[Essence] FreeBSD-FAQ (2)

3: I am now learning how to use FreeBSD. Where should I start?

Resources for newbies
Http://www.freebsd.org/projects/newbies.html

 

4: Where can I get the FreeBSD CD?
Ftp://ftp.freebsd.org/pub/FreeBSD/releases/i386/

 

5: How should I install FreeBSD?

Http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/install.html)
Http://www.freebsd.org.cn/snap/doc/zh_CN.GB2312/books/handbook/install.html)

 

6: Are there any FreeBSD tutorials?

The best authority is the handbook officially provided by FreeBSD.
Http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/index.html)
Http://www.freebsd.org.cn/snap/doc/zh_CN.GB2312/books/handbook)

In addition, Wang Bo's usage Daquan and technical insider are also good books.

 

7: how to compile the FreeBSD kernel?
Http://www.freebsd.org/doc/en_US .. k/kernelconfig.html)
Http://www.freebsd.org.cn/snap/doc/zh_CN.GB2312/books/handbook/kernelconfig.html)

 

8: how to install software under FreeBSD?
Http://www.freebsd.org/doc/en_US... handbook/ports.html)
Http://www.freebsd.org.cn/snap/doc/zh_CN.GB2312/books/handbook/ports.html)

 

9: How to manage system accounts?
Http://www.freebsd.org/doc/en_US... handbook/users.html)
Http://www.freebsd.org.cn/snap/doc/zh_CN.GB2312/books/handbook/users.html)

 

10: There is a command Foo. I want to know its details. What should I do?
Run 'man foo' with the 'man 'command, and you can also check the http://www.freebsd.org/cgi/man.cgi

 

11: Why can't I use root to connect to my Telnet/FTP?
Using root to connect to telnet/FTP is a bad idea and is very insecure.
FreeBSD disables this method by default. You can use another user to telnet to the system and then su becomes root.
In addition, we strongly recommend that you use more secure ssh/SFTP instead of Telnet/FTP.

 

12: Why can't I su root?
Only users in the wheel group can su be the root user.

 

13: My root password is lost. What should I do?
Restart FreeBSD. When there is a countdown, press any key (except enter), enter 'boot-S', and run '#/sbin/Mount-a' first after entering the system ', now you can use 'passwd' to change the root password.

 

14: How can I check my system's ports and programs?
Netstat and PS will help you.

 

15: I found that my system has opened a port XX. How can I disable it?
Install lsof, use 'lsof-in' to check which program opened the port, and then close the corresponding process (PS & kill ).

16: What should I do when the system starts automatically?
Put what you want to put in/etc/rc. Local. If you don't see this file, create it by yourself.
In addition, you can save your command. SH and put it in/usr/local/etc/rc. d/, do not forget to make it executable.

 

17: I modified/boot/loader. the system cannot be properly guided after Conf. When the machine starts to load/boot/defaults/loader. what should I do if the machine stops responding when conf (not loaded? (Provided by night coders)

When the machine starts, press any key (except press Enter) when the "-" prompt appears to enter the "Boot:" prompt, enter: boot kernel, and the machine starts to start.

 

18: How do I modify the information displayed during my Telnet logon? (Provided by night coders)

# Vi/etc/gettytab
Edit:
Default:
: CB: Ce: CK: LC: FD #1000: Im = welcome to Windows 2000 servern: SP #1200:
: If =/etc/issue:
Save and exit.
Try to telnet your FreeBSD again and it will show:
Welcome to Windows 2000 Server
Login:

19: Are there any XXX software under ports? Under which directory?

CD/usr/Ports
Make search key = xxx | grep ^ path:
If you want to search by software name
Make search name = xxx
Do not enter spaces after name and key.

 

20: What is the relationship between FreeBSD release, stable, and current?

FreeBSD has two main branches: one is the stable Branch and the other is the current branch.
Stable branches are tested over a long period of time (generally from one year
Two years), the system branch that fixes the main problem. There is usually no serious system-level error on this branch, and the main structure of the system is not modified. But it does not mean that the stable branch is static.
, The stable branch often adds many peripheral updates, such as from 4.4 to 4.8, FreeBSD has undergone a huge change, such as using softupdate
Support for upgrades of series devices and FireWire devices, as well as an upgrade of the stdin/stdout library. These updates are all performed in the current branch.
After a long period of test, the stable branch is added if the evaluation does not affect the system security. The current branch can actually become freebsdng, which will be large here
A lot of new technologies and new code, but these code is in the experimental nature, can not guarantee stability and efficiency, just for developers to test. Release is the release version of FreeBSD
When stable and current develop to a stage, a release version will be released after a batch of goals are achieved. before 5, FreeBSD will only be released on the stable branch.
Release version, but more current versions may be released in the future.

