Most of my online stuff (including this web log) is hosted on a dedicated server at OVH running FreeBSD.
Hopefully, I'll be posting more stuff about the services I configured later on. This post aim to guide you to the very first steps that you might want to take (regardless of what your server is going to do in the end).
0. Remove the SSH backdoor
As far as I know, all OVH dedicated servers come with some
customizations. The first one is a pair of SSH keys
allowing root access to your machine from cache.ovh.net. The cure
1. Secure sshd
On a fresh install,
sshd will allow both password
authentication and root login. Before changing theses parameters
you'll obviously need to create a new user in order to stay able to
Add it to the
wheel group so it can su -l root
without trouble and install your SSH key. Test both remote SSH login
with your new user and that you can su(8)
Now you can edit sshd configuration.
Finally, kindly ask sshd to reload its configuration:
2. Fix the network configuration
The default FreeBSD template from OVH has a very
broken IPv6 configuration. After hours of searching and learning about
IPv6, I've finally managed to get it working (earning a nice
certification at ipv6.he.net).
Here is what you will need in your /etc/rc.conf. Be sure to adapt both the IP address and the default router IP. To make it easier, the default OVH configuration commented out at the end.
On a beautiful day of spring, IPv6 suddenly stopped to work. After trying
to fix it without success, I wrote to the OVH support to ask if they did
change something in the router configuration because my server did not
receive Router Advertisement anymore. Although I provided a lot of
informations, their answer was that there was no solution at the time and
disable IPv6 from my OS.
After a few research I've found out that you can send a
Router Solicitation with rtsol(8). I
believe that the router should send Advertisement each ten minutes but I'm
just asking every five minutes for it (adapt for your network interface,
Now that you just had a look the system's crontab, you might have noticed
that there is an unusual line.
Welcome to Wonderland, Alice.
3. Remove the crap
OVH has written its own tool of
Real Time Monitoring and it is
installed and running by default on their servers. What it does is
gathering data about your system and running process. The data then
sent to OVH (to an IP defined in
If, like me, you want to nuke it, start by either remove or commenting out the vicious line in the system's crontab.
Now remove or move the whole rtm directory:
Finally just kick out the ovh user:
4. REMOVE ALL THE CRAP!
You'll notice that some packages are already installed. A quick pkg info will show them all (if that is the first time that you run pkg(8) it will ask if it can bootstrap. Just say yes and let the magic happen).
Depending on your personal taste, you might want to keep some of them (like smartmontools) and you might want to kick some of them out (the GNUish stuff like bash and wget).
5. The End™
Now we're finally close to a secure, vanilla FreeBSD setup. From there you can finally start the real business like configuring Packet Filter or add Journaling Softupdates. Note that if you're using OVH's default partition schema you have two different partitions: /root and /home. My server's /root is only 10 Go so I have to keep it in mind when installing new stuff, like PostgreSQL (because pgsql's home is /usr/local/pgsql) or web applications in /usr/local/www.
that's all, drop a comment if this post has been useful for you or any remark or question :)