AFTERBOOT(8) NetBSD System Manager's Manual AFTERBOOT(8)
NAME
afterboot -- things to check after the first complete boot
DESCRIPTION
Starting Out This document attempts to list items for the system administrator to check and set up after the installation and first complete boot of the system. The idea is to create a list of items that can be checked off so that you have a warm fuzzy feeling that something obvious has not been missed. A basic knowledge of UNIX is assumed. Complete instructions for correcting and fixing items is not provided. There are manual pages and other methodologies available for doing that. For example, to view the man page for the ls(1) command, type: man 1 ls Administrators will rapidly become more familiar with NetBSD if they get used to using the manual pages. Security alerts By the time that you have installed your system, it is quite likely that bugs in the release have been found. All significant and easily fixed problems will be reported at http://www.NetBSD.org/support/security/. It is recommended that you check this page regularly. Additionally, you should set ``fetch_pkg_vulnerabilities=YES'' in /etc/daily.conf to allow your system to automatically update the local database of known vulnerable packages to the latest version available on- line. The system will later check, on a daily basis, if any of your installed packages are vulnerable based on the contents of this database. See daily.conf(5) and security.conf(5) for more details. Login On a fresh install with no other user accounts, login as ``root''. You can do so on the console, or over the network using ssh(1). If you have enabled the SSH daemon (see sshd(8)) and wish to allow root logins over the network, edit the /etc/ssh/sshd_config file and set ``PermitRootLogin'' to ``yes'' (see sshd_config(5)). The default is to not permit root logins over the network after fresh install in NetBSD. Upon successful login on the console, you may see the message ``We recommend creating a non-root account...''. For security reasons, it is bad practice to login as root during regular use and maintenance of the system. In fact, the system will only let you login as root on a secure terminal. By default, only the console is considered to be a secure ter- minal. Instead, administrators are encouraged to add a ``regular'' user, add said user to the ``wheel'' group, then use the su(1) command when root privileges are required. This process is described in more detail later. Root password Change the password for the root user. (Note that throughout the docu- mentation, the term ``superuser'' is a synonym for the root user.) Choose a password that has numbers, digits, and special characters (not space) as well as from the upper and lower case alphabet. Do not choose any word in any language. It is common for an intruder to use dictionary attacks. Type the command /usr/bin/passwd to change it. It is a good idea to always specify the full path name for both the passwd(1) and su(1) commands as this inhibits the possibility of files placed in your execution PATH for most shells. Furthermore, the supe- ruser's PATH should never contain the current directory (``.''). System date Check the system date with the date(1) command. If needed, change the date, and/or change the symbolic link of /etc/localtime to the correct time zone in the /usr/share/zoneinfo directory. Examples: date 200205101820 Set the current date to May 10th, 2002 6:20pm. ln -fs /usr/share/zoneinfo/Europe/Helsinki /etc/localtime Set the time zone to Eastern Europe Summer Time. Console settings One of the first things you will likely need to do is to set up your key- board map (and maybe some other aspects about the system console). To change your keyboard encoding, edit the ``encoding'' variable found in /etc/wscons.conf. wscons.conf(5) contains more information about this file. Check hostname Use the hostname command to verify that the name of your machine is cor- rect. See the man page for hostname(1) if it needs to be changed. You will also need to change the contents of the ``hostname'' variable in /etc/rc.conf or edit the /etc/myname file to have it stick around for the next reboot. Note that ``hostname'' is supposed include a domainname, and that this should not be confused with YP (NIS) domainname(1). If you are using dhcpcd(8) to configure network interfaces, it might override these local hostname settings if your DHCP server specifies client's hostname with other