You’ll need a freeBSD server – ssmtp installed – a gmail account – about 5 minutes spare time

ssmtp will replace sendmail – all systems commands that use sendmail with automatically now use ssmtp – the sendmail command will still work just ssmpt will be used

Step 1:

Disable Sendmail completely by setting the following in your /etc/rc.conf file:

sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

Step 2:

killall sendmail

Step 3:

install ssmtp

cd /usr/ports/mail/ssmtp/

make install replace clean

Step 4:

Configure SSMTP – located here –> cd /usr/local/etc/ssmtp/ssmpt.conf

mailhub=smtp.gmail.com:465
UseTLS=YES
AuthUser=user@domainname.com
AuthPass=password222
FromLineOverride=YES
Hostname=yourhostname
RewriteDomain=sourcedomainame.com
Root=someuser@domainname.com

Step 5:

enable ssmpt at boot

echo ‘ssmtp_enable=“YES”’ >> /etc/rc.conf

FreeBSD says you need a wrapper but the doc is old or just incorrect – when you issue the make install replace clean that updates /etc/mail/mailer.conf with the correct info

Chad Perrin at Techrepublic laid down a useful explanation of the ssmtp.conf file options. I’ve included them below.

* root=user@example.com: This identifies what user account receives all mail for userid under 1000 on the local system. That basically means system accounts, such as the root user account. In other words, if your computer is trying to send your root account an e-mail message, it will send it to whatever e-mail address you specify her. This should normally be your primary e-mail account — probably the account for which you’re configuring sSMTP to send e-mails.

* AuthUser=username: The username indicated here should be the username used to log into the remote SMTP server. In many cases, this is the part of the e-mail address that comes before the @ sign in your e-mail address. In some cases, it may be the entire e-mail address, possibly with the @ replaced by a plus sign. Using the user@example.com example above, this means it the username entry might be user+example.com, depending on the SMTP server configuration.

* AuthPass=password: When authenticating, this is the password used with the username above. Because my e-mail password is stored in the file, I make sure the ssmtp.conf file permissions are set to 640 using the chmod command. This ensures that the ssmtp and system administrator accounts can access the file as needed (both to make sure the ssmtp process works properly and that I can edit the file as root when needed), but no unprivileged accounts have access to the contents of the file. For this to work, you will also need to ensure that you create an ssmtp user (with a command like pw useradd ssmtp -g nogroup -h – -s /sbin/nologin -d /nonexistent -c “sSMTP pseudo-user”) and set ownership of ssmtp.conf to that user (with a command like chown ssmtp ssmtp.conf).

* mailhub=mail.example.com: Set the mailhub option to the fully qualified hostname for the SMTP server you will be using, so that sSMTP knows where to send outgoing e-mails. This option may actually take the form mailhub=mail.example.com:465, which sets the port number to use when contacting the SMTP server to 465. This allows unencrypted connections to use 25 (the default port number for SMTP traffic), and 465 is the standard alternate port number for TLS- and SSL-protected SMTP connections.

* rewriteDomain=example.com: This tells sSMTP that your mail headers need to be edited to say that the domain name you use for your e-mail address will be listed as the source of your e-mail address. Failing to rewrite the source domain name in this manner may cause problems at the receiving end when your e-mail address arrives at its intended destination.

* hostname=hostname.domain: The hostname indicated here is the hostname of the computer you are using to compose and send e-mails. The .domain part may or may not be present. On Unix and Linux systems, you can find the hostname for your computer by entering the command hostname at the shell prompt.

* FromLineOverride=YES: The From: header in an e-mail handled by sSMTP can be overwritten at this point. Setting this to YES just uses the From: value provided by the program that sent the e-mail to sSMTP to be forwarded to the SMTP server in the first place. In my case, since I use mutt as my mail user agent, this means that setting FromLineOverride=YES will cause sSMTP to use whatever From: header line mutt provides.

* UseTLS=YES: At last, we’ve struck gold. This is the configuration line that tells sSMTP to encrypt its connection to the SMTP server, protecting your authentication username and password as well as the rest of the session.

