contact :: legal :: webstats  also on this site: - select - home code conspiracy tech writings green business studies popular pages welcome  also in this section:  tech index  most popular pages  search:  this site only Like this site? Your donation is welcome!

with respect and in deference to The FreeBSD Diary

The aim of this project is to produce a unix server which provides SSH, FTP, SMTP, POP, IMAP, NTP, HTTP (Apache, PERL and PHP), SQL (MySQL), SMB file and print sharing (Samba and CUPS), and email filtering (SpamAssassin) service. An all-in-one drop-in replacement for Windows and Netware servers, basically, with some extra features. I know that unix is more reliable and secure, and is more powerful, than any version of Windows, and I wish to pass these benefits onto my customers.

Note, this server will be on a NATted LAN inside the corporate firewall, which is a separate device, and doubles as a router, DNS server, and ADSL uplink. DHCP is not used.

1. research

2. download

3. install
   1. partitioning
   2. options
   3. SSH
   4. CVSup
   5. portaudit
   6. portsnap
   7. denyhosts

4. building the services
   1. NTP
   2. FTP
   3. SMTP (sendmail)
   4. PHP
   5. HTTP (Apache)
   6. SMB (Samba)
   7. CUPS
   8. POP/IMAP (Dovecot)
   9. SQL (MySQL)

5. notes
   1. user management
   2. the packages collection
   3. the ports collection
   4. scripting
   5. DOS refugees
   6. dual-booting
   7. other

research

Looking for a unix desktop instead of a server platform? Check out PC-BSD - This is FreeBSD + KDE (a popular GUI), with a sexy installer, some smart scripts and a bunch of services preinstalled and preconfigured. It doesn't try to be a server - this is a system designed to do the same job as Windows XP. It's very slick indeed.

The first step is to settle upon which unix to use. I poked around on the net, and I read some of the documentation. Factors influencing my decision included popularity, lineage, and hardware support. In the end, FreeBSD was the clear winner; not only modern and well-supported, but also with a distinguished history, and reference sites including yahoo.com, apache.org, cdrom.com and even (once upon a time) hotmail.com. Sold... Linux? Oh yes - that's the unix that uses BSD components, GNU components, Linus components.. I've heard of it.

I then needed to select a distribution - there's NetBSD, OpenBSD and FreeBSD. NetBSD is optimised for portability... I don't need that. OpenBSD's main advantage seems to be security - I didn't feel the need to encrypt my swapspace... so I opted for the high-performance FreeBSD instead. See also a comparison of BSD operating systems and/or Distrowatch for more information.

Hardware-wise, BSD runs on pretty well anything, including the 333MHz AMD K6 in the test server, with 128Mb of RAM and 4Gb of disk (note that I currently recommend a minimum of 10Gb for a FreeBSD 8.x install). BSD can run with less resources than these - but it's not recommended. A BIOS with support for ACPI and bootable CD-ROMs is also suggested. While BSD can run on ancient hardware, the limitations this imposes on the flexibility of the system may be excessive. Certainly, for production servers I hope to use the latest and fastest hardware. Note that BSD, being a community-supported OS, does not immediately support new devices; nor do manufacturers usually ship BSD drivers. Ensure that drivers are available, working and stable before committing to a specific device.

Software-wise, aside from the operating system I also had to decide which servers and applications to deploy. I stuck with the tools I knew.

Note: once you've settled on a distribution, you might like to stick with the particular version of the distribution you download, at least for a while. This will allow you to compare and contrast between your builds (you will no doubt do several). If you always use the latest version of the distribution, you will be introducing inconsistencies between your builds, this will be confusing if you are still learning how the system works. So, select your download very carefully. As always, avoid ".0" releases, you want a version number x.1 or higher.

download

Next, I had to get the FreeBSD CDs. I downloaded the full distribution as an ISO from a mirror; after verifying the MD5 hash for each ISO, I then burned the ISOs onto CDs. If you're not sure how to burn an ISO from a mirror onto a CD, or verify the hashes, this is your cue to open a new browser window and zoom over to your favourite search engine. I did try using BitTorrent to get the ISOs, but it was going to take twice as long, plus saturate my outbound, so I aborted BitTorrent and went for good old FTP.

install

1. Assemble the hardware. Try and use known-good hardware if possible. Ensure the drive you are installing FreeBSD on is connected to the Primary IDE channel, and is configured as Master. This is not strictly necessary, and certainly for SCSI setups is not applicable, however unless you know what you're doing, keep it simple. You may need to use a boot manager if you do not install to a drive configured as master on the primary IDE channel. Ensure the machine can see the hard disk and CD-ROM before continuing.

