-------------------------------------------------------------------------------- [FreeBSD 4.8] ・rc.confの設定 ・sysctl.confの設定 プロセスの隠ぺい OutgoingPortのポートレンジを変更する ソケットのバッファサイズをチューニングする ・テンポラリをnodevとnosuidに /tmpをrw,nodev,nosuid ・不要なユーザーアカウントの削除 vipwでtoor,games,news,uucp,xtenをコメントアウト /etc/groupのnews,games,guest,uucp,xten,dialerをコメントアウト ・デーモンプロセス用アカウントの追加 /etc/groupにftp(50),vchkpw(89),mysql(90),nofiles(91),qmail(92)を追加 vipwでftp(50:50),vpopmail(89:89),mysql(90:90),alias(91:91),qmaild(92:91),qmaill(93:91),qmailp(94:91),qmailq(95:92),qmailr(96:92),qmails(97:92)を追加 ・crontabを許可するユーザーを指定 ・直接端末を操作するときにrootパスワードを要求するように console none unknown off insecure ・ホームディレクトリのパーミッションを変更 chmod 0750 /root ・resolv.conf設定 ・motdの編集 ・driftファイルの作成 # touch /etc/ntp.drift ・newsyslog.confの設定 /var/log/error.log 644 7 * @T00 Z /var/log/access.log 644 7 * @T00 Z /var/log/ssl_error.log 644 7 * @T00 Z /var/log/ssl_access.log 644 7 * @T00 Z /var/log/ssl_request.log 644 7 * @T00 Z /var/log/ssl_engine.log 644 7 * @T00 Z ・カーネルリコンパイル # cd /usr/src/sys/i386/conf # /usr/sbin/config NS # cd ../../compile/NS # make depend # make # make install -------------------------------------------------------------------------------- [proftpd-1.2.9.tar.gz] # ftp ftp.proftpd.org anonymousで接続 ftp> cd distrib/source ftp> get proftpd-1.2.9.tar.gz ftp> quit # tar xvzf proftpd-1.2.9.tar.gz # cd proftpd-1.2.9 # ./configure # make # make install # mkdir /var/run/proftpd # chown ftp:wheel /var/run/proftpd # chmod 0700 /var/run/proftpd # mkdir /var/log/proftpd # chown ftp:wheel /var/log/proftpd # chmod 0700 /var/log/proftpd # vi /etc/proftpd.conf # vi /usr/local/etc/rc.d/proftpd.sh # chmod 755 /usr/local/etc/rc.d/proftpd.sh -------------------------------------------------------------------------------- [make-3.80.tar.gz] # tar xvzf make-3.80.tar.gz # cd make-3.80 # ./configure # make # make check # make install -------------------------------------------------------------------------------- [pth-2.0.1.tar.gz] # tar xvzf pth-2.0.1.tar.gz # cd pth-2.0.1 # ./configure # make # make test # make install -------------------------------------------------------------------------------- [openssl-0.9.7d.tar.gz] # tar xvzf openssl-0.9.7d.tar.gz # cd openssl-0.9.7d # ./config --prefix=/usr --openssldir=/usr/local/ssl shared # make # make test # make install # cp /usr/local/ssl/misc/CA.sh /usr/local/ssl/ # /usr/local/ssl/CA.sh -newca # openssl x509 -inform pem -in /usr/local/ssl/demoCA/cacert.pem -outform der -out /usr/local/ssl/demoCA/cacert.der # openssl dgst -md5 rand.txt > rand.dat # openssl genrsa -des3 -out beppers.des -rand rand.dat 1024 # openssl rsa -in beppers.des -out beppers.key # openssl req -new -days 365 -key beppers.key -out beppers.csr # openssl ca -in beppers.csr -keyfile /usr/local/ssl/demoCA/private/cakey.pem -cert /usr/local/ssl/demoCA/cacert.pem -out beppers.crt # openssl genrsa -des3 -out ska-phonics.des -rand rand.dat 1024 # openssl rsa -in ska-phonics.des -out ska-phonics.key # openssl req -new -days 365 -key ska-phonics.key -out ska-phonics.csr # openssl ca -in ska-phonics.csr -keyfile /usr/local/ssl/demoCA/private/cakey.pem -cert /usr/local/ssl/demoCA/cacert.pem -out ska-phonics.crt # openssl genrsa -des3 -out yuzuman.des -rand rand.dat 1024 # openssl rsa -in yuzuman.des -out yuzuman.key # openssl req -new -days 365 -key yuzuman.key -out yuzuman.csr # openssl ca -in yuzuman.csr -keyfile /usr/local/ssl/demoCA/private/cakey.pem -cert /usr/local/ssl/demoCA/cacert.pem -out yuzuman.crt -------------------------------------------------------------------------------- [openssh-3.9p1.tar.gz] # tar