Journal
Why New Way of Partitioning a FreeBSD System is Better Than Old Way
Friday, 03 February 2012
If you've installed FreeBSD 9.x you've noticed you only have three partitions. Distinct partitions for /tmp and /var are missing in the default installation.
Let's call this the new way.

Here is how the partition scheme is laid out:
- first partition: freebsd-boot
- second partition: freebsd-ufs  - used for / (root) (journaled soft-updates)
- third partition: freebsd-swap

The old default partition scheme way was:
- first: /  (ufs)
- second: swap
- third: /tmp (ufs + soft updates)
- fourth: /var (ufs + soft updates)
- fifth: /usr (ufs + soft updates )

Why is the new way better? Well, you will not end up without disk space on one partition. For example, in the old way, if you did not allocate enough space for /var and you have lots of emails or MySQL databases, you could run out of disk space. If you allocated too much space and then did not need it, it would be wasted.

So the new way is better. Is it safe? Well, it is, because the root partition in the new way uses journaled soft-updates. That means it is faster than plain UFS (which was used for / on old FreeBSD) because of soft updates, and protected because of journaling.

One thing to mention: using a single partition for the whole system (except swap) has been practice on Linux for a long time, for the same reason of saving disk space.

Let's hope this new way will end the debate on "what is the best approach to partitioning a FreeBSD/Unix/Linux machine" for production use.

Last Updated ( Friday, 03 February 2012 )
 
Protect Your Web Server Against Exploits with mod_security
Friday, 03 February 2012
A very useful tool for protecting your web server against exploits, especially exploits aimed at web apps installed on your server, and also against spam, is mod_security, a module for the Apache web server.

  cd /usr/ports/www/mod_security
  make install clean


This is just a quick tip for today. A complete tutorial on how to configure mod_security will be made available in another section of this site.

 
Test Your Web Server for Vulnerabilities with nikto
Friday, 03 February 2012
You can scan your web server for vulnerabilities with a nice tool called nikto, available from FreeBSD ports/packages.

We first install nikto:

  cd /usr/ports/security/nikto
  make install clean ; rehash


then, we test for vulnerabilities:

  nikto -h www.example.com

Last Updated ( Friday, 03 February 2012 )
 
Run a Screen Saver in FreeBSD Console Without Restarting the Machine
Thursday, 02 February 2012
Let's say you've just installed FreeBSD on a laptop and you are rebuilding world and kernel and you want to run a screen saver without rebooting the machine and interrupting the building process.

In this case do the following steps:

Set the screen saver to be activated at boot by adding the following line to /etc/rc.conf:

  saver="blank"

Load the saver module (for our example we want the blank screen saver):

  kldload blank_saver

Then run vidcontrol with the -t option, which sets the saver timeout to that many seconds of inactivity:

  vidcontrol -t 10

 
Fixing Proftpd FTP When Working With a Firewall
Thursday, 02 February 2012
If your ProFTPD FTP server is not reachable even though you've allowed ports 20, 21 and the upper ports (higher than 50000, used for passive FTP transfers) in your firewall, and you get the following error in your proftpd log file:

proftpd[48202] localhost (...): Passive data transfer failed, possibly due to network issues
proftpd[48202] localhost (...): Check your PassivePorts and MasqueradeAddress settings,
proftpd[48202] localhost (...): and any router, NAT, and firewall rules in the network path.
proftpd[48202] localhost (...): FTP no transfer timeout, disconnected
proftpd[48202] localhost (...): FTP session closed.

then the problem is that you did not configure the upper (passive) ports in your ProFTPD server config file, /usr/local/etc/proftpd.conf.

To fix the problem add the following line in /usr/local/etc/proftpd.conf:

  PassivePorts 50000 60000

Note! Don't forget to allow ports 20, 21 and ports > 50000 in your firewall rules.
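As an added example (not part of the original post), here is a small POSIX sh check that reads the PassivePorts directive from a proftpd.conf excerpt and confirms that one inbound tcp pass rule in pf.conf covers the whole range. Both config excerpts are constructed, and the rule parser assumes plain "pass in ... proto tcp ... port N" or "port lo:hi" rules.

```shell
#!/bin/sh
# Added example, not part of the original post. Verifies that the PassivePorts
# range in proftpd.conf is fully covered by one "pass in ... proto tcp ... port"
# rule in pf.conf. Both config excerpts below are constructed for the example.

PROFTPD_CONF='ServerName "Example FTP"
PassivePorts 50000 60000'

PF_CONF='ext_if="em0"
pass in quick on $ext_if proto tcp from any to any port 21
pass in quick on $ext_if proto tcp from any to any port 50000:60000'

# passive_ports: read proftpd.conf on stdin, print "lo hi" from the PassivePorts
# directive; status 1 when it is missing or malformed, which is exactly the
# situation that produces the "Passive data transfer failed" log lines above.
passive_ports() {
    while read -r key lo hi _; do
        [ "$key" = PassivePorts ] || continue
        case "$lo:$hi" in *:|:*|*[!0-9:]*) return 1 ;; esac
        [ "$lo" -le "$hi" ] || return 1
        printf '%s %s\n' "$lo" "$hi"
        return 0
    done
    return 1
}

# pf_tcp_ranges: read pf.conf on stdin, print "lo hi" for the port spec of every
# inbound tcp pass rule (a single port N is printed as "N N").
pf_tcp_ranges() {
    while read -r line; do
        case "$line" in 'pass in'*'proto tcp'*'port '*) ;; *) continue ;; esac
        port=${line##*port }
        port=${port%% *}
        case "$port" in
            *:*) printf '%s %s\n' "${port%%:*}" "${port#*:}" ;;
            *)   printf '%s %s\n' "$port" "$port" ;;
        esac
    done
}

# passive_ports_allowed PROFTPD_TEXT PF_TEXT: 0 if some rule covers the whole
# passive range, 1 if no single rule does, 2 if PassivePorts is not configured.
passive_ports_allowed() {
    range=$(printf '%s\n' "$1" | passive_ports) || return 2
    plo=${range% *}
    phi=${range#* }
    printf '%s\n' "$2" | pf_tcp_ranges | while read -r flo fhi; do
        if [ "$flo" -le "$plo" ] && [ "$phi" -le "$fhi" ]; then echo covered; fi
    done | grep -q covered
}

passive_ports_allowed "$PROFTPD_CONF" "$PF_CONF" && echo "passive range 50000-60000 is covered by pf"
```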

 
Automatically Rescale Images in FreeBSD with ImageMagick
Wednesday, 01 February 2012
To automatically rescale images in FreeBSD we will use ImageMagick.

We first install ImageMagick:

  cd /usr/ports/graphics/ImageMagick
  make install clean; rehash


Then we use the convert tool from ImageMagick to do the scaling:

  convert image1.png -resize 85% image_rescaled.png

The previous example scales image1.png to 85% of its original size and saves the result to image_rescaled.png.
 
Last Updated ( Wednesday, 01 February 2012 )
 
Develop For Web in FreeBSD with Aptana Studio
Wednesday, 01 February 2012
You can easily develop for the Web on a FreeBSD system in CSS3, HTML5 and JavaScript with Aptana Studio (based on Eclipse):

  cd /usr/ports/java/eclipse-aptana2
  make install clean

There's also another Eclipse-based app for developing Ruby on Rails apps:

  cd /usr/ports/java/eclipse-aptana-radrails
  make install clean; rehash


Note! You must install Java first, since Aptana is based on Eclipse, which requires Java.

Last Updated ( Wednesday, 01 February 2012 )
 
Kill all Processes for a Jail
Wednesday, 01 February 2012
We can kill all processes of a jail with the killall command. For example:

  killall -j 2

will kill all processes for jail 2.

To find the id of a jail instance, run on the host machine:

  jls

Last Updated ( Wednesday, 01 February 2012 )
 
Display Jail IDs of Processes on a Machine With ps
Wednesday, 01 February 2012
You can display the jail IDs of all processes on a machine with the ps command and the jid output keyword:

  ps -o pid,jid -awux

 
top Command Wrapper for Jails with jtop
Wednesday, 01 February 2012
You can display the processes of your jails with a top-like tool, the jtop app:

  cd /usr/ports/sysutils/jtop
  make install clean; rehash


  jtop

 
Restricting Jail Options
Wednesday, 01 February 2012
You can restrict jail info and some access features of jails with the jail-related sysctl variables. Just modify the value of one of those sysctl variables, which can be listed with:

  sysctl -a | grep jail

 
Start KDE Server After FreeBSD Boot with KDM
Wednesday, 25 January 2012
If you want KDE4 to start automatically after the boot process (via KDM), add the following line to the /etc/rc.conf file:

  kdm4_enable="YES"

 
Running X.org Applications Remotely Via SSH
Wednesday, 25 January 2012
You can run X.org applications remotely via SSH by connecting to an Xorg server/machine using:

  ssh -X user@10.0.0.10
or
  ssh -X -Y user@10.0.0.10

where:
  10.0.0.10 is the Xorg server machine and user is your login name on that machine.

On 10.0.0.10 you must have the following options uncommented in the /etc/ssh/sshd_config file:

  X11Forwarding yes
  X11DisplayOffset 10
  X11UseLocalhost yes


Last Updated ( Wednesday, 25 January 2012 )
 
Protect Server Against Brute Force SSH Attacks and Other Attacks
Saturday, 21 January 2012
In order to protect our machine against brute force SSH attacks we will use the sshguard-pf app from FreeBSD ports:

  cd /usr/ports/security/sshguard-pf
  make install clean ; rehash


The sshguard-pf app works by reading log files. Please note that this app will also protect our server against:
- sendmail, exim, dovecot, cucipop, UW IMAP brute force attacks
- proftpd, vsftpd, pure-ftpd, FreeBSD's ftpd brute force attacks


To configure sshguard for SSH brute force protection, edit your /etc/pf.conf file and add the following lines:

  table <sshguard> persist
  block in quick on $ext_if proto tcp from <sshguard> to any port 22 label "SSH bruteforce atempt"


Note: Make sure these rules are added to the proper sections of pf.conf.

Then edit the /etc/syslog.conf file and add/uncomment the following line:

  auth.info;authpriv.info     |exec /usr/local/sbin/sshguard

Now restart your syslog service:

  /etc/rc.d/syslogd restart

To check whether an attacker's IP has been added to the sshguard table of your PF firewall, run:

  pfctl -Tshow -tsshguard

Last Updated ( Saturday, 21 January 2012 )
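To make the mechanism concrete, here is an added example (not from the post and not sshguard's own code) of the per-source counting a log-watching guard performs, run over constructed sshd log lines; the threshold, host name and addresses (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges) are assumptions, and the pfctl commands are only printed, never executed.

```shell
#!/bin/sh
# Added example, not from the post and not sshguard's own code: the per-source
# counting a log-watching guard performs, run over constructed sshd log lines
# (203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges).

SAMPLE_AUTH_LOG='Jan 21 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 21 10:00:03 host sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 21 10:00:05 host sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51300 ssh2
Jan 21 10:00:07 host sshd[1205]: Failed password for invalid user test from 203.0.113.5 port 51322 ssh2
Jan 21 10:01:00 host sshd[1210]: Failed password for mark from 198.51.100.7 port 40022 ssh2
Jan 21 10:01:04 host sshd[1210]: Accepted password for mark from 198.51.100.7 port 40022 ssh2'

# failed_logins_by_ip: read auth log lines on stdin, print "count ip" for every
# source address that produced an sshd "Failed password" message.
failed_logins_by_ip() {
    awk '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) print n[ip], ip }
    ' | sort -k2
}

# offenders THRESHOLD: print the source IPs with at least THRESHOLD failures,
# i.e. what a guard would put into the <sshguard> table from pf.conf above.
offenders() {
    failed_logins_by_ip | while read -r count ip; do
        if [ "$count" -ge "$1" ]; then printf '%s\n' "$ip"; fi
    done
}

# pf_add_commands THRESHOLD: print, without running them, the pfctl commands
# that would add each offender to the table; "pfctl -t sshguard -T show" would
# then list them.
pf_add_commands() {
    offenders "$1" | while read -r ip; do
        printf 'pfctl -t sshguard -T add %s\n' "$ip"
    done
}

printf '%s\n' "$SAMPLE_AUTH_LOG" | pf_add_commands 4
```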
 
Add Swap Space to Your FreeBSD System
Tuesday, 17 January 2012
Let's say you've booted FreeBSD on a different machine and the drive name changed. For example, instead of ada0p5 your swap partition is now ada2p5 (your drive is seen as ada2 instead of ada0). Until you change fstab, you can manually enable the new partition as swap using the swapon command:

  swapon /dev/ada2p5

If you are not sure which partition is the swap partition, you can find that out with:

  gpart show

Last Updated ( Tuesday, 17 January 2012 )
 
Connect to an FTP server from Midnight Commander using username/password stored in .netrc file
Wednesday, 11 January 2012
If you want to connect to an FTP server from Midnight Commander, you can save your username and password in a file that the Midnight Commander FTP client will use. This is useful when you have lots of FTP servers and you want to connect using only the host name of the FTP server, with the username and password taken from that file.

This is also useful when your FTP server username is in username@domainname format and you cannot enter username@domainname@domainname in Midnight Commander.

So, in order to do that, create a file called .netrc in the home directory of your user account. Then set the permissions of that file to 600 and make your local user the owner of the file.

Then, to add records to that file, enter each one on a separate line in the following form:

machine yourdomain.com login mark password yourpasshere

You will only modify:
  yourdomain.com - use your FTP server name
  mark - put your FTP username instead
  yourpasshere - put your FTP password instead

The keywords machine, login and password remain unchanged.

Last Updated ( Wednesday, 11 January 2012 )
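As an added example (not part of the original post or of Midnight Commander), here is a POSIX sh helper that checks a .netrc file has the permissions and owner described above before anything reads it, and that looks up the login stored for a host; the file name and host are assumptions, and the check uses ls -ld rather than stat because stat's flags differ between FreeBSD and Linux.

```shell
#!/bin/sh
# Added example, not from the post: verify that a .netrc file is mode 600 and
# owned by the current user (as the post prescribes) before trusting it, and
# look up the login recorded for a given FTP host. File name and host assumed.

NETRC="${HOME}/.netrc"

# netrc_perms_ok FILE: 0 when FILE is a regular file with owner-only rw bits
# and is owned by us. ls -ld is used because stat(1) flags differ across OSes.
netrc_perms_ok() {
    [ -f "$1" ] || return 1
    set -- $(ls -ld "$1")   # -rw------- 1 owner group size date name
    case "$1" in -rw-------*) ;; *) return 1 ;; esac   # group/world bits must be off
    [ "$3" = "$(id -un)" ]
}

# netrc_login_for FILE HOST: print the login for HOST; status 1 if absent.
# The machine/login/password keywords may sit on one line or span several,
# as .netrc allows; the "default" entry is not handled here.
netrc_login_for() {
    awk -v want="$2" '
        {
            for (i = 1; i <= NF; i++) {
                if ($i == "machine") { cur = $(i + 1); i++ }
                else if ($i == "login" && cur == want) { print $(i + 1); found = 1; exit }
            }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

if netrc_perms_ok "$NETRC"; then
    echo "$NETRC permissions look right"
else
    echo "$NETRC is missing or too permissive; fix with: chmod 600 $NETRC" >&2
fi
```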
 
Use Unique IDs in /etc/fstab to prevent booting errors in FreeBSD
Tuesday, 10 January 2012
If, for example, we add a new SATA controller, the drive order might change and our FreeBSD system will not boot. To prevent that we can use the file systems' unique IDs in /etc/fstab instead of partition names.

To do that we first find the unique ID of the mounted partition using dumpfs (the example is for the partition mounted on /):

  dumpfs / | grep id

We will get:

superblock location    65536    id    [ 4ecd076f 51229e38 ]
volname        swuid    0


Then we edit /etc/fstab and add the id for the / partition:

/dev/ufsid/4ecd076f51229e38    /        ufs    rw    1    1

We can repeat the process for every partition that will be mounted at boot time using /etc/fstab.
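The two steps above can be scripted; the following is an added example (not from the post) that extracts the id from the dumpfs line shown and builds the matching fstab entry. The dumpfs output is constructed from the values in the post, and the fsck pass number argument is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original post. Extracts the file system id from
# the dumpfs line quoted above and builds the matching /etc/fstab entry.
# SAMPLE_DUMPFS is constructed from the values shown in the post.

SAMPLE_DUMPFS='superblock location    65536    id    [ 4ecd076f 51229e38 ]
volname        swuid    0'

# ufsid_from_dumpfs: read "dumpfs <mountpoint> | grep id" output on stdin and
# print the id as the 16 hex digits /dev/ufsid/ expects (the two bracketed
# words joined); status 1 if no well-formed id line is present.
ufsid_from_dumpfs() {
    while IFS= read -r line; do
        case "$line" in 'superblock location'*' id '*'['*']'*) ;; *) continue ;; esac
        set -- $line                                  # split into words on purpose
        while [ $# -gt 0 ] && [ "$1" != '[' ]; do shift; done
        [ $# -ge 3 ] || continue
        id="$2$3"
        case "$id" in *[!0-9a-f]*) continue ;; esac   # must be lowercase hex
        [ ${#id} -eq 16 ] || continue
        printf '%s\n' "$id"
        return 0
    done
    return 1
}

# fstab_entry ID MOUNTPOINT [PASS]: print the fstab line; dump frequency is 1 as
# in the post, fsck pass defaults to 1 (use 2 for file systems other than /).
fstab_entry() {
    printf '/dev/ufsid/%s\t%s\tufs\trw\t1\t%s\n' "$1" "$2" "${3:-1}"
}

if id=$(printf '%s\n' "$SAMPLE_DUMPFS" | ufsid_from_dumpfs); then
    fstab_entry "$id" /
else
    echo "no ufsid found in dumpfs output" >&2
fi
```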

 
Show a complete line of a ps output command
Friday, 09 December 2011
If you've run the ps command but you only see a small portion of the command parameters of some process you want to inspect, there's a way to see more of it. To accomplish that we use ps -awuxwww:

For example, we see (with the top command) that find is running on our system but we want to see more info:

running ps -awux will output:

# ps -awux | grep find
root  10107  16.6  0.1  18248   5896  ??  D     6:01PM    10:31.91 find -sx / /mnt/floppy /mnt/tank /mnt/tankfs /dev/null -type f ( ( ! -per

But we notice this is not the complete find command. If we run:

#  ps -awuxwww | grep find
root  10107  11.8  0.1  18248   5896  ??  D     6:01PM    10:02.47 find -sx / /mnt/floppy /mnt/tank /mnt/tankfs /dev/null -type f ( ( ! -perm +010 -and -perm +001 ) -or ( ! -perm +020 -and -perm +002 ) -or ( ! -perm +040 -and -perm +004 ) ) -exec ls -liTd {} +

then we get the full command.

 
Protect Apache Web Server against brute force attacks
Wednesday, 07 December 2011
To protect an Apache web server against DDoS attacks by spiders or HTTP brute force attacks, by limiting the number of HTTP POSTs per second, use the following Apache module:

  cd /usr/ports/www/mod_evasive
  make install clean

Then you must configure it.

 
Monitoring ZFS with zfs-stats
Thursday, 01 December 2011
You can see ZFS statistics and monitor ZFS in FreeBSD with the zfs-stats tool from ports:

  cd /usr/ports/sysutils/zfs-stats
  make install clean; rehash

  zfs-stats -a


 
SSL/TLS Replacement Library for OpenSSL
Friday, 25 November 2011
If you are looking for a lightweight SSL/TLS library to replace OpenSSL, one that is also very good for embedded systems, there is PolarSSL in FreeBSD's ports:

  cd /usr/ports/security/polarssl
  make install clean


 
Make periodic snapshots of your ZFS file system with zfsnap
Monday, 14 November 2011
There's a useful tool in FreeBSD ports for taking periodic ZFS snapshots, called zfsnap. To install it run:

  cd /usr/ports/sysutils/zfsnap/
  make install clean ; rehash


Last Updated ( Friday, 25 November 2011 )
 
Create GUID Partition tables using gdisk utility
Monday, 14 November 2011
A nice and useful tool for creating GUID partition tables is gdisk, available from FreeBSD's ports and packages:

  cd /usr/ports/sysutils/gdisk
  make install clean ; rehash


To use it run:

  gdisk /dev/ada0

 
Getting FreeBSD Base Source Code when RELENG TAG is not yet in cvsup/svn
Thursday, 10 November 2011
A basic cvsup config file (supfile) for getting the FreeBSD kernel and base from a CVS server is:

cvs-supfile1
*default host=cvsup11.FreeBSD.org
*default base=/usr
*default prefix=/usr
*default release=cvs
*default delete use-rel-suffix
*default tag=RELENG_8_2
*default compress
src-all
ports-all tag=.

But what will we do if, for example, we want RELENG_9_0 but it is not there yet?
In that case we could fetch FreeBSD current using:

  *default release=cvs tag=.

instead of:

  *default tag=RELENG_9_0

So our file will be:

cvs-supfile2
*default host=cvsup11.FreeBSD.org
*default base=/usr
*default prefix=/usr
*default release=cvs
*default delete use-rel-suffix
*default release=cvs tag=.
*default compress
src-all
ports-all tag=.


For the same purpose we can also use SVN, which is more modern and current than CVS:

  svn checkout svn://svn.freebsd.org/base/head /usr/src

But be careful when doing that, because a newer version might be in head, for example FreeBSD 10.0.

If the source tree for the release branch (releng) is in SVN we can get it with:

  svn checkout svn://svn.freebsd.org/base/releng/9.0 /usr/src

To use svn you must install it from ports (since it is not in base):

  cd /usr/ports/devel/subversion
  make install clean; rehash


You can find more info related to fetching FreeBSD sources from SVN here:
http://wiki.freebsd.org/SubversionPrimer

Last Updated ( Saturday, 12 November 2011 )
 
App of the day: Redmine, a Project Management Web Application
Tuesday, 08 November 2011
If you are looking for a flexible project management web app, Redmine might be the one you are looking for. It is written using the Ruby on Rails framework. For more info visit: http://www.redmine.org/

You can find it in FreeBSD ports:

  cd /usr/ports/www/redmine
  make install clean

Then you must configure it.

 
Start squid in foreground for debugging purpose
Monday, 07 November 2011
If you want to debug squid you can start it in the foreground with the following command:

  /usr/local/sbin/squid -NCd1

This is for squid 3.1 (might also work on older versions too).

 
Quick FreeBSD upgrade
Sunday, 16 October 2011
Let's say we want to upgrade FreeBSD base (kernel and world) to the latest version using FreeBSD's upgrade script, planning to delete packages/ports and rebuild them later.

This assumes that the GENERIC kernel is installed.

First we will fetch new FreeBSD base binaries:

  freebsd-update -r 8.2-RELEASE upgrade

Then we install them in our system:

  freebsd-update install

If we previously had a custom kernel in our system we run:

  nextboot -k GENERIC

Then we reboot the machine.
 
Equivalent in FreeBSD for Linux's Watch Command
Sunday, 16 October 2011
You will discover that the watch command in FreeBSD does not serve the same purpose as the watch command in Linux. If you are looking for a FreeBSD equivalent to Linux's watch command, here it is: cmdwatch.

  cd /usr/ports/sysutils/cmdwatch
  make install clean ; rehash


cmdwatch looks and works the same as the watch command from Linux.
 
Convert UIF file to ISO file in FreeBSD
Friday, 14 October 2011
Let's say we have a .UIF file and we want to mount it in FreeBSD. To do that we first convert it to an ISO file and then mount it using md (memory device).

We install uif2iso from ports:

  cd /usr/ports/sysutils/uif2iso
  make install clean ; rehash

Then we convert our file to ISO:

  uif2iso file.uif  file2.iso

Then we mount our iso file:

  mdconfig -a -f file2.iso -u md0
  mount -t cd9660 /dev/md0 /mnt/iso


Last Updated ( Friday, 14 October 2011 )
 
Cannot Delete a File or Directory in FreeBSD
Thursday, 06 October 2011
If you cannot delete a file or directory in FreeBSD even though you are root, this means the file (or directory) has the schg flag set. This flag marks the file as system immutable, so it cannot be deleted.

To be able to delete it we can reset the file flags using:

  chflags 0 file_name

If multiple files or directories within a directory have this flag set, we can reset all with:

  chflags -R 0 dirname

 
Benchmark a File System in FreeBSD
Thursday, 06 October 2011
To benchmark a file system in FreeBSD we use bonnie++:

  cd /usr/ports/benchmarks/bonnie++
  make install clean ; rehash

Then we run bonnie++:

  bonnie++ -u 0:0 -d /usr -s 1000

The size given with the -s parameter is in MBytes. For proper results the file size must be at least double the RAM. Adjust this parameter accordingly.
There's also bonnie available for benchmarking in FreeBSD's ports system.

Last Updated ( Thursday, 06 October 2011 )
 