The document provides instructions for updating the FreeBSD 7.2 ports tree on a WebServer. The following steps are outlined:
1. Log in as the user "sermpan" and su to root.
2. Extract a backup of the ports tree files from /backups/distfiles72.tar.
3. Install and clean the cvsup port to update the ports tree files.
2. WebServer FreeBSD 7.2
1).
http://bsd.psru.ac.th/microcom/micro240/install53_1.pdf
http://bsd.psru.ac.th/microcom/micro240/install53_2.pdf
FreeBSD 7.2
login as: sermpan
Using keyboard-interactive authentication.
Password:
Last login: Mon Aug 10 11:02:38 2009 from proxy.mu-ph.org
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD 7.2-RELEASE (GENERIC) #0: Fri May 1 08:49:13 UTC 2009
Welcome to FreeBSD!
Before seeking technical support, please use the following resources:
o Security advisories and updated errata information for all releases are
at http://www.FreeBSD.org/releases/ - always consult the ERRATA section
for your release first as it's updated frequently.
o The Handbook and FAQ documents are at http://www.FreeBSD.org/ and,
along with the mailing lists, can be searched by going to
http://www.FreeBSD.org/search/. If the doc distribution has
been installed, they're also available formatted in /usr/share/doc.
If you still have a question or problem, please take the output of
`uname -a', along with any relevant error messages, and email it
as a question to the questions@FreeBSD.org mailing list. If you are
unfamiliar with FreeBSD's directory layout, please refer to the hier(7)
manual page. If you are not familiar with manual pages, type `man man'.
You may also use sysinstall(8) to re-enter the installation and
configuration utility. Edit /etc/motd to change this login announcement.
$ su root
Password:
www#
Welcome Delay 10 3
www# vi /boot/defaults/loader.conf
##############################################################
### Loader settings ########################################
##############################################################
#autoboot_delay="10" # Delay in seconds before autobooting,
autoboot_delay="3" # Delay in seconds before autobooting,
sshd_config User sermpan Secure Shell
www# vi /etc/ssh/sshd_config
# Authentication:
AllowUsers sermpan
#LoginGraceTime 2m
#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
Save Reload
www# /etc/rc.d/sshd reload
www#
WebServer FreeBSD 7.2 Page 2
3. WebServer FreeBSD 7.2
2). Compile Kernel Firewall Quota
www# cd /usr/src/sys/i386/conf/
www# cp GENERIC PH
www# vi PH ; ( )
www# cat PH
#
# GENERIC -- Generic kernel configuration file for FreeBSD/i386
#
# For more information on this file, please read the handbook section on
# Kernel Configuration Files:
#
# http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-config.html
#
# The handbook is also available locally in /usr/share/doc/handbook
# if you've installed the doc distribution, otherwise always see the
# FreeBSD World Wide Web server (http://www.FreeBSD.org/) for the
# latest information.
#
# An exhaustive list of options and more detailed explanations of the
# device lines is also present in the ../../conf/NOTES and NOTES files.
# If you are in doubt as to the purpose or necessity of a line, check first
# in NOTES.
#
# $FreeBSD: src/sys/i386/conf/GENERIC,v 1.474.2.15.2.1 2008/11/25 02:59:29 kensmith Exp $
cpu I486_CPU
cpu I586_CPU
cpu I686_CPU
#ident GENERIC
ident PH
# To statically compile in device wiring instead of /boot/device.hints
#hints "GENERIC.hints" # Default places to look for devices.
makeoptions DEBUG=-g # Build kernel with gdb(1) debug symbols
options SCHED_ULE # ULE scheduler
options PREEMPTION # Enable kernel thread preemption
options INET # InterNETworking
options INET6 # IPv6 communications protocols
options SCTP # Stream Control Transmission Protocol
options FFS # Berkeley Fast Filesystem
options SOFTUPDATES # Enable FFS soft updates support
options UFS_ACL # Support for access control lists
options UFS_DIRHASH # Improve performance on big directories
options UFS_GJOURNAL # Enable gjournal-based UFS journaling
options MD_ROOT # MD is a potential root device
options NFSCLIENT # Network Filesystem Client
options NFSSERVER # Network Filesystem Server
options NFSLOCKD # Network Lock Manager
options NFS_ROOT # NFS usable as /, requires NFSCLIENT
options MSDOSFS # MSDOS Filesystem
options CD9660 # ISO 9660 Filesystem
options PROCFS # Process filesystem (requires PSEUDOFS)
options PSEUDOFS # Pseudo-filesystem framework
options GEOM_PART_GPT # GUID Partition Tables.
options GEOM_LABEL # Provides labelization
options COMPAT_43TTY # BSD 4.3 TTY compat [KEEP THIS!]
options COMPAT_FREEBSD4 # Compatible with FreeBSD4
options COMPAT_FREEBSD5 # Compatible with FreeBSD5
options COMPAT_FREEBSD6 # Compatible with FreeBSD6
options SCSI_DELAY=5000 # Delay (in ms) before probing SCSI
options KTRACE # ktrace(1) support
options STACK # stack(9) support
options SYSVSHM # SYSV-style shared memory
options SYSVMSG # SYSV-style message queues
options SYSVSEM # SYSV-style semaphores
options _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options KBD_INSTALL_CDEV # install a CDEV entry in /dev
options ADAPTIVE_GIANT # Giant mutex is adaptive.
options STOP_NMI # Stop CPUS using NMI instead of IPI
options AUDIT # Security event auditing
WebServer FreeBSD 7.2 Page 3
5. WebServer FreeBSD 7.2
3). Update ports tree
FreeBSD 7.2 Update ports
login as: sermpan
Using keyboard-interactive authentication.
Password:
Last login: Tue Aug 4 20:03:36 2009 from proxy.mu-ph.org
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD 7.2-RELEASE (PH) #0: Tue Aug 4 18:53:55 ICT 2009
Welcome to FreeBSD!
Before seeking technical support, please use the following resources:
o Security advisories and updated errata information for all releases are
at http://www.FreeBSD.org/releases/ - always consult the ERRATA section
for your release first as it's updated frequently.
o The Handbook and FAQ documents are at http://www.FreeBSD.org/ and,
along with the mailing lists, can be searched by going to
http://www.FreeBSD.org/search/. If the doc distribution has
been installed, they're also available formatted in /usr/share/doc.
If you still have a question or problem, please take the output of
`uname -a', along with any relevant error messages, and email it
as a question to the questions@FreeBSD.org mailing list. If you are
unfamiliar with FreeBSD's directory layout, please refer to the hier(7)
manual page. If you are not familiar with manual pages, type `man man'.
You may also use sysinstall(8) to re-enter the installation and
configuration utility. Edit /etc/motd to change this login announcement.
$ su root
Password:
www#
FreeBSD 7.2 tar /backups/distfiles72.tar
/usr/ports/distfiles ( Server download internet)
www# cd /
www# tar xpf /backups/distfiles72.tar
www# cd /usr/ports/net/cvsup
www# make install && make clean
cvsup X11 ( default) library X11
compile Fatal error
WebServer FreeBSD 7.2 Page 5
8. WebServer FreeBSD 7.2
m4 LIBSIGSEGV
===> SECURITY REPORT:
This port has installed the following files which may act as network
servers and may therefore pose a remote security risk to the system.
/usr/local/sbin/cvsupd
/usr/local/bin/cvsup
/usr/local/bin/cvpasswd
If there are vulnerabilities in these programs there may be a security
risk to the system. FreeBSD makes no guarantee about the security of
ports included in the Ports Collection. Please type 'make deinstall'
to deinstall the port if this is a concern.