 

21: How can I move a system to a new hard disk?
Http://bbs.chinaunix.net/viewthread.php? Tid = 639085 & extra = Page % 3d1

 

22: Why am I already root, but I still have no permission to modify and upgrade the system?

Securelevel

FreeBSD kernel has a concept called securelevel. When someone is talking about whether this is perfect
The Mechanism has already prevented most "script kiddiez ". Securelevel indicates that when your kernel is running
. Each of the other regions has different protection and authentication mechanisms. These are the man pages of Init:

The kernel runs with four different levels of security. Any superuser
Process can raise the security level, but only init can lower it.
Security levels are:
The kernel can be implemented using four different security methods. Any superuser process can improve security
Wait, but only init can reduce it. The four types of equivalence points are:

-1 permanently insecure mode-always run the system in level 0 mode.
Never Secure Mode-switch to level 0!

0 insecure mode-immutable and append-only flags may be turned off.
All devices may be read or written subject to their permissions.
Insecure mode-"cannot be changed" and "can only be appended" can be changed. All
Devices can be canceled according to their permission limits.

1 secure mode-the system immutable and system append-only flags may
Not be turned off & #59; disks for mounted filesystems,/dev/MEM, and
/Dev/kmem may not be opened for writing.
Security Mode-the flag "cannot be changed" and "can only be appended" cannot be canceled
System,/dev/MEM, And/dev/kmem cannot be merged.

2 highly secure mode-same as secure mode, plus disks may not be
Opened for writing (partition t by Mount (2) Whether mounted or not.
His level precludes tampering with filesystems by unmounting them,
But also inhibits running newfs (while the system is multi-user.
High Security Mode-similar to the safe mode, it adds more, no matter whether the hard disk is mounted or not,
Not Mount (2. It prevents a transaction system from being attacked during umount.
Commit. In addition, newfs (is not allowed in multi-user mode (.

If the security wait is initially-1, the init will keep the original response. Otherwise, in single user mode,
Init will change the security wait to 0, and it will run at 1 in multiuser mode. If you want
The multiuser mode is to wait for worker 2 to run. You can first enter single user mode, Zookeeper/etc/rc,
Use sysctl for more actions.

If your system only runs the web server, you can safely increase the securelevel to 2.
But if you want to run X server, changing your securelevel to 1 or higher will cause some problems. Because
X server must input/dev/MEM and/dev/kmem, but securelevel 1 does not allow you to do so.
One solution is to increase the securelevel after activating X server. But I 'd say, if
When you run X server, you already have other security issues to consider, not just securelevel.
The following command shows your current securelevel setting value.

# Sysctl Kern. securelevel

If you want to improve your securelevel:
# Sysctl-W Kern. securelevel = x
X can be 0, 1, or 2.

When securelevel is 1, you may have some problems when making world. Because "make
Install "will add immutable flag on the kernel:

# Ls-Lo/kernel
-R-XR-x 1 root wheel schg 1061679 Jun 30/kernel

"Schg" flag will prevent you from installing the new kernel:

NFR # ID
Uid = 0 (Root) gid = 0 (wheel) groups = 0 (wheel), 2 (kmem)

NFR # sysctl Kern. securelevel
Kern. securelevel: 2

NFR # rm-RF/kernel
RM:/kernel: operation not permitted

NFR # mv/kernel/tmp/
MV: Rename/kernel to/tmp // kernel: operation not permitted

If you are at securelevel 1 or 2, then the schg flag cannot be changed.

# Chflags noschg/kernel
Chflags:/kernel: operation not permitted

It is worth noting that/boot. config can be used to change the system settings when you are on the machine. It is necessary to prevent malicious tampering.
You should do this:

# Touch/boot. config
# Chflags schg/boot. config

You can check whether the system hosts have schg flag.

# Ls-Lo/sbin | grep schg
-R-x ------ 1 Bin schg 204800 Jul 19 20:38 init
# Ls-Lo/bin | grep schg
-R-Sr-XR-x 1 root bin schg 192512 Jul 19 20:36 RCP

Let's look back at the issue of fixing the system! Since the entire queue has reached immutable flags, why not keep the entire
I/sbin and/bin are both set to schg flag !? This will give crack a little setback to your system.
(When your system is set, is the current securelevel used?

