This is a discussion on "Need suggestions for a very secure web server with plone" within the Slackware Linux Support forums, part of the Unix Operating Systems category.
| ||||
| Hi

I am working on setting up a web server with plone (content management). I have a fair bit (6-7 years) of Linux user and part-time admin experience, but want to do a good job (a very secure setup which can handle denial of service, etc. kind of attacks) for this latest project of mine.

I am considering three alternatives - Slackware, FreeBSD and OpenBSD. From a security and speed point of view for my needs, which do you think is a better choice ? You may assume my experience with BSD, etc. to be nil, while with Slackware, I use it as my personal router / firewall and find its setup easy and secure.

I am also interested in learning about the system I setup, so availability of good documentation and sizeable, helpful Usenet communities (like the good folks at comp.os.linux.misc, etc.) would be a big plus. I do not want too steep a learning curve, as I need to get the first version of the webpage up in a week or so.

Thanks. |
| |||
| BSD is supposed to be more stable, but slackware's stability has never seriously been questioned. I would stay away from the more recent versions until more all bugfixes are in. My advice is use kernel 2.4.22 on Slack 9.1.

A webserver will have holes in it, and it is really the scripts that run it, the server programs that provide security not so much the distro. This is the key, that variables in scripts do not allow overloading, so that root access can be had. A webserver has to run more or less without much firewall protection, or port forwarded through a firewall. It may take a good book on firewalls to get this well figured out. IP Chains might be as good as tables, so Linux Firewalls by New Riders is comprehensive.

Most free distros are about equal in many respects. Slack provides kernel support as do other Linux distros for setting up packet filtering and the like in the kernel compile. BSD has some scripts that are supposed to make firewalls easier to do, but I doubt that is really true. I think that setting recompiling your kernel with a careful read of IP packet options would be de rigueur. There should be enough docs in /usr/src/linux and the make menuconfig process to allow you to figure out what you especially need. I think you would find kernel recompiling in Slack more basic and trustworthy than the Hat. It is more part of their meat it would seem. I would look at both make config AND make menuconfig. The latter is more for overview and the former for getting it right. For some reason I have found that make menuconfig leaves out choices that pop out at you in the textual config.

Slack (net) scripting in /etc/rc.d/rc.inet1 and rc.inet2 is fairly easy and straightforward compared to RedHat and other sysv types. They have a fairly workable tool, netconfig, for easy simple network setup.

It would appear that the consensus would be that Squid is the server to run in a semi-commercial environment. Apache would not be a bad choice here however. Apache docs take some reading.

I would say a week would be enough time, depending on where you are at now. You should be able to do it from the on disk linux docs but visiting the Apache website will probably be in order. They are nicely explanatory.

EC<:-}

Madhusudan Singh wrote:
> Hi
>
> I am working on setting up a web server with plone (content management). I
> have a fair bit (6-7 years) of Linux user and part-time admin experience,
> but want to do a good job (a very secure setup which can handle denial of
> service, etc. kind of attacks) for this latest project of mine.
>
> I am also interested in learning about the system I setup, so availability
> of good documentation and sizeable, helpful Usenet communities (like the
> good folks at comp.os.linux.misc, etc.) would be a big plus. I do not want
> too steep a learning curve, as I need to get the first version of the
> webpage up in a week or so.
>
> Thanks. |
| |||
| E. Charters wrote:
> BSD is supposed to be more stable, but slackware's stability has never
> seriously been questioned. I would stay away from the more recent
> versions until more all bugfixes are in. My advice is use kernel 2.4.22
> on Slack 9.1.
>
> A webserver will have holes in it, and it is really the scripts that run
> it, the server programs that provide security not so much the distro.
> This is the key, that variables in scripts do not allow overloading, so
> that root access can be had.
> A webserver has to run more or less without much firewall protection,
> or port forwarded through a firewall. It may take a good book on
> firewalls to get this well figured out. IP Chains might be as good
> as tables, so Linux Firewalls by New Riders is comprehensive.
>
> Most free distros are about equal in many respects. Slack provides
> kernel support as do other Linux distros for setting up packet filtering
> and the like in the kernel compile. BSD has some scripts that are
> supposed to make firewalls easier to do, but I doubt that is really
> true. I think that setting recompiling your kernel with
> a careful read of IP packet options would be de rigueur. There should be
> enough docs in /usr/src/linux and the make menuconfig process to allow
> you to figure out what you especially need. I think you would find
> kernel recompiling in Slack more basic and trustworthy than the Hat.
> It is more part of their meat it would seem. I would look at both
> make config AND make menuconfig. The latter is more for overview and
> the former for getting it right. For some reason I have found that make
> menuconfig leaves out choices that pop out at you in the textual
> config.
>
> Slack (net) scripting in /etc/rc.d/rc.inet1 and rc.inet2 is fairly easy
> and straightforward compared to RedHat and other sysv types. They have
> a fairly workable tool, netconfig, for easy simple network setup.
>
> It would appear that the consensus would be that Squid is the server to
> run in a semi-commercial environment. Apache would not be a bad choice
> here however. Apache docs take some reading.
>
> I would say a week would be enough time, depending on where you are at
> now. You should be able to do it from the on disk linux docs but
> visiting the Apache website will probably be in order. They are nicely
> explanatory.
>
> EC<:-}

