- PGP Keys
- Vossen's Law
- Firewall Rules
- Home Net Security
- Snort Books
- Sec Tools
- Honeypot Stats
- Firewall Stats
- IP Calcs
- SME Server
- Backup (DI-30)
- Win Tools
- Win. Shell Scripting
- POSIX Redirection
This page is intended for anyone who does or supports all the IT "stuff"
at a small business and it assumes some familiarity with Windows networking
SME Server (Small to Medium sized Enterprise) is an Open
Source answer to Microsoft's
Small Business Server, except that it's free and it actually works. It
runs on any old Pentium computer you have laying around (see Hardware Requirements)
or can buy for next to
nothing, and is much more stable and secure out-of-the-box that the Microsoft
This thing is Really Cool! See the Mitel
web site, especially the design and architectures links on the upper
The list below is based on my own observations, with some content adapted from
the Mitel introduction
and SME Server
v5.5 Release Announcement.
- It's FREE, and there are no licensing restrictions. How much time do
you waste keeping track of the minor legalities of using Microsoft
software? Well, you're still stuck with it on your desktops if you use
Windows and Office, but at least you can get rid of it for your
server! (Get rid of MS Office too, and use OpenOffice,
a fully compatible and free office suite.)
- The security and stability of Linux, tuned to work as a plug and play
back-end for Windows desktop clients, and administered via a fast and well
designed Web tool (you don't need to know anything about Linux/UNIX to run
- Based on RedHat 7.2, but with a RedHat 7.0 kernel (see Cons).
- Installs via a single bootable CD-ROM, though you can create a boot
diskette if your server can't boot from a CD. (Small con within a pro,
you need to be able to download a 200+ meg "ISO" image, verify the
md5sum, and then "burn"
it to a CD. This is actually a lot easier than it sounds.)
- Provides Windows 2000 and XP domain logons and file and print-sharing--As far as your Windows desktop PC's are concerned, SME
Server looks like an NT or Windows 2000 server (no Active Directory)! You don't need any Windows
servers, but if you have one or more
Windows servers, SME Server works with them too. See The role of the SME Server.
- Macintosh file and print-sharing--Via AppleTalk over TCP/IP.
- End Users may change their password using a secure Web-Based form.
- You can enable User disk space quotas. (It took MS years to finally
add this to Windows 2000--NT never had it built-in. Pet Peeve: how can
you claim something as a "Network Operating System" when you can't
even provide something as simple as disk-space quotas???)
- Internal e-mail server and Internet accessible webmail (via IMP)
for your users.
- sendmail - Given the number of security vulnerabilities reported in sendmail over
the years, they used qmail and mailfront (was obtuse-smtpd), both of which have been
designed from the beginning with security in mind.
- The e-mail server is configured as a closed relay out-of-the-box.
means that spammers can't use your system to forward spam and get you
into trouble with your ISP and the world in general.
- Secure remote access via SSH, HTTPS and PPTP (128 Bit only, 40 not
- Web Server hosting, with virtual domains if necessary.
- Apache, with SSL and PHP pre-configured
- FTP Server hosting
- wu-ftpd - Like sendmail, wu-ftpd has suffered from security flaws over the
past years. They chose proftpd as a replacement because of its focus on
security as well as our ability to more easily configure it to limit access.
bays or i-bays are a "unique feature built into your SME Server V5 with ServiceLink. i-bays are a powerful, simple, flexible mechanism for creating distinct information-sharing sites."
They easily allow different virtual web or FTP sites, file sharing between
different groups, etc. Much easier than trying to tie all this
together using either Windows or typical Linux/UNIX servers and services.
- The Squid caching proxy server (on port 3128) is installed. Unless
you have a large disk, and a number of users who visit the same sites, this
won't do you much good, but it's nice to have just in case.
- Support for an NTP server to automatically keep the date and time
correct. Your Windows clients can then set their own time off of the
SME Server. See my Time Sync page for how to do this.
- Easy system recovery:
- Optional software RAID 1 (disk mirroring) using two identical IDE or
SCSI hard drives.
- Emergency boot diskette--Boots the server if the MBR (Master Boot
Record) is somehow corrupted.
- Emergency re-install diskette--Allows you to re-install the system the
same way you did originally.
- Easy backup and restore either via a tape drive or a
large compressed file backed up to a workstation with a (very) large hard
drive. Tape is better, because you can keep a copy off-site.
- To recover or restore, you re-install the system using the CD and the
re-install diskette, then restore the backed up tape or file. Note that
Linux/UNIX systems are not like Windows. You should never need
to re-install just to fix some stupid, unpredictable software error.
You should never need to reboot to fix same either.
- The entire system is formatted with the Linux ext2 file system, which
never needs to be defragged.
- The following UNIX services are running on the base system (this is actually a
pretty small list for a UNIX server): afpd, atalkd, crond, dhcpd, httpd, klogd, ldap, lpd,
mingetty, mysqld, named, nmbd, ntpd, papd, qmail, smbd, smtpfwdd, squid,
sshd, syslogd, xinetd.
service that provides 24x7 server monitoring, DNS, Anti-Virus, e-mail, IPSec
VPN and other services. This is a really cool business model.
They built SME Server to provide a standardized and remotely supportable
customer premises server. They have to maintain it anyway, so why not
give away that software then provides the services on the back-end.
This is a recurring revenue stream that takes great advantage of economies
of scale, and allows them to give something back to the community as
well. Really nice work!
