Looking for a checklist for a "small company FreeBSD/jail server".

Having pretty common starting point:

  • FreeBSD jail (remote/headless) for the company:
    • public web, email, ftp server, and
    • private (maybe in the future partially public) wiki (foswiki)
  • 4 physical persons (6 email addresses) + one admin (others will never use ssh)
  • have already done usual hardening on the host side (like pf, sshguard etc).
  • my major components are: dovecot, exim, apache22, proftpd, perl5.14.

Looking for a checklist of what I shouldn't forget. My plan right now includes:

  • openssl self-signed certificates for exim, dovecot and proftpd (wildcard keys)
  • openssl self-signed certificate for apache (later will go for "trusted-signed" key)
  • User accounts

but are there any other recommendations?

cajwine

1 Answer

This is really one of the classic virtual server questions - the only difference is you're saying "jail" instead of "VM".
If you remove the word "jail" from your question do you know what to do? (If so you can stop reading :-)


A specific checklist is by definition Too Localized to be answered on Server Fault -- it's intensely specific to your environment. I can tell you that your checklist for setting up a jail should be pretty much identical to your checklist for setting up a server (with the caveat that you won't be doing any kernel-related stuff, and the addition of some jail-specific steps which you should be familiar with already -- if not, the FreeBSD Handbook has a pretty comprehensive Jails chapter which should cover it).

Do you already have a checklist for setting up a regular server?
If not, it should include things like:

  • Adding local user accounts
  • Installing commonly used packages
  • Setting up network user accounts (NIS, LDAP, etc.) if you use them
  • Applying local configuration (NTP, DNS, etc.)
  • Setting up & configuring the servers you want to run (Web, Mail, etc.)

Your full checklist may also include some stuff that's not relevant to jails, like:

  • Partitioning your disk (usually jails are monolithic though other configurations are possible)
  • Installing a custom kernel / configuring loadable modules
  • Configuring IPMI or other lights-out management controllers

Which you'd usually do on the host machine as you would for any other system.

Write down what you do for your next server build.
If you missed stuff add it to the list as you fix it.

Eventually you will have a comprehensive, site-specific checklist (probably several. I have one for web servers, one for DB servers, one for mail servers...).

voretaq7
  • Thank you for the answer. Pretty please, can you add an answer at least about the SSL certificates? Or how (and where) to ask the above two questions (ssl+users) to get an answer? I really badly need an answer for how I should continue. Thank you again for your time. – cajwine Sep 27 '12 at 15:22
  • @cajwine You'd be better off cutting that question out and asking it separately (it's really separate from how you'd set up a server or jail - it's mail system specific. Also the answer varies depending on whether you value security or convenience more :-). Your question about user accounts could also be a separate question along the lines of "How should I manage user accounts in [describe your environment here]?" if you still have questions about that aspect. – voretaq7 Sep 27 '12 at 15:26
  • Thank you, going to try to formulate two different (universally applicable) questions. So, please delete this bad question. (I can't) – cajwine Sep 27 '12 at 15:28
  • Can you edit it? – Hennes Sep 27 '12 at 19:05
  • @cajwine This question isn't bad on its own -- I did some minor trimming to pull the other two items out (definitely ask them as separate questions if you haven't because they're great too) but you may as well leave this one and keep the rep it's gaining you :) – voretaq7 Sep 27 '12 at 19:11