2. Configure the BIOS. Usually, there's nothing to change, but the system date should be set correctly. Also, the CD-ROM needs to be a bootable device, higher in the boot order than the primary hard disk (just during installation - once the install is complete, it's good security to set the hard disk as the first bootable device, unless otherwise needed). Finally, ACPI should be enabled. If your BIOS does not support booting from CD, or ACPI, my advice is to find a computer that does, and use that, since these features will make your life as admin simpler and faster. Check the BIOS settings, especially the clock, before installing the software.

3. Put in the CD (use disk 1 for FreeBSD 7.x and below) and boot off it. From the welcome screen that appears, select 1. Boot FreeBSD [default] (if you have problems with crashes during startup or install, try the other options on this first screen, especially ACPI). The next two screens allow country and keymap selection (in FreeBSD 4.11, these options are selected later). I suggest UK, then from the next screen, UK CP850. The sysinstall Main Menu is then displayed; select standard install.

4. If you have multiple drives in your system, you will now be prompted to select which drive to install to. Select this VERY carefully. If you select the incorrect drive, you are likely to lose all the data on that drive during the install. If you have multiple drives, but you are not prompted to select a drive, that means that FreeBSD has not detected your other drive(s). Check your hardware setup in this case.

5. FDISK the partition editor will now appear. Check that you are installing to the correct drive - the top-left corner of the FDISK screen shows the Disk Name, which should be ad0 if you are installing to the master drive on your primary IDE channel. If the disk name is correct, press A (to use the entire disk), press down-arrow (to select the new FreeBSD partition), press S (to make the new FreeBSD partition bootable), and finally press Q to quit FDISK. [Note to fellow DOS refugees: FreeBSD calls partitions 'slices'. FreeBSD has partitions too but they are different to DOS-style partitions - in fact they are sub-partitions, and are called labels.]

6. The installer then prompts to install a boot manager. Select install a standard MBR. If you are doing multiboot, I still recommend you select standard MBR here, I had problems with the FreeBSD boot manager (admittedly, a few years back). You'll need to install a Boot Manager separately in this case (see my multiboot notes for more on this).

7. Next, the disklabel editor appears; press A to create the default scheme. Customise label sizes as needed, then press Q to quit the label editor. The disklabel editor can be tricky to use, especially if customising the label sizes - fortunately the defaults are often acceptable. For reference, the following FreeBSD-style partitions are required:

   /	250Mb minimum
   swap	250Mb minimum
   /tmp	250Mb minimum
   /usr	2Gb minimum
   /var	500Mb minimum

   Smaller values may work, but will probably not be useful (especially over time). /usr should be as big as possible. Think carefully before proceeding - ensure the scheme you define will suit the machine's intended usage (a mailserver, which by default puts spools in /var, will probably need an extra-large /var, for example). You may need to juggle the sizes of the various labels, particularly if you are installing on a disk 4Gb or less in size. Once the label sizes are defined, it's difficult to change them without reinstalling the system from scratch. Unfortunately, FreeBSD is not yet blessed with tools like Ghost and Partition Magic (although you could try PING if you were brave).

8. With label sizes defined, the installer then prompts for an installation type - select Developer, unless you have a preference otherwise.

9. In FreeBSD 8.x, the next screen to appear asks whether to install documentation. Selecting the correct documentation for your language is recommended.

10. The installer then asks whether to install the ports collection. If the ports collection is not installed, this can cause difficulty in some circumstances, so electing to install the ports here is recommended.

11. The installer then returns to the "choose distribution" screen - your previous selection should now be marked with an X. If this is the case, press the Tab key to move the cursor to the OK button, then press the Space bar to press OK.

12. Select your installation media.

13. Read the next screen carefully - if you're happy that you're about to erase your hard disk, press Enter to continue! The hard disk will then be partitioned and formatted, and system files will be copied to the disk (this process takes some time). When the install is completed, a congratulations message will appear.

14. The installer then proceeds to the "final configuration questions". These vary depending on previous choices and the distribution being installed (docs: handbook).

