From owner-freebsd-i386@FreeBSD.ORG Sat May 19 23:40:01 2012
From: evgeni
To: freebsd-gnats-submit@FreeBSD.org
Date: Sat, 19 May 2012 23:36:21 GMT
Message-Id: <201205192336.q4JNaLbP058413@red.freebsd.org>
Subject: i386/168155: authorization error
List-Id: I386-specific issues for FreeBSD

>Number: 168155
>Category: i386
>Synopsis: authorization error
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-i386
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat May 19 23:40:00 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator: evgeni
>Release: 9.0
>Organization: home gateway + server
>Environment:
FreeBSD es-server 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan 3 07:15:25 UTC 2012 root@obrian.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
>Description:
Installed FreeBSD 9.0 i386. Configured the system as written in the "attached instruction notes". Installed mariadb-server, mariadb-client, nginx, php5 + extensions from ports; reboot. Then I couldn't log in over ssh with the user account:

Password:
Last login: Sun May 20 03:10:06 2012 from 192.168.2.2
Welcome to Y-eS Server!
Cannot open "/lib/libedit.so.7"
Connection to 192.168.2.1 closed.

Can't start the Maria/MySQL server either:

# /usr/local/etc/rc.d/mysql-server start
Starting mysql.
Cannot open "/lib/libncurses.so.8"
/usr/local/etc/rc.d/mysql-server: WARNING: failed to start mysq
>How-To-Repeat:
My instructions are in the attached files.
>Fix:
Patch attached with submission follows:

FreeBSD Server installation instructions
Root setup (csh)
   setenv  PAGER   more
   alias ll        ls -lhAoG
   set prompt = "%{\033[31m%}%B%n%b%{\033[37m%}%B@%b%{\033[34m%}%B%M%b%{\033[37m%}%B:%b%{\033[32m%}%B%/%b%{\033[37m%}%B%#%b "
Hosts setup (/etc/hosts)
    ::1          localhost localhost.my.domain
    127.0.0.1    localhost localhost.my.domain
    10.192.34.5  localhost localhost.my.domain
    192.168.1.1  localhost localhost.my.domain
    192.168.2.1  localhost localhost.my.domain

FreeBSD Server installation instructions

1. Backing up data

  1. The file system and configuration files.
  2. HTTP
  3. The file share
  4. SQL

2. System installation

Install the minimal system

3. System configuration

  1. Remove the boot pause in /boot/default/loader.conf
    autoboot_delay="2"
    beastie_disable="YES"
    
  2. Add a user (must be in wheel): adduser
  3. Restrict logins in /etc/ttys
    console none                            unknown off secure
    ttyv0   "/usr/libexec/getty Pc"         xterm   on insecure
    ttyv1   "/usr/libexec/getty Pc"         xterm   off secure
    ttyv2   "/usr/libexec/getty Pc"         xterm   off secure
    ttyv3   "/usr/libexec/getty Pc"         xterm   off secure
    ttyv4   "/usr/libexec/getty Pc"         xterm   off secure
    ttyv5   "/usr/libexec/getty Pc"         xterm   off secure
    ttyv6   "/usr/libexec/getty Pc"         xterm   off secure
    ttyv7   "/usr/libexec/getty Pc"         xterm   off secure
    ttyv8   "/usr/local/bin/xdm -nodaemon"  xterm   off secure
    ttyu0   "/usr/libexec/getty std.9600"   dialup  off secure
    ttyu1   "/usr/libexec/getty std.9600"   dialup  off secure
    ttyu2   "/usr/libexec/getty std.9600"   dialup  off secure
    ttyu3   "/usr/libexec/getty std.9600"   dialup  off secure
    dcons   "/usr/libexec/getty std.9600"   vt100   off secure
    
      
  4. Set the date and time: date
  5. Adjust the greeting in /etc/motd
       Welcome to Y-eS!
      
  6. /etc/fstab: mounts; create the mount points
    /dev/ada0p2	/					ufs	rw	1	1
    /dev/ada0p3	none					swap	sw	0	0
    /dev/ad5s1a	/mnt					ufs	rw	1	2
    /dev/ad6s1a	/usr/local/http/sites/source.y-es.ru	ufs	rw	1	2
      
  7. /etc/resolv.conf: DNS of the local network
       nameserver 192.168.248.21
      
  8. ipfw firewall & NAT
    ipfw -q -f flush
    ipfw -q add pass all from any to any via lo0
    ipfw -q nat 1 config if ale0
    ipfw -q nat 2 config if re0
    ipfw -q add pass icmp from 10.192.34.5 to 10.192.32.1 icmptype 0,8 out xmit ale0
    ipfw -q add pass icmp from 10.192.34.5 to not 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 icmptype 0,8 out xmit ale0
    ipfw -q add pass icmp from 192.168.2.1 to 192.168.2.2 icmptype 0,8 out xmit rl0
    ipfw -q add pass icmp from not 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 to 192.168.2.2 icmptype 0 xmit rl0
    ipfw -q add pass icmp from 192.168.1.1 to 192.168.1.0/24 icmptype 0,8 out xmit re0
    ipfw -q add pass icmp from 10.192.32.1 to 10.192.34.5 icmptype 0,8 in recv ale0
    ipfw -q add pass icmp from not 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 to 10.192.34.5 icmptype 8 in recv ale0
    ipfw -q add nat 1 icmp from not 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 to 10.192.34.5 icmptype 0 in recv ale0
    ipfw -q add nat 1 icmp from 192.168.2.2 to not 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 icmptype 8 recv rl0
    ipfw -q add pass icmp from 192.168.2.2 to 192.168.2.1 icmptype 0,8 in recv rl0
    ipfw -q add pass icmp from 192.168.1.0/24 to 192.168.1.1 icmptype 0,8 in recv re0
    ipfw -q add pass udp from 10.192.34.5 to 192.168.248.21 53 out xmit ale0
    ipfw -q add pass udp from 192.168.248.21 53 to 192.168.2.2 xmit rl0
    ipfw -q add pass udp from 192.168.248.21 53 to 192.168.1.0/24 xmit re0
    ipfw -q add nat 1 udp from 192.168.248.21 53 to 10.192.34.5 in recv ale0
    ipfw -q add nat 1 udp from 192.168.2.2 to 192.168.248.21 53 recv rl0
    ipfw -q add nat 1 udp from 192.168.1.0/24 to 192.168.248.21 53 recv re0
    ipfw -q add pass tcp from 10.192.34.5 80,443,1024 to not 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 out xmit ale0
    ipfw -q add pass tcp from 10.192.34.5 to 192.168.100.2,192.168.100.18,192.168.103.218 80,443 out xmit ale0
    ipfw -q add pass tcp from 10.192.34.5 to not 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 80,443,5190 out xmit ale0
    ipfw -q add pass tcp from 10.192.34.5 to 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 411,1025-32000 out xmit ale0
    ipfw -q add pass tcp from 192.168.2.1 1024 to 192.168.2.2 out xmit rl0
    ipfw -q add pass tcp from 192.168.100.2,192.168.100.18,192.168.103.218 80,443 to 192.168.2.2 out xmit rl0
    ipfw -q add pass tcp from not 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 80,443,5190 to 192.168.2.2 xmit rl0
    ipfw -q add pass tcp from 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 411,1025-32000 to 192.168.2.2 xmit rl0
    ipfw -q add pass tcp from not 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 80,443,5190 to 192.168.1.0/24 xmit re0
    ipfw -q add pass tcp from 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 411,1025-32000 to 192.168.1.0/24 xmit re0
    ipfw -q add pass tcp from not 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 to 10.192.34.5 80,443,1024 in recv ale0
    ipfw -q add pass tcp from 192.168.2.2 to 192.168.2.1 1024 in recv rl0
    ipfw -q add nat 1 tcp from not 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 80,443,5190 to 10.192.34.5 in recv ale0
    ipfw -q add nat 1 tcp from 192.168.100.2,192.168.100.18,192.168.103.218 80,443 to 10.192.34.5 in recv ale0
    ipfw -q add nat 1 tcp from 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 411,1025-32000 to 10.192.34.5 in recv ale0
    ipfw -q add nat 1 tcp from 192.168.2.2 to 192.168.100.2,192.168.100.18,192.168.103.218 80,443 recv rl0
    ipfw -q add nat 1 tcp from 192.168.2.2 to not 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 80,443,5190 recv rl0
    ipfw -q add nat 1 tcp from 192.168.2.2 to 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 411,1025-32000 recv rl0
    ipfw -q add nat 1 tcp from 192.168.1.0/24 to not 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 80,443,5190 recv re0
    ipfw -q add nat 1 tcp from 192.168.1.0/24 to 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 411,1025-32000 recv re0
    ipfw -q add deny all from any to any
    
  9. cron: install the scripts and configure cron
    /etc/scripts/Daily.sh
    #!/bin/sh
    
    PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin
    export PATH
    HOME=/root
    export HOME
    
    StartTime=`date +%s`
    
    echo -e `date`"\n"`id`
    
    # Set the "es" password to "es" followed by the day of the month;
    # pw -h 0 reads the new password from standard input.
    echo es`date +"%d"` | pw mod user es -h 0
    if [ $? -eq 0 ];then echo 'User Password: Changed'; else echo 'User Password: Error';fi
    
    # Same for root, with $Symbol inserted between "root" and the day.
    # $Symbol is not set anywhere in the posted script, so it expands to
    # nothing; the stray single quote of the original line is dropped here
    # because it left the rest of the script unterminated.
    echo root"$Symbol"`date +"%d"` | pw mod user root -h 0
    if [ $? -eq 0 ];then echo 'Root Password: Changed'; else echo 'Root Password: Error';fi
    
    # Anyone who can read this script can derive both passwords from the
    # date, so the script must stay readable by root only (chmod 600).
    echo -e 'Done in '$((`date +"%s"` - $StartTime))' seconds'"\n"
    exit
    
    /etc/scripts/Weekly.sh
    #!/bin/sh
    
    PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin
    export PATH
    HOME=/root
    export HOME
    
    StartTime=`date +"%s"`
    
    echo -e `date`"\n"`id`
    
    # Mount the backup disk on /mnt, retrying up to five times.
    # Note: /etc/fstab in step 6 lists /dev/ad5s1a for /mnt and
    # /dev/ad6s1a for the site data; this script mounts /dev/ad6s1a.
    if [ "`df | grep /mnt`" ]; then echo 'Mount: Was Mounted';
    else
     count=1
     while [ $count -le 5 ]
     do
      mount /dev/ad6s1a /mnt
      if [ $? -eq 0 ]
      then
       echo "Mount: Done in $count try"
       break
      else
       count=$(($count+1))
       sleep 3
       if [ $count -eq 6 ]; then echo 'Mount: Time Out, Aborting!'; exit; fi
      fi
     done
    fi
    
    # Save the MBR and take level-0 dumps of each file system
    # (-L snapshots a live UFS file system before dumping it).
    dd if=/dev/ad4 of=/mnt/mbr.`date +"%Y-%m-%d"` bs=512 count=1
    dump -0aLf - / | gzip -9 > /mnt/dump.root.`date +"%Y-%m-%d"`.gz
    dump -0aLf - /usr | gzip -9 > /mnt/dump.usr.`date +"%Y-%m-%d"`.gz
    dump -0aLf - /var | gzip -9 > /mnt/dump.var.`date +"%Y-%m-%d"`.gz
    if [ "`df | grep /dev/ad5s1a`" ]; then dump -0aLf - /usr/local/http/source.y-es.ru | gzip -9 > /mnt/dump.source.`date +"%Y-%m-%d"`.gz; fi
    # The dump account's password is passed on the command line, where the
    # process list shows it; security.bsd.see_other_uids=0 (step 12) hides
    # it from other users but not from root.
    mysqldump --user='MySQL-Dump' --password='Es1312456131!MySQL-Dump' --all-databases | gzip -9 > /mnt/dump.sql.`date +"%Y-%m-%d"`.gz
    
    chmod 600 /mnt/dump.*.`date +"%Y-%m-%d"`.gz /mnt/mbr.`date +"%Y-%m-%d"` 
    ls -lhAoG /mnt/mbr.`date +"%Y-%m-%d"` /mnt/dump.*.`date +"%Y-%m-%d"`.gz
    
    # Unmount the backup disk, retrying up to five times.
    count=1
    while [ $count -le 5 ]
    do
     umount /mnt
     if [ $? -eq 0 ]
     then
      echo "Umount: Done in $count try"
      break
     else
      count=$(($count+1))
      sleep 3
      if [ $count -eq 6 ];then echo 'Umount: Time Out';fi
     fi
    done
    
    echo -e 'Done in '$((`date +"%s"` - $StartTime))' seconds'"\n"
    exit
    
    Logs
    es@y-es:/usr/home/es#touch /var/log/log.Daily.sh /var/log/log.Weekly.sh
    es@y-es:/usr/home/es#chmod 600 /var/log/log.Daily.sh /var/log/log.Weekly.sh
    
    crontab
    1,31 * *  *  * /bin/sh /root/cron/reqular.sh >> /var/log/log.cron.reqular 2>&1
    0    0 *  *  * /bin/sh /root/cron/daily.sh   >> /var/log/log.cron.daily   2>&1
    10   0 *  *  1 /bin/sh /root/cron/weekly.sh  >> /var/log/log.cron.weekly  2>&1
    30   1 28 *  * /bin/sh /root/cron/monthly.sh >> /var/log/log.cron.monthly 2>&1
    
  10. /etc/ssh/sshd_config: remote access
    VersionAddendum v1.0
    Port 1024
    Protocol 2
    PermitRootLogin no
    MaxAuthTries 3
    MaxSessions 3
    PasswordAuthentication yes
    PermitEmptyPasswords no
    AllowUsers es
    
  11. /etc/rc.conf: main settings
    hostname="es-server"
    dumpdev="NO"
    update_motd="NO"
    defaultrouter="10.192.32.1"
    ifconfig_ale0="inet 10.192.34.5 netmask 255.255.252.0"
    ifconfig_rl0="inet 192.168.2.1 netmask 255.255.255.252"
    ifconfig_re0="inet 192.168.1.1 netmask 255.255.255.0"
    gateway_enable="YES"
    sshd_enable="YES"
    firewall_enable="YES"
    firewall_nat_enable="YES"
    firewall_script="/root/firewall"
    #kern_securelevel_enable="YES"
    #kern_securelevel="3"
    mysql_enable="YES"
    nginx_enable="YES"
    php_fpm_enable="YES"
    
  12. /etc/sysctl.conf: restrict users
    security.bsd.see_other_uids=0
    
  13. Permissions: restrict access to important system files
    es@y-es:/usr/home/es#chmod -R 700 /root
    es@y-es:/usr/home/es#chmod 600 /etc/rc.conf \
    /etc/sysctl.conf \
    /etc/ttys \
    /etc/motd \
    /etc/resolv.conf \
    /etc/fstab \
    /etc/hosts \
    /etc/crontab
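After a permissions pass like the one above, a login that ends in Cannot open "/lib/libedit.so.7" (the symptom in this PR) means rtld found the library but open() failed, so the first thing to verify is that the libraries a non-root login needs are still world-readable. This is an added example, not part of the PR or its attached notes; the binaries it checks (/bin/sh, /usr/local/bin/mysql) are assumptions.

```shell
#!/bin/sh
# Added example (not from the PR or its attached notes): find shared
# libraries or directories that a non-root login can no longer read.
# rtld prints 'Cannot open "/lib/libedit.so.7"' when the file is present
# but open() fails, so the first thing to check after a permissions pass
# is the mode bits. The binaries checked below are assumptions.

# 10-character mode string of a path, e.g. -rw-r--r-- (empty if missing).
mode_of() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# 0 if "other" has read permission on the path, 1 otherwise or if missing.
is_world_readable() {
    m=$(mode_of "$1")
    [ -n "$m" ] || return 1
    # Character 8 of the mode string is the "other" read bit.
    case "$(printf '%s' "$m" | cut -c8)" in
        r) return 0 ;;
        *) return 1 ;;
    esac
}

# Print every argument that is not world-readable; the return value is
# the number of offenders (0 means everything is readable).
report_unreadable() {
    bad=0
    for f in "$@"; do
        if ! is_world_readable "$f"; then
            echo "NOT WORLD-READABLE: $f $(mode_of "$f")"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# Absolute library paths a binary needs, taken from ldd(1) output
# ("libedit.so.7 => /lib/libedit.so.7 (0x...)" on FreeBSD and Linux).
libs_of() {
    ldd "$1" 2>/dev/null | awk '$2 == "=>" && $3 ~ /^\// { print $3 }'
}

# Run with --run to check the login shell, the mysql client (assumed
# paths) and the library directories on the way to them.
if [ "${1:-}" = "--run" ]; then
    for bin in /bin/sh /usr/local/bin/mysql; do
        [ -x "$bin" ] && report_unreadable $(libs_of "$bin")
    done
    report_unreadable /lib /usr/lib /usr/local/lib
fi
```

Run it as the affected unprivileged user as well as root: a directory without the "other" execute bit breaks open() just like an unreadable file, and `ls -ld` on each path component shows that too.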
    
  14. reboot: restart the machine

4. Server installation

  1. MySQL
    es@y-es:/usr/home/es#cd /usr/ports/databases/mysql55-server/ && make && make install
    
  2. PHP
    es@y-es:/usr/home/es#cd /usr/ports/www/spawn-fcgi/ && make && make install
    es@y-es:/usr/home/es#cd /usr/ports/www/php5/ && make && make install (+fpm)
    es@y-es:/usr/home/es#cd /usr/ports/www/php5-extensions/ && make && make install (+fileinfo,mysql,mbstring,iconv-sqlite3)
    
  3. NGINX
    es@y-es:/usr/home/es#cd /usr/ports/www/nginx/ && make && make install
    

5. Server configuration

1. NGINX

  1. Logs
    es@y-es:/usr/home/es#touch /var/log/log.nginx.access=localhost \
     /var/log/log.nginx.access=www.y-es.ru \
     /var/log/log.nginx.access=wgm.y-es.ru \
     /var/log/log.nginx.error \
     /var/log/log.nginx.error=localhost \
     /var/log/log.nginx.error=www.y-es.ru \
     /var/log/log.nginx.error=wgm.y-es.ru
    es@y-es:/usr/home/es#chmod 600 /var/log/log.nginx.access=localhost \
     /var/log/log.nginx.access=www.y-es.ru \
     /var/log/log.nginx.access=wgm.y-es.ru \
     /var/log/log.nginx.error \
     /var/log/log.nginx.error=localhost \
     /var/log/log.nginx.error=www.y-es.ru \
     /var/log/log.nginx.error=wgm.y-es.ru
    
  2. /usr/local/etc/nginx/nginx.conf
    user www www;
    worker_processes 1;
    error_log /var/log/log.nginx.error;
    events {worker_connections 1024;}
    http
    {include mime.types;
     default_type application/octet-stream;
     log_format main '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';
     access_log /var/log/log.nginx.access main;
     sendfile on;
     keepalive_timeout 0;
     server
     {listen 10.192.34.5:80;
      server_name localhost 192.168.1.1 192.168.2.1 10.192.34.5 188.134.16.64;
      charset utf-8;
      access_log  /var/log/log.nginx.access=localhost main;
      error_log /var/log/log.nginx.error=localhost;
      error_page 403 404 500 502 503 504 /index.html;
      if ($host = 'y-es.ru'){rewrite ^/(.*)$ http://www.y-es.ru/ permanent;}
      location /
      {root /usr/local/http/localhost;
       index index.html;}}
     server
     {listen 10.192.34.5:80;
      server_name www.y-es.ru;
      access_log /var/log/log.nginx.access=www.y-es.ru main;
      error_log /var/log/log.nginx.error=www.y-es.ru;
      error_page 403 404 500 502 503 504 /error.html;
      location /
      {root /usr/local/http/www.y-es.ru;
       index index.html;}
      location ~ \.php$ {deny all;}
      location ~ \.html$
      {fastcgi_pass 127.0.0.1:9000;
       fastcgi_param SCRIPT_FILENAME /usr/local/http/www.y-es.ru/index.php;
       include fastcgi_params;}}
     server
     {listen 10.192.34.5:80;
      server_name wgm.y-es.ru;
      access_log /var/log/log.nginx.access=wgm.y-es.ru main;
      error_log /var/log/log.nginx.error=wgm.y-es.ru;
      error_page 404 500 502 503 504 /index.html;
      location /
      {root /usr/local/http/wgm.y-es.ru;
       index index.html;}
      location ~ \.php$ {deny all;}
      location ~ \.html$
      {fastcgi_pass 127.0.0.1:9000;
       fastcgi_param SCRIPT_FILENAME /usr/local/http/wgm.y-es.ru/data/data.php;
       include fastcgi_params;}}}
    
  3. php-fpm
php-fpm
    security.limit_extensions =
php.ini
    date.timezone = "Europe/Moscow"
    date.default_latitude = 59.57
    date.default_longitude = 30.19
Note: an empty security.limit_extensions turns off php-fpm's check on the extension of SCRIPT_FILENAME. The nginx.conf above always passes a fixed .php file as SCRIPT_FILENAME, so the default value (.php) would work here as well.
>Release-Note:
>Audit-Trail:
>Unformatted: