FreeBSD - ipfw

Базовая настройка правил

/etc/ipfw.sh

 #!/bin/sh
 #
 # /etc/ipfw.sh -- stateless ipfw ruleset for a single host.
 #
 # ipfw evaluates rules first-match and numbers unnumbered rules in the
 # order they are added, so the order of the 'rule' calls below is the
 # policy. Addresses written as x.x.x.x are site-specific placeholders.
 
 fwcmd="/sbin/ipfw"
 
 # rule ARGS... : append one rule to the active set (auto-numbered).
 rule() {
   "${fwcmd}" add "$@"
 }
 
 # Start from an empty rule / pipe / queue set (-f: no confirmation).
 "${fwcmd}" -f flush
 "${fwcmd}" -f pipe flush
 "${fwcmd}" -f queue flush
 
 #---------------------------- localhost --------------------------------------
 rule allow ip from any to any via lo0
 #-----------------------------------------------------------------------------
 
 # ICMP: echo reply (0), destination unreachable (3), echo request (8),
 # time exceeded (11)
 rule allow icmp from any to any icmptypes 0,3,8,11
 
 # Outbound traffic and its return path. 'established' is stateless: it
 # matches any TCP segment with ACK or RST set, regardless of whether a
 # connection exists (keep-state/check-state would be the stateful form).
 rule allow tcp from any to any established
 rule allow ip from any to any frag
 # NOTE(review): the inbound UDP rule admits datagrams from any source to
 # every port 1024-65535 on this host, not only replies -- confirm intended.
 rule allow udp from me 123,1024-65535 to any
 rule allow udp from any to me 123,1024-65535
 rule allow tcp from me to any setup
 
 # ssh
 # table(0) is populated outside this script. Because this deny comes
 # after the established/frag/udp allows above, packets from those
 # addresses that already matched an earlier allow are not affected by it.
 rule deny ip from "table(0)" to me
 rule allow tcp from x.x.x.x, x.x.x.x to me 22 setup
 
 # nrpe (Nagios agent), monitoring host only
 rule allow tcp from x.x.x.x to me 5666 setup
 
 # web: HTTP public, HTTPS restricted to listed addresses
 rule allow tcp from any to me 80 setup
 rule allow tcp from x.x.x.x, x.x.x.x to me 443 setup
 
 # ftp
 # ----------------------------------------------------------------------
 rule allow tcp from any to me 21 setup
 
 # passive mode: the FTP server's passive port range must match this span
 rule allow tcp from any to me 49152-65535 setup
 
 # active mode: data connections originate from our port 20
 rule allow tcp from me 20 to any setup
 # ----------------------------------------------------------------------
 
 # VPN protocol (GRE)
 rule allow gre from any to any
 
 # deny all other
 rule deny ip from any to any

FreeBSD - postfix, courier-imap, postfixadmin

Установка и настройка postfix

 # cd /usr/ports/mail/postfix
 # make showconfig
 ===> The following configuration options are available for postfix-2.7.0,1:
      PCRE=on "Perl Compatible Regular Expressions"
      SASL2=on "Cyrus SASLv2 (Simple Auth. and Sec. Layer)"
      DOVECOT=off "Dovecot SASL authentication method"
      SASLKRB=off "If your SASL req. Kerberos select this option"
      SASLKRB5=off "If your SASL req. Kerberos5 select this option"
      SASLKMIT=off "If your SASL req. MIT Kerberos5 select this option"
      TLS=off "Enable SSL and TLS support"
      BDB=off "Berkeley DB (choose version with WITH_BDB_VER)"
      MYSQL=on "MySQL maps (choose version with WITH_MYSQL_VER)"
      PGSQL=off "PostgreSQL maps (choose with DEFAULT_PGSQL_VER)"
      OPENLDAP=off "OpenLDAP maps (choose ver. with WITH_OPENLDAP_VER)"
      CDB=off "CDB maps lookups"
      NIS=off "NIS maps lookups"
      VDA=off "VDA (Virtual Delivery Agent 32Bit)"
      TEST=off "SMTP/LMTP test server and generator"
 ===> Use 'make config' to modify these settings
 # make install clean

FreeBSD - мониторинг

MRTG

Выполним установку

 # cd /usr/ports/net-mgmt/mrtg/ && make install clean
 # sudo -u xxx mkdir -m 750 /home/www/xxx/public_html/mrtg
 # cfgmaker --global 'WorkDir: /home/www/xxx/public_html/mrtg' --output /usr/local/etc/mrtg/mrtg-xxx.conf root@localhost

/usr/local/etc/mrtg/mrtg-xxx.conf

 EnableIPv6: no
 WorkDir: /home/www/xxx/public_html/mrtg
 
 Title[traffic]: Traffic
 PageTop[traffic]: <H1>Traffic</H1>
 Target[traffic]: `/root/scripts/count.traffic.sh; hostname`
 MaxBytes[traffic]: 50000000
 Options[traffic]: bits,unknaszero,growright
 LegendI[traffic]: &nbsp;input:
 LegendO[traffic]: &nbsp;output:
 YLegend[traffic]: Traffic
 Legend1[traffic]: input traffic
 Legend2[traffic]: output traffic

/root/scripts/count.traffic.sh

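 #!/bin/sh
 #
 # count.traffic.sh -- feed MRTG with the byte counters of two ipfw rules.
 #
 # Prints exactly two lines: the byte counter of rule 800, then of rule
 # 900. MRTG's Target reads the first value as input and the second as
 # output traffic (with 'bits' in the mrtg config the bytes are scaled).
 
 fwcmd="/sbin/ipfw"
 
 # rule_bytes RULENUM : print the byte counter of one ipfw rule.
 # 'ipfw show' columns are: rule number, packets, bytes, rule body.
 # When the rule is absent ipfw reports on stderr and stdout is empty, so
 # an empty line is printed; MRTG treats a blank value as unknown (the
 # 'unknaszero' option in the mrtg config maps that to zero).
 rule_bytes() {
   echo "$("${fwcmd}" show "$1" | awk '{print $3}')"
 }
 
 rule_bytes 800
 rule_bytes 900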

И, наконец, сгенерируем файл index.html:

 # indexmaker /usr/local/etc/mrtg/mrtg.conf > /home/www/xxx.ru/public_html/mrtg/index.html

SNMP

Ссылки

FreeBSD - portaudit

Установка

 # cd /usr/ports/ports-mgmt/portaudit && make install clean

Ежедневное обновление БД известных уязвимостей

 # crontab -e
 @daily /usr/local/sbin/portaudit -Fd

Ссылки

FreeBSD - анализ жестких дисков

Для анализа жестких дисков, поддерживающих технологию S.M.A.R.T., необходимо установить smartmontools.
В FreeBSD имеется порт.

Установка

cd /usr/ports/sysutils/smartmontools && make install clean

Настройка

/usr/local/etc/smartd.conf

 /dev/ad10 -a -W 10,40,45 -m root@localhost -o on -S on -s (S/../.././22|L/../../6/23)
 /dev/ad12 -a -W 10,40,45 -m root@localhost -o on -S on -s (S/../.././22|L/../../6/23)

Логирование

/etc/syslog.conf (строку добавляем в начало файла)

 local2.*                                        /var/log/smartd.log

/etc/rc.conf

 smartd_enable="YES"
 smartd_flags="-l local2"

Выполним

 touch /var/log/smartd.log
 killall -1 syslogd
 service smartd restart

Ссылки

 