From: "Peter"
Date: Wed, 23 Apr 2003 16:15:20 -0700
Subject: Keeping a large shellbox stable and secure
Message-ID: <001901c309ee$36029070$c601a8c0@oxygen>
Delivered-To: freebsd-hackers@freebsd.org
List-Id: Technical Discussions relating to FreeBSD

Hello,

I'm going to be starting to run a large shell box again, about 900 users (basically free shell accounts, crazy isn't it?). I would like to avoid the same mistakes I made before; my system was pretty secure (I'm running FreeBSD, and I keep everything up to date and tuned).
I had a problem with the boxes crashing a lot, and in this case the box will no longer be hosted at my house, but by an ISP. They are also sponsoring it, so it won't be "supported", which means that I will have to buy a reboot switch (one-time fee of $50), but I would like to avoid having to hard reset the box all the time.

Are there any methods that have been proven to work in keeping your system stable, so that it is harder to crash? I found that even when I was using login.conf, the system would crash a lot from people running programs that would use excessive system resources to attempt to crash the system and so forth.

Are there any proven methods that you have used? System tweaks, etc., that seem to work under high system loads? Such as sysctl.conf, rc.conf, etc.

What programs would you recommend to install on the system, kernel patches, etc., that have helped you maintain a highly loaded box, and a box that will come under scrutiny from people trying to attack, crack it, crack from it, flood from it, etc.? Would ipfw2 or Ipfilter be better? Should I run RELENG_4 or RELENG_4_8?

Any ideas would be appreciated. Basically, I'm attempting to make this box as stable and secure as possible. Anything would be appreciated.

Thanks,

(Sorry if I posted this to the wrong list)

--
Peter Kieser