Showing posts with label tips.

Enabling logging in MySQL

| Friday, November 04, 2011

Create a log directory for MySQL, for example:
mkdir /var/log/mysql
chown mysql:mysql /var/log/mysql

Add the following lines to the MySQL configuration file, my.cnf:

[mysqld_safe]
log-error=/var/log/mysql/error.log

# The MySQL server
[mysqld]
log-error=/var/log/mysql/error.log

Restart MySQL. Afterwards SHOW VARIABLES LIKE 'log_error' should report the new path; if it still shows the old location, the server read a different my.cnf than the one you edited (mysqld --help --verbose lists the files it looks at, in order). This only turns on the error log; the general query log and the slow query log are separate options (general_log, slow_query_log) and have their own cost on a busy server.
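The steps above (directory, ownership, the two config sections, restart, verify) as one idempotent script. This is an added example, not code from the original post; the my.cnf path, the rc script name mysql-server and the mysql user are assumptions to adjust for your platform, and the script only touches the system when run with APPLY=1.

```sh
#!/bin/sh
# Added example, not from the original post: the MySQL log steps as an idempotent
# script. CNF, LOGDIR and the rc script name are assumptions; adjust per platform.

CNF=${CNF:-/usr/local/etc/my.cnf}
LOGDIR=${LOGDIR:-/var/log/mysql}
LOGFILE=$LOGDIR/error.log

# ensure_log_error CNF SECTION LOGFILE
# Writes "log-error=LOGFILE" into [SECTION] of CNF. An existing log-error (or
# log_error) line in that section is replaced, duplicates are dropped, and the
# section is appended when it does not exist. Running it twice changes nothing.
ensure_log_error() {
    cnf=$1 section=$2 logfile=$3
    tmp=$(mktemp) || return 1
    awk -v sec="[$section]" -v val="log-error=$logfile" '
        /^[ \t]*\[/ {                                  # a section header
            if (insec && !done) { print val; done = 1 } # leaving target section: add line
            h = $0; gsub(/[ \t]/, "", h)
            insec = (h == sec); if (insec) seen = 1
        }
        insec && /^[ \t]*log[-_]error([ \t]*=|[ \t]*$)/ { # existing line in target section
            if (!done) { print val; done = 1 }          # first one is replaced
            next                                        # later ones are dropped
        }
        { print }
        END {
            if (!seen)               { print sec; print val }  # section missing: append it
            else if (insec && !done) print val                 # target was the last section
        }
    ' "$cnf" > "$tmp" && cat "$tmp" > "$cnf"   # cat keeps the inode and permissions of CNF
    rc=$?
    rm -f "$tmp"
    return $rc
}

main() {
    mkdir -p "$LOGDIR"
    chown mysql:mysql "$LOGDIR"
    chmod 750 "$LOGDIR"
    ensure_log_error "$CNF" mysqld_safe "$LOGFILE"
    ensure_log_error "$CNF" mysqld "$LOGFILE"
    service mysql-server restart           # FreeBSD rc name; Linux: service mysql restart
    mysql -e "SHOW VARIABLES LIKE 'log_error'"   # the server reports the path it really uses
}

if [ "${APPLY:-0}" = 1 ]; then main; fi
```

Run with APPLY=1 as root once the paths match the host; without APPLY it only defines the functions, which is how the config editing can be tried on a copy of my.cnf first.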

Blocking HTTP brute force with PF

| Wednesday, June 22, 2011

Picked up something new from a discussion with the admin next door and from reading the PF manual.
The rules are as follows:

int_if = "bce0"
table <bruteforces> persist
pass quick from 10.10.3.0/29
block quick from <bruteforces>

pass in on $int_if proto { tcp } from any to 10.10.7.4 port 80 flags S/SA keep state \
    (max-src-conn 2, max-src-conn-rate 5/5, overload <bruteforces> flush global)

Explanation, from pf.conf(5):
max-src-conn number
Limit the maximum number of simultaneous TCP connections which have completed the 3-way handshake that a single host can make.

max-src-conn-rate number / interval
Limit the rate of new connections to a certain amount per time interval.

For a layman like me this was really hard to understand, sob..
So I just tested it with the rule above, as follows:

I opened http://10.10.7.4 in 5 Firefox tabs and reloaded them all at the same time. The page could still be opened.
But when I opened 6 pages of http://10.10.7.4, whether in a different browser or the same one, and then checked:

# pfctl -t bruteforces -T show
10.10.7.1

my IP had been caught by the rule.

Then I tried changing the rule:
pass in on $int_if proto { tcp } from any to 10.10.7.4 port 80 flags S/SA keep state \
    (max-src-conn 1, max-src-conn-rate 5/5, overload <bruteforces> flush global)

with max-src-conn set to just 1.

I opened http://10.10.7.4 in a single Firefox tab and then opened the same page in Chrome.
The result:
# pfctl -t bruteforces -T show
10.10.7.1

I also tried from a different IP, and the second IP got caught straight away:

# pfctl -t bruteforces -T show
10.10.7.10

What the tests come down to, read together with pf.conf(5):
max-src-conn : the number of established TCP connections a single source IP may hold at the same time. One page load in a browser already opens several connections, and every extra tab or second browser adds more, which is why a limit of 1 or 2 catches an ordinary visitor after one or two page loads. Measure what your site needs before picking a number; for a normal web server it is well above 2.
max-src-conn-rate a/b : at most a new connections from one source IP within b seconds; 5/5 means the sixth connection attempt inside five seconds trips the rule.
Both counters are kept per source address, not globally: the second client was added to the table on its own, with its own counters. The pass quick line for 10.10.3.0/29 is what keeps the admin network out of the table.
There is also max-src-node, which limits how many distinct source IPs may have states through the rule at once; it is not suitable for a public web site.
Two operational points: hosts added by overload stay in the table until removed, so expire them from cron (pfctl -t bruteforces -T expire 86400) or delete one by hand with -T delete; and flush global tears down every state from the offending host, its SSH or mail sessions included, not only the HTTP ones.
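A small helper for living with the table afterwards, added here and not part of the original post: it wraps the pfctl table commands and refuses to add by hand any address covered by a whitelist that mirrors the pass quick rule above. The table name bruteforces comes from the rules; the whitelist contents and the one-day expiry are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post: a helper around the <bruteforces>
# table. WHITELIST mirrors the "pass quick from 10.10.3.0/29" rule so an admin
# address is never added to the table by hand. EXPIRE is an assumption.

TABLE=bruteforces
WHITELIST="10.10.3.0/29 127.0.0.1/32"
EXPIRE=${EXPIRE:-86400}       # seconds an entry may live before the cron job removes it

# ip2int A.B.C.D -> unsigned integer
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( a * 16777216 + b * 65536 + c * 256 + d ))
}

# in_cidr IP NET/PREFIX -> success when IP lies inside the network
in_cidr() {
    ip=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    bits=${2#*/}
    [ "$bits" -eq 0 ] && return 0                    # /0 matches everything
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# bf_whitelisted IP -> success when IP is covered by WHITELIST
bf_whitelisted() {
    for net in $WHITELIST; do
        in_cidr "$1" "$net" && return 0
    done
    return 1
}

bf_block() {                  # add a host by hand, refusing whitelisted ones
    if bf_whitelisted "$1"; then
        echo "refusing to block $1: it is inside the whitelist" >&2
        return 1
    fi
    pfctl -t "$TABLE" -T add "$1"
}
bf_unblock() { pfctl -t "$TABLE" -T delete "$1"; }
bf_list()    { pfctl -t "$TABLE" -T show; }
bf_expire()  { pfctl -t "$TABLE" -T expire "$EXPIRE"; }   # run this one from cron

case "${1:-}" in
    block)   bf_block "$2" ;;
    unblock) bf_unblock "$2" ;;
    list)    bf_list ;;
    expire)  bf_expire ;;
esac
```

Before loading a changed rule set, pfctl -nf /etc/pf.conf parses it without applying it; the table line and the overload reference must name the same table or pfctl rejects the file.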

Building a server from scratch with FreeBSD (part 1)

| Friday, March 18, 2011

1. Kernel optimisation
After installation, the thing to look at is compiling a custom kernel.
Drop the devices you do not need: unused Ethernet drivers, PCMCIA and so on.
1. Disable IPv6 (only if nothing on the box will use it; leaving the stack in and firewalling it is the alternative)
2. Disable NFS

Additional options that could be added to the kernel:

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_FORWARD
options IPFIREWALL_DEFAULT_TO_ACCEPT
options DUMMYNET
options IPFILTER
options IPFILTER_LOG

#### PF OPTION ####
device pf
device pflog
device pfsync

Note that this list compiles in three packet filters (ipfw, IPFilter and PF). Pick the one you actually use; the PF post above uses pf. IPFIREWALL_DEFAULT_TO_ACCEPT also flips ipfw's default policy from deny to accept, so a forgotten rule set lets everything through. All three are available as loadable modules, so leaving the unused ones out of the kernel costs nothing.

2. Configuring sshd
ee /etc/ssh/sshd_config

Port 1234
Protocol 2
MaxAuthTries 2
MaxSessions 8
PermitRootLogin no
#StrictModes yes
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
PermitEmptyPasswords no
UseDNS no
Banner none
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
AllowUsers user1 user2

A few notes on these settings. Moving the port cuts down log noise from scanners but is not a security control in itself. MaxAuthTries counts every authentication attempt, including each public key the client offers, so a value of 2 can lock out a user whose agent holds several keys; 3 or 4 is more forgiving. Banner none is already the default, and Protocol 2 only matters on releases that still ship SSH-1 support (newer OpenSSH ignores the line). Once keys are deployed, uncomment PubkeyAuthentication yes and add PasswordAuthentication no. Check the file with sshd -t before restarting, and keep the current session open until a second login has succeeded.

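An added example (not from the original post): a shell lint that reads an sshd_config and reports settings that differ from the hardening above. It follows two sshd parsing rules that are easy to get wrong by eye: the first occurrence of a keyword wins, and everything after a Match line is conditional. The PasswordAuthentication no check is the example's own addition, not a line in the configuration above, and the ceiling of 4 on MaxAuthTries is the example's choice.

```sh
#!/bin/sh
# Added example, not from the original post: lint an sshd_config against the
# settings above. "PasswordAuthentication no" and the MaxAuthTries ceiling of 4
# are this example's choices, not lines from the original configuration.

# sshd_setting FILE KEYWORD -> the effective global value of KEYWORD (empty if unset)
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { gsub(/[ \t]*=[ \t]*/, " "); $0 = $0 }     # "Key=value" -> "Key value"
        /^[ \t]*#/ || NF == 0 { next }              # comments and blank lines
        tolower($1) == "match" { inmatch = 1 }      # rest of the file is conditional
        inmatch { next }
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }   # first wins
    ' "$1"
}

AUDIT_FAILS=0
# expect_setting FILE KEYWORD WANT -> records a failure when the effective value differs
expect_setting() {
    got=$(sshd_setting "$1" "$2")
    if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" != "$3" ]; then
        echo "FAIL $2: have '${got:-<unset, compiled-in default applies>}', want '$3'"
        AUDIT_FAILS=$((AUDIT_FAILS + 1))
    fi
}

# audit_sshd FILE -> one FAIL line per problem; returns the number of failures
audit_sshd() {
    f=$1; AUDIT_FAILS=0
    expect_setting "$f" PermitRootLogin no
    expect_setting "$f" PermitEmptyPasswords no
    expect_setting "$f" UseDNS no
    expect_setting "$f" PasswordAuthentication no
    tries=$(sshd_setting "$f" MaxAuthTries)
    if [ -z "$tries" ] || [ "$tries" -gt 4 ]; then
        echo "FAIL MaxAuthTries: have '${tries:-<unset>}', want 4 or fewer"
        AUDIT_FAILS=$((AUDIT_FAILS + 1))
    fi
    if [ -z "$(sshd_setting "$f" AllowUsers)" ]; then
        echo "FAIL AllowUsers: no allow list, every account with a shell may try to log in"
        AUDIT_FAILS=$((AUDIT_FAILS + 1))
    fi
    return $AUDIT_FAILS
}

# sshd_syntax_ok FILE -> let the daemon itself parse the file (needs host keys readable)
sshd_syntax_ok() { sshd -t -f "$1"; }

if [ -n "${1:-}" ] && [ -f "$1" ]; then
    audit_sshd "$1"
fi
```

Run it as audit.sh /etc/ssh/sshd_config before a restart; a non-zero exit is the number of checks that failed. sshd_syntax_ok is kept separate because sshd -t needs to read the host keys, so it has to run as root.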

3. Configuring /etc/ttys
# If console is marked "insecure", then init will ask for the root password
# when going to single-user mode.
console none unknown off insecure
#
ttyv0 "/usr/libexec/getty Pc" cons25 on secure
# Virtual terminals
ttyv1 "/usr/libexec/getty Pc" cons25 on secure
ttyv2 "/usr/libexec/getty Pc" cons25 on secure
#ttyv3 "/usr/libexec/getty Pc" cons25 on secure
#ttyv4 "/usr/libexec/getty Pc" cons25 on secure
#ttyv5 "/usr/libexec/getty Pc" cons25 on secure
#ttyv6 "/usr/libexec/getty Pc" cons25 on secure
#ttyv7 "/usr/libexec/getty Pc" cons25 on secure
ttyv8 "/usr/local/bin/xdm -nodaemon" xterm off secure

Marking the console insecure makes init ask for the root password before dropping into single-user mode. The secure flag on ttyv0-2 allows root to log in directly on those virtual consoles; set them to insecure as well if root should always come in through su. The unused ttyv3-7 are simply switched off. After editing, kill -HUP 1 makes init re-read the file.

Dru Lavigne's suggestions:

General Hardening Tips

• restricting ssh access using the AllowUsers keyword in /etc/ssh/sshd_config
• using chflags to set the schg flag on system binaries and configuration files that don't require modifications
• implementing a file integrity checking system such as tripwire (http://www.tripwire.com), aide (http://www.cs.tut.fi/~rammer/aide.html) or implementing your own using mtree
• changing /etc/motd removing the COPYRIGHT notice
• subscribing to the FreeBSD security advisories mailing list (http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications)
• reviewing mount(8) to see if any options are applicable to your filesystems
• reviewing your sysctl(8) settings; http://sysctl.enderunix.org/ provides some helpful descriptions
• reviewing your rc.conf(5) settings
Finally, do:
• read root's emails daily and have a log review action plan
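As an added example for the "implement your own using mtree" item above (not code from the original post or from Dru Lavigne): a baseline-and-compare integrity check built on sha256 so it runs wherever mtree is absent. It records content hashes only; mtree's own specification also covers mode, owner and flags, so on FreeBSD itself prefer the mtree commands in the note below. The directory layout and temporary file handling are the example's own.

```sh
#!/bin/sh
# Added example, not from the original post: baseline-and-compare integrity check
# using sha256 as a portable stand-in for mtree. Content hashes only; mtree also
# records mode, owner and flags.

# hash_file PATH -> hex sha256, with whichever tool the system has
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                              # FreeBSD base
    else
        openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

# integrity_baseline DIR OUT -> writes "hash path" for every regular file under DIR
integrity_baseline() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          printf '%s %s\n' "$(hash_file "$f")" "$f"
      done ) > "$2"
}

# integrity_check DIR BASELINE -> prints CHANGED/ADDED/REMOVED lines, exit 1 if any
integrity_check() {
    cur=$(mktemp) || return 2
    integrity_baseline "$1" "$cur"
    awk '
        { h = $1; p = substr($0, length(h) + 2) }   # path may contain spaces
        FILENAME == ARGV[1] { base[p] = h; next }   # first file: the stored baseline
        { now[p] = h }                              # second file: the fresh scan
        END {
            for (p in base)
                if (!(p in now))            { print "REMOVED " p; n++ }
                else if (base[p] != now[p]) { print "CHANGED " p; n++ }
            for (p in now)
                if (!(p in base))           { print "ADDED " p; n++ }
            exit n ? 1 : 0
        }
    ' "$2" "$cur"
    rc=$?
    rm -f "$cur"
    return $rc
}

case "${1:-}" in
    baseline) integrity_baseline "$2" "$3" ;;   # integrity.sh baseline /usr/sbin /var/db/usr_sbin.sha
    check)    integrity_check "$2" "$3" ;;      # integrity.sh check /usr/sbin /var/db/usr_sbin.sha
esac
```

On FreeBSD itself, mtree -c -K sha256digest -p /usr/sbin > /var/db/usr_sbin.mtree writes the baseline and mtree -p /usr/sbin < /var/db/usr_sbin.mtree verifies it. In both cases keep the baseline off the host or on read-only media, or an intruder regenerates it after replacing a binary. The schg flag from the same list only bites once kern.securelevel is 1 or higher; below that root can simply run chflags noschg.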

Disabling telnet in inetd

| Thursday, March 25, 2010

Type the following command (Debian and derivatives):

# /usr/sbin/update-inetd --disable telnet

update-inetd comments the entry out in /etc/inetd.conf with a #<off># prefix and reloads inetd. Check afterwards that nothing listens on port 23 any more (netstat -an | grep :23 on Linux, sockstat -4l on FreeBSD).

Managing startup services

|

To remove a service from startup on Linux (Debian-style init) there are a couple of ways:

1. # update-rc.d -f NAMEOFSERVICE remove
example:
# update-rc.d -f exim4 remove

2. Install rcconf
# apt-get install rcconf
wait for it to finish, then type:
# rcconf

Just check/uncheck what you do not need, a bit like msconfig..

Note that remove deletes the rc symlinks and the next package upgrade may put them back; update-rc.d exim4 disable keeps them as K links and survives upgrades (Debian 6 and later).

On FreeBSD, just check /etc/rc.conf (the *_enable="YES" lines) or the scripts in /usr/local/etc/rc.d.

Okay.. enjoy..

bunuh semua!!

| Friday, March 19, 2010

To kill every process of a given daemon:

ps -ax | grep "[/]usr/local/sbin/httpd" | awk '{print $1}' | xargs kill

or, if you want to see the process owner as well:

ps -aux | grep "[/]usr/local/sbin/httpd" | awk '{print $2}' | xargs kill


NB: the only difference is the awk column. The [/] in the pattern stops grep from matching its own command line (the bracket expression is not what appears in the ps output), which the plain string would do, leaving a "No such process" error from kill.
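An added example, not from the original post: the same job with pgrep -f instead of ps | grep | awk, a grace period between TERM and KILL, and a final check that the processes are really gone. For Apache specifically apachectl stop or graceful remains the better tool, since killing only the children makes the parent fork new ones. The pattern is pgrep's extended regular expression over the full command line; the default grace period is the example's choice.

```sh
#!/bin/sh
# Added example, not from the original post: kill every process whose command
# line matches a pattern, with a TERM -> wait -> KILL escalation and a final
# check. Needs pgrep (base on FreeBSD, procps on Linux).

# kill_by_cmd PATTERN [GRACE_SECONDS] -> TERM matching processes, KILL the survivors
kill_by_cmd() {
    pattern=$1 grace=${2:-5}
    # exclude the shell running this function: its own command line may carry the
    # pattern too, e.g. when the script was started with it as an argument
    pids=$(pgrep -f "$pattern" | grep -vx "$$") || {
        echo "kill_by_cmd: nothing matches '$pattern'" >&2
        return 1
    }
    echo "TERM ->" $pids >&2
    kill -TERM $pids 2>/dev/null
    i=0
    while [ "$i" -lt "$grace" ]; do
        alive=$(pgrep -f "$pattern" | grep -vx "$$") || return 0   # all gone
        sleep 1
        i=$((i + 1))
    done
    echo "KILL ->" $alive >&2
    kill -KILL $alive 2>/dev/null
    sleep 1
    ! pgrep -f "$pattern" | grep -vx "$$" >/dev/null
}

case "${1:-}" in
    kill) kill_by_cmd "$2" "${3:-5}" ;;      # killall.sh kill '^/usr/local/sbin/httpd' 10
esac
```

pkill -f '^/usr/local/sbin/httpd' does the first step in one command when you do not care whether the processes honoured the signal; the function above is for the case where you need to know.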

mounting...

| Wednesday, March 17, 2010

If FreeBSD suddenly stalls and drops you at the mountroot> prompt, what then?
1. Check the hard disk cable: is the disk attached as primary?
2. Check the hard disk jumper: master or slave, as it was at installation time.
At the prompt you can also name the root device by hand, for example ufs:/dev/ad0s1a, to get the system up and then fix /etc/fstab.

If the system comes up in single-user mode, the root filesystem is mounted read-only. To edit /etc/fstab and fix the mount points, remount it read-write first (run fsck -p beforehand if the filesystem was not cleanly unmounted):

mount -u -o rw /dev/ad0s1a /    (remounts root read-write; adjust the partition name)

sunlink

| Thursday, November 26, 2009

Sunlink is not a brand of soap or shampoo..
On FreeBSD the sunlink flag blocks deletion: no user, root included, can delete or rename a file that carries it.

The command:
# chflags sunlink ojodidel.txt

To turn it off:

# chflags nosunlink ojodidel.txt

Two things to keep in mind: the flag protects the name, not the contents (the file can still be edited; schg does both), and root can only clear it while kern.securelevel is 0 or lower. At a higher securelevel the file stays undeletable until the next reboot into a lower level.

My shell?

| Saturday, November 17, 2007

To find out which shell you are using, type:
# echo $SHELL
/bin/csh

or use this command:

office-mlg# ps -p $$
PID TT STAT TIME COMMAND
59155 p0 S 0:00.04 /bin/csh

($SHELL is the login shell from the password database; ps -p $$ shows the shell actually running, which differs after su or after starting another shell by hand.)

To see which shells are available on your FreeBSD box, type:
# more /etc/shells
/bin/sh
/bin/csh
/bin/tcsh
/usr/local/bin/bash

One more tip.. try:

chmod 0750 "$(which curl)" 2>&-; chmod 0750 "$(which fetch)" 2>&-; chmod 0750 "$(which wget)" 2>&-

This removes the execute bit for "other" on the usual download tools, so only root and the owning group (wheel for the base-system fetch) can pull files onto the box; 2>&- closes stderr so a tool that is not installed does not produce an error. It only raises the bar: a user with a compiler, perl or python can still fetch files, so treat it as a nuisance for drive-by scripts rather than as access control.

#!/bin/sh
# list the accounts that have an empty password field, then lock them
USERS="$(awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2 == "" {print $1}' /etc/master.passwd)"
for u in $USERS
do
    pw lock "$u"
done

Where
NF : the number of fields on the line (skip lines that do not have at least two)
$1 : the first field in /etc/master.passwd, the login name
$2 : the second field in /etc/master.passwd, the password hash
$1 !~ /^[#+-]/ : skips lines whose first field (the login name) starts with #, + or - (comments and NIS entries)

How does it work?
1) awk reads each line of /etc/master.passwd, splitting fields on the : symbol.
2) An account has no password when the password field ($2) is empty.
The file has to be /etc/master.passwd, so the script runs as root: /etc/passwd on FreeBSD carries a * in the password field and would never match.

Once you have found all such passwordless accounts, lock them with:
pw lock {username}

# pw lock s2099ms

To unlock an account:
pw unlock {username}

# pw unlock s2099ms

beastie tipz

| Wednesday, November 14, 2007

"ls -G", "ls -F" or "ls -FG"
-G colours the listing, -F appends a type marker (/ directory, * executable, @ symlink); combine them for both ;)

'set autolist'
In tcsh, automatically lists all possible completions when expanding a file or directory name.

'set autologout = 30'
Logs you out after 30 minutes idle (tcsh).

'set filec'
Enables file completion with TAB in tcsh.

'set watch = (0 any any)'
Reports users logging in and out.

set prompt = '%n@%m:%/%# '
Gives a prompt like rahm@server:/usr#; for a bold variant: set prompt = '[%B%m%b] %B%~%b%# '

grep "string" filename1 [filename2 filename3 ...]
Searches for a string in one or more files.

Aliases to shorten commands, in sh or bash:
alias lf="ls -FA"
alias ll="ls -lA"
alias su="su -m"

in csh or tcsh:
alias lf ls -FA
alias ll ls -lA
alias su su -m
Type 'alias' to list the aliases that are defined.

Look at /etc/rc to see how the system is brought up.

whereis 'progname'
Finds the binary, manual page and source directory of a program.

Ctrl-D
Exits/logs out of the shell.

"du -s * | sort -n"
Lists the entries of the current directory with their sizes, smallest first.

mixer
Adjusts the sound volume.

pkg_add -r
Automatically downloads and installs binary packages and their dependencies (pkg install on current releases).


Looking for a particular port? In /usr/ports type
"make search name=<program>"
or
"make search key=<keyword>"


swapinfo
Shows swap usage.

"zcat" or "zmore"
Read a compressed file without extracting it.

du /partition_or_directory_name | sort -rn | head
Shows the 10 largest entries in a directory or partition.

file filename
Tells you whether something is a text file, an executable or some other type.

col -bx < dosfile > newfile
Removes the ^M characters from a DOS text file.

lock -p
Locks the terminal (unlocked with your login password).

dig -x IP-address
Looks up the hostname of an IP address.

Add the following to your C shell startup to stop core files from being written (they can contain passwords and keys from the crashed process):
limit coredumpsize 0

"leave +hhmm"
Sets a reminder on the terminal.

"sockstat -4l"
Need to see which daemons are listening for connection requests? Use sockstat -4l for IPv4 and "sockstat -l" for IPv4 and IPv6.

": > filename"
Empties a file.

ls -R / | more
Lists the whole directory tree.


translated from : http://nixdoc.net/FreeBSD-Tips/

Deleting files by date

| Friday, October 26, 2007

find /directory -name "filename" -mtime +30 | xargs rm
or
find /directory -name "filename" -mtime +30 -type f -exec rm {} \;

Both find files matching the name that were last modified more than 30 days ago (31 days and older) and delete them. The second form is the safer one: xargs without -0 splits on whitespace, so a name containing a space becomes two arguments to rm.

-mtime n : true if the file was last modified n days ago, counted in whole 24-hour periods; +n means more than n days, -n means less than n days.
Type Description
b : A block special device file
c : A character special device file
d : A directory
f : A plain file
p : A named pipe (FIFO)
l : A symbolic link to a file
s : A socket
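An added example (not from the original post) that puts the find/rm idea into a function with the two things the one-liners lack: a dry run by default, and -exec ... {} + so file names go straight to rm and whitespace or odd characters cannot split them the way an unquoted xargs pipeline does. The argument order and the use of -xdev are the example's choices.

```sh
#!/bin/sh
# Added example, not from the original post: delete files older than N days,
# listing first and deleting only on request. Argument layout is this example's.

# prune_old_files DIR DAYS [GLOB] [apply]
#   lists regular files under DIR matching GLOB (default '*') whose mtime is more
#   than DAYS days old; deletes them only when the 4th argument is "apply"
prune_old_files() {
    dir=$1 days=$2 glob=${3:-*} mode=${4:-dry-run}
    [ -d "$dir" ] || { echo "prune_old_files: not a directory: $dir" >&2; return 2; }
    case $days in
        *[!0-9]*|'') echo "prune_old_files: DAYS must be a number" >&2; return 2 ;;
    esac
    if [ "$mode" = apply ]; then
        # -xdev keeps find on this filesystem (no wandering into a mounted backup);
        # -- protects rm from names that start with a dash; {} + batches the names
        find "$dir" -xdev -type f -name "$glob" -mtime +"$days" -exec rm -f -- {} +
    else
        find "$dir" -xdev -type f -name "$glob" -mtime +"$days"
    fi
}

case "${1:-}" in
    prune) prune_old_files "$2" "$3" "${4:-*}" "${5:-dry-run}" ;;   # prune.sh prune /var/log 30 '*.log' apply
esac
```

Run it once without apply and read the list; only then add apply. In cron the dry-run output makes a useful daily mail before the deletion is ever switched on.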

Tip

| Friday, October 05, 2007

In case of attacks, you can fiddle with the following values:

net.inet.tcp.msl (on my machine, 10000. default is 30000)
net.inet.tcp.keepidle (default 10000)
net.inet.tcp.keepintvl (default 7500)
net.inet.tcp/udp.blackhole (turn on for DoS)
net.inet.tcp.tcbhashsize (push up to a reasonable value)


--------------------------------------------------------------------------------

For a better performance, you should mess up with:

kern.ipc.somaxconn (my machine = 4096, default. 128)
kern.ipc.maxsockets
net.inet.ip.intr_queue_maxlen
kern.maxfiles (65535, 16424 as default)
vfs.vmiodirenable (set to 1, 0 is the default)
net.inet.tcp.sendspace (see tuning(7) for more explanations)
net.inet.tcp.recvspace
option NMBCLUSTERS in the kernel (check how many clusters you use with netstat -mb -- don't overtune it, on my busiest webservers the number of used clusters never went above 2256, so 8192 should be enough for all servers), and, of course, maxusers. Well, that era has ended. Right now I discovered a
2827/16384/16384 mbuf clusters in use (current/peak/max)
on a webserver, so I'm gonna bump it to 32k. Also, I'm going to reduce the net.inet.tcp.sendspace from 32k to 16k, because the web traffic means a lot of small files. In case you find out you're just about to run out of NMBCLUSTERS (ex. 6301/8100/8704 mbuf clusters in use (current/peak/max) -- on one of my servers), in case of a webserver, and cannot recompile a new kernel with a bumped NMBCLUSTERS, then set KeepAlive to off in your Apache, and this will save you some clusters by removing many FIN_WAIT_2 connections (More here).
kern.ipc.shm_use_phys -- turn to 1 if the main application of your server uses shared memory, it has improved the activity of my web server.
netstat -f inet can give you valuable information. For example, a lot of connections with Send-Q != 0 means that your server is storing data into the mbufs, because the uplink is saturated or (more often) the clients are too 'slow' to receive data. Non-null values for Recv-Q, on the other hand, mean that your server is too slow in serving the requests, which increases the number of mbufs for incoming connections.
net.inet.tcp.msl -- take it down from the default 30,000 to something like 10,000 or even less if you notice too many TIME_WAIT connections in netstat -f inet
net.inet.tcp.inflight_enable -- for bandwidth delay limiting (TCP connections). Read more about it in tuning(7).


--------------------------------------------------------------------------------

Firewalling with IPF gave me quite some problems, mostly related to the state table. The customers experienced some broken connections (browser hanging forever when loading up a page), even though the channel was not full (bandwidth-wise). What you can do in a situation like this is play with:

net.inet.ipf.fr_tcpidletimeout=7200 (I like to leave this higher, though, because it kills my idle ssh sessions on the servers as well -- and I hate logging in each other hour or so).
net.inet.ipf.fr_tcpclosewait=120
net.inet.ipf.fr_tcplastack=120
net.inet.ipf.fr_tcptimeout=240
net.inet.ipf.fr_tcpclosed=60
net.inet.ipf.fr_tcphalfclosed=300
net.inet.ipf.fr_udptimeout=90
net.inet.ipf.fr_icmptimeout=35
More about these values here.
You can check how many states are active by looking into the output of ipfstat -s (active). I experienced values growing from 0 to approx. 4000 and then 0 again, which meant the state table got full, and was reset. You can also carefully increment the number of states in '/usr/include/netinet/ip_state.h' (IPSTATE_SIZE and IPSTATE_MAX -- in my case IPSTATE_MAX was set to 4013, which made the table reset like I said before, at a value approx. equal to 4000). You have to set these two values at reasonable values (not too high, don't overtune!), they need to be prime values, and IPSTATE_MAX should be approx. 70% of IPSTATE_SIZE. More info can be found here.
One other thing that one might do is remove any unnecessary 'keep state's from the firewall configuration. For example, Apache communicates with the clients on port 80 exclusively, so if you 'pass all from any to $my_host port = 80', then you don't need keep states.
As about the NAT using IPFilter, you might consider defining LARGE_NAT in src/contrib/ipfilter/ip_nat.h and src/sys/contrib/ipfilter/netinet/ip_nat.h.
One other problem that I had, having the same source, was that FTP transfers of a zillion+ files would just stall from time to time (after about 100 transferred files). Reason was that the state table was becoming full, and was 'cleaned up' by the kernel, which meant lost state. Freeing the unneeded 'keep states' from the firewall rules, and tweaking the parameters above made this problem disappear as well.
A very nice feature of FreeBSD's kernel is also the DEVICE_POLLING kernel option, which basically means that the system will not treat any interrupt coming from the network cards independently, but rather 'poll' the devices at certain intervals of time. That saves a lot of system activity. You might also consider tweaking with the "option HZ", and also enabling 'kern.polling.enable' and 'kern.polling.user_frac'. Unfortunately, DEVICE_POLLING works only with certain NICs, but I've experienced very good results with the Intel EtherExpress (fxp). You can see the performance on some snapshots of my firewall here.


--------------------------------------------------------------------------------

Special settings:

In order to run ipf and ipfw on the same machine (ipf for firewall, ipfw for traffic shaping), you can do the following:
ipf -f a_file, where a_file contains something like: "pass out quick proto tcp from x.x.x.x to y.y.y.y port = z flags S keep state"
ipfw add pipe 10 ip from x.x.x.x to y.y.y.y
ipfw pipe 10 config bw 10Kbit/s queue 50KBytes


http://www.nsrc.org/freebsd-tips.html