more /etc/pkg.conf
installpath = http://ftp.halifax.rwth-aachen.de/openbsd/6.7/packages/amd64/
Display the PKG_PATH environment variable
echo $PKG_PATH
Change the PKG_PATH environment variable (preferred method)
export PKG_PATH="http://ftp.eu.openbsd.org/pub/OpenBSD/$(uname -r)/packages/$(arch -s)/"
pkg_add -u
Install packages
pkg_add rsync
Search for a package
pkg_info -Q unzip
pkglocate unzip
Update a package
pkg_add -u unzip
Remove a package
pkg_delete screen
See all installed packages
pkg_check
Show information about a package
pkg_info unzip
Update the system
syspatch
pkg_add -u
Installing the tools
pkg_add -v bash mc nano pkg_mgr htop
Using bash
chsh -s /usr/local/bin/bash
chsh -s /usr/local/bin/bash aiko
OpenBSD installs a web server (httpd) by default; this limits the number of security holes.
mkdir /var/www/htdocs/mon_super_site
chown -R www:daemon /var/www/htdocs/mon_super_site
vi /etc/httpd.conf
types { include "/usr/share/misc/mime.types" }
server "chezmoi.tld" {
listen on * port 80
root "/htdocs/mon_super_site"
}
rcctl enable httpd
rcctl start httpd
pkg_add php-7.3.11
Edit the /etc/httpd.conf file
vi /etc/httpd.conf
server "chezmoi.tld" {
listen on * port 80
root "/htdocs/mon_super_site"
directory index index.php
location "*.php*" {
fastcgi socket "/run/php-fpm.sock"
}
}
rcctl enable php73_fpm
rcctl start php73_fpm
Create an info.php test file
vi /var/www/htdocs/mon_super_site/info.php
<?php phpinfo(); ?>
PHP works even though the database server is not installed and the extension modules are not installed either!
Install the PHP modules if needed
pkg_add -v php-bz2-7.3.11 php-zip-7.3.11 php-curl-7.3.11 php-gd-7.3.11 php-gmp-7.3.11 php-intl-7.3.11
pkg_add -v php-mysqli-7.3.11 php-pcntl-7.1.33 php-pdo_dblib-7.1.33 php-pdo_mysql-7.3.11 php-pdo_sqlite-7.3.11
pkg_add -v php-shmop-7.3.11 php-soap-7.3.11 php-sqlite3-7.3.11 php-xmlrpc-7.3.11 php-xsl-7.3.11 php-zip-7.3.11
Create all the symbolic links
ln -s /etc/php-7.3.sample/* /etc/php-7.3/
rcctl restart php73_fpm
Installing the Apache server
pkg_add -v apache-httpd-2.4.41
rcctl enable apache2
rcctl start apache2
Install the Apache module for the PHP binding
pkg_add -v php-apache-7.3.11
Create the symbolic link to attach the PHP module to Apache
ln -s /var/www/conf/modules.sample/php-7.3.conf /var/www/conf/modules/
Edit the Apache configuration
vi /etc/apache2/httpd2.conf
LoadModule proxy_module /usr/local/lib/apache2/mod_proxy.so
LoadModule proxy_fcgi_module /usr/local/lib/apache2/mod_proxy_fcgi.so
LoadModule rewrite_module /usr/local/lib/apache2/mod_rewrite.so
<IfModule dir_module>
DirectoryIndex index.html index.php
</IfModule>
Restart the php73_fpm and apache2 services
rcctl restart php73_fpm && rcctl restart apache2
Create an info.php test file
vi /var/www/htdocs/mon_super_site/info.php
<?php phpinfo(); ?>
PHP works even though the database server is not installed and the extension modules are not installed either!
pkg_add -v mariadb-server-10.3.18v1
The following new rcscripts were installed: /etc/rc.d/mysqld
See rcctl(8) for details.
Look in /usr/local/share/doc/pkg-readmes for extra documentation.

/usr/local/bin/mysql_install_db
Installing MariaDB/MySQL system tables in '/var/mysql' ...
OK

PLEASE REMEMBER TO SET A PASSWORD FOR THE MariaDB root USER !
To do so, start the server, then issue the following commands:

'/usr/local/bin/mysqladmin' -u root password 'new-password'
'/usr/local/bin/mysqladmin' -u root -h obsd-1.home.lan password 'new-password'

Alternatively you can run:
'/usr/local/bin/mysql_secure_installation'

which will also give you the option of removing the test
databases and anonymous user created by default.  This is
strongly recommended for production servers.

See the MariaDB Knowledgebase at http://mariadb.com/kb or the
MySQL manual for more instructions.

You can start the MariaDB daemon with:
/etc/rc.d/mysqld start

Please report any problems at http://mariadb.org/jira

The latest information about MariaDB is available at http://mariadb.org/.
You can find additional information about the MySQL part at:
http://dev.mysql.com
Consider joining MariaDB's strong and vibrant community:
https://mariadb.org/get-involved/

rcctl enable mysqld
rcctl start mysqld
mysqld(ok)
Server configuration
/usr/local/bin/mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.
Enter current password for root (enter for none):
OK, successfully used password, moving on...
Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.
Set root password? [Y/n] Y
New password: ********
Re-enter new password: ********
Password updated successfully!
Reloading privilege tables..
... Success!
By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n] y
... Success!
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] y
... Success!
By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n] y
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n] y
... Success!
Cleaning up...
All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.
Thanks for using MariaDB!
Test the mysqld service
mysql -u root -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 16
Server version: 10.3.18-MariaDB OpenBSD port: mariadb-server-10.3.18v1

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
+--------------------+
3 rows in set (0.002 sec)

MariaDB [(none)]>

Rename the root account (all three host rows) and set its password
MariaDB [(none)]> UPDATE mysql.user SET User = 'panoramix', Password = PASSWORD('123456') WHERE User = 'root';
Query OK, 3 rows affected (0.158 sec)
Rows matched: 3  Changed: 3  Warnings: 0

MariaDB [(none)]> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.010 sec)

MariaDB [(none)]> exit
Bye

Allow the administrative account from the local network only (netmask form)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON *.* TO 'panoramix'@'192.168.1.0/255.255.255.0' IDENTIFIED BY '123456' WITH GRANT OPTION;
Query OK, 0 rows affected (0.033 sec)

MariaDB [(none)]> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.001 sec)

MariaDB [(none)]> exit
Bye

Create an application account limited to one database and to local connections
MariaDB [(none)]> GRANT SELECT, INSERT, UPDATE, DELETE ON wikinuxbsd.* TO 'asterix'@'localhost' IDENTIFIED BY '123456';
Query OK, 0 rows affected (0.010 sec)

MariaDB [(none)]> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.001 sec)

MariaDB [(none)]> SHOW GRANTS FOR 'asterix'@'localhost';
+----------------------------------------------------------------------------------------------------------------+
| Grants for asterix@localhost                                                                                   |
+----------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'asterix'@'localhost' IDENTIFIED BY PASSWORD '*DC61CFCC9D17AF95840EC5D8797B7220810374DF' |
| GRANT SELECT, INSERT, UPDATE, DELETE ON `wikinuxbsd`.* TO 'asterix'@'localhost'                                |
+----------------------------------------------------------------------------------------------------------------+
2 rows in set (0.005 sec)
SHOW DATABASES;
vi /etc/my.cnf
# bind-address = 127.0.0.1      (comment out the line so the server also listens on the network)
rcctl restart mysqld

CREATE USER 'aiko'@'127.0.0.1' IDENTIFIED BY 'a';
CREATE USER 'aiko'@'localhost' IDENTIFIED BY 'a';
GRANT ALL PRIVILEGES ON *.* TO 'aiko'@'localhost' WITH GRANT OPTION;
GRANT ALL PRIVILEGES ON *.* TO 'aiko'@'127.0.0.1' WITH GRANT OPTION;
FLUSH PRIVILEGES;
FLUSH HOSTS;
SELECT USER();

mysql -u aiko -h 127.0.0.1 -p
SELECT USER();

CREATE USER 'conex'@'10.10.10' IDENTIFIED BY 'a';      (note: this host does not match the '10.10.10.10' used in the GRANT below)
CREATE USER 'conex'@'*' IDENTIFIED BY 'a';             (or from any network; note that the MySQL host wildcard is '%', a '*' is taken as a literal host name and never matches)
CREATE DATABASE db_conex;
GRANT ALL ON db_conex.* TO 'conex'@'10.10.10.10';
GRANT ALL ON db_conex.* TO 'conex'@'*';                (or from any network, same remark about '%')
FLUSH PRIVILEGES;
FLUSH HOSTS;
SHOW DATABASES;
SELECT USER();

mysql -u conex -p
ERROR 1045 (28000): Access denied for user 'conex'@'localhost' (using password: YES)
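The access-denied error above, the netmask grant for 'panoramix', and the reason mysql_secure_installation removes the anonymous user all come from one mechanism: the server picks the mysql.user row whose Host value matches the client's origin, most specific host first. The following is an added example, not the page's or MariaDB's own code; it is a simplified Python model of those matching rules (IPv4 only, no DNS name resolution, 'localhost' standing for socket connections) run over a constructed copy of the accounts created on this page. It shows why 'conex'@'*' and 'conex'@'10.10.10' never match, that '%' is the wildcard the author wanted, and why an anonymous ''@'localhost' row would shadow 'conex'@'%' for local logins.

```python
import ipaddress
import re

# Constructed mysql.user rows (User, Host) mirroring the accounts created on
# this page; '' as User is the anonymous row that mysql_secure_installation drops.
PAGE_ACCOUNTS = [
    ("panoramix", "192.168.1.0/255.255.255.0"),
    ("asterix", "localhost"),
    ("aiko", "localhost"),
    ("aiko", "127.0.0.1"),
    ("conex", "10.10.10"),
    ("conex", "*"),
]


def host_matches(pattern, client_host):
    """Does a mysql.user Host value accept a client arriving from client_host?
    client_host is 'localhost' for socket connections or a bare IPv4 address."""
    if "/" in pattern:
        # ip/netmask form: the client matches when (client & mask) == network.
        net_s, mask_s = pattern.split("/", 1)
        try:
            client = int(ipaddress.IPv4Address(client_host))
            net = int(ipaddress.IPv4Address(net_s))
            mask = int(ipaddress.IPv4Address(mask_s))
        except ValueError:          # 'localhost' or a malformed value never matches
            return False
        return client & mask == net
    if "%" in pattern or "_" in pattern:
        # SQL LIKE semantics: % is any run of characters, _ exactly one.
        regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c)
                        for c in pattern)
        return re.fullmatch(regex, client_host, re.IGNORECASE) is not None
    # Anything else, including '*' and the truncated '10.10.10', is a literal host.
    return pattern.lower() == client_host.lower()


def host_rank(pattern):
    """Sort key reproducing the server's ordering: literal hosts first, then
    patterns, the one with the longest literal prefix before its wildcard first."""
    first_wild = next((i for i, c in enumerate(pattern) if c in "%_"), None)
    return (0, 0) if first_wild is None else (1, -first_wild)


def resolve_account(accounts, user, client_host):
    """Return the (User, Host) row the server authenticates against, or None,
    which the client sees as ERROR 1045 Access denied."""
    rows = [(u, h) for u, h in accounts
            if u in (user, "") and host_matches(h, client_host)]
    # Host specificity decides first; only on equal hosts does a named user beat
    # the anonymous user, which is the well-known anonymous-row gotcha.
    rows.sort(key=lambda row: (host_rank(row[1]), row[0] == ""))
    return rows[0] if rows else None


if __name__ == "__main__":
    fixed = PAGE_ACCOUNTS + [("conex", "%")]          # what the author intended
    shadowed = fixed + [("", "localhost")]            # before mysql_secure_installation
    for label, accounts, user, origin in [
        ("page as written, conex via socket", PAGE_ACCOUNTS, "conex", "localhost"),
        ("page as written, conex from 10.10.10.10", PAGE_ACCOUNTS, "conex", "10.10.10.10"),
        ("with conex@'%', conex from 10.10.10.10", fixed, "conex", "10.10.10.10"),
        ("with anonymous row, conex via socket", shadowed, "conex", "localhost"),
        ("panoramix from the LAN", PAGE_ACCOUNTS, "panoramix", "192.168.1.42"),
        ("panoramix from elsewhere", PAGE_ACCOUNTS, "panoramix", "10.0.0.5"),
    ]:
        print(f"{label}: {resolve_account(accounts, user, origin)}")
```

Running it prints None (access denied) for the page's two conex cases, the 'conex'@'%' row once that account exists, and the anonymous row for a local conex login when it has not been removed: authentication then runs against the anonymous account's credentials and fails, which is the scenario the secure-installation prompts warn about.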
mysql -h adresse_ip_de_votre_serveur -u nom_utilisateur -p'mot_de_passe'
mysql> SELECT Host,User FROM mysql.user;
mysql> CREATE USER 'aiko'@'localhost';
mysql> CREATE USER 'aiko'@'localhost' IDENTIFIED BY 'password';
mysql> RENAME USER 'aiko'@'localhost' TO 'btsig'@'localhost';
mysql> DROP USER 'aiko'@'localhost';
mysql> SET PASSWORD FOR 'aiko'@'localhost' = PASSWORD('mot_de_passe');
mysqld_safe
mysql -u root -p
ls /var/run/mysql/mysql.sock
mysqladmin -u root -p ping
Enter password:
mysqld is alive
mysqladmin -u root -p shutdown (the gentle way)
/usr/local/bin/mysqladmin -u root password '123456789' (the password goes between the quotes)
CREATE USER 'aiko'@'localhost' IDENTIFIED BY '123456';
SHOW DATABASES;
USE madatabase;
mv database newdatabase
pkg_add phpMyAdmin-4.5.5.1p0
quirks-2.241 signed on 2016-07-26T16:56:10Z
phpMyAdmin-4.5.5.1p0:php-5.6.23p0: ok
phpMyAdmin-4.5.5.1p0:php-mysqli-5.6.23p0: ok
phpMyAdmin-4.5.5.1p0:libmcrypt-2.5.8p2: ok
phpMyAdmin-4.5.5.1p0:libltdl-2.4.2p1: ok
phpMyAdmin-4.5.5.1p0:php-mcrypt-5.6.23p0: ok
phpMyAdmin-4.5.5.1p0:jpeg-1.5.0p0v0: ok
phpMyAdmin-4.5.5.1p0:t1lib-5.1.2p0: ok
phpMyAdmin-4.5.5.1p0:php-gd-5.6.23p0: ok
phpMyAdmin-4.5.5.1p0: ok
The following new rcscripts were installed: /etc/rc.d/php56_fpm
See rcctl(8) for details.
Look in /usr/local/share/doc/pkg-readmes for extra documentation.
pkg_add samba-4.4.5
quirks-2.241 signed on 2016-07-26T16:56:10Z
samba-4.4.5:tdb-1.3.9: ok
samba-4.4.5:libtalloc-2.1.7: ok
samba-4.4.5:libdaemon-0.14p1: ok
samba-4.4.5:dbus-1.10.8v0: ok
samba-4.4.5:gdbm-1.12: ok
samba-4.4.5:dbus-daemon-launch-helper-1.10.8: ok
samba-4.4.5:avahi-0.6.31p24: ok
samba-4.4.5:libtasn1-4.8: ok
samba-4.4.5:p11-kit-0.23.2p0: ok
samba-4.4.5:gmp-5.0.2p3: ok
samba-4.4.5:libnettle-3.2: ok
samba-4.4.5:libidn-1.32p1: ok
samba-4.4.5:gnutls-3.4.14: ok
samba-4.4.5:cups-libs-2.1.4: ok
samba-4.4.5:cyrus-sasl-2.1.26p17: ok
samba-4.4.5:openldap-client-2.4.44: ok
samba-4.4.5:py-dnspython-1.12.0p0: ok
samba-4.4.5:tevent-0.9.28p0: ok
samba-4.4.5:popt-1.16p1: ok
samba-4.4.5:ldb-1.1.26p0: ok
samba-4.4.5:libexecinfo-0.3v0: ok
samba-4.4.5:openpam-20141014: ok
samba-4.4.5:samba-util-4.4.5: ok
samba-4.4.5:gamin-0.1.10p21: ok
samba-4.4.5: ok
The following new rcscripts were installed: /etc/rc.d/avahi_daemon /etc/rc.d/avahi_dnsconfd /etc/rc.d/messagebus /etc/rc.d/nmbd /etc/rc.d/samba /etc/rc.d/samba_ad_dc /etc/rc.d/saslauthd /etc/rc.d/smbd /etc/rc.d/winbindd
See rcctl(8) for details.
Look in /usr/local/share/doc/pkg-readmes for extra documentation.
rcctl enable samba
rcctl start samba
nano /etc/samba/smb.conf
[global]
workgroup = WORKGROUP
server string = Samba Server
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
server role = standalone server
log file = /var/log/samba/smbd.%m
max log size = 50
dns proxy = no
syslog = 0
security = user
map to guest = Bad Password
guest account = aiko
obey pam restrictions = no
unix password sync = yes
domain logons = no

[nfs0]
path = /nfs0
guest ok = no
writable = yes
browseable = yes
valid users = aiko
pdbedit -a -u aiko
rcctl restart samba
Example with Samba
nano /etc/rc.local
#!/bin/sh
echo Initiation de Samba
if [ -f /etc/rc.d/samba ] ; then /etc/rc.d/samba start ; fi
rcctl enable samba
rcctl start samba
We will instead prefer starting it through rcctl, which avoids creating an extra file.
pkg_add pure-ftpd
pure-ftpd-1.0.42:libsodium-1.0.10: ok
pure-ftpd-1.0.42: ok
The following new rcscripts were installed: /etc/rc.d/pure_ftpd
See rcctl(8) for details.
groupadd -g 1001 ftpgroup
useradd -g ftpgroup -d /dev/null -s /etc ftpuser
pure-pw useradd spy1 -u ftpuser -g ftpgroup -d /var/www/website/local/igalerie/albums/spy1/
rcctl enable pure_ftpd
rcctl start pure_ftpd
pkg_add isc-dhcp-server-4.3.4
quirks-2.241 signed on 2016-07-26T16:56:10Z
isc-dhcp-server-4.3.4: ok
The following new rcscripts were installed: /etc/rc.d/isc_dhcpd /etc/rc.d/isc_dhcrelay
See rcctl(8) for details.
vim /etc/ssh/sshd_config
Match User ftp
    ForceCommand internal-sftp
    ChrootDirectory /ftp_jail
chown root:ftp /ftp_jail
chmod 750 /ftp_jail
I tested it but it does not give what I am looking for!
I instead used a group rather than the single user ftp.
I also chrooted the users' directories.
The users are all "nologin".
1) vim /etc/ssh/sshd_config
Match Group chroot
    ForceCommand internal-sftp
    ChrootDirectory /vftp/home/%u/
2) vim /etc/adduser.conf
# default HOME directory ("/home")
#home = "/home"
home = "/vftp/home/."
3) groupadd chroot
4) ln -s /var/www/website/le_site/ joe
5) adduser
Use option ``-silent'' if you don't want to see all warnings and questions.
Reading /etc/shells
Check /etc/master.passwd
User ftpuser: illegal shell: ``/etc''
Check /etc/group
Ok, let's go.
Don't worry about mistakes. There will be a chance later to correct any input.
Enter username []: joe
Enter full name []: joe
Enter shell bash csh git-shell ksh nologin sh [nologin]: nologin
Uid [1001]:
Login group delbadog [delbadog]:
Login group is ``joe''.
Invite joe into other groups: guest no [no]: chroot
This lets a user go through SFTP to upload their pages to their hosting provider.
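sshd_config(5) states the condition behind both ChrootDirectory setups above: every component of the chroot path must be a root-owned directory that is not writable by any other user or group, otherwise sshd refuses the login with "bad ownership or modes for chroot directory component". The chown root:ftp / chmod 750 pair given for /ftp_jail satisfies it; a careless chmod -R g+w on /vftp/home would break it. The following is an added example, not the page's or OpenSSH's own code: a Python checker that walks a path upward and reports each component that would fail that test. The stop parameter (an assumption of this example, not an sshd option) only exists so the demo can run on a temporary tree; in real use leave it out so the check runs all the way to /.

```python
import os
import stat
import tempfile


def chroot_problems(path, required_uid=0, stop=None):
    """List every reason sshd would reject `path` as a ChrootDirectory.
    Each component from `path` up to `stop` (inclusive; default the root
    directory) must be a directory owned by required_uid (0 for sshd) and not
    writable by group or others. Returns [] when everything is acceptable."""
    problems = []
    cur = os.path.realpath(path)
    stop = os.path.realpath(stop) if stop is not None else None
    while True:
        try:
            st = os.stat(cur)
        except FileNotFoundError:
            problems.append((cur, "does not exist"))
            break
        if not stat.S_ISDIR(st.st_mode):
            problems.append((cur, "not a directory"))
        if st.st_uid != required_uid:
            problems.append((cur, "owned by uid %d, expected %d" % (st.st_uid, required_uid)))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append((cur, "writable by group or others (mode %04o)"
                             % stat.S_IMODE(st.st_mode)))
        parent = os.path.dirname(cur)
        if cur == stop or parent == cur:   # reached the stop directory or /
            break
        cur = parent
    return problems


def running_as_root():
    return os.getuid() == 0


def demo():
    """Build a throw-away tree shaped like /vftp/home/joe (constructed sample,
    not the page's real paths), check it three ways and return the findings."""
    base = tempfile.mkdtemp()
    os.chmod(base, 0o755)
    cur = base
    for part in ("vftp", "home", "joe"):
        cur = os.path.join(cur, part)
        os.mkdir(cur)
        os.chmod(cur, 0o755)
    me = os.getuid()
    results = {}
    # 1. every component 0755 and owned by us (standing in for root): accepted
    results["clean"] = chroot_problems(cur, required_uid=me, stop=base)
    # 2. the middle component made group-writable, as chmod -R g+w would do: rejected
    home = os.path.join(base, "vftp", "home")
    os.chmod(home, 0o775)
    results["group_writable"] = chroot_problems(cur, required_uid=me, stop=base)
    os.chmod(home, 0o755)
    # 3. the real sshd requirement, root ownership: fails unless we are root
    results["needs_root"] = chroot_problems(cur, required_uid=0, stop=base)
    return results


if __name__ == "__main__":
    for name, found in demo().items():
        print(name, "OK" if not found else found)
    # Real-world use on this page's directories (run as root, no stop):
    #   chroot_problems("/ftp_jail")  or  chroot_problems("/vftp/home/joe")
```

One more point about step 4 above: a symlink created inside the chroot that points at /var/www/website/le_site/ is resolved relative to the chroot root once the session is confined, so from inside it dangles; the target must live under the chroot directory itself (or be mounted there) for the user to reach it.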