Posts Tagged ‘freebsd’

FreeBSD Housekeeping

Monday, April 13th, 2009

So, since I’ve had to mess around with Arigeitsu so much anyway, I decided to take the next 48 hours or so real slow, and just relax and make sure everything’s done right. I’ve finally gotten over the stress of making Murmur work on FreeBSD so now it’s time to get down to some good old-fashioned sysadmin stuff. I thought I’d post about it here as a list of good things to do to a new FreeBSD box – who knows when I might need to consult it myself to jog my memory. :)

So, since the machine came equipped with 1TB of disk space over two identical drives, and I decided I didn’t need that much space, we elected to configure the machine in a RAID-1 mirror. We haven’t yet had the joy of having a drive crash in a mission critical server (though I’ve lost a couple of drives in my Windows desktops over the years!) and while we do maintain off-site backups, RAID-1 will help us prevent outages in the event of a drive failure.

RAID is of course no use whatsoever unless you actually monitor the disks, so I installed sysutils/smartmontools to keep an eye on things. David Andrzejewski has a much better howto than I could ever write so go consult that instead.

Next up, I live by the rule of “if it ain’t broke, don’t fix it” when it comes to software and while I try to be subscribed to the security mailing list of every piece of software we use, sometimes things slip by. ports-mgmt/portaudit is a good way to keep an extra eye on things, and you can configure periodic to run a daily check of it:

echo 'daily_status_security_portaudit_enable="YES"' >> /etc/periodic.conf

Now this next bit tripped me up once when we had to reboot Zubat: If you misconfigure an SSL certificate on Apache, it can hang the boot process while it waits for you to enter the pass phrase. The bad part is, by default, Apache tries to start before the SSH daemon. So I edit the /usr/local/etc/rc.d/apache22 script and add sshd to the REQUIRE line, like so:

# REQUIRE: LOGIN cleanvar sshd

Finally, we enable the stock FTP daemon on localhost. We simply enable inetd, ensuring that the built-in ftpd is the only thing listed, and leave the rule allowing it out of the firewall. This way we still enforce SFTP/SCP for our users, but things like auto-updates for WordPress work. :)
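To make the checklist above repeatable, here is an added audit script (example code, not part of the original post) that checks the three file-based items: the portaudit switch in periodic.conf, sshd on the apache22 REQUIRE line, and ftpd being the only service inetd offers. It runs against whatever paths you give it and ships with constructed sample files so it can be tried offline.

```shell
#!/bin/sh
# Added audit for the housekeeping checklist (example code, not from the post).
# Each check parses a config file passed as an argument, so it can be pointed at
# copies or, on a FreeBSD host, at the live files under /etc and /usr/local/etc.

# periodic.conf: is the daily portaudit status report enabled? The last
# assignment wins, and rc-style values are case-insensitive (YES/yes/Yes).
portaudit_enabled() {
    val=$(grep -E '^[[:space:]]*daily_status_security_portaudit_enable=' "$1" \
        | tail -n 1 | cut -d= -f2- | tr -d "\"'" | tr 'a-z' 'A-Z')
    [ "$val" = "YES" ]
}

# rc.d script: does its "# REQUIRE:" line name the given dependency, so that
# rcorder(8) starts it after that service (here: apache22 after sshd)?
rc_requires() {
    grep -E '^#[[:space:]]*REQUIRE:' "$1" | tr -s '[:blank:]' '\n' | grep -qx "$2"
}

# inetd.conf: print the service name of every enabled (non-comment) line.
inetd_enabled() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | awk '{ print $1 }'
}

# ftpd should be the only service inetd offers (tcp and tcp6 both read "ftp").
only_ftpd_in_inetd() {
    [ "$(inetd_enabled "$1" | sort -u | tr '\n' ' ')" = "ftp " ]
}

# Constructed sample files (not copied from any real host) so the checks can be
# exercised offline; prints the directory they were written to.
write_samples() {
    d=$(mktemp -d)
    echo 'daily_status_security_portaudit_enable="YES"' > "$d/periodic.conf"
    printf '#!/bin/sh\n# PROVIDE: apache22\n# REQUIRE: LOGIN cleanvar sshd\n' > "$d/apache22"
    printf '#!/bin/sh\n# PROVIDE: apache22\n# REQUIRE: LOGIN cleanvar\n' > "$d/apache22.stock"
    printf 'ftp\tstream\ttcp\tnowait\troot\t/usr/libexec/ftpd\tftpd -l\n' > "$d/inetd.conf"
    printf 'ftp\tstream\ttcp6\tnowait\troot\t/usr/libexec/ftpd\tftpd -l\n' >> "$d/inetd.conf"
    printf '#telnet\tstream\ttcp\tnowait\troot\t/usr/libexec/telnetd\ttelnetd\n' >> "$d/inetd.conf"
    echo "$d"
}

# Report each check as PASS/FAIL for a directory holding the three files.
run_audit() {
    for chk in "portaudit_enabled $1/periodic.conf" \
               "rc_requires $1/apache22 sshd" \
               "only_ftpd_in_inetd $1/inetd.conf"; do
        if $chk; then echo "PASS: $chk"; else echo "FAIL: $chk"; fi
    done
}
run_audit "$(write_samples)"
```

Since the rc script under /usr/local/etc/rc.d is reinstalled whenever the apache22 port is upgraded, re-running the REQUIRE check after each upgrade catches the hand edit being silently reverted.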

That’s about all I can think of right now, I’ll edit this post and add more as I go along.

Say Hello to Arigeitsu!

Saturday, April 11th, 2009

On Thursday, we began making a tough decision – what to do about Xatu. If you’ve been following Sabrienix’s Twitter, which is where we store our status updates, we’ve had a spot of bother with him lately. The uptime stats linked in the previous post look awful because of him and Vaporeon (but Vaporeon’s outage was my fault), and basically the underlying cause is this: FreeBSD 7’s disk performance under XenServer sucks.

No one who currently works for Sabrienix has a good enough knowledge in Linux for us to run it for our web services – we’re pretty much a FreeBSD shop. I have about a decade of experience of administering, programming and troubleshooting FreeBSD so we have a certain amount of confidence in running it – unfortunately Xatu’s datacenter doesn’t support FreeBSD “officially”, so we ran FreeBSD under XenServer.

They brought it to our attention that there was an unsupported method for installing FreeBSD on their machines, so we organized to have a new server set up that I could put FreeBSD natively on… the difference is astounding. On identical hardware, Apache can take over 100x as many hits – not to mention we got rid of the hypervisor from RAM.

The new server is named Arigeitsu – we decided to not be quite so obvious about naming our servers after Pokemon and go with romanized Romaji names from now on – and if you’re reading this then you’re loading off him instead of Xatu. I’ve moved a couple of my personal sites over for a test to see how things go, and so far I’m pretty impressed.

Right now I’m working on getting Murmur compiled, so we can do away with Wurmple as well as Xatu (though I have a good many sites to migrate from Xatu first). It’s going to be a long weekend, but the results will be worth it in the end.

Haha @ FreeBSD telnetd

Saturday, February 14th, 2009

… and here we were almost a year ago making fun of Solaris for letting silly things slip in. The good news is almost no one uses telnet anymore, and if they do they probably deserve to get owned.

Here’s a hurried patch confirmed to plug this hole, but it does so in a messy manner. What’s funny is there’s an entire function called scrub_env() that (on cursory inspection) looks like its sole purpose is to prevent shit like this, and for some reason it doesn’t.

--- sys_term.c~ 2009-02-13 23:58:26.000000000 -0500
+++ sys_term.c  2009-02-13 23:58:26.000000000 -0500
@@ -1221,6 +1221,7 @@
if (altlogin == NULL) {
altlogin = _PATH_LOGIN;
}
+ unsetenv("LD_PRELOAD");
execv(altlogin, argv);
 
syslog(LOG_ERR, "%s: %m", altlogin);
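Review bot: Dropping only LD_PRELOAD right before the execv at the end of this hunk is a denylist fix, and the runtime linker honours other LD_* variables as well, so the durable change is to have scrub_env() (which the post itself notes exists for exactly this job) reduce the inherited environment to an allowlist before anything reaches altlogin. If this stopgap stays in, it should at least strip the whole LD_ family and sit on every code path that ends in execv(altlogin, argv), not just this branch.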

WordPress munges the code formatting – it’s just here so you can see what’s going on. In the very unlikely event you run telnetd and want to patch it, you can download the patch.

Update: Disregard that patch, FreeBSD released an advisory and they did a much more elegant solution in their patch.