Computer System Administration
HW1 - Install FreeBSD/Ubuntu & WireGuard
HW2 - Shell script & System Info
HW3 - File Server & ZFS Backup
HW4&5 - Web Service & Firewall
# Create the two groups that the sshd Match blocks below key on (FreeBSD pw(8)).
for grp in sftp-admin sftp-users; do
  sudo pw addgroup "${grp}"
done
Users to create: sysadm, sftp-u1, sftp-u2, anonymous
# adduser is interactive: it prompts for the details of each new account.
# Run it once per user (sysadm, sftp-u1, sftp-u2, anonymous).
sudo adduser

# Either of these lists every account known to the system.
getent passwd
cat /etc/passwd

# Directory layout under the SFTP chroot root.
# mkdir -p creates missing parents and does not fail when the path exists.
# /home/sftp itself is created here by root with the default umask; it must stay
# root-owned and not group/world-writable, or sshd rejects it as ChrootDirectory.
sftp_root=/home/sftp
sudo mkdir -p "${sftp_root}/public" "${sftp_root}/hidden/treasure"
sudo touch "${sftp_root}/hidden/treasure/secret"

# Ownership is <user>:<group>. The two top-level directories belong to sysadm
# and the sftp-users group; treasure and its secret use sysadm's own group.
# (Accounts only get the group permissions if they are members of sftp-users,
# e.g. via pw groupmod sftp-users -m <user>.)
sudo chown sysadm:sftp-users "${sftp_root}/public" "${sftp_root}/hidden"
sudo chown sysadm:sysadm "${sftp_root}/hidden/treasure" "${sftp_root}/hidden/treasure/secret"

# Permissions. On a directory, r allows listing its entries and x allows
# traversing it / opening a known name inside it; downloading a file needs
# r on the file plus x on every directory above it.
#   public   1775  group may add files; the sticky bit stops users removing each other's uploads
#   hidden    771  others may traverse but not list, which is what keeps it "hidden"
#   treasure  775  listable and traversable by everyone
#   secret    744  readable by anyone who knows the path
sudo chmod 1775 "${sftp_root}/public"
sudo chmod 771 "${sftp_root}/hidden"
sudo chmod 775 "${sftp_root}/hidden/treasure"
sudo chmod 744 "${sftp_root}/hidden/treasure/secret"

# For Part 2: quarantine directory used by sftp_watchd. It is world-writable here;
# as the rc script starts daemon(8) without -u, the watchdog runs as root and
# does not itself need 777, so consider 775 unless users must write here directly.
sudo mkdir -p "${sftp_root}/hidden/.exe"
sudo chown sysadm:sftp-users "${sftp_root}/hidden/.exe"
sudo chmod 777 "${sftp_root}/hidden/.exe"
SSH: the sshd configuration is in /etc/ssh/sshd_config.
# There are a lot of comments in the default file, so only the necessary parts are listed
# Public keys for ssh are read from this file under each user's home directory
AuthorizedKeysFile .ssh/authorized_keys
# The flags are for part 2. In part 1, you only need the line until -u 037
# Also, I am not sure whether I need to specify flags here because I also did in the ForceCommand
# 022 so that anonymous can download files uploaded by sysadm
# -u sets the umask for created files, -l the log level, -f the syslog facility;
# local0 must match the selector added to /etc/syslogd.conf below. For the groups
# matched further down, ForceCommand replaces this subsystem command line.
Subsystem sftp internal-sftp -u 022 -l VERBOSE -f local0
# Match blocks. If a keyword appears in several matching blocks, sshd applies the
# first instance, so block order matters; Match blocks must come after the global settings.
# ChrootDirectory requires /home/sftp and every parent to be root-owned and not
# writable by group or others, otherwise the login is refused.
Match Group sftp-admin
ChrootDirectory /home/sftp
PubkeyAuthentication yes
PasswordAuthentication no
# I don't think this is necessary
# NOTE(review): older OpenSSH rejects a trailing "# comment" on a directive line
# ("garbage at end of line"), so comments are kept on their own lines here.
ChallengeResponseAuthentication no
# NOTE(review): sftp-anonymous does not appear in the pw addgroup commands on this
# page - confirm the group exists. The !sftp-admin negation only excludes the group
# name itself: an account that is in both sftp-admin and sftp-users can still match
# this block through sftp-users, and the ForceCommand below would then apply to it
# as well. Check the effective settings per account with: sshd -T -C user=<name>
Match Group !sftp-admin,sftp-users,sftp-anonymous
ChrootDirectory /home/sftp
# -u 027 here takes precedence over the -u 022 on the Subsystem line for these groups
ForceCommand internal-sftp -u 027 -l VERBOSE -f local0
# NOTE(review): for accounts that only transfer files, consider enabling these two
# (currently commented out) so the chrooted session cannot set up X11 or TCP forwarding.
# X11Forwarding no
# AllowTcpForwarding no
PubkeyAuthentication yes
PasswordAuthentication no
# I don't think this is necessary
ChallengeResponseAuthentication no
/home/sftp contains these files (just copy them from your root directory). /home/sftp should be owned by root:wheel. Copy /home/judge/.ssh/authorized_keys to each user's /home/<username>/.ssh/authorized_keys.
# Log files: sftp.log is written by syslogd (local0 selector below), sftp_watchd.log
# by daemon -o and by the watchdog itself. Create them empty so the mode is set
# before anything writes to them.
# 644 makes them readable by every local account; since the watchdog runs as root,
# 640 would suffice if SFTP paths should not be visible to other users.
for logf in /var/log/sftp.log /var/log/sftp_watchd.log; do
  sudo touch "${logf}"
  sudo chmod 644 "${logf}"
done
/var/log/sftp.log: add this line in /etc/syslogd.conf
# Please insert tabs between the two columns, like the other lines in the config file.
# You could use local0 ~ local7
# The facility must match the -f local0 passed to internal-sftp in sshd_config;
# every priority (.*) of that facility is appended to this file.
# NOTE(review): chrooted sessions can write to the /home/sftp/dev/log socket, so the
# contents of this file are user-influenced input - anything that parses it
# (sftp_watchd) must validate what it reads.
local0.* /var/log/sftp.log
Log socket inside the chroot (/home/sftp):
# In /home/sftp
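# Directory for the log socket inside the chroot. Use the absolute path: the
# original "mkdir /dev" addressed the real /dev regardless of the current directory.
mkdir -p /home/sftp/dev
# syslogd creates /home/sftp/dev/log as a socket. -p makes it the *primary* socket
# of this syslogd instance; the persistent setting in /etc/rc.conf below uses -l
# (an additional socket) instead, so once rc.conf is edited prefer: service syslogd restart
syslogd -p /home/sftp/dev/log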
sftp_watchd is implemented using daemon(8).
#!/bin/sh
# rc(8) script for sftp_watchd: runs /usr/local/sbin/sftp_watchd under daemon(8).
# Enabled with sftp_watchd_enable="YES" in /etc/rc.conf.
. /etc/rc.subr

name=sftp_watchd
rcvar=${name}_enable
pidfile=/var/run/${name}.pid

# daemon(8) flags: -c chdir to /, -f detach stdio, -P record the supervisor pid in
# ${pidfile}, -t set the process title, -o append the script's output to the log
# file, -r restart the script if it exits. See daemon(8) for details.
command=/usr/sbin/daemon
command_args="-c -f -P ${pidfile} -t ${name} -o /var/log/sftp_watchd.log -r /usr/local/sbin/sftp_watchd"

# Replace the rc.subr default stop/status handling with the functions below.
stop_cmd=${name}_stop
status_cmd=${name}_status
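# Stop the watchdog.
# Globals: pidfile (read), name (read)
# Outputs: progress messages to stdout
# Returns: 0 when a pidfile was found, otherwise the status of the final echo
sftp_watchd_stop() {
  if [ -f "${pidfile}" ]; then
    pid=$(cat "${pidfile}")
    echo "Kill: ${pid}"
    kill "${pid}"
    # The daemon(8) supervisor should forward SIGTERM to the script, but the
    # script's tail(1) (and the loop reading from it) would keep running.
    # The original killed $((pid+2)), assuming consecutively allocated PIDs; that is
    # not guaranteed and could signal an unrelated process. Match the tail by its
    # exact command line instead; the read loop then ends on EOF of the pipe.
    pkill -f '^tail -n0 -F /var/log/sftp.log$' 2>/dev/null
    return 0
  fi
  echo "${name} is not running."
}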
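# Report whether the watchdog is running.
# Unlike a bare pidfile test, this also checks that the recorded pid is alive,
# so a stale pidfile left by a crash is not reported as a running service.
# Globals: pidfile (read), name (read)
# Outputs: one status line to stdout
# Returns: 0 when running, otherwise the status of the final echo
sftp_watchd_status() {
  if [ -f "${pidfile}" ]; then
    pid=$(cat "${pidfile}")
    if kill -0 "${pid}" 2>/dev/null; then
      echo "${name} is running as pid ${pid}."
      return 0
    fi
    echo "${name} is not running (stale pidfile ${pidfile})."
    return 0
  fi
  echo "${name} is not running."
}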
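load_rc_config "${name}"
# Quote $1 so that a missing argument reaches run_rc_command as one (empty) word.
run_rc_command "$1"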
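#!/bin/sh
# sftp_watchd: follow the SFTP syslog output and quarantine uploaded *.exe files.
#
# Reads LOG_FILE (fed by internal-sftp -l VERBOSE -f local0). When a chrooted
# session opens a path ending in .exe for writing, the file is moved to
# TARGET_DIR and the event is recorded in DEST_LOG_FILE. Started by the rc
# script under daemon(8), so it runs as root.
#
# The log is untrusted input: any session inside the chroot can write to the
# /home/sftp/dev/log socket, so every path taken from a log line is validated
# before it is used, and log text never becomes a printf format string.

LOG_FILE="/var/log/sftp.log"
TARGET_DIR="/home/sftp/hidden/.exe"
DEST_LOG_FILE="/var/log/sftp_watchd.log"
# Root of the sshd ChrootDirectory; paths in the log are relative to it.
CHROOT_DIR="/home/sftp"

# -n0: start at the end of the file; -F: keep following across log rotation.
# IFS= and -r keep each line exactly as logged (no trimming, no backslash handling).
tail -n0 -F "${LOG_FILE}" | while IFS= read -r line; do
  # internal-sftp VERBOSE logs uploads as:  open "<path>" flags WRITE,CREATE,... mode 0644
  # NOTE(review): the original grep pattern was mangled; this match is reconstructed
  # from the quoted-field extraction it fed - confirm against real lines in LOG_FILE.
  case "${line}" in
    *'open "/'*'.exe" flags '*WRITE*) ;;
    *) continue ;;
  esac

  # The path is the text between the first pair of double quotes after "open ".
  relpath=${line#*open \"}
  relpath=${relpath%%\"*}

  # Only .exe names, and nothing that could step outside the chroot.
  case "${relpath}" in
    *.exe) ;;
    *) continue ;;
  esac
  case "${relpath}" in
    */../*|*/..|../*) continue ;;
  esac

  filepath="${CHROOT_DIR}${relpath}"
  # Only quarantine plain files; a symlink uploaded by a user is left alone.
  [ -f "${filepath}" ] && [ ! -L "${filepath}" ] || continue

  # Owner of the uploaded file, i.e. the account that uploaded it (FreeBSD stat(1)).
  username=$(stat -f '%Su' "${filepath}")

  # Quarantine, then log. ${line%:*} is the syslog prefix up to the last colon.
  if mv -- "${filepath}" "${TARGET_DIR}/"; then
    printf '%s: %s violate file detected. Uploaded by %s.\n' \
      "${line%:*}" "${filepath}" "${username}" >> "${DEST_LOG_FILE}"
  fi
done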
Add these lines to /etc/rc.conf to enable auto start (on boot):
# HW1
wireguard_enable="YES"
wireguard_interfaces="wg0"
# HW3
# Start the sftp_watchd rc script (above) at boot.
sftp_watchd_enable="YES"
syslogd_enable="YES"
# -s: secure mode, do not accept log messages from the network.
# -l: also listen on this extra socket inside the SFTP chroot, so the chrooted
#     internal-sftp can reach syslogd (it cannot see /var/run/log from the chroot).
# NOTE(review): any session inside the chroot can write to this socket, so lines
# in /var/log/sftp.log are not trustworthy on their own.
syslogd_flags="-s -l /home/sftp/dev/log"
# Import the pool and mount its datasets (mypool below) at boot.
zfs_enable="YES"
# ada0 holds the system and is left alone. `camcontrol devlist` shows the attached
# disks; the four newly added ones are ada1..ada4.
# Each disk gets a GPT table and one freebsd-zfs partition labelled mypool-N, so
# the pool can be built from the stable /dev/gpt/mypool-N names.
n=1
for disk in ada1 ada2 ada3 ada4; do
  gpart create -s gpt "${disk}"
  gpart add -t freebsd-zfs -l "mypool-${n}" "${disk}"
  n=$((n + 1))
done
Use `mirror` vdevs for RAID10:
# Initialize ZFS pool: two mirrors striped together (RAID10-like). Each mirror
# survives the loss of one of its two disks.
zpool create mypool mirror /dev/gpt/mypool-1 /dev/gpt/mypool-2 mirror /dev/gpt/mypool-3 /dev/gpt/mypool-4
Mount mypool on /home/sftp and set lz4 compression, atime=off:
# Mount ZFS pool at /home/sftp with lz4 compression and no access-time updates.
# Child datasets (mypool/public, mypool/hidden) inherit these properties.
# NOTE(review): once the pool is mounted here, the directories created under
# /home/sftp earlier (public, hidden, dev for the syslog socket) are hidden under
# the mount, which is why they have to be set up again afterwards. The mountpoint
# itself must remain root:wheel and not group/world writable for the sshd
# ChrootDirectory to keep working.
zfs set mountpoint=/home/sftp compression=lz4 atime=off mypool
Create the mypool/public and mypool/hidden datasets:
zfs create mypool/public
zfs create mypool/hidden
# Please reconfigure these folders (including treasure, secret, .exe) under /home/sftp
# NOTE(review): a new dataset's mountpoint is root-owned by default, so the chown and
# chmod from the file-server section must be redone on /home/sftp/public and
# /home/sftp/hidden as well, and the /home/sftp/dev log socket directory recreated.
Put zfsbak in any folder in your PATH. I put it in /usr/local/sbin/.