FreeBSD jail for a small company - checklist - what I shouldn't forget

Looking for a checklist for a "small company FreeBSD/jail server".

Having a pretty common starting point:

  • FreeBSD jail (remote/headless) for the company:
    • public web, email, ftp server, and
    • private (maybe in the future partially public) wiki (foswiki)
  • 4 physical persons (6 email addresses) + one admin (others will never use ssh)
  • have already done the usual hardening on the host side (like pf, sshguard etc).
  • my major components are: dovecot, exim, apache22, proftpd, perl5.14.

Looking for a checklist of what I shouldn't forget. My plan right now includes:

  • openssl self-signed certificates for exim, dovecot and proftpd (wildcard keys)
  • openssl self-signed certificate for apache (later will go for "trusted-signed" key)
  • User accounts

but are there any other recommendations?

related:

  • What's your suggested mail server configuration for a FreeBSD server?

Solution 1:

This is really one of the classic virtual server questions - the only difference is you're saying "jail" instead of "VM".
If you remove the word "jail" from your question do you know what to do? (If so you can stop reading :-)


A specific checklist is by definition Too Localized to be answered on Server Fault -- it's intensely specific to your environment. I can tell you that your checklist for setting up a jail should be pretty much identical to your checklist for setting up a server (with the caveat that you won't be doing any kernel-related stuff, and the addition of some jail-specific steps which you should be familiar with already -- if not, the FreeBSD Handbook has a pretty comprehensive Jails chapter which should cover it).

Do you already have a checklist for setting up a regular server?
If not, it should include things like:

  • Adding local user accounts
  • Installing commonly used packages
  • Setting up network user accounts (NIS, LDAP, etc.) if you use them
  • Applying local configuration (NTP, DNS, etc.)
  • Setting up & configuring the servers you want to run (Web, Mail, etc.)

Your full checklist may also include some stuff that's not relevant to jails, like:

  • Partitioning your disk (usually jails are monolithic though other configurations are possible)
  • Installing a custom kernel / configuring loadable modules
  • Configuring IPMI or other lights-out management controllers

Which you'd usually do on the host machine as you would for any other system.

Write down what you do for your next server build.
If you missed stuff add it to the list as you fix it.

Eventually you will have a comprehensive, site-specific checklist (probably several. I have one for web servers, one for DB servers, one for mail servers...).