Showing posts with the label BSD

Monitoring network traffic with tcpdump

The following procedure demonstrates how to use tcpdump to sniff and log packets going in and out of a machine's network interfaces.

==========

1. Identify the network interfaces available.

user@host: $ tcpdump --list-interfaces
1.wlp6s0 [Up, Running]
2.lo [Up, Running, Loopback]
3.any (Pseudo-device that captures on all interfaces) [Up, Running]
4.enp5s0 [Up]

2. Set the sniffing tool to listen on a network interface for packets and send the output to a file for easy review later.

2.1. To and from a target port, such as HTTP, regardless of host.

user@host: $ sudo tcpdump -A -i any -l -s 0 -vvv tcp port 80 > mytcpdumpout.txt 2>&1

2.2. To and from a target host, regardless of port.

user@host: $ sudo tcpdump -A -i any -l -s 0 -vvv host nameOfMachine > mytcpdumpout.txt 2>&1

2.3. The flags used to adjust the behavior of tcpdump are as follows.

[ -A ] prints packets in ASCII format and makes them readable, excluding data link layer headers.
[ -i any ] c...

Using cURL for response timing

cURL is a command-line tool that connects to a uniform resource locator (URL) for data transfer. Although this tool is commonly used to quickly check if websites are up and running, it can also be used to time the response of services. This may help administrators gather data for analysis to match against baseline response times for performance tuning.

cURL has many options or flags available to adjust its behavior. For the purpose of timing, the following flags shall be utilized.

[ -k ] tells cURL to disable peer verification of the SSL/TLS certificate. This is useful for connecting to URLs that have self-signed certificates.
[ -s ] tells cURL to operate in silent mode. This suppresses standard error messages and the progress meter.
[ -o /dev/null ] tells cURL to dump its standard output to the null device. All messages are effectively discarded and no output file is produced.
[ -w '%{time_total}\n' ] tells cURL to write the declared variables to standard output after all tr...

Running Home Assistant on FreeBSD Servers

Home Assistant is an open-source home automation system powered by Python, primarily intended to run on single-board computers like the Raspberry Pi, with Linux as the host operating system. The following procedure shows how to run Home Assistant Core on FreeBSD servers, on either physical or virtual machines.

==========

1. PREPARING THE SERVER

1.1. Update the package list and upgrade the existing packages.

root@host: # pkg update && pkg upgrade -y

1.2. Install Python and other required packages.

root@host: # pkg install python38 py38-sqlite3 openssl autoconf libffi rust

1.3. Create a system account with disabled login (-w no), a dedicated home directory (-m), and some informational text (-c comment).

root@host: # pw useradd homeassistant -w no -m -c "Home Assistant"

1.3.1. If groups for hardware input/output are present, append the system account. Else, skip this step for now.

root@host: # pw groupmod gpio -m homeassistant
root@host: # pw groupmod i2c -m ...

Running FreeBSD Commands at Startup

The following procedure enables FreeBSD programs to start automatically after booting, without requiring users to log in first. This method is useful when automating custom daemons to act as servers with user-specific privileges. This is almost identical to the Linux procedure, except for one redirection parameter excluded here.

==========

1. Edit the user crontab file.

user@host: $ crontab -e

2. Add the @reboot line with the desired command.

# BEGIN CODE
@reboot /myfolder/mydaemon.sh > /dev/null &
# "> /dev/null" discards standard output by redirecting to the null device.
# Terminating with "&" executes the command in the background.
# END CODE

3. Save and exit crontab, then reboot the machine.

==========

The default shell configured in an account's environment variables is used by crontab to process the listed commands. In Linux crontab, the default Bourne Again shell (bash) accepts parameters like "2>&1" which redirects standa...

Configuring the FreeBSD Firewall with IPFW

IPFW is one of several firewalls included in FreeBSD by default. It has a command-line tool to handle the policies for incoming and outgoing connections. In the configurations discussed here, network connections "from any to any" are deliberately avoided to prevent potential bounce attacks from happening, if the server is not intended to act as a router. Instead, a request/respond or incoming/outgoing rule pair is adopted to direct the flow of network traffic.

The main objective is to set up IPFW to block unauthorized remote access to unsecured ports on the server. But if attackers manage to break in through a vulnerability on some programs running on authorized incoming ports, the outgoing restrictions will prevent massive data exfiltration, stopping intruders dead in their tracks. A similar approach can be done on Debian-based Linux distributions using UFW.

