RootBSD initial setup notes

Installing zsh

Caveat: zsh is installed under /usr/local. If /usr/local is a separate file system and it fails to mount, an account whose login shell lives there cannot log in at all. Keep root's shell in the base system (/bin/sh or /bin/csh) and use zsh from the toor account or a personal account; the steps below change root's shell anyway, which is what was done on this box.

# whereis zsh
zsh: /usr/ports/shells/zsh
# cd /usr/ports/shells/zsh
# make fetch-recursive
# make install clean
# ps -p $$ -o comm=
csh
# chsh -s /usr/local/bin/zsh
chsh: user information updated
# exit
$ su -
Password:
# vi ~/.zshrc
# source ~/.zshrc

Installing screen

# whereis screen
screen: /usr/ports/sysutils/screen
# cd /usr/ports/sysutils/screen
# make fetch-recursive
# make install clean
# vi ~/.screenrc

Setting the time zone (tzsetup(8) does the same thing interactively)

# cp /usr/share/zoneinfo/Asia/Tokyo /etc/localtime

Configuring ntpd

The NTP servers are listed in /etc/ntp.conf. The stock file points at

server 0.freebsd.pool.ntp.org
server 1.freebsd.pool.ntp.org
server 2.freebsd.pool.ntp.org

and those are what is used here. To use a different set of servers, pick a zone from pool.ntp.org, for example

server 0.north-america.pool.ntp.org
server 1.north-america.pool.ntp.org
server 2.north-america.pool.ntp.org
server 3.north-america.pool.ntp.org

http://www.pool.ntp.org/zone/north-america

# vi /etc/rc.conf
ntpd_enable="YES"
# less /boot/loader.conf
kern.hz="200"

If the clock is far off when ntpd starts it refuses to step the time and exits instead; ntpd_sync_on_start="YES" in rc.conf starts ntpd with -g so the first synchronisation is forced. Once it is running, ntpq -p should show one peer marked with * after a few minutes.

Installing sudo

The rule below grants every member of the wheel group full sudo rights; a user is added to the group with pw groupmod wheel -m username. Always edit sudoers through visudo, which checks the syntax before saving, because a malformed sudoers locks everyone out of sudo.

# whereis sudo
sudo: /usr/ports/security/sudo
# cd /usr/ports/security/sudo
# make fetch-recursive
# make install clean
# visudo
%wheel ALL=(ALL) ALL

Installing portupgrade

portsnap extract is only needed the first time, since it overwrites the whole ports tree; afterwards refresh with portsnap fetch update.

# portsnap fetch && portsnap extract && portsnap update
# whereis portupgrade
portupgrade: /usr/ports/ports-mgmt/portupgrade
# cd /usr/ports/ports-mgmt/portupgrade
# make fetch-recursive
# make install clean

Installing MySQL

# whereis mysql51-server
mysql51-server: /usr/ports/databases/mysql51-server
# cd /usr/ports/databases/mysql51-server
# make fetch-recursive
# make install clean
# vi /etc/rc.conf
mysql_enable="YES"
# /usr/local/etc/rc.d/mysql-server start

Set a password for the MySQL administrative user. The grant tables live in the mysql database, so select it first; otherwise the queries below fail with "No database selected".

# mysql -u root
mysql> USE mysql;
mysql> SELECT `User`, `Password`, `Host` FROM `user` WHERE `User` = 'root';
+------+----------+---------------------+
| User | Password | Host                |
+------+----------+---------------------+
| root |          | localhost           |
| root |          | xkoir.2.rootbsd.net |
| root |          | 127.0.0.1           |
+------+----------+---------------------+
mysql> SET PASSWORD FOR 'root'@'localhost' = password('yourpassword');
mysql> SET PASSWORD FOR 'root'@'xkoir.2.rootbsd.net' = password('yourpassword');
mysql> SET PASSWORD FOR 'root'@'127.0.0.1' = password('yourpassword');
mysql> SELECT `User`, `Password`, `Host` FROM `user` WHERE `User` = 'root';
+------+-------------------------------------------+---------------------+
| User | Password                                  | Host                |
+------+-------------------------------------------+---------------------+
| root | *0480E553996615211F4FD24A263ACACD723FB599 | localhost           |
| root | *0480E553996615211F4FD24A263ACACD723FB599 | xkoir.2.rootbsd.net |
| root | *0480E553996615211F4FD24A263ACACD723FB599 | 127.0.0.1           |
+------+-------------------------------------------+---------------------+

Delete the anonymous accounts. MySQL 5.1 creates password-less rows with an empty User column that let anyone on the host connect without credentials. After the root rows have been given passwords, the only rows left with an empty Password are these, so deleting on that condition is safe.

mysql> SELECT `User`, `Password`, `Host` FROM `user` WHERE `Password` = '';
+------+----------+---------------------+
| User | Password | Host                |
+------+----------+---------------------+
|      |          | localhost           |
|      |          | xkoir.2.rootbsd.net |
+------+----------+---------------------+
mysql> DELETE FROM `user` WHERE `Password` = '';
mysql> FLUSH PRIVILEGES;
mysql> SELECT `User`, `Password`, `Host` FROM `user` WHERE `Password` = '';
Empty set (0.00 sec)
mysql> exit
Bye

FLUSH PRIVILEGES is required here because the grant table was modified directly with DELETE; without it the server keeps using its cached copy until restart.
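The same hardening as a script, as an added example that is not part of the original notes: it emits the SQL for the whole procedure above so it can be piped into the client instead of typing one SET PASSWORD per host row. Assumptions of mine, not the page's: the password is taken from the MYSQL_ROOT_PW environment variable rather than argv (arguments are visible to every local user via ps(1)), one UPDATE on mysql.user is used to cover every root@<host> row at once, and both the quote and backslash characters are escaped for MySQL's string syntax.

```shell
#!/bin/sh
# Added example, not from the original notes: generate the MySQL 5.1
# hardening statements as one idempotent script.
#
# Assumptions (mine): password arrives in $MYSQL_ROOT_PW, never on the
# command line; the server still uses the 5.1 mysql.user layout with a
# Password column, as in the notes.

# sql_quote STRING -> STRING made safe inside a single-quoted MySQL literal:
# backslashes are doubled (MySQL treats \ as an escape) and ' becomes ''.
sql_quote() {
    printf '%s\n' "$1" | sed 's/\\/\\\\/g' | sed "s/'/''/g"
}

# harden_sql PASSWORD -> prints the SQL to stdout.
# One UPDATE covers every root@<host> row, which the three SET PASSWORD
# statements in the notes did by hand; anonymous accounts (User = '')
# are removed; FLUSH PRIVILEGES makes direct edits of mysql.user take
# effect; the final SELECT must print an empty set.
harden_sql() {
    pw=$(sql_quote "$1")
    cat <<EOF
USE mysql;
UPDATE user SET Password = PASSWORD('$pw') WHERE User = 'root';
DELETE FROM user WHERE User = '';
FLUSH PRIVILEGES;
SELECT User, Host FROM user WHERE Password = '';
EOF
}

# Entry point: acts only when invoked as "harden"; otherwise the file just
# defines the functions above.
case "${1:-}" in
    harden)
        [ -n "${MYSQL_ROOT_PW:-}" ] || { echo "set MYSQL_ROOT_PW first" >&2; exit 1; }
        harden_sql "$MYSQL_ROOT_PW" | mysql -u root
        ;;
esac
```

Usage on the server would be `MYSQL_ROOT_PW='...' sh harden.sh harden`; run it once, before the root password is set, because after that the bare `mysql -u root` in the script needs -p.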

Installing logrotate

Caveat: FreeBSD already rotates the base system logs with newsyslog(8), driven by /etc/newsyslog.conf. For any file handed to logrotate below, comment out its newsyslog entry so the two tools do not rotate the same file.

% whereis logrotate
logrotate: /usr/ports/sysutils/logrotate
% cd /usr/ports/sysutils/logrotate
% sudo make fetch-recursive
% sudo make install clean
% sudo cp /usr/local/etc/logrotate.conf.sample /usr/local/etc/logrotate.conf
% sudo vi /usr/local/etc/logrotate.conf
# rotate log files weekly
weekly

# keep 12 weeks worth of backlogs
rotate 12

# send errors to root
#errors root

# create new (empty) log files after rotating old ones
create

# uncomment this if you want your log files compressed
compress

# per-service rules are dropped into this directory
include /usr/local/etc/logrotate.d

#/var/log/lastlog {
#    monthly
#    rotate 1
#}

# system-specific logs may be configured here
% sudo vi /usr/local/etc/logrotate.d/syslog
# FreeBSD names: the security log is /var/log/security (/var/log/secure is
# the Linux name) and syslogd writes its PID to /var/run/syslog.pid.
/var/log/messages /var/log/security /var/log/maillog /var/log/cron {
  missingok
  sharedscripts
  postrotate
  /bin/kill -HUP `cat /var/run/syslog.pid 2> /dev/null` 2> /dev/null || true
  endscript
}
% sudo vi /usr/local/etc/logrotate.d/apache22
/var/log/httpd-access.log /var/log/httpd-error.log {
  daily
  rotate 60
  missingok
  sharedscripts
  postrotate
  # kill(1) takes a PID; killall(1) takes process names, so the original
  # "killall -HUP `cat /var/run/httpd.pid`" never signalled httpd
  /bin/kill -HUP `cat /var/run/httpd.pid 2>/dev/null` 2> /dev/null || true
  endscript
}

The directory must match the include line in logrotate.conf (logrotate.d, not logrotated.d). Before installing the cron job, dry-run the configuration with logrotate -d /usr/local/etc/logrotate.conf, which reports parse errors and shows what would be rotated without touching any file.

% su -
Password:
# crontab -e
0 0 * * * /usr/local/sbin/logrotate /usr/local/etc/logrotate.conf > /dev/null 2>&1

A per-user crontab edited with crontab -e has no user column; the "root" field only belongs in /etc/crontab, and left in here cron would try to execute a command named root.

Enabling HTTPS (mod_ssl) in Apache

Create the OpenSSL private key and certificate.
First, generate the private key. The 1024-bit modulus used below is too short by current standards; generate 2048 bits or more (openssl genrsa -des3 -out server.key 2048). The key is created with the default 0644 mode, so either set umask 077 beforehand or chmod it immediately, as done further down.

# cd /etc/ssl/
# ls -l
total 10
-rw-r--r--  1 root  wheel  9472 Nov 21 23:57 openssl.cnf
# openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
...............++++++
................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key: <= enter a passphrase
Verifying - Enter pass phrase for server.key: <= enter it again

So that Apache does not prompt for the passphrase at every start, strip it from the key. From this point the key is stored unencrypted, and its file permissions are the only thing protecting it.

# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key:<= enter the passphrase chosen above
writing RSA key

Create a certificate signing request (CSR) from the key. Common Name should be the fully qualified host name clients will connect to; left blank, as in the transcript below, every browser will report a host name mismatch.

# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Tokyo
Locality Name (eg, city) []:Chiyoda-ku
Organization Name (eg, company) [Internet Widgits Pty Ltd]:rootbsd.com
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <= leave blank, press Enter
An optional company name []: <= leave blank, press Enter

Create the self-signed certificate. openssl x509 -req defaults to a validity of only 30 days, so pass -days explicitly.

# openssl x509 -in server.csr -out server.pem -req -signkey server.key -days 365
# chmod 0400 server.*
/etc/ssl# ls -l
total 16
-rw-r--r--  1 root  wheel  9472 Nov 21 23:57 openssl.cnf
-r--------  1 root  wheel   692 Jan 19 21:23 server.csr
-r--------  1 root  wheel   887 Jan 19 21:21 server.key
-r--------  1 root  wheel   936 Jan 19 21:25 server.pem

Create symbolic links to the private key and certificate where the apache22 port expects them.

# ln -s /etc/ssl/server.pem /usr/local/etc/apache22/server.pem
# ln -s /etc/ssl/server.key /usr/local/etc/apache22/server.key

Edit httpd.conf so that the SSL configuration file is read.

# vi /usr/local/etc/apache22/httpd.conf
# Secure (SSL/TLS) connections
Include etc/apache22/extra/httpd-ssl.conf
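The key and certificate steps above, as an added example that is not part of the original notes: one script that creates both in a single openssl req -x509 call (so no passphrase ever has to be stripped) and then performs the checks a practitioner wants before restarting Apache. Assumptions of mine, not the page's: a 2048-bit key instead of 1024, a one-year lifetime, the subject fields from the transcript with the host name supplied as Common Name and as a subjectAltName, and an OpenSSL new enough for -addext (1.1.1 or later); the host name www.example.test used in the usage is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original notes: generate and verify an
# Apache key/certificate pair. Assumptions (mine): 2048-bit RSA, -days
# given explicitly, CN and SAN set to the host name passed in.

# make_selfsigned_cert DIR HOST [DAYS]
#   Writes DIR/server.key and DIR/server.pem. The umask makes the
#   unencrypted key 0600 from the moment it is written, instead of
#   creating it 0644 and chmod-ing afterwards.
make_selfsigned_cert() {
    dir=$1; host=$2; days=${3:-365}
    ( umask 077 && openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.pem" -days "$days" \
        -subj "/C=JP/ST=Tokyo/L=Chiyoda-ku/O=rootbsd.com/CN=$host" \
        -addext "subjectAltName=DNS:$host" >/dev/null )
}

# key_matches_cert KEY CERT -> exit 0 if CERT was issued for KEY.
# Comparing the RSA modulus of both files catches a mismatched pair,
# which Apache otherwise only reports at start-up.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1") || return 1
    c=$(openssl x509 -noout -modulus -in "$2") || return 1
    [ "$k" = "$c" ]
}

# cert_cn CERT -> prints the subject Common Name (handles both the
# "CN = x" and "/CN=x" output styles of different OpenSSL versions).
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed 's|.*CN *= *||; s|[,/].*||'
}

# cert_valid_for CERT SECONDS -> exit 0 if CERT is still valid SECONDS
# from now; use it in a cron job to warn before the certificate expires.
cert_valid_for() {
    openssl x509 -noout -checkend "$2" -in "$1" >/dev/null
}

# Entry point: "generate DIR HOST [DAYS]" creates the pair and verifies it;
# with no arguments the file only defines the functions above.
case "${1:-}" in
    generate)
        d=${2:-/etc/ssl}; h=${3:?host name required}
        make_selfsigned_cert "$d" "$h" "${4:-365}" \
        && key_matches_cert "$d/server.key" "$d/server.pem" \
        && cert_valid_for "$d/server.pem" 86400 \
        && echo "ok: CN=$(cert_cn "$d/server.pem")"
        ;;
esac
```

Run as `sh mkcert.sh generate /etc/ssl www.example.test 365`; the symbolic links and the Include line from the notes are unchanged, and `openssl x509 -noout -text -in /etc/ssl/server.pem` shows the SAN and validity period that were set.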

Quick edits to Apache httpd.conf

% sudo vi /usr/local/etc/apache22/httpd.conf
<Directory "/usr/local/www/apache22/data">
    # Disable directory listings. Apache rejects a mix of signed and
    # unsigned options ("Options -Indexes FollowSymLinks" is a syntax
    # error), so every option here carries + or -.
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>