Thanks for your response. I have setup webservers with Apache before on RH. It's not the learning curve associated with Apache that I am worried about, it is the possible foibles of the BSD's if I should make that choice. As I stated in my post, I use Slack 10 for my home firewall/router and never had reason to complain. However, I am now doing this for my organization, so I guess the webserver would be stressed more, and possibly face more attacks as well. |
| |||
| http://www.linuxjournal.com/article/4408

Madhusudan Singh wrote:
> Hi
>
> I am working on setting up a web server with plone (content management). I
> have a fair bit (6-7 years) of Linux user and part-time admin experience,
> but want to do a good job (a very secure setup which can handle denial of
> service, etc. kind of attacks) for this latest project of mine. |
| |||
| Madhusudan Singh wrote:
> Hi
>
> I am working on setting up a web server with plone (content management). I
> have a fair bit (6-7 years) of Linux user and part-time admin experience,
> but want to do a good job (a very secure setup which can handle denial of
> service, etc. kind of attacks) for this latest project of mine.
>
> I am considering three alternatives - Slackware, FreeBSD and OpenBSD. From a
> security and speed point of view for my needs, which do you think is a
> better choice ? You may assume my experience with BSD, etc. to be nil,
> while with Slackware, I use it as my personal router / firewall and find
> its setup easy and secure.
>
> I am also interested in learning about the system I setup, so availability
> of good documentation and sizeable, helpful Usenet communities (like the
> good folks at comp.os.linux.misc, etc.) would be a big plus. I do not want
> too steep a learning curve, as I need to get the first version of the
> webpage up in a week or so.
>
> Thanks.

I have never set up plone on any system, so take my recommendations with a grain of salt.

Almost everything is easy to install in FreeBSD. Since you have used Slack, you will probably find FreeBSD to be very comfortable and easy to set up. It is very secure once you set it up properly, and is very fast too. Linux may have some advantages in filesystem performance but they are most likely negligible. OpenBSD is extremely secure, but there have been known issues with performance.

Plone is in the ports collection in FreeBSD, so it is quite likely to be *very* easy to install. If you have physical access to the machine, and can afford to change OS, I say definitely give FreeBSD a shot. I would say to use FreeBSD anyway since I find everything to be way easier in FreeBSD than with linux, with the exception of setting up X and gnome etc., but I know people who have had different experiences.

I would recommend installing FreeBSD on an old PC and really learning it. You can use it as a test platform, so you don't make mistakes that can lock you out of your system so you will be well enough versed in it to run on a production web server. |
| |||
| On Thu, 17 Feb 2005 14:35:46 -0500, Madhusudan Singh wrote:
> Hi
>
> I am working on setting up a web server with plone (content management). I
> have a fair bit (6-7 years) of Linux user and part-time admin experience,
> but want to do a good job (a very secure setup which can handle denial of
> service, etc. kind of attacks) for this latest project of mine.
>
> I am considering three alternatives - Slackware, FreeBSD and OpenBSD. From a
> security and speed point of view for my needs, which do you think is a
> better choice ? You may assume my experience with BSD, etc. to be nil,
> while with Slackware, I use it as my personal router / firewall and find
> its setup easy and secure.

In general I think you should stick with what you are most familiar with, at least for live/production machines. All of your possible choices would work just fine for what you intend.