==========

1. STRICT CONFIGURATION

1.1. Create a custom shell script for IPFW commands.

root@host: # ee /etc/...

Redirect Apache HTTP to HTTPS in FreeBSD

After enabling HTTPS on the web server in FreeBSD, remote users can be redirected to this secure protocol by automatically rewriting the URL.

==========

1. Log in to "root". Regular users must be part of the "wheel" group in order to do this.

user@host: $ su -

2. Open the Apache main configuration file.

root@host: # ee /usr/local/etc/apache24/httpd.conf

3. Find and uncomment the following Apache directives.

# BEGIN CODE
# ...
LoadModule rewrite_module libexec/apache24/mod_rewrite.so # Apache rewrite engine
Include etc/apache24/Includes/*.conf # Custom configuration files
# ...
# END CODE

4. Create a custom config file in the "Includes" directory.

root@host: # ee /usr/local/etc/apache24/Includes/myrewrite.conf

5. Place the following code in the custom config file.

# BEGIN CODE
# ...
RewriteEngine On # Enables directives for rewriting.
RewriteCond %{HTTPS} !=on # Verifies that the connection is not yet in HTTPS.
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$...

Enable Apache HTTPS in FreeBSD

The following procedure activates HTTPS for the Apache web server in FreeBSD. This secure protocol uses TLS/SSL certificates to encrypt the data transferred between the remote user and the web server. Sensitive information is protected from being captured by malicious actors using sniffing tools along the network route.

==========

1. PREREQUISITES

1.1. Make a self-signed SSL certificate. [ Details ]

2. ACTIVATION

2.1. Log in to "root". Regular users must be part of the "wheel" group in order to do this.

user@host: $ su -

2.2. Open the Apache main configuration file.

root@host: # ee /usr/local/etc/apache24/httpd.conf

2.3. Find and uncomment the following Apache directives.

# BEGIN CODE
# ...
LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so # Needed by the "SSLSessionCache" directive in httpd-ssl.conf
# ...
LoadModule ssl_module libexec/apache24/mod_ssl.so # Needed by the "SSLCipherSuite" directive in httpd-ssl.conf
# ...
...

Self-Signed Certs for Apache in FreeBSD

The following procedure shows how to apply self-signed certificates to the Apache web server in FreeBSD. After creating and installing the TLS/SSL certificate/key pair, they can be utilized to secure FreeBSD web services with encryption during the development and testing process. It is important to keep in mind that self-signing may be deemed UNTRUSTWORTHY in a production environment.

==========

1. Log in to "root". Regular users must be part of the "wheel" group in order to do this.

user@host: $ su -

2. Go to the directory containing the Apache site configuration files.

root@host: # cd /usr/local/etc/apache24/extra

3. BACK UP the default HTTPS configuration file for the secure site.

root@host: # cp httpd-ssl.conf httpd-ssl-conf.back

4. Open the default HTTPS configuration file.

root@host: # ee httpd-ssl.conf

5. Find and modify the following Apache directives.

# BEGIN CODE
# ...
SSLCertificateFile "/usr/local/etc/apache24/server.crt" # The self-signe...

Disable Web Server Signatures in FreeBSD

Hide server details from potential online threats in a few easy steps.

==========

1. Log in to "root". Regular users must be part of the "wheel" group in order to do this.

user@host: $ su -

2. Open the Apache main configuration file.

root@host: # ee /usr/local/etc/apache24/httpd.conf

3. Find and uncomment the following Apache directive.

# BEGIN CODE
# ...
Include etc/apache24/extra/httpd-default.conf # Default config for the Apache web server.
# ...
# END CODE

4. Open the Apache default settings configuration file.

root@host: # ee /usr/local/etc/apache24/extra/httpd-default.conf

5. Find and modify the following Apache directives.

# BEGIN CODE
# ...
ServerTokens Prod # "Prod" reduces Apache info sent by the server in its HTTP response header.
# ...
ServerSignature Off # "Off" removes info on server, host, and port from error pages and other auto-generated docs.
# ...
# END CODE

6. Open the PHP configuration file.

root@host: # ee /usr/local/etc/ph...

Owner and Perm of Web Items in FreeBSD

The following steps provide all directories and files in the "data" folder with the appropriate ownership and permissions to ensure smooth operation of the web server. This also prevents unauthorized users from viewing and modifying them.

