The StrongBox Quickstart Guide
Or: "How to build a secure web server in 30 minutes"
StrongBox is an implementation of a set of system design principles
that I've outlined in my document entitled "The Partially Embedded
Computing Manifesto". The purpose of that document is to explain why
StrongBox has been designed the way it is.
This quickstart guide, on the other hand, is meant to provide an
introduction to StrongBox, and to get you started using it quickly. The
secondary purpose of this document is to help you to create a secure
web server with about 20 minutes of concentrated effort.
Section 1: Initial Setup
Step one: Hardware Requirements and Recommendations
StrongBox has fairly light requirements for running. The most stringent
requirement is adequate RAM. For most situations, you won't be able to
run it effectively with less than 128MB of RAM. It's possible to run it
with less than that: 64MB is probably the practical minimum, and 32MB
might be possible with a lot of prior tweaking. However, these
configurations require a preconfigured swap partition, and will
definitely be slower. For production systems with multiple virtual
servers, I'd recommend 256MB to 1GB of RAM.
The only other requirement is some place to save configurations and
patches for StrongBox. This requires at least 1MB of disk space, and it
requires a unix-style filesystem that supports links (this could
include ext2, ext3, xfs, reiserfs, reiserfs4, etc).
This could be, for instance, a USB key with an ext2 partition, or an
existing linux partition on a hard drive, etc. This partition does not
necessarily need to be reformatted, and will have only 2 directories
placed on it: /configs and /patches.
There are a few recommendations beyond that. If you have a monitor and
video card that supports 800x600 at 16 bit, you'll get more screen real
estate, and a pretty boot screen. If you have more disk space, then you
can store more files. If you have a mouse and keyboard attached, then
you can use the pretty web-based configuration interface from the
console. But, it will work equally well with a simple serial console
(115200,N81, VT100): the choice is up to you.
There is very little else that's required for simply running StrongBox.
It can run entirely from RAM and CDROM with almost no effort, and
without touching or destroying your disks. I can make absolutely no
guarantees, but StrongBox has yet to destroy a running system by
itself. You may, however, want more resources for storing things like
web pages, temporary files, databases, etc, which would involve
formatting disks and potentially losing data.
Step Two: Bootup
Insert the cdrom. Type in "nopatch" at the isolinux prompt. Wait until
you're asked to log in.
The "nopatch" command runs a StrongBox boot script called "nopatch".
This boot script tells StrongBox to look for the OS on a cdrom and not
look for any further configuration information. There are also a few
other options in it, most of which simply constitute some sane defaults
for StrongBox.
If you're having video problems with 800x600, try running "nofb".
There are a lot of other options: F1 will show you boot commands, and
F2 will show you boot options for specific hardware setups.
Step Three: Passwords and Keys
StrongBox has booted up. It's probably detected most of your hardware
and loaded modules for sound, video, telephony, ethernet, etc. It will
also have attempted to get a DHCP address, automatically launched sshd,
and created host keys for you. Your username and password are now
"root" and "" (i.e. a blank password).
IMPORTANT: Once you log in, the root account is locked! You must now
set up authentication for the box, or else you will have to start again
from scratch if you log out. There are many forms of authentication
supported by StrongBox. If you have a USB flash drive, here's how you
set up 2 factor authentication (authentication that, in this case,
requires a USB flash drive and a password), and get a StrongBox signing
key, all in a few simple steps.
Whether or not you have a USB flash drive, you will need a StrongBox
key. NOTE: Commercial users should ignore this step and use the key
that they received from Helmer Computing Corporation!
This key is your ticket to being able to sign patches for StrongBox.
Keys for the public version of StrongBox are available for free using
the "freecert" command. These keys will not work with the commercially
supported version of StrongBox: you will have a key for that given to
you when you purchase a copy.
To obtain a key/certificate, launch the "freecert" command. The email
address you provide in this command must be unique (not shared by
anyone else), and you will be denied if it is not. You can rest assured
that the information that you enter will be kept secure. However, if
you're leery of entering in real information here, you can always
enter bogus information. The key will be granted to you regardless
(there is no email verification scheme, etc).
Once you've obtained a key, you can automatically have it added to a
usb flash drive. If you don't, you can always save it into your
StrongBox system (defaulting to whatever directory you
were in when you created the key). Be warned: this is not as secure.
Note: using free certificates for a production system is not
recommended. Because these keys are easily obtainable, they cannot be
trusted 100%. You should be adding your own organizational CA to
StrongBox, or using a commercial version of StrongBox with a secure CA.
See www.strongboxlinux.com for more details.
The command to change user authentication is admuser, and to change it
for root, use "admuser root". I recommend setting up 2 kinds of
authentication, such as usb and ssh key, or password and ssh key. The
choice, however, remains up to you. If you want to set up
authentication for USB, type "usb" at the prompt. If you want to set up
authentication for a certificate that is on the filesystem, choose
"cert" at the prompt. If you want to set up passwords or ssh
authentication (using x509 certificates, or public keys in openssh
format) then use those options.
Next, you should set up an administrative user account. This will be
the account that you use for day-to-day use. The reasons for using a
specific administrator account, instead of root, for administering your
box are the following:
1) Logging of who executed what command
2) Increased security of consoles and terminals that are left unattended
3) The ability for each administrator to personalize their own settings.
Administrator accounts in StrongBox have privileges essentially
equivalent to root in terms of ease of use. The only difference is that
there are more checks and balances, and it's harder to accidentally
make changes that could destroy your system.
To add a user, simply type "admuser". You will be prompted for user
information. Note that usernames are case sensitive! Set up
authentication for the user the same way as you did for root. There is
no difference in the setup, and usb logins should work the same.
Important note for USB users with unix formatted USB keys (this
doesn't apply to keys that are prepartitioned with "fat" or "vfat"
filesystems): If you have both "root" and a user on the system
authenticating with the same usb key, then you must change the
ownership of the files, or the authentication subsystem will refuse to
authenticate you. Execute the following:
chown -R <username>:admins /mnt/usb/keys
chmod -R 700 /mnt/usb/keys
chattr -R +i /mnt/usb/keys
Where "username" is the name of the administrative user account that
will log in. This limitation is there for your own safety.
This makes the key unwriteable by the user, and prevents any non-root
user from using sudo unless they know the user's password. This is a
change from earlier versions of StrongBox, which allowed the user to
write to the keys! Note: currently, fat/vfat is the recommended
filesystem for keys as it's simpler to manage.
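An added check, not part of the original guide or of StrongBox itself: the script below audits a key directory against the state the chown, chmod and chattr commands above are meant to leave behind (owner, group, no group/other permission bits, immutable attribute). The function names and report format are this example's own, and it assumes the GNU or busybox forms of stat and lsattr.

```shell
#!/bin/sh
# Added example, not part of StrongBox: audit a key directory against the
# state that the chown / chmod / chattr commands are meant to leave behind.
# Function names and the report format belong to this example only.

# audit_key_perms DIR OWNER [GROUP]
# Prints one finding per line; returns 0 if clean, 1 on findings,
# 2 if DIR is missing.
audit_key_perms() {
    dir=$1 want_owner=$2 want_group=${3:-admins}
    [ -d "$dir" ] || { echo "MISSING $dir"; return 2; }
    # stat -c is the GNU/busybox form. Names containing newlines are not handled.
    findings=$(find "$dir" -exec stat -c '%F|%U|%G|%a|%n' {} + |
        while IFS='|' read -r ftype owner group mode name; do
            # A symlink in a key directory can redirect a read to another file.
            if [ "$ftype" = "symbolic link" ]; then
                echo "SYMLINK $name"
                continue
            fi
            [ "$owner" = "$want_owner" ] || echo "OWNER $owner (want $want_owner) $name"
            [ "$group" = "$want_group" ] || echo "GROUP $group (want $want_group) $name"
            # chmod 700 leaves no group/other bits; any bit in 077 is a finding.
            [ $(( 0$mode & 077 )) -eq 0 ] || echo "MODE $mode $name"
        done)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# audit_key_immutable DIR
# Reports entries that lack the immutable attribute set by "chattr -R +i".
# Returns 2 where the attribute cannot be read (fat/vfat, tmpfs, no lsattr).
audit_key_immutable() {
    dir=$1
    lsattr -d "$dir" >/dev/null 2>&1 || { echo "UNSUPPORTED $dir"; return 2; }
    findings=$(find "$dir" ! -type l -exec lsattr -d {} + 2>/dev/null |
        while read -r flags name; do
            case $flags in
                *i*) ;;
                *) echo "NOT-IMMUTABLE $name" ;;
            esac
        done)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage: sh audit-keys.sh /mnt/usb/keys <username>
if [ "$#" -ge 2 ]; then
    audit_key_perms "$1" "$2" "${3:-admins}"
    audit_key_immutable "$1"
fi
```

Run it after the three commands and again after any change to the key; an empty report with exit status 0 from both functions means the directory matches what the guide sets up.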
When you're done, if you want to create a full administrative user
(i.e. one that is able to access all root commands) then execute the
following after entering in the user's information:
usermod -G wheel,admins <username>
This puts the user into the "wheel" group, which is able to switch to
root privileges easily. Next, if you're on the console, you can switch
consoles (alt-F2) and test the information you entered. If you're
successful, you're done. Now log in your main console with your
administrative user (not root!) and get ready to play.
If you're on StrongBox, and aren't running the Quickstart guide there,
you can do so by typing "quickstart". You can then switch to a second
console (Consoles 1 through 6 are available using alt-F1 through
alt-F6) where you can execute all the commands you need to use.
Section 2: Basic Setup
You may or may not realize it, but you're already running StrongBox.
Congratulations! StrongBox doesn't have an initial install procedure,
simply because the OS doesn't require one. However, if you want to do
something useful with this computer (other than log into it and look at
the pretty pictures) you'll have to set up resources for StrongBox to
use. In StrongBox, "computer resources" is a more useful term than "an
installation".
The StrongBox OS is entirely modular. Nearly all services are run in
what are called "bundles". A bundle is merely a set of software that is
launched from the base StrongBox OS (which always resides in RAM) and
generally resides in its own environment. The bundles can be based on a
disk, or a network filesystem, or out of RAM as well.
If you're reading this on StrongBox (which you can do on recent
versions by running the "quickstart" command), then you're already
running a bundle. It's called the "docs" bundle, and its sole purpose
is to provide documentation, and a few nifty utilities. These include
"man", "info", links (a console-based web-browser), and, if you're a
little handy, directvnc, ghostscript and cups (which aren't fully
supported yet).
Bundles can run off of the CD, or they can run off of the hard disk or
out of RAM. If you want to create a complete install of StrongBox on
one or more hard disks, then run the "Installation Walkthrough", which
will be covered in the manual in more detail. This guide will only
cover a very basic form of StrongBox: with just a CD-ROM, a USB key or
a small hard drive partition, and, if you have less than 256 MB of RAM,
a swap partition.
Step One: Creating a Swap Partition
StrongBox may have already detected and activated an existing swap
partition. You can check if this is the case by running:
swapon -s
If anything comes up in the list (such as /dev/hdb2\040deleted) then
you've got a swap partition already loaded, and can go to the next
step.
If you don't, and you have less than 256 MB of RAM, then you'll need to
either start one, or make one. To do this, type:
strongbox
This will bring up the StrongBox console, where you can configure a
number of things about your StrongBox installation. From here, choose
"Manage Installation", and then choose "Make Swap Partition".
This will bring up a list of partitions for you. If you want to use an
existing partition, then choose it. If you'd rather repartition your
hard drive, then choose "cfdisk". StrongBox supports partition
resizing: ntfsresize, resize2fs, resize_reiserfs, resize.reiserfs4,
xfs_growfs, lvreduce, evms, and parted are all available, and have
manual pages covering each of them. If you're making a StrongBox swap
partition, I'd recommend allocating 1 GB of swap.
If you need help resizing partitions, you can try using "qtparted",
which is included on the CD-ROM.
Once you've chosen a partition, allow StrongBox to activate it. Then,
quit the StrongBox console. You can verify that it's working by running
"swapon -s". You should then see the partition you just assigned in the
list.
*** Advanced users: if you're assigning a non-standard swap partition
(such as a loop device, encrypted swap, etc), then you should add an
entry for it into fstab to have it re-activated on reboot.
Step two: Assigning a patch device and a key
For this step, you simply have to choose where you want to store your
configuration information for StrongBox. If you don't have a filesystem
already available for this (such as an ext2 formatted usb key, or a
linux disk that's running another distribution), then you'll need to
create one. To create one, type in "strongbox install" at the command
prompt. From there, choose "Select Install Source", and then "Make
StrongBox Partition" (Note: if you don't have a lot of disk space, you
can type in "none" when it's asking you what versions of the StrongBox
OS to copy over). Or, you can simply run "cfdisk" at the command
prompt, and run mke2fs /dev/<device> on the partition you create.
Warning: any of these commands, used improperly, could damage your
system.
Once you have a partition, type "strongbox" at the prompt. Run "Change
StrongBox Patch Volume". This will bring up a list for you. The only
limitation is that it cannot be a filesystem that doesn't support
symlinks (such as fat12, fat32, or ntfs). Any unix filesystem should do
the trick. This can be an ext2 usb key as well: it will show up as
"sda1" or anything that says "sd<letter> <number>".
Then, you need to select a key for signing configurations. If you have
the certificate on a USB key, you should insert it now. Then choose
"Security Settings" and select the key. If you don't have it on the usb
key, then specify its filename or the directory it's in, type "home" to
look in your home directory, or type "ssh" to obtain the key over an
ssh connection. Once you've selected a valid key, it will ask you for
the key's password. If you enter it, it will be available for all
operations that the StrongBox Console performs until you quit.
Run "save current configuration". If you've completed the other steps
successfully, then this will save all your changes to the volume you've
selected. Then, choose "Add To Boot Configuration". This will first ask
you to add comments about the patch that you created. This is the start
of a changelog that will follow all your changes to the system. After
you hit exit, and save the comments, you will be asked to accept the
boot script that StrongBox has created for you. Choose "Accept Boot
Script".
*** Advanced Users: StrongBox supports a myriad of boot options, which
are listed in the StrongBox manual (type "manual" at the command
prompt). This can help you customize your ramdisk for a larger size, or
for other settings. The defaults are quite sane, flexible, and are the
best for low memory situations.
You now have a fully working StrongBox system. If you were to reboot,
and let the system boot unattended, you will always be back to where
you were the last time that you saved your configuration. This is an
important principle in StrongBox: all changes must be saved, or else
they will be erased on reboot. This means that all changes to your
system's configuration must be both saved and signed with a valid
StrongBox key or it's like they never really happened. This is one way
that StrongBox safeguards your data.
Note: As of StrongBox 1.0.b-10, changes are cached into /run/cache if you've
created a cache volume for StrongBox to use. In this case, /run/cache/boot will
have a current backup of the last changes that you made even if they weren't saved.
Step 3: Installing Bundles
Almost all applications that run on StrongBox (web servers, database
servers, etc.) run in bundles. "Bundle" is a generic term that is used
to describe a collection of programs, libraries, and files that are
used to run services in a secure environment on your box. They fulfill
the following needs in StrongBox:
1) Isolation: All bundles are isolated from each other, as well as the
main host, for greater security
2) Immutability: Static bundles generally use read-only filesystems.
Only files that must be written to during the course of operation can
be written to. That means that other files (such as libraries,
binaries, etc) cannot be changed during normal operation
3) Manageability and auditability: Because static bundles have an
immutable base, it's easy to see what's changed when it does change.
And, with the use of digital certificates, it's easy to trace who
changed them as well.
The base StrongBox CD comes with a bundle that's geared towards web
hosting. It includes postfix, postgres, mysql, apache, cyrus imap...
all the services that a web hosting company would need to function.
This section will show you how to set up that bundle. StrongBox bundles
can easily be run off of a cdrom. If you want to learn how to install
them to a hard drive, that's covered in the "Installation Walkthrough"
section.
First, make sure that the CD-ROM is inserted. Then run "strongbox
install" or choose "manage installation" in the strongbox console.
Then, run "scan bundles". This should automatically load the bundles
that you have available on cdrom. Note: StrongBox verifies the digital
signatures on all of them, so this will take a minute.

At this point, choose quit to go back to the main console. Then choose
"Install Bundles", and "Setup new bundle". The list should contain
"debmail" (with a version number after it), which is the one you want.
Choose this, and type in a name for the bundle installation. This
creates an instance of the bundle under that name.
Once it's done, it will ask you if you'd like to configure the bundle
now. Choose yes. This brings you to the bundle configuration screen.
At this screen, choose "Save/edit configuration". This brings up the
configuration for the bundle (very much like the boot configuration
window) and asks you to approve it. First, however, you should choose
"Edit Port Forwarding". Since this will be a web server that we want
other people to be able to access, type in "80" at the prompt. Then,
accept the configuration, and choose "start bundle".
*** Advanced users: You will note a) that the bundle has been
automatically assigned an unrouteable IP address, b) the box is
automatically using the box's main IP address, and c) there are a lot
of other configuration parameters that are available. They're all
described in the StrongBox Manual. The automatic configuration
parameters are all contained in /etc/strongbox.conf. The comments in
that file cover most of what these settings do, and how they're used in
StrongBox, as well as a number of other options that are available to
you.
Step Four: Using Bundles
At this point, you'll see the services starting up in the bundle. Two
of the services, cyrus and mysql, will complain that they have no
storage assigned to them, and so won't start. This is normal, as you
haven't assigned any storage to them. You can do that after running the
"Installation Walkthrough" by choosing "Edit mount information".
Once the bundle has started, you can enter it simply using "enter
bundle". This brings you to a command prompt that is distinctive, as it
shows you the name of the bundle and the hostname, so you know where
you are in the system. You'll now notice, if you do "ip addr ls", that
you can only see the virtual IP address and the virtual interface for
the bundle, not the real ip address of the box. Also, you'll notice
something else: try "touch /etc/test". It will complain that it's a
read-only filesystem. This is also normal, as this bundle comes shipped
with an option called "LOCK_CONFIG". This option can be changed, but
you don't need to right now. Type "exit" to get back to the bundle
configuration screen, and then type in "Enter Configuration Mode". This
will bring up the bundle again. You'll also find that if you run "touch
/etc/test" it will now work.
OK, exit out now, as you should try out the web server and make sure
that it's working. Exit out of the StrongBox console and type: "links
http://<bundlename>" or "links http://172.30.30.1". This should bring
up the apache start page.
You now have a functioning web server. You should probably save your
configuration. Instead of navigating the menus, you can now run:
strongbox quicksave. This will save everything that you've done so far.
After you've saved, you can reboot. StrongBox will automatically start
the webserver you've configured when it's rebooted.
Step Five (optional): Configuring Add-Ons
StrongBox OS addons
StrongBox now has optional software add-ons that allow administrators to
tailor the main StrongBox OS. These add-ons include:
Asterisk PBX
Samba Fileserver
Webmin System management tool
Full Perl and Python Environments
Documentation and Graphical Web Browser
Webmin for web administration of StrongBox
Domain Services: LDAP, Kerberos5
Heartbeat and ldirectord for clustering
Mysql database server
Full BGP/OSPF router with quagga/zebra
Network Monitoring Utilities: snort, snort_inline, ntop, nmap
These add-ons are intended to make your life easier, by allowing some functions
to run without the need for full-blown strongbox bundles. This is great for
building low-footprint systems like firewalls, IDS systems, and very basic file
and directory servers. However, you should be warned: it's more secure to put
these functions into StrongBox bundles, so you should do this whenever possible!
Add-Ons can be configured to be available at boot time by editing /etc/conf.d/vmounts.
You can also mount them on the fly: either run a service that requires them
(as per webmin below) or run vmount opt:<addon-name>.
The Webmin add-on is included by default with StrongBox.
To use Webmin in StrongBox, simply type "webmin". Log in as an
administrative user (using the username and password that you set up in
the last section), and you should have privileges for everything that
you need. Note that StrongBox uses webmin in an "on-demand" way: the
Webmin server is brought up when you're using it, and is shut down when
you're not using it. This allows you to have all the benefits of the
Webmin interface, without having to leave it running all the time.
If you want to use Webmin remotely, you should ssh to your StrongBox server, and
use port forwarding to forward from your local machine to the
Webmin interface. The first time you run webmin on StrongBox, it
chooses a random high port to run it on. If you want to set this
port, you can change it by typing: edit /etc/webmin/miniserv.conf, and
changing the "port" line (the default for webmin is normally 10000).
Then, once you're happy with it, ssh to the server you've built with
your local port 10000 forwarded to the remote webmin port. If you're
using openssh, the command would look something like:
ssh -l <username> -L 10000:localhost:<webmin port> my.server.name
This gets you access to webmin from your remote machine.
However, you may also want to use Webmin for the bundles as well as the
main StrongBox machine. The recommended way to do this is by using the
main StrongBox machine's webmin installation to control all the
bundles. To do this, type the following:
webmin takeover <bundlename>
This does the following:
a) creates a random, difficult to guess webmin root password for the
bundle
b) creates a webmin server configuration for that bundle in /etc/webmin
c) unlocks the configuration for the StrongBox bundle
d) launches webmin in that bundle, and in strongbox
e) launches a links session for webmin to that bundle through the main
StrongBox webmin interface, and allows the user to continue work until links exits.
f) stops webmin in the bundle
g) waits for the user to hit enter, and then re-locks the configuration
for the bundle, and stops webmin servers
Once you've done the "takeover" (and saved your strongbox
configuration), you can automatically connect to the bundle without
re-setting the password by simply using:
webmin <bundlename>
If you're using this over a remote connection, you should connect using
port forwarding the same way. Then, simply browse to: webmin ->
webmin servers index, and choose the appropriate server from the list.
You may want to pay particular attention to the "Virtualmin Virtual
Servers" module, which gives you most of the features that you'd want
for doing webhosting with multiple users.
Note: if you're running the system off of CDRom, and you have more than
128MB of RAM available, you probably want to run "webmin install"
first. This loads webmin into your ramdisk, so that the number of
different processes that have to access the cdrom at one time is
reduced. This will speed up your interface considerably, at the cost of
around 20MB of RAM.
Also: links is a very simple framebuffer web browser. Although it does
a very good job for the footprint that it has, it is not a
full-featured web browser. I don't recommend using it for very
extensive configuration using webmin, it's more meant as a handy tool
that allows you to do some work right on the console. In particular, it
doesn't always refresh the data promptly: you may need to choose
"reload" from the file menu (or CTRL-R) to get it to see changes that
you've made.
Final Steps: Locking and saving
One common failing in computer security is this: changes are able to be made
to the operating system at any point: like an accident waiting to happen.
StrongBox uses distinct administrative and non-administrative modes for
the OS to make changes only happen at certain times. This is currently done by
having all sensitive parts of the OS mounted read-only during normal operation.
Application bundles are locked by default, and are only unlocked when you
activate "configuration mode". On the other hand, the main StrongBox OS
comes unlocked by default, to facilitate the initial configuration of the OS.
To lock it, run: edit /etc/strongbox.conf, and change the ADMIN_LOCK variable
to "true". Then run "setadm off". Your StrongBox configuration is now read-only.
When you want to edit configuration files again, you can either run "setadm on"
or simply "edit <filename>". The edit command turns admin mode off and on as necessary
in order to simplify working with StrongBox in adminmode.
You'll notice that your command prompt changes to reflect changes in administrative
status. You can also access this information by running: adminmode or adminmode all.
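One way to confirm the lock took effect without attempting a write, added here as an example and not taken from StrongBox: it reads ADMIN_LOCK from the configuration file and looks up the mount options of the filesystem holding each path you name. It assumes /etc/strongbox.conf uses KEY=value lines and that a locked filesystem shows the ro option in /proc/mounts; the function names and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Added example, not StrongBox code. Assumptions: /etc/strongbox.conf holds
# KEY=value lines, and a locked filesystem shows "ro" in /proc/mounts.

# conf_value KEY FILE: print the last value assigned to KEY, quotes stripped.
conf_value() {
    sed -n "s/^[[:space:]]*$1=//p" "$2" 2>/dev/null | tail -n 1 | tr -d "\"' "
}

# mount_state PATH [MOUNTS]: print "ro" or "rw" for the filesystem holding
# PATH (absolute, symlinks not resolved). Returns 1 if nothing matches.
mount_state() {
    awk -v path="$1" '
        {
            mp = $2
            gsub(/\\040/, " ", mp)      # /proc/mounts writes a space as \040
            hit = (mp == "/" || path == mp || index(path, mp "/") == 1)
            # Longest mount point wins; on a tie the later (over)mount wins.
            if (hit && length(mp) >= best) {
                best = length(mp)
                state = (("," $4 ",") ~ /,ro,/) ? "ro" : "rw"
            }
        }
        END { if (!best) exit 1; print state }
    ' "${2:-/proc/mounts}"
}

# lock_audit CONF MOUNTS PATH...
# Prints one line per problem; returns 0 only if ADMIN_LOCK is "true" and
# every PATH sits on a read-only filesystem.
lock_audit() {
    conf=$1 mounts=$2
    shift 2
    rc=0
    [ "$(conf_value ADMIN_LOCK "$conf")" = "true" ] ||
        { echo "ADMIN_LOCK is not true in $conf"; rc=1; }
    for p in "$@"; do
        s=$(mount_state "$p" "$mounts") || s=unknown
        [ "$s" = "ro" ] || { echo "$p is $s, expected ro"; rc=1; }
    done
    return $rc
}

# Constructed mount table in /proc/mounts format, for trying the functions.
sample_mounts() {
    cat <<'EOF'
rootfs / rootfs rw 0 0
/dev/ram0 / ext2 rw 0 0
/dev/loop0 /etc ext2 ro,noatime 0 0
/dev/sda1 /mnt/usb vfat rw,nosuid,nodev 0 0
/dev/hdb2 /mnt/old\040disk ext3 ro 0 0
EOF
}

# With arguments, audit the live system, e.g.:  sh lockcheck.sh /etc
if [ "$#" -ge 1 ]; then
    lock_audit /etc/strongbox.conf /proc/mounts "$@"
else
    # No arguments: look up one path in the constructed table.
    sample_mounts | mount_state /etc/strongbox.conf -
fi
```

Which paths count as sensitive on a given install is for the administrator to decide; /etc is used here because it is the directory the guide itself edits.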
Also, if your StrongBox install had problems with network startup, your commandline
may say "*5 ALERTS*". If you run the command "alerts", you can read what these
alerts are, and remove them from sight.
You may also notice a message complaining about a lack of cache volume for saving
changes. This is part of the soon-to-be-appearing StrongBox undo feature, which will allow you to
quickly roll back single configuration files on the fly. To create a cache volume, you
can run (assuming you're using lvm):
lvcreate -n cache -L 250M data ; mkreiserfs /dev/data/cache
This will give you a useable backup of all your configuration partitions at /run/cache.
You can edit the location or volume of this by editing /etc/vmounts/cache.
Remember to always save your changes when you're done configuring your
StrongBox system! And, use the handy changelog system to enter in real
information about what you did and why you did it. It takes an extra 30
seconds now, but it'll save you hours when you're trying to track down
configuration bugs. So, at the end of configuring your box, type:
strongbox quicksave
This saves your configuration based on the parameters you entered
earlier, and does it as quickly and unobnoxiously as possible.
You now have a working StrongBox Linux system. Congratulations.
Section 3: Where to go from here?
There are a number of advanced features of StrongBox that you can
access. More and more are
being integrated every day. Also, more and more bundles are being
created for StrongBox. For
the latest information on this, visit www.strongboxlinux.com.
Here are some of the features in the default install of StrongBox:
Documentation:
There is a bundle of documentation that comes with StrongBox. Run
"manual" for the StrongBox manual. Run "docs" to view a piece of
documentation. Run "finddoc <something>" to look for a document whose
name you know. And man and info should work normally with the CD
inserted (or the bundles installed to disc).
Also, a number of guides and other miscellaneous information are
included. If you run "docs" the first few things are:
| 00-StrongBox | The StrongBox documentation (which is ever growing) |
| 01-HOWTOS | English Language Howtos from the LDP Project |
| 02-guides | Several Guides, both from the LDP project, and other projects on the net |
| 10-DiveIntoPython | A great book that's available about the Python language |
And much, much more, including some of the default files and
documentation from all the
packages used to build strongbox. Note that, when the docs bundle is
running, all these
files are located at /vservers/docs.
Installation Walkthrough:
The installation walkthrough is what you should use for a first time
setup of StrongBox. Think about how many resources you need beforehand.
If you use LVM and reiserfs, then you want to estimate low: it's very
easy to resize reiserfs volumes on LVM, so you have a maximum of
flexibility. All of the normal rules apply: mirrored raid or raid 5 is
desirable, and backups are good. StrongBox 1.0 will have an automatic
backup feature available for net backups, tape backups, and periodic
disc archiving for changes.
The debmail bundle takes up 350MB in read-only, compressed format. If
you want to uncompress it to use it as a vserver, you should see
www.linux-vserver.com for more information about the linux-vserver
subsystem that is responsible for a lot of the manageability of
StrongBox. You should also read up on the vmount subsystem in the
StrongBox Manual: you can really use it to your advantage in a
vserver-based system design.
Firewalling:
For a bundle of obvious reasons, including that it can run entirely
from RAM, StrongBox makes an ideal firewall system. Included in
StrongBox is the shorewall firewall, which is an advanced firewall
configuration utility that just happens to be integrated with the
firewalling on the StrongBox bundles. Run "man shorewall" for
information on example setups, etc. The information there is taken from
http://www.shorewall.net, which will have even more information for
you.
Also, there's a webmin interface for shorewall installed in StrongBox.
Other advanced firewalling features included in StrongBox:
| ipvs: | allows for virtual services routing to multiple hosts (Layer 4 routing) |
| pound: | a simple, secure, reverse proxy that handles layer 7 content switching for web services |
| openswan: | an advanced ipsec vpn solution that supports site-to-site VPN, client-to-site VPN and opportunistic encryption |
| poptop: | a client-to-site vpn solution for windows pptp/l2tp clients |
| vconfig: | Handles vlans (supported by most modern managed switches to virtualize network connectivity) |
Logging:
StrongBox supports, nay, encourages logging to mysql servers. Version
1.0 will have an easy switch to do it. For now, several howtos exist
online that describe the process.
Syslog-ng, which shorewall uses, is a very flexible logging program. It
allows automatic classification of logs based on any parameter you
wish, and can easily be configured to call another program to parse
information for it. By default, however, all logs are directed to RAM:
you should create a log partition (such as /dev/data/logs) to store
these on at the very least.
Usermode Linux:
StrongBox supports usermode Linux out of the box. Eventually, usermode
linux bundles will be available just as easily as the StrongBox static
vserver bundles. You'll see this after version 1.0. Also, QEMU support
is under active development, and will show up in later versions.
Clustering:
StrongBox supports clustering through heartbeat and ldirectord. More
information can be obtained on the Linux-cluster project website. Stay
tuned, version 1.0 should also have ENBD support (enhanced network
block devices). Versions of StrongBox with GFS support are also in the
works. StrongBox's modular design makes it an ideal platform for
keeping a cluster working together. Also, if you have your bundle
configurations on a redundant nfs or enbd partition, you can easily
have bundles that migrate between servers, by simply running
bundle <name> stop on one server, and bundle <name> start on the other
(assuming that data files are being kept in sync).
Directory Services:
If you want a box to perform domain authentication, then you should
look no further. There's built-in support in StrongBox for ldap,
kerberos, and NIS authentication, allowing for full integration into
company domain systems. StrongBox makes an ideal directory services
server: it's secure, and can be locked down so that no remote access to
the core system is possible.
There is a bundle in development that can provide samba/LDAP
integration as well, to act as a very secure domain controller for
windows boxes.
PBX and Asterisk:
StrongBox has built-in support for Digium hardware. An asterisk bundle
will be coming in early 2005. As a secure system that's built for
reliability and low maintenance, StrongBox makes an ideal platform for
building phone systems.
Kiosks and Desktop systems:
StrongBox customized desktop and kiosk bundles are available for paying
customers. Knoppix-like hardware detection and a high level of security
mean that your system can be made virtually unbreakable by your
users/customers. Talk to us today about your needs, and we can have you
up and running quickly.
In short, StrongBox is an ideal platform for many kinds of deployments.
The very small core OS provides a solid underpinning on which reliable
services can be deployed. The state of the art digital security gives
you extra peace of mind.
If you're interested in supporting StrongBox, whether through
development, evangelism, or buying our commercial product, please
contact us at http://www.strongboxlinux.com or info@strongboxlinux.com.
Thanks!
Liam Helmer
Helmer Computing Corporation
Vancouver, Canada