xvzf openssh-3.9p1.tar.gz # cd openssh-3.9p1 # ./configure --prefix=/usr --with-pam --with-ssl-dir=/usr # make # make install -------------------------------------------------------------------------------- [bind-9.2.3.tar.gz] # tar xvzf bind-9.2.3.tar.gz # cd bind-9.2.3 # ./configure --with-openssl=yes # make # make install # /usr/local/sbin/dnssec-keygen -r /dev/urandom -a hmac-md5 -b 512 -n user rndc # vi /etc/rndc.conf options { default-server localhost; default-key "rndc_key"; }; server localhost { key "rndc_key"; }; key "rndc_key" { algorithm hmac-md5; secret "@"; }; @ Krndc.+157+xxxxx.privateから転記 # chown root:wheel rndc.conf # chmod 0400 rndc.conf # vi /etc/named.conf options { directory "/etc/namedb"; pid-file "/var/run/named/named.pid"; auth-nxdomain no; listen-on { any; }; lame-ttl 1800; }; key "rndc_key" { algorithm hmac-md5; secret "A"; }; controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc_key"; }; }; A Krndc.+157+xxxxx.keyから転記 # chown root:bind /etc/named.conf # chmod 0440 /etc/named.conf # mkdir /etc/namedb ・ゾーンファイルの記述 # chown -R root:bind /etc/namedb # chmod 0770 /etc/namedb # chmod 0440 /etc/namedb/* # mkdir /var/run/named # chown bind:wheel /var/run/named # chmod 0700 /var/run/named # mkdir /var/log/named # chown bind:wheel /var/log/named # chmod 0700 /var/log/named -------------------------------------------------------------------------------- [dhcp-3.0.1rc12.tar.gz] # tar xvzf dhcp-3.0.1rc12.tar.gz # cd dhcp-3.0.1rc12 # ./configure # make # make install # touch /var/db/dhcpd.leases # vi /etc/dhcpd.conf # vi /usr/local/etc/rc.d/dhcpd.sh # chmod 755 /usr/local/etc/rc.d/dhcpd.sh -------------------------------------------------------------------------------- [httpd-2.0.50.tar.gz] # tar xvzf httpd-2.0.50.tar.gz # cd httpd-2.0.50 # ./configure --enable-layout=Apache --enable-modules="so ssl dav dav-fs headers info status suexec" --with-mpm=worker --with-ssl=/usr/local/ssl --with-suexec-caller=www --with-suexec-docroot=/home --with-suexec-userdir=public_html --with-suexec-uidmin=1000 --with-suexec-gidmin=1000 --with-suexec-logfile=/var/log/httpd/suexec.log # make # make install # mkdir /var/run/httpd # chown www:wheel /var/run/httpd # chmod 0700 /var/run/httpd # mkdir /var/log/httpd # chown www:wheel /var/log/httpd # chmod 0700 /var/log/httpd # mkdir /var/db/httpd # chown www:wheel /var/db/httpd # chmod 0700 /var/db/httpd # vi /usr/local/apache2/conf/httpd.conf # vi /usr/local/etc/rc.d/httpd.sh # chmod 755 /usr/local/etc/rc.d/httpd.sh -------------------------------------------------------------------------------- [mod_encoding-20020611a] # tar xvzf mod_encoding-20020611a.tar.gz # cp mod_encoding.apache2.20020611a mod_encoding-20020611a/mod_encoding.c # cd mod_encoding-20020611a/lib # ./configure # make # make install # cd .. # ./configure --with-apxs=/usr/local/apache2/bin/apxs --with-iconv-hook=/usr/local/include # make # gcc -shared -o mod_encoding.so mod_encoding.o -Wc,-Wall -L/usr/local/lib -Llib -liconv_hook -liconv # make install -------------------------------------------------------------------------------- [mysql-4.1.7.tar.gz] # tar xvzf mysql-4.1.7.tar.gz # cd mysql-4.1.7 # ./configure --with-mysqld-user=mysql --with-zlib-dir=/usr/local --with-openssl=/usr --with-charset=ujis --with-extra-charsets=ujis # make # make install # ./scripts/mysql_install_db --user=mysql # chown -R mysql:mysql /usr/local/var # cp support-files/my-medium.cnf /etc/my.cnf # vi /usr/local/etc/rc.d/mysqld.sh # chmod 755 /usr/local/etc/rc.d/mysqld.sh # mysqld_safe --user=mysql & # mysqladmin -u root password 'root-password' # mysqladmin -u root -h ns.beppers.jp password 'root-password' -------------------------------------------------------------------------------- [zlib-1.1.4.tar.gz] # tar xvzf zlib-1.1.4.tar.gz # cd zlib-1.1.4 # ./configure # make # make install # make clean # ./configure --shared # make # make install -------------------------------------------------------------------------------- [jpegsrc.v6b.tar.gz] # tar xvzf jpegsrc.v6b.tar.gz # cd jpeg-6b # ./configure --enable-shared --enable-static # make # make install -------------------------------------------------------------------------------- [libpng-1.2.5.tar.gz] # tar xvzf libpng-1.2.5.tar.gz # cd libpng-1.2.5 # cp scripts/makefile.freebsd makefile # make # mkdir /usr/local/include/libpng # make install -------------------------------------------------------------------------------- [freetype-2.1.5.tar.gz] # tar xvzf freetype-2.1.5.tar.gz # cd freetype-2.1.5 # ./configure --enable-shared --enable-static # make # make install -------------------------------------------------------------------------------- [gd-2.0.15.tar.gz] # tar xvzf gd-2.0.15.tar.gz # cd gd-2.0.15 # ./configure --enable-shared --enable-static --with-libiconv-prefix=/usr/local --with-png=/usr/local --with-jpeg=/usr/local --with-freetype=/usr/local # make # make install -------------------------------------------------------------------------------- [php-4.3.9.tar.gz] # tar xvzf php-4.3.9.tar.gz # cd php-4.3.9 # ./configure --with-apxs2=/usr/local/apache2/bin/apxs --enable-versioning --with-openssl=/usr --with-zlib=/usr/local --with-zlib-dir=/usr/local --with-gd=/usr/local --with-jpeg-dir=/usr/local --with-png-dir=/usr/local --with-freetype-dir=/usr/local --enable-gd-native-ttf --enable-gd-jis-conv --with-iconv=/usr/local --with-imap=/usr/local --enable-mbstring --with-mysql=/usr/local --with-pdflib=/usr/local --with-pgsql=/usr/local/pgsql --enable-zend-multibyte --with-tsrm-pth=/usr/local/bin/pth-config # make # make test # make install # cp php.ini-dist /usr/local/lib/php.ini -------------------------------------------------------------------------------- [phpMyAdmin-2.5.4-php.tar.gz] httpでアクセス可能なディレクトリで展開する # tar xvzf phpMyAdmin-2.5.4-php.tar.gz # cd phpMyAdmin-2.5.4 # vi config.inc.php # mysql -uroot -p'root-password' < pma.sql -------------------------------------------------------------------------------- [qmail-1.03.tar.gz] # tar xvzf qmail-1.03.tar.gz # cd qmail-1.03 # patch < qmail-date-localtime.patch # patch < qmail-large-dns.patch # patch < qmail-smtpd-relay-reject.patch # mkdir /var/qmail # make setup # make check # ./config # cd /var/qmail/alias # touch .qmail-postmaster .qmail-mailer-daemon .qmail-root .qmail-default # chmod 644 .qmail* # chmod 0 /usr/sbin/mailwrapper # chmod 0 /usr/libexec/mail.local # rm /usr/sbin/sendmail # ln -s /var/qmail/bin/sendmail /usr/sbin/sendmail # vi /var/qmail/control/defaultdomain beppers.jp # vi /var/qmail/control/locals localhost ns.beppers.jp ns.ska-phonics.com ns.yuzuman.com # vi /var/qmail/control/me ns.beppers.jp # vi /var/qmail/control/plusdomain beppers.jp # vi /var/qmail/control/rcpthosts localhost ns.beppers.jp beppers.jp ns.ska-phonics.com ska-phonics.com ns.yuzuman.com yuzuman.com # echo "5242880" > /var/qmail/control/databytes # /var/qmail/bin/maildirmake ~alias/Maildir # chown -R alias /var/qmail/alias/Maildir # echo "./Maildir/" > /var/qmail/alias/.qmail # chown -R root:wheel /var/qmail/alias/.qmail -------------------------------------------------------------------------------- [ucspi-tcp-0.88.tar.gz] (tcpserver) # tar