FreeBSD or OpenBSD for a web server?
Forum Regular
Join Date: Jun 2003
Would FreeBSD or OpenBSD be the best for a web server? I've heard that OpenBSD has the best security, which is extremely important.
Senior User
Join Date: Dec 2002
Location: Portland, OR
I haven't installed either one in a while, but I used to find that FreeBSD was a heck of a lot easier to install/configure to my liking than OpenBSD. I think the serious security focus of OpenBSD discourages them from shipping some of the niceties that we have come to expect from most of the other free unixes. That said, for a webserver it might be the best choice, especially if you aren't going to be behind a firewall.
Mac Elite
Join Date: Dec 2001
Location: Atlanta, GA, USA
OpenBSD is the most secure OS in the world. Period.
With that said, a properly configured FreeBSD, NetBSD, or Linux server can be secure as well. You have to make sure that whatever you choose, you turn off all the services you don't desperately need. No SAMBA, no ftp, no telnet, no finger, etc. If possible, reduce the open ports to web (80) and ssh (22) and that's it. Then, turn on the ipfw/ipchains firewall and only allow incoming traffic on those two ports.
Mac Pro 2x 2.66 GHz Dual core, Apple TV 160GB, two Windows XP PCs
Forum Regular
Join Date: Oct 2002
Originally posted by iStudent 2003:
...which is extremely important
What do you mean by "extremely important"...
Are you going to be handling customer's personal files like medical, legal or financial data, or just that you don't want to see goat sex on your front page one morning?
If you want plug-n-play security, there isn't any. You need to engage in active counter-hackering if you're protecting sensitive data. Subscribe to the security lists and stay abreast of all exploits, constantly monitor your logs and accounts, enforce strict random and expiring passwords etc. Because in the end (as long as it's not M$) the greatest weakness is human users.
Forum Regular
Join Date: Jun 2003
This is for one of my college classes, we have to make the most secure web server as we possibly can.
That's why I'm wondering what BSD version I should use.
Dedicated MacNNer
Join Date: Sep 2003
Location: Pittsburgh, Pennsylvania
Originally posted by iStudent 2003:
Would FreeBSD or OpenBSD be the best for a web server? I've heard that OpenBSD has the best security, which is extremely important.
Hands down OpenBSD. I've been using it for about 3 years now. It supports a lot of advanced security mechanisms out of the box. It has built in support for cryptography accelerators, it also supports encrypting the swap partition with only one change in a configuration file.
Others here have said that installation is hard to do, I disagree. I would say that OpenBSD was the easiest Unix I have installed. The only hard part is the hard drive partitioning, and if you are dedicating a whole machine to the webserver task it is even easier.
OpenBSD also provides a very very powerful packet filter package (pf). Pf is able to take action dynamically if a certain event is triggered. It also has bandwidth limiting and all sorts of other nifty things.
If you are trying to design a secure webserver I would offer this advice. Use SSL, only have the ports you need open, port 22 for ssh (remote shell encrypted), and 443 (for encrypted web traffic). The more ports open the more trouble you have.
Nate
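An added example, not written by anyone in this thread: one way to check the "only have the ports you need open" advice given in the posts above is to compare the sockets a host is actually listening on against an allowlist. The `netstat -an` sample is constructed in BSD address.port notation, and the function names and the 22/443 allowlist are assumptions for illustration; pass a different `allowed` set for the 80/22 variant.

```python
import re

# Constructed sample of BSD-style `netstat -an` output (address.port notation).
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  192.0.2.10.22          198.51.100.7.51544     ESTABLISHED
tcp          0      0  *.22                   *.*                    LISTEN
tcp          0      0  *.443                  *.*                    LISTEN
tcp          0      0  *.21                   *.*                    LISTEN
tcp          0      0  127.0.0.1.25           *.*                    LISTEN
tcp6         0      0  *.22                   *.*                    LISTEN
tcp6         0      0  ::1.25                 *.*                    LISTEN
udp          0      0  *.514                  *.*
udp          0      0  127.0.0.1.53           *.*
"""

ALLOWED = {("tcp", 22), ("tcp", 443)}  # assumed allowlist: ssh and HTTPS only
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def exposed_listeners(netstat_text):
    """Return sorted (proto, addr, port) for sockets reachable from the network."""
    found = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not re.fullmatch(r"(tcp|udp)[46]*", fields[0]):
            continue  # banner, column header, or another protocol family
        proto = fields[0].rstrip("46")  # fold tcp6/udp6 into tcp/udp
        state = fields[5] if len(fields) > 5 else ""
        # TCP: keep LISTEN only. UDP has no state; unconnected sockets show "*.*".
        if proto == "tcp" and state != "LISTEN":
            continue
        if proto == "udp" and fields[4] != "*.*":
            continue
        addr, _, port = fields[3].rpartition(".")  # port follows the last dot
        if not port.isdigit() or addr in LOOPBACK:
            continue  # loopback-only services are not reachable remotely
        found.add((proto, addr, int(port)))
    return sorted(found)

def violations(netstat_text, allowed=ALLOWED):
    """Network-reachable listeners that are not on the allowlist."""
    return [s for s in exposed_listeners(netstat_text) if (s[0], s[2]) not in allowed]

if __name__ == "__main__":
    for proto, addr, port in violations(SAMPLE_NETSTAT):
        print(f"unexpected listener: {proto} {addr}:{port}")
```

This inspects listening sockets only; it says nothing about what the packet filter in front of them permits, so a service flagged here may still be blocked by pf or ipfw.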
Mac Elite
Join Date: Dec 2001
Location: Atlanta, GA, USA
Originally posted by iStudent 2003:
This is for one of my college classes, we have to make the most secure web server as we possibly can.
That's why I'm wondering what BSD version I should use.
You could always use MacOS 9 and WebStar. Very secure. No exploits ever.
Mac Pro 2x 2.66 GHz Dual core, Apple TV 160GB, two Windows XP PCs
Mac Elite
Join Date: Jan 2001
Location: New York
Originally posted by Arkham_c:
You could always use MacOS 9 and WebStar. Very secure. No exploits ever.
Yeah, I've heard the same. Bulletproof. Apparently the army used to use it. Stability is another issue, but security wise, that's THE best.
Admin Emeritus 
Join Date: Nov 2000
Location: New Yawk
I think FreeBSD is easier to set up and stuff like that, and for general use I really like it a lot more than OpenBSD; on the other hand, considering that your assignment is specifically about security, I think OpenBSD just makes a lot more sense. It's built for security, so it's really the right tool for the job.
I suppose you could try out the NSA's Security-Enhanced Linux. I dunno what the details of the project are, but it's open for anyone to use. I'd guess that OpenBSD was still a better pick though.
And as for the tougher install process...well, it's not built for newbs, and it is a *little* harder than the FreeBSD install, but it's really not that bad at all. Most of it is extremely straightforward. Just ask questions on the mailing lists or on irc.freenode.net #openbsd or something and I'm sure you'll be fine.
"Do not be too positive about things. You may be in error." (C. F. Lawlor, The Mixicologist)
Dedicated MacNNer
Join Date: May 2003
Location: Santa Barbara
"The safest Web site is a bare-bones Macintosh running a bare-bones Web server."
-- W3C
(Remember, they're referring to the "less capable" OS 9 -- not OS X!)
Grizzled Veteran
Join Date: Jan 2002
Location: Melbourne, Australia
And in context that's really flattering to our, "less capable", OS of choice, especially considering it doesn't qualify the fact that it is referring to OS9.
Unix systems, with their large number of built-in servers, services, scripting languages, and interpreters, are particularly vulnerable to attack because there are simply so many portals of entry for hackers to exploit. Less capable systems, such as Macintoshes and special-purpose Web server boxes, are less easy to exploit. The safest Web site is a bare-bones Macintosh running a bare-bones Web server. See Servers, Q20 for details.
BTW the US Army page is now hosted on OS X by WebStar, see: http://uptime.netcraft.com/up/graph/?host=www.army.mil.
Dedicated MacNNer
Join Date: Aug 2003
Originally posted by Arkham_c:
You could always use MacOS 9 and WebStar. Very secure. No exploits ever.
I would not rely on that. It's a bit like saying Windows 95 is secure because there haven't been any exploits in a couple of years. Only because it is not supported anymore, and no one is really actively trying to exploit it.
As for setting up a secure web server, OpenBSD also gets my vote.
Mac Elite
Join Date: Sep 2000
Location: New York
Originally posted by RayX:
I would not rely on that. It's a bit like saying Windows 95 is secure because there haven't been any exploits in a couple of years. Only because it is not supported anymore, and no one is really actively trying to exploit it.
As for setting up a secure web server, OpenBSD also gets my vote.
I would. There used to be a contest to "hack a mac" web server running WebStar. No one won.