Deploying a FreeBSD 6.2 Server

From DFWLPiki
Jump to: navigation, search


Scope of This Document

I will assume that if you are reading this, that you have completed the installation steps described in the previous document Installing FreeBSD 6.2. This document will show the steps to take to deploy a FreeBSD server. This server will have the latest stable from the Apache 2.2 tree, PHP 5, MySQL 5.0, Sendmail with SMTP-AUTH, Webmail, Bind DNS, SNMP, synchronized local time, and Webmin. I have also included steps to take to build a network graphing solution with Rrdtool/Cacti, and this part can be considered optional. This document is basically, "the way I do it", and I hope you find it useful.

Setup Useful Daemons

We are going to install Webmin with SSL, net-snmp, and then set up ntpd for time synchronization. When you configure Webmin, be sure to choose 'yes' when asked if you want to use SSL. When configuring net-snmp, make sure you specify snmp-v1 and snmp-v2 community strings that only you know (this is for security). Portupgrade, Webmin, and net-snmp can all be safely installed using the 'pkg_add -r' method as well, if you want to save some time (all though I usually prefer to build from the ports collection).

# cd /usr/ports/ports-mgmt/portupgrade; make install clean
# cd /usr/ports/sysutils/webmin; make install clean
# cd /usr/ports/net-mgmt/net-snmp; make install clean

As we begin time synchronization, lets first manually sync the time of the computer (optional).

# ntpdate -v -b

Configure net-snmp, and set your community strings.

# snmpconf

Configure webmin.

# sh /usr/local/lib/webmin/

Add these daemons to /etc/rc.conf, so that they start at boot.


Ntpd will require the creation and population of the file /etc/ntp.conf, with these settings:

restrict mask nomodify notrap
driftfile /var/db/ntp.drift

Last, we start our daemons (webmin already started with the configuration script)

# /etc/rc.d/ntpd start; /usr/local/etc/rc.d/snmpd start

Configuring Mail Services

Now we will begin with configuring the Sendmail SMTP server, with SMTP-AUTH. When we compile Sendmail, we want it to recognize that we will use SASL2 for smtp authentication. So, we need to add these items to the file /etc/make.conf:

SENDMAIL_CFLAGS=-I/usr/local/include -DSASL=2

Now, compile sasl2 and sasl2-saslauthd (in 1 operation):

# cd /usr/ports/security/cyrus-sasl2-saslauthd; make install clean

Check the contents of /usr/local/lib/sasl2/Sendmail.conf, make sure it says: pwcheck_method: saslauthd

# cat /usr/local/lib/sasl2/Sendmail.conf
pwcheck_method: saslauthd

Configure saslauthd to load at boot. Add this to the end of /etc/rc.conf:


Start saslauthd

# /usr/local/etc/rc.d/saslauthd start

Now its time to recompile sendmail with SASL2 support.

# cd /usr/src/lib/libsm; make clean; make obj; make depend; make
# cd /usr/src/lib/libsmutil; make clean; make obj; make depend; make
# cd /usr/src/usr.sbin/sendmail; make clean; make obj; make depend; make; make install

Create your servers copy of the .mc file. it will be [hostname].mc.

# cd /etc/mail
# make all

Edit the [hostname].mc file, add these lines, I put mine above DAEMON_OPTIONS:


Set sendmail to start (and listen) at boot, so add this to /etc/rc.conf:


Create the file /etc/mail/local-host-names and insert your domain name(s) to accept mail for. Then, finish the sendmail re-build.

# touch /etc/mail/local-host-names
# make all install restart

For good measure, I always give Sendmail a second restart, forcing it to re-read all configuration files.

# /etc/rc.d/sendmail restart

Dovecot is going to be our POP3/IMAP daemon, so our users can get their mail from remote.

# cd /usr/ports/mail/dovecot; make install clean
# cd /usr/local/etc
# cp dovecot-example.conf dovecot.conf

When you edit the dovecot.conf file, you will need to disable ssl support, and enable plain text login. Also, verify that mail_extra_groups is set to mail.

ssl_disable = yes
disable_plaintext_auth = no
mail_extra_groups = mail

Configure Dovecot to start at boot, add this to /etc/rc.conf:


And then start dovecoot.

# /usr/local/etc/rc.d/dovecot start

Spam Control is pretty much a necessity in this day and age, and Spamassassin is up for the job.

# cd /usr/ports/mail/spamass-milter; make install clean

And add the following to /etc/rc.conf so that Spamassassin will start at boot time:

spamd_flags="-u spamd"
  • NOTE I am still researching if this next line is the [wrong] way to do this, but on my system, I make this change so that spamd can write to a single directory in /root (so that it can keep its learning files updated). If you skip this, spamassassin will still work, it just wont be updating its white list.
mkdir /root/.spamassassin
chmod 775 /root/.spamassassin
chown root:spamd /root/.spamassassin

Finally, create or edit the file /usr/local/etc/mail/spamassassin/ Here is an example that should get you started, but it would do you well to dig deeper into the available options.

rewrite_header Subject *****SPAM*****
report_safe 1
# trusted_networks 212.17.35.
# lock_method flock
required_score 5.0
use_bayes 1
bayes_auto_learn 1
skip_rbl_checks         0
use_razor2              1
use_dcc                 1
use_pyzor               1
bayes_ignore_header X-Bogosity
bayes_ignore_header X-Spam-Flag
bayes_ignore_header X-Spam-Status

Start Spamassassin:

# /usr/local/etc/rc.d/sa-spamd start
# /usr/local/etc/rc.d/spamass-milter start

Add the following to /etc/mail/[hostname].mc

INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass-milter.sock, F=, T=C:15m;S:4m;R:4m;E:10m')
define(`confINPUT_MAIL_FILTERS', `spamassassin')

Apply the configuration changes from [hostname].mc

# make all install restart

Again, I always do the scripted restart of Sendmail as well.

