install and configure apache + mysql on freeBSD

A. Apache Web Server

I assume you have installed openssl. If not yet, see my previous post about openssl.

1. Install

tsuweg# cd /usr/ports/www/apache22

tsuweg# make install ; make install clean

2. Configure

tsuweg#  ee /usr/local/etc/apache22/httpd.conf

in line 138 it should be ServerAdmin you@example.com. change wiyh your email address.

In line 147 it should be ServerName host.example.com:80. Uncomment it and change with your host

In line 449 it should be Include etc/apache22/extra/httpd-ssl.conf, uncomment it to support SSL

save it

tsuweg# ee /usr/local/etc/apache22/extra/httpd-ssl.conf

in line 78 and 79, it describes servername and and person that maintain it.

in line 99,  change it into your ssl certificate path.This is my path: SSLCertificateFile “/usr/local/openssl/certs/tsuweg-cert.pem”

in line 107, change  into your ssl-key path, This is my path : SSLCertificateKeyFile “/usr/local/openssl/certs/tsuweg-unencrypted-key.pem”

save and exit

3. Testing

tsuweg# apachectl configtest

if your syntax correct,it will appear syntax OK

tsuweg# ee /etc/rc.conf

add :

apache22_enable=”YES”

apache22_http_accept_enable=”YES”

save and exit

tsuweg# /usr/local/etc/rc.d/apache22 start

tsuweg#  openssl s_client -connect localhost:443

 

B. Mysql

1. Install

i assume mysql is located in /usr/web.It’s depend on you.

tsuweg# cd /usr/web

tsuweg# tar -xzvf mysql-5.0.77.tar.gz

tsuweg# cd mysql-5.0.77

tsuweg# ./configure –prefix=/usr/local/mysql –without-debug –with-extra-charsets=none –enable-local-infile –enable-assembler

tsuweg# make

tsuweg# make install

 

2. Configure

tsuweg# ./scripts/mysql_install_db

tsuweg# cp /usr/local/mysql/share/mysql/my-medium.cnf /etc/my.cnf

tsuweg# /usr/local/mysql/bin/mysqld_safe –user=root &

tsuweg# ee /usr/local/etc/rc.d/mysql.sh

/usr/local/mysql/bin/mysqld_safe –user=root &

save and exit

chmod 700 /usr/local/mysql/bin/mysqld_safe –user=root &

tsuweg# /usr/local/mysql/bin/mysqladmin -u root password yourpassword

tsuweg# /usr/local/mysql/bin/mysqladmin -u root -h host.example.com password yourremotepassword

tsuweg# ee /etc/rc.conf

mysql_enable=”YES”

 

source :

http://dev.mysql.com/doc/refman/5.1/en/installing-source-distribution.html

http://cipitunk.blog.friendster.com/2006/10/cara-mudah-install-apachephpmysql-di-freebsd-61from-source/

Hong,Bryan J..Building A Server with freeBSD 7

 

Install and Configuration OpenSSH in FreeBSD

SSH is a secure version of telnet. It’a a protocol used to access the console or command line for remote system.

1. Installation

tsuweg# cd /usr/ports/security/openssh-portable

tsuweg# make config ; make install clean

2.  Configure

tsuweg# cp /etc/make.conf /etc/make.conf.old

tsuweg#  echo “NO_OPENSSH = YES” >> /etc/make.conf

tsuweg# cd /etc/ssh/

tsuweg# cp sshd_config sshd_config.old

tsuweg# cp sshd_config-dist ssh_config

tsuweg# /etc/rc.d/sshd restart
Stopping sshd.
Starting sshd.

tsuweg#ee /etc/rc.conf

add command :  sshd_enable=”YES”

this command is used to start ssh automatically

3. Testing

tsuweg# telnet localhost 22
Trying 127.0.0.1…
Connected to localhost.
Escape character is ‘^]’.
SSH-2.0-OpenSSH_5.1p1 FreeBSD-openssh-portable-overwrite-base-5.1.p1,1

press enter to quit. You should now be able to connect with any SSH-capable client and any valid user account other than root.

Source :  Hong,Bryan J.Building a server with FreeBSD 7.

OpenSSL on FreeBSD

OpenSSL is an open source toolkit and cryptographic library that implements the SSL and TLS protocols. OpenSSL provides Cryptographic tools for securing network connections.

1. Install OpenSSL

  • tsuweg# cd /usr/ports/security/openssl
  • tsuweg# cp Makefile Makefile.old
  • tsuweg# echo EXTRACONFIGURE +=no-idea >> Makefile
  • tsuweg# make install clean
  • tsuweg# rehash

 

2. Configure

  • tsuweg# cp /etc/make.conf /etc/make.conf.old
  • tsuweg# echo “WITH_OPENSSL_PORT=YES” >> /etc/make.conf
  • tsuweg# mv /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf.old
  • tsuweg# cd /usr/local/openssl
  • tsuweg# cp openssl.cnf.sample openssl.cnf

now,test open ssl by type command below :

  • tsuweg# openssl

 

3.  Create Certificate Request for CA Submission

A.  Generate Request

We will use CA.pl script included with OPENSSL to create certificate request.

  • tsuweg# cd /usr/local/openssl
  • tsuweg# cp misc/CA.pl certs

Run the script to create certificate request

  • tsuweg# cd /usr/local/openssl/certs
  • tsuweg# setenv OPENSSL /usr/local/bin/openssl
  • tsuweg# ./CA.pl -newreq

fill passprase, country,province. After fill an email, just enter twice.

