There is a perfect FreeBSD Security Monitoring solution available from the portkit: portaudit. Once installed this application polls a database, updated and maintained by the FreeBSD Security Team and ports developers, for known security issues. This poll occurs daily. You’ll find sections like this in your security mails:

 Checking for a current audit database:

Downloading fresh database.
auditfile.tbz                                           71 kB   60 kBps
New database installed.
Database created: Mon Dec 19 03:05:01 CET 2011

Checking for packages with security vulnerabilities:

Affected package: freetype2-2.4.4
Type of problem: freetype — Some type 1 fonts handling vulnerabilities.
Reference: http://portaudit.FreeBSD.org/54075e39-04ac-11e1-a94e-bcaec565249c.html

Affected package: apache-2.2.19
Type of problem: apache — Range header DoS vulnerability.
Reference: http://portaudit.FreeBSD.org/7f6108d2-cea8-11e0-9d58-0800279895ea.html

Affected package: php5-5.3.6
Type of problem: php — multiple vulnerabilities.
Reference: http://portaudit.FreeBSD.org/057bf770-cac4-11e0-aea3-00215c6a37bb.html

Affected package: freetype2-2.4.4
Type of problem: freetype2 — execute arbitrary code or cause denial of service.
Reference: http://portaudit.FreeBSD.org/5d374b01-c3ee-11e0-8aa5-485d60cb5385.html

4 problem(s) in your installed packages found.

You are advised to update or deinstall the affected package(s) immediately.

– End of security output –

If security is important, you should install this application. It is quite easy.

Procedure

1. Update the portkit

# portsnap update

2. Install portaudit

# cd /usr/ports/ports-mgmt/portaudit
# make install clean

3. Initiate portaudit

#portaudit -Fda

Done!

There is a bug in FreeBSD 8.x that can cause the system to freeze when it runs on a Virtual Machine. This happens with SCSI controllers  in occasions there is heavy traffic on the host systems. For instance when a snapshot is taken.

The solution is quite simple: do not use a SCSI controller, but IDE.

In this article I show the steps to keep your FreeBSD 8.x system running and change your virtual controller. Please make sure you make proper backups. It is tricky and shit does happen!

Procedure

1. edit /etc/vstab

#vi /etc/fstab

With a SCSI controller you will find devices like /dev/da0…
For instance:
/dev/da0s1b
/dev/da0s1c
etc.
You need to change the part da0 to ad0, do not change anything else. So you get:
/dev/ad0s1b
/dev/ad0s1c
etc.

Be careful. If you make an error, the system won’t reboot again.
Save the file.

2. shutdown

# shutdown -h now

3. change your virtual controller

Go to your virtual system and modify the controller to IDE and keep the disk you have. Don’t forget to save your settings.

4. start the virtual machine

Start your virtual machine

Now your machine should reboot as never happened. But there is a chance you will get an annoying error messages.

5. Check if you have error message with geometry

#grep GEOM /var/log/messages

Check for a sentence like this occurring after the last reboot:

GEOM: da0s1: geometry does not match label (255h,63s != 16H,63s)

If there is such a error, there is something wrong with the geometry. You usually can fix it with the following steps.

6.  correct geometry

# sysinstall

Go to “Configure”

Go to “Fdisk”

Do “W” (=write) and ignore the Warning

Do not install  the bootmanger (choose “Cancel”)

Exit the install

7. reboot

# reboot

8. check again for a message like GEOM: da0s1: geometry does not match…

# grep GEOM /var/log/messages

You will see the message not occurring after this reboot

If so, you can be happy again.

Now your Virtual System uses an IDE virtual controller.  Now your FreeBSD 8.x system is less prone to freeze errors!

I – Copy the database

1.  check the database, user and the host the WP site is using

a. goto the wordpress root

# cd /home/www

The actual location depends on your installation, replace /home/www appropriate

b. check wp-config.php

# vi wp-config.php

Look for the phrases DB_NAME, DB_USER, DB_PASSWORD and DB_HOST. These define the database name, the database user, the database password and the database host.

In this case we have:

database name: cacomdb
database user: cacom
database password: Muursdfs
database host: 10.1.1.4

c. check the databases on your database server

# mysql -u root -p

Type the root password of the database

Stay within MySQL and give the command

show databases;

Now you should see the database of your WP site within the list.

