FreeBSD Installation
Contents
- 1 Missing from this guide
- 2 Installing OS
- 3 Installing Apps
- 3.1 Install portsnap
- 3.2 Install portupgrade
- 3.3 Run portupgrade
- 3.4 Install webmin
- 3.5 Install vsftp
- 3.6 Install SNMP
- 3.7 Install MRTG
- 3.8 Install apache
- 3.9 Install php5
- 3.10 Install php5-extensions
- 3.11 Install mysql
- 3.12 Install phpmyadmin
- 3.13 Install postfix
- 3.14 Install courier-imap
- 3.15 Install torrentflux
- 4 Install snort
- 5 Post Install Configuration
- 5.1 Edit startup scripts
- 5.2 Edit periodic.conf
- 5.3 Add cron jobs
- 5.4 Sort DNS
- 5.5 Configure vsftpd
- 5.6 Configure mysql
- 5.7 Configure mySQL for postfix / courier
- 5.8 Configure postfix
- 5.9 Configure courier-imap
- 5.10 Configure MRTG
- 5.11 Create php.ini
- 5.12 Edit hosts file
- 5.13 Edit apache config file
- 5.14 Edit apache vhosts file
- 5.15 If desired, change ssh port
- 5.16 Edit firewall rules
- 5.17 Edit IPV6 firewall rules
- 5.18 Create SSL Directories
- 5.19 create certificate
- 5.20 set prompt
- 5.21 configure webmin
- 5.22 Configure torrentflux
- 6 Useful Commands
Missing from this guide
- NFS
- eAccellerator
- Configuring apache
- Snort
Installing OS
Filesystem explanation
/ - Where everything else goes.
/etc - Config files for apps installed as part of the OS.
swap - The swap partition.
/var - Things that change a lot (logs, error logs, databases etc.). Ensure you rotate your logs or this will fill very quickly.
/var/log - The logs.
/var/db - The databases.
/tmp - Temporary storage.
/usr - Generally stable files that don't change a lot (apps, static data, config files, home directories).
/usr/ports - Where all the ports (the apps repository) are kept.
/usr/bin & /usr/sbin - Compiled apps installed as part of the OS.
/usr/local/bin & /usr/local/sbin - Compiled apps installed at a later date.
/usr/local/etc - Config files for apps installed at a later date.
/usr/local/etc/rc.d - Startup / shutdown scripts for apps installed at a later date.
/usr/local/www/ - Default wwwroot.
Insert CD and boot
Set keyboard uk
Begin a standard installation
Be sure to leave some unallocated space. For an 80GB drive:
/ 2048m - at least
swap 4096m - 2 * memory
/var 8192m - big for mail
/tmp 1024m
/usr the rest - just big
Install all
Add admin user with group wheel
Configure Kernel
cd /usr/src/sys/i386/conf
cp GENERIC TYPE_YOUR_KERNEL_NAME_HERE
ee TYPE_YOUR_KERNEL_NAME_HERE
Edit:
ident TYPE_YOUR_KERNEL_NAME_HERE
Add:
# If your machine has more than 1 processor (not HT) the next line is needed.
options SMP # Symmetric MultiProcessor Kernel
Comment out:
#cpu I486_CPU
#cpu I586_CPU
#makeoptions DEBUG=-g # Build kernel with gdb(1) debug symbols
Add:
# Enable ipfw.
options IPFIREWALL
options IPFIREWALL_VERBOSE
# Enable ip6fw too.
options IPV6FIREWALL
options IPV6FIREWALL_VERBOSE
Change to:
options SCHED_ULE # ULE scheduler
#options SCHED_4BSD # 4BSD scheduler
Build and install the new kernel
/usr/sbin/config TYPE_YOUR_KERNEL_NAME_HERE
cd ../compile/TYPE_YOUR_KERNEL_NAME_HERE
make depend
make
make install
If you don't have physical access to the box, be sure to add the following to /etc/rc.conf before you reboot: with IPFIREWALL compiled in, the kernel denies all traffic by default, so a remote box would be unreachable after the reboot. The details can be sorted out later.
firewall_enable="yes"
firewall_type="open"
firewall_quiet="no"
Installing Apps
Install portsnap
Portsnap now comes as part of the system (6.1+) so no need for the next step unless you're using 6.0 or lower.
pkg_add -r portsnap
rehash
Run portsnap for the first time
rehash
portsnap fetch
portsnap extract
Install portupgrade
cd /usr/ports/sysutils/portupgrade
make install clean
[X] use Berkeley DB >=2
Run portupgrade
rehash
portsdb -Uu
(or: cd /usr/ports && make fetchindex)
portupgrade -a
If you get the following error message:
Port marked as IGNORE emulators/linux_base-8 unsupported by upstream, no security support anymore
then run this to replace that port with the Fedora Core 4 base:
portupgrade -f -o emulators/linux_base-fc4 linux_base\*
portupgrade -f -o x11/linux-xorg-libs linux-XFree86-libs
Options for gettext 0.14.5_2
[ ] EXAMPLES install example files
[ ] HTMLMAN install man pages in HTML format
Install webmin
cd /usr/ports/sysutils/webmin
make install clean
Once installed run:
/usr/local/lib/webmin/setup.sh
Config file directory [/usr/local/etc/webmin]: (ENTER)
Log file directory [/var/log/webmin]: (ENTER)
Full path to perl (default /usr/bin/perl): (ENTER)
Web server port (default 10000): 23023 (ENTER)
Login name (default admin): SETTHIS (ENTER)
Login Password: SETTHIS (ENTER)
Use SSL (y/n): y (ENTER)
Install vsftp
cd /usr/ports/ftp/vsftpd
make install clean
[X] RC_NG install RC_NG script
[X] VSFTPD_SSL Include support for SSL
Install SNMP
cd /usr/ports/net-mgmt/net-snmp
make install NET_SNMP_SYS_CONTACT="coptang@f2s.com" clean
Install MRTG
cd /usr/ports/net-mgmt/mrtg
make install clean
Install apache
cd /usr/ports/www/apache22
make install WITH_SSL_OPTIONS=yes clean
This also installs python.
Install php5
cd /usr/ports/lang/php5
make install clean
[X] CLI Build CLI version
[ ] CGI Build CGI version
[X] APACHE Build Apache module
[ ] DEBUG Enable debug
[ ] MULTIBYTE Enable zend multibyte support
[X] IPV6 Enable ipv6 support
[ ] REDIRECT Enable force-cgi-redirect support (CGI only)
[ ] DISCARD Enable discard-path support (CGI only)
[ ] FASTCGI Enable fastcgi support (CGI only)
[ ] PATHINFO Enable path-info-check support (CGI only)
Install php5-extensions
cd /usr/ports/lang/php5-extensions
make install clean
Note: selecting GD pulls in X11 as a dependency.
[ ] BCMATH bc style precision math functions
[ ] BZ2 bzip2 library support
[ ] CALENDAR calendar conversion support
[X] CTYPE ctype functions
[ ] CURL CURL support
[ ] DBA dba support
[ ] DBASE dBase library support
[X] DOM DOM support
[ ] EXIF EXIF support
[ ] FILEINFO fileinfo support
[ ] FILEPRO filePro support
[ ] FRIBIDI FriBidi support
[ ] FTP FTP support
[X] GD GD library support
[ ] GETTEXT gettext library support
[ ] GMP GNU MP support
[X] ICONV iconv support
[ ] IMAGICK ImageMagick support
[ ] IMAP IMAP support
[ ] INTERBASE Interbase 6 database support (Firebird)
[ ] LDAP OpenLDAP support
[ ] MBSTRING multibyte string support
[ ] MCRYPT Encryption support
[ ] MHASH Crypto-hashing support
[ ] MING ming shockwave flash support
[ ] MSSQL MS-SQL database support
[X] MYSQL MySQL database support
[X] MYSQLI MySQLi database support
[ ] NCURSES ncurses support (CLI only)
[ ] ODBC unixODBC support
[ ] OPENSSL OpenSSL support
[ ] PANDA panda support
[ ] PCNTL pcntl support (CLI only)
[X] PCRE Perl Compatible Regular Expression support
[ ] PDF PDFlib support (implies GD)
[ ] PGSQL PostgreSQL database support
[X] POSIX POSIX-like functions
[ ] PSPELL pspell support
[ ] READLINE readline support (CLI only)
[ ] RECODE recode support
[X] SESSION session support
[ ] SHMOP shmop support
[ ] SIMPLEXML simplexml support
[ ] SNMP SNMP support
[ ] SOAP SOAP support
[ ] SOCKETS sockets support
[ ] SQLITE sqlite support
[ ] SYBASE_CT Sybase database support
[ ] SYSVMSG System V message support
[ ] SYSVSEM System V semaphore support
[ ] SYSVSHM System V shared memory support
[ ] TIDY TIDY support
[ ] TOKENIZER tokenizer support
[ ] WDDX WDDX support (implies XML)
[ ] XML XML support
[ ] XMLREADER XMLReader support
[ ] XMLRPC XMLRPC-EPI support
[ ] XMLWRITER XMLWriter support
[ ] XSL XSL support (implies DOM)
[ ] YAZ YAZ support (ANSI/NISO Z39.50)
[ ] ZIP ZIP support
[ ] ZLIB ZLIB support
Install mysql
MySQL version 5 is now preferred
cd /usr/ports/databases/mysql41-server
make install BUILD_OPTIMIZED=yes BUILD_STATIC=yes WITH_LINUXTHREADS=yes WITH_CHARSET=latin1 clean
Set root password
/usr/local/bin/mysqladmin -u root password 'newpassword'
Install phpmyadmin
cd /usr/ports/databases/phpmyadmin
make install clean
[X] BZ2 bzip2 library support
[X] GD GD library support
[X] MYSQLI Improved MySQL support
[X] OPENSSL OpenSSL support
[X] PDF PDFlib support (implies GD)
[X] ZLIB ZLIB support
[X] MCRYPT MCrypt library support
[X] MBSTRING Multi-byte character-set string support
Install postfix
cd /usr/ports/mail/postfix
make install clean
Postfix configuration options
[ ] NOPCRE DISABLE Perl Compatible Regular Expressions
[ ] SASL Cyrus SASLv1 (Simple Authentication and Security Layer)
[X] SASL2 Cyrus SASLv2 (Simple Authentication and Security Layer)
[ ] SASLKRB If your SASL requires Kerberos select this option
[ ] SASLKRB5 If your SASL requires Kerberos5 select this option
[ ] SASLKRB5MIT If your SASL requires MIT Kerberos5 select this option
[X] SPF SPF support
[X] TLS SSL and TLS
[ ] DB3 Berkeley DB3 (required if SASL also built with DB3)
[ ] DB40 Berkeley DB4.0 (required if SASL also built with DB4.0)
[ ] DB41 Berkeley DB4.1 (required if SASL also built with DB4.1)
[ ] DB42 Berkeley DB4.2 (required if SASL also built with DB4.2)
[ ] DB43 Berkeley DB4.3 (required if SASL also built with DB4.3)
[X] MySQL MySQL map lookups (choose version with WITH_MYSQL_VER)
[ ] PgSQL PostgreSQL map lookups (choose with DEFAULT_PGSQL_VER)
[ ] OpenLDAP OpenLDAP map lookups (choose ver. with WITH_OPENLDAP_VER)
[ ] CDB CDB map lookups
[ ] NIS NIS map lookups
[ ] VDA VDA (Virtual Delivery Agent)
[ ] Test SMTP/LMTP test server and generator
You need user "postfix" added to group "mail". Would you like me to add it [y]? y
Would you like to activate Postfix in /etc/mail/mailer.conf [n]?
Install courier-imap
cd /usr/ports/mail/courier-imap
make install clean
Options for courier-imap 4.0.6_1,1
[X] OPENSSL Build with OpenSSL support
[ ] FAM Build in fam support for IDLE command
[ ] TRASHQUOTA Include deleted mails in the quota
[ ] GDBM Use gdbm db instead of system bdb
[X] IPV6 Build with IPv6 support
[ ] AUTH_LDAP LDAP support
[X] AUTH_MYSQL MySQL support
[ ] AUTH_PGSQL PostgreSQL support
[ ] AUTH_USERDB Userdb support
[ ] AUTH_VCHKPW Vpopmail/vchkpw support
Install torrentflux
cd /usr/ports/net/torrentflux
make install clean
Options for adodb 4.68
[ ] TESTS Install tests
Options for php5-sqlite 5.1.2
[X] UTF8 Enable UTF-8 support
Install snort
cd /usr/ports/security/snort
make install clean
Options for snort 2.4.3_1
[X] FLEXRESP Flexible response to events
[X] MYSQL Enable MySQL support
[ ] ODBC Enable ODBC support
[ ] POSTGRESQL Enable PostgreSQL support
[ ] PRELUDE Enable Prelude NIDS integration
Post Install Configuration
Edit startup scripts
ee /etc/rc.conf
To the end add
webmin_enable="YES"
mysql_enable="YES"
apache22_enable="YES"
apache22_flags="-DSSL"
syslogd_flags="-ss"
vsftpd_enable="YES"

# Enable postfix, disable sendmail
postfix_enable="YES"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

# Enable snmp
snmpd_enable="YES"
snmpd_flags="-a -p /var/run/snmpd.pid"
snmptrapd_enable="YES"
snmptrapd_flags="-a -p /var/run/snmptrapd.pid"

# Enable ipfw.
firewall_enable="YES"
firewall_type="client"   # see rc.firewall for what goes here
firewall_quiet="NO"
# Enable ip6fw.
ipv6_firewall_enable="YES"
ipv6_firewall_type="client"   # see rc.firewall6 for what goes here
ipv6_firewall_quiet="NO"
To configure a network adaptor
ifconfig_em0="inet 192.168.100.10 netmask 255.255.255.0"
defaultrouter="192.168.100.1"
hostname="host.yourdomain.lan"
NOTE: em0 is the NIC identifier for the Intel PRO/1000 card. Find out which card you have and use its identifier (3Com = xl0, Intel 10/100 = fxp0, etc.).
To configure another IP address
ifconfig_fxp0_alias0="inet 192.168.100.11 netmask 255.255.255.255"
ifconfig_fxp0_alias1="inet 192.168.100.12 netmask 255.255.255.255"
ifconfig_fxp0_alias2="inet 192.168.100.23 netmask 255.255.255.255"
Edit periodic.conf
ee /etc/defaults/periodic.conf
Change the following to "NO" to disable the sendmail jobs
daily_clean_hoststat_enable="NO"
daily_status_mail_rejects_enable="NO"
daily_status_include_submit_mailq="NO"
daily_submit_queuerun="NO"
Add cron jobs
http://www.unixgeeks.org/security/newbie/unix/cron-1.html
ee /var/cron/tabs/root
Set up daily / weekly jobs to maintain the server
#Cron file for root
#min hour dom mon dow command
56 6 * * * /usr/sbin/portsnap fetch update
47 5 * * * /usr/local/bin/ntpdate ntp2c.mcc.ac.uk
Sort DNS
ee /etc/resolv.conf
It should look something like this. Ensure that these DNS servers can resolve your hostname.
domain poynter.net
nameserver xxx.xxx.xxx.xxx
nameserver xxx.xxx.xxx.xxx
Configure vsftpd
ee /usr/local/etc/vsftpd.conf
listen=YES
background=YES
Configure mysql
cd /usr/local/share/mysql/
cp my-huge.cnf /etc/my.cnf
ee /etc/my.cnf
Uncomment
skip-networking
Edit
thread_concurrency = 4
Configure mySQL for postfix / courier
mysql -p -u root
Type in your password
CREATE DATABASE maildb;
USE maildb;
CREATE TABLE transport (
  domain varchar(128) NOT NULL,
  transport varchar(128) NOT NULL,
  UNIQUE KEY domain (domain)
) TYPE=MyISAM;
CREATE TABLE users (
  id varchar(128) NOT NULL,
  address varchar(128) NOT NULL,
  clear varchar(128) NOT NULL,
  crypt varchar(128) NOT NULL,
  name varchar(128) NOT NULL default '',
  uid smallint(5) unsigned NOT NULL default 5000,
  gid smallint(5) unsigned NOT NULL default 5000,
  home varchar(128) NOT NULL,
  domain varchar(128) NOT NULL,
  maildir varchar(255) NOT NULL,
  quota integer unsigned NOT NULL,
  imapok tinyint(3) unsigned NOT NULL default '1',
  PRIMARY KEY (id),
  UNIQUE KEY id (id),
  UNIQUE KEY address (address),
  KEY id_2 (id),
  KEY address_2 (address)
) TYPE=MyISAM;
CREATE TABLE virtual (
  address varchar(255) NOT NULL,
  goto varchar(255) NOT NULL,
  UNIQUE KEY address (address)
) TYPE=MyISAM;
GRANT SELECT ON maildb.* TO maildb_user@localhost IDENTIFIED BY '****choose a password here****';
Configure postfix
ee /usr/local/etc/postfix/main.cf
Add at the end
#COPK - Allow transport maps
transport_maps=mysql:/usr/local/etc/postfix/mysql_transport.cf
virtual_mailbox_maps=mysql:/usr/local/etc/postfix/mysql_virtual_mbox.cf
virtual_uid_maps=mysql:/usr/local/etc/postfix/mysql_uids.cf
virtual_gid_maps=mysql:/usr/local/etc/postfix/mysql_gids.cf
virtual_mailbox_base=/var/spool/postfix/virtual/
virtual_maps=mysql:/usr/local/etc/postfix/mysql_virtual.cf
mydestination = $mydomain, $myhostname, $transport_maps
# 100 MB
virtual_mailbox_limit=102400000
virtual_minimum_uid=100
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unknown_sender_domain,
    reject_unauth_pipelining,
    reject_unknown_recipient_domain,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_non_fqdn_hostname,
    check_relay_domains

smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /usr/local/share/courier-imap/imapd.pem
smtpd_tls_cert_file = /usr/local/share/courier-imap/imapd.pem
smtpd_tls_CAfile = /usr/local/share/courier-imap/imapd.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
# allow authentication (e.g. PLAIN/LOGIN) only in TLS mode
smtpd_tls_auth_only = yes
Create the following files
ee /usr/local/etc/postfix/mysql_transport.cf
user=maildb_user
password=******
dbname=maildb
table=transport
select_field=transport
where_field=domain
hosts=localhost
ee /usr/local/etc/postfix/mysql_virtual_mbox.cf
user=maildb_user
password=*****
dbname=maildb
table=users
select_field=maildir
where_field=address
hosts=localhost
ee /usr/local/etc/postfix/mysql_uids.cf
user=maildb_user
password=*****
dbname=maildb
table=users
select_field=uid
where_field=address
hosts=localhost
ee /usr/local/etc/postfix/mysql_gids.cf
user=maildb_user
password=*****
dbname=maildb
table=users
select_field=gid
where_field=address
hosts=localhost
ee /usr/local/etc/postfix/mysql_virtual.cf
user=maildb_user
password=******
dbname=maildb
table=virtual
select_field=goto
where_field=address
hosts=localhost
Change permissions on the postfix files (they contain the database password)
chown postfix:postfix /usr/local/etc/postfix/mysql_*
chmod 600 /usr/local/etc/postfix/mysql_*
mkdir /var/spool/postfix/virtual
chown postfix:postfix /var/spool/postfix/virtual
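The five map files above differ only in table, select_field and where_field, and each holds the database password in clear. This added example (not part of the guide, Postfix or FreeBSD) writes all five from one list so the password is typed once and every file is created with mode 600 from the start; the directory, user and password are arguments, and the chown postfix:postfix step is left to the caller as in the guide.

```shell
# Writes the Postfix mysql: map files this guide creates by hand.
# umask 077 before the write means no file is ever world-readable, even
# briefly; the chmod afterwards pins the mode the guide wants (600).
# Arguments: destination directory, DB user, DB password.
write_postfix_mysql_maps() {
    dest=$1; dbuser=$2; dbpass=$3
    old_umask=$(umask)
    umask 077
    # file:table:select_field:where_field, one entry per file in the guide
    for spec in \
        mysql_transport.cf:transport:transport:domain \
        mysql_virtual_mbox.cf:users:maildir:address \
        mysql_uids.cf:users:uid:address \
        mysql_gids.cf:users:gid:address \
        mysql_virtual.cf:virtual:goto:address
    do
        name=${spec%%:*};  rest=${spec#*:}
        table=${rest%%:*}; rest=${rest#*:}
        sel=${rest%%:*};   where=${rest#*:}
        {
            printf 'user=%s\n'         "$dbuser"
            printf 'password=%s\n'     "$dbpass"
            printf 'dbname=maildb\n'
            printf 'table=%s\n'        "$table"
            printf 'select_field=%s\n' "$sel"
            printf 'where_field=%s\n'  "$where"
            printf 'hosts=localhost\n'
        } > "$dest/$name"
        chmod 600 "$dest/$name"
    done
    umask "$old_umask"
}

# Usage on the real box (as root, then chown postfix:postfix as the guide does):
# write_postfix_mysql_maps /usr/local/etc/postfix maildb_user 'the-maildb-password'
```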
Configure courier-imap
cd /usr/local/etc/courier-imap
cp imapd.cnf.dist imapd.cnf
ee imapd.cnf
It should look similar to this:
RANDFILE = /usr/local/share/courier-imap/imapd.rand

[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
C=UK
ST=LO
L=London
O=Courier Mail Server
OU=Automatically-generated IMAP SSL key
CN=localhost
emailAddress=postmaster@cupboardy.org

[ cert_type ]
nsCertType = server
cd /usr/local/etc/authlib
ee authdaemonrc
Comment out the original authmodulelist line and add after it:
#COPK - authmodulelist
authmodulelist="authmysql"
ee authmysqlrc
Add / edit the following
MYSQL_SERVER localhost
MYSQL_USERNAME maildb_user
MYSQL_PASSWORD *****
MYSQL_SOCKET /tmp/mysql.sock
MYSQL_DATABASE maildb
MYSQL_USER_TABLE users
MYSQL_CRYPT_PWFIELD crypt
MYSQL_UID_FIELD uid
MYSQL_GID_FIELD gid
MYSQL_LOGIN_FIELD id
MYSQL_HOME_FIELD home
MYSQL_NAME_FIELD name
MYSQL_MAILDIR_FIELD maildir
MYSQL_QUOTA_FIELD quota
MYSQL_WHERE_CLAUSE imapok=1
Make certificate
/usr/local/share/courier-imap/mkimapdcert
ee /usr/local/lib/sasl2/smtpd.conf
pwcheck_method:auxprop
mech_list: plain login
mysql_user: maildb_user
mysql_passwd: *******
mysql_hostnames: localhost
mysql_database: maildb
mysql_statement: select clear from users where id = '%u'
# mysql_verbose: 1
Set permissions
chmod 400 /usr/local/lib/sasl2/smtpd.conf
Change permissions on certificate
cd /usr/local/share/courier-imap
chmod 400 imapd.pem
Configure MRTG
http://mrtg.hdl.com/unix-guide.html
cfgmaker --global 'WorkDir: /home/httpd/mrtg' \
  --global 'Options[_]: bits,growright' \
  --output /home/httpd/mrtg/mrtg.cfg \
  community@router.abc.xyz
Create php.ini
cd /usr/local/etc
cp php.ini-recommended php.ini
Edit php.ini
ee /usr/local/etc/php.ini
Change to
short_open_tag = On
Edit hosts file
ee /etc/hosts
Change all uncommented occurrences of my.domain to your own domain, e.g. poynter.net
At the end add
# Set my hostname
10.0.23.1 killingtime.poynter.net killingtime
Edit apache config file
ee /usr/local/etc/apache22/httpd.conf
Change the line
ServerAdmin you@example.com
Change the line
ServerName you.example.com:80
Change the line
DirectoryIndex index.html index.php
Add (near the other AddType lines)
#
# Add php file type handlers
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
Add, after the main document root <Directory> definition
Alias /sqladmin/ "/usr/local/www/phpMyAdmin/"
<Directory "/usr/local/www/phpMyAdmin">
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
Edit apache vhosts file
ee /usr/local/etc/apache22/extra/httpd-vhosts.conf
Define more virtual hosts if required (ServerName takes a hostname only, no path):
<VirtualHost *:80>
    ServerAdmin webmaster@poynter.net
    DocumentRoot /www/anewdocroot
    ServerName www.test.net
</VirtualHost>
If desired, change ssh port
ee /etc/ssh/sshd_config
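The firewall section of this guide opens ssh on 22222, so the Port line in sshd_config has to match. This added example (not from the guide or OpenSSH) makes that edit repeatably on a file given as an argument, so it can be tried on a scratch copy first; the sample sshd_config in the test is constructed.

```shell
# Sets the sshd port in FILE without hand-editing: every existing Port
# line (commented or not) is dropped and a single "Port N" is placed
# first, because a ListenAddress line without a port only honours Port
# directives that precede it. Running it twice leaves the file unchanged.
set_sshd_port() {
    cfg=$1; port=$2
    case $port in
        ''|*[!0-9]*) echo "usage: set_sshd_port FILE PORT" >&2; return 2 ;;
    esac
    tmp=$cfg.tmp.$$
    printf 'Port %s\n' "$port" > "$tmp"
    grep -Ev '^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+' "$cfg" >> "$tmp" || true
    cat "$tmp" > "$cfg"   # write in place so the file's owner and mode survive
    rm -f "$tmp"
}

# Prints the port(s) an sshd reading FILE would listen on (22 when unset),
# handy for checking the result before restarting the daemon.
sshd_ports() {
    ports=$(sed -En 's/^[[:space:]]*Port[[:space:]]+([0-9]+).*/\1/p' "$1")
    echo "${ports:-22}"
}

# Usage on the real box: set_sshd_port /etc/ssh/sshd_config 22222
```

Add the 22222 rule to rc.firewall first and confirm a second login on the new port before restarting sshd and closing the old one.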
Edit firewall rules
ee /etc/rc.firewall
In client section add
# COPK - Allow webmin
${fwcmd} add pass tcp from any to ${ip} 23023 setup
# COPK - Allow ssh in on 22222
${fwcmd} add pass tcp from any to ${ip} 22222 setup
# COPK - Allow web
${fwcmd} add pass tcp from any to ${ip} 80 setup
${fwcmd} add pass tcp from any to ${ip} 443 setup
# COPK - ICMP section
# Pass 'ping'
${fwcmd} add pass icmp from any to any icmptypes 8 keep-state
# Pass error messages generated by 'traceroute'
${fwcmd} add pass icmp from any to any icmptypes 3
${fwcmd} add pass icmp from any to any icmptypes 11
Edit IPV6 firewall rules
ee /etc/rc.firewall6
Create SSL Directories
mkdir /usr/local/etc/apache22/ssl.key
mkdir /usr/local/etc/apache22/ssl.crt
chmod 0700 /usr/local/etc/apache22/ssl.key
chmod 0700 /usr/local/etc/apache22/ssl.crt
create certificate
cd ~
openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in /root/server.csr -signkey /root/server.key -out /root/server.crt
Decrypt the key so that the server will not stop at boot to ask for the passphrase (the encrypted original is kept as server.key.old)
mv server.key server.key.old
openssl rsa -in server.key.old -out server.key
cp ~/server.key /usr/local/etc/apache22/ssl.key/
cp ~/server.crt /usr/local/etc/apache22/ssl.crt/
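The guide restricts its secret-bearing files one chmod at a time: the Postfix map files (600), smtpd.conf and imapd.pem (400), and the Apache ssl.key and ssl.crt directories (0700). This added example (not from the guide or FreeBSD) re-checks all of them in one pass and reports anything with a different mode; the 400 it expects on the decrypted server.key is this example's assumption, since the guide sets no mode on that file.

```shell
# Each argument is PATH:MODE, with MODE the exact octal mode expected.
# A missing path or a different mode is reported as BAD and makes the
# function return 1, so it can run from cron or right after a reinstall.
audit_secret_modes() {
    bad=0
    for spec in "$@"; do
        path=${spec%:*}; mode=${spec##*:}
        if [ ! -e "$path" ]; then
            echo "BAD: $path missing"; bad=1
        elif [ -n "$(find "$path" -prune ! -perm "$mode")" ]; then
            echo "BAD: $path is not mode $mode"; bad=1
        else
            echo "ok:  $path"
        fi
    done
    return $bad
}

# The paths and modes from this guide's configuration steps; the last
# entry (decrypted Apache key at 400) is an assumption, not a guide step.
audit_guide_secrets() {
    audit_secret_modes \
        /usr/local/etc/postfix/mysql_transport.cf:600 \
        /usr/local/etc/postfix/mysql_virtual_mbox.cf:600 \
        /usr/local/etc/postfix/mysql_uids.cf:600 \
        /usr/local/etc/postfix/mysql_gids.cf:600 \
        /usr/local/etc/postfix/mysql_virtual.cf:600 \
        /usr/local/lib/sasl2/smtpd.conf:400 \
        /usr/local/share/courier-imap/imapd.pem:400 \
        /usr/local/etc/apache22/ssl.key:700 \
        /usr/local/etc/apache22/ssl.crt:700 \
        /usr/local/etc/apache22/ssl.key/server.key:400
}
```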
set prompt
ee /usr/home/username/.cshrc
Inside the if block, add
set prompt="%{\e[0;32m%}`whoami`@%m%{\e[m%}:%{\e[1;32m%}%~%{\e[m%}%B> %b"
configure webmin
/usr/local/lib/webmin/setup.sh
Configure torrentflux
ee /usr/local/etc/tfconfig.php
Outstanding notes:
- bind?
- webmin vpn?
- setup proftpd
- create cron job:
cvsup -g -L 2 ~/ports-supfile
portsdb -Uu
(cvsup server: cvsup3.uk.freebsd.org)
- ee php.ini: add pear to the path (/usr/local/share/pear/) + alias + edit config.inc.php
Useful Commands
- cd - Change directory (use 'cd ..' to go up a directory)
- ls - List directory (same as dir; use 'ls -l' to get more info)
- mkdir - Make directory
- shutdown -r now - Reboot (although I think you can now just use 'reboot')
- ee - Edit a file
- /usr/local/etc/rc.d/apache22.sh restart
- r