# Chflags schg/bin /*
# Chflags schg/sbin /*

However,/sbin may be changed to another name, and then a new/sbin is created.
The schg flag of/bin is a reasonable idea. We can change/sbin and/bin in the following ways.
Schg flag:

# Chflags schg/bin /*
# Chflags schg/sbin /*

These schg flag cases will make you have problems in "Make World.
("Make installworld" is also)

No matter what, it is best to "make world" in single user mode ". Related to "makr world"
For more information, see the following website:

Http://www.nothing-going-on.demon.co.uk/FreeBSD/make-world/make-world.html

Now you have already set up your system to run only the necessary services, and your system is also running
Mount the file, and the kernel securelevel of the combined kernel is small?
Related man pages: Init (, chflags (1), sysctl (.

23: How can I know whether the system is operating normally and whether it is under attack?

Since FreeBSD is a multi-user system, the administrator needs to perform routine maintenance, especially for Network
Once the server system is shut down due to lack of maintenance, it will cause great losses. Even if
User's FreeBSD system also needs to execute these indispensable maintenance tasks, only because the system is for personal use,
Therefore, the maintenance requirements are not so high, and the maintenance tasks are easier.
System Logs
System Logging provides a detailed audit of system activities, which are used to evaluate and review system operations
Row environment and various operations. In general, logging includes recording the User Logon Time, logon location, and
If used properly, log records can be used to provide system administrators with information about attacks or
Intrusion attempts and other useful information.
BSD provides a variety of detailed log records, as well as a large number of tools and utilities related to logs. These audit records
Recording is usually automatically generated by the program and is part of the default setting. It can help Unix administrators find the existing
Is very useful for system maintenance. There are other log records that need to be set by the Administrator to take effect.
Most log files are stored in the/var/log directory, except for
In addition, it includes some application software log files. Of course, other subdirectories under the/var directory will also record some
Other types of log files depend on the specific application settings.
$ Ls/var/log
Adduser maillog.5.gz sendmail. st.1
Dmesg. Today maillog.6.gz sendmail. st.10
Dmesg. Yesterday maillog.7.gz sendmail. st.2
Httpd-access.log (messages sendmail. st.3)
Httpd-error.log messages.0.gz sendmail. st.4
Kerberos. Log messages.1.gz sendmail. st.5
Lastlog messages.2.gz sendmail. st.6
LPD-errs messages.3.gz sendmail. st.7
Maillog messages.4.gz sendmail. st.8
Maillog.0.gz messages.5.gz sendmail. st.9
Maillog.1.gz news setuid. Today
Maillog.2.gz PPP. Log setuid. Yesterday
Maillog.3.gz sendmail. St userlog
Maillog.4.gz sendmail. st.0 wtmp
System logon log
The system will save the logon records of each user, including the user's name and the start and end time of logon.
And where to log on to the system. They are saved to/var/log/lastlog,/var/log/wtmp, And/
In the var/run/utmp file, these three files Save the login data of these users in binary format.
The/var/run/utmp file stores the logon records of the current system user.
The user enters and leaves the system constantly changing, and it will not keep a long record for the user, only keep online at that time
User records. Programs in the system that need to query the current user status, such as WHO and W, need to access this file.
Utmp may not include all accurate information, and user logon sessions will be terminated due to some unexpected errors.
Utmp records, so utmp records are not trustworthy.
While/var/log/wtmp stores all login and exit information, as well as system startup and shutdown records. Therefore
As the normal running time of the system increases, the size of the system will increase. The increasing speed depends on the System user login.
Number of records. Therefore, you can use this log to view the user's logon records.
And display the user's logon records in reverse order.
Tty or time. The AC command also uses data in wtmp to generate a report, but its display side
Type is different. It can display information based on the user (Ac-p) or by date (ap-d), so that the administrator can obtain
Obtain useful abnormal information, such as a user who is usually not active suddenly logging on and connecting for a long time.
I have reason to suspect that this account has been stolen.
Note: Since x window opens multiple terminal windows at the same time, it will make the user login connection time fast
Add.
The lastlog file stores the last logon information of each user, including the logon time and location.
Files are generally used only by login programs. the user's uid is used to find the corresponding records in the lastlog file and then report
The Last Logon Time and terminal TTY. Then, the login program updates the file with a new record.
These three files are saved in binary format. Therefore, you cannot directly view the content of these files.
Related commands. Of course, you can also access these three files through a program. This requires you to understand the data structure they use.
. Utmp and wtmp use the same data structure, while lastlog uses another data structure, which can be man
To query the specific structure. If the number of users in the system is large, the size of the wtmp file will increase rapidly.
When the space of the system/var file system is insufficient, the file system is fully occupied. The system does not take the initiative to control