network configurations. Verify network interface configuration The first thing to do is an ifconfig -a to see if the network interfaces are properly configured. Correct by editing /etc/ifconfig.interface or the corresponding ``ifconfig_interface'' variable in rc.conf(5) (where interface is the interface name, e.g., ``le0'') and then using ifconfig(8) to manually configure it if you do not wish to reboot. Alternatively, you can configure interfaces automatically via DHCP with dhcpcd(8) if you have a DHCP server running somewhere on your network. To get dhcpcd(8) to start automatically on boot, you will need to have this line in /etc/rc.conf: dhcpcd=YES See dhcpcd(8) and dhcpcd.conf(5) for more information on setting up a DHCP client. You can add new ``virtual interfaces'' by adding the required entries to /etc/ifconfig.interface. Read the ifconfig.if(5) man page for more information on the format of /etc/ifconfig.interface files. The loopback interface will look something like: lo0: flags=8009<UP,LOOPBACK,MULTICAST> mtu 32972 inet 127.0.0.1 netmask 0xff000000 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3 inet6 ::1 prefixlen 128 an Ethernet interface something like: le0: flags=9863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> inet 192.168.4.52 netmask 0xffffff00 broadcast 192.168.4.255 inet6 fe80::5ef0:f0f0%le0 prefixlen 64 scopeid 0x1 and a PPP interface something like: ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> inet 203.3.131.108 --> 198.181.0.253 netmask 0xffff0000 See mrouted(8) for instructions on configuring multicast routing. Check routing tables Issue a netstat -rn command. The output will look something like: Routing tables Internet: Destination Gateway Flags Refs Use Mtu Interface default 192.168.4.254 UGS 0 11098028 - le0 127 127.0.0.1 UGRS 0 0 - lo0 127.0.0.1 127.0.0.1 UH 3 24 - lo0 192.168.4 link#1 UC 0 0 - le0 192.168.4.52 8:0:20:73:b8:4a UHL 1 6707 - le0 192.168.4.254 0:60:3e:99:67:ea UHL 1 0 - le0 Internet6: Destination Gateway Flags Refs Use Mtu Interface ::/96 ::1 UGRS 0 0 32972 lo0 => ::1 ::1 UH 4 0 32972 lo0 ::ffff:0.0.0.0/96 ::1 UGRS 0 0 32972 lo0 fc80::/10 ::1 UGRS 0 0 32972 lo0 fe80::/10 ::1 UGRS 0 0 32972 lo0 fe80::%le0/64 link#1 UC 0 0 1500 le0 fe80::%lo0/64 fe80::1%lo0 U 0 0 32972 lo0 ff01::/32 ::1 U 0 0 32972 lo0 ff02::%le0/32 link#1 UC 0 0 1500 le0 ff02::%lo0/32 fe80::1%lo0 UC 0 0 32972 lo0 The default gateway address is stored in the ``defaultroute'' variable in /etc/rc.conf, or in the file /etc/mygate. If you need to edit this file, a painless way to reconfigure the network afterwards is to issue service network restart Or, you may prefer to manually configure using a series of route add and route delete commands (see route(8)). If you run dhcpcd(8) you will have to kill it by running service dhcpcd stop before you flush the routes. If you wish to route packets between interfaces, add one or both of the following directives (depending on whether IPv4 or IPv6 routing is required) to /etc/sysctl.conf: net.inet.ip.forwarding=1 net.inet6.ip6.forwarding=1 As an alternative, compile a new kernel with the ``GATEWAY'' option. Packets are not forwarded by default, due to RFC requirements. Device nodes By default, nodes are created in /dev for a fairly typical number of devices. However, if this system has a large number of devices connected (e.g. for large scale storage), you may want to enable devpubd(8) to ensure a suf- ficient number of nodes are available. Set ``devpubd=YES'' in /etc/rc.conf to create nodes automatically during system runtime. You can also run the node creation script by hand: cd /dev && sh MAKEDEV Secure Shell (SSH) By default, all services are disabled in a fresh NetBSD installation, and SSH is no exception. You may wish to enable it so you can remotely con- trol your system. Set ``sshd=YES'' in /etc/rc.conf and then starting the server with the command service sshd start The first time the server is started, it will generate a new keypair, which will be stored inside the directory /etc/ssh. Host names and DNS The system resolves host names according the rules for hosts in the name service switch configuration at /etc/nsswitch.conf. By default, it will query /etc/hosts first, and then the DNS resolver specified in /etc/resolv.conf. Multicast DNS and DNS Service Discovery are usually not enabled by default on a fresh NetBSD system, and can be enabled by setting ``mdnsd=YES'' in /etc/rc.conf, and either rebooting or running the