For more information, and contact details about the security
status of this software, see the following webpage:
http://www.cvsup.org/
===> Cleaning for ezm3-1.2_1
===> Cleaning for liboldX-1.0.1
===> Cleaning for libdmx-1.0.2_1
===> Cleaning for pixman-0.15.2
===> Cleaning for libXaw-1.0.5_1,1
===> Cleaning for gmake-3.81_3
===> Cleaning for libX11-1.2.1,1
===> Cleaning for libtool-1.5.26
===> Cleaning for pkg-config-0.23_1
===> Cleaning for xextproto-7.0.5
===> Cleaning for dmxproto-2.2.2
===> Cleaning for libXext-1.0.5,1
===> Cleaning for perl-threaded-5.8.9_2
===> Cleaning for printproto-1.0.4
===> Cleaning for libXau-1.0.4
===> Cleaning for libXmu-1.0.4,1
===> Cleaning for libXp-1.0.0,1
===> Cleaning for libXpm-3.5.7
===> Cleaning for xproto-7.0.15
===> Cleaning for libXt-1.0.5_1
===> Cleaning for gettext-0.17_1
===> Cleaning for libxcb-1.2_1
===> Cleaning for xorg-macros-1.2.1
===> Cleaning for bigreqsproto-1.0.2
===> Cleaning for xcmiscproto-1.1.2
===> Cleaning for xtrans-1.2.3
===> Cleaning for kbproto-1.0.3
===> Cleaning for inputproto-1.5.0
===> Cleaning for xf86bigfontproto-1.1.2
===> Cleaning for libXdmcp-1.0.2_1
===> Cleaning for automake-1.10.1
WebServer FreeBSD 7.2 Page 8
9. WebServer FreeBSD 7.2
===> Cleaning for autoconf-2.62
===> Cleaning for gdbm-1.8.3_3
===> Cleaning for libSM-1.1.0_1,1
===> Cleaning for libiconv-1.11_1
===> Cleaning for libcheck-0.9.6
===> Cleaning for libxslt-1.1.24_2
===> Cleaning for xcb-proto-1.4
===> Cleaning for libpthread-stubs-0.1
===> Cleaning for python25-2.5.4_1
===> Cleaning for automake-wrapper-20071109
===> Cleaning for m4-1.4.12,1
===> Cleaning for help2man-1.36.4_2
===> Cleaning for autoconf-wrapper-20071109
===> Cleaning for libICE-1.0.4_1,1
===> Cleaning for libxml2-2.7.3
===> Cleaning for libsigsegv-2.5
===> Cleaning for p5-gettext-1.05_2
===> Cleaning for cvsup-16.1h_4
www#
www#
ports-supfile /tmp port Update
www# cp /usr/share/examples/cvsup/ports-supfile /tmp
www# cd /tmp
www# ll
total 14
drwxrwxrwt 2 root wheel 512 Aug 7 09:50 .ICE-unix
drwxrwxrwt 2 root wheel 512 Aug 7 09:50 .X11-unix
drwxrwxrwt 2 root wheel 512 Aug 7 09:50 .XIM-unix
drwxrwxrwt 2 root wheel 512 Aug 7 09:50 .font-unix
drwxrwxr-x 2 root operator 512 Aug 7 15:58 .snap
-r--r--r-- 1 root wheel 3817 Aug 7 10:10 ports-supfile
www#
ports-supfile ( )
www# cat ports-supfile
# $FreeBSD: src/share/examples/cvsup/ports-supfile,v 1.38.6.1 2008/11/25 02:59:29 kensmith Exp $
#
# This file contains all of the "CVSup collections" that make up the
# FreeBSD-current ports collection.
#
# CVSup (CVS Update Protocol) allows you to download the latest CVS
# tree (or any branch of development therefrom) to your system easily
# and efficiently (far more so than with sup, which CVSup is aimed
# at replacing). If you're running CVSup interactively, and are
# currently using an X display server, you should run CVSup as follows
# to keep your CVS tree up-to-date:
#
# cvsup ports-supfile
#
# If not running X, or invoking cvsup from a non-interactive script, then
# run it as follows:
#
# cvsup -g -L 2 ports-supfile
#
# You may wish to change some of the settings in this file to better
# suit your system:
#
# host=CHANGE_THIS.FreeBSD.org
# This specifies the server host which will supply the
# file updates. You must change it to one of the CVSup
# mirror sites listed in the FreeBSD Handbook at
# http://www.freebsd.org/doc/handbook/mirrors.html.
# You can override this setting on the command line
# with cvsup's "-h host" option.
#
# base=/var/db
# This specifies the root where CVSup will store information
# about the collections you have transferred to your system.
# A setting of "/var/db" will generate this information in
WebServer FreeBSD 7.2 Page 9
10. WebServer FreeBSD 7.2
# /var/db/sup. You can override the "base" setting on the
# command line with cvsup's "-b base" option. This directory
# must exist in order to run CVSup.
#
# prefix=/usr
# This specifies where to place the requested files. A
# setting of "/usr" will place all of the files requested
# in "/usr/ports" (e.g., "/usr/ports/devel", "/usr/ports/lang").
# The prefix directory must exist in order to run CVSup.
# Defaults that apply to all the collections
#
# IMPORTANT: Change the next line to use one of the CVSup mirror sites
# listed at http://www.freebsd.org/doc/handbook/mirrors.html.
#*default host=CHANGE_THIS.FreeBSD.org
*default host=cvsup1.FreeBSD.org
*default base=/var/db
*default prefix=/usr
*default release=cvs tag=.
*default delete use-rel-suffix
# If you seem to be limited by CPU rather than network or disk bandwidth, try
# commenting out the following line. (Normally, today's CPUs are fast enough
# that you want to run compression.)
*default compress
## Ports Collection.
#
# The easiest way to get the ports tree is to use the "ports-all"
# mega-collection. It includes all of the individual "ports-*"
# collections,
#ports-all
# These are the individual collections that make up "ports-all". If you
# use these, be sure to comment out "ports-all" above.
#
# Be sure to ALWAYS cvsup the ports-base collection if you use any of the
# other individual collections below. ports-base is a mandatory collection
# for the ports collection, and your ports may not build correctly if it
# is not kept up to date.
ports-base
ports-accessibility
#ports-arabic
ports-archivers
#ports-astro
#ports-audio
#ports-benchmarks
#ports-biology
#ports-cad
#ports-chinese
ports-comms
ports-converters
ports-databases
#ports-deskutils
ports-devel
ports-dns
#ports-editors
ports-emulators
#ports-finance
#ports-french
ports-ftp
#ports-games
#ports-german
ports-graphics
#ports-hebrew
#ports-hungarian
#ports-irc
#ports-japanese
ports-java
#ports-korean
ports-lang
ports-mail
#ports-math
WebServer FreeBSD 7.2 Page 10
11. WebServer FreeBSD 7.2
#ports-mbone
ports-misc
#ports-multimedia
ports-net
ports-net-im
ports-net-mgmt
ports-net-p2p
#ports-news
#ports-palm
#ports-polish
ports-ports-mgmt
#ports-portuguese
ports-print
#ports-russian
#ports-science
ports-security
ports-shells
ports-sysutils
ports-textproc
#ports-ukrainian
#ports-vietnamese
ports-www
ports-x11
ports-x11-clocks
ports-x11-drivers
ports-x11-fm
ports-x11-fonts
ports-x11-servers
ports-x11-themes
ports-x11-toolkits
ports-x11-wm
www# /usr/local/bin/cvsup -g -L 2 /tmp/ports-supfile
Parsing supfile "/tmp/ports-supfile"
Connecting to cvsup1.FreeBSD.org
Connected to cvsup1.FreeBSD.org
Server software version: SNAP_16_1h
Negotiating file attribute support
Exchanging collection information
Establishing multiplexed-mode data connection
Running
Name lookup failure for "cvsup1.FreeBSD.org": Host name lookup failed
Will retry at 11:56:55
ports-supfile
*default host=cvsup1.FreeBSD.org
cvsup1 1 2 3 4 18
http://www.freebsd.org/doc/en/books/handbook/cvsup.html#CVSUP-MIRRORS
www# /usr/local/bin/cvsup -g -L 2 /tmp/ports-supfile
Parsing supfile "/tmp/ports-supfile"
cvsup2.freebsd.org
.
