Blue Flower

Monday, 06 July 2015 00:00

Using Webmin to setup DNS

Written by

2) Enter the domain into the "Domain name / network" box.
3) For the master server, type in the domain name as well.
4) You can check the "Create NS record" box if you'd like.
5) You can enter your email address in the appropriate box.
6) Type in the IP address of the server (The external IP address provided by your ISP).
7) Click "Create"

You will then be redirected to the zone page for that domain you just created. (If you weren't, click on the zone for that domain).

Creating A records (Address Records).
1) Click on "Address"
2) Leave the name field blank, and type in the IP address.
3) Click Save.
(The following is dependent on what you want to run the server for.)
4) Type in www for the name, and type in the IP address.
5) Click Save.
6) Type in mail for the name, and type in the IP address.
7) Click Save.
8) Type in ftp for the name, and type in the IP address.
9) Click Save.
10) Type in ns1 for the name, and type in the IP address.
11) Click Save.
12) Type in ns2 for the name, and type in the IP address.
13) Click Save.
14) At the bottom, click "Return to Record Types"

Creating NS records (Name Servers).
1) Click on Name Server
2) For the zone name, type in the domain name (Put a . at the end; for example:
domain.com.
(notice the ending period.. DO Not Forget that)
3) For the name server, type in ns1.domain.com.
(Also notice the period)
4) Click Save.
5) Type in ns2.domain.com.
6) Click Save.
7) Click "Return to Record Types"

Creating an MX Record (Mail Exchange Record).
1) Click Mail Server (If you want a mail server)
[B](Make sure you put the period at the end; mail.domain.com.[/B]
2) For the name, type in the domain
3) For the mail server, type in mail.domain.com
4) Set the priority to what you like.. 10 is usually default. This is more of a concern if you are hosting a lot of domains.
5) Click "Return to Record Types"

This is the bulk of setting up DNS through Webmin. After you are done making any changes, make sure you restart Bind (named). Give it up to 72 hours to propogate... usually less than an hour.

Hope this helps!

Sunday, 05 July 2015 13:11

Installing Samba

Written by

Installing Samba

One of the primary reasons you might want to install Samba is to allow shares on your Network. Not only is Samba much faster than the typical Windows share but I have found a way to have it act as a Backup Domain Controller. What I mean by this is when the Primary Domain Controller is down, The Samba Server will authenticate your users. Your users will not get the error message that there are no controllers available, they will just get logged into the Domain. When it comes back up, The users will be able to use the Primary Domain Controller like they normally would.

First lets install Samba:


# cd /usr/ports/net/samba35
# make config

Running make config will make the Options for Samba come up. Make sure the following boxes are checked:


LDAP
CUPS
WINBIND
UTMP

When that is done, Hit the TAB key and then hit ENTER on the keyboard. Now run the following:


# make install clean

This will take a little while for Samba to install. When it is done, The first thing we want to do is run the the smb.conf file. I will give you the first part of my [GLOBAL] config:


[global]
netbios name = Hostname
workgroup = Workgroup
security = USER
local master = yes
os level = 65
domain master = yes
preferred master = yes
null passwords = no
hide unreadable = yes
hide dot files = yes

The Netbios name is the name you will use when people access your shares. I name mine FreeBSD . The workgroup name will want to be the same name as your domain workgroup so enter that here. Security will be user as we will get into that in a minute. The other settings I would suggest leaving. You can do a man smb.conf to find out what the other settings do.

Now lets get into sharing. I am going to create a share called Data on the /stuff/nelson drive and am going to force the user to be nelson and the group to be nelson.


[data]
comment = Data Drive
path = /stuff/nelson
force user = nelson
force group = nelson
read only = No
guest ok = Yes

The [data] is the actual share name. To connect to this, we would either go to Network Neighborhood and locate the share or type in the UNC name which would be \\FreeBSD\data. Makes sense, right? The comment is any comment for that share. The path is the quite simply the path on the FreeBSD box. The user and group can be a bit tricky. On this one I gave the user and group the same name. What I do when creating a user (below) is I put them in the nelson group. This way that user can/read write to that share. Read only = No means that the user or the group can make changes to the share.

