Hi Titan,

> I have quite a predicament. I have been tasked with setting up an FTP
> server for the research group I'm involved with. The problem is once
> I'm gone someone with no *NIX experience will be maintaining the
> server. I've been considering using OpenBSD because it looks like it
> can go far longer without updates than Windows and Linux servers and
> looks to be very secure.

A properly administered OpenBSD server requires an operating system update at least once a year. Additionally, it requires patching once in a few months - of course, frequencies vary. Patching and updates are not difficult for someone who knows basic Unix system administration, but a person with no Unix experience will quite possibly fail at the task.

> In your experience, would it be possible for someone with no *NIX
> experience to maintain a simple FTP server?

Possible, yes, after considerable learning effort. Easy, no.

> How long would you trust an unpatched OpenBSD server to go unhacked?

If you talk about authenticated FTP (with passwords), until anybody with basic networking skills and root access to any host where your FTP traffic passes by actually cares to hack it. That person will probably be able to change the data on the FTP server only, not to corrupt the operating system, if it was set up properly and if it does not run any other services.

If you talk about anonymous FTP (read access for everyone, optionally with a _separate_ public upload area), the server may be safe for several years, even unpatched, if it runs no services except stock ftpd. Bugs in OpenBSD ftpd and basic networking are not found that often. Yet, bugs *may* be found at any time, and the server may happen to need updates at any time - with bad luck, even a few days after deployment.

In case you are talking about FTP with plain text passwords, better drop the whole project or use SFTP instead. If it must be plain text FTP and money for licences is not an issue, your colleague is probably better off with a Windows Server. FTP is terribly insecure anyway, so Windows or OpenBSD makes hardly any difference from a security standpoint, and people usually administer systems they know well better than ones they see for the first time.

In case you are talking about anonymous FTP only, I would rather suggest Debian GNU/Linux than OpenBSD _for_this_particular_task_. If you know what you are doing, OpenBSD is much easier to use than Debian (imho, but I won't argue about it here) - but if you have no experience whatsoever, your chances may be better to get

    # apt-get dist-upgrade

right once a month than to compile OpenBSD errata patches correctly when needed.

Yours,
  Ingo

-- 
Ingo Schwarze <[EMAIL PROTECTED]>
usta.de / studis.de sysop

