FreeBSD 9: Shared Object “libutil.so.8” not Found

Problem

After upgrading to FreeBSD 9, whenever I try to use ports to install something, I get the following error:

$ cd /usr/ports
$ make search name=nano
The search target requires INDEX-9. Please run make index or make fetchindex.

Then, whenever I run the make index command, it prints the following error:

$ cd /usr/ports
$ make index
Generating INDEX-9 - please wait..Shared object "libutil.so.8" not found, required by "perl"
"Makefile", line 29: warning: "/usr/local/bin/perl -V::usethreads" returned non-zero status

What happened?

During the FreeBSD upgrade from version 8.2 to the new 9.0 release, it seems that FreeBSD deleted the old library after the second run of the freebsd-update install command. This usually happens when you do a major release version upgrade.

Solution

We need to create a symlink named libutil.so.8 that points to the new libutil.so.9 of FreeBSD 9 under the /lib directory:

$ cd /lib
$ ln -s libutil.so.9 libutil.so.8

Then we need to run the "make index" command again. make index builds the index (which is then used to look up the ports collection) from your current ports tree:

$ cd /usr/ports
$ make index
Generating INDEX-9 - please wait.. Done.

Now you should be able to use ports as usual. Cheers!
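As an added check of my own (not part of the original post): after a major upgrade, rather than relying on the symlink alone, list which third-party binaries still reference a library that no longer exists, so you know which ports to rebuild. The ldd(1) output below is a constructed sample; scan_directory() runs the real ldd when executed on a FreeBSD host.

```python
import os
import re
import subprocess

# Constructed sample of FreeBSD ldd(1) output for two binaries after the
# 8.2 -> 9.0 upgrade; only the "=> not found" entries matter here.
SAMPLE_LDD_OUTPUT = """\
/usr/local/bin/perl:
\tlibperl.so.5.12 => /usr/local/lib/perl5/5.12/mach/CORE/libperl.so.5.12 (0x800647000)
\tlibutil.so.8 => not found (0)
\tlibc.so.7 => /lib/libc.so.7 (0x800a00000)
/usr/local/bin/nano:
\tlibncurses.so.8 => /lib/libncurses.so.8 (0x800648000)
\tlibc.so.7 => /lib/libc.so.7 (0x800a00000)
"""
_BINARY_RE = re.compile(r"^(\S.*):$")
_DEP_RE = re.compile(r"^\s+(\S+) => (.+?) \((?:0x)?[0-9a-f]+\)$")


def missing_shared_objects(ldd_output):
    """Map each binary to the shared objects ldd reported as 'not found'."""
    missing = {}
    current = None
    for line in ldd_output.splitlines():
        m = _BINARY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = _DEP_RE.match(line)
        if m and current and m.group(2) == "not found":
            missing.setdefault(current, []).append(m.group(1))
    return missing


def scan_directory(path):
    """Run ldd over the executables in `path` (for example /usr/local/bin)."""
    names = [os.path.join(path, n) for n in sorted(os.listdir(path))]
    files = [n for n in names if os.path.isfile(n) and os.access(n, os.X_OK)]
    if not files:
        return {}
    proc = subprocess.run(["ldd"] + files, capture_output=True, text=True)
    return missing_shared_objects(proc.stdout)


if __name__ == "__main__":
    for binary, libs in scan_directory("/usr/local/bin").items():
        print(binary, "needs", ", ".join(libs))
```

Every binary the scan reports is one whose port should be rebuilt against the new release; the symlink only keeps it starting in the meantime.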

FreeBSD: Upgrade from 8.2 to 9.0

If you use this command to upgrade to the latest release, FreeBSD 9.0:

$ freebsd-update -r 9.0-RELEASE upgrade

You might see the following error:

The update metadata is correctly signed, but
failed an integrity check.
Cowardly refusing to proceed any further.

This error indicates that the freebsd-update integrity check does not accept the % and @ characters that appear in FreeBSD 9. To work around this, run the following command:

$ sed -i '' -e 's/=_/=%@_/' /usr/sbin/freebsd-update

Now start the upgrade process:

$ freebsd-update -r 9.0-RELEASE upgrade

Accept all the prompted values and follow the wizard. This process downloads all the files and patches required for the upgrade, so it takes time. You might need to press 'Enter' once to check the /etc/hosts file. Once complete, run the following command to start installing the updates:

$ freebsd-update install

After a while, the system will prompt something like the following:

Installing updates...rmdir: ///boot/kernel: Directory not empty
 
Kernel updates have been installed. Please reboot and run "/usr/sbin/freebsd-update install"
again to finish installing updates.

Reboot the server:

$ init 6

Once it is up, it will have booted into FreeBSD 9. Run the installation command again:

$ freebsd-update install

After the process completes, the system will ask you to rebuild all the applications you installed using ports. Once done, rerun the above command to complete the upgrade process, and you should see something like the following:

$ freebsd-update install
Installing updates... Done

Your update should now be complete. To check the new version, run the following command:

$ uname -r
9.0-RELEASE

Source: http://lists.freebsd.org/pipermail/freebsd-stable/2011-October/064321.html

FreeBSD: Setup IP and Port Redirection using NAT

Yesterday, our development team delivered the new website on a new server. This website replaces our old website and really needs to point to the new server immediately. Since my boss does not want to risk any data inconsistency caused by DNS propagation, I need to use this method to redirect all connections to port 80 on the old server to port 80 on the new server. Only once the redirection is in place will I change the DNS records to the new server. This results in zero DNS propagation time.

I will use the simplest way to achieve this, using IPFirewall (ipfw) as the firewall and natd as the address/port redirector. Both come with FreeBSD by default.

The variables I used are:

OS: FreeBSD 8.0 64bit
Old server main IP: 202.188.90.11
Old web server IP: 202.188.90.12
New web server IP: 202.188.100.77
Domain: mywebsite.net

1. Since we want to make this FreeBSD server a router, we need to make sure it has two interfaces set up: one for us to connect to via the public network and another for the IP redirection. Make sure you have the following IP setup in /etc/rc.conf:

ifconfig_em0="inet 202.188.90.11 netmask 255.255.255.0"
ifconfig_em1="inet 202.188.90.12 netmask 255.255.255.0"

2. Restart the network interfaces and check whether the IPs are bound to the interfaces:

$ /etc/rc.d/netif restart
$ ifconfig | grep inet
        inet 202.188.90.11 netmask 0xffffff00 broadcast 202.188.90.255
        inet 202.188.90.12 netmask 0xffffff00 broadcast 202.188.90.255

3. In this case I am going to use em1 as the interface that receives connections for the web server (since the domain points to this IP/interface). Add the following lines to /etc/rc.conf using a text editor:

gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
natd_enable="YES"
natd_interface="em1"
natd_flags="-f /etc/natd.conf"

4. In the configuration above, we set natd_flags so that natd reads its configuration from /etc/natd.conf. So we need to create this file and put the rules into it using a text editor:

port 8668
interface em1
redirect_port tcp 202.188.100.77:80 202.188.90.12:80

5. Sadly, we need to reboot the server to make this new redirection work. Reboot as follows:

$ init 6

6. Let's check whether all the required applications are running:

$ ps aux | grep natd
root    858  0.0  0.2 14256  1628  ??  Ss   11:37AM   0:00.01 /sbin/natd -f /etc/natd.conf -n em1
$ ipfw list
00050 divert 8668 ip4 from any to any via em1
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
65000 allow ip from any to any
65535 deny ip from any to any

7. Now, let's browse to the website, http://mywebsite.net, and see where it goes. It should load the website on the new server, 202.188.100.77. We have redirected the website to the new server without any worries about DNS propagation!
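An added sanity check of my own (not part of the original post) for step 6: it parses natd.conf and the `ipfw list` output and confirms that a divert rule exists for natd's port on natd's interface and that it sits before the catch-all allow rule, since ipfw stops at the first matching rule and an earlier allow would let traffic bypass natd. The configuration and rule listing are constructed copies of the ones above.

```python
import re
# Constructed copies of the natd.conf and `ipfw list` output shown above.
NATD_CONF = """\
port 8668
interface em1
redirect_port tcp 202.188.100.77:80 202.188.90.12:80
"""
IPFW_LIST = """\
00050 divert 8668 ip4 from any to any via em1
00100 allow ip from any to any via lo0
65000 allow ip from any to any
65535 deny ip from any to any
"""
_DIVERT_RE = re.compile(r"^(\d+) divert (\d+) .* via (\S+)$")
_CATCHALL_RE = re.compile(r"^(\d+) allow ip from any to any$")


def parse_natd_conf(text):
    """Return (port, interface, [(proto, target, alias), ...]) from natd.conf."""
    port, iface, redirects = None, None, []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "port":
            port = int(parts[1])
        elif parts[0] == "interface":
            iface = parts[1]
        elif parts[0] == "redirect_port" and len(parts) == 4:
            redirects.append((parts[1], parts[2], parts[3]))  # proto, target, alias
    return port, iface, redirects


def check_nat_setup(natd_conf, ipfw_list):
    """Return a list of problems; an empty list means natd and ipfw agree."""
    port, iface, redirects = parse_natd_conf(natd_conf)
    problems = [] if redirects else ["natd.conf has no redirect_port entries"]
    divert_num = catchall_num = None
    for line in ipfw_list.splitlines():
        m = _DIVERT_RE.match(line)
        if m and int(m.group(2)) == port and m.group(3) == iface:
            divert_num = int(m.group(1))
        m = _CATCHALL_RE.match(line)
        if m and catchall_num is None:
            catchall_num = int(m.group(1))
    if divert_num is None:
        problems.append(f"no ipfw divert rule for port {port} via {iface}")
    elif catchall_num is not None and divert_num > catchall_num:
        problems.append("divert rule is after the catch-all allow, so natd never sees traffic")
    return problems
```

On the live box, feed it the real files: check_nat_setup(open("/etc/natd.conf").read(), subprocess.check_output(["ipfw", "list"], text=True)).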

FreeBSD: Update Ports

FreeBSD has a large variety of applications available via ports. For me, this is the best thing so far about FreeBSD, together with its simplicity, configurability and stability. Portsnap is a tool that fetches the distributed FreeBSD ports tree; put simply, we update the ports tree and get the latest stable versions from the main tree.

To update the ports tree, run the following command:

portsnap fetch update

Once done, we need to extract it so that it updates what is available under /usr/ports:

portsnap extract

Attention: this might take a long time depending on your connection speed and hardware specs. You can grab a cup of coffee and watch YouTube while waiting for this process to complete.

FreeBSD: NginX+PHP 5.3 FastCGI (FPM) Installation

NginX (pronounced "engine x") is a high-performance web server and reverse proxy server. It is well known for its low memory footprint compared to Apache. You can refer here for an Nginx vs Apache performance benchmark result. Nginx is far better than Apache.

Popular websites that run on Nginx include SourceForge, WordPress, and Hulu. By running Nginx on FreeBSD, you can deliver a light, efficient, powerful, stable and secure web server in a simple way.

What is PHP? I think you all already know, so there is no need to explain further. The PHP handler we will use is FastCGI Process Manager (FPM), an alternative PHP FastCGI implementation with some additional features useful for sites of any size, especially busier sites. This setup will surely deliver a high-performance web service on low-spec hardware.

OS: FreeBSD 8 64bit
Nginx version: 0.8.54
PHP version: 5.3.6
Website: http://mydomain.net/
Website IP: 192.168.60.2
Web directory: /home/mydomain/public_html

1. Let's start by installing the Nginx web server:

cd /usr/ports/www/nginx
make install clean

Once the installation starts, it will prompt with the nginx module selection page. You can select any Nginx modules you want, but for me, I will select the following modules to be compiled right away:

[X] HTTP_MODULE               Enable HTTP module
[X] HTTP_ADDITION_MODULE      Enable http_addition module
[X] HTTP_CACHE_MODULE         Enable http_cache module
[X] HTTP_DAV_MODULE           Enable http_webdav module
[X] HTTP_FLV_MODULE           Enable http_flv module
[X] HTTP_GEOIP_MODULE         Enable http_geoip module
[X] HTTP_GZIP_STATIC_MODULE   Enable http_gzip_static module
[X] HTTP_IMAGE_FILTER_MODULE  Enable http_image_filter module
[X] HTTP_PERL_MODULE          Enable http_perl module
[X] HTTP_RANDOM_INDEX_MODULE  Enable http_random_index module
[X] HTTP_REALIP_MODULE        Enable http_realip module
[X] HTTP_REWRITE_MODULE       Enable http_rewrite module
[X] HTTP_SECURE_LINK_MODULE   Enable http_secure_link module
[X] HTTP_SSL_MODULE           Enable http_ssl module
[X] HTTP_STATUS_MODULE        Enable http_stub_status module
[X] HTTP_SUB_MODULE           Enable http_sub module
[X] HTTP_XSLT_MODULE          Enable http_xslt module

If you receive any further prompts after that, just accept all the values if you want a complete setup, or else select what you want, if you know what you are doing.

2. Web server installation done. Make sure Nginx is enabled by adding the following line to /etc/rc.conf:

nginx_enable="YES"


FreeBSD 8 – 10 Applications Need to be Installed

FreeBSD is well known for its stability and the security features it offers. Though some hardcore Linux system administrators might not agree with my statement, this operating system is widely used by big companies as the core platform of their systems. Yahoo, Apache, Cisco, Apple, Juniper and NetApp are some of them.

FreeBSD uses ports for package management. It is similar to yum, apt-get and yast2, but BSD-style. Installing a port takes just 3 easy steps:

  1. Log in to the server via console/SSH
  2. Let's say you want to install nano: navigate to /usr/ports/editors/nano
  3. Run 'make', then 'make install', then 'make clean' (to remove the build files after the installation completes)

I will list all my first-need-to-be-installed applications on FreeBSD 8, with their ports directory and the reasons:

Text Editor: nano
Location: /usr/ports/editors/nano
Reason: Easy-to-use text editor with many direct functions. You may need it to edit many files, especially if it is a new server.
———————————————

Terminal: screen
Location: /usr/ports/sysutils/screen
Reason: Manage multiple terminal windows in one session. You may need this to install many other applications at the same time.
———————————————

AntiVirus: clam-av
Location: /usr/ports/security/clamav
Reason: Even though FreeBSD is well known for security, don't take it for granted. Protection first, especially when the server is connected to a public network.
———————————————

Browser: lynx
Location: /usr/ports/www/lynx
Reason: When you are in terminal mode, sometimes you need to download files from a website that uses cookies; lynx acts like a normal browser in text mode.
———————————————


MySQL General Security Guidelines

1. Do not ever give anyone (except MySQL root accounts) access to the user table in the mysql database! This is critical!

2. Learn the MySQL access privilege system. The GRANT and REVOKE statements are used for controlling access to MySQL. Do not grant more privileges than necessary. Never grant privileges to all hosts.
Checklist:

  • Try mysql -u root. If you are able to connect successfully to the server without being asked for a password, anyone can connect to your MySQL server as the MySQL root user with full privileges! Review the MySQL installation instructions, paying particular attention to the information about setting a root password.
  • Use the SHOW GRANTS statement to check which accounts have access to what. Then use the REVOKE statement to remove those privileges that are not necessary.
  • Do not store any plain-text passwords in your database. If your computer becomes compromised, the intruder can take the full list of passwords and use them. Instead, use MD5(), SHA1(), or some other one-way hashing function and store the hash value.
  • Do not choose passwords from dictionaries. Special programs exist to break passwords. Even passwords like “xfish98” are very bad. Much better is “duag98” which contains the same word “fish” but typed one key to the left on a standard QWERTY keyboard.
  • Another method is to use a password that is taken from the first characters of each word in a sentence (for example, “Mary had a little lamb” results in a password of “Mhall”). The password is easy to remember and type, but difficult to guess for someone who does not know the sentence.

3. Invest in a firewall. This protects you from at least 50% of all types of exploits in any software. Put MySQL behind the firewall or in a demilitarized zone (DMZ).
Checklist:

  1. Try to scan your ports from the Internet using a tool such as nmap. MySQL uses port 3306 by default. This port should not be accessible from untrusted hosts. Another simple way to check whether or not your MySQL port is open is to try the following command from some remote machine, where server_host is the host name or IP address of the host on which your MySQL server runs:
    shell> telnet server_host 3306
  2. If you get a connection and some garbage characters, the port is open, and should be closed on your firewall or router, unless you really have a good reason to keep it open. If telnet hangs or the connection is refused, the port is blocked, which is how you want it to be.
  3. Do not trust any data entered by users of your applications. They can try to trick your code by entering special or escaped character sequences in Web forms, URLs, or whatever application you have built. Be sure that your application remains secure if a user enters something like
    "; DROP DATABASE mysql;"

    This is an extreme example, but large security leaks and data loss might occur as a result of hackers using similar techniques, if you do not prepare for them. A common mistake is to protect only string data values. Remember to check numeric data as well. If an application generates a query such as:

     SELECT * FROM table WHERE ID=234

    when a user enters the value 234, the user can enter the value 234 OR 1=1 to cause the application to generate the query:

    SELECT * FROM table WHERE ID=234 OR 1=1

    As a result, the server retrieves every row in the table. This exposes every row and causes excessive server load. The simplest way to protect from this type of attack is to use single quotation marks around the numeric constants:

    SELECT * FROM table WHERE ID='234'

    If the user enters extra information, it all becomes part of the string. In a numeric context, MySQL automatically converts this string to a number and strips any trailing non-numeric characters from it.
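The numeric-context injection above, as an added Python example of my own (not part of the MySQL guidelines): the string-built query beside a version that checks the input really is a number and binds it as a query parameter, which is the general fix rather than the single-quote trick. sqlite3 stands in for MySQL so it runs offline; the table and rows are constructed.

```python
import sqlite3


# Constructed in-memory stand-in for the page's `table`; sqlite3 is used so
# the example runs without a MySQL server.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (ID INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO t VALUES (?, ?)",
                     [(233, "alice"), (234, "bob"), (235, "carol")])
    return conn


def lookup_vulnerable(conn, user_input):
    """Builds the query by string concatenation, as the guideline warns against."""
    query = "SELECT * FROM t WHERE ID=" + user_input
    return conn.execute(query).fetchall()


def lookup_safe(conn, user_input):
    """Checks that the input really is a number, then binds it as a parameter."""
    try:
        id_value = int(user_input)  # "234 OR 1=1" is rejected here
    except ValueError:
        return []
    return conn.execute("SELECT * FROM t WHERE ID=?", (id_value,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "234 OR 1=1"))  # every row comes back
    print(lookup_safe(db, "234 OR 1=1"))        # []
```

Note that SQLite does not silently convert '234 OR 1=1' to 234 in a numeric comparison the way MySQL does, so the single-quote trick from the text is not shown here; validating and binding the value works the same on both.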


Using Screen to Manage Multiple Displays in one SSH Session

Screen is a full-screen window manager that multiplexes a physical terminal between several processes, typically interactive shells. Screen is very useful for administering a server via SSH or console. It allows multiple shell sessions to be controlled from a single SSH session.

As a server administrator, you usually use Screen to:

  • Create multiple windows, each running a different command
  • Create 2 windows: one managing the local server, another managing a remote server
  • Share a window with another user remotely; they can see what you type and run in the shell via SSH

Let's install Screen first via SSH (in this example I will use PuTTY), and then I will show you how to use it and take advantage of having this application installed:

RedHat/CentOS/Fedora:

yum install screen -y

Ubuntu/Debian:

apt-get install screen

FreeBSD:

cd /usr/ports/sysutils/screen
make
make install clean

Note: on FreeBSD, there might be some prompts; just accept the default values.

Installation done. I will show some examples so you can follow and understand how we should use Screen:

1. Type the following command to start screen:

# screen

2. You have entered the first window of your screen session. Run the following command:

# top

3. Now, press 'Ctrl-A' followed by 'C' on the keyboard. This creates another window next to it. Run the following command afterwards:

# netstat -na

4. Now, press 'Ctrl-A' followed by 'C' again. This creates another window next to the 2nd window (the netstat window). Run the following command:

# dmesg
