undefined | Better HN

0 pointsefortis4y ago0 comments

Hi xianwen,

Both servers are SuperMicro with:

- 6 Cores 3.3/4.5GHz (E-2136)

- 32GB ECC DDR4

- 2 × NICs (em, igb)

- 2 × 480GB SSD

- 20TB on 1Gbps with DDoS FENS

- IPMI over VPN

I rent them to Hivelocity.

===

FreeBSD vs OpenBSD

Ilja van Sprundel answers your question by comparing the number of kernel vulnerabilities since 1999 of the BSDs and Linux. [1]

I don't think FreeBSD, even well hardened [2], is as secure as OpenBSD. After all, OpenBSD's main focus is security. I use OpenBSD for orchestration and monitoring, and I have an experimental setup of OpenBSD with VMM but they crash sporadically, so I'll wait a bit.

At any rate, my goal is to have two heteregenous paths (maybe OpenBSD, FreeBSD) or (Solaris, Linux). This way I could simply shutoff the vulnerable path when there's an unfixed vulnerability.

[1] https://youtu.be/rRg2vuwF1hY?t=264

[2] https://vez.mrsk.me/freebsd-defaults.html

===

BTW, I have the FreeBSD hardening and setup scripted, which you could add into the ISO in `/etc/installerconfig`, or downloaded from the orchestration and manually ran with `bsdintall script myinstallerconfig.sh` if you wish.

0 comments

xianwen4y ago

Thank you very much!

I'll keep the hardening script on mind. I have strong interests to spend more time on servers, but at the moment it is difficult to find time.

If vmm(4) is stable on OpenBSD, it can be used as an alternative to jail. Because OpenBSD has small footprint, a virtual machine of OpenBSD through vmm(4) probably will not require much more resources than a jail instance, I guess.

I have been bitten by OpenBSD once, though. I was traveling with a laptop, where OpenBSD was the only OS and the filesystem was encrypted. However, there was a hardware failure, that the data on the hard disk was corrupted. I lost some work and some files, and managed to recover the rest of the files before the hard disk died.

At the moment OpenBSD still does not support a filesystem that implements file checksum. I think it can be a limitation.

j / k navigate · click thread line to collapse