The size of this file, so this requires administrator intervention, need to be manually cleared in a timely manner, or write shell scripts regularly
Save and clear.
The system can also provide the accounting statistics function. To enable the system's accounting function, you must use the accton command,
Note: The accton must follow the name of the accounting log file as a parameter, and the accton without parameters will be disabled.
.
After the accounting function is enabled, you can use lastcomm to check information about all commands executed in the system,
Including the command to be executed, the user to execute the command, the user's terminal tty, the command Completion Time, And the execution time.
. The output from lastcomm can also help administrators check possible intrusion behaviors.
In addition, you can use the AC command to query the user's connection time report, and the SA command to query the processing of user consumption
Time Report.
Syslog log records
Initially, syslog was designed only for Sendmail, because it provides a central control
System point, making sys log very easy to use and easy to configure, so many programs today use syslog To send their records
Recording information. Syslog is a powerful logging method that not only saves logs in local files, but also
To send syslog records to another host on the network according to the settings.
Syslogd daemon is started in syslog-enabled systems.
Listen to the internet socket on port 514 (UDP) to obtain the syslog record. The process in the local machine uses sysl
The og system calls and sends Sy slog records, and syslogd saves them to the correct file or sends them to the network.
Run syslogd on another host.
The syslogd setting file is/etc/syslog. conf, which defines the target of the message. A message can
When multiple targets are reached, they may also be ignored.
# $ ID: syslog. conf, V 1.9 21:59:55 Nate exp $
#
# Spaces are not valid field separators in this file.
# Consult the syslog. conf (5) manpage.
*. Err & #59; Kern. debug & #59; Auth. Notice & #59; mail. crit/dev/console
*. Notice & #59; Kern. debug & #59; lpr.info & #59; mail. crit & #59; news. Err/var/log/messages
Mail.info/var/log/maillog
Lpr.info/var/log/lpd-errs
Cron. */var/cron/log
*. Err Root
*. Notice & #59; news. Err Root
*. Alert Root
*. Emerg *
! PPP
*. */Var/log/PPP. Log
Syslog. conf configuration can be divided into two parts: the first part is used to distinguish the message type, and the other is used
Set the message sending destination. Generally, the message type includes the producer of the message. For example, Kern indicates that the kernel is generated.
Auth indicates the message generated by the authentication system, and so on. It also includes the message level. For example, emerg indicates
Important emergency information. alert indicates the system alarm status, crit indicates the critical status, and err indicates the general error message.
Information, warning indicates warning information, notice indicates prompt information, but not an error, info indicates general information,
Debug indicates debugging information, so the type of a message may be: Kern. debug, mail.info,
Wildcard * can be used for matching.
From the preceding syslog. conf settings, we can see that the system is running normally with a lot of important information, such as errors.
Information *. Err, kernel debugging information Kern. debuf, authentication report Auth. Notice, etc.
And some important information is output to the/var/log/messages file.
Stored in the/var/log/mail log file, and the printed records are/var/log/lpd-errs, so that the administrator can
Query related records based on these files for statistics or system problems. Here, the ME recorded by Syslog is used.
The ssages file contains the root login information, user attempts to log on multiple times, and so on, which is very important to system security.
Therefore, after the system is attacked, attackers attempt to clear related files according to the settings in syslog. conf.
Your logon records. Therefore, you can try to send syslogs to another system with higher security requirements.
Computer, or output to some device files, such as printing the output immediately on the printer.
The system periodically checks the messages and maillog files output by Syslog using newsyslog.
Save it as a ghost file, such as messages.1.gz.
Other logs
In addition to system logon and Syslog records, some other applications use their own logging methods.
.
The system automatically checks the system's security settings every day, including the inspection of the execution file of setuid and setgid.
The result is output to the/var/log/security. Today file. The administrator can
Y. yeste rday file comparison, looking for changes in system security settings.
If the system uses Sendmail, the sendmail. St file stores the Sendmail System in binary format.
Information.
When the system starts, the kernel detection information is output to the screen.
Analyzes the hardware status in the system. Generally, use the D mesg command to view the detection information output at the last startup.
. This information is also stored in the/var/log/dmesg. Todd ay file.
Dmesg. Yesterday is the last startup detection information. By comparing the two files, you can see the system hardware.
And Kernel configuration changes.
LPD-errs records the error messages generated by LPD in the system.
In addition, various shells also record the history of commands used by users, which are recorded using files in the user's main directory.
The history of these commands. Generally, the file name is. History (CSH), or. Bash-history.