This documentation is no longer maintained. It may be out of date, or simply wrong. I will leave it online as long as I think it may still be useful.
Well, this is my so-called HOWTO on setting up a server. It expresses my views on how to do things. I am pretty sure that your mileage varies from mine, but I hope you may see some interesting applications which increase both security and flexibility.
This document is aimed at people that already have some knowledge of unix-ish systems, and want to get an idea of how other people solved the problems they had with computers. This document is NOT intended for people that want to set up a 31337 ``firewall'' using Linux 8.1 ;)
Well, if we want to set up a server, we have to choose a kernel and a preliminary userland that will run on this server. Any unix-ish kernel will do, but I have chosen Linux. Linux is available in multiple flavors. There are some very nice distributions out there that are usable on server machines. I am currently working with both CRUX and Debian. Please note that this document will contain some Linux-specific hints. Just ignore them if you're not using Linux.
On each server, you need a hierarchy. I have the following one:
| Directory | Contents |
| --- | --- |
| /etc | config files |
| /home | home directories |
| /var | variable files, spools and such |
| /usr | $os packages |
| /usr/local | non-packaged software, bloat |
| /package | djb's slash-package |
| /service | djb's supervise dir |
As you see, I did not specify where exactly pid files, temporary sockets, etc. pp. should go. Most of these details are covered by the hier(5) man page of your OS. You may even choose to do it exactly as your OS's hier(5) page describes the hierarchy. I have decided to use a central /etc containing all configuration files. The ports system of the FreeBSD operating system tends to do this differently, but I dislike that approach. What matters is that you like the layout, because it gives you the overview of your system that you need.
On a server, you need software. Well, there are some basic things which come with every OS, like fsck, gettys and such. I won't talk about them here. If you have additions to this list, drop me a line.
Every server needs some service control system. On most systems, this is either a BSD-style set of init scripts or a SysV init system. However, there are some exceptions to this, for example the init system of the Gentoo Linux distribution, which features dependencies between services. However, I think that they're mostly too bloated, and that they can't do anything if a service dies. This is why I use daemontools, which has a nice interface to start and stop services, and restarts services if they die. On Linux, you may want to use runit instead of your init. Runit replaces supervise and svscan (part of daemontools).
You also need a system log daemon. However, most of them are completely bloated, and do not have a logical behaviour, but a complex config file. This is why I use socklog. Socklog is a small and fast system log daemon, which works together with multilog (part of daemontools).
Everybody wants to maintain unix-ish systems over the network. Currently, there's no alternative to OpenSSH, which has a somewhat unpleasant security history.
You will need an inetd-like superserver to run most internet services. I can recommend ucspi-tcp here, which features a program called tcpserver. tcpserver is a one-service inetd, but it has many more features and a cleaner design. Sometimes, you may want to provide your services with SSL. The choice here would be to use ucspi-ssl, which has sslserver in it. sslserver does nearly the same as tcpserver, but for SSL connections.
HTTP servers are often needed on servers in today's internet. I can recommend fnord. fnord uses tcpserver and sslserver to provide its services to the network.
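The pieces above (supervise/svscan restarting a dying service, tcpserver in front of fnord, socklog feeding multilog) fit together through service directories. The script below is an added example, not part of this HOWTO or of daemontools, ucspi-tcp, socklog or fnord; it generates such directories and checks that each run script really execs its daemon, so supervise watches the daemon and not a leftover shell. The account names (www, svlog, nobody), the document root, the port and the assumption that fnord serves the directory it is started in are mine, not the projects'.

```shell
#!/bin/sh
# Added example, not from the original HOWTO: generate daemontools/runit
# style service directories. Each directory gets a "run" script that
# supervise executes and restarts whenever it exits, plus "log/run", which
# pipes the service's stdout/stderr into multilog. Account names (www,
# svlog, nobody), port, document root and fnord's behaviour are assumptions.
set -eu

# write_log_run LOGDIR
# multilog keeps a rotated set of files under ./main: t prefixes a TAI64N
# timestamp, s1000000 rotates at 1 MB, n20 keeps 20 rotated files.
write_log_run() {
    cat > "$1/run" <<'EOF'
#!/bin/sh
exec setuidgid svlog multilog t s1000000 n20 ./main
EOF
    chmod 755 "$1/run"
}

# make_tcp_service NAME PORT DOCROOT SVDIR
# fnord behind tcpserver. fnord is assumed to serve the directory it is
# started in (check its README for your version).
make_tcp_service() {
    name=$1
    port=$2
    docroot=$3
    svdir=$4
    mkdir -p "$svdir/$name/log"
    cat > "$svdir/$name/run" <<EOF
#!/bin/sh
# exec everywhere: supervise must see tcpserver's pid, not a shell's
exec 2>&1
cd "$docroot" || exit 1
# -R: no IDENT lookup  -H: no reverse DNS  -l 0: no local-host lookup
# (all three avoid stalls when name services are slow or hostile)
# -c 40: at most 40 concurrent connections
# envuidgid sets UID/GID; -U makes tcpserver switch to them after binding
exec envuidgid www tcpserver -v -RHl 0 -U -c 40 0 $port fnord
EOF
    chmod 755 "$svdir/$name/run"
    write_log_run "$svdir/$name/log"
}

# make_socklog_service SVDIR
# socklog reads /dev/log and prints each line on stdout, so the same
# log/run as above turns it into the system log. It is assumed to drop
# to the UID/GID from the environment once the socket exists.
make_socklog_service() {
    svdir=$1
    mkdir -p "$svdir/socklog/log"
    cat > "$svdir/socklog/run" <<'EOF'
#!/bin/sh
exec 2>&1
exec envuidgid nobody socklog unix /dev/log
EOF
    chmod 755 "$svdir/socklog/run"
    write_log_run "$svdir/socklog/log"
}

# check_service DIR
# Returns 0 only if run and log/run are executable and their last line
# execs the daemon; anything else leaves supervise watching a shell.
check_service() {
    dir=$1
    for f in "$dir/run" "$dir/log/run"; do
        [ -x "$f" ] || return 1
        [ "$(tail -n 1 "$f" | cut -c1-5)" = "exec " ] || return 1
    done
    return 0
}

# Demo in a scratch directory. In production the target is e.g. /etc/sv
# and each directory is symlinked into /service, where svscan picks it up.
demo=$(mktemp -d)
make_tcp_service fnord 80 /var/www "$demo"
make_socklog_service "$demo"
if check_service "$demo/fnord" && check_service "$demo/socklog"; then
    echo "generated service directories:"
    find "$demo" -type f
fi
rm -r "$demo"
```

Once the directory passes the check, `ln -s /etc/sv/fnord /service/fnord` is all it takes for svscan to start it; `svc -d /service/fnord` stops it and `svc -u` starts it again, and because the daemon runs as the unprivileged account from the first byte it reads, a bug in fnord does not hand out root.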
You will also need an MTA. Today, there are two known good MTAs: qmail and postfix. qmail requires patching if you want features like tarpitting, IPv6, TLS, etc. pp. postfix requires patching only for IPv6 and TLS. I use both of them, for different purposes. Test both, choose the one you like.
If you are running an MTA, you mostly also need remote access to your mails. This can be achieved using IMAP or SSH (the latter requires an MUA on the server). IMAP services are provided by bincimap. bincimap can be used with tcpserver, sslserver and vmailmgr.
If you already have an MTA, you may want to run mailing lists on it too. For mailing lists, I can recommend ezmlm, which has VERP and is pretty fast. Although, it only works with qmail. If you want to use it with postfix, you may want to install postfix's qmqpd and set up a mini-qmail for ezmlm. If you want some fancy features for your ezmlm, you may have a look at ezmlm-idx.
Often, you need something to transfer large amounts of files. I think that FTP sucks, as most FTP servers do too. Because of this, I run an anonymous rsync to provide downloads. rsync works together with tcpserver, and even sslserver if you like. However, there are some reasons why you would really need an FTP server. In such cases, I use pure-ftpd, which has no config file, just command line parameters.
Under Linux, when you're using software RAID, you may want to get a notice if your RAID fails. I use mdadm for this purpose (but also for administration of the RAID subsystem).
Sometimes, you may want to set up a DNS server. I use djbdns, which has a nice design. Authoritative server and resolver are split into two programs. This makes the design more robust. If you have primary DNS servers which are running BIND, you may want to use autoaxfr, which allows you to easily run a secondary for BIND.
For setting up VPNs, you may want to use openvpn (which works on Linux, *BSD, and Solaris). It's not as ugly and complicated as IPsec ;)
You may also want to run a small, fast, and stable IRC server. Well, there is only one I can really recommend: iacd. It has some interesting concepts, and is a complete rewrite from scratch, optimised for actually useful features, speed, and security.
When having a look at your network, you may want to use some monitoring tools. There are some I really like. Have a look at bmon, a bandwidth monitor, cmon, a connection monitor which also includes a netstat replacement (cstat), and nstats, which generates statistics about captured traffic.
You will also need a piece of software that schedules execution. I use uschedule, which is not actually a replacement for cron. It has a more general approach than cron, and you can schedule processes with much more flexibility.
I do not like working as root, which is why I use sudo on a regular basis. It allows me to be non-root all the time, and only get superuser rights when I want them. sudo can be configured to suit your needs exactly.
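A sudoers fragment in that spirit, as an added example and not from the HOWTO or the sudo project: it lets an operator group start and stop supervised services without a general root shell. The group name, the svc path and the log file are assumptions.

```sudoers
# Added example (not from the original page). Group, paths and log file
# are assumptions; adjust them to your system.
Defaults    env_reset, use_pty, logfile=/var/log/sudo.log

# Only the two svc actions operators need, on directories under /service.
# Caveat: a sudoers "*" also matches spaces, so "/service/*" still accepts
# several arguments; keep the allowed commands this narrow and review the log.
Cmnd_Alias  SVC = /usr/local/bin/svc -u /service/*, \
                  /usr/local/bin/svc -d /service/*

%svcadmin   ALL = (root) NOPASSWD: SVC
```

Always edit the file through visudo, which refuses to save a fragment with a syntax error; a broken sudoers can lock everyone out of root.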
On Linux, most of the above software links against dietlibc. This will increase speed and lessen memory usage. I can only recommend that you link all software against dietlibc.
For filesystems, I stick to ext3. It is built upon ext2, and is thus pretty stable, something I cannot say about xfs, reiserfs or jfs. Linux's software RAID is also a feature that can't be missed on any server; it's fast and simple, and enhances the reliability of your disk subsystem.
You may want to use iproute2's ip instead of the old and deprecated ifconfig and route commands.
Get a chrooted shell on your workstation, install your OS there, and package all the software you are going to use yourself. Don't use premade packages, because usually they do not fit your needs. However, you should look at other packages, and learn from them.
For each piece of software above, there's lots of documentation on the web. Learn how to use the software most efficiently, how to install it, and generally how it 'feels'. This may take a lot of time, but will help you greatly to fully understand what your system is actually doing.
You will surely run into many problems where something does not do what you want. Rewrite the program, put a wrapper around it, whatever your way is to fix it, and make it publicly available on the web, so that other people can use it.
I have created a packaging system that I can use with both Debian and CRUX, called sw-utils. It's designed to be extensible, so I could easily use it on a BSD system, Solaris, or a commercial Linux distribution. You can find it here.
I want to thank the following people (in no particular order):
If you have any questions or suggestions don't hesitate to contact me.
This document is public domain.