2. dump your WP database

# cd
# mysqldump -h 10.1.1.4 -u cacom -p cacomdb > cacomdb.sql

Now you should type the database password. The database is dumped to the file cacomdb.sql

3. copy your database dump to your target VPS

# sftp root@46.4.213.254

Replace 46.4.213.254 with the IP of your target VPS.
Type the root password of your VPS and stay within sftp.
Type the following command:

put cacomdb.sql

Now the file is written to the VPS in the home directory of root (/root).

4. create database on your target database

a. login to your target VPS as root

# ssh root@46.4.213.254

b. create database

# mysql -u root -p

Type the root password of MySQL and stay within the MySQL client

create database cacomdb

create user ‘cacom’@'localhost’ identified by ‘secretpasswdx’;

Replace ‘secretpasswdx’ with your password.

grant all on cacomdb.* to cacom;

exit

Exit the MySQL client

c. populate database

# mysql -u cacom -p

Type the password of the created user. In this case: ‘secrestpasswdx’.
Don’t leave the MySQL client.

connect cacomdb;

source cacomdb.sql;

quit;

Now the database is copied.

II – Copy the files

1. Start a shell on the source VPS

# ssh root@45.1.1.2

Replace 45.1.1.2 with the IP of the source VPS

2. Create a tar file

# cd /home

# tar zcvf www.targ.gz www

3. Copy the tar file to the target VPS

# sftp root@46.4.213.254

Do not leave sftp

sftp> put www.tar.gz

sftp > quit

4. Start a shell on the target VPS

# ssh root@46.4.213.254

5. Extract the files

# mv ~/www.tar.gz /home

# cd /home

# tar xzxvf www.tar.gz

Now the files are copied to the target VPS

III – Check Apache configuration

1. Start a shell on the source VPS

# ssh root@45.1.1.2

2. Check the apache configuration

The are several standard apache configurations available. This depends on version, system and the background and taste of the system adminstration. In this article I assume a vhost configuations. This is a popular configuration as this type allows to run several website on one VPS. The configuration file is located in the following directory: /usr/local/etc/apache22/extra

# vi /usr/local/etc/apache22/extra/httpd-vhosts.conf

In this picture above the root directory of the WP site is located in /home/serverxl.org/www

3. Start a shell on the target VPS

# ssh root@46.4.213.254

4. Check and adapt the apache configuration as needed

# vi /usr/local/etc/apache22/extra/httpd-vhosts.conf

5. Check and adapt the configuration of WP as needed

# vi /home/serverxl.org/www/wp-config.php

IV – Modify DNS settings and test

1. Modify the DNS settings so your website’s hostname point to your new VPS

The actual commands differs depending on your domain service provider

Choose a TTL (time to live) of 5 minutes or even less. It can take up to 24 hours before your settings are available wordwide (due to caching mechanisms).

2. Test if it works

# ping www.serverxl.org

Now you should see the new IP

3. Exit your browser

4. Access your website

Now it should work!

Congratulations, job finished. Your websites are now on your new VPS.

1. Stop the database

# /usr/local/etc/rc.d/mysql-server stop

2. Edit /etc/rc.conf

# vi /etc/rc.conf

Add the following line:

mysql_args=”–skip-grant-tables”

Be careful, it is “(minus)(minus)skip-grant-tables” !

3. Start the database

# /usr/local/etc/rc.d/mysql-server start

4. Reset the root password for MySQL

# mysql -uroot

Enter the following commands in the MySQL client:

use mysql;

update user set password=password(“newpassword”) where user=”root”;

exit;

5. Restore orginal /etc/rc.conf

# vi /etc/rc.conf

Remove the line you added in step 2.

6. Restart the database

# /usr/local/etc/rc.d/mysql-server restart

7. Check and be happy again

# mysql -uroot

This should fail.

# mysql -uroot -p

This should work.

Does it work again? Just be happy!

Before you begin
The assumption is that a well configured AMP software suite (Apache HTTP-server, the MySQL database server and PHP) is installed on your general purpose webserver. You can read here how to do this on a FreeBSD VPS.

Procedure
1. Update the ports

# portsnap fetch
# portsnap update

2. Start mysql session

# mysql -uroot -p

Type the password and a MySQL session is started.
Do not end this session, continue with the following commands.

2a. Create WP database

create database mysite;

The name of the database is now mysite, you can change this if you prefer another name.

2b. Create WP database user

create user mysiteusr@localhost identified by ‘secretxyz’;

The name of the user is mysiteusr, you can change this if you would prefer.
You should change the password ‘secretxyz’ in a secret one.

