StuRa:Server/FreeBSD

2012-12-18T15:12:14Z

193.158.112.210: /* MDA: maildrop */

Dies ist die [[Server/Dokumentation | Dokumentation für den Betrieb der]] [[Server]] mit [[FreeBSD]].

== Sicherheit ==
* ports aktuell halten:
** portsnap /var/db/portsnap/INDEX
** edit /etc/crontab:
<code>0 13 * * * root portsnap -I cron fetch && portsnap update && pkg_version -vIL=</code>
* tägliches Audit der (installierten) Ports:
** portaudit /var/db/portaudit/auditfile.tbz
** edit /etc/crontab:
<code>0 14 * * * root portaudit -Fda</code>
* [http://www.vuxml.org/freebsd/ VuXML] abonnieren
* [http://security.freebsd.org/ http://security.freebsd.org/] mal durchlesen
* [http://nvd.nist.gov/ National Vulnerability Database] [http://nvd.nist.gov/download/nvd-rss.xml (NVD RSS)] abonnieren

=== Paketfilter ===
* [http://www.openbsd.org/faq/pf/ OpenBSD pf]
* in /etc/rc.conf:
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
# host system is gateway for jails
gateway_enable="YES"
* syslogd an Hauptmaschine binden
** in /etc/rc.conf: (evtl. -ss flag?)
<code>syslogd_flags="-b $MAIN_IP"</code>
* Paketfilter starten:
<code># /etc/rc.d/pf start
# /etc/rc.d/pflog start</code>
* pf.config: (check via <code>pfctl -vnf /etc/pf.conf</code>) (inzwischen veraltet)
### MAKROS
thishost = "$MAIN_IP"
# portsnap5 204.9.55.80
portsnap_freebsd = "{ 204.109.56.116 204.9.55.80 }"
# auditfile.tbz is beeing fetched from portaudit.freebsd.org
portaudit_freebsd = "69.147.83.36"
# dnsserver from resolv.conf
dnsserver = "{ 85.214.73.63 217.79.186.148 27.110.120.30 204.152.184.76 194.150$
### RULES
# default deny
block in all
block out all
# lokales interface darf ohne einschränkungen
pass in quick on lo0 all
pass out quick on lo0 all
## HOST
# allow ssh
pass in on bce0 proto tcp from any to $thishost port $SSH_PORT
pass out on bce0 proto tcp from $thishost port $SSH_PORT to any
## allow outbound icmp
# echo request
pass out inet proto icmp icmp-type 8 code 0 keep state
# echo reply
pass in inet proto icmp icmp-type 0 code 0 keep state
# destination unreachable
pass in inet proto icmp icmp-type 3 keep state
# allow DNS lookups {also via tcp?} port 53
# what about traversal???
pass out on bce0 proto udp from $thishost to $dnsserver port 53 keep state
# allow portsnap to fetch from freebsd.org (ports?)
pass in on bce0 proto tcp from $portsnap_freebsd to $thishost
pass out on bce0 proto tcp from $thishost to $portsnap_freebsd
# allow portaudit to fetch auditfile.tbz via http
pass in on bce0 proto tcp from $portaudit_freebsd port 80 to $thishost
pass out on bce0 proto tcp from $thishost to $portaudit_freebsd port 80
## JAIL Beispiel (uneingeschränkt -> '''dumme Idee''', ports dienstabhänging freigeben
pass in on bce0 proto { tcp udp icmp } from any to $jail_srs14
pass out on bce0 proto { tcp udp icmp } from $jail_srs14 to any

* regeln überprüfen: <code>pfctl -vnf /etc/pf.conf</code>

==== Paketfilter bedienen ====
* anschalten: <code>pfctl -e</code>
* ausschalten: <code>pfctl -d</code>
* sanity check: <code>pfctl -vnf /etc/pf.conf</code>
* alte Regeln ins Klo und neue in die Auslage: <code>pfctl -Fa -f /etc/pf.conf</code>