So now that we are done with the share, go ahead and save the changes. We will then want to add the enable_samba=”YES” to /etc/rc.conf as follows:


# echo 'samba_enable="YES"' >> /etc/rc.conf

Now we will want to start Samba:


# cd /usr/local/etc/rc.d
# ./samba start

You should get something like:


Starting SAMBA: removing stale tdbs :
/var/db/samba/connections.tdb
/var/db/samba/locking.tdb
/var/db/samba/messages.tdb
/var/db/samba/sessionid.tdb
/var/db/samba/unexpected.tdb
/var/db/samba/brlock.tdb
Starting nmbd.
Starting smbd.

Then we can confirm it is running by doing:


# ./samba status

You should get something like:


nmbd is running as pid [pid]
smbd is running as pid [pid]

Now if you go to your Network Neighborhood and browse for your FreeBSD Box, you should see it in the list. Woot! The first part of Samba is complete!

The second part of Samba will require you to add all the Domain users on your Windows Server to the FreeBSD server. So lets say we have a user on your Windows Server called nelson. We will want to create a new user on your FreeBSD box called nelson as well.


# adduser
username: nelson

When you get prompted for the Name and UID, just hit Enter.

The group name is the most important. If you have 2 shares in Samba and they’re both different groups, you can add the user to the group manually to /etc/groups if you don’t add the groups to the username when you create them. So lets say for instance we want to add user nelson to the group nobody:


# vi /etc/group

Find the nobody group:


nobody:*:[id]:

The ID will vary. Now to add user nelson to that group, do it like so


nobody:*:[id]:nelson

If you want to add more users to group nobody, separate them by commas like so


nobody:*:[id]:nelson,wolson,ed

So at this time if you just want to add all your users to one group, just type in that group name here. It will be created when the user is created.

When it asks you Invite temp into other groups? Just hit Enter. Hit Enter when it asks for Class as well.

I would suggest to make sure the user cannot login via ssh so I would change their shell to nologin. This will only allow them to access the Samba share from within Windows.

The next four questions just hit Enter on:


Home directory [/home/temp]:
Use password-based authentication? [yes]:
Use an empty password? (yes/no) [no]:
Use a random password? (yes/no) [no]:

When you type in the password, This will be the same password that the user uses when they Login to the Windows Server. This can get tricky as if the users passwords change, they will need to be changed within Samba on the FreeBSD system. I don’t know how to get this type of information exported to BSD from a Windows box. If the passwords on your Network don’t change, you’re good to go.


Lock out the account after creation? [no]:

Hit ENTER here and then it will then give a summary of all the settings. Just hit Y and then hit Enter. When it asks to add another user, hit N and then hit Enter again. We are done adding the user to your BSD box.

The last thing we need to do is add the user to Samba. If we don’t do this, the user will get prompted to enter a username and password everytime they try to go to the Samba share and we don’t want that to happen. Do the following to add the user to the Samba authentication:


# smbpasswd –a user

It will then ask for the password. This will be the same password that the user uses when they Login to the Windows Server. This can get tricky as if the users passwords change, they will need to be reset using smbpasswd user.

Anytime you make a change to Samba, it’s a good idea to restart the Samba Service:


# cd /usr/local/etc/rc.d
# ./samba restart

That’s it! Samba is installed!

Sunday, 05 July 2015 13:10

Installing TinyDNS

Written by

Setting up a local DNS Server

Why TinyDNS?

Please note: There is no available port for TinyDNS so we are pretty much forced to use the source for this. I humbly apologize! 

