FreeBSD8.1安装笔记
这是之前给35服务器装完ESXi之后给虚拟机安装FreeBSD8的过程,整理一下放到这里存档吧。
分区划分
(对/和/var有较大的冗余,因为/usr/home、/var/log都已经独立出来,所以16G的根分区显得非常多):
Filesystem Size Used Avail Capacity Mounted on
/dev/da0s1a 16G 2.7G 12G 19% /
/dev/da0s1d 4.7G 10M 4.3G 0% /var
/dev/da1s1g 40G 20G 16G 56% /data
/dev/da1s1d 29G 17G 9.6G 64% /usr/home
/dev/da1s1e 28G 610M 26G 2% /var/log
/dev/da1s1f 58G 27G 26G 51% /www
/dev/da2s1d 71G 345M 65G 1% /backup
安装的FB8.1虚拟机使用了三块虚拟硬盘:da0纯安装系统和软件,受快照系统影响;da1和da2是日常数据和备份数据,都为独立属性不受快照系统影响。出任何系统问题只需要恢复系统快照即可恢复网站访问。/www中存放网站程序文件以及附件,/data 中存放MySQL数据,/var/log中存放所有日志文件,/usr/home存放用户数据,/backup为备份内容。
补发一些当时重装FreeBSD8.1的笔记。最小化安装FreeBSD8,再通过PORTS安装Apache、Nginx、PHP、MySQL、Memcache等软件
下载Ports
portsnap fetch
更新Ports
portsnap update
更改当前用户使用的 Shell:chsh 命令会永久地更换你的登录 shell(例如换为 tcsh)
改用bash: chsh -s /usr/local/bin/bash
复原csh:chsh -s /bin/csh
一个tcsh配置文件示例
alias h history 25
alias ls ls -FG
umask 22
set path = (/sbin /bin /usr/sbin /usr/bin /usr/games /usr/local/sbin /usr/local/bin /usr/X11R6/bin $HOME/bin)
set prompt='%B%n%b@%U%m%u %S%/%s %#'
set prompt2='%R?'
set prompt3='CORRECT> %B%R%b (y|n|e)?'
set autolist
set history=2048
set savehist = 2048 merge
setenv LANG en_US.ISO8859-1
setenv LC_ALL en_US.ISO8859-1
setenv EDITOR vi
setenv PAGER more
setenv BLOCKSIZE K
安装axel
/usr/ports/ftp/axel/
修改/etc/make.conf (找不到这个文件,就新建) ,加入以下内容换成多线程下载
FETCH_CMD=axel
FETCH_BEFORE_ARGS= -n 5 -a
FETCH_AFTER_ARGS=
DISABLE_SIZE=yes
安装sudo
/usr/ports/security/sudo,sudo的配置文件在/usr/local/etc/sudoers里面。sudo的配置文件不应直接编辑,而应使用 visudo 来进行修改
%wheel ALL=(ALL) ALL
这一行允许 wheel 组的所有成员通过 sudo 执行全部命令。
Defaults:M-gtuiw timestamp_timeout=0, runaspw, passwd_tries=1
这一行让 sudo 每次都重新验证密码(timestamp_timeout=0 表示不缓存认证,runaspw 表示要求输入目标用户的密码),并把密码输入次数限制为 1 次。
安装Apache
/usr/ports/www/apache22
cd /usr/src/sys/modules/accf_data;make clean;make;make install;make clean;kldload accf_data(解决可能出现的内核模块问题)
cd /usr/src/sys/modules/accf_http;make clean;make;make install;make clean;kldload accf_http(解决可能出现的内核模块问题)
echo 'apache22_enable="YES"' >> /etc/rc.conf
echo 'accf_http_load="YES"' >> /boot/loader.conf(解决可能出现的内核模块问题)
安装PHP52
/usr/ports/lang/php52
echo 'AddType application/x-httpd-php .php' >> /usr/local/etc/apache22/httpd.conf
cp /usr/local/etc/php.ini-recommended /usr/local/etc/php.ini
