FreeBSD Housekeeping

So, since I’ve had to mess around with Arigeitsu so much anyway, I decided to take the next 48 hours or so real slow, and just relax and make sure everything’s done right. I’ve finally gotten over the stress of making Murmur work on FreeBSD so now it’s time to get down to some good old fashioned sysadmin stuff. I thought I’d post about it here as a list of good things to do to a new FreeBSD box – who knows when I might need to consult it myself to jog my memory. :)

The machine came equipped with 1TB of disk space over two identical drives, and since I decided I didn’t need that much space, we elected to configure the two drives as a RAID-1 mirror. We haven’t yet had the joy of a drive crashing in a mission-critical server (though I’ve lost a couple of drives in my Windows desktops over the years!), and while we do maintain off-site backups, RAID-1 will help us avoid an outage if one drive fails.

RAID is of course no use whatsoever unless you actually monitor the disks, so I installed sysutils/smartmontools to keep an eye on things. David Andrzejewski has a much better howto than I could ever write so go consult that instead.

Next up, I live by the rule of “if it ain’t broke, don’t fix it” when it comes to software, and while I try to be subscribed to the security mailing list of every piece of software we use, sometimes things slip by. ports-mgmt/portaudit, which checks the installed ports against the FreeBSD vulnerability database, is a good way to keep an extra eye on things, and you can have periodic run it daily by adding one line to /etc/periodic.conf:

echo 'daily_status_security_portaudit_enable="YES"' >> /etc/periodic.conf

Now this next bit tripped me up once when we had to reboot Zubat: if you misconfigure an SSL certificate on Apache, it can hang the boot process while it waits for you to enter the pass phrase. The bad part is that, by default, Apache tries to start before the SSH daemon, so you can’t even log in to fix it. So I edit the /usr/local/etc/rc.d/apache22 script and add sshd to the REQUIRE line, like so (note that this file belongs to the port, so check that the edit survives the next reinstall or upgrade of apache22):

# REQUIRE: LOGIN cleanvar sshd

Finally, we enable the stock FTP daemon on localhost only. We simply enable inetd, ensure that the built-in ftpd is the only service listed in /etc/inetd.conf, and don’t add a firewall rule allowing FTP in from outside. This way we still enforce SFTP/SCP for our users, but things like auto-updates for WordPress, which talk to FTP on localhost, still work. :)
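As an added example that is not part of the original post, here is a small POSIX sh audit script that checks the three settings above (the portaudit line in periodic.conf, sshd on the apache22 REQUIRE line, and ftpd being the only active inetd service). The sample config contents and the audit.sh name are constructed assumptions, not files from the machines mentioned here; point the checks at the real paths to audit a live box.

```shell
#!/bin/sh
# Added example (not from the original post): audit the three settings above. Each
# check takes a path: the constructed samples below or the real /etc files.

# periodic.conf is sourced by sh, so the LAST assignment wins: an appended
# "YES" overrides an earlier "NO". Succeeds if the effective value is YES.
portaudit_enabled() {
    val=$(grep -E '^[[:space:]]*daily_status_security_portaudit_enable=' "$1" \
          | tail -n 1 | sed 's/^[^=]*=//' | tr -d "\"'")
    [ "$val" = "YES" ]
}

# Succeeds if the rc.d script's '# REQUIRE:' line lists sshd as a whole word
# (so rcorder starts sshd before it); 'sshd_foo' would not count.
requires_sshd() {
    grep -E '^# REQUIRE:' "$1" | grep -qE '(^|[[:space:]])sshd([[:space:]]|$)'
}

# Succeeds only if every active (non-comment, non-blank) inetd.conf entry is
# the ftp service; any other enabled service, or none at all, fails.
inetd_only_ftp() {
    active=$(grep -vE '^[[:space:]]*(#|$)' "$1" | awk '{print $1}')
    [ -n "$active" ] || return 1
    for svc in $active; do
        [ "$svc" = "ftp" ] || return 1
    done
    return 0
}

# Constructed sample configs (good and bad variants); prints the directory.
make_samples() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/fbsd-audit.XXXXXX") || return 1
    printf '%s\n' 'daily_status_security_portaudit_enable="NO"' \
        'daily_status_security_portaudit_enable="YES"' > "$d/periodic.conf"
    printf '%s\n' 'daily_status_security_portaudit_enable="NO"' > "$d/periodic.conf.bad"
    printf '%s\n' '#!/bin/sh' '# REQUIRE: LOGIN cleanvar sshd' > "$d/apache22"
    printf '%s\n' '#!/bin/sh' '# REQUIRE: LOGIN cleanvar' > "$d/apache22.bad"
    printf '%s\n' '# only ftpd enabled' \
        'ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l' > "$d/inetd.conf"
    printf '%s\n' 'ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l' \
        'telnet stream tcp nowait root /usr/libexec/telnetd telnetd' > "$d/inetd.conf.bad"
    printf '%s\n' "$d"
}

# Usage: sh audit.sh /etc/periodic.conf /usr/local/etc/rc.d/apache22 /etc/inetd.conf
if [ $# -eq 3 ]; then
    portaudit_enabled "$1" && echo "portaudit daily check: ok" || echo "portaudit daily check: MISSING"
    requires_sshd "$2" && echo "apache22 waits for sshd: ok" || echo "apache22 waits for sshd: MISSING"
    inetd_only_ftp "$3" && echo "inetd: only ftpd enabled" || echo "inetd: OTHER SERVICES ENABLED"
fi
```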

That’s about all I can think of right now, I’ll edit this post and add more as I go along.