[file modified: 07-16-2006]

Step-by-Step FreeBSD ISP


Contents:

System Administration

User Administration / User Authentication


Pre-Install

Notes: Do not accept the predefined partitions, as the default temp (swap) partition does not seem anywhere near large enough. For almost any modern hard drive, make the swap partition a minimum of 500 MB, and optimally between 800 MB and 1 to 2 GB. On one system I had, even though I had plenty of hard drive space, the default temp directory auto-configured by FreeBSD was too small, and many apps failed while compiling because the system would run out of swap space.

While I really like FreeBSD, the temp drive is one area where Microsoft runs circles around FreeBSD. If you need a bigger swap drive in Windows, you just go in and increase it. If you need a bigger swap partition in FreeBSD, you have to jump through hoops. 

Problems:

You do a standard install and get this error message:

WARNING: A geometry of 238216/16/63 for ad1 is incorrect. Using a more likely geometry. If this geometry is incorrect or you are unsure as to whether or not it's correct, please consult the Hardware Guide in the Documentation submenu or use the (G)eometry command to change it now.

Remember: you need to enter whatever your BIOS thinks the geometry is! For IDE, it's what you were told in the BIOS setup. For SCSI, it's the translation mode your controller is using. Do NOT use a ``physical geometry''.

The "more likely" geometry works, but when it installs from CD, you get a huge amount of:

/: create/symlink failed no inodes free

The install eventually "finishes", but none of the files are actually copied, because nothing can be written from the CD to the hard drive.

Solution:

Go into system BIOS and change the hard drive detection from "auto / auto," to "auto / LBA." The hard drive will still detect automatically, and you may still get a warning message in FreeBSD, but the "more likely" geometry that FreeBSD finds now actually matches the information that BIOS finds when auto detecting using LBA addressing. 

FreeBSD should now install just fine. Of course, all of the above assumes you are working with an IDE drive. If you are getting geometry errors with a SCSI drive, I would advise doing some more googling.

SSH - Allow Root Login

I know all the reasons for not allowing root login to SSH, but if you have just thrown a server together and need to work on it from your home and want to login as root...

vi /etc/ssh/sshd_config

set "PermitRootLogin" to "yes"

Restart sshd or reboot the server.

Note: This assumes that you allowed the SSH option during the FreeBSD install.

Optionally, you can log in as a user and "su root," enter the root password, and change to root.

Note: This is actually fairly easy, as the user only needs to be a member of the "wheel" group to be able to su to root.


Install FreeBSD

Estimated time: 45 minutes to 1.5 hours (if everything goes smoothly).

Set the System Clock

If you skip setting the system clock during the FreeBSD install, be sure to set it before doing anything else once you are in FreeBSD. Some ports will fail to install if the date is wrong. Save yourself time and grief by doing this step first.

FreeBSD 5.4:

Note: date "+DATE: %Y-%m-%d%nTIME: %H:%M:%S" only displays the current date and time in a readable format. To set the clock, run:

# date 050720113047

Here is how the digits break down, field by field:

Year: 05
Month: 07
Day: 20
Hour: 11
Minutes: 30
Seconds: 47
(Time is in 24-hour format, not 12-hour.)

FreeBSD 6.0

Note: the above format is broken and won't work on 6.0! The format that works on FreeBSD 6.0 is:

# date 0507201130

Here is how the digits break down, field by field:

Year: 05
Month: 07
Day: 20
Hour: 11
Minutes: 30
(Time is in 24-hour format, not 12-hour.)

If you want to set seconds:

# date 0507201130.47

Here is how the digits break down, field by field:

Year: 05
Month: 07
Day: 20
Hour: 11
Minutes: 30
Seconds: 47
(Time is in 24-hour format, not 12-hour.)

If you don't put the period in to separate the seconds, you get an illegal date format.


Install Webmin

Estimated time: 35 minutes to an hour

Change to Webmin ports directory (cd /usr/ports/sysutils/webmin)

Issue commands

make
make install

After it installs, you have to change to this directory and issue a setup script:

Issue commands

cd /usr/local/lib/webmin/

./setup.sh

Known bugs with Webmin ports:

On FreeBSD 5.4 with the latest version of Webmin, OpenSSL needs to be installed first, or the make install of Webmin exits with "I could not find your OpenSSL in `' please provide OpenSSL-0.9.6j" or a very similar error.

FreeBSD 5.4 & 6.0 with latest Webmin fails on p5-Net-SSLeay

This happens straight off a clean developer install of FreeBSD 5.4 and 6.0. Go to ports and type make. Latest version of Webmin (1.220_3) is downloaded. Make install fails right off with:

# cd /usr/ports/sysutils
# cd webmin
# make install
===> Installing for webmin-1.180_1
===> webmin-1.180_1 depends on file:
/usr/local/lib/perl5/site_perl/5.8.6/mach/Net/SSLeay.pm
- not found
===> Verifying install for
/usr/local/lib/perl5/site_perl/5.8.6/mach/Net/SSLeay.pm
in /usr/ports/security/p5-Net-SSLeay
===> Building for p5-Net-SSLeay-1.25
make: cannot open Makefile.
*** Error code 2

Stop in /usr/ports/security/p5-Net-SSLeay.
*** Error code 1

Stop in /usr/ports/sysutils/webmin.
#

The problem starts here. On FreeBSD 5.4, the default perl off the CD is 5.8.6. p5-Net-SSLeay requires 5.8.7. But even if you take the time (waste the time) to upgrade to 5.8.7, it will not fix the problem.

If you install FreeBSD 6.0 to get the latest perl, you will still get the error. After a lot of lost time, here is the situation:

Perl will not install p5-Net-SSLeay because it is no longer supported.

Well there you have it. Webmin must have it...and perl won't install it.

Workaround to solve this problem: 

Use vi and create a SSLeay.pm file with anything in it (vi /usr/local/lib/perl5/site_perl/5.8.6/mach/Net/SSLeay.pm)

Webmin then installs and works, but it failed when I tried it with SSL enabled.

Official response: 

This is a bug, but not in the core Webmin code. It is really a problem in the FreeBSD port, which I don't maintain, sorry. You'll have to send this to whoever manages the port. Alternately, you could just install the tar.gz version of Webmin from www.webmin.com, which doesn't forcibly depend on Net::SSLeay.

Webmin shows that Apache is not running, even though it is:

If you installed a 2x version of apache:

Solution: Set the root directory to: /usr/local/etc/apache21

Set the following paths to the correct directory

Path to httpd.conf:    /usr/local/etc/apache21/
Path to srm.conf:      /usr/local/etc/apache21/
Path to access.conf:   /usr/local/etc/apache21/
Path to mime.types:    /usr/local/etc/apache21/

Webmin will now show Apache as running.


Webmin shows ProFTPD is not running, even though it is:

You have ProFTPD up and running, but Webmin says it is not. 

Solution: Go to its module configuration and change:

Path to ProFTPD executable: /usr/local/libexec/proftpd

to:

Path to ProFTPD executable: /usr/local/sbin/proftpd


Other notes: If you need to run setup again and change something (e.g. you enabled SSL support but that causes Webmin to fail on startup) you can run setup.sh again, but it will find the old configuration and use it. To run setup.sh and have it actually perform a fresh setup do the following: 

Make sure to shutdown Webmin if it is running, or the port you chose to run Webmin on will show to be in use (assuming you want to use that same port).

cd /usr/local/etc
mv webmin webmin.bak

or, for the brave, delete the directory outright:

rm -R webmin

run setup.sh again and it will not find an old configuration and use it.

If you forget your login or password:

# cd /usr/local/lib/webmin
# ./changepass.pl

usage: changepass.pl <config-dir> <login> <password>
This program allows you to change the password of a user in the Webmin
password file. For example, to change the password of the admin user
to foo, you would run:
        changepass.pl /etc/webmin admin foo

# ./changepass.pl /usr/local/etc/webmin admin foo
The Webmin user admin does not exist
The users on your system are: jbloe

Install Apache

Estimated time: 30 minutes to an hour

Change to Apache ports directory (cd /usr/ports/www/ApacheXX)

Issue commands:

make
make install

Useful commands etc.

Install PHP support

Estimated time: 20 - 30 minutes

cd /usr/ports/lang/php5/

Issue command:

make

Note: On the options dialog that comes up, check Apache 2x support if that is the version of Apache you installed. Uncheck IPv6 support if you haven't enabled that support everywhere right from the start.

Issue the following commands (view full explanation of why here). 

cd /usr/ports/lang/php5/work/php-5.0.4/libs
cp libphp5.la /usr/local/build-1/libtool
cp libphp5.la /usr/local/libexec/apache21
cp libphp5.so /usr/local/libexec/apache21/

PHP 5 installs at this point with commands:

cd /usr/ports/lang/php5

make install

Note: You should add the following to your Apache configuration file:

AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps

If, when you browse to your site, you get a directory listing instead of the browser properly opening the index.php file, you need to find the following section of your Apache configuration file and add "index.php" to the DirectoryIndex entry (in the following example, only the word "index.php" at the end of the DirectoryIndex line was added; the rest was already present in the configuration file):

# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
# The index.html.var file (a type-map) is used to deliver content-
# negotiated documents. The MultiViews Option can be used for the 
# same purpose, but it is much slower.
#
<IfModule dir_module>
DirectoryIndex index.html index.html.var index.php
</IfModule>

Note: You should also install the PHP5 extensions, or some applications, such as WebCalendar will not work (you will get this error: Fatal error: Call to undefined function preg_match() in /usr/local/www/data-dist/WebCalendar/includes/init.php on line 47)

Estimated time: 15-35 minutes

cd /usr/ports/lang/php5-extensions
make
make install

If you are getting these errors, a screen will come up during the make (or make install) listing the PHP extensions that can be installed. The error will be resolved by the two extensions that are already checked by default. You may, however, install other extensions at this time if you need them for some specific reason. Also, toward the end of the install, a screen will pop up and ask if you want to install UTF-8 support. UTF-8 allows character sets for many languages and may be installed at this point if deemed necessary.

Note: reboot your server after installing the PHP extensions. 

Install MySQL

cd /usr/ports/databases/mysql41-server

make

make install

Note: Do not try to install an application that uses MySQL client or the MySQL client without first installing the server. If you start the client install and get a bunch of errors*, do a "make clean" before starting the server install, or it will fail with an error.

* This is what you will get if you attempt to install MySQL client without installing the server first:

ctype-ujis.lo  ctype-uca.lo xml.lo my_strtoll10.lo dbug.lo  pack.lo client.lo my_time.lo vio.lo viosocket.lo viossl.lo viosslfactories.lo net.lo -pthread -lcrypt -lm  -pthread  -lz
libtool15: link: `my_pthread.lo' is not a valid libtool object
*** Error code 1
 
Stop in /usr/ports/databases/mysql41-client/work/mysql-4.1.13/libmysql_r.
*** Error code 1
 
Stop in /usr/ports/databases/mysql41-client/work/mysql-4.1.13.
*** Error code 1
 
Stop in /usr/ports/databases/mysql41-client/work/mysql-4.1.13.
*** Error code 1
 
Stop in /usr/ports/databases/mysql41-client.

Install ProFTPD

Estimated time: 20 to 30 minutes

Change to ProFTPd directory (cd /usr/ports/ftp/proftpd or cd /usr/ports/ftp/proftpd-mysql)

Issue commands:

make
make install

Notes: Installed from ports without incident.

proftpd: Highly configurable ftp daemon
/usr/ports/ftp/proftpd

nano -w /usr/local/etc/proftpd.conf
-- add the following to the default config:

DeferWelcome on
DisplayLogin /etc/motd
IdentLookups off
UseReverseDNS on
RequireValidShell off
ScoreboardFile /var/run/proftpd.scoreboard
DefaultRoot ~
PassivePorts 3300 3400

/usr/local/libexec/proftpd

Note: To start ProFTPd at boot, edit /etc/rc.conf (vi /etc/rc.conf) to include the following:

proftpd_enable="YES"

Configure ProFTP in Webmin:

Even though you know ProFTP is up and running, Webmin will inform you that it is not installed or that you need to edit the configuration files. To correct this, click the link provided at this point by Webmin to edit the module configuration. The default path assumed by Webmin is wrong. Find the line that reads "Path to ProFTPD executable" and change the incorrect path to "/usr/local/sbin/proftpd". Webmin should now be able to access the ProFTP server.

ProFTP potential problems:

Problem: Slow login and directory listings.

On a default install of FreeBSD 6.0 and ProFTP 1.30, it is possible to get extremely slow logins and directory listings that can take a minute or more. If this happens, edit the proftpd.conf file (located at /usr/local/etc/proftpd.conf) and add the following directives to the configuration:

IdentLookups off
UseReverseDNS off
ListOptions "" maxdepth 3
ListOptions "" maxdirs 10
ListOptions "" maxfiles 1000
AllowOverride off

Save the configuration file and restart ProFTPd. This can be done right in Webmin by clicking the "Apply Changes" button in the ProFTP server module.


Problem: Users log in, but can change directories and reach other users' home directories.

On a default install of ProFTP, users log in to their own home directory, but they can "break out" of it into the parent "home" directory, where they can see the other users' home directories. While they should not be able to view or upload to those directories because they lack permission, unless there is some good reason, users should not be able to get a directory listing of another user's home at all.

To cause every FTP user to only have access to their home directory, find the following section in the ProFTP configuration file (located at: /usr/local/etc/proftpd.conf) and uncomment the "DefaultRoot ~" line so that it now looks like this:

# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
DefaultRoot ~

Save the configuration file and restart ProFTPd. This can be done right in Webmin by clicking the "Apply Changes" button in the ProFTP server module.


Configure sendmail

Install popa3d

related links: http://www.openwall.com/popa3d/

User Administration

.htpasswd/.htaccess

In order to secure a directory, or a file in a directory, a common method is the use of .htpasswd/.htaccess files. Using this method allows you to create two files. One file, the .htpasswd file, should be placed in a location not accessible by the public. The second file, .htaccess, will contain configuration information, as well as the path to the .htpasswd file. When the directory or file is accessed, the server will follow the configuration directives of the .htaccess file, and it will authenticate access using the username and password information contained in the .htpasswd file.

.htaccess configuration

Add the following to your Apache configuration file (replace "/usr/local/www/data" with your Apache root directory, if different). 

<Directory /usr/local/www/data>
Options Indexes Includes FollowSymLinks MultiViews
AllowOverride AuthConfig
Order allow,deny
Allow from all
</Directory>

Save the configuration and either stop and restart your Apache server, or reboot your server.

Create a directory to store your password file in:

mkdir /usr/local/www/secure

This directory should not be located where it can be accessed from the Internet.

Create a password file and a user:

cd /usr/local/www/secure
htpasswd -c passwds joe

or optionally: # htpasswd -c /usr/local/www/secure joe

The above creates a password file named passwds, and puts a user in it named joe. You will be asked to enter a password for user joe:

New password: *****
Re-type new password: *****
Adding password for user joe

If you open the password file now, you will see something similar to:

joe:9B4cNJPC3vcUe

To add another user to the same file:

# htpasswd -b passwds jim PassWoRd

This will add a user named jim with a password of PassWoRd, with the -b switch used to get the password from the command line instead of prompting for it.

If you look at the contents of the passwds file now, you will see something similar to:

joe:9B4cNJPC3vcUe
jim:2G4qA2g1F22t2

Now, use an editor and create a file named .htaccess, containing the following, in the directory you wish to protect:

AuthType Basic
AuthName "Restricted Access"
AuthUserFile /usr/local/www/secure/passwds
Require user jim

Note potential issues: If you visit the site as www.mysite.com, but the index page pulls in other resources (say, a server-side include) under a different URL, such as mysite.com, the browser must issue another password request even though it is the same site. On a site with server-side includes or a complex index.php, the password is often asked for several times before the page is completely loaded. A workaround is to secure individual files instead of the whole directory. For instance, the following .htaccess file controls access to just the index.php file, instead of everything in the directory.

AuthUserFile /usr/local/www/secure/passwds
AuthType Basic
AuthName "Nalcom Intranet"

<Files "index.php">
Require user jim
</Files>

Note potential issues: The above method is really security through obscurity. If there are other important files in the directory and someone knew their names, typing the URL directly would give access to the file. Another option is to password protect all of the important files in the directory. However, the above method will work on a site that needs only casual security.
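As an added example (not from the original notes), here is a small Python audit of the .htaccess/.htpasswd layout described above: it checks that AuthUserFile sits outside the DocumentRoot, that every user named by Require user has a password entry, and flags the 13-character DES crypt hashes shown above, which only ever use the first 8 characters of the password. The file contents, the document root and the user "bob" are constructed for the example.

```python
"""Audit an .htaccess/.htpasswd pair of the kind set up above (added example)."""
import os
import re

# Constructed sample input mirroring the layout described in the text.
DOCROOT = "/usr/local/www/data"

HTPASSWD_TEXT = """\
joe:9B4cNJPC3vcUe
jim:2G4qA2g1F22t2
"""

# "bob" is constructed: he is required by .htaccess but has no password entry.
HTACCESS_TEXT = """\
AuthType Basic
AuthName "Restricted Access"
AuthUserFile /usr/local/www/secure/passwds
Require user jim bob
"""

def parse_htpasswd(text):
    """Return {user: hash} from htpasswd contents, skipping blanks and comments."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, _, pw_hash = line.partition(":")
            users[user] = pw_hash
    return users

def parse_htaccess(text):
    """Return (AuthUserFile path, set of users named by 'Require user' lines)."""
    userfile, required = None, set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) > 1 and parts[0].lower() == "authuserfile":
            userfile = parts[1].strip('"')
        elif len(parts) > 2 and parts[0].lower() == "require" and parts[1].lower() == "user":
            required.update(parts[2:])
    return userfile, required

def hash_scheme(pw_hash):
    """Classify the hash format htpasswd wrote into the file."""
    if re.fullmatch(r"[./0-9A-Za-z]{13}", pw_hash):
        return "crypt"  # traditional DES crypt(3): only the first 8 password chars count
    if pw_hash.startswith("$apr1$"):
        return "md5"
    if pw_hash.startswith("{SHA}"):
        return "sha1"
    return "unknown"

def audit(docroot, htaccess_text, htpasswd_text):
    """Return a list of findings; an empty list means the setup follows the advice above."""
    findings = []
    userfile, required = parse_htaccess(htaccess_text)
    users = parse_htpasswd(htpasswd_text)
    if userfile is None:
        findings.append("no AuthUserFile directive")
    elif os.path.commonpath([userfile, docroot]) == os.path.normpath(docroot):
        # The password file must live outside the web root, or it can be fetched by URL.
        findings.append("password file %s is inside DocumentRoot" % userfile)
    for user in sorted(required - set(users)):
        findings.append("Require user names %s, but the password file has no such user" % user)
    for user, pw_hash in sorted(users.items()):
        if hash_scheme(pw_hash) == "crypt":
            findings.append("%s uses DES crypt: the password is truncated to 8 characters" % user)
    return findings
```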


Apache Virtual Domain Hosting (Name Based)

In the Apache config file, find the following section:

#
# Use name-based virtual hosting.
#
# NameVirtualHost *:80

Uncomment the last line and enter either a FQDN (Fully Qualified Domain Name) or an IP address:

#
# Use name-based virtual hosting.
#
NameVirtualHost 65.201.93.140:80

Name-based virtual hosting is fairly simple. If you already have a default web site on a server, set up your DNS for the virtual site to point to the already established web server (DNS configuration will not be covered at this time; I hope to add a separate DNS section at a later date). For example, if opening a web browser with the URL http://mysite.com (or http://65.201.93.140) brings up your main web site, and you want another web site, mysecondsite.com, hosted on the same server, register mysecondsite.com and configure the newly registered domain's DNS server information to point to your name servers. On your name servers, point mysecondsite.com to the IP address of your mysite.com server (in this example, 65.201.93.140). If everything is configured right, and assuming you have not already configured Apache to handle virtual domains, typing http://mysecondsite.com into a browser should open your mysite.com web site. Being able to open your default web site with the newly registered domain confirms that your DNS configuration is working properly. Now you only need to configure Apache to serve the correct web site, based on the name requested.

To do this, you simply need to add, at a minimum, the following to your Apache configuration file:

<VirtualHost 65.201.93.140:80>
DocumentRoot "/usr/home/mysecondsite/www/data"
ServerName www.mysecondsite.com
ServerAlias mysecondsite.com *.mysecondsite.com
<Directory "/usr/home/mysecondsite/www/data">
allow from all
Options +Indexes
</Directory>
</VirtualHost>

The above, with the use of the ServerAlias tag, allows the site to be visited using the URL of  "mysecondsite.com" or "www.mysecondsite.com."

Optionally, you could set up a host for either "mysecondsite.com" or "www.mysecondsite.com" in this manner (remember to add any future options to both of these virtual servers, or visitors may have a different experience on your site, depending on the URL they typed in to get to the site):

<VirtualHost 65.201.93.140:80>
DocumentRoot /usr/home/mysecondsite/www/data
ServerName www.mysecondsite.com
<Directory "/usr/home/mysecondsite/www/data">
allow from all
Options +Indexes
</Directory>
</VirtualHost>

<VirtualHost 65.201.93.140:80>
DocumentRoot /usr/home/mysecondsite/www/data
ServerName mysecondsite.com
<Directory "/usr/home/mysecondsite/www/data">
allow from all
Options +Indexes
</Directory>
</VirtualHost>


A few things to consider here. The Apache documentation on name-based virtual hosting does not make it clear that you have to declare either a FQDN or an IP address for the web server. It could therefore logically be assumed that a virtual host setup like the following would work:

NameVirtualHost *:80

<VirtualHost *:80>
DocumentRoot /usr/home/mysecondsite/www/data
ServerName www.mysecondsite.com
<Directory "/usr/home/mysecondsite/www/data">
allow from all
Options +Indexes
</Directory>
</VirtualHost>

In the above manner, a person might think that as long as it got to the server on port 80, it would look for the ServerName and serve the corresponding html files from the specified DocumentRoot directory.

However, with the above settings, if you SSH into your server, change directory to your Apache directory, and issue the following command:

httpd -S

You will get the following error: [warn] NameVirtualHost *:80 has no VirtualHosts.

If you configure the FQDN or IP address as illustrated in the first example, and check your httpd parsing of virtual domains again, this error will go away and you will get an output similar to this:

65.201.93.140:80       is a NameVirtualHost
         default server www.mysite.com (/usr/local/etc/apache21/httpd.conf:1144)
         port 80 namevhost www.mysecondsite.com (/usr/local/etc/apache21/httpd.conf:1154)

Also, if changing the Apache configuration file does not produce the desired results, make sure you stop and start httpd after making the changes. Name-based virtual domains are fairly simple, but it may still take a little trial and error to get them to actually work correctly.
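To make the selection logic concrete, here is an added Python model (not part of the original notes, and not Apache's own code) of how Apache 2.x routes a request to a name-based virtual host and of when httpd -S emits the warning quoted above. It assumes the address strings are compared literally rather than resolved through DNS, and the httpd.conf fragment is constructed from the working example.

```python
"""Model how Apache 2.x picks a name-based virtual host (added example)."""
import fnmatch
import re

# Constructed httpd.conf fragment following the working example above.
HTTPD_CONF = """\
NameVirtualHost 65.201.93.140:80

<VirtualHost 65.201.93.140:80>
    DocumentRoot "/usr/local/www/data"
    ServerName www.mysite.com
</VirtualHost>

<VirtualHost 65.201.93.140:80>
    DocumentRoot "/usr/home/mysecondsite/www/data"
    ServerName www.mysecondsite.com
    ServerAlias mysecondsite.com *.mysecondsite.com
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
NVH_RE = re.compile(r"^\s*NameVirtualHost\s+(\S+)", re.M | re.I)


def parse_config(text):
    """Return (set of NameVirtualHost addresses, list of vhost dicts in file order)."""
    name_vhosts = set(NVH_RE.findall(text))
    vhosts = []
    for addr, body in VHOST_RE.findall(text):
        vh = {"addr": addr.strip(), "servername": None, "aliases": [], "docroot": None}
        for line in body.splitlines():
            parts = line.split()
            if len(parts) < 2:
                continue
            key = parts[0].lower()
            if key == "servername":
                vh["servername"] = parts[1].lower()
            elif key == "serveralias":
                vh["aliases"].extend(p.lower() for p in parts[1:])
            elif key == "documentroot":
                vh["docroot"] = parts[1].strip('"')
        vhosts.append(vh)
    return name_vhosts, vhosts


def check_config(name_vhosts, vhosts):
    """Reproduce the 'httpd -S' warning: a NameVirtualHost address must match,
    character for character, the address of at least one <VirtualHost> block."""
    used = {vh["addr"] for vh in vhosts}
    return ["NameVirtualHost %s has no VirtualHosts" % a for a in sorted(name_vhosts - used)]


def select_vhost(vhosts, addr, host_header):
    """Pick the vhost Apache serves for a request arriving on addr with the given Host
    header: the first ServerName/ServerAlias match (ServerAlias allows * and ? wildcards),
    otherwise the first vhost declared for that address, which is the default server."""
    candidates = [vh for vh in vhosts if vh["addr"] == addr]
    if not candidates:
        return None
    host = host_header.lower().rsplit(":", 1)[0]  # drop an explicit :port
    for vh in candidates:
        names = [vh["servername"]] + vh["aliases"] if vh["servername"] else vh["aliases"]
        if any(fnmatch.fnmatchcase(host, pattern) for pattern in names):
            return vh
    # Unknown Host headers (and bare IP requests) fall through to the default server.
    return candidates[0]
```

Whatever block is declared first for an address answers every request whose Host header matches nothing, so make that first block a deliberate default rather than whichever site happened to be configured first.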