# /etc/rc.d/sendmail restart

Configuring Web Services

Next up, is to compile Apache 2.2.x, with mod_ssl and php5. *Important!* Check the Makefile in /usr/ports/lang/php5 by typing 'make config'. Be sure that the apache module is selected, or php5 will not work as planned!

# cd /usr/ports/www/apache22; make install clean
# cd /usr/ports/lang/php5; make install clean

There will need to be some lines to /usr/local/etc/apache22/httpd.conf so that the php modules will work, and load php pages. At the end of the LoadModules section of httpd.conf:

AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps

Append this to the line for DirectoryIndex:


We need to generate SSL keys for the Apache server.

# openssl genrsa -des3 -out server.key 1024
# openssl req -new -key server.key -out server.csr
# openssl x509 -req -days 365 -in /root/server.csr -signkey /root/server.key -out /root/server.crt

Copy the certs to the destination directory.

# cp ~/server.key /usr/local/etc/apache22/
# cp ~/server.crt /usr/local/etc/apache22/

I prefer to remove the passphrase from the cert, otherwise each time apache22 must start, you must enter the passphrase.

# cd /usr/local/etc/apache22/
# cp server.key server.key.orig
# openssl rsa -in server.key.orig -out server.key

Set the proper security on your new keys.

# chmod 0400 /usr/local/etc/apache22/server.key
# chmod 0400 /usr/local/etc/apache22/server.crt

Uncomment this line in the /usr/local/etc/apache22/httpd.conf to call the SSL config (remove the '#' sign)

#Include etc/apache22/extra/httpd-ssl.conf

Add this to /etc/rc.conf to autostart Apache with SSL at boot:


Compile the Squirrelmail webmail interface

# cd /usr/ports/mail/squirreloutlook; make install clean

Create httpd-local.conf in /usr/local/etc/apache22/Includes/, and add these lines to it:

<Directory /usr/local/www/squirreloutlook>
    AllowOverride None
    Order Allow,deny
    Allow from all
Alias /webmail /usr/local/www/squirreloutlook

Our httpd-local.conf will already be tied into the httpd.conf, because of the last line of the file (take a look if you like). Last, Start Apache.

# /usr/local/etc/rc.d/apache22 start

Configuring System Graphing, powered by MySQL

Compile MySQL 5.0 Server

# cd /usr/ports/databases/mysql50-server; make install clean

Configure MySQL server to load at boot, add this to /etc/rc.conf:


and then start MySQL

# /usr/local/etc/rc.d/mysql-server start

Cacti is a powerful network graphing utility that front ends Rrdtool. This process will compile Rrdtool and all of its dependencies for you.

# cd /usr/ports/net-mgmt/cacti; make install clean

In order to access the Cacti web directory, we have to add a directory listing to our apache httpd-local.conf file. Edit the file /usr/local/etc/apache/Includes/httpd-local.conf, and add these lines:

<Directory /usr/local/share/cacti>
    AllowOverride None
    Order Allow,deny
    Allow from all
Alias /systems /usr/local/share/cacti/

Notice, that we dont alias as /cacti, but as /systems. This is to avoid a security exploit, where the /cacti alias is randomly probed by script kiddies. Use /systems, or something else of your preference, but avoid using /cacti as the alias name. This needs to be added to your /etc/crontab, to poll your system information every 5 minutes.

*/5 * * * * cacti /usr/local/bin/php /usr/local/share/cacti/poller.php > /dev/null 2>&1

Now, Create the MySQL database:

mysqladmin --user=root create cacti

Set the passwd for the cacti user.

# passwd cacti
Changing local password for cacti
New Password: [cactipasswd]
Retype New Password: [cactipasswd]

Edit the /usr/local/share/cacti/include/config.php file for the proper database permissions:

$database_type = "mysql";
$database_default = "cacti";
$database_hostname = "localhost";
$database_username = "cacti";
$database_password = "cactipasswd";
$database_port = "3306";

Set the Cacti database's permissions.

echo "GRANT ALL ON cacti.* TO cacti@localhost IDENTIFIED BY 'cactipasswd'; FLUSH PRIVILEGES;" | mysql

Import the default tables.

mysql cacti < /usr/local/share/cacti/cacti.sql

Finally, log into the page, using the /system alias that was set up earlier. The default login and password is admin:admin, and you will be prompted to change it on your first successful login.

Configure Bind

Install and Configure Bind DNS server, so that we can give our local network DNS resolution against internet hosts. When you start the install, the config page will come up. I leave "Replace base BIND with this version" unchecked. This way the port will keep us up to date, and if a security flaw is found with bind, its quite simple and quick to update it (instead rebuilding the world).

# cd /usr/ports/dns/bind9; make install clean

Configure /var/named/etc/namedb/named.conf to listen on all ips, becuase by default it only wants to listen on loopback. Configure Bind to load at boot by adding this to /etc/rc.conf: