My new setup
It’s time to rebuild and make myself a harder target.
What O/S? I like OS X and all, but after spending a little time on Google, I have begun to question my faith in all things Apple. Sites such as this suggest that the security in OS X is somewhat lacking. Others such as this suggest that things have improved markedly in Lion (mind you, I was already running Lion). I’m not sure what to believe.
Rightly or wrongly, given my recent experience, the fact that this was a clean slate, and that it was an ideal opportunity to play while convincing myself I was ‘working’, I have decided against using OS X for any external-facing services. I quickly narrowed my choices down to OpenBSD, Ubuntu Server LTS or Ubuntu Server 11.10. After a little experimentation with each, I went for Ubuntu 11.10, as it appeared to give support for more and newer packages and could be hardened appropriately for external access. Please don’t flame me, I am happy with my choice (constructive criticism is always welcome, of course!). Maybe I will change my mind with the next Ubuntu LTS, which is due soon; we’ll see.
My internal services are mixed between some OS X specific functions such as file, print and backup serving, and some more generic services such as hosting my source control.
My external services are all generic services: SFTP, VPN and WWW.
I also had to consider the practice of having a single server versus a server per function. There is some debate regarding this, such as here; however, I have decided to move to a pragmatic position of:
- 1 internal-only OS X server handling OS X specific services (Time Machine backups over a network can be temperamental at the best of times)
- 1 internal Ubuntu server handling more generic services, including a Git server
- a separate Ubuntu server for each external service, currently VPN, SFTP and WWW
I ended up reusing my MacMini for the OS X server, adding some more RAM and then also hosting my Ubuntu VMs on this same host. I would have preferred more separation, but the budget and my wife’s acceptance of computer clutter only stretched this far.
As luck would have it, my modem also died a few days later. So now I run a new DD-WRT setup over a bridged modem, which gives me the ability to run iptables on the router, which is a good thing.
Posted on January 16, 2012, in O/S, OS X, Ubuntu and tagged Apple, DD-WRT, macmini, security, Ubuntu.