    • Would you like to configure any Ethernet or SLIP/PPP network devices? .. Yes.. (I want to configure the network card):
      • select Ethernet card (it should be autodetected)
      • Do you want to try IPv6 configuration of the interface? .. No..
      • Do you want to try DHCP configuration of the interface? .. No..
      • The network configuration screen that then appears is pretty well the same as Windows' TCP/IP Properties box:
        1. for the Hostname, enter a unique name for the machine - this is analogous to Windows' Computer Name setting
        2. in the Domain box, I put my own domainname (eg. cyberdelix.net)
        3. IPv4 gateway is analogous to Windows' gateway setting
        4. nameserver is analogous to Windows' DNS server setting (changed later by editing /etc/resolv.conf)
        5. enter an unallocated IP address into the IPv4 address box
        6. set the netmask box appropriately (analogous to Windows' subnet mask)
        7. leave ifconfig options empty
        8. press OK
    • Would you like to bring the interface up right now? .. No..
    • Do you want this machine to function as a network gateway? .. No..
    • Do you want to configure inetd and the network services it provides? .. No..
    • Would you like to enable SSH login? .. Yes..
    • Do you want to have anonymous FTP access to this machine? .. No..
    • Do you want to configure this machine as an NFS server? .. No..
    • Do you want to configure this machine as an NFS client? .. No..
    • Would you like to customise your system console settings? .. No.. (in FreeBSD 4.11, say Yes here if you want to map a keyboard)
    • Would you like to set this machine's timezone now? .. Yes.. (then select the correct timezone and country)
    • Would you like to enable Linux binary compatibility? .. No.. (in FreeBSD 8.x, this question does not appear)
    • Does this system have a PS/2, serial or bus mouse? .. No..
    • Do you want to browse the package collection now? .. No.. (In FreeBSD 7.x and below, say Yes.. to this, and install cvsup (net/cvsup-without-gui) and portaudit (security/portaudit). The FreeBSD 8.x CD does not seem to have any packages included, except for the documentation - the DVD probably does contain all the packages, however).
    • Would you like to add any initial user accounts to the system? .. Yes.. (docs: handbook)
      1. select group and create a group for your users (eg. "accounts") - leave membership empty
      2. select user and create a user - note the password down - add the user to the group just created. Also, if this is the system administrator's personal account, make the user a member of wheel group.
      3. select exit
    • set root's password - note this down too
    • Visit the general configuration menu for a chance to set any last options? .. No.. (if you made a mistake above, you can probably fix it here)

15. Press the X key to exit the installer and reboot, not forgetting to eject the CD.

16. FreeBSD 7.x and below only: to complete the install, enter some "random entropy" for SSH key generation - this is done on first boot, follow the onscreen instructions (this step won't appear if you did not elect to enable SSH during install).

This done, you should be able to login as root, and immediately ping yahoo.com!

Note: if installing FreeBSD in a dual- or multi-boot system, a boot manager should be installed at this point. You may also wish to remove the ability to boot from CD from the BIOS.

You should now continue to the next section.

SSH: (docs: handbook; manpage - daemon; manpage - config file)

During install, you may have slected "Yes, enable SSH login" - while this generates keys and configures the SSH daemon to start on boot, it crucially does not automatically allow anyone to login remotely (including root). To permit a user to login, first login to the console as root, then:

1. edit the daemon's configuration file: vi /etc/ssh/sshd_config
2. uncomment the line Protocol 2 (this ensures SSH1 is NOT supported)
3. uncomment the PermitRootLogin line and set it to no
4. uncomment the MaxStartups line and set it to 5
5. uncomment the X11Forwarding line and set it to no
6. uncomment the Banner line and set it to none
7. go to the end of the file, add these new lines:

   # denied users
   DenyUsers Administrator Guest Root
   # permitted users
   AllowUsers username@IP.address.you.use
   

8. save the changes to the config file and quit the editor
9. restart the SSH daemon: /etc/rc.d/sshd restart

username is usually the username associated with the sysadmin's personal account (created above, member of group 'wheel'). Do not permit root to login remotely. A more secure configuration is to permit a user who can 'su' to root instead.

IP.address.you.use is the IP address of the computer you use to connect to the server. Failing to add the AllowUsers line permits users to login from anywhere. Failing to add the IP address permits the user specified to login from anywhere.

Remember to restart the daemon after you save your changes to its configuration file. It only reads the file when it starts up.

Note: this configuration permits use of password-based authentication, which is vulnerable to brute-forcing. Key-based authentication is more secure. However, in the configuration above an IP address is specified on the AllowUsers line, which means that a brute-force attack can only be successful if it is made from that IP address. denyhosts can also be used to ban problem IPs.

The rest of the build can be completed remotely (via SSH), if desired. If you wish to connect remotely via SSH, and a firewall is in between, forward the SSH port 22/TCP to the server now. Also, check that port 22/TCP is open on the firewall. It's good security to use an alternate port, if possible (forward, for example, firewall/external port 6666 to server/internal port 22 - you then specify port 6666 in your SSH client and the firewall maps the traffic to port 22 on the server).

SSH issues? Have a look in /var/log/auth.log

You should now continue to the next section.

CVSup: (docs: handbook; homepage)

If you're doing a new install, skip this section and go straight to portaudit. If you want to update an existing system, which is currently FreeBSD 6.3 or higher, please see the Handbook page on the subject, and do not use the instructions below. The instructions below are for FreeBSD 6.2 and below only, as these systems do not include the freebsd-update utility.

