FreeBSD

From ConShell


Ports & Packages

Port security

portaudit

This is a great package auditor which tells you when software you have installed has been identified as vulnerable or exploitable.

 pkg_add -r portaudit
 portaudit -A

Creating new vuxml entries

portaudit relies on the vuxml database to identify vulnerable software. The vuxml port (security/vuxml) is where these entries are tracked. See http://www.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/security-notify.html

Beginners may want to try the VUXML wizard.

Adding a new vulnerability to the database involves the following steps. Make sure your sources are up-to-date (see below).

cd /usr/ports/security/vuxml
cp vuln.xml vuln.xml.old
make newentry

This opens your editor with the vuxml file loaded and a blank (skeleton) entry near the top.

 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
   <vuln vid="3dbc7f9f-be26-11dc-b3e8-000c291c2ba7">
     <topic> -- </topic>
     <affects>
       <package>
         <name></name>
         <range><lt></lt></range>
       </package>
     </affects>
     <description>
       <body xmlns="http://www.w3.org/1999/xhtml">
         <p>SO-AND-SO reports:</p>
         <blockquote cite="INSERT URL HERE">
           <p>.</p>
         </blockquote>
       </body>
     </description>
     <references>
     </references>
     <dates>
       <discovery>2008-01-FIXME</discovery>
       <entry>2008-01-08</entry>
     </dates>
   </vuln>
   <!-- the existing entries follow, then the closing root tag -->
 </vuxml>

Then edit the entry to fill in the blanks, so to speak. This step-by-step example is based on the MaraDNS DoS vulnerability reported 2008-01-08.

<topic>MaraDNS -- Denial of Service Vulnerability</topic>

Use the topic style of portname -- reason

    <affects>
      <package>
        <name>maradns</name>
        <range><lt>1.2.12.08</lt></range>
        <range><lt>1.0.41</lt></range>
      </package>
    </affects>

Specify the package name (as found below /usr/ports/category/) and the version(s) that fix the problem, inside <lt> tags (lt stands for less-than, i.e. every version below the fixed one is affected). Variations include <le> for less-than-or-equal-to and <ge> for greater-than-or-equal-to. Use multiple <range></range> containers when necessary, e.g. one per affected release branch.

     <description>
       <body xmlns="http://www.w3.org/1999/xhtml">
         <p>MaraDNS reports:</p>
         <blockquote cite="http://maradns.blogspot.com/2007/08/maradns-update-all-versions.html" >
           <p>
 The good news is that it only took me about 15 minutes to find and reproduce the bug
  that was causing the improper resource record rotation. The bad news is that the bug
  that causes the rotation is one that enables a remote denial of service.
 </p>
         </blockquote>
       </body>
     </description>

Enter a paraphrased or quoted description from the announcement. If possible, include the source URL in the cite= attribute of the blockquote.

   <references>
     <cvename>CVE-2008-0061</cvename>
     <url>http://maradns.blogspot.com/2007/08/maradns-update-all-versions.html</url>
   </references>

Add any references. CVE references should be contained in <cvename></cvename>. Other URLs go inside <url></url>.

    <dates>
      <discovery>2008-01-08</discovery>
      <entry>2008-01-08</entry>
    </dates>

Fix up the discovery date - use today's date!

Validate the XML syntax

make validate
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.

Now generate a patch file using diff and submit using send-pr(1).

diff -u vuln.xml.old vuln.xml > vuln.xml.patch1
send-pr -a vuln.xml.patch1

For the PR, add Cc: security-team@FreeBSD.org and Cc: maintainer@freebsd.org, choose Category: ports, and use the Subject: vuxml update for security vulnerability: ports:portname.
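To see what portaudit does with the <range> bounds described above, and to catch skeleton leftovers that make validate (a DTD check) cannot see, here is an added example in Python. It is not portaudit's or the vuxml port's own code; the sample XML is constructed from the MaraDNS entry on this page, and the simplified dotted-numeric version ordering is an assumption (real pkg_version(1) ordering is richer).

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://www.vuxml.org/apps/vuxml-1}"
# Constructed sample: the MaraDNS entry from this page, wrapped in a vuxml root.
SAMPLE = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="3dbc7f9f-be26-11dc-b3e8-000c291c2ba7">
    <topic>MaraDNS -- Denial of Service Vulnerability</topic>
    <affects><package><name>maradns</name>
      <range><lt>1.2.12.08</lt></range><range><lt>1.0.41</lt></range>
    </package></affects>
    <references><cvename>CVE-2008-0061</cvename></references>
    <dates><discovery>2008-01-08</discovery><entry>2008-01-08</entry></dates>
  </vuln>
</vuxml>"""
CMP = {"lt": lambda a, b: a < b, "le": lambda a, b: a <= b,
       "gt": lambda a, b: a > b, "ge": lambda a, b: a >= b}

def vkey(v):
    # Assumption: dotted numeric versions only; pkg_version(1) ordering is richer.
    return tuple(int(p) for p in re.findall(r"\d+", v))

def in_range(rng, version):
    # Every bound inside one <range> must hold together (e.g. <ge>...<lt>).
    return all(CMP[b.tag[len(NS):]](vkey(version), vkey(b.text or "")) for b in rng)

def affected(vuxml_text, pkgname, version):
    """Return vids of entries whose ranges cover pkgname-version (portaudit's question)."""
    hits = []
    for vuln in ET.fromstring(vuxml_text).iter(NS + "vuln"):
        for pkg in vuln.iter(NS + "package"):
            if pkg.findtext(NS + "name") != pkgname:
                continue
            # Separate <range> elements are alternatives: any single match counts.
            if any(in_range(r, version) for r in pkg.findall(NS + "range")):
                hits.append(vuln.get("vid"))
    return hits

def lint_entry(vuxml_text):
    """Flag skeleton leftovers that a DTD validation pass will happily accept."""
    problems = []
    for vuln in ET.fromstring(vuxml_text).iter(NS + "vuln"):
        vid = vuln.get("vid")
        if vuln.findtext(NS + "topic", "").strip() in ("", "--"):
            problems.append(f"{vid}: topic still reads like the skeleton")
        if "FIXME" in "".join(vuln.itertext()):
            problems.append(f"{vid}: FIXME left in the entry")
        for c in vuln.iter(NS + "cvename"):
            if not re.fullmatch(r"CVE-\d{4}-\d{4,}", c.text or ""):
                problems.append(f"{vid}: malformed cvename {c.text!r}")
    return problems
```

Run lint_entry over vuln.xml before make validate; affected() mirrors the question portaudit -a asks for each installed package.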

Installing & updating ports

Keeping the ports and src trees updated

You can use cvsup(1) (on 5.x and earlier) or csup(1) (6.x and later) to keep the /usr/src and /usr/ports trees in sync with the master FreeBSD sites. Here is what I use for /etc/supfile


*default host=cvsup4.us.freebsd.org
*default base=/usr
*default prefix=/usr
*default release=cvs delete use-rel-suffix compress
src-all tag=RELENG_6_3
ports-all tag=.

Typically you replace RELENG_6_3 with RELENG_7_0 or similar. Use *default host=cvsup4.us.freebsd.org (freebsd.isc.org) for a server in or near California USA, or cvsup7.us.freebsd.org for the Pacific NW USA. Servers on the US east coast should probably use cvsup8.us.freebsd.org, which is in Buffalo NY. Or try the fastest_cvsup port to find the closest/fastest server for your location.

csup Incantation:

csup /etc/supfile

cvsup Incantation:

cvsup -g -L2 /etc/supfile


portmaster

Written by Doug Barton, portmaster is a shell script that handles port updates in a similar fashion as portupgrade but without so many dependencies (e.g. ruby).

# portmaster -p security/clamav

Another incantation lets you update all your ports in one fell swoop.

# portmaster -a -i

pkg_add

pkg_add -r is awfully handy for installing a remote package, but how does one tell pkg_add what site to use? Enter the PACKAGESITE environment variable. Here's an example.

 setenv PACKAGESITE ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-6-stable/Latest/

Drop that into /etc/csh.cshrc to make the change apply system-wide.


Other ftp PACKAGESITE candidates.

Note that pointing to Latest/ gets you to the generically-named packages, while the packages in All/ use the full pkgname-version.t[bg]z syntax.


See http://ezine.daemonnews.org/200412/freebsd_apps.html

Tell pkg_add to use passive mode for ftp transfers (applies to fetch also)

 setenv FTP_PASSIVE_MODE 1

Note that passive mode became the default a while ago, so this is probably not necessary.

pkg_version

Use pkg_version to grok the installed ports that are in need of an upgrade.

 pkg_version -l '<'

This will show which ports could be upgraded. Some prefer to use portupgrade (http://www.freshports.org/sysutils/portupgrade/). I myself prefer portmaster (see above).

creating packages

Building ports is fine for solitary systems, but what about when you have a multitude of FreeBSD 6.2 boxes that need a particular port? Build a package!

First though, mkdir -p /usr/ports/packages/All so that all the built packages end up in a central location.

cd /usr/ports/net-mgmt/net-snmp
make package-recursive

Misc. Tips

Using gmirror for RAID

See this article for a great explanation of how to set this up.

For a recovery situation (when a disk fails), see this article.

make world (build & install world)

After your sources are updated, the sequence for upgrading world is:

  1. make buildworld
  2. make buildkernel
  3. make installkernel
  4. reboot (use boot -s to go into single-user mode)
  5. mergemaster -p
  6. make installworld
  7. mergemaster -U
  8. reboot

I tend to automate #1 and #2 via myupdate.

Install 4.11 RELEASE under vmware-server using floppies and FTP

Go to ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/old-releases/i386/floppies/

Save kern.flp and mfsroot.flp to your /var/vm/VMNAME/ folder (creating it with mkdir if necessary).

Using vmware-server-console, create a new VMNAME with 8GB disk using IDE drives. Attach kern.flp to the floppy drive. Boot, and when prompted reassign mfsroot.flp to the floppy and press enter. Partition the disk (see article above). When prompted for source, choose FTP site and specify the following:

ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/old-releases/i386


log connections to closed ports, watch for port scanning and stuff

 sysctl -w net.inet.tcp.log_in_vain=1
 sysctl -w net.inet.udp.log_in_vain=1
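With log_in_vain on, the kernel logs one syslog line per attempt to a closed port, so a port scan shows up as one source hitting many distinct ports on a host. The following is an added example (not from this page) that parses such lines and reports sources that probed several closed ports; the log lines are constructed to match the kernel's "Connection attempt to TCP/UDP ..." format, and the min_ports threshold is an assumed tuning knob.

```python
import re
from collections import defaultdict

# Constructed sample of what tcp.log_in_vain / udp.log_in_vain write to syslog,
# with one unrelated sshd line mixed in to show that it is ignored.
SAMPLE_LOG = """\
Jan  8 10:15:01 host1 kernel: Connection attempt to TCP 192.168.1.12:22 from 192.168.1.7:51234 flags:0x02
Jan  8 10:15:01 host1 kernel: Connection attempt to TCP 192.168.1.12:23 from 192.168.1.7:51235 flags:0x02
Jan  8 10:15:01 host1 kernel: Connection attempt to TCP 192.168.1.12:80 from 192.168.1.7:51236 flags:0x02
Jan  8 10:15:02 host1 kernel: Connection attempt to TCP 192.168.1.12:443 from 192.168.1.7:51237 flags:0x02
Jan  8 10:15:02 host1 kernel: Connection attempt to UDP 192.168.1.12:161 from 192.168.1.7:40001
Jan  8 10:20:17 host1 kernel: Connection attempt to TCP 192.168.1.12:25 from 10.0.0.5:34567 flags:0x02
Jan  8 10:21:00 host1 sshd[1234]: Accepted publickey for alice from 10.0.0.9 port 50000 ssh2
"""

LINE_RE = re.compile(r"Connection attempt to (TCP|UDP) (\S+):(\d+) from (\S+):(\d+)")

def parse_in_vain(text):
    """Yield (proto, dst_ip, dst_port, src_ip) for each log_in_vain line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3)), m.group(4)

def scan_suspects(text, min_ports=3):
    """Map (src_ip, dst_ip) to the sorted closed ports probed, for sources that
    touched at least min_ports distinct (proto, port) pairs on one host."""
    probed = defaultdict(set)
    for proto, dst, port, src in parse_in_vain(text):
        probed[(src, dst)].add((proto, port))
    return {key: sorted(p) for key, p in probed.items() if len(p) >= min_ports}
```

Feed it /var/log/messages (or the file you point syslog at) from a cron job, and remember that a single SYN to a closed port is also what a legitimate but misconfigured client produces, hence the threshold.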

How to add an ip alias address on FreeBSD

 host1# ifconfig fxp0 alias 192.168.1.12 netmask 0xffffffff
 # 0xffffffff is the same as netmask 255.255.255.255; use that netmask when the
 # alias is on the same network as an existing ip on the device

How to remove an alias address on FreeBSD

 host1# ifconfig fxp0 -alias 192.168.1.12

Periodic scripts

Control these with /etc/periodic.conf to suppress the email output and log to files instead.

 cp /etc/defaults/periodic.conf /etc/periodic.conf
 # change daily_output="root" to daily_output="/var/log/daily.log" and so on.

But on older systems (3.4 etc) there is no mention of periodic.conf, so just tweak /etc/crontab like so (the file redirection must come before 2>&1, otherwise stderr still goes out as cron mail)...

 59      1       *       *       *       root    periodic daily >>/var/log/daily.log 2>&1
 30      3       *       *       6       root    periodic weekly >>/var/log/weekly.log 2>&1
 30      5       1       *       *       root    periodic monthly >>/var/log/monthly.log 2>&1

Using pw(8) for user account administration

Use the pw(8) utility to remove users instead of rmuser.

This command will remove the user from /etc/passwd, /etc/master.passwd and /etc/group

 pw userdel username 

Same as above, but also removes the user's home directory

 pw -r userdel username

Expire a user account using pw(8) on FreeBSD

 pw usermod -n username -e 10-10-2001

Unexpire a user account using pw(8) on FreeBSD

 pw usermod -n username -e 

Quickly show what services are enabled via inetd

 grep -v '^#' /etc/inetd.conf