==== Verweise ====
* [http://openbsd.org/faq/pf/de/index.html PF: Der OpenBSD Packet Filter]
* [http://www.amazon.com/Building-Firewalls-OpenBSD-PF-2nd/dp/8391665119 Jacek Artymiak - Building Firewalls with OpenBSD and PF, 2nd edition]
* [http://www.nostarch.com/pf2.htm Peter N. M. Hansteen: The Book of PF, 2nd Edition - A No-Nonsense Guide to the OpenBSD Firewall]

=== FreeBSD audit ===
* faschistoides Logging von Systemcalls
* präventiv wirkungslos, aber in der post-mortem Analyse extrem hilfreich
* [http://www.freebsd.org/doc/de_DE.ISO8859-1/books/handbook/audit.html FreeBSD Kapitel 17. Security Event Auditing]
* in /etc/rc.conf
<code> auditd_enable="YES" </code>
* start auditd:
** <code># /etc/rc.d/auditd start</code>
* in /etc/security/audit_control:
flags:lo,aa,ex
policy:cnt,argv
synchronize config: audit -s
* cronjob für die logs: /etc/crontab
<code>0 */12 * * * root /usr/sbin/audit -n</code>

== Jails ==
Jails dienen der Virtualisierung von Betriebssysteminstanzen. Näheres dazu im [http://www.freebsd.org/doc/de_DE.ISO8859-1/books/handbook/jails.html FreeBSD Handbuch Kapitel 15 - Jails].

=== Jail Verzeichnis mit ZFS anlegen ===
* beim ersten Mal

<code>
# zfs create zpool/jails
# zfs set mountpoint=/usr/home/jails zpool/jails
</code>

* ansonsten reicht es

<code>
# zfs create zpool/jails/$JAILNAME
</code>

=== Anlegen eines Jails ===
* <code># cd /usr/src</code>
* evtl. erst Sourcen installieren: sysinstall-> configure -> distributions
* evtl. <code># make buildworld</code>
* Jails liegen unter /home/jails/$JAILNAME
* System für jail bauen:
<code>
# make installworld DESTDIR=/home/jails/$JAILNAME
# make distribution DESTDIR=/home/jails/$JAILNAME
</code>
* device nodes ins jail packen
** <code># mount -t devfs devfs /home/jails/$JAILNAME/dev</code>
* resolv.conf vom Host kopieren
** <code># cp /etc/resolv.conf /home/jails/$JAILNAME/etc/resolv.conf</code>
* rc.conf editieren:
jail_enable="YES"
jail_list="$JAILNAME"
ifconfig_bce0_alias0="$JAIL_IP netmask 255.255.255.0"
jail_$JAILNAME_rootdir="/path/to/jails/$JAILNAME"
jail_$JAILNAME_hostname="$JAILNAME.domain.tld"
jail_$JAILNAME_ip="$JAIL_IP"
jail_$JAILNAME_devfs_enable="YES"
jail_$JAILNAME_devfs_ruleset="devfsrules_jail"
* jail starten
** <code># /etc/rc.d/jail start</code>
* Prozess im jail starten
** <code># jexec $JAIL_ID tcsh</code>
** $JAIL_ID ermitteln mit
*** <code># jls</code>
* Defaultrouting einstellen
** etc/rc.conf
*** defaultrouting="<'''IP''' oder '''interfacename''':network>"
* portscollection installieren
** <code># portsnap fetch extract </code>
* portscollection updaten
** <code># portsnap fetch update </code>
* evtl. ssh anschalten (in rc.conf)
<code>sshd_enable="YES"</code>
* /etc/host
<code> #.#.#.# JAILNAME.stura.htw-dresden.de </code>

=== Löschen eines Jails ===
* ins jailroot wechseln (/home/jails/$JAILNAME)
<code>
# chflags -R noschg *
# rm -rf *
# cd .. && rm -r $JAILNAME (ohne ZFS)
# cd .. && zfs destroy tank/PATH/$JAILNAME (mit ZFS)
</code>

