NTP

The Network Time Protocol (NTP) is a protocol with which computers that are connected to each other can synchronise their internal clocks to those of other computers.

/etc/ntp.conf

server 0.nl.pool.ntp.org
server 1.nl.pool.ntp.org
server 2.nl.pool.ntp.org
driftfile /var/db/ntp.drift

/etc/rc.conf

ntpd_enable="YES"

Next you can change the time zone to Amsterdam with the following command:

cp /usr/share/zoneinfo/Europe/Amsterdam /etc/localtime
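The ntp.conf above lists servers only. Without a "restrict default" line ntpd will also answer mode-6/mode-7 control queries from any address, which exposes configuration details and, on old ntpd versions, makes the host usable as a UDP amplifier. As an added example (not part of the original page), the sh script below writes an ntp.conf with the same pool servers plus the usual restrict lines, and a check that flags a configuration with no default restriction. The function names and the destination path argument are this example's own.

```sh
#!/bin/sh
# Added example, not from the original page: generate an ntp.conf that keeps the
# nl.pool servers but adds "restrict" lines, and check an existing ntp.conf for
# the absence of a default restriction.

write_ntp_conf() {
    # $1 = destination file (assumed path; /etc/ntp.conf on a real host)
    cat > "$1" <<'EOF'
server 0.nl.pool.ntp.org iburst
server 1.nl.pool.ntp.org iburst
server 2.nl.pool.ntp.org iburst
driftfile /var/db/ntp.drift

# Default policy for every address: answer time requests only, rate limited
# with kiss-of-death packets. No control queries (noquery), no runtime changes
# (nomodify), no traps, and remote hosts may not set up peering (nopeer).
restrict default limited kod nomodify notrap nopeer noquery
restrict -6 default limited kod nomodify notrap nopeer noquery
# Full access from the local host so ntpq/ntpdc work for the administrator.
restrict 127.0.0.1
restrict -6 ::1
EOF
}

check_ntp_conf() {
    # $1 = ntp.conf to inspect. Returns 0 when a default restriction exists
    # that carries both nomodify and noquery, 1 otherwise.
    re='^[[:space:]]*restrict[[:space:]]+(-4[[:space:]]+|-6[[:space:]]+)?default[[:space:]]'
    grep -E "$re" "$1" | grep -q 'nomodify' || return 1
    grep -E "$re" "$1" | grep -q 'noquery'  || return 1
    return 0
}

# Demonstration on temporary files (constructed, not the host's real config).
demo_ntp_conf() {
    tmp=$(mktemp -d)
    write_ntp_conf "$tmp/hardened.conf"
    # a server-only configuration with no restrict lines, like the one above
    printf 'server 0.nl.pool.ntp.org\nserver 1.nl.pool.ntp.org\nserver 2.nl.pool.ntp.org\ndriftfile /var/db/ntp.drift\n' > "$tmp/open.conf"
    if check_ntp_conf "$tmp/hardened.conf"; then h=pass; else h=fail; fi
    if check_ntp_conf "$tmp/open.conf"; then o=pass; else o=fail; fi
    rm -rf "$tmp"
    echo "hardened=$h open=$o"
}

demo_ntp_conf
```

check_ntp_conf can be run against /etc/ntp.conf from the daily periodic scripts as a cheap configuration drift check.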

MySQL Replication

Replication enables data from one MySQL database server (called the master) to be replicated to one or more MySQL database servers (slaves). Replication is asynchronous: your replication slaves do not need to be connected permanently to receive updates from the master, which means that updates can occur over long-distance connections and even temporary solutions such as a dial-up service. Depending on the configuration, you can replicate all databases, selected databases and even selected tables within a database.

Master

Edit the file

# vi /usr/local/my.cnf

Enter the IP address of the other server

[mysqld]
log-bin
server-id = 1
replicate-same-server-id = 0
auto-increment-increment = 2
auto-increment-offset = 1
master-host = 192.168.100.69
master-user = slave1_user
master-password = slave1_password
master-connect-retry = 60
replicate-do-db = pdns
binlog-do-db = pdns
binlog-ignore-db = mysql

Create the user with the required privileges

mysql> GRANT REPLICATION SLAVE ON *.* TO 'slave2_user'@'%' IDENTIFIED BY 'password';
mysql> FLUSH PRIVILEGES;

Make a dump of the pdns database for later import.

# mysqldump -u root -p pdns > export.sql

Now log out of the MySQL environment. Restart the MySQL server to activate the settings.

# /usr/local/etc/rc.d/mysql-server restart

Replication slave

/etc/my.cnf

[mysqld]
server-id=2

Create the new database

mysql> CREATE DATABASE pdns;
mysql> GRANT REPLICATION SLAVE ON *.* TO 'slave1_user'@'%' IDENTIFIED BY 'slave1_password';
mysql> FLUSH PRIVILEGES;

Load the dump on the slave

# mysql -u root -p pdns < export.sql

Now log out of the MySQL environment. Restart the MySQL server to activate the settings.

# /usr/local/etc/rc.d/mysql-server restart

Master

Go back to the master server on which the MySQL server runs and log in.

# mysql -u root -p

Then switch to the database in question within MySQL and note down the File name (and the Position):

mysql> FLUSH TABLES WITH READ LOCK;
mysql> USE pdns;
mysql> SHOW MASTER STATUS;

Replication slave

Go back to the slave server.

Within MySQL, point the slave at the master: at MASTER_LOG_FILE enter the name of the file on the master server that you just noted down (MASTER_LOG_POS is the Position from the same SHOW MASTER STATUS output)

mysql> CHANGE MASTER TO MASTER_HOST='81.4.79.81', MASTER_USER='slave1_user', MASTER_PASSWORD='password', MASTER_LOG_FILE='ns1-bin.000001', MASTER_LOG_POS=98;
mysql> START SLAVE;

Useful commands

mysql> SHOW MASTER STATUS;
mysql> SHOW SLAVE STATUS;
mysql> SHOW PROCESSLIST;
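SHOW SLAVE STATUS is the command to watch once replication runs, but reading its output by eye does not scale to cron or a monitoring agent. As an added example (not from the original page or the MySQL documentation), the sh function below reads the output of SHOW SLAVE STATUS\G and turns it into a verdict and an exit code: both replication threads must report Yes and Seconds_Behind_Master must be a number below a threshold. The sample outputs are constructed, and the threshold argument and function names are this example's own.

```sh
#!/bin/sh
# Added example (not part of the original page): turn "SHOW SLAVE STATUS\G"
# output into a monitoring verdict. Exit 0 = OK, 1 = lag above threshold,
# 2 = a replication thread is stopped or the lag is unknown (NULL).
# Usage on a real slave:
#   mysql -u root -p -e 'SHOW SLAVE STATUS\G' | check_slave_status 60

check_slave_status() {
    max_lag=${1:-60}    # tolerated Seconds_Behind_Master; assumption of this example
    awk -v max_lag="$max_lag" '
        { sub(/^[ \t]+/, "") }                       # drop the \G indentation
        /^Slave_IO_Running:/      { io  = $2 }
        /^Slave_SQL_Running:/     { sql = $2 }
        /^Seconds_Behind_Master:/ { lag = $2 }
        /^Last_Error:/            { $1 = ""; err = substr($0, 2) }
        END {
            if (io == "" && sql == "") { print "CRITICAL: no slave status (replication not configured?)"; exit 2 }
            if (io != "Yes" || sql != "Yes") {
                printf "CRITICAL: Slave_IO_Running=%s Slave_SQL_Running=%s %s\n", io, sql, err; exit 2
            }
            if (lag == "NULL" || lag == "") { print "CRITICAL: Seconds_Behind_Master unknown"; exit 2 }
            if (lag + 0 > max_lag + 0) { printf "WARNING: %s s behind master (max %s)\n", lag, max_lag; exit 1 }
            printf "OK: both threads running, %s s behind master\n", lag; exit 0
        }'
}

# Constructed sample outputs (not captured from a real server).
SAMPLE_HEALTHY='*************************** 1. row ***************************
               Slave_IO_State: Waiting for master to send event
                  Master_Host: 192.168.100.69
                  Master_User: slave1_user
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
        Seconds_Behind_Master: 5
                   Last_Error: '

SAMPLE_BROKEN='*************************** 1. row ***************************
               Slave_IO_State:
                  Master_Host: 192.168.100.69
             Slave_IO_Running: Yes
            Slave_SQL_Running: No
        Seconds_Behind_Master: NULL
                   Last_Error: Error Duplicate entry 1 for key PRIMARY on query'

check_healthy() { printf '%s\n' "$SAMPLE_HEALTHY" | check_slave_status 60; }
check_broken()  { printf '%s\n' "$SAMPLE_BROKEN"  | check_slave_status 60; }

check_healthy
check_broken
```

A stopped SQL thread is the case to alert on hardest: the IO thread keeps copying the binlog, so the slave looks connected while its data silently stops changing.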

Links

How to Set Up Replication

IPFW Firewall

Installing

First two components must be installed with sysinstall.

/usr/sbin/sysinstall

Choose the following: Configure, then Distributions, then src, then base and sys, and then "ok"

Configuration

Command to enable the firewall (IPFW):

kldload -v ipfw.ko

Enable the firewall automatically at boot:

# ee /etc/rc.conf
firewall_enable="YES"
firewall_type="open"

Edit the IPFW configuration file: /etc/ipfw.rules

################ Start of IPFW rules file ###############################
# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
pif="em0"     # interface name of NIC attached to Internet

# Change xl0 to LAN NIC interface name
$cmd 00005 allow all from any to any via xl0

# No restrictions on Loopback Interface, but no 127/8 traffic anywhere else
$cmd 00010 allow all from any to any via lo0
$cmd 00011 deny ip from any to 127.0.0.0/8
$cmd 00012 deny ip from 127.0.0.0/8 to any

# ISP DNS
# Replace the addresses with the IP addresses of your public DNS servers
# and repeat for each DNS server in /etc/resolv.conf
$cmd 00020 allow tcp from any to 80.84.224.249 53 out via $pif setup keep-state
$cmd 00021 allow udp from any to 80.84.224.249 53 out via $pif keep-state
$cmd 00022 allow tcp from any to 80.84.224.26 53 out via $pif setup keep-state
$cmd 00023 allow udp from any to 80.84.224.26 53 out via $pif keep-state
$cmd 00024 allow tcp from any to 83.96.192.26 53 out via $pif setup keep-state
$cmd 00025 allow udp from any to 83.96.192.26 53 out via $pif keep-state

# SSH
$cmd 00030 allow tcp from any to any 22 in via $pif setup keep-state
$cmd 00031 allow tcp from any to any 22 out via $pif setup keep-state

# FTP-DATA
$cmd 00040 allow tcp from any to any 20 in via $pif
$cmd 00041 allow tcp from any to any 20 out via $pif

# FTP
$cmd 00042 allow tcp from any to any 21 in via $pif
$cmd 00043 allow tcp from any to any 21 out via $pif

# WWW
$cmd 00044 allow tcp from any to any 80 in via $pif
$cmd 00045 allow tcp from any to any 80 out via $pif

# HTTPS
$cmd 00050 allow tcp from any to any 443 in via $pif setup keep-state
$cmd 00051 allow tcp from any to any 443 out via $pif setup keep-state

# PLESK
$cmd 00060 allow tcp from any to any 8443 in via $pif setup keep-state
$cmd 00061 allow tcp from any to any 8443 out via $pif setup keep-state

# POPPASSD (Plesk)
# "setup" only matches TCP SYN packets, so it is left off the udp rules
$cmd 00062 allow tcp from 127.0.0.0/8 to any 106 in via $pif setup keep-state
$cmd 00063 allow tcp from 127.0.0.0/8 to any 106 out via $pif setup keep-state
$cmd 00064 allow udp from 127.0.0.0/8 to any 106 in via $pif keep-state
$cmd 00065 allow udp from 127.0.0.0/8 to any 106 out via $pif keep-state

# AUTH (Plesk)
$cmd 00066 allow tcp from any to any 113 out via $pif

# SMTPS (Plesk)
$cmd 00070 allow tcp from any to any 465 in via $pif setup keep-state
$cmd 00071 allow tcp from any to any 465 out via $pif setup keep-state
$cmd 00072 allow udp from any to any 465 in via $pif keep-state
$cmd 00073 allow udp from any to any 465 out via $pif keep-state

# FTPS (Plesk)
$cmd 00074 allow tcp from any to any 990 in via $pif setup keep-state
$cmd 00075 allow tcp from any to any 990 out via $pif setup keep-state
$cmd 00076 allow udp from any to any 990 in via $pif keep-state
$cmd 00077 allow udp from any to any 990 out via $pif keep-state

# plesk-license-update
$cmd 00078 allow tcp from any to any 5224 out via $pif setup keep-state
$cmd 00079 allow udp from any to any 5224 out via $pif keep-state

# PING
$cmd 00080 allow icmp from any to any in via $pif keep-state
$cmd 00081 allow icmp from any to any out via $pif keep-state

# TIME
$cmd 00082 allow tcp from any to any 37 out via $pif setup keep-state

# SEND & GET EMAIL
$cmd 00090 allow tcp from any to any 25 in via $pif setup keep-state
$cmd 00091 allow tcp from any to any 25 out via $pif setup keep-state
$cmd 00092 allow tcp from any to any 110 in via $pif setup keep-state
$cmd 00093 allow tcp from any to any 110 out via $pif setup keep-state
$cmd 00094 allow tcp from any to any 143 in via $pif setup keep-state
$cmd 00095 allow tcp from any to any 143 out via $pif setup keep-state
$cmd 00096 allow tcp from any to any 993 in via $pif setup keep-state
$cmd 00097 allow tcp from any to any 993 out via $pif setup keep-state
$cmd 00098 allow tcp from any to any 995 in via $pif setup keep-state
$cmd 00099 allow tcp from any to any 995 out via $pif setup keep-state

# NTP
$cmd 00100 allow udp from any to any 123 out via $pif keep-state

# Allow if it matches an existing entry in the dynamic rules table
$cmd 00101 check-state

# NNTP NEWS (i.e. news groups)
$cmd 00110 allow tcp from any to any 119 in via $pif setup keep-state
$cmd 00111 allow tcp from any to any 119 out via $pif setup keep-state

# WHOIS
$cmd 00120 allow tcp from any to any 43 in via $pif setup keep-state
$cmd 00121 allow tcp from any to any 43 out via $pif setup keep-state

# FBSD (make install & CVSUP)
$cmd 00130 allow tcp from any to any out via $pif setup keep-state uid root

# Deny all Netbios service
$cmd 00140 deny tcp from any to any 137 in via $pif
$cmd 00141 deny tcp from any to any 138 in via $pif
$cmd 00142 deny tcp from any to any 139 in via $pif
$cmd 00143 deny tcp from any to any 81 in via $pif

# MYSQL
$cmd 00144 allow tcp from any to any 3306 in via $pif setup keep-state
$cmd 00145 allow udp from any to any 3306 in via $pif keep-state

# PostgreSQL
$cmd 00146 allow tcp from any to any 5432 in via $pif setup keep-state

# TOMCAT
$cmd 00147 allow tcp from any to any 8080 in via $pif setup keep-state

# Coyote and Warp (Tomcat Java) connectors in Plesk
$cmd 00148 allow tcp from any to any 9080 in via $pif setup keep-state
$cmd 00149 allow tcp from any to any 9008 in via $pif setup keep-state

# Everything else is denied and logged
$cmd 00150 deny log ip from any to any

Load the new firewall rules:

# sh /etc/ipfw.rules

In /etc/sysctl.conf you can make the logging limit persist across reboots (verbose_limit is the maximum number of log entries per rule, so a noisy rule cannot flood the log):

net.inet.ip.fw.verbose_limit=5

You can check whether the rules have been loaded (-t also shows when each rule last matched):

# ipfw -t list
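Two mistakes are easy to make in a rules file this long and neither produces an error from ipfw: reusing a rule number (ipfw accepts it, but "ipfw delete N" then removes every rule sharing N and the listing becomes hard to audit) and putting "setup" on a udp or icmp rule ("setup" only matches TCP SYN packets, so such a rule never matches and the traffic silently falls through to the final deny, which shows up as NTP or ping not working rather than as a firewall error). As an added example (not part of the original page), the sh lint below reads a rules script of the "$cmd NNNNN ..." form on standard input and reports both; the sample rules are constructed for the demonstration and nothing is loaded into the kernel.

```sh
#!/bin/sh
# Added example (not from the original page): lint an ipfw rules script for
# duplicate rule numbers and for "setup" on non-TCP rules. Usage on a real file:
#   lint_ipfw_rules < /etc/ipfw.rules

lint_ipfw_rules() {
    awk '
        /^\$cmd[ \t]+[0-9]+[ \t]/ {
            num = $2
            proto = ($4 == "log") ? $5 : $4   # "deny log ip from ..." puts the proto one field later
            seen[num]++
            if (seen[num] == 2) printf "duplicate rule number %s\n", num
            if (proto != "tcp" && proto != "ip" && proto != "all") {
                for (i = 5; i <= NF; i++)
                    if ($i == "setup") {
                        printf "rule %s: setup on proto %s never matches\n", num, proto
                        break
                    }
            }
        }'
}

# Constructed sample rules, modelled on the file above but containing both mistakes.
SAMPLE_RULES='cmd="ipfw -q add"
pif="em0"
$cmd 00010 allow all from any to any via lo0
$cmd 00040 allow tcp from any to any 20 in via $pif
$cmd 00040 allow tcp from any to any 80 in via $pif
$cmd 00080 allow icmp from any to any in via $pif setup keep-state
$cmd 00100 allow udp from any to any 123 out via $pif setup keep-state
$cmd 00101 check-state
$cmd 00150 deny log ip from any to any'

lint_sample() { printf '%s\n' "$SAMPLE_RULES" | lint_ipfw_rules; }

lint_sample
```

The lint is purely textual, so it can run in a pre-commit hook or before "sh /etc/ipfw.rules" on a host where a mistaken rule would lock out the administrator.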


FreeBSD

FreeBSD installation

These are the installation requirements:

Partitions

1G /
1G /tmp
10G /var
10G /usr
2x RAM swap
The rest /home

DNS

/etc/resolv.conf

domain  markterweele.nl
nameserver      46.19.36.88
nameserver      46.19.38.115

Users and groups

The following group must be created manually

  • users

The following users must be created:

  • admin
  • mark

All users must be added to the groups 'users' and 'wheel'

# pw useradd -n mark -G wheel -m -h 0

Remember that you must type a password for the user straight afterwards (-h 0 makes pw read it from standard input)

password for user mark:

A public key must be set up for the user mark straight away.

/home/mark/.ssh/authorized_keys

ssh-rsa (the key goes here)

Shell for the root and mark users

chsh -s /usr/local/bin/bash

Extra software

Install the following extra software

  • pico
  • manual pages
  • ports

Upgrading ports

The ports tree can now be updated with CVSup (note: phased out as of 28 February 2013!)

see also Cvsup

Portsnap can also be used.

Make sure unnecessary categories are not included, so that not too much is updated on the server. Run the command below:

# vi /etc/portsnap.conf

Add the following line to the file:

REFUSE audio finance games multimedia net-p2p

Check which portsnap updates are available:

# portsnap fetch

The first time the snapshot must be extracted; afterwards you can use the "portsnap update" command.

# portsnap extract

Now portsnap must be updated to download everything to the server:

# portsnap update

Every subsequent time portsnap needs updating:

# portsnap fetch update

3ware

Install tw_cli from the ports

Location: /usr/ports/sysutils/tw_cli

Mail aliases

/etc/mail/aliases

root:   systeembeheer@markterweele.nl

The program newaliases must be run after this file is updated for any changes to show through to sendmail.

# newaliases

RAID

Edit the file for the daily RAID status report

/etc/periodic/daily/400.status-disks

Add the tw_cli call to the case branch that runs the disk checks, after the existing dump line and before the closing ;;

    dump W || rc=3

    echo ""
    echo "TW Raid Interface status"
    /usr/local/sbin/tw_cli info c0 u0
    ;;

Tuning

# cp /etc/defaults/make.conf /etc/make.conf
# ee /etc/make.conf

Edit the file, and look for the line starting: #CPUTYPE=

CPUTYPE?=prescott   # Core 2 Duo

#CFLAGS= -O -pipe
CFLAGS= -O2 -pipe -funroll-loops

Applying Security Patches

# freebsd-update fetch
# freebsd-update install

Rollback option:

# freebsd-update rollback

Performing Major and Minor Version Upgrades

# freebsd-update -r 10.3-RELEASE upgrade


MySQL Cluster

General

MySQL Cluster is a technology that enables clustering of in-memory databases in a shared-nothing system. The shared-nothing architecture allows the system to work with very inexpensive hardware, and with a minimum of specific requirements for hardware or software.

MySQL Cluster is designed not to have any single point of failure. For this reason, each component is expected to have its own memory and disk, and the use of shared storage mechanisms such as network shares, network filesystems, and SANs is not recommended or supported.

A MySQL Cluster consists of a set of computers, each running one or more processes, which may include a MySQL server, a data node, a management server, and (possibly) specialized data access programs.

On all servers

  • Install MySQL from the ports tree
  • Pass an extra argument to the make command
# cd /usr/ports/databases/mysql56-server/
# make WITH_NDB=yes
# make WITH_NDB=yes install
# /usr/local/bin/mysql_install_db --user=mysql
# /usr/local/bin/mysqladmin -u root password 'xxx'

Edit the file /etc/rc.conf

mysql_enable="YES"

Management Node

Edit the file /var/lib/mysql-cluster/config.ini

# Options affecting ndbd processes on all data nodes:
[NDBD DEFAULT]    
NoOfReplicas=2    # Number of replicas
DataMemory=80M    # How much memory to allocate for data storage
IndexMemory=18M   # How much memory to allocate for index storage
                  # For DataMemory and IndexMemory, we have used the
                  # default values. Since the "world" database takes up
                  # only about 500KB, this should be more than enough for
                  # this example Cluster setup.

# TCP/IP options:
[TCP DEFAULT]
portnumber=2202   # This is the default; however, you can use any
                  # port that is free for all the hosts in the cluster
                  # Note: It is recommended that you do not specify the
                  # portnumber at all and allow the default value to be
                  # used instead

# Management process options:
[NDB_MGMD]                      
hostname=192.168.1.122           # Hostname or IP address of MGM node
datadir=/var/lib/mysql-cluster  # Directory for MGM node log files

# Options for data node "A":
[NDBD]                          
                                # (one [NDBD] section per data node)
hostname=192.168.1.120           # Hostname or IP address
datadir=/var/db/mysql   # Directory for this data node's data files

# Options for data node "B":
[NDBD]                          
hostname=192.168.1.121           # Hostname or IP address
datadir=/var/db/mysql   # Directory for this data node's data files

# SQL node options:
[MYSQLD]                        
hostname=192.168.1.123          # Hostname or IP address
                                # (additional mysqld connections can be
                                # specified for this node for various
                                # purposes such as running ndb_restore)
[MYSQLD] 
hostname=192.168.1.140

[MYSQLD] 
hostname=192.168.1.141

Starting the management node

/usr/local/bin/ndb_mgmd -f /var/lib/mysql-cluster/config.ini &

Starting the console

/usr/local/bin/ndb_mgm

Show the status within the console

NDB> SHOW

Data Node

Edit the file /etc/my.cnf

[MYSQLD]                        
ndbcluster
ndb-connectstring=192.168.1.122    # IP management server

[MYSQL_CLUSTER]                 
ndb-connectstring=192.168.1.122  # location of management server

Add to /etc/rc.local

/usr/local/libexec/ndbd &

API Node

An API node can run on a web server, for example, so that the scripts there can connect to localhost.

Edit the file /etc/my.cnf

[MYSQLD]                        
ndbcluster
ndb-connectstring=192.168.1.122    # IP management server

[MYSQL_CLUSTER]                 
ndb-connectstring=192.168.1.122  # location of management server

Creating a table

If you want to create a table, it must be done with 'ENGINE=NDBCLUSTER'

DROP TABLE IF EXISTS `City`;
CREATE TABLE `City` (
  `ID` int(11) NOT NULL auto_increment,
  `Name` char(35) NOT NULL default '',
  `CountryCode` char(3) NOT NULL default '',
  `District` char(20) NOT NULL default '',
  `Population` int(11) NOT NULL default '0',
  PRIMARY KEY  (`ID`)
) ENGINE=NDBCLUSTER DEFAULT CHARSET=latin1;

INSERT INTO `City` VALUES (1,'Kabul','AFG','Kabol',1780000);
INSERT INTO `City` VALUES (2,'Qandahar','AFG','Qandahar',237500);
INSERT INTO `City` VALUES (3,'Herat','AFG','Herat',186800);

Links

How to Set Up Cluster

Cvsup

Note: Cvsup was phased out as of 28 February 2013!

Installing

  • pkg_add -r cvsup-without-gui

Configuring

/etc/stable-supfile

default host=cvsup.nl.FreeBSD.org
default base=/var/db
default prefix=/usr
default release=cvs tag=RELENG_6_1
default delete use-rel-suffix
default compress
src-all
ports-all tag=.

Running

  • cvsup -g -L 2 /etc/stable-supfile

PF Firewall

Configuring

Command to enable the firewall (PF):

# kldload pf

Enable the firewall automatically at boot:

# ee /etc/rc.conf
# Enable PF (load module if required)
pf_enable="YES"
# rules definition file for pf
pf_rules="/etc/pf.conf"
# additional flags for pfctl startup
pf_flags=""
# start pflogd(8)
pflog_enable="YES"
# where pflogd should store the logfile
pflog_logfile="/var/log/pflog"
# additional flags for pflogd startup
pflog_flags="" 

Load the PF rules:

pfctl -f /etc/pf.conf

PF configuration file:

# ee /etc/pf.conf
#       $FreeBSD: src/etc/pf.conf,v 1.2.2.1 2006/04/04 20:31:20 mlaier Exp $
#       $OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
#
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.

# Macros: define common values, so they can be referenced and changed easily.
ext_if="fxp0"   # replace with actual external interface name i.e., dc0
#int_if="fxp1"  # replace with actual internal interface name i.e., dc1
#internal_net="192.168.1.1/8"
external_addr="192.168.1.139"

# Tables: similar to macros, but more flexible for many addresses.
#table <foo> { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }

# Options: tune the behavior of pf, default values are given.
#set timeout { interval 10, frag 30 }
#set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
#set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
#set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
#set timeout { icmp.first 20, icmp.error 10 }
#set timeout { other.first 60, other.single 30, other.multiple 60 }
#set timeout { adaptive.start 0, adaptive.end 0 }
#set limit { states 10000, frags 5000 }
#set loginterface none
#set optimization normal
#set block-policy drop
#set require-order yes
#set fingerprints "/etc/pf.os"

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
#scrub in all

# Queueing: rule-based bandwidth control.
#altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing }
#queue dflt bandwidth 5% cbq(default)
#queue developers bandwidth 80%
#queue marketing  bandwidth 15%

# Translation: specify how addresses are to be mapped or redirected.
# nat: packets going out through $ext_if with source address $internal_net will
# get translated as coming from the address of $ext_if, a state is created for
# such packets, and incoming packets will be redirected to the internal address.
#nat on $ext_if from $internal_net to any -> ($ext_if)

# rdr: packets coming in on $ext_if with destination $external_addr:1234 will
# be redirected to 10.1.1.1:5678. A state is created for such packets, and
# outgoing packets will be translated as coming from the external address.
#rdr on $ext_if proto tcp from any to $external_addr/32 port 1234 -> 10.1.1.1 port 5678

# rdr outgoing FTP requests to the ftp-proxy
#rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

# spamd-setup puts addresses to be redirected into table <spamd>.
#table <spamd> persist
#no rdr on { lo0, lo1 } from any to any
#rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025

# Filtering: the implicit first two rules are
#pass in all
#pass out all

# block all incoming packets but allow ssh, pass all outgoing tcp and udp
# connections and keep state, logging blocked packets.
block in log on $ext_if all
pass in on $ext_if proto tcp from any to $ext_if port 22 keep state
pass out on $ext_if proto tcp all keep state
pass out on $ext_if proto udp all keep state

# pass incoming packets destined to the addresses given in table <foo>.
pass in on $ext_if proto tcp from any to any port 80 keep state
pass in on $ext_if proto udp from any to any port 80 keep state
pass in on $ext_if proto tcp from any to any port 8880 keep state
pass in on $ext_if proto udp from any to any port 8880 keep state

# pass incoming ports for ftp-proxy
pass in on $ext_if proto tcp from any to any port 20 keep state
pass in on $ext_if proto tcp from any to any port 21 keep state
pass in on $ext_if inet proto tcp from any to $ext_if port > 49151 keep state

# Alternate rule to pass incoming ports for ftp-proxy
# NOTE: Please see pf.conf(5) BUGS section before using user/group rules.
pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state

# assign packets to a queue.
#pass out on $ext_if from 192.168.0.0/24 to any keep state queue developers
#pass out on $ext_if from 192.168.1.0/24 to any keep state queue marketing

# HTTPS
pass in on $ext_if proto tcp from any to any port 443 keep state

# PLESK
pass in on $ext_if proto tcp from any to any port 8443 keep state

# POPPASSD (Plesk)
pass in on $ext_if proto tcp from 127.0.0.0/8 to any port 106 keep state
pass out on $ext_if proto tcp from 127.0.0.0/8 to any port 106 keep state
pass in on $ext_if proto udp from 127.0.0.0/8 to any port 106 keep state
pass out on $ext_if proto udp from 127.0.0.0/8 to any port 106 keep state

# AUTH (Plesk)
pass in on $ext_if proto tcp from any to any port 113 keep state

# SMTPS (Plesk)
pass in on $ext_if proto tcp from any to any port 465 keep state
pass out on $ext_if proto tcp from any to any port 465 keep state
pass in on $ext_if proto udp from any to any port 465 keep state
pass out on $ext_if proto udp from any to any port 465 keep state

# FTPS (Plesk)
pass in on $ext_if proto tcp from any to any port 990 keep state
pass out on $ext_if proto tcp from any to any port 990 keep state
pass in on $ext_if proto udp from any to any port 990 keep state
pass out on $ext_if proto udp from any to any port 990 keep state

# plesk-license-update
pass out on $ext_if proto tcp from any to any port 5224 keep state
pass out on $ext_if proto udp from any to any port 5224 keep state

# ISP DNS
pass out on $ext_if proto tcp from any to 80.84.224.249 port 53 keep state
pass out on $ext_if proto udp from any to 80.84.224.249 port 53 keep state
pass out on $ext_if proto tcp from any to 80.84.224.26 port 53 keep state
pass out on $ext_if proto udp from any to 80.84.224.26 port 53 keep state
pass out on $ext_if proto tcp from any to 83.96.192.26 port 53 keep state
pass out on $ext_if proto udp from any to 83.96.192.26 port 53 keep state

# SEND & GET EMAIL
pass in on $ext_if proto tcp from any to any port 25 keep state
pass out on $ext_if proto tcp from any to any port 25 keep state
pass in on $ext_if proto tcp from any to any port 110 keep state
pass out on $ext_if proto tcp from any to any port 110 keep state
pass in on $ext_if proto tcp from any to any port 143 keep state
pass out on $ext_if proto tcp from any to any port 143 keep state
pass in on $ext_if proto tcp from any to any port 993 keep state
pass out on $ext_if proto tcp from any to any port 993 keep state
pass in on $ext_if proto tcp from any to any port 995 keep state
pass out on $ext_if proto tcp from any to any port 995 keep state

# PING
pass in on $ext_if proto icmp from any to any keep state
pass out on $ext_if proto icmp from any to any keep state

# TIME
pass out on $ext_if proto tcp from any to any port 37 keep state

# NTP
pass out on $ext_if proto udp from any to any port 123 keep state

# NNTP NEWS (i.e. news groups)
pass in on $ext_if proto tcp from any to any port 119 keep state
pass out on $ext_if proto tcp from any to any port 119 keep state

# WHOIS
pass in on $ext_if proto tcp from any to any port 43 keep state
pass out on $ext_if proto tcp from any to any port 43 keep state

# FBSD (make install & CVSUP)
pass out on $ext_if proto tcp from any to any keep state

# Deny all Netbios service
# (pf has no "deny" keyword: the action is "block", and "keep state" is not
# accepted on block rules)
block in on $ext_if proto tcp from any to any port 137
block in on $ext_if proto tcp from any to any port 138
block in on $ext_if proto tcp from any to any port 139
block in on $ext_if proto tcp from any to any port 81

# MYSQL
pass in on $ext_if proto tcp from 192.168.1.34 to any port 3306 keep state
pass in on $ext_if proto udp from 192.168.1.34 to any port 3306 keep state

# PostgreSQL
pass in on $ext_if proto tcp from 192.168.1.34 to any port 5432 keep state

# TOMCAT
pass in on $ext_if proto tcp from any to any port 8080 keep state

# Coyote and Warp (Tomcat Java) connectors in Plesk
pass in on $ext_if proto tcp from any to any port 9080 keep state
pass in on $ext_if proto tcp from any to any port 9008 keep state

Check that the settings are correct:

# pfctl -s all

The rules:

# pfctl -s rules

Log files:

# tcpdump -n -e -ttt -i pflog0
# tcpdump -netttvvv -i pflog0
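The "block in log on $ext_if all" rule means pflog0 records every inbound packet the ruleset dropped, and the tcpdump commands above print them one per line. As an added example (not from the original page), the sh function below reads that text and tallies blocked packets per source address and per destination port, so one host probing many ports stands out at a glance. The sample lines are constructed in the shape tcpdump prints for pflog, and the function names are this example's own; on a real host feed it the saved log rather than the live interface, for example "tcpdump -n -e -ttt -r /var/log/pflog | summarize_pflog".

```sh
#!/bin/sh
# Added example (not from the original page): summarise blocked packets from
# "tcpdump -n -e -ttt -i pflog0" (or -r /var/log/pflog) output. Only lines for
# blocked packets are counted; passed packets that were logged are ignored.

summarize_pflog() {
    awk '
        /\(match\): block/ {
            # "... block in on fxp0: SRC > DST: ..." ; locate the ">" separator
            for (i = 1; i <= NF; i++) if ($i == ">") { src = $(i - 1); dst = $(i + 1); break }
            sub(/:$/, "", dst)
            split(src, s, ".")
            nd = split(dst, d, ".")
            srcip = s[1] "." s[2] "." s[3] "." s[4]
            dport = (nd > 4) ? d[nd] : "-"    # ICMP lines carry no port component
            by_src[srcip]++
            by_port[dport]++
        }
        END {
            for (ip in by_src) printf "src %s %d\n", ip, by_src[ip]
            for (p in by_port) printf "dport %s %d\n", p, by_port[p]
        }' | sort -k1,1 -k3,3nr -k2,2
}

# Constructed sample, not captured from a real interface: one host probing
# 445 and 139, one ICMP echo request, and one logged pass that must be ignored.
SAMPLE_PFLOG='00:00:00.000000 rule 0/0(match): block in on fxp0: 203.0.113.5.51234 > 192.168.1.139.445: Flags [S], seq 1, win 64240, length 0
00:00:00.120000 rule 0/0(match): block in on fxp0: 203.0.113.5.51235 > 192.168.1.139.139: Flags [S], seq 2, win 64240, length 0
00:00:00.130000 rule 0/0(match): block in on fxp0: 203.0.113.5.51236 > 192.168.1.139.445: Flags [S], seq 3, win 64240, length 0
00:00:01.000000 rule 0/0(match): block in on fxp0: 198.51.100.7 > 192.168.1.139: ICMP echo request, id 9, seq 1, length 64
00:00:02.000000 rule 1/0(match): pass in on fxp0: 198.51.100.8.40000 > 192.168.1.139.22: Flags [S], seq 4, win 64240, length 0'

summarize_sample() { printf '%s\n' "$SAMPLE_PFLOG" | summarize_pflog; }

summarize_sample
```

Output is sorted with the busiest destination ports and sources first; a source line with a count far above the rest is the usual sign of a port sweep against the host.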

Reload the rules

# pfctl -f /etc/pf.conf

Firewall port scan

Installing:

cd /usr/ports/security/nmap
make install

Scanning:

# nmap -v -iR 10 -P0 -p 80

nmap port scanning TCP Connect scanning for localhost and network 192.168.0.0/24

# nmap -v -sT localhost
# nmap -v -sT 192.168.0.0/24

nmap TCP SYN (half-open) scanning

# nmap -v -sS localhost
# nmap -v -sS 192.168.0.0/24

nmap TCP FIN scanning

# nmap -v -sF localhost
# nmap -v -sF 192.168.0.0/24

nmap TCP Xmas tree scanning
Useful to see whether the firewall protects against this kind of scan:

# nmap -v -sX localhost
# nmap -v -sX 192.168.0.0/24

nmap TCP Null scanning
Useful to see whether the firewall protects against this kind of scan:

# nmap -v -sN localhost
# nmap -v -sN 192.168.0.0/24

nmap TCP Window scanning

# nmap -v -sW localhost
# nmap -v -sW 192.168.0.0/24

nmap TCP RPC scanning
Useful to find out RPC (such as portmap) services

# nmap -v -sR localhost
# nmap -v -sR 192.168.0.0/24

nmap UDP scanning
Useful to find open UDP ports (-sU; -O is OS detection, not a UDP scan)

# nmap -v -sU localhost
# nmap -v -sU 192.168.0.0/24

nmap remote software version scanning
You can also find out which software version is listening on the port.

# nmap -v -sV localhost
# nmap -v -sV 192.168.0.0/24


Mergelog

Mergelog is a small and fast C program which merges httpd log files in 'Common Log Format' by date from web servers behind round-robin DNS. It has been designed to easily manage huge log files from highly stressed servers. mergelog is distributed with zmergelog, which supports gzipped log files.

Installation

# cd /usr/ports/www/mergelog
# make install clean

Settings

Edit the config file

# ee /usr/local/etc/webalizer.conf
#LogFile        /var/log/httpd-access.log
LogFile         -

Copy the access log from another server

Create a directory in which the merged log files will be placed

# mkdir /var/log/merge/

Create a shell script:

# ee /usr/sbin/merge-logfile.sh

Put the following in the file.

#!/bin/sh
# Fetch the access logs from the other web server over FTP into the merge
# directory. FTP sends the account name and password in clear text and they
# are also stored in this file, so keep it readable by root only and give the
# "log" account read access to the log files and nothing else.
SOURCE_DIR=/
DEST_DIR=/var/log/merge/
USER=log
PASSWORD="markhost"
REMOTE_BOX=192.168.1.142
FILE=httpd-access.log
FILE2=httpd-ssl_request.log
cd $DEST_DIR || exit 1
# -i: no interactive prompting, -n: no auto-login from .netrc; the session is scripted below
ftp -in <<EOF
open $REMOTE_BOX
user $USER $PASSWORD
bin
cd $SOURCE_DIR
get $FILE
get $FILE2
close
bye
EOF

Then run the file:

# cd /usr/sbin/
# sh merge-logfile.sh

Starting Mergelog

Create a file.

# ee /usr/sbin/mergelog.sh

Put the following in the file.

#!/bin/sh
/usr/local/bin/mergelog /var/log/httpd-access.log /var/log/merge/httpd-access.log

Then run the file:

# cd /usr/sbin/
# sh mergelog.sh


Jail

Configuration

Create a sh file

# ee /etc/jail.sh
D=/usr/jail/192.168.1.142        # root directory of the new jail
cd /usr/src
mkdir -p $D
make world DESTDIR=$D            # build and install the base system into $D
make distribution DESTDIR=$D     # install the /etc skeleton into $D
mount_devfs devfs $D/dev

Run the sh file.

sh jail.sh

Edit the rc.conf file.

ee /etc/rc.conf
jail_enable="YES"   # Set to NO to disable starting of any jails
jail_interface="fxp0"
jail_devfs_enable="YES"
jail_procfs_enable="YES"
jail_list="www"     # Space separated list of names of jails
jail_www_rootdir="/usr/jail/192.168.1.142" # jail's root directory
jail_www_hostname="www.markterweele.nl"  # jail's hostname
jail_www_ip="192.168.1.142"           # jail's IP address
jail_www_devfs_enable="YES"          # mount devfs in the jail
#jail_www_devfs_ruleset="www_ruleset" # devfs ruleset to apply to jail

Edit sysctl

ee /etc/sysctl.conf
#security.jail.set_hostname_allowed: 1
#security.jail.socket_unixiproute_only: 1
#security.jail.sysvipc_allowed: 0
#security.jail.enforce_statfs: 2
#security.jail.allow_raw_sockets: 0
#security.jail.chflags_allowed: 0
#security.jail.jailed: 0

High-level administrative tools

# cd /usr/ports/sysutils/jailutils
# make install clean

Copy resolv.conf into the jail

# cp /etc/resolv.conf /usr/jail/192.168.1.142/etc/

Create a make.conf file

# ee /usr/jail/192.168.1.142/etc/make.conf
WRKDIRPREFIX=/tmp

Create a ports directory.

# mkdir /usr/jail/192.168.1.142/usr/ports

Create an rc.conf file in the jail

# ee /usr/jail/192.168.1.142/etc/rc.conf
defaultrouter="192.168.1.1"
ifconfig_fxp0="inet 192.168.1.142  netmask 255.255.255.0"
network_interfaces="fxp0"
rpcbind_enable="NO"
sshd_enable="YES"
syslogd_flags="-ss"

Mounting into the jail

Mount /usr/ports and /usr/src into the jail with nullfs, on the jail's own /usr/ports and /usr/src directories (not on the jail root, which would hide the whole jail):
mount_nullfs /usr/ports /usr/jail/192.168.1.142/usr/ports
mount_nullfs /usr/src /usr/jail/192.168.1.142/usr/src

After the server reboots the virtual IP address is available

List all jails:

# jls

Installing programs via the jail

jail /usr/jail/192.168.1.142 www.markterweele.nl 192.168.1.142 /bin/sh

To enter the jail, run the following command:

# jexec 1 tcsh

Restart the jail

# /etc/rc.d/jail restart 192.168.1.142


Dump and Restore

Introduction

The traditional UNIX® backup programs are dump and restore. They operate on the drive as a collection of disk blocks, below the abstractions of files, links and directories that are created by the file systems. dump backs up an entire file system on a device. It is unable to backup only part of a file system or a directory tree that spans more than one file system. dump does not write files and directories to tape, but rather writes the raw data blocks that comprise files and directories.

Making a dump (dump)

To make a dump of a live filesystem the -L option is needed. First go to a directory with enough space. The following command can be used to make a dump of the /usr partition; the output is streamed to gzip and stored in a .gz file in the current working directory.

cd /home/dumps
dump -0 -u -L -a -f - /usr | gzip -2 > usr.gz
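The one-line pipeline above is what you run by hand for a single partition. As an added example (not part of the original page), the sh script below generalises it: it reads /etc/fstab to find every filesystem marked for backup (the fifth column, the dump frequency, is non-zero), dumps each with the same "dump -L | gzip" pipeline, checks dump's own exit status (a pipeline only reports gzip's), reads each archive back once with "restore -t" and records a sha256 so a damaged archive is noticed before the day it is needed. The destination directory, the archive naming and the function names are this example's own; the fstab sample is constructed, and sha256(1) is FreeBSD's checksum tool.

```sh
#!/bin/sh
# Added example (not from the original page): dump every filesystem that fstab
# marks for backup, verify each archive, and keep a checksum manifest.
# Usage on a real host (as root): backup_all /home/dumps

fstab_dump_candidates() {
    # Reads an fstab on stdin and prints "device mountpoint" for each entry whose
    # 5th column (the dump frequency) is non-zero; comments and swap are skipped.
    awk '!/^[ \t]*#/ && NF >= 5 && $3 != "swap" && $5 != "0" { print $1, $2 }'
}

archive_name() {
    # "/" -> root, "/usr" -> usr, "/var/log" -> var_log
    case $1 in
        /) echo root ;;
        *) printf '%s\n' "$1" | sed -e 's,^/,,' -e 's,/,_,g' ;;
    esac
}

backup_all() {
    # $1 = destination directory with enough free space (assumed, e.g. /home/dumps)
    dest=$1
    mkdir -p "$dest"
    fstab_dump_candidates < /etc/fstab | while read -r dev mnt; do
        name=$(archive_name "$mnt")
        # -0 full dump, -u record in /etc/dumpdates, -L snapshot the live
        # filesystem, -a write until end of media, -f - stream to stdout.
        # dump's exit status is saved separately: "$?" after the pipeline is gzip's.
        { dump -0 -u -L -a -f - "$mnt"; echo $? > "$dest/.dump_rc"; } | gzip -2 > "$dest/$name.gz"
        if [ "$(cat "$dest/.dump_rc")" -ne 0 ]; then
            echo "dump of $mnt ($dev) failed, archive $name.gz not trusted" >&2
            continue
        fi
        # Read the archive back once: restore -t lists its table of contents.
        if ! gunzip -c "$dest/$name.gz" | restore -t -f - > /dev/null; then
            echo "$name.gz cannot be read back by restore" >&2
            continue
        fi
        sha256 "$dest/$name.gz" >> "$dest/SHA256SUMS"
    done
    rm -f "$dest/.dump_rc"
}

# Constructed sample fstab (not a real host's) to show which entries are selected.
SAMPLE_FSTAB='# Device  Mountpoint  FStype  Options  Dump  Pass#
/dev/ad0s1b  none  swap  sw  0  0
/dev/ad0s1a  /     ufs   rw  1  1
/dev/ad0s1e  /tmp  ufs   rw  2  2
/dev/ad0s1f  /var  ufs   rw  2  2
/dev/ad0s1d  /usr  ufs   rw  2  2
/dev/acd0    /cdrom cd9660 ro,noauto 0 0'

candidates_sample() { printf '%s\n' "$SAMPLE_FSTAB" | fstab_dump_candidates; }

candidates_sample
```

Before a restore, "sha256 -c" against SHA256SUMS (or comparing the recorded hash by hand) tells you whether the archive on the USB disk is the one that was written.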

Restoring a dump (restore)

In the BIOS, set the machine to boot from the CD-ROM drive or the hard disk.
Then start sysinstall; if you chose the CD-ROM drive as the first boot device, sysinstall starts automatically.

Then Configure > Fdisk
Tick the correct hard disk.
Create 1 new slice.

# q

Select BootMgr and press "ok"

Create the following partitions:
1G /
1G /tmp
4G /var
10G /usr
2x RAM swap
The rest /home

# w

Then press "YES".

# q

Then "Exit".
Choose "Fixit".
Then choose "cd-rom / dvd".

Type the following command to see which partitions have been loaded.

# df -h
# cd /
# mkdir dump

Mount the external hard disk with the commands below.
With the rf option you can restore a specific partition.

# mount /dev/da0s1h /dump
# cd /mnt
# restore rf /dump/plesk/root
# cd etc
# ee fstab

Adjust the device if necessary and check that everything is correct. Check that the Ethernet interface is set correctly (for example fxp0) and that the disk letters match what is in the dump.

To check which network device the server has:

# ifconfig

Adjust this in the rc.conf file if needed.
Now reboot the server and enter the BIOS during startup.
Set it to boot from the hard disk.
After the server has rebooted, choose option 4 during the FreeBSD boot.
Now all partitions must be mounted:

# mount /tmp
# mount /var
# mount /usr
# mount /home

To check that all partitions are mounted:

# df -h

Mounting the USB drive:

# mount /dev/da0s1h /mnt

Below is how to restore the partitions:

# cd /tmp
# restore rf /mnt/plesk/tmp
# cd /var
# restore rf /mnt/plesk/var
# cd /usr
# restore rf /mnt/plesk/usr
# cd /home
# restore rf /mnt/plesk/home

Then unmount the USB drive:

# umount /mnt

Restoring from gzip files

First go to your working directory, i.e. the place where you want to put the restore back

gunzip -c /cdrom/usr.gz | restore rf -

Links

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/backup-basics.html