.
.
.
Shutting down connection to server
Finished successfully
www#
WebServer FreeBSD 7.2 Page 11
12. WebServer FreeBSD 7.2
4). Firewall
Compile kernel Firewall Quota Firewall
Step # 1: Enabling IPFW
Open /etc/rc.conf file
firewall_enable="YES"
firewall_script="/backups/ipfw.rules"
Step # 2 Write a Firewall Rule Script
www# vi /backups/ipfw.rules
IPF="ipfw -q add"
ipfw -q -f flush
#loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag
# statefull
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any
# open port ftp (20,21), ssh (22), mail (25)
# http (80), dns (53) etc
# port 20 = ftp-data
#$IPF 90 allow tcp from any to any 20 in
#$IPF 100 allow tcp from any to any 20 out
# port 21 = ftp
$IPF 110 allow tcp from any to any 21 in
$IPF 120 allow tcp from any to any 21 out
# port 22 = ssh
$IPF 130 allow tcp from any to any 22 in
$IPF 140 allow tcp from any to any 22 out
# telnet port=23
#$IPF 150 allow tcp from any to any 23 in
#$IPF 160 allow tcp from any to any 23 out
# smtp port=25
#$IPF 170 allow tcp from any to any 25 in
#$IPF 180 allow tcp from any to any 25 out
# nameserver port=42
#$IPF 190 allow tcp from any to any 42 in
#$IPF 200 allow tcp from any to any 42 out
# domain port=53
#$IPF 210 allow udp from any to any 53 in
#$IPF 220 allow udp from any to any 53 out
# tftp port=69
#$IPF 230 allow tcp from any to any 69 in
#$IPF 240 allow tcp from any to any 69 out
WebServer FreeBSD 7.2 Page 12
13. WebServer FreeBSD 7.2
# finger port=79
#$IPF 250 allow tcp from any to any 79 in
#$IPF 260 allow tcp from any to any 79 out
# http port=80
$IPF 270 allow tcp from any to any 80 in
$IPF 280 allow tcp from any to any 80 out
# pop3 port=110
#$IPF 290 allow tcp from any to any 110 in
#$IPF 300 allow tcp from any to any 110 out
# webmin port=10000
$IPF 310 allow tcp from any to any 10000 in
$IPF 320 allow tcp from any to any 10000 out
# deny and log everything
$IPF 500 deny log all from any to any
Step # 3: Start a firewall
You can reboot the box or you could reload these rules by entering on the command line.
www# sh /backups/ipfw.rules
Task: List all the rules in sequence
Type the following command:
www# ipfw list
00010 allow ip from any to any via lo0
00020 deny ip from any to 127.0.0.0/8
00030 deny ip from 127.0.0.0/8 to any
00040 deny tcp from any to any frag
00050 check-state
00060 allow tcp from any to any established
00070 allow ip from any to any out keep-state
00080 allow icmp from any to any
00110 allow tcp from any to any dst-port 21 in
00120 allow tcp from any to any dst-port 21 out
00130 allow tcp from any to any dst-port 22 in
00140 allow tcp from any to any dst-port 22 out
00270 allow tcp from any to any dst-port 80 in
00280 allow tcp from any to any dst-port 80 out
00310 allow tcp from any to any dst-port 10000 in
00320 allow tcp from any to any dst-port 10000 out
00500 deny log logamount 120 ip from any to any
65535 allow ip from any to any
www#
quota
WebServer FreeBSD 7.2 Page 13
14. WebServer FreeBSD 7.2
5). Quota
www# cd /etc/
www# vi fstab
/usr userquota,groupquota
www# cat fstab
# Device Mountpoint FStype Options Dump Pass#
/dev/aacd0s1b none swap sw 0 0
/dev/aacd0s1a / ufs rw 1 1
/dev/aacd1s1d /backups ufs rw 2 2
/dev/aacd0s1e /tmp ufs rw 2 2
/dev/aacd0s1f /usr ufs rw,userquota,groupquota 22
/dev/aacd0s1d /var ufs rw 2 2
/dev/acd0 /cdrom cd9660 ro,noauto 0 0
www#
/etc/rc.conf
enable_quotas="YES"
check_quotas="YES"
Reboot
www# reboot
boot Disk Quota
www# quotacheck -a
www# quotaon -a
www# quota -v sermpan
Disk quotas for user sermpan (uid 1002):
Filesystem usage quota limit grace files quota limit grace
/usr/local 0 0 0 0 0 0
www# www# edquota -u sermpan
Quotas for user sermpan:
/usr/local: kbytes in use: 0, limits (soft = 1044480, hard = 1048576)
inodes in use: 1, limits (soft = 0, hard = 0)
www#
SoftQuota = 1020M HardQuota = 1024M
www# quota -v sermpan
Disk quotas for user sermpan (uid 1003):
Filesystem usage quota limit grace files quota limit grace
/usr/local 1520 1044480 1048576 1 0 0
www#
grace period 7
www# edquota -t
Time units may be: days, hours, minutes, or seconds
Grace period before enforcing soft limits for users:
/var/mail: block grace period: 7 days, file grace period: 7 days
Quota User
www# edquota -p sermpan `awk -F: '$3 > 1003 {print $1}' /etc/passwd`
www#
WebServer FreeBSD 7.2 Page 14
15. WebServer FreeBSD 7.2
6.) mysql50-server
www# cd /usr/ports/database/mysql50-server
www# make config
===> No options to configure
www# make WITH_CHARSET=tis620 WITH_XCHARSET=all WITH_COLLATION=tis620_thai_ci WITH_OPENSSL=yes
BUILD_OPTIMIZED=yes WITH_ARCHIVE=yes WITH_FEDERATED=yes WITH_NDB=yes install clean
( www# make with )
Added group "mysql".
Added user "mysql".
************************************************************************
Remember to run mysql_upgrade (with the optional --datadir=<dbdir> flag)
the first time you start the MySQL server after an upgrade from an
earlier version.
************************************************************************
install-info --quiet /usr/local/info/mysql.info /usr/local/info/dir
===> Installing rc.d startup script(s)
===> Compressing manual pages for mysql-server-5.0.84
===> Registering installation for mysql-server-5.0.84
===> SECURITY REPORT:
This port has installed the following files which may act as network
servers and may therefore pose a remote security risk to the system.
/usr/local/bin/ndb_drop_table
/usr/local/bin/ndb_delete_all
/usr/local/libexec/ndbd
/usr/local/bin/ndb_restore
/usr/local/libexec/ndb_mgmd
/usr/local/bin/ndb_select_all
/usr/local/bin/ndb_drop_index
/usr/local/bin/ndb_desc
/usr/local/bin/ndb_show_tables
/usr/local/lib/mysql/libndbclient.so.2
/usr/local/bin/ndb_waiter
/usr/local/libexec/mysqld
/usr/local/libexec/ndb_cpcd
/usr/local/bin/ndb_select_count
This port has installed the following startup scripts which may cause
these network services to be started at boot time.