=== Tricks, Probleme etc. ===
* sich evtl. ezjail mal anschauen (war damals kaputt)
* ping aus jails heraus erlauben
** host: allow_raw_socket=1 via
*** <code># sysctl security.jail.allow_raw_sockets=1</code>
*** bzw. in /etc/sysctl.conf setzen
*** [http://www.cyberciti.biz/faq/freebsd-jail-allow-ping-tracerouter-commands/ Quelle]
* ssh:
** etc/ssh/sshd_config:
<code>ListenAddress 0.0.0.0</code>
* [http://www.freebsd.org/cgi/url.cgi?ports/ports-mgmt/jailaudit/pkg-descr jailaudit]
* Apache [http://www.freebsd.org/cgi/url.cgi?ports/www/mod_jail/pkg-descr mod_jail] als Alternative zu mod_chroot
* Linux in den jails
** [http://blog.vx.sk/archives/22-Updated-Tutorial-Debian-GNUkFreeBSD-in-a-FreeBSD-jail.html Debian im FreeBSD jail]
** [http://wiki.freebsd.org/Image/Linux/CentOS55 CentOS]

== ssh ==
* [http://openssh.com/ openssh]
* ssh auf anderen port legen
* Vorschläge für /etc/ssh/sshd_config:
<code>
VersionAddendum
Port $SSH_PORTNUMMER
ListenAddress $JAIL_IP
Protocol 2
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 1m
PermitRootLogin no
StrictModes yes
MaxAuthTries 4
MaxSessions 5
AllowUsers $DER_COOLE_LEUTE_CLUB #einzelne user nur mit leerzeichen trennen
PermitEmptyPasswords no
X11Forwarding no
Banner none
</code>
* immer schön manpage lesen und mit dem Feinkamm durchgehen
* keys + passwörter zur Authentifizierung
* in jails:<code>'''ListenAddress 0.0.0.0'''</code>

== Email ==
* MTA: [http://www.postfix.org/ postfix]
* MDA: [http://www.courier-mta.org/maildrop/ maildrop]
* IMAP server: [http://www.dovecot.org/ dovecot]
* MUA (clientseitig) empfohlen:
** [https://www.mozilla.org/de/thunderbird/ Mozilla Thunderbird]
** [http://sup.rubyforge.org/ sup]
*** [https://rubygems.org/ rubygems installieren]
*** archiv [https://rubygems.org/pages/download#formats runterladen] und entpacken
*** z.B. <code>wget http://production.cf.rubygems.org/rubygems/rubygems-1.8.10.tgz</code>
*** in den entpackten ordner wechseln
*** als root: <code>ruby setup.rb</code>
*** rubygems updaten: <code>gem18 update --system</code>
*** <code>gem18 install rake</code>
*** <code>gem18 install ncursesw</code> ... ''broken?''
*** sup aus den gems installieren: <code>gem18 install sup</code>
*** als user im home verzeichnis: <code>sup-config</code>
*** aufruf: <code>sup-mail</code> ... und schön durch die emails pflügen
** [http://www.mutt.org/ mutt]
*** config file "~/.muttrc"
set mbox_type=Maildir
set folder="~/Mail"
set mask="!^\\.[^.]"
set mbox="~/Mail"
set spoolfile="~/Mail"
set editor="mg"
set charset="utf-8"
set realname="XXX (StuRa HTW Dresden)"
set from="XXX@stura.htw-dresden.de"
set use_from=yes
set mime_forward=yes
set mime_forward_rest=yes

=== MTA: postfix ===
* in the email jail
* <code># cd /usr/ports/mail/postfix</code>
* <code># make install clean</code>
** postfix added to group mail -> y
** Would you like to activate Postfix in /etc/mail/mailer.conf -> y
* Einstellungen (Auszug + aliases)
** edit /usr/local/etc/postfix/main.cf:
local_recipient_maps = $alias_maps
unknown_local_recipient_reject_code = 550
mynetworks = 127.0.0.0/8
myhostname = mail.stura.htw-dresden.de
mydomain = stura.htw-dresden.de
myorigin = $mydomain
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
inet_interfaces = all
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
home_mailbox = Maildir/
mail_spool_directory = /var/spool/mail
relay_domains = stura.htw-dresden.de
smtpd_sender_restrictions = reject_unknown_sender_domain,
reject_non_fqdn_sender
smtpd_recipient_restrictions = reject_invalid_hostname,
reject_unknown_recipient_domain,
reject_unauth_destination,
reject_rbl_client sbl.spamhaus.org,
permit
smtpd_helo_restrictions = reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname,
reject_unknown_helo_hostname
smtpd_client_restrictions = reject_rbl_client dnsbl.sorbs.net

