
[21Andy.com原创] FreeBSD服务器配置手册 - 系统篇

07年我一直租用美国Softlayer的服务器, 使用FreeBSD, 直接拿真实的服务器来学习.
这是我用了好像是半个月时间, 把服务器重装了50次以上FreeBSD才得出来的笔记, 过程中一步步记录下来的, 现在分享给大家.
基本按它操作, 你就能架一台FreeBSD的WEB服务器了, 主要是跑Apache和MySQL.
也许对你有参考价值.如果你用SoftLayer的服务器, 以下我的笔记, 你基本只需要照抄COPY就可以了.

freebsd_note

系统配置

设置DNS
===========================================
ee /etc/resolv.conf
nameserver 10.0.80.11
nameserver 10.0.80.12

设置cvsup
===========================================
cp /usr/share/examples/etc/make.conf /etc/make.conf
ee /etc/make.conf
加入
------------------------------------------

WITHOUT_X11=yes
WITHOUT_IPV6=yes
WITHOUT_PRINT=yes
WITH_MOD_DAV_SVN=yes    #devel/subversion
WITH_APACHE2_APR=yes    #devel/subversion
WITH_BERKELEYDB=db42    #www/apache22
WITH_CHARSET=utf8           #database/mysql50-server
WITH_XCHARSET=gbk           #database/mysql50-server
WITH_WEBALIZER_CONV=yes #www/webalizer
WITH_GEOIP=yes          #www/webalizer
WITHOUT_BANNER=yes      #ftp/pure-ftpd
WITH_UTF8=yes           #ftp/pure-ftpd

------------------------------------------

CPUTYPE=nocona
MASTER_SITE_OVERRIDE?="http://mirrors.service.softlayer.com/freebsd/distfiles/${DIST_SUBDIR}/"

SUP_UPDATE= YES
SUP=            /usr/bin/csup
SUPFLAGS=       -g -L 2
SUPHOST=        cvsup.service.softlayer.com
SUPFILE=        /usr/share/examples/cvsup/standard-supfile
PORTSSUPFILE=   /usr/share/examples/cvsup/ports-supfile
DOCSUPFILE=     /usr/share/examples/cvsup/doc-supfile

------------------------------------------

cd /usr/src
make update

ee /usr/share/examples/cvsup/standard-supfile
ee /usr/share/examples/cvsup/ports-supfile
        *default host=cvsup.service.softlayer.com
cvsup -L 2 -h cvsup.service.softlayer.com /usr/share/examples/cvsup/standard-supfile
cvsup -L 2 -h cvsup.cn.freebsd.org /usr/share/examples/cvsup/standard-supfile
rehash
cvsup -L 2 -h cvsup.service.softlayer.com /usr/share/examples/cvsup/ports-supfile
cvsup -L 2 -h cvsup.cn.freebsd.org /usr/share/examples/cvsup/ports-supfile
rehash
cvsup -g -L 2 ports-supfile

安装axel
===========================================

cd /usr/ports/ftp/axel
make install clean;rehash

ee /etc/make.conf
FETCH_CMD=axel
FETCH_BEFORE_ARGS= -n 10 -a
FETCH_AFTER_ARGS=
DISABLE_SIZE=yes

MASTER_SITE_OVERRIDE?=\
http://mirrors.service.softlayer.com/freebsd/distfiles/${DIST_SUBDIR}/\
ftp://ftp.freebsd.org/pub/FreeBSD/ports/distfiles/${DIST_SUBDIR}/
MASTER_SITE_OVERRIDE?=${MASTER_SITE_BACKUP}

-------------------------------------------
中国的设置

ee /etc/make.conf
MASTER_SITE_OVERRIDE?=\
http://ports.hshh.org/${DIST_SUBDIR}/\
http://ports.cn.freebsd.org/${DIST_SUBDIR}/
MASTER_SITE_OVERRIDE?=${MASTER_SITE_BACKUP}

axel命令用法

#axel -n 10 -o /home/kennycx/

安装wget
===========================================

cd /usr/ports/ftp/wget/;make install clean

ee /etc/make.conf
FETCH_CMD=wget
FETCH_BEFORE_ARGS= -c -t 1
FETCH_AFTER_ARGS=
DISABLE_SIZE=yes
MASTER_SITE_OVERRIDE?=\
http://mirrors.service.softlayer.com/freebsd/distfiles/${DIST_SUBDIR}/\
ftp://ftp.freebsd.org/pub/FreeBSD/ports/distfiles/${DIST_SUBDIR}/
MASTER_SITE_OVERRIDE?=${MASTER_SITE_BACKUP}

wget命令用法

-b后台 -O指定目录 -t重试 -c断点
#wget -r -p -np -k http://www.21andy.com
-r递归 -p网页图片等 -np不搜索上层目录 -k绝对链接转相对

编译内核

===========================================
查看硬件
-------------------------------------------

sysctl -a
sysctl -a | grep "^dev.*des"
pciconf -lv

# Build and install a custom i386 kernel named "andy", derived from GENERIC.
cd /usr/src/sys/i386/conf
cp GENERIC andy                 # start from GENERIC; the lists below say what to drop/add
ee andy

/usr/sbin/config andy           # generates ../compile/andy from the config file
cd ../compile/andy;make cleandepend;make depend   # NOTE(review): old config(8)-style
                                # build; buildkernel below does its own dependency
                                # pass under /usr/obj, so this step looks redundant
                                # -- confirm before relying on it
cd /usr/src
make buildkernel KERNCONF=andy;make installkernel KERNCONF=andy
# The ";" runs installkernel even when buildkernel fails -- check the build
# output first, or chain the two with "&&". installkernel keeps the previous
# kernel as /boot/kernel.old, which "boot kernel.old" at the loader prompt
# can fall back to if the new one does not boot.

再去掉这些
-------------------------------------------

device         usb             #  Bus (required)
device          ugen            # Generic
options         QUOTA
options         CONSPEED=19200
options         MD_ROOT                 # MD is a potential root device
device          scbus           # SCSI bus (required for SCSI)
device         ch              # SCSI media changers

再加上
-------------------------------------------

options         SOFTUPDATES
options         PMAP_SHPGPERPROC=401
options         DEVICE_POLLING
options         HZ=1000
options ACCEPT_FILTER_DATA
options ACCEPT_FILTER_HTTP

把这些加在loader中
-------------------------------------------

ee /boot/loader.conf
ee /boot/defaults/loader.conf

-------------------------------------------

kern.maxusers="1024"
kern.ipc.nsfbufs="32768"
kern.ipc.maxsockets="32768"
net.inet.tcp.tcbhashsize="2048"
kern.ipc.nmbclusters="0"

SoftLayer内核文件(精简版)
-------------------------------------------

machine         i386
cpu             I686_CPU
ident           andy
options         SCHED_4BSD
options         PREEMPTION
options         INET
options         FFS
options         SOFTUPDATES
options         UFS_ACL
options         UFS_DIRHASH
options         COMPAT_43
options         COMPAT_FREEBSD4
options         COMPAT_FREEBSD5
options         KTRACE
options         SYSVSHM
options         SYSVMSG
options         SYSVSEM
options         ADAPTIVE_GIANT
options         SMP
options         PAE
options         PMAP_SHPGPERPROC=401
options         DEVICE_POLLING
options         HZ=1000
options         ACCEPT_FILTER_DATA
options         ACCEPT_FILTER_HTTP
#options         SOFTUPDATES
device          apic
device          pci
device          ata
device          atadisk
options         ATA_STATIC_ID
device          scbus
device          da
device          atkbdc
device          atkbd
device          kbdmux
device          vga
device          sc
device          agp
device          pmtimer
device          em
device          loop
device          random
device          ether
device          pty
device          md
device          bpf
device          usb

SoftLayer内核文件
-------------------------------------------

#
# GENERIC -- Generic kernel configuration file for FreeBSD/i386
#
# For more information on this file, please read the handbook section on
# Kernel Configuration Files:
#
#    http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-config.html
#
# The handbook is also available locally in /usr/share/doc/handbook
# if you've installed the doc distribution, otherwise always see the
# FreeBSD World Wide Web server (http://www.FreeBSD.org/) for the
# latest information.
#
# An exhaustive list of options and more detailed explanations of the
# device lines is also present in the ../../conf/NOTES and NOTES files.
# If you are in doubt as to the purpose or necessity of a line, check first
# in NOTES.
#
# $FreeBSD: src/sys/i386/conf/GENERIC,v 1.429.2.13 2006/10/09 18:41:36 simon Exp $

machine         i386
#cpu            I486_CPU
#cpu            I586_CPU
cpu             I686_CPU
ident           andy

# To statically compile in device wiring instead of /boot/device.hints
#hints          "GENERIC.hints"         # Default places to look for devices.

#makeoptions     DEBUG=-g                # Build kernel with gdb(1) debug symbols

options         SCHED_4BSD              # 4BSD scheduler
options         PREEMPTION              # Enable kernel thread preemption
options         INET                    # InterNETworking
#options        INET6                   # IPv6 communications protocols
options         FFS                     # Berkeley Fast Filesystem
options         SOFTUPDATES             # Enable FFS soft updates support
options         UFS_ACL                 # Support for access control lists
options         UFS_DIRHASH             # Improve performance on big directories
#options         MD_ROOT                 # MD is a potential root device
#options        NFSCLIENT               # Network Filesystem Client
#options        NFSSERVER               # Network Filesystem Server
#options        NFS_ROOT                # NFS usable as /, requires NFSCLIENT
#options        MSDOSFS                 # MSDOS Filesystem
#options        CD9660                  # ISO 9660 Filesystem
#options         PROCFS                  # Process filesystem (requires PSEUDOFS)
#options         PSEUDOFS                # Pseudo-filesystem framework
#options         GEOM_GPT                # GUID Partition Tables.
options         COMPAT_43               # Compatible with BSD 4.3 [KEEP THIS!]
options         COMPAT_FREEBSD4         # Compatible with FreeBSD4
options         COMPAT_FREEBSD5         # Compatible with FreeBSD5
#options         SCSI_DELAY=5000         # Delay (in ms) before probing SCSI
options        KTRACE                  # ktrace(1) support
options         SYSVSHM                 # SYSV-style shared memory
options         SYSVMSG                 # SYSV-style message queues
options         SYSVSEM                 # SYSV-style semaphores
#options         _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
#options        KBD_INSTALL_CDEV        # install a CDEV entry in /dev
options         ADAPTIVE_GIANT          # Giant mutex is adaptive.
options         SMP
#options         CONSPEED=19200
#options         QUOTA
options         PMAP_SHPGPERPROC=401
options         DEVICE_POLLING
options         HZ=1000
options ACCEPT_FILTER_DATA
options ACCEPT_FILTER_HTTP

device          apic                    # I/O APIC

# Bus support.
#device         eisa
device          pci

# Floppy drives
#device         fdc

# ATA and ATAPI devices
device          ata
device          atadisk         # ATA disk drives
#device         ataraid         # ATA RAID drives
#device         atapicd         # ATAPI CDROM drives
#device         atapifd         # ATAPI floppy drives
#device         atapist         # ATAPI tape drives
options         ATA_STATIC_ID   # Static device numbering

# SCSI Controllers
#device         ahb             # EISA AHA1742 family
#device         ahc             # AHA2940 and onboard AIC7xxx devices
#options        AHC_REG_PRETTY_PRINT    # Print register bitfields in debug
                                        # output.  Adds ~128k to driver.
#device         ahd             # AHA39320/29320 and onboard AIC79xx devices
#options        AHD_REG_PRETTY_PRINT    # Print register bitfields in debug
                                        # output.  Adds ~215k to driver.
#device         amd             # AMD 53C974 (Tekram DC-390(T))
#device         isp             # Qlogic family
#device         ispfw           # Firmware for QLogic HBAs- normally a module
#device         mpt             # LSI-Logic MPT-Fusion
#device         ncr             # NCR/Symbios Logic
#device         sym             # NCR/Symbios Logic (newer chipsets + those of `ncr')
#device         trm             # Tekram DC395U/UW/F DC315U adapters

#device         adv             # Advansys SCSI adapters
#device         adw             # Advansys wide SCSI adapters
#device         aha             # Adaptec 154x SCSI adapters
#device         aic             # Adaptec 15[012]x SCSI adapters, AIC-6[23]60.
#device         bt              # Buslogic/Mylex MultiMaster SCSI adapters

#device         ncv             # NCR 53C500
#device         nsp             # Workbit Ninja SCSI-3
#device         stg             # TMC 18C30/18C50

# SCSI peripherals
device          scbus           # SCSI bus (required for SCSI)
#device         ch              # SCSI media changers
device          da              # Direct Access (disks)
#device         sa              # Sequential Access (tape etc)
#device         cd              # CD
#device         pass            # Passthrough device (direct SCSI access)
#device         ses             # SCSI Environmental Services (and SAF-TE)

# RAID controllers interfaced to the SCSI subsystem
#device         amr             # AMI MegaRAID
#device         arcmsr          # Areca SATA II RAID
#device         asr             # DPT SmartRAID V, VI and Adaptec SCSI RAID
#device         ciss            # Compaq Smart RAID 5*
#device         dpt             # DPT Smartcache III, IV - See NOTES for options
#device         hptmv           # Highpoint RocketRAID 182x
#device         rr232x          # Highpoint RocketRAID 232x
#device         iir             # Intel Integrated RAID
#device         ips             # IBM (Adaptec) ServeRAID
#device         mly             # Mylex AcceleRAID/eXtremeRAID
#device         twa             # 3ware 9000 series PATA/SATA RAID

# RAID controllers
#device         aac             # Adaptec FSA RAID
#device         aacp            # SCSI passthrough for aac (requires CAM)
#device         ida             # Compaq Smart RAID
#device         mfi             # LSI MegaRAID SAS
#device         mlx             # Mylex DAC960 family
#device         pst             # Promise Supertrak SX6000
#device         twe             # 3ware ATA RAID

# atkbdc0 controls both the keyboard and the PS/2 mouse
device          atkbdc          # AT keyboard controller
device          atkbd           # AT keyboard
#device         psm             # PS/2 mouse

device          kbdmux          # keyboard multiplexer

device          vga             # VGA video card driver

#device         splash          # Splash screen and screen saver support

# syscons is the default console driver, resembling an SCO console
device          sc

# Enable this for the pcvt (VT220 compatible) console driver
#device         vt
#options        XSERVER         # support for X server on a vt console
#options        FAT_CURSOR      # start with block cursor

device          agp             # support several AGP chipsets

# Power management support (see NOTES for more options)
#device         apm
# Add suspend/resume support for the i8254.
device          pmtimer

# PCCARD (PCMCIA) support
# PCMCIA and cardbus bridge support
#device         cbb             # cardbus (yenta) bridge
#device         pccard          # PC Card (16-bit) bus
#device         cardbus         # CardBus (32-bit) bus

# Serial (COM) ports
#device         sio             # 8250, 16[45]50 based serial ports

# Parallel port
#device         ppc
#device         ppbus           # Parallel port bus (required)
#device         lpt             # Printer
#device         plip            # TCP/IP over parallel
#device         ppi             # Parallel port interface device
#device         vpo             # Requires scbus and da

# If you've got a "dumb" serial or parallel PCI card that is
# supported by the puc(4) glue driver, uncomment the following
# line to enable it (connects to the sio and/or ppc drivers):
#device         puc

# PCI Ethernet NICs.
#device         de              # DEC/Intel DC21x4x (``Tulip'')
device          em              # Intel PRO/1000 adapter Gigabit Ethernet Card
#device         ixgb            # Intel PRO/10GbE Ethernet Card
#device         txp             # 3Com 3cR990 (``Typhoon'')
#device         vx              # 3Com 3c590, 3c595 (``Vortex'')

# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
#device         miibus          # MII bus support
#device         bce             # Broadcom BCM5706/BCM5708 Gigabit Ethernet
#device         bfe             # Broadcom BCM440x 10/100 Ethernet
#device         bge             # Broadcom BCM570xx Gigabit Ethernet
#device         dc              # DEC/Intel 21143 and various workalikes
#device         fxp             # Intel EtherExpress PRO/100B (82557, 82558)
#device         lge             # Level 1 LXT1001 gigabit Ethernet
#device         nge             # NatSemi DP83820 gigabit Ethernet
#device         nve             # nVidia nForce MCP on-board Ethernet Networking
#device         pcn             # AMD Am79C97x PCI 10/100(precedence over 'lnc')
#device         re              # RealTek 8139C+/8169/8169S/8110S
#device         rl              # RealTek 8129/8139
#device         sf              # Adaptec AIC-6915 (``Starfire'')
#device         sis             # Silicon Integrated Systems SiS 900/SiS 7016
#device         sk              # SysKonnect SK-984x & SK-982x gigabit Ethernet
#device         ste             # Sundance ST201 (D-Link DFE-550TX)
#device         stge            # Sundance/Tamarack TC9021 gigabit Ethernet
#device         ti              # Alteon Networks Tigon I/II gigabit Ethernet
#device         tl              # Texas Instruments ThunderLAN
#device         tx              # SMC EtherPower II (83c170 ``EPIC'')
#device         vge             # VIA VT612x gigabit Ethernet
#device         vr              # VIA Rhine, Rhine II
#device         wb              # Winbond W89C840F
#device         xl              # 3Com 3c90x (``Boomerang'', ``Cyclone'')

# ISA Ethernet NICs.  pccard NICs included.
#device         cs              # Crystal Semiconductor CS89x0 NIC
# 'device ed' requires 'device miibus'
#device         ed              # NE[12]000, SMC Ultra, 3c503, DS8390 cards
#device         ex              # Intel EtherExpress Pro/10 and Pro/10+
#device         ep              # Etherlink III based cards
#device         fe              # Fujitsu MB8696x based cards
#device         ie              # EtherExpress 8/16, 3C507, StarLAN 10 etc.
#device         lnc             # NE2100, NE32-VL Lance Ethernet cards
#device         sn              # SMC's 9000 series of Ethernet chips
#device         xe              # Xircom pccard Ethernet

# Wireless NIC cards
#device         wlan            # 802.11 support
#device         wlan_wep        # 802.11 WEP support
#device         wlan_ccmp       # 802.11 CCMP support
#device         wlan_tkip       # 802.11 TKIP support
#device         an              # Aironet 4500/4800 802.11 wireless NICs.
#device         ath             # Atheros pci/cardbus NIC's
#device         ath_hal         # Atheros HAL (Hardware Access Layer)
#device         ath_rate_sample # SampleRate tx rate control for ath
#device         awi             # BayStack 660 and others
#device         ral             # Ralink Technology RT2500 wireless NICs.
#device         wi              # WaveLAN/Intersil/Symbol 802.11 wireless NICs.
#device         wl              # Older non 802.11 Wavelan wireless NIC.

# Pseudo devices.
device          loop            # Network loopback
device          random          # Entropy device
device          ether           # Ethernet support
#device         sl              # Kernel SLIP
#device         ppp             # Kernel PPP
#device         tun             # Packet tunnel.
device          pty             # Pseudo-ttys (telnet etc)
device         md              # Memory "disks"
#device         gif             # IPv6 and IPv4 tunneling
#device         faith           # IPv6-to-IPv4 relaying (translation)

# The `bpf' device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
# Note that 'bpf' is required for DHCP.
device          bpf             # Berkeley packet filter

# USB support
#device         uhci            # UHCI PCI->USB interface
#device         ohci            # OHCI PCI->USB interface
#device         ehci            # EHCI PCI->USB interface (USB 2.0)
device         usb             # USB Bus (required)
#device         udbp            # USB Double Bulk Pipe devices
#device          ugen            # Generic
#device         uhid            # "Human Interface Devices"
#device         ukbd            # Keyboard
#device         ulpt            # Printer
#device         umass           # Disks/Mass storage - Requires scbus and da
#device         ums             # Mouse
#device         ural            # Ralink Technology RT2500USB wireless NICs
#device         urio            # Diamond Rio 500 MP3 player
#device         uscanner        # Scanners
# USB Ethernet, requires miibus
#device         aue             # ADMtek USB Ethernet
#device         axe             # ASIX Electronics USB Ethernet
#device         cdce            # Generic USB over Ethernet
#device         cue             # CATC USB Ethernet
#device         kue             # Kawasaki LSI USB Ethernet
#device         rue             # RealTek RTL8150 USB Ethernet

# FireWire support
#device          firewire        # FireWire bus code
#device         sbp             # SCSI over FireWire (Requires scbus and da)
#device          fwe             # Ethernet over FireWire (non-standard!)

#options IPFIREWALL
#options IPFIREWALL_VERBOSE
#options IPFIREWALL_VERBOSE_LIMIT=10
#options IPFIREWALL_DEFAULT_TO_ACCEPT
#options IPSTEALTH

安全

设置远程登录安全
============================================
私钥方法
------------------------------------------

# Key-only root login: generate the pair on the server, install the public
# half as root's authorized_keys, then print the private half to copy it out.
ssh-keygen -t dsa                 # interactive; NOTE(review): DSA is fixed at
                                  # 1024 bits and OpenSSH 7.0+ disables it by
                                  # default -- newer clients need -t rsa or
                                  # -t ed25519 here
cd /root/.ssh
mv id_dsa.pub authorized_keys     # overwrites any existing authorized_keys
cat id_dsa                        # the private key is now in this terminal's
                                  # scrollback/session log; once it is saved on
                                  # the client, remove id_dsa from the server
# NOTE(review): the sshd_config below sets PasswordAuthentication no while
# keeping PermitRootLogin yes, so this key becomes the only way in. Keep this
# session open and test a fresh login on port 6222 before closing it --
# restarting sshd does not drop the session you are already in.

把id_dsa取到本地后, 得用puttygen这个工具转换一下, 再选择导出私钥.
ee /etc/ssh/sshd_config

port 6222
Protocol 2
PermitRootLogin yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
/etc/rc.d/sshd restart

ee /etc/profile
export TMOUT=3600
设定成一个小时
ee /etc/ssh/sshd_config
ClientAliveInterval=60
表示每一分钟,sshd都和ssh client打个招呼,看看他还在不在

设置防火墙 IPFW
===========================================
# ee /etc/rc.conf

firewall_enable="YES"             # rc.d/ipfw loads a rule set at boot
# NOTE(review): firewall_type is interpreted by /etc/rc.firewall only; rc.d/ipfw
# hands it to the custom script below as $1, and /etc/ipfw.rules on this page
# never reads $1 -- so "open" appears to have no effect here.
firewall_type="open"
firewall_script="/etc/ipfw.rules" # run instead of /etc/rc.firewall
firewall_logging="YES"            # lets "deny log" rules reach syslog (the sysctl
                                  # section on this page also sets net.inet.ip.fw.verbose=1)

# ee /etc/sysctl.conf

net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=5

# ee /etc/ipfw.rules
------------------------------------------

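# /etc/ipfw.rules -- stateful rule set bound to the public interface, run by
# rc.d/ipfw through firewall_script. ipfw evaluates rules in number order and
# stops at the first match; whatever is not explicitly allowed reaches rule
# 60000 and is dropped and logged.
ipfw -q -f flush                  # discard whatever rule set is loaded now

pif="lnc0"                        # public interface name
# NOTE(review): the kernel config on this page builds em(4) and leaves lnc(4)
# commented out, so the NIC is probably not lnc0. With a wrong name every
# "via $pif" rule misses and rule 60000 drops all traffic, SSH on 6222
# included. Confirm the name with ifconfig before loading this file.

# rule NUMBER BODY...  -- add one rule quietly (argv identical to "ipfw -q add").
rule() {
  ipfw -q add "$@"
}

# Loopback, then dynamic-rule lookup for established keep-state sessions.
rule 00100 allow all from any to any via lo0
rule 00200 check-state

# Outbound DNS from this host. Fixed: the original read "to 53", which ipfw's
# address parser takes as a destination address (a bare number is read as an
# IPv4 address), not port 53, so neither rule matched DNS traffic; "to any 53"
# is the form every other rule on this page uses.
rule 00300 allow tcp from any to any 53 out via "$pif" keep-state
rule 00400 allow udp from any to any 53 out via "$pif" keep-state

# Web: outbound client traffic, and inbound to this host capped at 10
# simultaneous connections per source address.
rule 00500 allow tcp from any to any 80 out via "$pif" setup keep-state
rule 00600 allow tcp from any to me 80 in via "$pif" setup limit src-addr 10
rule 00700 allow tcp from any to any 443 out via "$pif" setup keep-state
rule 00800 allow tcp from any to me 443 in via "$pif" setup limit src-addr 10

# Mail: outbound SMTP/POP3; the inbound rules stay disabled as in the original.
rule 00900 allow tcp from any to any 25 out via "$pif" setup keep-state
#rule 01000 allow tcp from any to me 25 in via "$pif" setup limit src-addr 1
rule 01100 allow tcp from any to any 110 out via "$pif" setup keep-state
#rule 01100 allow tcp from any to me 110 in via "$pif" setup limit src-addr 1

# Any outbound TCP connection opened from a root-owned socket (ports, cvsup).
# NOTE(review): this is broad -- every root process may connect anywhere.
rule 01200 allow tcp from any to any via "$pif" setup keep-state uid root

# ICMP: outbound only; replies come back through the dynamic rule.
rule 01300 allow icmp from any to any out via "$pif" keep-state
#rule 01300 allow icmp from any to any in via "$pif" keep-state

# FTP control channel, in and out; inbound capped at 2 per source address.
# NOTE(review): passive-mode data connections use other ports and are not
# covered here -- check against the FTP daemon's configuration.
rule 01400 allow tcp from any to any 21 out via "$pif" setup keep-state
rule 01500 allow tcp from any to any 21 in via "$pif" setup limit src-addr 2

# SSH on the non-default port 6222 chosen in sshd_config.
rule 01600 allow tcp from any to any 6222 out via "$pif" setup keep-state
rule 01700 allow tcp from any to any 6222 in via "$pif" setup limit src-addr 2

# Default: drop and log everything else.
rule 60000 deny log all from any to any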


# ee /etc/rc.conf
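# rc.conf settings paired with the port-based rule set below. Only a path is
# meaningful for firewall_script; a value such as "YES" is not a script and
# would just be overwritten by the later assignment, so it is not repeated here.
firewall_enable="YES"             # rc.d/ipfw loads a rule set at boot
firewall_script="/etc/ipfw.rules" # run instead of /etc/rc.firewall; the "deny log"
                                  # rule relies on net.inet.ip.fw.verbose=1 from the
                                  # sysctl section, since firewall_logging is not set here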
# ee /etc/ipfw.rules
------------------------------------------
# server -- simple port-based rule set (second /etc/ipfw.rules variant).
# Unlike the first rule set on this page, rules are not bound to an interface.

# rule NUMBER BODY...  -- add one rule quietly (same argv as "ipfw -q add").
rule() {
  ipfw -q add "$@"
}

ipfw -q -f flush          # start from an empty rule table
ks="keep-state"           # kept from the original; no rule below expands it

# loopback: pass lo0, refuse loopback addresses elsewhere, drop TCP fragments
rule 10 allow all from any to any via lo0
rule 20 deny all from any to 127.0.0.0/8
rule 30 deny all from 127.0.0.0/8 to any
rule 40 deny tcp from any to any frag

# stateful
rule 50 check-state
# NOTE(review): rule 60 passes every TCP segment carrying ACK or RST, on any
# port and in either direction, so the service rules below only gate the
# initial SYN. The first rule set on this page uses "setup ... keep-state"
# per service instead, which does not leave that gap.
rule 60 allow tcp from any to any established
rule 70 allow all from any to any out keep-state
rule 80 allow icmp from any to any        # every ICMP type, both directions

# services (6222 is the sshd port chosen earlier on this page)
rule 110 allow tcp from any to any 21 in          # FTP control
rule 120 allow tcp from any to any 21 out
rule 130 allow tcp from any to any 6222 in        # SSH
rule 140 allow tcp from any to any 6222 out
rule 150 allow tcp from any to any 25 in          # SMTP
rule 160 allow tcp from any to any 25 out
rule 170 allow udp from any to any 53 in          # DNS; inbound only matters
rule 175 allow tcp from any to any 53 in          #   if a resolver listens here
rule 180 allow udp from any to any 53 out
rule 185 allow tcp from any to any 53 out
rule 200 allow tcp from any to any 80 in          # HTTP
rule 210 allow tcp from any to any 80 out
rule 220 allow tcp from any to any 110 in         # POP3
rule 230 allow tcp from any to any 110 out
#rule 240 allow udp from any to any 123 in        # NTP, disabled
#rule 250 allow udp from any to any 123 out
rule 260 allow tcp from any to any 443 out        # HTTPS
rule 270 allow tcp from any to me 443 in

# deny log: everything else is dropped and logged
rule 999 deny log all from any to any

禁止一般用户查看系统日志
===========================================
# chmod g-w,o-r /var/log/*;chmod 600 /etc/syslog.conf;chmod 600 /etc/newsyslog.conf

对bin和sbin进行安全保护
===========================================
# chflags schg /bin/*;chflags schg /sbin/*

禁止一般用户使用crontab
===========================================
# ee /var/cron/allow
root
# chmod 600 /var/cron/allow

优化

网络优化
===========================================
ee /etc/sysctl.conf
-------------------------------------------
kern.ipc.somaxconn=32768
kern.ipc.maxsockbuf=2097152
kern.maxfiles=65536
kern.maxfilesperproc=65536
net.inet.icmp.icmplim=100
net.inet.ip.check_interface=1
net.inet.ip.redirect=0
net.inet.tcp.blackhole=2
net.inet.tcp.always_keepalive=0
net.inet.tcp.delayed_ack=1
net.inet.tcp.msl=2500
net.inet.tcp.recvspace=65535
net.inet.tcp.sendspace=65535
net.inet.udp.blackhole=1
net.inet.udp.maxdgram=65535
net.local.stream.sendspace=65535
net.local.stream.recvspace=65535
#kern.securelevel=0
---------------------------------------
HELVIN
kern.maxusers="1024"
kern.ipc.nsfbufs="32768"
kern.ipc.maxsockets="32768"
net.inet.tcp.tcbhashsize="2048"
kern.ipc.nmbclusters="0"
---------------------------------------
kern.securelevel=0
这个最好配到 /etc/rc.conf 里面。
net.inet.tcp.always_keepalive=1
访问量大的时候通常我们不会希望这样设置。或者至少应该把keepalive的时间缩短。
net.inet.tcp.delayed_ack=0
通常这样改无非让网络更拥堵一些而已。
net.inet.tcp.blackhole=2

系统编辑器默认设置
===========================================
ee /.cshrc
加入
setenv LSCOLORS ExGxFxdxCxegedabagExEx
setenv CLICOLOR yes
setenv LC_ALL zh_CN.eucCN
setenv LANG zh_CN.eucCN
setenv LC_CTYPE zh_CN.eucCN
set prompt = '[%B%n@%m%b] %B%~%b%# '

# source ~/.cshrc

VIM 编辑器
===========================================
whereis vim
cd /usr/ports/editors/vim
make install clean
cd /usr/local/share/vim/vim71
cp vimrc_example.vim ~/.vimrc
cd ~;ee .vimrc
加入
"Chinese GBK support
set fileencodings=utf8,gbk

配置中文环境
===========================================
ee /.cshrc
setenv EDITOR ee
setenv LC_ALL zh_CN.GBK
setenv LANG zh_CN.GBK
setenv LC_CTYPE zh_CN.GBK

# cd /usr/ports/chinese/cce/
# make install clean ; rehash

装完后

lrwxr-xr-x  1 root  wheel    40 11  5 03:15 config.inc.php -> /usr/local/www/phpMyAdmin/config.inc.php
lrwxr-xr-x  1 root  wheel    44 11  3 23:34 httpd-mpm.conf -> /usr/local/etc/apache22/extra/httpd-mpm.conf
lrwxr-xr-x  1 root  wheel    47 11  3 20:55 httpd-vhosts.conf -> /usr/local/etc/apache22/extra/httpd-vhosts.conf
lrwxr-xr-x  1 root  wheel    34 11  3 20:50 httpd.conf -> /usr/local/etc/apache22/httpd.conf
lrwxr-xr-x  1 root  wheel    22 11  3 21:28 php.ini -> /usr/local/etc/php.ini
# Create symlinks in the current directory pointing at the main config files,
# giving the listing shown above (config.inc.php, httpd-mpm.conf, ...).
for target in \
  /usr/local/www/phpMyAdmin/config.inc.php \
  /usr/local/etc/apache22/extra/httpd-mpm.conf \
  /usr/local/etc/apache22/extra/httpd-vhosts.conf \
  /usr/local/etc/apache22/httpd.conf \
  /usr/local/etc/php.ini \
  /usr/local/etc/vsftpd.conf
do
  ln -s "$target"
done

太长了, 后面是MySQL + Apache + PHP部份的配置, 待续


Tags: 配置, 教程, 手册, freebsd

本文地址: http://blog.21andy.com/20090513/1276.html

4 评论 to “PHP开源CMS之MODx”

  1. 枯木 于 2009-06-23 12:17:13 发表:

    FreeBSD笔记 能不能发份我给我 最近正在学习FreeBSD
    邮箱:[email protected]

  2. dodo 于 2009-11-27 14:19:29 发表:

    我也想要一份FreeBSD笔记
    [email protected]
    谢谢啦

  3. Roy 于 2010-01-20 14:50:04 发表:

    想学习 能不能给一份 [email protected] 谢谢

  4. ETiV 于 2010-07-02 02:36:06 发表:

    找了好久...

    请问这份笔记还有吗?
    我也是才学习FreeBSD的, 可配置的内容太多了. 有些苦手.

    如果还有的话, 麻烦发到我的EMail
    WP后台可以看见 :-)