I want to create a home network that can host a domain, email and a website. I want to use FOSS for everything...

I want to create a home network that can host a domain, email and a website. I want to use FOSS for everything. I've never done this before. Please critique my build.

Router/firewall - openbsd
Domain controller - openbsd
Email server - openbsd
Web server - openbsd.

cuck license

>Domain controller - openbsd
I'm quite sure you really meant "DNS server".

Openbsd has a reputation for being one of the most secure operating systems in the world. If there's something else better, I'll consider it.

>le cuck license maymay xD
Daily reminder:
Only GNU zealots can effectively steal BSD code.

maybe his computer magically gets credentials from his domain?

Can I have the same server be a DNS server and domain controller?

Sure. All of these things you listed could be the same system.

Would qubes be a good choice for that?

Or would you just install all of it on one openbsd box?

yeah, you can run it all on one openbsd box easy. honestly though I would at least put the dns and email on a vps. vultr has $2.50/mo servers - grab two and use them as backups for each other.

router: dhcpd, unbound, pf
dns: nsd
email: opensmtpd
web: httpd, or pkg_add nginx

router tutorial: openbsd.org/faq/pf/example1.html
email: github.com/vedetta-com/caesonia
web: easy, just read the manpages
dns: you'll need to set glue records and nameservers in your domain registrar, after that just use a simple nsd.conf and zone file
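An added example for the router role listed above (constructed for this thread, not OpenBSD's own example1 file): a minimal /etc/pf.conf that does default-deny, NAT for the LAN, and a port forward to the web server. It assumes em0 is the WAN interface, em1 the LAN interface, 192.168.1.0/24 the LAN, and 192.168.1.10 the web server; swap in your own names and addresses.

```conf
# /etc/pf.conf -- constructed example for an OpenBSD home router/firewall
ext_if  = "em0"                 # assumed WAN interface (check with ifconfig)
int_if  = "em1"                 # assumed LAN interface
lan_net = "192.168.1.0/24"      # assumed LAN range
web_srv = "192.168.1.10"        # assumed web server behind the router

# Never filter loopback traffic
set skip on lo

# Default deny, log what gets dropped (pfctl -s states / tcpdump -n -e -ttt -i pflog0)
block return log

# Drop spoofed packets claiming to come from our own networks
antispoof quick for { lo $int_if }

# Drop private-range sources arriving from the Internet side
block in quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# NAT everything leaving the WAN side from the LAN
match out on $ext_if inet from $lan_net to any nat-to ($ext_if)

# LAN hosts may reach the router's DHCP and DNS (dhcpd, unbound) and SSH
pass in on $int_if inet proto udp from $lan_net to $int_if port { bootps, domain }
pass in on $int_if inet proto tcp from $lan_net to $int_if port { domain, ssh }

# LAN hosts may go out; router itself may go out
pass in  on $int_if inet from $lan_net to any
pass out on $ext_if inet

# Published services: forward web traffic from the WAN to the web server
pass in on $ext_if inet proto tcp to ($ext_if) port { http, https } rdr-to $web_srv
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; pf is last-match-wins except for `quick` rules, so the spoofing and bogon blocks are marked `quick` to make them final. Note that SSH is only reachable from the LAN side here, which is the sensible default for a home box with a public address.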

My goal is to be as secure as possible. Would the hosted servers compromise security?

well, who are you protecting against?

dns is fundamentally centralized, so ICANN (read: the us govt) can always take over your domain name and redirect the servers anyway. you're fucked anyway at that point, so hosting it elsewhere doesn't make things worse. main reason not to host it at home is 1) most domain registrars require at least two nameservers 2) unless your ISP gives you a static IP you'll have to update your glue records all the time

email is fundamentally insecure also since it's totally unencrypted. if you really want security use signal on a machine behind tor or something. main reason not to host email at home is a lot of ISPs block it as spam.

It's just that if I'm going be running a network, I want it to be as secure as possible, as a matter of practicality and pride. I once worked for a company that was hit by a lot of email spoofing attacks and that's what got me interested in security.

if you use a VPS they (and by extension the government) have hardware access. you can mitigate that a bit by encrypting the disk, but they can always snapshot the ram on a running system so it doesn't buy you much.

if you're not worried about that scale of attack, sure, it's fine and the increased availability and/or ddos protection will be worth it. a vps won't be susceptible to outside attackers any more than your machine at home.

I'm doing everything described in the OP with linux, the only "security" part is a pfsense hardware firewall between me and the modem that runs dhcp, dns, vpn, and obviously the firewall pf tables
two linux boxes behind, one is tiny and runs email, nextcloud, ldap, mysql (in a virtual machine) and torrents, flexget (in a virtual machine)
the other is just freenas for storage and doesn't have to be on all the time, wake on lan from pfsense or linux box.

feels good.

>if you really want security use signal on a machine behind tor or something.

Interesting. So just do away with email entirely? Can't email be encrypted? Do you think corporations will move away from email and go with something like signal?

>>DDOS protection?

What do I need to protect a home network from a DDOS attack? A really powerful server that costs $50k?

you can encrypt your email with pgp before you send it.

most email servers are adding TLS but that doesn't mean the server/host won't read your email before it reaches your recipient.

nice. I assume you're not using bind for dns at least.

my openbsd setup is almost how I want it, I just want to add ipsec and ip/domain ad server blocking, and a package build cluster for funsies

you probably can't protect against ddos
it probably won't happen either so idk

you can "encrypt" email, but:
1) pgp only encrypts the body, not any of the headers including subject line, date, recipient
2) you will never convince your family to use pgp

a really really really fat pipe

pfsense uses unbound I think
I've set up bind, dhcpcd, and host blocking manually. it's not worth it. just get specialized software for it. pfsense can run in a virtual environment and you just pass the ethernet device or route the packets to it. the web interface alone is priceless when you want to set up new port forwards or change logging

OpenBSD is the only free OS where the same team maintains the OS (kernel and userland) as well as http server and mail server, and the documentation that goes with it.

The result is a very well integrated system.

Router/firewall - PFSense
Domain controller - Debian (with Samba)
Email server - CentOS
Web server - CentOS

OpenBSD won't save you when you are cucked by the hardware. It just tells the NSA that you have something they want to hack.