[GUIDE] FreeBSD MaNGOS (Secure) Install Guide


Requirements

* Server with FreeBSD 7.3-RELEASE or FreeBSD 8.0-RELEASE (Recommended) A Minimal FreeBSD install works great, don't forget to set your root password and create a normal user account during the install though

* You have direct or ssh access to the machine

* Static IP Address for server

* An Internet Connection used to fetch dependencies

* Root access to get everything started (We'll make it secure at the end)

* csh shell (Default in FreeBSD) Parts of this guide require builtin functions of csh

Recommended

Please use PuTTY or some other ssh client that allows you to copy code from this guide and paste/execute on the server, If you try to type everything yourself you are bound to have problems!

Why Make a FreeBSD Guide?

Because MaNGOS is an educational project and there is a lack of FreeBSD based MaNGOS guides available, users should have a complete guide to build, run, test and develop MaNGOS under FreeBSD.

I will also cover security tips in this guide, as this is a major topic many other guides tend to lack.

If you have a question about an unfamiliar command, ask and I'll explain it

Readme Before Starting

* Code to enter in your terminal/console will be in Code blocks, and can be copy/pasted

* Italic text are notes about the step or code

* The root account is required for the initial portion of the guide

* If you choose to not follow my guide exactly, I may not be able to help with issues you encounter

* At the end of this guide you should have a stable/functional/secure FreeBSD + MaNGOS server

* Anything that says <MySQL Root Password>, <MySQL mangos Password>, or similar: replace with the appropriate information, and make sure to remove the <> characters

Make sure to use csh

The default root shell in FreeBSD is csh; if you change this you will encounter errors. Always make sure to use the csh shell /bin/csh when following this guide (thanks Exelenz)

Step 1 - Getting Dependencies

All dependencies will be installed via ports to ensure compatibility

Gain root access

The recommended way is to login as a normal user and su root

or login as root directly, keep in mind this is insecure and bad administration practice

This is a common issue for beginners that do not know the root user is needed to install software

Populate Ports Tree

Important only do Option 1 OR Option 2

Option 1 will make sure you have all the latest security and recommended updates

Option 2 will be completely compatible with this guide

Option 1) Current Ports Tree

This will also give you the most current up-to-date ports tree and may make this guide incompatible with newer ports

Use portsnap update instead of portsnap extract if you're upgrading an existing snapshot obtained via portsnap

portsnap fetch ;
portsnap extract ;

Option 2) Old Ports Tree (Current at time of writing this)

If you wish to use the exact ports tree I use in the guide use the following commands

If your server is not in the US, use http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cvsup.html#CVSUP-MIRRORS to find a mirror near you for the host=cvsup3.us.FreeBSD.org portion

echo '*default host=cvsup3.us.FreeBSD.org \
*default base=/var/db \
*default prefix=/usr \
*default release=cvs tag=. \
*default delete use-rel-suffix \
*default compress \
date=2010.08.12.23.59.59 \
ports-all' > /root/ports-supfile ;
csup -L 2 /root/ports-supfile ;

Installing CA Root list

cd /usr/ports/security/ca_root_nss ;
make -DWITH_ETCSYMLINK -DBATCH install clean ;

Installing OpenSSL

cd /usr/ports/security/openssl ;
make -DBATCH install clean ;
cp /usr/local/openssl/openssl.cnf.sample /usr/local/openssl/openssl.cnf;

Installing MySQL

MySQL 5.1 has run stable for me with FreeBSD-7.2, 7.3, 8.0 + MaNGOS

If you use an older/newer version I cannot guarantee this guide will be 100% accurate for you

cd /usr/ports/databases/mysql51-server ;
make -DBATCH install clean ;
echo 'mysql_enable="YES"' >> /etc/rc.conf ;
/usr/local/etc/rc.d/mysql-server start ;

Installing git

git is needed to download the MaNGOS source code from the git repository

cd /usr/ports/devel/git ;
make -DBATCH install clean ;

Installing subversion

subversion is needed to download patches, DB content, etc from 3rd-party svn repositories

cd /usr/ports/devel/subversion ;
make -DBATCH install clean ;

Installing unrar and unzip

We might need both unzip and unrar because some 3rd-party projects use zip others use rar

cd /usr/ports/archivers/unrar ;
make -DBATCH install clean ;
cd /usr/ports/archivers/unzip ;
make -DBATCH install clean ;

(Optional) Installing a Text Editor

I have designed this guide so that a text editor is not needed AT ALL, you only need an editor if you wish to make manual changes to your configuration files! (This guide will not cover that unfortunately)

FreeBSD by default comes with vi

If you want nano

cd /usr/ports/editors/nano ;
make -DBATCH install clean ;

If you want vim

cd /usr/ports/editors/vim ;
make -DBATCH install clean ;

Verify Dependencies

We should have all the dependencies required to build MaNGOS, because the dependencies for MaNGOS were installed transparently with the previous ports that were installed.

To verify this execute the following command and compare with the dependency list

pkg_info ;

MaNGOS Dependencies You will have more, these are only the ones we need to have

* autoconf-2.62
* autoconf-wrapper-20071109
* automake-1.9.6_3
* automake-wrapper-20071109
* libtool-2.2.6b
* gmake-3.81_4
* m4-1.4.14_1,1
* mysql-client-5.1.49
* openssl-1.0.0_2
* perl-5.10.1_2

Making the Environment See Everything

If you skip this you will get "Command not found" errors when running git,svn,etc

set path = ( $path ) ;

Or just log out and back in

Step 2 - Getting MaNGOS and Compiling

This covers downloading MaNGOS + SD2, patching, configuring, and compiling

Downloading and Patching

cd ~ ;
git clone git://github.com/mangos/mangos.git ;
cd mangos ;
svn co https://scriptdev2.svn.sourceforge.net/svnroot/scriptdev2/ src/bindings/ScriptDev2/ --trust-server-cert --non-interactive ;
git am src/bindings/ScriptDev2/patches/MaNGOS-*-ScriptDev2.patch ;
autoreconf --install --force ;
automake src/bindings/ScriptDev2/Makefile ;
mkdir objdir ;
cd objdir ;

Configuring and Compiling

You may change the --prefix=/opt/mangos path, but it is recommended to keep this the same as this guide

Important you must use gmake to compile MaNGOS on FreeBSD

../configure --prefix=/opt/mangos --sysconfdir=/opt/mangos/etc --enable-cli --enable-ra --datadir=/opt/mangos/data --with-openssl=/usr/local ;
gmake ;
gmake install ;
gmake clean ;
cd /opt/mangos ;

Step 3 - Getting MySQL and the Databases Ready

This covers configuring and securing MySQL and populating the database with data

Important use your own passwords (I will not be held responsible for a hacked DB)

Setting a MySQL Root Password

Replace <MySQL Root Password> with your own password (This is your MySQL superuser/Admin account, do not share your password)

mysqladmin -u root password "<MySQL Root Password>" ;

Create the MaNGOS Databases

mysql -uroot -p<MySQL Root Password> < data/mangos/sql/create_mysql.sql ;
mysql -uroot -p<MySQL Root Password> < data/scriptdev2/sql/scriptdev2_create_database.sql ;

Change the MySQL MaNGOS User's Password

Replace <MySQL MaNGOS Password> with your own password

The MySQL MaNGOS User is created in data/mangos/sql/create_mysql.sql if this ever changes I will update this

echo "UPDATE user SET password=PASSWORD('<MySQL MaNGOS Password>') WHERE User='mangos';" | mysql -uroot -p<MySQL Root Password> mysql ;
echo "FLUSH PRIVILEGES;" | mysql -uroot -p<MySQL Root Password> ;

Populate the MaNGOS Databases

From this point on we will use our MySQL MaNGOS User

This second Code block may be skipped if you plan on using UDB (We drop the mangos database in that step)

mysql -umangos -p<MySQL MaNGOS Password> characters < data/mangos/sql/characters.sql ;
mysql -umangos -p<MySQL MaNGOS Password> realmd < data/mangos/sql/realmd.sql ;
mysql -umangos -p<MySQL MaNGOS Password> scriptdev2 < data/scriptdev2/sql/scriptdev2_create_structure_mysql.sql ;
mysql -umangos -p<MySQL MaNGOS Password> scriptdev2 < data/scriptdev2/sql/scriptdev2_script_full.sql ;

MaNGOS DB You may skip this if you plan to use UDB (Next step)

mysql -umangos -p<MySQL MaNGOS Password> mangos < data/mangos/sql/mangos.sql ;

World Database (UDB) (Optional)

I have no experience with other DB projects, and cannot give instructions for others at this time

At time of writing this, UDB was compressed in zip format, if this changes use the appropriate extractor

cd ~ ;
mkdir udb ;
cd udb ;
svn co https://unifieddb.svn.sourceforge.net/svnroot/unifieddb/trunk/ --trust-server-cert --non-interactive ;
unzip trunk/Full_DB/UDB*.zip -d trunk/Full_DB/ ;
echo 'DROP DATABASE IF EXISTS mangos; \
CREATE DATABASE mangos DEFAULT CHARACTER SET utf8 COLLATE utf8_general_ci; \
GRANT ALL PRIVILEGES ON mangos.* TO mangos@localhost WITH GRANT OPTION;' | mysql -uroot -p<MySQL Root Password> ;
mysql -umangos -p<MySQL MaNGOS Password> mangos < trunk/Full_DB/UDB*.sql ;

Important Note: This step drops the mangos database!

This is because the World Database (UDB) step is optional and I did not want to remove a required command in the previous step in the event that someone may not use this,

there are conflicts with data/mangos/sql/mangos.sql and queries in UDB for updating tables related to locales_*

Applying World Database Updates

We need to apply the UDB MaNGOS updates, because UDB has downgraded our MaNGOS database

characters, realmd, and scriptdev2 are unaffected, so we do not need to update these

foreach sql_file ( trunk/Updates/*_additions/*mangos*.sql ) ;
echo "Applying Update - $sql_file" ;
mysql -umangos -p<MySQL MaNGOS Password> mangos < $sql_file ;
end ;

MySQL Will Return Errors

If you got an Error similar to the following while applying the first update

ERROR 1054 (42S22) at line 2: Unknown column 'coulmn_name' in 'db_version'

this is not an error, it means that the update was already applied.

If you get any errors other than that one, then you did not follow the steps exactly

Applying MaNGOS & Scriptdev2 Updates

Only the mangos database should require any updates, because of SD2 and UDB,

however the rest of the updates are still applied as a failsafe in case a commit happened to not have the master sql file updated

cd /opt/mangos ;
foreach sql_file ( data/mangos/sql/updates/*mangos*.sql ) ;
echo "Applying Update - $sql_file" ;
mysql -umangos -p<MySQL MaNGOS Password> mangos < $sql_file ;
end ;
foreach sql_file ( data/mangos/sql/updates/*characters*.sql ) ;
echo "Applying Update - $sql_file" ;
mysql -umangos -p<MySQL MaNGOS Password> characters < $sql_file ;
end ;
foreach sql_file ( data/mangos/sql/updates/*realmd*.sql ) ;
echo "Applying Update - $sql_file" ;
mysql -umangos -p<MySQL MaNGOS Password> realmd < $sql_file ;
end ;
mysql -umangos -p<MySQL MaNGOS Password> mangos < ~/mangos/src/bindings/ScriptDev2/sql/mangos_scriptname_full.sql ;
foreach sql_file ( data/scriptdev2/sql/updates/*mangos*.sql ) ;
echo "Applying Update - $sql_file" ;
mysql -umangos -p<MySQL MaNGOS Password> mangos < $sql_file ;
end ;
foreach sql_file ( data/scriptdev2/sql/updates/*scriptdev2*.sql ) ;
echo "Applying Update - $sql_file" ;
mysql -umangos -p<MySQL MaNGOS Password> scriptdev2 < $sql_file ;
end ;

MySQL Will Return Errors

You will get several lines similar to

ERROR 1054 (42S22) at line 1: Unknown column 'coulmn_name' in 'db_version'

As long as all of these errors occur only on line 1 and state that a column is unknown, this is normal.

This error is the same as the one from Applying World Database Updates; it means that the SQL update has already been applied

MaNGOS Realmlist Address

Replace <Your Realm Name> with your desired Realm Name

Replace <Your Realm Address> with your Server's Address (Typically your LAN IP)

echo 'UPDATE realmlist SET name = "<Your Realm Name>" WHERE id = 1; \
UPDATE realmlist SET address = "<Your Realm Address>" WHERE id = 1;' | mysql -umangos -p<MySQL MaNGOS Password> realmd ;

Step 4 - Data Files

To keep things simple download and install Filezilla FTP Client on your client computer, and connect to your server using SSH (Port 22)

Copy ~/mangos/contrib/extractor/ad.exe and all the files in ~/mangos/contrib/vmap_extract_assembler_bin/ to the client installation directory on your client computer

Run ad.exe and makevmaps_SIMPLE.bat on your client This will take a while to finish

If ad.exe fails to run, Install Microsoft's Visual C++ Redistributable Package (Google for it)

Copy the vmaps/, maps/, dbc/ directories to your MaNGOS data directory on the server

This guide sets this to /opt/mangos/data/

If you use Filezilla in SFTP mode and it complains your user does not have permission, temporarily give your user permission to write to the directory (We will secure this later)

chown <FreeBSD User Account> /opt/mangos/data/ ;

Step 5 - Editing Configuration Files

The following commands will get everything configured, however if you wish to change any other values you will have to do so manually on your own with vi, vim, or nano

cd /opt/mangos ;

mangos.conf - Change Log Options, Disable Console, Enable RA, Use PID File

sed '/DataDir[ ]*=/ s/"."/"\/opt\/mangos\/data\/"/; \
/LogsDir[ ]*=/ s/""/"\/opt\/mangos\/log\/"/; \
/PidFile[ ]*=/ s/""/"\/opt\/mangos\/run\/mangos-worldd.pid"/; \
/LogLevel[ ]*=/ s/3/0/; \
/LogFileLevel[ ]*=/ s/0/2/; \
/Console.Enable[ ]*=/ s/1/0/; \
/Ra.Enable[ ]*=/ s/0/1/; \
/Ra.Stricted[ ]*=/ s/1/0/;' \
etc/mangosd.conf.dist > etc/mangosd.conf ;

realmd.conf - Change Log Options, Use PID File

sed '/LogsDir[ ]*=/ s/""/"\/opt\/mangos\/log\/"/; \
/LogFileLevel[ ]*=/ s/0/2/; \
/PidFile[ ]*=/ s/""/"\/opt\/mangos\/run\/mangos-realmd.pid"/;' \
etc/realmd.conf.dist > etc/realmd.conf ;

scriptdev.conf - No Changes (Just need the base for now)

cp etc/scriptdev2.conf.dist etc/scriptdev2.conf ;

All *.conf Files - Set the MySQL Passwords

sed -i "" '/DatabaseInfo[ ]*=/ s/mangos;mangos/mangos;<MySQL MaNGOS Password>/;' \
etc/*.conf ;

Create New Directories - Used for PIDs and Logs

mkdir run log ;

Step 6 - Testing MaNGOS for the First Time

At this point you can run/test mangos and everything should work

/opt/mangos/bin/mangos-realmd & ;
/opt/mangos/bin/mangos-worldd & ;

If there were no errors congratulations, Continue to the next steps regarding securing everything, startup/shutdown scripts, and optional configurations

If you would like to test if the client can connect

set your client's realmlist to match your server and login as

Username: ADMINISTRATOR

Password: ADMINISTRATOR

(We will secure this password later)

If you did get an error, try to determine what the error was. If you encountered database errors you may have to do all the Database steps from scratch again.

Important!

Stop MaNGOS from running so we can continue

pkill "mangos-*" ;

Step 7 - Securing MaNGOS

Change Passwords of Default Privileged Accounts

echo "UPDATE account SET sha_pass_hash=UPPER(CONVERT(SHA(CONCAT(UPPER(username),':',UPPER('<MaNGOS Administrator Password>'))) USING latin1)) WHERE username='ADMINISTRATOR';" | mysql -umangos -p<MySQL MaNGOS Password> realmd ;
echo "UPDATE account SET sha_pass_hash=UPPER(CONVERT(SHA(CONCAT(UPPER(username),':',UPPER('<MaNGOS Moderator Password>'))) USING latin1)) WHERE username='MODERATOR';" | mysql -umangos -p<MySQL MaNGOS Password> realmd ;
echo "UPDATE account SET sha_pass_hash=UPPER(CONVERT(SHA(CONCAT(UPPER(username),':',UPPER('<MaNGOS Gamemaster Password>'))) USING latin1)) WHERE username='GAMEMASTER';" | mysql -umangos -p<MySQL MaNGOS Password> realmd ;

Creating a System User to Run MaNGOS

The following will create a user and group named mangos

This user/group will be used to run realmd and worldd and will only have access to alter files

located in /opt/mangos/run and /opt/mangos/log

pw group add mangos ;
pw user add mangos -g mangos -d /nonexistent -s /usr/sbin/nologin;
chown -R root:wheel /opt/mangos ;
chown -R root:mangos /opt/mangos/etc/*.conf ;
chmod 640 /opt/mangos/etc/*.conf ;
chown -R mangos:mangos /opt/mangos/log ;
chown -R mangos:mangos /opt/mangos/run ;
chmod 750 /opt/mangos/log ;

Continued in next post!

Link to comment
Share on other sites

Step 7 - Securing MaNGOS (Continued)

FreeBSD MaNGOS rc Script (Start/Stop Script)

This is a very simple script currently able to handle a single worldd and/or realmd instance.

Eventually this will be rewritten to handle multiple realms/worlds

Important!

The code below is not the script, but the commands to generate the script. Execute the entire code block the same way all previous commands have been executed!

echo '#\!/bin/sh\
#\
# $FreeBSD: mangos-server.sh,v 0.1 2010/06/03 16:09:17 antiroot Exp $\
# AUTHOR: antiroot aka geekspark\
# DATE: 2010/06/03 16:09:17\
\
# PROVIDE: mangos-worldd mangos-realmd\
# REQUIRE: LOGIN mysql\
# KEYWORD: shutdown\
\
# Add the following lines to /etc/rc.conf.local or /etc/rc.conf\
# to enable these services\
#\
# For both mangos-worldd and mangos-realmd\
#mangos_enable="YES"\
# or, separately as:\
#mangosworldd_enable="YES"\
#mangosrealmd_enable="YES"\
#\
# Running mangos as root is unsafe\
# The following variable allows you to change\
# the user that mangos will run as\
# username mangos is default*\
#mangos_user="mangos"\
\
. /etc/rc.subr\
\
name=mangos\
rcvar=$(set_rcvar)\
\
# Only Edit These Options\
name_prefix="mangos"              #prefix for binaries/pids\
mangos_daemons="realmd worldd"    #binaries/pids without prefix/suffix\
homedir="/opt/mangos"             #path to mangos install dir\
bindir="${homedir}/bin"           #path to mangos/bin dir\
rundir="${homedir}/run"           #path to mangos/run dir\
# Do Not Edit Below This Line\
\
load_rc_config "${name}"\
mangos_user=${mangos_user:="mangos"}\
extra_commands="status"\
start_cmd="mangos_cmd"\
stop_cmd="mangos_cmd"\
restart_cmd="mangos_cmd"\
status_cmd="mangos_cmd"\
rcvar_cmd="mangos_rcvar_cmd"\
command_args="> /dev/null 2>&1 &"\
\
mangos_enable=${mangos_enable:=NO}\
\
if [ -n "${rcvar}" ] && checkyesno "${rcvar}"; then\
   mangosworldd_enable=${mangosworldd_enable=YES}\
   mangosrealmd_enable=${mangosrealmd_enable=YES}\
fi\
eval real_${rcvar}="\${${rcvar}:=NO}"   ${rcvar}=YES\
mangosworldd_enable=${mangosworldd_enable:=NO}\
mangosrealmd_enable=${mangosrealmd_enable:=NO}\
\
mangos_rcvar_cmd() {\
   unset "${rc_arg}_cmd" "${rc_arg}_precmd" "${rc_arg}_postcmd"\
   echo "# ${name}"\
   if [ -n "${rcvar}" ]; then\
       if checkyesno "real_${rcvar}"; then\
           echo "\$${rcvar}=YES"\
       else\
           echo "\$${rcvar}=NO"\
       fi\
   fi\
   mangos_cmd "${_rc_prefix}${rc_arg}" ${rc_extra_args}\
}\
\
mangos_cmd() {\
   local name rcvar command pidfile mangos_daemons\
   unset "${rc_arg}_cmd" "${rc_arg}_precmd" "${rc_arg}_postcmd"\
   if [ "${rc_arg}" = "stop" ] ; then\
       mangos_daemons=$(reverse_list ${mangos_daemons})\
   fi\
   for name in ${mangos_daemons}; do\
       command="${bindir}/${name_prefix}-${name}"\
       pidfile="${rundir}/${name_prefix}-${name}.pid"\
       name=${name_prefix}${name}\
       eval ${name}_user=${mangos_user}\
       rcvar=$(set_rcvar)\
       run_rc_command "${_rc_prefix}${rc_arg}" ${rc_extra_args}\
   done\
}\
\
run_rc_command "$1"' > /usr/local/etc/rc.d/mangos-server ;
chmod 555 /usr/local/etc/rc.d/mangos-server ;
echo 'mangos_enable="YES"' >> /etc/rc.conf ;

Step 8 - Optional Configurations

mangos.conf (Optional) - Enable Vmap LOS and Height

You will want this if you don't want creatures going through walls

cd /opt/mangos ;
sed -i "" '/vmap.enableLOS[ ]*=/ s/0/1/; \
/vmap.enableHeight[ ]*=/ s/0/1/;' \
etc/mangosd.conf ;

MySQL With Sockets (Optional)

If you disable Networking in MySQL you will need this

scriptdev.conf states: "Unix sockets: experimental, not tested" I have been using Sockets since I first compiled MaNGOS around the time of revision 9139 and I have had zero issues

cd /opt/mangos ;
sed -i "" '/DatabaseInfo[ ]*=/ s/127.0.0.1;3306/.;\/tmp\/mysql.sock/;' \
etc/*.conf ;

mangos.conf (Optional) - Enable SOAP

Useful for PHP scripts

cd /opt/mangos ;
sed -i "" '/SOAP.Enabled[ ]*=/ s/0/1/; \
/SOAP.IP[ ]*=/ s/127.0.0.1/0.0.0.0/;' \
etc/mangosd.conf ;

mangos.conf (Optional) - Enable Full Two Side Interaction

This only partially works, Client changes have made Two Sided Groups not work as intended

cd /opt/mangos ;
sed -i "" '/AllowTwoSide.Interaction.Chat[ ]*=/ s/0/1/; \
/AllowTwoSide.Interaction.Channel[ ]*=/ s/0/1/; \
/AllowTwoSide.Interaction.Group[ ]*=/ s/0/1/; \
/AllowTwoSide.Interaction.Guild[ ]*=/ s/0/1/; \
/AllowTwoSide.Interaction.Auction[ ]*=/ s/0/1/; \
/AllowTwoSide.Interaction.Mail[ ]*=/ s/0/1/; \
/AllowTwoSide.WhoList[ ]*=/ s/0/1/; \
/AllowTwoSide.AddFriend[ ]*=/ s/0/1/;' \
etc/mangosd.conf ;

Step 9 - Starting MaNGOS Securely for the First Time

/usr/local/etc/rc.d/mangos-server start ;

MaNGOS should now be running in the background as a true daemon, owned by the system user mangos

Since we disabled the console in Step 5, we won't be able to see the text flashing by, however you can read the log file located at /opt/mangos/log/Server.log to monitor its progress or research a bug

View the last 10 lines of the log file

tail /opt/mangos/log/Server.log ;

Once your log file displays Starting Remote access listner on port 3443 on 0.0.0.0 you will be able to connect to MaNGOS through your client or RA

Step 10 - Creating User Accounts

Connecting to MaNGOS RA

With console disabled, we need to use RA to create user accounts

telnet 127.0.0.1 3443 ;

Username: ADMINISTRATOR

Password: <MaNGOS Administrator Password>

Once logged in you will be greeted with the prompt

mangos>

and will be able to execute all console commands available to a normal MaNGOS console session.

Creating an Account

Replace $account and $password with a username and password of your choice.

.account create $account $password

Exiting MaNGOS RA

quit must be fully typed unlike other MaNGOS commands

quit

FreeBSD MaNGOS (Secure) Install - Complete

You should have a completely functional MaNGOS Server running securely under FreeBSD.

Notes

* If your server ever reboots intentionally or accidentally, MaNGOS will start back up via its rc script

* All MySQL passwords stored in configuration files cannot be viewed or altered by any normal system user

* The system user mangos can only be accessed by the root account when the rc script is executed

* The MaNGOS console cannot be accessed by a normal user without using RA and knowing the MaNGOS Administrator password

This guide/installation method is in a constant evolving process as I learn more efficiency and security tricks. If anyone feels I've missed something please let me know and I'll make sure to get the guide updated.

TODO: Only thing left is to make a guide on how to update based off of this guide (It's half finished, currently just working out a cleaner way for maintaining custom patches)

Link to comment
Share on other sites

Hi Antiroot!

Absolutely awesome guide! Really useful. I was wondering though, I've set up my user account for the realmd and world servers but when I run 'top' it still says that the user is 'root'. Is that okay?

P.S. Maybe you could include instructions on how to make an automatic MySQL backup script in your guide. =)

EDIT: Ignore me, after a restart things started working. I found one problem though, with your current script my server attempted to start the servers before MySQL was started. You need to modify it to "REQUIRE: DAEMON, mysql"

Regards,

Will

Link to comment
Share on other sites

@willisoady, You are completely correct about the "REQUIRE: DAEMON, mysql" I have edited the guide to have the new change, thanks for the catch.

I had that added on my live server but not on my development server that I used while making this guide. This guide has taken about a month and a half to get to the state it's in now (issues with some ports that needed to be updated in order to function correctly for a seamless non-interactive install)

Automatic MySQL backups will be part of my Upgrade guide (since with a base install there's usually no need for a backup). My live server is currently running my update method and it has worked flawlessly every time except when Level1.cpp and other chat related files had some changes, but it was my fault with one of my custom patches I created. I hope to have the Upgrade guide based off of this install guide up within the week.

Link to comment
Share on other sites

Aside from myself, clint is the only other person I know of that has used my guide. I think some more users are required before making it a sticky. Not to mention I need to set up a FreeBSD 8.1 server and make sure the guide is compatible since 8.1 is the newest stable release

Link to comment
Share on other sites

Hi Antiroot!

Thanks for the great guide!

Now I have a server with FreeBSD 8.1 AMD64 installed, and will try to do it.

Wait for my report ))

UPD:

Dependencies installed, but I selected the first way and used current ports versions, so:

autoconf-2.62 (I have 2.67)

autoconf-wrapper-20071109 (This)

automake-1.9.6_3 (I have 1.9.6_4 and 1.10.3, errrr, is that normal?)

automake-wrapper-20071109 (This)

libtool-2.2.6b (I have 2.2.10)

gmake-3.81_4 (Exactly)

m4-1.4.14_1,1 (I have 1.4.15,1)

mysql-client-5.1.49 (I have 5.1.50_1)

openssl-1.0.0_2 (Yep)

perl-5.10.1_2 (This)

-------------------------------------------------------

Sorry for my English, I'm Russian.

Link to comment
Share on other sites

Step 3, stage "Applying World Database Updates"

foreach sql_file ( trunk/Updates/*_additions/*mangos*.sql ) ;
echo "Applying Update - $sql_file" ;
mysql -umangos -p<MySQL MaNGOS Password> mangos < $sql_file ;
end ;

I think it's my mistake here, isn't it?

UPD:

Yes, the problem was in the shell. I changed the shell and now it works perfectly.

Link to comment
Share on other sites

All right, good job!

Server is working well!

Little bugfix for your guide:

Step 7 stage "Changing passwords"

echo "UPDATE account SET sha_pass_hash=UPPER(CONVERT(SHA(CONCAT(UPPER(username),':',UPPER('<MaNGOS Moderator Password>'))) USING latin1)) WHERE username='GAMEMASTER';" | mysql -umangos -p<MySQL MaNGOS Password> realmd ;

echo "UPDATE account SET sha_pass_hash=UPPER(CONVERT(SHA(CONCAT(UPPER(username),':',UPPER('<MaNGOS Gamemaster Password>'))) USING latin1)) WHERE username='MODERATOR';"

Link to comment
Share on other sites

Thanks Exelenz

Added text stating /bin/csh is required for guide to function

Fixed typo in Step 7

Once I get a FreeBSD 8.1 server setup I'll update the dependencies list and other parts of the guide.. Hard to find spare time and spare parts to get a new server up and running unfortunately

Edit:

It should be noted that I've tested this guide under FreeBSD 7.1, 7.2, 8.0 with a physical host, virtual host (vmware), and also within FreeBSD Jails and so far has worked in all cases

Link to comment
Share on other sites

Yep, at first I worked in bash, and had trouble with the foreach statement... But Google helped me, I switched the shell to csh and now it's all right!

(I'm not a professional in FreeBSD, I think it can be done with the bash shell... but how? =) )

I use this guide in a virtual machine and on quite a strong server. On the server - all right, works well. On the virtual machine the install crashed twice at step 2, stage "compiling", but I think the problem is in the VM - 256mb RAM, 10GB HDD and so on. Some kind of torture for this small machine, isn't it? =)

I have a little question. On the server I use FreeBSD8.1 AMD64, is it correct to use this

../configure --prefix=/opt/mangos --sysconfdir=/opt/mangos/etc --enable-cli --enable-ra --datadir=/opt/mangos/data --with-openssl=/usr/local ;

configuration settings in this case? It's a good server - 2 x XEON, 22GB RAM, fast HDD and so on. Maybe I must reconfigure it?

Thank you, this guide is very useful!!

Link to comment
Share on other sites

I chose to make this guide using csh because it is the default shell in FreeBSD. It could be redone to work with bash; unfortunately, bash uses different syntax than csh, which makes the foreach loops incompatible. I'll try and create a companion guide using bash when I set up my new FreeBSD 8.1 server so that users will have a choice of which shell they are more comfortable with.

Glad to hear you got it working using my guide as a reference :)

Link to comment
Share on other sites

I chose to make this guide using csh because it is the default shell in FreeBSD. It could be redone to work with bash; unfortunately, bash uses different syntax than csh, which makes the foreach loops incompatible. I'll try and create a companion guide using bash when I set up my new FreeBSD 8.1 server so that users will have a choice of which shell they are more comfortable with.

Glad to hear you got it working using my guide as a reference :)

Well classic Bourne Shell (real /bin/sh, not symlink to bash/csh/whatever) supports "for" loops like

for my_var in *
do
   echo $my_var
done;

(which lists all files/directories in the current directory)

That functionality is implemented in bash/ash/dash/.. as well, but csh/tcsh simply has to use foreach.

Anyway -- what's so "secure" about this guide, if I may ask? I found no steps how to make mangos run in a jail / how to add rules for TrustedBSD (MAC, similar to SELinux) / etc.

Link to comment
Share on other sites
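
An added example, not part of any post in this thread: a /bin/sh function that does what the guide's csh foreach update loops do, using the Bourne-style for loop shown above, and applies the guide's rule that ERROR 1054 (unknown column) means an update was already applied while any other error stops the run. The function name, the MYSQL_CLIENT variable and reading credentials from the [client] section of ~/.my.cnf instead of -p on the command line are assumptions of this example. Save it to a file and run it with sh; it cannot be pasted into csh.

```shell
#!/bin/sh
# Added example: /bin/sh counterpart of the guide's csh "foreach" update loops.
# Assumption: MYSQL_CLIENT names the client command. With the default "mysql",
# the user and password are expected in the [client] section of ~/.my.cnf,
# so no password appears on the command line.
MYSQL_CLIENT="${MYSQL_CLIENT:-mysql}"

# apply_updates <database> <file>...
# Feeds each file to the client in the order given (a glob expands sorted,
# which matches the numbered update file names) and prints one status line
# per file. Returns:
#   0  every file was applied or reported ERROR 1054 (already applied)
#   1  a file failed with any other error; later files are not touched
apply_updates() {
    db="$1"
    shift
    for sql_file in "$@"; do
        # A glob that matched nothing is passed through literally; skip it.
        [ -f "$sql_file" ] || continue
        # Capture stderr only; result sets on stdout are discarded.
        if err=$($MYSQL_CLIENT "$db" < "$sql_file" 2>&1 >/dev/null); then
            echo "applied $sql_file"
        else
            case "$err" in
                *"ERROR 1054 "*"Unknown column"*)
                    # The version guard at the top of the update file failed:
                    # the guide treats this as "update already applied".
                    echo "already-applied $sql_file"
                    ;;
                *)
                    echo "failed $sql_file: $err"
                    return 1
                    ;;
            esac
        fi
    done
    return 0
}

# Usage from /opt/mangos, mirroring Step 3 of the guide:
#   apply_updates mangos     data/mangos/sql/updates/*mangos*.sql
#   apply_updates characters data/mangos/sql/updates/*characters*.sql
#   apply_updates realmd     data/mangos/sql/updates/*realmd*.sql
```

Unlike the csh loops, this stops at the first error that is not ERROR 1054, so a genuinely broken update is not buried among the expected "already applied" messages.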

The secure parts (which there are still more to add) are

* running mangos as a user other than root
* changing default passwords for ingame default accounts
* changing default passwords for mysql
* removes the need for the console (or screen) to be used (only a problem with local based intruders ie small children that are fascinated by the clicking sound of the keyboard, etc)
* alter permissions of config files so other users cannot access them (although I did just realize that log files are readable by any user, which can show them the mysql user/pass.. might need to use touch to pre-create the log files and set their permissions to prevent that)

Really it's not that this guide makes it impenetrable, only that it covers the basics of making it more secure than just a regular compile-and-run guide.

From how I describe daemons/services most other guides don't treat MaNGOS this way as most seem to run MaNGOS in the foreground. This guide aims to daemonize it and make it look and feel more like a real server (I do see the benefits of running it in the foreground for debug purposes however). There is still quite a bit this guide needs, unfortunately there is also a lack of time for me to spend doing this

As far as which shell is best, since this is a FreeBSD guide, in which root's default shell is csh in FreeBSD, and the root account is needed to build/install dependencies and mangos, alter file permissions, configure initial mysql install.. it seemed logical to use csh.

I do like the idea of making it compatible with /bin/sh (maybe just throw instructions in on how to switch shells beforehand of course)

And as far as a guide explaining building a FreeBSD jail to cram all of this in, FreeBSD jails are beasts far beyond the scope of a mangos guide, and making a FreeBSD+jail+mangos guide would be 75% jail explanation/guide. My mangos server runs within a jail no problem, so it is doable, just difficult for beginners. And I don't think the devs/mods would like a 4-5 post thread explaining something non-mangos related (especially when the FreeBSD Handbook and manpages explain jails quite well)

Same goes for firewall rules, etc.. OS forums, mailing lists, handbooks, manpages describe all these things very well


alter permissions of config files so other users cannot access them (although I did just realize that log files are readable by any user, which can show them the mysql user/pass.. might need to use touch to pre-create the log files and set their permissions to prevent that)

To be honest, installing mangos into /opt is - in my opinion - a rather bad idea. I compile and run mangos under "mangos" user, in the home directory itself (/home/mangos/install). That way no other user can access data files / logs / backups / sources / ..., it's a lot easier to manage multiple "backups" (as in "versions") of mangos datadirs as well.

Anyway, you can't touch empty logfiles since mangos is able to use time "stamps" in log file names. I'd simply restrict read access to logs directory.


You're right, /opt is a bad place.. in FreeBSD the common thing is for non base system data to go into /usr/ and /usr/local/

Still that doesn't prevent other users from access, and as you said a /home folder would be a nice way to go about it

I used /opt to keep it similar to other guides since they all seemed to use that for the install directory

I was actually unaware of "LogTimestamp" in the confs until you mentioned that, I think I may take your advice and change the directory permissions for the logs dir, and also enable the LogTimestamp feature (since Server.log gets overwritten on every restart, making debugging difficult)

Thanks for all your opinions freghar, I'll see about revamping my guide and hopefully changing/implementing some better ways to do things

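The log-directory approach discussed in the posts above, as an added example that is not part of the original thread: because LogTimestamp creates new file names on each restart, the directory is locked down instead of pre-creating files. The function names, the temporary directory standing in for the real logs directory, and the sample log file names are assumptions.

```shell
#!/bin/sh
# Added example: function names, paths and log file names are assumptions.

# Print the 10-character mode string (e.g. drwx------) of a path.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Exit 0 when group or other holds any permission bit on the path.
is_exposed() {
    case "$(mode_of "$1")" in
        ????------) return 1 ;;
        *)          return 0 ;;
    esac
}

# Only the owner may enter or list the directory afterwards, so log files
# that appear later under new timestamped names are covered as well.
harden_log_dir() {
    dir=$1
    mkdir -p "$dir" || return 1
    chmod 700 "$dir" || return 1
    find "$dir" -type f -exec chmod go-rwx {} +
}

# Print every log file that group or other can still access by mode.
audit_log_files() {
    find "$1" -type f | while IFS= read -r f; do
        if is_exposed "$f"; then printf '%s\n' "$f"; fi
    done
}

demo() {
    logs=$(mktemp -d)/logs      # stand-in for the server's real logs directory
    mkdir "$logs" && chmod 755 "$logs"
    # Constructed file names; umask 022 leaves the first log world-readable.
    ( umask 022; : > "$logs/Server_2011-01-01_00-00-00.log" )
    echo "before: $(mode_of "$logs")"; audit_log_files "$logs"
    harden_log_dir "$logs"
    # A log created after hardening, by a process started with umask 077.
    ( umask 077; : > "$logs/Server_2011-01-02_00-00-00.log" )
    echo "after:  $(mode_of "$logs")"; audit_log_files "$logs"
    rm -r "${logs%/logs}"
}
demo
```

Run harden_log_dir as the account that owns the logs directory; audit_log_files prints nothing once no log file carries group or other permission bits.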

  • 1 year later...

Hi, this is my script and it works very well under FreeBSD 8.2 amd64. There are two files: one is the script, named mangos_autocompile, and the other is the config file, named mangoscnf. Change the path of "where you want to install your core" in the mangoscnf file, .... chmod +x mangos_autocompile and execute it.

mangos_autocompile

#!/bin/sh
#
# Load the settings. The ./ prefix makes sh read the file in the current
# directory instead of searching PATH for a file named mangoscnf.
. ./mangoscnf

echo "-----------------------------------"
echo "- Mangos Autocompiler by me.. :-) -"
echo "-----------------------------------"

echo "Cleaning up directories of old Mangos sources"
# ${SOURCES:?} aborts when SOURCES is empty, so rm -r never runs without a target
if [ -e "${SOURCES:?}" ]; then
    rm -r "$SOURCES"
    echo "... old sources cleaned up ..."
fi
mkdir "$SOURCES" || exit 1
cd "$SOURCES" || exit 1

echo "############################ "
echo "Downloading MANGOS Core ...."
echo "############################"
git clone "$SOURCES_GIT" "$SOURCES" || exit 1

echo "######################################### "
echo "Downloading Script Engine ScriptDev2 ...."
echo "######################################### "
# Left unquoted on purpose: the variable holds the URL and the target directory
git clone $SOURCES_GIT_SD2 || exit 1
echo "Mangos and Script Engine have been downloaded"

echo "######################################## "
echo "Applying Script Engine patch to Core ..."
echo "######################################## "
cd "$PATCHES_DIR" || exit 1
# Match names ending in .patch only and stop if none is present
PATCH_FILE=$(ls | grep '\.patch$' | head -n 1)
[ -n "$PATCH_FILE" ] || { echo "No ScriptDev2 patch found" >&2; exit 1; }
patch -d "${SOURCES}" -p1 < "${PATCH_FILE}" || exit 1
#git apply $PATCHES_DIR/$PATCH_FILE
cd "$SOURCES" || exit 1

echo "############### "
echo "configuring ..."
echo "############### "
automake "$SOURCES/src/bindings/ScriptDev2/Makefile"
mkdir build && cd build || exit 1
cmake ../ -DPREFIX="$INSTALL_DIR" -DDEBUG=0 -DPCH=0 -DTBB_USE_EXTERNAL=0 -DUSE_STD_MALLOC=0 -DACE_USE_EXTERNAL=1 || exit 1

echo "###############################"
echo "Configuration completed."
echo "Entering compilation process..."
echo "###############################"
# Do not install when the build failed
make -j"$CORES" || exit 1

echo "##########################################"
echo "Core compilation completed, installing ... "
echo "##########################################"
make install || exit 1

echo "Cleaning ...."
make clean
echo "Done."

--------------------------------------------------

mangoscnf

#######################
########CONFIG#########
# Where the core will be installed.
INSTALL_DIR="/usr/home/user/mangos_server"
#
# The compilation source directory.
SOURCES="/usr/home/user/mangos_src"
# Mangos Core source GIT repository
# (the git:// transport is unauthenticated and unencrypted)
SOURCES_GIT="git://github.com/mangos/mangos.git"
# ScriptDev2 GIT repository, followed by the directory it is cloned into
SOURCES_GIT_SD2="git://github.com/scriptdev2/scriptdev2.git $SOURCES/src/bindings/ScriptDev2"
#
# ScriptDev2 patch file directory
PATCHES_DIR="$SOURCES/src/bindings/ScriptDev2/patches"
#
# Number of cores + 1, e.g. dual core = 2+1
CORES=3
#########END###########
#######################

-----------------------------------------------------------------------
