Creating a Headless Application Server
Purpose:
I suppose I get a little paranoid about users, including network managers, accessing a server on the physical machine.
I understand that they can screw up a system remotely; however, I feel that it is at least a little safer to not allow people to touch a server.
FreeBSD gives me the advantage of starting out with no GUI and no console access.
I set up a splash screen with our company's logo.
I know it only takes a keystroke to make the screen go away, but it is at least one more step that makes them stop and think about what they are about to do.
I have also never figured out why a server needs to use so much of the system's resources.
To me a server should be doing as little unnecessary stuff as possible.
This is one reason I prefer to use FreeBSD.
Even with the default settings, FreeBSD starts fewer processes (around 23) than any Windows server and, from what I can tell, most Linux distributions as well.
When I configure FreeBSD in appliance mode, before I set up the applications that I want to run on the server, approximately 10 processes run when the computer starts.
This document will explain the steps to turn FreeBSD into a Headless Appliance Server.
It is assumed that the operating system has already been installed with the network configured by DHCP, and that the server can be reached with an SSH client.
We will be:
- changing the IP address of the server to 192.168.0.2/24 with 192.168.0.1 as the router,
- using a PCX splash screen,
- removing access to the console, and
- stopping the internal email processes.
Changing the IP address
While DHCP can reserve an address for a particular server, it is more common to give a server a static IP so that it stays reachable even when the DHCP server is not running.
FreeBSD keeps its network settings in the file /etc/rc.conf.
The file is sourced as a shell script, so when the same variable is assigned more than once the last assignment wins: a DHCP setting near the top is simply replaced by a static ifconfig line appended further down.
You could therefore just append the directives to the end of the file and the address would be set correctly.
I personally do not like leaving unused directives in the file, so I will explain how to edit it in place.
It should be noted that my setup is a VirtualBox guest on a Windows 7 computer, and the network interface FreeBSD sees is em0 (the em(4) driver).
You will need to find the interface name your own computer uses.
If networking was set up during installation, grep ifconfig /etc/rc.conf shows it; ifconfig -l lists every interface the kernel has attached.
If the network was not set up when the operating system was loaded, dmesg | grep -i ethernet shows which driver probed the card.
You can edit the file with any text editor; I will be using sed.
The form of the command is sed -i '' 's/search string/replace string/g' file.
This tells sed to edit the file in place without keeping a backup (-i '', the empty backup suffix that FreeBSD's sed requires; GNU sed takes the suffix attached to -i, so on Linux the empty argument is omitted), to substitute (s/) the search string with the replace string, and to do so for every instance on a line (/g).
Remember to escape characters that are special to sed or to the shell, such as / . * and ", with a backslash (\), or the pattern will not do what you expect.
To change the IP address and default router (note the /24 netmask of 255.255.255.0; a netmask of 255.255.255.255 would put the router outside the server's own network and make it unreachable) you can issue the commands:
sed -i '' 's/^ifconfig_em0.*/ifconfig_em0="inet 192.168.0.2 netmask 255.255.255.0"/' /etc/rc.conf
sed -i '' 's/^defaultrouter.*/defaultrouter="192.168.0.1"/' /etc/rc.conf
sed only replaces a line that already exists, and an installation that used DHCP usually has no defaultrouter line at all, so check the result with grep -E '^(ifconfig_em0|defaultrouter)' /etc/rc.conf and append the missing line with echo 'defaultrouter="192.168.0.1"' >> /etc/rc.conf if it is not there.
The change takes effect at the next boot, or immediately with service netif restart em0 followed by service routing restart; if you are connected over SSH to the DHCP-assigned address that session will drop, so be ready to reconnect to 192.168.0.2.
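The script below is an added example and not part of the original article. It derives the netmask from a prefix length, refuses a router address that is not inside the server's subnet (which is exactly the kind of slip a mistyped 192.169.0.1 for 192.168.0.1 would be), appends the static-address directives to an rc.conf-style file, and reads the value back the way /etc/rc does by sourcing the file, which shows that the last assignment wins over an earlier DHCP line. It runs on a constructed copy of rc.conf so it can be tried anywhere; on the server itself point it at /etc/rc.conf and pass your own interface name (em0 is assumed here from the VirtualBox setup above).

```sh
#!/bin/sh
# Added example (not from the original article): netmask from a prefix length,
# a subnet sanity check on the router, and rc.conf "last assignment wins".
# RC below is a constructed stand-in for /etc/rc.conf; em0 is an assumption.

# prefix_to_netmask PREFIX: 24 -> 255.255.255.0, 25 -> 255.255.255.128
prefix_to_netmask() {
    bits=$1; mask=""
    for i in 1 2 3 4; do
        if [ "$bits" -ge 8 ]; then
            n=255; bits=$((bits - 8))
        else
            n=$(( (255 << (8 - bits)) & 255 )); bits=0
        fi
        mask="${mask}${mask:+.}${n}"
    done
    echo "$mask"
}

# ip_to_int A.B.C.D: dotted quad to a 32-bit integer (subshell keeps IFS local)
ip_to_int() (
    IFS=.; set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# same_subnet ADDR ROUTER PREFIX: exit 0 if both fall in the same /PREFIX
same_subnet() {
    m=$(( (4294967295 << (32 - $3)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & m )) -eq $(( $(ip_to_int "$2") & m )) ]
}

# write_static ADDR PREFIX ROUTER IFACE FILE: append the two directives.
# rc.conf is sourced as a shell script, so the last assignment of
# ifconfig_IFACE wins and an earlier ifconfig_IFACE="DHCP" line is overridden.
write_static() {
    if ! same_subnet "$1" "$3" "$2"; then
        echo "refusing: router $3 is not inside $1/$2" >&2
        return 1
    fi
    printf 'ifconfig_%s="inet %s netmask %s"\ndefaultrouter="%s"\n' \
        "$4" "$1" "$(prefix_to_netmask "$2")" "$3" >> "$5"
}

# effective_value FILE NAME: source FILE the way /etc/rc does and print NAME
effective_value() ( . "$1"; eval "printf '%s\n' \"\$$2\"" )

RC=$(mktemp)    # constructed stand-in for /etc/rc.conf after a DHCP install
cat > "$RC" <<'EOF'
hostname="appliance.example"
ifconfig_em0="DHCP"
EOF

write_static 192.168.0.2 24 192.168.0.1 em0 "$RC"
effective_value "$RC" ifconfig_em0   # inet 192.168.0.2 netmask 255.255.255.0
effective_value "$RC" defaultrouter  # 192.168.0.1

# A router typed as 192.169.0.1 is outside 192.168.0.0/24 and is rejected:
write_static 192.168.0.2 24 192.169.0.1 em0 "$RC" || echo "bad router rejected"
```

Appending is enough because of the sourcing rule, but if you prefer a file without a dead DHCP line, use the sed commands above to replace it instead.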
Configuring a Splash Screen
As I stated earlier, we use a PCX file of our company's logo for a splash screen for all of our FreeBSD servers.
You should copy the file to a suitable path; for this demonstration I am placing a copy in the /boot directory.
The requirements for the splash screen picture are:
- must be in either PCX or BMP format
- 256 colors (an 8-bit palette)
- without the VESA driver loaded the picture can only be 320 x 200
- with the VESA driver loaded the picture can be up to 1024 x 768
Once the file is on the server you need to create or edit the file /boot/loader.conf.local.
By default the file does not exist.
If present, the loader reads it after /boot/loader.conf, and its settings add to or override what is in loader.conf.
You do not want to edit loader.conf itself: it may be rewritten when the system is upgraded, and a mistake in it can leave the machine unable to boot.
echo 'bitmap_load="YES"' >>/boot/loader.conf.local
echo 'splash_pcx_load="YES"' >>/boot/loader.conf.local
echo 'bitmap_name="/boot/Logo.pcx"' >>/boot/loader.conf.local
Care needs to be taken when playing around with the drivers; it is possible to make the system unstable to the point where it is faster to reload than to recover.
With FreeBSD 10.1, the VESA driver needed to be loaded to support a larger logo:
echo 'vesa_load="YES"' >> /boot/loader.conf.local
With FreeBSD 11, the VESA driver does not need to be loaded and will cause problems if you attempt it. On the other hand, the default console driver in FreeBSD 11 is vt(4), and the splash screen only works with syscons, so the loader must be told to use sc instead:
echo 'kern.vty="sc"' >> /boot/loader.conf.local
The commands are the same if you are using a BMP file, except that splash_pcx_load becomes splash_bmp_load.
Remove Console Access
Before you do this you will need to make certain you can access the server remotely; you may want Webmin set up as well as SSH.
If you are relying on SSH, confirm that sshd_enable="YES" is in /etc/rc.conf and that a user in the wheel group can log in and su to root (root logins over SSH are refused by default), and keep that session open while you test a fresh one after the change.
If there comes a time when you must work at the console, you can still reboot the server into single-user mode, which gives a root shell on the console without any getty.
This operation requires us to edit the /etc/ttys file. As with the other operations, you can use any text editor you want; I will provide the sed command to make the changes.
The objective is to comment out every line that starts with the letters ttyv by adding a hash # at the beginning of the line; the pattern is anchored with ^ so that an already-commented line is not commented twice and a comment that merely mentions ttyv is left alone.
Later you may decide to uncomment one of the lines to allow some access.
If you leave ttyv0 commented and uncomment ttyv1, you can use the Alt+F2 combination to switch to the console that allows logins, while the screen the server boots to has no login prompt.
sed -i '' 's/^ttyv/#&/' /etc/ttys
kill -HUP 1
The kill -HUP 1 makes init(8) re-read /etc/ttys and stop the getty processes straight away; otherwise the change waits for the next reboot. Confirm with pgrep -l getty that none are left running.
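The script below is an added example and not part of the original article. It comments out the virtual console entries of a ttys(5)-style file with an anchored pattern, so that running it twice never produces "##ttyv" lines and a comment that happens to mention ttyv is untouched, then re-enables a single console and counts what init would still read. It runs on a constructed copy of the relevant /etc/ttys lines; on the server use /etc/ttys and follow up with kill -HUP 1.

```sh
#!/bin/sh
# Added example (not from the original article): idempotent disabling of the
# ttyv consoles in a ttys(5) file, plus re-enabling one of them.
# TTYS below is a constructed stand-in for /etc/ttys.

# disable_vty FILE: comment out every active ttyv line (anchored, idempotent)
disable_vty() {
    sed 's/^ttyv/#&/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# enable_vty FILE NAME: uncomment one console, e.g. ttyv1, reached with Alt+F2
enable_vty() {
    sed "s/^#\($2[[:space:]]\)/\1/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# active_vty FILE: number of ttyv entries init(8) would still read
active_vty() {
    awk '/^ttyv/ { n++ } END { print n + 0 }' "$1"
}

# doubled_vty FILE: number of lines commented twice (should stay 0)
doubled_vty() {
    awk '/^##ttyv/ { n++ } END { print n + 0 }' "$1"
}

TTYS=$(mktemp)   # constructed stand-in for the ttyv part of /etc/ttys
cat > "$TTYS" <<'EOF'
# name  getty                          type   status   comments
console none                           unknown off secure
ttyv0   "/usr/libexec/getty Pc"        xterm  onifexists secure
# Virtual terminals (ttyv1 is Alt+F2, ttyv2 is Alt+F3, ...)
ttyv1   "/usr/libexec/getty Pc"        xterm  on  secure
ttyv2   "/usr/libexec/getty Pc"        xterm  on  secure
ttyv8   "/usr/local/bin/xdm -nodaemon" xterm  off secure
EOF

disable_vty "$TTYS"
disable_vty "$TTYS"          # second run changes nothing
enable_vty "$TTYS" ttyv1     # logins only on Alt+F2; the default screen stays login-free
active_vty "$TTYS"           # 1
```

An unanchored s/ttyv/#ttyv/g would, on the same input, turn the "# Virtual terminals" comment into "# Virtual terminals (#ttyv1 ..." and produce "##ttyv" lines on a second run; the anchored form avoids both.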
Stopping Internal Email
One of the few services running on a newly installed FreeBSD server is sendmail.
It is there mainly so that periodic(8) and cron can deliver their reports to the root user.
Unfortunately, I do not log onto the server as root to check the messages.
I also do not need them in my regular e-mail, so I do not want the messages sent outbound.
I would still like to be able to read them to aid in troubleshooting if necessary.
To keep them, redirect the periodic reports to a file that can be examined later.
This example saves them to a local log file; they could just as well be shipped to a separate logging server.
There are three files to edit. The first is /etc/rc.conf, where we disable the sendmail services.
The second is /etc/periodic.conf, where we point the periodic(8) reports at the file /var/log/periodic.log; the defaults live in /etc/defaults/periodic.conf, but that file is replaced on upgrade and says at its top to put overrides in /etc/periodic.conf, so do not edit it directly (a global replacement of "root" in it would also clobber unrelated settings).
Finally we create /etc/src.conf so that sendmail is left out the next time the system is built from source; WITHOUT_SENDMAIL is the current spelling of the old NO_SENDMAIL make.conf knob, and it has no effect on binary updates, which still install sendmail (harmless while it is disabled in rc.conf).
All three files are created or appended to, so I will use echo for every change; note that the comment line must be quoted, or the shell treats the # as the start of a comment and nothing is written.
echo '# sendmail disabled' >> /etc/rc.conf
echo 'sendmail_enable="NO"' >> /etc/rc.conf
echo 'sendmail_submit_enable="NO"' >> /etc/rc.conf
echo 'sendmail_outbound_enable="NO"' >> /etc/rc.conf
echo 'sendmail_msp_queue_enable="NO"' >> /etc/rc.conf
echo 'daily_output="/var/log/periodic.log"' >> /etc/periodic.conf
echo 'weekly_output="/var/log/periodic.log"' >> /etc/periodic.conf
echo 'monthly_output="/var/log/periodic.log"' >> /etc/periodic.conf
echo 'daily_status_security_output="/var/log/periodic.log"' >> /etc/periodic.conf
echo 'WITHOUT_SENDMAIL=yes' >> /etc/src.conf
Stop the instances that are already running with service sendmail onestop (or reboot) and confirm with sockstat -l | grep sendmail that nothing is listening any more.
Once sendmail is off, anything else that mails root, such as the output of cron jobs, has nowhere to go, so redirect that output in the crontab as well, and give the new log file a newsyslog.conf entry so it gets rotated like the other logs.
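The script below is an added example and not part of the original article. It sets the four sendmail knobs in an rc.conf-style file idempotently (replacing the line if it is already there, appending it if not, so running it twice does not leave duplicate lines), points the periodic(8) reports at one log file, and verifies both by sourcing the files the same way rc(8) and periodic(8) do. It works on constructed copies; on the server the targets are /etc/rc.conf and /etc/periodic.conf, never the files under /etc/defaults.

```sh
#!/bin/sh
# Added example (not from the original article): idempotent rc.conf edits for
# sendmail, periodic(8) output redirection, and a read-back check.
# RC and PC below are constructed stand-ins for /etc/rc.conf and /etc/periodic.conf.

# set_var FILE NAME VALUE: overwrite an existing NAME= line, else append one.
# VALUE must not contain | or &, which are special in the sed replacement.
set_var() {
    if grep -q "^$2=" "$1"; then
        sed "s|^$2=.*|$2=\"$3\"|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf '%s="%s"\n' "$2" "$3" >> "$1"
    fi
}

# get_var FILE NAME: the value the rc scripts would see after sourcing FILE
get_var() ( . "$1"; eval "printf '%s\n' \"\$$2\"" )

# the daemon, the submission listener, the outbound queue runner and the
# client-side MSP queue runner: all four must be NO for no sendmail to start
SENDMAIL_KNOBS="sendmail_enable sendmail_submit_enable sendmail_outbound_enable sendmail_msp_queue_enable"

# disable_sendmail FILE: set every knob to NO
disable_sendmail() {
    for knob in $SENDMAIL_KNOBS; do set_var "$1" "$knob" NO; done
}

# sendmail_off FILE: exit 0 only if all four knobs read NO
sendmail_off() {
    for knob in $SENDMAIL_KNOBS; do
        [ "$(get_var "$1" "$knob")" = NO ] || return 1
    done
}

# log_periodic FILE LOGPATH: periodic(8) appends to a file when *_output is an
# absolute path instead of a mail address
log_periodic() {
    for out in daily_output weekly_output monthly_output daily_status_security_output; do
        set_var "$1" "$out" "$2"
    done
}

RC=$(mktemp); PC=$(mktemp)   # constructed stand-ins for /etc/rc.conf, /etc/periodic.conf
printf 'hostname="appliance.example"\nsendmail_enable="YES"\n' > "$RC"

disable_sendmail "$RC"
disable_sendmail "$RC"        # idempotent: still exactly one line per knob
log_periodic "$PC" /var/log/periodic.log
sendmail_off "$RC" && echo "sendmail fully disabled"
```

The read-back check is worth keeping around: if a later edit re-enables one knob, sendmail_off fails and tells you before the next reboot brings a listener back.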