Easy for a newbie to manage an OpenBSD server?

titan-2
I have quite a predicament.  I have been tasked with setting up an FTP
server for the research group I'm involved with.  The problem is once
I'm gone someone with no *NIX experience will be maintaining the
server.  I've been considering using OpenBSD because it looks like it
can go far longer without updates than Windows and Linux servers and
looks to be very secure.

In your experience, would it be possible for someone with no *NIX
experience to maintain a simple FTP server?


How long would you trust an unpatched OpenBSD server to go unhacked?

Thanks for your help.

Re: Easy for a newbie to manage an OpenBSD server?

Craig McCormick-2
> In your experience, would it be possible for someone with no *NIX
> experience to maintain a simple FTP server?

In my opinion, OpenBSD is the most logical and straightforward
UNIX-like operating system around. There isn't much in the way of
how-tos and tutorials, but it is straightforward to learn via the
man pages, the documentation on the OpenBSD site and with a couple of
books that I have.

> How long would you trust an unpatched OpenBSD server to go unhacked?

That depends entirely on what the absent patches cover. It is
impossible to say really. How long is a piece of string?

Best regards,

Craig

http://slashboot.org/

Support OpenBSD
http://www.openbsd.org/orders.html

On 01/08/06, Titan <[hidden email]> wrote:

> I have quite a predicament.  I have been tasked with setting up an FTP
> server for the research group I'm involved with.  The problem is once
> I'm gone someone with no *NIX experience will be maintaining the
> server.  I've been considering using OpenBSD because it looks like it
> can go far longer without updates than Windows and Linux servers and
> looks to be very secure.
>
> In your experience, would it be possible for someone with no *NIX
> experience to maintain a simple FTP server?
>
>
> How long would you trust an unpatched OpenBSD server to go unhacked?
>
> Thanks for your help.

Re: Easy for a newbie to manage an OpenBSD server?

Will Maier
In reply to this post by titan-2
On Tue, Aug 01, 2006 at 10:26:23AM -0500, Titan wrote:
> I have quite a predicament.  I have been tasked with setting up an
> FTP server for the research group I'm involved with.

Do you need FTP? Can you use SFTP instead?

> The problem is once I'm gone someone with no *NIX experience will
> be maintaining the server.

Why? Can't you train them? I can understand if most research groups
can't afford to hire a full sysadmin, but hiring an up-and-coming
undergrad for seven peanuts an hour shouldn't be too bad.

> I've been considering using OpenBSD because it looks like it can
> go far longer without updates than Windows and Linux servers and
> looks to be very secure.

/me sighs

OpenBSD, while very, very useful, isn't a magic bullet. System
security is as much the admin's job as it is the OS's. If you leave
your box unpatched, even if it's running IdealOS v20, you'll
eventually regret it. Period.

No matter what OS you put on your server, you'll need to make sure
that it's patched. Some OSes make that task easier; others have
strong security track records. But with a dumb or negligent admin at
the console, it doesn't matter what bona fides your OS has -- you're
screwed.

> In your experience, would it be possible for someone with no *NIX
> experience to maintain a simple FTP server?

Yes.

> How long would you trust an unpatched OpenBSD server to go
> unhacked?

This is silly. Patch your system. If you and your successor spend a
day or two reading the FAQ and afterboot(8) and keep your eye on
your system, you'll stand a good chance of not having too much
trouble.

--

o--------------------------{ Will Maier }--------------------------o
| web:.......http://www.lfod.us/ | [hidden email] |
*------------------[ BSD Unix: Live Free or Die ]------------------*

Re: Easy for a newbie to manage an OpenBSD server?

Mike Hernandez-3
In reply to this post by titan-2
On Aug 1, 2006, at 11:26 AM, Titan wrote:

> I have quite a predicament.  I have been tasked with setting up an FTP
> server for the research group I'm involved with.  The problem is once
> I'm gone someone with no *NIX experience will be maintaining the
> server.  I've been considering using OpenBSD because it looks like it
> can go far longer without updates than Windows and Linux servers and
> looks to be very secure.
>
> In your experience, would it be possible for someone with no *NIX
> experience to maintain a simple FTP server?
>
>
> How long would you trust an unpatched OpenBSD server to go unhacked?
>
> Thanks for your help.
>

If the person maintaining the server has no *nix experience then maybe you
should consider using technology that they are familiar with. Of course using
OpenBSD has advantages but there's no point using it if you know the server
won't get proper care and feeding.

If using something the future maintainer can handle is out of the question
(maybe they only know Windows Me? I'm not sure ;)) then maybe you can
get paid a little or do some pro bono remote maintenance?

If the server will never get taken care of then you really should consider
paying for some remote ftp hosting. At least then the management of the server
is off your hands. It may not be an option if you have sensitive data but it might
be more secure than leaving a server to get old.

Personally, I don't think it will be *too* bad if you leave it running... as long as
it doesn't get popular and/or people don't start poking at it to see if it will break.

Mike

Re: Easy for a newbie to manage an OpenBSD server?

Melameth, Daniel D.
In reply to this post by titan-2
Titan wrote:
> I have quite a predicament.  I have been tasked with setting up an
> FTP server for the research group I'm involved with.  The problem is
> once I'm gone someone with no *NIX experience will be maintaining the
> server.  I've been considering using OpenBSD because it looks like it
> can go far longer without updates than Windows and Linux servers and
> looks to be very secure.    

You are correct on the last part.

> In your experience, would it be possible for someone with no *NIX
> experience to maintain a simple FTP server?

Yes, but there are no shiny PHD (Push Here Dummy) buttons built into
OpenBSD--standard system administration practices require editing files,
downloading source updates and compiling them, but you could create
wrappers for these tasks.  In any event, a system that one knows well is
likely to be better maintained than one that one does not.

> How long would you trust an unpatched OpenBSD server to go unhacked?

A lot longer than most OSs.

Re: Easy for a newbie to manage an OpenBSD server?

Darrin Chandler
In reply to this post by titan-2
On Tue, Aug 01, 2006 at 10:26:23AM -0500, Titan wrote:

> I have quite a predicament.  I have been tasked with setting up an FTP
> server for the research group I'm involved with.  The problem is once
> I'm gone someone with no *NIX experience will be maintaining the
> server.  I've been considering using OpenBSD because it looks like it
> can go far longer without updates than Windows and Linux servers and
> looks to be very secure.
>
> In your experience, would it be possible for someone with no *NIX
> experience to maintain a simple FTP server?
>
>
> How long would you trust an unpatched OpenBSD server to go unhacked?

Leaving *anything* unpatched on a public IP is asking for trouble.
OpenBSD will fare better than most, but it's still a bad idea.

A better idea would be to script various things, write some procedures
down, and walk the other person through everything and have them perform
them before you leave.

--
Darrin Chandler            |  Phoenix BSD Users Group
[hidden email]   |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |

Re: Easy for a newbie to manage an OpenBSD server?

Ingo Schwarze
In reply to this post by titan-2
Hi Titan,

> I have quite a predicament.  I have been tasked with setting up an FTP
> server for the research group I'm involved with.  The problem is once
> I'm gone someone with no *NIX experience will be maintaining the
> server.  I've been considering using OpenBSD because it looks like it
> can go far longer without updates than Windows and Linux servers and
> looks to be very secure.

A properly administered OpenBSD server requires an operating system
update at least once a year.  Additionally, it requires patching
once in a few months - of course, frequencies vary.

Patching and updates are not difficult for someone who knows basic
Unix system administration, but a person with no Unix experience
will quite possibly fail at the task.

> In your experience, would it be possible for someone with no *NIX
> experience to maintain a simple FTP server?

Possible, yes, after considerable learning effort.  Easy, no.

> How long would you trust an unpatched OpenBSD server to go unhacked?

If you talk about authenticated FTP (with passwords), until anybody
with basic networking skills and root access to any host where your
FTP traffic passes by actually cares to hack it.  That person will
probably be able to change the data on the FTP server only, not
to corrupt the operating system, if it was set up properly and if
it does not run any other services.

If you talk about anonymous FTP (read access for everyone, optionally
with a _separate_ public upload area), the server may be safe for
several years, even unpatched, if it runs no services except stock ftpd.
Bugs in OpenBSD ftpd and basic networking are not found that often.
Yet, bugs *may* be found at any time, and the server may happen to need
updates at any time - with bad luck, even a few days after deployment.


In case you are talking about FTP with plain text passwords, better
drop the whole project or use SFTP instead.  If it must be plain text
FTP and money for licences is not an issue, your colleague is
probably better off with a Windows Server.  FTP is terribly insecure
anyway, so Windows or OpenBSD makes hardly any difference from a
security standpoint, and people usually administer systems they
know well better than ones they see for the first time.

In case you are talking about anonymous FTP only, i would rather
suggest Debian GNU/Linux than OpenBSD _for_this_particular_task_.
If you know what you are doing, OpenBSD is much easier to use
than Debian (imho, but i won't argue about it here) - but if you
have no experience whatsoever, your chances may be better to get
 # apt-get dist-upgrade
right once a month than to compile OpenBSD errata patches correctly
when needed.

Yours,
  Ingo

--
Ingo Schwarze <[hidden email]>
usta.de / studis.de sysop

Re: Easy for a newbie to manage an OpenBSD server?

Nuno Morgadinho
In reply to this post by titan-2
* Titan ([hidden email]) wrote:
> I have quite a predicament.  I have been tasked with setting up an FTP
> server for the research group I'm involved with.  The problem is once
> I'm gone someone with no *NIX experience will be maintaining the
> server.  I've been considering using OpenBSD because it looks like it
> can go far longer without updates than Windows and Linux servers and
> looks to be very secure.
>
> In your experience, would it be possible for someone with no *NIX
> experience to maintain a simple FTP server?

Why put someone with no *NIX experience maintaining a *NIX server?

From my stand you're considering:
- security
- stability
- is it easy to maintain?

From my experience these all fit the OpenBSD profile.

> How long would you trust an unpatched OpenBSD server to go unhacked?

No one seriously will give you an answer for this. If it's an unpatched
whatever system and there's a known exploit then you shouldn't connect it
to any network. If no exploit is known to exist in public you can pray
but I don't know for how long I would trust it..

Re: Easy for a newbie to manage an OpenBSD server?

Joachim Schipper
In reply to this post by titan-2
On Tue, Aug 01, 2006 at 10:26:23AM -0500, Titan wrote:
> I have quite a predicament.  I have been tasked with setting up an FTP
> server for the research group I'm involved with.  The problem is once
> I'm gone someone with no *NIX experience will be maintaining the
> server.  I've been considering using OpenBSD because it looks like it
> can go far longer without updates than Windows and Linux servers and
> looks to be very secure.
>
> In your experience, would it be possible for someone with no *NIX
> experience to maintain a simple FTP server?

No.

In fact, most persons with UNIX experience would counsel you against
using FTP other than anonymous FTP - as posted before, it's quite
insecure[1]. As mentioned before, sftp is preferable.

If you must do this, consider going with whatever the group knows. If
this is nothing, tell them to get some help.

> How long would you trust an unpatched OpenBSD server to go unhacked?

If it's only running ftpd (or sshd+sftp-server), system compromise is
likely to take years, given a proper setup (i.e., no root access via ftp
and such). However, user accounts may be compromised within minutes.

                Joachim

[1] Using S/Key exclusively does go some way towards mitigating the
problem, but adds a lot of complexity and raises the bar for a competent
attacker from 'trivial' to 'easy'. (Hint: take over a session; if you
have some time, write a program that does so as soon as QUIT is seen,
leaving the user none the wiser. This does, however, require a host that
can actually intercept the stream, instead of just seeing it. Or, for a
quicker solution, proxy the authentication request from the server to
the client and then deny authentication, and you have successfully stolen
a password. Less stealthy, though.)

Re: Easy for a newbie to manage an OpenBSD server?

Sigfred Håversen
In reply to this post by titan-2
Titan wrote:
[snip]
> In your experience, would it be possible for someone with no *NIX
> experience to maintain a simple FTP server?

That could work well if that person is willing to read documentation.
OpenBSD comes with very good documentation in the form of manual
pages and FAQ. Google is quite useful as well, of course.

/Sigfred

Re: Easy for a newbie to manage an OpenBSD server?

David Leung
In reply to this post by titan-2
On Wednesday 02 August 2006 03:26, Titan wrote:
> I have quite a predicament.  I have been tasked with setting up an FTP
> server for the research group I'm involved with.  The problem is once
> I'm gone someone with no *NIX experience will be maintaining the
> server.

Does the ftp have to run on a unix-like system? Leaving someone unfamiliar
with a system to maintain it is a pretty bad idea. It is much better to have
the FTP server set up on an OS that he or she knows best, so that it can be
patched and fixed quickly should problems occur. Even if that OS is said to
be "insecure", it is still far better than having a server with an
administrator who has no clue of how it works, let alone patching it when needed.

I still don't quite understand what your setup requirement is. Since you seem
worried about the system being compromised, I presume that you are setting up
a private ftp server. In that case, look into deploying SFTP rather than
plain old FTP. Any good FTP client should support it, and it is the cheapest
insurance you can get to keep the user information safe, which can only help
you to protect the machine.

> I've been considering using OpenBSD because it looks like it
> can go far longer without updates than Windows and Linux servers and
> looks to be very secure.

It may be so, but don't bet on it. Any unpatched system, especially when
(critical) patches are available, is simply inviting trouble.

> In your experience, would it be possible for someone with no *NIX
> experience to maintain a simple FTP server?

If this person is willing to learn, OpenBSD is indeed one of the better
unix-like systems out there to administrate. The man pages are very well
written, the FAQ on the project's website will answer a considerable number
of questions, and the file system layout is logical and consistent. These are
all benefits that make administration easier.

If your setup is simple and small, the box could probably be left alone to run
for a while. In this case, it may not take your successor too much time to
pick up enough unix to keep the box running for a while.

> How long would you trust an unpatched OpenBSD server to go unhacked?

That is like asking when do we expect the world to end :-) In other words, it
is very hard to say for sure. OpenBSD comes with sane and reasonable default
configuration, so it is likely that it will last much longer unpatched than
other systems, if the default configuration is not changed much.

Patching an OpenBSD system is not exceedingly hard. The FAQ details how this
can be done. Also, there is http://www.openbsd101.com that your successor may
find useful if you did choose to deploy OpenBSD. There is also the mailing
lists and the #OpenBSD channel over at freenode.net if reading through the
documentation didn't help.
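
Several replies above recommend SFTP over FTP, and one ties the risk to "a proper setup (i.e., no root access ...)". The script below is an added example, not part of the thread: a check a maintainer could run over an sshd_config to confirm that one group is restricted to chrooted SFTP. The group name `sftponly`, the four-rule policy and both sample configs are assumptions constructed for illustration; `ChrootDirectory` and `internal-sftp` are options of current OpenSSH.

```shell
#!/bin/sh
# Added example: audit sshd_config text (stdin) for an SFTP-only group.
# The group name "sftponly" and both sample configs are constructed.
# Handles the whitespace-separated "Keyword value" form only.

audit_sftp_only() {   # usage: audit_sftp_only GROUP < sshd_config
    awk -v grp="$1" '
        /^[ \t]*#/ || NF == 0 { next }              # comments, blank lines
        { key = tolower($1); v = tolower($2) }      # keywords are case-insensitive
        key == "match" {                            # a Match block runs to the next Match
            seen_match = 1
            in_grp = (v == "group" && $3 == grp && NF == 3)
            next
        }
        !seen_match && !(key in g) { g[key] = v }   # global scope, first value wins
        in_grp && !(key in m)      { m[key] = v }   # settings applied to our group
        END {
            n = 0
            if (g["permitrootlogin"] != "no")         { print "FAIL: PermitRootLogin is not no"; n++ }
            if (m["forcecommand"] != "internal-sftp") { print "FAIL: group can still get a shell"; n++ }
            if (m["chrootdirectory"] == "" || m["chrootdirectory"] == "none")
                                                      { print "FAIL: group is not chrooted"; n++ }
            if (m["allowtcpforwarding"] != "no")      { print "FAIL: TCP forwarding is allowed"; n++ }
            exit n                                    # exit status = number of findings
        }'
}

sample_weak() {       # constructed: SFTP works, but nothing restricts the group
    cat <<'EOF'
PermitRootLogin yes
Subsystem sftp /usr/libexec/sftp-server
Match Group sftponly
    ChrootDirectory /home/%u
EOF
}

sample_hardened() {   # constructed: group is confined to chrooted SFTP
    cat <<'EOF'
PermitRootLogin no
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
EOF
}

for s in sample_weak sample_hardened; do
    "$s" | audit_sftp_only sftponly && echo "$s: OK" || echo "$s: $? finding(s)"
done
```

On a live host, feeding the function the output of `sshd -T -C user=NAME` instead of the raw file checks the effective settings for that user rather than the file text.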