- ServiceLink and the Mitel resellers also provide technical support,
network consulting and system integration, should you need any of those
- No DDNS (Dynamic DNS) between the internal DNS and DHCP servers.
This requires ISC DHCP v3 or better, which RedHat inexplicably doesn't even
have in v7.3, let alone 7.1 or 7.0 (it IS finally in RH8). This is the one thing I can think
of that the MS product can probably do that SME Server can't. When
your internal clients get DHCP addresses, they are not added to DNS, so they
can't talk to each other. However, in Microsoft Networking (i.e. SMB,
AKA CIFS) WINS also performs name resolution functions, so the lack of DDNS
may not be that big a deal. It still bugs me.
- No support for ISA network cards. (No big deal, use $20 PCI cards
instead. See the Hardware Requirements,
especially Supported Ethernet Adapters.)
- For various pretty good reasons,
they are still using the Linux 2.2 series kernel. The biggest impact
this has is that they have to use IPChains,
which is not stateful,
instead of kernel 2.4 and IPTables,
which is stateful.
- No man (manual) pages. In the rare event that you would need to log
in to a command line on the machine, there are no man pages. In normal
use you will probably never need to do this, but is you are intending to
learn how to use Linux/UNIX, then this is probably not a good solution for
you. (Pro within a Con: if you don't care to learn Linux/UNIX, then
this is a good solution for you!)
My one major concern about the security of SME Server v5 is that it claims to
be a firewall. Technically it is, sort-of. But if you use SME Server
as both your firewall and your main production server on the same box, you are violating
the first and second rules of firewall design:
- Never, ever, ever, ever, ever, run a web server on the same box as a
firewall server!!!! I can't stress this enough. Web servers
are designed from the ground up to give people things. They suck at not
giving people things, which is what a firewall is supposed to do. Now
repeat after me, "I promise never to run a web server on my
- A firewall server is a firewall server--nothing that isn't part of the
firewall should run on it. This includes split-zone DNS servers, web
servers (gasp), etc. but may not include web, FTP and other proxies if they
are part of the firewall itself..
My other security concerns are that the firewall is not stateful, the
firewall rules are not configurable,
and I don't see an easy way to turn off services (like AppleTalk) that you are
not using. Why stateful firewalls are more secure than non-stateful ones
is out of the scope of this paper--just trust me; they are. Go Google it
if you don't believe me. The inability to configure firewall rules may not be that big a
deal for your environment, but I don't like not at least having the
option. As far as services (UNIX calls them daemons) are concerned Mitel has done a great
job turning off most services that are not needed, and they also made sure the
Evil Services like NFS and the "r" services are not even installed.
One possible solution is to run 2 copies of SME Server (after all, it's free
and you already have it, so why not?), one as your "server" and the
other as your "firewall." The problem with that on the firewall
side is above--it's not stateful, you
can't turn off most of the "built-in" services, and you can't
configure the firewall rules. Instead, I recommend using some other free
firewall (see my GNATBox Firewall Installation Quick Reference
and SOHO Security pages) and use the SME
Server on the inside of your network, where is it just totally awesome!
One other security concept is that of a "DMZ" or demilitarized
zone. You run Internal accessible services such as Web servers on that
network, with is different from your LAN and protected by the firewall. If
your web server is on your LAN and is compromised, you're toast. If it's
on a DMZ, the DMZ is toast, but your LAN is not! Unfortunately, the free
version of GNATBox does not support a DMZ, but you can see my SOHO
Security page for other firewalls that do. Also unfortunately, proper
configuration of a DMZ is a little more complicated than just throwing the
server on the LAN and calling it a day.
However, you should be able to implement a pretty decent DMZ using a GNATBox
and SME Server in parallel--a kind of "firewall sandwich." I
have not actually tested this, but there is no reason which it wouldn't
work. The caveats were already stated above--you can't configure the
firewall rules, and getting everything to work might be a little tricky.
You need an external firewall and at least 2 SME Servers. On acts as the
web server and sits between the external firewall and the internal firewall/SME
Server. Note, if you put the web server on the internal SME server,
you might as well not have bothered with the "DMZ." A more
detailed discussion is currently out of the scope of this document. You
should contact a qualified Network Security firm to help you implement such a
solution if you want to.
SME Server makes it really easy to implement a firewall/web server/everything
server all in one, so I suspect a lot of people will. It's a bad idea, but it's a
lot less bad to do this with SME Server than it would be to do it with Windows/IIS.
You have been warned.
Other Security Points
- SME Server uses "Blades" as a really easy way to keep
up-to-date with the latest patches.
- Named runs as user "dns" and in a chroot jail. In English,
that means that if someone is able to compromise the DNS server (running
named), they are not automatically root (i.e. Administrator) but just some lowly
user with no privileges. Also, they are locked in a small section of
the file system where there is essentially nothing. This is not useful
to a hacker.
- See above notes on the use of more secure replacements for WuFTPd and
Read the above security section if you haven't already. I recommend
you use SME Server in "Server-only mode." But for that, it's
If you support a small (or home) network and are looking for what I call a
"services server" look no farther. All of the basic network
infrastructure services are covered (see features), it
runs on cheap hardware and the software is free with no licensing
restrictions. It's much more stable and secure out-of-the-box than the
comparable Microsoft solution, and it's easier to administer too.
The few minor disadvantages are far outweighed by the benefits. Give it