Building a Unix Server
Pages: 1, 2
Post-Install Configuration
When the installer finishes, follow through the post-install configuration
menus. When it asks to create a user, make sure to create an account for
yourself with a good password. Create an excellent password for the super-user
account. When asked to view the ports collection, I say "yes" so I can install
cvsup-without-gui and porteasy.
One of the first
tasks I do after rebooting into the new system -- before I even begin installing
the required server applications -- is to cvsup all of the changes
to the operating system that have occurred since its release.
However, the very first thing I do once the install is complete is to grab
my server binder. Up to this point I've taken only rough notes on my network
settings and partition sizes. Even I have trouble deciphering my handwriting,
so it's time to create some printable documentation. This is where
scp (secure copy) comes in handy. I make sure to have
sshd running on another system with a configured printer, then
copy over my hardware information:
% scp /var/run/dmesg.boot dru@192.168.1.10:/usr/home/druThe above command will access the SSH daemon running on 192.168.1.10, login
as the user dru and copy /var/run/dmesg.boot from
this system to dru's home directory on the other system. As you
can see, scp works just like the cp command, but
allows the source or destination file to be on another system.
I'll then send the output of my NIC settings:
% ifconfig > nic_settings && scp nic_settings dru@192.168.1.10:/usr/home/druDefault gateway settings:
% netstat -rn > gateway && scp gateway dru@192.168.1.10:/usr/home/druDNS settings:
% scp /etc/resolv.conf dru@192.168.1.10:/usr/home/druAnd partition and swap settings:
% df -h > disk_usage && scp disk_usage dru@192.168.1.10:/usr/home/dru
% swapinfo > swap_usage && scp swap_usage dru@192.168.1.10:/usr/home/druFrom the system running sshd, I can now print the copied files
and add them to my binder.
Securing the OS
Now it's time to start securing the system. First, I create a
cvs-supfile:
more /root/cvs-supfile
*default host=cvsup.ca.freebsd.org
*default base=/usr/local/etc/cvsup
*default prefix=/usr
*default tag=RELENG_5_2_1_RELEASE
*default release=cvs delete use-rel-suffix compress
src-allChoose a host= geographically close to you and make sure that
the tag= matches your OS. (See the cvsup section of the FreeBSD
Handbook for details.)
I'll then create the base directory and download the changed source:
# mkdir /usr/local/etc/cvsup
# cvsup -L 2 /root/cvs-supfileWhile the download continues, I start my hardening routine. I covered many
of the steps in Securing
FreeBSD. I'll also create an SSH banner on the server and use the
AllowUsers option to limit
SSH access to myself and other authorized staff.
When the download finishes, it's time to rebuild the world and the generic kernel:
# cd /usr/src
# make buildworld
# make buildkernel KERNCONF=GENERIC
# make installkernel KERNCONF=GENERIC
# make installworldAfter rebooting into the up-to-date OS, it's time to strip the kernel. I'll
carefully review each line in /usr/src/sys/i386/conf/GENERIC to
remove the hardware and options that aren't relevant to the server. I'll then
read through NOTES (or LINT) to see if there are
additional options that will increase the security or performance of the
server. Avleen Vig's Tuning FreeBSD for
different applications has some recommendations to get you started.
Next, I install and reboot into the new kernel, printing out a copy of the
kernel configuration file with comments explaining why I added the options I
did, for my server book. I then copy my kernel config file to another location
such as /usr/local/etc. At this point, it's a design decision
whether to remove /usr/src from the system. Removing it frees up
about 400 MB of space; however, /usr/src is sometimes necessary to
implement the solution to a security advisory.
Installing Software
Now that you have an up-to-date OS and an optimized kernel, it's time to
start installing software. While using pkg_add -r to install
pre-compiled binaries is quick and convenient, it isn't the best choice for a
server. The same goes for installing a port without first reading its
Makefile and combing through the installation instructions at the
application's web site. Server applications come with make options
which influence the application's behavior and performance. Be aware of these
options before you compile the binary. This brings us back to the "99%
preparation, 1% configuration" truism.
It also brings us back to your server documentation. As you install a
service, carefully note the make options you used. For example,
here are two entries from one of my server installs:
#installed from /usr/ports/www/apache2
#use "make show-options" to see available make options
#use "make show-modules" to see available modules
#use anon auth and disable SSI and autoindexing:
make -DWITHOUT_AUTH -DWITHOUT_MODULES="autoindex" \
-DWITHOUT_MODULES="include" install clean
#installed from /usr/ports/ftp/pure-ftpd
#install as stand-alone server with privilege separation
make -DWITH-PRIVSEP -DWITHOUT-INETD install cleanKnowing what options you used to compile the binary will greatly assist in troubleshooting future configuration issues. You'll also be able to repeat these options when you eventually upgrade the software.
