
[UNIX] FreeBSD 6.0 basic installation procedure (my own notes)


Version: FreeBSD-6.0
1. Installation options: choose "standard" for the installation type and "standard" for the boot option too, and use the whole disk for the system. Next comes partitioning; taking a 4 GB disk as an example (this system is only meant to run a DNS server):
/   512M
swap  512M
/home  512M
/tmp   512M
/usr   2048M
Next come the package options:
First pick "Minimal", then under Custom select: base, man, catman, proflibs, src, ports.
Installation then starts; near the end you configure a few services, the IP address and so on.
Note: in FreeBSD-6.0, after configuring the IP during installation you also have to choose to install perl 5.8.7.
2. After FreeBSD reboots, start the initial configuration:
freebsd#ee /etc/ssh/sshd_config
Enable root login and key authentication.
Generating a key on FreeBSD:
freebsd#ssh-keygen -b 1024 -t dsa
It then prompts for where to store the key and for the key passphrase.
Finally a key pair is produced, stored in /root/.ssh/ by default.
id_dsa is used on the PC
id_dsa.pub is used on the server
Key authentication settings:
freebsd#ee /etc/ssh/sshd_config
Remove the "#" in front of PermitRootLogin yes
Remove the "#" in front of PubkeyAuthentication yes
AuthorizedKeysFile      /root/.ssh/id_dsa.pub
Remove the "#" in front and change the key location.
In SecureCRT, set it to authenticate with the public key and you are done.
freebsd#ps x      //note the sshd process ID, say 80
freebsd#kill -HUP 80      //restart sshd
3. Change a few initial settings:
freebsd#cd
freebsd#ee .cshrc
Below the set path line add: set autolist
Then change `hostname -s` to %B%m[%/]; after the change, log in again and the prompt becomes
freebsd[/root]#     (freebsd# is still used as the prompt below.)
4. Update cvsup:
freebsd#cd /usr/ports/net/cvsup-without-gui
freebsd#make clean
freebsd#make install
During installation you are asked whether to install the examples; choose not to.
Once the update is done, start building the kernel.
Update ports:
freebsd# cvsup -gL 2 -h cvsup.freebsdchina.org /usr/share/examples/cvsup/ports-supfile
When the kernel build fails and the kernel will not boot, go into single-user mode:
ok boot kernel.GENERIC    //boot the system with the GENERIC kernel
5. Security configuration:
freebsd# ee /etc/rc.conf
Add:
kern_securelevel_enable="YES"
kern_securelevel="-1"                 # set to "-1" for now; once the server is fully set up change it to "2" and reboot
# sysctl OIDs cannot be set from rc.conf (it is sourced by sh); these two are set in /etc/sysctl.conf below
#net.inet.tcp.log_in_vain=1
#net.inet.udp.log_in_vain=1
icmp_drop_redirect="YES"
icmp_log_redirect="YES"
sendmail_enable="NONE"
tcp_drop_synfin="YES"
inetd_enable="NO"
sshd_enable="YES"
check_quotas="NO"
keyrate="fast"
tcp_keepalive="YES"
log_in_vain="YES"
Save and exit.
freebsd# chflags schg /bin/*      //system-immutable: once kern.securelevel is above 0 the flag cannot be cleared, so later installworld/upgrades need single-user mode
freebsd# chflags schg /sbin/*
freebsd# ee /etc/syslog.conf
Find the security entry and change it to the following:
security.*;auth.info                /var/log/security
freebsd# ee /etc/mail/aliases
Add:
root: wanglin.sun@163.com
freebsd# newaliases     //make the setting take effect
This way all mail addressed to root is automatically forwarded to the mailbox set here. root receives two messages every day, "daily run output" and "security check output", which are the output of the periodic jobs configured in /etc/defaults/periodic.conf.
freebsd# echo root > /var/cron/allow
freebsd# chmod 600 /var/cron/allow
freebsd# chmod 600 /etc/crontab
freebsd# ee /etc/sysctl.conf
Add:
# TCP send buffer size (bytes)
net.inet.tcp.sendspace=65536
# TCP receive buffer size (bytes)
net.inet.tcp.recvspace=65536
# Largest UDP datagram that can be sent
net.inet.udp.maxdgram=65535
# Send buffer for local (unix domain) stream sockets
net.local.stream.sendspace=65535
# TCP extensions: window scaling and timestamps (RFC 1323), limited transmit (RFC 3042), larger initial window (RFC 3390)
net.inet.tcp.rfc1323=1
net.inet.tcp.rfc3042=1
net.inet.tcp.rfc3390=1
# Max socket buffer size
kern.ipc.maxsockbuf=2097152
# Max open files system-wide
kern.maxfiles=65536
# Max open files per process
kern.maxfilesperproc=32768
# Drop and log incoming ICMP redirects; never send them
net.inet.icmp.drop_redirect=1
net.inet.icmp.log_redirect=1
net.inet.ip.redirect=0
net.inet6.ip6.redirect=0
# Do not answer broadcast echo or netmask requests (smurf-style amplification)
net.inet.icmp.bmcastecho=0
net.inet.icmp.maskrepl=0
# Rate-limit outgoing ICMP errors (packets per second)
net.inet.icmp.icmplim=100
# Do not log when that limit is hit
net.inet.icmp.icmplim_output=0
# Send keepalives on every TCP connection so dead peers are reaped
net.inet.tcp.always_keepalive=1
# IP input queue length
net.inet.ip.intr_queue_maxlen=10000
# Shorter TIME_WAIT (MSL in ms; default 30000), helps under DoS
net.inet.tcp.msl=7500
# SYN cookies against SYN floods
net.inet.tcp.syncookies=1
# Drop packets to closed TCP ports without a RST (2 = including SYN), and to closed UDP ports without ICMP unreachable
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
# TCP bandwidth-delay product limiting
net.inet.tcp.inflight.enable=1
# Fast forwarding path, left at its default
#net.inet.ip.fastforwarding=0
# Listen queue backlog; default 128, typically 1024-4096, larger values cost memory
kern.ipc.somaxconn=32768
# Users may only see their own processes
security.bsd.see_other_uids=0
# Kernel securelevel: set it through kern_securelevel in /etc/rc.conf instead of here.
# /etc/rc.d/sysctl applies this file early in boot and securelevel can never be lowered,
# so a 2 here would defeat the "-1 first, 2 after setup" plan above
#kern.securelevel=2
# Log connection attempts to closed TCP/UDP ports
net.inet.tcp.log_in_vain=1
net.inet.udp.log_in_vain=1
# Always compute UDP checksums
net.inet.udp.checksum=1
# Back SysV shared memory with unpageable physical memory (needs 256 MB RAM or more)
kern.ipc.shm_use_phys=1
# Max size of one shared memory segment (bytes)
kern.ipc.shmmax=67108864
# Max total shared memory (pages)
kern.ipc.shmall=32768
# No core dumps when a program crashes
kern.coredump=0
# Local (unix domain) socket buffers
net.local.stream.recvspace=65536
net.local.dgram.maxdgram=16384
net.local.dgram.recvspace=65536
# Default TCP MSS when the peer advertises none (ADSL/PPPoE: 1452)
net.inet.tcp.mssdflt=1460
# Smallest MSS accepted from a peer (default 216); a peer advertising less than this
# (ADSL/PPPoE: 1452) is sent segments larger than it asked for
net.inet.tcp.minmss=1460
# Raw IP socket buffers
net.inet.raw.maxdgram=65536
net.inet.raw.recvspace=65536
# ipfw dynamic rule limit (default 4096; only exists when ipfw is loaded); a higher value absorbs a worm opening many TCP connections
net.inet.ip.fw.dyn_max=65535
# ipfilter TCP idle timeout (default 120 hours; only exists when ipf is loaded)
net.inet.ipf.fr_tcpidletimeout=864000
Miscellaneous commands:
1. Removing software installed from ports:
Taking wu-ftpd as an example:
freebsd#cd /usr/ports/ftp/wu-ftpd
freebsd#make clean
freebsd#make deinstall
freebsd#uname -a    //show system information
2. Starting common services at boot:
pureftpd_enable="YES"
apache21_enable="YES"   # apache 2.1
apache_enable="YES"     # apache 1.3
3. Installing the F-port tool:
freebsd#cd /usr/ports/security/f-port
freebsd#make clean
freebsd#make install
F-port is a commonly used tool for viewing ports
4. Installing nmap:
freebsd#cd /usr/ports/security/nmap
freebsd#make clean
freebsd#make install
nmap is a commonly used scanner
Mounting the CD-ROM:
freebsd# mount -t cd9660 /dev/acd0 /mnt
Several ways of installing software with PORTS:
freebsd# cd /usr/ports/www/apache13
freebsd# pkg_add -v xyz.tbz       //install a prebuilt package directly
freebsd# pkg_delete -v xyz        //remove it (the installed package name as shown by pkg_info, not the .tbz file)
freebsd# make install             //build and install from the port
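The lint script below is an added example, not part of the post above and not a FreeBSD tool. It checks the three files edited in steps 2 and 5 (/etc/rc.conf, /etc/sysctl.conf, /etc/ssh/sshd_config) for three pitfalls a practitioner runs into with exactly this setup: sysctl OIDs written into rc.conf, where sh(1) cannot assign them; kern.securelevel set in sysctl.conf, which /etc/rc.d/sysctl applies early in boot and which can never be lowered, so the "-1 first, 2 later" plan in rc.conf is overridden; and PermitRootLogin yes without PasswordAuthentication and ChallengeResponseAuthentication set to no, which leaves root reachable by password even after the public key is installed. The sample file contents are constructed to mirror the post's settings, and all function names are my own.

```sh
#!/bin/sh
# Lint the three files edited in steps 2 and 5 of the post. Added example, not
# the poster's script; needs only POSIX sh, awk and grep (FreeBSD base has all
# three). The sample files below are constructed to mirror the post's settings.

# rc.conf lines that are sysctl OIDs (dotted names). rc.conf is sourced by
# sh(1), and "net.inet.tcp.log_in_vain=1" is not a shell assignment, so such a
# line never takes effect; it belongs in /etc/sysctl.conf.
rc_misplaced_sysctls() {
    grep -E '^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z0-9_]+)+=' "$1"
}

# kern.securelevel from sysctl.conf (empty if unset). /etc/rc.d/sysctl applies
# this file early in boot and securelevel can only be raised, so a 2 here
# overrides the "-1 now, 2 after setup" plan made in rc.conf.
sysctl_securelevel() {
    awk -F= '/^[[:space:]]*kern\.securelevel[[:space:]]*=/ {
        sub(/#.*/, "", $2); gsub(/[[:space:]]/, "", $2); print $2; exit }' "$1"
}

# kern_securelevel from rc.conf with quotes stripped (empty if unset).
rc_securelevel() {
    awk -F= '/^[[:space:]]*kern_securelevel[[:space:]]*=/ {
        sub(/#.*/, "", $2); gsub(/[[:space:]]/, "", $2); gsub("\"", "", $2)
        print $2; exit }' "$1"
}

# Effective sshd_config value: the first uncommented occurrence wins, as in
# sshd(8); the third argument is the default used when the keyword is absent.
sshd_opt() {
    k=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    v=$(awk -v k="$k" 'tolower($1) == k { print tolower($2); exit }' "$1")
    printf '%s\n' "${v:-$3}"
}

# True when root can still log in with a password: PermitRootLogin yes while
# neither PasswordAuthentication nor ChallengeResponseAuthentication is "no".
sshd_root_password_login() {
    [ "$(sshd_opt "$1" PermitRootLogin no)" = yes ] && {
        [ "$(sshd_opt "$1" PasswordAuthentication yes)" != no ] ||
        [ "$(sshd_opt "$1" ChallengeResponseAuthentication yes)" != no ]
    }
}

# lint_configs RC SYSCTL SSHD: print findings; return 0 when clean, 1 otherwise.
lint_configs() {
    bad=0
    n=$(rc_misplaced_sysctls "$1" | grep -c . || :)
    if [ "$n" -gt 0 ]; then
        echo "rc.conf: $n sysctl line(s) that take no effect there (move to sysctl.conf):"
        rc_misplaced_sysctls "$1"
        bad=1
    fi
    s=$(sysctl_securelevel "$2")
    r=$(rc_securelevel "$1")
    if [ -n "$s" ] && [ "$s" -ge 1 ]; then
        echo "sysctl.conf: kern.securelevel=$s is applied before rc.conf's kern_securelevel=${r:-unset} and cannot be lowered again"
        bad=1
    fi
    if sshd_root_password_login "$3"; then
        echo "sshd_config: root may log in with a password; add PasswordAuthentication no and ChallengeResponseAuthentication no"
        bad=1
    fi
    return $bad
}

# Constructed samples mirroring the post's files (not read from a live system).
write_samples() {
    cat > "$1/rc.conf" <<'EOF'
kern_securelevel_enable="YES"
kern_securelevel="-1"          # raise to 2 once the server is set up
net.inet.tcp.log_in_vain=1
net.inet.udp.log_in_vain=1
sshd_enable="YES"
EOF
    cat > "$1/sysctl.conf" <<'EOF'
# configure kernel secure level
kern.securelevel=2
net.inet.tcp.blackhole=2
EOF
    cat > "$1/sshd_config" <<'EOF'
#PermitRootLogin no
PermitRootLogin yes
PubkeyAuthentication yes
AuthorizedKeysFile      /root/.ssh/id_dsa.pub
EOF
}

# Self-demo on the samples: three findings are expected, so lint_configs returns 1.
tmp=$(mktemp -d)
write_samples "$tmp"
lint_configs "$tmp/rc.conf" "$tmp/sysctl.conf" "$tmp/sshd_config" || echo "lint: not clean"
rm -rf "$tmp"
```

To check a real box, call `lint_configs /etc/rc.conf /etc/sysctl.conf /etc/ssh/sshd_config` instead of the samples. The sshd check deliberately treats a missing PasswordAuthentication line as "yes", because that is sshd's compiled-in default; uncommenting PermitRootLogin yes alone, as in step 2, only adds key authentication on top of password login rather than replacing it.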


I want to try installing BSD.

