Gentoo Server, Router and Firewall

Text and images by Andrew.

This is a work in progress and it will be updated over the next week or so…

My father’s company has had a Linux-based server, firewall and router for a while. This server hosts this web site and others, a virtual mail hosting system and general file sharing for his company. It serves as a NAT router and firewall as well. Basically it is a Linux network Swiss army knife. After 5 years of faithful service to us (in addition to 5 years in a production cluster) the dual PIII-450 machine hosting the system is having hardware issues that cause freezes, so we figured it was about time for new hardware. My father’s company purchased an AMD64-based Dell T105. While this $700 system was more expensive than the free salvaged box, it comes with a 4-year 24×5 support contract and warranty.

Distro

The previous box runs gentoo and that is my distribution of choice (my laptop, pvr and several other boxes all run gentoo). Naturally I am sticking with that. I am starting with the AMD64 2008.0 version (currently in beta).

File System

The last server had two similarly sized drives and I ran a nightly rsync as a lazy mirror. The idea being that I could roll back config changes and it provided a decent backup of the data on the server (all of which was just backed up there from elsewhere). I didn’t do anything fancy like software RAID or LVM (both of which I’ve used elsewhere).

For this server, I’ve decided to boot off software RAID and to allocate space using LVM2. LVM2 is a storage management layer that carves logical volumes out of a pool of physical volumes and lets you grow or move them while the system is running. Paired with a file system that can be resized online (reiserfs in this case), you can add space to a volume as it fills and rearrange the layout later. One caveat: reiserfs can only be grown while mounted; shrinking it means unmounting first, so err on the side of leaving free space in the volume group rather than over-allocating. LVM2 also supports snapshots, letting you freeze the state of a volume for a consistent backup without taking the system down. A snapshot is copy-on-write and has a fixed size chosen when it is created; if more blocks change on the origin than the snapshot can hold before you remove it, the snapshot becomes invalid, so size it for the expected churn and drop it as soon as the backup finishes.

Booting off software RAID can be a bit of a PIA. In my case, I could not get a straight genkernel-based config to boot, even following the instructions, so I reconfigured the kernel to include all the required drivers (built in, not as modules) so it boots without an initial RAM disk. After enabling all the correct drivers the system boots from software RAID and LVM2 fine.

My basic partition layout is root, swap and boot on software RAID 1 partitions, with the significant directories under root (home, tmp, var, usr, opt) on their own logical volumes. Keeping /boot on a plain RAID 1 partition rather than on an LVM volume matters: the bootloader has no LVM support, and with the old-style 0.90 md metadata format the RAID superblock sits at the end of each member, so the bootloader can read either half as an ordinary partition.

Firewall & Security

The previous server used gShield to configure and manage the firewall. gShield is masked for amd64; however, the other options (shorewall: no good Gentoo docs; Gentoo’s built-in system: looks too limited; other random packages: all look aimed at desktop configs and are limited) appear worse, and I know gShield already and have a working config. So, I’m going to give it a shot and see how it works on the amd64 arch. It shouldn’t have problems as it is basically a perl script that runs iptables commands for you.

For additional security, I’m using fail2ban (emerge net-analyzer/fail2ban), a daemon that watches the logs for authentication failures on various services and adds firewall rules blocking hosts that rack up too many of them. This stops online brute-force password attacks in their tracks: an attacker gets three guesses (or however many you set with maxretry) within the findtime window before their IP is blocked for bantime. Note what it does not do: a guessing campaign spread over many source addresses, one or two tries each, never trips the threshold, so fail2ban rate-limits attackers but is no substitute for strong credentials. I’m using fail2ban for ssh and other services. Obviously, if you are remotely managing the server, you don’t want to get blocked should something happen (caps-lock? it has happened to the best of us). So, if you are going to use fail2ban for ssh (I recommend it) you should be authenticating with SSH keys rather than passwords, ideally with PasswordAuthentication turned off in sshd_config, and you should list the address you manage from in fail2ban’s ignoreip so a typo cannot lock you out of your own box.
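As an added illustration of the maxretry/findtime/ignoreip behaviour described above (example code written for this page, not part of the original post and not fail2ban’s own code), the following scanner applies the same rule to a handful of constructed sshd log lines and prints the iptables commands a ban would run. The log lines, addresses, the assumed year and the chain name are all made up for the example; 192.0.2.10 plays the administrator’s workstation.

```python
"""Added example: a minimal fail2ban-style scanner for sshd failures.

Not code from the post or from fail2ban. It applies the same rule fail2ban's
sshd jail does (maxretry failures within findtime, ignoreip exempt) to a few
constructed log lines and emits the iptables commands a ban would run.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample syslog lines (addresses from documentation ranges, year
# omitted as syslog does). 192.0.2.10 plays the admin's workstation.
SAMPLE_LOG = """\
May  3 10:00:01 gw sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
May  3 10:00:03 gw sshd[2103]: Failed password for root from 203.0.113.7 port 51004 ssh2
May  3 10:00:04 gw sshd[2105]: Failed password for root from 203.0.113.7 port 51006 ssh2
May  3 10:00:09 gw sshd[2110]: Accepted publickey for andrew from 192.0.2.10 port 40000 ssh2
May  3 10:01:00 gw sshd[2111]: Failed password for andrew from 192.0.2.10 port 40001 ssh2
May  3 10:01:01 gw sshd[2112]: Failed password for andrew from 192.0.2.10 port 40002 ssh2
May  3 10:01:02 gw sshd[2113]: Failed password for andrew from 192.0.2.10 port 40003 ssh2
May  3 10:20:00 gw sshd[2200]: Failed password for root from 198.51.100.5 port 33000 ssh2
May  3 11:20:00 gw sshd[2300]: Failed password for root from 198.51.100.5 port 33001 ssh2
May  3 12:20:00 gw sshd[2400]: Failed password for root from 198.51.100.5 port 33002 ssh2
"""

# sshd failure line as relayed through syslog; "invalid user" appears when the
# account does not exist at all.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def parse_ts(stamp, year=2008):
    """syslog stamps carry no year; the constructed log is assumed to be from 2008."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def find_bans(log_text, maxretry=3, findtime_s=600,
              ignoreip=("127.0.0.0/8", "192.0.2.10")):
    """Return the sorted source addresses that reached maxretry failures within
    findtime_s seconds, skipping anything inside the ignoreip networks."""
    ignored = [ip_network(n, strict=False) for n in ignoreip]
    recent = defaultdict(deque)  # ip -> timestamps of failures still in the window
    banned = set()
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are not failures
        ip = m.group("ip")
        if any(ip_address(ip) in net for net in ignored):
            continue  # the management host is never banned, whatever it types
        ts = parse_ts(m.group("ts"))
        window = recent[ip]
        window.append(ts)
        # Slide the window: failures older than findtime no longer count, so a
        # host probing once an hour never reaches the threshold.
        while (ts - window[0]).total_seconds() > findtime_s:
            window.popleft()
        if len(window) >= maxretry:
            banned.add(ip)
    return sorted(banned)


def iptables_rules(ips, chain="fail2ban-SSH"):
    """The per-ban command fail2ban's classic iptables action runs; the chain
    name follows that action's convention (the action hooks it from INPUT
    itself, which is not shown here)."""
    return [f"iptables -I {chain} 1 -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    print("banned with ignoreip:   ", find_bans(SAMPLE_LOG))
    print("banned without ignoreip:", find_bans(SAMPLE_LOG, ignoreip=()))
    for cmd in iptables_rules(find_bans(SAMPLE_LOG)):
        print(cmd)
```

Running it shows the two points from the paragraph: 203.0.113.7 is banned after its third failure in a few seconds, while 198.51.100.5, which probes once an hour, never accumulates three failures inside the 600-second window. The second call, with the ignore list emptied, adds 192.0.2.10 to the ban list, which is exactly the self-inflicted lockout the ignoreip setting exists to prevent.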

File Serving

One of this server’s main purposes in life is to provide light office file sharing. To do this I’m using Samba. Nothing magical here. The only change from the previous setup is that I’m running CIFS instead of the SMB drivers.

Mail Hosting

The original purpose of the server was to host email for several domains (i.e. this server is the target of those domains’ MX records). Before deciding to do this, one should consider several facts:

  1. Mail hosting systems are highly complex and can be difficult to set up.
  2. Virtual mail hosting (i.e. hosting more than one domain on the same server) is more complex still.
  3. Incorrect configuration can result in a mail black hole, becoming a spam relay (resulting in disconnection by your ISP) and other generally evil things.
  4. There are cheap or free alternatives that will host mail for a domain and offer services like good spam filtering.

Generally, unless you want to spend more than a few nights dealing with emergencies, consider a paid or free hosting service for this part. I still choose to host my own mail for a couple of reasons:

  1. I can run mailman for mailing lists.
  2. I’m a control freak.
  3. I already know how to do it.
  4. I’m already doing it.

If even one of the previous things wasn’t true, I’d have the people using this server (myself included) just pay for mail hosting.

The setup I’m using is documented here. It basically uses Postfix as the mail transfer agent, Courier for POP and IMAP, MySQL to store account information, Maildir to store the actual messages, amavisd-new, SpamAssassin and ClamAV for virus/spam/junk filtering and Mailman for mailing lists. It is a complex setup and for my own sanity, I’m mostly just copying it from the old server.

The major thing I’ve learned over the past 5 years is that mail is a PIA. One concrete pointer: in the Postfix main.cf you probably want to set relayhost to your ISP’s outgoing SMTP server (the parameter is spelled relayhost, not relay_host; a misspelled parameter simply has no effect and your mail keeps going out directly, so confirm what is in force with postconf relayhost). Even “commercial” connections are often listed as “residential”, and mail sent directly from them will be rejected as probable spam. So you want your server to hand off to your ISP’s server, which is not in that situation. Let them fight the fight to not get rejected by the major mail providers like Yahoo, Google and AOL. Relaying outbound this way does nothing about the other direction: the spam-relay risk from the list above is governed by smtpd_recipient_restrictions, which must reject unauthorized destinations for any client outside mynetworks, and postconf -n is the quickest way to review every non-default setting in one place.
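As an added example (not the post’s actual configuration), here is a main.cf fragment with the relayhost setting described above, beside the relay restrictions that keep the server from becoming the spam relay warned about in the mail-hosting list. The host name and network ranges are placeholders, and the SASL lines are only needed if the ISP’s relay requires authentication:

```ini
# /etc/postfix/main.cf fragment (added example, placeholder values)

# Outbound: hand everything to the ISP's relay rather than delivering straight
# from a connection that recipients will treat as residential. The brackets
# suppress the MX lookup, so the name is used directly as a host.
relayhost = [smtp.isp.example]

# Only if the ISP relay demands authentication: enable SASL and keep the
# credentials in a separate root-only map, one line of the form
#   [smtp.isp.example] user:password
# rebuilt with "postmap hash:/etc/postfix/sasl_passwd" after each edit.
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous

# Inbound: do not be the relay for anyone else. The office LAN and clients
# that authenticated may send to arbitrary destinations; everyone else may
# only deliver to the domains this server is the MX for. Leaving out
# reject_unauth_destination turns the box into an open relay.
mynetworks = 127.0.0.0/8, 192.168.1.0/24
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
```

After a change, postconf relayhost smtpd_recipient_restrictions shows the values Postfix actually loaded, which catches the relay_host-style typo immediately, and a test message to an outside address from an outside client should be refused with a "Relay access denied" reply before you point any MX record at the box.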
