Once you have got your FREESCO box up and running, you can leave it as it is. But really, how fun is that? This document presents some ideas of what to do with your new box. Have fun!
//Fredrik f.oberg@hotpop.com
This section contains the things EVERYBODY should do in order to keep their FREESCO secure and stable.
In the FREESCO support forums (http://forums.freesco.org) new patches are announced. This is also where you find instructions on how to download and install them. By installing these patches, you ensure your box is as good (and safe!) as it gets. Hence, be sure to check out the currently available patches for your FREESCO version!
Here are some tips on how to increase the security on your FREESCO.
FTP is insecure because both the user ID and the password are sent as unencrypted text. This means that with a sniffer it is pretty easy to get access to a certain account. While it might be acceptable to take this risk for a normal user, it is unacceptable for root. Hence I have disabled FTP access for root on my box. This is done by modifying the startup script for the FTP server (/rc/rc_ftpd). The original startup line looks like this:
fork pure-ftpd $D -A -b -c $FTPCON -C 2 -B -D $ANON -H -I 15 -m 10 -s -S $FTPPORT -Z
With PureFTP you can specify the lowest uid that is allowed to use FTP. Root has uid 0, so we should only allow users with a uid of 1 or higher. To use this configuration, just add a -u 1 to the startup line and restart the server with rc_ftpd restart. Then try to log in as root (or any other user with uid 0); if everything went OK, you should not be able to log in.
For more information about denying ftp users see this thread.
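A way to verify the -u setting described above without attempting an FTP login, as an added example that is not part of the original page or of FREESCO. The function names and the sample files are constructed for illustration, and /etc/passwd as the account file is an assumption.

```shell
#!/bin/sh
# Added example (not FREESCO code): check that uid-0 accounts cannot use FTP.

# Print the value given to -u on the active pure-ftpd line of an rc script.
# Prints nothing if the option is absent; commented-out lines are skipped.
ftpd_min_uid() {
    awk '
        /^[ \t]*#/ { next }
        /pure-ftpd/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "-u" && i < NF)  { print $(i + 1); exit }
                if ($i ~ /^-u[0-9]+$/)     { print substr($i, 3); exit }
            }
        }
    ' "$1"
}

# Print the login name of every uid-0 account in a passwd-format file.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Succeed only if the rc script sets a numeric minimum uid of 1 or higher.
ftp_root_blocked() {
    min=$(ftpd_min_uid "$1")
    case "$min" in
        ''|*[!0-9]*) return 1 ;;    # option missing, or not a plain number
    esac
    [ "$min" -ge 1 ]
}

# Constructed sample files; on a real box pass /rc/rc_ftpd and /etc/passwd
# (the passwd location is an assumption, it is not named in the text).
tmp=$(mktemp -d)
printf '%s\n' 'root:x:0:0::/root:/bin/sh' 'boss:x:0:0::/root:/bin/sh' \
    'fredrik:x:500:100::/home/fredrik:/bin/sh' > "$tmp/passwd"
printf '%s\n' 'fork pure-ftpd $D -A -b -c $FTPCON -C 2 -Z' > "$tmp/rc_before"
printf '%s\n' 'fork pure-ftpd $D -u 1 -A -b -c $FTPCON -C 2 -Z' > "$tmp/rc_after"
for rc in "$tmp/rc_before" "$tmp/rc_after"; do
    if ftp_root_blocked "$rc"; then
        echo "${rc##*/}: uid 0 is locked out of FTP"
    else
        echo "${rc##*/}: FTP open to:" $(uid0_accounts "$tmp/passwd")
    fi
done
rm -rf "$tmp"
```

Listing every uid-0 account matters here because a replacement root user created with uid 0 is covered by the same -u 1 limit as root itself.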
By default, most Linux systems have a root user with full access to the whole system. For a hacker, it is enough to figure out the password for this user in order to get access to the system. To make it harder for the hackers, one might add a new user with the same privileges as root, and then delete/disable the root user. Now the hacker must guess the user ID of the root user as well as the password. Here are instructions for disabling the root user on your FREESCO.
[ ${BIGMEM:-y}$LOGNAME = yroot ] && exec ile
Either replace the word yroot with the name of your new root user (including a leading y) or just remove everything except the y. The latter approach will make ile available for all users, while the first approach limits ile to the new root user.
[ ${BIGMEM:-y}$LOGNAME = ynewrootname ] && exec ile
or
[ ${BIGMEM:-y}$LOGNAME = y ] && exec ile
This approach was suggested by Thasaidon in this thread, and the ile fix was provided by Lightning here.
Here is some really useful stuff; however, none of this is really necessary.
Get a free domain name!
Go to http://dyndns.org and register your FREE domain. Then log in to your FREESCO box and enable the DynDNS client.
The perfect way to administer your box remotely! The latest version on my box is 3.7.1p1 by Dingetje. See this thread. After installation, remember to
ipfwadm -I -a deny -P tcp -W $INET -D 0.0.0.0/0 $PORT -y -o
by putting a # at the beginning of the line. This is a firewall rule which denies ssh connections from the Internet. By commenting it out, you will be able to connect to your FREESCO from another machine on the Internet.
type rc_masq restart. This will restart the firewall and remove the above rule.
rc_opensshd restart
Of course you need a webserver! Pretty easy to install, instructions are here. To summarize:
pkg -i http://freesco.no-ip.org/openssl/openssl-0.9.6g_user_nadegda
perl: can't load library 'libm.so.5'
However, if libm.so.5 exists in /pkg/lib, you can safely ignore this message.
pkg -i http://dingetje.homeip.net/beta/0.3.x/apache_1.3.27_dingetje
httpd.conf, you might want to add a ServerTokens directive. This will prevent your server from sending version info etc., which might increase security a bit.
These are some packages I can't live without. Check them out! They are linked to a Danish mirror of FREESCOsoft, but please go to the main FREESCOsoft site and select YOUR nearest mirror.
This section describes how to modify your PATH environment variable. This is useful when you want to have easy access to scripts and binaries not located in the “standard” directories. One example of this is when you write your own scripts and put them in one of your own directories. When running such a script, you have to type
/the/whole/path/to/the/script
in order to run it. Another example is if you install a package such as mySQL which comes with a bin directory full of accessories. To access this stuff, you have to remember and type the correct path, i.e.
/usr/local/mySQL/bin/mysqladmin
By adding the directories to your PATH, you don't have to give the full path when running the script/binary. Instead of typing the above, you can simply type
mysqladmin
at the prompt.
For now, suppose you have your own scripts stored in /mnt/disk2/binaries and you want to include that directory in the path. Also suppose you have mySQL installed and that you want to add the bin directory (/usr/local/mySQL/bin) to the path as well.
The PATH variable is set in the profile file, located in /etc/, so in order to modify the variable, we must edit that file. The first thing to do is to create new environment variables for the directories you want to add to your path. Environment variables are created with the structure
VARIABLE_NAME=variable_value
There should be no space between the equal sign and the variable name or the variable value. To declare the necessary variables, just add the following at the beginning of the file (just after the #!/bin/sh line):
MYBIN=/mnt/disk2/binaries
MYSQL=/usr/local/mySQL/bin
A bit down in the file there is a line starting with
export TTY="`tty`" TERM=linux PS1 PATH=/boot/bin:...
Move the cursor to this line and place it just after the equal sign after the “PATH” word. Here you insert the values of your environment variables. To get the value out of the variables, you must add the $ sign just before the variable. After the variable, add a colon. Note: no spaces should be added! This means that after editing the line, it should look like this:
export TTY="`tty`" TERM=linux PS1 PATH=$MYBIN:$MYSQL:/boot/bin:...
Save your work and log in again. If you have done it all correctly, you should be able to access your scripts without typing the whole path, as well as access the mySQL binaries, just like this:
[Linux] mysqladmin
The final step is to make your profile survive a reboot. Right now it is only stored in /etc/, which is RAM, so it will be overwritten on the next reboot. To make your profile permanent, just copy it to /boot/etc/.
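Because the new directories are placed in front of /boot/bin, anything in them takes precedence over the system commands, and an unset MYBIN or MYSQL leaves an empty PATH entry, which the shell treats as the current directory. The check below is an added example, not part of the original page or of FREESCO; audit_path is a hypothetical helper name and the demo input is constructed.

```shell
#!/bin/sh
# Added example (not FREESCO code): check a PATH value before it goes
# into /etc/profile.

# Print one finding per risky entry in the colon-separated PATH given as $1.
# Flags empty entries (the shell treats them as the current directory),
# relative entries, missing directories, and directories that are
# group- or world-writable.
audit_path() {
    rest="$1:"                      # sentinel colon keeps a trailing empty entry
    while [ -n "$rest" ]; do
        dir=${rest%%:*}             # first entry
        rest=${rest#*:}             # everything after the first colon
        case "$dir" in
            '') echo "EMPTY: empty entry means current directory" ;;
            /*) if [ ! -d "$dir" ]; then
                    echo "MISSING: $dir"
                else
                    # -L follows symlinks so the target's mode is checked.
                    perms=$(ls -ldL "$dir" | cut -c1-10)
                    case "$perms" in
                        ?????w????|????????w?) echo "WRITABLE: $dir ($perms)" ;;
                    esac
                fi ;;
            *)  echo "RELATIVE: $dir" ;;
        esac
    done
}

# Constructed demo: the edited profile line evaluated while MYBIN and MYSQL
# are unset, for example because the two assignments were mistyped.
unset MYBIN MYSQL
audit_path "$MYBIN:$MYSQL:/bin"
```

The check looks only at the mode bits of each directory; who owns the directory and the permissions of its parent directories are not examined.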
This is just for fun!
Not very necessary but pretty cool! Go to http://uptimes.hostingwired.com and register. Then follow this instruction on how to set up the client on your machine. When editing upclient.conf, replace www.uptimes.nu with uptimes.hostingwired.com.
Note you need a PHP enabled webserver in order to run this package!
This is a cool package, keeping track of your uptime history. You call a PHP script which can create images like this: Uptime. Just follow these instructions.
After installation, run crontab and insert the following line:
* * * * * /usr/local/upla/upla_track 1>/dev/null 2>/dev/null
This will make UpLa calculate your uptime every minute. You can start, stop and restart the package with /pkg/rc/rc_upla. When calling your PHP script, you can modify the layout of the generated image with the arguments chart, key, font and time in the URL. For example, this
upla.php?chart=y&key=y&time=y
query string will produce the image below