==========

1. Log in to "root". Regular users must be part of the "wheel" group in order to do this.

user@host: $ su -

2. Change ownership of all items to user "root" and group "www".

root@host: # chown -R root:www /usr/local/www/apache24/data

3. Change permission modes to 750 for directories only. User "root" can (r)ead, (w)rite, and e(x)ecute directories. Users included in the group "www" can (r)ead and e(x)ecute but NOT write to directories. All other users are excluded.

root@host: # find /usr/local/www/apache24/data -type d -exec chmod 750 {} +

4. Change permission modes to 640 for files only. User "root" can (r)ead and (w)rite but NOT execute files. Users included i...

Add or Remove Users in FreeBSD Groups

After installing FreeBSD, regular users are not allowed to log in as the "root" user via the "su -" command. The following procedure shows how to grant superuser access for administrative convenience, assuming that the regular user knows the superuser password.

==========

1. Access "root" from the login screen.

login: root
Password:

2. Add a user to the "wheel" group.

root@host: # pw groupmod wheel -m username

3. Check if the user has been added to the "wheel" group.

root@host: # pw groupshow wheel

/* The added user needs to log out and log in again for the changes to take effect. */

4. Remove a user from the "wheel" group.

root@host: # pw groupmod wheel -d username

5. Log out from "root".

root@host: # exit

==========

REFERENCES

1. The FreeBSD Documentation Project. FreeBSD Handbook. Section 3.3, "Users and Basic Account Management". https://docs.freebsd.org/en/books/handbook/basics/#users-synopsis

==========

Enabling HTTPS in Home Assistant

The following procedure activates HTTPS for the Home Assistant server. The secure protocol uses TLS/SSL certificates to encrypt the data transferred between user and server. Although it is possible to make this home automation system, whether in Linux or FreeBSD, accessible over the Internet, Home Assistant is usually operated within private networks, either physical or virtual. In this case, self-signed certificates may be acceptable to use and quicker to deploy.

==========

1. Log in as the system account.

1.1. Linux, with $HOME "bin" included in $PATH (-i) of system account (-u).

user@host: $ sudo -i -u homeassistant

1.2. FreeBSD, coming from "root" superuser.

root@host: # su - homeassistant

2. Go to the Home Assistant configuration directory.

user@host: $ cd ~/.homeassistant

3. Make a directory for SSL certificates.

user@host: $ mkdir ssl

4. Ensure that only the system account and members of its group can access the directory.

user@host:...

Making Self-Signed Digital Certificates

The need for TLS/SSL certificates may arise when developing server projects that need encryption, like the Apache web server on Debian-based or Red Hat-based Linux distributions, on the FreeBSD operating system, and the Home Assistant home automation system. The following procedure shows how to create and install self-signed certificates, if acquiring them from a Certificate Authority (CA) is either too expensive or too complicated. It is important to keep in mind, however, that self-signing may be deemed UNTRUSTWORTHY in a production environment.

==========

1. Create the certificate and key.

1.1. [OPTION A] One-step process, skipping the Certificate Signing Request (CSR).

user@host: $ openssl req -new -x509 -days 36500 -nodes -keyout server.key -out server.crt

1.2. [OPTION B] Separate CSR for submission to CAs, if planning to legitimize later on.

1.2.1. Generate keys for the CSR.

user@host:...

Enabling .htaccess in Apache for Drupal

Content management systems like Drupal require specific web server directives in order to work properly. The following steps enable Apache to recognize .htaccess files containing those specific web server directives. The steps outlined here require the use of HTTPS for better security on both Debian-based Linux distributions and the FreeBSD operating system.

==========

1. DEBIAN-BASED LINUX DISTRIBUTIONS

1.1. Go to the directory containing the Apache site configuration files.

user@host: $ cd /etc/apache2/sites-available

1.2. BACK UP the default HTTPS configuration file for the secure site.

user@host: $ sudo cp 000-default-ssl.conf 000-default-ssl-conf.back

1.3. Open the default HTTPS configuration file.

user@host: $ sudo nano 000-default-ssl.conf

1.4. Find the "DocumentRoot" section and add the "Directory" block marked "For Drupal" as follows.

# BEGIN CODE
<IfModule mod_ssl.c>
        <VirtualHost _default_:443>
# .....