want to learn small shell hosting on FreeBSD box..
Hope, I am posting in the right section of forum.
Anyway, I am thinking about to do the small shell hosting free for few friends of mine, before I am ready. It's kind of I am practicing and messing to learn more about them. I am taking my time to learn those. I am wondering what's your recommend? and where/what should I start?
Here's what I am planning to use those follows:
IPF <-- I like this better..
SSH <-- I rather this better than telnet
chroot (http://www.securityfocus.com/infocus/1404/), should I use this method to do the jail or whatever?
I was going to do sftp, but link above said it's not good idea to have sftp. I guess, I am planning to use proftpd instead but how about FTPd. Should I use wget too? Or, I don't need ftp server?
Quota to limit the space, so is it good idea? (I will read 12.5 chapter in FreeBSD handbook about it.)
qmail
tcpserver; disable Inetd because I can remember freebsd recommend it to be disable to get more secure.
Are there anything that I am missing?
Thanks for help, :)
Mezz
>> for few friends of mine
How much do you trust them?
It appears that you are trying to configure a secure environment. But you do need to isolate the two (external/internal) in different perspective.
If they are your close friends, you should start by not worrying too much about internal and first secure the external.
As far as chrooting SSHd (I didn't really read your link), I don't think it's a proper practice.
>> Or, I don't need ftp server?
sftp-server is fine. These days there are many sftp over SSH clients available. If you are worrying about the clear-text password transmittion, then you need to secure all services that send clear-text password, not just FTP. Don't worry, most of them are SSL/TLS-aware. If you heard of stunnel, you should aware that FTP is the only protocol that's incompatible.
>> Quota to limit the space, so is it good idea?
It's not just a decision of how much you trust your users. You can set quota at system level or software level. For example, you definitely don't want to see someone mailbombs your user. So setting a hard quota and soft quota at software level would be more appropriate for that situation.
>> freebsd recommend it to be disable to get more secure
No. Disabling inetd might not be more secure. What I meant is to replace anything that should be started via inetd with tcpserver. Apache, for example, should be running as a standalone daemon. In case you are wondering what I have supervised+tcpserver'ed, just to name a few: smtpd, ftpd, socks5, courier-imap and sshd. Haha, now that you know I am a real djb fan. If you are that worry about security, you should check out each djbware (except publicfile).
>> How much do you trust them?
>> If they are your close friends, you should start by not worrying too much about internal and first secure the external.
I trust them very well, but I am practicing by host friends first before start a small shell hosting with payment. Also, I am going to allow them to attack on my freebsd box to see it's secure. I would say, maybe around 10megs and 20megs with two cheap price for each users. Maybe, 30 to 50 users but I will never know how many users will buy my shell.
From I read, seems like I need to force on stability first and secure second to get FreeBSD box runs well.
>> As far as chrooting SSHd (I didn't really read your link), I don't think it's a proper practice.
Ok, I guess I don't need it.
>> sftp-server is fine. These days there are many sftp over SSH clients available.
Thanks for answer. I personal prefer SSH over sftp, but a lot people rather to use ftp/sftp.
>> If you are worrying about the clear-text password transmittion
Well, should I worry about it asdo the small shell hosting?
>> If you heard of stunnel, you should aware that FTP is the only protocol that's incompatible.
Yes, I heard and aware about them.
>> Haha, now that you know I am a real djb fan.
Hehe, I kind of already knew a little ago by read your previous post in here at http://forums.devshed.com/showthread.php?s=&threadid=27483&forumid=31 . I ever bookmarked few of your post. Also, record few of your posts in the notepad and my head. :)
You said, "I don't trust inetd," which why I said that to disable inted to get more secure. I understand clearly by your explain on the new post in here. Thanks for explain.
>> If you are that worry about security, you should check out each djbware (except publicfile).
Yes, I should and do the research on it too.
Thanks freebsd,
Mezz
>> seems like I need to force on stability first and secure second
I'd say the other way around. Maybe a barely enough security by configuring a IPFILTER_DEFAULT_BLOCK policy, then move on to stability/peformance tuning.
>> should I worry about it asdo the small shell hosting?
Yes. Like qmail, you can enable TLS by applying patch to smtpd. Apache, you can enable mod_ssl. But don't do the hard way, start by learning the basics, then recompile and enhance security. Don't expect to get everything right the first few times.
When you allow shell access, and when your user's clear-text password got stolen/sniffed, then your server could be vulnerable to all kind of attacks.
>> I understand clearly by your explain on the new post in here
Don't just read mine, you need to read thru djb's site.
I guess, that's all for now until I go ahead install/configure tomorrow and when I have the problems then I will make a new topic. Thanks freebsd!!
Anyway, what do you think of http://www.schlacter.net:8500/public/FreeBSD-STABLE_and_IPFILTER.html (How to Build a FreeBSD-STABLE Firewall with IPFILTER by Marty Schlacter)??
7) Just don't use any ISA device at all.
11) The partition layout is lame. Check this -> http://forums.devshed.com/showthread.php?threadid=25110&forumid=31
21P) Don't just enable ntpdate if your ISP doesn't run a ntpd server
---
*) You should condigure SSHd with supervise+tcpserver later on. Don't count on TCP Wrappers.
Do not set security level to 2 initially.
12) Ruleset:
- Don't pass all out on ed0 initially
- Don't return-rst without flags S
- On ed1 don't keep state on any protocol. Just set the following initially:
pass in quick on ed1 all
pass out quick on ed1 all
Keeping state on everything can fill up your state table very easily.
Anyway, his howto isn't that great. You should check out the howto links from official ipf site.
