Tag Archive : freebsd


Installing Nagios for Monitoring on FreeBSD 8.3

December 5, 2015 | Article | No Comments

Nagios is one of the best tools we can find for building a monitoring server. Nagios is free, open source, modular, easy to use, and highly scalable. Initially, Nagios was designed for the Linux operating system, but it later came to run on almost any UNIX-like operating system, including FreeBSD.

In this article we will discuss how to install Nagios and use a simple configuration. As you can guess from the theme, I use FreeBSD 8.3.

Installation

Installing Nagios is as easy as installing any FreeBSD port.

cd /usr/ports/net-mgmt/nagios
make install clean

Make sure you choose NETSNMP for the nagios group and user. This allows Nagios to manage the network using SNMP (Simple Network Management Protocol).

Autostart on Boot

To run Nagios automatically at boot time, we can edit /etc/rc.conf and add nagios_enable="YES" at the end of the file. Alternatively, we can invoke the following command:

echo 'nagios_enable="YES"' >> /etc/rc.conf

Running Simple Configuration

Configuration is simple. In fact, there is no need for us to write a configuration from scratch. Nagios provides a basic configuration that is ready to use for generic situations. Using it is as simple as copying the files into the Nagios working directory. Here are the commands:

cd /usr/local/etc/nagios
cp cgi.cfg-sample cgi.cfg
cp nagios.cfg-sample nagios.cfg
cp resource.cfg-sample resource.cfg

cd /usr/local/etc/nagios/objects
cp commands.cfg-sample commands.cfg
cp contacts.cfg-sample contacts.cfg
cp localhost.cfg-sample localhost.cfg
cp printer.cfg-sample printer.cfg
cp switch.cfg-sample switch.cfg
cp templates.cfg-sample templates.cfg
cp timeperiods.cfg-sample timeperiods.cfg

Now check and make sure that no error occurred:

nagios -v /usr/local/etc/nagios/nagios.cfg

Next we need to create an administrator account for accessing the Nagios home page. We use the default account name, nagiosadmin; htpasswd will prompt for its password.

htpasswd -c /usr/local/etc/nagios/htpasswd.users nagiosadmin

Next, Apache needs to know about Nagios. Therefore, edit httpd.conf using ee /usr/local/etc/apache22/httpd.conf and add the following text:

ScriptAlias /nagios/cgi-bin/ /usr/local/www/nagios/cgi-bin/
Alias /nagios /usr/local/www/nagios/

<Directory /usr/local/www/nagios>
   Options None
   AllowOverride None
   Order allow,deny
   Allow from all
   AuthName "Nagios Access"
   AuthType Basic
   AuthUserFile /usr/local/etc/nagios/htpasswd.users
   Require valid-user
</Directory>

<Directory /usr/local/www/nagios/cgi-bin>
   Options ExecCGI
   AllowOverride None
   Order allow,deny
   Allow from all
   AuthName "Nagios Access"
   AuthType Basic
   AuthUserFile /usr/local/etc/nagios/htpasswd.users
   Require valid-user
</Directory>

Now, restart Apache.

The configuration files are stored in /usr/local/etc/nagios/. If we want to use a sample configuration, we can simply rename or copy the .cfg-sample file to a .cfg file.

Before we play around with the files, it's better to back up the directory somewhere else. For example:

mkdir /home/xathrya/nagios-samples/
cp * /home/xathrya/nagios-samples/
mv bigger.cfg-sample bigger.cfg
mv cgi.cfg-sample cgi.cfg
mv checkcommands.cfg-sample checkcommands.cfg
mv localhost.cfg-sample localhost.cfg
mv misccommands.cfg-sample misccommands.cfg
mv nagios.cfg-sample nagios.cfg
mv resource.cfg-sample resource.cfg

Now we have all the configuration files we need in /usr/local/etc/nagios.

Next, open the localhost.cfg file and adjust the settings to our network. This file instructs Nagios to monitor localhost, that is, to monitor itself.

In this file we define the commands that monitor services on localhost, the contact information of the administrator/user Nagios should notify, and so on.

Later we will check whether there are errors in the Nagios configuration, using:

/usr/local/bin/nagios -v /usr/local/etc/nagios/nagios.cfg

If there is no error, you should get a message like this:

.........

.........
Total Warnings: 0
Total Errors: 0
Things look okay - No serious problems were detected during the pre-flight check

Now we start Nagios with the following command:

/usr/local/bin/nagios /usr/local/etc/nagios/nagios.cfg &

Now open a browser and access Nagios by URL. In my case, my machine has the IP address 192.168.3.11, so I can access Nagios at http://192.168.3.11/nagios.

And that's it. You now have Nagios monitoring your network.

Installing MySQL into FreeBSD

December 5, 2015 | Article | 1 Comment

In a different article we discussed how to configure MySQL on Slackware. In this article we will discuss how to install a MySQL server on a FreeBSD machine.

If you want to build a web server (installing Apache and PHP), you might want to install the MySQL database first.

MySQL is well known as a reliable, free, open source database management system. Most web servers use MySQL as their database backend.

For this, I use FreeBSD 8.3 amd64, but you can use any FreeBSD version and platform you please. The MySQL version we use is 5.5, as provided in the FreeBSD ports collection.

Installing the port

Installing MySQL is as easy as installing any port. Run the following commands:

cd /usr/ports/databases/mysql55-server
make install

If you are doing a fresh installation, you will be prompted with an installation options menu. The options I chose are listed here:

  1. OPENSSL (Enable SSL support)

You might also want to install the client:

cd /usr/ports/databases/mysql55-client
make install

The options I chose are listed here:

  1. OPENSSL (Enable SSL support)

Once you finish installing, you will find a mysqld script in /usr/local/etc/rc.d. MySQL will store its data in /var/db/mysql.

Starting MySQL

/etc/rc.conf must contain the following line to allow the MySQL server to start:

mysql_enable="YES"

Once this line is there, you can run the startup script with

/usr/local/etc/rc.d/mysql-server.sh start

Setting the root password

Normally, the MySQL root account and the anonymous account have no password on a fresh install. Therefore we need to set passwords on them. If not, MySQL gives anyone full access to the database server.

To set a password on the anonymous accounts, use

mysql -u root
mysql> SET PASSWORD FOR ''@'localhost' = PASSWORD('newpwd');
mysql> SET PASSWORD FOR ''@'host_name' = PASSWORD('newpwd');

Note that mysql> is the prompt you get when you enter the MySQL console.
To set a password for the root account, use

mysql -u root
mysql> SET PASSWORD FOR 'root'@'localhost' = PASSWORD('newpwd');
mysql> SET PASSWORD FOR 'root'@'host_name' = PASSWORD('newpwd');

Managing your MySQL server with phpMyAdmin

If you are too lazy to use the terminal and want to administer the database graphically, you can use phpMyAdmin. To do that, you have to install Apache and PHP first. With this tool, you can manage MySQL databases through a web interface. It allows you to perform SQL queries, create new databases, add users, change privileges, and back up and import data.

To install phpMyAdmin, invoke the following commands:

cd /usr/ports/databases/phpmyadmin
make install

Password protecting directories with htaccess

December 5, 2015 | Article | No Comments

Apache allows access to directories to be restricted unless the visitor supplies a valid user name and password. Here you will see how to set it up in your config file, how to create the .htaccess file, and how to generate the password file for it.

Denying access in httpd.conf

The first step is to deny access to the directory in the httpd.conf file. To do this, add the following for the directory (or for the default, to deny access there).

<Directory "/usr/local/www/data/secret_dir">
    Options Indexes FollowSymLinks
    AllowOverride AuthConfig
    Order deny,allow
</Directory>

The above will deny access to secret_dir and only allow it to be accessed if the person gains authorization by entering a username and password. We will set this up next.

At this point you need to restart Apache since changes were made to the config file, so use

apachectl graceful

Creating an .htaccess file

The .htaccess file specifies how a visitor can get authorized to access the directory. It is normally set up in the following way:

AuthName "My Secret Directory"
AuthType Basic
AuthUserFile /usr/local/www/htaccess/.mypassfile
Require valid-user

AuthName is the text shown above the password prompt when the directory is accessed. AuthUserFile points to where you have the password file stored; it can be placed anywhere as long as it is secure (ideally outside the document root, so the web server never serves it).

Generating the password file

Now that we have restricted access so that only users with a valid username and password can get in, we need to set up some users. To do this we will use htpasswd. When creating a new file, the -c flag must be used, followed by the location of the file we are writing. The next argument is the user we are adding.

htpasswd -c /usr/local/www/htaccess/.mypassfile joe

In the above example we are creating a new password file called .mypassfile in the location we set in the .htaccess file, and are adding the user joe to it. Once you enter this command you will be asked for the password, and to confirm it.

To add another user to the same file we can use the same command without the -c:

htpasswd .mypassfile kelly

For more options on encryption, run htpasswd with the -h flag:

$ htpasswd -h
Usage:
	htpasswd [-cmdpsD] passwordfile username
	htpasswd -b[cmdpsD] passwordfile username password

	htpasswd -n[mdps] username
	htpasswd -nb[mdps] username password
 -c  Create a new file.
 -n  Don't update file; display results on stdout.
 -m  Force MD5 encryption of the password.
 -d  Force CRYPT encryption of the password (default).
 -p  Do not encrypt the password (plaintext).
 -s  Force SHA encryption of the password.
 -b  Use the password from the command line
 -D  Delete the specified user.

If everything was done successfully a password prompt will come up when you try to access the protected directory, and you will only be allowed in if you enter a correct username and password from the password file.
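The encryption options listed by htpasswd -h differ in what the stored string looks like and how a password is checked against it. As an added example (not code from the original article), here is a small Python verifier that parses an htpasswd file and checks a password against the apr1 MD5 (-m), {SHA} (-s), crypt (-d) and plaintext (-p) forms; the sample file, its user names and the function names are constructed for this example.

```python
import base64
import hashlib
import hmac

try:                 # crypt(3) wrapper for -d entries; gone from the stdlib in Python 3.13
    import crypt
except ImportError:
    crypt = None

# Apache's 64-character alphabet, used by the apr1 encoder (not standard base64).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """Emit `count` characters of 6 bits each, least significant first."""
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def apr1_md5(password, salt):
    """The $apr1$ scheme (htpasswd -m): salted MD5 with 1000 stretching rounds.

    Ported from APR's apr_md5_encode(); the salt is at most 8 characters."""
    pw, salt = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + b"$apr1$" + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    remaining = len(pw)
    while remaining > 0:                        # mix in the alternate sum
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    i = len(pw)
    while i:                                    # padding driven by the length's bits
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):                       # the stretching loop
        ctx1 = hashlib.md5(pw if r & 1 else final)
        if r % 3:
            ctx1.update(salt)
        if r % 7:
            ctx1.update(pw)
        ctx1.update(final if r & 1 else pw)
        final = ctx1.digest()
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    encoded = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                      for a, b, c in groups) + _to64(final[11], 2)
    return "$apr1$%s$%s" % (salt.decode(), encoded)


def sha1_scheme(password):
    """The {SHA} scheme (htpasswd -s): unsalted base64(SHA-1)."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def parse_htpasswd(text):
    """Return {user: stored_string} from the contents of an htpasswd file."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, _, stored = line.partition(":")
            entries[user] = stored
    return entries


def scheme_of(stored):
    """Tell the four htpasswd formats apart by their prefix/shape."""
    if stored.startswith("$apr1$"):
        return "apr1"
    if stored.startswith("{SHA}"):
        return "sha1"
    if len(stored) == 13 and crypt is not None:  # traditional DES crypt(3), -d
        return "crypt"
    return "plain"                               # -p: stored exactly as typed


def verify(entries, user, password):
    """True if `password` matches the stored entry for `user`.

    The comparison uses hmac.compare_digest so its timing does not reveal
    how many leading characters of the hash matched."""
    stored = entries.get(user)
    if stored is None:
        return False
    scheme = scheme_of(stored)
    if scheme == "apr1":
        candidate = apr1_md5(password, stored.split("$")[2])
    elif scheme == "sha1":
        candidate = sha1_scheme(password)
    elif scheme == "crypt":
        candidate = crypt.crypt(password, stored[:2])
    else:
        candidate = password
    return hmac.compare_digest(candidate.encode(), stored.encode())


# Constructed sample file: joe added with -m, kelly with -s, bob with -p.
SAMPLE_HTPASSWD = "\n".join([
    "joe:" + apr1_md5("s3cret", "xathrya1"),
    "kelly:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=",    # -s, password "password"
    "bob:plaintext-pw",                            # -p, readable by anyone with the file
])

if __name__ == "__main__":
    users = parse_htpasswd(SAMPLE_HTPASSWD)
    for user, stored in users.items():
        print(user, scheme_of(stored), verify(users, user, "password"))
```

Of the four forms, only apr1 is salted and iterated; {SHA} is a single unsalted hash and -p stores the password as typed, which is why the password file must not be readable by other users or served by Apache.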

Apache is well known as a robust and stable web server. Currently, most web servers use Apache. Apache 2.2 is simple yet has lots of modules available. Accompanied by the PHP5 scripting language, you can have a good web server ready to run any web application.

In this article we will discuss how to install and configure Apache and PHP5 on FreeBSD. For this, I use FreeBSD 8.3 amd64, but you can use any FreeBSD version and platform you please. The Apache version we use is 2.2, as provided in the FreeBSD ports collection.

You might also want to install MySQL first.

Apache Web Server

Installing the port

Installing Apache 2.2 is as easy as installing any port. Run the following commands:

cd /usr/ports/www/apache22
make install

If you are doing a fresh installation, you will be prompted with an installation options menu. The options I chose are listed here:

  1. THREADS (Enable threads support in APR)
  2. MYSQL (Enable MySQL support for apr-dbd)
  3. PGSQL (Enable PostgreSQL support for apr-dbd)
  4. SQLITE (Enable SQLite support for apr-dbd)
  5. IPV6 (Enable IPv6 support)
  6. BDB (Enable BerkeleyDB dbm)
  7. AUTH_BASIC (mod_auth_basic)
  8. AUTH_DIGEST (mod_auth_digest)
  9. AUTHN_ANON (mod_authn_anon)
  10. AUTHN_DBM (mod_authn_dbm)
  11. AUTHN_DEFAULT (mod_authn_default)
  12. AUTHN_FILE (mod_authn_file)
  13. AUTHZ_DBM (mod_authz_dbm)
  14. AUTHZ_DEFAULT (mod_authz_default)
  15. AUTHZ_GROUPFILE (mod_authz_groupfile)
  16. AUTHZ_HOST (mod_auth_host)
  17. AUTHZ_OWNER (mod_auth_owner)
  18. AUTHZ_USER (mod_auth_user)
  19. CACHE (mod_cache)
  20. DISK_CACHE (mod_disk_cache)
  21. FILE_CACHE (mod_file_cache)
  22. DAV (mod_dav)
  23. DAV_FS (mod_dav_fs)
  24. LDAP (Enable mod_ldap)
  25. ACTIONS (mod_actions)
  26. ALIAS (mod_alias)
  27. ASIS (mod_asis)
  28. AUTOINDEX (mod_autoindex)
  29. CERN_META (mod_cern_meta)
  30. CGI (mod_cgi)
  31. CHARSET_LITE (mod_charset_lite)
  32. DEFLATE (mod_deflate)
  33. DIR (mod_dir)
  34. DUMPIO (mod_dumpio)
  35. ENV (mod_env)
  36. EXPIRES (mod_expires)
  37. HEADERS (mod_headers)
  38. IMAGEMAP (mod_imagemap)
  39. INCLUDE (mod_include)
  40. INFO (mod_info)
  41. LOG_CONFIG (mod_log_config)
  42. LOGIO (mod_logio)
  43. MIME (mod_mime)
  44. MIME_MAGIC (mod_mime_magic)
  45. NEGOTIATION (mod_negotiation)
  46. REWRITE (mod_rewrite)
  47. SETENVIF (mod_setenvif)
  48. SPELING (mod_speling)
  49. STATUS (mod_status)
  50. UNIQUE_ID (mod_unique_id)
  51. USERDIR (mod_userdir)
  52. USERTRACK (mod_usertrack)
  53. VHOST_ALIAS (mod_alias)
  54. FILTER (mod_filter)
  55. VERSION (mod_version)
  56. SSL (mod_ssl)
  57. REQTIMEOUT (mod_reqtimeout)

Once the installation finishes, you will have a new script in /usr/local/etc/rc.d named apache22. You can use /usr/local/etc/rc.d/apache22 or apachectl to start the server. But before that, you need to add an enable line for Apache to your /etc/rc.conf file:

apache22_enable="YES"

Configuring Apache’s httpd.conf

The httpd.conf contains almost all of the important configuration settings. Everything can be done here, from adding virtual hosts, to setting the log files, to setting .htm files to be parsed for PHP. You can open the httpd.conf file for editing with

ee /usr/local/etc/apache22/httpd.conf

The first thing you will need to change in the file to get your server going is the ServerName, set to the hostname you want to use for the server. If you do not have one you can use the IP address, or localhost. This needs to be followed by the port number.

ServerName www.yourdomain.com:80

Which in my case I use:

ServerName cluster0.xathrya.id:80

Currently in Apache 2.2.x the default directory is /usr/local/www/apache22 instead of the old default. You can change to the standard directory of /usr/local/www/data if you want. Just replace every /usr/local/www/apache22 with /usr/local/www/data in the file and then move the folder like this (if you do not have a previous version of Apache installed that has already created the directory):

mv /usr/local/www/apache22 /usr/local/www/data

You can do the replacement easily with sarep from the ports, using this command:

sarep "/usr/local/www/apache22" "/usr/local/www/data" httpd.conf

This is enough to get the server going so that you can check that it will run, so do that now.

Starting Apache

Apache is controlled with apachectl; some examples of its usage are

apachectl start
apachectl restart
apachectl graceful
apachectl stop

The graceful option has the same result as restart; it just does it in a nice way, as opposed to restart, which restarts the server forcefully.

Before restarting or starting Apache it is best to run configtest to check for errors in httpd.conf:

apachectl configtest

If this comes back OK then you are good to go. When starting Apache it will not tell you whether the start was successful; the easiest way to check this is to restart it. If Apache failed to start previously, it will tell you that Apache is not running when you perform the restart.

If Apache won't start for an unknown reason, you can check the logs for the error messages. The logs are located at /var/log/messages and /var/log/httpd-error.log, and you can check them with

tail /var/log/messages
tail /var/log/httpd-error.log

To check that you can reach the server, just point your web browser at the machine and you should get a page telling you that Apache has been successfully installed.

Turning on the defaults

Many of the default settings are now included in a separate file and turned off by default. To use them, uncomment this part of your httpd.conf file:

# Various default settings
Include etc/apache22/extra/httpd-default.conf

Common Errors

The most common error when setting up Apache is the "cannot determine local host name" error. This error is caused by the hostname resolving to a different IP than the one the machine has. To check what your current hostname is, use hostname. Then use nslookup on the hostname to get the IP and compare it to the IP your machine is actually using, shown by ifconfig. For example:

# hostname
	server.mydomain.com

# nslookup server.mydomain.com
	Non-authoritative answer:
	Name:   server.mydomain.com
	Address: 10.1.1.30

# ifconfig
	inet 192.168.0.5 netmask 0xffffff00

We can see here that the IP of the hostname does not match the real IP of the machine. A quick fix for this is to just add the hostname to your /etc/hosts file.

# ee /etc/hosts
	192.168.0.5	server.mydomain.com.

This will set the hostname to the IP assigned to your machine. Make sure you do not forget to put a . on the end when adding this line!

Another very common error is this one:

[warn] (2)No such file or directory: Failed to enable the 'httpready' Accept Filter

It is caused by not having the accf_http kernel module loaded. Loading it is explained above.

Password Protecting Directories

Directories are set to be password protected in the httpd.conf file as well. See the tutorial on password protecting directories with htaccess in Apache.

Encrypting Traffic with SSL

The data moving between the user and your server will be plain text unless you encrypt it. See the tutorial on setting up SSL with Apache 2.

PHP5

Installing PHP5 is as easy as installing any port. Run the following commands:

cd /usr/ports/lang/php5
make install

You can configure it as you like. As a reference, here is my configuration:

  1. CLI (Build CLI version)
  2. CGI (Build CGI version)
  3. APACHE (Build Apache module)
  4. SUHOSIN (Enable Suhosin protection system)
  5. IPV6 (Enable ipv6 support)
  6. LINKTHR (Link thread lib (for threaded extensions))

Make sure APACHE is ticked!

Now install the PHP5 extensions with

cd /usr/ports/lang/php5-extensions
make install

Again, the configuration is yours. Here is my list:

  1. BCMATH (bc style precision math functions)
  2. BZ2 (bzip2 library support)
  3. CTYPE (ctype functions)
  4. CURL (CURL support)
  5. DOM (DOM support)
  6. FILTER (input filter support)
  7. GD (GD library support)
  8. GMP (GNU MP support)
  9. HASH (HASH Message Digest Framework)
  10. ICONV (iconv support)
  11. JSON (JavaScript Object Serialization support)
  12. LDAP (OpenLDAP support)
  13. MYSQL (MySQL database support)
  14. PDO (PHP Data Objects Interface (PDO))
  15. PDO_SQLITE (PDO sqlite driver)
  16. PGSQL (PostgreSQL database support)
  17. PHAR (phar support)
  18. POSIX (POSIX-like functions)
  19. SESSION (session support)
  20. SIMPLEXML (simplexml support)
  21. SQLITE (sqlite support)
  22. SQLITE3 (sqlite3 support)
  23. TOKENIZER (tokenizer support)
  24. WDDX (WDDX support (implies XML))
  25. XML (XML support)
  26. XMLREADER (XMLReader support)
  27. XMLWRITER (XMLWriter support)
  28. ZIP (ZIP support)
  29. ZLIP (ZLIB support)

To make the configuration file for PHP, invoke this command:

cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini

Then edit Apache's configuration file at /usr/local/etc/apache22/httpd.conf and add these:

AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps

In DirectoryIndex, add the php extension so it reads something like this:

DirectoryIndex index.html index.php

Edit the language configuration file (/usr/local/etc/apache22/extra/httpd-languages.conf) and add the following line:

AddDefaultCharset On

Now restart Apache (or start it, if you haven't started it yet):

/usr/local/etc/rc.d/apache22 restart

Introduction to Operating System Permission

December 5, 2015 | Article | 3 Comments

UNIX is by default a multiuser and multitasking operating system. Several users can be logged in at the same time on a single machine. Thus, UNIX needs rules to manage users. One of these rules is permissions, which constrain what a user can do. A user can only do things they are privileged for.

In this article we will discuss permissions in the UNIX operating system, which can also be used as a reference for Linux and FreeBSD.

The Read, Write, & Execute Access Permission

In the UNIX world, everything is a file. Whether you access a real file such as a text document, a web page, an image, a song, or a video, or something such as a socket or a device: everything is a file.

UNIX then grants privileges for who can access which resource (file) on the system. The access types are divided into three: read (r), write (w), and execute (x).

As the names suggest, each permission limits what a user can do. If a user has read access to a certain file, he can read the file. To write to a file, a user must obtain write permission. Execute permission allows a user to run a file as an executable; files such as scripts and applications are treated in this way.

A permission given to a user is a set of the three access types mentioned before. Thus a user can have a combination of the three, such as read & write, read & execute, read only, write only, etc. To denote what privileges a user has, there is a common method: using an octal number.

In the octal representation,

  1. read access (r) represented by 4
  2. write access (w) represented by 2
  3. execute access (x) represented by 1

Thus, the general formula to obtain a user's privileges is read + write + execute. For example,

  1. a user with no read access, write access, and execute access = 0 + 2 + 1 = 3
  2. a user with read, write, and execute access = 4 + 2 + 1 = 7

On UNIX, there is also a common method to denote privileges using a combination of characters. UNIX uses three fields filled with r, w, and x for read, write, and execute access respectively. If the user does not have the corresponding access, it is denoted by the '-' character. Thus for the example above we have:

  1. a user with no read access, write access, and execute access = -wx
  2. a user with read, write, and execute access = rwx

User, Groups, and Other

Furthermore, a user of a UNIX machine falls into certain groups of users. A group is a class of users who share the same interest, and membership can only be decided by the root account. UNIX then divides permissions into three categories: user (the one who owns the file, not always the one who created it), group (users who share the same group), and other (users who are not in the owner's group).

Thus, in UNIX every file has ownership. The ownership is identified by two values: the user owner and the group owner. The user owner determines the permission set for the user, while the group owner determines the permission set for the group. The access is denoted by the same method mentioned above.

For example: a file "System Blueprint.odt" is created by user xathrya. The ownership of this file is xathrya (user), engineer (group). The file can be read and written by xathrya (as owner), each user in group engineer can read but not write it, and a user who is not in the engineer group cannot read, write, or execute this file. Thus user alice, who is in the engineer group, can read it, while user bob, who is not in the engineer group, is denied access.

Let's invoke this:

ls -l

You will then see a list of the files and directories in the current path. In the first segment of each entry, there is a string consisting of d, r, w, and x. This denotes the permissions according to the user, group, and other classification we discussed above (except for d, which denotes whether the entry is a directory).

The 2nd to 4th characters denote the permissions for the user. The 5th to 7th denote the permissions for the group. The 8th to 10th denote the permissions for other. In short, if an entry has a permission string like drw-rw-r--, then the directory (d) can be read and written by its user and group, while other users can only read / see it.

Changing the Permission

As discussed above, a file has access permissions. These privileges can be changed at any time using chmod. Here is an example:

chmod 444 foo

The 444 means user, group, and other can only read foo (remember how we denote access using octal numbers).

Besides the numerical method above, we can use chmod with symbols such as r, w, and x. First see this table:

Option          Character   Representing
(who)           u           User
(who)           g           Group owner
(who)           o           Other
(who)           a           All ("world")
(action)        +           add permission
(action)        -           remove permission
(action)        =           assign permission
(permissions)   r           Read
(permissions)   w           Write
(permissions)   x           Execute
(permissions)   t           Sticky bit
(permissions)   s           Set UID or GID

Now, let's see some examples:

chmod a+rwx foo

That example assigns permissions to foo. The symbol a means all users are affected, and the permissions set are read, write, and execute. Thus any user has total access to foo.

If you target a, you can also omit it, as in:

chmod +rwx foo

Another example:

chmod g-x foobar

This command removes execute permission from users who share the group of the group owner. Thus this command only affects the group owner.

FreeBSD File Flags

Exclusive to FreeBSD, there are some additional "file flags" that can be applied. These flags add to the control and security of files. With them, even root can be prevented from changing or removing files.

The flags can be assigned with:

chflags

Some flags are described here:

  • arch: archived flag
  • nodump: nodump flag
  • sappnd: system append-only flag
  • schg: system immutable flag
  • sunlnk: system undeletable flag
  • uappnd: user append-only flag
  • uchg: user immutable flag
  • uunlnk: user undeletable flag

For example, if we want to create a file and ensure the file cannot be written, we use the immutable flag, like this:

chflags schg foo

To check the flag status, we can use:

ls -ol

Now try using root privileges to remove a file with the immutable flag 😀

setuid, setgid, and sticky

Along with the permission system discussed before, another permission system is introduced: setuid, setgid, and sticky. These settings are important for some systems as they provide functionality that is not given to a normal user.

Setuid will set user ID upon execution. Setgid will set group ID upon execution. These

Before we proceed, let's discuss the real user ID and the effective user ID.

The real user ID is the UID that owns or started a process.

The effective user ID is the UID used at the process's runtime.

For example: a user running passwd will have passwd run under their UID, but for updating the password database, passwd assumes the UID of root. This prevents the user from getting an error message such as "Permission Denied".

The setuid permission can be set by adding 4 in front of the permission set, as described here:

chmod 4755 foo

Then look at the list of files in the current directory. You will see an s symbol in the file permissions: the permission string will be rwsr-xr-x instead of rwxr-xr-x.

Setgid is similar to setuid, except it changes the group. To set the setgid bit, add 2 instead of 4 to the previous example, like this:

chmod 2755 foo

Of course, using setuid and setgid creates a threat. If an attacker can exploit a setuid- or setgid-enabled binary, he can gain root-level access. To prevent this, make sure a normal user doesn't have access to setuid, especially for users other than themselves.

For example: if a text editor like vi had setuid active, it could open any file that can only be opened by a certain user. This is because the system assumes vi is run by root even when the one who ran it is a normal user. Then, what if the user accesses sensitive files such as initialization scripts, or password files?

Last, the sticky permission. If this permission is set, then the only one who can remove the file is the file owner. To add the sticky permission, we add 1 when setting permissions with chmod, like this:

chmod 1755 foo

The permission set will show as the character t in the permission flags, such as rwxr-xr-t instead of rwxr-xr-x.
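As an added example (not code from the original article), the following Python translates between the three notations used above: the ls -l mode string, the octal number including the 4/2/1 leading digit for setuid, setgid and sticky, and chmod's symbolic u/g/o/a with + - = form from the table. It goes slightly beyond the text by also handling the uppercase S and T that ls prints when a special bit is set without the execute bit; the function names are my own.

```python
import re

# Bit values of r/w/x inside one class (user, group, other), and the three
# special bits that live in the leading digit of a 4-digit mode (4755, 2755, 1755).
BITS = {"r": 4, "w": 2, "x": 1}
SHIFT = {"u": 6, "g": 3, "o": 0}
SPECIAL = {"u": 0o4000, "g": 0o2000, "o": 0o1000}   # setuid, setgid, sticky


def mode_to_octal(mode_str):
    """'drw-rw-r--' -> (True, 0o664); 'rwsr-xr-x' -> (False, 0o4755).

    Accepts the 10-character ls -l string (type letter first) or the
    9-character body. In the execute slot, s/t mean "special bit plus
    execute"; the uppercase S/T that ls prints mean the special bit is set
    but execute is not."""
    if len(mode_str) == 10:
        is_dir, body = mode_str[0] == "d", mode_str[1:]
    elif len(mode_str) == 9:
        is_dir, body = False, mode_str
    else:
        raise ValueError("mode string must be 9 or 10 characters")
    if not re.fullmatch(r"([r-][w-][xsS-]){2}[r-][w-][xtT-]", body):
        raise ValueError("malformed mode string: %r" % mode_str)
    octal = 0
    for i, cls in enumerate("ugo"):
        r, w, x = body[3 * i:3 * i + 3]
        if r == "r":
            octal |= 4 << SHIFT[cls]
        if w == "w":
            octal |= 2 << SHIFT[cls]
        if x in "xst":                 # lowercase: execute bit present
            octal |= 1 << SHIFT[cls]
        if x in "sStT":                # any special letter: special bit present
            octal |= SPECIAL[cls]
    return is_dir, octal


def octal_to_mode(octal):
    """0o4755 -> 'rwsr-xr-x'; 0o1755 -> 'rwxr-xr-t'; 0o4655 -> 'rwSr-xr-x'."""
    out = []
    for cls in "ugo":
        perm = (octal >> SHIFT[cls]) & 7
        out.append("r" if perm & 4 else "-")
        out.append("w" if perm & 2 else "-")
        if octal & SPECIAL[cls]:
            letter = "t" if cls == "o" else "s"
            out.append(letter if perm & 1 else letter.upper())
        else:
            out.append("x" if perm & 1 else "-")
    return "".join(out)


def apply_chmod(expr, octal):
    """Apply one chmod mode argument to an octal mode and return the result.

    Handles the numeric form ('444', '4755') and the symbolic form from the
    table: [ugoa]*[+-=][rwxst]+, several clauses separated by commas
    ('u+x,g-w'). An empty "who" means all, as in 'chmod +rwx foo' (the real
    chmod also applies the umask in that case; this helper does not).
    With '=', only the named classes' r/w/x bits are replaced; special bits
    change only when s or t is named."""
    if re.fullmatch(r"[0-7]{3,4}", expr):
        return int(expr, 8)
    for clause in expr.split(","):
        m = re.fullmatch(r"([ugoa]*)([+=-])([rwxst]*)", clause)
        if not m:
            raise ValueError("bad chmod clause: %r" % clause)
        who, action, perms = m.groups()
        classes = set(who.replace("a", "ugo")) or set("ugo")
        mask = 0
        for cls in classes:
            for p in perms:
                if p in BITS:
                    mask |= BITS[p] << SHIFT[cls]
            if "s" in perms and cls in "ug":
                mask |= SPECIAL[cls]
        if "t" in perms:
            mask |= SPECIAL["o"]
        if action == "+":
            octal |= mask
        elif action == "-":
            octal &= ~mask
        else:
            clear = sum(7 << SHIFT[cls] for cls in classes)
            octal = (octal & ~clear) | mask
    return octal & 0o7777


if __name__ == "__main__":
    # The article's own examples, round-tripped through the three notations.
    print(mode_to_octal("drw-rw-r--"))                       # (True, 436) == 0o664
    print(octal_to_mode(apply_chmod("4755", 0)))             # rwsr-xr-x
    print(octal_to_mode(apply_chmod("g-x", 0o755)))          # rwxr--r-x
```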

SSH Tunnel over FreeBSD Server

December 5, 2015 | Article | No Comments

An SSH tunnel can be used to get around a firewall, encrypt data, and bypass common filters. It can also give you access to your internal network when you are outside of it. In theory, our internet connection goes through a tunnel using SSH. At the other end, on the remote host (the host we SSH to), we do port forwarding. This method works when you have an account on the remote server and the firewall in our network allows SSH connections to pass.

In this article we will discuss how to set up a tunnel between a Linux machine and/or Windows 8 and a FreeBSD machine. For this, I use:

  1. Linux, Slackware64 14.0, as a client / remote computer
  2. Windows 8, as a client / remote computer
  3. FreeBSD 8.3 amd64, as a server / connecting computer
  4. Tinyproxy on FreeBSD

Enabling the SSH Daemon

If you enabled SSH when you installed FreeBSD, you are already on your way to getting one set up. If you aren't able to SSH to your machine, make sure that it is enabled in rc.conf:

sshd_enable="YES"

You can start it with

/etc/rc.d/sshd start

To check that SSH is running, you can attempt to SSH into your own machine.

ssh localhost

If you are asked to accept the key or are asked for a password, then it's working.

Installing Tinyproxy

Like any FreeBSD package, Tinyproxy can be installed from the ports. To do so, invoke these commands:

cd /usr/ports/www/tinyproxy
make install distclean

Once the install completes, you will need to rename the config file and edit it.

ee /usr/local/etc/tinyproxy.conf

It's a good idea to change the port to something other than 8888. In this tutorial we will use 1351 for the tinyproxy port. The rest of the settings will work as they are: 127.0.0.1 is allowed access by default, and since we will be tunneling to this machine, that's the only one we need.

It may also be a good idea to change the log path to something besides /var/logs/tinyproxy.log if you have a small /var partition. The log contains a list of all URLs you access through it, and this can easily fill up your partition if you use it daily. You may also want to make sure that the data is safe if there are other users on the machine.

Starting Tinyproxy

Before you can start tinyproxy, you need to add the following to your /etc/rc.conf file:

tinyproxy_enable="YES"

Then start it using its startup script:

/usr/local/etc/rc.d/tinyproxy start

Installing SSH Tunnel on Windows

SSH Tunnel is actually the name of the program we will be using for our SSH tunnel. You can download SSH Tunnel here.

Choose Config from the Edit menu and enter the tunnel information. Fill it out similar to the following with your own information.

[screenshot: SSH Tunnel configuration dialog]

The tunnel creates a port on the Windows machine that comes out on the FreeBSD machine. This is why the listen address is your localhost. On the other end you give the internal IP of the BSD box and the port you set tinyproxy to.

Once you save the tunnel, it will appear in the drop-down menu on the home screen. Choose it and hit connect.

[screenshot: SSH Tunnel main window]

If you are able to connect successfully, the light will turn green. If you are not able to connect, try connecting with a different SSH client to make sure that you are able to connect at all. If the FreeBSD machine is behind a firewall or router, you will need to forward port 22.

Creating the Tunnel on Linux

To create a new tunnel, open up a terminal and create the connection using the ssh client. The things we must consider are: the address of our remote host (our FreeBSD machine), the local port we want to redirect, and the port on the remote machine (1351).

For example: our machine is identified as freebsd.celestial-being.net with tinyproxy on port 1351. We want to redirect port 1050 to freebsd.celestial-being.net:1351. Then the command we need is:

ssh -f user@freebsd.celestial-being.net -L 1050:freebsd.celestial-being.net:1351 -N

The -f switch tells ssh to go to the background just before it executes commands. This is followed by the username and the server you are logging into (ssh prompts for the password; it does not take one on the command line). The -L 1050:freebsd.celestial-being.net:1351 is in the form -L local-port:host:remote-port. Finally, the -N instructs OpenSSH not to execute a command on the remote system.

Testing the Tunnel

Open a command prompt in Windows 8 (Run, then cmd). If you run Linux, open a terminal. Either way, type the following:

telnet localhost 1050

1050 is the port we used above in the tunnel settings; if you chose a different port, use that. If you get an error that you are unable to connect, then either the tunnel settings or the tinyproxy config is incorrect. Otherwise you are ready to start using the tunnel.

Configuring the Browser

In Firefox go to Tools > Options and then choose connection settings from the general tab. Select manual proxy configuration and enter localhost and 1050 for the port. This will point your browser to go through the tunnel and tinyproxy on the other end for everything.

[Screenshot: Firefox proxy settings]

Tunneling Other Traffic

By default tinyproxy limits what can go through to web traffic (ports 80 and 443). If you would like to tunnel other traffic, such as your instant messengers, you will either need to add those ports to the tinyproxy.conf file or comment out the following lines:

#ConnectPort 443
#ConnectPort 563

Once they are commented out and you restart tinyproxy everything will be allowed through the proxy. This is a risk, so if you don’t need this option just stick to the defaults or allow the ports individually.
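A quick way to see which setting a box actually ends up with, as an added example (not part of the original article and not tinyproxy's own tooling): the script below reads a tinyproxy.conf and reports the ports CONNECT requests may reach, treating "no active ConnectPort line" as the risky "anything goes" case described above. The three config files are constructed samples written to a temporary directory; the XMPP port 5222 in the third one stands in for "an instant messenger port you added individually".

```shell
# Added example: audit which ports a tinyproxy.conf lets CONNECT requests reach.
# The config files below are constructed samples, not the article's tinyproxy.conf.
TP_DIR=$(mktemp -d)
cat > "$TP_DIR/default.conf" <<'EOF'
Port 1351
Listen 127.0.0.1
Allow 127.0.0.1
ConnectPort 443
ConnectPort 563
EOF
cat > "$TP_DIR/open.conf" <<'EOF'
Port 1351
# both lines commented out: tinyproxy then allows CONNECT to every port
#ConnectPort 443
#ConnectPort 563
EOF
cat > "$TP_DIR/extra.conf" <<'EOF'
Port 1351
ConnectPort 443
ConnectPort 563
ConnectPort 5222
EOF

# Print the active (uncommented) ConnectPort values of tinyproxy.conf $1, space
# separated, or "any" when none is left: with no ConnectPort line at all
# tinyproxy permits CONNECT to any port, which is the risky setting.
connect_ports_allowed() {
    ports=$(grep -E '^[[:space:]]*ConnectPort[[:space:]]+[0-9]+' "$1" \
            | awk '{ printf "%s%s", (n++ ? " " : ""), $2 }')
    if [ -z "$ports" ]; then echo any; else echo "$ports"; fi
}

# Return 0 when CONNECT is restricted (the default list or an explicit one),
# 1 when everything is allowed; usable as a post-install check.
connect_is_restricted() {
    [ "$(connect_ports_allowed "$1")" != any ]
}

for f in default open extra; do
    printf '%s: %s\n' "$f" "$(connect_ports_allowed "$TP_DIR/$f.conf")"
done
```

Run it against the real file with connect_ports_allowed /usr/local/etc/tinyproxy.conf; a result of "any" means the two lines were commented out and nothing limits what the tunnel can reach.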

Using PuTTY instead of SSH Tunnel for Windows

If you do not have admin rights on your machine you can use PuTTY instead to set up the tunnel.

The Secure Socket Layer (SSL) protocol was created by Netscape to ensure secure transactions between two nodes (server and client). Not always, but usually it is used for web browsing transactions. The protocol uses a third party, a Certificate Authority (CA), to identify one end or both ends of the transaction. In short:

  1. A browser requests a secure page (usually https://).
  2. The web server sends its public key with its certificate.
  3. The browser checks that the certificate was issued by a trusted party (usually a trusted root CA), that the certificate is still valid and that the certificate is related to the site contacted.
  4. The browser then uses the public key to encrypt a random symmetric encryption key and sends it to the server with the encrypted URL required as well as other encrypted http data.
  5. The web server decrypts the symmetric encryption key using its private key and uses the symmetric key to decrypt the URL and http data.
  6. The web server sends back the requested html document and http data encrypted with the symmetric key.
  7. The browser decrypts the http data and html document using the symmetric key and displays the information.

If you want to create your own SSL certificates for things such as Apache you need a CA. You can buy an SSL certificate generated by a trusted CA such as Thawte or Verisign, or you can generate one yourself using OpenSSL. Make sure you have installed OpenSSL (from ports or as a binary package).

In this article we will discuss how to generate our own CA using OpenSSL.

openssl.cnf

On FreeBSD you can edit your OpenSSL config file with

ee /etc/ssl/openssl.cnf

This tutorial will use most of the default FreeBSD openssl.cnf settings. You just need to change the following settings in the file:

dir = /usr/local/etc/certkeys
default_days = 3650

/usr/local/etc/certkeys is the directory we will be using in this tutorial (we create it in the next section). The certificates will be valid for 3650 days, or 10 years. This number can be set freely; the default is 365 if you do not configure it.

Filling out your location and company information is often the most tedious task when generating SSL certificates, so it is best to set as much of it as you can in your openssl.cnf file. The settings where it can be done end in _default, such as:

countryName_default = JP
stateOrProvinceName_default = KY
localityName_default = Kyoto

Setting up the directories

Now that the openssl.cnf file is set up, it is time to create the directories where we will keep our CA and the other certificates we will generate, if you have not created them already. Whatever location you choose, give it permissions of 700 so that only root can read the keys.

cd /usr/local/etc/
mkdir certkeys
chmod 700 certkeys

cd certkeys
mkdir certs private newcerts

Create a serial file which will be used to name the new certificates generated and an index.txt file.

echo 1000 > serial
touch index.txt

Creating the CA

Use the following command to generate the Certificate Authority. The command is shown with backslashes to fit it onto the page.

cd /usr/local/etc/certkeys
openssl req -new -x509 -days 3650 -extensions v3_ca \
-keyout private/cakey.pem -out cacert.pem \
-config /etc/ssl/openssl.cnf

The output will look similar to this. Fill in your own information as needed. Make SURE you choose a good password for your CA, and that you remember it for as many years as the CA is valid. Without the password you will not be able to use it to generate any new certificates. For fields that show the correct default value you can just hit enter.

Generating a 1024 bit RSA private key
...................++++++
.....................++++++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [Kyoto]:
Locality Name (eg, city) [Kyoto]:
Organization Name (eg, company) []: Celestial Being
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []: freebsd.xathrya.id
Email Address []: [email protected]

The CA should now be generated. You can double check it by looking at the two files that were created.

more /usr/local/etc/certkeys/cacert.pem
more /usr/local/etc/certkeys/private/cakey.pem

Keep the cakey.pem file and the password safe and you can now use it to generate SSL certificates.
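Putting the whole procedure together, as an added example that is not from the article: the script below builds the same directory layout (certs, private, newcerts, serial, index.txt), generates the CA, then issues a server certificate with openssl ca and checks it against the CA the way a client would, including the negative case of a certificate the CA never signed. It writes its own minimal openssl.cnf (constructed here, mirroring the dir and default_days = 3650 changes above) instead of editing /etc/ssl/openssl.cnf so that it runs non-interactively; the pass phrase, organisation and host names are sample values.

```shell
# Added example: private CA plus one issued server certificate, verified.
# Uses a constructed openssl.cnf rather than the FreeBSD /etc/ssl/openssl.cnf.
CA_PASS="example-ca-passphrase"   # constructed sample; use a strong one for real

# Write a minimal openssl.cnf into $1; [ CA_default ] mirrors the article's
# settings (dir, default_days = 3650) plus the sections 'openssl ca' needs.
write_cnf() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = $1
certs = \$dir/certs
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_days = 3650
default_md = sha256
policy = policy_anything
x509_extensions = usr_cert
unique_subject = no

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
distinguished_name = req_distinguished_name

[ req_distinguished_name ]

[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Directory layout from the article: certs/ private/ newcerts/, serial, index.txt.
setup_ca_dir() {
    mkdir -p "$1/certs" "$1/private" "$1/newcerts"
    chmod 700 "$1" "$1/private"
    echo 1000 > "$1/serial"
    : > "$1/index.txt"
    write_cnf "$1"
}

# Self-signed CA certificate, 10 years, v3_ca extensions, pass-phrase-protected key.
create_ca() {
    openssl req -new -x509 -days 3650 -extensions v3_ca -newkey rsa:2048 \
        -keyout "$1/private/cakey.pem" -out "$1/cacert.pem" \
        -config "$1/openssl.cnf" -passout "pass:$CA_PASS" \
        -subj "/C=JP/ST=Kyoto/L=Kyoto/O=Example CA/CN=Example Root CA" 2>/dev/null
}

# Issue a server certificate for host $2, signed by the CA kept in $1.
issue_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/private/$2.key" \
        -out "$1/$2.csr" -config "$1/openssl.cnf" -subj "/CN=$2" 2>/dev/null &&
    openssl ca -batch -notext -config "$1/openssl.cnf" -in "$1/$2.csr" \
        -out "$1/certs/$2.pem" -passin "pass:$CA_PASS" >/dev/null 2>&1
}

# Print OK when certificate $2 chains to the CA in $1, FAIL otherwise.
verify_with_ca() {
    if openssl verify -CAfile "$1/cacert.pem" "$2" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Run the whole flow in a fresh directory; the second check shows that a
# certificate this CA never signed does not verify.
demo() {
    dir=${1:-$(mktemp -d)}
    setup_ca_dir "$dir" && create_ca "$dir" && issue_server_cert "$dir" www.example.test || return 1
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$dir/other.key" \
        -out "$dir/other.pem" -config "$dir/openssl.cnf" -subj "/CN=other" 2>/dev/null
    echo "issued:   $(verify_with_ca "$dir" "$dir/certs/www.example.test.pem")"
    echo "stranger: $(verify_with_ca "$dir" "$dir/other.pem")"
}

demo
```

After issue_server_cert runs, newcerts/1000.pem holds a copy of the issued certificate, index.txt records it and serial has moved on to 1001, which is what the serial and index.txt files created above are for.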

FreeBSD Basics

December 5, 2015 | Article | No Comments

When first starting out with FreeBSD it can be frustrating when you are unable to find where the config files are, how to configure some things, or how to stop a service from starting at boot.

In this article we will discuss some important directories and files in FreeBSD, and what is found in them. I assume you have at least a basic understanding of the FHS (Filesystem Hierarchy Standard) to get around the directory structure.

/etc/rc.conf

The rc.conf file normally looks something like this

hostname="host.mydomain.com"
ifconfig_xl0="DHCP"
linux_enable="YES"
moused_enable="YES"
nfs_client_enable="YES"
sshd_enable="YES"
usbd_enable="YES"

It is read during start up and is responsible for configuring the system on every boot: defining the network card, the IP address (static or DHCP), which daemons should be started, and so on.

Variables whose names contain _enable invoke the script that starts a service or enables a feature. With inetd now disabled by default in FreeBSD, many packages have start up scripts that only allow the program to start if it is specifically enabled in the rc.conf file. A few of these programs are: bind, mysql, and apache.

For the network setup it is okay to have several different lines for the same network card; only the last one is actually used.
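A way to check what a given rc.conf actually does at boot, as an added example that is not part of the article: because rc.conf is shell syntax, sourcing it executes whatever it contains, so the script below parses it with awk instead and applies the "last assignment wins" rule from the paragraph above. It then lists every service whose _enable variable ends up on. The rc.conf is a constructed sample written to a temporary file, not a real system's file.

```shell
# Added example: read rc.conf without executing it and report its effective settings.
# The file below is a constructed sample, not the article's or any real rc.conf.
RC_SAMPLE=$(mktemp)
cat > "$RC_SAMPLE" <<'EOF'
hostname="host.mydomain.com"
ifconfig_xl0="DHCP"
ifconfig_xl0="inet 192.0.2.10 netmask 255.255.255.0"   # later line wins
linux_enable="YES"
moused_enable="YES"
nfs_client_enable="YES"
sshd_enable="YES"
usbd_enable="YES"
apache22_enable="NO"
EOF

# Shared awk program: collect key=value assignments, last one wins, strip
# surrounding double quotes and trailing comments.
RC_AWK='
/^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=/ {
    key = $1; sub(/^[[:space:]]+/, "", key)
    val = substr($0, index($0, "=") + 1)
    sub(/[[:space:]]*(#.*)?$/, "", val); gsub(/"/, "", val)
    v[key] = val
}'

# Print the effective value of variable $2 in rc.conf $1 (nothing if unset).
rc_value() {
    awk -F= -v want="$2" "$RC_AWK"' END { if (want in v) print v[want] }' "$1"
}

# Print, sorted and space separated, the services rc.conf turns on: every
# *_enable variable whose effective value rc.subr's checkyesno accepts
# (YES, TRUE, ON or 1, case-insensitive).
rc_enabled() {
    awk -F= "$RC_AWK"' END {
        for (k in v) {
            u = toupper(v[k])
            if (k ~ /_enable$/ && (u == "YES" || u == "TRUE" || u == "ON" || u == "1")) {
                name = k; sub(/_enable$/, "", name); print name
            }
        }
    }' "$1" | sort | tr "\n" " " | sed "s/ $//"
}

rc_value "$RC_SAMPLE" ifconfig_xl0     # inet 192.0.2.10 netmask 255.255.255.0
rc_enabled "$RC_SAMPLE"                # linux moused nfs_client sshd usbd
```

Pointing rc_enabled at /etc/rc.conf gives a quick inventory of what starts at boot, which is usually the first thing to compare against what you expect to be running on a host.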

/etc/make.conf

make.conf is a good place to store variables that the ports use, so that you do not have to define them on the command line every time you install a port that uses one.

PERL_VER=5.8.7
PERL_VERSION=5.8.7
WITHOUT_X11=yes
KERNCONF=MYKERNEL

/usr/local/etc

The majority of config files for installed packages appear here.

/usr/local/etc/rc.d

Scripts for starting and stopping installed services and applications are stored here. To manually start or stop a program, run its script directly:

/usr/local/etc/rc.d/apache22 start
/usr/local/etc/rc.d/apache22 stop

If you enable a package in /etc/rc.conf, FreeBSD will look for and execute the appropriate script from here.

/usr/ports

The ports collection is a directory of makefiles for a large number of common programs. You can install applications from ports. A brief explanation of the Ports Collection can be read here.

Guide to Shells on FreeBSD

December 5, 2015 | Article | No Comments

A shell is software that provides an interface for users of an operating system to access the services of a kernel. The name shell originates from shells being an outer layer of interface between the user and the internals of the operating system (the kernel).

In this article we will discuss shells and their role in basic FreeBSD understanding.

Command Line Interface

Most shells have a Command Line Interface, so if you come from the comfort of a Graphical User Interface, you must adapt to it.

Command Line Interface means there is only text in your shell: no buttons or menus you can click.

To instruct the machine, you type a command and press enter. Some commands or programs need arguments or parameters. An example of a command and its arguments:

cp mytext /home/user/folder/newtext

The above command copies files or directories. There is one command (cp) followed by two arguments: the first is the file in the current directory which will be copied, and the second is the path and file name of the new file.

Changing Shell

There are many shell types: bash, csh, tcsh, etc. The default shell used by FreeBSD is tcsh. If you are familiar with the bash shell on most Linux distros, then you might prefer bash. Unfortunately bash is not installed by default, so we must install it manually from ports. All shells available for FreeBSD are located in /usr/ports/shells.

Once you have installed a new shell you can set it as your default using

chsh

You will then be prompted with a screen asking for some information. Write the correct shell there.

A quicker method is to give the shell name and its path directly as an argument of the chsh command, such as:

chsh -s /path/to/myshell

Make sure you write the correct path and shell name. Failing to do so will leave your account inaccessible, as the account cannot execute the shell. Be especially careful with your root account.

Change Prompt

If you are using tcsh you can change the default prompt in ~/.cshrc. An example prompt is

set prompt = '%[email protected]%m:%/%# '

Auto Completion

Some shells have a built-in feature called auto completion. You do not need to write the full name of a command: type part of it and press TAB to make the shell write the rest for you.

On some shells, if the part you typed matches two or more similar names, the shell will print a list of the commands with similar names.

Environment Variables

Another feature of the shell is the use of environment variables. Environment variables are a variable/key pair stored in the shell’s environment. This environment can be read by any program invoked by the shell, and thus contains a lot of program configuration. Here is a list of common environment variables and their meanings:

Variable   Description
USER       Current logged in user's name.
PATH       Colon-separated list of directories to search for binaries.
DISPLAY    Network name of the Xorg display to connect to, if available.
SHELL      The current shell.
TERM       The name of the user's type of terminal. Used to determine the capabilities of the terminal.
TERMCAP    Database entry of the terminal escape codes to perform various terminal functions.
OSTYPE     Type of operating system.
MACHTYPE   The system's CPU architecture.
EDITOR     The user's preferred text editor.
PAGER      The user's preferred text pager.
MANPATH    Colon-separated list of directories to search for manual pages.

How to set an environment variable differs between shells. In tcsh and csh, use setenv to set environment variables. In sh and bash, use export to set the current environment variables. This example sets the default EDITOR to /usr/local/bin/emacs for the tcsh shell:

setenv EDITOR /usr/local/bin/emacs

The equivalent command for bash would be:

export EDITOR="/usr/local/bin/emacs"

To expand an environment variable in order to see its current setting, type a $ character in front of its name on the command line. For example, echo $TERM displays the current $TERM setting.

Shells treat special characters, known as meta-characters, as special representations of data. The most common meta-character is *, which represents any number of characters in a filename. Meta-characters can be used to perform filename globbing. For example, echo * is equivalent to ls because the shell takes all the files that match * and echo lists them on the command line.

To prevent the shell from interpreting a special character, escape it from the shell by starting it with a backslash (\). For example, echo $TERM prints the terminal setting whereas echo \$TERM literally prints the string $TERM.

Guide to FreeBSD Kernel Compilation

December 5, 2015 | Article | No Comments

In previous articles we discussed how to compile a kernel in Linux, and also how to add our own system call. But what about other operating systems?

Today, most of the functionality in the FreeBSD kernel is contained in modules which can be dynamically loaded and unloaded from the kernel as necessary. This allows the running kernel to adapt immediately to new hardware or for new functionality to be brought into the kernel. This is also known as modular kernel.

Unless we have built a custom kernel, FreeBSD uses the GENERIC kernel by default. The GENERIC kernel supports a wide range of hardware and contains everything we need to get a machine up and running. A custom kernel can be stripped down to provide support only for the specific hardware of the machine, which increases speed and efficiency.

The common reasons for rebuilding the kernel fall into these categories:

  1. Speed it up by taking out unused modules.
  2. Add support for new hardware
  3. Update the kernel with the new source code during a Make World.

We can also get some benefits, such as:

  1. Faster boot time. Since the kernel only probes the hardware present on the system, booting is faster.
  2. Lower memory usage. Kernel memory remains resident in physical memory until the system shuts down, so loading a minimal set of modules leaves more memory for applications.

This article will discuss how to recompile the kernel on FreeBSD. I will use FreeBSD 8.3 amd64 (other versions should be fine too).

Finding the System Hardware

Before compiling the kernel, it is recommended to find and list all the hardware of our machine. Make a list of which devices the system uses so the corresponding drivers can be included in the custom kernel.

During the boot probe, the hardware found is listed. We can use the dmesg command to see what hardware the system has already identified. For example, the following lines indicate that the psm driver found a mouse:

psm0: <PS/2 Mouse> irq 12 on atkbdc0
psm0: [GIANT-LOCKED]
psm0: [ITHREAD]
psm0: model Generic PS/2 mouse, device ID 0

On occasion, dmesg will only show system messages instead of the boot probe output. In these situations, the output may be obtained by reading the /var/run/dmesg.boot file.

Another method for finding hardware is to use pciconf, which provides more verbose output. For example, invoking "pciconf -lv" will show that the ath driver located a wireless Ethernet device, such as:

ath0@pci0:3:0:0: card=0x058a1014 chip=0x1014168c rev=0x01 hdr=0x00
vendor = 'Atheros Communications Inc.'
device = 'AR5212 Atheros AR5212 802.11abg wireless'
class = network
subclass = ethernet

More comprehensive information can be obtained by typing man ath to read the ath device manual page.

Creating the Kernel Configuration

As with every kernel compilation, the first step is to produce a configuration, a list of what our new kernel will contain. In this article we start from a copy of the good old GENERIC config on our machine. We do this by invoking the following (be sure you have root privileges):

cd /usr/src/sys/amd64/conf
cp GENERIC NEWKERNEL

If the architecture you use is not FreeBSD amd64, then replace amd64 with your corresponding architecture.

Once you have done this, open the new kernel config (the one we just copied) with a text editor such as vim or ee and begin to "hack" it.

The general format of a configuration file is quite simple. Each line contains a keyword and one or more arguments. For simplicity, most lines only contain one argument. Anything following a # is considered a comment and will be ignored.

An include directive is available for use in the configuration file. This allows another configuration file to be included in the current one and makes it easy to maintain small changes relative to an existing file.

The machine directive tells which machine architecture we use. The argument is either amd64, i386, ia64, pc98, powerpc, or sparc64.

Exclude the modules you do not need by writing a '#' (hash) character at the beginning of the line.

You should also change the ident directive's argument to the name of the file. This value is printed when the kernel boots and is a good way to identify which kernel is running now.

A list of kernel configuration options can be found here.

By default, when a custom kernel is compiled, all kernel modules are rebuilt as well. To update a kernel faster, or to build only custom modules, we can edit /etc/make.conf before proceeding to the next stage. To build a kernel with a list of modules, we can write something like this:

MODULES_OVERRIDE = linux acpi sound/sound sound/driver/ds1 ntfs

On the other hand, if we want to exclude a list of modules from rebuilding, we can use:

WITHOUT_MODULES = linux acpi sound ntfs

After saving the edits, we can proceed to next stage.
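Before moving on it is worth checking the edited file for the two mistakes the rules above warn about (a machine directive for the wrong architecture, or an ident that does not match the file name, so the running kernel cannot be told apart from GENERIC). The following is an added example, not part of the article or of the FreeBSD build system; the kernel config it inspects is a constructed, heavily trimmed sample in the shape of a GENERIC-style file, written to a temporary directory.

```shell
# Added example: sanity checks on a kernel config before 'make buildkernel'.
# The config below is a constructed sample in GENERIC's shape, not GENERIC itself.
KCONF_DIR=$(mktemp -d)
cat > "$KCONF_DIR/NEWKERNEL" <<'EOF'
# constructed sample kernel config
machine   amd64
cpu       HAMMER
ident     NEWKERNEL
options   SCHED_ULE
options   INET
device    psm      # PS/2 mouse found by dmesg
device    ath      # Atheros wireless found by pciconf
#device   sio      # serial ports, stripped out
#device   fdc      # floppy controller, stripped out
EOF

# Print "OK <machine> <ident>" when the machine directive names one of the
# supported architectures and ident matches the file name (the kernel prints
# ident at boot, so a mismatch hides which config is running); otherwise print
# a BAD line and return 1.
kernconf_check() {
    name=$(basename "$1")
    machine=$(awk '$1 == "machine" { print $2; exit }' "$1")
    ident=$(awk '$1 == "ident" { print $2; exit }' "$1")
    case " amd64 i386 ia64 pc98 powerpc sparc64 " in
        *" $machine "*) ;;
        *) echo "BAD machine '$machine'"; return 1 ;;
    esac
    if [ "$ident" != "$name" ]; then
        echo "BAD ident '$ident' does not match file name '$name'"; return 1
    fi
    echo "OK $machine $ident"
}

# Count device lines kept versus stripped with a leading '#', to see how far
# the config has been trimmed down from GENERIC.
kernconf_devices() {
    awk '
        $1 == "device" { kept++ }
        /^#[[:space:]]*device[[:space:]]/ { stripped++ }
        END { printf "kept=%d stripped=%d\n", kept, stripped }' "$1"
}

kernconf_check "$KCONF_DIR/NEWKERNEL"      # OK amd64 NEWKERNEL
kernconf_devices "$KCONF_DIR/NEWKERNEL"    # kept=2 stripped=2
```

Run kernconf_check /usr/src/sys/amd64/conf/NEWKERNEL on the real file; a non-zero exit means fix the config before spending the build time.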

Building and Installing

Before proceeding, the full FreeBSD source tree must be installed. Then build and install the kernel:

cd /usr/src
make buildkernel KERNCONF=NEWKERNEL
make installkernel KERNCONF=NEWKERNEL

The new kernel will be copied to /boot/kernel as /boot/kernel/kernel and the old kernel will be moved to /boot/kernel.old/kernel

Reboot

When finished customizing the kernel, save a backup copy to a location outside of /usr/src.

Reboot the machine by invoking the reboot command. If the machine reboots successfully but gives errors, it is most likely because the kernel was compiled from source code that is newer than that of the installed world.