• how to start and stop sendmail
• how to send mail with sendmail
• how to send mail from the terminal, cli, command prompt
• how to make sendmail start at boot time

How to start and stop send mail:

1. /etc/rc.d/sendmail  stop</li>
   	<li>/etc/rc.d/sendmail  start</li>
   	<li>/etc/rc.d/sendmail restart

How to send mail with sendmail from the terminal aka cli or command prompt or root

mail someuser@somedomain.com
Subject: For Testing Only
This email is for testing the mail delivery system only.
* then press ctrl+D

How to make sendmail start at boot time:

1. edit /etc/rc.conf
2. add – sendmail_enable=”YES”

The inetd server should be run at boot time by /etc/rc. It then listens for connections on certain internet sockets. When a connection is found on one of its sockets, it decides what service the socket corresponds to, and invokes a program to service the request. The server program is invoked with the service socket as its standard input, output and error descriptors. After the program is finished, inetd continues to listen on the socket.

To enable FTPD Open /etc/inetd.conf file and remove the hash from:

ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l

Then restart inetd.conf

/etc/rc.d/inetd restart
or
/etc/rc.d/inetd onerestart

Or allow only 127.0.0.1 (localhost) to connect to your ftp server:

ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l -D -a 127.0.0.1

freeBSD 8 firewall for web server

You’ll see many articles discussing various firewalls for BSD. freeBSD comes with three firewalls but I’ll lay out what I believe is the best freebsd firewall for a web server, pf.

I need firewall that will help negate DDoS attacks, spoofing and fingerprinting. Allows port 80 and 443 as well as ssh and is simple to test and configure.

Well PF handles all that and comes built into the freeBSD kernel so it’s pretty easy and quick to set up and test.

do a ifconfig to figure out what your interface is named

#ifconfig
bigkill# ifconfig
 re0:  flags=8843 metric 0 IC>
        ether 00:2c:c1:f9:5s:d3
        inet 224.210.155.13 netmask 0xfffffff8 broadcast 224.210.155.253
        media: Ethernet autoselect (100baseTX )
        status: active
lo0: flags=8049 metric 0
        inet 127.0.0.1 netmask 0xff000000

As you can see here the interface name is re0

so just replace re0 in the below configuration and apply it to /etc/pf.conf

 ### macro name for external interface.
ext_if = "re0"

### all incoming traffic on external interface is normalized and fragmented
### packets are reassembled.
scrub in on $ext_if all fragment reassemble

### set a default deny everything policy.
block all

### exercise antispoofing on the external interface, but add the local
### loopback interface as an exception, to prevent services utilizing the
### local loop from being blocked accidentally.
set skip on lo0
antispoof for $ext_if inet

### block anything coming from sources that we have no back routes for.
block in from no-route to any

### block packets that fail a reverse path check. we look up the routing
### table, check to make sure that the outbound is the same as the source
### it came in on. if not, it is probably source address spoofed.
block in from urpf-failed to any

### drop broadcast requests quietly.
block in quick on $ext_if from any to 255.255.255.255

### block packets claiming to come from reserved internal address blocks, as
### they are obviously forged and cannot be contacted from the outside world.
block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any

### block probes that can possibly determine our operating system by disallowing
### certain combinations that are commonly used by nmap, queso and xprobe2, who
### are attempting to fingerprint the server.
### * F : FIN  - Finish; end of session
### * S : SYN  - Synchronize; indicates request to start session
### * R : RST  - Reset; drop a connection
### * P : PUSH - Push; packet is sent immediately
### * A : ACK  - Acknowledgement
### * U : URG  - Urgent
### * E : ECE  - Explicit Congestion Notification Echo
### * W : CWR  - Congestion Window Reduced
block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in quick on $ext_if proto tcp flags /WEUAPRSF
block in quick on $ext_if proto tcp flags SR/SR
block in quick on $ext_if proto tcp flags SF/SF

### keep state on any outbound tcp, udp or icmp traffic. modulate the isn of
### outgoing packets. (initial sequence number) broken operating systems
### sometimes don't randomize this number, making it guessable.
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state

### normally, a client connects to the server and we handshake with them, then
### proceed to exchange data. by telling pf to handshake proxy between the client
### and our server, tcp syn flood attacts from ddos become uneffective because
### a spoofed client cannot complete a handshake.

### set a rule that allows inbound ssh traffic with synproxy handshaking. yes I changed the ssh port
pass in on $ext_if proto tcp from any to any port 1229 flags S/SA synproxy state
### set a rule that allows inbound www traffic with synproxy handshaking.
pass in on $ext_if proto tcp from any to any port 80 flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port 443 flags S/SA synproxy state
 

If you want to allow any other port simple copy the last line and replace the port number.

Now issue a reboot command to restart the system in 5 minutes to test your pf configuration.

 shutdown -r +5
 

Okay not start PF and test it

 /etc/rc.d/pf onestart
 

Now “test” the current configuration to see what you got

 pfctl -s all" ### list all the current rules that are in effect and shows current connections
 

If you’re happy with your PF firewall configuration for freebsd 8 you’ll need to apply it at boot time by adding the following to your /etc/rc.conf

 pf_enable="YES"
pf_rules="/etc/pf.conf"
 

shutdown -r now

Shutdown freeBSD at a scheduled time or within a set time. In the sample below we have shutdown taking place in 5 minutes. This is useful when you want to set a configuration and you’re worried about the system locking you out. Set the shutdown time for five minutes from now and if you get locked out you just have to wait for he reboot to take place.

shutdown -r +5

And if you want to stop the shutdown process from taking place simple issue a kill.

pkill shutdown

I’ll be using ports of course for this entire install. I’m assuming that you have the proper hardware for this type installation.

Start with a minimal installation of freeBSD 8

Bypass the headache and host on vps or dedicated servers with pre-installed LAMP here.

Update the server ports – freebsd guide on ports

First update your port tree

portsnap fetch update *if this is the first time do a portsnap fetch extract

List available update

pkg_version -vIL=

Once you have updated your Ports Collection, before attempting a port upgrade, you should check /usr/ports/UPDATING. This file describes various issues and additional steps users may encounter and need to perform when updating a port, including such things as file format changes, changes in locations of configuration files, or other such incompatibilities with previous versions.

Upgrade your ports with

portupgrade -rR

Okay now that your freeBSD server ports are updates lets do Binary updates freebsd-update.

freebsd-update fetch

freebsd-update install

Then reboot

shutdown -r now

Verify update took place

uname -a

Rollback if necessary

freebsd-update rollback

Now lets install Apache, PHP, mysql and phpMyAdmin on your freeBSD 8 web server.

First install the latest apache from ports.

cd /usr/ports/www/apache22/
make config install clean
echo 'apache22_enable="YES"' << /etc/rc.conf
echo 'apache22ssl_enable="YES"' << /etc/rc.conf
echo 'accf_http_ready="YES"' << /etc/rc.conf &amp;&amp; kldload accf_http

Now install PHP

cd /usr/ports/lang/php5
make config install clean
cd /usr/ports/lang/php5-extensions  ** enable <strong>mysql </strong>extensions **
make config install clean

Now modify your httpd.conf – Add the following entries to /usr/local/etc/apache22/httpd.conf directly after all the LoadModule lines

AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps

now locate IfModule mod_dir.c and add index.php

DirectoryIndex index.php index.html index.htm

Last but not least get a good php.ini file setup

cp /usr/local/etc/php.ini-recommended /usr/local/etc/php.ini

Restart apache and

/usr/local/etc/rc.d/apache22 start

Now its time for mySQL installation, configuration and setup

cd /usr/ports/databases/mysql50-server
make install WITH_OPENSSL=yes
make distclean
echo 'mysql_enable="YES"' << /etc/rc.conf

Start mysql server and change root password

/usr/local/etc/rc.d/mysql-server start
mysqladmin -u root password sumcrazypaswrd
mysql -u root -p    *make sure you can log in*
rm /root/.history  *remove history so password isn't exposed*

