OpenBSD Journal

Your OpenBSD Story - Nick Humphrey

Contributed by jason on from the duct-tape-rubber-bands-and-a-cdrom dept.

Nick Humphrey writes in to tell us about how he got started with OpenBSD:

I started using OpenBSD around 2000. In early 2001 I joined a small company with an almost non-existent IT budget, so securing cash for hardware, software and support was extremely difficult. I used OpenBSD in a wide variety of roles to provide excellent security and robust services at minimal cost.

On arrival, the infrastructure was mainly Windows NT4/2000 desktops and servers. No anti-virus (on anything), a firewall with ANY-ANY-ALLOW as the active ruleset, almost no ACLs in place on any shares/directories. Server systems were crumbling, tape drives flaky and without support/maintenance contracts lots of the software was out-of-date and unpatched. There was a pile of older low spec Dell desktop machines that were unused. Most of these were around 128MB RAM and 20GB hard disk drives with 100MB ethernet.

I started by taking a desktop machine with the largest hard disk I could find and installed OpenBSD. I locked down the machine further by disabling almost everything except SSH, then set the configuration to only allow connections from my desktop admin PC, then set up a local source tree. From here I would apply patches, maintain post-install scripts, make my own release ISOs and use these to install/upgrade other systems locally. I configured another OpenBSD machine to act as an FTP server so I could easily move files around the LAN (these were the days before USB flash drives became ubiquitous!).

I then spent a Saturday swapping out the existing unsupported firewall for a pair of Dell machines running OpenBSD. I had verified that the BIOS, hardware config, etc. were identical, with one running as the main firewall and the other on warm stand-by ready to be swapped in within 5 minutes. They also provided DNS and DHCP capabilities to the internal network.

An undergrad student from a nearby university had taken a temp data input job with the firm over the summer and accidentally deleted one of the critical data repositories in a Windows file share. Although we restored from tape, this shock to management meant I was finally granted permission to re-work the groups, policies and ACLs on the Windows Domain, and I was allocated some money to buy two large hard disks and another small UPS. These hard disks were installed into one of the Dell machines, installed with OpenBSD and fed with clean power from the UPS, all of which I sited in a locked closet in the IT room. This system was set up to scan all critical Windows server file directories every hour and snapshot changed/new files. This archive "time machine" system would provide a fast fall-back for file access should a worm or other malware make its way into the Windows network, or should users accidentally or maliciously delete data. Within minutes I could locate and restore almost any user file from the last 6+ months.
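The hourly "snapshot changed/new files" archive described above can be built with nothing more than find, cmp, ln and cp: each hourly run produces a complete, browsable copy of the share tree, but any file that is byte-for-byte identical to the one in the previous snapshot is hard-linked rather than copied, so only changed and new data costs disk space, and any earlier version is still a plain file you can copy back. The script below is an added example, not the original author's tooling (the story does not say how his system was implemented). It assumes the Windows shares are already mirrored into a local directory by some other means (a Samba mount, smbclient, whatever you use), that snapshot names sort chronologically (ISO-style stamps such as 2001-06-01T10), and the paths in the crontab comment are hypothetical.

```shell
#!/bin/sh
# Hourly hard-link snapshot archive ("time machine") for a mirrored file share.
# Added example, not from the original story. Assumes the Windows shares are
# already mirrored into SRC; this only builds the snapshot tree ARCHIVE/STAMP.
# Hypothetical crontab line (note the escaped % signs cron requires):
#   0 * * * * /usr/local/sbin/sharesnap /srv/mirror /srv/archive "$(date +\%Y-\%m-\%dT\%H)"
set -eu

# newest_snapshot ARCHIVE -> prints the name of the most recent snapshot, if any
newest_snapshot() {
    [ -d "$1" ] || return 0
    ls -1 "$1" | sort | tail -n 1
}

# snapshot SRC ARCHIVE STAMP
# Builds ARCHIVE/STAMP as a complete tree of SRC. A file identical to its copy
# in the newest prior snapshot is hard-linked to it (no extra space); a new or
# changed file is copied. Files are then made read-only so a worm that reaches
# the archive host through a share cannot silently rewrite old versions.
# Limitation: file names containing newlines are not handled.
snapshot() {
    src=$1 archive=$2 stamp=$3
    dest="$archive/$stamp"
    prev=$(newest_snapshot "$archive")
    mkdir -p "$dest"
    ( cd "$src" && find . -type f ) | while IFS= read -r rel; do
        rel=${rel#./}
        mkdir -p "$dest/$(dirname "$rel")"
        if [ -n "$prev" ] && [ -f "$archive/$prev/$rel" ] &&
           cmp -s "$archive/$prev/$rel" "$src/$rel"; then
            ln "$archive/$prev/$rel" "$dest/$rel"   # unchanged: share the inode
        else
            cp -p "$src/$rel" "$dest/$rel"         # new or changed: real copy
        fi
    done
    find "$dest" -type f -exec chmod a-w {} +
}

# versions ARCHIVE REL -> prints one snapshot stamp per distinct version of REL,
# oldest first, so you can see when a file changed (or when malware touched it).
versions() {
    archive=$1 rel=$2 last=""
    for dir in "$archive"/*/; do
        f="$dir$rel"
        [ -f "$f" ] || continue
        if [ -z "$last" ] || ! cmp -s "$last" "$f"; then
            basename "$dir"
            last=$f
        fi
    done
}

# restore ARCHIVE STAMP REL DEST -> copies REL as it was at STAMP to DEST
restore() {
    cp "$1/$2/$3" "$4"
}
```

Because every snapshot is a full tree, restoring is just a copy, and a snapshot can be deleted with rm -rf without affecting any other: the shared data stays on disk as long as any snapshot still links to it. Keep the archive host's shares read-only to the Windows side, as the story does by isolating it; the hard-link scheme protects against accidental deletion and overwrites on the shares, not against someone with write access to the archive itself.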

After the 9/11 attacks, management attitude towards IT investment changed. They approached me to enquire as to what funding I would need to ensure robustness of the systems and continuity of operations. I laid down a plan based on some earlier analysis conducted with different departments and my "wish lists" of sensible improvements to my MacGyver-esque infrastructure (lots of duct tape and rubber bands). Although management didn't approve the full package of recommendations, I got funding to purchase three IBM 1U rackmount servers with support contracts, hosting at a physically secure site ~100 miles away and new tape drives with fresh media. With this funding splurge I also made sure that we purchased an official OpenBSD CD-ROM set for every company system running it. Two of the IBM rackmount servers became new OpenBSD firewalls/VPN termination points - one for our main office, the other for our backup hosting site. The third system was put in the secondary site, then configured with OpenBSD, MySQL, Postfix, Courier-IMAP and SquirrelMail to be a fallback e-mail and file server synced from the main office "time machine" over the VPN between the two OpenBSD firewalls. In the event that our main office was inaccessible, staff would still be able to access <=1 hour old customer data and send/receive e-mail from home or an internet cafe whilst I was restoring from nightly tapes at a new office. The main office tape drives were replaced and fresh media used for the first time in YEARS. The new configuration was tested one weekend every six months or so by knocking out the Cisco router and ISDN backup lines, then making sure the fallback site and servers worked properly. In all this time, OpenBSD never let us down. I integrated various advice, HOWTOs and pointers from the misc@ mailing list into our own infrastructure documentation, which made an excellent knowledge base for the additional staff we eventually took on.

I left the company many years ago, but have since deployed OpenBSD in a number of other environments, usually as a NIDS or firewall. Today, I still use OpenBSD/sparc64 on a Netra X1 as my home firewall, DHCP and DNS server. In addition, I track STABLE OpenBSD/amd64 on my IBM ThinkPad X61s - this is the machine that goes with me nearly everywhere.

Thank you to all the OpenBSD developers - past, present and future!



  1. By Adam P (adamrt) fakeempire@gmail.com on

    I've been coming here since it was deadly and never had an account. I don't have accounts at any of the sites I frequent actually, but I finally got an account to say I really appreciate the content you've been posting lately, and I dig this "openbsd stories" section too. Keep up the good work and keep em coming.

    Thanks

  2. By jirib (jirib) jirib@mailinator.com on

    Very nice.

    I had a similar experience - entering an outdated Windows-based company...

    Any recommendation for good reading about sysadmin/network architecture? Something which would help to set up a good architecture for a company, how to design redundancy, backups etc... There are tons of books/docs describing how to set up one piece, but what I miss is some complex look at the problem (complex doesn't mean talking about several applications which could help you; it means talking about design/architecture without speaking about a specific product).

    jirib

    1. By Will Backman (bitgeist) on http://bsdtalk.blogspot.com

      Try "The Practice of Network and System Administration".
      http://everythingsysadmin.com/

  3. By Thomas Ward (TWard) thomasmward@fastmail.fm on

    For your Netra X1, have you modded it to silence the fans any? Those things are Harrier jets.

    1. By Nick Humphrey (Nick_H) on

      > For your Netra X1, have you modded it to silence the fans any? Those things are Harrier jets.

      Yes, I swapped out all the factory-fitted fans for Scythe Mini Kaze Ultra 40mm x 20mm (purchased from: http://www.quietpc.com/gb-en-gbp/products/scythefans/mini-kaze-ultra)

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed.