SME Server is pretty much the original ready-rolled server distribution. Although it has changed hands – and names – a few times, it's been around since 1999, when it was known as e-Smith, a name you'll still see in a few places.
Name: SME Server 7.5.1
Supplier: Free download
Price: Free, no subscriptions or registration …
When you learn more about linux admin and want to tweak things, SME server makes this ridiculous (at least the version I'm tasked with maintaining) - it seems to be a never ending sequence of includes within config files - look in /etc/<something> and you'll see that it includes /home/e-smith/some/thing - which doesn't necessarily correspond with the name of what you're trying to edit.
Of course, I can see why they've done it this way (easy upgrades & backups as you only need to preserve /home/), but it's a pain in the gluteus to work with.
It definitely seems to be a distro for the point-and-click generation, not us screwdriver-and-soldering-iron folks!
I have been using it for about 6 years, and it has been rock solid. It is a small enterprise ready server distribution that is dead simple to install and configure, and very secure. Six years ago I needed a system for a friend's small business (20 machines). I was not comfortable with my ability to secure something like Debian, especially for a business. Someone recommended SME. I looked into it and after playing around with it for a couple of weeks, I set up the server. It took about an hour to install and set up the user/email accounts. It has been running ever since; the only downtime was a couple of times due to my own stupidity.
Out of the box you get:
mail server with virus and spam filters,
Plus other contribs that are also easily installed and configured via a web page. Take a look at the contribs (specific SME packages); if those fit your needs then use it.
If you need or want more than one or two things not in the contribs section I suggest you go with something else like CentOS, Debian, or Ubuntu if you have the experience to make it secure.
A TROLL . . .
Depending on your needs
...there are other similar distros out there. I was taking a look at ClearOS recently, which has multiWAN gateway capability (the reason we were looking at it) and a very simple what-do-you-want-to-turn-on setup. I haven't gotten under the covers on it yet, but the admin gui is very nice and if it really does what it says, just on the gateway side, would be a nice server alternative to *much* more expensive pieces of network kit for SOHO scenarios.
As a follow-up...
I had to go back and double check the "[everything turned on and difficult to shut off unneeded processes part]"... which pretty much means I will never, ever... ever ever ever install this distro.
If you don't need Apache, Apache should be turned off. If you don't need Samba, Samba should be turned off. Having unnecessary software and processes running on your server is extremely poor security practice - I'd guess that probably 1/10-1/4 of the Wintel patches we have to do are for fuddermucking Internet Explorer (if you can't tell, yes that is a pet peeve of mine) - why in the hell is Internet Explorer on our Wintel servers?!!!!!ELEVEN
Installing this and plopping it down on an Internet connection (which I don't think would be uncommon given the target market) with all the bells and whistles turned on (when you only really need a few of those bells and whistles) is a liability. Leave SMTP on and you could be used to relay spam... leave Samba or Apache on and someone could use your server to host illegal content. Either could set you up for a TOS violation with your ISP and get your connection shut down. If you don't need it, turn the s#it off - it's as simple as that.
Disclaimer: while I am ranting about this particular distro, please do not construe this as some sort of attack on Linux in particular or FOSS in general. Good, basic security practice is the same no matter what platform you're talking about - the smaller your surface the better.
Most services can be turned off easily
There is a contrib that allows you to easily turn off services with a click of a box. The appropriate ports etc. are then turned off automatically.
Again, this is a turnkey system. If you don't need most of the out-of-the-box features, or want to be able to install more than one or two things not in the contribs section, you need to look at a different distro.
Not according to the article
@ZAM: "There is a contrib that allows you to easily turn off services with a click of a box."
Well, according to the article, contribs are not so easy in the first place. It kind of defeats the purpose when you have to install something to disable something.
"Turnkey system" is no excuse for not including basic configuration options such as "I want/don't want web serving" in the base system. In fact, I would argue that it means the exact opposite.
Thanks for the follow-up ZAM
It's good to know about the turn-stuff-off contrib. Other than me seeing that one specific issue (the ability to turn stuff off) as a big miss as part of the distro - I would tend to say that we're in agreement.
Simple appliance-type distros like this are great stuff and very useful for all sorts of scenarios. Cheers!
Are you at all familiar with the product?
Reading your post I wonder if you did try the product. I am part of the volunteers in development and can assure you that SME Server compared to many linux distributions is pretty secure.
The distribution is geared to people who want an alternative to Microsoft SBS and have barely any or no Linux knowledge. For them it would be hard to set up a secure server, as they would have to know a fair amount about security and how to configure this on Linux. Please keep this in mind when considering this product.
Although services are on by default you can enable some services if you like, with little effort. Part of the problem of not being able to drop Apache is that it is used for the administrative web interface.
SME Server is installed by default with very restrictive access. The shell is not accessible to the outside interface, neither is the web based management interface by default. Yes, it uses passwords, but this can easily be changed to use client-server based certificate trust, the information is in our documentation, eliminating the need for passwords (although you can also choose certificate with passwords).
Relaying mail is also denied by default, as SME Server will only accept mail for its own domains, configured on the server by the administrator.
Apart from that, we have very few reports of security being broken.
Not according to the article
Well . . . if you can't install a contrib you wouldn't be able to install any Linux package and configure it. Most of the contribs are standard packages that have been built for the SME system. Many have the configuration available via the web interface; others require modification of config txt files, as the server has no GUI.
As far as turning off services, here is the procedure:
wget "Link to contrib" (found in instruction)
yum localinstall smeserver-service_control-2.0-1.noarch.rpm
Go to the web admin page, click Service Control and uncheck services you don't require. Hit save.
Boy, that was so hard, better take the rest of the week off. :)
It is obvious that you have different needs from a server distro. Luckily you are free to use whatever suits your needs.
Did anyone actually bother to read my post before they downvoted?
Let me say it again... good security practice is good security practice - and my point (which apparently I didn't make clear or nobody bothered to get - take your pick) stands... if you don't need protocol X exposed on the Internet it shouldn't be there. It doesn't take a root exploit to send spam from your server, copy sensitive information from your fileshare, or host malware/phishing-attempts/other-illegal-content on your web server. It can all be done with connectivity *and* the right user authentication.
jmarten, is it possible to restrict certain protocols (HTTP, FTP, SMB/CIFS) to internal only if you're running as a Server/Gateway?
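As an added example (not code from this thread or from the SME Server project), a small POSIX shell audit for the point this post makes about not exposing protocols you don't need: it reads netstat -tln style output and reports which listeners are bound on every interface but are not on the administrator's list of deliberately public ports. The netstat table and the public-port list are constructed assumptions for the example.

```shell
#!/bin/sh
# Audit TCP listeners: which ones are bound on every interface (0.0.0.0 or ::)
# and therefore reachable from the external side as soon as the firewall lets
# the port through, versus bound only to the LAN address or loopback.
# The netstat table below is CONSTRUCTED for this example; it is not output
# captured from a real SME Server.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:139         0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:980           0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:22          0.0.0.0:*               LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN'

# Ports the administrator deliberately publishes (assumed list: inbound SMTP
# for the mail server and HTTPS for a web application).
PUBLIC_PORTS="25 443"

# wildcard_ports: read netstat -tln style lines on stdin and print, sorted and
# space separated, the ports of listeners bound to all interfaces.
wildcard_ports() {
    awk '$NF == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")
            port = parts[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host == "0.0.0.0" || host == "::") print port
         }' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# unexpected_ports NETSTAT_TEXT PUBLIC_LIST: wildcard listeners that are not
# on the allow list, i.e. exposed everywhere without anyone deciding so.
unexpected_ports() {
    for p in $(printf '%s\n' "$1" | wildcard_ports); do
        case " $2 " in
            *" $p "*) ;;             # deliberately public
            *) printf '%s ' "$p" ;;  # listening everywhere by accident
        esac
    done | sed 's/ $//'
}

# Report for the sample: LAN-only and loopback listeners (22, 139, 980) are
# left alone, 25 and 443 are expected, 80 is flagged.
printf 'listening on all interfaces: %s\n' "$(printf '%s\n' "$SAMPLE_NETSTAT" | wildcard_ports)"
printf 'exposed but not on the public list: %s\n' "$(unexpected_ports "$SAMPLE_NETSTAT" "$PUBLIC_PORTS")"
```

Run it against real output with `netstat -tln | ...` piped into wildcard_ports, and compare the result from the external interface with what the firewall is supposed to admit.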
Make a Linux distro so simple
that even a Windows sysadmin could use...
I have used SME Server for about 2 years. Firstly to replace my router. But I needed a Terminal Services/RDP server and the SME didn't handle port forwarding very well.
So I prefixed a router and had 2 NICs in my desktop - one connected to the router and the other connected to SME. Now I have SME running as a (one of many) VM. The simplicity of setting up email and web servers is so advantageous.
My SOHO network has 2 Fedora 13 servers, a SheevaPlug and UNR 10.04 for the desktop. The RDP server is an XP VM. Although I am considered more than capable technically, I observe Occam's Razor - tend towards simplification.
It results in fewer headaches and one can spend time *using* their gear rather than spending their time configuring it!
openbsd the router OS of choice
With OpenBSD's paranoid focus on correctness and security at pretty much the expense of everything else (LAMP performance on it has always been abysmal). Still, for the requirements of a router it's hard to beat OpenBSD (assuming it supports your hardware, which is getting better). Yes, even in FOSS a zealot like Theo has his place.
...you've implied Windows is easier to administrate than Linux. I think that's exactly what MS were aiming for. You might prefer to challenge yourself by picking software that will put up a fight, I prefer to get some work done.
For Illiterates, Windows Is Indeed Better
Some people can't write BASH scripts, they need something clickety-click. Let them prevail in their inefficient working style and have a good life as a Unix admin.
This distro seems to be a clickety-click Linux, apparently. FAIL.
When (not if) your Windows domain controller starts misbehaving and spewing log messages with strange error codes, it's no longer better. Out come the command line tools and you better be familiar (or become familiar quickly) with AD partitions, replication etc. I've had some really hard times, the last was decommissioning an old domain controller. It's not simpler than Linux for sure.
I don't see these as clickety click Linux distros. This is an appliance that happens to be based on Linux. There's a subtle but important difference.
It's great and I love it.........
I've been using it since late v4 and it has been great. OK, it's not necessarily the cutting edge. v8 will help with more contemporary versions of things like PHP. I run a few v8 betas and they have been very stable indeed.
Yes, templates & modifying things take a bit of getting your head round if you really need to (and if like me you aren't an expert, unlike 'us screwdriver-and-soldering-iron folks'). Anyone with an ounce of common sense and a modicum of education will suss it in no time.
Disabling services is a doddle once you know how (or as suggested, use a contrib if you don't)
and is something like (if I remember correctly)
db configuration setprop (whatever service) status disabled; signal-event console-save
Is that so hard compared to some arcane things I have come across elsewhere ? I don't have to worry about manually hacking a config file to enable or disable a service - all that's taken care of in the background, as it should be. I just want it on or off.
Yes, some services are 'running' to start with, though I'm not sure 'everything' is correct, but the default settings are pretty conservative - e.g. local access only. Apache is needed to run the web management interface. Is that so unusual if you run, say, webmin ?????? Mail is enabled so that the system can send admin notices in the first instance. Is that unusual too ? Samba ? How else are we going to share files on a file server ?
Security ? Only one of the servers I have installed ever got hacked and that was because the owner, against my better advice, insisted on changing to a nonsense root password. He learned his lesson.
The rest have been fault free. They sit in a corner and do what they are meant to do. Just work. For months on end, without trouble - the longest was over a year, and only went down because they moved offices.
I run all sorts of stuff on mine - vTiger, eGroupware, PHPlist, LimeSurvey, and lord knows what else over time. Yes, I have long argued that to be a competitor to SBS it needs shared Calendaring, but then no one in the FOSS world can ever seem to make up their mind as to a standard for such things.......... an easy replacement for Outlook/Exchange is a must, in the Linux world in general. It's been the sticking point in me trying to get people to move away from Windows. They'll give up their Windows, but not their Outlook. Funny really.
Having tried a few other linux 'server' versions (and having had to try & figure out the mess that is WIN SBS), one thing I have always been concerned about is whether the system is secure with the things I DO enable. I'm no SAMBA, SMTP or Apache expert. At least with this, it takes away a lot of that pain.
A great distro, and I won't be changing, hopefully for a very long time.
Did the author not bother with minimal basic security tests such as nmap -P0 ... for internal and external interfaces?
I would have been very interested in the port fingerprint from internal and external interfaces?
Also if the devices handle multiple (>2) interfaces, how easy is it to set up zones such as a DMZ?
And the "snidy" comment about ppp (dialup) is just plain nasty - I use ppp to talk to DSL "bridge" devices. Having the host control PPPoA or PPPoE can be very handy and you end up with more IPs available to the host as there is no router to steal an IP :-)
Haters be hatin'.
SME is a stripped-down, specialized distribution designed for *ease of use* and security. It won't relay spam but the spam *filter* works well. It may not have the latest kernel but it's up to date with security patches. The configuration templating system isn't terribly intuitive - but then again you're not supposed to mess with it. Make a few choices from the administration pages and it's done for you.
Just to give one example, SME is an excellent spam and virus filter in front of an Exchange server. Right out of the box SME can strip viruses and most spam from the incoming email stream, then pass the sanitized emails along to Exchange. No messing about with configuration files necessary.
So everyone who's criticizing SME on the basis of what *they* think it should be ... or *likes* faffing about with configuration files ... go use something else, willya? It's not as though you don't have choices!
Nice idea, but why a full major CentOS release behind?
SME Server is an interesting idea, but I wonder why they are basing the current stable release on CentOS 4 and the current beta release on CentOS 5, when CentOS 6 is less than 2 months away?
Also, wouldn't SME Server be better implemented as a CentOS 5 (or 6 for beta) repo, so that you install the standard CentOS 5/6 and then do "yum groupinstall sme_server" or something like that to convert your CentOS 5 vanilla install into an SME Server install. It then allows SME Server to get all the CentOS 5 updates (kernel, C library, Apache, PHP and so on) and allows the easy downgrade back to CentOS 5 vanilla again "yum groupremove sme_server".
I think the feature most people don't realise is that the config files are templated.
Change your internal IP? Change the setting in the web admin, and hit apply...
SME will reconfigure web, email, relay filters, *FIREWALL*, ldap, samba, etc.
If the service isn't used or is denied to external users, the application is configured to not listen *and* the firewall is automatically configured to block traffic to that service.
It's the SBS 2003 of the linux world - it's not SBS2008, but plenty of us are annoyed with the crap we've put up with to configure SBS2008 or the preview SBS2011
I'm a big fan of e-smith/SME Server but I work with a MS Gold Partner. Anybody who doesn't want to spend the cash on hardware and licenses, we recommend SME and point them to Contribs to make a donation.
Thanks. That is something I failed to point out, it isn't just turning off services it also automatically reconfigures the system to make things secure.
Show me a big app that has to have hard-coded IP values and doesn't just pick up its things from interface bindings and/or binds to 0.0.0.0 and lets the firewall do its job.
And, seriously, how often do you change IPs for this to be an issue? I'd much rather they didn't spend hours making the config files templatable in this fashion (and thus probably no longer user-editable in a meaningful way that preserves the templating) for the one or two line sed script (or Search / Replace if you MUST use a GUI) that would do this for me automatically and globally in the very rare occasion that a SERVER has to change IP. Change in external IP? That's what DHCP is for, that's what DHCP notifications are for, and that's why my internet-bound services bind to specific interfaces and/or 0.0.0.0 and then the firewall says who can access what.
And apart from that, there's not much else that I can envisage being at all useful in a templateable scenario, otherwise all those programs would share a common config file for that information, in the manner of resolv.conf or similar.
This distro is a make-a-server distro. It really clings to historically bad ideas (installing everything by default, wiping out partitions and not letting you specify, making things difficult to disable, relying on the community to produce otherwise vital additions). Any distro worth installing lets you modify those things even if they don't appear by default (that's what "Advanced Setup" and similar things are FOR). All this distro does is encourage people to make servers that they don't intend to play with or configure or lockdown and even lets them open them up to the Internet without a single thought. It's nothing that can't be achieved with ordinary installs (even of CentOS!) with much more flexibility and control.
If you can't work out how to change an IP address in a squid config, or have to do everything through web-based control, then you need a decent Linux with Plesk or something. But this is just an abomination - hell, the kernel is so old that my home PC that's been untouched in another house for three years has a more modern one (2.6.9 - that's 2004!). That machine still had an ISA port for one of its Ethernet interfaces.
Use this for an Internet-facing server? I'd rather slit my own throat, thanks. A 5-year-old default full install of Slackware actually does a better job and that's saying something. This is just a monumentally bad idea and if I ever hear of someone deploying this crap near me, I'll be disowning those admins / networks involved. I wouldn't even like to THINK of even a home connection running this thing with any Internet-facing service. I'd panic if I heard that a small business was running this as even an internal server - it's a "click-and-build" config with very bad defaults and no concept of security just waiting to introduce disaster.
Please, for the love of God, stop deploying this crap and go use CentOS or something (anything) instead.
TROLL . . .
Perhaps the most telling part of your rant: "encourage people to make servers that they don't intend to play"
Well, you see, a lot of people don't like to play with things when dealing with businesses; they want things to just work. They don't like to hear things like "Well the network is down because I want to play with this new super cool package and it screwed up everything else."
- and - "it's a "click-and-build" config with very bad defaults and no concept of security just waiting to introduce disaster." It's clear you have no idea what the hell you are talking about and at this point you are just TROLLING . . .
Feel free to play with yourself and whatever distribution of Linux you like in your mum's basement ;)
If I need to get a functioning basic secure system in place in under an hour this will do it. Not everyone needs the latest set of cool tools to get the job done. This has a specific place in a small business setting, it is not meant to be all that flexible.
Not for Everyone
The fact that it doesn't support dual booting, of course, means that it's not for people playing with Linux on a primarily Windows machine. This may be perfectly legitimate for a server operating system, since one doesn't want uncontrolled access to the hard drive of a server. And there are plenty of other distros around. But that particular lacking feature certainly startled me.
What? . . .
Why would you want to dual boot a server OS? Is it shocking you can't set up Win Server 2008 to dual boot when installing it?
Another SME Fan
I am another longtime SME user, and I am really happy with it (and I push it a lot harder than most SME users). In spite of what Lee claims (without any actual experience of the product), SME is far more secure than an out-of-box distro server, because the defaults are secure and sensible - no external administration, no telnet, no SMTP relay, spam and virus filtering, no CGI/PHP on the webserver unless you ask, ports blocked unless opened, no external FTP/SMB/webdav access unless enabled and secured. Anything you don't want can be disabled with a modicum of research if it is not immediately available from the admin interface. It might be a bit different to many distros, but it is not rocket science. You can upgrade packages directly from CentOS if you want, but it is a bit risky, as you may break a dependency. And SME8 may be a bit behind the curve (CentOS 5.5) but I suspect it will be upgraded fairly quickly once CentOS 6 is out.
And manually modifying the system takes a bit of thought, but it can be done - I run a number of additional (non-contrib) services on mine that makes it ideal for home use - OpenXchange, DLNA, UPnP music, Media server, Newzbin downloader. It works reliably, has massive uptimes, and is secure. Believe me, I've checked from the inside and outside.
Someone doesn't understand RHEL kernels...
Complaining about the kernel being version 2.6.9 does show something of a lack of knowledge.
RedHat pick a kernel shape when the distribution launches. For RHEL4 (which is what this distro is based on), that was a 2.6.9 kernel. It will be a 2.6.9 kernel when RHEL4 is finally retired.
This does not mean that it is out of date; updates to the kernel are back-ported into the 2.6.9 base. That is why the version number is complicated - the current RHEL4 kernel is not simply 2.6.9, it is 2.6.9-89.31.1, and dates from mid-October.
The reason for this is to provide a stable platform - the kernel will behave in largely the same way on the day you retire the box as it did on the day you installed it. There will be bugfixes and improvements along the way, but the platform stays very much the same shape, so applications don't suddenly get broken on kernel updates.
AFP for OS X? No thanks
OS X supports NFS out of the box, so why would you bother running AFP?