修改php.ini
open_basedir = /www:/tmp
disable_functions = passthru,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_open,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,popen,stream_socket_server
display_errors = Off
output_buffering = On
安装php扩展
/usr/ports/lang/php52-extensions
cd /usr/ports/www/eaccelerator
make install clean
在php.ini中添加
zend_extension="/usr/local/lib/php/extensions/no-debug-non-zts-20060613/eaccelerator.so"
eaccelerator.shm_size="32"
eaccelerator.cache_dir="/data/cache/ea"
eaccelerator.enable="1"
eaccelerator.optimizer="1"
eaccelerator.check_mtime="1"
eaccelerator.debug="0"
eaccelerator.filter=""
eaccelerator.shm_max="0"
eaccelerator.shm_ttl="0"
eaccelerator.shm_prune_period="0"
eaccelerator.shm_only="0"
eaccelerator.compress="1"
eaccelerator.compress_level="9"
安装MySQL
/usr/ports/databases/mysql50-server/
make WITH_XCHARSET=all
cp /usr/local/share/mysql/my-small.cnf /etc/my.cnf
/usr/local/bin/mysql_install_db --user=mysql
chown -R mysql:mysql /var/db/mysql/
/usr/local/bin/mysqld_safe -u mysql &
mysqladmin -u root password tobethepassword(修改 root 密码;此处密码会明文出现在命令行参数与 shell 历史中)
echo 'mysql_enable="YES"' >> /etc/rc.conf
安装ProFTPD
安装webmin
安装CVSUP
/usr/ports/net/cvsup
ee /usr/share/examples/cvsup/stable-supfile
更新 src 可用的一些更新服务器地址:
cvsup.freebsdchina.org
cvsup2.freebsdchina.org
cvsup3.freebsdchina.org
cvsup.scivoid.com
cvsup.cn.freebsd.org
更新源码: cvsup -g -L 2 /usr/share/examples/cvsup/stable-supfile
在内核配置文件中添加以下 IPF 支持选项,然后重新编译内核
options IPFILTER
options IPFILTER_LOG
options IPFILTER_DEFAULT_BLOCK
rc.conf中添加
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf/ipf.conf"
ipmon_enable="YES"
ipmon_flags="-Ds"
ipnat_enable="YES"
ipnat_rules="/etc/ipf/ipnat.conf"
安装memcache
cd /usr/ports/databases/pecl-memcache
make install clean
安装Squid 并选择[X] SQUID_PF Enable transparent proxying with PF
/usr/ports/www/squid
差不多到这里需要安装的软件全部装完了,这个时候推荐对/www执行一下
find ./ -type f -print0 | xargs -0 chmod u-x,g-x,o-x
这样就可以去除掉所有网站文件的执行权限,并且可以依照情况去除所有网站目录的r权限,这样即使被取得webshell别人也不能对相应的目录进行列表。(推荐将不需要写入的文件夹的写入权限去除,不需要写入的网站文件夹给x权限,需要写入的网站文件夹给wx权限)
至于通过修改/etc/sysctl.conf和/boot/loader.conf文件调优,实际效果并不明显,但多少还是有些效果的。 不过网上一份流传得很广的sysctl.conf文件是有问题的,连FB的大大都专门逐条解释了相应的错误,下一页贴上我现在用的sysctl.conf文件。