==== Links ====
* [http://www.postfix.org/ The Postfix Home Page]
* [http://chains.ch/docs/postfix-UCE-HOWTO-de.html Postfix UCE HOWTO] (Spamkontrolle)

=== IMAP-Server dovecot ===
* dovecot
** optionen: kqueue, ssl, managesieve, mysql
<code># echo 'dovecot_enable="YES"' >> /etc/rc.conf
# cp /usr/local/share/examples/dovecot/dovecot.conf /usr/local/etc/dovecot/dovecot.conf
# cp /usr/local/share/examples/dovecot/dovecot-sql.conf /usr/local/etc/dovecot/dovecot-sql.conf</code>
* dovecot2
** optionen: kqueue, ssl, mysql
<code>
# cp /usr/local/share/doc/dovecot/example-config/dovecot.conf /usr/local/etc/dovecot/dovecot.conf
# cp /usr/local/share/doc/dovecot/example-config/dovecot-sql.conf /usr/local/etc/dovecot/dovecot-sql.conf
</code>

* in /usr/local/etc/dovecot.conf: (vorerst zum testen)
<code>
protocols = imap pop3
disable_plaintext_auth = no
ssl = no
mail_location = mbox:~/mail/:INBOX=/var/mail/%u
mail_privileged_group = mail
protocol imap {
imap_client_workarounds = delay-newmail outlook-idle netscape-eoh tb-extra-mailbox-sep
}</code>
* '''Krypto drankleben (imap -> imaps, pop3 -> pop3s)'''

=== MDA: maildrop ===
* maildir in users homeverzeichnis anlegen
maildirmake Mail
* im homeverzeichnis die Datei .mailfilter anlegen:
MAILBOX="$HOME/Mail"
DEFAULT="$MAILBOX"
* chmod 600 .mailfilter
* maildrop in postfix main.cf einarbeiten
mailbox_command = /usr/local/bin/maildrop -d ${USER}

=== Tricks etc. ===
* alias-Adressen anlegen
** edit: /usr/local/etc/postfix/main.cf:
alias_maps = hash:/etc/aliases, hash:/etc/aliases.stura
alias_database = hash:/etc/aliases,hash:/etc/aliases.stura
* edit /etc/aliases.stura
* in das Postfix laden:
<code># newaliases
# postfix reload
# usr/local/etc/rc.d/postfix restart</code>
* SMTP testen:
<code># nc $JAIL_IP 25
# HELO microsoft.com
# MAIL FROM:<bill@microsoft.com>
# RCPT TO:<test@stura.htw-dresden.de>
# DATA
# From: <bill@microsoft.com>
# To: <stest@stura.htw-dresden.de>
# Subject: hui
# das hätte nicht passieren sollen
# .
# QUIT</code>

== Plone ==
* JoSch damals gebaut, zwischenzeitlich grundsaniert
* [http://www.freebsdforums.org/how-to-install-apache-for-freebsd/ Apache] installiert
* apache 22 optionen:
** mod_ssl
** mod_rewrite
** mod_deflate
** ipv6
* apr ohne berkeley db und gnu db
* [http://plone.org/documentation/kb/freebsdploneapache/preparefreebsd http://plone.org/documentation/kb/freebsdploneapache/preparefreebsd]
* [http://plone.org/products/plone/releases http://plone.org/documentation/kb/freebsdploneapache/preparefreebsd]

== DNS ==
* genutzt werden DNS Server des [https://www.foebud.org/ FoeBuD] und des CCC
* zusätzlich (für [http://www.opennicproject.org/ OpenNIC])
** DE,NRW 217.79.186.148 ns1.nrw.de.dns.opennic.glue Günter Grodotzki yes (no logs kept)
** NZ 27.110.120.30 ns1.nz.dns.opennic.glue Dean Gardiner yes (24 hrs)