2c. Grant permissions to WP database user

grant all on wpuser.* to mysiteusr@localhost;

2d. Finish the MySQL session

exit;

3. Install WP tarball

# mkdir -p /home/www
# cd /home/www
# fetch http://wordpress.org/latest.tar.gz
# tar zxvf latest.tar.gz
# mv wordpress mysite.com

You should change “mysite.com” with the name you prefer.

4. Fix permissions

# cd /home
# chmod -R www:www  www

5. Edit httpd.conf – enable configuration virtual hosts

# vi /usr/local/etc/apache22/httpd.conf

Search the line with

#Include etc/apache22/extra/httpd-vhosts.conf

and remove the #, so it reads

Include etc/apache22/extra/httpd-vhosts.conf

6. Edit http-vhosts.conf

# cd /usr/local/etc/apache22/extra
# vi httpd-vhosts.conf

Remove the VirtualHost examples (from the first <VirtualHost …> to the last </VirtualHost>.

Type the following lines:

<VirtualHost *:80>
ServerName www.mysite.com
ServerAlias mysite.com
DocumentRoot /home/www/mysite.com
<Directory /home/www/mysite.com>
Optios Indexes FollowSymLinks +ExecCGI
AllowOverride All
Order allow,deny
Allow from all
AddHandler cgi-script .pl .cgi
AddHandler application/x-httpd-php .php .phtml
</Directory>
</VirtualHost>

6. Restart apache

# /usr/local/etc/rc.d/apache22 restart

7. Make sure www.mymysite.com points to IP of your webserver

There are to ways to finish the installation: the proper way, that makes the website visable to the world. And a non-proper way, to finish the installation quick and dirty.

7a. Proper way: create a DNS A record

Create a A-record for the hostname “www” of your domain “mysite.com” with the value of the IP of your webserver, for instance 46.4.213.133. Please contact the documentation of your DNS-provider for further information. Please note there is a TTL (time to live – delay) and upto an additional 24 hours to take worldwide effect.

7b. Non-proper way: trick with hostfile on your client system

A trick to be able to complete the WP installation and configuration is to add the following line to your hostfile (/etc/hosts for Linux or BSD-like systems):

46.4.213.133            www.mysite.com      mysite.com

You shoud replace 46.4.213.133 with the IP of your webserver and mysite.com with your domainname.

Now you have mapped your domainname to the IP of your webserver, either a proper DNS record or the host-file trick, you are able to finisch the configuration.

Please note that your website is only visible from your client now.

7. Complete your WP installation

Start your favorite browser on your client and visit your domain

http://www.mysite.com

8. Follow the instructions of WP and you’re ready

9. Check if WP works

Visit your website again from your client

http://www.mysite.com

Now you should see a beautiful wordpress home page.

Congratulations!!!

If you didn’t create A DNS A-record your website won’t be visible to the world. Don’t forget to finish this last step as soon as possible. If you did the trick with the hostfile, please delete the line once the DNS record is created. It can cause a lot of confusion later.

VPS provider and FreeBSD VPS hosting plan
First you need to select a proper FreeBSD VPS hosting plan from a hosting service provider. The  hosting plan needs to offer stability, full root access, good support, connectivity, a well configured ports collection and, of course, value for your money. This article is based on a lightweight FreeBSD VPS hosting plan offered by Fastup. This plan offers a standard FreeBSD “best practices” configuration. I expect that the steps described in this article will also work for other VPS providers offering similar FreeBSD VPS hosting plans. This articles assumes you have a working install of FreeBSD 7.3 for i386 logged in as root with the ports collection installed.

Before you begin

1. Order a proper FreeBSD hosting plan
2. Learn how to access your server with SSH and access your server (with SSH or PuTTY)
3. Update /usr/ports

# portsnap fetch
# portsnap update

Procedure

1. Installing MySQL

a. Build MySQL from the ports

# cd /usr/ports/databases/mysql51-server
# make install clean -DBATCH

This may take a while. Please relax and enjoy life!

b. Edit /etc/rc.conf

# vi /etc/rc.conf

Add the following line to /etc/rc.conf:

mysql_enable=”YES”

This line will enable mysql and start mysql on boot.

c. Start MySQL manually

Now we will start mysql manually with the following command:

# /usr/local/etc/rc.d/mysql-server start

d. Set password for MySQL

Set the passwor for MySQL with the followingcommand (substitute your own password for ‘your-password’):

# rehash
# mysqladmin -uroot password ‘your-password’

Step 1 completed with success: MySQL is installed!

