FreeBSD
Keep your system updated
FreeBSD is fundamentally divided into the "base" (aka world) and "ports", so keeping the ENTIRE system updated means dealing with both of them.
freebsd-update
This utility keeps your base system updated using binary updates. In a nutshell...
sudo freebsd-update fetch
sudo freebsd-update install
sudo reboot
If you're running 9.2-RELEASE it will keep you on that release's patch levels (-p1, -p2 and so on). To jump to a newer major release, specify it with -r X.Y-RELEASE:
sudo freebsd-update -r 10.2-RELEASE upgrade
For more details see the handbook @ https://www.freebsd.org/doc/handbook/updating-upgrading-freebsdupdate.html
pkg
sudo pkg install packagename
sudo pkg upgrade [packagename]
Without argument, upgrade will attempt to upgrade all currently-installed packages.
portsnap
This is a fairly simple two-step process to keep the ports tree updated:
sudo portsnap fetch
sudo portsnap update
Once your ports tree is synced up you can use utilities like portmaster and portaudit to check and fix the outdated ports you have installed.
portaudit
This is a great package auditor which will tell you which software ports installed on your local system have been identified as vulnerable or exploitable.
sudo pkg_add -r portaudit
sudo portaudit -Fa
However, portaudit is being replaced by pkg-audit (http://www.freebsd.org/cgi/man.cgi?query=pkg-audit&format=html). Also, portaudit won't help you identify vulnerabilities in the base system; for that you'll want to subscribe to the security mailing list and run freebsd-update regularly.
portmaster
Written by Doug Barton, portmaster is a shell script that handles port updates in a similar fashion as portupgrade but without so many dependencies (e.g. ruby).
# portmaster -p security/clamav
Another incantation lets you update all your ports in one fell swoop.
# portmaster -a
There are many other options so read the man page: [1]
Other Tips
creating packages
Building ports is fine for solitary systems, but what about when you have a multitude of FreeBSD systems that need a particular port? Time to build a package!
First create the folder where the packages will land.
mkdir -p /usr/ports/packages/All
Next, choose a package to build. The following will do that and also build packages for all of its dependencies.
cd /usr/ports/net-mgmt/net-snmp
make package-recursive
Distributing the packages is another matter, but something like NFS would suffice.
Creating new vuxml entries
portaudit relies on a vuxml database to parse vulnerable software. The vuxml port (security/vuxml) is where these entries are tracked. See http://www.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/security-notify.html
Beginners may want to try the VUXML wizard.
Adding a new vulnerability to the database involves the following steps. Make sure your sources are up-to-date (see below).
cd /usr/ports/security/vuxml
cp vuln.xml vuln.xml.old
make newentry
This will open your editor with the vuxml file loaded and a blank (skeleton) entry towards the top:
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="3dbc7f9f-be26-11dc-b3e8-000c291c2ba7">
    <topic> -- </topic>
    <affects>
      <package>
        <name></name>
        <range><lt></lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>SO-AND-SO reports:</p>
        <blockquote cite="INSERT URL HERE">
          <p>.</p>
        </blockquote>
      </body>
    </description>
    <references>
    </references>
    <dates>
      <discovery>2008-01-FIXME</discovery>
      <entry>2008-01-08</entry>
    </dates>
  </vuln>
Then you can edit the entry to fill in the blanks, so to speak. This step-by-step example is based on the MaraDNS DoS vulnerability reported 2008-01-08.
<topic>MaraDNS -- Denial of Service Vulnerability</topic>
Use the topic style of portname -- reason
<affects>
  <package>
    <name>maradns</name>
    <range><lt>1.2.12.08</lt></range>
    <range><lt>1.0.41</lt></range>
  </package>
</affects>
Specify the package name (as found below /usr/ports/category/) and the version(s) that fix the problem, inside lt tags (less-than): every version below the fixed one is marked affected. Variations include le (less-than-or-equal-to) and ge (greater-than-or-equal-to). Use multiple <range></range> containers when necessary.
<description>
  <body xmlns="http://www.w3.org/1999/xhtml">
    <p>MaraDNS reports:</p>
    <blockquote cite="http://maradns.blogspot.com/2007/08/maradns-update-all-versions.html">
      <p>
        The good news is that it only took me about 15 minutes to find and
        reproduce the bug that was causing the improper resource record
        rotation. The bad news is that the bug that causes the rotation is
        one that enables a remote denial of service.
      </p>
    </blockquote>
  </body>
</description>
Enter a paraphrased or quoted description from the announcement. If possible, include the source URL in the cite attribute.
<references>
  <cvename>CVE-2008-0061</cvename>
  <url>http://maradns.blogspot.com/2007/08/maradns-update-all-versions.html</url>
</references>
Add any references. CVE references should be contained in a <cvename></cvename>. Other URLs can be put inside <url></url>.
<dates>
  <discovery>2008-01-08</discovery>
  <entry>2008-01-08</entry>
</dates>
Fix up the discovery date - use today's date!
Validate the XML syntax
make validate
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Now generate a patch file using diff and submit using send-pr(1).
diff -u vuln.xml.old vuln.xml > vuln.xml.patch1
send-pr -a vuln.xml.patch1
For the PR, add Cc: security-team@FreeBSD.org and Cc: maintainer@freebsd.org, choose Category: ports and Subject: vuxml update for security vulnerability: ports:portname.
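To see how the ranges you just wrote get consumed, here is an added example (not part of this page or of the portaudit/pkg-audit tools) that parses the MaraDNS entry above and reports whether a given installed version falls inside any of its <range> containers. The sample document is constructed from the entry in the walkthrough; the version comparator is a deliberately simplified stand-in for pkg_version(1)'s rules.

```python
import xml.etree.ElementTree as ET

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}

# Constructed sample: the MaraDNS entry from the walkthrough above, with the
# package and range data exactly as written there.
VULN_XML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
<vuln vid="3dbc7f9f-be26-11dc-b3e8-000c291c2ba7">
<topic>MaraDNS -- Denial of Service Vulnerability</topic>
<affects><package><name>maradns</name>
<range><lt>1.2.12.08</lt></range>
<range><lt>1.0.41</lt></range>
</package></affects>
<references><cvename>CVE-2008-0061</cvename></references>
</vuln></vuxml>"""

def version_key(v):
    """Simplified ordering: dotted numeric components compared left to right,
    padded with zeros so that 1.2 == 1.2.0. pkg_version(1) also understands
    letter and _/, suffixes, which this toy comparator does not (assumption)."""
    parts = [int(p) for p in v.split(".")]
    return parts + [0] * (8 - len(parts))

BOUNDS = {"lt": lambda a, b: a < b, "le": lambda a, b: a <= b,
          "gt": lambda a, b: a > b, "ge": lambda a, b: a >= b}

def in_range(rng, ver):
    """A <range> matches when every bound element it contains holds for ver."""
    k = version_key(ver)
    return all(BOUNDS[b.tag.split("}")[1]](k, version_key(b.text.strip()))
               for b in rng)

def affected_entries(xml_text, pkgname, ver):
    """Return (vid, topic, [cvenames]) for each <vuln> whose <affects> lists
    pkgname with at least one <range> that matches ver."""
    hits = []
    for vuln in ET.fromstring(xml_text).findall("v:vuln", NS):
        for pkg in vuln.findall("v:affects/v:package", NS):
            if pkg.findtext("v:name", namespaces=NS) != pkgname:
                continue
            if any(in_range(r, ver) for r in pkg.findall("v:range", NS)):
                cves = [c.text for c in vuln.findall("v:references/v:cvename", NS)]
                hits.append((vuln.get("vid"), vuln.findtext("v:topic", namespaces=NS), cves))
                break
    return hits

if __name__ == "__main__":
    for v in ("1.0.40", "1.0.41", "1.2.12.07", "1.2.12.08"):
        print(v, affected_entries(VULN_XML, "maradns", v))
```

Note that a <range> holding only an <lt> bound matches every earlier version, so 1.0.41 is still flagged here by the first range; pairing <lt> with a <ge> lower bound is how you scope a range to one release branch.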
make world (build & install world)
(Caution: this is not the preferred way, use freebsd-update method above unless you have a good reason).
After your sources are updated, the sequence for upgrading world is:
- make buildworld
- make buildkernel
- make installkernel
- reboot (use boot -s to boot into single-user mode)
- mergemaster -p
- make installworld
- mergemaster -U
- reboot
Using gmirror for RAID
See this article for a great explanation of how to set this up.
For a recovery situation (when a disk fails), see this article.
Install 4.11 RELEASE under vmware-server using floppies and FTP
Go to ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/old-releases/i386/floppies/
Save kern.flp and mfsroot.flp to your /var/vm/VMNAME/ folder (create it with mkdir if necessary).
Using vmware-server-console, create a new VMNAME with 8GB disk using IDE drives. Attach kern.flp to the floppy drive. Boot, and when prompted reassign mfsroot.flp to the floppy and press enter. Partition the disk (see article above). When prompted for source, choose FTP site and specify the following:
ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/old-releases/i386
log connections to closed ports, watch for port scanning and stuff
sysctl -w net.inet.tcp.log_in_vain=1
sysctl -w net.inet.udp.log_in_vain=1
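Once log_in_vain is on, the kernel logs one line per attempt to a closed port, which is the raw material for spotting a scan. This added example (not from the original page) parses constructed sample lines in the shape of those kernel messages and flags sources that touched many distinct closed ports; the log format and the min_ports threshold are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines shaped like the kernel's log_in_vain messages
# (syslog prefix + "Connection attempt to TCP|UDP dst:port from src:port").
SAMPLE_LOG = """\
Jan  8 10:15:01 host kernel: Connection attempt to TCP 192.0.2.10:23 from 198.51.100.7:41002 flags:0x02
Jan  8 10:15:01 host kernel: Connection attempt to TCP 192.0.2.10:25 from 198.51.100.7:41003 flags:0x02
Jan  8 10:15:02 host kernel: Connection attempt to TCP 192.0.2.10:110 from 198.51.100.7:41004 flags:0x02
Jan  8 10:15:02 host kernel: Connection attempt to UDP 192.0.2.10:161 from 198.51.100.7:41005
Jan  8 10:15:02 host kernel: Connection attempt to TCP 192.0.2.10:443 from 198.51.100.7:41006 flags:0x02
Jan  8 10:17:40 host kernel: Connection attempt to TCP 192.0.2.10:22 from 203.0.113.9:55000 flags:0x02
Jan  8 10:18:00 host sshd[123]: Accepted publickey for alice from 203.0.113.9 port 55001
"""

LINE_RE = re.compile(
    r"Connection attempt to (?P<proto>TCP|UDP) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"from (?P<src>[\d.]+):(?P<sport>\d+)")

def parse_in_vain(text):
    """Yield (proto, src, dst, dport) for each log_in_vain line; unrelated
    syslog lines (sshd etc.) are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["proto"], m["src"], m["dst"], int(m["dport"])

def suspected_scanners(text, min_ports=4):
    """Return {src: sorted distinct (proto, dport)} for sources that probed at
    least min_ports distinct closed ports. One or two hits from a host is
    ordinary noise (stale clients, typos); many distinct ports from one source
    in a short window is the classic port-scan signature."""
    probes = defaultdict(set)
    for proto, src, _dst, dport in parse_in_vain(text):
        probes[src].add((proto, dport))
    return {src: sorted(p) for src, p in probes.items() if len(p) >= min_ports}

if __name__ == "__main__":
    # On a real box you would feed /var/log/messages (or the security log) here.
    for src, ports in suspected_scanners(SAMPLE_LOG).items():
        print(f"{src}: {len(ports)} closed ports probed: {ports}")
```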
How to add an ip alias address on FreeBSD
host1# ifconfig fxp0 alias 192.168.1.12 netmask 0xffffffff
(0xffffffff is the same as 255.255.255.255; use that netmask when the alias is on the same network as an address already configured on the interface.)
How to remove an alias address on FreeBSD
host1# ifconfig fxp0 -alias 192.168.1.12
Periodic scripts
Control them with /etc/periodic.conf to suppress the email output and log to a file instead:
cp /etc/defaults/periodic.conf /etc/periodic.conf
# then change daily_output="root" to daily_output="/var/log/daily.log", and so on for weekly and monthly.
But on older systems (3.4 etc.) there is no mention of periodic.conf, so just tweak /etc/crontab like so (the file redirect must come before 2>&1, otherwise stderr still goes to mail instead of the log):
59 1 * * * root periodic daily >>/var/log/daily.log 2>&1
30 3 * * 6 root periodic weekly >>/var/log/weekly.log 2>&1
30 5 1 * * root periodic monthly >>/var/log/monthly.log 2>&1
Using pw(8) for user account administration
Use the pw(8) utility to remove users instead of rmuser.
This command will remove the user from /etc/passwd, /etc/master.passwd and /etc/group:
pw userdel username
Same as above, but will also remove the user's home directory:
pw -r userdel username
Expire a user account using pw(8) on freebsd
pw usermod -n username -e 10-10-2001
Unexpire a user account using pw(8) on freebsd
pw usermod -n username -e
Quickly show what services are enabled via inetd
grep -v '^#' /etc/inetd.conf
Hints for binding various network server daemons to a single IP address
If you want to run jails, these are the configuration details for various services to keep them from binding to the wildcard address * (0.0.0.0):
dovecot - adjust /usr/local/etc/dovecot.conf
imap_listen = a.b.c.d
# and/or
pop3_listen = a.b.c.d
mysqld - adjust in /etc/my.cnf
bind-address = a.b.c.d
sshd - adjust /etc/ssh/sshd_config
ListenAddress a.b.c.d
inetd - adjust /etc/rc.conf
add "-a a.b.c.d" to inetd_flags
exim4 - adjust in /usr/local/etc/exim/configure
local_interfaces = <; 127.0.0.1 ; a.b.c.d
postfix - adjust in /etc/postfix/main.cf
inet_interfaces = $myhostname
apache2 - /usr/local/apache2/conf/httpd.conf
Listen a.b.c.d:80
stunnel - adjust /usr/local/etc/stunnel/stunnel.conf
Adjustment is made in service level configuration
[https]
accept = a.b.c.d:443
connect = 80
ntop - adjust /usr/local/etc/rc.d/ntop.sh
http_port='a.b.c.d:portxy'
# and/or
https_port='a.b.c.d:portyz'
bind (named) - adjust /etc/namedb/named.conf
options {
    listen-on port 53 { a.b.c.d; 127.0.0.1; };
    query-source address a.b.c.d port 53;
};
syslogd - adjust /etc/rc.conf
add either "-ss" and/or "-a a.b.c.d" to syslogd_flags