One of the main reasons why you would want TinyDNS installed is for a few reasons. The first reason is if you are behind a router/firewall, you should always have a DNS server supporting your local lan. Why do this when I have my ISP? Well, heres the reason why:

If you setup your nameserver on your linux box to be your ISP's DNS server, Name resolution is going to be slower than an internal DNS server based upon your speed. Not only that but you cannot specify your own local names/IPs. It is very common to have network administrators blindly using their ISPs DNS server without knowing an Internal DNS server will not only be faster but can also act as your primary DNS server.

Lets say for instance all your computers behind your router/fireall all are in 192.168.9.x subnets and all your machines are using the ISPs DNS. If you get disconnected from your ISP, POOF! All network connectivity is gone. Lets hope you're not using anything like any accounting programs or what not. I am not saying this is the way all people do it but if you are a first or even second network admin, chances are (Unless it was setup properly beforehand) this is the way it is setup now.

Now, In a managed DNS enviornment, Your router has your DNS information and ALL your DNS requests from your clients are sent to the IP of your linux box. If you get disconnected from the net, all your internal DNS is still working. All your Apps will still be working. As long as you're behind your router/firewall, everything should be working fine.

Let me walk you through the two major parts of djbdns. The first is tinydns, this is the naming server portion. Caching servers, like dnscache send queries to tinydns regarding domains it is authorative to. Ddnscache holds those answers so that if you ask for goodcleanemail.com than I do, the program only makes one trip to antagonism's tinydns server. Dnscache reduces the number of external queries a network makes. Makes sense, right?

Requirements of TinyDNS

Copied with permission from the author.

1) A working FreeBSD Box.
2) At least 2 unused IP addresses. 1 is usually fine.
3) Daemontools - This was installed if you did my qmail install. If not, please install that step!
4) UCSPI-TCP - This was also installed if you did my qmail install. If not, please install that step too!
5) You will want ports 22 (SSH) and 53 (DNS) open. If you don't want anyone outside of your network using your DNS server (Personally, I don't pass this port either) don't forward port 53.

That is about it. When all those requirements have been met, You can now continue.

Installing TinyDNS

First, Lets change to the root dir, download the djbdnsrocks tarball and extract it:


# cd ~root
# fetch http://www.goodcleanemail.com/files/tarballs/djbdnsrocks.tar.gz
# tar zxvf djbdnsrocks.tar.gz
# cd djbdnsrocks

Now lets extract and install djbdns:


# tar zxvf djbdns-1.05.tar.gz
# cd djbdns-1.05
# make
# make setup check

A successful "make setup check" will produce the following output:


# ./install
# ./instcheck

Next, lets run the script that will add the tinydns users/groups to this system:


# ~root/djbdnsrocks/scripts/add_users_freebsd.script

Configuring TinyDNS

For purposes of this HOWTO, example.local is the top level domain and host.example.local is a host on the domain. You can add any amount of top-level domains as you like. Just make sure all the top level domains have a 127.0.0.1 IP address. The local network is 192.168.1.0/24 with host.example.local being the nameserver at 192.168.1.1. To configure tinydns, run the following commands. Replace example.local and host.example.loãal with your chosen domain names:


# /usr/local/bin/tinydns-conf tinydns dnslog /etc/tinydns 127.0.0.1


Starting TinyDNS

Now start the service with the following command:


# ln -s /etc/tinydns /service

You can verify it is running by typing:


# svstat /service/tinydns

If it starts counting up past 2, you should be fine. If not, something isn't working right so check the log here and see what it says:


# vi /service/tinydns/log/main/current

Now lets add your first box to TinyDNS. So lets add the FreeBSD sever first.


# cd /service/tinydns/root/
# ./add-ns example.local 127.0.0.1
# ./add-ns 1.168.192.in-addr.arpa 127.0.0.1
# ./add-host host.example.local 192.168.1.1
# make

Configuring DNSCache

Before you continue, Its possible you may have to type rehash on your console to refresh your shell to run the next command.