Create a configuration file for mysql in /etc/my.cnf

[client]
port=29912
[mysqld]
port=29912
bind-address=127.0.0.1

Now lets install configure and setup phpMyAdmin

cd /usr/ports/databases/phpmyadmin
make config install clean
cd /usr/local/www/phpMyAdmin && cp config.sample.inc.php
config.inc.php
vi config.inc.php
$cfg['blowfish_secret'] = 'sdf934sdfgHijh98Y';

open httpd.conf and Alias

Alias /phpmyadmin /usr/local/www/phpMyAdmin

Now allow who you want to access it

        <Directory "/usr/local/www/phpmyadmin'<
Order allow,deny
        Allow from all   *or allow from 222.114.123.0/12*
</Directory<

you’ll want https when you connect to phpmyadmin so lets enable https and make some httpd.conf changes

Create your certificate

In order to access phpmyadmin of ssl you need to get https going on apache. You can buy an SSL certificate generated by a trusted CA such as Thwate or Verisign, or you can generate one yourself using OpenSSL. I borrowed a ton of infor from freebsdmadeeasy.com

lets get the openssl.cnf file ready

vi /etc/ssl/openssl.cnf
dir = /root/sslCA
default_days = 3650

Now set up the directories

cd ~root/
mkdir sslCA
chmod 700 sslCA
chmod 700 sslCA
mkdir certs private newcerts
echo 1000 < serial
touch index.txt
cd ~root/sslCA
openssl req -new -x509 -days 3650 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -config /etc/ssl/openssl.cnf

The CA should now be all set.. test with more;

more ~root/sslCA/cacert.pem
more ~root/sslCA/private/cakey.pem

Now lets generate an SSL certificate for apache

cd ~root/sslCA
openssl req -new -nodes -out yourhostname-req.pem -keyout private/yourhostname-key.pem -config /etc/ssl/openssl.cnf
openssl ca -config /etc/ssl/openssl.cnf -out yourhostname-cert.pem -infiles yourhostname-req.pem

Lets put everything where it needs to be.

mkdir /etc/ssl/crt
mkdir /etc/ssl/key
cp ~root/sslCA/yourhostname-cert.pem /etc/ssl/crt
cp ~root/sslCA/private/yourhostname-key.pem /etc/ssl/key

And finally add the SSL virtual host

Find the below line in your httpd.conf and take the comment hash out.

# Secure (SSL/TLS) connections
Include etc/apache22/extra/httpd-ssl.conf

Now modify your httpd-ssl.conf

ServerName ssl.yourhostname.com
SSLCertificateFile /etc/ssl/crt/yourhostname-cert.pem
SSLCertificateKeyFile /etc/ssl/key/yourhostname-key.pem
DocumentRoot "/etc/www/apache22/data"      ** whatever your location is**
ErrorLog "/var/log/httpd-error.log"
TransferLog "/var/log/httpd-access.log"

In /usr/local/etc/apache22/extra/httpd-default.conf, disable ServerSignature to prevent the server from showing more information than it has to. Make sure the server-status and the server-info sections in /usr/local/etc/apache22/extra/httpd-info.conf are commented out.

Finally restart apache

/usr/local/etc/rc.d/apache22 restart

Now install wordpress

cd /usr/ports/wordpress
make install clean

do a locate wordpress and move file to web root

locate wordpress
cp /usr/local/www/data/wordpress/* /usr/local/whatever web root is

go into web root and copy wp-config-sample.php to wp-config.php

navigate to https://hostname/phpmyadmin and create wordpress db – add that name to wp-config.php

# portsnap fetch
# portsnap update
# portmanager -u -l<span id="more-651"></span>

portsnap – Approximately every hour, a snapshot of the ports tree is generated, repackaged, and cryptographically signed. portsnap gets this information to see which ports you have out of date so you can easily update them.

portsmanager – updates ports in the correct order based on their dependencies.

Now on to the binary security updates:

# freebsd-update fetch

# freebsd-update install

# freebsd-update  rollback   (in case you need to rollback)

Now just check the kernal version
1

Source: http://www.cyberciti.biz/tips/howto-keep-freebsd-system-upto-date.html

]]>
			http://analysisandreview.com/unix/how-to-keep-freebsd-up-to-date/feed/
		0