How did I get those port directories to cd into when I didn't
install the ports collection? This is where porteasy comes into
play: it downloads just the ports skeletons you need. To do so, first set up
your environment:
# setenv CVSROOT :pserver:anoncvs@anoncvs.at.FreeBSD.org/home/ncvs
# touch /root/.cvspassThen, as you need a ports skeleton, tell porteasy what you
want:
# porteasy -u www/apache2That's it — all the convenience of the ports collection without maintaining the entire collection.
Keeping Software Up-to-Date
porteasy will also assist in keeping your software up-to-date.
I create a script like this:
echo "Updating installed ports skeletons"
porteasy -uI
echo "The following ports need upgrading:"
porteasy -s |grep "<"Note that this script will keep my ports skeleton up-to-date and inform me
of out-of-date ports; however, it won't upgrade them for me. This is actually
ideal for a server as you never want to upgrade applications blindly. Instead,
carefully plan the upgrade, research any changes to the new version and their
impact on your current configurations, and schedule the upgrade for a time that
will least impact users on the off-chance that the upgrade results in an
unforeseen glitch. Yes, I'm talking about more preparation. Most major server
applications have an upgrade section to their documentation; all applications
have an UPDATING or README that comes with the new
version. Read them all.
A Final Word on Configuration
The actual configuration of an application will definitely depend on the application. Fortunately, most of the major server products provide excellent documentation at their web sites. If anything, a poor sysadmin might suffer from information overload!
If it's your first time plunging into a product, especially something as complicated as a web or mail server, take the time to skim through all of the documentation before you install anything. Much of it won't apply, but it will give you a good idea of what options you have and what the configuration will entail. You'll probably also find sections that you'll want to print out and add to your server binder until you're more familiar with the product.
I always print out a copy of the original configuration file(s) that come with an application and store it in my server binder. I find it convenient to pencil in the changes that I made with comments to myself reminding me why I did so. An alternate approach is to carefully comment your changes as you make them and to print out the final result. Either way, you do want a hard copy to refer to. (It goes without saying that you'll have at least one software backup copy of both the original and modified configuration files.)
Dru Lavigne is a network and systems administrator, IT instructor, author and international speaker. She has over a decade of experience administering and teaching Netware, Microsoft, Cisco, Checkpoint, SCO, Solaris, Linux, and BSD systems. A prolific author, she pens the popular FreeBSD Basics column for O'Reilly and is author of BSD Hacks and The Best of FreeBSD Basics.
Read more FreeBSD Basics columns.
Return to the BSD DevCenter.
You must be logged in to the O'Reilly Network to post a talkback.
Showing messages 1 through 15 of 15.
-
Upgrading Perl
2005-02-19 14:24:45 jim58 [Reply | View]
This is getting a little off topic but in my quest to get porteasy running I ran into a problem. The version you get when you run the "pkg_add -r" command will not run on 4.11-RELEASE because it expects perl-5.8.5. 4.11-RELEASE
-
Confusion over the CVS tags
2005-02-19 13:26:13 jim58 [Reply | View]
I also have been confused by the CVS version tags for FreeBSD. Richard Bejtlich's
comment about Dru's use of the wrong tag was a little too modest.
Check out his excellent article about keeping the OS up to date at:
http://www.taosecurity.com/keeping_freebsd_up-to-date.html
In it you'll find the following (which is the best explanation I've seen:
*--*
The following examples begin with 5.3 RELEASE, the most recently published version of FreeBSD:
RELENG_5_3_0_RELEASE is FreeBSD 5.3 RELEASE, just as you might get on CD.
RELENG_5_3 is the "security" branch for 5.3, which is FreeBSD 5.3 RELEASE with patches for security advisories and critical fixes applied.
RELENG_5 is the development line of the FreeBSD 5 tree, also known as 5-STABLE
. ("dot"), also known as HEAD, is the development line of the next version of FreeBSD, 6.0, also known as 6-CURRENT or simply CURRENT
*--* -
Confusion over the CVS tags
2005-02-19 14:03:31 Dru Lavigne |
[Reply | View]
I agree. Richard's explanation of the tags is, by far, the clearest explanation out there :-)
-
Install porteasy without the ports col.
2005-02-19 13:16:33 jim58 [Reply | View]
I'm a newbie and have been dealing with the learning curve. I was a little confused by the porteasy advice in Dru's column.
I've installed 4.11-RELEASE because my old 5160D Toshiba wouldn't boot 5.3 from the CDROM. I also couldn't use the CD after booting 5.3 install from flippy. I could've FTP'd the install but I can envision wanting to use the CDROM in the future so 5.3 is out - at least for now.
Porteasy is not in the packages collection on the 4.11 CD-1 so how can I follow Dru's lean server advice?