相应的意义可以在网上搜索一下
# $FreeBSD: src/etc/sysctl.conf,v 1.8.34.1.2.1 2009/10/25 01:10:29 kensmith Exp $
#
# This file is read when going to multi-user and its contents piped thru
# ``sysctl'' to adjust kernel values. ``man 5 sysctl.conf'' for details.
#
# Uncomment this to prevent users from seeing information about processes that
# are being run under another UID.
#security.bsd.see_other_uids=0
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0
kern.ipc.nmbclusters=32768
net.inet.tcp.drop_synfin=1
kern.maxvnodes=8446
security.bsd.see_other_uids=0
kern.ipc.maxsockbuf=262144
net.inet.icmp.drop_redirect=1
net.inet.icmp.log_redirect=1
net.inet.ip.redirect=0
net.inet.icmp.icmplim=200
net.inet.icmp.icmplim_output=0
net.inet.tcp.always_keepalive=1
net.inet.tcp.msl=2000
net.inet.tcp.blackhole=2
kern.ipc.somaxconn=1024
kern.coredump=0
其实IPF配置也是一个大头内容,临时写了一个配置文件,非常简单的内容。需要的可以参考一下,放在下页
默认对外只开放 80 和 443 端口(下面的规则另外放行了 FTP 被动端口段、ICMP,以及来自一台指定主机和一个指定网段的全部流量)
# allow 21
#pass in quick from any to 202.101.208.xx mask 255.255.255.255 port = 21
# allow 22
#pass in quick from any to 202.101.208.xx mask 255.255.255.255 port = 22
# allow 80
pass in quick from any to 202.101.208.xx mask 255.255.255.255 port = 80
# Allow 443
pass in quick from any to 202.101.208.xx mask 255.255.255.255 port = 443
# FTP PASV
pass in quick from any to 202.101.208.xx mask 255.255.255.255 port 2000 >< 2030
# Allow 8081
#pass in quick from any to 202.101.208.xx mask 255.255.255.255 port = 8081
# Allow ECJTU
pass in quick from 202.101.208.aa mask 255.255.255.255 to 202.101.208.xx mask 255.255.255.255
# Allow ECJTU2
pass in quick from 172.16.86.0 mask 255.255.255.0 to 202.101.208.xx mask 255.255.255.255
#pass in all
# Out going
pass out quick from 202.101.208.xx mask 255.255.255.255 to any keep state
pass out all
# ################################################################
# Loopback Interface
# ################################################################
# ----------------------------------------------------------------
# Allow everything to/from your loopback interface so you
# can ping yourself (e.g. ping localhost)
# ----------------------------------------------------------------
pass in quick on lo0 all
pass out quick on lo0 all
# ################################################################
# Inside Interface
# ################################################################
# ----------------------------------------------------------------
# Allow out all TCP, UDP, and ICMP traffic & keep state
# ----------------------------------------------------------------
# pass out quick on le0 all head 1
# pass out quick on le0 proto tcp from any to any keep state group 1
# pass out quick on le0 proto udp from any to any keep state group 1
# pass out quick on le0 proto icmp from any to any keep state group 1
########################################################################
#Allow in all TCP , UDP and ICMP traffic & keep state
########################################################################
#pass in quick on le0 proto tcp from any to any keep state
#pass in quick on le0 proto udp from any to any keep state
pass in quick on le0 proto icmp from any to any keep state
再来一个内核配置文件好了
只有需要的硬件和支持
cpu I686_CPU
ident Holmesian
#Holmesian add this to make the kernel better!
#IPF
options IPFILTER
options IPFILTER_LOG
options IPFILTER_DEFAULT_BLOCK
options SCHED_ULE # ULE scheduler
options PREEMPTION # Enable kernel thread preemption
options INET # InterNETworking
#options INET6 # IPv6 communications protocols
options SCTP # Stream Control Transmission Protocol
options FFS # Berkeley Fast Filesystem
options SOFTUPDATES # Enable FFS soft updates support
options UFS_ACL # Support for access control lists
options UFS_DIRHASH # Improve performance on big directories
options UFS_GJOURNAL # Enable gjournal-based UFS journaling
options MD_ROOT # MD is a potential root device
#options NFSCLIENT # Network Filesystem Client
#options NFSSERVER # Network Filesystem Server
#options NFSLOCKD # Network Lock Manager
#options NFS_ROOT # NFS usable as /, requires NFSCLIENT
options MSDOSFS # MSDOS Filesystem
options CD9660 # ISO 9660 Filesystem
options PROCFS # Process filesystem (requires PSEUDOFS)
options PSEUDOFS # Pseudo-filesystem framework
options GEOM_PART_GPT # GUID Partition Tables.
