with respect and in deference to The FreeBSD Diary
The aim of this project is to produce a unix server which provides SSH, FTP, SMTP, POP, IMAP, NTP, HTTP (Apache, PERL and PHP), SQL (MySQL), SMB file and print sharing (Samba and CUPS), and email filtering (SpamAssassin) service. An all-in-one drop-in replacement for Windows and Netware servers, basically, with some extra features. I know that unix is more reliable and secure, and is more powerful, than any version of Windows, and I wish to pass these benefits onto my customers.
Note, this server will be on a NATted LAN inside the corporate firewall, which is a separate device, and doubles as a router, DNS server, and ADSL uplink. DHCP is not used.
Looking for a unix desktop instead of a server platform? Check out PC-BSD - This is FreeBSD + KDE (a popular GUI), with a sexy installer, some smart scripts and a bunch of services preinstalled and preconfigured. It doesn't try to be a server - this is a system designed to do the same job as Windows XP. It's very slick indeed.
I then needed to select a distribution - there's NetBSD, OpenBSD and FreeBSD. NetBSD is optimised for portability... I don't need that. OpenBSD's main advantage seems to be security - I didn't feel the need to encrypt my swapspace... so I opted for the high-performance FreeBSD instead. See also a comparison of BSD operating systems and/or Distrowatch for more information.
Hardware-wise, BSD runs on pretty well anything, including the 333MHz AMD K6 in the test server, with 128Mb of RAM and 4Gb of disk (note that I currently recommend a minimum of 10Gb for a FreeBSD 8.x install). BSD can run with fewer resources than these - but it's not recommended. A BIOS with support for ACPI and bootable CD-ROMs is also suggested. While BSD can run on ancient hardware, the limitations this imposes on the flexibility of the system may be excessive. Certainly, for production servers I hope to use the latest and fastest hardware. Note that BSD, being a community-supported OS, does not immediately support new devices; nor do manufacturers usually ship BSD drivers. Ensure that drivers are available, working and stable before committing to a specific device.
Software-wise, aside from the operating system I also had to decide which servers and applications to deploy. I stuck with the tools I knew.
Note: once you've settled on a distribution, you might like to stick with the particular version of the distribution you download, at least for a while. This will allow you to compare and contrast between your builds (you will no doubt do several). If you always use the latest version of the distribution, you will be introducing inconsistencies between your builds, which will be confusing if you are still learning how the system works. So, select your download very carefully. As always, avoid ".0" releases; you want a version number x.1 or higher.
Next, I had to get the FreeBSD CDs. I downloaded the full distribution as an ISO from a mirror; after verifying the MD5 hash for each ISO, I then burned the ISOs onto CDs. If you're not sure how to burn an ISO from a mirror onto a CD, or verify the hashes, this is your cue to open a new browser window and zoom over to your favourite search engine. I did try using BitTorrent to get the ISOs, but it was going to take twice as long, plus saturate my outbound, so I aborted BitTorrent and went for good old FTP.
Assemble the hardware. Try and use known-good hardware if possible. Ensure the drive you are installing FreeBSD on is connected to the Primary IDE channel, and is configured as Master. This is not strictly necessary, and certainly for SCSI setups is not applicable, however unless you know what you're doing, keep it simple. You may need to use a boot manager if you do not install to a drive configured as master on the primary IDE channel. Ensure the machine can see the hard disk and CD-ROM before continuing.
Configure the BIOS. Usually, there's nothing to change, but the system date should be set correctly. Also, the CD-ROM needs to be a bootable device, higher in the boot order than the primary hard disk (just during installation - once the install is complete, it's good security to set the hard disk as the first bootable device, unless otherwise needed). Finally, ACPI should be enabled. If your BIOS does not support booting from CD, or ACPI, my advice is to find a computer that does, and use that, since these features will make your life as admin simpler and faster. Check the BIOS settings, especially the clock, before installing the software.
Put in the CD (use disk 1 for FreeBSD 7.x and below) and boot off it. From the welcome screen that appears, select 1. Boot FreeBSD [default] (if you have problems with crashes during startup or install, try the other options on this first screen, especially ACPI). The next two screens allow country and keymap selection (in FreeBSD 4.11, these options are selected later). I suggest UK, then from the next screen, UK CP850. The sysinstall Main Menu is then displayed; select standard install.
If you have multiple drives in your system, you will now be prompted to select which drive to install to. Select this VERY carefully. If you select the incorrect drive, you are likely to lose all the data on that drive during the install. If you have multiple drives, but you are not prompted to select a drive, that means that FreeBSD has not detected your other drive(s). Check your hardware setup in this case.
FDISK the partition editor will now appear. Check that you are installing to the correct drive - the top-left corner of the FDISK screen shows the Disk Name, which should be ad0 if you are installing to the master drive on your primary IDE channel. If the disk name is correct, press A (to use the entire disk), press down-arrow (to select the new FreeBSD partition), press S (to make the new FreeBSD partition bootable), and finally press Q to quit FDISK. [Note to fellow DOS refugees: FreeBSD calls partitions 'slices'. FreeBSD has partitions too but they are different to DOS-style partitions - in fact they are sub-partitions, and are called labels.]
The installer then prompts to install a boot manager. Select install a standard MBR. If you are doing multiboot, I still recommend you select standard MBR here; I had problems with the FreeBSD boot manager (admittedly, a few years back). You'll need to install a Boot Manager separately in this case (see my multiboot notes for more on this).
Next, the disklabel editor appears; press A to create the default scheme. Customise label sizes as needed, then press Q to quit the label editor. The disklabel editor can be tricky to use, especially if customising the label sizes - fortunately the defaults are often acceptable. For reference, the following FreeBSD-style partitions are required:
Smaller values may work, but will probably not be useful (especially over time). /usr should be as big as possible. Think carefully before proceeding - ensure the scheme you define will suit the machine's intended usage (a mailserver, which by default puts spools in /var, will probably need an extra-large /var, for example). You may need to juggle the sizes of the various labels, particularly if you are installing on a disk 4Gb or less in size. Once the label sizes are defined, it's difficult to change them without reinstalling the system from scratch. Unfortunately, FreeBSD is not yet blessed with tools like Ghost and Partition Magic (although you could try PING if you were brave).
With label sizes defined, the installer then prompts for an installation type - select Developer, unless you have a preference otherwise.
In FreeBSD 8.x, the next screen to appear asks whether to install documentation. Selecting the correct documentation for your language is recommended.
The installer then asks whether to install the ports collection. If the ports collection is not installed, this can cause difficulty in some circumstances, so electing to install the ports here is recommended.
The installer then returns to the "choose distribution" screen - your previous selection should now be marked with an X. If this is the case, press the Tab key to move the cursor to the OK button, then press the Space bar to press OK.
Select your installation media.
Read the next screen carefully - if you're happy that you're about to erase your hard disk, press Enter to continue! The hard disk will then be partitioned and formatted, and system files will be copied to the disk (this process takes some time). When the install is completed, a congratulations message will appear.
The installer then proceeds to the "final configuration questions". These vary depending on previous choices and the distribution being installed (docs: handbook).
Press the X key to exit the installer and reboot, not forgetting to eject the CD.
FreeBSD 7.x and below only: to complete the install, enter some "random entropy" for SSH key generation - this is done on first boot, follow the onscreen instructions (this step won't appear if you did not elect to enable SSH during install).
This done, you should be able to login as root, and immediately ping yahoo.com!
Note: if installing FreeBSD in a dual- or multi-boot system, a boot manager should be installed at this point. You may also wish to remove the ability to boot from CD from the BIOS.
You should now continue to the next section.
SSH: (docs: handbook; manpage - daemon; manpage - config file)
During install, you may have selected "Yes, enable SSH login" - while this generates keys and configures the SSH daemon to start on boot, it crucially does not automatically allow anyone to login remotely (including root). To permit a user to login, first login to the console as root, then:
# /etc/ssh/sshd_config - usernames are matched case-sensitively
# denied users
DenyUsers Administrator Guest root
# permitted users
AllowUsers username@IP.address.you.use
username is usually the username associated with the sysadmin's personal account (created above, member of group 'wheel'). Do not permit root to login remotely. A more secure configuration is to permit a user who can 'su' to root instead. The configuration above denies root login, and permits access only by the system administrator's personal account (who can 'su' as needed, as the account is a member of the wheel group).
IP.address.you.use is the IP address of the computer you use to connect to the server. Failing to add the AllowUsers line permits users to login from anywhere. Failing to add the IP address permits the user specified to login from anywhere.
Remember to restart the daemon after you save your changes to its configuration file. It only reads the file when it starts up.
Note: this configuration permits use of password-based authentication, which is vulnerable to brute-forcing. Key-based authentication is more secure. However, in the configuration above an IP address is specified on the AllowUsers line, which means that a brute-force attack can only be successful if it is made from that IP address. denyhosts can be used to ban problem IPs. Nonetheless, key-based authentication is much better, and is recommended.
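To check a config file against the points made above (an AllowUsers entry with no @host part, a missing AllowUsers line, root login, password authentication), here is an added lint script; it is not from the original page, and the two sample configs it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original page: lint an sshd_config for the
# mistakes the text warns about (an AllowUsers entry with no @host part, or
# no AllowUsers line at all), plus PermitRootLogin and password auth.
# Usage: lint_sshd_config /path/to/sshd_config ; exit status = number of WARNs.

lint_sshd_config() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blanks
        tolower($1) == "allowusers" {
            seen_allow = 1
            for (i = 2; i <= NF; i++)
                if ($i !~ /@/) {
                    printf "WARN: AllowUsers \"%s\" has no @host part: may log in from any address\n", $i
                    warns++
                }
        }
        tolower($1) == "permitrootlogin" {
            seen_root = 1
            if (tolower($2) != "no") {
                printf "WARN: PermitRootLogin is \"%s\"; set it to no and su from a wheel account\n", $2
                warns++
            }
        }
        tolower($1) == "passwordauthentication" && tolower($2) == "yes" {
            print "INFO: password authentication enabled; key-based auth resists brute-forcing"
        }
        END {
            if (!seen_allow) { print "WARN: no AllowUsers line: every account may log in"; warns++ }
            if (!seen_root)  { print "WARN: PermitRootLogin not set explicitly; add \"PermitRootLogin no\""; warns++ }
            exit warns
        }
    ' "$1"
}

# Constructed sample configs for the demonstration (not real server files).
tmp=$(mktemp -d)
cat > "$tmp/weak.conf" <<'EOF'
# the snippet from the text, but without the address restriction
DenyUsers Administrator Guest root
AllowUsers username
PasswordAuthentication yes
EOF
cat > "$tmp/hardened.conf" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
DenyUsers Administrator Guest root
AllowUsers username@192.0.2.10
EOF

for f in weak hardened; do
    echo "== $f.conf"
    lint_sshd_config "$tmp/$f.conf" || echo "($? warning(s))"
done
```

Run it against the live file with `lint_sshd_config /etc/ssh/sshd_config` after editing and before restarting the daemon.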
The rest of the build can be completed remotely (via SSH), if desired. If you wish to connect remotely via SSH, and a firewall is in between, forward the SSH port 22/TCP to the server now. Also, check that port 22/TCP is open on the firewall. It's good security to use an alternate port, if possible (forward, for example, firewall/external port 6666 to server/internal port 22 - you then specify port 6666 in your SSH client and the firewall maps the traffic to port 22 on the server).
SSH issues? Have a look in /var/log/auth.log
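When reading auth.log, what matters most is which addresses are repeatedly failing. This added script (not from the original page) counts sshd failures per source address over constructed sample lines in FreeBSD syslog format; the threshold helper picks out sources a denyhosts-style block would target.

```shell
#!/bin/sh
# Added example, not part of the original page: summarise sshd authentication
# failures in /var/log/auth.log by source address, so repeated brute-force
# attempts stand out. Both "Failed password" and the AllowUsers rejection
# message are counted; accepted logins are ignored.

failed_login_summary() {
    # prints "<count> <ip>" lines, busiest source first
    awk '
        /sshd\[[0-9]+\]: Failed password for/ ||
        /sshd\[[0-9]+\]: User .* not allowed because not listed in AllowUsers/ {
            for (i = 1; i < NF; i++)
                if ($i == "from") { hits[$(i + 1)]++; break }
        }
        END { for (ip in hits) printf "%d %s\n", hits[ip], ip }
    ' "$1" | sort -rn
}

# sources with at least $2 failures in log $1 (candidates for a denyhosts-style ban)
sources_over() {
    failed_login_summary "$1" | awk -v n="$2" '$1 >= n { print $2 }'
}

# Constructed sample log lines in FreeBSD syslog format (not a real capture).
log=$(mktemp)
cat > "$log" <<'EOF'
Jan 12 10:22:01 srv sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 12 10:22:03 srv sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Jan 12 10:22:05 srv sshd[1203]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan 12 10:23:10 srv sshd[1210]: User username from 198.51.100.7 not allowed because not listed in AllowUsers
Jan 12 10:25:44 srv sshd[1220]: Accepted publickey for username from 192.0.2.10 port 40022 ssh2
EOF

echo "failures per source:"
failed_login_summary "$log"
echo "sources with 3 or more failures:"
sources_over "$log" 3
```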
You should now continue to the next section.
freebsd-update: (docs: handbook; manpage)
To update a new install OR an existing system, which is currently FreeBSD 6.3 or higher, use the freebsd-update utility as follows:
This step should NOT be skipped if you're doing a new install. The installation media is likely to contain code that has since been updated.
Note that as freebsd-update is included in the base install, there's no need to install it from ports.
Warning: freebsd-update creates a work directory in /var/db/freebsd-update. This can get large (approx 800Mb as of December 2014). Ensure you have at least 1Gb of free space on /var before using freebsd-update. If this is not feasible, it's possible to change the location of the work directory, as follows:
If freebsd-update consistently fails on the same file (unexpected end of file? incorrect hash?), try this:
You should now continue to the next section.
portaudit: (docs: manpage)
portaudit is a useful tool that prevents the installation of ports containing known vulnerabilities. It also checks existing ports for known vulnerabilities.
How to install:
At any time, you can now check all ports for vulnerabilities with the command:
You should now continue to the next section.
portsnap: (docs: handbook)
portsnap is used to update the ports collection. portsnap is installed with the base system, for FreeBSD 6 and up (earlier versions require it to be installed from the ports collection).
To initialise portsnap, and update to the latest ports tree, login as root, and do this:
portsnap fetch extract
This command is only required when portsnap is first run. To update the ports tree at a later time (i.e. once portsnap has been initialised, as above):
portsnap fetch update
...And that's it! The installation of FreeBSD is complete. It's now possible to install the services, as described in the following sections.
NTP: (docs: handbook; manpage)
An NTP daemon is installed by default; use this procedure to configure and start it:
ntpdate_flags="time.server.to.use"
ntpdate_enable="YES"
ntpd_enable="YES"
ntpd_sync_on_start="YES"
# activity log
logfile /var/log/ntpd.log
# security fix - see http://www.kb.cert.org/vuls/id/348126
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
FTP: (docs: handbook - ftp; handbook - inetd; manpage - inetd)
An FTP server is installed by default; use this procedure to configure and start it:
Sendmail is installed and enabled by default. Use this procedure to configure it:
The instructions once given here, which were for configuring sendmail in outbound-only mode, are no longer recommended for use, and instead, ssmtp is suggested (I hope to add instructions for this soon).
HTTP (Apache): (docs: handbook; homepage: Apache)
Note: newer versions of FreeBSD install Apache, if it is not installed when PHP is installed. If you've already installed PHP, skip to step 3 of the instructions below. If you get a blank page at step 3, you need to start at step 1.
Note, ensure to change the second instance of the <Directory> line - it's underneath the text "This should be changed to whatever you set DocumentRoot to."
DirectoryIndex index.php index.html index.htm
## BEGIN extra PHP filetypes ##
AddType application/x-httpd-php .php .php3 .php4 .php5 .phtml .html .htm
AddType application/x-httpd-php-source .phps
## END extra PHP filetypes ##
LoadModule php5_module libexec/apache/libphp5.so
# Apache 1.x only - do not use with Apache 2 (httpd.conf does not allow trailing comments, so this note must stay on its own line)
AddModule mod_php5.c
PHP: (docs: PHP)
Warning: newer versions of FreeBSD install Apache, if it is not installed when PHP is installed. If you planned on, for example, installing an exotic build of Apache, ensure to install it before installing PHP.
To install PHP:
Note: if this is a production server, use /usr/local/etc/php.ini-production instead. The production INI is more secure, but less flexible.
Note: older versions of PHP come with differently-named sample INIs, try /usr/local/etc/php.ini-recommended in this case. List /usr/local/etc/ and look for files starting with php, if you have problems.
There are too many options to cover here, but recommended options, in addition to the defaults, include CURL, GD, MCRYPT, MYSQL, MYSQLI, and OPENSSL.
SMB (Samba): (docs: handbook; manpages; HOW-TO collection)
There are many ways to use Samba. Below are five different methods:
Samba has a web-based administration tool called SWAT. Note that SWAT will rewrite smb.conf, removing all comments and unnecessary settings. Do not open SWAT if you want to keep your smb.conf 'as is'. To install it:
SWAT will then be accessible at http://localhost:901/ (the root username and password are required)
Note also that SWAT uses inetd. Enable it if necessary with the following:
To start inetd manually: /etc/rc.d/inetd start
mount_smbfs //ms-windows-user-id@MS-SERVER-NAME/MS-Windows-Share /mnt/mountpoint
mount_smbfs //trevor@bigserver/shared /mnt/shared
CUPS (and printserving with Samba): (docs: samba CUPS)
CUPS is not installed by default. Note that Samba should be installed before CUPS. Install CUPS as follows:
IP.address.you.use is the IP address of the computer you use to connect to the server.
The Samba/CUPS interface must then be configured:
enable and run CUPS:
Then configure a printer:
This done, Windows users will be able to browse for the printer and add it as usual to their systems. They will be prompted for drivers which they must install locally.
Note: the above notes assume the printer is connected directly to the server's parallel port. If the printer is connected via a printserver, substitute the protocol and device path above as appropriate, examples: lpd://192.168.0.90/p1 or lpd://yourprintserver/p2
Note: it may take a few minutes for the printer you have shared ("published") to become visible to client computers.
Note: if the server is being configured remotely with SSH, it's possible to create a tunnel to port 631, and then use a local web browser to connect, through the tunnel, to the CUPS control panel, using an address such as http://localhost:3000/ (where 3000 is the local port where the SSH tunnel terminates).
Note: the CUPS logfile, very useful for troubleshooting, can be found in /var/log/cups/
Note: the CUPS admin panel may autodetect network printers, if so it provides a wizard to add them to the CUPS configuration. However this wizard creates sharenames that are incompatible with/invisible to Windows 9x clients. Ensure to use short sharenames (11 characters or less) if Windows 9x clients are in use. The printer will need to be added manually in order to define a sharename.
Note: printing under unix is not straightforward, and I'm not an expert. While this section works, in that Windows clients can print to the unix printer, this section leaves out certain things (i.e. the ability to print from the server to the printer, and loading Windows drivers onto the server).
Issues? See troubleshooting printing with CUPS
POP/IMAP (Dovecot): (docs: Dovecot)
A POP server is not installed by default. I installed Dovecot from the ports collection (it supports IMAP as well):
The server can be started manually with the command: dovecot
For troubleshooting and administration, use the doveadm command - to see an error log: doveadm log errors (docs: doveadm)
Note that SSL must be disabled if SSL certificates have not been generated.
SQL (MySQL): (docs: MySQL)
MySQL is not installed by default. How to install and configure it from the ports collection:
cd /usr/ports/databases/mysql50-server
make install clean
mkdir /data
mkdir /data/db
mkdir /data/db/mysql
chown -R mysql /data/db/mysql/
chgrp -R mysql /data/db/mysql/
Note: the default directory MySQL uses is /var/db/mysql/ however it has been changed to /data/db/mysql/ in this example.
Note: a MySQL user and group are required, however these are created automatically by the installer.
# --datadir must be the same directory that is chown'd above and set as mysql_dbdir in rc.conf below
/usr/local/bin/mysql_install_db -u mysql --datadir=/data/db/mysql
Note: If a bunch of 'cannot find file' messages appear here, check the permissions on the data directory.
echo mysql_enable=\"YES\" >> /etc/rc.conf
echo mysql_dbdir=\"/data/db/mysql\" >> /etc/rc.conf
If there are problems, check the file server.err in the MySQL data directory for error messages (the actual name of the file will not be server.err, "server" is substituted for your machine's hostname). Don't skip the reboot - it can fix at least one transient post-install issue.
mysqladmin -u root password 'ROOT_PASSWORD'
mysql -uroot -pROOT_PASSWORD -e"GRANT ALL PRIVILEGES ON *.* TO 'root'@'IP.address.you.use' IDENTIFIED BY 'ROOT_PASSWORD'"
mysql -uroot -pROOT_PASSWORD -e"GRANT SHUTDOWN ON *.* TO 'root'@'IP.address.you.use' IDENTIFIED BY 'ROOT_PASSWORD'"
IP.address.you.use is the IP address of the computer you use to connect to the server.
mysqladmin -uroot -pROOT_PASSWORD -hlocalhost CREATE DATABASENAME
mysql -uroot -pROOT_PASSWORD -e"GRANT ALL PRIVILEGES ON DATABASENAME.* TO 'USERNAME'@'localhost' IDENTIFIED BY 'SECRET_PASSWORD'"
In the above commandlines, substitute ROOT_PASSWORD, DATABASENAME, USERNAME and SECRET_PASSWORD for the correct values for your environment.
Installing software from the packages collection is done as follows:
The ports collection (docs: handbook)
The "old package tools" are apparently deprecated. To switch to pkg:
This apparently occurs when the version of FreeBSD in use is no longer compatible with the ports tree. To fix, use freebsd-update to upgrade to a supported version of FreeBSD (see doing a minor version upgrade for details).
I've only played with this a bit so nothing in-depth here, however I did try installing FreeBSD on an empty second hard disk in a machine running Windows 2000 Server. During FreeBSD's install I elected to install the Boot Manager, as suggested by the installer, so I could select which operating system to boot.
However, the Boot Manager seemed to corrupt my MBR. I got a nasty message from W2KS when I tried to log in - "your paging file is too small", a known fault - but after running the fix and rebooting I got an even nastier message from W2KS asking me to reboot in Directory Services Restore Mode. At this point I broke out my Ghost image and restored my W2KS installation from a backup.
I found a third-party boot manager called GAG which did the trick. I reinstalled FreeBSD, this time telling it to leave the MBR alone, then installed GAG. Sorted.