2. Installing Apache

a. Build Apache from the ports

# cd /usr/ports/www/apache22
# make install clean -DBATCH

b. Edit /etc/rc.conf

Add the following line:

apache22_enable=”YES”

3. Installing PHP

a. Build PHP from the ports

# cd /usr/ports/lang/php5
# make install clean

Make sure the APACHE option (Build apache module) option is ticked when configuring the build. All other options should not be changed. This take a lot of time, another coffee.

b. Install the php5-extensions

# cd /usr/ports/lang/php5-extensions
# make config

Make sure you enable (1) MySQL database support, (2) MySQLi database support, (3) GD library support and (4) ZLIB support. Leave the other default options untouched!

# make install clean -DBATCH

c. Install the php.ini file

# cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini

You could also take the development version php.ini-development if you prefer.

d. Edit your Apache configuration file httpd.conf

# vi /usr/local/etc/apache22/httpd.conf

Add the following lines to the end of the file, just before the include statement:

AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps

Search for the line that reads:

DirectoryIndex index.html

and add index.php so it reads

DirectoryIndex index.php index.html

Enable language settings by searching for the line

#Include etc/apache22/extra/httpd-languages.conf

and removing the # comment mark so it reads:

Include etc/apache22/extra/httpd-languages.conf

e. Edit your Apache configuration file httpd-languages.conf

# vi /usr/local/etc/apache22/extra/httpd-languages.conf

Add the following line to the end of the file:

AddDefaultCharset On

f. Add you hostname to /etc/hosts

# vi /etc/hosts

Add your ‘hostname’ and your ‘hostname’.localdomain this file, so it maps to the IP of your machine.

This leads, for instance, to the addition of the following line:

46.4.213.254    freebsdx_vm14     freebsdx_vm14.localdomain

In the example above the hostname is “freebsdx_vm14″ and the IP is 46.4.213.254.

g. Restart sendmail

Restart sendmail for the changes of the hostfile to take effect

# /etc/rc.d/sendmail restart

h. Start Apache

# /usr/local/etc/rc.d/apache22 start

i. Check your connectivity

Start your favorite browser from a computer connected to the internet and visit the URL:

http://<yourip>

Now you should see: “It works!”.

If there are no errors: you’re done. Apache with PHP is installed!

Congratulations. Your perfect FAMP server is up and running!

SSH server running on the common port 22 are subject to many worm-attacks, usually brute force. You can find these attacks in your /var/log/auth.log (or similar logfile like secure.log, depending on your specific operating system). An example how these attacks show up in your logfile:

Dec 20 13:02:47 freebsdx_vm14 sshd[70497]: Invalid user admin from 75.147.8.209
Dec 20 13:02:50 freebsdx_vm14 sshd[70537]: Invalid user stud from 75.147.8.209
Dec 20 13:02:51 freebsdx_vm14 sshd[70563]: Invalid user trash from 75.147.8.209
Dec 20 13:02:52 freebsdx_vm14 sshd[70585]: Invalid user aaron from 75.147.8.209
Dec 20 13:02:53 freebsdx_vm14 sshd[70601]: Invalid user gt05 from 75.147.8.209
Dec 20 13:02:55 freebsdx_vm14 sshd[70621]: Invalid user william from 75.147.8.209
Dec 20 13:02:56 freebsdx_vm14 sshd[70643]: Invalid user stephanie from 75.147.8.209

You can use DenyHosts to help to prevent these annoying attacks.

In this posting I explain how to install and configure this software on FreeBSD.

Procedure

1. install denyhosts from the ports

# cd /usr/ports/security/denyhosts
# make install clean
# vi /etc/rc.conf

2. edit /etc/rc.conf

Add the following lines:

denyhosts_enable=”YES”
syslogd_flags=”-s -c”

3. edit rules in /etc/hosts.allow

# vi /etc/hosts.allow

Add # to the line

ALL : ALL : allow

at the beginning of the file, so it reads

#ALL : ALL : allow

Add these lines or uncomment the right ones, so we have:

sshd : /etc/hosts.deniedssh : deny
sshd : ALL : allow

4. create empty /etc/hosts.deniedssh file

# touch /etc/hosts.deniedssh

5. edit /usr/local/etc/denyhosts.conf

# vi /usr/local/etc/denyhosts.conf

Uncomment the line

#BLOCK_SERVICE=sshd

so it reads

BLOCK_SERVICE=sshd

6. restart syslogd

# /etc/rc.d/syslogd restart

7. start denhosts

# /usr/local/etc/rc.d/denyhosts start

Now everything should work properly.
You can review and change the configuration of this program by editing denyhosts.conf.

