# FreeBSD Server Installation Notes

# Overview

This document details the steps involved in setting up a multi-user server on FreeBSD 4.7. This is a guide for me more than anything but hopefully it'll be useful to someone else as well. The guide details the installation and configuration of utilities on a FreeBSD system quickly from scratch, but doesn't actually include the installation of the system itself.

For the record the base installation was done from a FreeBSD 4.7 boot CD-ROM (disk 1) using a 'custom' install. I partitioned a 40GB Maxtor drive into two FreeBSD partitions, one 5GB for swap and the base system and the rest (35GB) for the /home and /var filesystems (ideally each of these filesystems would be on a separate physical disk, but this isn't practicable for me right now). I opted to install the FreeBSD boot manager on the next screen in sysinstall. I chose the disklabel option, then created the following slices:

```
ad0s1a  /      200MB    UFS
ad0s1b  swap   200MB    SWAP
ad0s1e  /usr   4500MB   UFS+S
ad0s2e  /home  15000MB  UFS+S
ad0s2f  /opt   15000MB  UFS+S
ad0s2g  /var   3000MB   UFS+S
```

I selected the 'Kern-Developer' distribution set from the Distribution page in sysinstall and opted to install the FreeBSD ports. No other post-install configuration was done at this point. All other configuration of the system is covered below.

The following features are installed/configured into the system:

- IPFilter
- Sendmail with support for ASMTP
- Kernel rebuild
- System rebuild (make world)
- Qpopper
- ProFTPD
- Apache
- PHP
- mutt
- vim
- lynx-ssl
- urlview
- wget
- Tcl

By convention I've used the C shell, which I set with the following line in my .cshrc file:

```
set prompt="%n@%m %/# "
```

which displays the following prompt:

```
root@dev /root#
```

where 'root' is the current user, 'dev' is the hostname and /root is the CWD (current working directory). This makes it easier to follow the guide hopefully, allowing you to check you're in the right directory whilst executing commands.
See the section on the .cshrc file below about this as well (and of course man csh!). As mentioned above, this is mainly a personal reference and so I apologize if details are omitted regarding what each command does in tiny detail. Similarly, when configuring the system for a rebuild for example, steps are detailed that may include more information than is necessary at that point in the guide; however that additional info will be used/required at a later point in the guide and so is included to speed things up.

I once followed a similar guide and when I read a statement like the last one I thought, 'mmm'; rereading the last paragraph, again I find myself thinking, 'mmm' !!! :) I guess it's a long-winded way of saying, 'this ain't straight-forward'! As always, the handbook is your friend: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/index.html.

# Login as root!

Self explanatory :)

**** SET A ROOT PASSWORD!!! (passwd) ****

After the next step we will create a 'wheel' group user so we don't have to login as root any more.

# rc.conf

Create the file rc.conf:

```
#
# named?
#
# Use named?:
named_enable="YES"
#
# inetd?
#
# Use inetd?:
inetd_enable="YES"
#
# sendmail?
#
# Use sendmail?:
sendmail_enable="YES"
#
# sshd?
#
# we use the ports version now:
sshd_enable="YES"
#
# Network
#
# our name:
hostname="dev.munk.me.uk"
# are we to be used as a gateway?:
gateway_enable="NO"
# which is our default router?:
defaultrouter="213.152.51.193"
# Intel 10/100:
ifconfig_fxp0="inet 213.152.51.197 netmask 255.255.255.248"
#
# Packet filtering:
#
ipfilter_enable="YES"
#ipfilter_rules="/etc/ipf.rules.allow_all"
ipfilter_rules="/etc/ipf.rules"
#
# ip monitoring
#
# Filtered IP Packet Monitoring / ipmon:
ipmon_enable="YES"
#
# ICMP
#
# additional icmp filtering:
icmp_drop_redirect="YES"
# log dodginess!
icmp_log_redirect="YES"
#
# Auxiliary devices
#
# vid/keybd mode settings:
keymap="uk.cp850"
keyrate="fast"
font8x8="swiss-8x8"
allscreens_flags="-h 14500 80x50"
#
# Syslogd
#
syslogd_enable="YES"                  # Run syslog daemon (or NO).
syslogd_program="/usr/sbin/syslogd"   # path to syslogd, if you want a different one.
syslogd_flags="-s"                    # Flags to syslogd (if enabled).
#
# Accounting
#
# set up proc accounting:
accounting_enable="YES"               # Turn on process accounting (or NO).
#
# Clear out /tmp
#
clear_tmp_enable="YES"
#
# SASL
#
# use pwcheck:
sasl_pwcheck_enable=yes
```

Notes:

- Named: It is convenient to have the system run named at least as a local caching name server (which the FreeBSD default configuration is set up to do).
- inetd, sshd and sendmail: These items are actually enabled by default on FreeBSD 4.7, but by placing 'inetd_enable="YES"' in the rc.conf file we remind ourselves that to disable them we need to change the values from "YES" to "NO"!
- IPFilter: DO NOT reboot the system until the kernel is rebuilt to enable ipf, otherwise errors will occur when the ipfilter lines are read in from the rc.conf file.
- Network: Obviously these settings are on a per-network basis; if anyone else uses this guide, don't use my settings!!!
- ICMP: The various ICMP lines in rc.conf are for added security.
- Auxiliary device setup: These are just personal preference and certainly not required. The 'allscreens' flag is particularly nice though, setting the 'resolution' of the default console to over twice its usual setting; note that you do need to load a font that supports this setting, hence the 'font' line above.
- Syslogd: Another set of rc.conf flags that are actually set by default; it doesn't harm to add them here in rc.conf though.
- Accounting: On a system with limited /var filesystem space and a high number of users it is unwise to turn process accounting on.
- SASL: The SASL option will be used to start up the pwcheck daemon to allow users to use authentication over SMTP.
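With ipmon enabled above (and ipfilter logging compiled into the kernel later on), it is worth having a quick way to review what the filter has been blocking. The following is an added example, not part of the original guide: two small awk-based summaries over ipmon output. The log lines in SAMPLE_LOG are constructed for the example and follow the ipmon(8) file-output layout; the addresses are made up.

```shell
#!/bin/sh
# Summarise what ipmon has written (ipmon_enable="YES" above, with
# 'options IPFILTER_LOG' in the kernel) so blocked traffic can be reviewed
# once the real ruleset is loaded.  Only awk and sort are needed.
# The lines in SAMPLE_LOG are constructed for this example and follow the
# ipmon(8) file-output layout:
#   date time iface @group:rule action src,sport -> dst,dport PR proto len hlen plen [flags] dir
# where action is 'p' (passed) or 'b' (blocked) and dir is IN or OUT.
SAMPLE_LOG='29/10/2002 14:28:04.100000 fxp0 @0:1 p 213.152.51.198,40112 -> 213.152.51.197,22 PR tcp len 20 60 -S IN
29/10/2002 14:28:05.200000 fxp0 @0:9 b 10.9.8.7,4444 -> 213.152.51.197,111 PR tcp len 20 60 -S IN
29/10/2002 14:28:05.300000 fxp0 @0:9 b 10.9.8.7,4445 -> 213.152.51.197,135 PR tcp len 20 60 -S IN
29/10/2002 14:28:06.400000 fxp0 @0:9 b 10.9.8.7,4446 -> 213.152.51.197,139 PR tcp len 20 60 -S IN
29/10/2002 14:28:07.500000 fxp0 @0:9 b 192.0.2.55,53 -> 213.152.51.197,1025 PR udp len 20 64 IN
29/10/2002 14:28:08.600000 fxp0 @0:2 p 213.152.51.197,25 -> 198.51.100.9,33101 PR tcp len 20 60 -AS OUT
29/10/2002 14:28:09.700000 fxp0 @0:9 b 10.9.8.7,4447 -> 213.152.51.197,445 PR tcp len 20 60 -S IN'

# blocked_inbound LOGFILE: one line per source host that was blocked inbound,
# "<host> <count> <dst ports>", busiest host first.
blocked_inbound() {
    awk '
        $5 == "b" && $NF == "IN" {
            split($6, src, ",")           # "10.9.8.7,4444" -> host, source port
            split($8, dst, ",")           # destination host, destination port
            host = src[1]; port = dst[2]
            count[host]++
            if (!seen[host, port]++)
                ports[host] = (ports[host] == "" ? port : ports[host] "," port)
        }
        END {
            for (h in count) printf "%s %d %s\n", h, count[h], ports[h]
        }' "$1" | sort -k2,2nr -k1,1
}

# rule_hits LOGFILE: how often each @group:rule fired, most frequent first;
# a rule that fires far more than expected is the one to look at.
rule_hits() {
    awk '{ hits[$4]++ } END { for (r in hits) printf "%s %d\n", r, hits[r] }' "$1" \
        | sort -k2,2nr -k1,1
}

# Usage on the real box: blocked_inbound <file ipmon writes to>; the path
# depends on the ipmon_flags you use, so it is not hard-coded here.
```

For the constructed sample, blocked_inbound reports 10.9.8.7 as the busiest blocked source with four hits across ports 111, 135, 139 and 445.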
# Install /etc/resolv.conf

Create a file /etc/resolv.conf with the one line:

```
nameserver 127.0.0.1
```

in it.

REBOOT MACHINE FOR SETTINGS TO TAKE EFFECT. Some errors will occur because we have yet to install items such as 'pwcheck'.

# pw configuration

pw is a utility for creating, removing, modifying and displaying system users and groups. By default no pw.conf file is installed in /etc/, therefore we need to create the file /etc/pw.conf using the pw utility with the '-D' switch. Create the /etc/pw.conf file:

```
root@dev /root# pw useradd -D
```

This creates the file /etc/pw.conf with default values reasonable for FreeBSD. We make one minor change so that after issuing 'pw useradd user', a random password will be dumped to the screen as well. This is useful for creating passwords from within auxiliary adduser scripts we will create and use on the system for automating the registration of new users and the delivery of these users' user/password details. Modify the following lines in /etc/pw.conf to read:

```
defaultpasswd = "random"
defaultshell = "csh"
```

All other settings should be left alone.

# Skeleton files

The skeleton files in /usr/share/skel are copied into a user's home directory when it's created by the pw utility with the -m switch.

NOTE: ALL THESE FILES ARE TAR'D UP AT: http://munk.me.uk/sysinstall/skel.tar.gz. If not, mail me at munk@munk.me.uk for an up-to-date copy. You can use:

```
fetch http://munk.me.uk/sysinstall/skel.tar.gz
```

to grab the file (since wget etc. is not installed yet).
Modify the skel directory to include:

- a log file directory (for users' web logs)
- a web directory (for users' html files)
- a .vimrc file
- a .muttrc file
- a .cshrc file (modified to include some useful aliases)

Commands to be carried out:

```
root@dev /root# cd /usr/share/skel
root@dev /usr/share/skel# mkdir logs
root@dev /usr/share/skel# mkdir web
```

Edit/create the following files:

```
" .vimrc file
syn on
set autoindent
set tabstop=4
set history=1000
set ignorecase
set shiftwidth=4
set sc
set wmnu
set ls=2
set ruler
set comments=b:#,:%,fb:-,n:>,n:),sr:/*,mb:*,ex:*/,b://
set hidden
```

```
# .muttrc file
# mutt startup file
set folder=~/Mail
set alias_file=~/.mail_aliases
source ~/.mail_aliases
set attribution="On %d, %n wrote:"
set autoedit
set noconfirmappend
set confirmcreate
set copy=yes
set edit_headers
set editor="vim"
set index_format="%4C [%2M] %Z %{%c} %-15.15L (%6c) %s"
set help
set history=200
set hostname="munk.me.uk"
set include
set indent_string="> "
set nomark_old
set mail_check=10
set mbox=+mbox
set mime_forward
set move=yes
set pager=less
set pager_index_lines=10
set postponed=+postponed
set post_indent_string='---end quoted text---'
set print_command=/bin/false
set noprompt_after
set read_inc=25
set record=+outbox
set reply_to
set reverse_name
#set signature="~/.signature"
set sort=threads
set sort_browser=reverse-date
set spoolfile=$MAIL
set status_format="-%r-Mutt: %f [Msgs:%?M?%M/?%m%?n? New:%n?%?d? Del:%d?%?F? Flag:%F?%?t? Tag:%t?%?p? Post:%p?%?b? Inc:%b? %l]---(%s)-%>-(%P)---"
set tilde
set nouse_domain
set pgp_verify_sig=no
set visual=vim
set write_inc=25
ignore *
unignore from: subject to cc mail-followup-to \
    date x-mailer x-url
#color normal white default
color hdrdefault red default
color quoted brightblue default
color signature red default
color indicator brightyellow red
color error brightred default
color status yellow blue
color tree magenta default
color tilde magenta default
color message brightcyan default
color markers brightcyan default
color attachment brightmagenta default
color search default green
color header brightred default ^From:
color header brightblue default ^Subject:
color body magenta default "(ftp|http)://[^ ]+"
color body magenta default [-a-z_0-9.]+@[-a-z_0-9.]+
color underline brightgreen default
mono quoted bold
bind generic "\e<" first-entry
bind generic \e> last-entry
bind generic { top-page
bind generic } bottom-page
bind generic \177 last-entry
macro index \cb |urlview\n
macro index S s+spam\n
macro pager S s+spam\n
bind pager G bottom
unhdr_order *                   # forget the previous settings
hdr_order date from subject to cc
auto_view application/x-gunzip
auto_view application/x-gzip
# Place your personal settings after this line:
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# set this to your preferred choice, example given:
#my_hdr From: Jez Hancock
# Specify default filename when saving messages
#
# save-hook [!]
#
# is provided as default when saving messages from
# two examples to get you going. for help google for:
# manual.txt mutt
# !
save-hook "~C [mM]utt" +/lists/mutt-users-list
save-hook "~C bugtraq" +/lists/bugtraq-list
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#
# Aliases
#
# alias [ , ... ]
# alias mutt- Mutt User List
# again two examples to get you going:
alias mutt-users Mutt User List
alias bugtraq Bugtraq List
# [ ... ]
# again two examples to get you going:
lists mutt-users@mutt.org \
    bugtraq@securityfocus.com
subscribe mutt-users@mutt.org \
    bugtraq@securityfocus.com
# set the inboxes to check:
mailboxes `echo $HOME/Mail/IN.*`
```

```
# .cshrc file
# csh/tcsh startup file
alias ls    ls -F
alias h     history 25
alias j     jobs -l
alias la    ls -a
alias lf    ls -FA
alias ll    ls -lA

# A righteous umask
umask 22

set path = ($HOME/bin /sbin /bin /usr/sbin /usr/bin /usr/games /usr/local/sbin /usr/local/bin /usr/X11R6/bin)

setenv EDITOR    vi
setenv PAGER     less
setenv BLOCKSIZE K
setenv MAIL      /var/mail/$USER

if ($?prompt) then
    # An interactive shell -- set some stuff up
    set prompt="[%P] %n@%m %/# "
    set autolist
    set filec
    set history = 1000
    set savehist = 1000
    set mail = (/var/mail/$USER)
    bindkey "^N" insert-last-word
endif

# Useful Aliases
alias psgrep   "ps auxww | grep "
alias untargz  tar zxvf
alias lh       "last | head"
alias lsh      "ls -alt | head"
alias vi       vim

# Set a $DATE vbl:
setenv DATE `date "+%Y%m%d%H%M%S"`
```

# Create a new user in the wheel group

Execute the following command to add the user 'munk' to the system (create whatever user you want to be able to su to root on your own system):

```
pw useradd munk -m
```

Add the user 'munk' to the 'wheel' group. Modify the following line in /etc/group to read:

```
wheel:*:0:root,munk
```

Notes:

- The '-m' option to pw copies all the files from /usr/share/skel into the user's home directory under /home.
- A password is dumped to the screen; this can be changed using 'passwd munk' into something more memorable.
- By adding the user munk to the wheel group, munk will be able to 'su' to root and execute superuser commands. This is not strictly necessary, but saves having to login as root every time administrative commands have to be executed.
In general it's best only to su to root and never login as root at a console (this is disabled in the default sshd_config file; however, even on the server console itself it's best not to login as root if you can avoid it, as things are more likely to break when you're logged in as root ;)). From now on, substitute all references to the user 'munk' with whatever user you just created above.

# Switch users and su to root

Now the wheel user munk has been created, we can use the munk account and just su to root to complete the additional steps. Logout of the root account NOW and login as munk (or whoever you just created in the previous step). Note: change the shell to /bin/csh using csh after you log back in! If you need to reboot below, always log back in as 'munk' and then su to root before continuing.

This step should take no explaining: login as munk and then su to root... mmm, how else can you explain that? Welcome to FreeBSD for dummies?

IMPORTANT: You will get an error about 'vim: Command not found' if you try and use vi with the .cshrc file copied into munk's /home dir. This is because vi is aliased to 'vim' in the default skeleton dot.cshrc file. To remedy this just remove the vi alias:

```
root@dev /home/munk# unalias vi
```

Also you may want to create a symbolic link /root/.cshrc pointing at the /home/munk/.cshrc file:

```
rm /root/.cshrc
ln -s /home/munk/.cshrc /root/.cshrc
```

This means that root will use munk's .cshrc file.

Also a couple of *very* useful items to add to /home/munk/.cshrc at this point are:

```
alias precmd date
alias installscript "script -a /home/munk/installscript.scp"
```

The precmd line will have the effect of issuing the 'date' command before every command prompt, and the installscript line allows you to type 'installscript' at the command prompt and have everything you type in the console thereafter appended to the file /home/munk/installscript.scp (until you press ^D or type 'exit').
This is very useful for tracking down errors, especially if you have to cut and paste error messages when asking for help.

# ipfilter

This step is important because once we rebuild and boot the new kernel below, support for ipf will be built in but by default all network traffic will be blocked. Obviously this is a problem! In this section we will quote two ipf rulesets which can be loaded via rc.conf using the 'ipfilter_rules' directive. It should be noted here that ipf is not a trivial system utility to configure correctly. Fully mastering the workings of ipf and its related rules can take a while but is certainly worth the effort. The following guides should help:

- http://www.obfuscation.org/ipf/ - this is a definitive list of ipf resources but was down for a few months at one point. Mirrors are available at the following locations:
  - http://www.unixcircle.com/ipf/ [San Jose, CA, USA]
  - http://www.pir.net/pir/ipf/ [Boston, MA, USA]
  - http://www.openlysecure.org/content/html/www.obfuscation.org/ipf [Surrey, UK]
  - http://mirrors.sunroot.de/www.obfuscation.org/ipf [Kerpen, Germany]
  - http://www.grunta.com/ipf/ [Melbourne, Victoria, AU]
  - http://www.darkart.com/mirrors/www.obfuscation.org/ipf/ [Oakland, CA, USA]
- http://www.obfuscation.org/ipf/ipf-howto.txt - the most comprehensive guide to ipf; additional mirrors are available in HTML-browseable formats of this doc, just follow the links from the main ipf site above.

# ipfilter ruleset

Listed here is the simplest of rulesets, which allows absolutely everything in and out of the system and adds absolutely nothing to the security of a system. This should only ever be used on a temporary basis, for example when setting the system up for the first time with default ipfilter block lines in your kernel config (covered below) or in the case that you want to test that a network problem isn't caused by your firewall.

```
pass out all
pass in all
```

# Rebuild the system

It is advisable to rebuild at least the kernel after a fresh install.
In this guide we will rebuild and install both a new kernel and a new world (i.e. the whole base system). By rebuilding the kernel we can reduce the size of the kernel and the number of kernel modules loaded at boot, hence making the system faster. The 'world' will be rebuilt so that any late-breaking security fixes are implemented. Importantly though, we want to allow users to send mail via our SMTP server using authenticated SMTP (ASMTP). To do this we will install the Cyrus SASL libraries from the ports collection and then rebuild sendmail to include support for ASMTP; by rebuilding the world, sendmail is also rebuilt.

To make world successfully we need to do the following:

* Make sure the source distribution set is installed in /usr/src
* Install the cvsup utility so we can obtain the latest 'fixes' to the source amongst other things
* Obtain the latest source patches via cvsup
* Build a new world
* Install a new kernel
* Install a new world

# Install the source distribution set from CD-ROM

Run /stand/sysinstall and navigate to 'Configure' on the menu. Select 'Distributions' from the Configuration menu. Select 'src' from the Distributions menu. Select 'All' from the 'src' menu. Select exit, exit and then select 'CDROM' from the 'Installation Media' menu. The sources will be installed from CD-ROM.

# cvsup

Install cvsup from the ports:

```
root@dev /root# cd /usr/ports/net/cvsup-without-gui/
root@dev /usr/ports/net/cvsup-without-gui# make && make install
```

This will install the cvsup utility WITHOUT THE X WINDOW SYSTEM DEPENDENCIES. This cuts down the size of the installation and also the time it'll take to install cvsup. cvsup will run VERY happily without X, thank you very much :) As it turns out we'll install the X libs when we install vim, but never mind.
THIS TAKES A WHILE SO DON'T HOLD YOUR BREATH WHILST IT INSTALLS.

Next create 3 'supfiles' which will be used when we use cvsup to update the system. Note: all the supfiles are in http://munk.me.uk/sysinstall/. They are the files referred to from /etc/make.conf below as /etc/supfile-src-stable, /etc/supfile-ports-all and /etc/supfile-doc-all.

/etc/supfile-src-stable:

```
*default host=cvsup.uk.FreeBSD.org
*default base=/usr/local/etc/cvsup
*default prefix=/usr
*default release=cvs tag=RELENG_4_7
*default delete use-rel-suffix
*default compress
src-all
```

/etc/supfile-ports-all:

```
*default host=cvsup.uk.FreeBSD.org
*default base=/usr/local/etc/cvsup
*default prefix=/usr
*default release=cvs tag=.
*default delete use-rel-suffix
*default compress
ports-all
```

/etc/supfile-doc-all:

```
*default host=cvsup.uk.FreeBSD.org
*default base=/usr/local/etc/cvsup
*default prefix=/usr
*default release=cvs tag=.
*default delete use-rel-suffix
*default compress
doc-all
```

Notes: Make sure you use the cvsup server that is closest to you to speed up the cvsup process. A list can be found here: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cvsup.html#CVSUP-MIRRORS

Next create the filesystem hierarchy for the cvsup tree in /usr/local/:

```
root@dev /root# mkdir -p /usr/local/etc/cvsup/sup/
```

The -p switch will create any parent directories for us if they do not already exist.

Next create a 'refuse' file in /usr/local/etc/cvsup/sup. This file is a list of files which cvsup should 'refuse' to retrieve (such as foreign documentation and any parts of the cvs tree we just don't want). Note this refuse file is at http://munk.me.uk/sysinstall. Notice that a lot of ports are excluded there, such as astro and audio etc.; we won't be needing any astro or audio etc. programs, so there's no point in updating them. This will save us time when cvsupping.

We can continue to cvsup the system now.

# cvsup'ing the system

We will use a slightly different method for updating our system. We will use the system 'make' method, which involves creating an /etc/make.conf file, adding directives to that file to tell the system how to update and then running 'make update' from the /usr/src directory.
In effect this simply carries out multiple 'cvsup' calls using the supfiles specified in /etc/make.conf. First create the make.conf file. Note this file is at http://munk.me.uk/sysinstall/make.conf

```
SUP_UPDATE=     yes
SUP=            /usr/local/bin/cvsup
SUPFLAGS=       -g -L 2
SUPHOST=        cvsup.uk.FreeBSD.org
SUPFILE=        /etc/supfile-src-stable
PORTSSUPFILE=   /etc/supfile-ports-all
DOCSUPFILE=     /etc/supfile-doc-all

SENDMAIL_CFLAGS+=-I/usr/local/include/sasl1 -DSASL
SENDMAIL_LDFLAGS+=-L/usr/local/lib
SENDMAIL_LDADD+=-lsasl
SENDMAIL_MC=/etc/mail/dev.munk.me.uk.mc
```

Notes:

- Again change the cvsup server to one nearest to you. See above.
- The latter part of the make.conf file relating to sendmail is not applicable to the 'update' process; however we add it here since it will be used when we rebuild the world.
- IMPORTANT: the presence of /etc/make.conf sometimes makes other 'make' processes bork up. I saw this when a user couldn't 'make' their eggdrop because they didn't have permissions to read from /etc/make.conf. I'm not totally sure why the eggdrop make insisted on reading from /etc/make.conf and instead of changing the permissions on make.conf I just moved it to a private location (i.e. /root/). This is a bit of a pain really, I should have probably checked to see if the eggdrop make would have run if I'd just set chmod o+r /etc/make.conf. Ho hum...

# Install the sources from the CD-ROM

Insert the FreeBSD install disk 1. Run /stand/sysinstall. Select 'Configure', 'Distributions' from the menus, and then select the 'src' entry from the distributions menu. Select to install 'All' sources, exit out from the src and distributions menus and then choose to install from CD-ROM.

# Run cvsup for the first time

Now we can cvsup using the system make mechanism:

```
root@dev /root# cd /usr/src
root@dev /usr/src# make update
```

This will update the system src, docs and ports trees. This takes 30 minutes on a 512k ADSL connection, 20 minutes on an Athlon 1900+. We are now ready to rebuild the world!
First though we need to install the Cyrus SASL port, which will be needed by sendmail when we rebuild the world.

# Cyrus SASL

Install Cyrus SASL from the ports:

```
root@dev /root# cd /usr/ports/security/cyrus-sasl
root@dev /usr/ports/security/cyrus-sasl# make && make install
```

When prompted with a menu to select additional SASL options to use, select only 'PWCHECK'. We want to allow our users to authenticate over SMTP using the system password database (/etc/passwd etc.) and the pwcheck utility does this for us.

After Cyrus has been installed, ensure that the file /usr/local/lib/sasl/Sendmail.conf looks like this (create it if it doesn't exist):

```
pwcheck_method: pwcheck
```

This tells the SASL libs to use the system password db to authenticate users for sendmail.

Cyrus SASL also installs some rc startup files in /usr/local/etc/rc.d, pwcheck.sh and saslauthd1.sh. The default is to use pwcheck and this is reflected in the sasl lines in /etc/rc.conf above. The saslauthd1.sh script can be removed or renamed to saslauthd1.sh.norun (so it doesn't run at boot). (?? Note to self: check this though. Also an error about the kerberos lib occurs if ??)

Notes: The following URLs contain more information on installing support for ASMTP:

- http://www.sendmail.org/~ca/email/auth.html
- http://www.sendmail.org/~ca/email/cyrus/sysadmin.html
- http://veldt.com/archives/000111.html#000111

I found the last article the most straightforward, more of a HOWTO than anything else.

# building world

Notes: Rebuilding your system is a large step and knowing the territory is important. I'd recommend reading through this chapter of the handbook AT LEAST TWICE(!)
before attempting to rebuild your system completely: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cutting-edge.html

We can now build a new world using the sources we just cvsup'd above:

```
root@dev /root# cd /usr/src
root@dev /usr/src# make buildworld
```

Notes:

- This can take a LONG time (on my K6-2 400 machine this takes about 3hrs), so go complain about all that spam mail whilst you're waiting ;)
- Make sure you followed the instructions for creating an /etc/make.conf file, otherwise the sendmail SASL options will not be built into sendmail here.
- This takes 1 hour(!) on an AMD Athlon 1900+.

# Modifying the kernel config file

We need to build a new kernel, even if it's only the GENERIC kernel: many aspects of the new base system which will get installed when we 'make installworld' may not work with the kernel we currently have, and in any case this is a chance to streamline the kernel config.

As mentioned above, rebuilding the system/kernel is a large step and depends largely on your own system setup. This is a guide only (mainly to help me remember in future how I did it!), so the kernel configuration file here should under no circumstances be used on your own system without modification.

The best advice I can give is to first create a copy of the GENERIC kernel configuration file in /usr/src/sys/i386/conf with a name suitable for your system (I used MUNKBOXEN-DEV for mine); by convention kernel configuration files are named all upper-case. Then create a directory, /root/kernel, and create soft links in /root/kernel to the newly named config file and to the LINT file (LINT is a comprehensive list of all kernel configuration directives you could possibly use, a reference file only). This way whilst first altering your kernel configuration you can switch easily between the LINT and MUNKBOXEN-DEV config files, checking allowable settings in LINT as you go.
```
root@dev /root# cp /usr/src/sys/i386/conf/GENERIC /usr/src/sys/i386/conf/MUNKBOXEN-DEV
root@dev /root# mkdir kernel
root@dev /root# cd kernel
root@dev /root/kernel# ln -s /usr/src/sys/i386/conf/LINT LINT
root@dev /root/kernel# ln -s /usr/src/sys/i386/conf/MUNKBOXEN-DEV MUNKBOXEN-DEV
```

You can now alter the kernel configuration directives in the MUNKBOXEN-DEV file whilst having a backup GENERIC file in /usr/src/sys/i386/conf. Make all the changes to your personal kernel config file as needed:

```
machine         i386
cpu             I586_CPU
ident           MUNKBOXEN-DEV

###
# IMPORTANT
###
# Change this according to your own needs, 80 is quite a lot
# if you set it to 0 then it will assign system resources
# according to your system.
maxusers        80

#makeoptions    DEBUG=-g                #Build kernel with gdb(1) debug symbols

options         MATH_EMULATE            #Support for x87 emulation
options         INET                    #InterNETworking
options         INET6                   #IPv6 communications protocols
options         FFS                     #Berkeley Fast Filesystem
options         FFS_ROOT                #FFS usable as root device [keep this!]
options         SOFTUPDATES             #Enable FFS soft updates support
options         UFS_DIRHASH             #Improve performance on big directories
options         MFS                     #Memory Filesystem
options         MD_ROOT                 #MD is a potential root device
options         NFS                     #Network Filesystem
options         NFS_ROOT                #NFS usable as root device, NFS required
options         MSDOSFS                 #MSDOS Filesystem
options         CD9660                  #ISO 9660 Filesystem
options         CD9660_ROOT             #CD-ROM usable as root, CD9660 required
options         PROCFS                  #Process filesystem
options         COMPAT_43               #Compatible with BSD 4.3 [KEEP THIS!]
options         SCSI_DELAY=15000        #Delay (in ms) before probing SCSI
options         UCONSOLE                #Allow users to grab the console
options         USERCONFIG              #boot -c editor
options         VISUAL_USERCONFIG       #visual boot -c editor
options         KTRACE                  #ktrace(1) support
options         SYSVSHM                 #SYSV-style shared memory
options         SYSVMSG                 #SYSV-style message queues
options         SYSVSEM                 #SYSV-style semaphores
options         P1003_1B                #Posix P1003_1B real-time extensions
options         _KPOSIX_PRIORITY_SCHEDULING
options         ICMP_BANDLIM            #Rate limit bad replies
options         KBD_INSTALL_CDEV        # install a CDEV entry in /dev

# To make an SMP kernel, the next two are needed
#options        SMP                     # Symmetric MultiProcessor Kernel
#options        APIC_IO                 # Symmetric (APIC) I/O

device          isa
device          eisa
device          pci

# Floppy drives
device          fdc0    at isa? port IO_FD1 irq 6 drq 2
device          fd0     at fdc0 drive 0
device          fd1     at fdc0 drive 1
#
# If you have a Toshiba Libretto with its Y-E Data PCMCIA floppy,
# don't use the above line for fdc0 but the following one:
#device         fdc0

# ATA and ATAPI devices
device          ata0    at isa? port IO_WD1 irq 14
device          ata1    at isa? port IO_WD2 irq 15
device          ata
device          atadisk                 # ATA disk drives
device          atapicd                 # ATAPI CDROM drives
device          atapifd                 # ATAPI floppy drives
device          atapist                 # ATAPI tape drives
options         ATA_STATIC_ID           #Static device numbering

# atkbdc0 controls both the keyboard and the PS/2 mouse
device          atkbdc0 at isa? port IO_KBD
device          atkbd0  at atkbdc? irq 1 flags 0x1
device          psm0    at atkbdc? irq 12

device          vga0    at isa?

# splash screen/screen saver
pseudo-device   splash

# syscons is the default console driver, resembling an SCO console
device          sc0     at isa? flags 0x100
options         SC_HISTORY_SIZE=1000    # number of history buffer lines

# Enable this and PCVT_FREEBSD for pcvt vt220 compatible console driver
#device         vt0     at isa?
#options        XSERVER                 # support for X server on a vt console
#options        FAT_CURSOR              # start with block cursor
# If you have a ThinkPAD, uncomment this along with the rest of the PCVT lines
#options        PCVT_SCANSET=2          # IBM keyboards are non-std

# Floating point support - do not disable.
device          npx0    at nexus? port IO_NPX irq 13

# Power management support (see LINT for more options)
device          apm0    at nexus? disable flags 0x20 # Advanced Power Management

# PCCARD (PCMCIA) support
device          card
device          pcic0   at isa? irq 0 port 0x3e0 iomem 0xd0000
device          pcic1   at isa? irq 0 port 0x3e2 iomem 0xd4000 disable

# Serial (COM) ports
device          sio0    at isa? port IO_COM1 flags 0x10 irq 4
device          sio1    at isa? port IO_COM2 irq 3
device          sio2    at isa? disable port IO_COM3 irq 5
device          sio3    at isa? disable port IO_COM4 irq 9

# Parallel port
device          ppc0    at isa? irq 7
device          ppbus                   # Parallel port bus (required)
device          lpt                     # Printer
device          plip                    # TCP/IP over parallel
device          ppi                     # Parallel port interface device
#device         vpo                     # Requires scbus and da

# PCI Ethernet NICs.
device          de                      # DEC/Intel DC21x4x (``Tulip'')
device          em                      # Intel PRO/1000 adapter Gigabit Ethernet Card (``Wiseman'')
device          txp                     # 3Com 3cR990 (``Typhoon'')
device          vx                      # 3Com 3c590, 3c595 (``Vortex'')

# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device          miibus                  # MII bus support
device          dc                      # DEC/Intel 21143 and various workalikes
device          fxp                     # Intel EtherExpress PRO/100B (82557, 82558)
device          pcn                     # AMD Am79C97x PCI 10/100 NICs
device          rl                      # RealTek 8129/8139
device          sf                      # Adaptec AIC-6915 (``Starfire'')
device          sis                     # Silicon Integrated Systems SiS 900/SiS 7016
device          ste                     # Sundance ST201 (D-Link DFE-550TX)
device          tl                      # Texas Instruments ThunderLAN
device          tx                      # SMC EtherPower II (83c170 ``EPIC'')
device          vr                      # VIA Rhine, Rhine II
device          wb                      # Winbond W89C840F
device          xl                      # 3Com 3c90x (``Boomerang'', ``Cyclone'')
device          bge                     # Broadcom BCM570x (``Tigon III'')

# ISA Ethernet NICs.
# 'device ed' requires 'device miibus'
device          ed0     at isa? port 0x280 irq 10 iomem 0xd8000
device          ex
device          ep
device          fe0     at isa? port 0x300
# Xircom Ethernet
device          xe

# PRISM I IEEE 802.11b wireless NIC.
device          awi
# WaveLAN/IEEE 802.11 wireless NICs. Note: the WaveLAN/IEEE really
# exists only as a PCMCIA device, so there is no ISA attachment needed
# and resources will always be dynamically assigned by the pccard code.
device          wi
# Aironet 4500/4800 802.11 wireless NICs. Note: the declaration below will
# work for PCMCIA and PCI cards, as well as ISA cards set to ISA PnP
# mode (the factory default). If you set the switches on your ISA
# card for a manually chosen I/O address and IRQ, you must specify
# those parameters here.
device          an

# The probe order of these is presently determined by i386/isa/isa_compat.c.
device          ie0     at isa? port 0x300 irq 10 iomem 0xd0000
#device         le0     at isa? port 0x300 irq 5 iomem 0xd0000
device          lnc0    at isa? port 0x280 irq 10 drq 0
device          cs0     at isa? port 0x300
device          sn0     at isa? port 0x300 irq 10

# Pseudo devices - the number indicates how many units to allocate.
pseudo-device   loop                    # Network loopback
pseudo-device   ether                   # Ethernet support
pseudo-device   sl      1               # Kernel SLIP
pseudo-device   ppp     1               # Kernel PPP
pseudo-device   tun                     # Packet tunnel.
pseudo-device   pty                     # Pseudo-ttys (telnet etc)
pseudo-device   md                      # Memory "disks"
pseudo-device   gif                     # IPv6 and IPv4 tunneling
pseudo-device   faith   1               # IPv6-to-IPv4 relaying (translation)

# The `bpf' pseudo-device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
pseudo-device   bpf                     #Berkeley packet filter
pseudo-device   snp     4               #Snoop device - to look at pty/vty/etc..

# Security:
options         RANDOM_IP_ID            #randomize ID field in IP packets
options         ICMP_BANDLIM            #Rate limit bad replies
options         IPFILTER                #ipfilter support
options         IPFILTER_LOG            #ipfilter logging
options         IPFILTER_DEFAULT_BLOCK  #block all packets by default
```

Notes:

The 'ident' line determines what will show up when you run 'uname -a'. For example after installing a kernel built with the above kernel config, uname -a displays the following:

```
root@dev /usr/src# uname -a
FreeBSD dev.munk.me.uk 4.7-STABLE FreeBSD 4.7-STABLE #0: Tue Oct 29 14:28:04 GMT 2002     root@dev.munk.me.uk:/usr/obj/usr/src/sys/MUNKBOXEN-DEV  i386
```

The inclusion of a line for the 'snp' snoop device allows you to 'snoop' on your users using the watch utility! This is very useful for watching over what users do in a tty, and also for helping users out interactively on the command line. A useful URL detailing this is here: http://bsdvault.net/sections.php?op=viewarticle&artid=66

The last few lines of the kernel config file above add support to the kernel for IPFilter. The comments above are adequate, but it should be mentioned here that by using the line:

```
options         IPFILTER_DEFAULT_BLOCK
```

in the kernel config file, your system will not be able to communicate at all across a network if ipfilter is enabled and a set of ipf rules is not loaded at boot time. See above in the ipfilter section for details on creating a simple default 'allow all' ipfilter policy/ruleset.
# Enable the watch utility

To set up the snoop devices so that the watch utility will work, execute the following commands:

    root@dev /root# cd /dev
    root@dev /dev# ./MAKEDEV snp0
    root@dev /dev# ./MAKEDEV snp1
    root@dev /dev# ./MAKEDEV snp2
    root@dev /dev# ./MAKEDEV snp3
    root@dev /dev# ./MAKEDEV snp4

# Rebuilding and installing the kernel

Now that the kernel configuration has been fine-tuned to your system's requirements, you can build and install the new kernel and related modules. We will use the 'new' method of building and installing a kernel. As always, check the FreeBSD handbook for info on this step: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html.

As mentioned above you should read the file /usr/src/Makefile whilst on the command line - full instructions are in there and they're only regurgitated here:

    root@dev /root# cd /usr/src
    root@dev /usr/src# make buildkernel KERNCONF=MUNKBOXEN-DEV

(This step takes around 30 minutes on a K6-2 400)

    root@dev /usr/src# make installkernel KERNCONF=MUNKBOXEN-DEV
    root@dev /usr/src# reboot

This process took 25 minutes on my K6-2 400 machine. At this point, if all is well, the system should reboot ok using the newly installed kernel. If things do go wrong refer here: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html#Q21.4.15.6.

# Run mergemaster

The mergemaster tool is used to check the files in /etc/ against the files in /usr/src/etc when upgrading a system from one version to another.
After you've installed a new kernel and before you install a new world you should run mergemaster to merge the old and new system's /etc file system hierarchies:

    root@dev /root# mergemaster -p

Follow the instructions on screen and when prompted whether to merge or install new files, choose to install new files (presuming this is a freshly installed machine - obviously if you're upgrading an older system then you would probably want to merge the files by hand and just use mergemaster as an indicator of what needs to be changed/merged).

Notes:

On my system I didn't have to do anything at all, just say 'yes' to delete the /var/tmp/temproot directories that mergemaster creates to do its stuff. This should be the same for you if you're following this guide to the letter.

# Installing the new world

Finally you can install the new world you built above:

    root@dev /root# cd /usr/src
    root@dev /usr/src# make installworld

This will install the newly built base system.

# Run mergemaster

Run the mergemaster script again, this time without the -p option.

Notes:

I opted to install all the suggested new files ('i' when prompted) since this is a fresh install anyway and nothing should break - with the exception of the ./root/.cshrc file, which I left alone ('d' when prompted, to just delete the suggested tmp file). Things might 'break' if you ran mergemaster after an upgrade from a system that you'd modified a lot - in that case you probably wouldn't want to blindly choose to 'i' (install) the newer files. Also I opted to run the newly installed 'MAKEDEV' script when prompted to recreate the devices in /dev.

Reboot again.

# Vim

Install vim-lite from ports:

    root@dev /root# cd /usr/ports/editors/vim
    root@dev /usr/ports/editors/vim# make && make install

Notes:

The vim-lite installation is a lot smaller than the regular vim install, which includes support for X windows which we don't need.
Vim is a weird installation with literally hundreds of patches that need to be applied to the vim base code (300+ patches I think need to be downloaded?). Just be patient. ;)

# Configure sendmail to use ASMTP

If all went well the new system should include sendmail support for SASL. We now need to customize the sendmail .mc file to include m4 directives for SASL authentication and then create a sendmail.cf file from this .mc file.

First copy the freebsd.mc file to a custom filename (change this to yourhostname.mc):

    root@dev /root# cd /etc/mail
    root@dev /etc/mail# cp freebsd.mc dev.munk.me.uk.mc

At this point you should also modify your /etc/make.conf file (if not already done) to include the line:

    SENDMAIL_MC=/etc/mail/dev.munk.me.uk.mc

This ensures that this file is not clobbered when upgrading the system in future and tells the system make process to use 'dev.munk.me.uk.mc' and not the default .mc file when making the sendmail cf files.

Modify the dev.munk.me.uk.mc file in /etc/mail/ to include the following lines:

    dnl set SASL options
    TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
    define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
    define(`confDEF_AUTH_INFO', `/etc/mail/auth-info')dnl

The complete file looks similar to this:

    divert(-1)
    #
    # Copyright (c) 1983 Eric P. Allman
    # Copyright (c) 1988, 1993
    #       The Regents of the University of California.  All rights reserved.
    #
    # Redistribution and use in source and binary forms, with or without
    # modification, are permitted provided that the following conditions
    # are met:
    # 1. Redistributions of source code must retain the above copyright
    #    notice, this list of conditions and the following disclaimer.
    # 2. Redistributions in binary form must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer in the
    #    documentation and/or other materials provided with the distribution.
    # 3. All advertising materials mentioning features or use of this software
    #    must display the following acknowledgement:
    #       This product includes software developed by the University of
    #       California, Berkeley and its contributors.
    # 4. Neither the name of the University nor the names of its contributors
    #    may be used to endorse or promote products derived from this software
    #    without specific prior written permission.
    #
    # THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
    # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
    # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
    # ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
    # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
    # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
    # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
    # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
    # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
    # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
    # SUCH DAMAGE.
    #

    #
    #  This is a generic configuration file for FreeBSD 4.X and later systems.
    #  If you want to customize it, copy it to a name appropriate for your
    #  environment and do the modifications there.
    #
    #  The best documentation for this .mc file is:
    #  /usr/share/sendmail/cf/README or
    #  /usr/src/contrib/sendmail/cf/README
    #

    divert(0)

    VERSIONID(`$FreeBSD: src/etc/sendmail/freebsd.mc,v 1.10.2.16 2002/05/22 16:39:14 gshapiro Exp $')
    OSTYPE(freebsd4)
    DOMAIN(generic)

    FEATURE(access_db, `hash -o -T /etc/mail/access')
    FEATURE(blacklist_recipients)
    FEATURE(local_lmtp)
    FEATURE(mailertable, `hash -o /etc/mail/mailertable')
    FEATURE(virtusertable, `hash -o /etc/mail/virtusertable')

    dnl Uncomment to allow relaying based on your MX records.
    dnl NOTE: This can allow sites to use your server as a backup MX without
    dnl       your permission.
    dnl FEATURE(relay_based_on_MX)

    dnl DNS based black hole lists
    dnl --------------------------------
    dnl DNS based black hole lists come and go on a regular basis
    dnl so this file will not serve as a database of the available servers.
    dnl For that, visit http://dmoz.org/Computers/Internet/Abuse/Spam/Blacklists/

    dnl Uncomment to activate Realtime Blackhole List
    dnl information available at http://www.mail-abuse.com/
    dnl NOTE: This is a subscription service as of July 31, 2001
    dnl FEATURE(dnsbl)
    dnl Alternatively, you can provide your own server and rejection message:
    dnl FEATURE(dnsbl, `blackholes.mail-abuse.org', `"550 Mail from " $&{client_addr} " rejected, see http://mail-abuse.org/cgi-bin/lookup?" $&{client_addr}')

    dnl Dialup users should uncomment and define this appropriately
    dnl define(`SMART_HOST', `your.isp.mail.server')

    dnl Uncomment the first line to change the location of the default
    dnl /etc/mail/local-host-names and comment out the second line.
    dnl define(`confCW_FILE', `-o /etc/mail/sendmail.cw')
    define(`confCW_FILE', `-o /etc/mail/local-host-names')

    dnl Uncomment both of the following lines to listen on IPv6 as well as IPv4
    dnl DAEMON_OPTIONS(`Name=IPv4, Family=inet')
    dnl DAEMON_OPTIONS(`Name=IPv6, Family=inet6')

    define(`confBIND_OPTS', `WorkAroundBrokenAAAA')
    define(`confMAX_MIME_HEADER_LENGTH', `256/128')
    define(`confNO_RCPT_ACTION', `add-to-undisclosed')
    define(`confPRIVACY_FLAGS', `authwarnings,noexpn,novrfy')

    dnl set SASL options
    TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
    define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
    define(`confDEF_AUTH_INFO', `/etc/mail/auth-info')dnl

    MAILER(local)
    MAILER(smtp)

Next, create the sendmail cf file by running the FreeBSD make util in /etc/mail:

    root@dev /etc/mail# make
    /usr/bin/m4 -D_CF_DIR_=/usr/share/sendmail/cf/ /usr/share/sendmail/cf/m4/cf.m4 /etc/mail/dev.munk.me.uk.mc > /etc/mail/dev.munk.me.uk.cf

This creates the sendmail cf file, /etc/mail/dev.munk.me.uk.cf. Copy dev.munk.me.uk.cf to /etc/mail/sendmail.cf:

    root@dev /etc/mail# cp dev.munk.me.uk.cf sendmail.cf

Now finally restart sendmail:

    root@dev /etc/mail# kill -HUP `head -n 1 /var/run/sendmail.pid`

If all has gone well, you should be able to telnet to localhost on port 25 and check the response to the EHLO command for the presence of an 'AUTH' line:

    root@dev /etc/mail# telnet localhost 25
    Trying 127.0.0.1...
    Connected to localhost.munk.me.uk.
    Escape character is '^]'.
    220 dev.munk.me.uk ESMTP Sendmail 8.12.6/8.12.6; Thu, 31 Oct 2002 19:25:25 GMT
    EHLO localhost
    250-dev.munk.me.uk Hello localhost.munk.me.uk [127.0.0.1], pleased to meet you
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-8BITMIME
    250-SIZE
    250-DSN
    250-ETRN
    250-AUTH LOGIN PLAIN
    250-DELIVERBY
    250 HELP
    quit
    221 2.0.0 dev.munk.me.uk closing connection
    Connection closed by foreign host.
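The manual telnet check above (EHLO, then look for a 250-AUTH line), scripted as an added example that is not part of the original guide. It parses an EHLO response, lists the SASL mechanisms offered and gives a verdict: note that LOGIN and PLAIN both carry the password base64-encoded, which is as good as cleartext on the wire, so a server that offers only those two without also advertising STARTTLS (exactly what the transcript above shows) is exposing every user's password to anyone who can sniff the link. The sample response is copied from the transcript above; the live mode assumes nc(1) from ports is installed.

```shell
#!/bin/sh
# Added example, not from the original guide: check an SMTP EHLO response
# for SASL AUTH support, as the manual telnet test in the guide does.
# With no arguments it runs against the constructed sample below; with
# "HOST PORT" it queries a live server (assumes nc(1) is installed).

# Constructed sample EHLO response, copied from the telnet session in the guide.
SAMPLE_EHLO='220 dev.munk.me.uk ESMTP Sendmail 8.12.6/8.12.6; Thu, 31 Oct 2002 19:25:25 GMT
250-dev.munk.me.uk Hello localhost.munk.me.uk [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH LOGIN PLAIN
250-DELIVERBY
250 HELP
221 2.0.0 dev.munk.me.uk closing connection'

# auth_mechs RESPONSE: print the mechanisms from the first 250-AUTH line
# (sendmail may also emit an "AUTH=" form for old clients, so keep the first
# match only). Prints nothing if the server does not advertise AUTH.
auth_mechs() {
    printf '%s\n' "$1" | sed -n 's/^250[- ]AUTH[ =]\(.*\)$/\1/p' | tr -d '\r' | head -n 1
}

# has_starttls RESPONSE: succeed if STARTTLS is advertised.
has_starttls() {
    printf '%s\n' "$1" | grep -q '^250[- ]STARTTLS'
}

# classify RESPONSE: print one of
#   none      - no AUTH line, clients cannot authenticate at all
#   cleartext - only LOGIN/PLAIN offered and no STARTTLS: passwords readable on the wire
#   ok        - AUTH offered together with STARTTLS or a challenge-response mechanism
classify() {
    mechs=$(auth_mechs "$1")
    if [ -z "$mechs" ]; then
        echo none
        return 1
    fi
    if has_starttls "$1"; then
        echo ok
        return 0
    fi
    # drop the two plaintext mechanisms; anything left is challenge-response
    rest=$(printf '%s\n' "$mechs" | tr ' ' '\n' | grep -v -x -e LOGIN -e PLAIN || true)
    if [ -z "$rest" ]; then
        echo cleartext
        return 2
    fi
    echo ok
    return 0
}

# live_ehlo HOST PORT: fetch a real EHLO response (assumes nc(1) is available).
live_ehlo() {
    printf 'EHLO localhost\r\nQUIT\r\n' | nc -w 5 "$1" "$2"
}

if [ "$#" -eq 2 ]; then
    resp=$(live_ehlo "$1" "$2")
else
    resp=$SAMPLE_EHLO
fi
echo "AUTH mechanisms: $(auth_mechs "$resp")"
echo "verdict: $(classify "$resp")"
```

Run with no arguments to see the verdict for the transcript above ("cleartext"); with a host and port it performs the same check against a running server. The fix for a "cleartext" verdict is outside this guide's scope, but the direction is either enabling STARTTLS in the .mc file or restricting the listener to trusted clients with the ipfilter rules already in place.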
Here we see that the system is ready to authenticate users over SMTP using the 'LOGIN' or 'PLAIN' authentication schemes (these are the two main schemes used by Netscape and Outlook Express; for a full list see here: http://www.sendmail.org/~ca/email/mel/SASL_ClientRef.html).

Notes:

Errors may occur in the file /var/log/auth.log:

    Nov  9 18:09:04 dev sm-mta[99]: KERBEROS_V4: can't access srvtab file /etc/srvtab: No such file or directory
    Nov  9 18:09:04 dev sm-mta[99]: add_plugin(/usr/local/lib/sasl/libkerberos4.so) failed: generic failure
    Nov  9 18:09:11 dev sm-mta[3481]: KERBEROS_V4: can't access srvtab file /etc/srvtab: No such file or directory
    Nov  9 18:09:11 dev sm-mta[3481]: add_plugin(/usr/local/lib/sasl/libkerberos4.so) failed: generic failure

(similar messages appear in /var/log/maillog and also in /var/log/messages). I need to figure out why these happen yet, but they don't seem to be fatal errors; everything we need to work works as is.

# Qpopper

Install qpopper from the ports:

    root@dev /root# cd /usr/ports/mail/qpopper
    root@dev /usr/ports/mail/qpopper# make && make install

Ensure inetd is set to run at startup (if not already). Match the actual inetd_enable setting rather than any line containing 'inetd', otherwise a comment such as '# inetd?' in rc.conf satisfies the grep and nothing is appended:

    root@dev /usr/ports/mail/qpopper# grep -q '^inetd_enable="YES"' /etc/rc.conf || echo 'inetd_enable="YES"' >> /etc/rc.conf

Modify /etc/inetd.conf to include support for POP:

    root@dev /usr/ports/mail/qpopper# vi /etc/inetd.conf

Modify the pop3 line to read:

    pop3    stream  tcp     nowait  root    /usr/local/libexec/qpopper      qpopper -s

Test the POP3 server. First see if inetd is running.

First case - inetd already running:

    root@dev /usr/ports/mail/qpopper# ps auxww | grep inetd
    root    85  0.0  1.0  1056  260  ??  Is    3:48PM   0:00.00 /usr/sbin/inetd -wW

This indicates inetd is already running, so just send a hangup (HUP) signal to the inetd process:

    root@dev /usr/ports/mail/qpopper# kill -HUP `cat /var/run/inetd.pid`

Second case - inetd not already running:

    root@dev /usr/ports/mail/qpopper# ps auxww | grep inetd
    root  3140  0.0  3.2  1292  888  p1  RV    5:41PM   0:00.00 grep inetd (csh)

This indicates inetd is not running, so start it up manually:

    root@dev /usr/ports/mail/qpopper# inetd -wW

(This starts the inetd superserver in 'wrapped' mode for both internal and external services)

Finally test that the POP server is responding ok:

    root@dev /usr/ports/mail/qpopper# telnet localhost 110
    Trying 127.0.0.1...
    Connected to localhost.munk.me.uk.
    Escape character is '^]'.
    +OK Qpopper (version 4.0.4) at dev.munk.me.uk starting.  <3157.1035913396@dev.munk.me.uk>
    quit
    +OK Pop server at dev.munk.me.uk signing off.
    Connection closed by foreign host.

This indicates qpopper is running ok - if you want you can test to see that you can login as a user, but this is beyond the scope of this document.

Notes:

Really should include configuration of qpopper here.

# Mutt

Install mutt from ports:

    root@dev /root# cd /usr/ports/mail/mutt
    root@dev /usr/ports/mail/mutt# make && make install

Notes:

The default skeleton .muttrc file we will be using includes references to the urlview utility, which in turn uses lynx (this allows mutt users to view http links embedded in emails). See the urlview and lynx-ssl install sections for details on installing these ports.
# urlview

Install urlview from the ports:

    root@dev /root# cd /usr/ports/textproc/urlview/
    root@dev /usr/ports/textproc/urlview# make && make install

# Lynx-ssl

Install the lynx-ssl port:

    root@dev /root# cd /usr/ports/www/lynx-ssl/
    root@dev /usr/ports/www/lynx-ssl# make && make install

Notes:

We install the ssl version of lynx here so we can hack hotmail :)

# Wget

Install wget from the ports:

    root@dev /root# cd /usr/ports/ftp/wget
    root@dev /usr/ports/ftp/wget# make && make install

# ProFTPD

Install proftpd from the ports collection:

    root@dev /root# cd /usr/ports/ftp/proftpd
    root@dev /usr/ports/ftp/proftpd# make && make install

Edit /usr/local/etc/proftpd.conf and modify the line starting 'ServerName' to read:

    ServerName "munk.me.uk ftp server"

By default the configuration is set up to run the FTP server in standalone mode, which means each request on the FTP port specified in the configuration file is served directly by the proftpd daemon and not 'wrapped' by the inetd super-server. This also implies the server will be started by the local rc mechanism and as such, a sample rc init script is installed to /usr/local/etc/rc.d called proftpd.sh.sample. Only files that are both executable and end in .sh will run from the /usr/local/etc/rc.d startup directory, so copy the sample script to a file ending in .sh and make it executable:

    root@dev /usr/ports/ftp/proftpd# cd /usr/local/etc/rc.d
    root@dev /usr/local/etc/rc.d# cp proftpd.sh.sample proftpd.sh
    root@dev /usr/local/etc/rc.d# chmod +x proftpd.sh

Next start the server by calling the proftpd.sh script manually with the argument 'start' (this would normally happen when the system boots):

    root@dev /usr/local/etc/rc.d# ./proftpd.sh start

Finally test the server is running ok:

    root@dev /usr/local/etc/rc.d# ftp localhost
    Connected to localhost.munk.me.uk.
    220 ProFTPD 1.2.6 Server (munk.me.uk ftp server) [dev.munk.me.uk]
    Name (localhost:munk):
    331 Password required for munk.
    Password:
    230 User munk logged in.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> ls
    227 Entering Passive Mode (127,0,0,1,4,9).
    150 Opening ASCII mode data connection for file list
    drwxr-x---   5 munk     munk         1024 Oct 28 21:31 bin
    drwxr-xr-x   3 munk     munk          512 Oct 28 20:05 cvsup
    -rw-r--r--   1 root     munk        51528 Oct 31 16:30 installscript.scp
    drwxr-xr-x   2 munk     munk          512 Oct 28 21:51 kernel
    226 Transfer complete.
    ftp> bye
    221 Goodbye.

# Install cclient

Normally cclient is installed when we install PHP with support for IMAP. However, if you try to install PHP with support for IMAP-SSL (as we will), FreeBSD unfortunately messes things up by installing the dependent cclient without support for SSL. Therefore we have to install cclient with support for SSL first:

    root@dev /root# cd /usr/ports/mail/cclient
    root@dev /usr/ports/mail/cclient# make -DWITH_SSL && make install

# Apache 1.3 with SSL support

Ok, this is quite a job to get right straight out of the box, particularly with all the additional options required in the mod_php4 build. The first attempt to build apache13-ssl together with mod_php4 with support for imap-ssl I tried ended up in giving out an

Install apache 1.3 with mod_ssl from the ports: (NOTE: DON'T INSTALL /usr/ports/www/apache13-ssl/ BY MISTAKE!!!)

    root@dev /root# cd /usr/ports/www/apache13-modssl
    root@dev /usr/ports/www/apache13-modssl# make && make install

Two copies of the rc boot script for apache are created, in /usr/local/etc/rc.d/apache.sh-dist and /usr/local/etc/rc.d/apache.sh. You do not need to do anything else here to have apache run on boot.

Notes:

Don't worry about the SSL certificates for now(!), a dummy certificate should be created for you.

Before messing with the httpd.conf file go on to install PHP straight away (httpd.conf will be modified by the mod_php4 install):

# mod_php4

Install mod_php4 from the ports.

    root@dev /usr/ports/www/apache13-modssl# cd /usr/ports/www/mod_php4
    root@dev /usr/ports/www/mod_php4# make && make install

The make script should present you with a menu to select options to pass to the configure script.
Select the following options:

- GD1
- zlib
- mcrypt
- IMAP-SSL
- MySQL
- OpenSSL
- XML
- FTP
- CURL
- gettext
- pspell
- MCAL
- sockets
- transsid

The installation creates a php.ini-dist in /usr/local/etc which WILL NOT be read by PHP when processing PHP requests via the web server. This file must be copied to a file named php.ini:

    root@dev /usr/ports/www/mod_php4# cd /usr/local/etc
    root@dev /usr/local/etc# cp php.ini-dist php.ini

SEE BELOW FOR INFO ON CONFIGURING SAFE_MODE IN PHP.INI

Notes:

DO NOT choose GD2 unless you don't mind having all the X libraries installed (this can literally add a few hours onto the build time).

I had problems with the 'mcrypt' dependency and had to run 'make clean' for mod_php4 and start again. This seemed to work.

Most of the options selected are required for the Horde application framework (for IMP webmail). The GD option installs a load of extra dependencies. Unfortunately GD2 also depends on X11.6 which means a long, long wait and a lot of space being used up.

The installation will modify your /usr/local/etc/apache/httpd.conf. This is why we leave the configuration of apache until after the install of mod_php4, although I believe the install for mod_php4 makes modifications to the apache httpd.conf file in a non-destructive manner, so if you do first change the httpd.conf and then later install mod_php4, nothing will be overwritten.

The changes that need to be made to enable PHP in httpd.conf are listed at the end of 'make install' for mod_php4:

    *****************************************************************************
    Make sure the mime.types are connected to the php module properly and
    index.php is part of your DirectoryIndex.

    The following should be in your Apache configuration file:
    [...]
    DirectoryIndex index.php index.html
    [...]
    AddType application/x-httpd-php .php
    AddType application/x-httpd-php-source .phps
    [...]
    *****************************************************************************

We will set this up below in the configuration of httpd.conf.

Safe_mode - from the manual: "When safe_mode is on, PHP checks to see if the owner of the current script matches the owner of the file to be operated on by a file function."

It's a good idea to change this option in the php.ini file; however, be aware of the consequences - a large number of PHP functions are highly restricted (read: disabled) by setting safe_mode on. An alternative is to set safe_mode on a per-vhost basis (ie inside the vhost config for each vhost you want to set it with 'php_admin_value safe_mode 1'). More info on this is available in the PHP manual.

Also important for multi-user sites is the 'open_basedir' php.ini setting. This restricts PHP to only those files under the directory/filesystem listed by the open_basedir setting in php.ini. Again this is better set on a per-vhost basis in a multi-user system so as to restrict users to only files within their home directory.

The php.ini file as we have it is sufficient for PHP to run correctly; safe_mode and open_basedir are simply additional security measures to consider when securing your installation.

# Configure Apache

We will configure the following:

- ServerAdmin - set this to a valid email address for the web admin
- Server Side Includes (SSI)
- UserDir - allow access to users' web folders via http://munk.me.uk/~user
- Virtual Hosting (name based)

All of these options will be set in /usr/local/etc/apache/httpd.conf.

Edit /usr/local/etc/apache/httpd.conf.
Uncomment the following line:

    ExtendedStatus On

Set the ServerAdmin line as follows:

    ServerAdmin webmaster@munk.me.uk

Comment out the DocumentRoot line:

    #DocumentRoot "/usr/local/www/data"

Notes:

We will create a virtual host entry for our 'default' webserver later on in the vhosting section (ie the server that people will see if no other virtual host URL is matched on our network), so we don't need a DocumentRoot setting in httpd.conf. The same applies for the next two items:

Comment out the directives for the / directory:

    #<Directory />
    #    Options FollowSymLinks
    #    AllowOverride None
    #</Directory>

Comment out the directives for the /usr/local/www/data directory:

    #<Directory "/usr/local/www/data">
    #
    ##
    ## This may also be "None", "All", or any combination of "Indexes",
    ## "Includes", "FollowSymLinks", "ExecCGI", or "MultiViews".
    ##
    ## Note that "MultiViews" must be named *explicitly* --- "Options All"
    ## doesn't give it to you.
    ##
    #    Options Indexes FollowSymLinks MultiViews
    #
    ##
    ## This controls which options the .htaccess files in directories can
    ## override. Can also be "All", or any combination of "Options", "FileInfo",
    ## "AuthConfig", and "Limit"
    ##
    #    AllowOverride None
    #
    ##
    ## Controls who can get stuff from this server.
    ##
    #    Order allow,deny
    #    Allow from all
    #</Directory>

Set the UserDir line as follows:

    UserDir web

Uncomment the following lines to read:

    <Directory /home/*/public_html>
        AllowOverride FileInfo AuthConfig Limit
        Options MultiViews Indexes SymLinksIfOwnerMatch Includes
        <Limit GET POST OPTIONS PROPFIND>
            Order allow,deny
            Allow from all
        </Limit>
        <LimitExcept GET POST OPTIONS PROPFIND>
            Order deny,allow
            Deny from all
        </LimitExcept>
    </Directory>

and then modify the Directory line to read:

    <Directory /home/*/web>

Notes:

The above directory directives allow users to execute includes from SSIs via the 'Includes' Options setting.
Add the following lines to allow CGI scripts to execute from within a user's cgi-bin directory (add it after the above entry for UserDir so you can find it easily later):

    <Directory /home/*/web/cgi-bin>
        Options ExecCGI
    </Directory>

Modify every DirectoryIndex line to include 'index.shtml':

    DirectoryIndex index.php index.php3 index.html index.shtml

Notes:

This allows parsable HTML files (SSIs) to be used as default index pages. There may be up to 4 DirectoryIndex lines - only one is applicable to us, but just to be safe include 'index.shtml' on each of them (no harm can be done by doing this).

Comment out the CustomLog line:

    #CustomLog /var/log/httpd-access.log combined

Notes:

All logging is done on a per web site basis in the virtual host file for the sites (including the default site), so we don't need an access log line in the main httpd.conf file.

Comment out the following line:

    # ScriptAlias /cgi-bin/ "/usr/local/www/cgi-bin/"

Notes:

Since we are allowing users to run CGIs from the cgi-bin dir inside their web folder (see above), this alias would affect the correct operation of CGIs from within a user's cgi-bin (the cgi script would attempt to be served from /usr/local/www/cgi-bin/ instead of /home/*/web/cgi-bin).

Comment out the following:

    #<Directory "/usr/local/www/cgi-bin">
    #    AllowOverride None
    #    Options None
    #    Order allow,deny
    #    Allow from all
    #</Directory>

Notes:

cgi-bin will be defined for the default site in a vhost entry.

Uncomment the following lines:

    AddHandler cgi-script .cgi
    AddType text/html .shtml
    AddHandler server-parsed .shtml

Notes:

In conjunction with the 'Options Includes' line in the directives for /home/*/web above, these settings allow users to run SSIs from within files ending .shtml.
Add the following lines after the AddHandler lines above for .shtml:

    AddType application/x-httpd-php .php
    AddType application/x-httpd-php-source .phps

Uncomment/modify the following lines to read:

    <Location /server-status>
        SetHandler server-status
        Order deny,allow
        Deny from all
        Allow from 213.152.51.194/255.255.255.248
    </Location>

and also:

    <Location /server-info>
        SetHandler server-info
        Order deny,allow
        Deny from all
        Allow from 213.152.51.194/255.255.255.248
    </Location>

Uncomment the following line to read:

    NameVirtualHost *

Add the following line:

    Include /usr/local/etc/apache/vhosts

Finally create the vhosts directory:

    root@dev /usr/local/etc/apache# mkdir /usr/local/etc/apache/vhosts

Notes:

This final line tells apache to recursively include every configuration file it finds within /usr/local/etc/apache/vhosts. This is convenient in that it allows us to create subdirectories under /usr/local/etc/apache/vhosts for each domain that is hosted with us, and then within each domain directory we can create a file for each subdomain within the parent domain. This makes management of vhosting much more convenient when creating new vhosts / users on the system and is also a debugging aid - if an error occurs in one of the vhost files, it's much easier to see exactly which vhost is causing the problem when using this system. We continue to discuss creation of vhost configuration files below.

The line 'NameVirtualHost *' basically means 'listen for requests for virtual hosts on our server on all addresses' - if you have more than one IP address and wish to set up a cluster of servers, you would replace the * with an IP address.

Don't worry about SSL for now(!)
I had problems with getting PHP to load up and had to add the following lines OUTSIDE of the enclosing directive block:

    LoadModule php4_module libexec/apache/libphp4.so

and

    AddModule mod_php4.c

You should now be able to run a configuration test on the config file using the 'apachectl' utility:

    root@dev /usr/local/etc/apache# apachectl configtest
    Processing config directory: /usr/local/etc/apache/vhosts
    [Wed Nov  6 20:36:01 2002] [warn] NameVirtualHost *:80 has no VirtualHosts
    Syntax OK

The line that counts here is 'Syntax OK' - this means that the config file is correctly set up. The warning is issued because we haven't named any virtual hosts yet to be served by apache - this follows below.

# Apache vhost configuration

Create the default site domain vhost directory and populate it with vhost configuration files, one per subdomain.

Create the subdirectory /usr/local/etc/apache/vhosts/munk.me.uk/:

    root@dev /usr/local/etc/apache/vhosts# mkdir munk.me.uk

All virtual hosts residing under the domain 'munk.me.uk' will be configured in this directory, one file per virtual host (ie the vhost configuration for joebloggs.munk.me.uk will reside in a file called /usr/local/etc/apache/vhosts/munk.me.uk/joebloggs). Vhost files will be created in this directory dynamically by an adduser script whenever a user is added to the system.

One exception to this is the default vhost or webserver served up by apache. Since 'munk.me.uk' is our default domain name at present, we want to make the virtual host 'www.munk.me.uk' the default site that is served by apache when it cannot match any other virtual host names under the domain 'munk.me.uk'. www.munk.me.uk in this sense is a 'catchall' for any requests to the 'munk.me.uk' domain that apache does not know about. For example, if someone requests 'foobar.munk.me.uk', but no configuration exists for 'foobar.munk.me.uk', then we want to ensure that the user is redirected to our default site 'www.munk.me.uk'.
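The per-user vhost files that the adduser script mentioned above is meant to drop into /usr/local/etc/apache/vhosts/munk.me.uk/, generated by an added example script that is not the guide's own adduser script. It also puts the per-vhost safe_mode and open_basedir settings from the PHP section into each file, so the two passages share this one example. The domain, vhost directory and /home/<user>/web layout come from this guide; the log file location under /var/log/httpd-vhosts and the user-name rule are assumptions made here.

```shell
#!/bin/sh
# Added example, not the guide's adduser script: write one Apache 1.3 vhost
# file per user under the vhosts directory described in the guide.
# Assumed: /var/log/httpd-vhosts exists and is writable by root only, so the
# server (which opens logs as root) never follows a user-controlled path.

DOMAIN=munk.me.uk
VHOST_DIR=/usr/local/etc/apache/vhosts/$DOMAIN

# valid_user NAME: succeed only for a plain lowercase Unix-style user name
# starting with a letter. This is what stops a user name from smuggling
# extra directives, quotes or a "../" path into the generated config.
valid_user() {
    case "$1" in
        '' | *[!a-z0-9_]* ) return 1 ;;
        [0-9_]* ) return 1 ;;
        * ) return 0 ;;
    esac
}

# vhost_config USER: print the VirtualHost block for USER on stdout.
vhost_config() {
    user=$1
    valid_user "$user" || { echo "vhost_config: invalid user name '$user'" >&2; return 1; }
    home=/home/$user
    cat <<EOF
<VirtualHost *>
    ServerName $user.$DOMAIN
    ServerAdmin webmaster@$DOMAIN
    DocumentRoot "$home/web"
    ErrorLog /var/log/httpd-vhosts/$user.error.log
    CustomLog /var/log/httpd-vhosts/$user.access.log combined
    # Per-vhost PHP restrictions (see the safe_mode / open_basedir notes):
    # scripts may only open files below the user's own web tree, and safe_mode
    # additionally requires the script owner to match the owner of those files.
    php_admin_value safe_mode 1
    php_admin_value open_basedir "$home/web/"
    <Directory "$home/web">
        Options Indexes SymLinksIfOwnerMatch Includes
        AllowOverride FileInfo AuthConfig Limit
        Order allow,deny
        Allow from all
    </Directory>
    <Directory "$home/web/cgi-bin">
        Options ExecCGI
    </Directory>
</VirtualHost>
EOF
}

# write_vhost USER [DIR]: write the config to DIR/USER (DIR defaults to
# VHOST_DIR) without clobbering an existing file; prints the path written.
write_vhost() {
    user=$1
    dir=${2:-$VHOST_DIR}
    valid_user "$user" || return 1
    [ -d "$dir" ] || mkdir -p "$dir"
    if [ -e "$dir/$user" ]; then
        echo "write_vhost: $dir/$user already exists, not overwriting" >&2
        return 1
    fi
    umask 022   # readable by the server, writable only by root
    vhost_config "$user" > "$dir/$user" || { rm -f "$dir/$user"; return 1; }
    echo "$dir/$user"
}

if [ "$#" -ge 1 ]; then
    write_vhost "$@"
fi
```

After writing a file, run 'apachectl configtest' as above and then 'apachectl graceful' so the new vhost is picked up without dropping in-flight requests. The trailing slash on the open_basedir value matters: without it PHP treats the value as a prefix, so "/home/joe/web" would also admit "/home/joe/webfoo".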
In order to do this we must ensure that the vhost configuration for 'www.munk.me.uk' is read by apache BEFORE ALL OTHER VHOST ENTRIES. For this reason we add the vhost entry for 'www.munk.me.uk' in the main httpd.conf file, BEFORE the vhost configurations within the vhosts directory are read into apache by the 'Include /usr/local/etc/apache/vhosts' line. So:

Add the following vhost entry AFTER the 'NameVirtualHost *' line and BEFORE the line 'Include /usr/local/etc/apache/vhosts':

    NameVirtualHost *

    <VirtualHost *>
        ServerName munk.me.uk
        ServerAlias munkboxen.mine.nu
        ServerAlias www.munk.me.uk
        ServerAdmin webmaster@munk.me.uk
        DocumentRoot "/usr/local/www/data"
        <Directory "/usr/local/www/data">
            Options Indexes FollowSymLinks
            AllowOverride None
            Order allow,deny
            Allow from all
        </Directory>
        Alias /doc/ "/usr/share/doc/"
        <Directory "/usr/share/doc/">
            AllowOverride None
            Options Indexes FollowSymLinks
            Order allow,deny
            Allow from all
        </Directory>
        # alias the ebooks dir
        Alias /sitedocs/ "/home/sitedocs/"
        <Directory "/home/sitedocs/">
            AllowOverride None
            Options Indexes
            Order allow,deny
            Allow from all
        </Directory>
    </VirtualHost>

    Include /usr/local/etc/apache/vhosts

Notes:

The main server name is 'munk.me.uk' and the names 'www.munk.me.uk' and 'munkboxen.mine.nu' are just aliases that point to 'munk.me.uk' in effect. In this way a user can type either 'http://munk.me.uk' or 'http://www.munk.me.uk' to access our default website.

This vhost entry also includes more than usual for a normal user vhost, since the default site has additional requirements such as serving up documents from various directories not under the server's DocumentRoot. To exemplify this, the line:

    Alias /sitedocs/ "/home/sitedocs/"

indicates that any requests made for the Uniform Resource Identifier (URI) 'http://munk.me.uk/sitedocs/' should be served up from the system path '/home/sitedocs'. There is also a set of directives underneath this:

    <Directory "/home/sitedocs/">
        AllowOverride None
        Options Indexes
        Order allow,deny
        Allow from all
    </Directory>

which specifies how access to the files should be allowed and what options should apply to the /home/sitedocs directory and subdirectories. Without these lines the server would not be able to serve up files from /home/sitedocs, since apache was not told previously in the configuration file how to deal with requests for files under this directory.

# MySQL

Install MySQL from the ports:

    root@dev /root# cd /usr/ports/databases/mysql323-server/
    root@dev /usr/ports/databases/mysql323-server# make && make install

The installation creates a script file in /usr/local/etc/rc.d to start the mysql server on boot. Edit this file so it looks like this (note that the daemon is backgrounded with '&' on its own, then the name is echoed; a '& &&' sequence is a shell syntax error):

    #!/bin/sh

    DATE=`date "+%Y%m%d%H%M%S"`
    LOG=/var/db/mysql/`hostname`.update.log.${DATE}

    case "$1" in
    start)
        # set up the env limits according to /etc/login.conf:
        # eval `limits -e -C daemon` >/dev/null 2>&1
        if [ -x /usr/local/bin/safe_mysqld ]; then
            # --log-update[=file]  Log updates to file.# where # is a unique number
            /usr/local/bin/safe_mysqld --user=mysql --log --log-update=$LOG > /dev/null 2>&1 &
            echo -n ' mysqld'
        fi
        ;;
    stop)
        /usr/bin/killall mysqld > /dev/null 2>&1 && echo -n ' mysqld'
        ;;
    *)
        echo ""
        echo "Usage: `basename $0` { start | stop }"
        echo ""
        exit 64
        ;;
    esac

This just adds timestamps to the update logs. At some point I'll work out how to rotate the update logs once a day!

Now we need to create a password for the root mysql account. The root mysql account has full privileges on all the databases in mysql, so you want to set a password to stop any old user just logging on as root without a password and setting up whatever databases they want.

First you need to start the mysql daemon:

    root@dev /usr/local/etc/rc.d# ./mysql-server.sh start

Now change the root password:

    root@dev /usr/local/etc/rc.d# mysqladmin -u root password yourpasswordhere

Obviously change 'yourpasswordhere' to whatever you want the password to be.

Now you can login to mysql as user root as follows:

    root@dev /usr/local/etc/rc.d# mysql -u root -p
    Enter password: (enter the password you set above)
    Welcome to the MySQL monitor.  Commands end with ; or \g.
    Your MySQL connection id is 3 to server version: 3.23.53

    Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

    mysql>

Now that you're in mysql as the root user, tidy up the databases and accounts that are installed by default. First make sure you're using the 'mysql' database (all the account and database details are stored in the mysql database):

    mysql> use mysql
    Database changed

You're now using the mysql database. Execute the following SQL query to remove the anonymous account (the rows with an empty User column). This account allows any local shell user to log in to mysql without a password. They can't do a lot with this account since it's highly restricted, as you'd expect for a default account, but still, we don't want it around.

    mysql> delete from user where User='';
    Query OK, 2 rows affected (0.02 sec)

Also delete any root account without a password set as follows (mysqladmin above only set the password on the 'root'@'localhost' row; the row for the host's own name is still empty):

    mysql> delete from user where User='root' and Password='';
    Query OK, 1 row affected (0.01 sec)

Changes made directly to the grant tables with DELETE (rather than through GRANT/REVOKE) are not seen by the running server until you tell it to reload them, so do that now, otherwise the deleted accounts keep working until the next restart:

    mysql> flush privileges;

You can now check that the 'user' table looks right:

    mysql> select * from user;
    +-----------+------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+
    | Host      | User | Password         | Select_priv | Insert_priv | Update_priv | Delete_priv | Create_priv | Drop_priv | Reload_priv | Shutdown_priv | Process_priv | File_priv | Grant_priv | References_priv | Index_priv | Alter_priv |
    +-----------+------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+
    | localhost | root | 1234we8u374e1e94 | Y           | Y           | Y           | Y           | Y           | Y         | Y           | Y             | Y            | Y         | Y          | Y               | Y          | Y          |
    +-----------+------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+
    1 row in set (0.00 sec)

You should see only one line, the root account details (note the password hash above is fictitious!). Finally remove the 'test' database that is created by default:

    mysql> drop database test;
    Query OK, 0 rows affected (0.02 sec)

Confirm the drop:

    mysql> show databases;
    +----------+
    | Database |
    +----------+
    | mysql    |
    +----------+
    1 row in set (0.01 sec)

You can see only the 'mysql' database is left now. Whilst we're still here, adding a new mysql account is done as follows:

    mysql> grant all on test.* to test@localhost identified by 'testpassword';
    Query OK, 0 rows affected (0.00 sec)

    mysql> grant all on test.* to test@"%" identified by 'testpassword';
    Query OK, 0 rows affected (0.01 sec)

    mysql> select * from user;
    +-----------+------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+
    | Host      | User | Password         | Select_priv | Insert_priv | Update_priv | Delete_priv | Create_priv | Drop_priv | Reload_priv | Shutdown_priv | Process_priv | File_priv | Grant_priv | References_priv | Index_priv | Alter_priv |
    +-----------+------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+
    | localhost | root | 6524aa5a374a1e94 | Y           | Y           | Y           | Y           | Y           | Y         | Y           | Y             | Y            | Y         | Y          | Y               | Y          | Y          |
    | localhost | test | 34464d3918c0793c | N           | N           | N           | N           | N           | N         | N           | N             | N            | N         | N          | N               | N          | N          |
    | %         | test | 34464d3918c0793c | N           | N           | N           | N           | N           | N         | N           | N             | N            | N         | N          | N               | N          | N          |
    +-----------+------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+
    3 rows in set (0.00 sec)

    mysql> create database test;
    Query OK, 1 row affected (0.01 sec)

The first grant statement adds a new mysql user, 'test', with all privileges on all tables in the database called 'test', and allows the user to log in as test from localhost with the password 'testpassword'. The second grant statement adds the same user with the same privileges but allows it to log in from any host. Note that the '%' must be quoted (single or double quotes both work) because '%' is not a legal character in an unquoted name in MySQL's grammar, so the statement is a syntax error without the quotes; this has nothing to do with the shell, since the statement is typed at the mysql prompt. Only add the '%' entry if you really want the test user to log in from anywhere that can reach port 3306 through the packet filter (not just localhost). If you only want the user to log in locally, leave this line out.

In the third statement we just check that the 'test' user entries were added ok. The N's in the privilege columns are expected: these are the global privileges, and what we granted is per-database, which mysql records in its 'db' table instead. Note how the password supplied in the grant statements is stored hashed with mysql's PASSWORD() function; this is the beauty of using the 'grant' statement to add users, you don't need to worry about hashing the password string yourself. Finally we created the 'test' database. For more info check out http://www.mysql.com/doc/en/Adding_users.html.

To make logging in to mysql easier, you can also create a mysql options file in your home directory, .my.cnf, containing the username and password you want to use whenever you type 'mysql' on the command line:

    [client]
    user=root
    password=yourpasswordhere

obviously change the username and password to those you used in the steps above. Since this file holds the root mysql password in clear, make it readable by you alone:

    root@dev /root# chmod 600 ~/.my.cnf

# Tcl

Install Tcl from the ports:

    root@dev /root# cd /usr/ports/lang/tcl84/
    root@dev /usr/ports/lang/tcl84# make && make install

Notes: Tcl is mainly used by eggdrop users.
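The whole clean-up above (root password, anonymous accounts, password-less root rows, test database, FLUSH PRIVILEGES, then a per-database account) can be produced as one SQL script and fed to the client on stdin, so the passwords never appear in 'ps' output or the shell history. The script below is an added example and is not from the original guide or the MySQL port; it assumes the MySQL 3.23 defaults described above (a 'root'@'localhost' row to set the password on) and that database and user names are plain identifiers. The only helper is a quoting function for the string literals, since a password containing a quote or backslash would otherwise break the SQL.

```shell
#!/bin/sh
# Added example, not from the original guide: generate the SQL that locks
# down a freshly installed MySQL 3.23 server, for piping into `mysql -u root`.

# Escape a value for use inside a single-quoted SQL literal: '' for ' and
# \\ for \ (MySQL accepts both the doubled-quote and the backslash form).
sql_quote() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/''/g"
}

# Hardening script: set root's password with SET PASSWORD instead of
# `mysqladmin password <pw>` (no password on a command line), drop the
# anonymous accounts and any password-less root rows, drop the test
# database, and FLUSH PRIVILEGES so the direct edits to mysql.user take
# effect immediately instead of at the next restart.
mysql_harden_sql() {
    pw=$(sql_quote "$1")
    cat <<EOF
USE mysql;
SET PASSWORD FOR root@localhost = PASSWORD('$pw');
DELETE FROM user WHERE User = '';
DELETE FROM user WHERE User = 'root' AND Password = '';
DROP DATABASE IF EXISTS test;
FLUSH PRIVILEGES;
EOF
}

# One account limited to one database. The host is a parameter so the
# catch-all '%' (any host that can reach port 3306) is only used on request.
# Arguments: database user host password
mysql_grant_sql() {
    db=$1; user=$2; host=$3; pw=$(sql_quote "$4")
    printf "GRANT ALL ON %s.* TO %s@'%s' IDENTIFIED BY '%s';\n" \
        "$db" "$user" "$host" "$pw"
}

# Stand-alone: print the script for a constructed example password.
# On the real host, with the server freshly started and root still
# password-less, pipe it straight into the client instead:
#   { mysql_harden_sql "$rootpw"; mysql_grant_sql test test localhost "$testpw"; } | mysql -u root
mysql_harden_sql "it's-only-an-example"
mysql_grant_sql test test localhost "example-test-password"
```

Remember that with '--log' enabled the server writes these statements, passwords included, to its general query log, which is one more reason to keep /var/db/mysql private to the mysql user.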
# Pico and Pine

Install Pine from the ports:

    root@dev /root# cd /usr/ports/mail/pine4/
    root@dev /usr/ports/mail/pine4# make -DWITH_SSL && make -DWITH_SSL install

Pass the WITH_SSL knob to the install step as well as the build step, so both see the same configuration.

Notes: Answer 'Yes' to the first security notice. The second notice is about the cclient package; the cclient required by pine should be the same as the one we've just installed, as long as not too long a period has passed between installing cclient (required in the mod_php4 installation) and installing pine.

# procmail

    root@dev /root# cd /usr/ports/mail/procmail/
    root@dev /usr/ports/mail/procmail# make && make install

Notes: procmail is very handy for dealing with mailing lists and spam.

# idled

    root@dev /root# cd /usr/ports/sysutils/idled/
    root@dev /usr/ports/sysutils/idled# make && make install

Copy the idled config template to idled.cf:

    root@dev /usr/ports/sysutils/idled# cd /usr/local/etc/
    root@dev /usr/local/etc# cp idled.cf.template idled.cf

Finally modify idled.cf to make any changes necessary. These are very much personal preference; I modify the following to read:

    multiples 3

and add the following lines at the end of the file:

    exempt login munk all
    exempt login eggdrop all

Notes: idled is a daemon that can be configured to log users out of a terminal after a set number of minutes of idleness; the 'exempt' lines above keep the named accounts from ever being logged out. idled starts from /usr/local/etc/rc.d/idled.sh on boot.
# Configure logging

Make a backup of syslog.conf:

    root@dev /root# cd /etc
    root@dev /etc# cp syslog.conf syslog.conf.bak

Add the following lines to the END of /etc/syslog.conf. The order matters: once a '!program' line has been seen, every selector after it applies only to that program until the next '!program' (or a '!*' reset), so put these after the existing general entries rather than before them:

    console.info        /var/log/console.log
    *.*                 /var/log/all.log
    mail.debug          /var/log/maildebuglog
    !named
    *.*                 /var/log/named.log
    !qpopper
    *.*                 /var/log/qpopper.log
    !ipmon
    *.*                 /var/log/ipmon.log
    !proftpd
    *.*                 /var/log/ftp.log
    !inetd
    *.*                 /var/log/inetd.log

Also 'touch' each of these logfiles to create them. syslogd will not create a missing file itself, but 'touch' under root's default umask creates them mode 644, world-readable, and all.log receives everything including the auth messages (failed logins, and the usernames typed at a login prompt, which are often a mistyped password), while maildebuglog carries every sender and recipient address. So tighten them straight away:

    root@dev /etc# cd /var/log
    root@dev /var/log# touch console.log all.log maildebuglog named.log qpopper.log ipmon.log ftp.log inetd.log
    root@dev /var/log# chmod 600 console.log all.log maildebuglog named.log qpopper.log ipmon.log ftp.log inetd.log

Restart syslogd:

    root@dev /var/log# kill -HUP `cat /var/run/syslog.pid`

You should be able to check that syslogd restarted ok by looking at the tail of /var/log/all.log:

    root@dev /var/log# tail all.log
    Nov 11 00:39:27 dev syslogd: restart

# Configure log rotation

Configure the system to rotate old logs into /opt/backup/logs:

    root@dev /root# mkdir -p /opt/backup/logs
    root@dev /root# chmod 0770 /opt

(/opt is owned by root with group wheel, so this makes it accessible only to root and wheel users; the archived logs keep the mode given in newsyslog.conf, so the directory permissions are what stops other users from reading the 644 ones.)
Edit /etc/newsyslog.conf to read (the 'when' field uses '@T00' with two ZEROS; a letter O in that field, an easy typo, makes newsyslog reject the entry and the log is never rotated):

    # configuration file for newsyslog
    #logfilename                 [o:g]  mode count size when  [ZJB] [/pid_file] [sig_num]
    #daily:
    /var/log/maillog                    640  10000 *    @T05  Z
    /var/log/daily.log                  640  10000 *    @T00  Z
    /var/log/all.log                    660  10000 *    @T00  Z
    /var/log/ipmon.log                  660  10000 *    @T00  Z
    /var/log/messages                   644  10000 *    @T00  Z
    /var/log/console.log                600  10000 *    @T00  Z
    #weekly:
    /var/log/auth.log                   600  10000 1    $W6D0 Z
    /var/log/weekly.log                 640  10000 1    $W6D0 Z
    /var/log/named.log                  600  10000 1    $W6D0 Z     /var/run/named.pid
    /var/log/cron                       600  10000 *    $W6D0 Z
    /var/log/qpopper.log                640  10000 *    $W6D0 Z
    /var/log/ftp.log                    640  10000 *    $W6D0 Z
    /var/log/xferlog                    640  10000 *    $W6D0 Z
    #monthly:
    /var/log/monthly.log                640  10000 *    $M1D0 Z
    /var/log/wtmp                       644  10000 *    $M1D0 B
    /var/log/httpd-error.log            644  10000 *    $M1D0 Z     /var/run/httpd.pid
    /var/log/httpd-access.log           644  10000 *    $M1D0 Z     /var/run/httpd.pid
    /var/log/sendmail.st                640  10000 *    $M1D0 B
    #
    # IMPORTANT - COMMENT OUT THE ORIGINAL NEWSYSLOG.CONF ENTRIES SO YOU CAN ROLL BACK IF SOMETHING GOES WRONG
    #
    # original settings:
    #/var/log/cron                      600  3     100  *     Z
    #/var/log/amd.log                   644  7     100  *     Z
    #/var/log/auth.log                  600  7     100  *     Z
    #/var/log/kerberos.log              600  7     100  *     Z
    #/var/log/lpd-errs                  644  7     100  *     Z
    #/var/log/maillog                   640  7     *    @T00  Z
    #/var/log/sendmail.st               640  10    *    168   B
    #/var/log/messages                  644  5     100  *     Z
    #/var/log/all.log                   600  7     *    @T00  Z
    #/var/log/slip.log    root:network  640  3     100  *     Z
    #/var/log/ppp.log     root:network  640  3     100  *     Z
    #/var/log/security                  600  10    100  *     Z
    #/var/log/wtmp                      644  3     *    @01T05 B
    #/var/log/daily.log                 640  7     *    @T00  Z
    #/var/log/weekly.log                640  5     1    $W6D0 Z
    #/var/log/monthly.log               640  12    *    $M1D0 Z
    #/var/log/console.log               600  5     100  *     Z

Note that any log from the original list that is not repeated in the new one (for example /var/log/security, which receives the 'security' facility, and lpd-errs) is no longer rotated at all and will grow without limit; add an entry for any of those that this host actually writes to. The count of 10000 means old archives are in practice never expired, which is the intent here (they are kept in /opt/backup/logs), but keep an eye on the space.

Finally tell newsyslog to rotate logs into /opt/backup/logs. Edit the following line in /etc/crontab to read:

    0 * * * * root newsyslog -a /opt/backup/logs

# Configure periodic

Periodic is a mechanism which allows tasks to be performed on a daily, weekly or monthly basis.
Edit (create) /etc/periodic.conf to read:

    daily_status_security_output="munk"      # user or /file
    daily_output="munk"                      # user or /file
    weekly_output="munk"                     # user or /file
    monthly_output="munk"                    # user or /file
    daily_show_badconfig="YES"               # scripts returning 2
    daily_clean_tmps_enable="YES"            # Delete stuff daily
    daily_clean_disks_enable="YES"           # Delete files daily
    daily_clean_disks_files=".#* a.out *.core *.CKP .emacs_[0-9]*"
    weekly_show_badconfig="YES"              # scripts returning 2
    weekly_catman_enable="YES"               # Preformat man pages
    weekly_noid_enable="YES"                 # Find unowned files
    monthly_show_badconfig="YES"             # scripts returning 2

The '*_output="munk"' settings mail the daily, weekly and monthly reports, including the daily security check (setuid changes, new listening ports, failed logins), to the local user 'munk' rather than root, so make sure that account is one you actually read. Be aware that 'daily_clean_disks_enable' deletes every file matching the 'daily_clean_disks_files' patterns on all local filesystems, users' home directories included, so only list patterns you are happy to see removed from other people's directories.

#
# Other utilities to consider: fetchmail

## END