What to do with your new FREESCO

Once you have your FREESCO box up and running, you can leave it as it is. But really, how fun is that? This document presents some ideas of what to do with your new box. Have fun!

//Fredrik f.oberg@hotpop.com

Necessary stuff

This section contains the things EVERYBODY should do in order to keep their FREESCO secure and stable.

Install patches

In the FREESCO support forums (http://forums.freesco.org) new patches are announced. This is also where you find instructions on how to download and install them. By installing these patches, you ensure your box is as good (and safe!) as it gets. Hence, be sure to check out the currently available patches for your FREESCO version!

Increasing security

Here are some tips on how to increase the security on your FREESCO.

Disable ftp for root

Ftp is insecure because both the user id and the password are sent as unencrypted text. This means that with a sniffer it is pretty easy to capture the credentials of an account. While it might be acceptable to take this risk for a normal user, it is unacceptable for root. Hence I have disabled ftp access for root on my box. This is done by modifying the startup script for the ftp server (/rc/rc_ftpd). The original startup line looks like this:

fork pure-ftpd $D -A -b -c $FTPCON -C 2 -B -D $ANON -H -I 15 -m 10 -s -S $FTPPORT -Z

With Pure-FTPd you can specify the lowest uid that is allowed to use ftp. Root has uid 0, so we should only allow users with a uid of 1 or higher. To use this configuration, just add -u 1 to the startup line and restart the server with rc_ftpd restart. Try to log in as root (or any other user with uid 0); if everything went OK, you should not be able to log in.

For more information about denying ftp users see this thread.

Disable root account

By default, most Linux systems have a root user with full access to the whole system. For a hacker, it is enough to figure out the password for this user in order to get access to the system. To make it harder for the hackers, one might add a new user with the same privileges as root, and then delete/disable the root user. Now the hacker must guess the user id of the root user as well as the password. Here are instructions for disabling the root user on your FREESCO.

  1. Log in as root and create a new normal user with useradd <newrootname>
  2. Open the password file (/etc/passwd) and change the uid:gid of the new user from 500:100 to 0:0. Also change the home directory of the user to /
  3. Only if you installed the opensshd package and use AllowUsers in /pkg/etc/sshd_config: add the new user to the AllowUsers statement. Do NOT remove the root user from this section yet! If you do, and anything goes wrong, you might be locked out of your box! Then restart sshd with rc_opensshd restart
  4. Log in as the new user and edit the password file again. Now change the shell for the root user from /bin/sh to /bin/false. This should make it impossible for root to log in.
  5. Try to log in as root. If everything is correct, you should not be able to log in. Log in with your new user and copy the password file from /etc/passwd to /boot/etc/ to make the changes permanent.
  6. Only if you installed the opensshd package and use AllowUsers in /pkg/etc/sshd_config: now it is safe to remove root from the AllowUsers section. Remember to restart sshd.
  7. If you use ile, you will notice that it doesn't work with your new user. To fix this, edit /etc/profile. Look for the line that says
    [ ${BIGMEM:-y}$LOGNAME = yroot ] && exec ile

    Either replace the word yroot with the name of your new root user (including the leading y) or just remove everything except the y. The latter approach will make ile available for all users, while the first approach limits ile to the new root user.

    [ ${BIGMEM:-y}$LOGNAME = ynewrootname ] && exec ile

    or

    [ ${BIGMEM:-y}$LOGNAME = y ] && exec ile
  8. Log out and back in again to verify that ile works as it should.
  9. Copy /etc/profile to /boot/etc/ to make it survive a reboot.
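The passwd edits from steps 2, 4 and 5 rehearsed on a constructed copy of the file, as an added example (not from the FREESCO page): it promotes the new user to uid 0, locks root's shell, and then lists every uid-0 account that can still log in, which is the check you want before copying the real file to /boot/etc/ (and also shows which accounts the -u 1 ftp rule above keeps out). The sample passwd lines and the user name admin2 are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the FREESCO page: rehearse the /etc/passwd edits on a
# constructed copy, then verify exactly one uid-0 account can still log in.

# Constructed sample passwd file (not a real box's /etc/passwd). admin2 is the
# freshly created "new root" from step 1; useradd gave it 500:100.
make_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/:/bin/sh
nobody:x:99:99:nobody:/:/bin/false
admin2:x:500:100:admin2:/home/admin2:/bin/sh
EOF
}

# Step 2: set the uid:gid of the new user to 0:0 and its home directory to /.
# Idempotent: running it twice leaves the line unchanged.
promote_user() { # $1=passwd file  $2=user name
    sed "s#^\($2:[^:]*\):[0-9]*:[0-9]*:\([^:]*\):[^:]*:#\1:0:0:\2:/:#" "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Step 4: give root the /bin/false shell so it can no longer log in.
lock_root_shell() { # $1=passwd file
    sed 's#^\(root:.*\):/bin/sh$#\1:/bin/false#' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Step 5 check: every uid-0 account that still has a usable shell. After the edit
# this should print only the new root user; an empty list means you have locked
# yourself out of all administrative access.
uid0_login_accounts() { # $1=passwd file
    awk -F: '$3 == 0 && $7 != "/bin/false" { print $1 }' "$1"
}

# Returns 0 if the named user can still log in (shell other than /bin/false).
can_login() { # $1=passwd file  $2=user name
    awk -F: -v u="$2" '$1 == u && $7 != "/bin/false" { found = 1 } END { exit !found }' "$1"
}

# Whole rehearsal on a temporary copy; prints the surviving uid-0 login accounts.
run_demo() { # $1=new root user name
    f=$(mktemp)
    make_sample_passwd "$f"
    promote_user "$f" "$1"
    lock_root_shell "$f"
    uid0_login_accounts "$f"
    rm -f "$f"
}
```

Run the same functions against a copy of your real /etc/passwd (never the live file directly) and only proceed when uid0_login_accounts prints exactly your new root user.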

This approach was suggested by Thasaidon in this thread, and the ile fix was provided by Lightning here.

Useful stuff

Here is some really useful stuff; however, none of it is strictly necessary.

Get a free domain name!

Go to http://dyndns.org and register your FREE domain. Then log in to your FREESCO box and enable the DynDNS client.

Install SSH

The perfect way to administer your box remotely! The latest version on my box is 3.7.1p1 by Dingetje. See this thread. After installation, remember to

  1. edit /pkg/rc/rc_opensshd and comment out
    ipfwadm -I -a deny -P tcp -W $INET -D 0.0.0.0/0 $PORT -y -o

    by putting a # at the beginning of the line. This is a firewall rule which denies ssh connections from Internet. By commenting it out, you will be able to connect to your FREESCO from another machine on the Internet.

  2. At the prompt, type rc_masq restart. This will restart the firewall and remove the above rule.
  3. If you want to restrict which users can ssh to your box, edit /pkg/etc/sshd_config and add an AllowUsers line with the user names that should be able to log on. AllowUsers and DenyUsers can be combined, and DenyUsers has precedence. After doing this, you need to restart ssh by typing rc_opensshd restart
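Steps 1 and 3 rehearsed on constructed copies of the two files, as an added example that is not part of the FREESCO page or the opensshd package: one function comments out the ipfwadm deny rule (and leaves it alone if it is already commented), and another answers "can this user still log in?" from the AllowUsers/DenyUsers lines with the precedence rule stated above, so you can check your own user before restarting sshd and locking yourself out. The file contents are constructed samples; the check handles exact user names only, not the patterns real sshd also accepts.

```shell
#!/bin/sh
# Added example, not part of the FREESCO page or the opensshd package.

# Constructed stand-in for the firewall line in /pkg/rc/rc_opensshd.
make_sample_rc() {
    cat > "$1" <<'EOF'
#!/bin/sh
PORT=22
ipfwadm -I -a deny -P tcp -W $INET -D 0.0.0.0/0 $PORT -y -o
EOF
}

# Step 1: comment out the deny rule. Idempotent: an already commented line is untouched.
comment_out_deny_rule() { # $1=rc_opensshd copy
    sed 's|^\(ipfwadm -I -a deny .*\)$|#\1|' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Returns 0 if the deny rule is still active (uncommented) in the file.
deny_rule_active() { # $1=rc_opensshd copy
    grep -q '^ipfwadm -I -a deny' "$1"
}

# Constructed stand-in for /pkg/etc/sshd_config using both directives.
make_sample_sshd_config() {
    cat > "$1" <<'EOF'
Port 22
PermitRootLogin yes
AllowUsers admin2 root guest
DenyUsers guest
EOF
}

# Step 3: exact-name check of the AllowUsers/DenyUsers rules. DenyUsers wins over
# AllowUsers; when no AllowUsers line exists, every user not denied is allowed.
ssh_login_allowed() { # $1=sshd_config copy  $2=user name
    awk -v u="$2" '
        $1 == "DenyUsers"  { for (i = 2; i <= NF; i++) if ($i == u) denied = 1 }
        $1 == "AllowUsers" { has_allow = 1; for (i = 2; i <= NF; i++) if ($i == u) allowed = 1 }
        END { if (denied) exit 1; if (has_allow && !allowed) exit 1; exit 0 }
    ' "$1"
}
```

Before running rc_opensshd restart, a one-liner such as ssh_login_allowed /pkg/etc/sshd_config "$(id -un)" tells you whether the account you are currently using would still get in.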

Install Apache

Of course you need a webserver! Pretty easy to install, instructions are here. To summarize:

  1. Patch your kernel, see this thread.
  2. Install OpenSSL using
    pkg -i http://freesco.no-ip.org/openssl/openssl-0.9.6g_user_nadegda
  3. Install Perl, get it from FREESCOsoft; here is a direct link to the Danish mirror (the mirror closest to me). When installing, you might get an error saying
    perl: can't load library 'libm.so.5'

    However, if libm.so.5 exists in /pkg/lib, you can safely ignore this message.

  4. Install Apache using
    pkg -i http://dingetje.homeip.net/beta/0.3.x/apache_1.3.27_dingetje
  5. Go through /usr/local/apache/conf/httpd.conf and change/add the ServerName setting for both the normal and the SSL web server. Change it to the address of your server.
  6. (optional) While editing httpd.conf, you might want to add a ServerTokens directive. This will stop your server from sending version info etc., which might increase security a bit.
  7. Edit /boot/pkg/usr/local/lib/php.ini and set cookie_domain to your address.
  8. (optional) If you want your server to be accessible to the world, enter the setup and change option 44.
  9. Use rc_httpd restart to restart Apache and make all changes take effect.
  10. (optional) If you have opened your server to the world, restart the firewall with rc_masq restart
  11. (optional) If you want to reduce the memory footprint of Apache, follow Dingetje's tips to disable mod_mp3, mod_perl and https.

Various packages

These are some packages I can't live without. Check them out! They are linked to a Danish mirror of FREESCOsoft, but please go to the main FREESCOsoft site and select YOUR nearest mirror.

  • e2fs For serious disk management, use the e2fs package!
  • top Yep, you definitely want top.
  • findutils FREESCO lacks some utilities for finding and grepping, but this package helps a lot.
  • Dingetje utils You DO need this one!

Modifying your PATH

This section describes how to modify your PATH environment variable. This is useful when you want easy access to scripts and binaries that are not located in the “standard” directories. One example is when you write your own scripts and put them in one of your own directories. When running such a script, you have to type

/the/whole/path/to/the/script

in order to run it. Another example is if you install a package such as mySQL, which comes with a bin directory full of accessories. To access this stuff, you have to remember and type the correct path, i.e.

/usr/local/mySQL/bin/mysqladmin

By adding the directories to your PATH, you don't have to give the full path when running the script/binary. Instead of typing the above, you can simply type

mysqladmin

at the prompt.

For now, suppose you have your own scripts stored in /mnt/disk2/binaries and you want to include that directory in the path. Also suppose you have mySQL installed and that you want to add the bin directory (/usr/local/mySQL/bin) to the path as well.

The PATH variable is set in the profile file, located in /etc/, so in order to modify the variable we must edit that file. The first thing to do is to create new environment variables for the directories you want to add to your path. Environment variables are created with the structure

VARIABLE_NAME=variable_value

There should be no space on either side of the equal sign. To declare the necessary variables, just add the following at the beginning of the file (just after the #!/bin/sh line):

MYBIN=/mnt/disk2/binaries
MYSQL=/usr/local/mySQL/bin

A bit down in the file there is a line starting with

export TTY="`tty`" TERM=linux PS1 PATH=/boot/bin:...

Move the cursor to this line and place it just after the equal sign following the word “PATH”. Here you insert the values of your environment variables. To get the value out of a variable, you must put a $ sign just before its name. After the variable, add a colon. Note: no spaces should be added! After editing, the line should look like this:

export TTY="`tty`" TERM=linux PS1 PATH=$MYBIN:$MYSQL:/boot/bin:...

Save your work and log in again. If you have done it all correctly, you should be able to run your scripts without typing the whole path, and access the mySQL binaries just like this:

[Linux] mysqladmin

The final step is to make your profile survive a reboot. Right now it is only stored in /etc/, which lives in RAM, so it will be overwritten at the next reboot. To make your profile permanent, just copy it to /boot/etc/.
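The whole profile edit described in this section, carried out on a constructed copy of /etc/profile and then verified, as an added example (not from the FREESCO page): it inserts the MYBIN and MYSQL lines after #!/bin/sh, prepends $MYBIN:$MYSQL: right after PATH= on the export line, and then sources the result in a fresh sh to show the PATH a new login would actually get. The directories are the page's own examples; the sample profile is shortened (it omits the TTY part of the export line), but the edit anchors on "PS1 PATH=", so it applies to the real line too.

```shell
#!/bin/sh
# Added example, not part of the FREESCO page: make and verify the /etc/profile PATH
# edit on a constructed copy of the file.

# Constructed, shortened stand-in for /etc/profile (not the real FREESCO file).
make_sample_profile() {
    cat > "$1" <<'EOF'
#!/bin/sh
umask 022
export TERM=linux PS1 PATH=/boot/bin:/bin:/sbin:/usr/bin:/usr/sbin
EOF
}

# Add MYBIN=... and MYSQL=... directly after the #!/bin/sh line (no spaces around '=').
declare_dirs() { # $1=profile  $2=MYBIN value  $3=MYSQL value
    awk -v b="$2" -v m="$3" \
        'NR == 1 { print; print "MYBIN=" b; print "MYSQL=" m; next } { print }' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Prepend $MYBIN:$MYSQL: right after "PATH=" on the export line. Single quotes keep the
# $ signs literal, so the profile (not this script) expands them at login time.
prepend_path_vars() { # $1=profile
    sed 's#^\(export .*PS1 PATH=\)#\1$MYBIN:$MYSQL:#' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# The PATH a fresh login shell ends up with after sourcing this profile.
effective_path() { # $1=profile
    sh -c ". \"$1\" && printf '%s' \"\$PATH\""
}

# Exact directory membership test on a PATH string (case-sensitive: mySQL != mysql).
path_has_dir() { # $1=PATH string  $2=directory
    case ":$1:" in
        *":$2:"*) return 0 ;;
        *)        return 1 ;;
    esac
}
```

Apply the two edit functions to a copy of your real /etc/profile, confirm effective_path starts with your directories, and only then copy the file over /etc/profile and into /boot/etc/.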

Fun stuff

This is just for fun!

Track your uptime

Not strictly necessary but pretty cool! Go to http://uptimes.hostingwired.com and register. Then follow these instructions on how to set up the client on your machine. When editing upclient.conf, replace www.uptimes.nu with uptimes.hostingwired.com.

UpLa

Note you need a PHP enabled webserver in order to run this package!

This is a cool package, keeping track of your uptime history. You call a PHP script which can create images like this: Uptime. Just follow these instructions.

After installation, run crontab and insert the following line:

* * * * * /usr/local/upla/upla_track 1>/dev/null 2>/dev/null

This will make UpLa calculate your uptime every minute. You can start, stop and restart the package with /pkg/rc/rc_upla. When calling your PHP script, you can modify the layout of the generated image with the arguments chart, key, font and time in the URL. For example, this

upla.php?chart=y&key=y&time=y

query string will produce the image below

 
freesco/howtos/what_to_do_with_your_new_freesco.txt · Last modified: 2005/09/14 00:49 (external edit)