FreeBSD 12.3 installation notes

[Date]: 2022/07/28  [Views]: 308

FreeBSD 12.3
welcome

<install> <shell> <Live cd>

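Choose <install>

At keymap selection, choose United States of America

Set the domain name

[enter the domain name]

Select components: games is optional, src must be selected, and select the 32-bit compatibility libraries for installation

Set up partitions

Select the disk

Press <Create> to create the partition table

->GPT

Use the automatic setup

MENU
freebsd-ufs
Start by selecting freebsd-ufs
Mountpoint setting
/
freebsd-swap

home, /usr, /var, /var/mail, /backsys. When you create the first entry you are asked whether to set up a boot partition; choose [Yes].


After selecting, you are asked to confirm -> <Commit>

Once creation is finished, press <Commit>

Formatting starts and the system is installed.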

Compile a new kernel
cd /usr/src/sys/amd64/conf
cp GENERIC SERVER

ee SERVER

Add the setting that allows the firewall

device ispfw

#config SERVER
#cd ../compile/SERVER/
#make cleandepend ; make depend
#make

#make install

#cd /usr/src

#make buildkernel KERNCONF=SERVER

#make installkernel KERNCONF=SERVER

Use UTF-8

ee /etc/profile

Add

LC_CTYPE=en_US.ISO8859-1; export LC_CTYPE
LC_ALL=zh_TW.UTF-8; export LC_ALL
LANG=zh_TW.UTF-8; export LANG

PuTTY settings

Options -> Character encoding -> UTF-8

 

#sync;sync;reboot

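Updating ports

portsnap is built into the base system

ee /etc/portsnap.conf

The first time you use Portsnap, you must fetch a snapshot of the ports system and extract it with the following command

#portsnap fetch extract

To update /usr/ports (the ports tree) later, run the following command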

#portsnap fetch update

 

Install perl

#cd /usr/ports/lang/perl5.36
If it fails to install, deinstall first and then install again

make deinstall
make install clean

make install clean BATCH=yes install

 

Install webmin
# cd /usr/ports/sysutils/webmin/
# make install clean BATCH=yes install
# /usr/local/lib/webmin/setup.sh


Web server port (default 10000):[enter]


Login name (default admin):[enter]


Login password:[enter password]

 

Password again:[enter password]

Use SSL (y/n): y


ee /etc/rc.conf


Add


webmin_enable="YES"

echo 'webmin_enable="YES"' >> /etc/rc.conf
or sysrc webmin_enable="YES"



OPENSSL

cd /usr/ports/security/openssl

Select SSE2, ASM, ZLIB, MD2 (if MD2 is not selected, samba reports errors)

make install clean BATCH=yes install

 

MYSQL
MariaDB installation

cd /usr/ports/databases/mariadb103-server

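10.3 enables GSSAPI by default, which makes the installation fail; set GSSAPI_NONE so that GSSAPI is not installed

If you see mariadb103-client ...GSSAPI options or OpenSSL....

Change to the client directory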
#cd /usr/ports/databases/mariadb103-client
#make config

#make install clean BATCH=yes install
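First install the port that reports "GSSAPI options or OpenSSL", using make config to change it to GSSAPI_NONE; once it is installed, install -server

If an error in /usr/ports/devel/readline appears, go to that directory, deinstall, and then reinstall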

 

make install clean

If this appears during installation: [/!\ WARNING /!\
You have security/openssl installed but do not have DEFAULT_VERSIONS+=ssl=openssl set in your make.conf]

enter

#echo 'DEFAULT_VERSIONS+=ssl=openssl' >> /etc/make.conf

#make install clean BATCH=yes install

Add to /etc/rc.conf

mysql_enable="YES"

echo 'mysql_enable="YES" ' >> /etc/rc.conf

#/usr/local/etc/rc.d/mysql-server start
----------------------------------------------------
Installing MariaDB/MySQL system tables in '/var/db/mysql' ...
OK

To start mysqld at boot time you have to copy
support-files/mysql.server to the right place for your system


PLEASE REMEMBER TO SET A PASSWORD FOR THE MariaDB root USER !
To do so, start the server, then issue the following command:

'/usr/local/bin/mysql_secure_installation'

which will also give you the option of removing the test
databases and anonymous user created by default. This is
strongly recommended for production servers.

See the MariaDB Knowledgebase at http://mariadb.com/kb or the
MySQL manual for more instructions.

You can start the MariaDB daemon with:
cd '/usr/local' ; /usr/local/bin/mysqld_safe --datadir='/var/db/mysql'

You can test the MariaDB daemon with mysql-test-run.pl
cd '/usr/local/mysql-test' ; perl mysql-test-run.pl

Please report any problems at http://mariadb.org/jira

The latest information about MariaDB is available at http://mariadb.org/.
You can find additional information about the MySQL part at:
http://dev.mysql.com
Consider joining MariaDB's strong and vibrant community:
https://mariadb.org/get-involved/

Starting mysql.
----------------------------------------------
#/usr/local/bin/mysql_secure_installation
----------------------------------------------
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):[just installed, no password yet: press <enter>]
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
Enter current password for root (enter for none):[just installed, no password yet: press <enter>]
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!


By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
... Success!

Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] y
... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y
... Success!

Cleaning up...

All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!
----------------------------------------------
Create /var/db/mysql/my.cnf
[mysqld]

 

port = 3306
socket = /tmp/mysql.sock
skip-external-locking
key_buffer = 512M
max_allowed_packet = 32M
table_cache = 2048
sort_buffer_size = 64M
read_buffer_size = 256M
read_rnd_buffer_size = 32M
myisam_sort_buffer_size = 128M
thread_cache_size = 16
query_cache_size = 256M

thread_concurrency = 8
log-bin=mysql-bin

server-id = 88

 

binlog_format = row
default-storage-engine = MyISAM

[mysqldump]
quick
max_allowed_packet = 16M

[mysql]
no-auto-rehash

[isamchk]
key_buffer = 512M
sort_buffer_size = 512M
read_buffer = 4M
write_buffer = 4M

[myisamchk]
key_buffer = 256M
sort_buffer_size = 256M
read_buffer = 4M
write_buffer = 4M

[mysqlhotcopy]
interactive-timeout

================================



apache24 installation

#cd /usr/ports/www/apache24

#make install clean

#make install clean BATCH=yes install

ee /etc/rc.conf

Add apache24_enable="YES"

echo 'apache24_enable="YES"' >> /etc/rc.conf

#sysrc apache24_enable="YES"

 

Configure /etc/hosts

192.168.0.7 xx.com.tw xx
192.168.0.7 xx.com.tw.

If the installation reports that a port is already installed, use this instead

make FORCE_PKG_REGISTER=yes install clean

If some modules cannot be installed, for example:

Stop.
make[1]: stopped in /usr/ports/databases/db5
*** Error code 1

you can use

#cd /usr/ports/databases/db5

#make clean rmconfig-recursive
# make install clean

Once that works, go back to apache and install again

If it still fails, install directly from a package


#pkg install db5

 

PHP installation

Install version 7.4

cd /usr/ports/lang/php74

Tick ZTS
make config
make install clean BATCH=yes install

 

Choose the extensions to install

#cd /usr/ports/lang/php74-extensions

#make config

#make install clean
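The pdf extension asks for confirmation during installation and may interrupt the build; you can change to the pdf port directory and run make install clean there: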
/usr/ports/print/pecl-pdflib
make install clean

Then go back to /usr/ports/lang/php74-extensions and rerun make install clean BATCH=yes install

#cd /usr/ports/www/mod_php74

#make config (tick ZTS)
#make install clean

--------------------------

Make sure index.php is part of your DirectoryIndex.

You should add the following to your Apache configuration file:

<FilesMatch "\.php$">
SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch "\.phps$">
SetHandler application/x-httpd-php-source
</FilesMatch>

******************************************************************************

If you are building PHP-based ports in poudriere(8) or Synth with ZTS enabled,
add WITH_MPM=event to /etc/make.conf to prevent build failures.

******************************************************************************

===> SECURITY REPORT:
This port has installed the following files which may act as network
servers and may therefore pose a remote security risk to the system.
/usr/local/libexec/apache24/libphp7.so

If there are vulnerabilities in these programs there may be a security
risk to the system. FreeBSD makes no guarantee about the security of
ports included in the Ports Collection. Please type 'make deinstall'
to deinstall the port if this is a concern.

For more information, and contact details about the security
status of this software, see the following webpage:
https://www.php.net/
------------------------------

If it cannot be installed, use pkg install mod_php74

Copy /usr/local/etc/php.ini-development to /usr/local/etc/php.ini

# cp /usr/local/etc/php.ini-development /usr/local/etc/php.ini

php.ini changes

-------
#ee /usr/local/etc/php.ini


short_open_tag = On

max_execution_time = 180

max_input_time = 120

memory_limit = 1024M

error_reporting = E_ALL & ~E_NOTICE

post_max_size = 50M

upload_max_filesize = 60M

date.timezone = "Asia/Taipei"

Edit httpd.conf


ee /usr/local/etc/apache24/httpd.conf

Add


<FilesMatch "\.php$">

SetHandler application/x-httpd-php

</FilesMatch>

<FilesMatch "\.phps$">

SetHandler application/x-httpd-php-source

</FilesMatch>

Add


AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps

 

Find this block and add index.htm index.php

<IfModule dir_module>
DirectoryIndex index.html index.htm index.php
</IfModule>


/usr/local/etc/rc.d/apache24 start

If this appears when it starts:


AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the ServerName...


configure /etc/hosts

#cd /usr/local/www/apache24/data
Create an info.php
<?php
phpinfo();
?>
Restart apache24
/usr/local/etc/rc.d/apache24 restart
Open http://IP/info.php in a browser; if all the installed extensions are listed, the installation succeeded

composer is the dependency management tool for PHP; it requires PHP 5.3.2 or later.

For example, PhpWord can be installed with this tool.

 

Install composer

XXXXXXcd /usr/ports/devel/php-composer
#2022.7.27 V1 is no longer supported
cd /usr/ports/devel/php-composer2

make install clean

 

Install the FTP service

cd /usr/ports/ftp/proftpd


#make config

#make install clean BATCH=yes install


Edit /etc/rc.conf

Add proftpd_enable="YES"


#sysrc proftpd_enable="YES"
-----------2021.6.11
Install dovecot. popa3d suits smaller mail servers: it uses fewer resources, but performs poorly with many users
Skip this if you do not need a mail server

Install dovecot

#cd /usr/ports/mail/dovecot


Tick MYSQL


#make install clean BATCH=yes install

#cp -R /usr/local/etc/dovecot/example-config/* /usr/local/etc/dovecot

Add to /etc/rc.conf
dovecot_enable="YES"


#sysrc dovecot_enable="YES"

Create the SSL files

# openssl req -new -x509 -nodes -out /tmp/public.pem -keyout /tmp/private.pem -days 3650

Country Name (2 letter code) [AU]:TW

State or Province Name (full name) [Some-State]:Taiwan

Locality Name (eg, city) []:KH City

Organization Name (eg, company) [Internet Widgits Pty Ltd]:Wgate

Organizational Unit Name (eg, section) []:KH

Common Name (eg, YOUR name) []:wgate.tw

Email Address []:tien@localhost


# cd /etc/ssl/ ; mkdir certs private ; chmod 700 certs private

# cp /tmp/public.pem /etc/ssl/certs/dovecot.pem ; cp /tmp/private.pem /etc/ssl/private/dovecot.pem

#

#cd /usr/local/etc/dovecot
#cp -Rp example-config/ .

Default settings
ee /usr/local/etc/dovecot/dovecot.conf

#ssl
ee /usr/local/etc/dovecot/conf.d/10-ssl.conf
ssl = yes
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem

#master
ee /usr/local/etc/dovecot/conf.d/10-master.conf
service imap-login {
inet_listener imap {
port = 143
}
inet_listener imaps {
port = 993
ssl = yes
}
}

service pop3-login {
inet_listener pop3 {
port = 110
}
inet_listener pop3s {
port = 995
ssl = yes
}
}

service imap {
#vsz_limit = $default_vsz_limit
#process_limit = 1024
}

service pop3 {
#process_limit = 1024
}

service auth {
unix_listener auth-userdb {
#mode = 0666
#user =
#group =
}

# Postfix smtp-auth
unix_listener /var/spool/postfix/private/auth {
mode = 0666
user = postfix
group = postfix
}
}

service auth-worker {
#user = root
}

service dict {
unix_listener dict {
#mode = 0600
#user =
#group =
}
}

#Authentication
ee /usr/local/etc/dovecot/conf.d/10-auth.conf
disable_plaintext_auth = no
auth_mechanisms = plain login
!include auth-system.conf.ext

#maildir
ee /usr/local/etc/dovecot/conf.d/10-mail.conf
mail_location = maildir:~/Maildir
namespace inbox {
inbox = yes
}
protocol !indexer-worker {
}

Start


# /usr/local/etc/rc.d/dovecot start


Install samba 4.13

 

samba410 has installation problems

cd /usr/ports/net/samba413

#make config
CUPS does not need to be selected; everything else may be selected

#make install clean BATCH=yes install

 

* Your configuration is: /usr/local/etc/smb4.conf

* All the relevant databases are under: /var/db/samba4


* All the logs are under: /var/log/samba4


* Provisioning script is: /usr/local/bin/samba-tool

 


ee /etc/rc.conf

Add

samba_server_enable="YES"

sysrc samba_server_enable="YES"


If the installation does not succeed, first run

#make clean rmconfig-recursive

then run
#make install clean


Install the phpMyAdmin administration tool

cd /usr/ports/databases/phpmyadmin5

make config

#make install clean BATCH=yes install

-------------------------------

phpMyAdmin5-php74-5.1.0 has been installed into:

/usr/local/www/phpMyAdmin

Please edit config.inc.php to suit your needs.

To make phpMyAdmin available through your web site, I suggest
that you add something like the following to httpd.conf:

For Apache versions earlier than 2.4:

Alias /phpmyadmin/ "/usr/local/www/phpMyAdmin/"

<Directory "/usr/local/www/phpMyAdmin/">
Options none
AllowOverride Limit

Order Deny,Allow
Deny from all
Allow from 127.0.0.1 .example.com
</Directory>

For Apache version 2.4.x or above:

Alias /phpmyadmin/ "/usr/local/www/phpMyAdmin/"

<Directory "/usr/local/www/phpMyAdmin/">
Options None
AllowOverride Limit

Require local
Require host .example.com
</Directory>

SECURITY NOTE: phpMyAdmin is an administrative tool that has had several
remote vulnerabilities discovered in the past, some allowing remote
attackers to execute arbitrary code with the web server's user credential.
All known problems have been fixed, but the FreeBSD Security Team strongly
advises that any instance be protected with an additional protection layer,
e.g. a different access control mechanism implemented by the web server
as shown in the example. Do consider enabling phpMyAdmin only when it
is in use.

Add the directory alias to apache's httpd.conf

Alias /phpmyadmin/ "/usr/local/www/phpMyAdmin/"

<Directory "/usr/local/www/phpMyAdmin/">
Options None
AllowOverride Limit
#Require all granted
Require local
Require host .wgate.tw
Require ip 192.168.0 192.168.1
</Directory>

cd /usr/local/www/phpMyAdmin
cp config.sample.inc.php config.inc.php
ee config.inc.php
Change $cfg['Servers'][$i]['auth_type'] = 'cookie';

to $cfg['Servers'][$i]['auth_type'] = 'http';
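
Added example, not part of the original notes: a shell check for four settings these notes leave in place (Dovecot plaintext auth with optional TLS, the key copy written to /tmp, info.php in the document root, and the commented-out Require all granted in the phpMyAdmin block). The function name audit_install and its root-prefix argument are assumptions of this example.

```sh
#!/bin/sh
# Added example, not part of the original notes. The paths are the ones the
# notes use; the optional root-prefix argument is an assumption added here so
# the check can also be pointed at a copy of the tree.
audit_install() {
    r="${1:-}"
    dc="$r/usr/local/etc/dovecot/conf.d"

    # Dovecot: disable_plaintext_auth = no together with optional TLS
    # (ssl = yes rather than ssl = required) lets PLAIN/LOGIN passwords
    # cross ports 110 and 143 unencrypted.
    if grep -Eq '^[[:space:]]*disable_plaintext_auth[[:space:]]*=[[:space:]]*no' \
            "$dc/10-auth.conf" 2>/dev/null &&
       ! grep -Eq '^[[:space:]]*ssl[[:space:]]*=[[:space:]]*required' \
            "$dc/10-ssl.conf" 2>/dev/null; then
        echo "dovecot: plaintext auth allowed without mandatory TLS"
    fi

    # TLS key: the openssl step wrote the key to /tmp and only copied it.
    if [ -e "$r/tmp/private.pem" ]; then
        echo "tls: private key copy left in /tmp/private.pem"
    fi

    # PHP: the phpinfo() test page is still in the document root.
    if [ -e "$r/usr/local/www/apache24/data/info.php" ]; then
        echo "apache: info.php still published"
    fi

    # phpMyAdmin: an uncommented "Require all granted" in its <Directory>
    # block grants access to everyone, whatever the other Require lines say.
    awk '
        /^[ \t]*<Directory[ \t]+"?\/usr\/local\/www\/phpMyAdmin\/?"?>/ { inblk = 1; next }
        /^[ \t]*<\/Directory>/ { inblk = 0 }
        inblk && /^[ \t]*Require[ \t]+all[ \t]+granted/ { found = 1 }
        END { if (found) print "phpmyadmin: Require all granted is active" }
    ' "$r/usr/local/etc/apache24/httpd.conf" 2>/dev/null || :
}

# With no argument the live system paths are checked.
audit_install "${1:-}"
```

Each printed line names one setting to revisit; no output means none of the four conditions was found.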

 

pear installation

#cd /usr/ports/devel/pear

#make install clean BATCH=yes install

 

pear install Mail

 

pear install Mail_mime

pear install Mail_mimeDecode
pear install Net_pop3

pear install OLE-1.0.0RC3

pear install Spreadsheet_Excel_Writer-0.9.4

 

portupgrade installation


# cd /usr/ports/ports-mgmt/portupgrade

# make install clean

make install clean BATCH=yes install

 

rsync port installation

#cd /usr/ports/net/rsync

#make install

or make install clean BATCH=yes install

 

An options screen appears; the defaults are fine

Enable at boot

ee /etc/rc.conf

Add rsyncd_enable="YES"

sysrc rsyncd_enable="YES"

 

Install denyhosts

#cd /usr/ports/security/denyhosts

#make install clean

#ee /etc/rc.conf

Add denyhosts_enable="YES"

syslogd_flags="-c"

#ee /etc/hosts.allow

Add

sshd : /etc/hosts.deniedssh : deny

sshd : ALL : allow

touch /etc/hosts.deniedssh

#ee /usr/local/etc/denyhosts.conf

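The file already contains default settings; adjust them as follows
# Location of the log file to analyse
#
# FreeBSD or OpenBSD
SECURE_LOG = /var/log/auth.log
# Redhat or Fedora Core:
#SECURE_LOG = /var/log/secure
# SuSE:
#SECURE_LOG = /var/log/messages

#
# File the blocked IPs are written to
#
HOSTS_DENY = /etc/hosts.deniedssh
#
# When entries in hosts.deniedssh are purged
# 'm' = minutes
# 'h' = hours
# 'd' = days
# 'w' = weeks
# 'y' = years
# Format: i[dhwmy], where i is a number
PURGE_DENY = 5d
#
# Service to block: sshd
#
BLOCK_SERVICE = sshd
#
# If the account does not exist in /etc/passwd and more than 5 attempts fail, block that IP from logging in to this service
#
DENY_THRESHOLD_INVALID = 5
#
# If the account exists in /etc/passwd and more than 10 attempts fail, block that IP from logging in to this service
#
DENY_THRESHOLD_VALID = 10
#
# Number of failed root logins before blocking; this has no effect on FreeBSD,
# because a freshly installed FreeBSD does not allow remote login as root
DENY_THRESHOLD_ROOT = 1
#
# Denied hosts or IPs are recorded in WORK_DIR
# Preferably move this directory somewhere that only the root account can access
#
WORK_DIR = /usr/local/share/denyhosts/data
#
# Setting for writing denied hosts into that directory
#
DENY_THRESHOLD_RESTRICTED = 1
#
# When DenyHosts starts it writes its pid here, to make sure the service started correctly and to prevent several instances from running at once
#
LOCK_FILE = /var/run/denyhosts.pid
#
# DenyHosts can be set here to send email to the administrator
#
ADMIN_EMAIL = tien@localhost
#
# If ADMIN_EMAIL is set, the SMTP host must be set below
#
SMTP_HOST = localhost
SMTP_PORT = 25
# From header of the message
SMTP_FROM = DenyHosts <nobody@localhost>
# Subject of the message
SMTP_SUBJECT = DenyHosts Report
#
# DenyHosts log file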
#

DAEMON_LOG = /var/log/denyhosts

#/usr/local/etc/rc.d/denyhosts start
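
Added example, not part of the original notes and not DenyHosts code: a shell function that applies the three thresholds configured above to sshd lines in auth.log format. The function names, the sample log lines and the "more than N failures" comparison (taken from the comments above) are assumptions of this example.

```sh
#!/bin/sh
# Added example, not DenyHosts code. Log lines below are constructed samples
# in sshd auth.log format, using documentation-range addresses.
sample_auth_log() {
cat <<'EOF'
Jul 28 10:00:01 srv sshd[811]: Failed password for invalid user oracle from 203.0.113.5 port 40112 ssh2
Jul 28 10:00:03 srv sshd[811]: Failed password for invalid user test from 203.0.113.5 port 40113 ssh2
Jul 28 10:00:05 srv sshd[811]: Failed password for invalid user admin from 203.0.113.5 port 40114 ssh2
Jul 28 10:00:07 srv sshd[811]: Failed password for invalid user guest from 203.0.113.5 port 40115 ssh2
Jul 28 10:00:09 srv sshd[811]: Failed password for invalid user ftp from 203.0.113.5 port 40116 ssh2
Jul 28 10:00:11 srv sshd[811]: Failed password for invalid user www from 203.0.113.5 port 40117 ssh2
Jul 28 10:02:00 srv sshd[902]: Failed password for root from 198.51.100.7 port 51000 ssh2
Jul 28 10:02:04 srv sshd[902]: Failed password for root from 198.51.100.7 port 51001 ssh2
Jul 28 10:05:00 srv sshd[955]: Failed password for tien from 192.0.2.9 port 3999 ssh2
Jul 28 10:05:09 srv sshd[955]: Failed password for tien from 192.0.2.9 port 3999 ssh2
Jul 28 10:05:20 srv sshd[955]: Accepted password for tien from 192.0.2.9 port 3999 ssh2
EOF
}

# usage: deny_candidates INVALID VALID ROOT < auth.log
# Prints "ip kind failures" for every source whose failures exceed the
# threshold of its kind (DENY_THRESHOLD_INVALID / _VALID / _ROOT).
deny_candidates() {
    awk -v inv="$1" -v val="$2" -v root="$3" '
    # The user name is text chosen by the remote side, so the address is
    # taken from the fixed tail of the line: "... from IP port N ssh2".
    /sshd\[[0-9]+\]: Failed password for / && $(NF-2) == "port" {
        ip = $(NF-3)
        if ($9 == "invalid" && $10 == "user") kind = "invalid"
        else if ($9 == "root")                kind = "root"
        else                                  kind = "valid"
        n[ip " " kind]++
    }
    END {
        limit["invalid"] = inv; limit["valid"] = val; limit["root"] = root
        for (k in n) {
            split(k, p, " ")
            if (n[k] > limit[p[2]] + 0) print p[1], p[2], n[k]
        }
    }' | LC_ALL=C sort
}

# Thresholds as set in denyhosts.conf above.
sample_auth_log | deny_candidates 5 10 1
```

On the live system the same function can be fed the real log with deny_candidates 5 10 1 < /var/log/auth.log to see which sources the configured thresholds would catch.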

FreeBSD can use ClamAV as its antivirus program

#cd /usr/ports/security/clamav

#make config

make install clean BATCH=yes install

Configure rc.conf

#ee /etc/rc.conf

Add

clamav_clamd_enable="YES"
clamav_freshclam_enable="YES"
clamav_milter_enable="YES"

#sysrc clamav_clamd_enable="YES"
#sysrc clamav_freshclam_enable="YES"
#sysrc clamav_milter_enable="YES"

First run /usr/local/etc/rc.d/clamav-freshclam start

#freshclam

---------------------------

ClamAV update process started at Sun Oct 11 09:36:54 2020
daily database available for download (remote version: 25953)
Time: 21.8s, ETA: 0.0s [========================>] 108.19MiB/108.19MiB
Testing database: '/var/db/clamav/tmp.7b2107feb5/clamav-a6eb5016f90859fe92c3f16af73295f9.tmp-daily.cvd' ...
Database test passed.
daily.cvd updated (version: 25952, sigs: 4329215, f-level: 63, builder: raynman)
main database available for download (remote version: 59)
Time: 22.4s, ETA: 0.0s [========================>] 112.40MiB/112.40MiB
Testing database: '/var/db/clamav/tmp.7b2107feb5/clamav-43e4597996d3442ea8cf2ef6a4ab5255.tmp-main.cvd' ...
Database test passed.
main.cvd updated (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
bytecode.cvd database is up to date (version: 331, sigs: 94, f-level: 63, builder: anvilleg)
WARNING: Clamd was NOT notified: Can't connect to clamd through /var/run/clamav/clamd.sock: No such file or directory
------------------------------------

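The WARNING above appears because clamav-clamd has not been run yet, so the socket has not been created; starting the scanner daemon as shown below creates the .sock

The virus signatures start updating

Then start clamav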

#/usr/local/etc/rc.d/clamav-clamd start

Check the running status

#clamdtop

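Scan for viruses

#clamscan -r /directory

#clamscan -r -i /directory

-r: include subdirectories

-i: show only infected files

--bell: sound a bell when an infected file is found

--remove: delete infected files outright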