/usr/local/etc/rc.d/mysql-server
If there are vulnerabilities in these programs there may be a security
risk to the system. FreeBSD makes no guarantee about the security of
ports included in the Ports Collection. Please type 'make deinstall'
to deinstall the port if this is a concern.
For more information, and contact details about the security
status of this software, see the following webpage:
http://www.mysql.com/
===> Cleaning for mysql-client-5.0.84
===> Cleaning for mysql-server-5.0.84
www#
mysql
www# vi /etc/rc.conf
mysql_enable="YES"
save vi reboot
www# reboot
WebServer FreeBSD 7.2 Page 15
16. WebServer FreeBSD 7.2
reboot login password login database
login as: sermpan
Password:
Last login: Thu Aug 6 15:08:09 2009 from 202.129.37.133
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD 7.2-RELEASE (NMM) #0: Thu Aug 6 13:11:38 ICT 2009
Welcome to FreeBSD!
Before seeking technical support, please use the following resources:
o Security advisories and updated errata information for all releases are
at http://www.FreeBSD.org/releases/ - always consult the ERRATA section
for your release first as it's updated frequently.
o The Handbook and FAQ documents are at http://www.FreeBSD.org/ and,
along with the mailing lists, can be searched by going to
http://www.FreeBSD.org/search/. If the doc distribution has
been installed, they're also available formatted in /usr/share/doc.
If you still have a question or problem, please take the output of
`uname -a', along with any relevant error messages, and email it
as a question to the questions@FreeBSD.org mailing list. If you are
unfamiliar with FreeBSD's directory layout, please refer to the hier(7)
manual page. If you are not familiar with manual pages, type `man man'.
You may also use sysinstall(8) to re-enter the installation and
configuration utility. Edit /etc/motd to change this login announcement.
$ su root
Password:
www# /usr/local/bin/mysqladmin -u root password ppppp
www# mysql -u root mysql -p
Enter password:
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Welcome to the MySQL monitor. Commands end with ; or g.
Your MySQL connection id is 2
Server version: 5.0.84 FreeBSD port: mysql-server-5.0.84
Type 'help;' or 'h' for help. Type 'c' to clear the current input statement.
mysql> q
Bye
www#
mysql apache22
WebServer FreeBSD 7.2 Page 16
17. WebServer FreeBSD 7.2
7.) Apache22
www# cd /usr/ports/www/apache22
www# make config
WebServer FreeBSD 7.2 Page 17
19. WebServer FreeBSD 7.2
www# make install clean
arp-ipv6-gdbm-db42
To run apache www server from startup, add apache22_enable="YES"
in your /etc/rc.conf. Extra options can be found in startup script.
Your hostname must be resolvable using at least 1 mechanism in
/etc/nsswitch typically DNS or /etc/hosts or apache might
have issues starting depending on the modules you are using.
===> Installing rc.d startup script(s)
===> Compressing manual pages for apache-2.2.11_7
===> Registering installation for apache-2.2.11_7
===> SECURITY REPORT:
This port has installed the following binaries which execute with
increased privileges.
/usr/local/sbin/suexec
This port has installed the following files which may act as network
servers and may therefore pose a remote security risk to the system.
/usr/local/libexec/apache22/mod_cgid.so
This port has installed the following startup scripts which may cause
WebServer FreeBSD 7.2 Page 19
20. WebServer FreeBSD 7.2
these network services to be started at boot time.
/usr/local/etc/rc.d/apache22
/usr/local/etc/rc.d/htcacheclean
If there are vulnerabilities in these programs there may be a security
risk to the system. FreeBSD makes no guarantee about the security of
ports included in the Ports Collection. Please type 'make deinstall'
to deinstall the port if this is a concern.
For more information, and contact details about the security
status of this software, see the following webpage:
http://httpd.apache.org/
===> Cleaning for expat-2.0.1
===> Cleaning for pcre-7.9
===> Cleaning for apr-gdbm-db42-ndbm-mysql-1.3.8.1.3.9
===> Cleaning for automake-1.9.6_3
===> Cleaning for db42-4.2.52_5
===> Cleaning for apache-2.2.11_7
www#
apache
www# vi /etc/rc.conf
apache22_enable="YES"
save vi
WebServer FreeBSD 7.2 Page 20
21. WebServer FreeBSD 7.2
8.) PHP5
www# cd /usr/ports/lang/php5
www# make config
www# make install clean
***************************************************************
Make sure index.php is part of your DirectoryIndex.
You should add the following to your Apache configuration file:
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
***************************************************************
===> Compressing manual pages for php5-5.2.10
===> Registering installation for php5-5.2.10
===> SECURITY REPORT:
This port has installed the following files which may act as network
servers and may therefore pose a remote security risk to the system.
/usr/local/libexec/apache22/libphp5.so
/usr/local/bin/php
/usr/local/bin/php-cgi
If there are vulnerabilities in these programs there may be a security
risk to the system. FreeBSD makes no guarantee about the security of
ports included in the Ports Collection. Please type 'make deinstall'
to deinstall the port if this is a concern.
For more information, and contact details about the security
status of this software, see the following webpage:
http://www.php.net/
===> Cleaning for php5-5.2.10
www#
php5-extensions
WebServer FreeBSD 7.2 Page 21
22. WebServer FreeBSD 7.2
9.) PHP5-extensions
www# cd /usr/ports/lang/php5-extensions
www# make config
WebServer FreeBSD 7.2 Page 22
25. WebServer FreeBSD 7.2
ca_root_nss
===> SECURITY REPORT:
This port has installed the following files which may act as network
servers and may therefore pose a remote security risk to the system.
/usr/local/lib/libcurl.so.5
If there are vulnerabilities in these programs there may be a security
risk to the system. FreeBSD makes no guarantee about the security of
ports included in the Ports Collection. Please type 'make deinstall'
to deinstall the port if this is a concern.
For more information, and contact details about the security
status of this software, see the following webpage:
http://curl.haxx.se/
===> Cleaning for c-ares-config-1.6.0
===> Cleaning for libidn-1.14
===> Cleaning for libssh2-1.1,2
===> Cleaning for ca_root_nss-3.11.9_2
===> Cleaning for curl-7.19.5_1
www#
php5-extensions Apache PHP /usr/local/etc/apache22/Include
www# cd /usr/local/etc/apache22/Includes
php5.conf vi
www# vi php5.conf
DirectoryIndex index.php
AddDefaultCharset tis-620
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
Include etc/apache22/extra/httpd-ssl.conf
save vi
php.ini
www# cd /usr/local/etc/
www# cp php.ini-recommended php.ini
WebServer FreeBSD 7.2 Page 25
26. WebServer FreeBSD 7.2
php.ini
default_charset = "tis-610" # ;
session.save_path = "/tmp/sesstmp" # ; /tmp/sesstmp /tmp chmod 777
/tmp/sesstmp
Generate Cert apache HTTPS
www# cd /usr/local/etc/apache22/
www# openssl genrsa -out server.key 1024
Generating RSA private key, 1024 bit long modulus
.++++++
.......++++++
e is 65537 (0x10001)
www# openssl req -new -days 365 -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:TH
State or Province Name (full name) [Some-State]:Bangkok
Locality Name (eg, city) []:Rajchavithi
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Faculty of Public Health, Mahidol University
Organizational Unit Name (eg, section) []:Computer Division
Common Name (eg, YOUR name) []:Computer
Email Address []:phwww@mahidol.ac.th
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:pppppppp
An optional company name []:PH
www# openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365
Signature ok
subject=/C=TH/ST=Bangkok/L=Rajchavithi/O=Faculty of Public Health, Mahidol University/OU=Computer
Division/CN=Computer/emailAddress=phwww@mahidol.ac.th
Getting Private key
www# chmod 400 server.*
www#
apache
www# vi /etc/rc.conf
apache22_enable="YES"
save vi reboot
www# reboot
php
www# cd /usr/local/www/apache22/data
www# echo "<?PHP phpinfo();?>" > info.php
WebServer FreeBSD 7.2 Page 26
28. WebServer FreeBSD 7.2
10). ZendOptimizer
www# cd /usr/ports/devel/ZendOptimizer
www# make config
===> No options to configure
www# make install clean
********************************************************************************
You have installed the ZendOptimizer package.
