
Most of my online stuff (including this web log) is hosted on a dedicated server at OVH running FreeBSD.

Hopefully, I'll be posting more about the services I configured later on. This post aims to guide you through the very first steps you might want to take (regardless of what your server is going to do in the end).

0. Remove the SSH backdoor

As far as I know, all OVH dedicated servers come with some customizations. The first one is a pair of SSH keys allowing root access to your machine from cache.ovh.net. The cure is simple:

# rm /root/.ssh/authorized_keys2

1. Secure sshd


On a fresh install, sshd will allow both password authentication and root login. Before changing these parameters you'll obviously need to create a new user in order to remain able to log in.

Add it to the wheel group so it can su -l root without trouble, and install your SSH key. Test both that you can log in remotely over SSH as the new user and that you can su(8) to root.

Now you can edit the sshd configuration.

/etc/ssh/sshd_config

PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no

Finally, kindly ask sshd to reload its configuration:

# service sshd reload

2. Fix the network configuration

The default FreeBSD template from OVH has a very broken IPv6 configuration. After hours of searching and learning about IPv6, I finally managed to get it working (earning a nice Sage certification at ipv6.he.net along the way).

Here is what you will need in your /etc/rc.conf. Be sure to adapt both the IP address and the default router IP. To make it easier, the default OVH configuration is commented out at the end.

/etc/rc.conf

# IPv6 configuration
ipv6_activate_all_interfaces="YES"
ipv6_network_interfaces="auto"
ip6addrctl_policy="ipv6_prefer"
ifconfig_re0_ipv6="inet6 accept_rtadv 2001:41d0:1:5db0::1 prefixlen 64"
ipv6_defaultrouter="2001:41d0:1:5dff:ff:ff:ff:ff"

# IPv6 configuration (default OVH: not working)
#ipv6_enable="YES"
#ipv6_network_interfaces="re0"
#ifconfig_re0_ipv6="inet6 2001:41d0:1:5db0::1 prefixlen 64"
#ipv6_static_routes="ovhgw"
#ipv6_route_ovhgw="2001:41d0:1:5dff:ff:ff:ff:ff -prefixlen 128 -interface re0"
#ipv6_defaultrouter="2001:41d0:1:5dff:ff:ff:ff:ff"

On a beautiful spring day, IPv6 suddenly stopped working. After trying to fix it without success, I wrote to OVH support to ask whether they had changed something in the router configuration, because my server was no longer receiving Router Advertisements. Although I provided a lot of information, their answer was that there was no solution at the time, and they suggested disabling IPv6 in my OS.

After some research I found out that you can send a Router Solicitation with rtsol(8). I believe the router should send an Advertisement every ten minutes, but I'm simply asking for one every five minutes (adapt this to your network interface; mine is re0).

/etc/crontab

*/5 *   *   *   *   root    rtsol -d re0

Now that you've had a look at the system's crontab, you might have noticed that there is an unusual line. Welcome to Wonderland, Alice.

3. Remove the crap

OVH has written its own Real Time Monitoring tool, and it is installed and running by default on their servers. It gathers data about your system and running processes. The data is then sent to OVH (to an IP defined in /usr/local/rtm/etc/rtm-ip).

If, like me, you want to nuke it, start by either removing or commenting out the vicious line in the system's crontab.

/etc/crontab

*/1 * * * * root /usr/local/rtm/bin/rtm 30 > /dev/null 2> /dev/null

Now remove or move the whole rtm directory:

# mv /usr/local/rtm /root/usr.local.rtm

Finally, just kick out the ovh user:

# rmuser ovh
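As an added example (not from the original post), here is a POSIX sh script that checks a host for the leftovers handled in steps 0, 1 and 3 above: the authorized_keys2 file, the four sshd_config directives, the rtm crontab entry and the rtm directory. The script name ovh-audit.sh and the contents of the constructed "before" sample it can generate are my assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): audit a FreeBSD host for the OVH
# leftovers of steps 0, 1 and 3. Paths are parameters so the checks also run
# against constructed sample files, not only the live system.
# Print each sshd_config directive that differs from the hardened value. sshd
# honours the first uncommented occurrence of a keyword, so that is what is read.
check_sshd_config() {
    _rc=0
    for _want in "PermitRootLogin no" "PasswordAuthentication no" \
                 "ChallengeResponseAuthentication no" "UsePAM no"; do
        _key=${_want%% *}
        _val=$(awk -v k="$_key" 'tolower($1)==tolower(k) {print tolower($2); exit}' "$1")
        if [ "$_val" != "${_want#* }" ]; then
            echo "sshd: $_key is '${_val:-unset}', expected '${_want#* }'"; _rc=1
        fi
    done
    return $_rc
}
# Print active (uncommented) crontab entries running OVH's rtm agent; 1 if any.
check_crontab() {
    ! grep -E '^[^#]*/usr/local/rtm/bin/rtm' "$1"
}
# Report the cache.ovh.net key file and the rtm directory if still present
# under ROOT (pass / on a live system); returns 1 if either exists.
check_leftovers() {
    _root=${1%/}; _rc=0
    for _p in /root/.ssh/authorized_keys2 /usr/local/rtm; do
        if [ -e "$_root$_p" ]; then echo "leftover: $_p still present"; _rc=1; fi
    done
    return $_rc
}
# Constructed sample of the "before" state of a fresh OVH install, under DIR.
make_samples() {
    mkdir -p "$1/etc/ssh" "$1/root/.ssh" "$1/usr/local/rtm/bin"
    printf '#PermitRootLogin yes\nPasswordAuthentication yes\nUsePAM yes\n' \
        > "$1/etc/ssh/sshd_config"
    printf '*/1 * * * * root /usr/local/rtm/bin/rtm 30 > /dev/null 2> /dev/null\n' \
        > "$1/etc/crontab"
    : > "$1/root/.ssh/authorized_keys2"
}
# Run every check against ROOT; exit status is non-zero if anything is off.
audit() {
    _root=${1%/}; _ok=0
    check_sshd_config "$_root/etc/ssh/sshd_config" || _ok=1
    check_crontab "$_root/etc/crontab" || _ok=1
    check_leftovers "$_root/" || _ok=1
    return $_ok
}
# Usage on the live server: sh ovh-audit.sh --run /
if [ "${1:-}" = "--run" ]; then audit "${2:-/}"; fi
```

To see it flag all three problems on a scratch copy, source the file and run make_samples on an empty directory, then audit that directory; once the steps above have been applied to it, audit returns 0.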

4. REMOVE ALL THE CRAP!


You'll notice that some packages are already installed. A quick pkg info will show them all (if this is the first time you run pkg(8), it will ask whether it can bootstrap itself. Just say yes and let the magic happen).

Depending on your personal taste, you might want to keep some of them (like smartmontools) and you might want to kick some of them out (the GNUish stuff like bash and wget).

5. The End™

Now we're finally close to a secure, vanilla FreeBSD setup. From there you can finally get down to the real business, like configuring Packet Filter or adding Journaled Soft Updates. Note that if you're using OVH's default partition scheme you have two different partitions: /root and /home. My server's /root is only 10 GB, so I have to keep that in mind when installing new stuff, like PostgreSQL (because pgsql's home is /usr/local/pgsql) or web applications in /usr/local/www.

That's all. Drop a comment if this post has been useful for you, or if you have any remark or question :)