When I found the -r option on pkg_add it all came togeter. If you're a newbie too try this command:
pkg_add -vr porteasy
You'll get the package installed directly from the FreeBSD ftp site - very cool :-) Then you can use porteasy to install the ports you need on your server.
-
post installation if security is a big issue
2004-09-06 06:46:53 simbo [Reply | View]
something that I think that everyone should consider is installing tripwire or aide to perform intrusion detection. these will scan the sensitive areas of your system for changes and alert you to them by email so that you can tell immediately when the system has been tampered with. they should be setup last. they are the
only way to find out whether you really have done everything necessary to keep the box secure. the oreilly book Linux security cookbook explains how to do set them up - and the tools and techniques are applicable to FreeBSD (or solaris or any other un*x).
i agree that saying up to date is important - but i would feel uncomfortable leaving the src and
compilers around on an Internet facing server at a high risk organisation such as a bank. it is best not to give an intruder any tools for them to brake further into the organisation. it is likely that a cracker is coming in using a different OS, kernel, hardware or distribution; so why give them everything they need to reconfigure your box to their liking? i am lucky enough to always have spare kit that is identical to the
production kit that is used as the build box for this reason. if this was not the case i would move just the src and compilers onto an encrypted partition using something like cryptoloop.
-
post installation if security is a big issue
2004-09-13 05:39:59 fintanr [Reply | View]
On Solaris post installation security is covered with the JASS toolkit (available as a free download).
- Fintan
-
Comment on cvsup tag
2004-09-02 10:59:51 taosecurity [Reply | View]
Hi Dru,
While reading your newest article I noticed you used this in your supfile:
*default tag=RELENG_5_2_1_RELEASE
If you use this tag on a 5.2.1 REL machine you won't update anything on the system. 'RELENG_5_2_1_RELEASE' is used when you want to cvsup to that RELEASE from, say, 5.1 or 5.0.
I think you wanted to use this tag to track security updates:
*default tag=RELENG_5_2
The Handbook explains these and other tags.
5_2 applies to 5.2.1 REL as well as 5.2 REL, incidentally.
Sincerely,
Richard Bejtlich
TaoSecurity.com -
Comment on cvsup tag
2004-09-16 02:01:32 WebHeads [Reply | View]
Hai there bsd guru's out there,
I think i have a problem with cvsup.
I use the tag
*default host=cvsup1.FreeBSD.org
*default base=/usr/local/etc/cvsup
*default prefix=/usr
*default tag=RELENG_4_1_RELEASE
*default release=cvs delete use-rel-suffix compress
src-all
to update the 4.10 release, but when i run the cvsup it delete's all my src's.
When i try to use this tag RELENG_4_10_RELEASE
i have the same problem.
Please help me.
Grtz,
Edgar
-
It used to
2004-08-27 07:04:40 tlaurenzo1 [Reply | View]
If you were doing AWT image manipulation in your server app, it had to be able to connect to an XServer prior to Java 1.4. In Java 1.4, you can add an argument (I think it is "-Djava.awt.headless=true") that tells it to only enable the parts of AWT that don't depend on an XServer (this includes about everything that a server side app would use). -
It used to
2004-08-27 09:28:38 riksca [Reply | View]
That is great to know, thanks. -
java awt with headless server
2004-09-06 06:14:12 simbo [Reply | View]
The PJA Toolkit provides a pure java implimentation of AWT. You tell the JVM to use it on the startup options. This works with versions of earlier than 1.4. This is particularly helpful if you are using a server app that builds charts and other images that use the awt classes to draw the shapes.
-
Building a Unix Server - XFree86
2004-08-27 06:41:13 riksca [Reply | View]
I also believe that XFree86 does not belong on a server. Servers should be lean, mean, performance machines without the prettiness, bloat, or security implications provided by a GUI.
I would agree here except for one instance. If your building a webserver that uses Tomcat or any appserver that requires Java, Java requires XFree86.
BTW, I have found FreeBSD to be an outstanding platform for hosting Java-based websites.
~Rik -
Building a Unix Server - XFree86
2004-09-06 06:21:48 simbo [Reply | View]
Not really. If you dont put on XFree86 then you get class load errors on the sun implimentations of abstract classes that attempt to use XFree86 graphics libraries to do the work. This typically happens when the app is trying to draw charts or the like. To get around this you simply have to use a pure java implimentation of the graphics libraries. A good example is the free PJA Toolkit library. You tell the JVM to use it as the implimentation of the graphics libraries on the start up options.
I copied the files I wanted to print (for example named.conf) to the document root of my apache server, then I accessed the server from a browser appending the filename to the address like so http://192.168.1.100/named.conf The result is a printable text file accessible from a browser. Of course you could also copy and paste the text into a word processor if the formatting needed to be adjusted.