options GEOM_LABEL # Provides labelization
options COMPAT_43TTY # BSD 4.3 TTY compat (sgtty)
options COMPAT_FREEBSD4 # Compatible with FreeBSD4
options COMPAT_FREEBSD5 # Compatible with FreeBSD5
options COMPAT_FREEBSD6 # Compatible with FreeBSD6
options COMPAT_FREEBSD7 # Compatible with FreeBSD7
options SCSI_DELAY=5000 # Delay (in ms) before probing SCSI
options KTRACE # ktrace(1) support
options STACK # stack(9) support
options SYSVSHM # SYSV-style shared memory
options SYSVMSG # SYSV-style message queues
options SYSVSEM # SYSV-style semaphores
options P1003_1B_SEMAPHORES # POSIX-style semaphores
options _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options PRINTF_BUFR_SIZE=128 # Prevent printf output being interspersed.
options KBD_INSTALL_CDEV # install a CDEV entry in /dev
options HWPMC_HOOKS # Necessary kernel hooks for hwpmc(4)
options AUDIT # Security event auditing
options MAC # TrustedBSD MAC Framework
options FLOWTABLE # per-cpu routing cache
#options KDTRACE_HOOKS # Kernel DTrace hooks
options INCLUDE_CONFIG_FILE # Include this file in kernel
# To make an SMP kernel, the next two lines are needed
options SMP # Symmetric MultiProcessor Kernel
device apic # I/O APIC
# CPU frequency control
device cpufreq
# Bus support.
device acpi
device eisa
device pci
# Floppy drives
#device fdc
# ATA and ATAPI devices
device ata
device atadisk # ATA disk drives
#device ataraid # ATA RAID drives
device atapicd # ATAPI CDROM drives
#device atapifd # ATAPI floppy drives
#device atapist # ATAPI tape drives
options ATA_STATIC_ID # Static device numbering
# SCSI Controllers
device ahb # EISA AHA1742 family
device ahc # AHA2940 and onboard AIC7xxx devices
options AHC_REG_PRETTY_PRINT # Print register bitfields in debug
# output. Adds ~128k to driver.
device ahd # AHA39320/29320 and onboard AIC79xx devices
options AHD_REG_PRETTY_PRINT # Print register bitfields in debug
# output. Adds ~215k to driver.
device amd # AMD 53C974 (Tekram DC-390(T))
device hptiop # Highpoint RocketRaid 3xxx series
device isp # Qlogic family
#device ispfw # Firmware for QLogic HBAs- normally a module
device mpt # LSI-Logic MPT-Fusion
#device ncr # NCR/Symbios Logic
device sym # NCR/Symbios Logic (newer chipsets + those of `ncr')
device trm # Tekram DC395U/UW/F DC315U adapters
device adv # Advansys SCSI adapters
device adw # Advansys wide SCSI adapters
device aha # Adaptec 154x SCSI adapters
device aic # Adaptec 15[012]x SCSI adapters, AIC-6[23]60.
device bt # Buslogic/Mylex MultiMaster SCSI adapters
device ncv # NCR 53C500
device nsp # Workbit Ninja SCSI-3
device stg # TMC 18C30/18C50
# SCSI peripherals
device scbus # SCSI bus (required for SCSI)
device ch # SCSI media changers
device da # Direct Access (disks)
device sa # Sequential Access (tape etc)
device cd # CD
device pass # Passthrough device (direct SCSI access)
device ses # SCSI Environmental Services (and SAF-TE)
# RAID controllers interfaced to the SCSI subsystem
device amr # AMI MegaRAID
device arcmsr # Areca SATA II RAID
device asr # DPT SmartRAID V, VI and Adaptec SCSI RAID
device ciss # Compaq Smart RAID 5*
device dpt # DPT Smartcache III, IV - See NOTES for options
device hptmv # Highpoint RocketRAID 182x
device hptrr # Highpoint RocketRAID 17xx, 22xx, 23xx, 25xx
device iir # Intel Integrated RAID
device ips # IBM (Adaptec) ServeRAID
device mly # Mylex AcceleRAID/eXtremeRAID
device twa # 3ware 9000 series PATA/SATA RAID
# RAID controllers
#device aac # Adaptec FSA RAID
#device aacp # SCSI passthrough for aac (requires CAM)
