[nycbug-talk] fave BSD tips/tricks?
George Rosamond
george at ceetonetechnology.com
Mon Aug 24 15:59:44 EDT 2009
Charles Sprickman wrote:
> On Mon, 24 Aug 2009, Dru Lavigne wrote:
>
>> I'm finishing up an article for BSD mag on BSD tips and tricks. Anyone
>> have a favourite tip or trick they'd like to see in this article?
>
> I have two non-spectacular "tips" relating to jails:
>
> -Shamelessly stolen from George R., /usr/ports/ports-mgmt/jailaudit, a very
> handy tool to report on all vulnerabilities in all jails. Output comes
> with the main host's daily run.
nice :)
It's specifically useful in the context that you have jail admins who
don't check their dailies.
There's lots more in terms of FBSD jail-specific stuff. . . but I'm not
sure if that's what Dru wants.
>
> -Up until FBSD 7.1, multiple IPs in a jail were not possible without a set
> of external patches. As of 7.2 this is included. It works flawlessly
> (tested a box with a few hundred IPs in two jails). Additionally, ezjail
> can deal with this, just add the IPs, separated by commas, to the "export
> jail_php4_web_bway_net_ip=" line.
cool.
DL, are you looking for general Unix/bsd stuff?
How about some stuff on how people handle their dailies? I'd be curious
to hear. I mean, for those who actually *read* them :)
off the top of my head. . .
RAID STATUSES DAILY
I get lots of dailies. . . and always add the following to cron on its
own: status of RAIDs on the local box. Every blob or BSD software raid
solution has its 'status' check, and seeing an email specific on that
makes me sleep better.
LOGGER
I also use logger(1) more and more now. . . it's great to put into scripts
to see when certain stages were hit, like in updating the base source.
So I might have:
/usr/bin/logger -i -t SOURCE "starting buildworld"
after running buildworld.
RC VERBOSITY
I also like to have lots of verbosity when not unwieldy. . . for
instance, on FreeBSD, I always have
rc_debug="YES"
rc_info="YES"
in /etc/rc.conf
SSHD
As some people know (and sometimes mock:), I don't run sshd on tcp/22 in
general. . . The load of brute force zombies can be high. . . using an
alternate port for sshd isn't about more security, since I hardly fear
brute force zombies since I use keys, but about not wasting CPU on them.
Another thing I regularly do is put the netblocks of countries not being
ssh'd from that are also frequently hosting zombie'd boxes, and use
tcp-wrappers to block them.
XORG LIBRARIES
Servers don't usually need X11 . . . so make sure you put:
WITHOUT_X11=yes
in /etc/make.conf
before you install ports.
Post 7.0 FreeBSD, man src.conf
MAIL & BIG JOBS
It's nice to know when certain tasks or scripts are completed when
you're not local to the box.
So often I'll "&& mail. . ." to the end of single instance rsyncs, etc.,
to know when something is done.
Gee. I love the toolbox-ishness of Unix.
And while spork gave credit to me on jailaudit, I'm sure there are
others out there who deserve credit on at least some of these. . . eg,
ike with logger.
g
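An added example (not part of the thread, and not George's own scripts) that ties the RAID-status daily, the logger(1) stage markers and the "&& mail" habit together in one cron-able sh script. It assumes gmirror(8)-style status output, and the tag RAIDCHECK, the recipient, and the sample status text are all constructed for illustration.

```shell
#!/bin/sh
# Added example: daily RAID status check with logger(1) stage markers and a mail report.
# Assumed: gmirror(8) output layout (Name / Status / Components); TAG and RECIPIENT are hypothetical.

TAG="RAIDCHECK"
RECIPIENT="root"

# Mark a stage in syslog via logger(1); fall back to stderr if logger is unavailable.
log_stage() {
    if command -v logger >/dev/null 2>&1; then
        logger -i -t "$TAG" "$1" 2>/dev/null || echo "$TAG: $1" >&2
    else
        echo "$TAG: $1" >&2
    fi
}

# Return 0 when a gmirror-style report shows every mirror COMPLETE and every
# component ACTIVE; return 1 for DEGRADED mirrors or SYNCHRONIZING/missing components.
raid_healthy() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }                              # skip the header line
        NF >= 3 && $2 != "COMPLETE" { bad = 1 }       # mirror line with a non-COMPLETE status
        /\(/ && $0 !~ /\(ACTIVE\)/ { bad = 1 }        # any component that is not ACTIVE
        END { exit bad ? 1 : 0 }'
}

# The cron entry point: log the start, grab the real status, mail it with an
# OK/PROBLEM subject line, then log the finish (the "&& mail" idea, made explicit).
daily_raid_check() {
    log_stage "starting RAID status check"
    status=$(gmirror status 2>&1)
    if raid_healthy "$status"; then
        subject="RAID OK on $(hostname)"
    else
        subject="RAID PROBLEM on $(hostname)"
    fi
    printf '%s\n' "$status" | mail -s "$subject" "$RECIPIENT" \
        && log_stage "finished RAID status check, report mailed to $RECIPIENT"
}

# Constructed sample reports for trying raid_healthy without a real array.
SAMPLE_OK='      Name    Status  Components
mirror/gm0  COMPLETE  ada0 (ACTIVE)
                      ada1 (ACTIVE)'
SAMPLE_DEGRADED='      Name    Status  Components
mirror/gm0  DEGRADED  ada0 (ACTIVE)
                      ada1 (SYNCHRONIZING, 12%)'

# Only run the real check when invoked as "script.sh --run" (e.g. from cron).
if [ "${1-}" = "--run" ]; then
    daily_raid_check
fi
```

Install it with a single crontab line (for example, early morning before the periodic dailies) and the RAID state arrives as its own mail, separate from the daily output.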