The cause is a default timeout of 30 seconds as defined in /etc/defaults/rc.conf. It seems to me a very short time.

How to set the watchdog timeout

You can set the time-out by adding the following line to your /etc/rc.conf:

rcshutdown_timeout=”300″

In this case the time-out is set to 300 seconds. That worked fine for my application.

NTOP makes use of the RRDTool package. This package is used to store and display time-series data. In this case the package is used to display all kind of network traffic data with graphs. The procedure is that we first install the RRDTool and then the NTOP package.

I. Installing RRDTool

1. Prepare installation of RRDTool

Login as root and type the folowing commands:

yum install cairo-devel libxml2-devel pango-devel pango libpng-devel
yum install freetype freetype-devel libart_lgpl-devel

Please pay attention to the _ and the – in libart_lgpl-devel!

2. Download latest rrdtool

cd /opt
wget http://oss.oetiker.ch/rrdtool/pug/rrdtool-1.4.4.tar.gz

3. Untar the tar ball

tar -zxvf rrdtool-1.4.4.tar.gz

4. Configure

cd /opt/rrdtool-1.4.4
./configure –prefix=/usr/local/rrdtool

5. Compile and install

make
make install

Congratulations, first part completed…

II. Install NTOP

1. Prepare installation of NTOP

yum install libpcap libpcap-devel gdbm gdm-devel
yum install GeoIP libevent libevent-devel

2. Download the ntop tarball

cd /opt
wget http://downloads.sourceforge.net/project/ntop/ntop/ntop-3.3.10/ntop-3.3.10.tar.gz

I do not recommend to download newer versions for CentOS 5.x. These versions need Python26 and the installation could interfere with the proper functioning of your CentOS system.

3. Configuration of ntop

cd ntop-3.3.10
./autogen.sh –prefix=/usr/local/ntop

4. Compile and install

make
make install

5. Create ntop user

useradd -M -s /sbin/nologin -r ntop

6. Setup directory permissions

chown ntop:root /usr/local/var/ntop
chown ntop:ntop /usr/local/share/ntop

7. Set ntop admin password

ntop -A

8. Start ntop

ntop -d -L -u ntop -P /usr/local/var/ntop –skip-version-check –use-syslog=daemon

9. Viewing ntop stats

You can view the ntop stats with

http://localhost:3000

See how good it looks:

Recently I found too many open ports on my remote CentOS server. You can use the excellent program nmap to do a portscan. The following command gave me insight to my open ports from a client.

nmap -sS 1.1.1.1

You should replace 1.1.1.1 with the remote IP of your server.
The result:

Starting Nmap 5.00 ( http://nmap.org ) at 2010-10-18 22:59 CEST
Interesting ports on static.129.213.4.46.clients.your-server.de (46.4.213.129):
Not shown: 991 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp filtered smtp
111/tcp open rpcbind
135/tcp filtered msrpc
5900/tcp open vnc
5901/tcp open vnc-1
5902/tcp open vnc-2
5903/tcp open vnc-3
5904/tcp open unknown

For maximum security all unnecessary ports should be closed down. You can do this with the following steps.

1. login to your server

ssh root@1.1.1.1

Replace 1.1.1.1 with the remote IP of your server

2. start tool for CentOS firewall settings

system-config-securitylevel-tui

3. adjust firewall settings

I usually enable the firewall but disable SELLinux. This fine-grained security mechanism adds to security but is difficult to use and error-prone. The next step is to customize the settings.

I enabled SSH, HTTP, HTTPS and cleared the setting under “Other ports”.

Juist press the button OK 2x and your are ready.

4. recheck open ports on your clients

nmap -sS 1.1.1.1

The result:

Starting Nmap 5.00 ( http://nmap.org ) at 2010-10-19 06:04 CEST
Interesting ports on static.88-198-27-6.clients.your-server.de (88.198.27.6):
Not shown: 997 filtered ports
PORT    STATE  SERVICE
22/tcp  open   ssh
80/tcp  closed http
443/tcp closed https

Job done, ready.