LinuxQuestions.org > Linux - Newbie > Opinions on server build... (https://www.linuxquestions.org/questions/linux-newbie-8/opinions-on-server-build-65832/)

BrianPM 06-15-2003 08:44 PM

Opinions on server build...
 
I know I have a LOT of research ahead of me AND I'm not sure I'm really going about my end result in the 'proper' fashion ~ but I want to try and be efficient. Hoping I can get some edumacated thoughts on if I'm shooting in the right direction or if I should try alternatives.

I'm looking to have an End Result of a Mail/HTTP/FTP server that's also a firewall and router.

I'm planning on using RH 9.0 distro
sendmail for the mail server
apache for HTTP
FTP is part of the distro (or is it?)

IPtables + masq. for the firewall and routing efforts

tripwire for my change management/IDS

I'm pretty sure I should put the firewall/router on one box and the servers on another but I'm trying to appease the SO by limiting the number of boxes sitting in our dining room.

TIA

jdc2048 06-16-2003 12:30 AM

Not bad, I would dump the built in ftp and go for something more secure like vsftp. I might also dump sendmail and go with postfix.

I would also recommend looking at Engarde Linux as a possible alternative. It has been stripped down to only the basics for security (i.e. no X server, no default services running, etc...). I personally use it as a firewall/ids/e-mail/website server and it works great. It incorporates the differences of what I mentioned at the top of this post. There is a free community version if you don't want to buy the commercial version. They just released the "Feint" release which includes the 2.4 kernel with iptables. And you can use LIDS or grsecurity as your IDS.

The only problem would be that you would need a second machine (standard PC w/ browser) to administer it through the web interface.

If you decide to go with RH, then just remember to install the "minimal version" and add exactly what you need, nothing more. That would provide about the same effect.

HTH
Jeremiah

Yo-DUH_87 06-16-2003 12:36 AM

You may also look into SME server (http://www.e-smith.org) as a pre-packaged alternative to building your own ;)

jvannucci 06-16-2003 12:40 AM

vsftpd is included in RH 9.0.

You sound like you've got a good handle on things, but I'd recommend reading "Building Secure Servers With Linux; Michael D. Bauer; O'Reilly". Really good section on building a perimeter network. While what you're planning will work, there are caveats, and he presents the pros/cons of different perimeter configurations.

BrianPM 06-16-2003 01:39 AM

Muy Bueno.. This is the kind of stuff I was looking for. :) While I know enough to talk somewhat intelligently about what I want, actually knowing the specifics of what's best (much less what's available) and applying it will be a different story altogether.

As for that O'Reilly publication ~ great, I have awful insomnia.. need something to help me get to sleep. :P

Edit: Looking at the SME server, it looks like this would be a good all-in-one type deal with the exception of the mail aspect. I've never run a mail server before but the UserGuide sure does make it look like it just Collects mail from an existing pop/webmail account and doesn't actually SERVE mail. Maybe I'm wrong (please, someone look and try to verify one way or another) ~ with that one exception it looks pretty good though.

Looking at EnGarde, this seems like the best way for a relative nooB to get started. I have a laptop I can load a full version of RH 9.0 to 'play' with and see if I can't swing my SO over away from all that MS stuff (tired of figuring out how to uninstall the crap I don't want and skirting the Warez issues).


Thanks again! Though more input is always welcome/appreciated

pfeito 06-16-2003 06:14 PM

I'd use Red Hat 9. Why? Personally because I'm very used to it and I can custom configure it very quickly without getting into too much trouble. Any doubt I have, it's easy to get support because there are a lot of RH users out there, and there are lots and lots of RH-based tutorials/how-to's. I always used RH for webserving, ftp, ssh, mail, firewall/routing and have always been happy with it. Recently I installed and configured a Slackware distro with the same set of services, but that was just for a change and to begin learning other distros.

If you do a minimum install, it's kind of easy to add things as you need them, without breaking things.... the key things to remember are: always have your system patched (easy if you use Red Hat's up2date), take a lot of time configuring your iptables, choose daemons that are known for their security.
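The box BrianPM describes in the opening post (one machine that is the NAT router for the dining-room LAN and at the same time the public mail/HTTP/FTP server) and pfeito's advice to spend time on the iptables configuration both come down to the same rule set. The script below is an added example for this thread, not code posted by anyone in it: it generates a default-deny iptables policy for that single box and applies it through a dry-run wrapper. The interface names (eth0 toward the DSL modem, eth1 toward the LAN), the 192.168.1.0/24 LAN range and the port lists are assumptions and can be overridden in the environment.

```shell
#!/bin/sh
# Added example for this thread: an iptables rule set for ONE box that is both
# the NAT router for the home LAN and the public mail/HTTP/FTP server. Not the
# thread's own code. Interface names, the LAN subnet and the port lists below
# are assumptions; override them in the environment.
WAN_IF="${WAN_IF:-eth0}"                          # assumed: NIC facing the DSL modem
LAN_IF="${LAN_IF:-eth1}"                          # assumed: NIC facing the LAN
LAN_NET="${LAN_NET:-192.168.1.0/24}"              # assumed: private range behind the box
PUBLIC_TCP_PORTS="${PUBLIC_TCP_PORTS:-25 80 21}"  # SMTP, HTTP, FTP offered to the world
LAN_ONLY_TCP_PORTS="${LAN_ONLY_TCP_PORTS:-22}"    # SSH reachable from the LAN only

# Emit the rule set, one iptables argument list per line. Generation is kept
# separate from the apply step so the policy can be read or diffed before it
# goes live.
firewall_rules() {
    cat <<EOF
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $WAN_IF -s $LAN_NET -j DROP
-A INPUT -m state --state INVALID -j DROP
EOF
    # Services this host itself serves to the Internet.
    for p in $PUBLIC_TCP_PORTS; do
        echo "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Management services: only on the LAN interface and from LAN addresses.
    for p in $LAN_ONLY_TCP_PORTS; do
        echo "-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Anything else hitting the box is logged, then dropped by the policy.
    # Forwarding is LAN -> WAN only (plus replies); LAN hosts are masqueraded
    # behind the WAN address.
    cat <<EOF
-A INPUT -j LOG --log-prefix FW-INPUT-DROP:
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -j LOG --log-prefix FW-FWD-DROP:
-t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}

# Flush the old tables and load the rule set. IPT and SYSCTL default to a dry
# run that only prints the commands; run as root with IPT=iptables
# SYSCTL=sysctl to apply for real.
apply_firewall() {
    IPT="${IPT:-echo iptables}"
    SYSCTL="${SYSCTL:-echo sysctl}"
    $IPT -F
    $IPT -t nat -F
    $IPT -X
    firewall_rules | while read -r rule; do
        # shellcheck disable=SC2086  # word splitting of $rule is intended
        $IPT $rule || exit 1
    done || return 1
    # Forwarding is switched on only after the FORWARD chain is in place.
    $SYSCTL -w net.ipv4.ip_forward=1
}

# Stand-alone run prints the commands that would be executed.
apply_firewall
```

Two practical notes for the RH 9 era setup in the thread: the RELATED rule only covers FTP data connections once the FTP connection-tracking helper is loaded (`modprobe ip_conntrack_ftp` on a 2.4 kernel), and `net.ipv4.ip_forward = 1` should also go into /etc/sysctl.conf so routing survives a reboot; `service iptables save` stores the loaded rules in /etc/sysconfig/iptables. Apply a default-DROP policy from the console the first time, not over the SSH session it is about to restrict.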

EvilTwinSkippy 06-17-2003 07:18 AM

Binary Distros and the Long Haul...
 
Hey, it sounds like you have a pretty good handle on how to build a new server.

My only caution with RedHat (and other Distros) is KEEPING it running. I run a data center with about 9 Linux servers (and a few with that "other" OS). When I put it together back in 2001, I was using RedHat 7.1. Now, 2 years later, I've been having to reinstall the operating system every 9 months, on average. Theoretically, RPM should be able to upgrade and maintain my system, but in practice machines gather cruft.

I've had uninstalled packages return from the grave, upgrades to RPM requiring upgrades to GLIBC, which requires an upgrade to RPM, et cetera. It doesn't help that RedHat is now giving each release a 6 month shelf life. So left with the unenviable choice of leave a box vulnerable, upgrade and pray something doesn't break (again), or nuking the boxes periodically and starting from scratch, I, well, picked another approach.

Not to plug, but you may want to try out Gentoo. It's not perfect, but I find it easier to keep running in practice. The system works by downloading the source for your software, compiling, and linking it against whatever library is present in your system. The process is a little slow, but it's a lot better than praying that RPM update to fix a vulnerability doesn't itself upgrade a library and in the process breaks some other useful part of your system.

Plus the init system is sexier, it uses DevFS and tmpfs, and if an "ebuild" doesn't exist for the software you need, it's fairly easy to write one. (I have.)

pfeito 06-17-2003 02:19 PM

Re: Binary Distros and the Long Haul...
 
Quote:

Originally posted by EvilTwinSkippy
Hey, it sounds like you have a pretty good handle on how to build a new server.

My only caution with RedHat (and other Distros) is KEEPING it running. I run a data center with about 9 Linux servers (and a few with that "other" OS). When I put it together back in 2001, I was using RedHat 7.1. Now, 2 years later, I've been having to reinstall the operating system every 9 months, on average. Theoretically, RPM should be able to upgrade and maintain my system, but in practice machines gather cruft.

I've had uninstalled packages return from the grave, upgrades to RPM requiring upgrades to GLIBC, which requires an upgrade to RPM, et cetera. It doesn't help that RedHat is now giving each release a 6 month shelf life. So left with the unenviable choice of leave a box vulnerable, upgrade and pray something doesn't break (again), or nuking the boxes periodically and starting from scratch, I, well, picked another approach.

Not to plug, but you may want to try out Gentoo. It's not perfect, but I find it easier to keep running in practice. The system works by downloading the source for your software, compiling, and linking it against whatever library is present in your system. The process is a little slow, but it's a lot better than praying that RPM update to fix a vulnerability doesn't itself upgrade a library and in the process breaks some other useful part of your system.

Plus the init system is sexier, it uses DevFS and tmpfs, and if an "ebuild" doesn't exist for the software you need, it's fairly easy to write one. (I have.)

I agree with most of the things and I'm waiting for a bit of spare time to begin playing with Debian (for those who don't know, Gentoo is Debian-based and they share the same install-from-net method). :)

For newbies I still recommend Red Hat... by the time the 6 pass, the user already has broken up a few things and the system calls for a clean install anyway... so... it ends up being a good thing for learning Linux. After the simpler distros (Red Hat, Mandrake) are dominated, then it's time for a more mature distribution.

This is just me talking because I always end up with Red Hat somehow :P I need more free time to learn Debian, FreeBSD or OpenBSD.

BrianPM 06-19-2003 03:55 PM

Follow-up
 
Thanks for the information so far. Well, my 'weekend' (Tuesday and Wednesday for now) was spent playing with the box, trying to figure out just what I want and what seems to work best.

I started with the SME Server v5.6. It installs nicely, very easy for the semi-newbie (I've loaded various distros of RH over the past couple of years only to not have time to get very familiar). It walks you through the setup nicely, but the end result seems a little bloated and slow. I'm running a dual PIII 500 w/ 1024mb of ram ~ so bloated and slow are 2 things I shouldn't be experiencing. I was less than impressed with the interface and was unable to get it to network locally with my one other desktop, much less reach the outside world via my DSL (bridged, no PPPoE).

Next came EnGarde which was also easy to install, and didn't seem so bloated locally. I was able to get it up and going with the web interface easily (networked to the local desktop), and I liked what little I saw of the interface. Too bad it took 1+ minute for each action to go through 6' of Cat5, be processed and return to my browser. This was completely unbearable and when it refused to connect with the outside world I scratched it too.

Finally came Debian at the prompting of a database guru I work with. Install was straightforward but also a Huge pain in the butt. I have my 2 computers hooked up through a KVM, and every time I'd switch from the Debian install back to my Windoze box, it would lock up the install. I eventually got through the base install and was left with a Very stripped version of the kernel but no easy to use interface. I'm looking up the necessary basic info on adding a second eth to try and get it out to the web. From there it looks as if the apt-get command will make life pretty simple for adding the few things necessary. This is a much less 'newbie friendly' way to get the end result I want ~ but I like being in the nitty-gritty of what's going on and having total control. Because of that, based on how I feel about Debian after playing with it some more, I'll probably give Gentoo a shot as well.

So, the gist of it? Too many compromises with the 'prebuilt' ideas that I don't want to live with. To get what I want requires more work, a steeper learning curve and no pretty web interface ~ but that's an acceptable tradeoff for myself.

I would like to hear more thoughts though ~ so bring them on. Maybe others are looking for something similar. Shoot, maybe I just need to make the learning curve even steeper and create my own mini-distro. :P yea right.


All times are GMT -5.