Greg's Garage

I first started messing around with open source back when someone handed me a Redhat 5 CD at Comdex in the late '90s. Since then, I've tried dozens of different Linux distros on many different platforms for numerous things. As much as I love Linux, I have always run into difficulty keeping the machines up to date as various security patches are released. For one reason or another an update somewhere along the road would fail, and various parts of the install would stop working. I can't remember the exact point in time, but somewhere around 2004 I happened across one of the FreeBSD 5 versions and started playing around with it. Since then, I haven't touched another Linux distro. My current web server started out on FreeBSD 6.0 and has been updated 12 times through the entire 6.X & 7.X versions, all the way through 8.0 and 8.1, and is currently running 8.2. In 6 years, I have only run across a couple of instances when I had some minor difficulty updating some installed software, and have been very happy with FreeBSD. Since I ran into a lot of hiccups along the way, I thought that I would document everything I had to do to get my server up and running in its present configuration. What follows is the process I followed to set up a DNS / Mail / Web / Database server.

Installation

Most of the information you need to start an install is available in the handbook, which I won't repeat here. I will state that I usually do a network install, which only requires the latest "bootonly" ISO from freebsd.org to get up and running. This will download the necessary files from freebsd.org and install them onto your computer. When I start my install, I'll select the option to do a standard install, and then after setting up the disk partitions, I'll choose the "Minimal" distribution. After setting up the network configuration, the process takes around 5-10 minutes to install. It then asks you to enter a user account, set the administrator password and a couple of other options, and then reboots, and that's it. All done.

At this point, your system is pretty much a blank slate; there's not much there other than basic Unix commands. In order to do something with it, you're going to have to install software. The easiest way to do so is from the ports collection, a categorized collection of software that's been ported to run on FreeBSD. To install the ports collection, run the following at the root prompt:

FreeBSD# mkdir /usr/ports; portsnap fetch extract

After this runs for a while, it will install all the necessary files for you to be able to install any piece of software available in the ports collection. There are two different ways you can install a piece of software: you can either install a precompiled binary, or you can compile from source. Obviously installing a pre-compiled binary takes quite a bit less time, but the binaries might not be as current as compiling from source. I usually compile from source instead of installing binaries, as I suspect this is where my problems keeping a system up to date came from in the Linux realm. To compile one of the available ports, you just need to enter the directory it's located in and type "make install clean". If there are any needed dependencies, these will be installed as well. The first pieces of software I install are used to keep the kernel and the base system up to date.

FreeBSD# cd /usr/ports/net/cvsup-without-gui; make install clean
FreeBSD# cd /usr/ports/sysutils/fastest_cvsup; make install clean
FreeBSD# rehash

This will download, compile, and install the two utilities we need to update the base system, as well as any needed dependencies. This will take a while to compile, since Perl is a dependency. Software included in the base system that needs updating from time to time includes bind, sendmail & sshd. To stay on top of any needed updates to the base system, subscribe to the freebsd-security-notifications mailing list. Needed updates for the installed ports can be found by using other utilities such as portaudit or portmanager.

Once the above ports have been installed, it's time to rebuild world. This will ensure our base system is up to date, and help us avoid some issues when setting up Sendmail. To do this, first we will need to download the latest source, and then recompile the system. To download the latest source for the base system, we have to create a supfile, so cvsup knows what it needs to download. There are many options for how to do this; since I am only interested in updating the base system to the latest stable branch, I do the following:

FreeBSD# cp /usr/share/examples/cvsup/stable-supfile /root/supfile

Next, we download the latest source, letting fastest_cvsup pick the quickest US mirror for the -h option.

FreeBSD# cvsup -L 2 -h `fastest_cvsup -q -c us` /root/supfile

Once this process has completed, it's time to rebuild world by typing the following commands.

FreeBSD# cd /usr/obj
FreeBSD# chflags -R noschg *
FreeBSD# rm -rf *
FreeBSD# cd /usr/src
FreeBSD# make -j4 buildworld
FreeBSD# make buildkernel
FreeBSD# make installkernel
FreeBSD# reboot

When the system reboots, boot into single user mode (option 4 on the boot menu). This mode is similar to Windows Safe Mode, and ensures that there are no services running in the background when the base system is updated. After booting into single user mode, you'll be met with the following prompt:

Enter full pathname of shell or RETURN for /bin/sh:

Hit "Enter", then type the following commands:

# fsck -p
# mount -u /
# mount -a -t ufs
# swapon -a
# adjkerntz -i
# cd /usr/src
# mergemaster -p
# make installworld
# mergemaster
# reboot

Mergemaster is a script that allows you to overwrite existing configuration files with newer versions, ignore the updated versions leaving the current version intact, or merge the two together. This process allows you to keep the information that you've updated in place, while merging in new information that's been added. Since this is a new install, and I haven't modified any config files just yet, I go through and install the new configuration files that mergemaster locates, and reboot. Once the system comes back up, your system is fully updated, and ready to go. Now it's time to install a few utilities that I find invaluable:

FreeBSD# cd /usr/ports/ports-mgmt/portaudit; make install clean
FreeBSD# cd /usr/ports/ports-mgmt/portupgrade; make install clean
FreeBSD# cd /usr/ports/ports-mgmt/portmanager; make install clean
FreeBSD# cd /usr/ports/security/aide; make install clean
FreeBSD# rehash

portaudit audits the installed ports and identifies any software with known security issues. portupgrade can be used to upgrade the installed ports, and also includes the utilities portversion & portsclean. portversion identifies any software that is out of date, whereas portaudit only identifies software with security issues. portsclean is used to clean out any leftover work files that didn't get deleted when software was compiled. aide is a utility similar to tripwire. chkrootkit checks for any rootkits installed by hackers. I run most of these nightly by running crontab -e and adding the following (this has to be tab delimited, so be careful if cutting and pasting):

0      1     *     *     *     /usr/local/bin/aide -u
10     1     *     *     *     /usr/sbin/portsnap cron update && /usr/local/sbin/portversion -v | grep '<'

Running aide nightly checks for any changed files in sensitive areas of the system, and sends an email of the results (you must run "aide -i" to build the initial database before the above crontab entry will work).
Running chkrootkit nightly checks the system for any rootkits that may have been installed by hackers.
Running portsnap (with the cron option) & portversion allows me to update my ports tree, and identifies any software that has been updated recently.
Results of the above are received via email to the root account. You can su to root at the command line and enter "mail -u root" to read these, or you can forward them to another account in the sendmail aliases file in /etc/mail.


DNS

To get DNS up and running, simply add the following to your /etc/rc.conf file:

named_enable="YES"

In order to make it work, you need to edit a few files located in /etc/namedb, the first of which is named.conf. Here's a basic entry of what needs to be added to named.conf:

zone "your_site.com" {
     type master;
     file "your_site.com";
     allow-transfer
     { 192.168.0.15; };
};

The first line states what type of zone this entry is (I use master or slave depending on whether this is the primary DNS server or a backup). The second states the name of the config file for this site. The third allows zone transfers to and from the IP address on the 4th line (a backup DNS server).

The next file we will create is "your_site.com". It should look similar to the following:



$TTL     3h

@     IN     SOA     ns1.your_site.com.     hostmaster.your_site.com. (
     2011092200 ; serial
     3h ; refresh
     1h ; retry
     1w ; expire
     1h ; default_ttl
     )
@     IN   MX   5    mail.your_site.com.
@     IN   NS   ns1.your_site.com.
@     IN   NS   ns2.your_site.com.
@     IN   A    192.168.0.10
ns1   IN   A    192.168.0.10
ns2   IN   A    192.168.0.15
www   IN   A    192.168.0.10
mail  IN   A    192.168.0.10
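
Before starting bind, it is worth checking that the zone file and the allow-transfer entry in named.conf agree with each other. The Python script below is an added example, not part of this page, and assumes only the standard library: it parses a zone file laid out like the one above (the embedded copy is constructed from it, with the SOA timers folded onto one line), flags a serial that does not follow the YYYYMMDDnn convention, reports NS and MX targets with no A record, and compares the secondaries named in the NS records against the addresses permitted to transfer the zone, so a backup server that cannot pull the zone or an overly broad allow-transfer list is caught before named is started.

```python
import re
from datetime import datetime
ORIGIN = "your_site.com."
ALLOW_TRANSFER = {"192.168.0.15"}  # the allow-transfer list from the named.conf entry above
# Constructed copy of this page's zone file (SOA timers folded onto one line), used as sample input.
ZONE = """$TTL 3h
@    IN  SOA  ns1.your_site.com. hostmaster.your_site.com. (
     2011092200 ; serial
     3h 1h 1w 1h )
@    IN  MX  5  mail.your_site.com.
@    IN  NS  ns1.your_site.com.
@    IN  NS  ns2.your_site.com.
@    IN  A   192.168.0.10
ns1  IN  A   192.168.0.10
ns2  IN  A   192.168.0.15
mail IN  A   192.168.0.10
"""
def fqdn(name, origin=ORIGIN):  # '@' is the origin; a relative label gets the origin appended
    return origin if name == "@" else (name if name.endswith(".") else name + "." + origin)
def check_zone(text, allow_transfer, origin=ORIGIN):
    """Return the problems found in a master zone plus its allow-transfer list ([] means clean)."""
    lines = [re.sub(r";.*", "", ln) for ln in text.splitlines()]  # strip comments
    m = re.search(r"\sSOA\s+(\S+)\s+\S+\s*\(\s*(\d+)", " ".join(lines))
    if not m:
        return ["no SOA record found"]
    mname, serial, problems, a, ns, mx = fqdn(m.group(1), origin), m.group(2), [], {}, [], []
    try:  # the page's YYYYMMDDnn serial convention: ten digits whose first eight are a real date
        if len(serial) != 10: raise ValueError
        datetime.strptime(serial[:8], "%Y%m%d")
    except ValueError:
        problems.append("serial %s is not in YYYYMMDDnn form" % serial)
    for p in (ln.split() for ln in lines):
        if len(p) < 4 or p[1] != "IN" or p[2] == "SOA":
            continue  # $TTL directive, SOA continuation lines, blanks
        owner, rtype, rdata = fqdn(p[0], origin), p[2], p[3:]
        if rtype == "A":
            a[owner] = rdata[0]
        elif rtype == "NS":
            ns.append(fqdn(rdata[0], origin))
        elif rtype == "MX":
            mx.append(fqdn(rdata[-1], origin))
    for host in ns + mx:  # every in-zone NS and MX target needs an A (glue) record
        if host.endswith("." + origin) and host not in a:
            problems.append("no A record for %s" % host)
    secondaries = {a[h] for h in ns if h in a and h != mname}  # hosts that must be able to pull the zone
    for ip in sorted(secondaries - set(allow_transfer)):
        problems.append("secondary %s is not in allow-transfer" % ip)
    for ip in sorted(set(allow_transfer) - secondaries):
        problems.append("allow-transfer permits %s, which is not a listed secondary" % ip)
    return problems
```

Run check_zone on the real file (for example open("/etc/namedb/your_site.com").read()) with the addresses from your allow-transfer block; an empty list means the zone and the transfer policy are consistent.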



All you need to do now is start bind.

FreeBSD# /etc/rc.d/named start

You now have a basic system installed, along with DNS and the tools you need to keep it up to date. To see how I configured my system as a mail / web / database server, click here.