Edit /usr/local/etc/php.ini and add:
[Zend]
zend_optimizer.optimization_level=15
zend_extension_manager.optimizer="/usr/local/lib/php/20060613/Optimizer"
zend_extension_manager.optimizer_ts="/usr/local/lib/php/20060613/Optimizer_TS"
zend_extension="/usr/local/lib/php/20060613/ZendExtensionManager.so"
zend_extension_ts="/usr/local/lib/php/20060613/ZendExtensionManager_TS.so"
NOTE: PHP should be compiled in non-debug mode (default).
********************************************************************************
===> Registering installation for ZendOptimizer-3.3.0.a
===> Cleaning for compat6x-i386-6.4.604000.200810
===> Cleaning for ZendOptimizer-3.3.0.a
www#
/usr/local/etc/php.ini
restart apache
www# /usr/local/etc/rc.d/apache22 restart
Performing sanity check on apache22 configuration:
Syntax OK
Stopping apache22.
Waiting for PIDS: 704.
Performing sanity check on apache22 configuration:
Syntax OK
Starting apache22.
www#
WebServer FreeBSD 7.2 Page 28
29. WebServer FreeBSD 7.2
11.) webmin
www# cd /usr/ports/sysutils/webmin/
www# make config
===> No options to configure
www# make install clean
After installing Webmin for the first time you should perform the following
steps as root:
* Configure Webmin by running ${LOCALBASE}/lib/webmin/setup.sh
* Add webmin_enable="YES" to your /etc/rc.conf
* Start Webmin for the first time by running ${LOCALBASE}/etc/rc.d/webmin
The parameters requested by setup.sh may then be changed from within Webmin
itself.
===> Installing rc.d startup script(s)
===> Registering installation for webmin-1.480_1
===> Cleaning for p5-Net-SSLeay-1.35_1
===> Cleaning for p5-Authen-PAM-0.16_1
===> Cleaning for p5-MIME-Base64-3.08
===> Cleaning for webmin-1.480_1
www#
setup webmin
www# /usr/local/lib/webmin/setup.sh
***********************************************************************
* Welcome to the Webmin setup script, version 1.480 *
***********************************************************************
Webmin is a web-based interface that allows Unix-like operating
systems and common Unix services to be easily administered.
Installing Webmin in /usr/local/lib/webmin ...
***********************************************************************
Webmin uses separate directories for configuration files and log files.
Unless you want to run multiple versions of Webmin at the same time
you can just accept the defaults.
Log file directory [/var/log/webmin]:
***********************************************************************
Webmin is written entirely in Perl. Please enter the full path to the
Perl 5 interpreter on your system.
Full path to perl (default /usr/bin/perl):
Testing Perl ...
Perl seems to be installed ok
***********************************************************************
Operating system name: FreeBSD
Operating system version: 7.2
***********************************************************************
Webmin uses its own password protected web server to provide access
to the administration programs. The setup script needs to know :
- What port to run the web server on. There must not be another
web server already using this port.
- The login name required to access the web server.
- The password required to access the web server.
- If the webserver should use SSL (if your system supports it).
- Whether to start webmin at boot time.
Web server port (default 10000):
Login name (default admin): admin
Login password:
Password again:
Use SSL (y/n): y
***********************************************************************
Creating web server config files..
..done
Creating access control file..
..done
Creating start and stop scripts..
WebServer FreeBSD 7.2 Page 29
30. WebServer FreeBSD 7.2
..done
Copying config files..
..done
Changing ownership and permissions ..
..done
Running postinstall scripts ..
syslog-ng: not found
..done
www#
Start webmin
www# /usr/local/etc/rc.d/webmin start
Starting webmin.
Pre-loaded WebminCore
www#
port 10000 error ssl
https://www.mu-ph.org:10000 ( Click link )
WebServer FreeBSD 7.2 Page 30
33. WebServer FreeBSD 7.2
12.) phpmyadmin
www# cd /usr/ports/database/phpmyadmin/
www# make config
www# make install clean
php5-pcre
WebServer FreeBSD 7.2 Page 33
34. WebServer FreeBSD 7.2
php5-gd
php5-mbstring
****************************************************************************
The following line has been added to your /usr/local/etc/php/extensions.ini
configuration file to automatically load the installed extension:
extension=mysqli.so
****************************************************************************
===> Returning to build of phpMyAdmin-3.2.0.1
===> phpMyAdmin-3.2.0.1 depends on shared library: mysqlclient.15 - found
===> Generating temporary packing list
===> Checking if databases/phpmyadmin already installed
phpMyAdmin-3.2.0.1 has been installed into:
/usr/local/www/phpMyAdmin
Please edit config.inc.php to suit your needs.
To make phpMyAdmin available through your web site, I suggest
WebServer FreeBSD 7.2 Page 34
35. WebServer FreeBSD 7.2
that you add something like the following to httpd.conf:
Alias /phpmyadmin/ "/usr/local/www/phpMyAdmin/"
<Directory "/usr/local/www/phpMyAdmin/">
Options none
AllowOverride Limit
Order Deny,Allow
Deny from all
Allow from 127.0.0.1 .example.com
</Directory>
===> Registering installation for phpMyAdmin-3.2.0.1
===> Cleaning for php5-ctype-5.2.10
===> Cleaning for php5-mysql-5.2.10
===> Cleaning for php5-session-5.2.10
===> Cleaning for php5-spl-5.2.10
===> Cleaning for php5-filter-5.2.10
===> Cleaning for php5-bz2-5.2.10
===> Cleaning for php5-gd-5.2.10
===> Cleaning for php5-openssl-5.2.10
===> Cleaning for pecl-pdflib-2.1.6_1
===> Cleaning for php5-zlib-5.2.10
===> Cleaning for php5-mbstring-5.2.10
===> Cleaning for php5-zip-5.2.10
===> Cleaning for php5-mysqli-5.2.10
===> Cleaning for php5-pcre-5.2.10
===> Cleaning for php5-simplexml-5.2.10
===> Cleaning for freetype2-2.3.9_1
===> Cleaning for png-1.2.38
===> Cleaning for jpeg-7
===> Cleaning for t1lib-5.1.2_1,1
===> Cleaning for pdflib-7.0.4
===> Cleaning for phpMyAdmin-3.2.0.1
www#
vi /usr/local/etc/apache22/httpd.conf
Alias /admin/phpMyAdmin/ "/usr/local/www/phpMyAdmin/"
<Directory "/usr/local/www/phpMyAdmin/">
Options none
AllowOverride Limit
Order Deny,Allow
Allow from all
</Directory>
restart apache
wwv# /usr/local/etc/rc.d/apache22 restart
Performing sanity check on apache22 configuration:
Syntax OK
Stopping apache22.
