MT6 FreeBSD

From The Network People, Inc. - Wiki

Deprecated

This page has moved to GitHub.


Install FreeBSD 10

FreeBSD jails are an excellent way to segregate services (and contain a compromise of any one of them) while consuming minimal resources, even more so when combined with ZFS.

On the [virtual] machine, install the latest version of FreeBSD 10 from FreeBSD-10.N-RELEASE-amd64-disk1.iso, where N is the latest available version. During the install, select the appropriate keyboard map (usually default), and hostname. Disable all the optional installs and use an automatic ZFS-on-root file system. If you only have one disk, use the default stripe method. Enable boot time services ssh, ntpd, and powerd.

Prepare the Host

Apply security updates

After installation and reboot, update the system with the latest security updates and an up-to-date ports tree:

freebsd-update fetch install
portsnap fetch update || portsnap fetch extract

Local customizations

Add a user account for yourself, install sudo, and log in via SSH to continue. (The sudoers line below uses 'matt' as the example username; substitute your own.)

adduser
pkg install -y sudo
echo 'matt ALL=(ALL) NOPASSWD: ALL' >> /usr/local/etc/sudoers

change root shell to bourne (or bash)

Install bash or switch to sh for this session:

sh

NTPd

It is very important for mail systems to have accurate clocks. If you did not enable it during the OS install, enable the built-in ntpd daemon now.

grep -q ntpd_enable /etc/rc.conf || echo 'ntpd_enable="YES"' >> /etc/rc.conf
grep -q ntpd_sync_ /etc/rc.conf || echo 'ntpd_sync_on_start="YES"' >> /etc/rc.conf
/etc/rc.d/ntpd restart

To increase security, edit /etc/ntp.conf and comment out the two lines under 'only allow time queries' and uncomment the entries under the description that says, 'block all unauthorized access'. For even greater security, consider installing openntpd from ports instead.

disable network services that bind to *

grep -q syslogd_flags /etc/rc.conf || echo 'syslogd_flags="-ss"' >> /etc/rc.conf
service syslogd restart
grep -q sendmail_enable /etc/rc.conf || echo 'sendmail_enable="NO"' >> /etc/rc.conf
service sendmail onestop

Edit /etc/ssh/sshd_config and set the ListenAddress directive to the primary IP address of the jail host. Then restart sshd:

service sshd restart

Confirm that nothing besides ntpd is listening on all IP addresses (the sshd line below matches only because of the *:* in the foreign-address column; its local address is the host IP, as intended):

sockstat | grep \* | grep -v 123
root     sshd       707   3  tcp4   10.0.1.7:22           *:*

All is well.
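The sockstat check above is a one-off eyeball test. The following is an added example, not part of the original wiki page or the Mail Toaster project, that turns it into a repeatable audit: it parses sockstat output, reports every socket bound to the wildcard address except an allowlist of ports, and exits non-zero so a provisioning script can stop on an unexpected listener. The sockstat listing embedded in it is constructed sample data, not output from a real host.

```shell
#!/bin/sh
# Constructed sample of `sockstat -46l` output (not captured from a real host).
# syslogd and mysqld are deliberately bound to * so the check has something to flag.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       707   3  tcp4   10.0.1.7:22           *:*
root     ntpd       650   20 udp4   *:123                 *:*
root     ntpd       650   21 udp6   *:123                 *:*
root     syslogd    600   6  udp4   *:514                 *:*
mysql    mysqld     900   12 tcp4   *:3306                *:*
www      nginx      950   6  tcp4   127.0.0.12:80         *:*'

# wildcard_listeners: read sockstat output on stdin and print one
# "proto command port" line per socket whose LOCAL ADDRESS is *:port,
# skipping any port passed as an argument (123 for ntpd on this host).
wildcard_listeners() {
    awk -v allow="$*" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR > 1 && $6 ~ /^\*:/ {
            split($6, addr, ":")
            if (!(addr[2] in ok)) print $5, $2, addr[2]
        }'
}

# check_sample: run the filter over the constructed listing, allowing only 123.
check_sample() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | wildcard_listeners 123
}

# audit_wildcard_listeners: the real check for a FreeBSD host. Returns 1 and
# lists the offenders when anything outside the allowlist is bound to *.
audit_wildcard_listeners() {
    found=$(sockstat -46l | wildcard_listeners "$@")
    if [ -n "$found" ]; then
        printf 'Unexpected wildcard listeners:\n%s\n' "$found" >&2
        return 1
    fi
    return 0
}

# Stand-alone run: prints "udp4 syslogd 514" and "tcp4 mysqld 3306".
check_sample
```

On the jail host, `audit_wildcard_listeners 123` is the call to put at the end of the "disable network services" step; the `-4`, `-6` and `-l` flags restrict sockstat to listening IPv4/IPv6 sockets, which is the column layout the awk fields assume.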

devfs ruleset enabling BPF

This permits the jailed p0f daemon to inspect the raw packets and fingerprint the remote OS.

tee -a /etc/devfs.rules <<EO_DEVFS
[devfsrules_jail_bpf=7]
add include \$devfsrules_hide_all
add include \$devfsrules_unhide_basic
add include \$devfsrules_unhide_login
add path zfs unhide
add path 'bpf*' unhide
EO_DEVFS
NAT & port mapping

Add PF firewall rules which:

  • route incoming POP3, and IMAP connections to the vpopmail jail
  • route incoming SMTP to the smtp jail
  • establish NAT, permitting each jail to make outbound connections

grep -q pf_enable /etc/rc.conf || echo 'pf_enable="YES"' >> /etc/rc.conf
export NETIF=`netstat -i | awk 'NR==2{print $1;exit}'`
export EXTIP=`ifconfig $NETIF | grep inet | grep -v fe80 | awk '{ print $2 }' | sed 'N;s/\n/ /'`
grep -q bruteforce /etc/pf.conf || tee -a /etc/pf.conf <<EO_PF_RULES
ext_if="$NETIF"
table <ext_ips> { $EXTIP }
table <bruteforce>  persist

# default route to the internet for jails on loopback IPs
nat on \$ext_if from 127.0.0.1/8 to any -> (\$ext_if)

# POP3 & IMAP traffic to vpopmail jail
rdr proto tcp from any to <ext_ips> port { 110 143 993 995 } -> 127.0.0.8

# SMTP traffic to the Haraka jail
rdr proto tcp from any to <ext_ips> port { 25 465 587 } -> 127.0.0.9

# HTTP traffic to HAproxy
rdr proto tcp from any to <ext_ips> port { 80 443 } -> 127.0.0.12

block in quick from <bruteforce>
EO_PF_RULES
/etc/rc.d/pf restart
pfctl -f /etc/pf.conf

Check /etc/pf.conf and make sure the detected network interface and IP address are the ones you prefer: the interface is taken from the second line of netstat -i output and the address from the first non-link-local inet entry on it, and neither guess is verified. Run pfctl -nf /etc/pf.conf to parse the file without loading it if you edit it by hand.
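The interface and address detection above can silently pick lo0 or a loopback address, in which case the redirects never match and the jails are unreachable from outside. The following added example (not from the wiki page or the Mail Toaster project) is a small pre-flight check to run before pfctl -f: it reads a pf.conf in the shape generated above and reports an ext_if of lo0, loopback entries in the ext_ips table, and rdr targets that are not loopback jail addresses. Both pf.conf fragments in it are constructed; the good one mirrors the rules on this page with an assumed interface em0 and address 10.0.1.7.

```shell
#!/bin/sh
# Constructed pf.conf fragment in the shape this page generates (assumed
# interface em0 and host address 10.0.1.7; not taken from a real host).
GOOD_PF='ext_if="em0"
table <ext_ips> { 10.0.1.7 }
table <bruteforce>  persist

nat on $ext_if from 127.0.0.1/8 to any -> ($ext_if)
rdr proto tcp from any to <ext_ips> port { 110 143 993 995 } -> 127.0.0.8
rdr proto tcp from any to <ext_ips> port { 25 465 587 } -> 127.0.0.9
rdr proto tcp from any to <ext_ips> port { 80 443 } -> 127.0.0.12
block in quick from <bruteforce>'

# Constructed broken variant: interface detection picked lo0, the external
# table holds a loopback address, and a redirect points outside 127/8.
BAD_PF='ext_if="lo0"
table <ext_ips> { 127.0.0.1 }
rdr proto tcp from any to <ext_ips> port { 25 } -> 10.0.1.9'

# pf_conf_problems: read a pf.conf on stdin, print one line per problem
# found, and return 1 if any were printed (0 when the file looks sane).
pf_conf_problems() {
    problems=$(awk '
        /^ext_if=/ {
            gsub(/ext_if=|"/, "")
            if ($0 == "lo0" || $0 == "")
                print "ext_if is \"" $0 "\": not an external interface"
        }
        /^table <ext_ips>/ {
            n = split($0, w, " ")
            for (i = 1; i <= n; i++)
                if (w[i] ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && w[i] ~ /^127\./)
                    print "ext_ips contains loopback address " w[i]
        }
        /^rdr / {
            if ($NF !~ /^127\./)
                print "rdr target " $NF " is not a loopback jail address"
        }')
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

# Stand-alone run: the good fragment is silent, the bad one lists three problems.
printf '%s\n' "$GOOD_PF" | pf_conf_problems && echo "GOOD_PF: ok"
printf '%s\n' "$BAD_PF" | pf_conf_problems || echo "BAD_PF: rejected"
```

On the host the check is `pf_conf_problems < /etc/pf.conf && pfctl -f /etc/pf.conf`; the function only inspects the values this page's heredoc fills in, so pfctl -n remains the syntax check for anything else you add to the file.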

jail.conf

Install a jail.conf file with the settings needed for each jail.

pkg install -y ca_root_nss
fetch -o /etc/jail.conf http://mail-toaster.org/install/mt6-jail-conf.txt
grep -q jail_enable /etc/rc.conf || tee -a /etc/rc.conf <<EO_JAILENABLE
jail_enable="YES"
jail_list="dns mysql vpopmail webmail haproxy clamav avg rspamd spamassassin haraka dspam monitor"
EO_JAILENABLE
fetch -o /usr/local/sbin/jailmanage http://www.tnpi.net/computing/freebsd/jail_manage.txt
chmod 755 /usr/local/sbin/jailmanage

Review the contents of /etc/jail.conf, making changes as desired or necessary.

patch rc.d/jail

This patch makes the jail rc script stop jails in the reverse of their start order. It is currently making its way through the FreeBSD review/acceptance process.

fetch -o - http://mail-toaster.com/install/mt6-jail-rcd.txt | patch -d /

create jail 'base'

Set TARGET and MIRROR as preferred and create the base jail as a template:

export MIRROR="ftp://ftp.freebsd.org"
export TARGET="10.2-RELEASE"
zfs create -o mountpoint=/jails zroot/jails
zfs create zroot/jails/base
fetch -o - $MIRROR/pub/FreeBSD/releases/`uname -m`/$TARGET/base.txz | tar -C /jails/base -xvpJf -

It will take a couple of minutes to download the archive and extract it.

update base jail

sed -i .bak -e 's/^Components.*/Components world kernel/' /jails/base/etc/freebsd-update.conf
freebsd-update -b /jails/base -f /jails/base/etc/freebsd-update.conf fetch install

configure base jail

mkdir /jails/base/usr/ports
export BASE_ETC=/jails/base/etc
cp /etc/resolv.conf $BASE_ETC
cp /etc/localtime $BASE_ETC
tee -a $BASE_ETC/make.conf <<EO_MAKE_CONF
WITH_PKGNG=yes
WRKDIRPREFIX?=/tmp/portbuild
EO_MAKE_CONF
sysrc -f $BASE_ETC/rc.conf \
   sendmail_enable=NONE \
   cron_flags='\\$cron_flags -J 15' \
   syslogd_flags=-ss
service jail start base
pkg -j base install -y pkg vim-lite sudo bash ca_root_nss
jexec base chpass -s /usr/local/bin/bash

See also: Install bash

base configuration from within

jexec base bash

install SSL/TLS certificate

Install SSL certificate

return to the host environment

exit

make a filesystem for each jail

service jail stop base
zfs snapshot zroot/jails/base@10.2
for i in dns mysql clamav spamassassin dspam vpopmail haraka webmail monitor haproxy rspamd avg;
do
   zfs clone zroot/jails/base@10.2 zroot/jails/$i
done

Start Jails

service jail start

admire the jails

# jls
JID  IP Address      Hostname                Path
   3  127.0.0.3       dns                /jails/dns
   4  127.0.0.4       mysql              /jails/mysql
   5  127.0.0.8       vpopmail           /jails/vpopmail
   6  127.0.0.10      webmail            /jails/webmail
   7  127.0.0.12      haproxy            /jails/haproxy
   8  127.0.0.5       clamav             /jails/clamav
   9  127.0.0.14      avg                /jails/avg
  10  127.0.0.13      rspamd             /jails/rspamd
  11  127.0.0.6       spamassassin       /jails/spamassassin
  12  127.0.0.9       haraka             /jails/haraka
  13  127.0.0.7       dspam              /jails/dspam
  14  127.0.0.11      monitor            /jails/monitor
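Each jail on this page gets its own loopback address and the PF rdr rules from the NAT section send traffic to those addresses by number, so a typo in jail.conf (two jails sharing an IP, or a redirect pointing at an address no jail holds) shows up only as a silently broken service. The following added example, which is not part of the wiki page or the Mail Toaster project, cross-checks a jls listing against the rdr rules: it reports duplicated jail IPs, jail IPs outside 127.0.0.0/8, and redirect targets with no jail behind them. The jls and pf.conf text embedded in it is constructed sample data with a deliberate duplicate address and a deliberately missing haproxy jail.

```shell
#!/bin/sh
# Constructed `jls` output in the layout shown on this page (not captured from
# a real host). The duplicate 127.0.0.8 on "webmail" is deliberate.
SAMPLE_JLS='   JID  IP Address      Hostname                Path
     3  127.0.0.3       dns                /jails/dns
     4  127.0.0.4       mysql              /jails/mysql
     5  127.0.0.8       vpopmail           /jails/vpopmail
     6  127.0.0.8       webmail            /jails/webmail
    12  127.0.0.9       haraka             /jails/haraka'

# Constructed pf.conf fragment with the redirect lines from this page; the
# haproxy target 127.0.0.12 has no jail in the listing above.
SAMPLE_PF='rdr proto tcp from any to <ext_ips> port { 110 143 993 995 } -> 127.0.0.8
rdr proto tcp from any to <ext_ips> port { 25 465 587 } -> 127.0.0.9
rdr proto tcp from any to <ext_ips> port { 80 443 } -> 127.0.0.12'

# jail_ip_duplicates: read a jls listing on stdin, print each IP claimed by
# more than one jail.
jail_ip_duplicates() {
    awk 'NR > 1 { seen[$2]++ } END { for (ip in seen) if (seen[ip] > 1) print ip }'
}

# jail_ips_outside_loopback: print "hostname ip" for jails not in 127/8,
# i.e. jails reachable directly instead of only through the pf redirects.
jail_ips_outside_loopback() {
    awk 'NR > 1 && $2 !~ /^127\./ { print $3, $2 }'
}

# rdr_targets_without_jail: pf.conf on stdin, jls listing in $1; print each
# rdr target address that no running jail holds.
rdr_targets_without_jail() {
    {
        printf '%s\n' "$1" | awk 'NR > 1 { print "JAIL", $2 }'
        awk '/^rdr / { print "RDR", $NF }'
    } | awk '$1 == "JAIL" { jail[$2] = 1; next }
             $1 == "RDR" && !($2 in jail) { print $2 }'
}

# Stand-alone run over the constructed data: prints 127.0.0.8 (duplicate)
# and 127.0.0.12 (redirect with no jail).
printf '%s\n' "$SAMPLE_JLS" | jail_ip_duplicates
printf '%s\n' "$SAMPLE_JLS" | jail_ips_outside_loopback
printf '%s\n' "$SAMPLE_PF" | rdr_targets_without_jail "$SAMPLE_JLS"
```

On the host the three checks read live data: `jls | jail_ip_duplicates`, `jls | jail_ips_outside_loopback` and `rdr_targets_without_jail "$(jls)" < /etc/pf.conf`; all three print nothing when the jail layout matches the firewall rules.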

Continue to DNS

Follow the install steps in the right side navigation bar.