Running CA.pl indirectly create a file named newkey.pem. next step :

  • tsuweg# cp newkey.pem tsuweg-encrypted-key.pem

We will also get new file named newreq.pem that contains certificate request. next :

  • tsuweg# cp newreq.pem tsuweg-req.pem

file tsuweg-encrypted-key.pem is encrypted with the password.If this file is going to be used on an unattended server, it may be a good idea to decrypt the file so that daemons are able to load it without user intervention. To remove the encryption and make the unencrypted file readable only to root, use the following commands :

  • tsuweg# openssl rsa -in tsuweg-encrypted-key.pem\
  • ? -out tsuweg-unencrypted-key.pem
  • tsuweg# chmod 400 tsuweg-unencrypted-key.pem

 

B.  Create A Self-Signed SSL Certificate

1. Command below will create self certificate for about 3 years

  • tsuweg# cd /usr/local/openssl
  • tsuweg# cp misc/CA.pl certs
  • tsuweg# sed -I .old ‘s/365/1095/’ openssl.cnf

2. Run the script

  • tsuweg# cd /usr/local/openssl/certs
  • tsuweg# setenv OPENSSL /usr/local/bin/openssl
  • tsuweg# ./CA.pl -newca

The first prompt will asked about certificate name. Juste type enter. Next, fill the passphrase and remember it. After entering email address,just type enter twice.

3. Generate certificate request

  • tsuweg# ./CA.pl -newreq

fill pasphrase same one you used earlier. After fill email address, just type enter twice

4. Create the signed certificate from the request and certificate authority files.

  • tsuweg# ./CA.pl -signreq

Enter the password that used earlier. Answer yes twice.

  • tsuweg# cp newcert.pem tsuweg-cert.pem
  • tsuweg# cp newkey.pem tsuweg-encrypted-key.pem
  • tsuweg# cp demoCA/cacert.pem ./tsuweg-CAcert.pem
  • tsuweg# cp demoCA/private/cakey.pem ./tsuweg-encrypted-CAkey.pem

If this file is going to be used on an unattended server, it may be a good idea to decrypt this file so that daemons are able to load it without user intervention.To remove the encryption and make the unencrypted file readable only to root, use this command .

  • tsuweg# openssl rsa -in tsuweg-encrypted-key.pem \
  • ? -out tsuweg-unencrypted-key.pem
  • tsuweg# chmod 400 tsuweg-unencrypted-key.pem

5. convert  PEM (Privacy Enhanced Mail) text based certificate to the DER format.

  • tsuweg# openssl x509 -in tsuweg-CAcert.pem -inform PEM \
  • ? -out tsuweg-CAcert.cer -outform DER

 

 

Source :  Hong,Bryan J.Building a server with FreeBSD 7.

Remote FreeBSD via Putty : Setting SSHD

This is step by step to setting SSHd so you can access root in freeBSD via putty :

1. ee  /etc /ssh/sshd_config

2. uncomment PermitRootLogin(it should be in line 47) and change it into yes

3. save that configuration

4.  /etc/rc.d/sshd restart  or reboot your machine

5. try to remote your machine via putty and enjoy it

forget root password in freeBSD

here step by step if you forgetting root password in freeBSD :

1. Login using single user mode

2. When following comment exist :

Enter full pathname of shell or RETURN for /bin/sh:

type ok

3. #fsck -y

4. #mount -u ufs -a

5. #passwd

type a new password

6. #exit

Mounting USB Flash Disk In Slackware

First,check your device
you can check with this command
root@racolo:/mnt/data# dmesg

sd 4:0:0:0: [sdb] 7856128 512-byte hardware sectors (4022 MB)
sd 4:0:0:0: [sdb] Write Protect is off
sd 4:0:0:0: [sdb] Mode Sense: 23 00 00 00
sd 4:0:0:0: [sdb] Assuming drive cache: write through
sdb: sdb1

usb flash disk located in sdb1

Second, make dir in /mnt :
root@racolo:/#mkdir /mnt/usb

Third, mounting your device :
root@racolo:/#mount /dev/sdb1 /mnt/usb

Fourth,goto /mnt/usb :
root@racolo:/#cd /mnt/usb
and you can see files in your usb flashdisk

Basic Linux Security

In this configuration, I used slackware 12.2. I practice this configuration from http://alko.web.id/blog/tag/slackware. So, this is the configuration:

turned of ip forwarding
root@racolo:/# echo “0” > /proc/sys/net/ipv4/ip_forward

drop ping packets
root@racolo:/# echo “1” > /proc/sys/net/ipv4/icmp_echo_ignore_all

ignore broadcast ping. prevent from smurfing attacks.
root@racolo:/# echo “1” > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

Disable source route packets
root@racolo:/home/tsuweg# echo “0” > /proc/sys/net/ipv4/conf/all/accept_source_route

Disable redirect acceptance
root@racolo:/home/tsuweg# echo “0” > /proc/sys/net/ipv4/conf/all/accept_redirects

protect against bad error messages
root@racolo:/home/tsuweg# echo “1” > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

enable reverse path filtering
root@racolo:/home/tsuweg# for i in /proc/sys/net/ipv4/conf/*; do /bin/echo “1” > $i/rp_filter; done

log all spoof routed and redirect packet
root@racolo:/home/tsuweg# echo “1” > /proc/sys/net/ipv4/conf/all/log_martians

But after reboot the configuration are reset, so we must edit sysctl in /etc/sysctl.conf
net.ipv4.ip_forward = 0

source : http://alko.web.id/blog/tag/slackware