Waiting for PIDS: 1595.
Performing sanity check on apache22 configuration:
Syntax OK
Starting apache22.
www#
/usr/local/www/phpMyadmin
www# cd /usr/local/www/phpMyAdmin/
www# cp config.sample.inc.php config.inc.php
www# vi config.inc.php
$cfg['blowfish_secret'] = 'mysecret'; /* YOU MUST FILL IN THIS FOR COOKIE AUTH!
*
//
/* Advanced phpMyAdmin features */
$cfg['Servers'][$i]['pmadb'] = 'phpmyadmin';
WebServer FreeBSD 7.2 Page 35
37. WebServer FreeBSD 7.2
13.) vsftp
www# cd /usr/ports/ftp/vsftp/
www# make config
===> SECURITY REPORT:
This port has installed the following files which may act as network
servers and may therefore pose a remote security risk to the system.
/usr/local/libexec/vsftpd
This port has installed the following startup scripts which may cause
these network services to be started at boot time.
/usr/local/etc/rc.d/vsftpd
If there are vulnerabilities in these programs there may be a security
risk to the system. FreeBSD makes no guarantee about the security of
ports included in the Ports Collection. Please type 'make deinstall'
to deinstall the port if this is a concern.
For more information, and contact details about the security
status of this software, see the following webpage:
http://vsftpd.beasts.org/
===> Cleaning for vsftpd-ssl-2.1.2
www#
vsftpd.conf
www# cd /usr/local/etc/
www# vi vsftp.conf
# Example config file /usr/local/etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
#anonymous_enable=YES
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
#local_enable=YES
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
WebServer FreeBSD 7.2 Page 37
38. WebServer FreeBSD 7.2
#write_enable=YES
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
#local_umask=022
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
chown_uploads=YES
chown_username=ftp
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
#xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
nopriv_user=ftp
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
WebServer FreeBSD 7.2 Page 38
39. WebServer FreeBSD 7.2
#ftpd_banner=Welcome to blah FTP service.
ftpd_banner=Welcome to MU-PH FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
deny_email_enable=NO
# (default follows)
#banned_email_file=/etc/vsftpd.banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=NO
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd whith two configuration files.
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES
secure_chroot_dir=/usr/local/share/vsftpd/empty
# If using vsftpd in standalone mode, uncomment the next two lines:
# listen=YES
# background=YES
www# vi /etc/inetd.conf
#ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l
ftp stream tcp nowait root /usr/local/libexec/vsftpd vsftpd /usr/local/etc/vsftpd.conf
www# killall inetd
No matching processes were found
www# /usr/sbin/inetd -wW
www# ftp localhost
Trying 127.0.0.1...
Connected to localhost.
220 Welcome to MU-PH FTP service.
Name (localhost:sermpan):
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||34230|).
150 Here comes the directory listing.
226 Directory send OK.
ftp> quit
221 Goodbye.
www#
inetd_enable=”YES” /etc/rc.conf
ftp upload/Download server
WebServer FreeBSD 7.2 Page 39
40. WebServer FreeBSD 7.2
14.) awstats
www# cd /usr/ports/www/awstats/
www# make config
www# make install clean
*****************************************************************
Please add the following to your apache config, and restart.
#
# Directives to allow use of AWStats as a CGI
#
Alias /awstatsclasses "/usr/local/www/awstats/classes/"
Alias /awstatscss "/usr/local/www/awstats/css/"
Alias /awstatsicons "/usr/local/www/awstats/icons/"
ScriptAlias /awstats/ "/usr/local/www/awstats/cgi-bin/"
#
# This is to permit URL access to scripts/files in AWStats directory.
#
<Directory "/usr/local/www/awstats/">
Options None
AllowOverride None
Order allow,deny
Allow from all
</Directory>
*****************************************************************
If you are upgrading from AWStats 6.4 or older, please note the following:
If you used the geoip plugin, you must edit your AWStats config file
to change the line
LoadPlugin="geoip GEOIP_STANDARD"
into
LoadPlugin="geoip GEOIP_STANDARD /pathto/GeoIP.dat"
*****************************************************************
===> Registering installation for awstats-6.9,1
===> Cleaning for p5-Net-XWhois-0.90_4
===> Cleaning for awstats-6.9,1
www#
WebServer FreeBSD 7.2 Page 40
41. WebServer FreeBSD 7.2
vi /usr/local/etc/apache22/httpd.conf
restart apache
www# /usr/local/etc/rc.d/apache22 restart
Performing sanity check on apache22 configuration:
Syntax OK
Stopping apache22.
Waiting for PIDS: 12473.
Performing sanity check on apache22 configuration:
Syntax OK
Starting apache22.
www#
awstats.conf
www# cd /usr/local/www/awstats/cgi-bin/
www# ll
total 648
-r-xr-xr-x 1 root wheel 5407 Jul 20 15:11 awredir.pl
-r--r--r-- 1 root wheel 60596 Jul 20 15:11 awstats.model.conf
-r-xr-xr-x 1 root wheel 558260 Jul 20 15:11 awstats.pl
drwxr-xr-x 5 root wheel 1536 Jul 20 15:11 lang
drwxr-xr-x 2 root wheel 512 Jul 20 15:11 lib
drwxr-xr-x 3 root wheel 512 Jul 20 15:11 plugins
www# cp awstats.model.conf awstats.conf
www# vi awstats.conf
#
LogType=W
#
SiteDomain="www.mu-ph.org"
#
HostAliases="www.mu-ph.org localhost 127.0.0.1 REGEX[myserver.com$]"
#
AllowToUpdateStatsFromBrowser=1
http://www.mu-ph.org/awstats/awstats.pl
click update error
Error: Couldn't open server log file "/var/log/httpd/mylog.log" : No such file or directory
Setup ('/usr/local/www/awstats/cgi-bin/awstats.conf' file, web server or permissions) may be wrong.
Check config file, permissions and AWStats documentation (in 'docs' directory).
www# mkdir /var/log/httpd
www# touch /var/log/httpd/mylog.log
www#
refresh
WebServer FreeBSD 7.2 Page 41
42. WebServer FreeBSD 7.2
15.) ntp
www# cd /usr/ports/net/ntp
www# make config
===> No options to configure
www# make install clean
===> SECURITY REPORT:
This port has installed the following files which may act as network
servers and may therefore pose a remote security risk to the system.
/usr/local/bin/ntpd
/usr/local/bin/ntpdate
/usr/local/bin/sntp
If there are vulnerabilities in these programs there may be a security
risk to the system. FreeBSD makes no guarantee about the security of
ports included in the Ports Collection. Please type 'make deinstall'
to deinstall the port if this is a concern.
For more information, and contact details about the security
status of this software, see the following webpage:
http://www.ntp.org/
===> Cleaning for ntp-4.2.4p7
www#
NTP crontab
www# crontab –e
0 5 * * * /usr/local/bin/ntpdate –u 203.185.69.60
update
www# date
Wed Aug 12 21:39:00 ICT 2009
www# /usr/local/bin/ntpdate -u 203.185.69.60
12 Aug 21:39:15 ntpdate[70368]: adjust time server 203.185.69.60 offset 0.393085 sec
www# date
Wed Aug 12 21:39:17 ICT 2009
www#
WebServer FreeBSD 7.2 Page 42
43. WebServer FreeBSD 7.2
16). clamav
www# cd /usr/ports/security/clamav
www# make config
===> SECURITY REPORT:
This port has installed the following files which may act as network
servers and may therefore pose a remote security risk to the system.
