Ernest G. Wilson II's FreeBSD Pages

Ernest G. Wilson II's FreeBSD 8.0 "*UNIX*" Installation Pages
"Many people want to learn UNIX. Here is a complete guide using
some of the most popular software packages in the world!"
The instructions on these pages contain nearly everything you need to: Setup a full blown FreeBSD server that includes Apache (the UNIX web server platform), MySQL (the open source SQL database and web based management), Perl with many useful modules, FreeTDS (allows Perl / UNIX to talk to Microsoft and Sybase SQL Servers), Net-SNMP (SNMP trap receiver logging service and SNMP tool set), PHP (scripting language preferred by many web based applications), phpMyAdmin (web based MySQL administration), Samba (allows UNIX machines to talk with "Windows" based machines), SFTP, SSH and many more popular UNIX tools! These instructions are the result of years of tinkering, enjoy!
FreeBSD is at the heart of many popular things you already know! pfSense - FreeBSD-based firewall tailored for use as a firewall and router FreeNAS - FreeBSD-based Network-Attached Storage server: CIFS (samba), FTP, NFS, RSYNC, iSCSI and more! Apple's MAC OS X, Juniper Network's Routers, Nokia's Firewalls, F5's 4x Series Load Balancers and more!
I feel it appropriate to acknowledge: Steve Comoletti - A "Hard Core FreeBSD UNIX Guy" that showed me the way! I did not write FreeBSD, but I applaud those who do!
Notes: You will want an SSH / X11 client to perform steps in Section II and beyond from your Windows PC, I like free Xming / Putty! If you need to copy files to a functional FreeBSD server that does not have networking, here are some basic CD commands: # Mount the CDRom to make it usable by the operating system mount_cd9660 /dev/acd0c /cdrom # Take a look at the files on your CD cd /cdrom ls # Copy files of your choice, here are some basic examples: cp /cdrom/.tar.gz /usr/src/ cp /cdrom/MyFile.tar.gz /tmp/MyFile.tar.gz # Unmount the CDRom (optional)* umount /cdrom Users operating from behind a company firewall can use a proxy # Set the environment variable: http_proxy=http://MyCorporateProxyServer:8080 # Export the variable into your shell to make it usable from the "Bash" shell: export http_proxy # Download files via the Internet from command line using "fetch": fetch http://www.SomeServer.com/SomeFile.tar.gz # Other Shells: Other than my favorite (Bash) make need to set the environment variable in another manner: setenv http://MyCorporateProxyServer:8080 # Note: You could set it more permanently by editing a file: vi /etc/make.conf: HTTP_PROXY= http://proxy.example.net:8080/ FTP_PROXY= http://proxy.example.net:8080/ # The space after the equal sign is required

Note: These instructions are designed to be followed in order!
Each new instruction set and section builds on previous carefully planned out steps.

I. The Basics (Get a basic system online laying the foundation for applications)

A. Getting FreeBSD

Start by downloading the installation software of your choice:
High Speed (broadband) Internet connection and CD Recorder (and blank CDRom media) required:
a.) Recommended: Network Install (for the brave and the lazy people like me, this may be the only ISO you will ever need if you have high speed Internet!):
     FreeBSD 8.0 Boot Only - ftp://ftp.freebsd.org/pub/FreeBSD/releases/i386/ISO-IMAGES/8.0/8.0-RELEASE-i386-bootonly.iso

or

b.) Standard / Stand Alone Media (useful if you don't have Internet or you are stuck behind a firewall):
      FreeBSD 8.0 CD Disk Image 1 - ftp://ftp.freebsd.org/pub/FreeBSD/releases/i386/ISO-IMAGES/8.0/8.0-RELEASE-i386-disc1.iso
      FreeBSD 8.0 CD Disk Image 2 - ftp://ftp.freebsd.org/pub/FreeBSD/releases/i386/ISO-IMAGES/8.0/8.0-RELEASE-i386-disc2.iso
      FreeBSD 8.0 CD Disk Image 3 - ftp://ftp.freebsd.org/pub/FreeBSD/releases/i386/ISO-IMAGES/8.0/8.0-RELEASE-i386-disc3.iso

or

c.) FreeBSD 8.0 Live Disk - ftp://ftp.freebsd.org/pub/FreeBSD/releases/i386/ISO-IMAGES/8.0/8.0-RELEASE-i386-livefs.iso

Optional:
FreeBSD 8.0 Docs - ftp://ftp.freebsd.org/pub/FreeBSD/releases/i386/ISO-IMAGES/8.0/8.0-RELEASE-i386-docs.iso

Save these ISO files some place you will remember later!

Using your favorite CD burning software, write (burn) each of these files to a blank CD.
WARNING: Make sure that you don't just copy these files to a CD!
                 There files are special "ISO" disk images, meaning you need to "write the image" back to CD, not just copy it to a CD.

For example:
Using a free software package like CD Burner XP Pro
    -    From the "File" menu, choose "Write ISO to CD"
    -    Select each ISO (one at a time per blank CD) that you downloaded earlier and click "Write Disc"
You can of course use your favorite CD writing software.
(This was just a quick example using free CD Recording software)

For anyone having trouble downloading the ISO files or burning them to CD:
Head over to the FreeBSD Mall and purchase an official copy!
http://www.freebsdmall.com

B. Installing FreeBSD

Section 1 - Physical connection to local keyboard and monitor required
                    (Plug in the CPU, monitor, keyboard and network cable and we can get started)

# Perform a "Minimal" network install vi the FreeBSD "Boot Only" disk
# Also add "src" (source files needed later)
# FreeBSD 7 Boot Only - ftp://ftp.freebsd.org/pub/FreeBSD/releases/i386/ISO-IMAGES/8.0/8.0-RELEASE-i386-bootonly.iso
# Set the Timezone and root password during the final steps just before rebooting

# Run Portsnap
/usr/sbin/portsnap fetch
/usr/sbin/portsnap extract
/usr/sbin/portsnap update
# Get updated ports by running this combination command periodically (updates the source code in the /usr/ports directory, not any actually installed ports themselves)
/usr/sbin/portsnap fetch && /usr/sbin/portsnap update

# Install Bash Shell
cd /usr/ports/shells/bash
make install clean distclean
# Edit the password file with "vipw" (which uses "vi" commands to edit) and set root's shell to use bash (vipw is a special "vi" for the password file "pw"):
vipw
# Manually change / edit the "shell" for root from: /usr/bin/sh to: /usr/local/bin/bash

# Install SSH Server - Secure Shell Protocol Suite (secure remote administration)
cd /usr/ports/security/openssl
make install clean distclean
# Compile & Install - Making sure to "overwrite" the base on the command line and GUI
cd /usr/ports/security/openssh-portable
make install -DOPENSSH_OVERWRITE_BASE clean distclean
# Also make sure you select overwrite base in the GUI
# Edit /etc/rc.conf so OpenSSH will start at boot time
vi /etc/rc.conf
sshd_enable="YES"
# Backup the example original sshd_config
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup
# Edit sshd_config (You can do more if you like, this is just a nice start)
vi /etc/ssh/sshd_config
Port 22 Protocol 2 SyslogFacility AUTH LogLevel INFO LoginGraceTime 2m PermitRootLogin yes MaxAuthTries 6 PasswordAuthentication yes PermitEmptyPasswords no AllowTcpForwarding yes GatewayPorts yes X11Forwarding yes PrintMotd yes PrintLastLog yes TCPKeepAlive yes PermitTunnel yes Subsystem sftp /usr/libexec/sftp-server

# Edit /etc/rc.conf - Here is an nice starting configuration that you can edit for your needs!
vi /etc/rc.conf
# This file now contains just the overrides from /etc/defaults/rc.conf # /etc/rc.conf ############## # Networking ####################################### hostname="FreeBSD.VMware.Appliance" ifconfig_lnc0="inet 172.28.0.12 netmask 255.255.255.0" defaultrouter="172.28.0.1" # ifconfig_em0="inet 172.28.1.12 netmask 255.255.255.0 media 100baseTX mediaopt full-duplex" # static_routes="voipnetwork" # route_voipnetwork="-net 172.28.0.0/16 172.28.125.1" # background_dhclient="YES" gateway_enable="YES" arpproxy_all="YES" # IPFW Settings ####################################### # ipfw_enable="YES" # firewall_enable="YES" # firewall_script="/etc/rc.firewall" # firewall_type="/etc/ipfw.rules" # firewall_quiet="NO" # firewall_logging_enable="YES" # tcp_restrict_rst="YES" # icmp_drop_redirect="YES" # NTP ####################################### ntpdate_flags="pool.ntp.org" ntpdate_enable="YES" # Security ####################################### clear_tmp_enable="YES" denyhosts_enable="YES" icmp_drop_redirect="YES" icmp_log_redirect="YES" log_in_vain="YES" # accounting_enable="YES" # kern_securelevel_enable="YES" # kern_securelevel="3" # Services ####################################### inetd_enable="YES" sshd_enable="YES" mysql_enable="YES" samba_enable="YES" linux_enable="YES" webmin_enable="YES" vmware_guestd_enable="YES" usermin_enable="YES" sendmail_enable="NO" cupsd_enable="NO" usbd_enable="NO" lpd_enable="NO" nfs_server_enable="NO" nfs_client_enable="NO" portmap_enable="NO" apache22_enable="YES" # proftpd_enable="YES" # teamspeak_enable="YES" # syslogd_program="/usr/local/sbin/syslog-ng" syslogd_flags="" snmpd_enable="NO" snmpd_flags="-a" snmpd_conffile="/etc/snmpd.config" snmptrapd_enable="YES" snmptrapd_flags="-m ALL -Ls 7 -a -p /var/run/snmptrapd.pid" # Environment ####################################### blanktime="900" update_motd="NO" compat4x_enable="YES" compat5x_enable="YES" compat6x_enable="YES" compat7x_enable="YES" # saver="logo" # moused_enable="YES" # moused_type="auto" # moused_enable="YES" # FSCK Enhancements ####################################### fsck_y_enable="YES" background_fsck="NO" # DHCP Server ####################################### dhcpd_enable="NO" dhcpd_flags="-q" dhcpd_conf="/usr/local/etc/dhcpd.conf" dhcpd_ifaces="lnc0" dhcpd_withumask="022" dhcpd_chuser_enable="YES" dhcpd_withuser="dhcpd" dhcpd_withgroup="dhcpd" dhcpd_chroot_enable="YES" dhcpd_devfs_enable="YES" dhcpd_rootdir="/var/db/dhcpd" dhcpd_flags="-early_chroot" dhcpd_jail_enable="YES" # devd ####################################### # devd_enable="YES" # devfs_system_ruleset="devfsrules_common" # tmpmfs="YES" # tmpsize="800m" # tmpmfs_flags="-S"

# Reboot and start working remotely via SSH
shutdown -r now

Section 2 - Network connection to the server is required
                    (Unless this build is a workstation you can leave the server room and perform these steps remotely from your office)

To work remotely use your favorite SSH client - Need a free SSH and X Windows client?
        Example: ssh YourServerIP -l YourUsername (enter your password to log in)
        Then type: su (and enter the root password to become root)

Setting up a comfortable user friendly shell environment
# Log in as root to make these changes
# Setting up an "/opt" directory
# ATTENTION: I install major applications into /opt (Just like Windows has "C:\Program Files" I use "/opt" in FreeBSD)
# Note: No need to do a separate dedicated partition for /opt since we can "symlink" it to /usr/opt
# You should only need to do this once and only if you don't already have a /opt directory
ln -sv /usr/local/opt /opt
cd /usr/local
mkdir opt
chmod -R 755 /opt
chmod -R 755 /usr/local/opt
# Test it out, these commands should now take you to the same place since /opt is symbolically linked to /usr/opt now
cd /opt
cd /usr/local/opt
# Setting up a "/opt/scripts" directory as a central locations for shared scripts
cd /opt
mkdir scripts
chmod a+r /opt/scripts
chmod a+x /opt/scripts
cd /opt/scripts
pwd
# An "auto export DISPLAY" script to make remote X11 apps via SSH easy!
# Change to the scripts directory
cd /opt/scripts
# Edit / create a new script
vi setdisplay.sh
#!/bin/sh # # Simple export DISPLAY script designed to be run by your .profile # # Add these two lines to the bottom of your .profile # DISPLAY=`/PathToThisScript/setdisplay.sh` # export DISPLAY # # You can test / see the output by running the script normally # Don't forget to make this script executable by chmod +x setdisplay.sh # # Created by: Ernest G. Wilson II # ErnestGWilsonII@gmail.com # Old Way # CURRENTSESSION=$(who -m | sed s/$//g | sed s/\\\.$// | sed s/\)//g | awk '{print $6":0.0"}') # DISPLAY=$CURRENTSESSION # echo $DISPLAY # New Way # CURRENTLY=$(whoami) # CURRENTSESSION=$(sockstat -c | grep $CURRENTLY | grep sshd | awk '{print $7}' | sed s/:/" "/g | awk '{print $1":0.0"}') # DISPLAY=$CURRENTSESSION # echo $DISPLAY # New New Way echo $SSH_CLIENT | awk '{print $1":0.0"}' exit 0
# Set the script executable
chmod a+x /opt/scripts/setdisplay.sh
# Check the output
/opt/scripts/setdisplay.sh
# You should see something like IPAddress:0.0 or Hostname:0.0
# This script is designed to work inside the .profile in the next section
# The sole purpose is to automate the environment variable of:
# export DISPLAY=ipaddress:0.0
# Setting up your ".profile" to customize your bash shell environment
# Change to root's home directory
cd /root
# Edit your .profile (you can replace the generic default with this new stuff)
vi .profile
# Set your path PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/X11R6/bin:/opt/scripts:~/bin:./ # Set some basic UNIX options BLOCKSIZE=K; export BLOCKSIZE EDITOR=vi; export EDITOR PAGER=more; export PAGER TERM=${TERM:-cons25} export TERM PAGER=more export PAGER # Set FreeTDS and Sybase (MS SQL) Variables SYBASE=/usr/local/ export SYBASE # Set SNMP MIB Environment MIBDIRS=/usr/local/share/snmp/mibs export MIBDIRS # Set a proxy server if your network uses one uncomment the next two lines # http_proxy=http://ProxyServer.mydomain.com:8080 # export http_proxy # Set some quick keystroke aliases alias ll='ls -alF' alias l='ls -alF' alias x='xterm -T "FreeBSD Xterm - Host: $HOSTNAME - User: $USER" +ai -bg black -bcf 500 -bcn 500 +cm -cr yellow +dc -fg yellow -geometry 132x50 +sb +bc &' # Set your display to "auto export" using a handy script! DISPLAY=`/opt/scripts/setdisplay.sh` export DISPLAY
# Note: Each user account should fix up their unique .profile in their home directory
# vi /usr/share/skel/dot.profile
# Setting up "/etc/motd" for a custom "message of the day"
vi /etc/motd
############################################################################## # FreeBSD 8.0 - Network Management Station # # - Apache - The UNIX web server platform # # - MySQL - An open source SQL database and web based management # # - FreeTDS - UNIX (via Perl) to talk to Microsoft and Sybase SQL Servers # # - Net-SNMP - SNMP Trap Receiver logging service + SNMP tool set # # - PHP / PERL / Python - Scripting languages and modules # # - phpMyAdmin - Web based MySQL Administration # # - RRDtool - Logging and Graphing # # - Cacti - Network graphing solution using the power of RRDtool # # - TFTPD - TFTP Server # # - DHCPD - DHCP Server # # - ntop - Network application monitoring and NetFlow tool # # - Nessus - Network Vulnerability Scanner # # - Snort with ACID / BASE: - Intrusion Detection System # # - Syslog-NG - Syslog logging service with database support # # - Samba - Allows UNIX machines to talk with "Windows" based machines # # - Joomla! - Content Management System # ##############################################################################
# Make sure everyone can motd
chmod a+r /etc/motd
touch /etc/COPYRIGHT
# Setting up "/etc/ssh/banner" for a custom "message of the day"
# Add a line to the bottom of your sshd_config
vi /etc/ssh/sshd_config
Banner /etc/ssh/banner
# Edit / create the banner
vi /etc/ssh/banner
\\|// (o o) -----oOO---(_)------------ *************************************************************** * WARNING: This is a controlled access system. * * * * Unauthorized access attempts will be investigated and * * prosecuted to the full extent of the law. * * * * You have no expectation of privacy, individuals using * * this computer system are subject to having all their * * activities monitored and recorded. * * * * Final Warning: May God have mercy on your soul! * * (Because we won't!) * * * * If you are not an authorized user, please disconnect now! * *************************************************************** ------------------oOO----- |__| |__| | | | |
# Make sure everyone can read the banner
chmod a+r /etc/ssh/banner
# You will need to restart sshd or simply reboot for these changes to take effect

# Reduce boot menu from 10 seconds to 3 seconds
vi /boot/defaults/loader.conf
autoboot_delay="3"

# Install Xterm - So you can "pop" (open) multiple windows after you SSH
cd /usr/ports/x11/xterm
make install clean distclean

# Enable Linux in FreeBSD - Enable compatibility with Linux based programs
more /usr/ports/UPDATING

cd /usr/ports/emulators/linux_base-f10
make install clean distclean

# Add Linux startup variables to your system startup
vi /etc/rc.conf
    linux_enable="YES"
# Add procfs to your fstab - simply copy and paste this line to the very bottom of the file (fstab is your File System Table)
# Note: Some Linux emulated software needs linprocfs part to work!
vi /etc/fstab
   linproc /compat/linux/proc linprocfs rw 0 0

#Install FreeBSD Compatibility - Enable compatibility with previous versions of FreeBSD
# FreeBSD 4x Binary Compatibility
cd /usr/ports/misc/compat4x
make install clean distclean

