
Showing posts with the label FreeBSD

Configuring FreeBSD Postfix Mailscanner and Mailwatch

Configuring Mailscanner, Mailwatch and Postfix for FreeBSD. The install guide is here. I have split the install guide and the configuration guide, as they are pretty involved and might cause confusion if they were put together. I will start off with the easier stuff like clamav, then move on to spamassassin and postfix, and finally to mailscanner and mailwatch. If you have not already read the Install Guide (which might be helpful to newcomers), here is a summary of what has been installed. Apache and php: this is for the Mailwatch web front end. Mysql: this is where mailscanner will log info and where your black and white lists will live. Mailwatch: the web front end to help monitor and manage Mailscanner. Spamassassin: the system that checks the mail content looking for spam. Clamav: the antivirus scanner that Mailscanner will use. Mailscanner: the server that uses all of the above to keep your mail clean and spam free. OK, now that that is over: Confi...

FreeBSD, Postfix, Mailscanner and Mailwatch Installation

Installing postfix, mailscanner and mailwatch on FreeBSD. I have set up a number of servers using mailscanner and postfix to do antispam and antivirus checking. This particular example will show you how to set the server up as a mail gateway, i.e. all inbound and outbound mail will go via this server. You can also use the server as a pop3/imap4 server, and doing so does make life a little easier as you don't have to worry about the transport and relay_hosts files. At a later stage I will show that info too..... when I get a chance. This may seem strange, but as there is quite a bit involved in installing and configuring, I am splitting this into two How-To's: this one, the install How-To, and the configuration How-To. First off, it's probably best to start on a new install of FreeBSD, once you have done the initial portsnap fetch and portsnap extract. Right, here we go. Two things you might want to do are force your NIC to 100MB full duplex and install lsof. Type in ifconfig and check if the...

Securing PHP4

There are many things to take into account when it comes to trying to secure anything, not only PHP or Apache or Postfix or anything else: 1. You and your users still need to be able to use it. 2. The server can be as secure as possible, but a few lines of bad code can really screw up your morning. There are a few things to keep in mind when configuring the php.ini file. Firstly, it's probably not a bad idea to chroot your apache server; there are a few very good examples of how to do this on the web, just do a search in google or something. In your php.ini file add the following: safe_mode = On safe_mode_gid = Off expose_php = Off register_globals = Off display_errors = Off log_errors = On error_log = "filename". safe_mode = On: by switching on safe_mode, you have just made your server probably twice as secure as it was before. Safe mode will ensure that only the owner of the file or script is able to read or execute that file or script. Here is an example: -rw-rw-r-- 1 joeuser j...

Multiple IP addresses on FreeBSD on the same NIC

Sometimes you need more than one address aliased to a network interface on a server. For instance, if you want to use ssl pages in apache, each ssl certificate should have its own IP address, and each VirtualHost that runs on port 443 should have a unique IP address. You can get around this by changing the port from 443 to something like VirtualHost:4430 vhost info VirtualHost:4431 vhost info VirtualHost:4432. But then you are not using default ports, and it might be a problem out in the real world; sure, you could do the above inside your own network. Anyway, that's not what this is about; this is how to alias other IPs to your NIC on your FreeBSD server. All you have to do is edit the /etc/rc.conf file: defaultrouter="10.10.10.1" hostname="mysrv.mydom.com" ifconfig_em0="inet 10.10.10.4 media 100baseTX mediaopt full-duplex netmask 255.255.255.0" ifconfig_em0_alias0="10.10.10.7 netmask 0xffffffff" ifconfig_em0_alias1="10.10.10.8 netmask 0xffffffff" if...

Tacacs+ Install and Config Guide

Tacacs+ Install and Config Guide. What is TACACS? As per wikipedia, Terminal Access Controller Access Control System (TACACS) is a remote authentication protocol that is used to communicate with an authentication server commonly used in UNIX networks. TACACS allows a remote access server to communicate with an authentication server in order to determine if the user has access to the network. Installing Tacacs on FreeBSD: this guide is intended to be a basic implementation of TACACS+, so although there are many features, I am just going to document what I generally use. Please note that tac_plus is also available from Shrubbery Networks if you would like to install and configure it on another platform. You may also want to check out my Rancid How-To. Once again it's in your ports directory: cd to /usr/ports/net/tac_plus4/ and run a "make install clean". Once installed, vi /usr/local/etc/rc.d/tac_plus.sh, then change the following line from NO to YES: tac_plus_enable=$ Save the file, then vi /e...

Setting up and Installing Rancid on FreeBSD for Cisco Products

Setting up and Installing Rancid on FreeBSD for Cisco Products. What is Rancid? Rancid is an application that monitors a device's configuration, including software and hardware. The configuration is then stored in a Concurrent Versions System, or CVS. Most of the time it is used to back up router, switch and firewall configurations, as well as to notify you when a configuration has changed, i.e. a firewall rule, a router's IP address or an access list change. Here is an example of the output: =================================================================== retrieving revision 1.29 diff -u -4 -r1.29 mpls-jhb-pe1 @@ -288,9 +288,9 @@ ! interface Serial0/0 description Link to Client X bandwidth 2048 - ip address 192.168.1.244 255.255.255.254 + ip address 192.168.1.234 255.255.255.254 ip route-cache flow ip tcp header-compression iphc-format ip tcp compression-connections 256 ! ip ospf message-digest-key 1 md5 The - symbol represents what was removed, the + symbol represents what was added. The abo...
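Review bot: the changed line keeps the 255.255.255.254 (/31) mask while moving the Serial0/0 address from 192.168.1.244 to 192.168.1.234, which on a /31 point-to-point link also changes the expected peer address (.245 to .235), so a diff like this should be checked against a matching change on the far end before it is accepted as routine. The trailing context line ip ospf message-digest-key 1 md5 shows the interface carries an OSPF MD5 key; since rancid mails these diffs out, make sure the key material is filtered from the stored configuration and the notification e-mails and that the recipients of those mails are trusted.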

NFS Drive Shares and FreeBSD Ports

One of the things I love about FreeBSD is the ports directory: the ability to install and upgrade any port simply by going to /usr/ports/porttype/portname, i.e. /usr/ports/www/apache13; then all you have to do is type in make and make install, or in many cases make install clean, and you are on your way. The system connects to various mirror sites and downloads the entire source needed to install the port. Of course it can become a little painful if you are trying to install 3 identical ports on 3 different servers, or trying to upgrade a port that is on 5 or 6 or more servers. I don't mind running the portupgrade pkg-name command 5 or 6 times, but the problem is the server downloads the source package 5 or 6 times, depending on how many servers that port needs to be installed or upgraded on. So how to save time and bandwidth for port upgrades? Well, that's simple, but as always you have to take into account some possible security issues. The way we have used here is to use NFS, which by no ...

Apache Status Codes

Often when debugging a problem or looking through your logs you will see the apache status codes. For example: xxx.xxx.xxx.xxx - - [28/Jul/2006:13:49:28 +0200] "GET /news.php HTTP/1.1" 200 807 "http://www.joe-ma.co.za/news.php" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9a1) Gecko/20060703 FreeBSD/amd64 Minefield/3.0a1" Successful Client Requests: 200 OK, 201 Created, 202 Accepted, 203 Non-Authoritative Information, 204 No Content, 205 Reset Content, 206 Partial Content. Client Request Redirected: 300 Multiple Choices, 301 Moved Permanently, 302 Moved Temporarily, 303 See Other, 304 Not Modified, 305 Use Proxy. Client Request Errors: 400 Bad Request, 401 Authorization Required, 402 Payment Required (not used yet), 403 Forbidden, 404 Not Found, 405 Method Not Allowed, 406 Not Acceptable (encoding), 407 Proxy Authentication Required, 408 Request Timed Out, 409 Conflicting Request, 410 Gone, 411 Content Length Required, 412 Precondition Failed, 413 Request Entity Too Long, 414 Request URI...

How to Jail ftp users via ProFTPd

Installing and configuring ProFTPD. Installing and configuring ProFTPD so that a web user can log in and be jailed to their home directory is very simple. Firstly, install proftpd via your FreeBSD Ports Directory. Once installed, copy the proftpd.conf sample file to proftpd.conf. Edit the file and uncomment #DefaultRoot ~ as per below: # To cause every FTP user to be "jailed" (chrooted) into their home # directory, uncomment this line. DefaultRoot ~ Then edit the proftpd startup script in /usr/local/etc/rc.d/ and change proftpd_enable=$ to proftpd_enable=$. Edit your /etc/rc.conf file and add proftpd_enable="YES". Then start proftpd via the startup script. You should now be able to log in as a user you created, and you should only see your directory; you should not be able to go back from /home/myuser to /home, for instance. This is great for keeping clients in their vhost directory so that they cannot traverse other directories.