/usr/local/sbin/clamd
This port has installed the following startup scripts which may cause
these network services to be started at boot time.
/usr/local/etc/rc.d/clamav-milter
/usr/local/etc/rc.d/clamav-freshclam
/usr/local/etc/rc.d/clamav-clamd
If there are vulnerabilities in these programs there may be a security
risk to the system. FreeBSD makes no guarantee about the security of
ports included in the Ports Collection. Please type 'make deinstall'
to deinstall the port if this is a concern.
For more information, and contact details about the security
status of this software, see the following webpage:
http://www.clamav.net/
===> Cleaning for arc-5.21o_1
===> Cleaning for arj-3.10.22_1
===> Cleaning for lha-1.14i_6
===> Cleaning for unzoo-4.4_2
===> Cleaning for clamav-0.95.2
www#
/etc/rc.conf
clamav_clamd_enable="YES"
clamav_freshclam_enable="YES"
/usr/local/etc/clamav.conf
LogFile /var/log/clamav/clamd.log
PidFile /var/run/clamav/clamd.pid
TemporaryDirectory /tmp
DatabaseDirectory /var/db/clamav
LocalSocket /var/run/clamav/ clamd.sock
FixStaleSocket yes
User clamav
AllowSupplementaryGroups yes
ScanPE yes
ScanOLE2 yes
ScanPDF yes
ScanHTML yes
WebServer FreeBSD 7.2 Page 43
44. WebServer FreeBSD 7.2
ScanArchive yes
crontab –e Virus site clamav scan web
www# crontab –e
0 6 * * * /sbin/reboot
0 5 * * * /usr/local/bin/ntpdate -u 203.185.69.60
2 * * * * /usr/local/bin/freshclam –quiet
0 1 * * * /usr/local/bin/clamscan -r -i /usr/local/www
10 11 * * * /etc/webmin/cron/tempdelete.pl
Clamav update
www# /usr/local/etc/rc.d/clamav-freshclam start
Starting clamav_freshclam.
www# /usr/local/etc/rc.d/clamav-clamd start
Starting clamav_clamd.
LibClamAV Warning: **************************************************
LibClamAV Warning: *** The virus database is older than 7 days! ***
LibClamAV Warning: *** Please update it as soon as possible. ***
LibClamAV Warning: **************************************************
www#
clamav update
www# /usr/local/bin/freshclam
ClamAV update process started at Wed Aug 12 21:46:54 2009
main.cvd is up to date (version: 51, sigs: 545035, f-level: 42, builder: sven)
WARNING: getfile: daily-9451.cdiff not found on remote server (IP: 193.1.193.64)
WARNING: getpatch: Can't download daily-9451.cdiff from database.clamav.net
Trying host database.clamav.net (130.59.10.36)...
WARNING: getfile: daily-9451.cdiff not found on remote server (IP: 130.59.10.36)
WARNING: getpatch: Can't download daily-9451.cdiff from database.clamav.net
WARNING: getpatch: Can't download daily-9451.cdiff from database.clamav.net
WARNING: Incremental update failed, trying to download daily.cvd
Downloading daily.cvd [100%]
daily.cvd updated (version: 9684, sigs: 64237, f-level: 43, builder: ccordes)
Database updated (609272 signatures) from database.clamav.net (IP: 130.59.10.36)
Clamd successfully notified about the update.
www# /usr/local/bin/freshclam
ClamAV update process started at Wed Aug 12 21:48:03 2009
main.cvd is up to date (version: 51, sigs: 545035, f-level: 42, builder: sven)
daily.cvd is up to date (version: 9684, sigs: 64237, f-level: 43, builder: ccordes)
www#
scan directory scan sub-directory virus
www# /usr/local/bin/clamscan -r -i /usr/local/www
----------- SCAN SUMMARY -----------
Known viruses: 608632
Engine version: 0.95.2
Scanned directories: 67
Scanned files: 1563
Infected files: 0
Data scanned: 29.52 MB
Data read: 12.02 MB (ratio 2.46:1)
Time: 7.825 sec (0 m 7 s)
www#
WebServer FreeBSD 7.2 Page 44
45. WebServer FreeBSD 7.2
17). hostsentry
www# cd /usr/ports/security/hostsentry
www# make config
===> No options to configure
www# make install clean
Edit /usr/local/etc/hostssentry/hostssentry.conf and change
your settings if you haven't already.
===> Registering installation for hostsentry-0.02_2
===> Cleaning for py25-gdbm-2.5.4
===> Cleaning for hostsentry-0.02_2
www#
www# cd /usr/local/etc/hostsentry/
www# ll
total 10
-rw------- 1 root wheel 49 Aug 11 21:31 hostsentry.action-dist
-rw------- 1 root wheel 2767 Aug 11 21:31 hostsentry.conf-dist
-rw------- 1 root wheel 67 Aug 11 21:31 hostsentry.ignore-dist
-rw------- 1 root wheel 135 Aug 11 21:31 hostsentry.modules-dist
www# cp hostsentry.action-dist hostsentry.action
www# cp hostsentry.conf-dist hostsentry.conf
www# cp hostsentry.ignore-dist hostsentry.ignore
www# cp hostsentry.modules-dist hostsentry.modules
www# ll
total 20
-rw------- 1 root wheel 49 Aug 11 21:33 hostsentry.action
-rw------- 1 root wheel 49 Aug 11 21:31 hostsentry.action-dist
-rw------- 1 root wheel 2767 Aug 11 21:33 hostsentry.conf
-rw------- 1 root wheel 2767 Aug 11 21:31 hostsentry.conf-dist
-rw------- 1 root wheel 67 Aug 11 21:34 hostsentry.ignore
-rw------- 1 root wheel 67 Aug 11 21:31 hostsentry.ignore-dist
-rw------- 1 root wheel 135 Aug 11 21:34 hostsentry.modules
-rw------- 1 root wheel 135 Aug 11 21:31 hostsentry.modules-dist
www#
WebServer FreeBSD 7.2 Page 45
46. WebServer FreeBSD 7.2
18). portsentry
www# cd /usr/ports/security/portsentry
www# make config
===> No options to configure
www# make install clean
Edit ${PREFIX}/etc/portsentry.conf and change
your settings if you haven't already. (route, etc)
***************************************************
* IGNORE stealth mode. It is for Linux only. *
* The author hopes to have a platform independent *
* version at some time. So don't even bother *
* trying it now. *
***************************************************
===> Registering installation for portsentry-1.2
===> SECURITY REPORT:
This port has installed the following files which may act as network
servers and may therefore pose a remote security risk to the system.
/usr/local/bin/portsentry
This port has installed the following startup scripts which may cause
these network services to be started at boot time.
/usr/local/etc/rc.d/portsentry.sh
If there are vulnerabilities in these programs there may be a security
risk to the system. FreeBSD makes no guarantee about the security of
ports included in the Ports Collection. Please type 'make deinstall'
to deinstall the port if this is a concern.
===> Cleaning for portsentry-1.2
www#
www# cd /usr/local/etc/
www# cp portsentry.conf.default portsentry.conf
www# cp portsentry.ignore.default portsentry.ignore
www# touch portsentry.blocked
www# touch portsentry.history
WebServer FreeBSD 7.2 Page 46
47. WebServer FreeBSD 7.2
19). lynx
www# cd /usr/ports/ www/lynx-current
www# make config
===> No options to configure
www# make install clean
===> SECURITY REPORT:
This port has installed the following files which may act as network
servers and may therefore pose a remote security risk to the system.