# FreeBSD 5x Binary Compatibility
cd /usr/ports/misc/compat5x
make install clean distclean

# FreeBSD 6x Binary Compatibility
cd /usr/ports/misc/compat6x
make install clean distclean
# FreeBSD 7x Binary Compatibility
cd /usr/ports/misc/compat7x
make install clean distclean

Section 3 - Tune the operating system and environment

FreeBSD under VMware (Optional - Only needed if you are running FreeBSD inside VMware)
# Add "sources"
sysinstall
# Configure --> Distributions --> src --> ALL --> <OK> <OK> <FTP> <OK> <OK> <YES>

# vmware-toolbox - http://open-vm-tools.sourceforge.net
cd /usr/ports/emulators/open-vm-tools
make install clean distclean
# vmshrink - http://chitchat.at.infoseek.co.jp/vmware/vmtools.html
cd /usr/ports/emulators/vmw
make install clean distclean
# X.Org xf86-video-vmware driver
cd /usr/ports/x11-drivers/xf86-video-vmware/
make install clean distclean

vi /etc/rc.conf
vmware_guestd_enable="YES"

shutdown -r now

vmware-toolbox &
vmshrink

Compile FreeBSD Kernel (Optional - Re-compile a custom kernel tuned for your hardware + adds Kernel firewall options!)

vi /etc/make.conf
PERL_VERSION=5.8.9 COPTFLAGS= -O2 -pipe -funroll-loops -ffast-math BOOTWAIT=0

cd /usr/src/sys/i386/conf
# If you don't have that directory with code, go get it using sysinstall tool:
# sysinstall --> configure --> Distributions --> src --> sys

# Make a copy of the GENERIC kernel file and edit the copy (Typically copy it to your computer's name)
cd /usr/src/sys/i386/conf
cp GENERIC VMwareFreeBSD8

# Learn about the hardware found on the machine you are about to compile (see what was detected etc.)
dmesg | more

# Edit your new configuration file (adds, removes, comment stuff out etc.)
# Comment (#) out all unwanted options (refer to kernel config as your guide) example (then save and exit):
# Here are some options you will need (and want) built-in to your kernel - Add these:
vi /usr/src/sys/i386/conf/VMwareFreeBSD

# Typical FreeBSD 8.0 Kernel configuration file running inside VMware
cpu I486_CPU cpu I586_CPU cpu I686_CPU ident GENERIC makeoptions DEBUG=-g # Build kernel with gdb(1) debug symbols options SCHED_ULE # ULE scheduler options PREEMPTION # Enable kernel thread preemption options INET # InterNETworking options INET6 # IPv6 communications protocols options SCTP # Stream Control Transmission Protocol options FFS # Berkeley Fast Filesystem options SOFTUPDATES # Enable FFS soft updates support options UFS_ACL # Support for access control lists options UFS_DIRHASH # Improve performance on big directories options UFS_GJOURNAL # Enable gjournal-based UFS journaling options MD_ROOT # MD is a potential root device options NFSCLIENT # Network Filesystem Client options NFSSERVER # Network Filesystem Server options NFSLOCKD # Network Lock Manager options NFS_ROOT # NFS usable as /, requires NFSCLIENT options MSDOSFS # MSDOS Filesystem options CD9660 # ISO 9660 Filesystem options PROCFS # Process filesystem (requires PSEUDOFS) options PSEUDOFS # Pseudo-filesystem framework options GEOM_PART_GPT # GUID Partition Tables. options GEOM_LABEL # Provides labelization options COMPAT_43TTY # BSD 4.3 TTY compat (sgtty) options COMPAT_FREEBSD4 # Compatible with FreeBSD4 options COMPAT_FREEBSD5 # Compatible with FreeBSD5 options COMPAT_FREEBSD6 # Compatible with FreeBSD6 options COMPAT_FREEBSD7 # Compatible with FreeBSD7 options SCSI_DELAY=5000 # Delay (in ms) before probing SCSI options KTRACE # ktrace(1) support options STACK # stack(9) support options SYSVSHM # SYSV-style shared memory options SYSVMSG # SYSV-style message queues options SYSVSEM # SYSV-style semaphores options P1003_1B_SEMAPHORES # POSIX-style semaphores options _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions options PRINTF_BUFR_SIZE=128 # Prevent printf output being interspersed. options KBD_INSTALL_CDEV # install a CDEV entry in /dev options HWPMC_HOOKS # Necessary kernel hooks for hwpmc(4) options AUDIT # Security event auditing options MAC # TrustedBSD MAC Framework options FLOWTABLE # per-cpu routing cache #options KDTRACE_HOOKS # Kernel DTrace hooks # To make an SMP kernel, the next two lines are needed options SMP # Symmetric MultiProcessor Kernel device apic # I/O APIC # CPU frequency control device cpufreq # Bus support. device acpi device eisa device pci # Floppy drives device fdc # ATA and ATAPI devices device ata device atadisk # ATA disk drives device ataraid # ATA RAID drives device atapicd # ATAPI CDROM drives device atapifd # ATAPI floppy drives device atapist # ATAPI tape drives options ATA_STATIC_ID # Static device numbering # SCSI Controllers device mpt # LSI-Logic MPT-Fusion device bt # Buslogic/Mylex MultiMaster SCSI adapters # SCSI peripherals device scbus # SCSI bus (required for SCSI) device ch # SCSI media changers device da # Direct Access (disks) device sa # Sequential Access (tape etc) device cd # CD device pass # Passthrough device (direct SCSI access) device ses # SCSI Environmental Services (and SAF-TE) # atkbdc0 controls both the keyboard and the PS/2 mouse device atkbdc # AT keyboard controller device atkbd # AT keyboard device psm # PS/2 mouse device kbdmux # keyboard multiplexer device vga # VGA video card driver device splash # Splash screen and screen saver support # syscons is the default console driver, resembling an SCO console device sc device agp # support several AGP chipsets # Add suspend/resume support for the i8254. device pmtimer # Serial (COM) ports device uart # Generic UART driver # Parallel port device ppc device ppbus # Parallel port bus (required) device lpt # Printer device plip # TCP/IP over parallel device ppi # Parallel port interface device device vpo # Requires scbus and da # PCI Ethernet NICs. device em # Intel PRO/1000 Gigabit Ethernet Family device le # AMD Am7900 LANCE and Am79C9xx PCnet # Pseudo devices. device loop # Network loopback device random # Entropy device device ether # Ethernet support device tun # Packet tunnel. device pty # BSD-style compatibility pseudo ttys device md # Memory "disks" device gif # IPv6 and IPv4 tunneling device faith # IPv6-to-IPv4 relaying (translation) device firmware # firmware assist module # Note that 'bpf' is required for DHCP. device bpf # Berkeley packet filter # USB support device uhci # UHCI PCI->USB interface device ohci # OHCI PCI->USB interface device ehci # EHCI PCI->USB interface (USB 2.0) device usb # USB Bus (required) #device udbp # USB Double Bulk Pipe devices device uhid # "Human Interface Devices" device ukbd # Keyboard device ulpt # Printer device umass # Disks/Mass storage - Requires scbus and da device ums # Mouse # USB Ethernet, requires miibus device miibus device cdce # Generic USB over Ethernet # FireWire support device firewire # FireWire bus code #device sbp # SCSI over FireWire (Requires scbus and da) device fwe # Ethernet over FireWire (non-standard!) device fwip # IP over FireWire (RFC 2734,3146) device dcons # Dumb console driver device dcons_crom # Configuration ROM for dcons # Increases the system memory limits - does not restrict you to only 512 uers maxusers 512 # IPSec VPN options IPSEC #IP security options IPSEC_FILTERTUNNEL device crypto # IPFilter Firewall options IPFILTER options IPFILTER_LOG # options IPFILTER_DEFAULT_BLOCK # PF Firewall device pf device pflog device pfsync # To enable IPFW with default deny all packets options IPFIREWALL options IPFIREWALL_FORWARD options IPFIREWALL_VERBOSE options IPFIREWALL_VERBOSE_LIMIT=10 #options IPFIREWALL_DEFAULT_TO_ACCEPT # Will accept everything without rules file # To hide firewall from traceroute options IPSTEALTH # Add some protection capabilities for the web services options ACCEPT_FILTER_DATA options ACCEPT_FILTER_HTTP # Incease network performance options DEVICE_POLLING # Don't forget to edit: /etc/sysctl.conf add kern.polling.enable=1

# You can see every possible kernel option (most likely you don't need this) by:
cd /usr/src/sys/i386/conf
make LINT
more /usr/src/sys/i386/conf/LINT

# Prepare your Kernel by using the config command:
/usr/sbin/config VMwareFreeBSD8

# Change to the newly created config directory and set the dependencies:
cd ../compile/VMwareFreeBSD8
make cleandepend
make depend

# Compile the new Kernel
make

# Install the new Kernel only if you compiled without errors:
make install

# WARNING: Complete the "Firewall" section below before rebooting!

# Install and configure a basic firewall (Required if you recompiled the kernel - IPFW is built-in to FreeBSD to help protect your system)
# Edit /etc/rc.conf file
vi /etc/rc.conf
# IPFW Settings ipfw_enable="YES" firewall_enable="YES" firewall_script="/etc/rc.firewall" firewall_type="/etc/ipfw.rules" firewall_quiet="NO" # Change to YES once happy with rules firewall_logging_enable="YES" log_in_vain="YES" tcp_restrict_rst="YES" icmp_drop_redirect="YES"
# Edit /etc/ipfw.rules
vi /etc/ipfw.rules
############################################### # ERNIE'S FreeBSD 8.0 IPFW2 RULES # # # # THIS FILE: /etc/ipfw.rules # # # # REQUIRES: # # # # Kernel Options: # # options IPFIREWALL # # options IPFIREWALL_VERBOSE # # options IPFIREWALL_VERBOSE_LIMIT=10 # # options IPSTEALTH # # options ACCEPT_FILTER_DATA # # options ACCEPT_FILTER_HTTP # # # # /etc/rc.conf Settings: # # ipfw_enable="YES" # # firewall_enable="YES" # # firewall_script="/etc/rc.firewall" # # firewall_type="/etc/ipfw.rules" # # firewall_quiet="NO" # # firewall_logging_enable="YES" # # log_in_vain="YES" # # tcp_restrict_rst="YES" # # icmp_drop_redirect="YES" # # # # COMMANDS: # # ipfw show # # ipfw zero # # more /var/log/ipfw.today # # tail /var/log/dmesg.today # # # # Version: 09/05/2009 # ############################################### # # DYNAMIC RULES # # Enable dynamic rules add 00201 check-state # # BASIC CLIENT OUTBOUND # # TCP Out Client add 00301 allow tcp from any to any out keep-state # UDP Out Client add 00302 allow udp from any to any out keep-state # ICMP Out Client add 00303 allow icmp from any to any out keep-state # # BASIC CLIENT INBOUND # # DNS Client Replies add 00401 allow udp from any 53 to any in keep-state # NTP Client Replies add 00402 allow udp from any 123 to any in keep-state # ICMP In Replies sent by this Client NOT from external add 00403 allow icmp from any to any in keep-state icmptypes 0,3,4,5,9,10,11,12,14,16,18 # Allow connections from local loopback add 00404 allow ip from any to any via lo0 # Allow RPC from Loopback add 00405 allow tcp from 127.0.0.1 to 127.0.0.1 in dst-port 111 keep-state # Allow Identd from loopback add 00406 allow tcp from 127.0.0.1 to 127.0.0.1 in dst-port 113 keep-state # Allow comsat (biff) from loopback add 00407 allow udp from 127.0.0.1 to 127.0.0.1 in dst-port 512 keep-state # # SERVER INBOUND TCP # # FTP Data add 00501 allow tcp from any to any in dst-port 20 keep-state # FTP Control add 00502 allow tcp from any to any in dst-port 21 keep-state # SSH and SFTP Server add 00503 allow tcp from any to any in dst-port 22 keep-state # DNS Server add 00504 allow tcp from any to any in dst-port 53 keep-state # Web Server add 00505 allow tcp from any to any in dst-port 80 keep-state # Portmapper for NFS Server add 00506 allow tcp from any to any in dst-port 111 keep-state # Samba Server (epmap loc-srv DCE endpoint resolution) add 00507 allow tcp from any to any in dst-port 135 keep-state # Samba Server (netbios-ns nbname NETBIOS Name Service) add 00508 allow tcp from any to any in dst-port 137 keep-state # Samba Server (netbios-ssn nbsession NETBIOS Session Service) add 00509 allow tcp from any to any in dst-port 139 keep-state # SSL Web Server add 00510 allow tcp from any to any in dst-port 443 keep-state # Samba Server (microsoft-ds) add 00511 allow tcp from any to any in dst-port 445 keep-state # AgentX Net-SNMP service add 00512 allow tcp from any to any in dst-port 705 keep-state # Nessus Console Server add 00513 allow tcp from any to any in dst-port 1241 keep-state # T120 add 00514 allow tcp from any to any in dst-port 1503 keep-state # H323 add 00515 allow tcp from any to any in dst-port 1720 keep-state # PPTP add 00516 allow tcp from any to any in dst-port 1723 keep-state # NTOP HTTP Web Server add 00517 allow tcp from any to any in dst-port 3000 keep-state # NTOP HTTPS Web Server add 00518 allow tcp from any to any in dst-port 3001 keep-state # TCP iSNS (Internet Storage Name Service) add 00519 allow tcp from any to any in dst-port 3230 keep-state # TCP RTP Audio and Video (Polycom SIP and H323 Media) add 00520 allow tcp from any to any in dst-port 3230 keep-state # TCP RTP Audio and Video (Polycom SIP and H323 Media) add 00521 allow tcp from any to any in dst-port 3231 keep-state # TCP RTP Audio and Video (Polycom SIP and H323 Media) add 00522 allow tcp from any to any in dst-port 3232 keep-state # TCP RTP Audio and Video (Polycom SIP and H323 Media) add 00523 allow tcp from any to any in dst-port 3233 keep-state # TCP RTP Audio and Video (Polycom SIP and H323 Media) add 00524 allow tcp from any to any in dst-port 3234 keep-state # TCP RTP Audio and Video (Polycom SIP and H323 Media) add 00525 allow tcp from any to any in dst-port 3235 keep-state # TCP RTP Audio and Video (Polycom SIP and H323 Media) add 00526 allow tcp from any to any in dst-port 3236 keep-state # TCP RTP Audio and Video (Polycom SIP and H323 Media) add 00527 allow tcp from any to any in dst-port 3237 keep-state # TCP iSCSI (SCSI over IP) add 00528 allow tcp from any to any in dst-port 3260 keep-state # MySQL Server add 00529 allow tcp from any to any in dst-port 3306 keep-state # Asterisk GUI Server add 00530 allow tcp from any to any in dst-port 5038 keep-state # SIP add 00531 allow tcp from any to any in dst-port 5060 keep-state # CVS Update Server add 00532 allow tcp from any to any in dst-port 5999 keep-state # X11 Server add 00533 allow tcp from any to any in dst-port 6000 keep-state # Alternate WWW Port add 00534 allow tcp from any to any in dst-port 8000 keep-state # VLC Web add 00535 allow tcp from any to any in dst-port 8080 keep-state # Asterisk GUI add 00536 allow tcp from any to any in dst-port 8088 keep-state # TeamSpeak Client Connections add 00537 allow tcp from any to any in dst-port 8767 keep-state # Cacti Boost Server add 00538 allow tcp from any to any in dst-port 9050 keep-state # Webmin Server add 00539 allow tcp from any to any in dst-port 10000 keep-state # TeamSpeak HTTPServer add 00540 allow tcp from any to any in dst-port 14534 keep-state # Usermin Server add 00541 allow tcp from any to any in dst-port 20000 keep-state # SSL Explorer (Adito) add 00542 allow tcp from any to any in dst-port 28080 keep-state # TeamSpeak TCPQueryPort add 00543 allow tcp from any to any in dst-port 51234 keep-state # # SERVER INBOUND UDP # # DHCP and BOOTP Server add 00601 allow udp from any to any in dst-port 67 keep-state # DHCP and BOOTP Server add 00602 allow udp from any to any in dst-port 68 keep-state # TFTP Server add 00603 allow udp from any to any in dst-port 69 keep-state # NTP Server add 00604 allow udp from any to any in dst-port 123 keep-state # Samba Server (epmap loc-srv DCE endpoint resolution) add 00605 allow udp from any to any in dst-port 135 keep-state # Samba Server (netbios-ns nbname NETBIOS Name Service) add 00606 allow udp from any to any in dst-port 137 keep-state # Samba Server (netbios-dgm nbdatagram NETBIOS Datagram Service) add 00607 allow udp from any to any in dst-port 138 keep-state # SNMP Traplogd Server add 00608 allow udp from any to any in dst-port 162 keep-state # Samba Server (microsoft-ds) add 00609 allow udp from any to any in dst-port 445 keep-state # IPSec VPN add 00610 allow udp from any to any in dst-port 500 keep-state # Syslog Server add 00611 allow udp from any to any in dst-port 514 keep-state # AgentX Net-SNMP service add 00612 allow udp from any to any in dst-port 705 keep-state # RADIUS Server Authentication 1 add 00613 allow udp from any to any in dst-port 1645 keep-state # RADIUS Server Accounting 1 add 00614 allow udp from any to any in dst-port 1646 keep-state # RADIUS Server Authentication 2 add 00615 allow udp from any to any in dst-port 1812 keep-state # RADIUS Server Accounting 2 add 00616 allow udp from any to any in dst-port 1813 keep-state # NFS Server add 00617 allow udp from any to any in dst-port 2049 keep-state # UDP RTP Audio and Video (Polycom SIP and H323 Media) add 00618 allow udp from any to any in dst-port 3230 keep-state # UDP RTP Audio and Video (Polycom SIP and H323 Media) add 00619 allow udp from any to any in dst-port 3231 keep-state # UDP RTP Audio and Video (Polycom SIP and H323 Media) add 00620 allow udp from any to any in dst-port 3232 keep-state # UDP RTP Audio and Video (Polycom SIP and H323 Media) add 00621 allow udp from any to any in dst-port 3233 keep-state # UDP RTP Audio and Video (Polycom SIP and H323 Media) add 00622 allow udp from any to any in dst-port 3234 keep-state # UDP RTP Audio and Video (Polycom SIP and H323 Media) add 00623 allow udp from any to any in dst-port 3235 keep-state # UDP RTP Audio and Video (Polycom SIP and H323 Media) add 00624 allow udp from any to any in dst-port 3236 keep-state # UDP RTP Audio and Video (Polycom SIP and H323 Media) add 00625 allow udp from any to any in dst-port 3237 keep-state # IAX2 add 00626 allow udp from any to any in dst-port 4569 keep-state # IAX add 00627 allow udp from any to any in dst-port 5036 keep-state # SIP add 00628 allow udp from any to any in dst-port 5060 keep-state # NTOP Collector #1 Server add 00629 allow udp from any to any in dst-port 9991 keep-state # NTOP Collector #2 Server add 00630 allow udp from any to any in dst-port 9992 keep-state # NTOP Collector #3 Server add 00631 allow udp from any to any in dst-port 9993 keep-state # # VPN Services # # GRE (Protocol ID 47) add 00701 allow gre from any to any out keep-state add 00702 allow gre from any to any in keep-state # # EXPLICIT (normally already implict) DENY ALL OTHER TRAFFIC NOT LISTED ABOVE # # Deny and Log EVERYTHING else add 65535 deny log ip from any to any
# Comment out biff (comsat) (if you are not using it, you probably are not using it)
vi /etc/services
# biff 512/udp comsat #used by mail system to notify users