I installed CVSup when I installed FreeBSD itself, so next, after logging in as root, I updated the source tree, so as to get the latest patches:

1. cd /usr/local/etc
2. cp /usr/share/examples/cvsup/standard-supfile .
3. chmod 644 standard-supfile
4. vi standard-supfile
5. change the *default host setting (I use cvsup3.uk.FreeBSD.org or cvsup2.nl.FreeBSD.org)
6. save the changes and exit the editor
7. cvsup -g -L 2 standard-supfile (this requires a live internet connection, and takes a while)

The source tree updated, rebuild the system (docs: handbook):

1. cd /usr/src
2. make buildworld (this takes quite a while)
3. make buildkernel (this takes a while)
4. make installkernel
5. reboot, then log back in as root
6. cd /usr/src
7. make installworld
8. reboot

Don't skip the reboots, without them the new kernel does not become active (not sure about world).

The step below is no longer recommended. Use portsnap instead.

The system rebuilt, update the ports collection:

1. cd /usr/local/etc
2. cp /usr/share/examples/cvsup/ports-supfile .
3. chmod 644 ports-supfile
4. vi ports-supfile
5. change the *default host setting (eg. cvsup3.uk.FreeBSD.org)
6. save the changes and exit the editor
7. cvsup -g -L 2 ports-supfile (this requires a live internet connection, and takes a while)

Notes:

• A list of CVS servers is available here.
• CVSup requires port TCP 5999 outbound open on the firewall.
• The more ports there are installed, the longer the port update takes. It's possible to control which groups of ports are updated, however this is not covered here.

Failing to update the system would have left me with a bunch of bugs and security issues that have already been fixed.

portaudit: (docs: manpage)

portaudit is a useful tool that prevents the installation of ports containing known vulnerabilities. It also checks existing ports for known vulnerabilities.

How to install:

1. cd /usr/ports/ports-mgmt/portaudit
2. make install clean

At any time, you can now check all ports for vulnerabilities with the command:

/usr/local/sbin/portaudit -Fda

Notes:

• portaudit should be installed before any other ports
• to temporarily disable portaudit, delete or rename its database in /var/db/portaudit
• portaudit is run by default during a make install - if the database has not been initialised, a message will be shown: "Vulnerability check disabled, database not found"
• if you try and install a port and get a message "Please update your ports tree and try again", do this using portsnap (below).

You should now continue to the next section.

portsnap: (docs: handbook)

portsnap is used to update the ports collection. portsnap is installed with the base system, for FreeBSD 6 and up (earlier versions require it to be installed from the ports collection).

To initialise portsnap, and update to the latest ports tree, login as root, and do this:

portsnap fetch extract

This command is only required when portsnap is first run. To update the ports tree at a later time (eg. once portsnap has been initialised, as above):

portsnap fetch update

Notes:

• portsnap will overwrite your existing ports tree in /usr/ports (including any mods you've made)
• requires a live internet connection
• the initial fetch and extract will probably take a while
• portsnap keeps a complete compressed copy of the ports tree in /var/db/portsnap/ (approx 65Mb, in early 2011)
• configuration file: /etc/portsnap.conf
• it is possible to refuse certain branches of the tree, however this is not recommended
• portsnap removes the need for using CVSup against the ports tree - CVSup is still needed to update FreeBSD itself, however. portsnap is more efficient and secure than CVSup.

denyhosts: (docs: FAQ)

denyhosts can be used to stop many kinds of brute-force attacks. While the SSH configuration above is quite secure, using denyhosts gives an extra layer of security, and may allow some of the other restrictions to be relaxed (eg. restricting login from certain IP addresses only). In addition, denyhosts can be used to simultaneously block attacks on protocols other than SSH. denyhost's drawbacks include its Python dependency, and also its use of TCP wrappers. However this use of TCP wrappers means that it does not need a firewall in order to operate.

NOTE: if you do not plan on exposing any ports to the public internet, you do not need to install denyhosts.

How to install:

1. cd /usr/ports/security/denyhosts
2. make install clean
3. if prompted for Python configuration, make changes as necessary and continue
4. vi /etc/rc.conf
5. add these lines (if the syslogd_flags setting already exists, ensure it includes the -c switch):

   denyhosts_enable="YES"
   syslogd_flags="-c"
   

6. save the changes and exit the editor
7. vi /etc/hosts.allow
8. comment out this line:

   ALL : ALL : allow
   

9. add these lines just before the sendmail settings:

   # denyhosts
   sshd : /etc/hosts.deniedssh : deny
   sshd : ALL : allow
   

10. save the changes and exit the editor
11. vi /usr/local/etc/denyhosts.conf
12. uncomment this line:

    BLOCK_SERVICE  = sshd
    

13. save the changes and exit the editor
14. touch /etc/hosts.deniedssh
15. /etc/rc.d/syslogd restart
16. /usr/local/etc/rc.d/denyhosts start

Notes:

• the file /etc/hosts.deniedssh will be created by touch, if it does not exist
• configuration options can be found in /usr/local/etc/denyhosts.conf
• check that denyhosts is running with ps -ax|grep denyhosts
• logfile is /var/log/denyhosts
• denied hosts will be listed in /etc/hosts.deniedssh
• failed connection attempts will be logged to /var/log/auth.log with a "refused connect" message like this: "You are not welcome to use [service] from [IP]."
• once denyhosts is running, if another daemon (say, mysqld) reports "refused connect" in /var/log/auth.log, add a line to /etc/hosts.allow to permit traffic to that daemon. In the case of mysql, which will also report "mysqld[483]: error: /etc/hosts.allow, line xx: twist option in resident process" in /var/log/auth.log, open /etc/hosts.allow and add these lines after the SSH lines added above:

  # mysql
  mysqld : ALL : allow
  

  All hosts will be then allowed to connect to mysqld. Ensure to remove any mistakenly blocked hosts from /etc/hosts.deniedssh (denyhosts will probably have added any clients that attempted to use mysql while it was blocked to the /etc/hosts.deniedssh file). A restart of denyhosts, mysqld or anything else is NOT required.

  This example permits a single IP access to SWAT (Samba's configuration tool):

  # SWAT
  swat : 192.168.0.1 : allow
  swat : ALL : deny
  

building the services

NTP: (docs: handbook; manpage)

An NTP daemon is installed by default; use this procedure to configure and start it:

1. edit startup file: vi /etc/rc.conf
2. add these lines to the end of the file:

   
   ntpdate_flags="time.server.to.use"
   ntpdate_enable="YES"
   ntpd_enable="YES"
   ntpd_sync_on_start="YES"
   

3. save the file and close the editor
4. open config file: vi /etc/ntp.conf
5. (not needed in FreeBSD 8.x) add a line: server time.server.to.use
6. (not needed in FreeBSD 8.x) add a line: driftfile /var/db/ntp.drift
7. add a line: logfile /var/log/ntpd.log
8. save the file and close the editor
9. start the server: ntpd

Notes:

• time.server.to.use is the address of the NTP server you wish to sync with (try ntp2.cam.ac.uk or ntp.cs.strath.ac.uk). Try a search like this if you don't know of one.

FTP: (docs: handbook - ftp; handbook - inetd; manpage - inetd)

An FTP server is installed by default; use this procedure to configure and start it:

1. run sysinstall
2. select Configure, then Networking
3. go down to inetd and press Enter
4. accept the warning
5. open the editor
6. uncomment the "ftp" line (tcp6 is apparently for IPv6 - I left this commented out)
7. save the changes and exit the editor, then quit sysinstall (press Esc to exit)
8. if needed, add usernames to the banned user file: vi /etc/ftpusers
9. if needed, add usernames to the restricted user file: vi /etc/ftpchroot
10. if needed, edit welcome and motd files: vi /etc/ftpwelcome ... vi /etc/ftpmotd
11. start inetd: /etc/rc.d/inetd start
12. edit startup file: vi /etc/rc.conf
13. ensure the inetd_enable line is set to "YES"
14. if present, ensure TCP_extensions is set to "NO"
15. save any changes and exit the editor

Notes:

• the configuration file is at /etc/ftpd.conf
• the logfile is at /var/log/xferlog
• to quote the FreeBSD Handbook: "Finally there is the TCP Extensions option. This enables the TCP Extensions defined in RFC 1323 and RFC 1644. While on many hosts this can speed up connections, it can also cause some connections to be dropped. It is not recommended for servers, but may be beneficial for stand alone machines."

SMTP (sendmail):

Sendmail is installed and enabled by default. Use this procedure to configure it:

The instructions once given here, which were for configuring sendmail in outbound-only mode, are no longer recommended for use, and instead, ssmtp is suggested (I hope to add instructions for this soon).

PHP: (docs: PHP)

Note: install PHP before installing Apache.

To install PHP:

1. cd /usr/ports/lang/php5
2. make install clean (this requires a live internet connection, and takes a while)
3. PHP options: select CLI, CGI, Apache, Suhosin, FastCGI and pathinfo
4. cp /usr/local/etc/php.ini-development /usr/local/etc/php.ini

   Note: if this is a production server, use /usr/local/etc/php.ini-production instead. The production INI is more secure, but less flexible.

   Note: older versions of PHP come with differently-named sample INIs, try /usr/local/etc/php.ini-recommended in this case. List /usr/local/etc/ and look for files starting with php, if you have problems.

5. open the PHP config file: vi /usr/local/etc/php.ini
6. change the display_errors and error_reporting lines if appropriate
7. change the date.timezone line as needed (eg. Europe/London) [docs]
8. cd /usr/ports/lang/php5-extensions
9. make install clean

   There are too many options to cover here, but recommended options, in addition to the defaults, include CURL, GD, MCRYPT, MYSQL, MSYQLI, and OPENSSL

Notes:

• phpMyAdmin should be installed after Apache.
• if, later, you change PHP.INI, ensure to restart Apache afterwards. Apache needs to be restarted before the changes are noticed by PHP.
• on FreeBSD 5.x and below, PHP is found in cd /usr/ports/www/mod_php5

HTTP (Apache): (docs: handbook; homepage: Apache)

Note: newer versions of FreeBSD seem to install Apache, if it is not installed when PHP was installed; so if you've already installed PHP, skip to step 3 of the instructions below. If you get an error, "file not found" you need to start at step 1.

