Building and maintaining systems with FreeBSD

Archive for August, 2006

Using the FTPD that ships with FreeBSD

Create the ftp user for anonymous FTP

# /usr/sbin/sysinstall
Configure - Networking - Anon FTP

# ll /var/ftp/*
/var/ftp/etc:
total 46
-rw-r--r--  1 root  operator     27 Aug 25 23:31 ftpmotd
-r--r--r--  1 root  operator    311 Aug 25 23:30 group
-r--r--r--  1 root  operator    125 Aug 25 23:33 localtime
-r--r--r--  1 root  operator  40960 Aug 25 23:30 pwd.db

/var/ftp/incoming:
total 0

/var/ftp/pub:
total 0

ftp configuration files and related paths

/etc/ftpusers - List of users who are not welcome or are restricted.
/etc/ftpchroot - List of ordinary users who are chrooted.
/etc/ftphosts - Configuration file for virtual hosts.
/etc/ftpwelcome - Welcome message.
/etc/ftpmotd - Welcome message shown after login.
/var/run/nologin - Its contents are displayed and access is refused.
/var/log/ftpd - Log file for anonymous transfers.
/etc/localtime - Local time definition file ($HOME/etc/localtime inside a chroot).

Using the ftpchroot feature

# vi /etc/ftpchroot
userhoge
userhoge2

Local time definition file
Once a user is chrooted, /etc/localtime can no longer be read, so provide a copy inside the chroot:

# mkdir /home/userdir/etc
# cp /etc/localtime /home/userdir/etc/localtime

inetd and logging configuration

# vi /etc/rc.conf
inetd_enable="YES"

# vi /etc/inetd.conf
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l

# vi /etc/syslog.conf
ftp.info                                        /var/log/xferlog

# vi /etc/newsyslog.conf
/var/log/xferlog                        600  7     100  *     JC

Apply the changes

# kill -HUP `cat /var/run/syslog.pid`
# kill -HUP `cat /var/run/inetd.pid`
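The post copies localtime into one user's home by hand. As an added example (not from the original post), this script does the same for every entry in /etc/ftpchroot, honouring the optional chroot-directory field of ftpchroot(5); group entries (@name) are skipped, which is an assumption noted in the code. Paths are parameters so it can be dry-run against a scratch tree instead of /.

```sh
#!/bin/sh
# Added example (not from the original post): give every ftpchroot(5) user
# the etc/localtime copy the post creates by hand, so chrooted FTP sessions
# keep correct timestamps. Paths are parameters for testing against a
# scratch directory.
#
#   sync_ftpchroot_localtime FTPCHROOT HOMEBASE ZONEFILE
#     FTPCHROOT  file in /etc/ftpchroot format: "name [dir]", '#' comments
#     HOMEBASE   directory holding the users' homes (e.g. /home)
#     ZONEFILE   zone file to copy (e.g. /etc/localtime)
# Prints one line per chroot updated; returns 0 on success, 1 on error.
sync_ftpchroot_localtime() {
    list=$1 homebase=$2 zonefile=$3
    [ -r "$zonefile" ] || { echo "cannot read $zonefile" >&2; return 1; }
    while read -r line; do
        line=${line%%#*}          # drop comments
        set -- $line              # $1 = name, $2 = optional chroot dir
        [ -z "$1" ] && continue
        case $1 in
            @*) echo "skipping group entry $1 (assumption: expand members first)" >&2
                continue ;;
        esac
        home="$homebase/$1"
        # Optional second field: absolute chroot dir, or relative to the home.
        case $2 in
            "") root=$home ;;
            /*) root=$2 ;;
            *)  root="$home/$2" ;;
        esac
        target="$root/etc/localtime"
        # Already current: nothing to do, so the script is safe to run from cron.
        if [ -f "$target" ] && cmp -s "$zonefile" "$target"; then
            continue
        fi
        mkdir -p "$root/etc" || return 1
        # 0444 like /etc/localtime: readable inside the chroot, but the FTP
        # user cannot replace the zone data.
        cp "$zonefile" "$target" && chmod 0444 "$target" || return 1
        echo "updated $target"
    done < "$list"
}
```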

Trying out Big Brother

Create the Big Brother administration user

# adduser bb

Download the source from Big Brother System and Network Monitor – Download

$ cd ~
$ tar xzvf bb-1.9i.tar.gz
$ tar xvf BBSVR-bb1.9i-btf.tar

Compile

$ cd bb1.9i-btf/install
$ ./bbconfig freebsd

Do you agree to the terms of this license (y/n): y

Thank you, installation continuing...

---> We'll configure for freebsd...

        Big Brother needs it's own user id.  If your BB user doesn't exist,
        you'll have to create it then re-run bbconfig.

What will be the user ID for BB [bb]: bb
---> BB will only run from user 'bb'

        Making sure BBHOME  is writable...

---> OK, /usr/home/bb/bb1.9i-btf is fine...

        When you set up your machines, you should use Fully Qualified
        Domain names, this means you use the whole name, like www.bb4.com,
        instead of just 'www'.  This is recommended.

Use FQDN (y/n): [y] y
---> Good, we'll use FQDN

        Big Brother creates HTML pages with the status of your network.
        You'll need a web server to publish this information.

What host will be the BBDISPLAY [tiesto.vm.selfip.com]: tiesto.vm.selfip.com
---> OK... tiesto.vm.selfip.com will be a BBDISPLAY

        Big Brother sends important messages to a pager server.  This
        machine will at a minimum to be able to send mail.

What host will be the BBPAGER [tiesto.vm.selfip.com]:
---> OK... tiesto.vm.selfip.com will be a BBPAGER

        Some questions regarding the current host
        (tiesto.vm.selfip.com) will be asked.

Is this host a BBDISPLAY host (y/n): [y] y

Is this host a BBPAGER host (y/n): [y] y

Enter the default e-mail address to send notifications to: [root@localhost]

        Since Big Brother produces results to be displayed on web
        pages, we need to know where to view these results.

Enter the base URL for BB [/bb]:
---> OK... Big Brother will live under http://localhost/bb

        Big Brother also uses CGI scripts to create dynamic output.
        What directory do these scripts live in?

Enter CGI directory [/home/www/httpd/cgi-bin]: /usr/local/www/apache22/cgi-bin/
---> OK... CGI scripts will live at /usr/local/www/apache22/cgi-bin/

Enter the base URL of the CGI scripts [/cgi-bin]:
---> OK... The base URL location of CGI scripts is in /cgi-bin

--------------------------------------------------------

--> UPDATING runbb.sh
--> UPDATING bbsys.local
--> CHECKING COMMAND PATHNAMES
*** Verifying pathnames to necessary commands...
*** The following changes need to be made...
        --> /usr/sbin/nslookup changed to /usr/bin/nslookup
*** Making changes...

*** We've noticed that we've set some of the pathnames wrong
*** by default here.  May we mail a summary of the paths we
*** missed back to info@bb4.com so we can update our installs?
[y/n]
y
*** Please enter the OS name and version:
freebsd
*** Mail sent, thanks!
*** Done.
--> UPDATING bbdef.sh
--> UPDATING URL location
--> INSTALLING CGI scripts

        BB needs to set the group name of the www/rep directory
        to the group name of the web server by using its user name

Enter web server user id [nobody]: www

        You may override the group name determined by the previous step.

Enter group name [www]: www

--> SETTING WRITE PERMISSION FOR OWNER AND GROUP FOR www/rep
--> CHANGING THE GROUP ID OF www/rep
--> UPDATING pager scripts

--------------------------------------------------------

--------------------------------------------------------

--> Done.  Now do
                chown -R bb /usr/home/bb/bbvar /usr/home/bb/bb1.9i-btf
                su - bb
                        to continue installation using that user ID

Now compile Big Brother

                cd /usr/home/bb/bb1.9i-btf/src
                make
                make install

--------------------------------------------------------

Install

$ su
# chown -R bb /usr/home/bb/bbvar /usr/home/bb/bb1.9i-btf

# cd /home/bb/bb1.9i-btf/src
# make
# make install

Directory permission changes

# ln -s /usr/home/bb/bb1.9i-btf/www /usr/local/www/apache22/data/bb

# cd /home/bb/bb1.9i-btf/www
# chgrp www rep

Configure the hosts to monitor

$ vi /usr/home/bb/bb1.9i-btf/etc/bb-hosts

group-compress <B>INTRA Segment</B>
192.168.15.1    gw.vm.selfip.com
192.168.15.105  tiesto.vm.selfip.com # BBNET BBDISPLAY BBPAGER ftp smtp pop3 telnet ssh http://vm.selfip.com/
192.168.15.115  land.vm.selfip.com http://192.168.15.115/

group-compress <H3><I>Web Servers</I></H3>
206.223.157.122 banana2848.maido3.com http://www.2ch.net/
61.200.161.48   www.kddi.com # noping http://www.kddi.com/
61.206.46.13    www.japan-telecom.co.jp # noping http://www.japan-telecom.co.jp/
61.208.134.143  www.ntt.com # noping http://www.ntt.com/

Starting and checking Big Brother

# su - bb -c "/usr/home/bb/bb1.9i-btf/runbb.sh start"
Starting Big Brother

-> BBOUT.OLD file has over 2000 lines
-> Consider removing it to save space...

        Starting Big Brother Daemon (bbd)...
        Starting Network tests (bb-network)...
        Starting Display process (bb-display)...
Big Brother 1.9i started

# ps ax|grep bb
68764  ??  Is     0:00.00 /usr/home/bb/bb1.9i-btf/bin/bbd
68772  p1  S      0:00.00 /bin/sh /usr/home/bb/bb1.9i-btf/runbb.sh start
68775  p1  S      0:00.00 /bin/sh /usr/home/bb/bb1.9i-btf/runbb.sh start
68778  p1  S+     0:00.00 grep bb

# su - bb -c "/usr/home/bb/bb1.9i-btf/runbb.sh stop"
Stopping Big Brother...
kill: 69451: No such process
kill: 68775: No such process
kill: 69346: No such process
kill: 69403: No such process
kill: 69404: No such process
kill: 69405: No such process
kill: 68775: No such process
kill: 68980: No such process

Customization and tips

Security for peace of mind

# vi /usr/local/etc/apache22/httpd.conf
<Files mt-config.cgi>
<Limit GET>
deny from all
</Limit>
</Files>

<Files mt.cgi>
    order deny,allow
    deny from all
    allow from 192.168.20.120
</Files>

# cd /usr/local/www/apache22/cgi-bin/mt
# chmod 000 mt-check.cgi mt-upgrade.cgi

# vi /usr/local/www/apache22/cgi-bin/mt/mt-config.cgi
AdminScript ****-mt.cgi
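The Deny for mt-config.cgi above sits inside `<Limit GET>`, which covers only GET (and HEAD); any other method still reaches the file. As an added example, not the post's own config, here is the same rule written so it applies to every method, in the Apache 2.2 syntax used on this page.

```apache
# Added example (not from the original post), Apache 2.2 syntax.
# Weak form: Deny inside <Limit GET> applies to GET and HEAD only, so a
# POST or OPTIONS request to mt-config.cgi is not denied.
#<Files mt-config.cgi>
#    <Limit GET>
#        Deny from all
#    </Limit>
#</Files>

# Hardened form: no <Limit> wrapper, so the Deny covers every method.
<Files mt-config.cgi>
    Order deny,allow
    Deny from all
</Files>
```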

Hiding the link to mt.cgi

# vi /usr/local/www/apache22/cgi-bin/mt/mt-config.cgi
CGIPath http://www.your-site.com/path/to/mt/
AdminCGIPath https://www.your-site.com/path/to/admin/

Changing the output format of entry archives

%y/%m/%d-%h%n.php
2006/08/19-0013.php (example)

Output a list of titles and dates on the archive page
(example: sample)

<div id="content">
<div class="blog">

<h2 class="date">アーカイブ</h2>
<div class="entry">
   <ul class="archive-list">
      <MTArchiveList>
         <li class="archive-list-item"><a href="<$MTArchiveLink$>"><$MTArchiveTitle$></a> <$MTArchiveDate format="%x"$></li>
      </MTArchiveList>
   </ul>
</div>

</div>
</div>

Others in preparation


Running SSL with your own certificate authority

Generating the private key

# /usr/bin/openssl genrsa -out /usr/local/etc/apache22/server.key 1024
Generating RSA private key, 1024 bit long modulus
.....................++++++
.............................................................++++++
e is 65537 (0x10001)

Generating the CSR (certificate signing request)

# /usr/bin/openssl req -new -days 365 \
    -key /usr/local/etc/apache22/server.key \
    -out /usr/local/etc/apache22/server.csr

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
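As an added example (not from the original post), the key and CSR steps above carried through to a certificate signed by your own CA, run non-interactively with -subj in place of the DN prompts and checked with openssl verify before installation. It assumes the openssl command is installed; the output directory, CA name and 2048-bit key size are choices made here, not values from the post.

```sh
#!/bin/sh
# Added example (not from the original post): private CA, server key, CSR,
# signed certificate and verification in one non-interactive function.
#
#   make_selfca_cert OUTDIR SERVER_CN
# Writes ca.key, ca.crt, server.key, server.csr, server.crt under OUTDIR and
# returns 0 only if server.crt verifies against ca.crt.
make_selfca_cert() {
    out=$1 cn=$2
    mkdir -p "$out" || return 1
    # 1. Private CA: key plus self-signed root certificate. The post's
    #    1024-bit key is no longer accepted by clients; 2048 is the floor today.
    openssl genrsa -out "$out/ca.key" 2048 2>/dev/null || return 1
    openssl req -new -x509 -days 365 -key "$out/ca.key" \
        -subj "/CN=Example Private CA" -out "$out/ca.crt" || return 1
    # 2. Server key and CSR (the post's two steps). CN must be the host name
    #    clients will connect to, otherwise they reject the certificate.
    openssl genrsa -out "$out/server.key" 2048 2>/dev/null || return 1
    openssl req -new -key "$out/server.key" -subj "/CN=$cn" \
        -out "$out/server.csr" || return 1
    # 3. Sign the CSR with the CA; -CAcreateserial keeps ca.srl so every
    #    issued certificate gets a distinct serial number.
    openssl x509 -req -days 365 -in "$out/server.csr" \
        -CA "$out/ca.crt" -CAkey "$out/ca.key" -CAcreateserial \
        -out "$out/server.crt" 2>/dev/null || return 1
    # Private keys are secrets: root-readable only, like server.key in
    # the post's Apache config directory.
    chmod 0600 "$out/ca.key" "$out/server.key"
    # 4. Confirm the chain before installing it into Apache.
    openssl verify -CAfile "$out/ca.crt" "$out/server.crt" >/dev/null
}

# Prints the subject of a certificate, to confirm the CN that was issued.
cert_subject() {
    openssl x509 -noout -subject -in "$1"
}
```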