# Uncomment auth
vi /etc/inetd.conf
auth stream tcp nowait root internal

# Commands to note:
ipfw show
sockstat -4
ipfw zero
more /var/log/ipfw.today
tail /var/log/dmesg.today

# References and thanks to:
#     http://www.onlamp.com/pub/a/bsd/2001/04/25/FreeBSD_Basics.html
#     http://www.onlamp.com/pub/a/bsd/2001/05/09/FreeBSD_Basics.html
#     http://www.freebsd.org/cgi/man.cgi?query=ipfw&apropos=0&sektion=0&manpath=FreeBSD+6.2-RELEASE&format=html

# Also: You may now see messages in /var/log/messages like this:
# Aug 15 19:54:44 nms kernel: Connection attempt to TCP 127.0.0.1:111 from 127.0.0.1:864 flags:0x02
# Since you probably don't have RPC running for NFS use on TCP port 111 you can ignore these.
# If you had RPC running, you wouldn't see these "log in vain" messages.
# "Log in vain" messages show connection attempts on ports where you do not currently have services running
# Note: Webmin's rule editor breaks the rule file - it forgets to put "add" starting each line

Software RAID1 Mirror (Optional - Only needed if you have dual hard drives and want RAID1 using gmirror)
# Boot up and log in as root
# Set security to allow these changes
sysctl kern.geom.debugflags=16

# Create the new mirror
gmirror label -v -b round-robin gm0 /dev/ad4

# Edit the /etc/fstab adding mirror and replacing all ad with gm
vi /etc/fstab
# Device Mountpoint FStype Options Dump Pass# /dev/mirror/gm0s1b none swap sw 0 0 mirror/gm0s1a / ufs rw 1 1 /dev/acd0 /cdrom cd9660 ro,noauto 0 0

# Edit /boot/loader.conf
vi /boot/loader.conf
geom_mirror_load="YES"

# Reboot
shutdown -r now

# Add the second disk to the mirror
gmirror insert gm0 /dev/ad6
# Check the status
gmirror status
gmirror list
# Reboot and verify operation
shutdown -r now
gmirror status
gmirror list
# Note: If you lock yourself out because of a typo in the fstab, do this to get read/write edit control:
mount -u
mount -a -t ufs
swapon -a
vi /etc/fstab

FreeBSD Update - (Optional) Not desired if you compiled your own kernel above - Tracks the FreeBSD security branches
# FreeBSD Update is a system for automatically building, distributing, fetching, and applying binary security updates for FreeBSD
/usr/sbin/freebsd-update fetch
/usr/sbin/freebsd-update install
# Quick updates run this periodically
freebsd-update fetch && freebsd-update install

Section 4 - Update and secure the operating system

# Kick off a portsnap update again!
/usr/sbin/portsnap fetch && /usr/sbin/portsnap update

# Update installed Ports automatically
# Portmanager utility for upgrading all installed ports (use this after you run portsnap)
cd /usr/ports/ports-mgmt/portmanager
make install clean distclean

# Upgrade all installed ports! Run this periodically!
/usr/local/bin/portmanager -u

# Sample config file if you need to make exceptions or exclusions during automatic updates
# /usr/local/etc/portmanager/pm-020.conf.SAMPLE

# Enable the FreeBSD Vulnerability Database using "portaudit"
cd /usr/ports/ports-mgmt/portaudit
make install clean distclean

# Run portaudit for the first time
/usr/local/sbin/portaudit -Fda
/usr/local/etc/periodic/security/*portaudit
# NOTE: portaudit will automatically run each day scheduled via cron now

# Process Accounting - a security method in which an administrator may keep track of system resources used
# Create the accounting file and activate it
touch /var/account/acct
accton /var/account/acct
# Enable accounting startup at boot time by adding a line to the rc.conf
vi /etc/rc.conf
accounting_enable="YES"
# Test out accounting and useful commands
sa
lastcomm
lastcomm ls
# Reference: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/security-accounting.html

Hardening FreeBSD - Increase system security prior to going into production
# We only need one (1) "temp" directory on our system and that should be /tmp
rm -R /var/tmp/
ln -s /tmp /var/tmp
# Make the console more secure by prompting for the root password going into single user mode
vi /etc/ttys
console none unknown off insecure
# Increase SSH security by adding or uncommenting a few lines in the sshd_config
vi /etc/ssh/sshd_config
Protocol 2
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 2m
PermitRootLogin no
# WARNING: PermitRootLogin no requires that you have a normal user account and use "su"
StrictModes yes
MaxAuthTries 3
PermitEmptyPasswords no
PrintLastLog yes
UsePrivilegeSeparation yes
UseDNS yes
# WARNING: UseDNS yes means all of your hosts must be in DNS with forward / reverse correct!
# Switch new passwords to use blowfish instead of md5 and increase password security in general
echo "crypt_default=blf" >> /etc/auth.conf
# Edit login.conf and edit and add a few lines to the default section
vi /etc/login.conf
        :passwd_format=blf:\
        :minpasswordlen=9:\
        :mixpasswordcase=true:\
        :passwordtime=90d:\
        :idletime=30:\
        :accounted=true:\
        :autodelete=90d:\
        :warnpassword=14d:\
# Put the changes to login.conf into effect
/usr/bin/cap_mkdb /etc/login.conf
# Only allow root to schedule jobs
echo "root" > /var/cron/allow
echo "root" > /var/at/at.allow
chmod o= /etc/crontab
chmod o= /usr/bin/crontab
chmod o= /usr/bin/at
chmod o= /usr/bin/atq
chmod o= /usr/bin/atrm
chmod o= /usr/bin/batch

# Increase security settings by adding or uncommenting these lines in your existing rc.conf
vi /etc/rc.conf
kern_securelevel_enable="YES" kern_securelevel="3" portmap_enable="NO" icmp_drop_redirect="YES" icmp_log_redirect="YES" log_in_vain="YES" sendmail_enable="NO" nfs_server_enable="NO" nfs_client_enable="NO" portmap_enable="NO" update_motd="NO"

# Increase sysctl security settings by adding these values to the current sysctl.conf file
vi /etc/sysctl.conf
# To adjust kernel values: # sysctl # # For details: # man 5 sysctl.conf # kern.module_path=/boot/kernel;/boot/modules;/usr/local/modules security.bsd.see_other_uids=0 net.inet.icmp.icmplim=5000 net.inet.tcp.blackhole=2 net.inet.udp.blackhole=1 net.inet.ip.random_id=1

Section 5 - Install some of the key components that make FreeBSD a terrific OS

# Basic Components - Add a few more key basic ingredients!
# LibXML
cd /usr/ports/textproc/libxml2
make install clean distclean
# mc
cd /usr/ports/misc/mc
make install clean distclean

# bison
cd /usr/ports/devel/bison
make install clean distclean

# bzip2
cd /usr/ports/archivers/bzip2
make install clean distclean

# gzip
cd /usr/ports/archivers/gzip
make install clean distclean

# unarj
cd /usr/ports/archivers/unarj
make install clean distclean

# unrar
cd /usr/ports/archivers/unrar
make install clean distclean

# untar
cd /usr/ports/archivers/untar
make install clean distclean

# unzip
cd /usr/ports/archivers/unzip
make install clean distclean

# zip
cd /usr/ports/archivers/zip
make install clean distclean

# unix2dos
cd /usr/ports/converters/unix2dos
make install clean distclean

# curl
cd /usr/ports/ftp/curl
make install clean distclean

# libmcrypt
cd /usr/ports/security/libmcrypt
make install clean distclean

# OpenLDAP
cd /usr/ports/net/openldap24-client/
make install clean distclean

# lame
cd /usr/ports/audio/lame
make install clean distclean

# ncurses-devel
cd /usr/ports/devel/ncurses
make install clean distclean

# audiofile-devel
cd /usr/ports/audio/libaudiofile
make install clean distclean
#cd /usr/ports/audio/linux-libaudiofile
#make install clean distclean
# sox (Enable: mp3 encoding with LAME, mp3 decoding with MAD, Ogg Vorbis support, GSM audio codec support)
cd /usr/ports/audio/sox
make install clean distclean
# PNG
cd /usr/ports/graphics/png
make install clean distclean
# JPEG
cd /usr/ports/graphics/jpeg
make install clean distclean
# GD
cd /usr/ports/graphics/gd
make install clean distclean

# Doxygen
cd /usr/ports/devel/doxygen
make install clean distclean
# Festival
cd /usr/ports/audio/festival
make install clean distclean
# Flite
cd /usr/ports/audio/flite
make install clean distclean
# pidof
cd /usr/ports/sysutils/pidof
make install clean distclean
# Subversion
cd /usr/ports/devel/subversion
make install clean distclean
# cd /usr/src
# svn checkout svn://cvs.cacti.net/var/svnroot/cacti
# Git
cd /usr/ports/devel/git
make install clean distclean
# Screen
cd /usr/ports/sysutils/screen
make install clean distclean
# TTYLoad
cd /usr/ports/sysutils/ttyload
make install clean distclean
# IFTop
cd /usr/ports/net-mgmt/iftop
make install clean distclean
# Ploticus
cd /usr/ports/math/ploticus
make install clean distclean
# MTop
cd /usr/ports/databases/mtop
make install clean distclean
# Sipsak
cd /usr/ports/net/sipsak
make install clean distclean
# PEAK setuptools - see also: http://pypi.python.org/pypi/setuptools
cd /usr/ports/devel/py-setuptools
make install clean distclean
# MCrypt
cd /usr/ports/security/mcrypt
make install clean distclean
# Portupgrade (not used by Ernie, but nice to have just in case)
cd /usr/ports/ports-mgmt/portupgrade
make install clean distclean
# Portmaster (not used by Ernie, but nice to have just in case)
cd /usr/ports/ports-mgmt/portmaster
make install clean distclean

# Useful Network Utilities - Nmap and various other tools every admin should have
# nmap is a powerful network scanning tool that should be a standard item in your tool box
cd /usr/ports/security/nmap
make install clean distclean
# Example:
# nmap v sV -O -p 21,135,139,445,5800,5900 www.netjunkies.net
# nmapfe is a frontend GUI for nmap to make life simpler
# cd /usr/ports/security/nmapfe
# make install clean
# Example:
# nmapfe &
# dnstracer determines where a given Domain Name Server (DNS) gets its information
cd /usr/ports/dns/dnstracer
make install clean distclean
# Example:
# dnstracer www.netjunkies.net

# dhcping sends a DHCP request to DHCP server to see if it's up and running
cd /usr/ports/net/dhcping
make install clean distclean
# Example:
# dhcping -v 172.28.0.10

# echoping tests performances of a remote host by sending it TCP "echo" (or other protocol) packets
cd /usr/ports/net/echoping
make install clean distclean
# Example:
# echoping -h / www.netjunkies.net:80

# fping is meant to be used in scripts and its output is easy to parse
cd /usr/ports/net/fping
make install clean distclean
# Examples:
# fping -g 172.28.0.0/24
# fping -a -g 172.28.0.0/24

# hping is a command-line oriented TCP/IP packet assembler/analyzer
cd /usr/ports/net/hping
make install clean distclean
# Example:
# hping --scan 1-1024 -S 172.28.0.10

# ngrep can be used to debug various plain text protocols like HTTP and FTP etc.
cd /usr/ports/net/ngrep
make install clean distclean
# Example:
# ngrep port 80
# netcat is the tcp/ip "Swiss Army knife"
cd /usr/ports/net/netcat
make install clean distclean
# Examples:
# nc -v www.netjunkies.net 80 (and type: GET / HTTP/1.0)
# nc -v www.netjunkies.net 80 < get.txt
# wget is for retrieving files using HTTP, HTTPS and FTP mostly used by scripts or at the command line
cd /usr/ports/ftp/wget
make install clean distclean
# Example:
# wget http://members.netjunkies.net/n3ncy/FreeBSD61/Useful-Network-Tools.htm
# ipmitools for a simple command-line interface to Baseboard Management Controller (BMC)
cd /usr/ports/sysutils/ipmitool
make install clean distclean
# Example:
# ipmitool -I lan -H 172.28.0.12 -f passfile chassis power status
# tcpview a tcpdump front end GUI
cd /usr/ports/net/tcpview
make install clean distclean
# Example:
# tcpview &
# trafshow
cd /usr/ports/net/trafshow
make install clean distclean
# Example:
# trafshow
# Putty
cd /usr/ports/security/putty
make install clean distclean
# Pancho
cd /usr/ports/net-mgmt/pancho/
make install clean distclean
# Rancid - Cisco "diff" tool
cd /usr/ports/net-mgmt/rancid/
make install clean distclean
# Notes: http://www.joe-ma.co.za/page.php?9
# For further configuration information please look at
# /usr/local/share/rancid/README.
# If you are upgrading from the previous version of rancid look at
# /usr/local/share/rancid/UPGRADING.
# If you would like to set up Rancid to be browseable from Web,
# you need to install devel/cvsweb or devel/viewvc.
# For rancid looking-glass copy the actual CGIs (located at
# /usr/local/libexec/rancid/{lg.cgi lgform.cgi}) to your cgi-bin.
# Switchmap
cd /usr/src
fetch http://superb-east.dl.sourceforge.net/sourceforge/switchmap/switchmap-11.13.tar.gz
tar xvfz switchmap-11.13.tar.gz
# Incomplete
# WireShark
cd /usr/ports/net/wireshark
make install clean distclean
# Lynx
cd /usr/ports/www/lynx
make install clean distclean
cd # wgetpro is also for retrieving files, but has advanced capabilities like pulling a file out of a stream
# v1.3 has vulnerabilities and should not be on a production server
# cd /usr/ports/ftp/wgetpro/
# make install clean
# Example:
# wpro mms://win30ny.audiovideoweb.com/avwebdsnywin3147/bush.wmv

# Kick off a portsnap one last time!
/usr/sbin/portsnap fetch && /usr/sbin/portsnap update

# Kick off a portmanager upgrade one last time!
/usr/local/bin/portmanager -u

II. Setting the Stage (Prerequisites for a useable application server):

# Perl CPAN Shell - A very nice way to add Perl modules to your system
# The CPAN shell is a very effective and methodic way to add perl modules to your system.
# This is the advised and best method to use if your machine can connect to the Internet.

