
Sakura VPS FreeBSD setup memo

Grant administrator privileges

Add the user to the wheel group; on FreeBSD only wheel members may su to root.

-- /etc/group
wheel:*:0:root,[username]

Change the shell to bash

# cd /usr/ports/shells/bash
# make config-recursive
# make install clean
# chsh -s /usr/local/bin/bash [username]

Give chsh the user name: run as root without it, it changes root's own shell to bash, which lives under /usr/local and may not be available in single-user mode.

Set the clock

-- /etc/rc.conf
ntpd_enable="YES"

Specify the NTP servers. Because of restrict default ignore, every server line needs a matching restrict entry for that host's address (210.173.160.27/57/87 are ntp1/2/3.jst.mfeed.ad.jp); without it the server's replies are dropped.

-- /etc/ntp.conf
server -4 ntp1.jst.mfeed.ad.jp
server -4 ntp2.jst.mfeed.ad.jp
server -4 ntp3.jst.mfeed.ad.jp
restrict default ignore
restrict 127.0.0.1
restrict 210.173.160.27 nomodify nopeer noquery notrap
restrict 210.173.160.57 nomodify nopeer noquery notrap
restrict 210.173.160.87 nomodify nopeer noquery notrap

Run:

# /etc/rc.d/ntpd restart
# ntpq -p

After a few minutes ntpq -p should mark the selected peer with * in the first column.

Set up the firewall

-- /etc/rc.conf
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"

For now, open only the ssh, http and ntp ports. sshd is moved to port 443 in the sshd section below, so the "ssh" rules use 443, not 22.

-- /usr/local/etc/ipfw.rules
#! /bin/sh
IPF="ipfw -q add"
ipfw -q -f flush

# loopback: allow lo0, refuse 127/8 on any other interface
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag

# stateful
$IPF 50 check-state
# "established" matches any packet with ACK or RST set, statelessly; with
# rule 70 keeping state it is redundant and only widens the inbound filter
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any

# ssh (sshd listens on 443, see the sshd section)
$IPF 110 allow tcp from any to any 443 in
$IPF 115 allow tcp from any to any 443 out
# http
$IPF 120 allow tcp from any to any 80 in
$IPF 125 allow tcp from any to any 80 out
# ntp
$IPF 130 allow udp from any to any 123 in
$IPF 135 allow udp from any to any 123 out

# deny and log everything else
$IPF 500 deny log all from any to any

Run:

# /etc/rc.d/ipfw start

Do this with the VPS console open: a mistake in the rule set cuts off ssh, and on a kernel whose default rule 65535 is deny there is nothing but the console to fix it from.
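An added example (not from the original memo) that generates the rule file above from a list of proto:port services and loads it behind a lock-out guard: if the flag file is not removed within the window, the guard flushes the rules and installs a single allow-all so a locked-out admin can get back in. The helper names gen_ipfw_rules and apply_with_guard, the flag file path, and the use of setup keep-state on the inbound rules (instead of the memo's stateless in/out pairs) are this example's own choices.

```sh
#!/bin/sh
# Added example, not from the original memo: build the ipfw rule set from a
# service list and apply it behind a lock-out guard.  Rule layout follows the
# memo (lo0, stateful, per-service, default deny); helper names and the guard
# flag file are this example's own.

# gen_ipfw_rules tcp:443 tcp:80 udp:123  -> writes an ipfw script to stdout
gen_ipfw_rules() {
    cat <<'EOF'
#! /bin/sh
IPF="ipfw -q add"
ipfw -q -f flush

# loopback: allow lo0, refuse 127/8 on any other interface
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag

# stateful: outbound traffic creates state, replies match check-state
$IPF 50 check-state
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any

# inbound services, one rule per proto:port, state tracked per connection
EOF
    n=100
    for svc in "$@"; do
        proto=${svc%%:*}
        port=${svc#*:}
        case "$port" in
            ''|*[!0-9]*) echo "gen_ipfw_rules: bad port in '$svc'" >&2; return 1 ;;
        esac
        case "$proto" in
            tcp) echo "\$IPF $n allow tcp from any to any $port in setup keep-state" ;;
            udp) echo "\$IPF $n allow udp from any to any $port in keep-state" ;;
            *)   echo "gen_ipfw_rules: bad protocol in '$svc'" >&2; return 1 ;;
        esac
        n=$((n + 10))
    done
    printf '\n# deny and log everything else\n'
    echo '$IPF 500 deny log all from any to any'
}

# apply_with_guard rules_file [seconds]
# Runs the rule script, then a background job waits $seconds and, unless the
# flag file has been removed meanwhile, flushes everything and installs one
# allow-all rule so the admin is no longer locked out.
apply_with_guard() {
    rules=$1
    secs=${2:-120}
    flag=/var/run/ipfw-guard.$$
    : > "$flag"
    (
        sleep "$secs"
        if [ -e "$flag" ]; then
            ipfw -q -f flush
            ipfw -q add 65000 allow ip from any to any
            rm -f "$flag"
            echo "ipfw guard: rule set reverted to allow-all" >&2
        fi
    ) &
    sh "$rules"
    echo "rules loaded; run 'rm $flag' within ${secs}s to keep them"
}

# usage: sh ipfw-guard.sh gen tcp:443 tcp:80 udp:123 > /usr/local/etc/ipfw.rules
#        sh ipfw-guard.sh apply /usr/local/etc/ipfw.rules 120
case "${1:-}" in
    gen)   shift; gen_ipfw_rules "$@" ;;
    apply) apply_with_guard "$2" "${3:-120}" ;;
esac
```

apply_with_guard runs the generated script directly, so the ipfw module must already be loaded (the first /etc/rc.d/ipfw start does that); after confirming that a fresh ssh session still gets in, remove the flag file and the rules stay in place.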

Configure sshd

  • change the port
  • switch to public-key authentication

Edit:

-- /etc/rc.conf
sshd_enable="YES"

Register the ssh public key uploaded earlier with scp or similar. sshd (StrictModes) ignores the file if ~/.ssh or authorized_keys is writable by group or others, so ~/.ssh must be mode 700 and authorized_keys mode 600.

$ cat id_rsa.pub >> ~/.ssh/authorized_keys

Edit:

-- /etc/ssh/sshd_config
Port 443
PasswordAuthentication no
ChallengeResponseAuthentication no
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys

RSAAuthentication only affects SSH protocol 1; OpenSSH 7.4 and later ignore it with a deprecation warning, so drop it on a current system. Since the user is in wheel and can su, PermitRootLogin no is also worth adding.

Run:

# /etc/rc.d/sshd restart

Before restarting, confirm from a second terminal that the key alone logs in on the current port. Existing sessions survive the restart, so keep one open until a key login on port 443 has been verified.
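An added example (not from the original memo) covering the key registration and config steps above: it installs a public key with the permissions StrictModes requires, lints sshd_config for the directives this memo relies on, and tests a key-only login before the old session is closed. The helper names install_authorized_key, check_sshd_config and test_key_login are this example's own; PermitRootLogin is an extra hardening the memo does not set and is reported as a warning only.

```sh
#!/bin/sh
# Added example, not from the original memo: register a public key the way
# sshd's StrictModes expects, lint sshd_config, and test a key-only login.
# Helper names are this example's own; PermitRootLogin is an extra check.

# install_authorized_key pubkey_file [home_dir]
# Creates ~/.ssh (0700) and authorized_keys (0600) and appends the key once.
install_authorized_key() {
    pub=$1
    home=${2:-$HOME}
    dir="$home/.ssh"
    keys="$dir/authorized_keys"
    # accept only a one-line OpenSSH public key, never a private key by mistake
    if [ ! -f "$pub" ] || ! grep -Eq '^(ssh-|ecdsa-)' "$pub" \
       || [ "$(wc -l < "$pub" | tr -d ' ')" -gt 1 ]; then
        echo "install_authorized_key: $pub is not a single public key" >&2
        return 1
    fi
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$keys" && chmod 600 "$keys" || return 1
    # idempotent: skip the append if the exact line is already present
    grep -qxF "$(cat "$pub")" "$keys" || cat "$pub" >> "$keys"
}

# check_sshd_config [file]
# Returns 0 only if the first uncommented occurrence of each required keyword
# (the one sshd honours) carries the expected value.
check_sshd_config() {
    cfg=${1:-/etc/ssh/sshd_config}
    rc=0
    for want in "PasswordAuthentication no" "ChallengeResponseAuthentication no" \
                "PubkeyAuthentication yes" "PermitRootLogin no"; do
        key=${want%% *}
        val=${want#* }
        got=$(awk -v k="$key" '$1 == k { print $2; exit }' "$cfg")
        if [ "$got" != "$val" ]; then
            if [ "$key" = PermitRootLogin ]; then
                echo "sshd_config: warning: $key is '${got:-unset}' (recommended $val)" >&2
            else
                echo "sshd_config: $key is '${got:-unset}', want $val" >&2
                rc=1
            fi
        fi
    done
    return $rc
}

# test_key_login user@host port keyfile
# Succeeds only if the key alone is accepted; no password fallback is allowed.
test_key_login() {
    ssh -p "$2" -i "$3" -o IdentitiesOnly=yes -o BatchMode=yes \
        -o PasswordAuthentication=no "$1" true
}

# usage: sh sshd-check.sh install id_rsa.pub
#        sh sshd-check.sh check && /etc/rc.d/sshd restart
#        sh sshd-check.sh login [username]@host 443 ~/.ssh/id_rsa
case "${1:-}" in
    install) install_authorized_key "$2" ;;
    check)   check_sshd_config "${2:-/etc/ssh/sshd_config}" ;;
    login)   test_key_login "$2" "$3" "$4" ;;
esac
```

Run the login test against the current port first (while password logins still work), then change the config, run the check, restart sshd, and repeat the login test against port 443 before closing the original session.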

Generate an ssh key

Make one anyway. Older ssh-keygen defaults to 2048-bit RSA; pass -b 4096 for a larger key.

$ ssh-keygen -t rsa -C "email@example.com"