delphij's Chaos

I chose the word chaos because it is really hard to find a more fitting word to describe this place...

08 Mar 2004

Plan for my own server

As some of you may know, I am planning to buy a server with some friends and place it in an IDC by the time I graduate from the university. The server will primarily do personal web and FTP hosting, as well as mail service and DNS service.

A preliminary plan is to deploy a somewhat “ad-hoc” server for this. My current intention is to give every shareholder the privilege to su(1) to root when it is needed in emergency situations. All software on the computer should be installed through ports, and more specifically, I want to be the principal maintainer of the server and will look after it.

As the principal server administrator of FreeBSD China Community’s web server, and having administrated a large number of servers at university and the high school, I believe I am competent in this role. While keeping everyone’s wheel group bit, I would prefer to install and configure software in a consistent way so we can easily mitigate security problems.

The operating system I will choose is FreeBSD 5-STABLE’s RELEASE; by the time we want to build the server, it should be 5.3-RELEASE. No operating system upgrade will be done until a security update is available in the security branch, or it is necessary to update to a newer RELEASE (for example, a new RELEASE brings significant performance gains, or the old release is dropped by the FreeBSD security officer).

It is important to optimize the operating system carefully to maximize performance and security. Some software I already have in mind:

o Web Server: Apache 2.x with python, php5, mod_mp3
o Remote Logon: OpenSSH (FreeBSD stock port)
o Mail: postfix 2.x, cyrus-imapd 2.x
o Database: PostgreSQL 7.4, MySQL 4.0
o DNS: bind 9 (stock port) or PowerDNS

In addition, Java 1.5.x or 1.4.x and resin may be considered. Moreover, I would like to jail something out so it will not be a pain to revise all code (as we don’t have much time!)

The hardware is a difficult thing. Personally I tend to use IDE devices due to the lack of money, but it is obvious that IDE devices are not dependable. A workaround for this is to have two RAID arrays, one RAID1 and the other RAID0. A script will back up things to the RAID1 array on a daily or hourly basis (compressed, of course). Important data such as e-mail are stored in RAID1 slices only, while we store most other things in the RAID0 slices.

I intend to adopt a computer with the following configuration:
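
The daily or hourly compressed backup to the RAID1 array described above could look like the following sketch. It is an added example, not the author's script; the function name `backup_tree`, the `/storage` and `/backup` paths, and the cron schedule in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not the author's script). Assumed layout: data lives on the
# RAID0 slices under /storage, backups go to the RAID1 slices under /backup.
# A wrapper script run from cron would call, for example:
#   backup_tree /storage /backup/daily
# Hypothetical crontab entry for a daily run at 03:00:
#   0 3 * * * /usr/local/sbin/backup_tree.sh

# backup_tree SRC DEST [STAMP]
# Writes DEST/<basename of SRC>-STAMP.tar.gz and prints its path.
# The body runs in a subshell so umask and variables do not leak to the caller.
backup_tree() (
    src=$1
    dest=$2
    stamp=${3:-$(date +%Y%m%d-%H%M)}

    [ -d "$src" ] || { echo "backup_tree: no such directory: $src" >&2; exit 2; }

    # Archives contain mail and site data: keep them owner-only.
    umask 077
    mkdir -p "$dest" || exit 3

    name=$(basename "$src")
    final="$dest/$name-$stamp.tar.gz"
    tmp="$final.partial"

    # Write under a temporary name first, so an interrupted run never leaves a
    # truncated archive that looks like a good backup.
    if tar -czf "$tmp" -C "$(dirname "$src")" "$name" && gzip -t < "$tmp"; then
        mv "$tmp" "$final" && echo "$final"
    else
        rm -f "$tmp"
        exit 1
    fi
)
```
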

o RAM: 2GB or 4GB
o HDD: 4x160GB (or x2 if money rules)
o CPU: Pentium4 2.6 x 2

The policy about management should be clarified before we buy the server. I do not prefer quota because it hinders performance and does nothing against someone who has root privilege, so it is a waste of time. Hence only trusted people, that is, those who are proven to be trustworthy and meet the following requirements, can join the plan:

o He or she must be security-aware. For example, they will not share their private key with others.
o He or she must be a ‘stable’ person who will calm down before doing something when they are sad, angry, or agitated.
o He or she must be able to do things with their own hands, for example, to configure FTP over SSL in their local client.
o He or she should be familiar with command line operations. A person who has an “undo” habit is not acceptable because many operations on a FreeBSD box are not undoable.

I do not really care whether many people will join this plan, as this is very much a personal plan. My usage of the server will be:

o As the primary NS and MX server of delphij.net. Of course, the server will be configured to accept virtual domains as a mail server, as I did for FreeBSDChina.org and frontfree.net. I do not really care what will be shown in the TLS certificate.
o As the primary web server for websites at delphij.net. This is important for me, and the websites will finally include a documentation collection, a blog, and a personal website. The first two will utilize a database.
o Moreover, the server might act as a transfer route when downloading files from the Internet.

The server will have a “fair use” policy, that is, everyone will be granted the privilege to use the server to do whatever they wish; however, their behavior ought to be limited in some ways, for example:

o Do not attack others through the server, for instance by sending spam mail.
o Do not use this box as a bulk FTP file supplier. It’s OK to provide something really big (e.g. movies) to a group of friends, but it might be harmful to do this as an anonymous server.
o Do not publicly distribute anything that violates the law.
o Do not hold a large amount (i.e. more than the shareholders’ share) of data over a long time. It’s OK to do so temporarily, for example for a week, but not if this will last more than a month.
o Do follow the server directory layout policy. For example, one should put his or her files under the specified directories, like storage/delphij/www for www.delphij.net and storage/delphij/logs for website log files. This will ease management.
o Do consult with others if one is planning to do something big, like installing software or changing the primary root password.

I plan to invest at most 5000 Yuan for this at present. Yes, it will be good if there are more shareholders, but I do not want to have more than 5 shareholders. Although only shareholders can have shell access to the box, every shareholder can provide services through the resource for their friends, for example providing e-mail boxes for 500 friends :-). Mailboxes will have a nominal quota (50 or 100MB for each virtual user) because they would otherwise be easily exploited by an attacker to exhaust mail storage.

Please let me know if you are interested in joining me; also, I need a more detailed plan if you really want to join us.