[personal profile] captpackrat
A new server from Dell would cost about $6000, with more than half of that being the cost of 30 user licenses for Windows 2003 server. (30 licenses probably won't last long, we've got 28 computers currently)

I can build an Athlon 64 server for a mere $1000, if I use Ubuntu Linux as the OS. Holy crap! We budgeted $9000 for a new server (another $3000 for a tape drive). I wonder if I could get 9 little servers instead....

I don't know enough about Linux security to feel comfortable exposing one to the Intarweb just yet, so for the web/mail server, I'll probably just revamp the existing Windows 2000 machine.

Date: 2005-06-07 06:02 pm (UTC)
From: [identity profile] alohawolf.livejournal.com
Linux out of the box should be secure enough, just install shorewall and configure it with webmin and you should be good.

Date: 2005-06-07 07:55 pm (UTC)
From: [identity profile] rabitguy.livejournal.com

Server hardware tends to be filled with lots of cool hardware watchdog and BIOS management stuff that you can't get with a consumer machine. An Intel rack server I recently bought on eBay will call your pager if the system crashes. How cool is that? :)

Date: 2005-06-07 07:55 pm (UTC)
From: [identity profile] nipper.livejournal.com
You're pretty brave if you're exposing a W2k box to the internet!

Date: 2005-06-08 12:15 pm (UTC)
From: [identity profile] altivo.livejournal.com
You're on the right track here. Microsoft network licensing is outrageously expensive and delivers nothing that Linux can't do today. Microsoft security is bad too, but Linux must also be managed if it is to be secure.

There are several excellent (and weighty) books available on the subject. Generally, a dedicated hardware firewall is a good idea whether your servers are Windows or Linux or a mix. I know nothing about Ubuntu, being a Slackware user myself. But I can tell you that the "currently popular" flavors of Linux are always the ones most heavily attacked by the script kiddies. At a guess, that would be Debian, Fedora/Redhat, and Ubuntu at the moment.

The most important key to Linux or UNIX security on the internet is "Thou shalt not run any port services that are not essential." So don't have named unless the box really is your public nameserver. Don't have a mail daemon unless it really is a maildrop. Don't have Samba or NFS available at all from the public internet. Get rid of inetd entirely if you can. And portmapper or rpc type daemons. If you need a telnet type login from outside for management purposes, use sshd. Do not allow telnet or rsh or ftp.

Any of these services are OK on the private network, but they will invariably lead to break-ins on the public connection.
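
The following is an added example, not part of the comment above or of the original thread: one way to check a Linux box against the "no non-essential port services" rule by parsing `ss -tuln` output and flagging the named services when they listen on anything other than a loopback or private address. The port mapping, function names and sample output are assumptions constructed for illustration.

```python
import ipaddress

# Well-known ports for the services the comment names (mapping added here).
RISKY = {21: "ftp", 23: "telnet", 25: "mail daemon", 53: "named",
         111: "portmapper/rpc", 139: "samba", 445: "samba",
         514: "rsh", 2049: "nfs"}

# Constructed sample of `ss -tuln` output, not taken from a real host.
SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:23         0.0.0.0:*
tcp   LISTEN 0      100    127.0.0.1:25       0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:111        0.0.0.0:*
tcp   LISTEN 0      50     192.168.1.10:445   0.0.0.0:*
tcp   LISTEN 0      128    [::]:80            [::]:*
tcp   LISTEN 0      128    [::1]:53           [::]:*
"""

def is_exposed(addr):
    """True unless the listener is bound only to a loopback or private address."""
    host = addr.strip("[]").split("%")[0]   # drop IPv6 brackets and %scope
    if host == "*":
        return True
    ip = ipaddress.ip_address(host)
    if ip.is_unspecified:                   # 0.0.0.0 or :: means every interface
        return True
    return not (ip.is_loopback or ip.is_private)

def audit(ss_output):
    """Return (proto, addr, port, service) for each risky, exposed listener."""
    findings = []
    for line in ss_output.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] not in ("tcp", "udp"):
            continue                        # header or unrelated line
        addr, _, port = f[4].rpartition(":")
        if not port.isdigit() or int(port) not in RISKY:
            continue
        if int(port) == 514 and f[0] == "udp":
            continue                        # udp/514 is syslog, not rsh
        if is_exposed(addr):
            findings.append((f[0], addr, int(port), RISKY[int(port)]))
    return findings

if __name__ == "__main__":
    for proto, addr, port, name in audit(SAMPLE):
        print(f"{proto} {addr}:{port} exposes {name}")
```

A wildcard bind is reported even when the host has only private interfaces, so treat each finding as a prompt to either stop the service or bind it to the internal address.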