As for the BSD's, I doubt you'll find much to complain about regarding their security, stability, or performance...They are quite capable. And given your experience with Linux, you would *probably* feel rather at home with them...Although in my experience OpenBSD has a few specific peculiarities, and took a bit more getting used to...

But regardless of how secure they are out of the box, a mistake by an admin can render that security useless. And that is less likely to happen when the admin is more familiar with the OS.

Regarding speed...I think most results show the BSD's and Linux to be very close in performance. This of course will be argued by their respective zealots until the end of time. Anyway, whatever you choose, hardware compatibility is ( as I'm sure you know ) very important, and can have a *huge* impact on performance. Not every card/adapter/whatever that works well on Linux does on the BSD's...

>
> I am also interested in learning about the system I setup, so
> availability of good documentation and sizeable, helpful Usenet
> communities (like the good folks at comp.os.linux.misc, etc.) would be a
> big plus. I do not want too steep a learning curve, as I need to get the
> first version of the webpage up in a week or so.

FreeBSD has rather good documentation, and the mailing lists and usenet groups are quite helpful. I'd say in its current state, the documentation at www.freebsd.org/handbook is a bit more complete and up to date than Slackware's. But I've rarely run into an issue on Slack that a solution couldn't be found...Can't say much about OpenBSD as I have only a little experience with it, and that was on existing systems...I've never installed/upgraded it, and have only read as much OpenBSD specific documentation as I actually needed ( not much ).

And you can of course try them all for only the cost of hardware...I know for a fact that FreeBSD runs quite well on older machines, so if you have a spare Pentium around, it could make a good test bed, and you can learn a bit more about the other OS's.

--
- Matt - |
| |||
| > BSD is supposed to be more stable, but slackware's stability has never
> seriously been questioned. I would stay away from the more recent
> versions until more all bugfixes are in. My advice is use kernel 2.4.22
> on Slack 9.1.

Never had troubles with slack either, but you made me curious: why the 2.4.22 when there were remote kernel vulnerabilities fixed in 2.4.24 and 2.4.29? |
| |||
| Madhusudan Singh wrote:
> Hi
>
> I am working on setting up a web server with plone (content management). I
> have a fair bit (6-7 years) of Linux user and part-time admin experience,
> but want to do a good job (a very secure setup which can handle denial of
> service, etc. kind of attacks) for this latest project of mine.
>
> I am considering three alternatives - Slackware, FreeBSD and OpenBSD. From a
> security and speed point of view for my needs, which do you think is a
> better choice ? You may assume my experience with BSD, etc. to be nil,
> while with Slackware, I use it as my personal router / firewall and find
> its setup easy and secure.
>
> I am also interested in learning about the system I setup, so availability
> of good documentation and sizeable, helpful Usenet communities (like the
> good folks at comp.os.linux.misc, etc.) would be a big plus. I do not want
> too steep a learning curve, as I need to get the first version of the
> webpage up in a week or so.
>
> Thanks.

I must first say I've never used Slackware in my experience however I can vouch for the impressive high standard of documentation provided with any *BSD Operating System.

Security-wise your best option IMHO would be OpenBSD. I've heard (although not tested) that FreeBSD is perhaps a little more efficient with its networking abilities. I have nothing to support that statement - only rumour as far as I am concerned.

I personally have an OpenBSD router, FreeBSD fileserver, FreeBSD mailserver which I'll soon be adding webserver packages to. OpenBSD is quite easy to use and very secure (once you get around pf) and personally I feel this would be your best option.

Sh4d03 |
| ||||
| >>>>> "Madhusudan" == Madhusudan Singh <spammers-go-here@spam.invalid> writes:

Madhusudan> Hi I am working on setting up a web server with plone
Madhusudan> (content management).

I host my Plone sites on FreeBSD. It works well. I can find most of the Zope products I want in the ports tree.

Whether Slackware, FreeBSD, or OpenBSD are suitable server platforms is largely a matter of opinion. You should probably use the operating system with which you and your staff are most familiar. I happen to be most familiar with FreeBSD (though I have to give props and thanks to Pat and Theo for their efforts).

If you want FreeBSD installation instructions, feel free to refer to my mini-installation HOWTO, found at http://web.irtnog.org/~xenophon/freebsd/install.

--
"$30 for the One True Ring. $10 each additional ring!"
-- JRR "Bob" Tolkien |