FreeBSD
Jan 24 2023
Compiling Custom Kernel
- Update FreeBSD to latest patch
freebsd-update fetch
freebsd-update install
- Install git
pkg install git
- Update the source tree
git clone -o freebsd https://git.FreeBSD.org/src.git /usr/src
cd /usr/src
git checkout stable/13
- Prepare the custom kernel file
mkdir /root/kernels
cd /usr/src/sys/amd64/conf
cp GENERIC /root/kernels/MYKERNEL
ln -s /root/kernels/MYKERNEL
- Add/remove options in the MYKERNEL file
- Compile and install MYKERNEL, then reboot
cd /usr/src
make buildkernel KERNCONF=MYKERNEL
make installkernel KERNCONF=MYKERNEL
reboot
- Check whether MYKERNEL is installed correctly
uname -a
If the installation was correct, the output should show MYKERNEL.
Jan 02 2023
Configuring Unbound for whole network
- Install and configure unbound as usual. For a basic remote set-up, check the unbound remote resolver setup notes.
- Install bgpq4
- Generate a prefix list filter for your AS or AS-SET
bgpq4 -4A -h whois.radb.net -F 'access-control: %n/%l allow\n' AS-SET > /usr/local/etc/unbound/prefix.txt
- Edit unbound.conf and, under server:, add
include: /usr/local/etc/unbound/prefix.txt
- Set up a cron job to regenerate the prefix list and restart unbound periodically
Dec 14 2022
Using FreeRadius for Supermicro IPMI
- Create a new FreeRadius Virtual site for Supermicro IPMI (without enabling SQL support)
- Edit /usr/local/etc/raddb/dictionary and add a new attribute
ATTRIBUTE IPMI-radius 26 octets
3. Edit /usr/local/etc/raddb/policy.d/foo and add
foo {
update reply {
# Vendor-Specific = "H=4"
&Attr-26 = 0x483D34
}
}
0x483D34 is Hex Code for String "H=4"
If you need another permission level (e.g. H=3), just change the string to its hex code.
- Edit /usr/local/etc/raddb/users and add the following user
ipmiAdmin Cleartext-Password := "Any-password"
IPMI-radius += "0x483d34"
You can replace the username ipmiAdmin and the authorization type (Cleartext-Password).
- Restart FreeRadius
- Login to Supermicro IPMI and enable Radius support.
Dec 14 2022
Install OpenVPN on FreeBSD system
- Update Port Collection
portsnap fetch update
if it is the first time,
portsnap fetch extract
- Install OpenSSL
cd /usr/ports/security/openssl
make install clean
- Edit /etc/make.conf and add
DEFAULT_VERSIONS+=ssl=openssl
- Install OpenVPN and easy-rsa
cd /usr/ports/security/easy-rsa
make install clean
cd /usr/ports/security/openvpn
make install clean
- Create the configuration directory and copy the sample configuration file
mkdir -p /usr/local/etc/openvpn/easy-rsa
mkdir /usr/local/etc/openvpn/server
cp /usr/local/share/examples/openvpn/sample-config-files/server.conf /usr/local/etc/openvpn/server/
cp -r /usr/local/share/easy-rsa/* /usr/local/etc/openvpn/easy-rsa/
- Edit /usr/local/etc/openvpn/easy-rsa/vars and set your information for SSL
set_var EASYRSA_REQ_COUNTRY "HK"
set_var EASYRSA_REQ_PROVINCE "Kowloon"
set_var EASYRSA_REQ_CITY "San Po Kong"
set_var EASYRSA_REQ_ORG "Laws Cloud Infrastructure Limited"
set_var EASYRSA_REQ_EMAIL "demo@example.com"
set_var EASYRSA_REQ_OU "VPN Department"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_CA_EXPIRE 3650
set_var EASYRSA_CERT_EXPIRE 3650
- Initialize the PKI
cd /usr/local/etc/openvpn/easy-rsa
sh ./easyrsa.real init-pki
- Build the CA certificate, key and certificate files
sh ./easyrsa.real build-ca
sh ./easyrsa.real build-server-full server nopass
sh ./easyrsa.real build-client-full client nopass
sh ./easyrsa.real gen-dh
openvpn --genkey --secret /usr/local/etc/openvpn/easy-rsa/pki/ta.key
cp -r /usr/local/etc/openvpn/easy-rsa/pki/{ca.crt,dh.pem,ta.key,issued,private} /usr/local/etc/openvpn/server/
- Edit /usr/local/etc/openvpn/server/server.conf
port 1194
proto udp
dev tun
ca /usr/local/etc/openvpn/server/ca.crt
cert /usr/local/etc/openvpn/server/issued/server.crt
key /usr/local/etc/openvpn/server/private/server.key # This file should be kept secret
dh /usr/local/etc/openvpn/server/dh.pem
topology subnet
server 192.168.101.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
duplicate-cn
keepalive 10 120
tls-auth /usr/local/etc/openvpn/server/ta.key 0 # This file is secret
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
;comp-lzo
max-clients 100
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
auth sha512
remote-cert-tls client
- Create the log directory
mkdir /var/log/openvpn/
- Edit /etc/rc.conf and enable OpenVPN
firewall_enable="YES"
firewall_type="open"
gateway_enable="YES"
natd_enable="YES"
natd_interface="em1"
natd_flags="-dynamic -m"
openvpn_enable=YES
openvpn_configfile="/usr/local/etc/openvpn/server/server.conf"
Note: em1 is the outgoing network adapter. If you are not sure, check the ifconfig line in /etc/rc.conf that binds your IP, e.g. Also note that firewall_type="open" loads the ipfw "open" ruleset, which permits all traffic through the firewall.
ifconfig_em1="inet 10.10.10.10 netmask 255.255.255.0"
The network adapter name is the string after ifconfig_ (and before =).
