At home, the broadband connection is managed by an Alcatel Speedtouch 510 ADSL router. It provides 4 LAN ports, DNS, DHCP server, firewall, NAT etc. I already have four PCs connected permanently, so at some point I'll have to extend the network capability - maybe installing a wireless access point.
So, I'd selected the FreeBSD 4.7 box as my exposed server - its network name is crimson. I use the NAT capabilities of the router to open up ports 80 (http), 25 (smtp) and 22 (ssh) to the outside world. I changed the domain name supplied by the DHCP server to my registered domain. I then realised I hadn't checked if the http server (Apache), sendmail and ssh were the latest versions and if there were any security advisories against any of them. I turned off the port forwarding while I checked this out. It turned out I needed to upgrade them all.
Now I had to investigate the upgrade capabilities of FreeBSD. I'd read a lot on the news groups and various web sites about the ports collection and the use of cvsup. I studied the FreeBSD handbook and decided to take the ports approach. I already had the ports collection, installed at the time I loaded FreeBSD. Firstly, I needed to upgrade the versions of the port stubs on crimson. I followed the steps outlined in the FreeBSD handbook (4.5.1) for the CVSup method of upgrading the ports, which worked perfectly.
pkg_version told me most of my system was out of date, but all I really cared about was the publicly exposed software. I started with ssh, which was 3.4 on crimson, with 3.5 as the latest release. The first problem was to decide which openssh port to install; there's openssh and openssh-portable. The second problem was to figure out how one upgraded a port that was actually installed as part of the base operating system. After browsing the bsdforums web site, I came across a message from someone who had tried to upgrade ssh on FreeBSD but had problems. The set of exchanges which followed gave me the two vital bits of information required: first, the right port to install was openssh-portable, and second, the make command needed a -DOPENSSH_OVERWRITE_BASE argument to cause the binaries installed with the original FreeBSD to be overwritten. As root, I changed directory to /usr/ports/security/openssh-portable and issued the following command:
make -DOPENSSH_OVERWRITE_BASE install
This downloads the source, extracts it, compiles it and installs the result. A new package now appeared in the pkg_info list, namely openssh_overwrite_base_3.5p1. Starting up sshd with an illegal argument confirmed it was running the 3.5 version.
Fired up with the success of openssh, I turned my attention to sendmail. The installed version was 8.12.6, but the latest was 8.12.8, which solved a security issue related to mail headers. Sendmail, like ssh, is installed along with the base operating system. Looking inside the Makefile for sendmail, I could not find any handy definition to tell it to overwrite the original installation. I figured I'd just issue make install and see what happened. Well, it compiled and installed alright, but the original 8.12.6 binaries were untouched. Where had it gone? I tracked it down to /usr/local. Hmm, obviously something had to be passed to make, but what? I issued a make deinstall to remove what I'd done, half-fearing that it might remove the base versions, but that didn't happen. Only the /usr/local files were eliminated.
Back to google, which led me to freebsddiary.org. This site contains a wealth of information related to FreeBSD installation and administration. Dan Langille seems to be the guy who originates much of the content. My thanks to him for a lot of helpful information.
My first piece of helpful information came from his experience of upgrading BIND. There are a host of arguments that can be passed to make to tell it where the resultant binaries and other files should be installed. The default is usually /usr/local or an equivalent place. In order to replace the base system sendmail, something like the following command line needs to be specified in the /usr/ports/mail/sendmail directory:
make DESTDIR="" PREFIX=/usr PIDDIR=/var/run DESTETC=/etc/mail \
    DESTEXEC=/usr/libexec DESTRUN=/var/run DESTBIN=/usr/sbin \
    install
After successful completion of the make command, I changed directory to /etc/mail and issued the command make restart. This causes sendmail to restart (surprise). I checked the /var/log/maillog file and found, to my satisfaction, that sendmail 8.12.8 had been started.
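The two checks done by hand above (a version banner from the binary, a line in maillog) can be scripted so the "installed to /usr/local, base copy untouched" mistake is caught every time. This is an added example, not a script from the original page; it assumes that ssh -V and sendmail -d0.1 print a version banner on FreeBSD, and the paths, expected versions and the /usr/local fallback locations are parameters you adjust for your own host.

```shell
#!/bin/sh
# Added example (not from the original page): after "make install" of a port
# that replaces base-system software, confirm the binary in the base location
# reports the new version, and point out when the fresh copy landed under
# /usr/local instead (the default PREFIX), leaving the exposed binary unpatched.
# Assumptions: "ssh -V" and "sendmail -d0.1" print their version on FreeBSD;
# paths and version strings are parameters so the check can be reused.

# version_of BIN FLAG: print the first x.y[.z][pN] token the binary emits
# (a simple heuristic, good enough for the OpenSSH and sendmail banners)
version_of() {
    "$1" $2 </dev/null 2>&1 |
        sed -n 's/^[^0-9]*\([0-9][0-9.]*[0-9]\(p[0-9]*\)\{0,1\}\).*/\1/p' |
        head -n 1
}

# verify_upgrade NAME EXPECTED BASE_BIN LOCAL_BIN FLAG
# returns 0 when BASE_BIN reports EXPECTED; 1 otherwise, with a hint when
# LOCAL_BIN already carries the new version (the sendmail symptom above)
verify_upgrade() {
    name=$1 expected=$2 base=$3 local_bin=$4 flag=$5
    base_ver=$(version_of "$base" "$flag")
    if [ "$base_ver" = "$expected" ]; then
        echo "OK: $name $expected is installed at $base"
        return 0
    fi
    echo "STALE: $base reports '${base_ver:-unknown}', expected $expected" >&2
    if [ -x "$local_bin" ] && [ "$(version_of "$local_bin" "$flag")" = "$expected" ]; then
        echo "  $expected went to $local_bin; rerun make install with PREFIX=/usr and friends" >&2
    fi
    return 1
}

# Check the two base-system services this host exposes (ports 22 and 25).
check_exposed_services() {
    rc=0
    verify_upgrade ssh 3.5p1 /usr/bin/ssh /usr/local/bin/ssh -V || rc=1
    verify_upgrade sendmail 8.12.8 /usr/sbin/sendmail /usr/local/sbin/sendmail -d0.1 || rc=1
    return $rc
}

# Run the live check only when invoked as: sh check_base_upgrade.sh run
case "$1" in run) check_exposed_services ;; esac
```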