# Configure the CPAN Shell
/usr/bin/perl -MCPAN -e shell
yes
install Bundle::CPAN
yes
yes
yes
exit <PRESS ENTER when asked>
exit

# Re-launch the CPAN shell anytime
/usr/bin/perl -MCPAN -e shell
exit

# Exit and relaunch the CPAN shell once or twice to verify basic operation (Choose "no" if it asks you for detailed config)
/usr/bin/perl -MCPAN -e shell
exit
# CPAN shell commands to know
? <-- Display Help Menu
reload cpan <-- Reloads CPAN interface
i /DBD/ <-- Searches for any module with "DBD" in the name
install DBI <-- Installs module "DBI"
# Add a few basic Perl Modules
perl -MCPAN -e "install Net::Telnet"
perl -MCPAN -e "install IPC::Signal"
perl -MCPAN -e "install Proc::WaitStat"
perl -MCPAN -e "install MIME::Types"

# Add a few modules the hard way via source!
# mime-construct
cd /usr/src
fetch http://search.cpan.org/CPAN/authors/id/R/RO/ROSCH/mime-construct-1.9.tar.gz
tar xvf mime-construct-1.9.tar.gz
cd mime-construct-1.9
perl Makefile.PL
make
make install
# Asterisk-perl - http://asterisk.gnuinter.net/
/usr/bin/perl -MCPAN -e shell
install Asterisk
# XML Perl Modules
/usr/bin/perl -MCPAN -e shell
install XML::LibXML
# Java 1.5x - Please access: http://www.FreeBSDFoundation.org/cgi-bin/download?download=diablo-caffe-freebsd6-i386-1.5.0_07-b01.tar.bz2
# with a web browser and "Accept" the End User License Agreement for: "Caffe Diablo 1.5.0"
# Downloaded file: diablo-caffe-freebsd6-i386-1.5.0_07-b01.tar.bz2
# Put this file into your: /usr/ports/distfiles

# Java 1.6x - Please access: http://www.FreeBSDFoundation.org/cgi-bin/download?download=diablo-caffe-freebsd7-i386-1.6.0_07-b02.tar.bz2
# with a web browser and "Accept" the End User License Agreement for: "Caffe Diablo 1.6.0"
# Downloaded file: diablo-caffe-freebsd6-i386-1.5.0_07-b01.tar.bz2
# Put this file into your: /usr/ports/distfiles

# Also get the "Timezone Update":
http://java.sun.com/javase/downloads/index.jsp
# Download: "JDK US DST Timezone Update Tool - 1_3_25" to obtain the time zone update file:
# tzupdater-1_3_25-2009u.zip (old was: tzupdater-1_3_15-2009g.zip)
# Put this file into your: /usr/ports/distfiles

# Also get the "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6":
http://java.sun.com/javase/downloads/
# Obtain the JCE policy file
# jce_policy-6.zip
# Put this file into your: /usr/ports/distfiles

# Java 1.5
cd /usr/ports/java/diablo-jdk15
make install clean distclean

# Java 1.6
cd /usr/ports/java/diablo-jdk16
make install clean distclean

# Eclipse
# cd /usr/ports/java/eclipse/
# make install clean distclean
# Webmin - A web based interface for UNIX Admins to control the server
# SSL Perl module
/usr/bin/perl -MCPAN -e shell
install Net::SSLeay
install Authen::PAM
exit

# Webmin
cd /usr/ports/sysutils/webmin
make install clean distclean
# Run the setup script and set a password
/usr/local/lib/webmin/setup.sh
# Edit /etc/rc.conf and add webmin_enable="YES"
vi /etc/rc.conf
webmin_enable="YES"
# Usermin
cd /usr/ports/sysutils/usermin
make install clean distclean
# Run the setup script and set a password
/usr/local/lib/usermin/setup.sh
# Edit /etc/rc.conf and add usermin_enable="YES"
vi /etc/rc.conf
usermin_enable="YES"

# Test Webmin
https://YourServerIP:10000
# Test Usermin
https://YourServerIP:20000
# GNUPG
cd /usr/ports/security/gnupg
make install clean distclean

III. Server Applications (The reason for existing!):

# Apache - The UNIX web server platform
cd /usr/src
fetch http://mirror.its.uidaho.edu/pub/apache/httpd/httpd-2.2.14.tar.gz
# Unzip and Untar
tar xvf httpd-?.?.??.tar.gz

# Change dir
cd httpd-?.?.??
# Edit two (2) files to mimic FreeBSD "Ports" installation
vi /usr/src/httpd-?.?.??/include/httpd.h
# find DEFAULT_ERRORLOG and change logs/error_log to /var/log/httpd-error.log
vi /usr/src/httpd-?.?.??/include/scoreboard.h
# find DEFAULT_SCOREBOARD and change logs/apache_runtime_status to /var/run/apache_runtime_status
# Configure
./configure --enable-layout=FreeBSD --sysconfdir=/usr/local/etc/apache22 --sharedstatedir=/var/run --localstatedir=/var --with-port=80 --with-sslport=443 --enable-v4-mapped --with-mpm=prefork --mandir=/usr/local/man --infodir=/usr/local/info --build=i386-srcbld-freebsd8.0 --enable-modules=all --enable-mods-shared=all --enable-http --enable-ssl --enable-cgi --enable-cgid --enable-expires --enable-headers --enable-mime-magic --enable-imagemap --enable-cern-meta --enable-usertrack --enable-unique-id --enable-speling --enable-rewrite --enable-so --enable-info --enable-authn-anon --enable-authn-dbd --enable-authn-alias --enable-authz-owner --enable-auth-digest --enable-cache --enable-mem-cache --enable-dav --enable-dav-fs --enable-dav-lock --enable-dbd --enable-dumpio --enable-ext-filter --enable-deflate --enable-log-forensic --enable-logio --enable-ident --enable-proxy --enable-proxy-connect --enable-proxy-ftp --enable-proxy-http --enable-proxy-ajp --enable-proxy-balancer --enable-vhost-alias --enable-suexec --enable-authz-dbm --enable-isapi --enable-file-cache --enable-disk-cache --enable-case-filter --enable-case-filter-in --enable-charset-lite --enable-deflate --enable-bucketeer --enable-version --enable-authn-dbm --enable-exception-hook --enable-substitute --enable-echo --enable-example --enable-optional-hook-export --enable-optional-hook-import --enable-optional-fn-import --enable-optional-fn-export
# Compile
gmake

# Install
gmake install

# Quick Start Server Tests:
/usr/local/sbin/apachectl -k start
/usr/local/sbin/apachectl -k restart
/usr/local/sbin/apachectl -k stop
/usr/local/sbin/apachectl -k start

# Test with your web browser on another machine:
http://YourServerIP

# Update rc.conf
vi /etc/rc.conf
apache22_enable="YES"
# Create “rc” scripts to start at boot time (Although this example is a source install, these scripts are from the FreeBSD Ports and work as designed):
vi /usr/local/etc/rc.d/apache22
#!/bin/sh # # $FreeBSD: ports/www/apache22/files/apache22.sh.in,v 1.7 2008/09/02 07:34:21 clement Exp $ # # PROVIDE: apache22 # REQUIRE: LOGIN cleanvar # KEYWORD: shutdown # # Add the following lines to /etc/rc.conf to enable apache22: # apache22_enable (bool): Set to "NO" by default. # Set it to "YES" to enable apache22 # apache22_profiles (str): Set to "" by default. # Define your profiles here. # apache22limits_enable (bool):Set to "NO" by default. # Set it to yes to run `limits $limits_args` # just before apache starts. # apache22_flags (str): Set to "" by default. # Extra flags passed to start command. # apache22limits_args (str): Default to "-e -C daemon" # Arguments of pre-start limits run. # apache22_http_accept_enable (bool): Set to "NO" by default. # Set to yes to check for accf_http kernel # module on start up and load if not loaded. # apache22_fib (str): Set an altered default network view for apache . /etc/rc.subr name="apache22" rcvar=`set_rcvar` start_precmd="apache22_prestart" restart_precmd="apache22_checkconfig" reload_precmd="apache22_checkconfig" reload_cmd="apache22_graceful" graceful_cmd="apache22_graceful" gracefulstop_cmd="apache22_gracefulstop" configtest_cmd="apache22_checkconfig" command="/usr/local/sbin/httpd" _pidprefix="/var/run/httpd" pidfile="${_pidprefix}.pid" required_files=/usr/local/etc/apache22/httpd.conf [ -z "$apache22_enable" ] && apache22_enable="NO" [ -z "$apache22_profiles" ] && apache22_profiles="" [ -z "$apache22_flags" ] && apache22_flags="" [ -z "$apache22limits_enable" ] && apache22limits_enable="NO" [ -z "$apache22limits_args" ] && apache22limits_args="-e -C daemon" [ -z "$apache22_http_accept_enable" ] && apache22_http_accept_enable="NO" [ -z "$apache22_fib" ] && apache22_fib="NO" apache22_accf() { retcode=0 if checkyesno apache22_http_accept_enable then /sbin/kldstat -v | grep accf_http >/dev/null 2>&1 retcode=${?} if [ ${retcode} -ne 0 ] then /sbin/kldload accf_http 2> /dev/null retcode=${?} fi else apache22_flags="${apache22_flags} -DNOHTTPACCEPT" fi [ ${retcode} -ne 0 ] && echo "Unable to load accf_http module" return ${retcode} } load_rc_config $name if [ -n "$2" ]; then profile="$2" if [ "x${apache22_profiles}" != "x" ]; then pidfile="${_pidprefix}.${profile}.pid" eval apache22_configfile="\${apache22_${profile}_configfile:-}" if [ "x${apache22_configfile}" = "x" ]; then echo "You must define a configuration file (apache22_${profile}_configfile)" exit 1 fi required_files="${apache22_configfile}" eval apache22_enable="\${apache22_${profile}_enable:-${apache22_enable}}" eval apache22_flags="\${apache22_${profile}_flags:-${apache22_flags}}" eval apache22_http_accept_enable="\${apache22_${profile}_http_accept_enable:-${apache22_http_accept_enable}}" eval apache22limits_enable="\${apache22limits_${profile}_enable:-${apache22limits_enable}}" eval apache22limits_args="\${apache22limits_${profile}_args:-${apache22limits_args}}" eval apache22_fib="\${apache22_${profile}_fib:-${apache22_fib}}" apache22_flags="-f ${apache22_configfile} -c \"PidFile ${pidfile}\" ${apache22_flags}" else echo "$0: extra argument ignored" fi else if [ "x${apache22_profiles}" != "x" -a "x$1" != "x" ]; then for profile in ${apache22_profiles}; do eval _enable="\${apache22_${profile}_enable}" case "x${_enable:-${apache22_enable}}" in x|x[Nn][Oo]|x[Nn][Oo][Nn][Ee]) continue ;; x[Yy][Ee][Ss]) ;; *) if test -z "$_enable"; then _var=apache22_enable else _var=apache22_"${profile}"_enable fi echo "Bad value" \ "'${_enable:-${apache22_enable}}'" \ "for ${_var}. " \ "Profile ${profile} skipped." continue ;; esac echo "===> apache22 profile: ${profile}" /usr/local/etc/rc.d/apache22 $1 ${profile} retcode="$?" if [ "0${retcode}" -ne 0 ]; then failed="${profile} (${retcode}) ${failed:-}" else success="${profile} ${success:-}" fi done exit 0 fi fi if [ "${1}" != "stop" ] ; then \ apache22_accf || apache22_flags="${apache22_flags} -DNOHTTPACCEPT" fi apache22_requirepidfile() { if [ ! "0`check_pidfile ${pidfile} ${command}`" -gt 1 ]; then echo "${name} not running? (check $pidfile)." exit 1 fi } apache22_checkconfig() { if test -f /usr/local/sbin/envvars then . /usr/local/sbin/envvars fi echo "Performing sanity check on apache22 configuration:" eval ${command} ${apache22_flags} -t } apache22_graceful() { apache22_requirepidfile echo "Performing a graceful restart" eval ${command} ${apache22_flags} -k graceful } apache22_gracefulstop() { apache22_requirepidfile echo "Performing a graceful stop" eval ${command} ${apache22_flags} -k graceful-stop } apache22_precmd() { apache22_checkconfig if checkyesno apache22limits_enable then eval `/usr/bin/limits ${apache22limits_args}` 2>/dev/null else return 0 fi } apache22_checkfib () { sysctl net.fibs >/dev/null 2>&1 ret=$? [ $ret -gt 0 ] && return 0 if [ "x$apache22_fib" != "xNO" ] then command="setfib -F ${apache22_fib} ${command}" else return 0 fi } apache22_prestart() { apache22_precmd apache22_checkfib } extra_commands="reload graceful gracefulstop configtest" run_rc_command "$1"

vi /usr/local/etc/rc.d/htcacheclean
#!/bin/sh # # # # PROVIDE: htcacheclean # # Configuration settings for htcacheclean in /etc/rc.conf # # htcacheclean_enable (bool) # Set to "NO" by default # Set it to "YES" to enable htcacheclean # # htcacheclean_cache (str) Set to "/usr/local/www/proxy" by default Set the # location of the mod_disk_cache CacheRoot This should be the same as whats in # your httpd.conf # # htcacheclean_cachelimit (str) Set to "512M" by default Sets the size # htcacheclean should prune the disk cache to expressed in bytes by default, K # for kilobytes, M for megabytes. # # htcacheclean_interval (num) # Set to "10" by default # Sets how frequently in munutes htcacheclean wakes up and prunes the cache # # htcacheclean_args (str) # Set to "-t -n -i" by default # Sets extra command-line arguments to htcacheclean # -t Delete all empty directories # -n Be nice by sleeping occasionally to not saturate the I/O bandwith of the disk # -i Run only when there was a modification of the disk cache . /etc/rc.subr htcacheclean_enable="${htcacheclean_enable:-"NO"}" htcacheclean_cache="${htcacheclean_cache:-"/usr/local/www/proxy"}" htcacheclean_cachelimit="${htcacheclean_cachelimit:-"512M"}" htcacheclean_interval="${htcacheclean_interval:-"60"}" htcacheclean_args="${htcacheclean_args:-"-t -n -i"}" name="htcacheclean" rcvar=`set_rcvar` start_precmd="htc_check" restart_precmd="htc_check" restart_reload="htc_check" load_rc_config "${name}" command="/usr/local/sbin/htcacheclean" flags="-p${htcacheclean_cache} -d${htcacheclean_interval} -l${htcacheclean_cachelimit} ${htcacheclean_args}" required_dirs="${htcacheclean_cache}" htc_check() { [ ! -d ${htcacheclean_cache} ] && { echo "" return 1 } return 0 } run_rc_command "$1"

# Make the startup scripts executable:
chmod +x /usr/local/etc/rc.d/apache22
chmod +x /usr/local/etc/rc.d/htcacheclean

# Edit the "httpd.conf" and add at the very bottom of the conf file
vi /usr/local/etc/apache22/httpd.conf
<Location /server-info> SetHandler server-info </Location>

# Edit the "httpd.conf" to suit your needs, at least change the variables:
vi /usr/local/etc/apache22/httpd.conf
User www
Group www
ServerAdmin you@example.com

# Set directory permissions:
chown -R www:www /usr/local/www/data
# chown -R www:www /usr/local/www/apache22/data
# chown -R www:www /opt/apache/htdocs/

# Commands to remember:
/usr/local/sbin/apachectl -k start
/usr/local/sbin/apachectl -k restart
/usr/local/sbin/apachectl -k stop

# The Apache configuration file:
vi /usr/local/etc/apache22/httpd.conf

# Apache logs:
cd /var/log
tail -f /var/log/httpd-error.log
tail -f /var/log/error_log
cat /var/log/access_log

# See Also:
# http://www.devshed.com/c/a/Apache/Building-Apache-the-Way-You-Want-It/

# Mod PERL
cd /usr/ports/www/mod_perl2
make install clean distclean
# Edit the "httpd.conf" and add the new perl module to load, at the very bottom of the conf file
vi /usr/local/etc/apache22/httpd.conf
# Mod Perl LoadModule perl_module /usr/local/libexec/apache22/mod_perl.so

or

# Change to the /tmp directory not your normal source dir!
cd /tmp

# Download
fetch http://perl.apache.org/dist/mod_perl-2.0-current.tar.gz

# Unzip and Untar
tar xvf mod_perl-?.?-current.tar.gz

# Configure
cd mod_perl-?.?.?
perl Makefile.PL MP_APXS=/usr/local/sbin/apxs
# Edit the "httpd.conf" and add the new perl module to load, at the very bottom of the conf file
vi /usr/local/etc/apache22/httpd.conf
# Mod Perl LoadModule perl_module /usr/local/libexec/apache22/mod_perl.so
# Compile
make

# Install
# make test
make install
cd /usr/src/httpd-?.?.?
make clean
# Mod Perl Quick Start: http://perl.apache.org/docs/2.0/user/intro/start_fast.html

# Adding a "Real" HTTPS / SSL ability to your Apache Web Server: http://slacksite.com/apache/certificate.php
                   $12.99/yr = http://www.godaddy.com/Compare/gdcompare_ssl.aspx?isc=sslqgo001c
cd /usr/local/etc/apache22/
# Generate a key and do not forget the password
openssl genrsa -des3 -out joomla.netjunkies.net-server.key 2048
        password
        password
# Remove the password from the file so Apache can start at boot time without needing a human to be present to type in the password
openssl rsa -in joomla.netjunkies.net-server.key -out joomla.netjunkies.net-server.pem
# Generate a CSR (Certificate Signing Request) that will be used a Godaddy or Thawte or Verisign
# Note: When you are prompted for CN (Common Name), make sure you put the server's FQDN like: joomla.netjunkies.net (DO NOT PUT YOUR ACTUAL NAME!)
openssl req -new -key joomla.netjunkies.net-server.key -out joomla.netjunkies.net-server.csr
# Use the newly created CSR file (and some ca$h) to buy a SSL certificate!
# You will send them a "csr" file and the will send you a "crt' file: joomla.netjunkies.net-server.crt
# Add to httpd.conf
vi /usr/local/etc/apache22/httpd.conf
Listen 209.195.211.6:80
Listen 209.195.211.6:443
Listen 209.195.211.7:80
Listen 209.195.211.7:443
#Listen 80
#Listen 443
SSLMutex sem
SSLRandomSeed startup builtin
SSLSessionCache none
SSLCipherSuite HIGH:MEDIUM
SSLProtocol all -SSLv2
#
UseCanonicalName off
NameVirtualHost 209.195.211.6
NameVirtualHost 209.195.211.7
#
<VirtualHost 209.195.211.6:443>
ServerAdmin YourEmail@gmail.com
DocumentRoot /usr/local/www/data
ServerName joomla.netjunkies.net
ScriptAlias /cgi-bin/ /usr/local/www/cgi-bin/
SSLEngine on
SSLCertificateFile /usr/local/etc/apache22/joomla.netjunkies.net-server.crt
SSLCertificateKeyFile /usr/local/etc/apache22/joomla.netjunkies.net-server.pem
SSLCACertificateFile /usr/local/etc/apache22/gd_bundle.crt
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
<Directory "/usr/local/www/data">
allow from all
Options +Indexes
</Directory>
</VirtualHost>
# Make the SSL logs directory
mkdir /usr/local/www/data/logs/
chown -R www:www /usr/local/www/data/logs/
# Restart Apache
/usr/local/etc/rc.d/apache22 restart
sockstat -4

