Date: Tue, 8 Jul 2003 15:01:04 -0500
From: Paul Smith <paul@cnt.org>
To: freebsd-stable@freebsd.org
Subject: Hardening production servers
Message-ID: <20030708200104.GA66624@cnt.org>
Greetings,

Apologies if this is not the appropriate list, but my questions are about best practices in maintaining production servers (so I believe I can justify a post in -stable, short of a -release list :)

I maintain a modest installation of 6 FreeBSD servers. They're CVSUP'd to RELENG_4_8 (I make buildworld on each individually) and I portupgrade ports as necessary.

In an attempt to mature and harden this installation, I'm wondering what is the best approach for keeping production servers patched and with the latest ports. I know that compiling everything on each box is poor security practice and an unnecessary drain on resources. But I'm confused as to how to go about compiling world and the ports on a separate machine and how to then distribute to the production servers. Should I compile ports as packages? Which directories are appropriate for NFS export? Each machine is i386, so there shouldn't be any architecture issues, but each has its own hardware configuration, so how would building a custom kernel work?

My selfish goal is to reduce maintenance time and effort by centralizing patches and updates, and my overall goal is to enhance security and reliability on the production servers by removing compiling tools.

Thanks in advance for any advice on this matter.

Cheers,
Paul

--
Paul Smith <paul@cnt.org>
Webmaster/Systems Administrator
Center for Neighborhood Technology
Chicago, Illinois USA