# dnscache-conf dnscache dnslog /etc/dnscache 192.168.1.1
# touch /etc/dnscache/root/ip/192.168.1
# echo '127.0.0.1' > /etc/dnscache/root/servers/example.local
# echo '127.0.0.1' > /etc/dnscache/root/servers/1.168.192.in-addr.arpa
# ln -s /etc/dnscache /service

Now edit /etc/resolve.conf to point your server to TinyDNS:


# vi /etc/resolv.conf

Remove all the lines in /etc/resolve.conf and add the following:


nameserver 192.168.1.1

We now need to restart dnscache and tinydns like so:


# svc -t /service/tinydns/
# svc -t /service/dnscache/

Now if you ping your host, you should get a ping response with the correct IP! Thats it! TinyDNS is completed!

Sunday, 05 July 2015 13:09

Installing Apache 2.4

Written by

Getting Apache installed to get a web server running!

Installing Apache2.4

Make sure you update ports and then run the following commands:


# cd /usr/ports/www/apache24
# make install clean

Configuring apache2

Lets edit the httpd.conf file:


# vi /usr/local/etc/apache24/httpd.conf

Scroll down and change the following settings. The optional settings I will put OPTIONAL before the setting:


OPTIONAL: Listen 80 - You can change this default option if you have more than one apache server running on your network

User www - Changes what user apache runs as

Group www - Changes what group apache runs as

ServerAdmin This email address is being protected from spambots. You need JavaScript enabled to view it. - change This email address is being protected from spambots. You need JavaScript enabled to view it. to your email address.

DocumentRoot "/usr/local/www/apache24/data" - I don't usually use the default path. I put my www documents on a seperate drive.

Directory "/usr/local/www/apache24/data" - Change this to the same path as DocumentRoot (See above)

<Directory /usr/local/www/apache24/> Change this to the root of your vhosts folder

DirectoryIndex index.html index.html.var - add any pages you would use. For instance, add index.php if you use php pages

OPTIONAL: #CustomLog /var/log/httpd-access.log combined - I usually leave this commented unless you want to use this to track users looking at your site

ScriptAlias /cgi-bin/ "/usr/local/www/cgi-bin/" - change this to your cgi-bin path

Directory "/usr/local/www/cgi-bin"> - change this to the same path as ScriptAlias /cgi-bin above

OPTIONAL: This will make your directory listings look a lot better

Include etc/apache22/extra/httpd-autoindex.conf

We now need to tell Apache to run on startup. Please run the following:


# echo 'apache24_enable="YES"' >> /etc/rc.conf

Now lets tell apache to start:


# /usr/local/etc/rc.d/apache24 start

If you get no errors, apache should be running. Look at the page by opening a browser to http://localhost or replace localhost with the IP or the actual hostname of the box. If you went with the DocumentRoot defaults, You will see an apache test page until you get your site up and going. If you are behind a router or firewall, make sure you forward the apache port (Port 80) to the FreeBSD box otherwise you won't be able to get there from here.

Configuring SSL

Before you continue on I have a new guide for letsencrypt that allows you to have a free SSL cert. Take a look at https://freebsdrocks.net/index.php/documents/10-installing-applications/154-letsencrypt

Let's get SSL Configured and Installed:

(FROM http://www.bsdguides.org/guides/freebsd/webserver/apache_ssl_php_mysql.php)


# mkdir /usr/local/etc/apache24/ssl.key
# mkdir /usr/local/etc/apache24/ssl.crt
# chmod 0700 /usr/local/etc/apache24/ssl.key
# chmod 0700 /usr/local/etc/apache24/ssl.crt

Create Certificate

Now, you need to understand that one server can hold multiple certificates, but only one per listening IP address. So, if your server is listening on one IP address, you can only have one certificate for the server. Follow me so far? All of your virtual domains can share the same certificate, but clients will get warning prompts when they connect to a secure site where the certificate does not match the domain name. If your server is listening on multiple IP addresses, your virtual hosts have to be IP-based -- not name-based. This is something to consider when creating your certificate.

Change to your root dir by typing in the following command. We want to save this configuration there as a backup.