# Adding a "Self Signed" HTTPS / SSL ability to your Apache Web Server
# Create a certificate authority
cd /root
cp /usr/local/openssl/openssl.cnf.sample /usr/local/openssl/openssl.cnf
openssl genrsa -des3 -out my-ca.key 2048
openssl req -new -x509 -days 3650 -key my-ca.key -out my-ca.crt

# Create a server certificate
# Note: When asked for "CN" do NOT put your name, you must put the FQDN of the web server!
openssl genrsa -des3 -out nms1-server.key 1024
openssl req -new -key nms1-server.key -out nms1-server.csr
openssl x509 -req -in nms1-server.csr -out nms1-server.crt -sha1 -CA my-ca.crt -CAkey my-ca.key -CAcreateserial -days 3650
openssl x509 -in nms1-server.crt -text -noout
chmod 0400 *.key
cp nms1-server.crt /usr/local/etc/apache22/nms1.crt
cp nms1-server.key /usr/local/etc/apache22/nms1.key
cp my-ca.crt /usr/local/etc/apache22/cassl.crt

# HTTPS
vi /usr/local/etc/apache22/httpd.conf
# Edit:
Listen 192.168.0.161:80
Listen 192.168.0.161:443
# Add to the very bottom of your httpd.conf:
SSLMutex sem
SSLRandomSeed startup builtin
SSLSessionCache none
SSLCipherSuite HIGH:MEDIUM
SSLProtocol all -SSLv2
<VirtualHost 192.168.0.161:443>
DocumentRoot /opt/apache/htdocs
ServerName nms1.yourcompany.com
ServerAdmin YourEmail@yourcompany.com
SSLEngine on
SSLCertificateFile /usr/local/etc/apache22/nms1.crt
SSLCertificateKeyFile /usr/local/etc/apache22/nms1.key
SSLCACertificateFile /usr/local/etc/apache22/cassl.crt
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
SSLCipherSuite HIGH:MEDIUM
SSLProtocol all -SSLv2
<Directory "/opt/apache/htdocs">
SSLOptions +StdEnvVars
Options Indexes
AllowOverride None
Allow from from all
Order allow,deny
</Directory>
</VirtualHost>

# Test:
/usr/local/sbin/apachectl -k stop
/usr/local/sbin/apachectl -k start
sockstat -4
openssl s_client -connect nms1.yourcompany.com:443

# Remove the need to type a passphrase every time Apache starts:
cp /usr/local/etc/apache22/nms1.key /usr/local/etc/apache22/nms1.key.withpassphrase
openssl rsa -in /usr/local/etc/apache22/nms1.key.withpassphrase -out /usr/local/etc/apache22/nms1.key
MySQL - An open source SQL database and web based management
# Add a “mysql” user to your system: (MySQL should not need to run as root!)
pw groupadd mysql
pw useradd mysql -n mysql -G mysql -s /usr/sbin/nologin
cd /usr/src
fetch http://mysql.he.net/Downloads/MySQL-5.1/mysql-5.1.43.tar.gz
# Unzip and Untar and Change Directory
tar xvf mysql-?.?.*.tar.gz
cd mysql-?.?.*

# Configure
./configure --prefix=/usr/local --mandir=/usr/local/man --infodir=/usr/local/info/ --build=i386-srcbld-freebsd8.0 --localstatedir=/var/db/mysql --with-mysqld-user=mysql --with-mysqlmanager --enable-thread-safe-client --enable-assembler --with-tcp-port=3306 --without-debug --with-ssl=/usr/include -with-readline --enable-dependency-tracking --enable-local-infile --with-libwrap --with-low-memory --with-named-thread-libs=-pthread --with-embedded-server --with-big-tables --enable-profiling --with-plugins=all
# or dynamically linked plugins
./configure --prefix=/usr/local --mandir=/usr/local/man --infodir=/usr/local/info/ --build=i386-srcbld-freebsd8.0 --localstatedir=/var/db/mysql --with-mysqld-user=mysql --with-mysqlmanager --enable-thread-safe-client --enable-assembler --with-tcp-port=3306 --without-debug --with-ssl=/usr/include -with-readline --enable-dependency-tracking --enable-local-infile --with-libwrap --with-low-memory --with-named-thread-libs=-pthread --with-embedded-server --with-big-tables --enable-profiling --with-plugins=partition,daemon_example,ftexample,archive,blackhole,csv,example,federated,heap,ibmdb2i,innobase,innodb_plugin,myisam,myisammrg,ndbcluster
# or statically linked plugins
./configure --prefix=/usr/local --mandir=/usr/local/man --infodir=/usr/local/info/ --build=i386-srcbld-freebsd8.0 --localstatedir=/var/db/mysql --with-mysqld-user=mysql --with-mysqlmanager --enable-thread-safe-client --enable-assembler --with-tcp-port=3306 --without-debug --with-ssl=/usr/include -with-readline --enable-dependency-tracking --enable-local-infile --with-libwrap --with-low-memory --with-named-thread-libs=-pthread --with-embedded-server --with-big-tables --enable-profiling --with-plugin-partition --with-plugin-daemon_example --with-plugin-ftexample --with-plugin-archive --with-plugin-blackhole --with-plugin-csv --with-plugin-example --with-plugin-federated --with-plugin-heap --with-plugin-ibmdb2i --with-plugin-innobase --with-plugin-innodb_plugin --with-plugin-myisam --with-plugin-myisammrg --with-plugin-ndbcluster

# Compile
gmake all

# Install
gmake install
# GUI Tools
cd /usr/ports/databases/mysql-gui-tools/
make install clean distclean

# Install the base database
/usr/local/bin/mysql_install_db

# Set permissions to correct owner
chown -R mysql:mysql /var/db/mysql

# Start the server
cd /usr/local ; /usr/local/bin/mysqld_safe &
# Perform basic checks
/usr/local/bin/mysqladmin version
/usr/local/bin/mysqladmin variables
# Set a Password!
/usr/local/bin/mysqladmin -u root password mysqlpassword
# Secure a production server
/usr/local/bin/mysql_secure_installation
# Add a "mysql" user with password and grant that user permission to connect
/usr/local/bin/mysql --user=root --password=mysqlpassword mysql
GRANT ALL PRIVILEGES ON *.* TO mysql@localhost IDENTIFIED BY 'mysqlpassword' WITH GRANT OPTION;
GRANT ALL PRIVILEGES ON *.* TO mysql@"%" IDENTIFIED BY 'mysqlpassword' WITH GRANT OPTION;
GRANT ALL PRIVILEGES ON *.* TO root@localhost IDENTIFIED BY 'mysqlpassword' WITH GRANT OPTION;
FLUSH PRIVILEGES;
exit
# Add a "mysqltop" user with no password and no ability to make changes and only usable via localhost for the "mtop" CLI tool
/usr/local/bin/mysql --user=root --password=mysqlpassword mysql
grant super, reload, process on *.* to mysqltop;
grant super, reload, process on *.* to mysqltop@localhost;
flush privileges;
exit
# (Optional) Add some compatibility for Linux applications by creating a symbolic linksln -sv /usr/local/bin/mysqladmin /usr/bin/mysqladmin
ln -sv /usr/local/bin/mysqldump /usr/bin/mysqldump
# (Optional) Run some tests before going into production (optional)
# /usr/local/mysql-test/mysql-test-run --force
# cd /usr/local/mysql-test ; perl mysql-test-run.pl
# Report any problems with the /usr/local/bin/mysqlbug script

# Create the "rc" startup script
vi /usr/local/etc/rc.d/mysql-server
#!/bin/sh # # $FreeBSD: ports/databases/mysql51-server/files/mysql-server.sh.in,v 1.6 2008/07/30 06:11:16 ale Exp $ # # PROVIDE: mysql # REQUIRE: LOGIN # KEYWORD: shutdown # # Add the following line to /etc/rc.conf to enable mysql: # mysql_enable (bool): Set to "NO" by default. # Set it to "YES" to enable MySQL. # mysql_limits (bool): Set to "NO" by default. # Set it to yes to run `limits -e -U mysql` # just before mysql starts. # mysql_dbdir (str): Default to "/var/db/mysql" # Base database directory. # mysql_args (str): Custom additional arguments to be passed # to mysqld_safe (default empty). # . /etc/rc.subr name="mysql" rcvar=`set_rcvar` load_rc_config $name : ${mysql_enable="NO"} : ${mysql_limits="NO"} : ${mysql_dbdir="/var/db/mysql"} : ${mysql_args=""} mysql_user="mysql" mysql_limits_args="-e -U ${mysql_user}" pidfile="${mysql_dbdir}/`/bin/hostname`.pid" command="/usr/local/bin/mysqld_safe" command_args="--defaults-extra-file=${mysql_dbdir}/my.cnf --user=${mysql_user} --datadir=${mysql_dbdir} --pid-file=${pidfile} ${mysql_args} > /dev/null 2>&1 &" procname="/usr/local/libexec/mysqld" start_precmd="${name}_prestart" start_postcmd="${name}_poststart" mysql_install_db="/usr/local/bin/mysql_install_db" mysql_install_db_args="--ldata=${mysql_dbdir}" mysql_create_auth_tables() { eval $mysql_install_db $mysql_install_db_args >/dev/null 2>/dev/null [ $? -eq 0 ] && chown -R ${mysql_user}:${mysql_user} ${mysql_dbdir} } mysql_prestart() { if [ ! -d "${mysql_dbdir}/mysql/." ]; then mysql_create_auth_tables || return 1 fi if checkyesno mysql_limits; then eval `/usr/bin/limits ${mysql_limits_args}` 2>/dev/null else return 0 fi } mysql_poststart() { local timeout=15 while [ ! -f "${pidfile}" -a ${timeout} -gt 0 ]; do timeout=$(( timeout - 1 )) sleep 1 done return 0 } run_rc_command "$1"

chmod +x /usr/local/etc/rc.d/mysql-server
vi /etc.rc.conf
mysql_enable="YES"

# Test the "rc" script
/usr/local/etc/rc.d/mysql-server restart
/usr/local/etc/rc.d/mysql-server stop
/usr/local/etc/rc.d/mysql-server start
/usr/local/etc/rc.d/mysql-server reload
# Clean up
cd /usr/src/mysql-?.?.*
make clean
# Perform basic checks using the password
/usr/local/bin/mysqladmin --user=root --password=mysqlpassword ping
/usr/local/bin/mysqladmin --user=root --password=mysqlpassword version
/usr/local/bin/mysqladmin --user=root --password=mysqlpassword variables
/usr/local/bin/mysqladmin --user=mysql --password=mysqlpassword var ext stat ver

# Edit your /etc/my.cnf
# See my example my.cnf

# Get the free MySQL Administrator to optimize and test your settings! UNTESTED AT THIS POINT DO NOT USE
# cd /usr/ports/devel/libglade2
# make install clean
# cd /usr/ports/x11-toolkits/gtkmm24
# make install clean
# cd /usr/ports/databases/mysql-administrator
# make install clean
# cd /usr/src
# fetch http://mysql.he.net/Downloads/MySQLGUITools/mysql-gui-tools-5.0r12.tar.gz

# Performance tuning
# Edit /etc/my.cnf
vi /etc/my.cnf
# The following options will be passed to all MySQL clients [client] #password = mysqlpassword port = 3306 socket = /tmp/mysql.sock # The MySQL server [mysqld] #bind-address = 172.16.2.100 port = 3306 socket = /tmp/mysql.sock skip-locking max_connections = 1000 max_heap_table_size = 128M # Ernie Settings ################ # # Default key_buffer = 8M key_buffer = 32M # # Default query_cache_size = 0 query_cache_size = 32M # # Default innodb_buffer_pool_size = 8M innodb_buffer_pool_size = 32M # # Default comment out log-bin to disable replication #log-bin # # Default myisam_sort_buffer_size = 8M myisam_sort_buffer_size = 64M # # Default read_buffer_size = 128K read_buffer_size = 2M # # Default sort_buffer_size = 2M sort_buffer_size = 2M # # Default table_cache = 64 table_cache = 512 # # Default thread_cache = 0 thread_cache = 8 # Unaltered Defaults max_allowed_packet = 1M read_rnd_buffer_size = 4M thread_concurrency = 8 # Replication ID server-id = 1 [mysqldump] quick max_allowed_packet = 16M [mysql] no-auto-rehash # Remove the next comment character if you are not familiar with SQL #safe-updates [isamchk] key_buffer = 128M sort_buffer_size = 128M read_buffer = 2M write_buffer = 2M [myisamchk] key_buffer = 128M sort_buffer_size = 128M read_buffer = 2M write_buffer = 2M [mysqlhotcopy] interactive-timeout

# Restart MySQL
/usr/local/etc/rc.d/mysql.sh restart

# Check out your MySQL settings and tune /etc/my.cnf do more as desired
/usr/local/bin/mysqladmin --user=mysql --password=mysqlpassword var ext stat ver
Perl with Modules - Scripting language with add-ons to get actual work done

# DBI - http://dbi.perl.org
# Launch the CPAN shell anytime
/usr/bin/perl -MCPAN -e shell

# Install HTTP::Date
install HTTP::Date
yes
# Install DBI
install DBI

# install DBD::mysql
install DBD::mysql

#
install Net::SNMP

#
install CGI

#
force install SNMP::Info
yes

#
install HTML::HeadParser

#
install URI

#
install Bundle::LWP

#
install BSD::Resource

install Digest::MD5
install Digest::SHA1
install Digest::SHA2
install Net::Telnet
install Time::HiRes
install Net::Server
install Unicode::Map
install Jcode
install Spreadsheet::WriteExcel
yes
yes

force install Proc::ProcessTable # CTRL-C if it locks up
install IO::Scalar
install Spreadsheet::ParseExcel

# After installation, exit CPAN shell
exit
# CPAN shell commands to know - just FYI
? <-- Display Help Menu
reload cpan <-- Reloads CPAN interface
i /DBD/ <-- Searches for any module with "DBD" in the name
install DBI <-- Installs module "DBI"

# SNMP_Session - http://www.switch.ch/misc/leinen/snmp/perl/
# Change to your desired "source" storage directory
cd /usr/src

# Download
fetch http://snmp-session.googlecode.com/files/SNMP_Session-1.13.tar.gz
# Unzip and Untar
tar xvf SNMP_Session-?.??.tar.gz

# Configure
cd SNMP_Session-?.??
perl Makefile.PL

# Compile
make

# Install
make install

# cgi-lib.pl - http://cgi-lib.berkeley.edu
# Change to the FreeBSD Ports directory for cgi-lib.pl
cd /usr/ports/www/cgi-lib.pl

# Install
make install

# Below is an example CGI that uses PERL that you can use later after you have Apache installed
# A basic html page with form fields that submits to a pl script that reads the values passed to it
# Example web page simple.html (that calls simple.pl)
vi /usr/local/www/data/simple.html
<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> </head> <body> <form method="POST" name="form1" action="/cgi-bin/simple.pl"> <table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber1"> <tr> <td colspan="2"> <p align="center"><font size="4">Login</font></td> </tr> <tr> <td align="right">What is your User Name: </td> <td><input type="text" name="Username" size="20"></td> </tr> <tr> <td align="right">What is your Password:</td> <td><input type="password" name="Password" size="20"></td> </tr> <tr> <td align="right"> </td> <td><input type="submit" value="Fake Login Test" name="B1"></td> </tr> </table> </form> </body> </html>
# Example PERL CGI Script simple.pl
vi /usr/local/www/cgi-bin/simple.pl
#!/usr/bin/perl require "cgi-lib.pl"; # Read in all the variables set by the form &ReadParse(*input); $Username = $input{'Username'}; $Password = $input{'Password'}; # Print the header + html top print &PrintHeader; print &HtmlTop ("Hello World\n"); print "<STRONG>Hello World</STRONG><BR>\n"; print "<STRONG>Username entered was: $Username</STRONG><BR>\n"; print "<STRONG>Password entered was: $Password</STRONG><BR>\n"; print "<BR>Link: \<A HREF\=\"/simple\.html\"\>simple\.html\</A\><BR><BR>\n"; # End the web page print &HtmlBot; exit 0;
# File Permissions
chmod a+x /usr/local/www/cgi-bin/simple.pl
chown www:www /usr/local/www/data/simple.html
chown www:www /usr/local/www/cgi-bin/simple.pl
# Edit Apache config to allow cgi and pl files to execute by editing, un-commenting and adding 3 things
vi /usr/local/etc/apache22/httpd.conf
Options FollowSymLinks ExecCGI
ScriptAlias /cgi-bin/ "/usr/local/www/cgi-bin/"
AddHandler cgi-script .cgi .pl
# Restart Apache
/usr/local/sbin/apachectl -k restart
# Test out the script
http://YourServer/simple.html
# Clean up
cd /usr/ports/www/cgi-lib.pl make clean distclean
FreeTDS - Library that enables UNIX (via Perl) to talk to Microsoft SQL Servers (and Sybase)
# Change to your desired "source" storage directory
cd /usr/src

# Download (Notes: Users behind a Proxy Server should read this and users without Internet but have a CDRom read this.)
fetch http://ibiblio.org/pub/Linux/ALPHA/freetds/stable/freetds-stable.tgz

# Unzip and Untar
tar xvf freetds-stable.tgz

# Configure
cd freetds-?.??/
./configure --enable-msdblib --with-tdsver=8.0

# Compile & Install
make install clean
# PHP tests for a FreeTDS installation by looking for files that FreeTDS no longer installs
touch /usr/local/include/tds.h
touch /usr/local/lib/libtds.a

# DBD::Sybase - http://www.peppler.org/freeware/dbd-sybase.html
# Change to your desired "source" storage directory
cd /usr/src

# Download
fetch http://www.peppler.org/downloads/DBD-Sybase-1.08.tar.gz
# Ungzip and Untar
tar xvf DBD-Sybase-?.??.tar.gz

# Change to the source directory
cd DBD-Sybase-?.??
# Set a few shell variables temporarily
SYBASE=/usr/local/
export SYBASE
LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:$SYBASE/lib
export LD_LIBRARY_PATH

# Add the needed environment variables (so it they survive reboots) to /etc/rc.local
vi /etc/rc.local
# FreeTDS DBD::Sybase support for connecting to Microsoft SQL SYBASE=/usr/local/ export SYBASE LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:$SYBASE/lib export LD_LIBRARY_PATH

# Fix dbdimp.c before compiling or you will get an error:
> dbdimp.c:800: error: 'BLK_VERSION_150' undeclared (first use in this function)
> dbdimp.c:800: error: (Each undeclared identifier is reported only once
> dbdimp.c:800: error: for each function it appears in.)
# This is really a FreeTDS bug - they define the CS_VERSION_1xx symbols, but not the corresponding BLK_VERSION_xxx symbols.
Edit dbdimp.c and add
vi /usr/src/DBD-Sybase-1.08/dbdimp.c
#define BLK_VERSION_150 BLK_VERSION_100
#define BLK_VERSION_125 BLK_VERSION_100
#define BLK_VERSION_120 BLK_VERSION_100

somewhere near the top (but after the #include section).