fol- lowing command: service mdnsd start If your network does not have a usable DNS resolver, e.g. one provided by DHCP, you can run a local caching recursive resolver by setting ``named=YES'' in /etc/rc.conf and either rebooting or running the follow- ing command: service named start named(8) is configured in /etc/named.conf by default to run as a local caching recursive resolver. Then, to make the system use it, put the following in /etc/resolv.conf: nameserver 127.0.0.1 Wireless networking To configure the system to connect to a wireless network with a password using WPA: wpa_passphrase networkname password >> /etc/wpa_supplicant.conf To to configure the system to connect to an open wireless network with no password, edit /etc/wpa_supplicant.conf instead of using wpa_passphrase(8): network={ ssid="Public-WiFi" key_mgmt=NONE priority=100 } Then bring up the interface and start the necessary daemons: ifconfig iwm0 up service wpa_supplicant onestart service dhcpcd onestart To automatically connect at boot, add the following to /etc/rc.conf: ifconfig_iwm0="up" dhcpcd=YES wpa_supplicant=YES While using wpa_supplicant(8), you can easily retrieve network scan results with wpa_cli(8): wpa_cli scan_results Or trigger a rescan: wpa_cli scan RPC-based network services Several services depend on the RPC portmapper rpcbind(8) - formerly known as portmap - being running for proper operation. This includes YP (NIS) and NFS exports, among other services. To get the RPC portmapper to start automatically on boot, you will need to have this line in /etc/rc.conf: rpcbind=YES YP (NIS) Setup Check the YP domain name with the domainname(1) command. If necessary, correct it by editing the /etc/defaultdomain file or by setting the ``domainname'' variable in /etc/rc.conf. The /etc/rc.d/network script reads this file on bootup to determine and set the domain name. You may also set the running system's domain name with the domainname(1) command. To start YP client services, simply run ypbind, then perform the remain- ing YP activation as described in passwd(5) and group(5). In particular, to enable YP passwd support, you'll need to update /etc/nsswitch.conf to include ``nis'' for the ``passwd'' and ``group'' entries. A traditional way to accomplish the same thing is to add fol- lowing entry to local passwd database via vipw(8): +:*:::::::: Note this entry has to be the very last one. This traditional way works with the default nsswitch.conf(5) setting of ``passwd'', which is ``compat''. There are many more YP man pages available to help you. You can find more information by starting with nis(8). Check disk mounts Check that the disks are mounted correctly by comparing the /etc/fstab file against the output of the mount(8) and df(1) commands. Example: # cat /etc/fstab /dev/sd0a / ffs rw 1 1 /dev/sd0b none swap sw /dev/sd0e /usr ffs rw 1 2 /dev/sd0f /var ffs rw 1 3 /dev/sd0g /tmp ffs rw 1 4 /dev/sd0h /home ffs rw 1 5 # mount /dev/sd0a on / type ffs (local) /dev/sd0e on /usr type ffs (local) /dev/sd0f on /var type ffs (local) /dev/sd0g on /tmp type ffs (local) /dev/sd0h on /home type ffs (local) # df Filesystem 1024-blocks Used Avail Capacity Mounted on /dev/sd0a 22311 14589 6606 69% / /dev/sd0e 203399 150221 43008 78% /usr /dev/sd0f 10447 682 9242 7% /var /dev/sd0g 18823 2 17879 0% /tmp /dev/sd0h 7519 5255 1888 74% /home # pstat -s Device 512-blocks Used Avail Capacity Priority /dev/sd0b 131072 84656 46416 65% 0 Edit /etc/fstab and use the mount(8) and umount(8) commands as appropri- ate. Refer to the above example and fstab(5) for information on the for- mat of this file. You may wish to do NFS mounts now too, or you can do them later. Concatenated disks (ccd) If you are using ccd(4) concatenated disks, edit /etc/ccd.conf. You may wish to take a look to ccdconfig(8) for more information about this file. Use the ccdconfig -U command to unload and the ccdconfig -C command to create tables internal to the kernel for the concatenated disks. You then mount(8), umount(8), and edit /etc/fstab as needed. Automounter daemon (AMD) To use the amd(8) automounter, create the /etc/amd directory, copy exam- ple config files from /usr/share/examples/amd to /etc/amd and customize them as needed. Alternatively, you can get your maps with YP. Clock synchronization In order to make sure the system clock is synchronized to that of a pub- licly accessible NTP server, make sure that /etc/rc.conf contains the following: ntpdate=YES ntpd=YES See