# cd /root
# openssl genrsa -des3 -out server.key 2048

You will now be prompted to enter in a password. Write this down as you will need it later. We need to make a Certificate Signing Request (CSR):


# openssl req -new -key server.key -out server.csr

Enter your password when it asks for it. Make sure you enter your FQDN for the "Common Name" portion.

Self-signing your Certificate

You could always pay money to Verisign or Thawte for this but it costs $$$. Here is the way to do it:


# openssl x509 -req -days 365 -in /root/server.csr -signkey /root/server.key -out /root/server.crt

Now your cert is good for 365 days. If you want to make it longer, go right ahead and do so :-)

If you would like more information about SSL Certs, go to http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#aboutcerts

Now we need to copy the certs to the right place:


# cp /root/server.key /usr/local/etc/apache24/ssl.key/
# cp /root/server.crt /usr/local/etc/apache24/ssl.crt/

Now to give them the right permissions as well:


# chmod 0400 /usr/local/etc/apache24/ssl.key/server.key
# chmod 0400 /usr/local/etc/apache24/ssl.crt/server.crt

We will now want to copy the default httpd-ssl.conf from the extras folder to the Includes folder:


# cd /usr/local/etc/apache24/extra
# vi httpd-ssl.conf

Now modify the following:



DocumentRoot "/usr/local/www/data" - Change the path to your httpd.conf document root.

ServerName www.example.com:443 - Change www.example.com to your domain name.

ServerAdmin This email address is being protected from spambots. You need JavaScript enabled to view it. Change this to your email address

ErrorLog /var/log/httpd-error.log - You can leave this or comment it out.

TransferLog /var/log/httpd-access.log - You can leave this or comment it out.

SSLCertificateFile "/usr/local/etc/apache24/ssl.crt/server.crt"

SSLCertificateKeyFile "/usr/local/etc/apache24/ssl.key/server.key"

#SSLSessionCache "shmcb:/var/run/ssl_scache(512000)"

Next we need to open up /usr/local/etc/apache24/httpd.conf and comment out the following three lines:


LoadModule ssl_module libexec/apache24/mod_ssl.so

LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so

Include etc/apache24/extra/httpd-ssl.conf

Now run the following:


# /usr/local/etc/rc.d/apache24 stop
# /usr/local/etc/rc.d/apache24 start

The start means it will start in ssl mode to serve both http:// and https:// addresses. This used to be /usr/local/etc/rc.d/apache24 sslstart but that command has been depreciated.

The URL below includes instructions on how to remove the pass phrase prompt when apache starts

http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#removepassphrase

Configuring php for Apache

This section is pretty easy. Just run the following:


# cd /usr/ports/lang/php56
# make install clean

We will want to set the time zone in the php.ini. Lets copy the file over and then edit php.ini.


# cd /usr/local/etc/
# cp php.ini-production php.ini
# vi php.ini

Inside the php.ini set the following. If you're not EST then see the following supported timezones:

http://php.net/manual/en/timezones.php

date.timezone = 'America/New_York'

If you do not set the timezone messages will not appear with a timestamp in dovecot.

Next, we want to configure apache to use php5.6


# cd /usr/ports/www/mod_php56
# make install clean

and look for the first AddType section in /usr/local/etc/httpd.conf and add this to next line below the AddType section


AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps

Next go to DirectoryIndex and make sure index.php is part of it like so:


DirectoryIndex index.php index.html

We now need to load the accf http module as seen below.


# echo 'accf_http_load="YES"' >> /boot/loader.conf

Now rather than rebooting the box, we can load the module manually by running:


# kldload accf_http

and then if you start Apache, You won't get that error.

Now run the following command to restart apache.


# /usr/local/etc/rc.d/apache24 restart

You will now have apache with SSL and PHP support!