1. install from the Ports collection: cd /usr/ports/www/apache13-modperl
2. make install clean (this requires a live internet connection, and takes a while)
3. open the Apache config file: vi /usr/local/etc/apache/httpd.conf
4. change the ServerAdmin line
5. change the DocumentRoot line to /usr/local/www/public_html
6. change the second <Directory> line to /usr/local/www/public_html

   Note, ensure to change the second instance of the <Directory> line - it's underneath the text "This should be changed to whatever you set DocumentRoot to."

7. in the same section (just a few lines below), you may wish to change the AllowOverride line to enable various features; example: AllowOverride FileInfo Limit Options
8. locate the DirectoryIndex section, then comment out everything (eg. everything between <IfModule mod_dir.c> and the matching </IfModule>), then add a new line as follows:

   DirectoryIndex index.php index.html index.htm
   

9. change the ServerSignature line to Off
10. add a new line underneath the ServerSignature line: ServerTokens Prod (not sure why this is not in the default .conf file?)
11. locate the Aliases section, then comment out the /manual/ alias
12. locate the Document Types section, then add the following to the end of the section (just before the </IfModule>):

    ## BEGIN extra PHP filetypes ##
       AddType application/x-httpd-php .php
       AddType application/x-httpd-php .phtml
       AddType application/x-httpd-php .php3
       AddType application/x-httpd-php .php4
       AddType application/x-httpd-php .php5
       AddType application/x-httpd-php-source .phps
    ## END extra PHP filetypes ##
    

13. save the changes and exit the editor
14. mkdir /usr/local/www/public_html
15. chmod 775 /usr/local/www/public_html
16. mkdir /usr/local/www/logs
17. echo apache_enable=\"YES\" >> /etc/rc.conf
18. /usr/local/sbin/apachectl start

Notes:

• Apache can be restarted with /usr/local/sbin/apachectl restart
• the syntax in httpd.conf can be tested by running /usr/local/sbin/apachectl configtest
• To set Apache to listen to an alternate port, use the Listen setting in httpd.conf
• PERL does not need to be installed manually - it is installed as a dependency by Apache.
• the path to the PERL interpreter is /usr/local/bin/perl

SMB (Samba): (docs: handbook; manpages; HOW-TO collection)

There are many ways to use Samba. Below are five different methods:

• Samba as a file server (share-level security)
• Samba as a file server (user-level security - with tdbsam)
• Samba as a Primary Domain Controller (with WINS and tdbsam)
• Samba as a member server (with WINS and winbind)
• Samba as a print server (with CUPS)

Samba has a web-based administration tool called SWAT. Note that SWAT will rewrite smb.conf, removing all comments and unnecessary settings. Do not open SWAT if you want to keep your smb.conf 'as is'. To install it:

1. vi /etc/inetd.conf
2. uncomment the line starting with swat stream tcp nowait/400
3. save the changes and exit the editor
4. restart inetd: /etc/rc.d/inetd reload

   SWAT will then be accessible at http://localhost:901/ (the root username and password are required)

   Note also that SWAT uses inetd. Enable it if necessary with the following:

   1. vi /etc/rc.conf
   2. add line to end (if not already present): inetd_enable="YES"

   To start inetd manually: /etc/rc.d/inetd start

Notes:

• The smb.conf manpage is a good source of help for the config file, type man smb.conf to see the it.
• Samba notices changes to its config file without being restarted, however this sometimes takes a minute or so.
• the syntax of smb.conf can be tested with the testparm command
• Samba logs are kept in /var/log/samba
• Samba can be restarted with /usr/local/etc/rc.d/samba restart
• if there are problems, in smb.conf, set the log level to 3 (don't forget to set it back later)
• see also: troubleshooting Samba
• when viewing Samba how-to's, ensure to allow for differences between your platform and Samba version, and those of the how-to
• if you get "X11BASE is now deprecated" when you 'make install', try this: echo X11BASE=\$\{LOCALBASE\} >> /etc/make.conf
• if you get "Bad autotool stanza: autoconf:262 autoheader:262" when you 'make install', try this:
  1. vi /usr/ports/net/samba3/Makefile
  2. change the USE_AUTOTOOLS= line to read USE_AUTOTOOLS= autoconf autoheader
  3. save and quit the editor
  4. retry the install

CUPS (and printserving with Samba): (docs: samba CUPS)

CUPS is not installed by default. Note that Samba should be installed before CUPS. Install CUPS as follows:

1. cd /usr/ports/print/cups
2. make install clean (this requires a live internet connection, and takes a while)
3. from the Ghostscript installer that appears, deselect every printer, then continue (we're using raw mode)
4. vi /usr/local/etc/cups/mime.types
5. uncomment line near end starting with application/octet-stream (in FreeBSD 6.1 this is uncommented by default)
6. save the file and quit the editor
7. vi /usr/local/etc/cups/mime.convs
8. uncomment line near end starting with application/octet-stream
9. save the file and quit the editor
10. vi /usr/local/etc/cups/cupsd.conf
11. comment out the line Listen localhost:631
12. add a line below: Port 631
13. change the Allow line in the <location /> section to suit the LAN, eg. Allow 192.168.0.*
14. change the Allow line in the <location /admin> section to suit your system, eg. IP.address.you.use
15. save the file and quit the editor

IP.address.you.use is the IP address of the computer you use to connect to the server.

The Samba/CUPS interface must then be configured:

1. vi /usr/local/etc/smb.conf
2. in the [global] section, uncomment printing=cups
3. in the [global] section, add a line immediately underneath the one previously edited: printcap name=cups
4. in the [printers] section, add public=yes
5. in the [printers] section, add use client driver=yes
6. in the [printers] section, add printer admin=root
7. in the [printers] section, set guest ok = yes
8. in the [printers] section, ensure browseable = yes
9. in the [printers] section, ensure writeable = yes
10. save the file and quit the editor

enable and run CUPS:

1. vi /etc/rc.conf
2. add a new line to the end: cupsd_enable="YES"
3. save the file and quit the editor
4. start the server: /usr/local/etc/rc.d/cupsd start

Then configure a printer:

1. access the web interface: https://yourserver:631/admin/ (does not require Apache installed)
2. click Administration
3. login (as either root some other user)
4. click Add Printer
5. enter a printer name (descriptive only - appears as sharename when browsing for a printer)
6. click Continue
7. select Parallel Port #1 (interrupt driven)
8. click Continue
9. enter the device name: parallel:/dev/lpt0
10. select raw
11. click Continue
12. select raw queue
13. click Continue

This done, Windows users will be able to browse for the printer and add it as usual to their systems. They will be prompted for drivers which they must install locally.

Note: the above notes assume the printer is connected directly to the server's parallel port. If the printer is connected via a printserver, substitute the protocol and device path above as appropriate, examples: lpd://192.168.0.90/p1 or lpd://yourprintserver/p2

Note: it may take a few minutes for the printer you have shared ("published") to become visible to client computers.

Note: if the server is being configured remotely with SSH, it's possible to create a tunnel to port 631, and then use a local web browser to connect, through the tunnel, to the CUPS control panel, using an address such as http://localhost:3000/ (where 3000 is the local port where the SSH tunnel terminates).

Note: the CUPS logfile, very useful for troubleshooting, can be found in /var/log/cups/

Note: the CUPS admin panel may autodetect network printers, if so it provides a wizard to add them to the CUPS configuration. However this wizard creates sharenames that are incompatible with/invisible to Windows 9x clients. Ensure to use short sharenames (11 characters or less) if Windows 9x clients are in use. The printer will need to be added manually in order to define a sharename.

Note: printing under unix is not straight-forward, and I'm not an expert. While this section works, in that Windows clients can print to the unix printer, this section leaves out certain things (ie. the ability to print from the server to the printer, and loading Windows drivers onto the server).

Issues? See troubleshooting printing with CUPS

POP/IMAP (Dovecot): (docs: Dovecot)

A POP server is not installed by default. I installed Dovecot from the ports collection (it supports IMAP as well):

1. cd /usr/ports/mail/dovecot
2. make install clean (this requires a live internet connection, and takes a while)
3. select any required options from the installation screen, then press OK (the defaults are acceptable for the configuration below)
4. cd /usr/local/etc
5. cp dovecot-example.conf dovecot.conf (in recent installs of Dovecot, this step does not seem necessary)
6. chmod 644 dovecot.conf
7. vi dovecot.conf
8. remove unneeded protocols from the protocols line
9. check that disable_plaintext_auth is set to no
10. if SSL is not in use, uncomment the ssl line and set it to no
11. check that mail_location is set to mbox:~/mail:INBOX=/var/mail/%u
12. save the changes and exit the editor
13. echo dovecot_enable=\"YES\" >> /etc/rc.conf
14. reboot and test

The server can be started manually with the command: dovecot

Note that SSL must be disabled if SSL certificates have not been generated.

SQL (MySQL): (docs: MySQL)

MySQL is not installed by default. How to install and configure it from the ports collection:

1. install MySQL (this requires a live internet connection, and takes a while):

   cd /usr/ports/databases/mysql50-server
   make install clean
   

2. configure the data directory:

   mkdir /data
   mkdir /data/db
   mkdir /data/db/mysql
   chown -R mysql /data/db/mysql/
   chgrp -R mysql /data/db/mysql/
   

   Note: the default directory MySQL uses is /var/db/mysql/ however it has been changed to /data/db/mysql/ in this example.
   Note: a MySQL user and group are required, however these are created automatically by the installer.

3. initialise the database server:

   /usr/local/bin/mysql_install_db -u mysql --datadir=/data/db
   

   Note: If a bunch of 'cannot find file' messages appear here, check the permissions on the data directory.

4. Enable MySQL to start on boot:

   echo mysql_enable=\"YES\" >> /etc/rc.conf
   echo mysql_dbdir=\"/data/db/mysql\" >> /etc/rc.conf
   

5. reboot and test:

   If there are problems, check the file server.err in the MySQL data directory for error messages (the actual name of the file will not be server.err, "server" is substituted for your machine's hostname). Don't skip the reboot - it can fix at least one transient post-install issue.

6. set root password:

   mysqladmin -u root password 'ROOT_PASSWORD'
   

7. grant administrative permissions:

   mysql -uroot -pROOT_PASSWORD -e"GRANT ALL PRIVILEGES ON *.* TO 'root'@'IP.address.you.use' IDENTIFIED BY 'ROOT_PASSWORD'"
   mysql -uroot -pROOT_PASSWORD -e"GRANT SHUTDOWN ON *.* TO 'root'@'IP.address.you.use' IDENTIFIED BY 'ROOT_PASSWORD'"
   

   IP.address.you.use is the IP address of the computer you use to connect to the server.

Notes:

• the file /etc/my.cnf can be used to fine-tune MySQL's performance
• MySQL must be running for the mysql and mysqladmin commands to work
• MySQL can be started manually like this: mysqld_safe -u mysql --datadir=/data/db/mysql &
• MySQL can be restarted manually like this: /usr/local/etc/rc.d/mysql-server restart
• To create a database, and allocate permissions to a user, use this syntax:

  mysqladmin -uroot -pROOT_PASSWORD -hlocalhost CREATE DATABASENAME
  mysql -uroot -pROOT_PASSWORD -e"GRANT ALL PRIVILEGES ON DATABASENAME.* TO 'USERNAME'@'localhost' IDENTIFIED BY 'SECRET_PASSWORD'"
  

  In the above commandlines, substitute ROOT_PASSWORD, DATABASENAME, USERNAME and SECRET_PASSWORD for the correct values for your environment.

• If you plan to use phpMyAdmin, ensure to install MySQL first.

User management

• docs: handbook
• Use the adduser command to add a user to the system; use rmuser to delete a user
• Use the vipw command to see/edit all users and their properties
• Use passwd username to change username's password
• Use chpass username to change username's account details
• edit /etc/group to change user group membership
• user login scripts are found in /usr/home/username/.profile (only if the user's shell is sh, however)
• user login script templates are found in /usr/share/skel

The packages collection

Installing software from the packages collection is done as follows:

1. go into sysinstall
2. select 'Configure' from the main menu
3. select Packages
4. insert disc 1 of the FreeBSD distribution set
5. select CD/DVD (or use FTP, if a CD is inconvenient, but an internet connection is available)
6. browse the collection
7. select the desired package(s)
8. choose Install
9. exit sysinstall

The ports collection (docs: handbook)

• If the ports collection is not installed, software from it cannot be installed, including Apache, PHP, Samba and Dovecot. It's recommended to install the full ports collection during installation.
• To install the ports collection after FreeBSD has been installed: Sysinstall / Configure / Distributions / ports collection
• To update the ports collection, use portsnap
• To list installed ports or packages, use pkg_info
• To list installed ports or packages, including whether they need to be updated, use pkg_version -v
• To uninstall either ports or packages, use pkg_delete portname
• To uninstall either ports or packages and their dependencies, use pkg_delete -r portname
• fun with make:
  • make deinstall - to remove a port
  • make config - to reconfigure port options (and then make install clean)
  • make rmconfig - to remove user-specified options (?)
  • make showconfig - to show which options are available (same as listing the options file, with descriptions)
  • make -I /usr/ports/net/samba3 showconfig (same as above, without having to CD first, using Samba as an example)

scripting

• schedule tasks with cron
• the default shell for users is sh, which is a Bourne-compatible shell based on ash (docs: handbook; manpage; Wiki) - however, the default shell for root is csh.
• before a shell script can be run it must be made executable, eg. chmod 744 script.sh
• a shell script will only execute if the full path to the script is supplied eg. /usr/home/username/script.sh
• to create a 0-byte (empty) file, use touch newfile.txt
• to empty an existing file (eg. delete all the data but not the file), use cat /dev/null > empty.txt
• to append to an existing file, use echo text >> file.txt (this will add the word text to the end of file.txt)
• variable names in shell scripts are case-sensitive