Our great sponsors
-
bastille
Bastille is an open-source system for automating deployment and management of containerized applications on FreeBSD.
-
WorkOS
The modern identity platform for B2B SaaS. The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.
1. .hushlogin - I guess just personal preference - if you log in often it's nice to have
2. patches - update the box - same as apt-get update && apt-get upgrade on linux. doing this on fresh install is always a good idea.
3. atime=off - atime = access time is another metadata write on read and it's often not required and therefore disabled. There are some applications that depend of atime but it's a common performance improvement because you don't want to have writes when reading something - even if it's just metadata.
4. a list of tools the author uses.
5. make the shell nicer, also subjective
6. same as setting up sudo in linux but doas is more modern. You don't want to work as root all the time to reduce fatal errors and for security.
7. there are some theoretic attacks on dsa/ecdsa algorithms and I guess that's why these are disabled. Probably a good idea but there are millions of hosts with dsa/ecdsa ssh keys and nothing has happenend as far as I know.
8. default deny firewall rule that only allows ssh is always a good idea on a host that is on the internet. Automatic bots exploit anything pretty fast and quite a lot of software is reachable via internet by default without any security measures.
9. metrics - monitoring is always a good idea it's much easier to know what's going on and you can analyse / pinpoint problems much easier using some graphs. i.e. when did the network-traffic/cpu exploded - when did the disk fill up? node-exporter is pretty much the weapon of choice nowadays for that. Additional collectors for time (ntp) and disk stats are useful i.e. to alert if ntp doesn't work and to get some idea about device-utilisation.
10. bastille looks a tool for container deployments? https://bastillebsd.org/
b1. microcode has some relavance to security/cpu-bugs always a good idea for servers.
b2. correct time is super important. Lot's of stuff will break in subtle ways if the time is off - i.e. SAML/Kerberos etc.pp
b3. if your ssd/hdd is dying you will get an email if configured correctly.