xvzf ucspi-tcp-0.88.tar.gz # cd ucspi-tcp-0.88 # make setup # make check # vi /etc/tcp.smtp 192.168.0.:allow,RELAYCLIENT="" 127.:allow,RELAYCLIENT="" # /usr/local/bin/tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp -------------------------------------------------------------------------------- [checkpassword-0.90.tar.gz] # tar xvzf checkpassword-0.90.tar.gz # cd checkpassword-0.90 # vi conf-home /usr/local # make # make setup # make check -------------------------------------------------------------------------------- [relay-ctrl-3.1.1.tar.gz] (POP Before SMTP) # tar xvzf relay-ctrl-3.1.1.tar.gz # cd relay-ctrl-3.1.1 # make # ./installer # mkdir /var/spool/relay-ctrl # mkdir /var/spool/relay-ctrl/allow # chmod 700 /var/spool/relay-ctrl # chmod 777 /var/spool/relay-ctrl/allow # mkdir /etc/relay-ctrl # echo "/var/spool/relay-ctrl/allow" > /etc/relay-ctrl/RELAY_CTRL_DIR # echo '900' > /etc/relay-ctrl/RELAY_CTRL_EXPIRY # echo ':allow,RELAYCLIENT='@beppers.jp'' >> /etc/relay-ctrl/RELAY_CTRL_RELAYCLIENT # crontab -e */5 * * * * /usr/local/bin/envdir /etc/relay-ctrl /usr/local/bin/relay-ctrl-age -------------------------------------------------------------------------------- [vpopmail-5.2.1.tar.gz] # tar xvzf vpopmail-5.2.1.tar.gz # cd vpopmail-5.2.1 # mkdir /home/vpopmail # chown vpopmail:vchkpw /home/vpopmail # ./configure --enable-roaming-users=y --enable-relay-clear-minutes=15 # make # make install-strip # vi /home/vpopmail/etc/tcp.smtp 192.168.0.:allow,RELAYCLIENT="" 127.:allow,RELAYCLIENT="" # /usr/local/bin/tcprules /home/vpopmail/etc/tcp.smtp.cdb /home/vpopmail/etc/tcp.smtp.tmp < /home/vpopmail/etc/tcp.smtp # chown vpopmail:vchkpw /home/vpopmail/etc/* # crontab -e */5 * * * * /home/vpopmail/bin/clearopensmtp 2>&1 > /dev/null # /home/vpopmail/bin/vadddomain beppers.jp root-password # /home/vpopmail/bin/vadddomain ska-phonics.com root-password # /home/vpopmail/bin/vadddomain yuzuman.com root-password -------------------------------------------------------------------------------- [daemontools-0.76.tar.gz] # mkdir -p /package # chmod 755 /package # chmod +t /package # cd /package # tar xvpfz /usr/local/src/daemontools-0.76.tar.gz # cd admin/daemontools-0.76 # ./package/install # mkdir /var/qmail/services # mkdir /var/qmail/services/qmail # chmod +t /var/qmail/services/qmail # vi /var/qmail/services/qmail/run #!/bin/sh exec env - PATH="/var/qmail/bin:$PATH" qmail-start ./Maildir/ # chmod 755 /var/qmail/services/qmail/run # mkdir /var/qmail/services/qmail/log # vi /var/qmail/services/qmail/log/run #!/bin/sh exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t /var/log/qmail # chmod 755 /var/qmail/services/qmail/log/run # mkdir /var/log/qmail # chown qmaill:nofiles /var/log/qmail # chmod 700 /var/log/qmail # mkdir /var/qmail/services/pop3d # chmod +t /var/qmail/services/pop3d # vi /var/qmail/services/pop3d/run #!/bin/sh PATH=/var/qmail/bin:/usr/local/bin:/bin:/usr/bin exec tcpserver -HR -l ns.beppers.co.jp -v 0 pop3 /var/qmail/bin/qmail-popup ns.beppers.co.jp /home/vpopmail/bin/vchkpw /var/qmail/bin/qmail-pop3d Maildir 2>&1 # chmod 755 /var/qmail/services/pop3d/run # mkdir /var/qmail/services/pop3d/log # vi /var/qmail/services/pop3d/log/run #!/bin/sh exec /usr/local/bin/setuidgid qmailp /usr/local/bin/multilog t /var/log/pop3d # chmod 755 /var/qmail/services/pop3d/log/run # mkdir /var/log/pop3d # chown qmailp:nofiles /var/log/pop3d # chmod 700 /var/log/pop3d # mkdir /var/qmail/services/smtpd # chmod +t /var/qmail/services/smtpd # vi /var/qmail/services/smtpd/run #!