Protecting a FreeBSD Server

In Episode 048 of the BSD Now podcast, Allan referenced a great blog post on twisteddaemon listing basic security steps to perform after a new install. The checklist is also a good guide for a checkup of a mature server, which I recently did with a production server. Besides confirming sshd was configured correctly for public-key login only, I found ntpd and ftp still enabled and listening on ports I had forgotten about (I no longer need either), and I also found syslogd was opening a network port for remote logging. All of these have now been disabled.

In addition to the checklist, Allan also recommended using a tool like denyhosts to reduce ssh door knocking. I’ve never quantified the time being wasted answering the door, but I’m running older hardware and my server log lists several hundred to upwards of a thousand knocks per day, so it may be significant.

Installing denyhosts was pretty simple with the help of On How to Install denyhosts on FreeBSD. The only issue I had was how to include at least one allowed host (addresses in the denyhosts allowed-hosts file are never blocked) to prevent accidentally locking myself out. I never connect to the server from a static IP address, and it’s not readily clear to me what address ranges would cover my travels around town. However, the server is in the basement, so it’s not an issue so long as I’m not travelling.

I’ll let you know in a couple of weeks how my server logs are looking, and whether my 2 GB single-core P4 is feeling less stressed (and behaving snappier).
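For anyone repeating the checkup above, here is a small script I’ve added for this write-up; it is not from the twisteddaemon checklist, the BSD Now episode, or any FreeBSD tool. It checks two things the checkup turned up: that sshd really is key-only (sshd keeps the first occurrence of a keyword, and settings after a Match line are conditional, which is easy to get wrong when editing by hand), and which listening sockets belong to commands you did not expect. The sshd_config and sockstat output below are constructed samples so the script runs offline; on a real host feed it /etc/ssh/sshd_config and `sockstat -4 -6 -l` as shown in the comments. The allow list of commands is an assumption to adjust for your own server.

```shell
#!/bin/sh
# Added example (not from the original post or any FreeBSD tool).
# Real use:  check_sshd_config < /etc/ssh/sshd_config
#            sockstat -4 -6 -l | unexpected_listeners "sshd httpd"

# Effective value of an sshd_config keyword held in $CFG. sshd keeps the FIRST
# occurrence of a keyword, so a later "PasswordAuthentication yes" does not
# override an earlier "no". Keywords after a Match line only apply
# conditionally, so scanning stops there; an absent keyword yields the default.
#   $1 keyword (lower case)   $2 alias keyword or ""   $3 default when absent
sshd_value() {
    printf '%s\n' "$CFG" | awk -v k="$1" -v a="$2" -v d="$3" '
        /^[[:space:]]*#/ { next }
        NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == k || (a != "" && tolower($1) == a) { print tolower($2); found = 1; exit }
        END { if (!found) print d }'
}

check_setting() { # $1 label  $2 actual  $3 wanted
    if [ "$2" = "$3" ]; then
        printf 'ok   %s = %s\n' "$1" "$2"
    else
        printf 'FAIL %s = %s (want %s)\n' "$1" "$2" "$3"
        rc=1
    fi
}

# Reads sshd_config on stdin; returns 0 only when login is public-key only.
check_sshd_config() {
    CFG=$(cat)
    rc=0
    check_setting PasswordAuthentication "$(sshd_value passwordauthentication '' yes)" no
    # KbdInteractiveAuthentication is the current name; ChallengeResponseAuthentication the old alias
    check_setting KbdInteractiveAuthentication "$(sshd_value kbdinteractiveauthentication challengeresponseauthentication yes)" no
    # the compiled-in PermitRootLogin default differs between systems, so require it explicitly
    check_setting PermitRootLogin "$(sshd_value permitrootlogin '' unset)" no
    check_setting PubkeyAuthentication "$(sshd_value pubkeyauthentication '' yes)" yes
    return $rc
}

# Reads `sockstat -4 -6 -l` output on stdin (columns: USER COMMAND PID FD PROTO
# LOCAL ADDRESS FOREIGN ADDRESS) and prints "command proto address" for every
# listener whose command is not in the space-separated allow list in $1.
# Returns 1 if anything was printed.
unexpected_listeners() {
    awk -v allow=" $1 " '
        NR == 1 { next }
        NF >= 6 && index(allow, " " $2 " ") == 0 { print $2, $5, $6; bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# --- constructed sample input (not from a real server) ---
SAMPLE_SSHD='# sshd_config (constructed): key-only login; the last
# PasswordAuthentication line is ignored because sshd keeps the first one
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PasswordAuthentication yes'

SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1234  4  tcp6   *:22                  *:*
root     sshd       1234  5  tcp4   *:22                  *:*
root     syslogd    800   6  udp4   *:514                 *:*
root     ntpd       900   20 udp4   *:123                 *:*
root     inetd      950   5  tcp4   *:21                  *:*
www      httpd      1100  4  tcp4   *:80                  *:*'

printf '%s\n' "$SAMPLE_SSHD" | check_sshd_config
printf '%s\n' "$SAMPLE_SOCKSTAT" | unexpected_listeners "sshd httpd" ||
    echo "unexpected listeners found: disable them or add the command to the allow list"
```

On the sample the second check reports syslogd, ntpd and inetd, which is the same set I found on my own server. The fixes are in /etc/rc.conf: ntpd_enable="NO", removing the ftp line from /etc/inetd.conf (or inetd_enable="NO" if nothing else uses it), and syslogd_flags="-ss" for syslogd; note that the FreeBSD default of a single -s only refuses remote messages but still binds udp/514, while -ss opens no network socket at all.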

Other references:

Hosting PHP Apps on Apache using PHP-FPM

Here are notes from some research I did a while back on using php-fpm with Apache and Nginx. dalescott.net will likely never reach traffic levels where it would benefit, so I’m staying with Apache 2.2 and mod_php for now.

php-fpm

  • http://php-fpm.org
    • project site, code now included in php
  • http://php.net/manual/en/install.fpm.php
    • discusses fpm but does not include specific install or config instructions (though the user-contributed notes have some)

Apache

  • Google: apache+mod_proxy+fcgi+php
  • Google: apache+php+php-fpm+freebsd
  • TODO: add references etc to blog post on same topic

Project docs

  • http://wiki.apache.org/httpd/PHP-FPM
  • http://httpd.apache.org/docs/current/mod/mod_proxy_fcgi.html
  • http://httpd.apache.org/docs/current/mod/mod_proxy.html

Blogs, tutorials, and forums

  • http://www.howtoforge.com/using-php5-fpm-with-apache-2.4-mod_proxy_fcgi-module-on-fedora-18
  • http://garajau.com.br/blog/2013/12/apache-2-4-and-php-fpm-using-mod_proxy_fcgi
  • http://www.binarytides.com/setup-apache-php-fpm-mod-proxy-fcgi-ubuntu
  • http://jkroon.blogs.uls.co.za/it/security/using-php-fpm-and-mod_proxy_fcgi-to-optimize-and-secure-lamp-servers
  • http://www.rodrigocalado.com.br/famp-instalando-o-apache-2-4-php-5-5-mysql-5-6-no-freebsd-9-x-9-2-release/
    • in Portuguese (the title reads “FAMP: installing Apache 2.4, PHP 5.5, MySQL 5.6 on FreeBSD 9.x/9.2-RELEASE”); needs translating
  • http://www.janoszen.com/2013/04/29/setting-up-apache-with-php-fpm/
  • http://forum.nginx.org/read.php?3,172673
    • nginx forum, but discusses Apache2, php-fpm, FastCGI
    • also see referenced post http://forum.nginx.org/read.php?3,131665,144226#msg-144226
  • http://www.hosting.com/support/linux/configure-apache-to-use-php-fpm/
    • Configure Apache to use PHP-FPM
  • http://funcptr.net/2010/11/14/apache-mod_fastcgi-and-php-with-php-fpm/
  • http://harold.internal.org/tag/freebsd/
    • Apache with PHP-FPM, chroots and per-vhost UIDs
  • http://www.yiiframework.com/doc/guide/1.1/en/quickstart.apache-nginx-config
    • tcp port

Nginx

  • Google: nginx+PHP+php-fpm+freebsd

Blogs, tutorials, and forums

  • http://arstechnica.com/series/web-served
    • nginx, php, php-fpm, ….
    • VERY detailed
    • uses tcp port to communicate with php-fpm
  • http://blog.bobbyallen.me/2013/01/05/install-nginx-mysql-php-apc-and-memcached-on-freebsd-9-0
    • uses tcp port to communicate with php-fpm
    • provides nginx.conf file (downloadable)
    • intended use FuelPHP framework
  • http://blog.secaserver.com/2011/07/freebsd-nginx-php-fastcgi-installation
    • uses tcp port with php-fpm
  • http://fendyhussain.wordpress.com/2012/11/23/freebsd-nginx-with-php5
    • uses fastcgi (not fpm)
  • http://till.klampaeckel.de/blog/archives/44-Nginx+PHP+FastCGI-Testing-your-web-application-with-bleeding-edge-PHP.html
    • uses fastcgi
  • http://www.defcon1.org/html/nginx.html
    • installing nginx with PHP FPM on FreeBSD 8.x-9.0
    • uses fastcgi
  • http://www.howtoforge.com/installing-nginx-with-php5-and-php-fpm-and-mysql-support-lemp-on-debian-wheezy
    • discusses both unix sockets and tcp port config with fpm
  • http://www.howtoforge.com/installing-nginx-with-php5-and-php-fpm-and-mysql-support-lemp-on-ubuntu-12.10
  • http://www.yiiframework.com/wiki/153/using-yii-with-nginx-and-php-fpm
    • describes unix sockets on BSD for better performance (but must use tcp sockets with Linux due to a kernel bug/issue)
  • http://www.yiiframework.com/doc/guide/1.1/en/quickstart.apache-nginx-config
    • tcp port
  • http://bin63.com/how-to-install-nginx-and-php-fpm-on-freebsd
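Since the references above (the Apache mod_proxy_fcgi ones, and the nginx ones that differ on unix sockets versus a tcp port) never quite show the finished configuration, here is an added example I wrote for this post; it is not taken from any of the linked pages or from the php-fpm or Apache projects. It emits one php-fpm pool per vhost running as its own user and listening on a unix socket that only the Apache user (www on FreeBSD) can connect to, plus the matching Apache 2.4 vhost, and it audits an existing pool file for the weak variants: a tcp listener (any local user can connect to 127.0.0.1:9000 and run PHP as the pool user), a world-writable socket, or a pool running as www. The site name, paths and the site1 user are assumptions; the user must exist before php-fpm will start the pool.

```shell
#!/bin/sh
# Added example (not from the original post, php-fpm, or Apache). Names and
# paths are assumptions: pool "site1", docroot /usr/local/www/site1, a local
# user "site1", Apache running as "www" as on FreeBSD.

# Emit a php-fpm pool that runs as its own unprivileged user and listens on a
# unix socket only the Apache user may connect to (the socket is the access
# control; a tcp listener on localhost has none).
fpm_pool() {
    name=$1; docroot=$2
    cat <<EOF
[$name]
user = $name
group = $name
listen = /var/run/php-fpm/$name.sock
; only processes in group www can connect (connect needs write permission)
listen.owner = www
listen.group = www
listen.mode = 0660
pm = ondemand
pm.max_children = 5
pm.process_idle_timeout = 10s
; keep the pool inside its own tree even if the app has a path bug
php_admin_value[open_basedir] = $docroot:/tmp
php_admin_flag[allow_url_fopen] = off
php_admin_flag[expose_php] = off
EOF
}

# Emit the Apache 2.4 vhost that hands *.php to that socket. "proxy:unix:" in
# SetHandler needs Apache 2.4.10 or newer with mod_proxy and mod_proxy_fcgi loaded.
apache_vhost() {
    name=$1; docroot=$2; servername=$3
    cat <<EOF
<VirtualHost *:80>
    ServerName $servername
    DocumentRoot $docroot/htdocs
    <Directory "$docroot/htdocs">
        Require all granted
    </Directory>
    <FilesMatch "\.php\$">
        SetHandler "proxy:unix:/var/run/php-fpm/$name.sock|fcgi://localhost/"
    </FilesMatch>
</VirtualHost>
EOF
}

# Audit an existing pool file (stdin) for settings that let any local user
# reach the pool. Returns 1 if anything was flagged.
audit_pool() {
    awk '
        /^[[:space:]]*[;#]/ { next }
        /^[[:space:]]*listen[[:space:]]*=/ {
            v = $0; sub(/^[^=]*=[[:space:]]*/, "", v)
            if (v !~ /^\//) { print "FAIL listen = " v ": tcp endpoint, any local user can connect; use a unix socket"; bad = 1 }
            next
        }
        /^[[:space:]]*listen\.mode[[:space:]]*=/ {
            v = $0; sub(/^[^=]*=[[:space:]]*/, "", v)
            if (v ~ /[2367]$/) { print "FAIL listen.mode = " v ": socket is writable (connectable) by everyone"; bad = 1 }
            next
        }
        /^[[:space:]]*user[[:space:]]*=/ {
            v = $0; sub(/^[^=]*=[[:space:]]*/, "", v)
            if (v == "www" || v == "root") { print "FAIL user = " v ": a PHP compromise would own the web server files too"; bad = 1 }
        }
        END { exit bad ? 1 : 0 }'
}

# Demo: print the two config fragments, then audit a weak pool and the generated one.
fpm_pool site1 /usr/local/www/site1
apache_vhost site1 /usr/local/www/site1 site1.example.com
printf 'listen = 127.0.0.1:9000\nlisten.mode = 0666\nuser = www\n' | audit_pool ||
    echo "weak pool settings found (constructed example)"
fpm_pool site1 /usr/local/www/site1 | audit_pool && echo "generated pool passes"
```

Redirect fpm_pool into a file under the php-fpm pool directory and apache_vhost into your Includes directory, then restart both services. The same pool file works for nginx with fastcgi_pass unix:/var/run/php-fpm/site1.sock; the point of the socket mode and per-vhost user is identical there.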

Configuring Git

I needed to configure Git on a new server recently (no GUI), and couldn’t remember my typical configuration.

Disable Output Color-Coding

Many developers can’t live without color-coded command-line output, but I find at best it’s hard to read and distracting, and at worst absolutely incomprehensible with high ambient lighting and some screen glare. To disable color-coded command line output from Git:

$ git config --global color.ui false
$ git config --global color.diff false
$ git config --global color.status false
$ git config --global color.branch false
$ git config --global color.interactive false

Ignore File-Mode Changes

Git may report that executable files (e.g. shell scripts) have been modified purely because of a difference in file mode. If a file is committed as executable from a Unix environment and the repository is then cloned on Windows, the Windows file system has no executable bit to preserve, so Git there sees the file’s mode as 100644 instead of the committed 100755 and reports it as modified even though its content is unchanged. Committing that “modified” file in Windows and pushing the change back results in the file no longer being executable on the Unix side (until its file mode is set back to executable and committed again). Git for Windows normally sets core.filemode to false at clone time for exactly this reason, so the problem usually shows up when that default has been overridden or the repository was created by other tooling.

If this is an issue for you, set your Windows global Git config (~/.gitconfig) to ignore file mode changes, but first check that your global configuration is not overridden by a repository configuration (.git/config), which takes precedence.

Check your global and local configs:

$ git config --global core.filemode
$ cd gitrepo
$ git config core.filemode

Set configuration to ignore file mode changes:

$ git config --global core.filemode false
$ cd gitrepo
$ git config core.filemode false
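Before switching core.filemode off it is worth knowing which of the reported changes are mode-only noise and which are real edits, and once it is off, remember that chmod on the working tree no longer changes anything in the index, so a lost executable bit has to be put back with git update-index. The script below is an added example written for this post (it is not from Git or from my usual setup); it reads the output of git diff --raw (same format from git diff --raw HEAD for staged changes) and separates the two cases, then prints the commands that restore the executable bit for the mode-only entries. The diff lines are a constructed sample; paths containing spaces are not handled (use git diff --raw -z for that).

```shell
#!/bin/sh
# Added example (not from the original post or from Git).
# Input format, one entry per line from `git diff --raw`:
#   :<old mode> <new mode> <old blob> <new blob> <status>\t<path>

# Print "mode-only <old> <new> <path>" when only the mode changed (both blobs
# are the same object), otherwise "content <path>".
classify_raw_diff() {
    awk '
        /^:/ {
            oldmode = substr($1, 2); newmode = $2
            if ($3 == $4 && oldmode != newmode) print "mode-only", oldmode, newmode, $6
            else print "content", $6
        }'
}

# Print the commands that put the executable bit back in the index for files
# whose only change is 100755 -> 100644 (e.g. after a Windows clone dropped it).
# Content changes and files that were never executable are left alone.
restore_exec_bits() {
    awk '
        /^:/ && $3 == $4 && substr($1, 2) == "100755" && $2 == "100644" {
            print "git update-index --chmod=+x --", $6
        }'
}

# Constructed sample: deploy.sh lost its executable bit, README.md was edited,
# run.sh was edited but kept its mode.
SAMPLE_RAW=$(printf ':100755 100644 9b2c3a4... 9b2c3a4... M\tdeploy.sh\n:100644 100644 1a2b3c4... 5d6e7f8... M\tREADME.md\n:100755 100755 2222222... 3333333... M\trun.sh\n')

printf '%s\n' "$SAMPLE_RAW" | classify_raw_diff
printf '%s\n' "$SAMPLE_RAW" | restore_exec_bits
```

On a real repository the two lines at the bottom become `git diff --raw | classify_raw_diff` and `git diff --raw | restore_exec_bits | sh`, the second only after you have read the list.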

Removing Ports No Longer Required

I replaced Postfix with ssmtp recently, and wanted to check my FreeBSD server for any installed ports that are no longer needed. Thanks to Chris on the FreeBSD mailing list, I have added some new portmaster flags to my toolkit.

First, you may want to verify your ports index by rebuilding it (or run make fetchindex instead to download a prebuilt one, which is much faster than building it locally):

# cd /usr/ports
# make index

Next, list the ports installed, grouped by:

  • Root ports (No dependencies, not depended on)
  • Trunk ports (No dependencies, are depended on)
  • Branch ports (Have dependencies, are depended on)
  • Leaf ports (Have dependencies, not depended on)

# portmaster -l

Finally, delete the leaf ports that you know you don’t need on their own (root ports are candidates too, since nothing depends on them either):

# portmaster -e portname

Deleting a leaf port can turn its dependencies into new leaf ports, so run portmaster -l again afterwards, or use portmaster -s to clean out the stale ports that are no longer depended on.
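To make the last step less error-prone on a server with a long port list, here is an added helper I wrote for this post (not from Chris, portmaster, or the FreeBSD project). It reads the portmaster -l listing, keeps only the root and leaf sections (the ports nothing else needs), drops the ones on a keep list of port names you know you want, and prints the rest as candidates along with the portmaster -e commands for review. The listing below is a constructed sample in the layout portmaster -l prints (===>>> section headers, one ===>>> line per package, a count line per section); the package names and versions are made up.

```shell
#!/bin/sh
# Added example (not from the original post or from portmaster).
# Reads `portmaster -l` on stdin; $1 is a space-separated keep list of port
# names without version (e.g. "pkg ssmtp portmaster").
# Prints "root|leaf name-version" for every root or leaf port not on the list.
removal_candidates() {
    awk -v keep=" $1 " '
        /^===>>> (Root|Leaf) ports/   { section = tolower($2); next }
        /^===>>> (Trunk|Branch) ports/ { section = ""; next }
        /^===>>> [0-9]+ /             { next }      # "===>>> 2 leaf ports" count line
        section != "" && /^===>>> / {
            pkg = $2
            name = pkg; sub(/-[^-]*$/, "", name)   # strip -version[,epoch]
            if (index(keep, " " name " ") == 0) print section, pkg
        }'
}

# Same input and keep list; prints the portmaster commands for the candidates
# so they can be read before they are run.
expunge_commands() {
    removal_candidates "$1" | awk '{ print "portmaster -e " $2 }'
}

# Constructed sample in the layout portmaster -l prints; names are made up.
SAMPLE_PORTMASTER='===>>> Root ports (No dependencies, not depended on)
===>>> pkg-1.3.8_2
===>>> ssmtp-2.64_3
===>>> 2 root ports

===>>> Trunk ports (No dependencies, are depended on)
===>>> pcre-8.35
===>>> 1 trunk port

===>>> Branch ports (Have dependencies, are depended on)
===>>> 0 branch ports

===>>> Leaf ports (Have dependencies, not depended on)
===>>> postfix-2.11.1,1
===>>> portmaster-3.17.7
===>>> 2 leaf ports'

# Demo: with pkg, ssmtp and portmaster on the keep list, only postfix is left.
printf '%s\n' "$SAMPLE_PORTMASTER" | removal_candidates 'pkg ssmtp portmaster'
printf '%s\n' "$SAMPLE_PORTMASTER" | expunge_commands 'pkg ssmtp portmaster'
```

On a real host replace the sample with `portmaster -l | removal_candidates "$KEEP"`; re-run it after each removal, because deleting a leaf port can leave its dependencies as new leaf ports.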

Thanks, Chris.