Setting up a FreeBSD File and Fetching Mail Server (Page 3 of 6)
Written by Steve Lake
Posted on: Aug 27, 2007 at 01:23pm Section: Tutorials
Post install setup
Ok, now that we've done this, let's move on to the part we came here to work on. Once your system boots, log in as root. Root uses the CSH shell by default. If you'd like to use bash at this point, just type "bash" at the command prompt and hit enter. Believe me, it's a better shell than CSH and easier to work with. The first thing we need to do is to secure and set up our basic system. Type "pico .bashrc" and hit enter. This will use Pico for editing your .bashrc file. Type the following two lines.
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin:$HOME/bin; export PATH
PS1="[\u@\h \W]\\$ "
Do "ctrl-x" then "y" then enter to save. Type "cp .bashrc .bash_profile", hit enter. This has now created your login configuration files for both types of logins. AKA, via the console and ssh. Now you'll need to copy these two files up to your admin user so they can have them as well. To do that, do these three commands and replace "username" with the name you gave your admin user:
* cp .bashrc /home/username
* cp .bash_profile /home/username
* chown username /home/username/.bash*
Next, we'll want to upgrade our ports collection and source tree using cvsup. But before we can do that, we need to create our configuration file. Type the following commands:
* cp /usr/share/examples/cvsup/stable-supfile .
* pico stable-supfile
Now that we're inside the cvsup config file, we'll want to do a couple of things.
* About halfway down, find "*default host" and change the entry "CHANGEME.freebsd.org" to a cvsup server that is closest to you, or the least congested. A list of available servers can be found at: http://www.freebsd.org/doc/handbook/mirrors.html
* Go further down and find the following line: src-all. Below it, add this on a separate line: ports-all tag=.
Don't forget the dot on the end or else it won't work right. Ok, that's it. Just save and then type "cvsup stable-supfile" to begin updating your source and ports trees. This can take anywhere from 15 minutes to an hour to complete as it's got a lot of work to do. It may take longer if you're on a slow internet connection or the servers are full due to a recent release of any of the BSD's. In the future, unless you go a long time between updates, this update will typically only take you about 3-15 minutes to complete as the first update is always the biggest.
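The two supfile edits above are easy to get wrong by hand (a leftover CHANGEME host, a missing dot on the tag line), so here is an added example, not part of the original tutorial, that makes both edits with sed and awk and then verifies them before you run cvsup. The mirror name cvsup1.example.org is a placeholder; substitute a host from the handbook mirror list. The sample supfile at the bottom is a constructed miniature of the real stable-supfile, just enough to exercise the edits.

```shell
#!/bin/sh
# Added example (not from the tutorial): script the two stable-supfile edits
# and check the result. Placeholder mirror: cvsup1.example.org.

edit_supfile() {
    # $1 = supfile to edit in place, $2 = cvsup mirror hostname
    file="$1"
    mirror="$2"
    cp "$file" "$file.orig"
    # 1. point "*default host" at the chosen mirror
    sed -e "s/^\*default host=CHANGEME\.freebsd\.org/*default host=$mirror/" "$file.orig" > "$file"
    # 2. add "ports-all tag=." right after src-all, only if it is not already there
    if ! grep -q '^ports-all' "$file"; then
        # print every line; after the src-all line also emit the ports-all line
        awk '{ print } /^src-all/ { print "ports-all tag=." }' "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    fi
}

check_supfile() {
    # returns 0 when both edits are in place and no CHANGEME placeholder remains
    file="$1"
    grep -q 'CHANGEME' "$file" && return 1
    grep -q '^\*default host=' "$file" || return 1
    # the trailing dot is what the text warns about; anchor on it explicitly
    grep -q '^ports-all tag=\.$' "$file" || return 1
    return 0
}

make_sample_supfile() {
    # constructed miniature of /usr/share/examples/cvsup/stable-supfile
    cat > "$1" <<'EOF'
*default host=CHANGEME.freebsd.org
*default base=/var/db
*default prefix=/usr
*default release=cvs tag=RELENG_6
*default delete use-rel-suffix
src-all
EOF
}
```

Run it as `edit_supfile stable-supfile cvsup1.example.org && check_supfile stable-supfile && cvsup stable-supfile`; the original file is kept as stable-supfile.orig so a bad edit can be undone.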
Now, while that's working, let's jump into another terminal window and do something else. Press "alt-f2" to get into a new tty terminal. You'll see the screen change to a login prompt at this point. If you want to get back to the first terminal to see how it's doing, just press "alt-f1". The first security measure we'll need to achieve is more a deterrent than an actual security measure. But it's handy nonetheless. Type "pico /etc/motd" and hit enter. Remove anything that is in there and copy this in.
* * * * * * * * * * * * W A R N I N G * * * * * * * * * * * * *
THIS SYSTEM IS RESTRICTED TO AUTHORIZED USERS FOR AUTHORIZED USE ONLY.
UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED AND MAY BE PUNISHABLE UNDER
THE COMPUTER FRAUD AND ABUSE ACT OF 1986 OR OTHER APPLICABLE LAWS.
IF NOT AUTHORIZED TO ACCESS THIS SYSTEM, DISCONNECT NOW.
BY CONTINUING, YOU CONSENT TO YOUR KEYSTROKES AND DATA CONTENT BEING MONITORED.
ALL PERSONS ARE HEREBY NOTIFIED THAT THE USE OF THIS SYSTEM CONSTITUTES
CONSENT TO MONITORING AND AUDITING.
* * * * * * * * * * * * W A R N I N G * * * * * * * * * * * * *
Save and close. Now, to protect it from writing, type "chmod 444 /etc/motd" and hit enter. That'll make the file read only. Now type "pico /etc/aliases", hit enter and then scroll down until you find "# root: me@my.domain". Remove the # sign from the front of this line, then change "me@my.domain" to your email address. If you wish to keep all mail from root local to your machine instead of piping it out onto the internet first before retrieving it, you can specify a local user instead, such as the admin user we set up earlier. Now, save and close. Now type "newaliases" at the command prompt. This will load the new aliases into the system. All mail, including daily logs, error messages (where applicable) and other root mail will now get sent to you.
Next, we need to setup SSH. There are two ways to do this. The first is the standard setup that allows both ssh and SCP through standard windows ssh and scp programs such as putty and winscp, as well as similar linux programs as well. The second is a far more secure way to setup ssh that restricts your usage only to ssh programs such as SecureCRT and Linux ssh which can support OpenSSH secure keys. SCP is possible, but not on windows, and only via the console in Linux as there are currently no graphical scp capable clients that I'm aware of that support OpenSSH keys.
For the standard ssh setup, you'll need to open your sshd_config file and make a few changes. To do that, we'll first want to back up our sshd_config file in case we make a mistake or break something. Type "cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup" and hit enter. This will create a backup copy of your sshd_config file as it originally appeared on your system. Now type "pico /etc/ssh/sshd_config". Now do each of the following steps to set up sshd to allow the most common connections while remaining secure. When asked to comment something out, add a # sign at the front of the line. When asked to uncomment something, simply remove the # sign.
* Line 19 - Uncomment this line. It should read "Port 22".
* Line 20 - Uncomment this line. It should read "Protocol 2".
* Line 42 - Uncomment this line. It should read "PermitRootLogin no".
* Line 61 - Uncomment this line. It should read "PasswordAuthentication no". Change "no" to "yes".
* Line 62 - Uncomment this line. It should read "PermitEmptyPasswords no".
Now, save and exit. Before restarting anything, type "sshd -t": it checks the config file without starting the daemon and prints nothing if the file is valid. Next, type "killall -9 sshd" to force kill the ssh daemon. Note that this also drops any ssh sessions currently open to the server, so do it from the console. Next, type "/usr/sbin/sshd" to restart sshd. If you did it right, it should start immediately. When you hit enter, if it starts right, you should immediately drop back to a command line. It will only give you feedback if there's an error in your config file. Now, try logging into your server from another machine via ssh to see if it works. If you can login successfully, you've done your work right. Now, if you want the more secure setup, just clear out the entire sshd_config file and add these lines:
# SSHD config file for my server

############################
## Base SSHD config settings
############################

Port 22
Protocol 2
# The keyword is HostKey; "HostDsaKey" (as the listing originally read) is not
# an sshd directive and would stop sshd from starting
HostKey /etc/ssh/ssh_host_dsa_key
ServerKeyBits 768
LoginGraceTime 120
KeyRegenerationInterval 3600
PermitRootLogin no

############################
## Hack prevention code
############################

# After 3 unauthenticated connections, refuse 50% of the new ones, and
# refuse any more than 10 total.
MaxStartups 3:50:10
# Don't read ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding no
X11DisplayOffset 10
PrintMotd yes
PrintLastLog yes
KeepAlive yes

###############
## Logging
###############

SyslogFacility AUTH
LogLevel VERBOSE

############################
## Host Authentication
############################

# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# RSA authentication (protocol 1 only; protocol 2 public keys are governed by
# PubkeyAuthentication, which defaults to yes)
RSAAuthentication yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no

# Uncomment to disable s/key passwords
ChallengeResponseAuthentication no

##############################
## Secure ftp and authorized users
##############################

Subsystem sftp /usr/libexec/sftp-server
AllowUsers username
UsePrivilegeSeparation yes
On the second to last line where it says "AllowUsers username", change "username" to be the username of your admin user. They will be the only one allowed to login via ssh. If you have more than one admin user, put in each username after the first separated by a space. Now, the next thing you'll have to do to make use of the more secure ssh session is to generate a public key for logging in. To do that, type the following:
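Because sshd takes the first occurrence of a directive and silently applies a default for anything that stays commented out, it is worth checking the file for the settings that matter before the daemon is restarted. The following is an added example, not something from the tutorial: a small POSIX shell audit that reads a sshd_config the way sshd does (first uncommented occurrence wins, keywords are case-insensitive) and reports every hardening setting from the "ultra secure" listing above that is missing or wrong. It checks values only, not syntax, so on a real system still run "sshd -t -f FILE" as well. The two sample configs are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the tutorial): audit an sshd_config for the
# hardening settings the text asks for. Values only; use "sshd -t" for syntax.

sshd_opt() {
    # $1 = config file, $2 = directive name; prints the effective value.
    # Like sshd: comments are skipped, the first match wins, names are
    # case-insensitive. Prints nothing if the directive is absent (default applies).
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

audit_sshd_config() {
    # $1 = config file. Prints one line per finding; return value is the
    # number of findings, so 0 means the file passes.
    f="$1"
    bad=0
    for pair in PermitRootLogin:no PasswordAuthentication:no PermitEmptyPasswords:no \
                Protocol:2 X11Forwarding:no StrictModes:yes; do
        key=${pair%%:*}
        want=${pair#*:}
        got=$(sshd_opt "$f" "$key")
        if [ "$got" != "$want" ]; then
            echo "$key: expected '$want', found '${got:-<unset, sshd default applies>}'"
            bad=$((bad + 1))
        fi
    done
    # AllowUsers is what limits logins to the admin user(s); without it every
    # account that has a shell may attempt to log in
    if [ -z "$(sshd_opt "$f" AllowUsers)" ]; then
        echo "AllowUsers: not set, login is not restricted to the admin user(s)"
        bad=$((bad + 1))
    fi
    return $bad
}

write_sample_configs() {
    # constructed samples: $1 gets a stock-looking permissive file, $2 a hardened one
    cat > "$1" <<'EOF'
# stock file: commented directives mean the sshd defaults apply
#Port 22
#PermitRootLogin yes
PasswordAuthentication yes
EOF
    cat > "$2" <<'EOF'
Port 22
Protocol 2
permitrootlogin no
StrictModes yes
X11Forwarding no
PasswordAuthentication no
PermitEmptyPasswords no
AllowUsers username
EOF
}
```

Usage on the server is `audit_sshd_config /etc/ssh/sshd_config; echo findings=$?`. Against the "standard" setup from earlier in the page the PasswordAuthentication line is reported on purpose, since that setup deliberately leaves passwords enabled.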
* su - username (where "username" is the name of your admin user)
* ssh-keygen -d (you'll be prompted to set up a password for decrypting the key so as to prevent unauthorized use. I highly recommend specifying at least a good strong 8 character password here)
* cd .ssh
* cat id_dsa.pub > authorized_keys
Now, what this has done is generate your public and private key pair for secure login into the server. The secure ssh configuration file I listed above is designed to work with this key pair. You'll want to backup your key pair onto an external storage device such as a floppy or a pen drive. If you want to back it up to a floppy, you'll need to log out of your admin user and go back to your root login. Next you'll need to do the following steps:
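Two details of the authorized_keys step above bite people later: "cat id_dsa.pub > authorized_keys" overwrites any key already in the file, and the secure config sets "StrictModes yes", which makes sshd refuse public key logins when ~/.ssh, authorized_keys or the home directory itself is writable by group or others. The following is an added example rather than the tutorial's own commands: a shell helper that appends the public key idempotently and sets the permissions StrictModes expects, plus a check you can run when a key login unexpectedly falls back to "Permission denied (publickey)". It does not call ssh-keygen; you pass it the id_dsa.pub that ssh-keygen produced (the test uses a constructed dummy key line).

```shell
#!/bin/sh
# Added example (not from the tutorial): install a public key into
# authorized_keys without clobbering existing keys, and make the file and
# directory modes acceptable to "StrictModes yes".

install_authorized_key() {
    # $1 = public key file (e.g. /home/username/.ssh/id_dsa.pub)
    # $2 = home directory of the account that should accept the key
    pub="$1"
    home="$2"
    ssh_dir="$home/.ssh"
    auth="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir"
    # append the key line only if that exact line is not already present,
    # so re-running the helper never produces duplicates
    if [ ! -f "$auth" ] || ! grep -qxF "$(cat "$pub")" "$auth"; then
        cat "$pub" >> "$auth"
    fi
    # StrictModes: owner-only access on the directory and the key file
    chmod 700 "$ssh_dir"
    chmod 600 "$auth"
}

group_or_world_writable() {
    # $1 = path; returns 0 when the ls -ld mode string shows a 'w' in the
    # group (position 5) or other (position 8) triplet. Uses ls rather than
    # stat because stat's flags differ between BSD and GNU.
    bits=$(ls -ld "$1" | cut -c2-10)
    case "$bits" in
        ????w*|???????w*) return 0 ;;
    esac
    return 1
}

strictmodes_ok() {
    # $1 = home directory; returns 0 when sshd with StrictModes yes would
    # accept keys from $1/.ssh/authorized_keys, 1 otherwise
    home="$1"
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || return 1
        if group_or_world_writable "$p"; then
            echo "$p is group/world writable; StrictModes will reject the key" >&2
            return 1
        fi
    done
    return 0
}
```

On the server, after ssh-keygen as the admin user: `install_authorized_key ~/.ssh/id_dsa.pub ~ && strictmodes_ok ~`. The check is also the first thing to run when a key login fails after the keys were copied off the box.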
* mkdir /mnt/floppy (this will create a folder where you can mount your floppy disk)
* mount -t msdos /dev/fd0 /mnt/floppy (floppy disk must be dos formatted)
* cd /mnt/floppy
* cp /home/username/.ssh/id_dsa* . (this will copy your files over to the floppy disk; "username" is your admin user)
Now you can type "ls" to make sure the files are there. After this, type "cd .." to get back to root's home directory and then type "umount /mnt/floppy" to unmount the floppy so you can take it out and store it somewhere.
Now, to do this with a pen drive, you'll need to do the following steps.
* Insert the pen drive into a usb port. You'll also need to be on tty0 to ensure that you see the USBD mount message when USBD has successfully seen your pen drive. It will also alert you in the event that USBD can't load your drive. When USBD reports your pen drive as successfully seen and added as a device, take note of what device it's listed as. Look at the second line of the output from the USBD system message. It should look something like this:
da0 at umass-sim0 bus 0 target 0 lun 0
Looking at this entry, you see "da0" as the first column. That's your pen drive's device ID when dealing with partitions. Write that down.
* Type "mkdir /mnt/pendrive" to create a directory where we can mount our pen drive.
* Type "mount -t msdos /dev/da0 /mnt/pendrive" and hit enter.
* cd /mnt/pendrive
* cp /home/username/.ssh/id_dsa* . (this will copy your files over to the pendrive; "username" is your admin user)
Now type "ls" to make sure the files are there. After this, type "cd .." to get back to root's home directory and then type "umount /mnt/pendrive" to unmount the pendrive so you can take it out and store it somewhere. When you remove the pen drive, you should receive another message from USBD stating that the device was lost and is now detached. You can ignore that as that's a standard message indicating that the usb device was removed. Now hit enter to see your command prompt again. Next, do "cd /home/username/.ssh" to get to your admin user's ssh directory. Type "rm id_dsa*" to remove the two secure key files (the private key and its .pub half; authorized_keys stays). They should not remain on the machine for security purposes. Now, from here on out, if you'd like to continue managing your server with ssh, feel free to. It's best to set up the ssh clients you'll be using on whatever machines you'll be managing the server from. Also, get used to doing it this way as that's how you'll be doing any management of your server from now on, save for emergency maintenance of any kind. I say this because once we're done, you'll end up with a headless server that'll sit in a corner by itself connected to nothing but a power cord and an Ethernet cable. That's essentially what a headless server is. One that has nothing but power and Ethernet going to it. It allows it to be tucked out of the way, out of sight and out of mind, but still fully usable by everyone on the network.
Now, the next step we need to do is to setup our extra drive(s). If you only have one drive, you may skip this step. To begin, we first have to create the directories where the drives will be mounted. I prefer naming the directories after their purpose, or their use in the system. For example, if it's going to be a drive for use as part of your file server where files will be stored, then "/samba" or "/storage" would be appropriate names. If you want them to be designated by their place within the system, then use "/drive2" or "/driveb" or something similar. For this tutorial, I'll be using the latter. Type "mkdir /drivename" to create this. Replace "drivename" with the name you've chosen for your second drive. Repeat for any additional drives you'll be adding.
Now to get started formatting and slicing these drives, type "/usr/sbin/sysinstall" and hit enter. This will take us into a screen that looks very much like the setup screen we had during our initial install. That's because it's the same sysinstall program that's found on the install disk. If you've worked with FreeBSD before and remember this program being in /stand/sysinstall, you would be right. In the 6.x line the developers removed the /stand directory and moved all its applications into other directories, which is why sysinstall is now under /usr/sbin. Now back to the configurations. Arrow down the list here and select "configure". Hit enter. Arrow down and select "Fdisk". Hit enter. You should be presented with two or more square checkboxes and several devices here. We'll ignore ad0 because that's our primary drive. Doing anything with that now would cause some rather unpleasant things to happen to our main system drive which would kill our install and force us to repeat all our previous steps.
So, select ad1 (or whatever your next drive ID is) and hit enter. Partitioning at this point is the same as mentioned earlier for the main drive. Just one gigantic partition. Once you're done here, you'll need to do something a slight bit different than you did before. Instead of typing "Q" immediately, you'll need to type "W" instead. This writes the changes. Before this sysinstall did it for us. But that was because we were installing the system and that's the preferred way to do it. This time you have to do it yourself. Once it's done writing the partition, hit "Q" to exit. Select "none" for the boot record and hit enter. Repeat for each of your other drives if you have more than one extra drive. If you have several drives built as a hardware raid, then all of the drives in that raid array will be seen by Freebsd as one drive and will be treated as such. So no worries there if you have raid. The next step is to create slices. Arrow down one line to where it says "label" and hit enter. Type "C" and hit enter. This will select the entire drive as one huge slice. Type "/drivename" where "drivename" is the folder name you picked for where your second drive will be mounted.
Now, type "W" to write the changes, and "Q" to quit. Rinse and repeat if you have more than one secondary drive. DO NOT touch the primary system drive at any point during this install. If you're unsure whether you're in that drive or not, be sure to take note of the size of each drive in your system and verify by size in each of the windows that the drive you're working with is in fact the correct one. Available space on each of the drives is always listed in each of the windows. Also be sure to note the part ID for each drive. The part ID will typically be next to the name and will say something like "/dev/ad1s1a". Write that down for each drive as we'll need it later. Once you're done slicing each drive, arrow up to "exit" and hit enter. Now right arrow and select "exit install", and then hit enter.
Now, we need to insert each of these drives into our file system configuration file so that they're automatically mounted at boot. The first thing we need to do is test and find out if each of your drives mounts right. For each drive, type "mount -t ufs /dev/partid /drivepath" where "partid" is the part ID the system gave you when you created your slice for that drive. /drivepath of course is the folder name you created earlier for that drive. Now, if all goes well, you shouldn't see any errors. If you type "df -h", you should see your newly mounted drive in the list of available slices in this screen. To verify that, look under the "Mounted On" column for the directory path it should be mounted on. If you hit any errors, go back and correct them before continuing.
Now, once you're sure each drive is working, unmount them by typing "umount /drivepath". Next, type "pico /etc/fstab". This will take you into your filesystem configuration file. One thing to note is to be sure that you don't make any mistakes in here because ugly things can happen if you do. It won't break your system beyond recovery, but it will force you to go through the bad boot recovery process to fix it. And believe me, that's no fun at all. Now, the first thing you will want to do is arrow down to the bottom of the file and put your cursor on the first available free line. To add in each drive you'll first want to type the device id. That'll be like we had before where it was "/dev/devid" where "devid" is the part ID that was shown to you in the label editor. Next, you'll want to hit tab until your cursor lines up with the "MountPoint" column. This will be the folder name you wanted to mount your drive on, such as the "/drive2" example I gave before. Now tab over to the "FStype" column and type "ufs" since your file system is UFS. Hit tab and type "rw" so that your drive is both readable and writable. Tab over to the "Dump" column and type "2", then tab over to the "Pass#" column and type "2". Hit enter and repeat for any other drives you need to add.
Now, save and exit. If you've done your work right, you should be able to type "mount /drivepath" for each drive and it should mount successfully. After this you shouldn't need to manually mount the drives anymore. If you encounter any errors, go back and look in the file and correct any errors or typos you might have left behind.
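Since a bad line in /etc/fstab means a trip through boot recovery, here is an added example (not from the tutorial) of building the entry with the exact six fields described above and doing two sanity checks before it is appended: the mount point directory must already exist (the "mkdir /drivename" step), and the device must not already be listed. The device and mount point names follow the tutorial's own examples, /dev/ad1s1a and /drive2; the fstab used in the test is a constructed two-line file.

```shell
#!/bin/sh
# Added example (not from the tutorial): append a UFS data drive to fstab with
# the fields the text describes, refusing obvious mistakes.

fstab_line() {
    # $1 = device node, $2 = mount point
    # columns: Device, Mountpoint, FStype, Options, Dump, Pass#
    printf '%s\t%s\tufs\trw\t2\t2\n' "$1" "$2"
}

add_fstab_entry() {
    # $1 = fstab file, $2 = device, $3 = mount point; returns 1 on a sanity failure
    fstab="$1"; dev="$2"; mnt="$3"
    if [ ! -d "$mnt" ]; then
        echo "mount point $mnt does not exist; create it first (mkdir $mnt)" >&2
        return 1
    fi
    # field 1 is the device column; a commented-out "#/dev/ad1s1a" does not
    # match because the '#' is part of $1
    if awk -v d="$dev" '$1 == d { found = 1 } END { exit !found }' "$fstab"; then
        echo "$dev is already listed in $fstab" >&2
        return 1
    fi
    fstab_line "$dev" "$mnt" >> "$fstab"
}

fstab_mountpoint() {
    # $1 = fstab file, $2 = device; prints the mount point recorded for it
    awk -v d="$2" '$1 == d { print $2 }' "$1"
}
```

On the server: `add_fstab_entry /etc/fstab /dev/ad1s1a /drive2 && mount /drive2`, which is the same "mount /drivepath" check the text ends with; if mount fails, the line is the last one in the file and easy to remove.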
Now we need to configure our hosts file. To get started, type the following command:
* pico /etc/hosts
Now in this window we'll need to make one addition to the hosts file so that when sendmail starts trying to send mail to local users, it doesn't get confused as to where to send it. Go to the bottom of the file, create an empty line, and type the following:
* x.x.x.x myserver.domain.com
Replace x.x.x.x with the IP of the server and "myserver.domain.com" with the hostname of the machine. Now save your work and exit.
Now, the next thing we need to do to finish preparing our system is to upgrade it to the latest version of everything. The first thing you'll want to do is to verify that cvsup is finished with its work as we can't continue till it is. Press "alt-f1" to switch back to the first terminal and check on it. If it's back to a command prompt, we're ready. If not, let it run until it does. Once it's finished, we can then move on to the next step.
When it's finally finished, type the following commands:
* cd /usr/ports/ports-mgt/portupgrade
* make install
* Tab down to the "OK" button and hit enter.
This will install the latest version of portupgrade from the ports collection. Since it has to compile, it's going to take a little bit of time to complete, so go grab something to eat or drink at this point. The whole install should take about 5-15 minutes depending on the speed of your machine. Once this is done, type "portupgrade -ra" (that is, -r for recursive and -a for all installed ports), then walk away again. Depending on how much needs to be upgraded on your system, it could take anywhere from 20 minutes to 4 hours as it will have to build and compile each item from source code. Be sure to check in on it about every 15-20 minutes in case it prompts you to select some options. Unless you have a specific reason to choose something other than the default options on any of the configuration prompts, just tab down to OK and hit enter to continue on each. You likely won't see any of these screens along the way, but if you do, you'll need to address them in order to continue.
Once this is done and all upgrades have completed successfully, you are ready to move onto the last step which is a kernel rebuild. But before you do, be sure everything upgraded correctly under portupgrade. To do this, type "pkg_version -L=" and see if it reports anything. If it does, rerun portupgrade until nothing appears when you run that command. Entries will look something like this: "ruby <" indicating it's an out of date version. If a port fails to build, find out why and try rerunning the install manually by changing directories to the port in question (the directory path will be listed in the error message) and running the install manually by typing "make install". If you're unsure of how to fix an error, do a little google diving. Just take part of the error message and type it into google. You'll usually find a quick fix or an answer to why it's not compiling. Although I don't expect this to happen, since there is a small chance of it occurring, I thought to mention it just in case.
Once all your ports are upgraded, type the following commands to rebuild your kernel.
* cd /usr/src
* echo "KERNCONF=GENERIC" >> /etc/make.conf
* make buildworld
* make buildkernel
* make installkernel
Since we don't need to customize our kernel, we'll just be using the generic FreeBSD kernel configuration file for this. What the kernel rebuild does do however is it takes us up to the latest kernel version for added security. Note that these steps install only the new kernel; the userland binaries stay as they were installed from the release media. Total rebuild time will vary between 20 minutes and an hour depending on your system. In extreme cases it may take as much as two hours. Once this is completed, reboot your computer by typing "shutdown -r now". Once it's rebooted, login as root again so that you're ready for the next steps. At this point our post install setup is done. This will have all your drives in place and your system secured. Now we move on to the next part. Setting up the file server. At this point I recommend setting up the server where it's supposed to be and doing the remainder of your configurations via ssh. To do this, just power down the system by typing "shutdown -p now" and hit enter. Once it powers down, unplug everything, move it to its final home, plug in the power and Ethernet, and then power it back on. After this you'll be able to connect to it with your favorite ssh client. To connect from Linux, BSD or another unix style ssh client, type the following command:
For standard ssh configuration:
* ssh -l username x.x.x.x (you'll be prompted for the

For ultra secure ssh configuration:
* ssh -i /path/id_dsa x.x.x.x
In the above examples, "x.x.x.x" is the ip of your server, "username" is your admin user's username, and "/path" is obviously the path where you put the ssh keys on the machine you're using. I typically recommend putting it into the .ssh folder under your admin user's home folder so as to keep everything related to ssh in one neat and tidy place. For windows or mac, you'll need to enter the IP, username, and password for the standard configuration, and you'll need to specify the IP and use "PublicKey" as the authentication type for logging in. You'll also need to set "SSH2" as the protocol for both. Now, let's move on to setting up the file server.