I'm reading through this post with a great deal of interest since I'm thinking about doing similar - like you mezz I'd thought that the best way would be to setup the service just for mates first and then when a reasonable level of security/stability is there, branch out and start to charge.
Anyway, a few things on this... first off I found this article at packetstorm you might be interested in mezz:
http://packetstorm.decepticons.org/papers/firewall/FreeBSD-STABLE_and_IPFILTER.htm
I read through it quickly as I was rebuilding my kernel and found it quite useful 'bookmark' material for installing a secure sshd/http open server.
Also, have you thought about bandwidth restrictions and how to implement some kind of quota checking on a per-user basis - this is one area I have yet to check up on - any info on that?
Finally I'm interested in how you're setting up your server - ie are you collocating, renting dedicated server or (lucky you;)) setting up your own box at home? I'm currently looking into renting space, although collocation sounds quite interesting.
If you are looking into bandwith control, this article might interest you.
That's by far the only thing ipfw has the edge over ipf. The main question is, why is there a need on setting up NATd on the same box? If you are planning to start such a company, you should have plenty of static IPs plus running multiple boxes for different purpose.
If you are planning to start that company from home off your Internet connection and you are in US, try my ISP -> SpeakEasy.net. They are not cheap but they offer some great features which most ISPs don't. The special features include unlimited static IPs (actually there's a limit depending on your package) plus reverse DNS on your IPs (free of charge on request). Reverse DNS is very important (not required) if you are planning to start such a company. Well I'm trying to stay on topic, so if you have DNS question ask in DNS forum.
>> how to implement some kind of quota checking on a per-user basis
A good place to start is to read the handbook on setting up quota. Then read this thread -> partition advice (http://forums.devshed.com/showthread.php?threadid=25110&forumid=31).
Fjodor - thanx again for yet more top info :) Sorry, it's making me look like I never search for anything myself! I just like to find out how others go about doing things I suppose.
Well I read through the info on the dummynet kernel config option for enabling ipfw to act as a bandwidth throttler and that looks most excellent - I'd wondered whether I'd ever get to use ipfw at all having come from a linux platform having only ever used ipchains/iptables and always (mentally) sneering at ipfw for being so inferior - looks like it's way superior in this respect :).
Would/could this dummynet approach be used by hosting companies to keep track of bandwidth usage on a per user/site basis? In the onlamp.com article the author seemed to allude to the fact that the user in question would be charged a lot for eating up bandwidth - a fact the author got at before ipfw was mentioned as a means of throttling the bandwidth consumption... how would that user's bandwidth be measured initially for the purposes of charging for any bandwidth over that agreed in the TOS?
freebsd - "main question is, why is there a need on setting up NATd on the same box? "
I think the link I posted above might have confused things here - I posted the link simply because it had some good info on setting up a secure freebsd box - the NAT/ipf aspect was secondary.
Also as mentioned in this post above, my query referred to bandwidth quota checking - I should have said: how to implement some kind of bandwidth quota checking on a per-user basis.
Thanks in advance,
Jez
munkfish,
The link that you gave, which I already posted it first in my third reply above under freebsd's reply. My link is orignal. I am not going to follow this HOW-TO.
About the bandwidth restrictions, I am not worry about it right now because I am just hosting 10 friends for a month to three months. I don't know, but I am giving myself time to play around with stuffs and learn those too. I will have to learn about it too, because I don't know how to control the bandwidth on each users.
I am setting up on my own box in my basement with 2.5megs (down)/ 300k (up). Few people said that shell hosting don't required a lot of bandwidth like web hosting, so I figure why not to start learn shell hosting on my own box. Also, I rather to play on my box first before I get high speed connection (T1 or more than that) or rent a dedicated server. I don't want to waste my money on rent a dedicated server if I have no clue to do those stuffs or play on it.
freebsd,
Thanks for the ISP link, but hopeful this can be done in my local. Hehe..
mezz - ack! Sorry about that - I didn't see that second external link you posted before I posted the duplicate/mirror page! I looked at your first link to the chroot page, but not the IPF one! Unbelievable coincidence that - I don't know how that happened.
My bad - anyway good luck...
:)
Well munkfish, I don't know how you do this on a per user basis, as I've never done it.
The mod_throttle of apache seem to be able to limit bandwidth on a per user(domain) basis, and the jerkyness the author of that article describe might be fixed by now, scince that article is from july last year. So, scince it might be fixed, and are easy to setup you might give that one a shot.
As for the dummynet, I think that works on a per IP basis... that's the only way I've used it, but that doesn't mean that's the only way. It might be possible to do it on per domain aswell, I do not know scince I've never tried.
Unlike the mod_trhottle, the dummynet option do work very well indeed though, and it works on all parts of the system, not just apache.
I hope you get it to work the way you want it.
And it is indeed to bad that this don't work in IPF! :)
//Fjodor
Yes, I'm quite amazed it isn't implemented in IPF - all other bases seem to be covered more than adequately (says me from my freshly ipnat'd winbloze box via freebsd box!).
Maybe I'm just complicating things - I suppose bandwidth consumption per site could be tracked by monitoring the logfiles created from apache - I'm just curious how it's done 'professionally' :)
>> I'm quite amazed it isn't implemented in IPF
Because Darren suggested ALTQ and all he cares is packet filtering. Don't forget, using dummynet is expensive.
>> by monitoring the logfiles created from apache
That would be very inefficient. Like I said earlier, dummynet is to limit bandwidth on IPs (especially NAT) or particular port. dummynet doesn't speak HTTP Protocol. You should never use dummynet with Apache to control vhost's bandwidth.
You should start here -> http://modules.apache.org/search and type the search keyword, say bandwidth.