#device ida # Compaq Smart RAID
#device mfi # LSI MegaRAID SAS
#device mlx # Mylex DAC960 family
#device pst # Promise Supertrak SX6000
#device twe # 3ware ATA RAID
# atkbdc0 controls both the keyboard and the PS/2 mouse
device atkbdc # AT keyboard controller
device atkbd # AT keyboard
device psm # PS/2 mouse
device kbdmux # keyboard multiplexer
device vga # VGA video card driver
device splash # Splash screen and screen saver support
# syscons is the default console driver, resembling an SCO console
device sc
device agp # support several AGP chipsets
# Power management support (see NOTES for more options)
#device apm
# Add suspend/resume support for the i8254.
device pmtimer
# PCCARD (PCMCIA) support
# PCMCIA and cardbus bridge support
#device cbb # cardbus (yenta) bridge
#device pccard # PC Card (16-bit) bus
#device cardbus # CardBus (32-bit) bus
# Serial (COM) ports
device uart # Generic UART driver
# Parallel port
device ppc
device ppbus # Parallel port bus (required)
device lpt # Printer
device plip # TCP/IP over parallel
device ppi # Parallel port interface device
#device vpo # Requires scbus and da
# If you've got a "dumb" serial or parallel PCI card that is
# supported by the puc(4) glue driver, uncomment the following
# line to enable it (connects to sio, uart and/or ppc drivers):
#device puc
# PCI Ethernet NICs.
#device de # DEC/Intel DC21x4x (``Tulip'')
#device em # Intel PRO/1000 Gigabit Ethernet Family
#device igb # Intel PRO/1000 PCIE Server Gigabit Family
#device ixgb # Intel PRO/10GbE Ethernet Card
device le # AMD Am7900 LANCE and Am79C9xx PCnet
#device ti # Alteon Networks Tigon I/II gigabit Ethernet
#device txp # 3Com 3cR990 (``Typhoon'')
#device vx # 3Com 3c590, 3c595 (``Vortex'')
# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device miibus # MII bus support
#device ae # Attansic/Atheros L2 FastEthernet
#device age # Attansic/Atheros L1 Gigabit Ethernet
#device alc # Atheros AR8131/AR8132 Ethernet
#device ale # Atheros AR8121/AR8113/AR8114 Ethernet
#device bce # Broadcom BCM5706/BCM5708 Gigabit Ethernet
#device bfe # Broadcom BCM440x 10/100 Ethernet
#device bge # Broadcom BCM570xx Gigabit Ethernet
#device dc # DEC/Intel 21143 and various workalikes
#device et # Agere ET1310 10/100/Gigabit Ethernet
#device fxp # Intel EtherExpress PRO/100B (82557, 82558)
#device jme # JMicron JMC250 Gigabit/JMC260 Fast Ethernet
#device lge # Level 1 LXT1001 gigabit Ethernet
#device msk # Marvell/SysKonnect Yukon II Gigabit Ethernet
#device nfe # nVidia nForce MCP on-board Ethernet
#device nge # NatSemi DP83820 gigabit Ethernet
#device nve # nVidia nForce MCP on-board Ethernet Networking
#device pcn # AMD Am79C97x PCI 10/100 (precedence over 'le')
#device re # RealTek 8139C+/8169/8169S/8110S
#device rl # RealTek 8129/8139
#device sf # Adaptec AIC-6915 (``Starfire'')
#device sge # Silicon Integrated Systems SiS190/191
#device sis # Silicon Integrated Systems SiS 900/SiS 7016
#device sk # SysKonnect SK-984x & SK-982x gigabit Ethernet
#device ste # Sundance ST201 (D-Link DFE-550TX)
#device stge # Sundance/Tamarack TC9021 gigabit Ethernet
#device tl # Texas Instruments ThunderLAN
#device tx # SMC EtherPower II (83c170 ``EPIC'')
#device vge # VIA VT612x gigabit Ethernet
#device vr # VIA Rhine, Rhine II
#device wb # Winbond W89C840F
#device xl # 3Com 3c90x (``Boomerang'', ``Cyclone'')
# ISA Ethernet NICs. pccard NICs included.
device cs # Crystal Semiconductor CS89x0 NIC
# 'device ed' requires 'device miibus'
#device ed # NE[12]000, SMC Ultra, 3c503, DS8390 cards
#device ex # Intel EtherExpress Pro/10 and Pro/10+
#device ep # Etherlink III based cards
#device fe # Fujitsu MB8696x based cards
#device ie # EtherExpress 8/16, 3C507, StarLAN 10 etc.