date(1), ntpdate(8), ntpd(8), rdate(8), and timed(8) for more infor- mation on setting the system's date. CHANGING /etc FILES The system should be usable now, but you may wish to do more customizing, such as adding users, etc. Many of the following sections may be skipped if you are not using that package (for example, skip the Kerberos section if you won't be using Kerberos). We suggest that you cd /etc and edit most of the files in that directory. Note that the /etc/motd file is modified by /etc/rc.d/motd whenever the system is booted. To keep any custom message intact, ensure that you leave two blank lines at the top, or your message will be overwritten. Add new users To add new users and groups, there are useradd(8) and groupadd(8); see also user(8) for further programs for user and group manipulation. You may use vipw(8) to add users to the /etc/passwd file and edit /etc/group by hand to add new groups. The manual page for su(1), tells you to make sure to put people in the `wheel' group if they need root access (non- Kerberos). For example: wheel:*:0:root,myself Follow instructions for kerberos(8) if using Kerberos for authentication. System boot scripts and /etc/rc.local /etc/rc and the /etc/rc.d/* scripts are invoked at boot time after single user mode has exited, and at shutdown. The whole process is controlled by the master script /etc/rc. This script should not be changed by administrators. The directory /etc/rc.d contains a series of scripts used at startup/shutdown, called by /etc/rc. /etc/rc is in turn influenced by the configuration variables present in /etc/rc.conf. The script /etc/rc.local is run as the last thing during multiuser boot, and is provided to allow any other local hooks necessary for the system. rc.conf To enable or disable various services on system startup, corresponding entries can be made in /etc/rc.conf. You can take a look at /etc/defaults/rc.conf to see a list of default system variables, which you can override in /etc/rc.conf. Note you are not supposed to change /etc/defaults/rc.conf directly, edit only /etc/rc.conf. See rc.conf(5) for further information. X Display Manager If you've installed X, you may want to turn on xdm(1), the X Display Man- ager. To do this, set ``xdm=YES'' in /etc/rc.conf. Printers Edit /etc/printcap and /etc/hosts.lpd to get any printers set up. Con- sult lpd(8) and printcap(5) if needed. Tighten up security In /etc/inetd.conf comment out any extra entries you do not need, and only add things that are really needed. Note that by default all ser- vices are disabled for security reasons. Kerberos If you are going to use Kerberos for authentication, see kerberos(8) and ``info heimdal'' for more information. If you already have a Kerberos master, change directory to /etc/kerberosV and configure. Remember to get a srvtab from the master so that the remote commands work. Mail Aliases Check /etc/mail/aliases and update appropriately if you want e-mail to be routed to non-local addresses or to different users. Run newaliases(1) after changes. Postfix NetBSD uses Postfix as its MTA. Postfix is started by default, but its initial configuration does not cause it to listen on the network for incoming connections. To configure Postfix, see /etc/postfix/main.cf and /etc/postfix/master.cf. If you wish to use a different MTA (e.g., send- mail), install your MTA of choice and edit /etc/mailer.conf to point to the proper binaries. DHCP server If this is a DHCP server, edit /etc/dhcpd.conf and /etc/dhcpd.interfaces as needed. You will have to make sure /etc/rc.conf has ``dhcpd=YES'' or run dhcpd(8) manually. Bootparam server If this is a Bootparam server, edit /etc/bootparams as needed. You will have to turn it on in /etc/rc.conf by adding ``bootparamd=YES''. NFS server If this is an NFS server, make sure /etc/rc.conf has: nfs_server=YES mountd=YES rpcbind=YES Edit /etc/exports and get it correct. After this, you can start the server by issuing: service rpcbind start service mountd start service nfsd start which will also start dependencies. HP remote boot server Edit /etc/rbootd.conf if needed for remote booting. If you do not have HP computers doing remote booting, do not enable this. Daily, weekly, monthly scripts Look at and possibly edit the /etc/daily.conf, /etc/weekly.conf, and /etc/monthly.conf configuration files. You can check which values you can set by looking to their matching files in /etc/defaults. Your site specific things should go into /etc/daily.local, /etc/weekly.local, and /etc/monthly.local. These scripts have been limited so as to keep the system running without filling up disk space from normal running processes and database updates. (You probably do not need to understand them.) Other files in /etc Look at the other files in /etc and edit them as needed. (Do not edit files ending in .db -- like pwd.db, spwd.db, nor localtime, nor rmt, nor any directories.) Crontab (background running processes) Check what is running by typing crontab -l as root and see if anything unexpected is present. Do you need anything else? Do you wish to change things? For example, if you do not like root getting standard output of the daily scripts, and want only the security scripts that are mailed internally, you can type crontab -e and change some of the lines to read: 30 1 * * * /bin/sh /etc/daily 2>&1 > /var/log/daily.out 30 3 * * 6 /bin/sh /etc/weekly 2>&1 > /var/log/weekly.out 30 5 1 * * /bin/sh /etc/monthly 2>&1 > /var/log/monthly.out See crontab(5). Next day cleanup After the first night's security run, change ownerships and permissions on files, directories, and devices; root should have received mail with subject: "<hostname> daily insecurity output.". This mail contains a set of security recommendations, presented as a list looking like this: var/mail: permissions (0755, 0775) etc/daily: user (0, 3) The best bet is to follow the advice in that list. The recommended set- ting is the first item in parentheses, while the current setting is the second one. This list is generated by mtree(8) using /etc/mtree/special. Use chmod(1), chgrp(1), and chown(8) as needed. Packages Install your own packages. The NetBSD packages collection, pkgsrc, includes a large set of third-party software. A lot of it is available as binary packages that you can download from https://cdn.netbsd.org/pub/pkgsrc/packages/NetBSD/ or a mirror. For most users, using pkgin to manage binary packages is recommended. To install pkgin, if it was not done by the installer: export PKG_PATH=https://cdn.netbsd.org/pub/pkgsrc/packages/NetBSD/$(uname -p)/$(uname -r | cut -d_ -f1)/All pkg_add pkgin pkgin update pkgin install bash mpg123 fluxbox ... See https://www.NetBSD.org/docs/pkgsrc/ and pkgsrc/doc/pkgsrc.txt for more details. Copy vendor binaries and install them. You will need to install any shared libraries, etc. (Hint: man -k compat to find out how to install and use compatibility mode.) There is also other third-party software that is available in source form only, either because it has not been ported to NetBSD yet, because licensing restrictions make binary redistribution impossible, or simply because you want to build your own binaries. Sometimes checking the mailing lists for past problems that people have encountered will result in a fix posted. Check the running system You can use ps(1), netstat(1), and fstat(1) to check on running pro- cesses, network connections, and opened files, respectively. Other tools you may find useful are systat(1) and top(1).
SYSTEM TESTING
At this point, the system should be fully configured to your liking. It is now a good time to ensure that the system behaves according to its specifications and that it is stable on your hardware. Please refer to tests(7) for details on how to do so.
SEE ALSO
chgrp(1), chmod(1), config(1), crontab(1), date(1), df(1), domainname(1), fstat(1), hostname(1), make(1), man(1), netstat(1), newaliases(1), passwd(1), pkg_add(1), ps(1), ssh(1), su(1), systat(1), top(1), xdm(1), ccd(4), aliases(5), crontab(5), dhcpcd.conf(5), exports(5), fstab(5), group(5), hosts(5), ifconfig.if(5), mailer.conf(5), named.conf(5), nsswitch.conf(5), passwd(5), printcap(5), rc.conf(5), resolv.conf(5), sshd_config(5), wpa_supplicant.conf(5), wscons.conf(5), hier(7), hostname(7), pkgsrc(7), tests(7), amd(8), ccdconfig(8), chown(8), devpubd(8), dhcpcd(8), dhcpd(8), dmesg(8), groupadd(8), ifconfig(8), inetd(8), kerberos(8), lpd(8), mdnsd(8), mount(8), mrouted(8), mtree(8), named(8), nis(8), ntpd(8), ntpdate(8), rbootd(8), rc(8), rdate(8), rmt(8), route(8), rpc.bootparamd(8), rpcbind(8), sshd(8), timed(8), umount(8), useradd(8), vipw(8), wpa_cli(8), wpa_supplicant(8), yp(8), ypbind(8)
HISTORY
This document first appeared in OpenBSD 2.2. It has been adapted to NetBSD and first appeared in NetBSD 2.0. NetBSD 9.4 October 5, 2020 NetBSD 9.4
Powered by man-cgi (2024-08-26). Maintained for NetBSD by Kimmo Suominen. Based on man-cgi by Panagiotis Christias.