Thursday, November 17, 2005

FreeBSD server configuration files

A while ago the machine at home was stolen. After I bought a new one and set it up I never wrote down how I did it; tonight is pretty boring, so I'll write it up.
I installed the 6.0 release directly.

After installing, first edit rc.conf:
kern_securelevel_enable="YES"
kern_securelevel="3"
syslogd_flags="-ss"
firewall_enable="NO"
ipfilter_enable="YES"
ipfilter_flags=""
ipmon_enable="YES"
ipmon_flags="-Dsvn"
ipnat_enable="NO"
icmp_drop_redirect="YES"
icmp_log_redirect="YES"
tcp_drop_synfin="YES"
named_enable="YES"
hostname="freebsd.damon.idv.tw"
ifconfig_fxp0="DHCP"
sendmail_enable="NONE"
sshd_enable="YES"
usbd_enable="YES"
mysql_enable="YES"
apache2_enable="YES"
apache2ssl_enable="YES"
Some of these aren't set up yet; never mind, put them all in now and add the rest later.

Add to /etc/csh.cshrc:
set autolist
setenv CLICOLOR
Then delete the .cshrc in the user's home directory.

Add to /etc/ipf.rules:
pass out quick on fxp0 proto tcp from fxp0 to any keep state
pass out quick on fxp0 proto udp from fxp0 to any keep state
pass out quick on fxp0 proto icmp from fxp0 to any keep state
block out log quick on fxp0 all
pass in quick on fxp0 proto tcp from any to fxp0 port = 80 keep state
pass in quick on fxp0 proto udp from any to fxp0 port = 80 keep state
pass in quick on fxp0 proto tcp from any to fxp0 port = 443 keep state
pass in quick on fxp0 proto udp from any to fxp0 port = 443 keep state
pass in quick on fxp0 proto tcp from any to fxp0 port = 25 keep state
pass in quick on fxp0 proto udp from any to fxp0 port = 25 keep state
pass in quick on fxp0 proto tcp from any to fxp0 port = 53 keep state
pass in quick on fxp0 proto udp from any to fxp0 port = 53 keep state
pass in quick on fxp0 proto tcp from any to fxp0 port = 22 keep state
pass in quick on fxp0 proto udp from any to fxp0 port = 22 keep state
block return-rst in log quick on fxp0 from any to fxp0
block return-icmp-as-dest(port-unr) in log quick on fxp0 proto udp from any to fxp0
block in log quick on fxp0 all
pass in quick on lo0 all
pass out quick on lo0 all
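As an added example (not from the post), a small POSIX sh check that compares the inbound ports a ruleset like the one above passes with what sockstat -4l reports as listening, so a port opened "to fill in later" (25 above, while sendmail_enable is NONE) stands out. It assumes the rule form used above and that the rules and the sockstat output are saved in files given as parameters; the interface name is a parameter too.

```sh
# Added example (not from the post): cross-check the inbound proto/port pairs an
# ipf.rules file passes on an interface against saved "sockstat -4l" output.
# Assumes the post's "pass in quick on IF proto P ... port = N" rule form.

# Unique "proto/port" pairs passed inbound on interface $2 in rules file $1.
ipf_open_ports() {
    awk -v ifc="$2" '$1 == "pass" && $2 == "in" {
        on = proto = port = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "on") on = $(i + 1)
            if ($i == "proto") proto = $(i + 1)
            if ($i == "port" && $(i + 1) == "=") port = $(i + 2)
        }
        if (on == ifc && port != "") print proto "/" port
    }' "$1" | sort -u
}

# Unique "proto/port" pairs from sockstat -4l output saved in file $1
# (column 5 is PROTO, e.g. tcp4; column 6 is LOCAL ADDRESS, e.g. *:22).
listening_ports() {
    awk 'NR > 1 && $5 ~ /^(tcp|udp)/ {
        n = split($6, a, ":"); print substr($5, 1, 3) "/" a[n]
    }' "$1" | sort -u
}

# One line per mismatch: "open-without-listener P/N" or "listener-not-passed P/N".
firewall_vs_listeners() {
    o=$(mktemp) && l=$(mktemp) || return 1
    ipf_open_ports "$1" "$2" > "$o"
    listening_ports "$3" > "$l"
    comm -23 "$o" "$l" | sed 's/^/open-without-listener /'
    comm -13 "$o" "$l" | sed 's/^/listener-not-passed /'
    rm -f "$o" "$l"
}

# Constructed sample: two of the post's rules and a sockstat snapshot where
# nothing listens on 25 while mysqld listens on 3306, which the rules block.
demo() {
    r=$(mktemp) && s=$(mktemp) || return 1
    cat > "$r" <<'EOF'
pass in quick on fxp0 proto tcp from any to fxp0 port = 25 keep state
pass in quick on fxp0 proto tcp from any to fxp0 port = 22 keep state
EOF
    cat > "$s" <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       523   4  tcp4   *:22                  *:*
mysql    mysqld     588   10 tcp4   *:3306                *:*
EOF
    firewall_vs_listeners "$r" fxp0 "$s"; rm -f "$r" "$s"
}
```

On the real box, save `sockstat -4l` to a file and run `firewall_vs_listeners /etc/ipf.rules fxp0 that-file`.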

Change /etc/sshd_config to:
UsePAM no
ChallengeResponseAuthentication no
Then upload the generated public key to the user's home directory and switch to public-key authentication.
Add to /etc/newsyslog.conf:
/var/log/httpd-access.log 644 7 100 24 B /var/run/httpd.pid 30
/var/log/httpd-error.log 644 7 100 24 B /var/run/httpd.pid 30
/var/log/httpd-ssl_request.log 644 7 100 24 B /var/run/httpd.pid 30
/var/log/openwebmail.log 644 7 100 24 B
Add to /etc/crontab:
0 0 * * * root /backup/dailyjob.sh
0 0 * * * root /backup/upgrade.sh

/backup/dailyjob.sh updates the clamav virus signatures and does the backups; it also deletes the backup files from 30 days back.
#!/bin/sh
# Date stamps: today for the new archives, 30 days back for the ones to remove
today=`/bin/date +%Y%m%d`
deldate=`/bin/date -v -30d +%Y%m%d`
cd /backup/ || exit 1
# Update the clamav virus signatures
/usr/local/bin/freshclam
# Back up system and ports configuration, the MySQL data, the web root and home
/usr/bin/tar -zcvf $today.etc.tar.gz /etc/
/usr/bin/tar -zcvf $today.localetc.tar.gz /usr/local/etc/
/usr/bin/tar -zcvf $today.mysql.tar.gz /var/db/mysql/
/usr/bin/tar -zcvf $today.www.tar.gz /usr/local/www/
/usr/bin/tar -zcvf $today.home.tar.gz /home/
# Remove the set of archives made 30 days ago
/bin/rm -f $deldate.etc.tar.gz
/bin/rm -f $deldate.localetc.tar.gz
/bin/rm -f $deldate.mysql.tar.gz
/bin/rm -f $deldate.www.tar.gz
/bin/rm -f $deldate.home.tar.gz

/backup/upgrade.sh updates src and the ports tree:
#!/bin/sh
# Update the ports tree and fetch the prebuilt INDEX
cd /usr/ports/ || exit 1
/usr/local/bin/cvsup /usr/ports/cvsupfile-ports
/usr/bin/make fetchindex
# Update src and rebuild world and the custom kernel (install is done by hand)
cd /usr/src || exit 1
/usr/local/bin/cvsup /usr/src/cvsupfile-stable
/usr/bin/make buildworld
/usr/bin/make buildkernel KERNCONF=damon
Afterwards do the install and portupgrade steps by hand.

Copy cvsupfile-ports and cvsupfile-src from the examples.
For ports I use:
*default host=cvsup3.tw.FreeBSD.org
*default base=/var/db
*default prefix=/usr
*default release=cvs tag=.
*default delete use-rel-suffix
For src I use:
*default release=cvs tag=RELENG_6_0
Then pkg_add -r cvsup-without-gui ; rehash
and you can start updating src and the ports tree. Once that's done, install whatever you need. I installed MailScanner, apache, openwebmail, php5 and mysql5, the parts I actually use, all from ports.

Add this to /usr/local/etc/pkgtools.conf so the build argument is passed automatically when upgrading perl:
MAKE_ARGS = {
'lang/perl5.8' => 'ENABLE_SUIDPERL=1',
}

Once that's installed, tune the kernel a bit:
options IPFILTER
options IPFILTER_LOG
options IPFILTER_DEFAULT_BLOCK
options ACCEPT_FILTER_DATA
options ACCEPT_FILTER_HTTP
options TCP_DROP_SYNFIN
device pf
device pflog
device pfsync
Everything else is the GENERIC default; I only commented out the hardware I don't use.
Rebuild the whole system and the kernel, reboot, and done.