#device sn # SMC's 9000 series of Ethernet chips
#device xe # Xircom pccard Ethernet
# Wireless NIC cards
#device wlan # 802.11 support
#options IEEE80211_DEBUG # enable debug msgs
#options IEEE80211_AMPDU_AGE # age frames in AMPDU reorder q's
#options IEEE80211_SUPPORT_MESH # enable 802.11s draft support
#device wlan_wep # 802.11 WEP support
#device wlan_ccmp # 802.11 CCMP support
#device wlan_tkip # 802.11 TKIP support
#device wlan_amrr # AMRR transmit rate control algorithm
#device an # Aironet 4500/4800 802.11 wireless NICs.
#device ath # Atheros pci/cardbus NIC's
#device ath_hal # pci/cardbus chip support
#options AH_SUPPORT_AR5416 # enable AR5416 tx/rx descriptors
#device ath_rate_sample # SampleRate tx rate control for ath
#device ral # Ralink Technology RT2500 wireless NICs.
#device wi # WaveLAN/Intersil/Symbol 802.11 wireless NICs.
#device wl # Older non 802.11 Wavelan wireless NIC.
# Pseudo devices.
device loop # Network loopback
device random # Entropy device
device ether # Ethernet support
device vlan # 802.1Q VLAN support
device tun # Packet tunnel.
device pty # BSD-style compatibility pseudo ttys
device md # Memory "disks"
#device gif # IPv6 and IPv4 tunneling
#device faith # IPv6-to-IPv4 relaying (translation)
device firmware # firmware assist module
# The `bpf' device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
# Note that 'bpf' is required for DHCP.
device bpf # Berkeley packet filter
# USB support
options USB_DEBUG # enable debug msgs
device uhci # UHCI PCI->USB interface
device ohci # OHCI PCI->USB interface
device ehci # EHCI PCI->USB interface (USB 2.0)
device usb # USB Bus (required)
#device udbp # USB Double Bulk Pipe devices
device uhid # "Human Interface Devices"
device ukbd # Keyboard
#device ulpt # Printer
device umass # Disks/Mass storage - Requires scbus and da
device ums # Mouse
#device urio # Diamond Rio 500 MP3 player
# USB Serial devices
device u3g # USB-based 3G modems (Option, Huawei, Sierra)
device uark # Technologies ARK3116 based serial adapters
device ubsa # Belkin F5U103 and compatible serial adapters
device uftdi # For FTDI usb serial adapters
device uipaq # Some WinCE based devices
device uplcom # Prolific PL-2303 serial adapters
device uslcom # SI Labs CP2101/CP2102 serial adapters
device uvisor # Visor and Palm devices
device uvscom # USB serial support for DDI pocket's PHS
# USB Ethernet, requires miibus
#device aue # ADMtek USB Ethernet
#device axe # ASIX Electronics USB Ethernet
#device cdce # Generic USB over Ethernet
#device cue # CATC USB Ethernet
#device kue # Kawasaki LSI USB Ethernet
#device rue # RealTek RTL8150 USB Ethernet
#device udav # Davicom DM9601E USB
# USB Wireless
#device rum # Ralink Technology RT2501USB wireless NICs
#device uath # Atheros AR5523 wireless NICs
#device ural # Ralink Technology RT2500USB wireless NICs
#device zyd # ZyDAS zb1211/zb1211b wireless NICs
# FireWire support
device firewire # FireWire bus code
#device sbp # SCSI over FireWire (Requires scbus and da)
device fwe # Ethernet over FireWire (non-standard!)
device fwip # IP over FireWire (RFC 2734,3146)
device dcons # Dumb console driver
device dcons_crom # Configuration ROM for dcons