Openbsd Server

  • Uploaded by: Achmad Muzaqi
  • May 2020
1 afterboot
2 crypt harddisk
3 harden the installation
    3.1 sshd
    3.2 clear console on logout
    3.3 lockdown single user mode
4 dsl-router and firewall
    4.1 dsl connection
    4.2 firewall
    4.3 dns server bind
    4.4 dyndns
5 server: nfs, dhcp and ntp
    5.1 nfs
    5.2 dhcp
    5.3 ntp
6 isakmpd (ipsec-wlan)
7 mail-server
    7.1 configure postfix
    7.2 dovecot imap-server
    7.3 procmail and fetchmail
8 ldap
9 cvs-server and mirror
    9.1 cvs-server
    9.2 use repository
    9.3 mail on commit
    9.4 openbsd mirror with cvsync
10 subversion-server
    10.1 subversion-server
    10.2 use repository
11 oamp - openbsd apache mysql php
    11.1 httpd
        11.1.1 ssl
        11.1.2 mod_perl
    11.2 mysql server
    11.3 php
        11.3.1 phpldapadmin
12 x
    12.1 configure
    12.2 fluxbox
13 install additional stuff
    13.1 mergemaster
    13.2 gkrellm
    13.3 wget
    13.4 unrar
    13.5 unace
    13.6 mpd
    13.7 mplayer
    13.8 darkstat

1 afterboot

• read the very good manpage:
    # man afterboot
• add the following line to enable linux kernel-emulation:
    kern.emul.linux=1
• edit fstab and add the option softdep to all partitions
• create cdrom and floppy entries in /etc/fstab:
    # mkdir -p /mnt/dvd; mkdir -p /mnt/floppy
    # vi /etc/fstab
    /dev/cd0a /mnt/dvd cd9660 ro,nodev,nosuid,noauto 0 0
    /dev/fd0a /mnt/floppy msdos rw,nodev,nosuid,noauto 0 0
• don't use inetd:
    # echo "inetd=NO" >> /etc/rc.conf.local
• add a user:
    # adduser
• edit /etc/sudoers:
    # visudo
    # Uncomment to allow people in group wheel to run all commands
    %wheel ALL=(ALL) ALL
• install ports tree:
    # cd /tmp
    # ftp ftp://ftp.openbsd.org/pub/OpenBSD/VERSION/ports.tar.gz
    # cd /usr
    # tar xzvf /tmp/ports.tar.gz
• create a directory for scripts:
    # mkdir /usr/local/src/
    # mkdir /usr/local/src/scripts
    # cd /root/
    # ln -s /usr/local/src/scripts

2 crypt harddisk

• cgd is obsolete, use vnconfig
• create an image file on the whole mounted partition:
    # nice dd if=/dev/prandom of=/mnt/my_partition/encrypted bs=512
• configure svnd0 (set password):
    # vnconfig -cvk svnd0 /mnt/my_partition/encrypted
• create a filesystem on svnd0c:
    # newfs /dev/svnd0c
    # mkdir /my_partition
• edit /etc/rc.local, insert at the end of this file:
    # svnd addition
    echo 'mounting crypted disks:'
    # ask for the passphrase up to three times
    for count in First Second Last
    do
        wrong_pw="NO"
        echo -n "$count try /my_partition - "
        # drop any earlier binding, then bind the image with a new key
        /usr/sbin/vnconfig -u svnd0 >/dev/null 2>&1
        /usr/sbin/vnconfig -k svnd0 /mnt/my_partition/encrypted
        # a wrong passphrase gives an unreadable filesystem, so mount fails
        mount /dev/svnd0c /my_partition && break
        wrong_pw="YES"
    done
    if [ "X${wrong_pw}" != X"NO" ]; then
        echo "Password 3 times wrong."
    else
        echo "Successful."
        /usr/bin/midiplay -x -t 200
    fi
    unset wrong_pw

3 harden the installation

3.1 sshd

• do not permit root-login and let sshd listen on another port in /etc/ssh/sshd_config:
    Port 2222
    PermitRootLogin no
• maybe change firewall-rules to open 2222 instead of ssh default 22
• for working cvs over ssh - maybe add PORT=2222 on clients in ~/.ssh/config

3.2 clear console on logout

• edit /etc/gettytab:
    P|Pc|Pc console:\
        :np:sp#9600:\
        :cl=\E[H\E[2J:

3.3 lockdown single user mode

• edit /etc/ttys and change the console line to insecure, so that single user mode asks for the root password:
    console "/usr/libexec/getty Pc" vt220 off insecure
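
The settings from 3.1 and 3.3 can be checked after the fact. The script below is an added example, not part of the original guide: it reads an sshd_config and a ttys file and reports whether root login is refused, whether port 22 is still in use and whether the console is marked insecure. The function names and the sample files are made up for this example.

```shell
#!/bin/sh
# Added example, not part of the original guide.

# Print the effective global value of a single-valued sshd_config keyword.
# sshd keeps the FIRST value it reads for such a keyword, keywords are
# case-insensitive, and "keyword=value" is accepted as well as "keyword value".
sshd_effective() {  # usage: sshd_effective <file> <keyword>
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/=/, " ") }
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }    # Match blocks are not evaluated here
        tolower($1) == want { print $2; exit }
    ' "$1"
}

# Print every global Port value; Port may be given several times and sshd
# listens on all of them.
sshd_ports() {  # usage: sshd_ports <file>
    awk '
        { sub(/=/, " ") }
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == "port" { print $2 }
    ' "$1"
}

# 0 when root login is refused and sshd no longer listens on port 22.
check_sshd() {  # usage: check_sshd <file>
    rc=0
    root=$(sshd_effective "$1" PermitRootLogin)
    [ "$root" = "no" ] || { echo "FAIL: PermitRootLogin is ${root:-not set}"; rc=1; }
    ports=$(sshd_ports "$1")
    case " $(echo ${ports:-22}) " in
        *" 22 "*) echo "FAIL: sshd listens on port 22"; rc=1 ;;
    esac
    return $rc
}

# 0 when the console entry in ttys exists and is not flagged "secure".
check_console() {  # usage: check_console <file>
    awk '$1 == "console" { seen = 1
                           for (i = 2; i <= NF; i++) if ($i == "secure") bad = 1 }
         END { if (seen && !bad) exit 0; exit 1 }' "$1"
}

# Constructed sample files, written to <dir>, to exercise the checks.
make_samples() {  # usage: make_samples <dir>
    printf '%s\n' '#Port 22' 'Port 2222' 'PermitRootLogin no' \
        'Match User backup' '    X11Forwarding no' > "$1/sshd_good"
    printf '%s\n' 'Port 2222' 'port 22' 'PermitRootLogin=yes' \
        'PermitRootLogin no' > "$1/sshd_bad"
    echo 'console "/usr/libexec/getty Pc" vt220 off insecure' > "$1/ttys_good"
    echo 'console "/usr/libexec/getty Pc" vt220 off secure' > "$1/ttys_bad"
}

# With two arguments, audit real files, e.g. /etc/ssh/sshd_config /etc/ttys
if [ $# -eq 2 ]; then
    check_sshd "$1" && echo "sshd_config ok"
    if check_console "$2"; then echo "ttys ok"; else echo "FAIL: console is not marked insecure"; fi
fi
```

In the sshd_bad sample the later "PermitRootLogin no" has no effect because the earlier "PermitRootLogin=yes" is read first, and the second Port line adds port 22 back.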

4 dsl-router and firewall

4.1 dsl connection

• delete old gateways:
    # cd /etc
    # cp -p mygate mygate.old
    # rm /etc/mygate
    # route delete default
• first networkcard (for LAN) should be configured (during the installation process)
• second networkcard connected to the dsl-modem is unconfigured
• after the disconnect (24h) ppp should automatically reconnect
• edit /etc/ppp/ppp.conf:
    default:
     set log Phase Chat IPCP CCP tun command
     set redial 15 0
     set reconnect 15 10000
    pppoe:
     set device "!/usr/sbin/pppoe -i <second_networkcard>"
     set server /var/run/pppoe "" 0177
     disable acfcomp protocomp
     deny acfcomp
     set mtu max 1454
     set mru max 1454
     set crtscts off
     set speed sync
     enable lqr
     set lqrperiod 5
     set cd 5
     set dial
     set login
     set timeout 0
     set authname <user>@<provider>
     set authkey <password>
     add! default HISADDR
     enable dns
     resolv readonly
     enable mssfixup
• set restrictive rights on /etc/ppp/ppp.conf:
    # chmod 600 /etc/ppp/ppp.conf
• edit /etc/ppp/ppp.linkup:
    MYADDR:
     ! sh -c "/sbin/pfctl -e -F all -f /etc/pf-ppp.conf"
     ! sh -c "/usr/bin/midiplay -x"
• edit /etc/ppp/ppp.linkdown:
    MYADDR:
     ! sh -c "/sbin/route delete default"
• test your connection:
    # ifconfig <second_networkcard> up media 10baseT
    # ppp -ddial pppoe
• check /var/log/daemon
• make settings static:
    # echo "up media 10baseT" > /etc/hostname.<second_networkcard>
• add to /etc/rc.local:
    # ppp
    echo 'ppp'; /usr/sbin/ppp -ddial pppoe
• enable ip-forwarding:
    # sysctl -w net.inet.ip.forwarding=1
    # vi /etc/sysctl.conf
    net.inet.ip.forwarding=1

4.2 firewall

• edit /etc/pf.conf:
    ...
• test pf config:
    # chmod 0600 /etc/pf.conf
    # chmod 0600 /etc/pf-ppp.conf
    # pfctl -nf /etc/pf.conf
    # pfctl -nf /etc/pf-ppp.conf
• start pf:
    # /sbin/pfctl -e -F all -f /etc/pf.conf
• add to /etc/rc.conf.local:
    pf=YES
    pflogd_flags=

4.3 dns server bind

• modify following lines in options section in /var/named/etc/named.conf:
    options {
        version ""; // remove this to allow version queries
        forwarders { };
        listen-on port 53 {
            127.0.0.1;
            192.168.100.1;
            192.168.110.1;
        };
        allow-query { 127.0/16; 192.168/16; };
        cleaning-interval 120;
        notify no;
    };
• add following zones to /var/named/etc/named.conf:
    zone "local" in {
        type master;
        file "master/local.zone";
    };
    zone "100.168.192.in-addr.arpa" in {
        type master;
        file "master/192.168.100.zone";
    };
    zone "110.168.192.in-addr.arpa" in {
        type master;
        file "master/192.168.110.zone";
    };
• create zone-files /var/named/master/192.168.100.zone, /var/named/master/192.168.110.zone and /var/named/master/local.zone for LAN and WLAN
• edit /etc/resolv.conf:
    domain local
    lookup file bind
    nameserver 127.0.0.1
• start bind after reboot:
    # echo 'named_flags=' >> /etc/rc.conf.local

4.4 dyndns

• install ddclient:
    # cd /usr/ports/net/ddclient/
    # make install clean clean-depends
• edit config-file for your account on dyndns.org:
    # vi /etc/ddclient/ddclient.conf
• test daemon:
    # /usr/local/sbin/ddclient -daemon=0 -debug -verbose -noquiet
• add the following lines to /etc/rc.local:
    # dyndns.org
    if [ -x /usr/local/sbin/ddclient ]; then
        echo -n ' ddclient'; /usr/local/sbin/ddclient -verbose
    fi

5 server: nfs, dhcp and ntp

5.1 nfs

• edit /etc/exports, for example:
    /export_directory1 -mapall=user:group -alldirs -network 192.168.0.0 -mask 255.255.0.0
• start all services:
    # /sbin/nfsd -tun 4
    # echo -n >/var/db/mountdtab
    # /sbin/mountd
• start nfs after reboot:
    # echo 'nfs_server=YES' >> /etc/rc.conf.local
• start portmap after reboot:
    # echo 'portmap=YES' >> /etc/rc.conf.local

5.2 dhcp

• edit /etc/dhcpd.conf, for example:
    # Network:        192.168.100.0/255.255.255.0
    # Domain name:    local
    # Name server:    192.168.100.1
    # Default router: 192.168.100.1
    #
    shared-network LOCAL-NET {
        option domain-name "local";
        option domain-name-servers 192.168.100.1;
        option subnet-mask 255.255.255.0;
        option broadcast-address 192.168.100.255;
        option routers 192.168.100.1;

        default-lease-time 600;
        max-lease-time 7200;

        # If this DHCP server is the official DHCP server for the local
        # network, the authoritative directive should be uncommented.
        authoritative;

        subnet 192.168.100.0 netmask 255.255.255.0 {
            host host1_nfe0 {
                hardware ethernet 00:11:22:33:44:55;
                fixed-address host1.local;
            }
            host host2_nfe0 {
                hardware ethernet 00:12:22:33:44:55;
                fixed-address host2.local;
            }
            host host3_nfe0 {
                hardware ethernet 00:13:22:33:44:55;
                fixed-address host3.local;
            }
            host guest {
                fixed-address guest.local;
            }
            #range 192.168.100.110 192.168.100.120;
        }
    }
    shared-network WLAN-NET {
        subnet 192.168.110.0 netmask 255.255.255.0 {
            option subnet-mask 255.255.255.0;
            option domain-name-servers 192.168.110.1;
            option broadcast-address 192.168.110.255;
            option routers 192.168.110.1;
            host host4_en1 {
                hardware ethernet 00:14:22:33:44:55;
                fixed-address 192.168.110.105;
            }
        }
    }
• start dhcpd (replace with the device on which dhcpd should listen, e.g.: nfe0):
    # touch /var/db/dhcpd.leases
    # /usr/sbin/dhcpd
• start dhcpd after reboot:
    # echo 'dhcpd_flags=' >> /etc/rc.conf.local

5.3 ntp

• add the following line to /etc/ntpd.conf:
    #listen on *
    listen on 192.168.100.1
• start ntpd:
    # /usr/sbin/ntpd
• start ntpd after reboot:
    # echo 'ntpd_flags=' >> /etc/rc.conf.local

6 isakmpd (ipsec-wlan)

• edit /etc/isakmpd/isakmpd.conf:
    #
    # isakmpd.conf
    #
    [General]
    Retransmits=            5
    Exchange-max-time=      120
    Listen-on=              192.168.110.1
    Check-interval=         1

    [Phase 1]
    # remote client (road) has dynamic IP addressing
    Default=                road

    [Phase 2]
    # passive connection between client and server
    Passive-Connections=    core-road

    [road]
    # phase 1: exchange authentication informations
    Phase=                  1
    Transport=              udp
    Local-address=          192.168.110.1
    Configuration=          Default-main-mode
    Authentication=         secret
    Default=                core-road

    [core-road]
    # phase 2: establish the connection
    Phase=                  2
    ISAKMP-peer=            road
    Configuration=          Default-quick-mode
    Local-ID=               Net-core

    [Net-core]
    # local net addressing
    ID-type=                IPV4_ADDR_SUBNET
    Network=                0.0.0.0
    Netmask=                0.0.0.0

    [Default-main-mode]
    # declare our main mode of operation
    DOI=                    IPSEC
    EXCHANGE_TYPE=          ID_PROT
    Transforms=             3DES-SHA

    [Default-quick-mode]
    # declare our quick mode of operation
    DOI=                    IPSEC
    EXCHANGE_TYPE=          QUICK_MODE
    Suites=                 QM-ESP-3DES-SHA-PFS-SUITE
• edit /etc/isakmpd/isakmpd.policy:
    KeyNote-Version: 2
    Comment: IKE policy v3.0 (road warrior VPN)
    Authorizer: "POLICY"
    Licensees: "passphrase:secret"
    Conditions: app_domain == "IPsec policy" &&
                esp_present == "yes" &&
                esp_enc_alg != "null" -> "true";
• start isakmpd after reboot:
    # echo 'isakmpd_flags=""' >> /etc/rc.conf.local

7 mail-server

• install mailserver software:
    # cd /usr/ports/mail/fetchmail
    # make install clean clean-depends
    # cd /usr/ports/mail/procmail
    # make install clean clean-depends
    # cd /usr/ports/mail/postfix/stable/
    # make install clean clean-depends
    # cd /usr/ports/mail/dovecot
    # make install clean clean-depends

7.1 configure postfix

• replace sendmail with postfix:
    # /usr/local/sbin/postfix-enable
    # echo 'syslogd_flags="-a /var/spool/postfix/dev/log"' >> /etc/rc.conf.local
    # echo 'sendmail_flags="-bd -q30m"' >> /etc/rc.conf.local
• uncomment "sendmail clientmqueue runner" in roots crontab:
    # crontab -e
    # sendmail clientmqueue runner
    #*/30 * * * * /usr/sbin/sendmail -L sm-msp-queue -Ac -q
• edit following lines in /etc/postfix/main.cf, leaving most lines unchanged to use the default-values:
    myhostname = mail.local
    mydomain = local
    myorigin = $myhostname
    mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
    mynetworks = 192.168.100.0/24, 127.0.0.0/8
    relay_domains = $mydestination
    home_mailbox = .maildir/
    mailbox_command = /usr/local/bin/procmail
• edit your alias file:
    # vi /etc/mail/aliases
    # /usr/local/sbin/postalias /etc/mail/aliases
• reboot to apply changes

7.2 dovecot imap-server

• create maildirs as imap user:
    # mkdir -p .maildir/new .maildir/cur .maildir/tmp
    # chmod -R 700 .maildir
• edit following line in /etc/dovecot.conf:
    mail_location = maildir:/home/%u/.maildir/
• edit /etc/ssl/dovecot-openssl.cnf
• create cert and start dovecot:
    # dovecot-mkcert.sh
    # dovecot
• add the following lines to /etc/rc.local:
    # dovecot
    if [ -x /usr/local/sbin/dovecot ]; then
        echo -n ' dovecot'; /usr/local/sbin/dovecot
    fi

7.3 procmail and fetchmail

• create a suitable .procmailrc in mail-users home directory
• create a suitable .fetchmailrc in mail-users home directory
• create a crontab for fetchmail as user:
    # su user
    $ crontab -e
    */30 * * * * /usr/local/bin/fetchmail -a > /dev/null

8 ldap

• install ldap:
    # cd /usr/ports/databases/openldap/
    # make install clean clean-depends
    # cd /usr/ports/packages/i386/all/
    # pkg_add openldap-server
• generate root password (used as rootpw in /etc/openldap/slapd.conf):
    # /usr/local/sbin/slappasswd
    New password:
    Re-enter new password:
    {SSHA}secret
• add/change the following lines in /etc/openldap/slapd.conf:
    include /etc/openldap/schema/core.schema
    include /etc/openldap/schema/cosine.schema
    include /etc/openldap/schema/nis.schema
    include /etc/openldap/schema/inetorgperson.schema
    include /etc/openldap/schema/misc.schema
    include /etc/openldap/schema/openldap.schema

    pidfile  /var/openldap-data/slapd.pid
    argsfile /var/openldap-data/slapd.args

    access to attrs=userpassword
        by self write
        by dn="uid=root,dc=local" write
        by * compare

    # all user write access to address-book
    access to dn.subtree="ou=global-addresbook, dc=local"
        by * write

    database ldbm
    suffix "dc=local"
    rootdn "uid=root,dc=local"
    rootpw {SSHA}secret
    index cn,sn,uid   pres,eq,approx,sub
    index objectclass pres,eq
• adjust permissions for openldap dir:
    # cd /etc
    # chown -R _openldap:_openldap openldap/
    # chown _openldap:_openldap /var/openldap-data
• setup logging:
    # touch /var/log/ldap.log
    # echo "/var/log/ldap.log root:wheel 640 7 250 * Z" >> /etc/newsyslog.conf
• add following line to /etc/syslog.conf:
    local4.* /var/log/ldap.log
• restart syslog:
    # kill -HUP `cat /var/run/syslog.pid`
• start and test:
    # /usr/local/libexec/slapd -u _openldap
• create file domain.txt, add lines:
    dn: dc=local
    objectclass: dcObject
    objectclass: organization
    o: local
    dc: local
• insert file into database:
    # ldapadd -x -D "uid=root,dc=local" -W -f domain.txt
    # ldapsearch -x -b 'dc=local' '(objectclass=*)'
• add following lines in /etc/openldap/ldap.conf:
    BASE dc=local
    URI ldap://localhost
• add to /etc/rc.local:
    # slapd
    if [ -x /usr/local/libexec/slapd ]; then
        echo -n ' slapd'; /usr/local/libexec/slapd -u _openldap
    fi
• add to /etc/rc.shutdown:
    # slapd
    if [ -f /var/openldap-data/slapd.pid ]; then
        kill -INT `cat /var/openldap-data/slapd.pid`
        rm -f /var/openldap-data/slapd.*
    fi

9 cvs-server and mirror

9.1 cvs-server

• create location of repositories:
    # mkdir /usr/local/cvs/
    # ln -s /usr/local/cvs /cvs
• starting the server in /etc/inetd.conf:
    cvspserver stream tcp nowait root /usr/bin/cvs cvs --allow-root=/usr/local/cvs pserver
• enable inetd in /etc/rc.conf.local
• start inetd:
    # inetd
• create group and add users:
    # groupadd cvs
    # usermod -G cvs username
    # cd /cvs
    # chgrp -R cvs .
    # chmod ug+rwx . CVSROOT
• for local access simply use:
    # export CVSROOT=/cvs
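
Section 1 appends inetd=NO to /etc/rc.conf.local and this section enables inetd again in the same file. The file is read as a list of shell-style assignments, so when a variable appears twice the later line wins. The helpers below are an added example, not part of the original guide: they report the value that is actually in effect, list variables set more than once, and set a variable without leaving a stale earlier line behind. The function names and the sample file are made up for this example.

```shell
#!/bin/sh
# Added example, not part of the original guide.

# Print the value <name> ends up with: the LAST assignment in the file wins.
# Trailing "# comment" text and one pair of surrounding quotes are removed.
rc_effective() {  # usage: rc_effective <file> <name>
    sed -n "s/^$2=//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*#.*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Print every variable that is assigned more than once.
rc_duplicates() {  # usage: rc_duplicates <file>
    sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' "$1" | sort | uniq -d
}

# Set <name> to <value>, replacing earlier assignments instead of appending
# another line. Assumes the value contains no double quote, $ or backquote.
rc_set() {  # usage: rc_set <file> <name> <value>
    [ -f "$1" ] || : > "$1"
    tmp=$(mktemp) || return 1
    grep -v "^$2=" "$1" > "$tmp" || :      # grep exits 1 when nothing is left
    printf '%s="%s"\n' "$2" "$3" >> "$tmp"
    cat "$tmp" > "$1"                      # keeps owner and mode of the file
    rm -f "$tmp"
}

# Constructed sample in the style of the lines this guide appends.
make_sample() {  # usage: make_sample <file>
    cat > "$1" <<'EOF'
inetd=NO
pf=YES
syslogd_flags="-a /var/spool/postfix/dev/log"
inetd=YES
EOF
}

# With one argument, report variables that are set more than once.
if [ $# -eq 1 ]; then
    for v in $(rc_duplicates "$1"); do
        echo "$v is set more than once, effective value: $(rc_effective "$1" "$v")"
    done
fi
```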

9.2 use repository

• create repository on the server:
    # cvs -d /cvs/your_project init
• create initial import from client:
    # export CVS_RSH=ssh
    # export CVSROOT=:ext:user@cvsserver:/cvs
    # cd /your/project
    # cvs import -m "initial import" your_project user START
• checkout your new project from server to client:
    # cvs checkout your_project
• list changes from client:
    # cvs -n update
    # cvs status
    # cvs diff -rX.X
• commit changes:
    # cvs commit
    # cvs update
• project releases:
    # cvs -q tag
    # cvs -q export -r -d your_project-0.1 your_project
    # tar -czvf your_project-0.1.tar.gz your_project-0.1.cdr

9.3 mail on commit

• on the client:
    # cvs checkout CVSROOT
    # cd CVSROOT/
    # cvs edit loginfo
    # cvs edit commitinfo
• add following line to loginfo:
    DEFAULT $CVSROOT/CVSROOT/log_accum -m source-changes@localhost -f $CVSROOT/CVSROOT/ChangeLog %s
• add following line to commitinfo:
    DEFAULT $CVSROOT/CVSROOT/commit_prep -r
• and commit changes:
    # cvs commit -m "enabled commit email notification" loginfo commitinfo
• on the server:
    # cp /usr/libexec/cvs/contrib/log_accum /cvs/your_project/CVSROOT/
    # cp /usr/libexec/cvs/contrib/commit_prep /cvs/your_project/CVSROOT/
    # chmod 755 /cvs/your_project/CVSROOT/log_accum
    # chmod 755 /cvs/your_project/CVSROOT/commit_prep
• finally you need to change the path to sendmail binary in log_accum

9.4 openbsd mirror with cvsync

• install cvsync:
    # cd /usr/ports/net/cvsync
    # make install clean clean-depends
• add following to /etc/cvsync.conf:
    config {
        hostname cvsync.de.openbsd.org
        # If your network link is a T1 or faster, comment out the following line.
        compress
        collection {
            name openbsd release rcs
            prefix /cvs/openbsd
            umask 002
        }
    }
• start sync:
    # cd /cvs
    # mkdir /cvs/openbsd
    # cvsync
• running sync and checkout as script:
    #!/bin/sh
    # cvsync
    echo "==> starting cvsync"
    cd /cvs/openbsd
    /usr/local/bin/cvsync
    chown -R user:cvs /cvs/openbsd
    export CVSROOT=/cvs/openbsd
    # local www checkout
    echo "==> starting local www checkout"
    cd /var/www/htdocs/
    cvs -q checkout www
• add script as cronjob

10 subversion-server

• install subversion:
    # cd /usr/ports/devel/subversion/
    # make install clean clean-depends

10.1 subversion-server

• create location of repository:
    # ln -s /usr/local/svn /svn
• create group and add users:
    # groupadd svn
    # usermod -G svn user
    # cd /usr/local/svn
    # chown -R _svnserve .
    # chgrp -R svn .
    # chmod -R 775 your_project
• starting the server:
    # sudo useradd -u980 -gsvn -c"svnserve daemon" -d/svn -s /sbin/nologin _svnserve
    # /usr/bin/sudo -u _svnserve /usr/local/bin/svnserve --listen-host 0.0.0.0 -d -r /svn
• add subversion server to /etc/rc.local:
    # svnserve
    if [ -x /usr/local/bin/svnserve ]; then
        echo -n ' svnserve'; /usr/bin/sudo -u _svnserve /usr/local/bin/svnserve --listen-host 0.0.0.0 -d -r /svn
    fi

10.2 use repository

• create repository on server:
    # svnadmin create /svn/your_project
• local checkout:
    # svn co file:///svn/your_project
• remote checkout:
    # svn co svn+ssh://server/svn/your_project
• create initial import from client:
    # mkdir trunk branches tags
    # svn add trunk/ branches/ tags/
    # svn commit -m "initial layout"

11 oamp - openbsd apache mysql php

11.1 httpd

11.1.1 ssl

• generate an rsa key:
    # openssl genrsa -out /etc/ssl/private/server.key 2048
• generate certificate signing request:
    # openssl req -new -key /etc/ssl/private/server.key -out /etc/ssl/private/server.csr
• let CA sign the key - or sign it yourself:
    # openssl x509 -req -days 365 -in /etc/ssl/private/server.csr -signkey /etc/ssl/private/server.key -out /etc/ssl/server.crt
• insert an entry in /etc/rc.conf.local:
    # echo 'httpd_flags="-DSSL"' >> /etc/rc.conf.local
• restart apache:
    # apachectl stop
    # apachectl start
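
Before restarting httpd with -DSSL it is worth confirming that server.crt really belongs to server.key, that the 365 day certificate is not about to expire, and that the private key is readable by its owner only. The script below is an added example, not part of the original guide. The function names are made up, and make_pair repeats the three commands above in a scratch directory with -subj and a constructed CN added so that openssl req does not prompt.

```shell
#!/bin/sh
# Added example, not part of the original guide.

# 0 if the certificate carries the public half of the given private key.
cert_matches_key() {  # usage: cert_matches_key <cert.pem> <key.pem>
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate is still valid <days> days from now.
cert_valid_for_days() {  # usage: cert_valid_for_days <cert.pem> <days>
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# 0 if group and others have no permission bits on the file.
owner_only() {  # usage: owner_only <file>
    case $(ls -ld -- "$1" | cut -c5-10) in
        ------) return 0 ;;
        *) return 1 ;;
    esac
}

# Key, request and self-signed certificate as in 11.1.1, written to <dir>.
# -subj "/CN=www.local" is a constructed value added for this example.
make_pair() {  # usage: make_pair <dir>
    ( umask 077
      openssl genrsa -out "$1/server.key" 2048 &&
      openssl req -new -key "$1/server.key" -subj "/CN=www.local" \
          -out "$1/server.csr" &&
      openssl x509 -req -days 365 -in "$1/server.csr" \
          -signkey "$1/server.key" -out "$1/server.crt"
    ) >/dev/null 2>&1
}

# Print one line per finding; 0 if there is none.
check_pair() {  # usage: check_pair <cert.pem> <key.pem>
    rc=0
    cert_matches_key "$1" "$2" || { echo "FAIL: $1 does not belong to $2"; rc=1; }
    cert_valid_for_days "$1" 30 || { echo "FAIL: $1 expires within 30 days"; rc=1; }
    owner_only "$2" || { echo "FAIL: $2 is accessible by group or others"; rc=1; }
    return $rc
}

# With two arguments, check real files, e.g.
# /etc/ssl/server.crt /etc/ssl/private/server.key
if [ $# -eq 2 ]; then
    check_pair "$1" "$2" && echo "certificate and key ok"
fi
```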

11.1.2 mod_perl

• install mod_perl:
    # cd /usr/ports/www/mod_perl
    # make install clean clean-depends
    # /usr/local/sbin/mod_perl-enable

11.2 mysql server

• install mysql-server:
    # cd /usr/ports/databases/mysql
    # env SUBPACKAGE=-server make install clean
• edit /etc/rc.conf.local and add the following line:
    shlib_dirs="$shlib_dirs /usr/local/lib/mysql" # extra directories for ldconfig
• init database and set the root password for the database:
    # /usr/local/bin/mysql_install_db
    # /usr/local/bin/mysqld_safe &
    # /usr/local/bin/mysqladmin -u root password newpassword
    # /usr/local/bin/mysqladmin -u root -p -h hostname password 'newpassword'
• edit /etc/rc.conf.local and add the following line:
    mysql=YES
• edit /etc/rc.local and add the following lines:
    if [ X"${mysql}" = X"YES" -a -x /usr/local/bin/mysqld_safe ]; then
        echo -n " mysqld"; /usr/local/bin/mysqld_safe --user=_mysql --log &
        # wait up to six seconds for the socket to appear
        for i in 1 2 3 4 5 6; do
            if [ -S /var/run/mysql/mysql.sock ]; then
                break
            else
                sleep 1
                echo -n "."
            fi
        done
        #
        # Apache chroot Settings
        mkdir -p /var/www/var/run/mysql
        ln -f /var/run/mysql/mysql.sock /var/www/var/run/mysql/mysql.sock
        #
        # Postfix chroot Settings
        if [ "X${postfix_flags}" != X"NO" ]; then
            mkdir -p /var/spool/postfix/var/run/mysql
            ln -f /var/run/mysql/mysql.sock /var/spool/postfix/var/run/mysql/mysql.sock
        fi
    fi

11.3 php

• install php:
    # cd /usr/ports/www/php5/
    # make install clean clean-depends
    # /usr/local/sbin/phpxs -s
• uncomment the following in /var/www/conf/httpd.conf:
    AddType application/x-httpd-php .php
• and add index.php to DirectoryIndex:
    DirectoryIndex index.html index.php
• copy php.ini:
    # cp /usr/local/share/examples/php5/php.ini-recommended \
        /var/www/conf/php.ini
• add and activate mysql extension:
    # cd /usr/ports/packages/i386/all/
    # pkg_add php5-mysql
    # /usr/local/sbin/phpxs -a mysql
• add and activate imap extension:
    # cd /usr/ports/packages/i386/all/
    # pkg_add php5-imap
    # /usr/local/sbin/phpxs -a imap
• add and activate ldap extension:
    # cd /usr/ports/packages/i386/all/
    # pkg_add php5-ldap
    # /usr/local/sbin/phpxs -a ldap
• restart apache:
    # apachectl stop
    # apachectl start

11.3.1 phpldapadmin

• install phpldapadmin:
    # cd /usr/ports/www/phpldapadmin
    # make install clean clean-depends
• install and activate php-ldap if not done already:
    # cd /usr/ports/packages/i386/all/
    # pkg_add php5-ldap
    # /usr/local/sbin/phpxs -a ldap
• set a softlink for phpldapadmin:
    # ln -s ../phpldapadmin-1.0.1 /var/www/htdocs/phpldapadmin
• edit /var/www/phpldapadmin-1.0.1/config/config.php to configure phpldapadmin
• maybe create tmp directory if not done already and set it in config.php:
    # mkdir /var/www/tmp
    # chown www:daemon /var/www/tmp
    # chmod 1755 /var/www/tmp

12 x

12.1 configure

• enable (according to platform) machdep.allowaperture in /etc/sysctl.conf
• boot from knoppix and copy x config or run X -configure
• maybe install pciutils to detect vga-card bus:
    # cd /usr/ports/sysutils/pciutils
    # make install clean clean-depends
    # /usr/local/sbin/lspci -v

12.2 fluxbox

• install fluxbox:
    # cd /usr/ports/x11/fluxbox
    # make install clean clean-depends

13 install additional stuff

13.1 mergemaster

• install mergemaster:
    # cd /usr/ports/sysutils/mergemaster/
    # make install clean clean-depends

13.2 gkrellm

• install gkrellm and plugins:
    # cd /usr/ports/sysutils/gkrellm
    # make install clean clean-depends
• edit at least the following lines in /etc/gkrellmd.conf:
    update-hz 3
    max-clients 2
    port 19150
    allow-host localhost
    allow-host 192.168.100.*
• add the specified gkrellm-user and group to your system
• add the following lines to /etc/rc.local:
    # gkrellmd
    if [ -x /usr/local/sbin/gkrellmd ]; then
        echo -n ' gkrellmd'; /usr/local/sbin/gkrellmd -d
    fi
• from clients use:
    # gkrellm -s <server_ip>

13.3 wget

• install wget:
    # cd /usr/ports/net/wget
    # make install clean clean-depends

13.4 unrar

• install unrar:
    # cd /usr/ports/archivers/unrar
    # make install clean clean-depends

13.5 unace

• install unace:
    # cd /usr/ports/archivers/unace
    # make install clean clean-depends

13.6 mpd

• install mpd:
    # cd /usr/ports/audio/mpd
    # make install clean clean-depends
• edit /etc/mpd.conf
• start mpd:
    # /usr/local/sbin/mpd
• add the following lines to /etc/rc.local:
    if [ -x /usr/local/sbin/mpd ]; then
        echo -n ' mpd'; /usr/local/sbin/mpd
    fi

13.7 mplayer

• install mplayer:
    # cd /usr/ports/x11/mplayer
    # env FLAVOR="mad esd sdl ggi" make install clean clean-depends
• add the following line to /etc/sysctl.conf:
    kern.shminfo.shmall=32768

13.8 darkstat

• install darkstat:
    # cd /usr/ports/net/darkstat
    # make install clean clean-depends
• add the following lines to /etc/rc.local:
    if [ -x /usr/local/sbin/darkstat ]; then
        echo -n ' darkstat'; /usr/local/sbin/darkstat -n -i pppoe0 -p 80 -b 192.168.100.1 >/dev/null 2>&1
    fi
