From: Paul Smith <paul@mailbox.cnt.org>
To: freebsd-stable@freebsd.org
Date: Tue, 8 Jul 2003 15:01:04 -0500
Subject: Hardening production servers
Message-ID: <20030708200104.GA66624@cnt.org>
User-Agent: Mutt/1.4i

Greetings,

Apologies if this is not the appropriate list, but my questions are about best practices in maintaining production servers (so I believe I can justify a post in -stable, short of a -release list :)

I maintain a modest installation of 6 FreeBSD servers. They're CVSUP'd to RELENG_4_8 (I make buildworld on each individually) and I portupgrade ports as necessary.
In an attempt to mature and harden this installation, I'm wondering what is the best approach for keeping production servers patched and with the latest ports. I know that compiling everything on each box is poor security practice and an unnecessary drain on resources. But I'm confused as to how to go about compiling world and the ports on a separate machine and how to then distribute them to the production servers. Should I compile ports as packages? Which directories are appropriate for NFS export? Each machine is i386, so there shouldn't be any architecture issues, but each has its own hardware configuration, so how would building a custom kernel work?

My selfish goal is to reduce maintenance time and effort by centralizing patches and updates, and my overall goal is to enhance security and reliability on the production servers by removing compiling tools.

Thanks in advance for any advice on this matter.

Cheers,
Paul

-- 
Paul Smith
Webmaster/Systems Administrator
Center for Neighborhood Technology
Chicago, Illinois USA
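The build-host arrangement the post is asking about, as an added example that is not part of the original message or of any reply to it: one machine with the compiler does `buildworld`, one `buildkernel` per hardware configuration and `make package` for the ports, and exports `/usr/src`, `/usr/obj` and the package directory read-only over NFS; each production host mounts those, runs `installkernel`/`installworld`/`mergemaster` and `pkg_add`, and never needs a toolchain of its own. This follows the standard FreeBSD source-upgrade commands (`buildworld`, `buildkernel KERNCONF=`, `installkernel`, `installworld`, `mergemaster`, `make package`, `pkg_add`); the hostnames, kernel config names, port and package names are assumptions. `DRY_RUN=1`, the default here, prints the commands instead of executing them so the plan can be reviewed on any machine.

```shell
#!/bin/sh
# Added example, not the original poster's script. Hostnames, paths, kernel
# config names and package names below are assumptions chosen for illustration.
# DRY_RUN=1 prints each command instead of running it.
DRY_RUN=${DRY_RUN:-1}
SRC=/usr/src
OBJ=/usr/obj
PKGDIR=/usr/ports/packages          # where "make package" drops .tgz files
BUILDHOST=build.example.org         # assumed name of the build box

# run_in DIR CMD...: run CMD inside DIR, or print "cd DIR && CMD" in dry-run mode.
run_in() {
    dir=$1; shift
    if [ "$DRY_RUN" = 1 ]; then
        printf 'cd %s && %s\n' "$dir" "$*"
    else
        (cd "$dir" && "$@")
    fi
}

# exports(5) lines for the build host. Read-only, root mapped to nobody, and
# only the listed production hosts may mount; nothing else under /usr/ports is
# exported because the clients only need the finished packages.
gen_exports() {
    # gen_exports host1 host2 ...
    for dir in "$SRC" "$OBJ" "$PKGDIR"; do
        printf '%s -ro -maproot=nobody %s\n' "$dir" "$*"
    done
}

# Build host: one world, then one kernel per hardware configuration.
# Each production box has its own KERNCONF file in $SRC/sys/i386/conf.
build_host() {
    # build_host GENERIC WEB1 DB1 ...
    run_in "$SRC" make buildworld
    for kc in "$@"; do
        run_in "$SRC" make buildkernel KERNCONF="$kc"
    done
}

# Build one port as a package on the build host; the .tgz lands in $PKGDIR/All.
build_package() {
    # build_package www/apache13
    run_in "/usr/ports/$1" make package
}

# Production host: mount the build host's trees read-only, install the kernel
# built for this box's KERNCONF, then world, then merge /etc, then unmount.
client_install() {
    # client_install KERNCONF
    run_in / mount -o ro "$BUILDHOST:$SRC" "$SRC"
    run_in / mount -o ro "$BUILDHOST:$OBJ" "$OBJ"
    run_in "$SRC" make installkernel KERNCONF="$1"
    run_in "$SRC" make installworld
    run_in / mergemaster
    run_in / umount "$OBJ"
    run_in / umount "$SRC"
}

# Production host: add a prebuilt package from the build host, no compiler needed.
client_add_package() {
    # client_add_package apache13-1.3.27_1     (package file name is assumed)
    run_in / mount -o ro "$BUILDHOST:$PKGDIR" "$PKGDIR"
    run_in / pkg_add "$PKGDIR/All/$1.tgz"
    run_in / umount "$PKGDIR"
}

# Print the plan for a sample two-host installation (dry run by default).
gen_exports web1.example.org db1.example.org
build_host GENERIC WEB1
build_package www/apache13
client_install WEB1
client_add_package apache13-1.3.27_1
```

Running the build as a non-root user with `-ro -maproot=nobody` on the exports keeps the production hosts from being able to modify the sources or objects they install from; the kernel for each box is selected purely by its `KERNCONF` name, so hardware differences need no compiler on the client.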