Hardening production servers

Paul Smith paul at cnt.org
Tue Jul 8 13:01:05 PDT 2003


Greetings,

Apologies if this is not the appropriate list, but my questions are about
best practices in maintaining production servers (so I believe I can justify
a post in -stable, short of a -release list :)

I maintain a modest installation of 6 FreeBSD servers. They're CVSUP'd to
RELENG_4_8 (I make buildworld on each individually) and I portupgrade ports
as necessary. In an attempt to mature and harden this installation, I'm
wondering what is the best approach for keeping production servers patched
and with the latest ports. I know that compiling everything on each box is
poor security practice and an unnecessary drain on resources. But I'm confused
as to how to go about compiling world and the ports on a separate machine and
how to then distribute to the production servers. Should I compile ports as
packages? Which directories are appropriate for NFS export? Each machine is
i386, so there shouldn't be any architecture issues, but each has its own
hardware configuration, so how would building a custom kernel work?

My selfish goal is to reduce maintenance time and effort by centralizing 
patches and updates, and my overall goal is to enhance security and
reliability on the production servers by removing compiling tools. Thanks in
advance for any advice on this matter.

Cheers,
Paul

-- 
Paul Smith <paul at cnt.org>
Webmaster/Systems Administrator
Center for Neighborhood Technology
Chicago, Illinois USA


More information about the freebsd-stable mailing list