About My Site

I am proud of the fact that I am a geek, and I like to show off what I can do. I have old Sun 3 equipment, including a 3/50, a 3/110, and a 3/150, complete with 19" monitors and a 1600' tape drive. I also have an HP9000/F10 which runs HP-UX 10.20 (and would be running NetBSD if HP would ever release the documentation on the hardware). However, since PCs are now relatively inexpensive and much more powerful, these machines predominantly sit powered down. They are just a few of the systems which I run, including those which connect me to the rest of the network.

The Network Connection

I currently have an ADSL connection from Covad, which provides me a 3008/768 kbps (down/up) link and my 68.164.221.208/29 public network (i.e. 5 routable IP addresses which I can use). It is terminated at a ZyXEL P643 router.

The Systems

This site is just one of several which I host on a single machine. It runs on an old dual-processor P90 system, but uses only one processor for now, until I can get a good, solid build of the development branch with all of my necessary packages. Here are the details about the system:

Component            Description
Motherboard          AIR 54CDP
CPU                  Dual 90MHz Pentium (only one active)
Memory               128MB (4 x 32MB SIMMs)
Video                Cirrus Logic CL-GD5430
HBA                  Onboard Adaptec AIC-7870 (Wide/Ultra)
Disks (SCSI)         9GB Western Digital (System)
                     18GB IBM (Data)
NIC                  Intel Pro100+ (100Mbps, DHCP client)
Operating System     NetBSD 2.0
Public Services      DNS (BIND 9), SMTP (Sendmail), SNMP (Net-SNMP), WWW (Apache)
Restricted Services  NTP, Syslog (proxy for router), MySQL
(internal only)

The above host is acting as a bastion host and network proxy, and so resides in a DMZ network segment, protected by a firewall. Here are the details on the firewall itself:

Component            Description
Motherboard          Asus P55TP4N
CPU                  100MHz Pentium
Memory               128MB (4 x 32MB SIMMs)
Video                Cirrus Logic CL-GD5430
HBA                  Adaptec AHA-2940UW
Disks (SCSI)         Seagate ST32550N (System)
NIC                  Intel Pro100+ (public @ 10Mbps)
                     Intel Dual Pro100+ (DMZ @ 100Mbps, Private @ 10Mbps)
Operating System     NetBSD 1.6.2
Public Services      None (relays all external connection attempts to the bastion host)
Restricted Services  NTP (client), DHCP Relay, SNMP (Net-SNMP)
(internal only)

Finally, if you have been looking at my web pages, you may have noticed that I enjoy playing Unreal Tournament, and am the clan general for a gaming clan. As a result, I have put up a second bastion host. This server runs a private gaming server, and also runs a Zope/Plone server serving several other web sites in my domain, which are reached through proxy redirects via the main web server. Here are the details on that server:

Component            Description
Motherboard          Gigabyte GA-7DXE
CPU                  Athlon 1700+ (1340MHz)
Memory               256MB (256MB PC2100)
Video                Cirrus Logic CL-GD5430 (and I still have a few left!)
HBA                  Onboard VIA IDE (KX133 - ATA/100)
Disks (ATA-100)      Maxtor 90845D4 (8GB) (System)
                     WDC WD800JB (90GB) (Application/Data)
NIC                  Intel Pro100+ (100Mbps, DHCP client)
Operating System     NetBSD 2.0
Public Services      TeamSpeak (password protected), UT2003 (password protected),
                     Zope application server with Plone Content Management System for several web sites
Restricted Services  SNMP (Net-SNMP)
(internal only)

The Practices

As you may have gathered, I am very security conscious. For this reason, the first step I have taken is to have extremely restrictive rules on my firewall. The best way to summarize these rules is: deny absolutely everything, and then very selectively allow only what is needed. Where possible, these rules even specify the IP addresses of the hosts which are permitted. This means that the firewall itself will not accept connections from any machine arriving through the public or DMZ interfaces. Instead, using NAPT, each connection is either passed along to a different machine or silently dropped. Since I can do this on a port-by-port basis, I can map the same port on multiple IP addresses to a particular host, or map multiple ports on the same IP address to different hosts.
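The policy just described (default deny, explicit per-host allows, and port-by-port redirection to the DMZ hosts) looks like the following when written for IPFilter, the packet filter bundled with NetBSD 1.6. This is an added example and not the author's actual rule set; the page does not name the filter or its rules. Interface names (fxp0 public, fxp1 DMZ, fxp2 private), the DMZ and private address ranges, which public addresses carry which services, and the game server port are all assumptions for the sake of the example.

```conf
# Added example of the firewall policy described above; not the author's
# configuration.  Assumptions: fxp0 = public, fxp1 = DMZ, fxp2 = private;
# firewall public address 68.164.221.209, service addresses .210 and .211;
# bastion 10.0.1.10, gaming host 10.0.1.11; private net 192.168.1.0/24 with
# the firewall at 192.168.1.1, a DHCP server at 192.168.1.10 and a
# monitoring workstation at 192.168.1.20; game server on 8767/udp.

##### /etc/ipnat.conf #####
# Private LAN leaves through the firewall's own public address (NAPT).
map fxp0 192.168.1.0/24 -> 68.164.221.209/32 portmap tcp/udp 10000:30000
map fxp0 192.168.1.0/24 -> 68.164.221.209/32
# Same port on two public addresses -> one host (virtual hosts on the bastion).
rdr fxp0 68.164.221.210/32 port 80 -> 10.0.1.10 port 80 tcp
rdr fxp0 68.164.221.211/32 port 80 -> 10.0.1.10 port 80 tcp
# Several ports on one public address -> different hosts.
rdr fxp0 68.164.221.210/32 port 25 -> 10.0.1.10 port 25 tcp
rdr fxp0 68.164.221.210/32 port 53 -> 10.0.1.10 port 53 tcp/udp
rdr fxp0 68.164.221.210/32 port 8767 -> 10.0.1.11 port 8767 udp
# Anything not redirected reaches the filter with its public destination
# and falls into the default block below.

##### /etc/ipf.conf #####
# Default deny, both directions, every interface.  Without "quick" the last
# matching rule wins, so the "quick" pass rules below take effect on first
# match and everything else is blocked and logged.
block in log all
block out log all
pass in quick on lo0 all
pass out quick on lo0 all

# Anti-spoofing on the public side.
block in quick on fxp0 from 10.0.0.0/8 to any
block in quick on fxp0 from 192.168.0.0/16 to any
block in quick on fxp0 from 127.0.0.0/8 to any

# Redirected services, matched on their translated DMZ destination (rdr is
# applied before the inbound filter rules).  The same flows are passed
# explicitly out the DMZ interface too; whether a state entry created on
# fxp0 also matches the forwarded packet on fxp1 varies between releases.
pass in  quick on fxp0 proto tcp from any to 10.0.1.10 port = 25 flags S keep state
pass out quick on fxp1 proto tcp from any to 10.0.1.10 port = 25 flags S keep state
pass in  quick on fxp0 proto tcp from any to 10.0.1.10 port = 80 flags S keep state
pass out quick on fxp1 proto tcp from any to 10.0.1.10 port = 80 flags S keep state
pass in  quick on fxp0 proto tcp from any to 10.0.1.10 port = 53 flags S keep state
pass out quick on fxp1 proto tcp from any to 10.0.1.10 port = 53 flags S keep state
pass in  quick on fxp0 proto udp from any to 10.0.1.10 port = 53 keep state
pass out quick on fxp1 proto udp from any to 10.0.1.10 port = 53 keep state
pass in  quick on fxp0 proto udp from any to 10.0.1.11 port = 8767 keep state
pass out quick on fxp1 proto udp from any to 10.0.1.11 port = 8767 keep state

# What the bastion itself may originate: DNS lookups and outbound mail.
pass in  quick on fxp1 proto udp from 10.0.1.10 to any port = 53 keep state
pass out quick on fxp0 proto udp from 10.0.1.10 to any port = 53 keep state
pass in  quick on fxp1 proto tcp from 10.0.1.10 to any port = 25 flags S keep state
pass out quick on fxp0 proto tcp from 10.0.1.10 to any port = 25 flags S keep state

# The firewall's own restricted services, never on fxp0 or fxp1:
# SNMP from the monitoring workstation only, DHCP relay for the DMZ
# hosts (they are DHCP clients), and NTP out.
pass in  quick on fxp2 proto udp from 192.168.1.20 to 192.168.1.1 port = 161 keep state
pass in  quick on fxp1 proto udp from any port = 68 to any port = 67 keep state
pass out quick on fxp2 proto udp from 192.168.1.1 to 192.168.1.10 port = 67 keep state
pass out quick on fxp0 proto udp from 68.164.221.209 to any port = 123 keep state

# Private LAN out to the world.  The map rules run after the outbound
# filter, so these rules still see the untranslated 192.168.1.x source.
pass in  quick on fxp2 proto tcp from 192.168.1.0/24 to any flags S keep state
pass out quick on fxp0 proto tcp from 192.168.1.0/24 to any flags S keep state
pass in  quick on fxp2 proto udp from 192.168.1.0/24 to any keep state
pass out quick on fxp0 proto udp from 192.168.1.0/24 to any keep state
```

Two things worth checking after loading such a set with `ipf -Fa -f /etc/ipf.conf` and `ipnat -CF -f /etc/ipnat.conf`: that `ipfstat -io` shows the block rules as the only catch-all, and that a connection to the firewall's own public address on a redirected port (here 68.164.221.209:80) is blocked rather than answered, since nothing on the firewall is meant to be reachable from outside.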

While firewalls are a good first line of defense, they cannot be relied upon entirely. So in addition to the firewall, the OS and application software for these hosts are first built on one of my other machines and then distributed to the hosts using nbuild. I take advantage of this to routinely redistribute the files to these machines. This is the same technique I used to maintain almost 1500 hosts running BSD/OS when I worked at CompuServe. Not only does it make for more secure systems, it makes for rapid recovery in the event of a problem. It can also make for upgrades with little or no downtime. Indeed, even when upgrading from NetBSD 1.5.x to NetBSD 1.6, and most recently from 1.6 to 2.0, I accomplished the upgrade with only the downtime of two reboots: the first to put the new kernel into place after it had been copied over, and the second to make sure the new software was being used after it had been pushed.

To produce the distribution trees, I use a number of shell scripts which build the release trees in a sandbox that is mostly independent of the OS release on the build machine. The only restriction is that I cannot build the packages for a release tree across a major release boundary (such as packages for NetBSD-current on a 1.6.x host). You can see these scripts in my CVS repository.

Along with this, all configuration and content data are maintained in the same manner as the OS and application software: master copies reside on other machines, often in a CVS repository, and are periodically distributed to the servers.

Finally, I do extensive monitoring. All system logs are relayed back to a central server, where they are inspected for critical events. I also have SNMP monitoring in place to track the state and performance of all of my machines, displayed in windows on one of my two workstations. It is able to pop up windows to alert me should a problem occur. This allows me to tell within 30 seconds when a machine reboots or when I lose my DSL connection. Here is a snapshot of what I typically see. I also use MRTG to monitor my network, looking for problems or for trends which may indicate a problem.
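As an added illustration of the log inspection described above (not the author's own monitoring scripts, which the page does not show), the script below picks the two events the paragraph names, a host rebooting and the DSL link dropping, out of a relayed central syslog file. The log excerpt is constructed for the example: the bastion lines follow NetBSD's real syslog output for a kernel banner, a syslogd restart and Sendmail start-up, while the router lines are a placeholder, since the page does not show what the ZyXEL actually emits. The host names and the file path are assumptions.

```sh
#!/bin/sh
# Added example, not the author's tooling: find reboots and DSL drops in a
# central syslog.  The log below is CONSTRUCTED for this example.
LOG=${LOG:-/tmp/central-example.log}
cat > "$LOG" <<'EOF'
Feb  3 02:10:01 bastion /netbsd: NetBSD 2.0 (BASTION) #3: Wed Feb  2 21:14:52 EST 2005
Feb  3 02:10:01 bastion syslogd: restart
Feb  3 02:10:05 bastion sm-mta[212]: starting daemon (8.13.1): SMTP+queueing@00:30:00
Feb  3 02:15:00 firewall syslogd: restart
Feb  3 02:45:00 zyxel ppp: PPPoE link down
Feb  3 02:45:44 zyxel ppp: PPPoE link up
Feb  3 03:00:00 gaming syslogd: restart
EOF

# A host has rebooted when its kernel banner appears: the "/netbsd:" tag
# followed by the OS name.  Fields: $1-$3 timestamp, $4 host, $5 tag.
# Output: "host mon day time", one line per reboot.
reboots() {
    awk '$5 == "/netbsd:" && $6 == "NetBSD" { print $4, $1, $2, $3 }' "$1"
}

# "syslogd: restart" on its own is NOT a reboot: syslogd logs it on every
# SIGHUP, which newsyslog sends at each log rotation.  Report the hosts whose
# restart was not preceded by their own kernel banner within the last
# "win" lines; those are worth a second look (a daemon bounce, or someone
# resetting syslogd), while the ones right after a banner are just the boot.
bare_syslogd_restarts() {
    awk -v win=5 '
        $5 == "/netbsd:" && $6 == "NetBSD" { banner[$4] = NR }
        $5 == "syslogd:" && $6 == "restart" {
            if (!($4 in banner) || NR - banner[$4] > win) print $4
        }' "$1"
}

# Number of DSL drops reported by the router (placeholder message format).
dsl_drops() {
    awk '$4 == "zyxel" && / link down$/ { n++ } END { print n + 0 }' "$1"
}

reboots "$LOG"
bare_syslogd_restarts "$LOG"
echo "DSL drops: $(dsl_drops "$LOG")"
```

Two details matter for the relay itself: syslogd(8) on NetBSD started with `-s` (secure mode) does not listen on the network, so the central host's `syslogd_flags` in rc.conf must omit it, and the firewall should pass 514/udp to the central host only from the hosts expected to relay (the bastion, which in turn receives from the router), since syslog over UDP carries no authentication at all.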

Virtual Hosts

I mentioned earlier that this web site containing my personal web pages is just one of several hosted on the same server. Indeed, you may have already seen the site which has the Apache test page as its main page. I do that since quite a few spammers and script kiddies know to look for web pages on host names like ``www.ka8zrt.com'', but with only blind links from there to the other pages, it does not prove of much use to them. Indeed, you must know URLs such as http://www.ka8zrt.com/~cinnion to get to the real contents. At one point, I had a page with text which started out ``You obviously have too much time on your hands...'', but I never put that page back after upgrading to NetBSD 1.6. I am still debating what to do with that main page, but suspect I may put up a separate page which reflects the fact that I am also a consultant.

That is not the only web site on the same server. I have the virtual host for my personal web pages, and a couple of virtual hosts which now redirect to the second bastion host running the Zope application server with the Plone Content Management System for several web sites. This has replaced several other sites which were running either PHP-Nuke or PostNuke for my clan and both sides of my family. Add to this the web site for the old BEL clan and several other test sites where I do development testing, and I now have about 16 separate virtual hosts on this web server or relayed through it. I plan sometime in the next few months to upgrade the main web server and retire the old dual-P90, perhaps only using it when working on multi-processor development.
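The proxy-redirect arrangement above (the main Apache server fronting selected virtual hosts and relaying them to the Zope/Plone host in the DMZ) is conventionally done with mod_rewrite's proxy flag and Zope's VirtualHostMonster URL scheme. The following is an added example rather than the author's configuration: the public host name, the DMZ address 10.0.1.11, the Zope port 8080 and the Plone site id `clan` are assumptions, and the syntax is that of Apache 1.3 and 2.0.

```apache
# Added example of a proxied virtual host on the main web server; not the
# author's configuration.  Assumed: Zope on the second bastion at
# 10.0.1.11:8080, Plone site object named "clan", public name
# clan.example.org.
<VirtualHost *:80>
    ServerName clan.example.org

    # Never act as a forward proxy; only the rewrite below is proxied.
    ProxyRequests Off

    RewriteEngine On
    # VirtualHostBase/<scheme>/<host>:<port>/<site>/VirtualHostRoot tells
    # Zope which public host name and port to use when it writes absolute
    # URLs into the pages, so links never expose the internal address.
    RewriteRule ^/(.*)$ \
        http://10.0.1.11:8080/VirtualHostBase/http/%{HTTP_HOST}:80/clan/VirtualHostRoot/$1 [L,P]

    # Rewrite Location headers in Zope's own redirects back to the public name.
    ProxyPassReverse / http://10.0.1.11:8080/
</VirtualHost>
```

With this in place only the front end needs to reach port 8080 on the second bastion, so the firewall never has to expose Zope itself, and `%{HTTP_HOST}` in the rewrite means one such block per public name is enough regardless of how many Plone sites live on the back end.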

Last modified on $Date: 2005/02/03 02:37:02 $ by $Author: cinnion $