Michael
Michael Peppler - Peppler Consulting SaRL
mpeppler@peppler.org - http://www.peppler.org

# Create the Makefile - press "Enter" on any questions to accept default settings
perl Makefile.PL

# Compile
make
# make test

# Install
make install clean

# Optional test script - safe to ignore / skip this
# Test a connection to a Microsoft SQL Server
# (You should already have a database called "test" a table "authors" a field "Name")

# Create a scripts directory if one does not already exist
cd /opt
mkdir scripts
cd /opt/scripts
# Create a script for testing
vi /opt/scripts/my.pl
#!/usr/bin/perl use DBI; $dbh = DBI->connect('dbi:Sybase:server=SomeServer', 'sa', 'SomePassword') or die 'connect'; $dbh->do("use test"); $sth = $dbh->prepare('select Name from authors') or die 'prepare'; $sth->execute or die 'execute'; while (@data = $sth->fetchrow_array) { print "$data[0]\n"; } $sth->finish; $dbh->disconnect;
# Make the script executable
chmod +x /opt/scripts/my.pl
# Run the script
/opt/scripts/my.pl

# Note: Edit freetds.conf to suit your needs
vi /usr/local/etc/freetds.conf

# UNIXODBC - http://www.unixodbc.org
# Install unixODBC from ports
cd /usr/ports/databases/unixODBC/
make install clean distclean
Net-SNMP - SNMP Trap Receiver (traplogd) logging service + SNMP tool set
# Add SNMP TT
cd /usr/ports/net-mgmt/snmptt
make install clean distclean

# Download (Notes: Users behind a Proxy Server should read this and users without Internet but have a CDRom read this.)
cd /usr/src
fetch http://easynews.dl.sourceforge.net/sourceforge/net-snmp/net-snmp-5.4.2.1.tar.gz

# Warning 5.5 is broken in FreeBSD8 - tested 2/11/2010
# fetch http://downloads.sourceforge.net/project/net-snmp/net-snmp/5.5/net-snmp-5.5.tar.gz
# ./configure --prefix=/usr/local --build=i386-src-freebsd8.0 --disable-debugging --with-mib-modules="if-mib" --with-perl-modules --enable-embedded-perl --enable-shared --with-default-snmp-version=2 --with-sys-contact="scomoletti@gmail.com" --with-sys-location="Earth" --with-zlib=/usr/local/lib --with-bzip2=/usr/local/lib --with-openssl=/usr/local/ssl/lib --with-logfile=/var/log/snmpd.log --with-persistent-directory=/var/net-snmp --enable-as-needed --enable-internal-md5 --enable-mfd-rewrites --enable-reentrant --disable-snmptrapd-subagent --with-transports="UDP UDPIPv6 TCPIPv6 TCP Unix Callback Alias SSH DTLSUDP" --with-security-modules="usm ksm tsm" --enable-ipv6 --enable-new-features --with-mysql --with-mib-modules="mibII snmpv3mibs ucd_snmp agent_mibs agentx notification target utilities disman/event disman/schedule host smux mibII/mta_sendmail ucd-snmp/diskio if-mib"
# configure: error: if-mib/data_access/interface: *** This platform does not yet support IF-MIB rewrites ***

# Ungzip and Untar
tar xvf net-snmp-5*

# Configure
cd net-snmp-5*
# New way:
./configure --prefix=/usr/local --build=i386-src-freebsd8.0 --disable-debugging --with-mib-modules="if-mib" --with-perl-modules --enable-embedded-perl --enable-shared --with-default-snmp-version=2 --with-sys-contact="YourEmail@gmail.com" --with-sys-location="Earth" --with-zlib=/usr/local/lib --with-bzip2=/usr/local/lib --with-openssl=/usr/local/ssl/lib --with-logfile=/var/log/snmpd.log --with-persistent-directory=/var/net-snmp --enable-as-needed --enable-internal-md5 --enable-mfd-rewrites --enable-reentrant --disable-snmptrapd-subagent

# Compile & Install
make
make install
make clean

# Create some directories and edit the snmptrapd.conf:
cd /usr/local/etc
mkdir snmp
vi /usr/local/etc/snmp/snmptrapd.conf
disableAuthorization yes

# Create an “rc” script to start at boot time:
vi /usr/local/etc/rc.d/snmpd
#!/bin/sh # # $FreeBSD: ports/net-mgmt/net-snmp/files/snmpd.sh.in,v 1.7 2007/10/27 07:20:34 kuriyama Exp $ # # PROVIDE: snmpd # REQUIRE: DAEMON # # Add the following line to /etc/rc.conf to enable snmpd: # # snmpd_enable="YES" # snmpd_enable=${snmpd_enable-"NO"} snmpd_flags=${snmpd_flags-""} snmpd_pidfile=${snmpd_pidfile-"/var/run/snmpd.pid"} snmpd_conffile=${snmpd_conffile-""} snmpd_flush_cache=${snmpd_flush_cache-"NO"} . /etc/rc.subr load_rc_config net_snmpd if [ ! -z "$net_snmpd_enable" ]; then echo "Warning: \$net_snmpd_enable is obsoleted." echo " Use \$snmpd_enable instead." snmpd_enable="$net_snmpd_enable" [ ! -z "$net_snmpd_flags" ] && snmpd_flags="$net_snmpd_flags" fi name=snmpd rcvar=`set_rcvar` command=/usr/local/sbin/${name} pidfile=${snmpd_pidfile} start_precmd=snmpd_precmd load_rc_config ${name} snmpd_precmd () { if checkyesno snmpd_flush_cache; then rm -vf /var/net-snmp/.snmp-exec-cache fi } case "${snmpd_flags}" in *-p\ *) echo "Warning: \$snmpd_flags includes -p option." \ "Please use \$snmpd_pidfile instead." ;; *) snmpd_flags="-p ${snmpd_pidfile} ${snmpd_flags}" ;; esac for conffile in ${snmpd_conffile}; do if [ ! -z ${conffile} -a -f ${conffile} ]; then if [ -z ${snmpd_conffile_set} ]; then snmpd_conffile_set="${conffile}" else snmpd_conffile_set="${snmpd_conffile_set},${conffile}" fi else echo "snmpd configuration file $conffile not set or not found." exit 1 fi done case "${snmpd_flags}" in *-c\ *) echo "Warning: \$snmpd_flags includes -c option." \ "Please use \$snmpd_conffile instead." ;; *) if [ ! -z "${snmpd_conffile_set}" ]; then snmpd_flags="-c ${snmpd_conffile_set} ${snmpd_flags}" fi ;; esac run_rc_command "$1"

vi /usr/local/etc/rc.d/snmptrapd
#!/bin/sh # # $FreeBSD: ports/net-mgmt/net-snmp/files/snmptrapd.sh.in,v 1.1 2006/05/08 05:00:27 clsung Exp $ # # PROVIDE: snmptrapd # REQUIRE: DAEMON # # Add the following line to /etc/rc.conf to enable snmptrapd: # # snmptrapd_enable="YES" # snmptrapd_enable=${snmptrapd_enable-"NO"} snmptrapd_flags=${snmptrapd_flags-"-p /var/run/snmptrapd.pid"} . /etc/rc.subr load_rc_config net_snmptrapd if [ ! -z "$net_snmptrapd_enable" ]; then echo "Warning: \$net_snmptrapd_enable is obsoleted." echo " Use \$snmptrapd_enable instead." snmptrapd_enable="$net_snmptrapd_enable" [ ! -z "$net_snmptrapd_flags" ] && snmptrapd_flags="$net_snmptrapd_flags" fi name=snmptrapd rcvar=`set_rcvar` command=/usr/local/sbin/${name} pidfile=/var/run/${name}.pid load_rc_config ${name} run_rc_command "$1"

# Make the startup script executable:
chmod +x /usr/local/etc/rc.d/snmpd
chmod +x /usr/local/etc/rc.d/snmptrapd

# Edit rc.conf to allow remote syslog messages since you now allow remote traps!
vi /etc/rc.conf
syslogd_flags="" snmpd_enable="NO" snmpd_flags="-a" snmpd_conffile="/etc/snmpd.config" snmptrapd_enable="YES" snmptrapd_flags="-m ALL -Ls 7 -a -p /var/run/snmptrapd.pid"

# Edit syslog.conf and add "local7.*" to the "/var/log/messages" line:
vi /etc/syslog.conf
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err;local7.* /var/log/messages

# Restart Syslog
killall -HUP syslogd

# Notes
# MIBS are here: /usr/local/share/snmp/mibs

# Optional
# Edit snmpd.conf to suit your needs (Remember to fix /etc/rc.conf - snmpd_enable="YES" if you want the agent turned on - security risky!)
vi /etc/snmpd.config

# The agent section is not complete yet - use at your own risk
/usr/local/bin/snmpconf -G
/usr/local/bin/snmpconf -r none -g basic_setup
# Note: This section about the "agent" (snmpd) is not complete - My intention was to get the "server" (traplogd) running quickly.
# Your help is welcomed here!

PHP - Scripting language preferred by many web based applications
# Add IMAP c-Client with SSL support to PHP
cd /usr/src
fetch ftp://ftp.cac.washington.edu/imap/imap-2007e.tar.gz
tar xvf imap-2007e.tar.gz
cd /usr/src/imap-2007e
make bsf

# Add xmlrpc support to PHP
cd /usr/ports/net/xmlrpc-epi/
make install clean distclean

# Get PHP
cd /usr/src
# fetch http://us2.php.net/distributions/php-5.3.0.tar.gz 5.2.10 breaks PEAR and mcrypt and 5.3.0 breaks everything!
# fetch http://us2.php.net/distributions/php-5.2.9.tar.gz
fetch http://museum.php.net/php5/php-5.2.9.tar.gz

# Unzip and Untar
tar xvf php-?.?.*.tar.gz

# Stop Apache
/usr/local/sbin/apachectl -k stop
# Change directory
cd php-?.?.*

# Configure
./configure --with-apxs2=/usr/local/sbin/apxs --with-mysql=/usr/local --with-openssl=/usr --with-mssql=/usr/local --with-zlib --with-jpeg-dir=/usr/local/lib --with-freetype-dir=/usr/local/lib --enable-exif --with-png-dir=/usr/local/lib --enable-calendar --enable-ftp --with-libxml-dir=/usr/local/lib --with-snmp=/usr/local --enable-magic-quotes --enable-mbstring --enable-sockets --with-gd --enable-gd-native-ttf --enable-soap --enable-sigchild --with-mssql --with-bz2 --with-kerberos --with-unixODBC --with-ldap --with-curl --with-curlwrappers --with-pdo-dblib --with-cdb --enable-bcmath --with-mcrypt=/usr/local/lib --enable-zip --with-gettext --with-imap=/usr/src/imap-2007e --with-imap-ssl --with-mysqli --enable-fastcgi --enable-embedded-mysqli --enable-wddx --with-xmlrpc

# Compile & Install
make install clean
#cd /usr/ports/security/php5-mcrypt
#make install clean

# Copy the "php.ini" file
cp /usr/src/php-5.2.9/php.ini-recommended /usr/local/lib/php.ini
# Edit the Apache configuration file (Add to the very bottom of the file!)
vi /usr/local/etc/apache22/httpd.conf
# PHP AddType application/x-httpd-php .php .phtml AddType application/x-httpd-php-source .phps
# Restart Apache:
/usr/local/sbin/apachectl -k start

# Create a PHP Info file
vi /usr/local/www/data/phpinfo.php
<?php // Show all information, defaults to INFO_ALL phpinfo(); ?>
chown -R www:www /usr/local/www/data
# Test the phpinfo.php file with your web browser:http://YourServerIP/phpinfo.php
# Add some compatibility for Linux applications by creating a symbolic linkln -sv /usr/local/bin/php /usr/bin/php # Edit the "php.ini" to suit your needs!
vi /usr/local/lib/php.ini
# You may want to add: /usr/local/lib/php to your php.ini include_path
include_path = ".:/usr/local/lib/php"
# Turn on zlib compressed output
# zlib.output_compression = On
# Tune a few other parameters as you see fit
max_execution_time = 300
max_input_time = 300
memory_limit = 128M
register_globals = Off
post_max_size = 128M
upload_tmp_dir = /tmp
upload_max_filesize = 128M
sendmail_path = /usr/sbin/sendmail
magic_quotes_gpc = On
session.save_path = "/tmp"
error_reporting = E_ALL & ~E_DEPRECATED
display_errors = On

# Notes:
# PEAR system config file at: /usr/local/etc/pear.conf
# PDO headers: /usr/local/include/php/ext/pdo/
# Use PEAR to install DB
pear install DB
pear install MDB2
pear install pear/MDB2#fbsql
pear install pear/MDB2#ibase
pear install pear/MDB2#mysql
pear install pear/MDB2#mysqli
pear install pear/MDB2#mssql
pear install pear/MDB2#oci8
pear install pear/MDB2#pgsql
pear install pear/MDB2#querysim
pear install pear/MDB2#sqlite
# phpMyAdmin - Web based MySQL Administration
cd /usr/src
fetch http://internap.dl.sourceforge.net/sourceforge/phpmyadmin/phpMyAdmin-3.2.1-all-languages.tar.gz
or
fetch http://downloads.sourceforge.net/project/phpmyadmin/phpMyAdmin/3.3.0-beta1/phpMyAdmin-3.3.0-beta1-all-languages.tar.gz
# Unzip and Untar
tar xvf phpMyAdmin-?.*.gz -C /usr/local/www/data/
mv /usr/local/www/data/phpMyAdmin-3.2.1-all-languages/ /usr/local/www/data/phpMyAdmin/
or
mv /usr/local/www/data/phpMyAdmin-3.3.0-beta1-all-languages/ /usr/local/www/data/phpMyAdmin/
# Create some directories
cd /usr/local/www/data/phpMyAdmin/
mkdir /usr/local/www/data/phpMyAdmin/config
mkdir /usr/local/www/data/phpMyAdmin/uploads
mkdir /usr/local/www/data/phpMyAdmin/exports
# Set directory permissions
chmod o+rw /usr/local/www/data/phpMyAdmin/config
chown -R www:www /usr/local/www/data
# Edit httpd.conf to allow "main.php" as a default web page for a directory listing, add main.php to the end of this line:
vi /usr/local/etc/apache22/httpd.conf
DirectoryIndex index.html index.php
# Restart Apache
/usr/local/sbin/apachectl -k restart

# Create the database: http://wiki.phpmyadmin.net/pma/pmadb
/usr/local/bin/mysqladmin --user=mysql --password=mysqlpassword create phpmyadmin

# Import the default database:
/usr/local/bin/mysql --user=mysql --password=mysqlpassword phpmyadmin < /usr/local/www/data/phpMyAdmin/scripts/create_tables.sql
/usr/local/bin/mysql --user=mysql --password=mysqlpassword phpmyadmin < /usr/local/www/data/phpMyAdmin/scripts/upgrade_tables_mysql_4_1_2+.sql

# Add a "mysqltop" user with no password and no ability to make changes and only usable via localhost for the "mtop" CLI tool
/usr/local/bin/mysql --user=mysql --password=mysqlpassword mysql
GRANT USAGE ON mysql.* TO 'pma'@'localhost' IDENTIFIED BY 'pmapassword';
GRANT SELECT (
    Host, User, Select_priv, Insert_priv, Update_priv, Delete_priv,
    Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv,
    File_priv, Grant_priv, References_priv, Index_priv, Alter_priv,
    Show_db_priv, Super_priv, Create_tmp_table_priv, Lock_tables_priv,
    Execute_priv, Repl_slave_priv, Repl_client_priv
    ) ON mysql.user TO 'pma'@'localhost';
GRANT SELECT ON mysql.db TO 'pma'@'localhost';
GRANT SELECT ON mysql.host TO 'pma'@'localhost';
GRANT SELECT (Host, Db, User, Table_name, Table_priv, Column_priv)
    ON mysql.tables_priv TO 'pma'@'localhost';
GRANT USAGE ON mysql.* TO 'pma'@"%" IDENTIFIED BY 'pmapassword';
GRANT SELECT, INSERT, UPDATE, DELETE ON phpmyadmin.* TO 'pma'@"%";
GRANT SELECT (
    Host, User, Select_priv, Insert_priv, Update_priv, Delete_priv,
    Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv,
    File_priv, Grant_priv, References_priv, Index_priv, Alter_priv,
    Show_db_priv, Super_priv, Create_tmp_table_priv, Lock_tables_priv,
    Execute_priv, Repl_slave_priv, Repl_client_priv
    ) ON mysql.user TO 'pma'@"%";
GRANT SELECT ON mysql.db TO 'pma'@"%";
GRANT SELECT ON mysql.host TO 'pma'@"%";
GRANT SELECT (Host, Db, User, Table_name, Table_priv, Column_priv)
    ON mysql.tables_priv TO 'pma'@"%";

