Deploying a FreeBSD 6.2 Server
Scope of This Document
I will assume that if you are reading this, you have completed the installation steps described in the previous document, Installing FreeBSD 6.2. This document shows the steps to take to deploy a FreeBSD server. The server will run the latest stable release from the Apache 2.2 tree, PHP 5, MySQL 5.0, Sendmail with SMTP-AUTH, webmail, BIND DNS, SNMP, synchronized local time, and Webmin. I have also included the steps to build a network graphing solution with RRDtool/Cacti; that part can be considered optional. This document is basically "the way I do it", and I hope you find it useful.
Setup Useful Daemons
We are going to install Webmin with SSL and net-snmp, and then set up ntpd for time synchronization. When you configure Webmin, be sure to choose 'yes' when asked if you want to use SSL. When configuring net-snmp, make sure you specify SNMP v1 and v2c community strings that only you know (the community string is the only credential those SNMP versions have). Portupgrade, Webmin, and net-snmp can all be safely installed using the 'pkg_add -r' method as well, if you want to save some time (although I usually prefer to build from the ports collection).
# cd /usr/ports/ports-mgmt/portupgrade; make install clean
# cd /usr/ports/sysutils/webmin; make install clean
# cd /usr/ports/net-mgmt/net-snmp; make install clean
Before setting up time synchronization, let's first manually sync the system clock (optional).
# ntpdate -v -b 0.us.pool.ntp.org
Configure net-snmp, and set your community strings.
# sh /usr/local/lib/webmin/setup.sh
Add these daemons to /etc/rc.conf, so that they start at boot.
ntpdate_enable="YES"
ntpdate_hosts="0.us.pool.ntp.org"
snmpd_enable="YES"
webmin_enable="YES"
ntpd_enable="YES"
ntpd requires the file /etc/ntp.conf to be created and populated with these settings:
server 0.us.pool.ntp.org
server 1.us.pool.ntp.org
server 2.us.pool.ntp.org
restrict 192.168.125.0 mask 255.255.255.0 nomodify notrap
driftfile /var/db/ntp.drift
Last, we start our daemons (Webmin was already started by its setup script):
# /etc/rc.d/ntpd start
# /usr/local/etc/rc.d/snmpd start
Configuring Mail Services
Now we will configure the Sendmail SMTP server with SMTP-AUTH. When we compile Sendmail, we want it to know that SASL2 will be used for SMTP authentication, so we need to add these items to /etc/make.conf:
SENDMAIL_CFLAGS=-I/usr/local/include -DSASL=2
SENDMAIL_LDFLAGS=-L/usr/local/lib
SENDMAIL_LDADD=-lsasl2
Now compile sasl2 and saslauthd (one operation; the saslauthd port pulls in cyrus-sasl2 as a dependency):
# cd /usr/ports/security/cyrus-sasl2-saslauthd; make install clean
Check the contents of /usr/local/lib/sasl2/Sendmail.conf and make sure it contains pwcheck_method: saslauthd:
# cat /usr/local/lib/sasl2/Sendmail.conf
pwcheck_method: saslauthd
Configure saslauthd to load at boot by adding its enable line to the end of /etc/rc.conf, then start it:
# /usr/local/etc/rc.d/saslauthd start
Now it's time to recompile Sendmail with SASL2 support:
# cd /usr/src/lib/libsm; make clean; make obj; make depend; make
# cd /usr/src/lib/libsmutil; make clean; make obj; make depend; make
# cd /usr/src/usr.sbin/sendmail; make clean; make obj; make depend; make; make install
Create your server's copy of the .mc file; it will be named [hostname].mc:
# cd /etc/mail
# make all
Edit the [hostname].mc file and add these lines (I put mine above DAEMON_OPTIONS):
define(`confAUTH_MECHANISMS',`PLAIN LOGIN')dnl
TRUST_AUTH_MECH(`PLAIN LOGIN')dnl
Set Sendmail to start (and listen) at boot by adding its enable line to /etc/rc.conf.
Create the file /etc/mail/local-host-names and insert the domain name(s) to accept mail for. Then finish the Sendmail rebuild:
# touch /etc/mail/local-host-names
# make all install restart
For good measure, I always give Sendmail a second restart through its rc script, forcing it to re-read all configuration files.
# /etc/rc.d/sendmail restart
Dovecot is going to be our POP3/IMAP daemon, so our users can retrieve their mail remotely.
# cd /usr/ports/mail/dovecot; make install clean
# cd /usr/local/etc
# cp dovecot-example.conf dovecot.conf
When you edit dovecot.conf, you will need to disable SSL support and enable plain-text login. Also verify that mail_extra_groups is set to mail.
ssl_disable = yes
disable_plaintext_auth = no
mail_extra_groups = mail
Configure Dovecot to start at boot by adding its enable line to /etc/rc.conf, and then start Dovecot:
# /usr/local/etc/rc.d/dovecot start
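With ssl_disable = yes and disable_plaintext_auth = no, POP3/IMAP passwords travel the network unencrypted, so it is worth being able to spot those two settings on a box you inherit. The following POSIX sh audit is an added example, not part of the original article; it parses the "key = value" lines of a dovecot.conf, and the names dovecot_settings, dovecot_get and dovecot_audit are mine.

```shell
#!/bin/sh
# Added example: report the two dovecot.conf settings from the walkthrough
# that leave POP3/IMAP credentials exposed on the wire.

# Print "key<TAB>value" for every non-comment assignment in the file $1.
dovecot_settings() {
    sed -e 's/#.*//' "$1" | awk -F'=' '
        NF >= 2 {
            key = $1; sub(/^[ \t]+/, "", key); sub(/[ \t]+$/, "", key)
            val = $2; sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            print key "\t" val
        }'
}

# Print the value of setting $2 from file $1, or nothing if it is unset.
dovecot_get() {
    dovecot_settings "$1" | awk -F'\t' -v k="$2" '$1 == k { print $2; exit }'
}

# Print one line per risky setting found in file $1, then the number of
# findings as the last line (0 means neither weak setting is present).
dovecot_audit() {
    n=0
    if [ "$(dovecot_get "$1" ssl_disable)" = "yes" ]; then
        echo "ssl_disable=yes: POP3/IMAP sessions are never encrypted"
        n=$((n + 1))
    fi
    if [ "$(dovecot_get "$1" disable_plaintext_auth)" = "no" ]; then
        echo "disable_plaintext_auth=no: passwords accepted over unencrypted sessions"
        n=$((n + 1))
    fi
    echo "$n"
}
```

Run it as dovecot_audit /usr/local/etc/dovecot.conf; the settings shown in this article produce two findings.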
Spam control is pretty much a necessity in this day and age, and SpamAssassin is up for the job.
# cd /usr/ports/mail/spamass-milter; make install clean
And add the following to /etc/rc.conf so that SpamAssassin will start at boot time:
spamd_enable="YES"
spamd_flags="-u spamd"
spamass_milter_enable="YES"
NOTE: I am still researching whether this next step is the [wrong] way to do this, but on my system I make this change so that spamd can write to a single directory in /root (so that it can keep its learning files updated). If you skip this, SpamAssassin will still work; it just won't be updating its whitelist.
# mkdir /root/.spamassassin
# chmod 775 /root/.spamassassin
# chown root:spamd /root/.spamassassin
Finally, create or edit the file /usr/local/etc/mail/spamassassin/local.cf. Here is an example that should get you started, but it would do you well to dig deeper into the available options.
rewrite_header Subject *****SPAM*****
report_safe 1
# trusted_networks 212.17.35.
# lock_method flock
required_score 5.0
use_bayes 1
bayes_auto_learn 1
skip_rbl_checks 0
use_razor2 1
use_dcc 1
use_pyzor 1
bayes_ignore_header X-Bogosity
bayes_ignore_header X-Spam-Flag
bayes_ignore_header X-Spam-Status
Start spamd and the milter:
# /usr/local/etc/rc.d/sa-spamd start
# /usr/local/etc/rc.d/spamass-milter start
Add the following to /etc/mail/[hostname].mc:
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass-milter.sock, F=, T=C:15m;S:4m;R:4m;E:10m')
define(`confINPUT_MAIL_FILTERS', `spamassassin')
Apply the configuration changes from [hostname].mc:
# make all install restart
Again, I always do the rc-script restart of Sendmail as well.
# /etc/rc.d/sendmail restart
Configuring Web Services
Next up is compiling Apache 2.2.x with mod_ssl and PHP 5. *Important!* Check the build options of /usr/ports/lang/php5 by typing 'make config' in that directory. Be sure that the Apache module option is selected, or PHP 5 will not work as planned!
# cd /usr/ports/www/apache22; make install clean
# cd /usr/ports/lang/php5; make install clean
A few lines need to be added to /usr/local/etc/apache22/httpd.conf so that the PHP module is used to serve PHP pages. At the end of the LoadModule section of httpd.conf, add:
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
Append the PHP index document to the DirectoryIndex line.
We need to generate an SSL key and certificate for the Apache server.
# openssl genrsa -des3 -out server.key 1024
# openssl req -new -key server.key -out server.csr
# openssl x509 -req -days 365 -in /root/server.csr -signkey /root/server.key -out /root/server.crt
Copy the key and certificate to the destination directory.
# cp ~/server.key /usr/local/etc/apache22/
# cp ~/server.crt /usr/local/etc/apache22/
I prefer to remove the passphrase from the key; otherwise you must enter it each time apache22 starts.
# cd /usr/local/etc/apache22/
# cp server.key server.key.orig
# openssl rsa -in server.key.orig -out server.key
Set the proper permissions on your new key and certificate.
# chmod 0400 /usr/local/etc/apache22/server.key
# chmod 0400 /usr/local/etc/apache22/server.crt
Uncomment the Include line for the SSL configuration in /usr/local/etc/apache22/httpd.conf (remove the leading '#').
Add the Apache enable line, with SSL turned on, to /etc/rc.conf so that Apache starts with SSL at boot.
Compile the SquirrelMail webmail interface:
# cd /usr/ports/mail/squirrelmail; make install clean
Create httpd-local.conf in /usr/local/etc/apache22/Includes/ and add these lines to it:
<Directory /usr/local/www/squirrelmail>
    AllowOverride None
    Order Allow,deny
    Allow from all
</Directory>
Alias /webmail /usr/local/www/squirrelmail
Our httpd-local.conf is already pulled into httpd.conf by the Include directive on the last line of that file (take a look if you like). Last, start Apache:
# /usr/local/etc/rc.d/apache22 start
Configuring System Graphing, powered by MySQL
Compile the MySQL 5.0 server:
# cd /usr/ports/databases/mysql50-server; make install clean
Configure the MySQL server to load at boot by adding its enable line to /etc/rc.conf, and then start MySQL:
# /usr/local/etc/rc.d/mysql-server start
Cacti is a powerful network graphing utility that acts as a front end to RRDtool. This step compiles RRDtool and all of its dependencies for you.
# cd /usr/ports/net-mgmt/cacti; make install clean
In order to access the Cacti web directory, we have to add a Directory block to our Apache httpd-local.conf file. Edit /usr/local/etc/apache22/Includes/httpd-local.conf and add these lines:
<Directory /usr/local/share/cacti>
    AllowOverride None
    Order Allow,deny
    Allow from all
</Directory>
Alias /systems /usr/local/share/cacti/
Notice that we don't alias it as /cacti, but as /systems. This is to avoid the automated probing of the /cacti path by script kiddies looking for Cacti installations. Use /systems, or something else of your preference, but avoid using /cacti as the alias name. This needs to be added to /etc/crontab so that your system information is polled every 5 minutes:
*/5 * * * * cacti /usr/local/bin/php /usr/local/share/cacti/poller.php > /dev/null 2>&1
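Renaming the alias hides nothing from anyone who reads your access log, so it is worth checking whether /cacti is actually being probed and whether the new /systems path has attracted attention. The following is an added example, not part of the original article: an awk pass over a few constructed Apache combined-format log lines (the addresses and timestamps are made up, and the function names are mine).

```shell
#!/bin/sh
# Added example: count requests and distinct clients hitting a URL prefix
# (such as /cacti or /systems) in an Apache combined-format access log.

# Constructed sample log lines; stand-in for /var/log/httpd-access.log.
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [10/Mar/2007:03:12:44 +0000] "GET /cacti/ HTTP/1.0" 404 209 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Mar/2007:03:12:45 +0000] "GET /cacti/index.php HTTP/1.0" 404 209 "-" "Mozilla/4.0"
198.51.100.9 - - [10/Mar/2007:03:15:01 +0000] "GET /cacti/graph_view.php HTTP/1.1" 404 209 "-" "curl/7.15"
192.168.125.20 - - [10/Mar/2007:08:00:02 +0000] "GET /systems/graph_view.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.125.20 - - [10/Mar/2007:08:00:05 +0000] "GET /webmail/ HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
EOF
}

# Read a combined-format log on stdin; print "client<TAB>path<TAB>status"
# for every request whose path starts with the prefix given as $1.
probe_hits() {
    awk -v prefix="$1" '
        {
            # Fields: client - user [ts] "METHOD path HTTP/x" status size ...
            path = $7; status = $9
            if (index(path, prefix) == 1) print $1 "\t" path "\t" status
        }'
}

# Read a log on stdin; print the number of distinct clients that touched $1.
probe_sources() {
    probe_hits "$1" | cut -f1 | sort -u | wc -l | tr -d ' '
}

# Stand-alone run: list the /cacti probes and summarise both prefixes.
sample_log | probe_hits /cacti
echo "/cacti probed by $(sample_log | probe_sources /cacti) distinct client(s)"
echo "/systems used by $(sample_log | probe_sources /systems) distinct client(s)"
```

Against a real log, replace sample_log with cat /var/log/httpd-access.log (or whatever CustomLog path your httpd.conf names).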
Now, create the MySQL database:
# mysqladmin --user=root create cacti
Set the password for the cacti user.
# passwd cacti
Changing local password for cacti
New Password: [cactipasswd]
Retype New Password: [cactipasswd]
Edit the /usr/local/share/cacti/include/config.php file with the proper database settings:
$database_type = "mysql";
$database_default = "cacti";
$database_hostname = "localhost";
$database_username = "cacti";
$database_password = "cactipasswd";
$database_port = "3306";
Set the Cacti database's permissions.
# echo "GRANT ALL ON cacti.* TO cacti@localhost IDENTIFIED BY 'cactipasswd'; FLUSH PRIVILEGES;" | mysql
Import the default tables.
# mysql cacti < /usr/local/share/cacti/cacti.sql
Finally, log into the page using the /systems alias that was set up earlier. The default login and password is admin:admin, and you will be prompted to change it on your first successful login.
Install and configure the BIND DNS server, so that we can give our local network DNS resolution for internet hosts. When you start the install, the config page will come up. I leave "Replace base BIND with this version" unchecked. This way the port will keep us up to date, and if a security flaw is found in BIND, it's quite simple and quick to update it (instead of rebuilding world).
# cd /usr/ports/dns/bind9; make install clean
Configure /var/named/etc/namedb/named.conf to listen on all IPs, because by default it only wants to listen on loopback. Configure BIND to load at boot by adding its enable line to /etc/rc.conf.