Editing "StuRa:Server/FreeBSD"
This is the [[Server/Dokumentation | documentation for operating the]] [[Server]] with [[FreeBSD]].
= Security =
* keep the ports up to date:
** portsnap (index: /var/db/portsnap/INDEX)
** edit /etc/crontab:
<code>0 13 * * * root portsnap -I cron fetch && portsnap update && pkg_version -vIL=</code>
* daily audit of the (installed) ports:
** portaudit (audit database: /var/db/portaudit/auditfile.tbz)
** edit /etc/crontab:
<code>0 14 * * * root portaudit -Fda</code>
* subscribe to [http://www.vuxml.org/freebsd/ VuXML]
* read through [http://security.freebsd.org/ http://security.freebsd.org/]
* subscribe to the [http://nvd.nist.gov/ National Vulnerability Database] [http://nvd.nist.gov/download/nvd-rss.xml (NVD RSS)]
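The crontab line above ends with <code>pkg_version -vIL=</code>, which only lists what differs from the index. The following helper is an added example, not part of the wiki page: it turns that output into a short report and fails when a port is behind the index, so cron mails the result. The sample output is constructed in the format <code>pkg_version -v</code> prints (package, comparison character, comment).

```shell
# Added example, not from the wiki page: summarise `pkg_version -vIL=` output.
# CONSTRUCTED sample in the format pkg_version -v prints:  <pkgname>  <cmp>  <comment>
# cmp is "<" (older than the index), ">" (newer), "?" (not in the index) or "!" (name differs).
SAMPLE_PKG_VERSION='bash-4.2.24                         <   needs updating (index has 4.2.37)
openssl-1.0.1_2                     <   needs updating (index has 1.0.1_8)
foo-1.0                             ?   orphaned: misc/foo
zsh-5.0.0                           >   succeeds index (index has 4.3.17)'

# outdated_ports: read pkg_version -v output on stdin and print "pkg -> index-version"
# for every package that is older than the index.
outdated_ports() {
    awk '$2 == "<" {
        idx = $0
        sub(/.*index has /, "", idx)   # keep the text after "index has "
        sub(/\).*/, "", idx)           # drop the closing parenthesis
        print $1 " -> " idx
    }'
}

# unmatched_ports: packages pkg_version cannot match against the index ("?" or "!").
# portaudit vets installed ports by their index entry, so these need a manual look.
unmatched_ports() {
    awk '$2 == "?" || $2 == "!" { print $1 }'
}

# port_report: read pkg_version output on stdin, print a summary and return 1
# when at least one port needs updating (cron mails the output of the job).
port_report() {
    input=$(cat)
    outdated=$(printf '%s\n' "$input" | outdated_ports)
    unmatched=$(printf '%s\n' "$input" | unmatched_ports)
    n=$(printf '%s\n' "$outdated" | grep -c . || true)
    printf 'ports behind the index: %s\n' "$n"
    [ -n "$outdated" ] && printf '%s\n' "$outdated"
    [ -n "$unmatched" ] && printf 'not in index: %s\n' "$unmatched"
    [ "$n" -eq 0 ]
}

# On a real host: pkg_version -vIL= | port_report
printf '%s\n' "$SAMPLE_PKG_VERSION" | port_report || echo "=> some ports need updating"
```

Pipe the real <code>pkg_version -vIL=</code> output into <code>port_report</code> from the crontab entry; a non-zero exit is what makes cron send the report.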
== Packet filter ==
* [http://www.openbsd.org/faq/pf/ OpenBSD pf]
* in /etc/rc.conf:
<code>
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
# host system is gateway for jails
gateway_enable="YES"
</code>
* bind syslogd to the main machine
** in /etc/rc.conf: (possibly the -ss flag as well?)
<code>syslogd_flags="-b $MAIN_IP"</code>
* start the packet filter:
<code># /etc/rc.d/pf start
# /etc/rc.d/pflog start</code>
* <code>/etc/pf.conf</code> (check via <code>pfctl -vnf /etc/pf.conf</code>) (by now outdated)
<code>
### MACROS
thishost = "$MAIN_IP"
# portsnap5 204.9.55.80
portsnap_freebsd = "{ 204.109.56.116 204.9.55.80 }"
# auditfile.tbz is being fetched from portaudit.freebsd.org
portaudit_freebsd = "69.147.83.36"
# dnsserver from resolv.conf
dnsserver = "{ 85.214.73.63 217.79.186.148 27.110.120.30 204.152.184.76 194.150$
### RULES
# default deny
block in all
block out all
# the local interface may pass without restrictions
pass in quick on lo0 all
pass out quick on lo0 all
## HOST
# allow ssh
pass in on bce0 proto tcp from any to $thishost port $SSH_PORT
pass out on bce0 proto tcp from $thishost port $SSH_PORT to any
## allow outbound icmp
# echo request
pass out inet proto icmp icmp-type 8 code 0 keep state
# echo reply
pass in inet proto icmp icmp-type 0 code 0 keep state
# destination unreachable
pass in inet proto icmp icmp-type 3 keep state
# allow DNS lookups {also via tcp?} port 53
# what about traversal???
pass out on bce0 proto udp from $thishost to $dnsserver port 53 keep state
# allow portsnap to fetch from freebsd.org (ports?)
pass in on bce0 proto tcp from $portsnap_freebsd to $thishost
pass out on bce0 proto tcp from $thishost to $portsnap_freebsd
# allow portaudit to fetch auditfile.tbz via http
pass in on bce0 proto tcp from $portaudit_freebsd port 80 to $thishost
pass out on bce0 proto tcp from $thishost to $portaudit_freebsd port 80
## JAIL example (unrestricted -> '''bad idea''', open ports per service instead)
pass in on bce0 proto { tcp udp icmp } from any to $jail_srs14
pass out on bce0 proto { tcp udp icmp } from $jail_srs14 to any
</code>
* check the rules: <code>pfctl -vnf /etc/pf.conf</code>
=== Operating the packet filter ===
* enable: <code>pfctl -e</code>
* disable: <code>pfctl -d</code>
* sanity check: <code>pfctl -vnf /etc/pf.conf</code>
* old rules down the drain, new ones on display: <code>pfctl -Fa -f /etc/pf.conf</code>
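Two small helpers around the ruleset above, added here as an example and not part of the wiki page. <code>pf_jail_rules</code> emits a macro plus one stateful inbound rule per service, the per-service alternative to the unrestricted JAIL example that the page itself calls a bad idea. <code>pf_check_macros</code> reports every <code>$macro</code> reference without a <code>macro = ...</code> definition, which is one of the errors that makes <code>pfctl -vnf /etc/pf.conf</code> reject a file (the page's own ruleset uses <code>$jail_srs14</code> without defining it). The interface <code>bce0</code> and the name <code>srs14</code> come from the page; the addresses and the service list are constructed.

```shell
# Added example, not from the wiki page. Assumed/constructed: the 192.0.2.10 and
# 10.0.0.14 addresses and the tcp/22, tcp/80 service list.

# pf_jail_rules NAME IP IFACE PROTO/PORT...   e.g. pf_jail_rules srs14 10.0.0.14 bce0 tcp/22 tcp/80
pf_jail_rules() {
    name=$1; ip=$2; iface=$3
    shift 3
    printf 'jail_%s = "%s"\n' "$name" "$ip"
    for svc in "$@"; do
        proto=${svc%/*}
        port=${svc#*/}
        case $proto in
            tcp|udp) ;;
            *) echo "pf_jail_rules: unsupported proto '$proto' in $svc" >&2; return 1 ;;
        esac
        # keep state: replies to the accepted connection pass without an explicit "pass out"
        printf 'pass in on %s proto %s from any to $jail_%s port %s keep state\n' \
            "$iface" "$proto" "$name" "$port"
    done
}

# pf_check_macros FILE: print every $macro used in FILE that has no definition; return 1 if any
pf_check_macros() {
    file=$1
    rc=0
    # references look like $name (comments skipped); definitions look like "name = ..." or "name=..."
    refs=$(grep -v '^[[:space:]]*#' "$file" | grep -o '\$[A-Za-z_][A-Za-z0-9_]*' | tr -d '$' | sort -u)
    for m in $refs; do
        if ! grep -q "^[[:space:]]*$m[[:space:]]*=" "$file"; then
            echo "undefined macro: \$$m"
            rc=1
        fi
    done
    return $rc
}

# CONSTRUCTED ruleset in the shape of the page's pf.conf; $jail_srs14 is used but never defined.
SAMPLE_PF_CONF='### MACROS
thishost = "192.0.2.10"
### RULES
block in all
block out all
pass in quick on lo0 all
pass in on bce0 proto tcp from any to $thishost port 2222 keep state
## JAIL example, unrestricted
pass in on bce0 proto { tcp udp icmp } from any to $jail_srs14'

demo_pf_checks() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_PF_CONF" > "$tmp"
    pf_check_macros "$tmp" && echo "unexpected: no undefined macros"
    # replace the unrestricted jail line by a macro plus per-service rules, then re-check
    grep -v 'jail_srs14' "$tmp" > "$tmp.fixed"
    pf_jail_rules srs14 10.0.0.14 bce0 tcp/22 tcp/80 >> "$tmp.fixed"
    pf_check_macros "$tmp.fixed" && echo "all macros defined"
    rm -f "$tmp" "$tmp.fixed"
}
demo_pf_checks
```

The macro check is a pre-flight only; <code>pfctl -vnf</code> remains the authoritative syntax check. Outbound connections initiated from inside the jail (its own DNS lookups, for instance) still need their own <code>pass out</code> rules, one per service, in the same spirit.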
=== References ===
* [http://openbsd.org/faq/pf/de/index.html PF: Der OpenBSD Packet Filter]
* [http://www.amazon.com/Building-Firewalls-OpenBSD-PF-2nd/dp/8391665119 Jacek Artymiak - Building Firewalls with OpenBSD and PF, 2nd edition]
* [http://www.nostarch.com/pf2.htm Peter N. M. Hansteen: The Book of PF, 2nd Edition - A No-Nonsense Guide to the OpenBSD Firewall]
== FreeBSD audit ==
* draconian logging of system calls
* no preventive effect, but extremely helpful in post-mortem analysis
* [http://www.freebsd.org/doc/de_DE.ISO8859-1/books/handbook/audit.html FreeBSD Handbook chapter 17: Security Event Auditing]
* in /etc/rc.conf
<code>auditd_enable="YES"</code>
* start auditd:
** <code># /etc/rc.d/auditd start</code>
* in /etc/security/audit_control:
<code>
flags:lo,aa,ex
policy:cnt,argv
</code>
* synchronize the config: <code># audit -s</code>
* cron job for the logs: /etc/crontab
<code>0 */12 * * * root /usr/sbin/audit -n</code>
= Jails =
Jails are used to virtualise operating system instances. More on this in the [http://www.freebsd.org/doc/de_DE.ISO8859-1/books/handbook/jails.html FreeBSD Handbook chapter 15 - Jails].
== Creating the jail directory with ZFS ==
* the first time
<code>
# zfs create zpool/jails
# zfs set mountpoint=/usr/home/jails zpool/jails
</code>
* otherwise this is enough
<code>
# zfs create zpool/jails/$JAILNAME
</code>
== Creating a jail ==
* <code># cd /usr/src</code>
* possibly install the sources first: sysinstall -> configure -> distributions
* possibly <code># make buildworld</code>
* jails live under /home/jails/$JAILNAME
* build the system for the jail:
<code>
# make installworld DESTDIR=/home/jails/$JAILNAME
# make distribution DESTDIR=/home/jails/$JAILNAME
</code>
* put the device nodes into the jail
** <code># mount -t devfs devfs /home/jails/$JAILNAME/dev</code>
* copy resolv.conf from the host
** <code># cp /etc/resolv.conf /home/jails/$JAILNAME/etc/resolv.conf</code>
* edit rc.conf:
<code>
jail_enable="YES"
jail_list="$JAILNAME"
ifconfig_bce0_alias0="$JAIL_IP netmask 255.255.255.0"
jail_$JAILNAME_rootdir="/usr/home/jails/$JAILNAME"
jail_$JAILNAME_hostname="$JAILNAME.stura.htw-dresden.de"
jail_$JAILNAME_ip="$JAIL_IP"
jail_$JAILNAME_devfs_enable="YES"
jail_$JAILNAME_devfs_ruleset="devfs_rules_jail"
</code>
* start the jail
** <code># /etc/rc.d/jail start</code>
* start a process in the jail
** <code># jexec $JAIL_ID tcsh</code>
** find $JAIL_ID with
*** <code># jls</code>
* install the ports collection
** <code># portsnap fetch extract</code>
* update the ports collection
** <code># portsnap fetch update</code>
* possibly enable ssh (in rc.conf)
<code>sshd_enable="YES"</code>
* /etc/hosts
<code>#.#.#.# JAILNAME.stura.htw-dresden.de</code>
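The rc.conf stanza above has to be typed once per jail, with $JAILNAME substituted in five variable names. The generator below is an added example, not from the wiki page: it prints the stanza from a name and an address and refuses input that would silently produce a broken configuration. rc.d/jail builds variable names such as <code>jail_${JAILNAME}_rootdir</code>, so the jail name must be a valid sh identifier (a name like <code>srs-14</code> cannot be looked up), and a mistyped address would otherwise end up as a wrong interface alias. The jail base directory, domain and interface <code>bce0</code> are the page's own values; the name <code>srs14</code> and address <code>10.0.0.14</code> are constructed.

```shell
# Added example, not from the wiki page. Defaults below are the page's values; override via environment.
JAIL_BASE=${JAIL_BASE:-/usr/home/jails}
JAIL_DOMAIN=${JAIL_DOMAIN:-stura.htw-dresden.de}
JAIL_IFACE=${JAIL_IFACE:-bce0}

# valid_jail_name NAME: 0 if NAME can be part of an rc.conf variable name (sh identifier)
valid_jail_name() {
    case $1 in
        ''|*[!A-Za-z0-9_]*|[0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# valid_ipv4 ADDR: 0 if ADDR is four dotted decimal octets in the range 0..255
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # only digits and dots, no empty octet
    esac
    n=0
    rest=$1.
    while [ -n "$rest" ]; do
        o=${rest%%.*}
        rest=${rest#*.}
        [ "$o" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# jail_rc_conf NAME IP [ALIAS_INDEX]: print the rc.conf lines for one jail, or fail with a message.
# jail_list is printed with this one name; with several jails keep a single jail_list line
# that names all of them.
jail_rc_conf() {
    name=$1; ip=$2; alias=${3:-0}
    valid_jail_name "$name" || { echo "jail_rc_conf: '$name' is not a valid sh identifier" >&2; return 1; }
    valid_ipv4 "$ip" || { echo "jail_rc_conf: '$ip' is not an IPv4 address" >&2; return 1; }
    cat <<EOF
jail_enable="YES"
jail_list="$name"
ifconfig_${JAIL_IFACE}_alias${alias}="$ip netmask 255.255.255.0"
jail_${name}_rootdir="$JAIL_BASE/$name"
jail_${name}_hostname="$name.$JAIL_DOMAIN"
jail_${name}_ip="$ip"
jail_${name}_devfs_enable="YES"
jail_${name}_devfs_ruleset="devfs_rules_jail"
EOF
}

# Constructed demo values; on the host: jail_rc_conf "$JAILNAME" "$JAIL_IP" >> /etc/rc.conf
jail_rc_conf srs14 10.0.0.14
```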
== Deleting a jail ==
* change into the jail root (/home/jails/$JAILNAME)
<code>
# chflags -R noschg *
# rm -rf *
# cd .. && rm -r $JAILNAME
</code>
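The three commands above run <code>rm -rf *</code> in whatever directory the shell happens to be in, and they miss dotfiles and a devfs that is still mounted under the jail. The wrapper below is an added example, not part of the wiki page: it only deletes a plain directory directly below the jail base, refuses while anything is still mounted inside it (the devfs from the setup section, or a jail that is still running), and clears the <code>schg</code> flag over the whole tree first. <code>chflags</code> exists on FreeBSD only and is skipped elsewhere so the script can be exercised on other systems; the base directory defaults to the page's path.

```shell
# Added example, not from the wiki page. JAIL_BASE defaults to the page's jail directory.
JAIL_BASE=${JAIL_BASE:-/usr/home/jails}

# jail_root_ok NAME: 0 if "$JAIL_BASE/NAME" is a real directory directly under the base
jail_root_ok() {
    case $1 in
        ''|*/*|.|..) return 1 ;;   # a bare name only: no path components, no "." or ".."
    esac
    [ -d "$JAIL_BASE/$1" ] && [ ! -L "$JAIL_BASE/$1" ]
}

# jail_has_mounts NAME: 0 if something is still mounted below the jail root
jail_has_mounts() {
    # `mount` prints "<device> on <mountpoint> ..." on FreeBSD and Linux alike; $3 is the mountpoint
    mount 2>/dev/null | awk -v root="$JAIL_BASE/$1/" 'index($3, root) == 1 { found = 1 } END { exit !found }'
}

# remove_jail NAME: delete the jail tree after the checks; returns 1 without touching anything otherwise
remove_jail() {
    name=$1
    jail_root_ok "$name" || { echo "remove_jail: '$name' is not a jail directory under $JAIL_BASE" >&2; return 1; }
    if jail_has_mounts "$name"; then
        echo "remove_jail: unmount everything below $JAIL_BASE/$name first (e.g. its devfs)" >&2
        return 1
    fi
    root=$JAIL_BASE/$name
    # the installed world carries the schg flag on some files; clear it before rm (FreeBSD only)
    if command -v chflags >/dev/null 2>&1; then
        chflags -R noschg "$root"
    fi
    rm -rf "$root"
}

# Stand-alone demo on a CONSTRUCTED temporary base directory; on the host: remove_jail "$JAILNAME"
demo_base=$(mktemp -d)
mkdir -p "$demo_base/srs14/etc"
saved_base=$JAIL_BASE
JAIL_BASE=$demo_base
remove_jail srs14 && echo "removed $demo_base/srs14"
JAIL_BASE=$saved_base
rmdir "$demo_base"
```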
== Tricks, problems etc. ==
* maybe have a look at ezjail (was broken back then)
* allow ping from inside jails
** host: allow_raw_socket=1 via
*** <code># sysctl security.jail.allow_raw_sockets=1</code>
*** or set it in /etc/sysctl.conf
*** [http://www.cyberciti.biz/faq/freebsd-jail-allow-ping-tracerouter-commands/ source]
* ssh:
** /etc/ssh/sshd_config:
<code>ListenAddress 0.0.0.0</code>
* [http://www.freebsd.org/cgi/url.cgi?ports/ports-mgmt/jailaudit/pkg-descr jailaudit]
* Apache [http://www.freebsd.org/cgi/url.cgi?ports/www/mod_jail/pkg-descr mod_jail] as an alternative to mod_chroot
(line 243 / line 177: unchanged lines omitted from the diff)
** [http://wiki.freebsd.org/Image/Linux/CentOS55 CentOS]
= ssh =
* [http://openssh.com/ openssh]
* move ssh to a different port
* suggestions for /etc/ssh/sshd_config:
<code>
VersionAddendum
Port $SSH_PORTNUMMER
ListenAddress $JAIL_IP
Protocol 2
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 1m
PermitRootLogin no
StrictModes yes
MaxAuthTries 4
MaxSessions 5
AllowUsers $DER_COOLE_LEUTE_CLUB
PermitEmptyPasswords no
X11Forwarding no
Banner none
</code>
* always read the man page and go through it with a fine-tooth comb
* keys + passwords for authentication
* in jails: <code>ListenAddress 0.0.0.0</code>
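Going through sshd_config with a fine-tooth comb can be scripted for the settings that have a fixed suggested value. The checker below is an added example, not from the wiki page: it compares a config file against the suggestions above and reports every deviation. It mimics two sshd parsing rules that trip people up: keywords are matched case-insensitively, and the first occurrence of a keyword wins, so a <code>PermitRootLogin no</code> further down does not undo an earlier <code>PermitRootLogin yes</code>. Values inside <code>Match</code> blocks are conditional and are not considered. The expected values are the page's; both sample configs are constructed.

```shell
# Added example, not from the wiki page. Expected values are taken from the suggested sshd_config above.

# sshd_get FILE KEYWORD: print the effective value (first non-comment occurrence before any Match block)
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        /^[[:space:]]*[Mm]atch[[:space:]]/ { exit }   # conditional section starts; stop here
        tolower($1) == key { print $2; exit }         # sshd uses the first occurrence
    ' "$1"
}

# sshd_check FILE: one line per deviation from the suggestions; return 1 if there is any
sshd_check() {
    file=$1
    rc=0
    for pair in Protocol=2 PermitRootLogin=no StrictModes=yes MaxAuthTries=4 \
                PermitEmptyPasswords=no X11Forwarding=no LoginGraceTime=1m; do
        key=${pair%%=*}
        want=${pair#*=}
        have=$(sshd_get "$file" "$key")
        if [ -z "$have" ]; then
            echo "$key: not set (suggested $want)"
            rc=1
        elif [ "$have" != "$want" ]; then
            echo "$key: is '$have', suggested '$want'"
            rc=1
        fi
    done
    # AllowUsers has no fixed value, but it must exist so that only listed accounts may log in
    [ -n "$(sshd_get "$file" AllowUsers)" ] || { echo "AllowUsers: not set"; rc=1; }
    return $rc
}

# CONSTRUCTED configs: a lax one, and the page's suggestions with the placeholders filled in
LAX_SSHD_CONFIG='Port 22
PermitRootLogin yes
# PermitRootLogin no   <- commented out, no effect
permitrootlogin no
X11Forwarding yes'

HARDENED_SSHD_CONFIG='Port 2222
ListenAddress 10.0.0.14
Protocol 2
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 1m
PermitRootLogin no
StrictModes yes
MaxAuthTries 4
MaxSessions 5
AllowUsers alice bob
PermitEmptyPasswords no
X11Forwarding no
Banner none'

demo_sshd_check() {
    tmp=$(mktemp)
    printf '%s\n' "$LAX_SSHD_CONFIG" > "$tmp"
    echo "== lax config"
    sshd_check "$tmp" && echo ok
    printf '%s\n' "$HARDENED_SSHD_CONFIG" > "$tmp"
    echo "== hardened config"
    sshd_check "$tmp" && echo ok
    rm -f "$tmp"
}
demo_sshd_check
```

On a host, run <code>sshd_check /etc/ssh/sshd_config</code> before restarting sshd; <code>sshd -t</code> still has to be run for the syntax itself.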
= Email =
* MTA: [http://www.postfix.org/ postfix]
* MDA: [http://www.dovecot.org/ dovecot] or [http://www.courier-mta.org/maildrop/ maildrop]
* recommended MUA (client side):
** [https://www.mozilla.org/de/thunderbird/ Mozilla Thunderbird]
** [http://www.mutt.org/ mutt]
== MTA: postfix ==
* in the email jail
* <code># cd /usr/ports/mail/postfix</code>
(line 331 / line 230: unchanged lines omitted from the diff)
<code>
mail_spool_directory = /var/spool/mail
relay_domains = stura.htw-dresden.de
smtpd_recipient_restrictions = reject_invalid_hostname,
reject_unknown_recipient_domain,
</code>
(line 343 / line 240: unchanged lines omitted from the diff)
<code>smtpd_client_restrictions = reject_rbl_client dnsbl.sorbs.net</code>
== MDA: dovecot ==
* options: kqueue, ssl, managesieve, mysql
<code># echo 'dovecot_enable="YES"' >> /etc/rc.conf
# cp /usr/local/share/examples/dovecot/dovecot.conf /usr/local/etc/dovecot.conf
# cp /usr/local/share/examples/dovecot/dovecot-sql.conf /usr/local/etc/dovecot-sql.conf</code>
* in /usr/local/etc/dovecot.conf: (for testing for now)
<code>protocols = imap pop3
disable_plaintext_auth = no
ssl = no
</code>
(line 372 / line 256: unchanged lines omitted from the diff)
* '''bolt crypto onto it (imap -> imaps, pop3 -> pop3s)'''
== Tricks etc. ==
* create alias addresses
** edit: /usr/local/etc/postfix/main.cf:
(line 404 / line 278: unchanged lines omitted from the diff)
<code># .
# QUIT</code>
= Plone =
* built by JoSch back then, thoroughly overhauled in the meantime
* [http://www.freebsdforums.org/how-to-install-apache-for-freebsd/ Apache] installed
(line 442 / line 291: unchanged lines omitted from the diff)
* [http://plone.org/products/plone/releases http://plone.org/documentation/kb/freebsdploneapache/preparefreebsd]
= DNS =
* the DNS servers of the [https://www.foebud.org/ FoeBuD] and of the CCC are used
* additionally (for [http://www.opennicproject.org/ OpenNIC])
(line 462 / line 297: unchanged lines omitted from the diff)
** NZ 27.110.120.30 ns1.nz.dns.opennic.glue Dean Gardiner yes (24 hrs)
= Tips, tricks etc. =
* track changes to configuration files (e.g. in /etc) via [http://git-scm.com/ git]
* set up disk quotas for jails
(line 475 / line 310: unchanged lines omitted from the diff)
<code># /etc/rc.d/netif restart && /etc/rc.d/routing restart</code>
== Building a USB stick ==
* on a FreeBSD system
* download the image:
<code>wget ftp://ftp.de.freebsd.org/pub/FreeBSD/ISO-IMAGES-amd64/8.2/FreeBSD-8.2-RELEASE-amd64-memstick.img</code>
* dump the image onto the stick
<code>dd if=FreeBSD-8.2-RELEASE-amd64-memstick.img of=/dev/da0 bs=64k</code>
= Server setup description =
* /boot UFS, the rest ZFS
* take anything bootable (USB, DVD) and off into the Fixit shell
(line 544 / line 335: unchanged lines omitted from the diff)
<code>gpart set -a active -i 1 ad0</code>
= References etc. =
* [http://www.freebsd.org FreeBSD.org] - [http://www.freebsd.org/doc/de_DE.ISO8859-1/books/handbook/ Handbook]
* [http://www.freebsdwiki.net/ FreeBSD-wiki]
* [http://cb.vu/unixtoolbox.xhtml Unix Toolbox]
* [http://openbsd.org/faq/pf/de/index.html PF: Der OpenBSD Packet Filter]
== Internal ==
* [[Server/Hauptsystem]]
== Books ==
* [http://nostarch.com/abs_bsd2.htm Absolute FreeBSD, 2nd Edition]
* [http://eu.wiley.com/WileyCDA/WileyTitle/productCd-0470376031.html BSD UNIX Toolbox: 1000+ Commands for FreeBSD, OpenBSD and NetBSD]