On Thu, May 03, 2001 at 03:08:34PM -0700, Bob Miller wrote:
> Several people suggested that I colo my own box at Willamette.NET. If
> I were to do that, what distro is the best starting point for building
> a server? This box would be a pure server, with the following
> services initially:
>
> DNS
> Apache
> mail with some sort of mailing list handler
> ssh
>
> I don't particularly want to install Mandrake, then strip everything
> off. I don't know Debian well enough to set it up right. What else
> is a good alternative?
>
Why, OpenBSD of course. Apache and sendmail are part of the base
system. Being parts of the base system, they go through thorough
security audits, something you don't get from any other OS.

OpenSSH is actually developed on and for OpenBSD; I'm currently
using OpenSSH 2.9. How many years before that makes it into Debian's
"stable" dist?

The base also includes bind 4.9, which has been audited, but I'd opt
for djbdns from the ports collection. (According to OpenBSD developers,
BIND8 is too much of a security nightmare to even attempt to audit.
And BIND9 isn't much better. But you knew that :)

Probably the best reason for installing OpenBSD on servers is that the
system has gone through a thorough security audit, and it is installed
"secure by default", which means you'll have to do a little work to
get services started, not a lot of work to make sure services aren't
started. "Hardening" an OpenBSD system basically consists of disabling
inetd and portmap if you don't need the BSD "r" tools; that's pretty
much it.

Being an OpenBSD zealot, I'd be more than happy to spend a couple hours
helping OpenBSD onto a server :)

The only bummer is that OpenBSD 2.9 is scheduled to start shipping June 1.
I'm getting my sources through CVS, the tree freeze is in full effect,
only minor changes mostly dealing with documentation before the RELEASE
tag is set. Several people have reported on [EMAIL PROTECTED] that they
are running prerelease (referred to as -current in OBSD speak :) builds
in heavy production environments. Some are even running java servlets
with blackdown-jdk linux binaries with OpenBSD's new RedHat 6.2 emulation.
On the other hand, people also report using OpenBSD 2.7 in production
and see absolutely no need to update.

Cool Server Stuff in OpenBSD 2.9

Base system:
    OpenSSH 2.9
    Perl 5.6.0
    Apache 1.3.19
    WIDE ftpd 6.5/OpenBSD
    Sendmail 8.11.3/8.11.3
    BIND 4.9.8-REL

Ports/Packages:
    Daemontools 0.70
    Ucspi-tcp 0.88
    Djbdns 1.05
    Libtai 0.60
    Cdb 0.75
    Publicfile 0.52
    Qmail 1.03
    Ezmlm 0.53
    Checkpassword 0.90
    Dot-forward 0.71
    Fastforward 0.51
    Mess822 0.58
    Qmailanalog 0.70
    Serialmail 0.75
    Mysql 3.23.37
    Openldap 2.0.7
    Postgresql 7.1
    Mod_frontpage 1.51
    Mod_perl 1.25
    Php 4.0.4pl1

There is also a very wide selection of network management and analysis
tools, as well as other goodies. Check out:
http://www.openbsd.org/cgi-bin/cvsweb/
Look under ports/mail, ports/net, and ports/security for more details.
There's a little <select> box at the bottom of the pages to choose
which release (2_9, 2_8, etc) you want to look at.

The new softupdate and dirpref code in 2.9 is simply amazing. Quoting
http://www.openbsd.org/29.html, "Some tests show a 60x improvement in
filesystem speed. If there is one reason to upgrade to 2.9, this is
it." I haven't done any real benchmarks, but the difference is obvious
and immediately noticeable.

One of the niceties of OpenBSD is that you can rebuild your system with
a simple '# cd /usr/src && make obj && make build'. And then you can
package your system for redistribution with '# cd /usr/src/etc && make
release'. (The softupdate stuff shows its true colors here :)

I've been meaning to 'make release' and burn a few CDs to bring to the
clinics, but Thursday evenings usually aren't good for me. If anyone
is interested in a CD and some help getting set up, just let
me know...

<[EMAIL PROTECTED]>
PS I have up to date sources ready to build for 2.8 & 2.9.