/usr/local/bin/lynx
If there are vulnerabilities in these programs there may be a security
risk to the system. FreeBSD makes no guarantee about the security of
ports included in the Ports Collection. Please type 'make deinstall'
to deinstall the port if this is a concern.
For more information, and contact details about the security
status of this software, see the following webpage:
http://lynx.isc.org/current/
===> Cleaning for mime-support-3.46.1
===> Cleaning for lynx-2.8.7d13
www#
www# /usr/local/bin/lynx www.mu-ph.org
WebServer FreeBSD 7.2 Page 47
48. WebServer FreeBSD 7.2
20). phpbb3
www# cd /usr/ports/www/phpbb3
www# make config
===> No options to configure
www# make install clean
----------------------------------------------------------------------------
phpBB3 has been installed, but is not quite ready to be used yet!
You have to ensure that you have a database server (or ODBC access to a
remote database) installed and configured, and you have to ensure that your
PHP installation has been compiled with support for your database or
database access method. You have to create a database for phpBB3 to use,
and ensure that this database may be accessed and changed by the user id
under which your web server executes. Further information on these
installation procedures may be found in:
/usr/local/share/doc/phpbb/README.html
Once these steps have been taken, you may connect to the following URL to
configure your installation of phpBB3:
http://localhost/phpBB3/
After configuring phpBB3 and ensuring that it is operational, you MUST
remove or rename the install/ directory from /usr/local/www/phpBB3:
----------------------------------------------------------------------------
===> Registering installation for phpbb-3.0.5
===> Cleaning for phpbb-3.0.5
www#
www# cd /usr/local/www/
www# ll
total 10
drwxr-xr-x 6 root wheel 512 Aug 12 19:37 apache22
drwxr-xr-x 8 root wheel 512 Aug 12 21:29 awstats
drwxr-xr-x 13 www www 1024 Aug 12 22:02 phpBB3
drwxr-xr-x 10 root wheel 2560 Aug 12 21:05 phpMyAdmin
www# mv phpBB3/ forum/
www# ll
total 10
drwxr-xr-x 6 root wheel 512 Aug 12 19:37 apache22
drwxr-xr-x 8 root wheel 512 Aug 12 21:29 awstats
drwxr-xr-x 13 www www 1024 Aug 12 22:02 forum
drwxr-xr-x 10 root wheel 2560 Aug 12 21:05 phpMyAdmin
www#
httpd.conf
www# vi /usr/local/etc/apache22/httpd.conf
Alias /mambers/forum/ "/usr/local/www/forum/"
<Directory "/usr/local/www/forum/">
Options none
AllowOverride Limit
Order Deny,Allow
Allow from all
</Directory>
run apache
www# /usr/local/etc/rc.d/apache22 restart
Performing sanity check on apache22 configuration:
Syntax OK
Stopping apache22.
Waiting for PIDS: 2119.
Performing sanity check on apache22 configuration:
Syntax OK
Starting apache22.
www#
WebServer FreeBSD 7.2 Page 48
50. WebServer FreeBSD 7.2
21). denyhosts
www# cd /usr/ports/security/denyhosts
www# make config
===> No options to configure
www# make install clean
-------------------------------------------------------------------------------
To run denyhosts from startup, add denyhosts_enable="YES"
in your /etc/rc.conf.
Configiration options can be found in /usr/local/etc/denyhosts.conf
-------------------------------------------------------------------------------
In order to proper working of denyhosts
1. edit your /etc/hosts.allow file and add:
sshd : /etc/hosts.deniedssh : deny
sshd : ALL : allow
2. issue the following command if /etc/hosts.deniedssh does not exist yet
touch /etc/hosts.deniedssh
-------------------------------------------------------------------------------
Warning:
syslogd should ideally be run with the -c option; this will ensure that
denyhosts notices multiple repeated login attempts.
To do this, add syslogd_flags="-c" to /etc/rc.conf
-------------------------------------------------------------------------------
===> Installing rc.d startup script(s)
===> Registering installation for denyhosts-2.6_2
===> Cleaning for denyhosts-2.6_2
www#
/usr/local/etc/denyhosts.conf
SECURE_LOG = /var/log/auth.log
HOSTS_DENY = /etc/hosts.allow
PURGE_DENY = 7d
BLOCK_SERVICE = sshd
HOSTNAME_LOOKUP=YES
ADMIN_EMAIL = sermpan@mu-ph.org
denyhosts crontab –e
0,20,40 * * * * /usr/local/bin/python /usr/local/bin/denyhosts.py -c /usr/local/etc/denyhosts.conf
WebServer FreeBSD 7.2 Page 50
51. WebServer FreeBSD 7.2
22). Backup ( )
www# cd /backups/
www# mkdir /backups/last-full
www# date +%d%b > /backups/last-full/www-full-date
www# mkdir /usr/local/util
www# vi backups.sh
#!/bin/sh
#backup database
cd /usr/local/util
mysqldump phpBB3 > phpBB3.sql --password=ppppppp
#backup passwd & group
cp /etc/passwd* .
cp /etc/group* .
cp /etc/master* .
#backup conf
cp /etc/rc.conf .
cp /usr/local/etc/apache22/httpd.conf .
cp /usr/local/etc/apache22/Includes/php5.conf .
cp /usr/local/etc/php.ini .
cp /etc/resolv.conf .
# Full and incremental backup script
# Updated 04 July 2002
# Based on a script by Daniel O'Callaghan <danny@freebsd.org>
# and modified by Gerhard Mourani <gmourani@openna.com>
# Change the 5 variables below to fit your computer/backup
COMPUTER=www # Name of this computer
DIRECTORIES="/usr/local" # Directory to backup
BACKUPDIR=/backups # Where to store the backups
TIMEDIR=/backups/last-full # Where to store time of full backup
TAR=/usr/bin/tar # Name and location of tar
# You should not have to change anything below here
PATH=/usr/local/bin:/usr/bin:/bin
DOW=`date +%a` # Day of the week e.g. Mon
DOM=`date +%d` # Date of the Month e.g. 27
DM=`date +%d%b` # Date and Month e.g. 27 Sep
# On the 1st of the month a permanet full backup is made
# Every Sunday a full backup is made - overwriting last Sundays backup
# The rest of the time an incremental backup is made. Each incremental
# backup overwrites last weeks incremental backup of the same name.
#
# if NEWER = "", then tar backs up all files in the directories
# otherwise it backs up files newer than the NEWER date. NEWER
# gets it date from the file written every Sunday.
# Monthly full backup
if [ $DOM = "01" ]; then
NEWER=""
$TAR $NEWER -cf $BACKUPDIR/$COMPUTER-$DM.tar $DIRECTORIES
fi
# Weekly full backup
if [ $DOW = "Sun" ]; then
NEWER=""
NOW=`date +%d-%b`
# Update full backup date
echo $NOW > $TIMEDIR/$COMPUTER-full-date
$TAR $NEWER -cf $BACKUPDIR/$COMPUTER-$DOW.tar $DIRECTORIES
# Make incremental backup - overwrite last weeks
else
# Get date of last full backup
NEWER="--newer `cat $TIMEDIR/$COMPUTER-full-date`"
$TAR $NEWER -cf $BACKUPDIR/$COMPUTER-$DOW.tar $DIRECTORIES
fi
#remove passwd & group
cd /usr/home/util
rm -f passwd*
rm -f group*
rm -f master*
crontab –e
0 4 * * * /backups/backups.sh
WebServer FreeBSD 7.2 Page 51