/bin/sh PATH=/var/qmail/bin:/usr/local/bin:/bin:/usr/bin tcpserver -HR -l ns.beppers.co.jp -v -u 92 -g 91 -x /home/vpopmail/etc/tcp.smtp.cdb 0 smtp /var/qmail/bin/qmail-smtpd 2>&1 # chmod 755 /var/qmail/services/smtpd/run # mkdir /var/qmail/services/smtpd/log # vi /var/qmail/services/smtpd/log/run #!/bin/sh exec /usr/local/bin/setuidgid qmails /usr/local/bin/multilog t /var/log/smtpd # chmod 755 /var/qmail/services/smtpd/log/run # mkdir /var/log/smtpd # chown qmails:nofiles /var/log/smtpd # chmod 700 /var/log/smtpd # ln -s /var/qmail/services/qmail /service/qmail # ln -s /var/qmail/services/pop3d /service/pop3d # ln -s /var/qmail/services/smtpd /service/smtpd -------------------------------------------------------------------------------- [ezmlm-0.53.tar.gz] (ezmlm + ezmlm-idx) # tar xvzf ezmlm-0.53.tar.gz # tar xvzf ezmlm-idx-0.40.tar.gz # mv ezmlm-idx-0.40/* ezmlm-0.53/ # rmdir ezmlm-idx-0.40 # cd ezmlm-0.53 # patch < idx.patch # make # make man # cp ezmlmrc.jp ezmlmrc # make setup -------------------------------------------------------------------------------- [autorespond-2.0.2.tar.gz] (autoresponder) # tar xvzf autorespond-2.0.2.tar.gz # cd autorespond-2.0.2 # perl -pi -e 's|INSTALL_GID = root|INSTALL_GID = wheel|g' Makefile # perl -pi -e 's|strcasestr|str_casestr|g' autorespond.c # make # make install -------------------------------------------------------------------------------- [qmailadmin-1.0.6.tar.gz] # tar xvzf qmailadmin-1.0.6.tar.gz # cd qmailadmin-1.0.6 # ./configure --enable-htmldir=/usr/local/apache2/htdocs/ --enable-cgibindir=/usr/local/apache2/cgi-bin/ # make # make install-strip -------------------------------------------------------------------------------- net-snmp URI: http://net-snmp.sourceforge.net/ # tar xvzf net-snmp-5.0.8.tar.gz # rm net-snmp-5.0.8.tar.gz # cd net-snmp-5.0.8 # ./configure Default version of SNMP to use (3): 1 System Contact Information (root@beppers.jp): root@beppers.jp System Location (Unknown): Bepper's Location to write logfile (/var/log/snmpd.log): /var/log/snmpd.log Location to write persistent information (/var/net-snmp): /var/net-snmp # make # make install # vi /etc/snmpd.conf # chmod 0600 /etc/snmpd.conf # vi /usr/local/etc/rc.d/snmpd.sh # chmod 755 /usr/local/etc/rc.d/snmpd.sh -------------------------------------------------------------------------------- [mrtg-2.9.29.tar.gz] # tar xvzf mrtg-2.9.29.tar.gz # cd mrtg-2.9.29 # ./configure --prefix=/usr/local --with-gd-lib=/usr/local/lib --with-gd-inc=/usr/local/include --with-z-lib=/usr/local/lib --with-z-inc=/usr/local/include --with-png-lib=/usr/local/lib --with-png-inc=/usr/local/include # make # make install # mkdir /var/run/mrtg # chown www:wheel /var/run/mrtg # chmod 0700 /var/run/mrtg # mkdir /var/log/mrtg # chown www:wheel /var/log/mrtg # chmod 0700 /var/log/mrtg # mkdir /var/db/mrtg # chown www:wheel /var/db/mrtg # chmod 0700 /var/db/mrtg # vi /etc/mrtg.conf # vi /usr/local/etc/rc.d/mrtg.sh # chmod 755 /usr/local/etc/rc.d/mrtg.sh # /usr/local/bin/indexmaker /etc/mrtg.conf > /usr/local/apache2/htdocs/mrtg/index.html # chown www /usr/local/apache2/htdocs/mrtg/index.html # cd /etc/cron.daily # vi analog #! /bin/sh analogdir=/var/www/analogdir/ dnstrandir=/usr/local/bin/ urldecodedir=/usr/local/bin/ if [ -d $analogdir ]; then cd $analogdir if [ -x $dnstrandir/dnstran ]; then $dnstrandir/dnstran /var/log/apache/access.log* fi if [ -x /usr/bin/analog ] && [ -x $urldecodedir/urldecode.pl ]; then /usr/bin/analog $urldecodedir/urldecode.pl < analog.html > analognew.html fi fi # chmod 755 analog