The basic setup of the server
In a simple view of the setup for the server, I will mainly have the following services running on it:
- mail server (SMTP and IMAP)
- web server (presence in the web and running some web clients)
- time server for my own devices
And that is it. That is and has been the starting point with my servers, and during their lifetime more services will be added and removed as I see the need.
## OS and base software/utilities
I have always been a fan of FreeBSD, so that will be my base OS for the server as usual, and of course the different services will come from the FreeBSD ports.
As the basis the server will have:
- FreeBSD OS built from source
- OpenSSL from the ports
- OpenSSH from the ports
- NTP server from the ports
And this is the basic software setup that will be used in almost every part of the server going forward.
This setup is based on the recipes/advice from this book:
Building a Server with FreeBSD 7 - A Modular, DIY Guide to Building a FreeBSD Server from No Starch Press
It is based on an old FreeBSD version, 7, and of course its contents are also based on the ports at that time, but it has helped me build my servers, and I have been using the advice/recipes in it with the adaptations needed for the newer versions.
## FreeBSD OS built from source
The installation of FreeBSD was just a matter of getting an image file from freebsd.org and installing it on the server.
Note
---
I am doing it on a dedicated server at OVH and I don't have physical access to the server, so the installation has to be done remotely, in one of a few special ways.
OVH no longer has FreeBSD on their list of self-install OSes, so it became a small challenge, but as said there are a few ways, which I will explain in a separate article dedicated to a remote OVH installation.
---
After having FreeBSD installed, I always like to build it from source and install what I have built, and for that I have followed the following section of the FreeBSD Handbook:
26.6. Updating FreeBSD from Source
Just follow the recipe and reboot, and off we go to the next stuff.
The last thing that needs to be done, as this installation will be focused mostly on third party software, is to modify the default search path for the root user to make sure that /usr/local/bin and /usr/local/sbin come first in the search path, as that is where the third party software will be installed. As some of the software will have the same command names as the FreeBSD base, we want to make sure that the /usr/local dirs are used first.
That can be easily done by modifying the search path in .cshrc for the root user:
```
# set path = (/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin $HOME/bin)
set path = (/usr/local/sbin /usr/local/bin /sbin /bin /usr/sbin /usr/bin $HOME/bin)
```
I normally comment out the default search path, make a copy of it and modify the copy as needed. The "set path" has to be on a single line, even if it wraps onto multiple lines when displayed here.
## OpenSSL from the ports
To install an updated version of OpenSSL from the ports collection, just do the following:
```
# cd /usr/ports/security/openssl
# make config
# make install clean
```
And that is it. The second command is all about checking the config options of the OpenSSL port and seeing if something needs to be changed, but for most normal use I keep them as they are.
Then we come to the configuration side of things, and a few things are to be done.
- I want the OpenSSL port to be used instead of the base one. For that the following needs to be added to the /etc/make.conf file, or, if it doesn't exist, create the file:

```
# echo "DEFAULT_VERSIONS+= ssl=openssl" >> /etc/make.conf
```

This will ensure that ports built in the future will use the OpenSSL files from the ports, or be linked against the OpenSSL from the ports.
- We should rename the old openssl.conf to make sure we don't make any mistakes when using the OpenSSL from the ports. We do this by:
```
# cd /etc/openssl
# mv openssl.conf openssl.conf.old
# cd /usr/local/openssl
# mv openssl.cnf.dist openssl.cnf
```
Once again we don't change the defaults in the conf file, and everything should work as expected.
## OpenSSH from the ports
Similarly to OpenSSL, installing the port version of OpenSSH is done the same way, just that in this case the standard version of OpenSSH in the ports is called openssh-portable. So:
```
# cd /usr/ports/security/openssh-portable
# make config
# make install clean
```
The same way I did with OpenSSL, I always check the config to see if there is something that needs to be changed from my perspective based on past experiences, and if all is ok it is just build, install and clean.
Now that we have the port installed, we need to make sure it is used, and for that we need to make some changes and configuration updates.
- We want to make sure that the port is used instead of the OpenSSH from the base system, and for that we need to add a flag to the make.conf file telling the FreeBSD base build not to include OpenSSH, like this:

```
# cd /etc
# echo "WITHOUT_OPENSSH=YES" >> make.conf
```
- We also want the OpenSSH server from the ports to start when the system boots, so we need to modify the /etc/rc.conf file to achieve this. We need to set sshd_enable to NO so the base SSH server is not used:

```
sshd_enable="NO"
```
and add the following two lines to use the OpenSSH server from the ports:
```
openssh_enable="YES"
openssh_flags=""
```
The openssh_flags line is just added to remind me that it can be used in the future if needed.
With the file saved with the new modifications, we can issue the following commands:
```
# /etc/rc.d/sshd stop
# /usr/local/etc/rc.d/openssh start
```
The first command stops the base SSH server and the second starts the OpenSSH server from the ports.
- A simple way to check on the machine that everything is working as expected:
```
# telnet localhost 22
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-2.0-OpenSSH_10.2 FreeBSD-openssh-portable-10.2.p1_1,1
```
And you should get something like the above; please note the version might be different.
## NTP from the ports
The last item on the basic stuff is to have an NTP server to make sure time is synchronized and also to serve as a time server for my other devices and systems.
And the recipe is more or less the same, just the location of the port is different:
```
# cd /usr/ports/net/ntp
# make config
# make install clean
```
Same approach as before, and after the installation is done, we need to configure a few things. A side note here: as mentioned above, we have modified the search path so that, where commands have the same name, the search order picks the commands installed by the ports first, and ntp has a few commands that are named the same as the base system ntp.
So let's move on to the configuration needs:
- It is advised to have a drift file, as the clock of the server will not be accurate. A drift file, simply put, stores the frequency offset of the server clock, allowing ntpd to learn and correct this drift, and with that making the synchronization with NTP servers faster and more accurate. This creates the file in /etc/ntp:

```
# touch /etc/ntp/drift
```

- The installed ntp.conf in /etc will already contain a selection of default NTP servers that are good enough, and the only thing we need to do is to add the following options at the end of the file:
```
logfile /var/log/ntpd.log
driftfile /etc/ntp/drift
```
The above options just set a log file for the ntp server and the location of the drift file created above.
- We want the ntp server to start automatically when the server boots, so another modification to /etc/rc.conf is needed, adding the following options:

```
ntpd_enable="YES"
ntpd_program="/usr/local/sbin/ntpd"
ntpdate_program="/usr/local/sbin/ntpdate"
```
The first one enables the ntp server, and the second and third just make sure we are using the programs that are part of the ntp port.
- To start checking, we should start the ntp server:

```
# /etc/rc.d/ntpd start
```
We should wait around 10 minutes and run:
```
# ntpq -p localhost
```
And you should see something similar to:
```
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 0.freebsd.pool. .POOL.          16 p    -   64    0    0.000   +0.000   0.000
 2.freebsd.pool. .POOL.          16 p    -   64    0    0.000   +0.000   0.000
*109.190.177.205 .PPS.            1 u  780 1024  377   12.030   +0.130   7.065
-vps1.websters-c 253.98.235.249   2 u  620 1024  377    1.690   +0.567   0.192
+27.ip-51-68-44. 164.173.60.33    3 u    4 1024  377    1.740   -0.219   0.130
+time.cloudflare 10.228.8.4       3 u  707 1024  377   10.684   +0.080   0.052
```
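To turn that table into something a script can act on, here is an added example (not from the original article) that reads `ntpq -p` output and reports whether a system peer has been selected, is fully reachable and sits within an assumed offset limit; the sample table is constructed from the output shown above, and the 100 ms default limit is an assumption.

```sh
#!/bin/sh
# Added example (not from the article): read "ntpq -p" output and decide
# whether ntpd has settled, instead of eyeballing the table. The limit in
# ms is an assumed threshold; pick one that fits your network.

# Reads ntpq -p output on stdin. Good only if there is a system peer (tally
# '*'), its reach register is 377 (all of the last 8 polls answered) and its
# offset is within the limit. Prints one verdict line; exit 0 = in sync,
# 1 = no system peer, 2 = reach incomplete, 3 = offset too large.
ntp_sync_status() {
    awk -v limit="${1:-100}" '
        NR <= 2 { next }                       # header and ===== separator
        substr($1, 1, 1) == "*" {              # tally code is glued to the remote
            remote = substr($1, 2); reach = $7; offset = $9 + 0
            if (reach != "377") {
                printf "WARN system peer %s reach %s (not yet 377)\n", remote, reach; rc = 2
            } else if (offset > limit || offset < -limit) {
                printf "WARN system peer %s offset %.3f ms exceeds %s ms\n", remote, offset, limit; rc = 3
            } else {
                printf "OK synced to %s, offset %.3f ms\n", remote, offset; rc = 0
            }
            found = 1
        }
        END { if (!found) { print "FAIL no system peer selected yet"; rc = 1 }; exit rc }'
}

# Constructed sample, modelled on the table the article shows.
SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 0.freebsd.pool. .POOL.          16 p    -   64    0    0.000   +0.000   0.000
*109.190.177.205 .PPS.            1 u  780 1024  377   12.030   +0.130   7.065
-vps1.websters-c 253.98.235.249   2 u  620 1024  377    1.690   +0.567   0.192
+time.cloudflare 10.228.8.4       3 u  707 1024  377   10.684   +0.080   0.052'

# Live use on the server: ntpq -p localhost | ntp_sync_status 50
printf '%s\n' "$SAMPLE_NTPQ" | ntp_sync_status
```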
One final note/advice/reminder: a simple way of checking that things are not broken has been to reboot the server every time I have installed a port and check that things are running as expected, in addition to the checks while installing a port and setting configuration options.
Now that we have the basic setup in place, we can move on to adding the services I want to run on this server.
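A reboot only shows that things came up; it does not say whether they came up from the ports or from the base system. As an added example (not from the original article), the script below checks that /etc/make.conf and /etc/rc.conf still carry the settings from the OpenSSL, OpenSSH and NTP sections above, so a fallback to the base OpenSSL, OpenSSH or ntpd is caught before the next reboot; the file paths passed to it are assumed to be the ones used above.

```sh
#!/bin/sh
# Added check (not from the article): confirm /etc/make.conf and /etc/rc.conf
# carry the settings above, so a reboot does not quietly fall back to the
# base OpenSSL, OpenSSH or ntpd.

# Print the effective value of an rc.conf variable. rc.conf is sourced by
# sh, so the last uncommented assignment wins; surrounding quotes are dropped.
rc_value() {
    awk -v var="$2" '
        $0 ~ "^[ \t]*" var "=" {
            sub("^[ \t]*" var "=", "")   # drop "name="
            sub(/[ \t]+$/, "")           # drop trailing blanks
            gsub(/"/, "")                # drop the quotes
            val = $0
        }
        END { print val }' "$1"
}

# Succeed if an uncommented make.conf line "VAR=", "VAR+=" (etc.) lists TOKEN.
make_conf_has() {
    awk -v var="$2" -v want="$3" '
        $0 ~ "^[ \t]*" var "[ \t]*[+:?]?=" {
            sub(/^[^=]*=/, "")
            n = split($0, f, /[ \t]+/)
            for (i = 1; i <= n; i++) if (f[i] == want) found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# Check one make.conf and one rc.conf against the settings used in the
# article; print a PASS/FAIL line per setting and return the number of failures.
check_base_setup() {
    mk=$1 rc=$2 fails=0
    for spec in "DEFAULT_VERSIONS ssl=openssl" "WITHOUT_OPENSSH YES"; do
        if make_conf_has "$mk" $spec; then echo "PASS make.conf $spec"
        else echo "FAIL make.conf $spec"; fails=$((fails + 1)); fi
    done
    for kv in sshd_enable=NO openssh_enable=YES ntpd_enable=YES \
              ntpd_program=/usr/local/sbin/ntpd \
              ntpdate_program=/usr/local/sbin/ntpdate; do
        k=${kv%%=*} v=${kv#*=}
        if [ "$(rc_value "$rc" "$k")" = "$v" ]; then echo "PASS rc.conf $kv"
        else echo "FAIL rc.conf $kv"; fails=$((fails + 1)); fi
    done
    return $fails
}

# On the server itself: sh check_base_setup.sh /etc/make.conf /etc/rc.conf
if [ $# -eq 2 ]; then check_base_setup "$1" "$2"; fi
```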