(Administrator guide for initial system configuration)
Some tasks below require a text editor. You can use vi, pico, vim or nedit (the last one only in an X11 environment). To set the terminal type (xterm, for example), type 'setenv TERM <type>' (in tcsh) or 'TERM=<type>; export TERM' (in sh, bash and ksh). If you are not familiar with 'vi', I recommend 'pico'. (I use 'red', but it is not well known or documented.)
This document describes the initial FreeBSD setup. Skip it if you use another OS, or if you have already configured the OS.
Log in to the server on the console as 'root'.
Edit the file /etc/rc.conf and change the IP address, netmask, default router and host name. For example:
# -- sysinstall generated deltas --
# Thu Nov 14 15:14:04 2002
# Created: Thu Nov 14 15:14:04 2002
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
defaultrouter="192.168.11.1"
hostname="xxx.xxxxxxx.com"
ifconfig_fxp0="inet 192.168.11.130 netmask 255.255.255.0 media 100baseTX mediaopt full-duplex"
Be advised that some variables may be defined more than once; only the last definition takes effect, so remove all but the last one and edit that.
You can use 'sysinstall' instead of editing the file manually (some options, such as full duplex, must still be configured by hand). Read the FreeBSD Handbook for the details.
Configure the time zone using the /stand/sysinstall tool (FreeBSD Handbook, 2.9.8 Setting The Time Zone).
Verify the ntp and ntpdate configuration in /etc/rc.conf. For example:
xntpd_enable="YES"
xntpd_program="/usr/sbin/ntpd"
xntpd_flags="-p /var/run/ntpd.pid -c /etc/ntp.conf"
And the file /etc/ntp.conf:
server 192.5.5.250
server 209.81.9.7
server 165.227.1.1
driftfile /var/tmp/ntp.driftfile
enable monitor
enable ntp
enable stats
Configure the DNS resolver(s) in /etc/resolv.conf. For example (change the values!):
domain amc.portera.com
search portera.com net.exigengroup.com amc.portera.com exigengroup.com
nameserver 10.200.5.21
nameserver 10.21.10.25
Now start a web browser (IE or Mozilla) and open the WEBMIN page:
WEBMIN was configured to accept 'root' with the root password (full privileges).
Now open 'System -> Users and groups' and add your own account. Remember that members of the 'wheel' group (gid=0) have 'sudo root' privilege. Be careful with the home directory and password(s).
Notice: only those who will administer THIS server should be created here. A user account is not required to use the 'snmpstat' system and its components.
Verify that your account exists in WEBMIN (WEBMIN -> Webmin users). If not, create it and mark it to use the Unix password, for example:
Now verify that you can log in using 'slogin' and can run 'sudo' (do not try to log in as 'root' through 'ssh'):
bash-2.05a$ slogin yyyyy -l zzzzz
Password:
Last login: Tue Apr 20 11:17:56 2004 from 10.48.127.44
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD 4.4-STABLE (EXIGEN) #0: Fri Nov 16 14:55:53 PST 2001
Welcome to FreeBSD!
…
bash-2.05$ sudo -s
Password:
bash-2.05#
Now return to the web browser and verify access to the server's public web page at http://server_name/ . Open the index file in an editor and correct the host name so that the page provides correct references to the WEBMIN and SNMPSTAT web pages; see the file /usr/local/www/data/index.html:
Find all instances of mis-ysj.exigengroup.com and replace them with the server's name (sorry, the index page is static and cannot do this by itself).
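As an added example (not part of the original guide), the following sh script performs that replacement: it keeps a backup of the index page, rewrites every occurrence of the old host name, and refuses to report success if any instance of the old name survives. The sample index.html it runs on is constructed for the demonstration; "server.example.test" stands in for the real server's name, which on the server itself would be "$(hostname)".

```shell
#!/bin/sh
# Added example, not from the original guide: replace the host name hard-coded
# in the public index page with this server's name, keep a backup, and verify
# that the old name is gone. It writes a new file instead of relying on
# "sed -i", which old FreeBSD versions lack.
#
# Usage on the real server:
#   replace_index_host /usr/local/www/data/index.html mis-ysj.exigengroup.com "$(hostname)"

# Replace every occurrence of $2 with $3 in file $1. Prints the number of
# lines that now carry the new name; returns non-zero if the old name survives.
replace_index_host() {
    file=$1 old=$2 new=$3
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    # Escape the dots so sed matches them literally ("." alone matches any character).
    old_re=$(printf '%s' "$old" | sed 's/[.]/\\./g')
    cp -p "$file" "$file.bak" || return 1
    sed "s/$old_re/$new/g" "$file.bak" > "$file" || return 1
    if grep -q "$old_re" "$file"; then
        echo "old host name still present in $file" >&2
        return 1
    fi
    grep -c "$new" "$file"
}

# Constructed stand-in for index.html (the real page is longer); all that
# matters here is that it carries the old host name in its links.
write_sample_index() {
    cat > "$1" <<'EOF'
<html><body>
<a href="https://mis-ysj.exigengroup.com:8100/">Integrated page</a>
<p>Monitoring host: mis-ysj.exigengroup.com</p>
<a href="http://mis-ysj.exigengroup.com/">Home</a>
</body></html>
EOF
}

# Stand-alone demonstration; "server.example.test" is a placeholder for "$(hostname)".
demo_replace() {
    f=$(mktemp) || return 1
    write_sample_index "$f"
    n=$(replace_index_host "$f" mis-ysj.exigengroup.com server.example.test) || return 1
    echo "$n line(s) now reference server.example.test; backup kept in $f.bak"
    rm -f "$f" "$f.bak"
}

demo_replace
```

Keep the .bak file until the links on the home page have been checked in the browser (next step); if something went wrong, copying it back restores the original page.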
Now open the home page and verify the link to snmpstat (the very first link) and to webmin (at the end).
Last step: verify the snmpstat web interface and configure users there. Open https on port 8100 (the home page has a link to it, as 'Integrated page'):
Log in as 'admin'; the password is the same as for root.
You will see something like this:
Most likely you will have many red objects and will see the 'active' screen as the default. Turn off the sound by clicking the 'quiet' button, and open the ADMIN page:
To create a new user, enter the name into the 'New' field and press <ENTER>:
Now check the groups for this user:
· monitor allows access to the monitoring pages;
· docs allows access to the documentation;
· read allows read access to snmpstat;
· write permits writing tickets in snmpstat;
· mrtg permits access to the mrtg pages;
· logs permits access to the system logs;
· dns permits normal access to DNS (currently it permits reading and zone changes);
· dnsadmin permits FULL access to DNS (including configuration);
· config permits access to the CCR (Cisco Configurations);
· saveconfigs allows saving configurations into the CCR;
· admin allows creating / deleting / modifying other users, except other admins;
· super allows unrestricted access (sometimes dangerous; for example, such a user can remove himself);
· tacacs allows access on the routers, if you use snmpstat to generate tacacs files;
· tacacs_7 can be used to control tacacs more finely.
Group assignments can differ (you can control access by editing the .htaccess files in the local directories).
Do not forget to enter the password twice, then click 'Add' or 'Modify'.
Create yourself with the 'admin' privilege, and create other people with (at least) the read, monitor and logs privileges.
To verify, close all browser windows, start the browser again, open the 'Integrated page' (https, port 8100) and log in as yourself. Verify that you can (still) create / modify users on the 'ADMIN' page.
Step 1: verify that you can send e-mail:
mailx -v -s 'test' your_address
If it does not work, check /etc/mail/sendmail.cf (carefully), paying attention to the 'DS' line (configure a smart relay if necessary and try again). Make sure that you actually received this e-mail.
Step 2: forward 'root' e-mail to your mailbox:
echo 'your_address' > ~root/.forward
echo test | mailx -v -s 'test2' root
After this you will receive the daily sanity check report, the daily security report and the monthly reports from this server.
Now you can start stage II: configuring the CCR and 'snmpstat' systems.
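As an added example (not part of the original guide), the following sh script does the pre-flight checks for the two mail steps above: it reads the relay host from the 'DS' line of sendmail.cf, and it writes root's .forward only when the file does not already contain the wanted address, so the setup can be re-run safely. The sendmail.cf fragment it runs on is constructed for the demonstration, and the addresses are placeholders.

```shell
#!/bin/sh
# Added example, not from the original guide: pre-flight checks for the two
# mail steps above. smart_relay prints the host named on the DS line of
# sendmail.cf (an empty DS line means no smart relay, so mail is delivered
# directly); set_forward writes root's .forward only when it does not already
# hold the wanted address, so re-running the setup never leaves duplicates.
#
# Usage on the real server:
#   smart_relay /etc/mail/sendmail.cf || echo "no smart relay configured"
#   set_forward ~root/.forward your_address
#   echo test | mailx -v -s 'test2' root

# Print the relay host from the first DS line, with surrounding [] removed.
# Exit status is 1 when the line is missing or empty.
smart_relay() {
    relay=$(sed -n '/^DS/{s/^DS//;s/^\[\(.*\)]$/\1/;p;}' "$1" | head -n 1)
    printf '%s\n' "$relay"
    [ -n "$relay" ]
}

# Write address $2 into forward file $1 unless it is already there.
# Prints "written" or "unchanged". sendmail refuses a .forward that is
# group- or world-writable, so the file is created under a restrictive umask.
set_forward() {
    fwd=$1 addr=$2
    if [ -f "$fwd" ] && [ "$(cat "$fwd")" = "$addr" ]; then
        echo "unchanged"
        return 0
    fi
    (umask 077; printf '%s\n' "$addr" > "$fwd") || return 1
    echo "written"
}

# Constructed sendmail.cf fragment (not a real configuration file).
write_sample_cf() {
    cat > "$1" <<'EOF'
# "Smart" relay host (may be null)
DS[relay.example.test]
# who I masquerade as (null for no masquerading)
DM
EOF
}

# Stand-alone demonstration on the constructed fragment and a scratch .forward file.
demo_mail_checks() {
    cf=$(mktemp) || return 1
    fw=$(mktemp) || return 1
    write_sample_cf "$cf"
    echo "smart relay: $(smart_relay "$cf")"
    echo "first run:  $(set_forward "$fw" admin@example.test)"
    echo "second run: $(set_forward "$fw" admin@example.test)"
    rm -f "$cf" "$fw"
}

demo_mail_checks
```

The relay check only tells you what sendmail.cf says; the test message in Step 1 is still the real proof, because a relay that is named but unreachable fails in the same way as no relay at all.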