configuring base server system: lots of questions

[Littlefield, Tyler]

On 3/16/2014 1:14 PM, Jim Ohlstein wrote:
>
>
> On 3/16/14, 12:23 PM, Littlefield, Tyler wrote:
>> hello:
>> I am pressed on cash, but wanted to switch from Linode (Linux) to BSD. I
>> had a few reasons, mainly that i like BSD quite a lot. I found the
>> soyoustart servers and at least right now for my needs, it's working
>> good. I am in the process of switching everything over--I'll do an
>> install and will end up just wiping everything out and rebuilding this
>> all later when I know exactly what I want to do, so I have a few 
>> questions:
>> 1) I've seen a lot of discussion on ZFS. This server comes with 2 2tb
>> drives on raid, so I assume it's a mirror. Would ZFS be useful in this
>> case, or should I stick to UFS? I want to do a lot of work with jails:
>> jail each individual service. Is this viable? I've also tightened up the
>> kernel a bit and installed a pretty basic firewall. Are there other
>> security concerns I need to worry about? What is the general checklist?
>
> First, don't assume. Find out.
>
Soyoustart's support is sort of lacking--I found this out the fun way, 
when they decided to reboot my server 500 times because I was not able 
to be pinged. I "assume" because there are two 2 tb drives and I have 2 
tb disk space, so a mirror makes sense.

> Using ZFS may depend more on how much RAM you have than the drives. 
> More RAM usually = better ZFS peformance. You should also be able to 
> separate the drives into JBOD mode. If they're in a "software RAID" 
> (as most Soyoustart servers seem to be) then that's good. ZFS and a 
> hardware controller don't always play together most efficiently, or so 
> I have been led to believe. UFS is still a fine file system, but if 
> you have adequate RAM ZFS is more than just a file system.
>
> Soyoustart servers do seem to have lots of RAM, more than enough for a 
> ZFS system with this amount of storage. However, I doubt that you can 
> simply install FreeBSD with ZFS from a Soyoustart OS template. You'd 
> probably need KVM/IPMI, and I don't know if that's available.
>
> As for a security "checklist", every machine is different and 
> everyone's needs are different. Use a firewall that you understand and 
> learn how to write rules. Don't just copy and paste. See below as well.
>
totally understandable. I wrote all the rules myself after reading docs, 
I've dropped it in here if someone wouldn't mind taking a look. I'm not 
going for the highest possible security on this server, but I do want to 
learn and make sure that I am doing things the right way. this is a 
business server where I'll host my customer portal and etc, so I want to 
be doing this right. This is the reason for the jails--to isolate each 
individual service, but I know that a good firewall is the first step on 
the base server. Here's what I've done:
1) Disabled root logins on SSHD and turned off password authentication, 
also set the max tries to 2 for logins. The only way to log in is with 
keys, and a user has to be in the sshusers group, for added security.
2) I tightened up some stuff in sysctl.conf, mainly to prevent other 
users from viewing objects that do not belong to them, prevent them from 
reading dmesg, etc.
3) I set up the following firewall:
if="em0"
tcp_services="{ 22 80 6666}"
set skip on lo
set loginterface $if
antispoof quick for { $if lo }
block in all
pass out from any to any
pass in on $if proto tcp from any to any port $tcp_services
The idea is block by default and just allow what I want through.
4) I installed logwatch and will finish configuring that when I transfer 
my email over to the server for good.
5) Within individual jails, all services that are only localhost are 
bound to their specific loopback addresses.
6) Any other ideas here would be awesome. Again I'm not sure what the 
standard setup would be, I just want to insure that everything is being 
done that I need to.

>
>> 2) When accessing jails, I have a game I am developing that I want to
>> host on this server. There are a few of us that will have access to the
>> running copy--should they just sudo ezjail-admin console game, or is
>> there a more secure method to allow individual users access?
>
> Yes. Use NAT/redirect. That way you can set the SSH port on the jail 
> to something other than what your main FreeBSD install uses, and 
> redirect it directly to the jails SSH daemon. I use pf(4) for this, 
> with the module built into my kernel. There are other ways.
>
Awesome, didn't think of that, thanks.

>> 3) I have 95 some odd updates with portmaster over the last two weeks.
>> Is it viable somehow to just apply security patches? Is there a way to
>> do that, until I have the time to sit down and apply all these updates
>> individually?
>
> Use pkg(8). Unless all 95 have custom options, this will be far more 
> efficient.
>
>> 4) My CFLAGS in make.conf looks like this: CFLAGS+=-O2 -march=native -s
>> is this recommended? If not, what would be a better setup? Usually -O2
>> is a good level since -O3 tends (from what I've heard) to create a lot
>> of cache misses. I wanted it to tune to my processor and strip. I was
>> also looking at using -flto and -flto=8 (Is there a LDFLAGS), but I
>> again wasn't sure if this was recommended.
>
> No. Don't use CFLAGS in your make.conf! Most ports are already 
> optimized properly, and doing so may break some things.
>
Fair enough. I do want to compile for my specific processor, but I 
believe there's a var for that. can I just provide "native"?

>
>> 5) Any other tips/advice would be awesome. I'll be deploying NGinx, php
>> (fastcgi/other ideas), mysql and postfix to start with--possibly with
>> amavis-new for spamassassin and clamav.
>
> If you plan to use nginx with PHP via fastcgi, use php-fpm.
>
>>
>> Thanks in advance for the help,
>>
>


-- 
Take care,
Ty
http://tds-solutions.net
He that will not reason is a bigot; he that cannot reason is a fool; he that dares not reason is a slave.