GRANT ALL ON phpmyadmin.* TO pma@localhost IDENTIFIED BY 'pmapassword';
GRANT ALL ON phpmyadmin.* TO pma@"%" IDENTIFIED BY 'pmapassword';

flush privileges;
exit

cp /usr/local/www/data/phpMyAdmin/config.sample.inc.php /usr/local/www/data/phpMyAdmin/config/config.inc.php
chmod o+w /usr/local/www/data/phpMyAdmin/config/config.inc.php
# Web based configuration
# http://YourWebServer/phpMyAdmin/setup/index.php
rm -R /usr/local/www/data/phpMyAdmin/config

# Set directory permissions
chown -R www:www /usr/local/www/data/phpMyAdmin

# Create an ".htaccess" file to permit only users you specify to access phpMyAdmin from the web
vi /usr/local/www/data/phpMyAdmin/.htaccess
AuthUserFile /etc/phpMyAdminhtpasswd.users AuthName "phpMyAdmin Access" AuthType Basic require valid-user
# Add the first user to create the password file:
/usr/local/sbin/htpasswd -c /etc/phpMyAdminhtpasswd.users admin
# Add more users if you want without creating a new file:
/usr/local/sbin/htpasswd /etc/phpMyAdminhtpasswd.users SomeOtherUserNameHere

# Edit the Apache configuration file (Add to the very bottom of the file!)
vi /usr/local/etc/apache22/httpd.conf
# phpMyAdmin Alias /phpMyAdmin "/usr/local/www/data/phpMyAdmin" <Directory "/usr/local/www/data/phpMyAdmin"> AllowOverride AuthConfig Options ExecCGI Order allow,deny Allow from all </Directory>
# Update permissions
chown -R www:www /usr/local/www/data/
# Restart Apache
/usr/local/sbin/apachectl -k restart

# Quick test in your web browser (You should be prompted for a password:
http://YourServerIP/phpMyAdmin
ProFTPd - UNIX FTP Server

# Add a “cmsftpuser” user to your system:
mkdir /usr/home
ln -sv /usr/home /home
pw useradd cmsftpuser -n cmsftpuser -G www -s /usr/local/bin/bash -d /home/cmsftpuser/
passwd cmsftpuser
cmsftpuserpassword
cmsftpuserpassword
mkdir /home/cmsftpuser/
chown -R cmsftpuser:www /home/cmsftpuser/

cd /usr/ports/ftp/proftpd
make install clean distclean

vi /usr/local/etc/proftpd.conf
ServerName "joomla.netjunkies.net" UseIPv6 off UseReverseDNS off IdentLookups off

vi /etc/rc.conf
proftpd_enable="YES"
# Log in to Webmin and fix the proftpd binary location in the module configuration for ProFTPd
# https://YourServer:100000
# Path to ProFTPD executable: /usr/local/sbin/proftpd

shutdown -r now
# Joomla! - Joomla is an award-winning content management system

# Add some configuration settings to Apache to allow virtual directories
# http://rimuhosting.com/howto/virtualhosting.jsp
# http://www.experts-exchange.com/OS/Linux/Q_22539902.html

vi /usr/local/etc/apache22/httpd.conf

UseCanonicalName off

NameVirtualHost 209.195.211.6

<VirtualHost 209.195.211.6:80>
DocumentRoot "/usr/local/www/data"
ServerName netjunkies.net
ServerAlias joomla.netjunkies.net
<Directory "/usr/local/www/data">
allow from all
Options +Indexes
</Directory>
</VirtualHost>

<VirtualHost 209.195.211.6:80>
DocumentRoot "/usr/home/msh/www/data"
ServerName moresatisfyinghobbies.com
ServerAlias www.moresatisfyinghobbies.com
<Directory "/usr/home/msh/www/data">
allow from all
Options +Indexes
</Directory>
</VirtualHost>

# Add a “moresatisfyinghobbies” user to your system:
pw useradd msh -n msh -G www -s /usr/local/bin/bash -d /home/msh/
passwd msh
        mshpassword
        mshpassword
mkdir /home/msh/
mkdir /home/msh/www/
mkdir /home/msh/www/cgi-bin/
mkdir /home/msh/www/data/
chown -R www:www /home/msh/

# Restart Apache
/usr/local/sbin/apachectl -k restart

# Add Joomla to “moresatisfyinghobbies”
cd /home/msh/www/data/
fetch http://joomlacode.org/gf/download/frsrelease/10785/42655/Joomla_1.5.14-Stable-Full_Package.zip
unzip Joomla_1.5.14-Stable-Full_Package.zip
chown -R www:www /home/msh/www/data/
ls -alF /home/msh/www/data/
rm Joomla_1.5.14-Stable-Full_Package.zip
#        http://www.moresatisfyinghobbies.com/

Select English. Click Next.
Check for errors and warnings.
Next. Review license. Next.

Database type: MySQL
Hostname: localhost
User Name: root
Password: mysqlpassword
Database Name: joomla

Next.

FTP configuration: no
Next

Site name (may contain spaces)
Email address: YourEmail@gmail.com
Admin Password: joomlapassword
Next

rm -R /home/msh/www/data/installation

http://www.moresatisfyinghobbies.com/administrator
Admin ID: admin
Admin Password: joomlapassword

# chmod a+rw /home/msh/www/data/configuration.php
Mambo - CMS

cd /usr/src
fetch http://mambo-code.org/gf/download/frsrelease/388/790/MamboV4.6.5.tar.gz

mkdir /usr/local/www/data/mambo
tar xvf MamboV4.?.?.tar.gz -C /usr/local/www/data/mambo
chown -R www:www /usr/local/www/data

http://joomla.netjunkies.net/mambo/installation

rm -R /usr/local/www/data/mambo/installation
chown -R www:www /usr/local/www/data
WordPress - CMS

cd /usr/src
fetch http://wordpress.org/latest.tar.gz
mkdir /home/msh/www/data/blogs
tar xvf latest.tar.gz -C /home/msh/www/data/blogs
cp -R /home/msh/www/data/blogs/wordpress/* /home/msh/www/data/blogs/
rm -R /home/msh/www/data/blogs/wordpress/
chown -R www:www /home/msh/www/data/blogs

create a blank database called: mshwordpress

http://www.moresatisfyinghobbies.com/blogs
http://www.moresatisfyinghobbies.com/blogs/wp-admin/
Drupal - CMS

cd /usr/src
fetch http://ftp.drupal.org/files/projects/drupal-6.13.tar.gz

tar xvf drupal-?.??.tar.gz
mv /usr/src/drupal-?.?? /usr/local/www/data/drupal
cp /usr/local/www/data/drupal/sites/default/default.settings.php /usr/local/www/data/drupal/sites/default/settings.php
chmod a+x /usr/local/www/data/drupal/sites/default/settings.php
chown -R www:www /usr/local/www/

create a blank database called: drupal

http://joomla.netjunkies.net/drupal
Sugar CRM
cd /usr/src
fetch http://www.sugarforge.org/frs/download.php/5961/SugarCE-5.2.0j.zip
unzip SugarCE-5.2.0j.zip
mv /usr/src/SugarCE-Full-5.2.0j/ /usr/local/www/data/joomla/crm/
chown -R www:www /usr/local/www/data/joomla/crm/

#http://joomla.netjunkies.net/joomla/crm/install.php
Moodle
cd /usr/src
fetch http://download.moodle.org/stable19/moodle-weekly-19.zip
unzip moodle-weekly-19.zip
mkdir /usr/local/www/moodledata
mkdir /usr/local/www/data/joomla/lms/

chown -R www:www /usr/local/www/data/joomla/lms
phpBB3
cd /usr/src
fetch http://d10xg45o6p6dbl.cloudfront.net/projects/p/phpbb/phpBB-3.0.5.zip
unzip phpBB-3.0.5.zip
Gallery
#Add some utilities used by Gallery modules
cd /usr/ports/graphics/libkdcraw
make install clean distclean

cd /usr/ports/graphics/dcraw
make install clean distclean

cd /usr/ports/graphics/ImageMagick
make install clean distclean

cd /usr/ports/graphics/netpbm-devel
make install clean distclean

cd /usr/ports/graphics/netpbm
make install clean distclean

#cd /usr/src/
#wget ftp://ftp.imagemagick.org/pub/ImageMagick/ImageMagick-6.5.5-10.tar.gz

# Download Gallery Full
cd /usr/src/
wget http://downloads.sourceforge.net/project/gallery/gallery2/2.3/gallery-2.3-full.zip?use_mirror=voxel
unzip gallery-2.3-full.zip
mv /usr/src/gallery2/ /usr/local/www/data/joomla/gallery/
chown -R www:www /usr/local/www/data/joomla/gallery/

# create a blank database called: test_gallery2
/usr/local/bin/mysqladmin --user=mysql --password=mysqlpassword create test_gallery2

#http://joomla.netjunkies.net/joomla/gallery/
vi /usr/local/www/data/joomla/gallery/login.txt
chown -R www:www /usr/local/www/data/joomla/gallery/

mkdir /usr/local/www/g2data
chmod 777 /usr/local/www/g2data
chown -R www:www /usr/local/www/g2data

# Configure some modules after install completes
# The Dcraw module was installed, but needs configuration to be activated
# The ImageMagick module was installed, but needs configuration to be activated
# The Multiroot module was installed, but needs configuration to be activated
# The NetPBM module was installed, but needs configuration to be activated
# The Nokia Image Upload module was installed, but needs configuration to be activated
# The URL Rewrite module was installed, but needs configuration to be activated
TeamSpeak - TeamSpeak is flexible, powerful, scalable software which enables people to speak with one another over the Internet
phpMyEdit
Samba - A way for UNIX machines to interact with "Windows" based machines
# Download (Notes: Users behind a Proxy Server should read this and users without Internet but have a CDRom read this.)
# Download and Install from FreeBSD Ports Collection
cd /usr/ports/net/samba3
# Compile
make install
SSL Explorer - SSL VPN Server
PopTop - PPTP VPN Server
IPSec Tools and Racoon 2 - IPSec VPN Server
OpenVPN - SSL VPN Server
Avahi - http://avahi.org (and maybe http://www.apple.com/support/downloads/bonjourforwindows.html)
Amanda - http://amanda.zmanda.com
SAJAX - http://www.modernmethod.com/sajax/index.phtml
PAM - http://trac.des.no/openpam and http://www.freebsd.org/doc/en/articles/pam/pam-freebsd-modules.html and http://www.onlamp.com/pub/a/bsd/2003/02/20/FreeBSD_Basics.html
FreeRADIUS - http://freeradius.org
# Tripwire - Monitor and alert on file changes
# Tripwire v2.4.0.2 http://sourceforge.net/projects/tripwire
# Install Tripwire
cd /usr/ports/security/tripwire
make install
# Answer questions and set various passwords (remember these passwords) when prompted.

# Setup email addresses for notification as described here:
# http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/s1-tripwire-update-policy.html#S2-TRIPWIRE-EMAIL
mv /usr/local/etc/tripwire/twpol.txt /usr/local/etc/tripwire/twpol.txt.original
vi /usr/local/etc/tripwire/twpol.txt
# Be sure to replace every instance of YourEmail@YourDomain.com with your actual email address!
# Make sure you edit the "HOSTNAME=" variable! (Find out your hostname from a prompt by typing: hostname )

