FreeBSD Installation

From TMB Wiki
Revision as of 09:43, 18 July 2006 by Coptang (talk | contribs)

Missing from this guide

  1. NFS
  2. eAccelerator
  3. Configuring apache
  4. Snort


Installing OS

Filesystem explanation

/ - Where everything else goes.

/etc - Config files for apps installed as part of the OS.


swap - The swap file.


/var - Things that change a lot (logs, error logs, databases etc.). Ensure you rotate your logs or this will fill very quickly.

/var/log - The logs.

/var/db - The databases.


/tmp - Temporary storage


/usr - Generally stable files that don't change a lot (apps, static data, config files, home drives)

/usr/ports - Where all the ports (an apps repository) are kept.

/usr/bin & /usr/sbin - Compiled apps installed as part of the OS.

/usr/local/bin & /usr/local/sbin - Compiled apps installed at a later date.

/usr/local/etc - Config files for apps installed at a later date.

/usr/local/etc/rc.d - Startup / shutdown scripts for apps installed at a later date.

/usr/local/www/ - Default wwwroot.


Insert CD and boot

Set keyboard uk

Begin a standard installation

Be sure to leave some unallocated space, for an 80GB Drive:

/      2048m - at least
swap   4096m - 2 * memory
/var   8192m - big for mail
/tmp   1024m
/usr   the rest - just big

Install all

Add admin user with group wheel


Configure Kernel

cd /usr/src/sys/i386/conf
cp GENERIC TYPE_YOUR_KERNEL_NAME_HERE
ee TYPE_YOUR_KERNEL_NAME_HERE

Edit:

ident           TYPE_YOUR_KERNEL_NAME_HERE

Add:

# If your machine has more than 1 processor (not HT) the next line is needed.
options         SMP                     # Symmetric MultiProcessor Kernel

Comment out:

#cpu            I486_CPU
#cpu            I586_CPU
#makeoptions    DEBUG=-g                # Build kernel with gdb(1) debug symbols

Add:

# Enable ipfw.
options               IPFIREWALL
options               IPFIREWALL_VERBOSE
# Enable ip6fw too.
options               IPV6FIREWALL
options               IPV6FIREWALL_VERBOSE

Change to:

options         SCHED_ULE               # ULE scheduler
#options        SCHED_4BSD              # 4BSD scheduler

Build and install the new kernel

/usr/sbin/config TYPE_YOUR_KERNEL_NAME_HERE
cd ../compile/TYPE_YOUR_KERNEL_NAME_HERE
make depend
make
make install

If you don't have physical access to the box then be sure to add the following to /etc/rc.conf before you reboot! We can sort out the details later.

firewall_enable="yes"
firewall_type="open"
firewall_quiet="no"


Installing Apps

Install portsnap

Portsnap now comes as part of the system (6.1+), so there is no need for the next step unless you're using 6.0 or lower.

pkg_add -r portsnap
rehash

Run portsnap for first time

rehash
portsnap fetch
portsnap extract


Install portupgrade

cd /usr/ports/sysutils/portupgrade
make install clean
X use Berkeley DB >=2


Run portupgrade

rehash
portsdb -Uu
OR
cd /usr/ports && make fetchindex
portupgrade -a

If you get the following error message:

Port marked as IGNORE emulators/linux_base-8 
 unsupported by upstream, no security support anymore

Then run this to upgrade that port to the Fedora Core 4 base.

portupgrade -f -o emulators/linux_base-fc4 linux_base\* 
portupgrade -f -o x11/linux-xorg-libs linux-XFree86-libs 

Options for gettext 0.14.5_2

[ ] EXAMPLES  install example files
[ ] HTMLMAN   install man pages in HTML format


Install webmin

cd /usr/ports/sysutils/webmin
make install clean

Once installed run:

/usr/local/lib/webmin/setup.sh
Config file directory [/usr/local/etc/webmin]: (ENTER)
Log file directory [/var/log/webmin]: (ENTER)
Full path to perl (default /usr/bin/perl): (ENTER)
Web server port (default 10000): 23023 (ENTER)
Login name (default admin): SETTHIS (ENTER)
Login Password: SETTHIS (ENTER)
Use SSL (y/n): y (ENTER)


Install vsftp

cd /usr/ports/ftp/vsftpd
make install clean
X RC_NG install RC_NG script
X VSFTPD_SSL Include support for SSL


Install SNMP

cd /usr/ports/net-mgmt/net-snmp
make install  NET_SNMP_SYS_CONTACT="coptang@f2s.com" clean


Install MRTG

cd /usr/ports/net-mgmt/mrtg
make install clean


Install apache

cd /usr/ports/www/apache22
make install WITH_SSL_OPTIONS=yes clean 

This also installs python.


Install php5

cd /usr/ports/lang/php5
make install clean
X CLI        Build CLI version
  CGI        Build CGI version
X APACHE     Build Apache module
  DEBUG      Enable debug
  MULTIBYTE  Enable zend multibyte support
X IPV6       Enable ipv6 support
  REDIRECT   Enable force-cgi-redirect support (CGI only)
  DISCARD    Enable discard-path support (CGI only)
  FASTCGI    Enable fastcgi support (CGI only)
  PATHINFO   Enable path-info-check support (CGI only)


Install php5-extensions

cd /usr/ports/lang/php5-extensions
make install clean

GD pulls in X11.

  BCMATH     bc style precision math functions             
  BZ2        bzip2 library support                         
  CALENDAR   calendar conversion support                   
X CTYPE      ctype functions                               
  CURL       CURL support                                  
  DBA        dba support                                   
  DBASE      dBase library support                         
X DOM        DOM support                                   
  EXIF       EXIF support                                  
  FILEINFO   fileinfo support                              
  FILEPRO    filePro support                               
  FRIBIDI    FriBidi support                               
  FTP        FTP support                                   
X GD         GD library support                            
  GETTEXT    gettext library support                       
  GMP        GNU MP support                                
X ICONV      iconv support                                 
  IMAGICK    ImageMagick support                           
  IMAP       IMAP support                                  
  INTERBASE  Interbase 6 database support (Firebird)       
  LDAP       OpenLDAP support                              
  MBSTRING   multibyte string support                      
  MCRYPT     Encryption support                            
  MHASH      Crypto-hashing support                        
  MING       ming shockwave flash support                  
  MSSQL      MS-SQL database support                       
X MYSQL      MySQL database support                        
X MYSQLI     MySQLi database support                       
  NCURSES    ncurses support (CLI only)                    
  ODBC       unixODBC support                              
  OPENSSL    OpenSSL support                               
  PANDA      panda support                                 
  PCNTL      pcntl support (CLI only)                      
X PCRE       Perl Compatible Regular Expression support    
  PDF        PDFlib support (implies GD)                   
  PGSQL      PostgreSQL database support                   
X POSIX      POSIX-like functions                          
  PSPELL     pspell support                                
  READLINE   readline support (CLI only)                   
  RECODE     recode support                                
X SESSION    session support                               
  SHMOP      shmop support                                 
  SIMPLEXML  simplexml support                             
  SNMP       SNMP support                                  
  SOAP       SOAP support                                  
  SOCKETS    sockets support                               
  SQLITE     sqlite support                                
  SYBASE_CT  Sybase database support                       
  SYSVMSG    System V message support                      
  SYSVSEM    System V semaphore support                    
  SYSVSHM    System V shared memory support                
  TIDY       TIDY support                                  
  TOKENIZER  tokenizer support                             
  WDDX       WDDX support (implies XML)                    
  XML        XML support                                   
  XMLREADER  XMLReader support                             
  XMLRPC     XMLRPC-EPI support                            
  XMLWRITER  XMLWriter support                             
  XSL        XSL support (Implies DOM)                     
  YAZ        YAZ support (ANSI/NISO Z39.50)                
  ZIP        ZIP support                                   
  ZLIB       ZLIB support


Install mysql

MySQL version 5 is now preferred

cd /usr/ports/databases/mysql41-server
make install BUILD_OPTIMIZED=yes BUILD_STATIC=yes WITH_LINUXTHREADS=yes WITH_CHARSET=latin1 clean

Set root password

/usr/local/bin/mysqladmin -u root password 'newpassword'


Install phpmyadmin

cd /usr/ports/databases/phpmyadmin
make install clean
X BZ2       bzip2 library support                  
X GD        GD library support                     
X MYSQLI    Improved MySQL support                 
X OPENSSL   OpenSSL support                        
X PDF       PDFlib support (implies GD)            
X ZLIB      ZLIB support                           
X MCRYPT    MCrypt library support                 
X MBSTRING  Multi-byte character-set string support


Install postfix

cd /usr/ports/mail/postfix
make install clean

Postfix configuration options

  NOPCRE       DISABLE Perl Compatible Regular Expressions              
  SASL         Cyrus SASLv1 (Simple Authentication and Security Layer)  
X SASL2        Cyrus SASLv2 (Simple Authentication and Security Layer)  
  SASLKRB      If your SASL requires Kerberos select this option        
  SASLKRB5     If your SASL requires Kerberos5 select this option       
  SASLKRB5MIT  If your SASL requires MIT Kerberos5 select this option   
X SPF          SPF support                                              
X TLS          SSL and TLS                                              
  DB3          Berkeley DB3 (required if SASL also built with DB3)      
  DB40         Berkeley DB4.0 (required if SASL also built with DB4.0)  
  DB41         Berkeley DB4.1 (required if SASL also built with DB4.1)  
  DB42         Berkeley DB4.2 (required if SASL also built with DB4.2)  
  DB43         Berkeley DB4.3 (required if SASL also built with DB4.3)  
X MySQL        MySQL map lookups (choose version with WITH_MYSQL_VER)   
  PgSQL        PostgreSQL map lookups (choose with DEFAULT_PGSQL_VER)   
  OpenLDAP     OpenLDAP map lookups (choose ver. with WITH_OPENLDAP_VER)
  CDB          CDB map lookups                                          
  NIS          NIS map lookups                                          
  VDA          VDA (Virtual Delivery Agent)                             
  Test         SMTP/LMTP test server and generator
You need user "postfix" added to group "mail".
Would you like me to add it [y]? y
Would you like to activate Postfix in /etc/mail/mailer.conf [n]?

Install courier-imap

cd /usr/ports/mail/courier-imap
make install clean

Options for courier-imap 4.0.6_1,1

X OPENSSL      Build with OpenSSL support           
  FAM          Build in fam support for IDLE command
  TRASHQUOTA   Include deleted mails in the quota   
  GDBM         Use gdbm db instead of system bdb    
X IPV6         Build with IPv6 support              
  AUTH_LDAP    LDAP support                         
X AUTH_MYSQL   MySQL support                        
  AUTH_PGSQL   PostgreSQL support                   
  AUTH_USERDB  Userdb support                       
  AUTH_VCHKPW  Vpopmail/vchkpw support


Install torrentflux

cd /usr/ports/net/torrentflux
make install clean

Options for adodb 4.68

  TESTS  Install tests

Options for php5-sqlite 5.1.2

X UTF8  Enable UTF-8 support


Install snort

cd /usr/ports/security/snort
make install clean

Options for snort 2.4.3_1

X FLEXRESP    Flexible response to events
X MYSQL       Enable MySQL support
  ODBC        Enable ODBC support
  POSTGRESQL  Enable PostgreSQL support
  PRELUDE     Enable Prelude NIDS integration


Post Install Configuration

Edit startup scripts

ee /etc/rc.conf

To the end add

webmin_enable="YES"
mysql_enable="YES"
apache22_enable="YES"
apache22_flags="-DSSL"
syslogd_flags="-ss"
vsftpd_enable="YES"
# Enable postfix, disable sendmail
postfix_enable="YES"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
# Enable snmp
snmpd_enable="YES"
snmpd_flags="-a -p /var/run/snmpd.pid"
snmptrapd_enable="YES"
snmptrapd_flags="-a -p /var/run/snmptrapd.pid"
# Enable ipfw.
firewall_enable="YES"
firewall_type="client"             # see rc.firewall for what goes here
firewall_quiet="NO"

# Enable ip6fw.
ipv6_firewall_enable="YES"
ipv6_firewall_type="client"        # see rc.firewall6 for what goes here
ipv6_firewall_quiet="NO"

To configure an adaptor

ifconfig_em0="inet 192.168.100.10 netmask 255.255.255.0"
defaultrouter="192.168.100.1"
hostname="host.yourdomain.lan"

NOTE: em0 is the NIC identifier; em0 is the Intel PRO/1000 card. You will need to find what card you have and use the appropriate identifier (3Com = xl0, Intel 10/100 = fxp0, etc.).

To configure another ip address

ifconfig_fxp0_alias0="inet 192.168.100.11 netmask 255.255.255.255"
ifconfig_fxp0_alias1="inet 192.168.100.12 netmask 255.255.255.255"
ifconfig_fxp0_alias2="inet 192.168.100.23 netmask 255.255.255.255"
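An added example, not from the wiki page: a small POSIX sh audit of an rc.conf fragment for the settings in this section. It flags a firewall_type still at the "open" value used during the remote install, any sendmail_* knob not set to NO while postfix is enabled, syslogd_flags without -ss, and ifconfig lines that say "subnet" instead of "netmask"; the function names and both sample fragments are constructed here.

```shell
#!/bin/sh
# Added example, not part of the original wiki page: audit an rc.conf
# fragment for the settings this guide sets, so the temporary install-time
# values are not left behind. Assumes the simple  name="value"  form used in
# the guide. Findings are printed one per line; no output means clean.

# rc_get FILE NAME -> last value assigned to NAME in FILE, quotes stripped
rc_get() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}
lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# audit_rcconf FILE -> prints one finding per line
audit_rcconf() {
    f=$1
    # 1. ipfw must be enabled and no longer in the "open" mode used only
    #    while the box is built remotely; the guide's final value is "client".
    if [ "$(lower "$(rc_get "$f" firewall_enable)")" != yes ]; then
        echo "firewall_enable is not YES"
    elif [ "$(lower "$(rc_get "$f" firewall_type)")" = open ]; then
        echo "firewall_type is still \"open\"; the guide ends with \"client\""
    fi
    # 2. With postfix enabled every sendmail_* knob must be NO, otherwise the
    #    base-system sendmail keeps running alongside postfix.
    if [ "$(lower "$(rc_get "$f" postfix_enable)")" = yes ]; then
        for v in sendmail_enable sendmail_submit_enable \
                 sendmail_outbound_enable sendmail_msp_queue_enable; do
            [ "$(lower "$(rc_get "$f" "$v")")" = no ] || echo "$v is not NO"
        done
    fi
    # 3. syslogd_flags="-ss" keeps syslogd off the network entirely.
    case "$(rc_get "$f" syslogd_flags)" in
        *-ss*) ;;
        *) echo "syslogd_flags lacks -ss" ;;
    esac
    # 4. ifconfig_* lines take "netmask"; "subnet" is not an ifconfig keyword.
    grep -n '^ifconfig_.*subnet' "$f" |
        sed 's/^/ifconfig line uses "subnet" instead of "netmask": /'
}

# Constructed samples: the install-time fragment and the guide's final one.
write_sample_install() {
    cat > "$1" <<'EOF'
firewall_enable="yes"
firewall_type="open"
postfix_enable="YES"
sendmail_enable="NO"
syslogd_flags=""
ifconfig_em0="inet 192.168.100.10 subnet 255.255.255.0"
EOF
}
write_sample_final() {
    cat > "$1" <<'EOF'
syslogd_flags="-ss"
postfix_enable="YES"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
firewall_enable="YES"
firewall_type="client"             # see rc.firewall for what goes here
ifconfig_em0="inet 192.168.100.10 netmask 255.255.255.0"
EOF
}

# Usage: audit both samples; only the install-time one produces findings.
dir=$(mktemp -d)
write_sample_install "$dir/rc.conf.install"
write_sample_final "$dir/rc.conf.final"
audit_rcconf "$dir/rc.conf.install"
audit_rcconf "$dir/rc.conf.final"
rm -rf "$dir"
```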


Edit periodic.conf

ee /etc/defaults/periodic.conf

Change the following to "NO" to disable the sendmail-related daily jobs

daily_clean_hoststat_enable="NO"
daily_status_mail_rejects_enable="NO"
daily_status_include_submit_mailq="NO"
daily_submit_queuerun="NO"


Add cron jobs

http://www.unixgeeks.org/security/newbie/unix/cron-1.html

ee /var/cron/tabs/root

Setup daily / weekly jobs to maintain server

#Cron file for root
#min    hour    dom     mon     dow     command
56      6       *       *       *       /usr/sbin/portsnap fetch update
47      5       *       *       *       /usr/local/bin/ntpdate ntp2c.mcc.ac.uk


Sort DNS

ee /etc/resolv.conf

It should look something like the following. Ensure that this DNS server can resolve your hostname.

domain          poynter.net
nameserver      xxx.xxx.xxx.xxx
nameserver      xxx.xxx.xxx.xxx


Configure vsftpd

ee /usr/local/etc/vsftpd.conf
listen=YES
background=YES


Configure mysql

cd /usr/local/share/mysql/
cp my-huge.cnf /etc/my.cnf
ee /etc/my.cnf

Uncomment

skip-networking

Edit

thread_concurrency = 4


Configure mySQL for postfix / courier

mysql -p -u root

Type in your password

CREATE DATABASE maildb;
USE maildb;
CREATE TABLE transport (
   domain varchar(128) NOT NULL,
   transport varchar(128) NOT NULL,
   UNIQUE KEY domain (domain)
 ) TYPE=MyISAM;
CREATE TABLE users (
   id varchar(128) NOT NULL,
   address varchar(128) NOT NULL,
   clear varchar(128) NOT NULL,
   crypt varchar(128) NOT NULL,
   name varchar(128) NOT NULL default '',
   uid smallint(5) unsigned NOT NULL default 5000,
   gid smallint(5) unsigned NOT NULL default 5000,
   home varchar(128) NOT NULL,
   domain varchar(128) NOT NULL,
   maildir varchar(255) NOT NULL,
   quota integer unsigned NOT NULL,
   imapok tinyint(3) unsigned NOT NULL default '1',
   PRIMARY KEY  (id),
   UNIQUE KEY id (id),
   UNIQUE KEY address (address),
   KEY id_2 (id),
   KEY address_2 (address)
   ) TYPE=MyISAM;
CREATE TABLE virtual (
   address varchar(255) NOT NULL,
   goto varchar(255) NOT NULL,
   UNIQUE KEY address (address)
   ) TYPE=MyISAM;
GRANT SELECT
  ON maildb.*
  TO maildb_user@localhost
  IDENTIFIED BY '****chose a password here****'
  ;


Configure postfix

ee /usr/local/etc/postfix/main.cf

Add at the end

#COPK - Allow transport maps
transport_maps=mysql:/usr/local/etc/postfix/mysql_transport.cf
virtual_mailbox_maps=mysql:/usr/local/etc/postfix/mysql_virtual_mbox.cf
virtual_uid_maps=mysql:/usr/local/etc/postfix/mysql_uids.cf
virtual_gid_maps=mysql:/usr/local/etc/postfix/mysql_gids.cf
virtual_mailbox_base=/var/spool/postfix/virtual/
virtual_maps=mysql:/usr/local/etc/postfix/mysql_virtual.cf
mydestination = $mydomain, $myhostname, $transport_maps

# 100 MB
virtual_mailbox_limit=102400000
virtual_minimum_uid=100

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions =
       permit_mynetworks,
       permit_sasl_authenticated,
       reject_unknown_sender_domain,
       reject_unauth_pipelining,
       reject_unknown_recipient_domain,
       reject_non_fqdn_sender,
       reject_non_fqdn_recipient,
       reject_non_fqdn_hostname,
       check_relay_domains
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /usr/local/share/courier-imap/imapd.pem
smtpd_tls_cert_file = /usr/local/share/courier-imap/imapd.pem
smtpd_tls_CAfile = /usr/local/share/courier-imap/imapd.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
# allow authentication (e.g. PLAIN/LOGIN) only in TLS mode
smtpd_tls_auth_only = yes

Create the following files

ee /usr/local/etc/postfix/mysql_transport.cf
user=maildb_user
password=******
dbname=maildb
table=transport
select_field=transport
where_field=domain
hosts=localhost
ee /usr/local/etc/postfix/mysql_virtual_mbox.cf
user=maildb_user
password=*****
dbname=maildb
table=users
select_field=maildir
where_field=address
hosts=localhost
ee /usr/local/etc/postfix/mysql_uids.cf
user=maildb_user
password=*****
dbname=maildb
table=users
select_field=uid
where_field=address
hosts=localhost
ee /usr/local/etc/postfix/mysql_gids.cf
user=maildb_user
password=*****
dbname=maildb
table=users
select_field=gid
where_field=address
hosts=localhost
ee /usr/local/etc/postfix/mysql_virtual.cf
user=maildb_user
password=******
dbname=maildb
table=virtual
select_field=goto
where_field=address
hosts=localhost

Change permissions on postfix files

cd /usr/local/etc/postfix
chown postfix:postfix mysql_*
chmod 600 mysql_*
mkdir /var/spool/postfix/virtual
chown postfix:postfix /var/spool/postfix/virtual


Configure courier-imap

cd /usr/local/etc/courier-imap
cp imapd.cnf.dist imapd.cnf
ee imapd.cnf

Should look similar to this:

RANDFILE = /usr/local/share/courier-imap/imapd.rand
[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no
[ req_dn ]
C=UK
ST=LO
L=London
O=Courier Mail Server
OU=Automatically-generated IMAP SSL key
CN=localhost
emailAddress=postmaster@cupboardy.org
[ cert_type ]
nsCertType = server

Configure authlib

cd /usr/local/etc/authlib
ee authdaemonrc

Add after commenting original authmodulelist

#COPK - authmodulelist
authmodulelist="authmysql"

ee authmysqlrc

Add / edit the following

MYSQL_SERVER            localhost
MYSQL_USERNAME          maildb_user
MYSQL_PASSWORD          *****
MYSQL_SOCKET            /tmp/mysql.sock
MYSQL_DATABASE          maildb
MYSQL_USER_TABLE        users
MYSQL_CRYPT_PWFIELD     crypt
MYSQL_UID_FIELD         uid
MYSQL_GID_FIELD         gid
MYSQL_LOGIN_FIELD       id
MYSQL_HOME_FIELD        home
MYSQL_NAME_FIELD        name
MYSQL_MAILDIR_FIELD     maildir
MYSQL_QUOTA_FIELD       quota
MYSQL_WHERE_CLAUSE      imapok=1

Make certificate

/usr/local/share/courier-imap/mkimapdcert

Configure SASL for postfix

ee /usr/local/lib/sasl2/smtpd.conf
pwcheck_method:auxprop
mech_list: plain login
mysql_user: maildb_user
mysql_passwd: *******
mysql_hostnames: localhost
mysql_database: maildb
mysql_statement: select clear from users where id = '%u'
# mysql_verbose: 1
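An added example, not code from the wiki: a shell helper that prints the SQL for adding a domain, a mailbox and an alias to the maildb schema from the "Configure mySQL for postfix / courier" section, with a maildir path that works for both Postfix (virtual_mailbox_base + maildir) and Courier (home + maildir) and an imapok=1 row that the authmysqlrc WHERE clause selects. The function names, the 'virtual:' transport value and the placeholder hash are assumptions; the crypt(3) hash for the `crypt` column is supplied by the caller, not computed here.

```shell
#!/bin/sh
# Added example, not part of the original wiki page: print the SQL that adds
# one domain, one mailbox and one alias to the maildb schema from this guide.
# The row layout follows the three consumers of the `users` table:
#   Postfix  - virtual_mailbox_maps returns `maildir`, relative to
#              virtual_mailbox_base; the trailing "/" makes it a Maildir
#   Courier  - authmysqlrc reads home + maildir, uid/gid, and only rows
#              matching MYSQL_WHERE_CLAUSE imapok=1
#   SASL     - smtpd.conf selects `clear` for PLAIN/LOGIN (TLS only)
# Function names, the 'virtual:' transport value and the sample hash are
# assumptions; the crypt(3) hash is supplied by the caller (for example
# from `openssl passwd -1`) and is never computed here.

MAIL_BASE=/var/spool/postfix/virtual   # virtual_mailbox_base in main.cf
MAIL_UID=5000; MAIL_GID=5000           # defaults in the users table
MAIL_QUOTA=102400000                   # 100 MB, as virtual_mailbox_limit

# sql_quote STRING -> single-quoted SQL literal; backslashes and embedded
# quotes are escaped so an address or name cannot break out of the statement
sql_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/''/g")"
}

# maildir_for ADDRESS -> Maildir path relative to MAIL_BASE: domain/local/
maildir_for() { printf '%s/%s/' "${1#*@}" "${1%%@*}"; }

# add_mail_domain DOMAIN -> transport_maps row handing the domain to the
# virtual delivery agent (assumed value; adjust for another transport)
add_mail_domain() {
    printf "INSERT INTO transport (domain, transport) VALUES (%s, 'virtual:');\n" \
        "$(sql_quote "$1")"
}

# add_mail_user ADDRESS CLEAR_PW CRYPT_PW NAME -> prints the users INSERT
add_mail_user() {
    addr=$1 clear=$2 crypt=$3 name=$4
    case "$addr" in
        *@*.*) ;;
        *) echo "add_mail_user: '$addr' is not user@domain" >&2; return 1 ;;
    esac
    domain=${addr#*@}
    cat <<EOF
INSERT INTO users (id, address, clear, crypt, name, uid, gid, home, domain,
                   maildir, quota, imapok)
  VALUES ($(sql_quote "$addr"), $(sql_quote "$addr"), $(sql_quote "$clear"),
          $(sql_quote "$crypt"), $(sql_quote "$name"), $MAIL_UID, $MAIL_GID,
          $(sql_quote "$MAIL_BASE"), $(sql_quote "$domain"),
          $(sql_quote "$(maildir_for "$addr")"), $MAIL_QUOTA, 1);
EOF
}

# add_mail_alias ADDRESS GOTO -> prints the INSERT for the virtual table
add_mail_alias() {
    printf 'INSERT INTO virtual (address, goto) VALUES (%s, %s);\n' \
        "$(sql_quote "$1")" "$(sql_quote "$2")"
}

# Usage with constructed values (the hash is a placeholder, not a real one)
add_mail_domain "example.com"
add_mail_user "alice@example.com" "changeme" '$1$PLACEHOLDER$' "Alice Example"
add_mail_alias "postmaster@example.com" "alice@example.com"
```

Pipe the output into `mysql -p -u root maildb` after checking it; the GRANT in the schema section only gives maildb_user SELECT, so inserts need the root account.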

Set permissions

chmod 400 /usr/local/lib/sasl2/smtpd.conf

Change permissions on certificate

cd /usr/local/share/courier-imap
chmod 400 imapd.pem


Configure MRTG

http://mrtg.hdl.com/unix-guide.html

cfgmaker --global 'WorkDir: /home/httpd/mrtg'  \
         --global 'Options[_]: bits,growright' \
         --output /home/httpd/mrtg/mrtg.cfg    \
          community@router.abc.xyz


Create php.ini

cd /usr/local/etc
cp php.ini-recommended php.ini

Edit php.ini

ee /usr/local/etc/php.ini

Change to

short_open_tag = On


Edit hosts file

ee /etc/hosts

Change all uncommented my.domain's to e.g. poynter.net

At the end add

# Set my hostname
10.0.23.1               killingtime.poynter.net killingtime


Edit apache config file

ee /usr/local/etc/apache22/httpd.conf

Change the line

ServerAdmin you@example.com

Change the line

ServerName you.example.com:80

Change the line

DirectoryIndex index.html index.php

Add (near other AddType's)

#
# Add php file type handlers
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps

Add

Alias /sqladmin/ "/usr/local/www/phpMyAdmin/"

<Directory "/usr/local/www/phpMyAdmin">
   AllowOverride None
   Order allow,deny
   Allow from all
</Directory>

After the main doc root directory definition


Edit apache vhosts file

ee /usr/local/etc/apache22/extra/httpd-vhosts.conf

Define more virtual hosts if required:

<VirtualHost *:80>
   ServerAdmin webmaster@poynter.net
   DocumentRoot /www/anewdocroot
   ServerName www.test.net
</VirtualHost>


If desired, change ssh port

ee /etc/ssh/sshd_config


Edit firewall rules

ee /etc/rc.firewall

In client section add

# COPK - Allow webmin
${fwcmd} add pass tcp from any to ${ip} 23023 setup
# COPK - Allow ssh in on 22222
${fwcmd} add pass tcp from any to ${ip} 22222 setup
# COPK - Allow web
${fwcmd} add pass tcp from any to ${ip} 80 setup
${fwcmd} add pass tcp from any to ${ip} 443 setup
# COPK - ICMP section
# Pass 'ping'
${fwcmd} add pass icmp from any to any icmptypes 8 keep-state
# Pass error messages generated by 'traceroute'
${fwcmd} add pass icmp from any to any icmptypes 3
${fwcmd} add pass icmp from any to any icmptypes 11


Edit IPV6 firewall rules

ee /etc/rc.firewall6


Create SSL Directories

mkdir /usr/local/etc/apache22/ssl.key
mkdir /usr/local/etc/apache22/ssl.crt
chmod 0700 /usr/local/etc/apache22/ssl.key
chmod 0700 /usr/local/etc/apache22/ssl.crt


create certificate

cd ~
openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
cp ~/server.crt /usr/local/etc/apache22/ssl.crt/

Decrypt the key so that the server will not stop at boot asking for the passphrase, then copy the decrypted key into place

mv ~/server.key ~/server.key.old
openssl rsa -in server.key.old -out server.key
cp ~/server.key /usr/local/etc/apache22/ssl.key/


set prompt

ee /usr/home/username/.cshrc

in the if add

set prompt="%{\e[0;32m%}`whoami`@%m%{\e[m%}:%{\e[1;32m%}%~%{\e[m%}%B> %b"


configure webmin

/usr/local/lib/webmin/setup.sh


Configure torrentflux

ee /usr/local/etc/tfconfig.php


To do

  1. bind?
  2. webmin vpn?
  3. setup proftpd
  4. create cron job: cvsup -g -L 2 ~/ports-supfile followed by portsdb -Uu (mirror: cvsup3.uk.freebsd.org)
  5. ee php.ini: add pear to the path (/usr/local/share/pear/) + alias + edit config.inc.php


Useful Commands

cd
Change directory (use 'cd ..' to go up a directory)
ls 
List directory (Same as dir. Use 'ls -l' to get more info)
mkdir 
Make directory
shutdown -r now 
Reboot (Although I think you can now just use 'reboot')
ee 
Edit a file
/usr/local/etc/rc.d/apache22.sh restart 
r