BSD the best option for web hosting?

A short question, is BSD the best platform for hosting web services (FTP/httpd/php/perl/mysql, considering allowing users access via sshd, starting from scratch)? If so which BSD would be best, given the (minimal) scenario above. Any comments on potential pitfalls for a first time hoster (as I would be)?

Thanks in advance,
Jez

FreeBSD is fine.

I am starting with FreeBSD and I have gathered that FreeBSD is the best choice (for me).

Mizzory - are you running a dedicated server for hosting? If so what kind of deal do you have and is it paying yet?

My main concern is getting 'cracked' straight off because I've allowed users shell access and missed something obvious in the meantime - still I suppose that's what learning's about :)

Perhaps I should give out free accounts first before charging for hosting services, see how it pans out.

Yahoo, Hotmail, world largest ftp server company and others are running FreeBSD boxes, so FreeBSD is doing fine..

OpenBSD has the best track record for security. It is a bit more spartan than FreeBSD emphasising robustness and security over boatloads of features. The web design firm I work for uses OpenBSD on 3 out of 4 servers. (Some people just *need* linux.)

OpenBSD 3.0 comes with audited versions of ftpd, httpd, sendmail, and sshd. Making it very easy to use SSL if you are going to be hosting secure pages. Running MySQL and PHP is a breeze.

OpenBSD 2.x is fine as well. But their decision to remove IP Filter made me migrate two OpenBSD boxes to NetBSD.
OpenBSD 3.0 comes with a very unstable/immature packet filter (pf). Personally, I think it needs another year to be ready. As a result, many OpenBSD have migrated to other OSes. I know Darren (author of IP Filter) has made a new version of ipf to run on obsd3.0. It's usable but not quite ready.

He was asking about hosting not firewalling. All pf / ipf arguments aside, OpenBSD is great for that. And I'm running 2 pf boxes that have not given me any trouble (for the record :D )

>> He was asking about hosting not firewalling

Since you brought up security, I was just telling people OpenBSD 3.0 is using a very immature packet filter. Immaturity doesn't necessarily mean it's not secure, but likely unstable, which turns out to be the case, you'd know if you are on the mailing list. If the OS he is choosing can't give him stability, it must not be a wise choice. Not to mention when FreeBSD can be configured as secure as OpenBSD. When it comes to stability, NetBSD would be the best choice on earth. I am not saying Open is not secure, it's just less stable than Free and Net. Don't forget, I'm still running two OpenBSD boxes.

Originally posted by freebsd
If the OS he is choosing can't give him stability, it must not be a wise choice.
It seems to me that you are using pf's faults to talk smack on the whole OS. When this guy would have no use for pf anyway. But at least we agree it should be *BSD.
That's all I'm saying.

>> you are using pf's faults to talk smack on the whole OS

Because OpenBSD community is getting smaller since the removal of ipf.

>> When this guy would have no use for pf anyway

Are you telling him not to use any packet filter at all? Why bother facing all these troubles when FreeBSD can compensate all the deficits of OpenBSD.

>> at least we agree it should be *BSD

Definitely. BTW, I made couple comments on the difference of BSDs couple months ago -> http://forums.devshed.com/showthread.php?threadid=23343&forumid=31

Feel I should mention that OpenBSD has never been unstable for me.
At least not when using requested daemons. (FTP/httpd/php/perl/mysql)

Had a few X crashes when I ran it on a laptop, but I believe that had more to do with my poor WindowMaker config skills than the relative stability of the system as I almost never use X at all. Besides, it was only WindowMaker that crashed, not the system itself.

I don't have any statistics or major comparison charts between Open and FreeBSD except my own use of the systems, so I have no real reference, but... for me, OpenBSD has never let me down and crashed (Nor has FreeBSD).


//Fjodor

Apologies for lateness replying to this thread first off.

Well, this conversation has raised a few items of interest. Firstly phlux says that I might have no need for a packet filter - I would most certainly imagine using a packet filter at some point - security is most certainly an issue in web-hosting no?

Whilst I can appreciate that the need for a software firewall/filter may be negated by the use of a hardware solution, for a small hosting company would it not be too expensive to afford a hardware firewalling solution in the early days?

Further - on the matter of which types of BSD suit which circumstances best - are one of Open/NetBSD best for network security? What are the reasons for this and do those reasons make open/net bsd less suitable for a hosting platform?

Thanx in advance.

The thing about IPF vs PF is that IPF has been around longer. When it comes to devices like packet filtering people tend to use the same arguments as with cryptography, which is, if a program has been around for a long time with no (or fixed) weaknesses it is more likely to be secure. PF is newer so it simply hasn't had the same amount of auditing. IPF is on the other hand well tested. On the other hand, like freebsd said, it's not to say PF is insecure, BUT we don't know that yet. Unfortunately, no one knows if something is secure until it's broken, and then we know it's not. ;)

This is the right thing to look at security though, the more tests and audits it has gone through, the more likely it is to be secure.

So... IPF is more tested than PF, that's the short answer. IPF will compile on the new OpenBSD I think I read somewhere on their mailing list... Haven't followed it as hard as I should, so this might be incorrect, but I think so.

Then, when it comes to OpenBSD vs FreeBSD vs NetBSD, to save myself from a lot of writing, I direct you here for further reading:

Difference and similarities between NetBSD, FreeBSD and OpenBSD (http://www.daemonnews.org/200104/bsd_family.html)

//Fjodor

Cheers for that link fjodor, very interesting. So basically NetBSD is the one to go for if you want to run UNIX on some obscure platform (lol @ running NetBSD on Sega Dreamcast;)), OpenBSD is the one to go for if you want security by default and FreeBSD is the one if you want an easy life! Mmm tough choice.

In the context of this thread though, I suppose freebsd would be the best choice for webhosting but ensuring that a custom kernel configuration is built to add the default security settings vis-à-vis openbsd. I was mightily impressed by the 2-terabyte-in-one-day file transfer stats achieved by walnut creek on a single freebsd server. V impressive.

>> So basically NetBSD is the one to go for if you want to run UNIX on some obscure platform

NetBSD is not just portable, it's the most stable OS on earth. This is the 2nd time, please read this thread now -> http://forums.devshed.com/showthread.php?threadid=23343&forumid=31
It covers something you won't be able to find anywhere on the Internet - my aggressive opinion.

>> IPF will compile on the new OpenBSD

Yes, but there are still some stability and compatibility problems, whereas PF might be secure, but a poor stability record has been shown.

Personally, I don't just want security, I also want stability and configurability.

Sincere apologies freebsd - I read the bulk of your post above but neglected the link...

Ahh, I knew I'd read that somewhere before - yes I had read that post a while ago freebsd - damned excellent info there, many thanks. I was trying to remember where I'd read that before too!

Cheers.

Good summation :)

//Fjodor

Sorry for dragging up this old thread, but as it sort of drifted towards IPF vs PF I thought this was the best place to place this link.

Darren Reed, the author of the great IPF has released OpenBSD 3.0 with the default packet filter `pf' removed in favor of his `ipf' tool. This is good news! :)
Here's the link to Reeds release.

openBSD 3.0 with IPF pre-built (http://openbsd30.ipfilter.org/)


/Fjodor

Unfortunately ipf will break when you cvsup your src to track 3.0-stable or 3.0-current.
If you are that type of person who doesn't cvsup your src, that would be a great binary release. If you do cvsup your src occasionally, it's suggested that you cvsup first, then perform a clean build on ipf from its src.