== Tipps, Tricks etc. ==
* die Änderungen an Konfigurationsdateien (z.b. in /etc) via [http://git-scm.com/ git] tracken
* disk quotas für jails einrichten
* systemweite make.conf bauen
* rc.conf bzw. /etc/rc neu laden ohne reboot
** Achtung: über Konsole direkt am Gerät (single user mode verliert Netzwerkzugriff!)
# shutdown now
(Note: without -r or -h)
# return
# exit
* netzwerk (services) über ssh neu starten:
# /etc/rc.d/netif restart && /etc/rc.d/routing restart

=== Eigene Scripte ===
Wo:
* /root/scripte
Welche:
* Netzwerk neustart
** networkrestart.sh
* Startup script
** startsetup.sh
* ports Updaten
** portsup.sh
* jails bauen
** jailbuilder.sh
*** Anwenden
# ./jailbuilder.sh $JAILNAME

=== USB-Stick bauen ===
* auf einem FreeBSD
* Image runterladen:
wget ftp://ftp.de.freebsd.org/pub/FreeBSD/ISO-IMAGES-amd64/8.2/FreeBSD-8.2-RELEASE-amd64-memstick.img
* Image auf Stick dumpen
dd if=FreeBSD-8.2-RELEASE-amd64-memstick.img of=/dev/da0 bs=64k

== Server Setup Beschreibung ==
* /boot UFS, der Rest ZFS
* irgendwas zum booten nehmen (USB, DVD) und ab in die Fixit shell
* MBR Geometrie baun
gpart create -s mbr ad4
* nachschauen, ob es geklappt hat
gpart show ad4
* den Rest der Platte mit FreeBSD belegen
gpart add -s (aus gpart show Größe -1 )GB -t freebsd ad4
* riesigen BSD-slice anlegen
gpart create -s BSD ad4s1
* partitionen anlegen
gpart add -s 1G -t freebsd-ufs ad4s1
gpart add -s 4G -t freebsd-swap ad4s1
gpart add -t freebsd-zfs ad4s1
* Partition als aktiv markieren (falls andere schon drauf sind und von denen gebootet werden soll)
gpart set -a active -i 1 ad0

== Verweise etc. ==
* [http://www.freebsd.org FreeBSD.org] - [http://www.freebsd.org/doc/de_DE.ISO8859-1/books/handbook/ Handbuch]
* [http://www.freebsdwiki.net/ FreeBSD-wiki]
* [http://cb.vu/unixtoolbox.xhtml Unix Toolbox]
* [http://openbsd.org/faq/pf/de/index.html PF: Der OpenBSD Packet Filter]

=== Intern ===
* [[Server/Hauptsystem]]

=== Bücher ===
* [http://nostarch.com/abs_bsd2.htm Absolute FreeBSD, 2nd Edition]
* [http://eu.wiley.com/WileyCDA/WileyTitle/productCd-0470376031.html BSD UNIX Toolbox: 1000+ Commands for FreeBSD, OpenBSD and NetBSD]
* [http://nostarch.com/freebsdserver.htm Building a Server with FreeBSD 7]
* [http://nostarch.com/pf2.htm Book of PF, 2nd Edition]
* [http://www.amazon.com/Building-Firewalls-OpenBSD-PF-2nd/dp/8391665119 Jacek Artymiak - Building Firewalls with OpenBSD and PF, 2nd edition]
* [http://nostarch.com/endingspam.htm Ending Spam]
* [http://nostarch.com/networks.htm Network Know-How - An Essential Guide for the Accidental Admin]
* [http://nostarch.com/tcpip.htm Charles M. Kozierok: TCP/IP Guide - A Comprehensive, Illustrated Internet Protocols Reference]
* [http://nostarch.com/wcss.htm Dave Taylor: Wicked Cool Shell Scripts - 101 Scripts for Linux, Mac OS X, and UNIX Systems]

[[Kategorie:Rechentechnik]]

Wiki StuRa HTW Dresden - Benutzerbeiträge [de]

StuRa:Server/FreeBSD