD being the Gentoo distribution: It has a ports system and places an emphasis on building packages and the system itself from source.

FreeBSD has a Linux compatibility layer that allows it to run Linux binaries (ELF) as if they were native FreeBSD programs; this may be useful if you find yourself needing to run a program that's only available as a linux binary. This is rare, but it happens.

See [http://www.onlamp.com/pub/a/bsd/2004/11/11/FreeBSD_Basics.html this excellent article by Dru Lavigne at ONLamp] [http://www.onlamp.com/pub/a/bsd/2005/01/13/FreeBSD_Basics.html or this other article (also by Dru Lavigne at ONLamp)] for more information on Linux and BSD differences. [[Matt Fuller]] has also written a good introduction to FreeBSD for Linux users which is available [http://www.over-yonder.net/~fullermd/rants/bsd4linux/bsd4linux1.php here].

[[Category:FreeBSD Terminology]]

GNU/Linux

2005-08-12T10:27:13Z

Sether: redirect to Linux

#REDIRECT [[Linux]]

Ports

2005-08-12T10:23:21Z

Sether: Created disambig

This is a disambiguation page for '''Ports'''-related articles.

*[[Ports tree]]
*[[Ports Tree, Updating]]
*[[Ports, searching]]
*[[Ports, Installing]]
*[[Ports Tree, Installing]]

Script to install common packages

2005-08-12T10:19:30Z

Sether: mention of instant-workstation

Here's a script that will install common stuff you might want on a workstation. Comment out the things you don't want and uncomment the things you ''do'' want -- this is just my preference.

#!/bin/sh
#
#install desktop stuff
#
pkg_add -r xorg
pkg_add -r xfce4 rox rox-mime-editor rox-session
#pkg_add -r windowmaker
#pkg_add -r gnome
#pkg_add -r kde
pkg_add -r xscreensaver
pkg_add -r gdm
#
# teh interwebaolnetslice stuff
pkg_add -r firefox thunderbird flashplugin-firefox
pkg_add -r curl wget
#pkg_add -r mozilla flashplugin-mozilla
pkg_add -r gaim gaim-encryption
#pkg_add -r gdesklets
#
#
# multimedia majicking stuff
pkg_add -r xmms
pkg_add -r cdparanoia
pkg_add -r grip
pkg_add -r lame
#
# various
#pkg_add -r filezilla
pkg_add -r rdesktop grdesktop
pkg_add -r sharity-light
pkg_add -r bash3
#
# file utilities
pkg_add -r unrar
pkg_add -r unzip
#
# file reading/office stuff
pkg_add -r xpdf
#pkg_add -r openofficeorg

You might also want to consider installing /misc/instant-workstation.

[[Category:FreeBSD for Workstations]]