# # Global Variable Definitions # # These are defined at install time by the installation script. You may # Manually edit these if you are using this file directly and not from the # installation script itself. # @@section GLOBAL TWDOCS="/usr/local/share/doc/tripwire"; TWBIN="/usr/local/sbin"; TWPOL="/usr/local/etc/tripwire"; TWDB="/var/db/tripwire"; TWSKEY="/usr/local/etc/tripwire"; TWLKEY="/usr/local/etc/tripwire"; TWREPORT="/var/db/tripwire/report"; HOSTNAME=yourservername.yourdomain.com; @@section FS SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change SEC_SUID = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set SEC_BIN = $(ReadOnly) ; # Binaries that should not change SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often SEC_TTY = $(Dynamic)-ugp ; # Tty files that change ownership at login SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership SIG_LOW = 33 ; # Non-critical files that are of minimal security impact SIG_MED = 66 ; # Non-critical files that are of significant security impact SIG_HI = 100 ; # Critical files that are significant points of vulnerability # Tripwire Binaries ( rulename = "Tripwire Binaries", severity = $(SIG_HI), emailto = YourEmail@YourDomain.com ) { $(TWBIN)/siggen -> $(SEC_BIN) ; $(TWBIN)/tripwire -> $(SEC_BIN) ; $(TWBIN)/twadmin -> $(SEC_BIN) ; $(TWBIN)/twprint -> $(SEC_BIN) ; } # Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases ( rulename = "Tripwire Data Files", severity = $(SIG_HI), emailto = YourEmail@YourDomain.com ) { # NOTE: We remove the inode attribute because when Tripwire creates a backup, # it does so by renaming the old file and creating a new one (which will # have a new inode number). Inode is left turned on for keys, which shouldn't # ever change. # NOTE: The first integrity check triggers this rule and each integrity check # afterward triggers this rule until a database update is run, since the # database file does not exist before that point. $(TWDB) -> $(SEC_CONFIG) -i ; $(TWPOL)/tw.pol -> $(SEC_BIN) -i ; $(TWPOL)/tw.cfg -> $(SEC_BIN) -i ; $(TWPOL)/twcfg.txt -> $(SEC_BIN) ; $(TWPOL)/twpol.txt -> $(SEC_BIN) ; $(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_BIN) ; $(TWSKEY)/site.key -> $(SEC_BIN) ; #don't scan the individual reports $(TWREPORT) -> $(SEC_CONFIG) (recurse=0) ; } # Tripwire HQ Connector Binaries #( # rulename = "Tripwire HQ Connector Binaries", # severity = $(SIG_HI) #) #{ # $(TWBIN)/hqagent -> $(SEC_BIN) ; #} # # Tripwire HQ Connector - Configuration Files, Keys, and Logs # # Note: File locations here are different than in a stock HQ Connector # installation. This is because Tripwire 2.3 uses a different path # structure than Tripwire 2.2.1. # # You may need to update your HQ Agent configuation file (or this policy # file) to correct the paths. We have attempted to support the FHS standard # here by placing the HQ Agent files similarly to the way Tripwire 2.3 # places them. # #( # rulename = "Tripwire HQ Connector Data Files", # severity = $(SIG_HI) #) #{ # # # NOTE: Removing the inode attribute because when Tripwire creates a backup # # it does so by renaming the old file and creating a new one (which will # # have a new inode number). Leaving inode turned on for keys, which # # shouldn't ever change. # # # $(TWBIN)/agent.cfg -> $(SEC_BIN) -i ; # $(TWLKEY)/authentication.key -> $(SEC_BIN) ; # $(TWDB)/tasks.dat -> $(SEC_CONFIG) ; # $(TWDB)/schedule.dat -> $(SEC_CONFIG) ; # # # Uncomment if you have agent logging enabled. # #/var/log/tripwire/agent.log -> $(SEC_LOG) ; #} # Commonly accessed directories that should remain static with regards to owner and group ( rulename = "Invariant Directories", severity = $(SIG_MED), emailto = YourEmail@YourDomain.com ) { / -> $(SEC_INVARIANT) (recurse = false) ; } # # First, root's "home" # ( rulename = "Root's home", severity = $(SIG_HI), emailto = YourEmail@YourDomain.com ) { # /.rhosts -> $(SEC_CRIT) ; /.profile -> $(SEC_CRIT) ; /.cshrc -> $(SEC_CRIT) ; # /.exrc -> $(SEC_CRIT) ; # /.logout -> $(SEC_CRIT) ; # /.forward -> $(SEC_CRIT) ; /root -> $(SEC_CRIT) (recurse = true) ; !/root/.history ; !/root/.bash_history ; # !/root/.lsof_SYSTEM_NAME ; # Uncomment if lsof is installed } # # FreeBSD Kernel and boot code # ( rulename = "FreeBSD Kernel", severity = $(SIG_HI), emailto = YourEmail@YourDomain.com ) { /boot -> $(SEC_CRIT) ; } # # System Administration Programs # ( rulename = "System Administration Programs", severity = $(SIG_HI), emailto = YourEmail@YourDomain.com ) { /sbin -> $(SEC_CRIT) (recurse = true) ; /usr/sbin -> $(SEC_CRIT) (recurse = true) ; } # # User Utilities # ( rulename = "User Utilities", severity = $(SIG_HI), emailto = YourEmail@YourDomain.com ) { /bin -> $(SEC_CRIT) (recurse = true) ; /usr/bin -> $(SEC_CRIT) (recurse = true) ; } # # /dev # ( rulename = "/dev", severity = $(SIG_HI), emailto = YourEmail@YourDomain.com ) { } # # /etc # ( rulename = "/etc", severity = $(SIG_HI), emailto = YourEmail@YourDomain.com ) { /etc -> $(SEC_CRIT) (recurse = true) ; # /etc/mail/aliases -> $(SEC_CONFIG) ; /etc/dumpdates -> $(SEC_CONFIG) ; /etc/motd -> $(SEC_CONFIG) ; !/etc/ppp/connect-errors ; } # # Copatibility (Linux) # ( rulename = "Linux Compatibility", severity = $(SIG_HI), emailto = YourEmail@YourDomain.com ) { /compat -> $(SEC_CRIT) (recurse = true) ; # # Uncomment the following if Linux compatibility is used. Replace # HOSTNAME1 and HOSTNAME2 with the hosts that have Linux emulation port # installed. # #@@ifhost HOSTNAME1 || HOSTNAME2 # /compat/linux/etc -> $(SEC_INVARIANT) (recurse = false) ; # /compat/linux/etc/X11 -> $(SEC_CONFIG) (recurse = true) ; # /compat/linux/etc/pam.d -> $(SEC_CONFIG) (recurse = true) ; # /compat/linux/etc/profile.d -> $(SEC_CONFIG) (recurse = true) ; # /compat/linux/etc/real -> $(SEC_CONFIG) (recurse = true) ; # /compat/linux/etc/bashrc -> $(SEC_CONFIG) ; # /compat/linux/etc/csh.login -> $(SEC_CONFIG) ; # /compat/linux/etc/host.conf -> $(SEC_CONFIG) ; # /compat/linux/etc/hosts.allow -> $(SEC_CONFIG) ; # /compat/linux/etc/hosts.deny -> $(SEC_CONFIG) ; # /compat/linux/etc/info-dir -> $(SEC_CONFIG) ; # /compat/linux/etc/inputrc -> $(SEC_CONFIG) ; # /compat/linux/etc/ld.so.conf -> $(SEC_CONFIG) ; # /compat/linux/etc/nsswitch.conf -> $(SEC_CONFIG) ; # /compat/linux/etc/profile -> $(SEC_CONFIG) ; # /compat/linux/etc/redhat-release -> $(SEC_CONFIG) ; # /compat/linux/etc/rpc -> $(SEC_CONFIG) ; # /compat/linux/etc/securetty -> $(SEC_CONFIG) ; # /compat/linux/etc/shells -> $(SEC_CONFIG) ; # /compat/linux/etc/termcap -> $(SEC_CONFIG) ; # /compat/linux/etc/yp.conf -> $(SEC_CONFIG) ; # !/compat/linux/etc/ld.so.cache ; # !/compat/linux/var/spool/mail ; #@@endif } # # Libraries, include files, and other system files # ( rulename = "Libraries, include files, and other system files", severity = $(SIG_HI), emailto = YourEmail@YourDomain.com ) { /usr/include -> $(SEC_CRIT) (recurse = true) ; /usr/lib -> $(SEC_CRIT) (recurse = true) ; /usr/libdata -> $(SEC_CRIT) (recurse = true) ; /usr/libexec -> $(SEC_CRIT) (recurse = true) ; /usr/share -> $(SEC_CRIT) (recurse = true) ; /usr/share/man -> $(SEC_CONFIG) ; !/usr/share/man/whatis ; !/usr/share/man/.glimpse_filenames ; !/usr/share/man/.glimpse_filenames_index ; !/usr/share/man/.glimpse_filetimes ; !/usr/share/man/.glimpse_filters ; !/usr/share/man/.glimpse_index ; !/usr/share/man/.glimpse_messages ; !/usr/share/man/.glimpse_partitions ; !/usr/share/man/.glimpse_statistics ; !/usr/share/man/.glimpse_turbo ; /usr/share/man/man1 -> $(SEC_CRIT) (recurse = true) ; /usr/share/man/man2 -> $(SEC_CRIT) (recurse = true) ; /usr/share/man/man3 -> $(SEC_CRIT) (recurse = true) ; /usr/share/man/man4 -> $(SEC_CRIT) (recurse = true) ; /usr/share/man/man5 -> $(SEC_CRIT) (recurse = true) ; /usr/share/man/man6 -> $(SEC_CRIT) (recurse = true) ; /usr/share/man/man7 -> $(SEC_CRIT) (recurse = true) ; /usr/share/man/man8 -> $(SEC_CRIT) (recurse = true) ; /usr/share/man/man9 -> $(SEC_CRIT) (recurse = true) ; ! /usr/share/man/cat1 ; ! /usr/share/man/cat2 ; ! /usr/share/man/cat3 ; ! /usr/share/man/cat4 ; ! /usr/share/man/cat5 ; ! /usr/share/man/cat6 ; ! /usr/share/man/cat7 ; ! /usr/share/man/cat8 ; ! /usr/share/man/cat9 ; ! /usr/share/man/catl ; ! /usr/share/man/catn ; } # # sources # ( rulename = "Sources", severity = $(SIG_HI), emailto = YourEmail@YourDomain.com ) { /usr/src -> $(SEC_CRIT) (recurse = true) ; } # # NIS # ( rulename = "NIS", severity = $(SIG_HI), emailto = YourEmail@YourDomain.com ) { /var/yp -> $(SEC_CRIT) (recurse = true) ; !/var/yp/binding ; } # # Temporary directories # ( rulename = "Temporary directories", recurse = false, severity = $(SIG_LOW), emailto = YourEmail@YourDomain.com ) { /var/tmp -> $(SEC_INVARIANT) ; /var/preserve -> $(SEC_INVARIANT) ; /tmp -> $(SEC_INVARIANT) ; /opt -> $(SEC_INVARIANT) (recurse = true) ; } # # Local files # ( rulename = "Local files", severity = $(SIG_MED), emailto = YourEmail@YourDomain.com ) { /usr/local/bin -> $(SEC_BIN) (recurse = true) ; /usr/local/sbin -> $(SEC_BIN) (recurse = true) ; /usr/local/etc -> $(SEC_BIN) (recurse = true) ; /usr/local/lib -> $(SEC_BIN) (recurse = true ) ; /usr/local/libexec -> $(SEC_BIN) (recurse = true ) ; /usr/local/share -> $(SEC_BIN) (recurse = true ) ; /usr/local/man -> $(SEC_CONFIG) ; !/usr/local/man/whatis ; !/usr/local/man/.glimpse_filenames ; !/usr/local/man/.glimpse_filenames_index ; !/usr/local/man/.glimpse_filetimes ; !/usr/local/man/.glimpse_filters ; !/usr/local/man/.glimpse_index ; !/usr/local/man/.glimpse_messages ; !/usr/local/man/.glimpse_partitions ; !/usr/local/man/.glimpse_statistics ; !/usr/local/man/.glimpse_turbo ; /usr/local/man/man1 -> $(SEC_CRIT) (recurse = true) ; /usr/local/man/man2 -> $(SEC_CRIT) (recurse = true) ; /usr/local/man/man3 -> $(SEC_CRIT) (recurse = true) ; /usr/local/man/man4 -> $(SEC_CRIT) (recurse = true) ; /usr/local/man/man5 -> $(SEC_CRIT) (recurse = true) ; /usr/local/man/man6 -> $(SEC_CRIT) (recurse = true) ; /usr/local/man/man7 -> $(SEC_CRIT) (recurse = true) ; /usr/local/man/man8 -> $(SEC_CRIT) (recurse = true) ; /usr/local/man/man9 -> $(SEC_CRIT) (recurse = true) ; /usr/local/man/manl -> $(SEC_CRIT) (recurse = true) ; /usr/local/man/mann -> $(SEC_CRIT) (recurse = true) ; ! /usr/local/man/cat1 ; ! /usr/local/man/cat2 ; ! /usr/local/man/cat3 ; ! /usr/local/man/cat4 ; ! /usr/local/man/cat5 ; ! /usr/local/man/cat6 ; ! /usr/local/man/cat7 ; ! /usr/local/man/cat8 ; ! /usr/local/man/cat9 ; ! /usr/local/man/catl ; ! /usr/local/man/catn ; !/usr/local/krb5/man/whatis ; !/usr/local/krb5/man/.glimpse_filenames ; !/usr/local/krb5/man/.glimpse_filenames_index ; !/usr/local/krb5/man/.glimpse_filetimes ; !/usr/local/krb5/man/.glimpse_filters ; !/usr/local/krb5/man/.glimpse_index ; !/usr/local/krb5/man/.glimpse_messages ; !/usr/local/krb5/man/.glimpse_partitions ; !/usr/local/krb5/man/.glimpse_statistics ; !/usr/local/krb5/man/.glimpse_turbo ; ! /usr/local/krb5/man/cat1 ; ! /usr/local/krb5/man/cat2 ; ! /usr/local/krb5/man/cat3 ; ! /usr/local/krb5/man/cat4 ; ! /usr/local/krb5/man/cat5 ; ! /usr/local/krb5/man/cat6 ; ! /usr/local/krb5/man/cat7 ; ! /usr/local/krb5/man/cat8 ; ! /usr/local/krb5/man/cat9 ; ! /usr/local/krb5/man/catl ; ! /usr/local/krb5/man/catn ; /usr/local/www -> $(SEC_CONFIG) (recurse = true) ; } ( rulename = "Security Control", severity = $(SIG_HI), emailto = YourEmail@YourDomain.com ) { /etc/group -> $(SEC_CRIT) ; /etc/crontab -> $(SEC_CRIT) ; }

# Update your site policy
/usr/local/sbin/twadmin --create-polfile -S /usr/local/etc/tripwire/site.key /usr/local/etc/tripwire/twpol.txt
# Create a new database
/usr/local/sbin/tripwire --init
# Make sure tripwire runs daily
cp /usr/ports/security/tripwire/work/tripwire-2.4.1.2-src/contrib/tripwire-check /etc/periodic/daily/998.tripwire-check
chmod +x /etc/periodic/daily/998.tripwire-check
# Edit the default script and fix two lines!
vi /etc/periodic/daily/998.tripwire-check
TWCFG_PATH=/usr/local/etc/tripwire TWDB_PATH=/var/db/tripwire
# Run tripwire manually as desired (try it at least once now)
/usr/local/sbin/tripwire --check
# Tripwire Reports (*.twr) are kept here: /var/db/tripwire/report/
# Get a list of your reports
ls /var/db/tripwire/report
# View a report
/usr/local/sbin/twprint -m r --twrfile /var/db/tripwire/report/<name>.twr
# NOTE: After you see your first report, you will want to cleanup tripwire's configuration
# to stop checking for things that don't exist, this means deleting lines in twpol.txt
vi /usr/local/etc/tripwire/twpol.txt
# You will then need to update your policy file and create a new database again
/usr/local/sbin/twadmin --create-polfile -S /usr/local/etc/tripwire/site.key /usr/local/etc/tripwire/twpol.txt
/usr/local/sbin/tripwire --init
# Run tripwire manually again and view the new report to verify your policy is error free
/usr/local/sbin/tripwire --check
# Clean up the install directory
cd /usr/ports/security/tripwire
make clean
# Guide: http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/ch-tripwire.html
OpenNTPD - Time Server
RRDtool - Logging and Graphing
cd /usr/ports/databases/rrdtool/
make install clean distclean
Cacti - Network graphing solution designed to harness the power of RRDtool
Cacti Message Management - http://forums.cacti.net/viewtopic.php?t=31374
SNMP Trap Translator - http://www.snmptt.org/
SNMPTT Gui - http://snmptt-gui.sourceforge.net/

# Notes to self:
# cd /opt/scripts
# fetch http://www.N3NCY.com/NMSWorld/UNIX/bloom.pl.txt
# fetch http://www.N3NCY.com/NMSWorld/UNIX/PIAUpdateArray.pl.txt
# mv bloom.pl.txt bloom.pl
# mv PIAUpdateArray.pl.txt PIAUpdateArray.pl
# chmod a+x bloom.pl
# chmod a+x PIAUpdateArray.pl
# Download (Notes: Users behind a Proxy Server should read this and users without Internet but have a CDRom read this.)
cd /usr/src
fetch http://www.cacti.net/downloads/cacti-0.8.7e.tar.gz
# Unzip and Untar
tar xvf cacti-?.?.*.tar.gz

# Put Cacti under your public web area document root
mv /usr/src/cacti-?.?.?? /usr/local/www/data/cacti/

# Create the MySQL database:
/usr/local/bin/mysqladmin --user=mysql --password=mysqlpassword create cacti

# Import the default cacti database:
/usr/local/bin/mysql --user=mysql --password=mysqlpassword cacti < /usr/local/www/data/cacti/cacti.sql# Create a MySQL username and password for Cacti
/usr/local/bin/mysql --user=root --password=mysqlpassword mysql
GRANT ALL ON cacti.* TO cactiuser@localhost IDENTIFIED BY 'cactipassword';
GRANT ALL ON cacti.* TO cactiuser@"%" IDENTIFIED BY 'cactipassword';
flush privileges;
exit

# Edit include/config.php and specify the MySQL user, password and database for your Cacti configuration
#vi /usr/local/www/data/cacti/include/config.php
#$database_default = "cacti";
#$database_hostname = "localhost";
#$database_username = "cactiuser";
#$database_password = "cactipassword";
#$config['url_path'] = '/cacti/';
#cp /usr/local/www/data/cacti/include/config.php /usr/local/www/data/cacti/include/config.php
perl -i.bak -p -e 's/database_username = "\w*";/database_username = "cactiuser";/ig' /usr/local/www/data/cacti/include/config.php
perl -i.bak -p -e 's/database_password = "\w*";/database_password = "cactipassword";/ig' /usr/local/www/data/cacti/include/config.php

# Add a line to the very bottom of your /etc/crontab file
#vi /etc/crontab
## Cacti */5 * * * * root /usr/local/bin/php /usr/local/www/data/cacti/poller.php > /dev/null 2>&1
echo "# Cacti Poller" >> /etc/crontab
echo "*/5 * * * * root /usr/local/bin/php /usr/local/www/data/cacti/poller.php > /dev/null 2>&1" >> /etc/crontab
# Update directory permissions
chown -R www:www /usr/local/www/data
# Point your web browser to:
http://YourServersIP/cacti/

# Log in the with a username/password of admin
# You will be required to change this password immediately.
# Make sure to fill in all of the path variables carefully and correctly on the following screen.

# Get the "Plug-in Architecture" http://www.CactiUsers.org
cd /usr/local/www/data/cacti
fetch http://mirror.cactiusers.org/downloads/plugins/cacti-plugin-0.8.7e-PA-v2.5.zip
unzip cacti-plugin-0.8.7e-PA-v2.5.zip
chown -R www:www /usr/local/www/data

tar xvf cacti-plugin-arch.tar.gz
cp -R /usr/src/cacti-plugin-arch/files-0.8.7e/ /usr/local/www/data/cacti/
# Edit your Cacti global configuration file
vi /usr/local/www/data/cacti/include/global.php
$database_type = "mysql"; $database_default = "cacti"; $database_hostname = "localhost"; $database_username = "cactiuser"; $database_password = "cactipassword"; $database_port = "3306"; $config['url_path'] = '/cacti/';
perl -i.bak -p -e 's/database_username = "\w*";/database_username = "cactiuser";/ig' /usr/local/www/data/cacti/include/global.php
perl -i.bak -p -e 's/database_password = "\w*";/database_password = "cactipassword";/ig' /usr/local/www/data/cacti/include/global.php

# Import the default cacti database:
/opt/mysql/bin/mysql --user=cactiuser --password=cactipassword cacti < /usr/src/cacti-plugin-arch/pa.sql
# Set the file permissions in the web directories so the web server has permission to display them
chown -R www:www /usr/local/www/data
Syslog-NG - Syslog logging service with database support
# Install SyslogNG
cd /usr/ports/sysutils/syslog-ng3
make
make install
# Copy the sample configuration file to get you started
cp /usr/local/etc/syslog-ng/syslog-ng.conf.sample /usr/local/etc/syslog-ng.conf

# Edit your startup parameters to enable starting on reboot by adding two lines
vi /etc/rc.conf
syslog_ng_enable="YES"
syslogd_enable="NO"
syslogd_program="/usr/local/sbin/syslog-ng"
syslogd_flags=""

# Edit the SyslogNG configuration file to suit your needs
vi /usr/local/etc/syslog-ng.conf
#
# *.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
#
log { source(src); filter(f_notice); filter(f_not_authpriv); destination(messages); };
log { source(src); filter(f_kern); filter(f_debug); destination(messages); };
log { source(src); filter(f_lpr); filter(f_info); destination(messages); };
log { source(src); filter(f_mail); filter(f_crit); destination(messages); };
log { source(src); filter(f_news); filter(f_err); destination(messages); };
# HERE IS THE NEW LINE YOU NEED TO ADD
log { source(src); filter(f_local7); destination(messages); };

# Shut down the standard FreeBSD syslogd
kill `cat /var/run/syslog.pid`

# Start the new syslog-ng:
/usr/local/etc/rc.d/syslog-ng start
# /usr/local/sbin/syslog-ng
# At this point you have swapped out the FreeBSD built-in Syslog with the newer SyslogNG
ntop - Network application monitoring and NetFlow tool
TFTPD - TFTP Server
DHCPD - DHCP Server
Snort - Network intrusion detection system with Oinkmaster and BASE
Nessus - Network Vulnerability Scanner
Cisco Router Audit Tool - An automated Cisco configuration checking system

IV. End User Applications for UNIX Workstations

VNC - The vncviewer for connecting to servers
# Install a basic vncviewer
cd /usr/ports/net/tightvnc
make install clean distclean
# Launch it:
vncviewer
RDesktop - The rdesktop client for connecting to Microsoft Terminal Service from UNIX
# rdesktop is an open source client for Windows NT Terminal Server and Windows 2000/2003 Terminal Services
cd /usr/ports/net/rdesktop
make install clean distclean
# Example:
rdesktop 172.28.0.10 &
X Window System - A graphical window based environment for end users
KDE - K Desktop Environment
Firefox
Opera
Open Office
xv - Graphics viewer
Cygwin/X - Display "X11" applications running in FreeBSD on your Windows workstation

Now that you have a basic FreeBSD UNIX machine:
Head on over to www.NMSWorld.com to install "Network Management" related software like:
TFTPd, DHCPd, NTop, Nessus, Snort, MRTG, RRDTool, Cacti and more!