Sunday, 05 July 2015 13:09

Installing phpMyAdmin

Written by

phpMyAdmin handles the administration of MySQL over the Web. It can manage a whole MySQL server as well as a single database. For more information please see

http://www.phpmyadmin.net/

To install phpmyadmin, run the following commands

# cd /usr/ports/databases/phpmyadmin211
# make install clean

Leave everything checked other than Improved MySQL support and tab down to OK.

Now you must configure your installation.

# cd /usr/local/www/phpMyAdmin211/
# cp config.sample.inc.php config.inc.php
# vi config.inc.php

Edit the following lines:

$cfg['blowfish_secret'] = 'Password'; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */
$cfg['Servers'][$i]['controluser'] = 'mysqluser';
$cfg['Servers'][$i]['controlpass'] = 'password';

The last two lines above will be commented and you need to uncomment them. the mysqluser and password are the ones you will want to specify to login to phpmyadmin.

Now to edit the /usr/local/etc/apache22/httpd.conf file:

# vi /usr/local/etc/apache22/httpd.conf

Scroll down where you see the first <Directory> statement:

<Directory />
AllowOverride None
Order deny,allow
Deny from all
</Directory>

And add the following:

Alias /phpmyadmin/ "/usr/local/www/phpMyAdmin211/"

<Directory "/usr/local/www/phpMyAdmin211/">
Options none
AllowOverride Limit

Order Deny,Allow
Deny from all
Allow from 127.0.0.1 .example.com
</Directory>

Exit and then restart Apache:

# apachectl restart

Now to add a user with "superuser" options for mysql, heres how to do it:

# mysql -u root -p

When you get to the mysql> prompt type:

GRANT ALL PRIVILEGES ON *.* TO mysqluser@localhost IDENTIFIED BY 'password' WITH GRANT OPTION;

This is the same user/pass combination that you created in the config.inc.php page.

Now if you go to http://yoursite.com/phpmyadmin you should get a phpmyadmin page. Use the username and password you set above to login.

If you get a forbidden page, You will want to check the Allow from line in the Directory statement above and make sure it lists the network you are coming from. If not, All you will gte is a forbidden message.

Sunday, 05 July 2015 13:08

Installing MYSQL

Written by

Installing the MySql Database Server

Installing Mysql

MySQL is a very fast, multi-threaded, multi-user and robust SQL (Structured Query Language) database server. For more information (Mysql has VERY good documentation I might add) please check out http://www.mysql.com/

All we need to do are a few things. Lets get Mysql installed first. This will install both the client and the server automatically.


# cd /usr/ports/databases/mysql56-server
# make install clean

Configuring mysql

We now need to tell Mysql to come up on startup. To do this, we need to add mysql_enable="YES" to /etc/rc.conf. So lets go ahead and edit /etc/rc.conf and add it!


# echo 'mysql_enable="YES"' >> /etc/rc.conf

Manually starting Mysql

Run the following command to start mysql:


# /usr/local/etc/rc.d/mysql-server start

You will then see Starting mysql. and then it will drop to the next line. See if it's running by using the following command:


# ps -auxw | grep mysql

and you should see something like:


mysql 35843 0.0 0.4 1644 1132 p0 I 10:27PM 0:00.03 /bin/sh /usr/local/bin/mysqld_safe --defaults-extra-file=/var/db/mys
mysql 35861 0.0 10.6 55544 26852 p0 S 10:27PM 0:01.50 /usr/local/libexec/mysqld --defaults-extra-file=/var/db/mysql/my.cnf

Don't worry if you see it cutoff at the end of the first line. This is completely normal. These 2 lines are just telling us mysql is running fine! Mysql is installed and configured!

Now to set the correct users:


# chown -R mysql /var/db/mysql/
# chgrp -R mysql /var/db/mysql/

To ensure the security of the default settings of MySQL, continue with the command below:


# mysql_secure_installation

When prompt with “Enter current password for root” hit enter for none then Y(Yes) to set MYSQL password. You will then be prompted with a series of questions. Just type Y for yes on all of them, see the screen shot below:

Page 19 of 23