Linux Install/Commands Quick Search Engine :


Wednesday, April 29, 2009

Linux Commands miscellaneous

alias hd='od -Ax -tx1z -v'        # Handy hexdump (usage e.g.: hd /proc/self/cmdline | less)
alias realpath='readlink -f'      # Canonicalize path (usage e.g.: realpath ~/../$USER)
set | grep $USER                  # Search current environment
touch -c -t 0304050607 file       # Set file timestamp (YYMMDDhhmm)
python -m SimpleHTTPServer        # Serve current directory tree at http://$HOSTNAME:8000/
YOU CAN USE QUICK SEARCH ENGINE IN THE TOP FOR MORE INFORMATIONS DOWNLOADS OR DETAILS.

Linux Commands system information

uname -a                                         # Show kernel version and system architecture
head -n1 /etc/issue                              # Show name and version of distribution
cat /proc/partitions                             # Show all partitions registered on the system
grep MemTotal /proc/meminfo                      # Show RAM total seen by the system
grep "model name" /proc/cpuinfo                  # Show CPU(s) info
lspci -tv                                        # Show PCI info
lsusb -tv                                        # Show USB info
mount | column -t                                # List mounted filesystems on the system (and align output)
grep -F capacity: /proc/acpi/battery/BAT0/info   # Show state of cells in laptop battery
dmidecode -q | less                              # Display SMBIOS/DMI information (run as root)
smartctl -A /dev/sda | grep Power_On_Hours       # How long has this disk (system) been powered on in total (run as root)
hdparm -i /dev/sda                               # Show info about disk sda (run as root)
hdparm -tT /dev/sda                              # Do a read speed test on disk sda (run as root)
badblocks -s /dev/sda                            # Test for unreadable blocks on disk sda (run as root)


Linux Commands interactive

• readline Line editor used by bash, python, bc, gnuplot, ...
• screen Virtual terminals with detach capability, ...
• mc Powerful file manager that can browse rpm, tar, ftp, ssh, ...
• gnuplot Interactive/scriptable graphing
• links Web browser
• xdg-open http://www.website.xxx/ open a file or url with the registered desktop application


Linux Commands monitoring/debugging

tail -f /var/log/messages                            # Monitor messages in a log file
strace -c ls >/dev/null                              # Summarise/profile system calls made by command
strace -f -e open ls >/dev/null                      # List system calls made by command
ltrace -f -e getenv ls >/dev/null                    # List library calls made by command
lsof -p $$                                           # List paths that process id has open
lsof ~                                               # List processes that have specified path open
tcpdump not port 22                                  # Show network traffic except ssh
ps -e -o pid,args --forest                           # List processes in a hierarchy
ps -e -o pcpu,cpu,nice,state,cputime,args --sort pcpu | sed '/^ 0.0 /d'   # List processes by % cpu usage
ps -e -orss=,args= | sort -b -k1,1n | pr -TW$COLUMNS   # List processes by mem usage
ps -C firefox-bin -L -o pid,tid,pcpu,state           # List all threads for a particular process
ps -p 1,2                                            # List info for particular process IDs
last reboot                                          # Show system reboot history
free -m                                              # Show amount of (remaining) RAM (-m displays in MB)
watch -n.1 'cat /proc/interrupts'                    # Watch changeable data continuously


Linux Commands disk space

ls -lSr                                      # Show files by size, biggest last
du -s * | sort -k1,1rn | head                # Show top disk users in current dir
df -h                                        # Show free space on mounted filesystems
df -i                                        # Show free inodes on mounted filesystems
fdisk -l                                     # Show disks partitions sizes and types (run as root)
rpm -q -a --qf '%10{SIZE}\t%{NAME}\n' | sort -k1,1n                   # List all packages by installed size (Bytes) on rpm distros
dpkg-query -W -f='${Installed-Size;10}\t${Package}\n' | sort -k1,1n   # List all packages by installed size (KBytes) on deb distros
dd bs=1 seek=2TB if=/dev/null of=ext3.test   # Create a large test file (taking no space)
> file                                       # Truncate data of file or create an empty file


Linux Commands CDs


gzip < /dev/cdrom > cdrom.iso.gz                          # Save copy of data cdrom
mkisofs -V LABEL -r dir | gzip > cdrom.iso.gz             # Create cdrom image from contents of dir
mount -o loop cdrom.iso /mnt/dir                          # Mount the cdrom image at /mnt/dir (read only)
cdrecord -v dev=/dev/cdrom blank=fast                     # Clear a CDRW
gzip -dc cdrom.iso.gz | cdrecord -v dev=/dev/cdrom -      # Burn cdrom image (use dev=ATAPI -scanbus to confirm dev)
cdparanoia -B                                             # Rip audio tracks from CD to wav files in current dir
cdrecord -v dev=/dev/cdrom -audio *.wav                   # Make audio CD from all wavs in current dir (see also cdrdao)
oggenc --tracknum='track' track.cdda.wav -o 'track.ogg'   # Make ogg file from wav file


Linux Commands recode (Obsoletes iconv, dos2unix, unix2dos)

recode -l | less                                # Show available conversions (aliases on each line)
recode windows-1252.. file_to_change.txt        # Windows "ansi" to local charset (auto does CRLF conversion)
recode utf-8/CRLF.. file_to_change.txt          # Windows utf8 to local charset
recode iso-8859-15..utf8 file_to_change.txt     # Latin9 (western europe) to utf8
recode ../b64 <> file.b64                       # Base64 encode
recode /qp.. <> file.qp                         # Quoted printable decode
recode ..HTML <> file.html                      # Text to HTML
recode -lf windows-1252 | grep euro             # Lookup table of characters
echo -n 0x80 | recode latin-9/x1..dump          # Show what a code represents in latin-9 charmap
echo -n 0x20AC | recode ucs-2/x2..latin-9/x     # Show latin-9 encoding
echo -n 0x20AC | recode ucs-2/x2..utf-8/x       # Show utf-8 encoding


Linux Commands locales

printf "%'d\n" 1234                               # Print number with thousands grouping appropriate to locale
BLOCK_SIZE=\'1 ls -l                              # Get ls to do thousands grouping appropriate to locale
echo "I live in `locale territory`"               # Extract info from locale database
LANG=en_IE.utf8 locale int_prefix                 # Lookup locale info for specific country
locale | cut -d= -f1 | xargs locale -kc | less    # List fields available in locale database



Linux Commands calendar

cal -3                                                 # Display a calendar
cal 9 1752                                             # Display a calendar for a particular month year
date -d fri                                            # What date is it this friday. See also day
[ $(date -d "tomorrow" +%d) = "01" ] || exit           # Exit a script unless it's the last day of the month
date --date='25 Dec' +%A                               # What day does xmas fall on, this year
date --date='@2147483647'                              # Convert seconds since the epoch (1970-01-01 UTC) to date
TZ=':America/Los_Angeles' date                         # What time is it on West coast of US (use tzselect to find TZ)
echo "mail -s 'get the train' P@draigBrady.com < /dev/null" | at 17:45   # Email reminder
echo "DISPLAY=$DISPLAY xmessage cooker" | at "NOW + 30 minutes"          # Popup reminder


Linux Commands math

echo '(1 + sqrt(5))/2' | bc -l                                          # Quick math (calculate φ)
echo 'pad=20; min=64; (100*10^6)/((pad+min)*8)' | bc                     # More complex (int), e.g. this shows max FastE packet rate
echo 'pad=20; min=64; print (100E6)/((pad+min)*8)' | python              # Python handles scientific notation
echo 'pad=20; plot [64:1518] (100*10**6)/((pad+x)*8)' | gnuplot -persist   # Plot FastE packet rate vs packet size
echo 'obase=16; ibase=10; 64206' | bc                                    # Base conversion (decimal to hexadecimal)
echo $((0x2dec))                                                         # Base conversion (hex to dec) (shell arithmetic expansion)
units -t '100m/9,96s' 'miles/hour'                                       # Unit conversion (metric to imperial)
units -t '500GB' 'GiB'                                                   # Unit conversion (SI to IEC prefixes)
units -t '1 googol'                                                      # Definition lookup
seq 100 | (tr '\n' +; echo 0) | bc                                       # Add a column of numbers


Linux Commands set operations

sort file1 file2 | uniq               # Union of unsorted files
sort file1 file2 | uniq -d            # Intersection of unsorted files
sort file1 file1 file2 | uniq -u      # Difference of unsorted files
sort file1 file2 | uniq -u            # Symmetric difference of unsorted files
join -a1 -a2 file1 file2              # Union of sorted files
join file1 file2                      # Intersection of sorted files
join -v2 file1 file2                  # Difference of sorted files
join -v1 -v2 file1 file2              # Symmetric difference of sorted files
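The four sort/uniq idioms above, run on two small files, as an added example that is not part of the original list; the set_* helper names and the sample files are constructed here. Two details the one-liners hide: the "difference" form sort file1 file1 file2 | uniq -u keeps the lines that are only in file2, and the -d/-u counting tricks assume that no file repeats a line, so the inputs are deduplicated first.

```shell
#!/bin/sh
# Set operations on line-oriented files with sort and uniq, run on constructed
# sample files. Added example, not part of the original list: the set_*
# helpers and the two files are constructed here.
set -eu

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
f1=$workdir/file1
f2=$workdir/file2

# Constructed inputs; "banana" is deliberately repeated inside file1.
printf '%s\n' cherry apple banana banana > "$f1"
printf '%s\n' date banana cherry > "$f2"

# uniq -d / uniq -u count repetitions across the concatenation, so a line
# repeated inside one file would be miscounted; deduplicate each file first.
dedup() { sort -u "$1" -o "$1"; }
dedup "$f1"
dedup "$f2"

set_union()        { sort "$1" "$2" | uniq; }
set_intersection() { sort "$1" "$2" | uniq -d; }
# Lines of $1 not in $2: $2 is fed twice so none of its lines survive
# uniq -u, while a line found only in $1 occurs exactly once.
set_minus()        { sort "$2" "$2" "$1" | uniq -u; }
set_symdiff()      { sort "$1" "$2" | uniq -u; }

# Join output lines with spaces so results are easy to compare.
oneline() { tr '\n' ' ' | sed 's/ $//'; }

union=$(set_union "$f1" "$f2" | oneline)
inter=$(set_intersection "$f1" "$f2" | oneline)
minus=$(set_minus "$f1" "$f2" | oneline)
symdiff=$(set_symdiff "$f1" "$f2" | oneline)

printf 'union:       %s\nintersect:   %s\nfile1-file2: %s\nsymdiff:     %s\n' \
    "$union" "$inter" "$minus" "$symdiff"
```

The join variants in the list need both inputs already sorted on the join field; the sort/uniq forms above work on unsorted input, which is why they are the ones shown.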


Linux Commands text manipulation


sed 's/string1/string2/g'                       # Replace string1 with string2
sed 's/\(.*\)1/\12/g'                           # Modify anystring1 to anystring2
sed '/ *#/d; /^ *$/d'                           # Remove comments and blank lines
sed ':a; /\\$/N; s/\\\n//; ta'                  # Concatenate lines with trailing \
sed 's/[ \t]*$//'                               # Remove trailing spaces from lines
sed 's/\([`"$\\]\)/\\\1/g'                      # Escape shell metacharacters active within double quotes
seq 10 | sed "s/^/ /; s/ *\(.\{7,\}\)/\1/"      # Right align numbers
sed -n '1000p;1000q'                            # Print 1000th line
sed -n '10,20p;20q'                             # Print lines 10 to 20
sed -i 42d ~/.ssh/known_hosts                   # Delete a particular line
sort -t. -k1,1n -k2,2n -k3,3n -k4,4n            # Sort IPv4 addresses
echo 'Test' | tr '[:lower:]' '[:upper:]'        # Case conversion
tr -dc '[:print:]' < /dev/urandom               # Filter non printable characters
history | wc -l                                 # Count lines
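Two of the sed idioms above, run on constructed input, as an added example that is not part of the original list; the function names and the sample text are assumptions made here. The first shows a failure mode of the comment stripper: its pattern is unanchored, so any line containing "#" is deleted, including a setting whose value merely contains one, which an anchored pattern avoids. The second shows that the metacharacter escaper really does make arbitrary text safe inside double quotes, by evaluating the escaped text and checking that the original comes back.

```shell
#!/bin/sh
# Two sed idioms from the list, run on constructed input. Added example, not
# from the original list: function names and sample text are constructed here.
set -eu

# Constructed config-like text: a comment line, a setting, a blank line and a
# setting whose value merely contains '#'.
sample=$(printf '%s\n' '# real comment' 'user=alice' '' 'color=#fff')

# The unanchored pattern matches '#' anywhere, so "color=#fff" is lost too.
strip_comments_loose()  { sed '/ *#/d; /^ *$/d'; }
# Anchoring at start of line only drops lines that begin with a comment.
strip_comments_strict() { sed '/^ *#/d; /^ *$/d'; }

# Join output lines with spaces so results are easy to compare.
oneline() { tr '\n' ' ' | sed 's/ $//'; }

loose=$(printf '%s\n' "$sample" | strip_comments_loose | oneline)
strict=$(printf '%s\n' "$sample" | strip_comments_strict | oneline)

# Escape the characters that stay active inside double quotes, then prove the
# round trip: evaluating the escaped text inside double quotes restores it.
escape_dq() { sed 's/\([`"$\\]\)/\\\1/g'; }

original='price is $5 `date` "q" \'
escaped=$(printf '%s\n' "$original" | escape_dq)
eval "roundtrip=\"$escaped\""

printf 'loose:   %s\nstrict:  %s\nescaped: %s\n' "$loose" "$strict" "$escaped"
```

The round trip is the check worth keeping: if escape_dq missed a character, the eval would either execute the embedded command substitution or produce a different string, and the comparison would fail.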


Linux Commands windows networking

(Note samba is the package that provides all this windows specific networking support)
smbtree                                                            # Find windows machines. See also findsmb
nmblookup -A 1.2.3.4                                               # Find the windows (netbios) name associated with ip address
smbclient -L windows_box                                           # List shares on windows machine or samba server
mount -t smbfs -o fmask=666,guest //windows_box/share /mnt/share   # Mount a windows share
echo 'message' | smbclient -M windows_box                          # Send popup to windows machine (off by default in XP sp2)


Linux Commands networking (Note ifconfig, route, mii-tool, nslookup commands are obsolete)

ethtool eth0                                                # Show status of ethernet interface eth0
ethtool --change eth0 autoneg off speed 100 duplex full     # Manually set ethernet interface speed
iwconfig eth1                                               # Show status of wireless interface eth1
iwconfig eth1 rate 1Mb/s fixed                              # Manually set wireless interface speed
iwlist scan                                                 # List wireless networks in range
ip link show                                                # List network interfaces
ip link set dev eth0 name wan                               # Rename interface eth0 to wan
ip link set dev eth0 up                                     # Bring interface eth0 up (or down)
ip addr show                                                # List addresses for interfaces
ip addr add 1.2.3.4/24 brd + dev eth0                       # Add (or del) ip and mask (255.255.255.0)
ip route show                                               # List routing table
ip route add default via 1.2.3.254                          # Set default gateway to 1.2.3.254
tc qdisc add dev lo root handle 1:0 netem delay 20msec      # Add 20ms latency to loopback device (for testing)
tc qdisc del dev lo root                                    # Remove latency added above
host pixelbeat.org                                          # Lookup DNS ip address for name or vice versa
hostname -i                                                 # Lookup local ip address (equivalent to host `hostname`)
whois pixelbeat.org                                         # Lookup whois info for hostname or ip address
netstat -tupl                                               # List internet services on a system
netstat -tup                                                # List active connections to/from system


Linux Commands wget (multi purpose download tool)

(cd dir/ && wget -nd -pHEKk http://www.pixelbeat.org/cmdline.html)         # Store local browsable version of a page to the current dir
wget -c http://www.example.com/large.file                                   # Continue downloading a partially downloaded file
wget -r -nd -np -l1 -A '*.jpg' http://www.example.com/dir/                  # Download a set of files to the current directory
wget ftp://remote/file[1-9].iso/                                            # FTP supports globbing directly
wget -q -O- http://www.pixelbeat.org/timeline.html | grep 'a href' | head   # Process output directly
echo 'wget url' | at 01:00                                                  # Download url at 1AM to current dir
wget --limit-rate=20k url                                                   # Do a low priority download (limit to 20KB/s in this case)
wget -nv --spider --force-html -i bookmarks.html                            # Check links in a file
wget --mirror http://www.example.com/                                       # Efficiently update a local copy of a site (handy from cron)


Linux Commands ssh (Secure SHell)


ssh $USER@$HOST command                    # Run command on $HOST as $USER (default command=shell)
ssh -f -Y $USER@$HOSTNAME xeyes            # Run GUI command on $HOSTNAME as $USER
scp -p -r $USER@$HOST: file dir/           # Copy with permissions to $USER's home directory on $HOST
ssh -g -L 8080:localhost:80 root@$HOST     # Forward connections to $HOSTNAME:8080 out to $HOST:80
ssh -R 1434:imap:143 root@$HOST            # Forward connections from $HOST:1434 in to imap:143


Linux Commands rsync (Network efficient file copier: Use the --dry-run option for testing)


rsync -P rsync://rsync.server.com/path/to/file file                   # Only get diffs. Do multiple times for troublesome downloads
rsync --bwlimit=1000 fromfile tofile                                  # Locally copy with rate limit. It's like nice for I/O
rsync -az -e ssh --delete ~/public_html/ remote.com:'~/public_html'   # Mirror web site (using compression and encryption)
rsync -auz -e ssh remote:/dir/ . && rsync -auz -e ssh . remote:/dir/  # Synchronize current directory with remote one

Linux Commands archives and compression


gpg -c file                                                                  # Encrypt file
gpg file.gpg                                                                 # Decrypt file
tar -c dir/ | bzip2 > dir.tar.bz2                                            # Make compressed archive of dir/
bzip2 -dc dir.tar.bz2 | tar -x                                               # Extract archive (use gzip instead of bzip2 for tar.gz files)
tar -c dir/ | gzip | gpg -c | ssh user@remote 'dd of=dir.tar.gz.gpg'         # Make encrypted archive of dir/ on remote machine
find dir/ -name '*.txt' | tar -c --files-from=- | bzip2 > dir_txt.tar.bz2    # Make archive of subset of dir/ and below
find dir/ -name '*.txt' | xargs cp -a --target-directory=dir_txt/ --parents  # Make copy of subset of dir/ and below
( tar -c /dir/to/copy ) | ( cd /where/to/ && tar -x -p )                     # Copy (with permissions) copy/ dir to /where/to/ dir
( cd /dir/to/copy && tar -c . ) | ( cd /where/to/ && tar -x -p )             # Copy (with permissions) contents of copy/ dir to /where/to/
( tar -c /dir/to/copy ) | ssh -C user@remote 'cd /where/to/ && tar -x -p'    # Copy (with permissions) copy/ dir to remote:/where/to/ dir
dd bs=1M if=/dev/sda | gzip | ssh user@remote 'dd of=sda.gz'                 # Backup harddisk to remote machine

Linux Commands file searching

alias l='ls -l --color=auto'                                              # Quick dir listing
ls -lrt                                                                   # List files by date
ls /usr/bin | pr -T9 -W$COLUMNS                                           # Print in 9 columns to width of terminal
find -name '*.[ch]' | xargs grep -E 'expr'                                # Search 'expr' in this dir and below
find -type f -print0 | xargs -r0 grep -F 'example'                        # Search all regular files for 'example' in this dir and below
find -maxdepth 1 -type f | xargs grep -F 'example'                        # Search all regular files for 'example' in this dir
find -maxdepth 1 -type d | while read dir; do echo $dir; echo cmd2; done  # Process each item with multiple commands (in while loop)
find -type f ! -perm -444                                                 # Find files not readable by all (useful for web site)
find -type d ! -perm -111                                                 # Find dirs not accessible by all (useful for web site)
locate -r 'file[^/]*\.txt'                                                # Search cached index for names. This re is like glob *file*.txt
look reference                                                            # Quickly search (sorted) dictionary for prefix
grep --color reference /usr/share/dict/words                              # Highlight occurrences of regular expression in dictionary
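The two permission checks above (files not readable by all, directories not traversable by all), run against a constructed directory tree, as an added example that is not part of the original list; the function names and the sample tree are assumptions made here. One portability point: the list relies on GNU find starting from "." when no path is given, while BSD find requires the path, so it is passed explicitly.

```shell
#!/bin/sh
# Run the two permission checks from the list against a constructed tree.
# Added example, not from the original page: the function names and the
# sample tree are constructed here.
set -eu

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Sample web root: one world-readable file and one private file/directory.
# Modes are set explicitly so the result does not depend on the umask.
mkdir -p "$workdir/site/public" "$workdir/site/private"
: > "$workdir/site/public/index.html"
: > "$workdir/site/private/secrets.txt"
chmod 755 "$workdir/site" "$workdir/site/public"
chmod 700 "$workdir/site/private"
chmod 644 "$workdir/site/public/index.html"
chmod 600 "$workdir/site/private/secrets.txt"

# -perm -444 means "all of the r bits for user, group and other are set";
# negating it lists files that at least one class cannot read.
files_not_world_readable() { ( cd "$1" && find . -type f ! -perm -444 | sort ); }
# Same idea with the x bits: directories some class cannot traverse.
dirs_not_world_searchable() { ( cd "$1" && find . -type d ! -perm -111 | sort ); }

echo "files not readable by all:"
files_not_world_readable "$workdir/site"
echo "dirs not accessible by all:"
dirs_not_world_searchable "$workdir/site"
```

For a web root the two lists are what a static file server would refuse to serve while running as an unprivileged user; the same checks inverted (-perm -o+w) are the usual way to look for files that everyone can write.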

Linux Commands directory navigation

cd -                    # Go to previous directory
cd                      # Go to $HOME directory
(cd dir && command)     # Go to dir, execute command and return to current dir
pushd .                 # Put current dir on stack so you can popd back to it


Linux Commands


apropos whatis                     # Show commands pertinent to string
man -t man | ps2pdf - > man.pdf    # Make a pdf of a manual page
which command                      # Show full path name of command
time command                       # See how long a command takes
time cat                           # Start stopwatch. Ctrl-d to stop
nice info                          # Run a low priority command (the "info" reader in this case)
renice 19 -p $$                    # Make shell (script) low priority. Use for non interactive tasks



Sunday, April 26, 2009

Virtual Hosting With vsftpd And PostgreSQL


This document describes how to install a vsftpd server that uses virtual users from a PostgreSQL database instead of real system users. I couldn't find any tutorial like that on the internet, so when that configuration finally worked for me, I decided to publish it. The documentation is based on FreeBSD 6.2 which I was recently forced to use (I usually use Debian). Nevertheless the document should be suitable for almost any Linux distribution as well (may require very small amendments).

OK, let's start.

Required Packages

  • vsftpd
  • PostgreSQL Server/Client 7.4+
  • PAM_PGSQL

Installation

1. PostgreSQL

#cd /usr/ports/database/postgresql-server82
make install clean

Set your postgres locale before initdb:

#vi /usr/local/pgsql/.cshrc:
setenv PGLIB /usr/local/lib
# note: PGDATA can be overridden by the -D startup option
setenv PGDATA $HOME/data

# You might want to set some locale stuff here
setenv PGDATESTYLE ISO
setenv LC_ALL pl_PL.ISO_8859-2

Install db cluster with right encoding (taken from LC_ALL):

su - pgsql
initdb -E latin2

2. PAM-PGSQL

cd /usr/ports/security/pam-pgsql
make install clean

Make sure that pam-pgsql.so is in /usr/lib. If you get SEGFAULT most likely pam_pgsql is not in the right path (I encountered that problem when I tried pam_pwdfile).

ls /usr/lib/pam_pgsql.so

/usr/lib/pam_pgsql.so

3. vsftpd

cd /usr/ports/ftp/vsftpd
make install clean
echo "vsftpd_enable=\"YES\"" >> /etc/rc.conf
adduser vsftpd

4. And Now ... Working Examples Of Configuration Files

vsftpd is the name of the PAM config file, /etc/pam.d/vsftpd.

vsftpd is also the name of the user added above. That user needs write access to local_root; in the example local_umask=0000 is used because I wanted files to be stored with chmod 77x.

#vi /usr/local/etc/vsftpd.conf:
listen=YES
anonymous_enable=NO
local_enable=YES
virtual_use_local_privs=YES
write_enable=YES
connect_from_port_20=YES
secure_chroot_dir=/usr/local/share/vsftpd/empty
pam_service_name=vsftpd
guest_enable=YES
user_sub_token=$USER
local_root=/usr/local/www/apache22/data/$USER
chroot_local_user=YES
hide_ids=YES
ftpd_banner=Welcome to FTP server
file_open_mode=0770
local_umask=0000
anon_mkdir_write_enable=NO
guest_username=vsftpd

By default pam_pgsql is looking for the configuration in the file /etc/pam_pgsql.conf. I might think of a setup where I authenticate different services vs. different tables in the postgres database.

The config_file switch does the job - this is how the file looks:

#vi /etc/pam.d/vsftpd:
auth required pam_pgsql.so config_file=/etc/pam_pgsql_vsftpd.conf
account required pam_pgsql.so config_file=/etc/pam_pgsql_vsftpd.conf

#vi /usr/local/pgsql/data/pg_hba.conf:
host    system    system    127.0.0.1    255.255.255.255    md5
local   all       pgsql                                    ident sameuser

# All other connections by UNIX sockets
local   all       all                                      ident sameuser
# All IPv4 connections from localhost
#host   all       all       127.0.0.1    255.255.255.255    md5
host    all       tronix    0.0.0.0      0.0.0.0            md5
host    sameuser  all       0.0.0.0      0.0.0.0            md5
host    all       all       0.0.0.0      0.0.0.0            reject

#vi /etc/pam_pgsql_vsftpd.conf:
debug
pw_type = md5
connect = hostaddr=127.0.0.1 port=5432 dbname=system user=system password=pass connect_timeout=15
auth_query = select s_password from accounts where s_username = %u
acct_query = select b_expired as acc_expired, 0 as acc_new_pwreq, (s_password ISNULL OR s_password = '') as user_password from accounts where s_username = %u

Let's create the postgres table and a test user:

#su - pgsql
#psql system

Welcome to psql 8.2.4, the PostgreSQL interactive terminal.

Type:  \copyright for distribution terms
       \h for help with SQL commands
       \? for help with psql commands
       \g or terminate with semicolon to execute query
       \q to quit

system=# CREATE TABLE "accounts"(
"i_id" SERIAL,
"s_username" VARCHAR(30) NOT NULL,
"s_password" VARCHAR(50),
"b_expired" BOOLEAN DEFAULT false,
CONSTRAINT "accounts_s_username_key" UNIQUE("s_username")
);

NOTICE: CREATE TABLE will create implicit sequence "accounts_i_id_seq" for serial column "accounts.i_id"
NOTICE: CREATE TABLE / UNIQUE will create implicit index "accounts_s_username_key" for table "accounts"
CREATE TABLE

system=# insert into accounts(s_username, s_password) values('testuser',md5('secret_pass'));

INSERT 0 1

system=# select * from accounts;

 i_id | s_username |            s_password            | b_expired
------+------------+----------------------------------+-----------
    1 | testuser   | baeed6d497bd4f4676306544a0e7faba | f
(1 row)

Let's create a folder for our new virtual user:

mkdir /usr/local/www/apache22/data/testuser
chown vsftpd:vsftpd /usr/local/www/apache22/data/testuser
ls -la /usr/local/www/apache22/data/testuser

Let's start vsftpd on system startup:

#vi /usr/local/etc/rc.d/vsftpd:

#!/bin/sh
/usr/local/libexec/vsftpd &

Let's start vsftpd right now:

#/usr/local/etc/rc.d/vsftpd

... and vsftpd should work fine now.


Creating A DNS Cache With djbdns


Building a local DNS cache will speed up your internet connection since the time for the “translation job” (converting domain names into IP addresses) will become negligible with the assumption that the DNS cache gets the information from the parent DNS.

FreeBSD already ships bind in each release but I prefer to use djbdns. :-)

Simple way to build local DNS cache in FreeBSD using ports:

1. Install djbdns ports

su-2.05b# whereis djbdns
djbdns: /usr/ports/dns/djbdns
su-2.05b# cd /usr/ports/dns/djbdns && make install clean

Just press OK and the installation process will begin.

2. Configuration

# pw groupadd nofiles -g 800
# pw useradd dnslog -g nofiles -u 810 -d /nonexistent -s /sbin/nologin
# pw useradd dnscache -g nofiles -u 811 -d /nonexistent -s /sbin/nologin

These commands will add the group nofiles, and the users dnslog and dnscache.

# dnscache-conf dnscache dnslog /etc/dnscache 127.0.0.1
# ln -s /etc/dnscache /var/service
# echo 'nameserver 127.0.0.1' >/etc/resolv.conf

These commands will make the IP address 127.0.0.1 a DNS cache “only” for that computer.

In order to be able to use the DNS cache in our network, we need to issue more commands:

# dnscache-conf dnscache dnslog /etc/dnscache 192.168.1.1
# touch /etc/dnscache/root/ip/192.168.1
# ln -s /etc/dnscache /var/service

Now, each client can add 192.168.1.1 as a valid DNS resolver:


To use “daemontools” power we need to add this entry in rc.conf:

svscan_enable="YES"

The first time, we need to start it manually:

su-2.05b# /usr/local/etc/rc.d/svscan.sh start

Check for running service:

su-2.05b# ps -ax | grep dns

338 ?? I 0:00.03 supervise dnscache
90515 ?? S 0:03.51 /usr/local/bin/dnscache

To check if dnscache “really works”: :-)

su-2.05b# tail -f /etc/dnscache/log/main/current

Example output:

su-2.05b# tail -f /etc/dnscache/log/main/current
@4000000046375a22168f3ee4 cached 1 i.gtld-servers.net.
@4000000046375a22168fcf6c cached 1 j.gtld-servers.net.
@4000000046375a2216905ff4 cached 1 k.gtld-servers.net.
@4000000046375a221690ec94 cached 1 l.gtld-servers.net.
@4000000046375a2216917d1c cached 1 m.gtld-servers.net.
@4000000046375a22169209bc cached 1 a.gtld-servers.net.
@4000000046375a221692c154 cached 1 b.gtld-servers.net.
@4000000046375a22169351dc cached 1 c.gtld-servers.net.
@4000000046375a221693de7c cached 1 d.gtld-servers.net.
@4000000046375a2216945794 tx 0 255 mx44.alanistz.com. com. c005061e c0304f1e c036701e c023331e c037531e c02a5d1e c01a5c1e c0210e1e c029a21e c00c5e1e c02bac1e c01f501e c034b21e
@4000000046375a222673d964 rr cc4a7021 86400 1 mx74mi.clarmu.info. d035034a
@4000000046375a2226787514 rr cc4a7021 86400 1 mx144pb.clarmu.info. 42212090
@4000000046375a222678889c rr cc4a7021 86400 1 mx174hi.clarmu.info. 42f890ae
@4000000046375a222678983c rr cc4a7021 86400 1 mx187tr.clarmu.info. 416f11bb
@4000000046375a222678abc4 rr cc4a7021 86400 1 mx204pa.clarmu.info. 42217dcc
@4000000046375a222678bb64 rr cc4a7021 86400 ns clarmu.info. mx74mi.clarmu.info.
@4000000046375a222678ceec rr cc4a7021 86400 ns clarmu.info. mx204pa.clarmu.info.
@4000000046375a222678de8c rr cc4a7021 86400 ns clarmu.info. mx187tr.clarmu.info.
@4000000046375a222679059c rr cc4a7021 86400 ns clarmu.info. mx174hi.clarmu.info.
@4000000046375a222679153c rr cc4a7021 86400 ns clarmu.info. mx144pb.clarmu.info.
@4000000046375a22267924dc stats 379 144625 13 0
@4000000046375a2226793864 cached 1 mx74mi.clarmu.info.
@4000000046375a2226794804 cached 1 mx204pa.clarmu.info.
@4000000046375a22267957a4 cached 1 mx187tr.clarmu.info.
@4000000046375a2226796744 cached 1 mx174hi.clarmu.info

Congratulations, your DNS cache is working well.
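The "@..." field at the start of every log line above is a TAI64N label, not a readable time, which matters as soon as you need to correlate dnscache entries with other logs. The decoder below is an added example, not part of the djbdns tutorial: the function names, the 33-second TAI-to-UTC offset (correct for 2007, when the sample log was written) and the sample line are assumptions made here. djbdns itself ships tai64nlocal for the same job; this version has no dependency on GNU date, so it runs unchanged on FreeBSD.

```shell
#!/bin/sh
# Decode the "@..." TAI64N labels that prefix dnscache log lines into UTC.
# Added example, not part of the djbdns tutorial: function names, the
# leap-second constant and the sample line are constructed here.
set -eu

# A TAI64N label is '@', 16 hex digits of TAI seconds offset by 2^62, then
# 8 hex digits of nanoseconds. TAI was 33 s ahead of UTC in 2007 (10 s
# initial offset plus 23 leap seconds); adjust for logs from other years.
TAI_MINUS_UTC=33

# Civil date from days since 1970-01-01 (proleptic Gregorian), integer
# arithmetic only, so nothing here depends on GNU date's -d option.
days_to_ymd() {
    z=$(( $1 + 719468 ))
    era=$(( z / 146097 ))
    doe=$(( z - era * 146097 ))
    yoe=$(( (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365 ))
    doy=$(( doe - (365 * yoe + yoe / 4 - yoe / 100) ))
    mp=$(( (5 * doy + 2) / 153 ))
    d=$(( doy - (153 * mp + 2) / 5 + 1 ))
    m=$(( mp < 10 ? mp + 3 : mp - 9 ))
    y=$(( yoe + era * 400 + (m <= 2 ? 1 : 0) ))
    printf '%04d-%02d-%02d' "$y" "$m" "$d"
}

# "@4000000046375a22168f3ee4" -> "2007-05-01T15:17:21.378486500Z"
tai64n_to_utc() {
    label=${1#@}
    secs_hex=$(printf '%s' "$label" | cut -c1-16)
    nanos_hex=$(printf '%s' "$label" | cut -c17-24)
    utc=$(( 0x$secs_hex - (1 << 62) - TAI_MINUS_UTC ))
    days=$(( utc / 86400 ))
    rem=$(( utc % 86400 ))
    printf '%sT%02d:%02d:%02d.%09dZ\n' "$(days_to_ymd "$days")" \
        $(( rem / 3600 )) $(( rem % 3600 / 60 )) $(( rem % 60 )) $(( 0x$nanos_hex ))
}

# Rewrite one log line, replacing the label with the decoded time.
decode_log_line() {
    label=${1%% *}
    rest=${1#* }
    printf '%s %s\n' "$(tai64n_to_utc "$label")" "$rest"
}

# Constructed sample line in the format shown in the tutorial output.
decode_log_line '@4000000046375a22168f3ee4 cached 1 i.gtld-servers.net.'
```

To convert a whole file, feed it through a while read line; do decode_log_line "$line"; done loop. The TAI_MINUS_UTC constant is the one thing to revisit: every leap second inserted after a log was written shifts the decoded time by a second if the wrong value is used.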


How To Set Up A FreeBSD Wireless Access Point

This document will guide you on how to use a FreeBSD system as a wireless access point. This is intended to supplement the FreeBSD Handbook and not replace it.

Getting FreeBSD to act as a wireless access point involves the following steps:

  • Make sure your installation includes hostapd and named (BIND)
  • Recompile your kernel for pf support
    • pf is not the only way to do this, but I strongly prefer pf to the ipfw/ipfilter and have written the How-To to use it
  • Configure NAT (and any firewall rules)
  • Install isc-dhcp3-server
  • Configure daemons and start them

Hardware Requirements/Notes:

  • One network card to connect to the upstream. This is the external network interface (ext_if). In this How-To it will be fxp0. Yours may differ.
  • One wireless card to provide wireless services (wifi_if). I prefer Atheros-based cards, though any FreeBSD-supported card is fine. In this How-To it will be ath0. Yours may differ.
  • Optionally, an additional wired network card (int_if) for wired LAN access (via crossover cable or a network switch/hub). Not necessary, but my system provides both wireless and wired LAN access. In this How-To it will be fxp1. Yours may differ.

Downloadable sample configuration files are available at http://tun0.net/ascii/config/freebsd_access_point/.

Getting Started

Before we proceed, it's a good idea to connect the FreeBSD system you wish to make an access point to the Internet. Connecting to the Internet (or whatever upstream connection you have) is beyond the scope of this document. There is an entire chapter on Network Communication in the FreeBSD Handbook.

For the sake of simplicity, please execute all commands provided on this site as root. The majority of them will require root privileges anyway. To become root, type su, enter the root password and hit enter.

Check if you have BIND

BIND is usually distributed with FreeBSD, however, just to make sure BIND is present on your system, execute the following command:

which named

If that tells you named not found, then you will have to install BIND.

sudo pkg_add -r bind9

Check if you have hostapd

Check for hostapd using the which command:

which hostapd

The hostapd program is part of the base FreeBSD system. If it is not present, you may have a minimal system. You can use the FreeBSD installer to add more distribution sets or just update your system from sources and obtain it that way.

Check if you have kernel sources

You will need to build a custom kernel since the base kernel does not offer the OpenBSD Packet Filter (pf). This is a simple and relatively quick process and will be discussed later.

ls -l /usr/src/sys

If the above tells you No such file or directory or outputs no data, then you will need to obtain kernel sources. This is well explained in the Synchronizing Your Source section of the FreeBSD Handbook.

Recompile Your Kernel

The process of recompiling your kernel and including PF support is well documented in the FreeBSD Handbook. I shall summarize the process below.

Go to the kernel configuration directory and start your own kernel configuration based on the GENERIC (default, stock) kernel.

cd /usr/src/sys/`uname -m`/conf
cp GENERIC CUSTOM

You may edit the above however you wish, as long as you know what you're doing. You can consult the /usr/src/sys/conf/NOTES file for explanations of any kernel option. Just make sure that you add the following lines for PF support. You may use vi, your favorite text editor, or just echo it into the file.

echo "device pf
device pflog
device pfsync" >> CUSTOM

Optionally, if you wish to take advantage of PF's traffic shaping abilities (ALTQ), I'd recommend adding the following lines to your custom kernel configuration:

options ALTQ
options ALTQ_CBQ    # Class Based Queueing (CBQ)
options ALTQ_RED    # Random Early Detection (RED)
options ALTQ_RIO    # RED In/Out
options ALTQ_HFSC   # Hierarchical Packet Scheduler (HFSC)
options ALTQ_PRIQ   # Priority Queuing (PRIQ)
options ALTQ_NOPCC  # Required for SMP build

Now execute the following commands to build and install the new kernel.

cd /usr/src
make buildkernel KERNCONF=CUSTOM
make installkernel KERNCONF=CUSTOM

Finally, reboot so that you can use the new kernel.

shutdown -r now

Overview on Wireless Access Point Network

We will be setting up a system as follows:

  • fxp0 - ext_if - external card that connects to cable/DSL modem, WAN, etc.
  • fxp1 - lan_if - internal card that provides wired LAN access.
  • ath0 - wifi_if - internal wireless card for wireless access point connections.

If you're aiming for only a wireless LAN, you can omit all references to fxp1 and lan_if. In configuration files simply delete $lan_if from all files. Conversely, for wired only setups, remove all references to $wifi_if and ath0.

The network will be configured as follows:

  • fxp0 - ext_if - DHCP configured from upstream (e.g. let cable modem provide an IP)
  • fxp1 - lan_if - static IP, 192.168.0.1; wired subnet will be 192.168.0.0/24; clients on LAN configured via DHCP
  • ath0 - wifi_if - static IP, 192.168.1.1; wireless subnet will be 192.168.1.0/24; clients on WLAN configured via DHCP

Configure the interfaces

Get an IP for the ext_if (the external interface)

dhclient fxp0

Set the IP on lan_if

ifconfig fxp1 inet 192.168.0.1 netmask 255.255.255.0

Make sure drivers are loaded for the wireless interface. For Atheros based cards you'll need the following single, one-line command:

for d in if_ath ath_rate ath_hal; do kldload $d; done

For any wireless card, including Atheros cards, make sure we have all the proper wireless modules loaded. The following is a long line, but it is a single, one-line command:

for d in wlan_wep wlan_tkip wlan_ccmp wlan_xauth wlan_acl; do kldload $d; done

Set the IP on wifi_if (ath0) using the single, one-line command:

ifconfig ath0 inet 192.168.1.1 netmask 255.255.255.0 ssid YOURSSID mediaopt hostap

Configure NAT (and any firewall rules)

First, let's set the system up to act as a router/gateway and enable PF. Perform the following commands as root.

sysctl -w net.inet.ip.forwarding=1
pfctl -e

Create a pf.conf for NAT and some basic firewall rules. Use vi or your favorite editor and add the following to the /etc/pf.conf file.

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
#
# This configuration is set for use on a machine that is a router with
# three (3) network cards:
# ext_if - connects to the upstream link (cable/dsl modem, WAN, etc.)
# wifi_if - wireless card for internal network
# (if none present, remove all references to it in this file)
# lan_if - wired card for internal network
# (if none present, remove all references to it in this file)
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
#------------------------------------------------------------------------
# macros
#------------------------------------------------------------------------
logopt = "log"
# interfaces
ext_if = "fxp0"
wifi_if = "ath0"
lan_if = "fxp1"
# publicly accessible services (transport layer neutral)
pubserv = "{ 22, 443 }"
# internally accessible services (transport layer neutral)
lanserv = "{ 22, 53, 67, 80, 443 }"
# samba ports (transport layer neutral)
samba_ports = "{ 137, 138, 139 }"
# externally permitted inbound icmp types
icmp_types = "echoreq"
# internal network
lan_net = "{ 192.168.0.0/24, 192.168.1.0/24 }"
# hosts granted acces to samba (cifs/smb) shares
smb_net = "{ 192.168.0.0/27, 192.168.1.0/27, 192.168.0.90, 192.168.1.90 }"
# block these networks
# (<blocked> is an assumed table name; any name works as long as the two
# anti-spoofing rules below use the same one)
table <blocked> { 0.0.0.0/8, 10.0.0.0/8, 20.20.20.0/24, 127.0.0.0/8, \
169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16, \
224.0.0.0/3, 255.255.255.255 }
#------------------------------------------------------------------------
# options
#------------------------------------------------------------------------
# config
set block-policy return
set loginterface $ext_if
set skip on lo0
# scrub
#scrub all reassemble tcp no-df
#scrub in all fragment reassemble
scrub out all random-id
#------------------------------------------------------------------------
# redirection (and nat, too!)
#------------------------------------------------------------------------
# network address translation
nat on $ext_if from $lan_net to any -> ($ext_if)
#------------------------------------------------------------------------
# firewall policy
#------------------------------------------------------------------------
# restrictive default rules
block all
block return-rst in $logopt on $ext_if proto tcp all
block return-icmp in $logopt on $ext_if proto udp all
block in $logopt on $ext_if proto icmp all
block out $logopt on $ext_if all
# trust localhost
pass in quick on lo0 all
pass out quick on lo0 all
# anti spoofing
block drop in $logopt quick on $ext_if from <blocked> to any
block drop out $logopt quick on $ext_if from any to <blocked>
antispoof for { $lan_if, $wifi_if, $ext_if }
# anti fake return-scans
block return-rst out on $ext_if proto tcp all
block return-rst in on $ext_if proto tcp all
block return-icmp out on $ext_if proto udp all
block return-icmp in on $ext_if proto udp all
# toy with script kiddies scanning us
block in $logopt quick proto tcp flags FUP/WEUAPRSF
block in $logopt quick proto tcp flags WEUAPRSF/WEUAPRSF
block in $logopt quick proto tcp flags SRAFU/WEUAPRSF
block in $logopt quick proto tcp flags /WEUAPRSF
block in $logopt quick proto tcp flags SR/SR
block in $logopt quick proto tcp flags SF/SF
# open firewall fully
# warning: insecure. 'nuff said.
#pass in quick all
#pass out quick all
# allow permitted icmp
pass in inet proto icmp all icmp-type $icmp_types keep state
# allow permitted services
pass in on $ext_if inet proto tcp from any to any port $pubserv flags S/SA keep state
pass in on {$lan_if $wifi_if} inet proto {tcp udp} from $lan_net to any port $lanserv keep state
pass in on {$lan_if $wifi_if} inet proto {tcp udp} from $smb_net to any port $samba_ports keep state
# permit access between LAN hosts
pass in from $lan_net to $lan_net keep state
pass out from $lan_net to $lan_net keep state
# permit full outbound access
# warning: potentially insecure. you may wish to lock down outbound access.
pass out from any to any keep state

Load the above configuration with the following command:

pfctl -Fa -f /etc/pf.conf
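A rule set like the one above fails to load if it refers to a macro or table that is never defined (a typo, or a table line lost while copying the file), and pfctl then leaves the previous rules in force. The following POSIX sh lint is an added example, not part of the original how-to and not a pf tool: it parses a pf.conf directly and lists every $macro and <table> reference that has no definition. The function name pf_undefined and the sample fragment in pf_lint_demo are this example's own, and it goes a little beyond the page's own rule set in that it also follows backslash line continuations.

```sh
#!/bin/sh
# pf.conf reference lint (added example, not from the how-to).
# Prints each undefined $macro / <table> once, in first-seen order.

# pf_undefined FILE -> prints undefined names; returns 1 if there were any
pf_undefined() {
  awk '
    { sub(/#.*/, "") }                              # strip comments
    /\\$/ { sub(/\\$/, ""); line = line $0; next }  # join backslash continuations
    { line = line $0 }
    {
      # definition: name = "..."  (pf macro)
      if (match(line, /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/)) {
        n = line; sub(/[ \t]*=.*/, "", n); sub(/^[ \t]*/, "", n)
        def["$" n] = 1
      }
      # definition: table <name> ...  (pf table)
      if (match(line, /^[ \t]*table[ \t]*<[A-Za-z0-9_]*>/)) {
        n = substr(line, RSTART, RLENGTH); sub(/.*</, "", n); sub(/>.*/, "", n)
        def["<" n ">"] = 1
      }
      # references: $name and <name>, recorded once each in first-seen order
      s = line
      while (match(s, /[$][A-Za-z_][A-Za-z0-9_]*|<[A-Za-z_][A-Za-z0-9_]*>/)) {
        r = substr(s, RSTART, RLENGTH)
        if (!(r in seen)) { seen[r] = 1; order[++k] = r }
        s = substr(s, RSTART + RLENGTH)
      }
      line = ""
    }
    END {
      bad = 0
      for (i = 1; i <= k; i++) if (!(order[i] in def)) { print order[i]; bad = 1 }
      exit bad
    }
  ' "$1"
}

# pf_lint_demo: run the lint over a constructed fragment (sample input, not a
# real rule set) that references a table it never defines
pf_lint_demo() {
  tmp=$(mktemp) || return 1
  cat > "$tmp" <<'EOF'
ext_if = "fxp0"
lan_net = "{ 192.168.0.0/24, 192.168.1.0/24 }"
nat on $ext_if from $lan_net to any -> ($ext_if)
block drop in quick on $ext_if from <blocked> to any   # <blocked> is never defined
EOF
  pf_undefined "$tmp"      # prints "<blocked>" and returns 1
  rc=$?
  rm -f "$tmp"
  return $rc
}

[ "${1:-}" = demo ] && pf_lint_demo
```

Run it as `pf_undefined /etc/pf.conf` before `pfctl -f`; an empty result and exit status 0 mean every reference resolves. It only catches dangling names, so `pfctl -nf /etc/pf.conf` on the gateway remains the authoritative syntax check, but this one needs no pf installed and can run wherever the file is edited.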

Install and configure the ISC DHCP server

To dynamically assign IP addresses to clients on your LAN/WLAN, you'll need the ISC DHCP server.

pkg_add -r isc-dhcp3-server

Next edit its configuration file, /usr/local/etc/dhcpd.conf:

###
### GLOBAL SETTINGS
###
ddns-update-style none;
always-broadcast on;
default-lease-time 7200;
max-lease-time 7200;
authoritative;
option domain-name-servers 192.168.1.1;
option domain-name "localnet.localdomain";
option netbios-name-servers 192.168.1.1;
###
### WIRED LOCAL AREA NETWORK
###
subnet 192.168.0.0 netmask 255.255.255.0 {
#
# NOTES:
# (1) allocation of endings 100-199 by DHCP is
# intended for clients that are not specified
# later in this file.
# (2) allocation is done in increments of 10
# and this is done intentionally.
#
range 192.168.0.100 192.168.0.199;
option broadcast-address 192.168.0.255;
option subnet-mask 255.255.255.0;
option routers 192.168.0.1;
}
###
### WIRELESS NETWORK
###
subnet 192.168.1.0 netmask 255.255.255.0 {
# NOTE: See: wired->range.notes
range 192.168.1.100 192.168.1.199;
option broadcast-address 192.168.1.255;
option subnet-mask 255.255.255.0;
option routers 192.168.1.1;
}
###
### ASSIGN SPECIFIC IP ADDRESSES TO SPECIFIC HOSTS BASED ON MAC ADDRESS
### (optional)
###
## host foo
#host foo {
# hardware ethernet XX:XX:XX:XX:XX:XX;
# fixed-address 192.168.0.XYZ;
#}
## host bar
#host bar {
# hardware ethernet XX:XX:XX:XX:XX:XX;
# fixed-address 192.168.1.XYZ;
#}

Configure hostapd

Edit /etc/hostapd.conf as follows:

interface=ath0
driver=bsd
logger_syslog=-1
logger_syslog_level=0
logger_stdout=-1
logger_stdout_level=0
debug=3
dump_file=/tmp/hostapd.dump
ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel
#### IEEE 802.11 related config ####
ssid=YOURSSID
macaddr_acl=0
auth_algs=1
#### IEEE 802.1X related config ####
ieee8021x=0
#### WPA/IEEE 802.11i config #####
wpa=1
wpa_passphrase=ENTER_YOUR_PASSPHRASE_HERE
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP TKIP

Make our settings permanent via rc.conf

We don't want to manually configure our interfaces or start our daemons manually each time, so we'll put it all into /etc/rc.conf:

### GENERAL SETTINGS
gateway_enable="YES"
hostname="wifiap"
### CONFIGURATION FOR EXTERNAL INTERFACE (UPSTREAM LINK)
### example: link to cable/dsl modem
ifconfig_fxp0="DHCP"
### CONFIGURATION FOR INTERNAL WIRED NETWORK
ifconfig_fxp1="inet 192.168.0.1 netmask 255.255.255.0"
### CONFIGURATION FOR INTERNAL WIRELESS NETWORK
ifconfig_ath0="inet 192.168.1.1 netmask 255.255.255.0 ssid YOURSSID mediaopt hostap"
### CONFIGURATION FOR PACKET FILTER
### requires kernel recompile, see:
### http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-pf.html
pf_enable="YES" # Set to YES to enable packet filter (pf)
pf_rules="/etc/pf.conf" # rules definition file for pf
pf_program="/sbin/pfctl" # where the pfctl program lives
pf_flags="" # additional flags for pfctl
pflog_enable="YES" # Set to YES to enable packet filter logging
pflog_logfile="/var/log/pflog" # where pflogd should store the logfile
### DAEMONS FOR LAN
hostapd_enable="YES" # wireless services (clients use wpa_supplicant)
named_enable="YES" # dns for clients
dhcpd_enable="YES" # dhcp configure clients
sshd_enable="YES" # so we can remotely access this box

We don't want to have to manually load kernel modules all the time either, so we'll put them into /boot/loader.conf:

wlan_wep_load="YES"
wlan_tkip_load="YES"
wlan_ccmp_load="YES"
wlan_xauth_load="YES"
wlan_acl_load="YES"

Start daemons

You can do this easily by rebooting:

shutdown -r now

If you're a true Unix zealot, however, and dislike rebooting unnecessarily, you can do the following:

/etc/rc.d/pflog start
/etc/rc.d/named start
/etc/rc.d/dhcpd start
/etc/rc.d/hostapd start

Done!

Congratulations! At this point, assuming you followed the directions and had no errors, you should have a functional wireless access point using WPA and a wired LAN that is connected to the upstream link.



How To Configure Web Access To Subversion Repositories Using Apache

This how-to describes the steps to get the mod_dav_svn module working in an Apache web server. First I'll assume that we don't have Apache and Subversion installed on our FreeBSD box; in a second part I'll explain how to add the module to an existing installation.

First we have to install our Apache 2.0.x with Berkeley DB support (because Subversion will use Berkeley DB to save the repositories). To do this we have to go to the ports dir and do this:

box# cd /usr/ports/www/apache20/
box# make -DWITH_BDB4 install clean
some installation steps...

Add apache ability to start automatically at boot time:

box# echo 'apache2_enable="YES"' >> /etc/rc.conf

After we have apache20 installed with bdb support, we'll have to install Subversion:

box# cd /usr/ports/devel/subversion
box# make -DWITH_MOD_DAV_SVN install clean
some installation steps...

After installation we'll have to ensure that mod_dav_svn module was properly installed on apache.

box# cat /usr/local/etc/apache2/httpd.conf | grep svn

LoadModule dav_svn_module libexec/apache2/mod_dav_svn.so
LoadModule authz_svn_module libexec/apache2/mod_authz_svn.so

We now have apache with the mod_dav_svn module installed properly. At this point we can create a repository, which will help us test our installation:

box# mkdir /usr/home/svn
box# mkdir /usr/home/svn/repos
box# svnadmin create /usr/home/svn/repos/test

Then we have to create the files that are going to be used to authenticate the users.

box# mkdir /usr/home/svn/access
box# cd /usr/home/svn/access
box# htpasswd -cm users root
password:****
box# htpasswd -m users viewer
password:*****

box# vi control

[test:/]
root = rw
viewer = r

At this point we have apache with bdb support, subversion with the mod_dav_svn module installed, our repository created, and the users and the access control file for our repository. Now we will configure apache to read the repositories:

box# cd /usr/local/etc/apache2/Includes/
box# cat svn.conf

<Location /svn/repos>
DAV svn
SVNParentPath /usr/home/svn/repos
SVNIndexXSLT "http://svn.example.com/svnindex.xsl"
AuthzSVNAccessFile /usr/home/svn/access/control
# anonymous first
Satisfy Any
Require valid-user
# authenticating them valid ones
AuthType Basic
AuthName "Subversion Repositories at example.com"
AuthUserFile /usr/home/svn/access/users
</Location>

Apache reads all the files under the Includes directory, so our svn.conf will be loaded when apache starts. Note that we are loading svnindex.xsl, the file where the transformations are done; if you would like to give your repository some look and feel, this is the file to work on. The skeletons are in the /usr/local/share/subversion/xslt/ directory; there are two files, one .xsl and one .css. Copy these files to your document root. I have a virtual server called svn.example.com on my machine. I keep all my virtual servers under /usr/local/www/pages, so I have an svn.example.com directory there, and I've configured that virtual server in /usr/local/etc/apache2/httpd.conf:

NameVirtualHost *:80
<VirtualHost *:80>
ServerAdmin ecruz@example.com
ServerName svn.example.com
DocumentRoot /usr/local/www/pages/svn.example.com
CustomLog /var/log/svn.example.com-access_log common
</VirtualHost>

Restart the web server:

/usr/local/etc/rc.d/apache2.sh restart

If all went ok, our web server is working properly. To test it, open Firefox or whatever browser you use and go to http://svn.example.com/svn/repos/test. It will ask you for credentials, so use root or viewer. It should display the test repository at revision 0. I'd suggest installing TortoiseSVN on Windows boxes to get access to the repositories.

Now, as a plus, we will configure an alert in our subversion test repository to send a notification when a commit is made. To do this we have to create an executable file under the hooks directory:

box# cd /usr/home/svn/repos/test/hooks/
box# cat post-commit

[code]
#!/usr/local/bin/php
<?php
// Subversion passes the repository path and the new revision as arguments
$repos = $argv[1];
$version = $argv[2];
$message = "SubVersion Commit
Project: Test
http://svn.example.com/svn/repos/test full repository
==============Comments==============
";
// commit log message for this revision
$message .= `svnlook log -r $version /usr/home/svn/repos/test`;
$message .= "
===========List of Changes========
";
// full diff of the revision
$message .= `svnlook diff -r $version /usr/home/svn/repos/test`;
mail("address@example.com", "SubVersion Commit $repos $version", $message, "From: svn@example.com");
?>
[/code]

To get this to work with your current installation you only have to change the subversion installation step:

box# cd /usr/ports/devel/subversion
box# make deinstall
box# make -DWITH_MOD_DAV_SVN -DWITHOUT_BDB4 install clean

Ok, this is the end of this howto, any improvements are welcome. Regards!


How to Build an Effective Mail Server Defense

A multi-stage approach to securing your email communication

When speaking of mail server security, one tends to limit the issue to security measures applied to messages, and even more narrowly to antivirus and antispam protection. This is however only one stage in the more complex process of securing your server. This article aims at identifying and explaining all security layers, which are highly important when choosing a mail server and consequently when configuring and using it.


Mail Server Environment Overview


1. Securing mail server connections

When using a newly installed mail server, administrators should first make sure they use secure connections. There are two main possibilities to secure connections: encryption and firewall-like rules.

Encryption methods have continuously been developed as the Internet has become the preferred medium for data transfers. The most commonly used are SSL (Secure Sockets Layer) and TLS (Transport Layer Security). However, incorrect usage of encryption often leads to security breaches. The most common examples are web pages containing both secured and unsecured content, or communications secured only after login via a plain (unencrypted) login page.

Firewall-like rules enforced at server level are recommended to back up an existing firewall or to replace it when one is not available. They can impose limitations both on established connections and on hosted traffic. We recommend creating allow/deny rules both globally (applied to all protocols and listeners) and specifically for each listener in order to prevent attacks such as DoS (denial of service).


2. Securing mail server protocols

After securing the first stage of an email transfer, the next action to take would be securing protocols.

The recommended steps are to use multiple listeners for each interface and correlate them with specific allow and deny rules. Also, limiting the number of connection and authentication errors, capping the number of commands per session, or setting a session time-out can help protect your server from further DoS attacks.

To further enhance protocol security, we recommend client control rules, based on the sender or receiver address and certain limitations regarding the number and size of email messages.

Authentication is also highly important at protocol level. By implementing several authentication methods, either simple (plain, login, CRAM-MD5), or complex (GSSAPI, Kerberos), the mail server enhances communication security and is better equipped against attacks and unauthorized access.

Other efficient protocol-level solutions are making sure your mail server is RFC compliant and preventing email looping (a very simple method is setting a maximum number of "Received" headers per email).

3. Securing email control parameters

Apart from using different Antispam and Antivirus applications, there are further actions you should keep in mind where email control based security is concerned. One very handy option would be using gray lists. Gray listing is basically a request to have the email resent, after temporarily rejecting the email. The server saves in a list the sender IP and the recipient and returns a temporary error. All valid servers will then resend the emails, unlike spamming scripts. Please note however that many servers cannot differentiate at this time between a temporary and a permanent error.
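As an added illustration of the gray listing mechanism just described (this code is not from the article; the names greylist_check, GREY_DB and GREY_DELAY, the tab-separated file format and the sample addresses are this example's own choices), here is the triplet check in POSIX sh. The sender IP, sender and recipient form the key; the first attempt is answered with a temporary 4xx error and the key is remembered, a retry after GREY_DELAY seconds is accepted, and a retry that comes too soon is deferred again.

```sh
#!/bin/sh
# Greylisting policy check (added example, not from the article).
GREY_DB="${GREY_DB:-/tmp/greylist.db}"   # one "ip|sender|rcpt<TAB>first-seen-epoch" per line
GREY_DELAY="${GREY_DELAY:-300}"          # seconds a retry must wait before we accept it

# greylist_check IP SENDER RECIPIENT NOW
#   prints the SMTP reply to give; returns 0 to accept, 1 to temp-fail
greylist_check() {
  key="$1|$2|$3"
  now=$4
  touch "$GREY_DB" || return 1
  # first-seen time for this triplet, empty if we have never seen it
  first=$(awk -F'\t' -v k="$key" '$1 == k { print $2; exit }' "$GREY_DB")
  if [ -z "$first" ]; then
    printf '%s\t%s\n' "$key" "$now" >> "$GREY_DB"   # first sight: remember it
    echo "451 4.7.1 Greylisted, try again later"
    return 1
  fi
  if [ $((now - first)) -ge "$GREY_DELAY" ]; then
    echo "250 OK"                                     # retried after the delay: a real MTA
    return 0
  fi
  echo "451 4.7.1 Greylisted, try again later"        # retried too soon: defer again
  return 1
}

# greylist_demo: replay a constructed sequence of delivery attempts
# (sample events, not real traffic) against a scratch database
greylist_demo() {
  saved=$GREY_DB
  GREY_DB=$(mktemp) || return 1
  for ev in "1000 203.0.113.5 alice@example.org bob@example.net" \
            "1100 203.0.113.5 alice@example.org bob@example.net" \
            "1400 203.0.113.5 alice@example.org bob@example.net"; do
    set -- $ev
    printf 't=%s %s -> %s\n' "$1" "$2" "$(greylist_check "$2" "$3" "$4" "$1" || true)"
  done
  rm -f "$GREY_DB"
  GREY_DB=$saved
}

[ "${1:-}" = demo ] && greylist_demo
```

The database is deliberately a flat file so the logic stays visible; a production MTA keeps it in memory or a proper store, expires old triplets, and whitelists known-good relays. The caveat in the text still applies: a sending server that treats 451 as permanent will never retry, so greylisting trades some legitimate mail for the spam it blocks.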

Host control is another easy way to ensure only valid emails are further processed by your email server. Two well known methods are SPF (Sender Policy Framework) and DNS based black hole lists. SPF records are public details published by domains within DNS servers. Usually they point to and confirm the real addresses of domains. By using SPF checks, you can successfully prevent spam and back-scatter emails.

Blacklists may be either public (free of charge) or private and usually contain IP addresses of open-relay servers, open proxies and ISPs with no spam filtering. Your server needs to be set up to query such lists and to reject connections initiated by IP addresses included in them. If one of your servers gets erroneously listed, getting removed may require filling in an online form, contacting the list administrators or, in more severe situations, changing your IP.

A more complex authentication method is DKIM (DomainKeys Identified Mail). Implemented by Yahoo and supported by Google, Cisco, Sendmail and PGP, DKIM has considerable chances of becoming the standard authentication method. The email header contains an encrypted signature and is in its turn encrypted, pointing to an encrypted key published on DNS servers by the sending domain. The server processing the email uses this key to decode the email body; if the decryption is successful, the email is valid.

Relay rules can sometimes make the difference between a secured server and an unsecured one. Our first recommendation is to never accept open relaying, as it can easily get you blacklisted. Therefore you should implement a few relay rules, based on sender address/recipient address, or relay for authenticated users only. When selecting your mail server, you should make sure it has the following features: it allows creating relay rules, domain authentication is configurable, the sending interface is customizable, and it supports SSL/TLS and different authentication methods and extensions.

4. Secure configuration and administration

Configuration and administration are not commonly regarded as a security layer. However, the configurability offered by the server and the actual configuration made by the user play a key part in securing your MTA. Firstly, the administrator should get acquainted with the solution, all its features and all its flaws, if any. The server executable needs to be written without memory leaks, to drop root privileges (on Unix systems), and to block all access requests except those for public files.

Access to the configuration file should be granted to the administrator only. Furthermore, the file should always be very specific, easy to understand and modify, and all default values should be secure. For example, a default value allowing open relay would represent a major security flaw.

Alternate administration modules (web interface, command line interface) should be provided for modifying the server configuration. It is also highly important that all connections to these modules are made through SSL. To make sure you securely access these modules, we recommend using a mail server with proprietary HTTP server and HTML-based scripting language.

Our most complete security recommendation is implementing a "smart-hosting" system. Such a system consists of several mail servers installed on different machines, each performing a specific task. The server offering the best connection and protocol security should be focused on firewall protection. The second one should run email control parameters (including Antispam and Antivirus applications). The third one should be mainly focused on domain management. However, smart hosting might require more hardware and software resources than those available within your system.

Smart Hosting (figure)

Conclusions

The most important aspect to keep in mind is that there is no foolproof security; therefore optimal protection should substitute for perfection. At each security layer there are possible flaws and breaches. The solution is to choose the best possible configuration and adapt it to your network's needs and topology.

Upgrading FreeBSD

Concept

This document started as a follow-up to The Ultimate Multimedia Server Guide, covering how to keep your server up to date with the latest O/S patches and security patches. The other reason for this document was to create an easy-to-follow update guide for the not-so-Unix-savvy users that visit my website from time to time. My first attempt at upgrading FreeBSD from sources went well, but trying to understand and piece together all the other documentation was more of a daunting task than actually upgrading.

General Information

This guide will lead you through bringing your FreeBSD server up to date so that you get the most entertainment pleasure from it. Before embarking on this journey I highly recommend reading this document in its entirety before executing any of it. It will require time, patience and attention to detail; it is more time consuming than it is difficult.

You will also notice blue and underlined text used throughout this document. These are www links provided to make finding things a bit easier for you.

Requirements

1) Base install of FreeBSD and Ports, preferably FreeBSD 6 as it is the latest stable production release at the time of this document.

2) Some sort of Internet connectivity, either broadband or a business connection like a T1. The faster your downstream connectivity, the less time it will take to download the sources.

3) Your favorite text editor. I prefer VI but there are others like Emacs and Pico.

4) sudo or root access to your server and also console access.

5) And last but not least a little time and patience.

Installation

The tools required for this project can be easily installed from the ports tree. Most of them are already installed, but there are a couple we will use to make things a little easier and to automate this process for future use. The main tool for this process is CVS; if you are interested in what is really happening, take 10 minutes of your spare time to read the FreeBSD Handbook CVS section.

The first thing we will do is install cvsup-without-gui, you may want to install just cvsup if you have installed X11 on your server. I prefer not to have the overhead of X11 or any type of gui running on my servers.

# cd /usr/ports/net/cvsup-without-gui
# make install clean

The above will install cvsup-without-gui and clean the source files out of your ports tree to save disk space. It will also prompt you, asking whether it should run cvsup now; MAKE SURE to answer NO at this time. There is a bit more work to do before running it.

Next we will install a tool that, together with a little script of my own, will help choose the fastest cvsup server on the Internet so that downloading the sources takes as little time as possible.

# cd /usr/ports/sysutils/fastest_cvsup
# make install clean

Now that we have that out of the way, we need to prepare our cvs-supfile for use. I prefer to keep my files in /root for easy backup purposes, but you could put them any place you like.

# cd ~

# cp /usr/share/examples/cvsup/cvs-supfile /root/cvs-supfile

The file you have just copied to your root directory needs to be edited. It is a very long file, so I will not paste it in its entirety here. I would suggest you read your cvs-supfile completely, but this document is about making things a bit easier, so the lines below are what need editing. Using your favorite editor, change these lines to look like this:

default

*default host=CHANGE_THIS.FreeBSD.org

change to this

*default host=cvsup15.freebsd.org

default

*default prefix=/home/ncvs

change to this

*default prefix=/usr

This is the first spot in the documentation where we really need to make sure everything is exact. Scroll all the way down to the bottom of the file and comment out EACH of these lines; when you are done it should look like this:

## Website
#
# This collection retrieves the www tree of the FreeBSD
# repository
#www

## CVSROOT control files
#
# This is to get the control files that cvs(1) needs and the commit logs.
#cvsroot-all

If you are sure everything is correct, save the file and exit your editor. At this point you should have a cvs-supfile capable of pulling down the sources, ports tree and documentation for FreeBSD, which is what you need to update your system. Before proceeding we are going to use a little creativity with the great tools provided by FreeBSD and automate this process. Now that you have read your cvs-supfile entirely, as I suggested, you can create your own shorter file that's easier to work with, which I HIGHLY recommend.

First, let's back up the original file so that if anything goes wrong you have it to refer back to.

# mv /root/cvs-supfile /root/cvs.original

Breaking out your favorite editor again, create a new shorter file that looks like what I have below and call it cvs-supfile.

*default host=cvsup15.FreeBSD.org
*default base=/var/db
*default prefix=/usr
*default release=cvs tag=RELENG_6_0
*default delete use-rel-suffix


src-all
*default tag=.
ports-all
doc-all

I know this seems like a long and winding road, but there is daylight at the end of this tunnel. You will be happy knowing you have applied all security and O/S patches to a system you have exposed to all the mischievous activity on the Internet. Below you will find the script I created to do what we need in one step. By no means do I consider myself a coder, though this script is safe to use and I use it all the time; if you know of a better way to accomplish this task, by all means share it with the rest of us. I will include it in this document and give you full credit for your work.

In your editor create this file /root/fastestupgrade.sh

#!/bin/sh
# pick the fastest US cvsup mirror; only proceed if one was found
if SERVER=`fastest_cvsup -q -c us`; then
    cvsup -h "$SERVER" /root/cvs-supfile
    # Now let's update the ports database...
    /usr/local/sbin/portsdb -Uu
    # Now let's see how badly we're out of date...
    /usr/local/sbin/portversion -vl "<"
fi

Save the file and exit your editor. A little explanation: the above script calls the fastest_cvsup executable, which searches for the fastest cvsup server from your location. It then uses that server to run your cvs-supfile and retrieve all of the goodies. Next the script calls portsdb, which manages the ports database via the INDEX file. Lastly we call portversion with the -vl switch for verbosity; this lists all packages you have installed and tells you if they are out of date, which looks similar to what you see below.

samba-3.0.20,1 <>

As you can see, at the time I did my upgrade samba was out of date; it listed the version I had installed and the newest version that has been submitted to ports. Unfortunately, updating applications installed via ports will have to be a separate document, but at least now you have some idea of which apps are out of date.


Ok, one last tidbit of info on CVS. For those folks on slow links, running low on disk space, or who simply want to be good net citizens: create a refuse file and put it in your base sup directory. With this file you tell cvsup to refuse certain files from the server; otherwise you will pull down everything, which is not harmful, it just takes up extra disk space. I like to pull down only the English-language material; this way I am not burdening the cvsup server with serving me additional language files, as I do not think I will be reading the translated German documentation for FreeBSD anytime soon :)

# cd /var/db/

Use your favorite editor to create the refuse file; with vi:

# vi refuse

If you only want the English language, make sure your refuse file looks like this:

doc/de
doc/de_*
doc/es
doc/es_*
doc/fr
doc/fr_*
doc/it
doc/it_*
doc/ja
doc/ja_*
doc/nl
doc/nl_*
doc/ru
doc/ru_*
doc/sr
doc/sr_*
doc/zh
doc/zh_*
ports/chinese
ports/french
ports/german
ports/hebrew
ports/japanese
ports/korean
ports/russian
ports/ukrainian
ports/vietnamese

Now save the file and exit your editor. This refuses all languages for documents and ports EXCEPT English. FreeBSD is constantly growing and getting new translations all the time, so I recommend browsing the FreeBSD repository to check for new translations, but at the time of this writing the above file works. I will also do my best to keep this document up to date as translations happen; I refer back to it from time to time myself, so it is in my best interest to maintain it.

It is now time for business. We are ready to start the upgrade process now that all the appropriate files are in place. As root:

# uname -a

Make note of the kernel you are currently running; you will compare this to the new kernel at the end for reference.

Now

# cd ~
# sh fastestupgrade.sh

This will take a while, but after it is complete let's start our world tour.

# cd /usr/src/

Next we will build world, then build and install our kernel. We will keep a log file of everything going on in case there are errors; if there are, you can post your log to the FreeBSD-Stable mailing list for help. Though some very complex things are going on, it is not all that difficult: the FreeBSD group has mastered this process and it usually goes without a hitch.

# script ~/buildworld
# make buildworld

You have now built world and captured the process in the /root/buildworld log file. Now end the script session by pressing Ctrl-D and you will get output like the line below.

Script done, output file is /root/buildworld

Remember, we keep these log files as insurance for each step.

# script ~/buildkernel
# make buildkernel
(press Ctrl-D)
Script done, output file is /root/buildkernel
# script ~/installkernel
# make installkernel
(press Ctrl-D)
Script done, output file is /root/installkernel
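The sequence above logs each step but does not stop when one fails, so a broken buildkernel can be followed by an installkernel of whatever happens to be on disk. As an added example, not the guide's own procedure, here is a small sh wrapper that does the job of the script(1) sessions with one log per step and returns the step's exit status, so the chain in upgrade_kernel halts at the first failure. The function names are this example's own; LOGDIR defaults to $HOME, which is /root when run as root, matching where the guide keeps its logs.

```sh
#!/bin/sh
# Logged, fail-fast build steps (added example, not from the guide).

LOGDIR="${LOGDIR:-$HOME}"   # where the per-step logs go

# run_step NAME CMD [ARGS...]
#   runs CMD, writes its output to $LOGDIR/NAME.log, returns CMD's exit status
run_step() {
  name=$1; shift
  log="$LOGDIR/$name.log"
  printf '==> %s: %s (%s)\n' "$name" "$*" "$(date)" > "$log"
  if "$@" >> "$log" 2>&1; then
    printf '==> %s: ok\n' "$name" >> "$log"
    return 0
  else
    status=$?
    printf '!! %s failed with exit status %d, see %s\n' "$name" "$status" "$log" >&2
    return "$status"
  fi
}

# upgrade_kernel: the guide's three steps, chained so a failure stops the run
# before installkernel is attempted on an unfinished build
upgrade_kernel() {
  cd /usr/src || return 1
  run_step buildworld    make buildworld    &&
  run_step buildkernel   make buildkernel   &&
  run_step installkernel make installkernel
}

# run the real upgrade only when invoked as: sh thisfile.sh upgrade
[ "${1:-}" = upgrade ] && upgrade_kernel
```

Each log starts with the command and a timestamp and ends with an "ok" marker, so `tail -n 1 /root/buildworld.log` tells you at a glance whether a step finished; a step that fails leaves its full output in the log, which is what you would attach when asking the mailing list for help.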


The above steps are for everyone using the GENERIC kernel, which I assume is most everyone reading this document. If you are already using your own custom kernel, you have already gone through these steps and probably know what you are doing. If you have inherited a system running a custom kernel, reference page 491 of the book FreeBSD Unleashed, which has everything you need, or reference the FreeBSD Handbook; either one, I'd say, is a must for your professional bookshelf.

If you have followed this document step by step, all the above steps should have completed without any errors at all; what I like to say is everything went as smooth as Stewie Griffin's bottom :) For those adults not familiar, treat yourself to a good laugh with the adult cartoon Family Guy.

Let's get back to business; now you need to boot your system into single-user mode. All of the steps above could have been done over a remote connection like ssh or a VPN, but for these next steps you will need access to the console itself.

Reboot your machine

# shutdown -r now

This will shut down all processes gracefully and begin the reboot. When your system starts to boot back up and you are given the boot options, make sure you choose option 4 so that you boot into single-user mode. Now run:

# fsck -p
# mount -u /
# mount -a -t ufs
# swapon -a

This checks the file systems, remounts / read/write, mounts all the other UFS file systems referenced in /etc/fstab and then turns swapping on.

Note: If your CMOS clock is set to local time and not to GMT (this is true if the output of the date(1) command does not show the correct time and zone), you may also need to run the following command. I would do it just to be safe if you are not sure.

# adjkerntz -i
# cd /usr/src

This may seem a little scary the first time, but so far it has been easier than it looks. For the next piece we will run mergemaster; though it is a great tool, there seems to be little documentation for it apart from the man page, which I recommend reading. This tool compares the files you are about to install in the next step with the files already on your system. When running mergemaster you will be presented with options for each file that look like this:

Use 'd' to delete the temporary .name of file
Use 'i' to install the temporary .name of file
Use 'm' to merge the temporary and installed versions or parts of them.
Use 'v' to view the diff results again
Default is to leave the temporary file to deal with by hand
How should I deal with this? [Leave it for later]

My rules of thumb on this is:

Files I don't want changed, meaning files I have edited by hand such as ntp.conf for time syncing: I just hit Enter so that I can go back later and compare and edit them by hand. There will not be many of these. Make a note of the files you need to go back and compare.

'i' is for files I haven't customized and whose changes won't affect what I want my FreeBSD box to do. Most files in mergemaster get this option; examples for me are rc.diskless, pam.conf and rc.syscons. I didn't need to customize these, and the new versions won't affect your server install, but they do need to be there.

Before we proceed we need to take out an insurance policy. As I have said, mergemaster is a very safe tool, but there is a lot of room for error given the fuzzy logic that resides between the chair and the keyboard :) We create our insurance policy simply by doing

# cp -Rp /etc /etc.old

This copies what should be all of your current config files to a backup directory /etc.old.

We are now ready to compare the old and new files.

# mergemaster -cv -w 120

This runs mergemaster verbosely, using context diffs (-c), with a screen width of 120 instead of the standard 80; at 80 columns the side-by-side view of the two files sometimes runs together. Proceed carefully and slowly, examining each file with my rule of thumb above in mind.

Now that you are done with mergemaster the scariest part of this upgrade, you are ready to wrap things up.

Now run

# cd /usr/src
# script ~/installworld
# make installworld

When this finishes with no errors, you are done except for checking your work and bringing the system back up. Type exit to end the script(1) session (the transcript is in ~/installworld), then reboot and watch the system come up, making sure all your startup scripts run; most of the time they will.

# reboot

After the system is up, take a deep breath for that sigh of relief, then make sure you booted the new kernel by running, as root or via sudo,

# uname -a

You should now be on the new kernel; compare this with the output you saved before starting the upgrade. Now try tools such as ps and top; they should work without error (they read kernel data structures, so they are the first things to break when world and kernel are out of step). Now go pat yourself on the back, get your favorite beverage, hold your head high with your chest out and feel proud of what you have just accomplished.
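As an added example that is not part of the original guide, here is a small script for auditing the mergemaster results before trusting the reboot. It lists every file under /etc that now differs from the /etc.old insurance copy, and every file mergemaster left in its temproot (assumed here to be the default /var/tmp/temproot) because you answered "leave it for later"; those are the ones the rule of thumb above says to merge by hand. Directory paths are parameters, so the functions can be exercised on any pair of trees.

```shell
#!/bin/sh
# Added example, not from the original guide: audit what mergemaster did.
# Usage on the upgraded box:  run_report /etc.old /etc /var/tmp/temproot/etc
# (/var/tmp/temproot is mergemaster's default temproot; an assumption here.)
set -u

# Print "changed <file>" or "added <file>" for every regular file under NEW
# that is missing from OLD or differs from it. Paths are relative to NEW and
# sorted, so two runs are directly comparable.
changed_files() {
    old="$1"; new="$2"
    (cd "$new" && find . -type f | sed 's|^\./||' | sort) | while read -r f; do
        if [ ! -f "$old/$f" ]; then
            echo "added   $f"
        elif ! cmp -s "$old/$f" "$new/$f"; then
            echo "changed $f"
        fi
    done
}

# Files still sitting in temproot: the ones you answered "leave it for later"
# to, which must be merged by hand against the installed copy.
leftover_files() {
    [ -d "$1" ] || return 0
    (cd "$1" && find . -type f | sed 's|^\./||' | sort)
}

# How many files still await a manual merge (0 when temproot is gone).
leftover_count() {
    leftover_files "$1" | wc -l | tr -d ' '
}

run_report() {
    echo "== files under $2 that differ from the $1 backup =="
    changed_files "$1" "$2"
    echo "== files left in $3 for manual merging =="
    leftover_files "$3"
    echo "$(leftover_count "$3") file(s) still need a hand merge; diff each against $2"
}
```

Run run_report as root once mergemaster has finished; anything it lists under "changed" that you expected to keep your own version of (ntp.conf, say) is a file to restore from /etc.old before rebooting.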

References

As I said, when I first completed this task years ago there was a lot of documentation, but it was very piecemeal. I had a bunch of separate notes in one document, all out of place, that I used to reference from time to time. While putting my website together I took those notes and turned them into this easy walk-through guide. There does seem to be a bit more information to be found with a simple Google search now, but it still seems more complicated and scary for a first-time upgrader than it needs to be, which again is the reason for this document.

Hints and Tips


It is always recommended that you keep a good backup. I was blessed with a NAS as a gift from my wife that serves this purpose for me. It is connected to my network and I use rsync to back up to it. It works out great because very few hours get put on the drive, as it is only powered on for my weekly backup, which is good enough for a home server. A USB drive could also serve this function. I strongly recommend that you come up to speed on rsync and start using it. You can get started by visiting


How to install The Ultimate Media Server - Apache+SSL , PHP, MySQL and Jinzora

Concept

I started this project to create the ultimate multimedia server using only open-source tools and applications. Some of you may be thinking along the lines of a TiVo device; no, the goal was a hosting server on my business broadband connection so that I can listen to my MP3s from anywhere with an Internet connection, while keeping it all as secure as possible.

General Information

This guide leads you through creating an SSL-based web server able to stream your media across the World Wide Web. Before embarking on this journey I highly recommend reading this document in full before executing any of it. You may find pointers in the tips and tweaks section that you can apply during installation to make it even easier and a one-time job.

You will also notice Blue Font type and Underlined type used throughout this documentation. These are actual www links provided to make finding things a bit easier for you.

Requirements

1) Base install of FreeBSD and Ports, preferably FreeBSD 6, which was the latest stable production release at the time of writing.

2) A public domain name for WWW access.

3) Some sort of Internet connectivity, either broadband or a business connection such as a T1. I recommend an upstream bandwidth of at least 384 kbps.

4) Your favorite text editor. I prefer vi, but there are others such as Emacs and Pico.

5) A Very large hard drive or at least large enough to hold all of your media for your server.

Installation

Now let's get to the fun part of this document. As I stated, this guide is based on FreeBSD 6, which you should have installed; there is so much documentation on installing FreeBSD that I will not walk you through that, not to mention it is one of the easiest UNIXes to install. If you do need help, you can always visit The FreeBSD Handbook. After the base install I made sure I had the latest versions of these applications in ports by using CVS to fetch the current ports collection. Updating Ports is also an easy task and well documented by the FreeBSD project.

The first thing we will tackle is installing Apache 1.3 with SSL. Apache currently has three development lines: Apache 1.3, Apache 2.0 and the recently released Apache 2.2. At the time of this writing I still preferred Apache 1.3 (call me old school); it had been around for a very long time, was still the most widely deployed web server on the Internet, and the Apache team was still issuing security patches for it. Visit Apache's website to see the differences between the versions.

Install Apache1.3 and SSL from ports

Log in to your server via the console or ssh and make sure you have root privileges. Every line beginning with # is a command executed on the server as root.

# cd /usr/ports/www/apache13-modssl
# make install

The above installs apache13-modssl with its configuration in /usr/local/etc/apache/.

# echo 'apache_enable="YES"' >> /etc/rc.conf
# echo 'apache_flags="-DSSL"' >> /etc/rc.conf

These commands make sure Apache starts at boot, with SSL enabled. See, I told you it was not that hard; all it takes is a little time, patience and the desire to follow through. Now on to installing MySQL Server.

Install MySQL Server with SSL Support

# cd /usr/ports/databases/mysql41-server
# make install WITH_OPENSSL=yes

Go grab a coke or your favorite beverage, as this may take a while; when it is done you will have installed MySQL Server with SSL support.

Next we will make sure that MySQL Server starts up on bootup

# echo 'mysql_enable="YES"' >> /etc/rc.conf

Next we set the root password for MySQL, which should NOT be the same password as the system root user. Two things have to happen first: the default grant tables must exist, and the server must be running, since mysqladmin talks to a live server. So initialize the data directory:

# mysql_install_db --user=mysql

Then start the server (/usr/local/etc/rc.d/mysql-server start, as shown in the Jinzora section below) and set the password. I use the one-liner below because I am in the comfort of my own home with no one looking over my shoulder; be aware that a password given on the command line is visible in ps(1) output to other users while the command runs and ends up in your shell history. The interactive alternative is described in the MySQL documentation.

# mysqladmin -u root password newpassword

That's it for MySQL; this rocks, does it not?

PHP Support

During the steps below a PHP configuration screen will pop up; don't worry, this is expected. Make sure you check the OpenSSL box and the GD Image support box.

# cd /usr/ports/www/mod_php4
# make install clean
# cd /usr/ports/lang/php4-extensions
# make install clean

The above installs php4 support needed by our multimedia streaming server and Apache.

Next we edit the Apache configuration file so that it hands .php files to the PHP module. Add the two lines below to httpd.conf after the "LoadModule" lines, within the same section:

# vi /usr/local/etc/apache/httpd.conf
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps

This next section is the hardest part of the installation, only because it requires more attention to detail due to the number of questions asked. So if you are getting tired, take a break here and come back later. If you feel like continuing, let's go for it, because you are about three quarters of the way to the end.

Generate Self Signed Certificate

Here we create a self-signed certificate for our Apache server. You can instead have a certificate signed by a public authority such as Verisign or Thawte; their services cost money, unlike signing your own. The advantage of a publicly signed certificate is trust: browsers accept it without a warning. With a self-signed certificate every client gets a warning the first time, and you should verify the certificate's fingerprint out of band before accepting it, because otherwise anyone on the network path could present a self-signed certificate of their own in its place. For this type of installation I am perfectly comfortable using self-signed.

Change directory to wherever you want to keep the certificate files; I chose root's home directory, and from there I copy them to where Apache expects them.

# cd ~
# openssl genrsa -des3 -out server.key 1024

You are asked for a passphrase here. Make sure you remember it, or write it down TEMPORARILY, because you will need it again. A note on the key size: 1024-bit RSA was the norm when this was written but is no longer considered adequate; use 2048 bits or more for anything created today.

# openssl req -new -key server.key -out server.csr

You have now created the CSR (Certificate Signing Request) for the key from the previous step. It asks for the passphrase you just chose, and then for a number of other fields; the most important is "Common Name", which must be the FQDN clients will connect to. For example, my certificate is for https://www.digitalrage.org, so the "Common Name" is www.digitalrage.org. If you get ahead of yourself and do not enter it properly, that is OK; you can simply run this step again. Now self-sign the certificate, making it valid for 365 days.

# openssl x509 -req -days 365 -in /root/server.csr -signkey /root/server.key -out /root/server.crt

Now copy the files to the directories Apache reads them from. The key must stay readable by root only.

# cp ~/server.key /usr/local/etc/apache/ssl.key/
# cp ~/server.crt /usr/local/etc/apache/ssl.crt/

You made it through creating and signing your certificate and putting it in place for Apache to use. I suggest that in your spare time you read through the OpenSSL documentation and FAQ so that you understand a bit more about certificates and what you have just done. You have now installed everything needed to get to the exciting part we have been working towards: installing Jinzora, the application that gives us the web-based interface for streaming our favorite music across the Internet, whether to that lonely hotel room on business travel or to any PC in the home.
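As an added example that is not from the original guide, here are the three openssl steps above done non-interactively, followed by the checks worth running before the files go into place: that the Common Name is what you intended, and that the certificate really belongs to the key. It goes a little beyond the guide by also wrapping the passphrase removal from tip 5 of the tweaks section in a function, so the encrypted and plain key states can be told apart. The hostname www.example.com, the passphrase and the temporary directory are placeholders; the only requirement is openssl(1).

```shell
#!/bin/sh
# Added example (not part of the original guide): key / CSR / self-signed
# certificate without prompts, plus the checks to run before copying the
# files into /usr/local/etc/apache/ssl.key and ssl.crt.
# Assumes openssl(1) in PATH. CN, PASS and WORK are placeholders.
set -eu
umask 077                               # key material is created mode 600

WORK="${WORK:-$(mktemp -d)}"
CN="${CN:-www.example.com}"             # use the FQDN clients will connect to
PASS="${PASS:-placeholder-passphrase}"  # passphrase protecting server.key

# 1. Private key. The guide used 1024-bit RSA with -des3; 2048 bits and
#    AES-256 are the smallest choices still acceptable today.
make_key() {
    openssl genrsa -aes256 -passout "pass:$PASS" \
        -out "$WORK/server.key" 2048 2>/dev/null
}

# 2. CSR. -subj answers the questions non-interactively; CN must be the FQDN.
make_csr() {
    openssl req -new -key "$WORK/server.key" -passin "pass:$PASS" \
        -subj "/CN=$CN" -out "$WORK/server.csr"
}

# 3. Self-sign the request for 365 days with the same key.
self_sign() {
    openssl x509 -req -days 365 -in "$WORK/server.csr" \
        -signkey "$WORK/server.key" -passin "pass:$PASS" \
        -out "$WORK/server.crt" 2>/dev/null
}

# Check 1: the CN that actually ended up in the certificate (handles both
# the "subject= /CN=x" and the "subject=CN = x" output styles).
cert_cn() {
    openssl x509 -in "$WORK/server.crt" -noout -subject | sed 's/.*CN *= *//'
}

# Check 2: certificate and key belong together (identical RSA modulus).
# Apache will not start with a mismatched pair.
key_matches_cert() {
    kmod=$(openssl rsa -in "$WORK/server.key" -passin "pass:$PASS" \
        -noout -modulus 2>/dev/null)
    cmod=$(openssl x509 -in "$WORK/server.crt" -noout -modulus)
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]
}

# Check 3: is a PEM key still passphrase-protected? Prints "encrypted"/"plain".
key_state() {
    if grep -q ENCRYPTED "$1"; then echo encrypted; else echo plain; fi
}

# Tip 5 of the guide: write an unencrypted copy so httpd can start unattended.
# Keep it root-only; anyone who can read it can impersonate the site.
strip_passphrase() {
    openssl rsa -in "$WORK/server.key" -passin "pass:$PASS" \
        -out "$WORK/server.key.plain" 2>/dev/null
    chmod 600 "$WORK/server.key.plain"
}

make_key
make_csr
self_sign
echo "CN in certificate: $(cert_cn)"
key_matches_cert && echo "key and certificate match"
echo "server.key is $(key_state "$WORK/server.key") (files in $WORK)"
```

Run it with CN set to your real hostname; the modulus comparison in key_matches_cert is the quickest way to catch the classic mistake of copying a freshly regenerated certificate next to an old key.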

Installation of Jinzora

Begin by downloading the tar.gz file from Jinzora's website. I downloaded it to my /tmp directory, extracted it there and copied it into Apache's document root, which by default is /usr/local/www/data/.

# cd /tmp
# tar -zxvf jinzora-X.X.tar.gz
# mkdir /usr/local/www/data/jinzora/
# cp -R /tmp/jinzora/ /usr/local/www/data/jinzora/

Next make sure the proper permissions are set on the jinzora directory we just created. Do this by running the script the Jinzora staff has kindly included to set all file ownerships and permissions properly and securely.

# cd /usr/local/www/data/jinzora
# sh configure.sh

We are just about there: we need to create our Jinzora database, start our services, then finish up.

Create the database Jinzora will use; you will need the MySQL root password you set earlier. The grant below is deliberately narrow: the Jinzora user gets a limited set of privileges, only on the jinzora database, and only from localhost. Replace 'password' with a real one and give the same value to Jinzora's installer.

# mysql -p
mysql> create database jinzora;
Query OK, 1 row affected (0.00 sec)
mysql> grant select,insert,update,create,delete
    -> on jinzora.*
    -> to jinzorauser@'localhost'
    -> identified by 'password';
Query OK, 0 rows affected (0.04 sec)
mysql> \q

Next we tie it all together by starting Apache and MySQL Server so that you can finish the Jinzora install. (rehash is a csh/tcsh builtin that makes the shell notice the newly installed binaries; it is not needed in sh.)

# rehash
# apachectl startssl
# /usr/local/etc/rc.d/mysql-server start

These should start without any issues; if not, it is most likely a permissions error. Pay attention to the error and correct it before moving on, but on a fresh installation, as this guide assumes, there should not be any.

All that is left is to make sure you have copied your media to the server (I put mine in /media) and then point your web browser to http://yoursite/path/to/jinzora/index.php; in my case that is https://www.digitalrage.org/jinzora/index.php. From here on it is all browser-based and very simple. The Jinzora staff has put a lot of work into making this as easy as possible; follow their instructions and on-screen prompts and you should be up and running within 5 minutes. If you need support, there is a support forum and also premium support at a reasonable price from the Jinzora staff.

Server Configuration Tips/Living Document

This part of the document I refer to as the Tweaks section or Living Document section, because it will surely change as tweaks are made and comments come in from readers. First and foremost, visit the Tips and Tweaks Jinzora forum every now and again for the latest discoveries.

1) By default Apache logs to one file, and there is a big misconception that it is difficult to rotate the logs at a given interval so that a single file does not grow enormous and hard to manage. Every version of Apache ships with rotatelogs; on this machine it lives in /usr/local/sbin/rotatelogs. Edit /usr/local/etc/apache/httpd.conf and change these lines

CustomLog /var/log/httpd-access.log combined
TransferLog /var/log/httpd-access.log

to look like

CustomLog "|/usr/local/sbin/rotatelogs /var/log/apachelog 86400" combined
TransferLog "|/usr/local/sbin/rotatelogs /var/log/apachelog 86400"

This is what Apache calls piped logging: an external program bundled with Apache receives the log lines and starts a new file every 86400 seconds (24 hours), with the start time appended to the name given. Keep in mind that if CustomLog and TransferLog are in the same context (both in the main server, or both inside the SSL VirtualHost), every request is written twice; one of the two is enough there. More details can be found in the Apache documentation.

2) Before installing Jinzora, organize your media/MP3s as /genre/artist/album title/track. Then during installation choose the file-system-based layout rather than the ID3-based one; this gives speed advantages and better control. Not to mention that if you are not careful about ripping your CDs and getting the ID3 tags right, you will end up with a slow import and a messy site.

3) At the very end of the PHP installation you were told to copy /usr/local/etc/php.ini-dist to /usr/local/etc/php.ini; make sure you do not skip this step. PHP is a very important part of Jinzora, as it is written in that language. I have noticed on very large Jinzora installations (which I would classify as over 5 GB of media) that you need to change this file. After copying it, edit the section shown below. These are the parameters I use; they depend on how much memory your machine has, so they may not be optimal for you. My machine has 1 GB of memory and this turned out to be the sweet spot for me; Jinzora simply screams.

;;;;;;;;;;;;;;;;;;;
; Resource Limits ;
;;;;;;;;;;;;;;;;;;;

max_execution_time = 300    ; Maximum execution time of each script, in seconds
max_input_time = 60         ; Maximum amount of time each script may spend parsing request data
memory_limit = 64M          ; Maximum amount of memory a script may consume (the php.ini-dist default is 8M)

4) By default MySQL runs fine, but there are some tweaks I have found very helpful, especially for speeding up Jinzora. MySQL includes four template files for tuning: my-huge.cnf, my-large.cnf, my-medium.cnf and my-small.cnf, named for the size of system and the load you expect the database to handle. I copied /usr/local/share/mysql/my-medium.cnf to /var/db/mysql/my.cnf, which is where MySQL looks for it, and then made the changes below. Before tweaking this file, at least read the MySQL Getting Started documentation, because with the wrong values you can bring your system to its knees. The AdminZone has a popular thread about tuning MySQL for speed, though it is starting to age; a quick Google search on the topic gives plenty of information.

Configuration changes I made to my my.cnf that really made a speed difference in Jinzora:

key_buffer = 64M
max_allowed_packet = 16M
table_cache = 1024
join_buffer_size = 2M
sort_buffer_size = 4M
read_buffer_size = 2M
myisam_sort_buffer_size = 64M
thread_cache = 8
# Try number of CPUs*2 for thread_concurrency
thread_concurrency = 2
max_connections = 200
max_user_connections = 200
query_cache_limit = 1M
query_cache_size = 32M
query_cache_type = 1

5) Make a few Apache tweaks for a lightly used site so it does not eat up so many resources. The defaults are fine, but I prefer to change a couple of settings. Edit the file with

# vi /usr/local/etc/apache/httpd.conf

and set the following directives. Unlike the command lines elsewhere in this guide, these are configuration lines, and a leading # in httpd.conf turns a line into a comment, so enter them without it:

KeepAliveTimeout 5
MaxClients 75
ServerAdmin webmaster@yourdomain.com
ServerName www.yourdomain.com

The following is the default, but make sure it is set this way so that Apache does not waste resources or get bogged down doing reverse DNS lookups for every visitor:

HostnameLookups Off

Also, when starting Apache with SSL you will be prompted for the passphrase you used when creating the key, because the key is stored encrypted. *****One BIG thing to note here: on reboot the box will NOT come up all the way until the passphrase has been typed in.***** So if the box is hosted remotely and you have no console to it, I recommend getting console access through some kind of console server. If that is not possible, as a last resort you can remove the encryption from the key. Understand what this means: the key is then protected only by file permissions, and anyone who can read it can impersonate your site, so both the new key and the .orig copy below must be owned by root and readable only by root (mode 600), or the copy deleted once you have a proper backup. If you are sure you wish to do this, follow the steps below.

# cd /usr/local/etc/apache/ssl.key
# cp server.key server.key.orig
# openssl rsa -in server.key.orig -out server.key

6) All packages in this guide were installed from ports. I tried to include the process of updating the ports tree with CVS before installing, but it made the document far too long. The FreeBSD Handbook has a very easy walk-through of installing cvs and updating ports. I have written a few simple scripts that make the process a little easier, which will appear in a separate document, so stay tuned and watch for the FreeBSD Upgrading Ports document at http://www.digitalrage.org