- Set up client ovpn profile
client
tls-client
pull
dev tun
proto udp
remote IP-address-of-your-VPN 1194
resolv-retry infinite
nobind
dhcp-option DNS 1.1.1.1
user nobody
group nogroup
persist-key
persist-tun
key-direction 1
tls-auth ta.key 1
compress
verb 3
auth SHA512
remote-cert-tls server
<ca>
content of /usr/local/etc/openvpn/server/ca.crt
</ca>
<cert>
content of /usr/local/etc/openvpn/server/issued/client.crt
</cert>
<key>
content of /usr/local/etc/openvpn/server/private/client.key
</key>
<tls-auth>
content of /usr/local/etc/openvpn/server/ta.key
</tls-auth>
key-direction 1
Optional: enable RADIUS authentication
- Install OpenVPN Radius Plugin
cd /usr/ports/security/openvpn-auth-radius
make install clean
- Copy the sample plugin configuration to the OpenVPN configuration directory
cp /usr/local/share/examples/openvpn-auth-radius/radiusplugin.cnf /usr/local/etc/openvpn/server
- Edit /usr/local/etc/openvpn/server/radiusplugin.cnf. Find OpenVPNConfig and set it to
OpenVPNConfig=/usr/local/etc/openvpn/server/server.conf
and at the bottom, find server { and change the port, IP and secret phrase to
server
{
# The UDP port for radius accounting.
acctport=1813
# The UDP port for radius authentication.
authport=1812
# The name or ip address of the radius server.
name=IP-or-hostname.of.your.radius
# How many times should the plugin resend the request if there is no response?
retry=1
# How long should the plugin wait for a response?
wait=1
# The shared secret.
sharedsecret=secret-phase-for-free-radius
}
- Edit the OpenVPN config file (server.conf). Add the following to the end of the file
plugin /usr/local/lib/radiusplugin.so /usr/local/etc/openvpn/server/radiusplugin.cnf
- Edit the client ovpn file and add the following line
auth-user-pass
Dec 14 2022
FreeRadius enable Virtual site with SQL
- Create a MySQL/PostgreSQL database and user
- Import the FreeRadius database schema from
/usr/local/etc/raddb/mods-config/sql/main/mysql/schema.sql
/usr/local/etc/raddb/mods-config/sql/main/postgresql/schema.sql
- Edit the sql configuration file and fill in the database details
/usr/local/etc/raddb/mods-enabled/sql
server = "hostname-here"
port = 3306
login = "database-login-here"
password = "password-here"
radius_db = "database-name-here"
- If there is more than one database (for different applications), copy the whole section, add an instance name and change the database details:
sql {
to
sql instance1 {
- Copy the "default" configuration file to "virtual1" (or any name)
- Edit the "virtual1" file and make the following changes
- Change the virtual site name:
server default {
to
server virtual1 {
- Change the port number
port = 55555
- Enable sql:
find the following line
# sql
and change to
instance1
"instance1" is the sql instance name added in step 4
- Change the virtual site name:
- Add a client for this virtual host
/usr/local/etc/raddb/clients.conf
client your-device {
ipaddr = 192.168.0.0/24
secret = secretPhrase
virtual_server = virtual1
}
your-device is the profile name
ipaddr is the IP address (or IP address range) of your device(s). If there is more than one, separate them with "|".
secret is the passphrase (shared secret) a client must present to use the radius service
virtual_server is the virtual site name used in step 5.
- Add the user into the database
insert into radusergroup (username, groupname, priority) VALUES ('username','groupname', 1);
insert into radcheck (username, attribute, op, value) VALUES ('username', 'Cleartext-Password', ':=', 'password');
9. Restart radiusd
Dec 14 2022
FreeRadius configure file
- mods-config - module set up file
- mods-enabled - module configuration file
- site-enabled - default and virtual site configuration file
- radiusd.conf - global configuration file
- clients.conf - client configuration file.
Dec 14 2022
Certbot usage (Free SSL certificate generation)
Generate and install an SSL certificate using Certbot:
- Install Certbot from the FreeBSD ports and install Python:
cd /usr/ports/security/py-certbot
make install clean
cd /usr/ports/lang/python
make install clean
- Generate a free SSL certificate
certbot certonly --webroot
- Enter the web root and hostname for the certificate
- Make the change to the Apache configuration and restart Apache
- Add the following command to cron and run it once a day
/usr/local/bin/python -c 'import random; import time; time.sleep(random.random() * 3600)' && /usr/local/bin/certbot renew
Uninstall an existing SSL certificate generated by Certbot:
certbot delete --cert-name ssl.example.com
where ssl.example.com is the sub-domain that needs to be removed.
Dec 14 2022
MySQL time zone Database
- Import Time Zone Data to MySQL
mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root -p mysql
- Grant "Select" privileges to the MySQL user
GRANT SELECT ON mysql.time_zone_name TO cacti@localhost;
flush privileges;