Slashdot Mirror

For FreeBSD, there exists the PicoBSD project, basically an initiative to produce slimmed-down versions of FreeBSD useable in embedded and/or read-only environments. However, this is for FreeBSD, not OpenBAS, and while I personally prefer FreeBSD, it does not match OpenBSD in terms of security (while still being more secure than the average Linux distribution). On the

b) Theo and company don't remove security bugs from software, they remove sloppy coding. Most other OS maintainers don't want the OpenBSD team to post 300 "this code was sloppy" comments to bugtraq. It's only after the fact that the sloppy code is determined to be a security flaw. Thus the frequent "we already fixed that" posts.

Creating a customized boot floppy with whatever you'd like is quite trivial.

[OT] I don't go in for OS wars but I decided to try out OpenBSD for the firewall. It's soo easy I can't only reccomend it enough. The documentation is excellent and there are even articles for the exact the role I wanted it for.

The only thing I would say about it is to make sure you use good NICs. I started out with a couple of no-name NE2000 jobbies but eventually ended up with 3Com's in there. But that's the same for any OS I guess.

wrighty.

Is it *REALLY* Microsofts fault, and should they *REALLY* call this a vulnerability, when the admin KNOWINGLY leaves a system account with a blank password exposed to the Internet in all its glory?


Repeat after me. Installations should be secure by default, insecure due to administrator action. The converse is NOT true.

So now, for penance, I suggest you go to OpenBSD and catch a clue on creating systems with security appropriate for being placed open on the net.

I going to set it up on my cable connection just a soon I get hold of some NICs that can grab a DHCP address (gotta love those no-name brands ;).

wrighty.

Taken from the OpenBSD homepage:

Three years without a remote hole in the default install!
Two years without a localhost hole in the default install!

and if you look at the Bugtraq stats:

Linux (aggr.): 10 23 84 30
OpenBSD: 1 2 4 2
Windows NT: 4 6 99 37

Heck, even OpenBSD 2.7 (which is excellent overall), had a few remote-root exploits in things like DNS and FTP when it was first released in June, I believe.

Also another big factor would be the time the none exploit is out to the time the bugfix is released. Microsoft is improving in this department, so lets give credit where credit is due... but I would never ever ever ever trust a SMB NT machine out on the open internet.

In conclusion.. scared of your linux / windows nt machine? (shameless plug), try OpenBSD!

Beer!
Of course, if you're OpenBSD user, you may want to go with Guinness :)
(no, it's not a flamebait, everyone knows Guinness is Theo's favourite drink)

-----

Beer!
Of course, if you're OpenBSD user, you may want to go with Guinness :)
(no, it's not a flamebait, everyone knows Guinness is Theo's favourite drink)

-----

Also, for the security-conscious, OpenBSD has a PowerPC port in progress as well.

- Joe

I believe IP should be free.

Cool. Here's some free IP, and here's some more free IP, and here's some more free IP.

This page also lets you get at some free IP, although you have to go to one of the subdirectories, download and unpack the tarball, and get it from the appropriate directory (kernel/net/ipv4).

I prefer more of the unbreakble BSD core to the "crunchy bsd core."

I checked into VPND somewhat recently to see if it'd be a nice way to link a few LANs which have faily powerful (min 200Mhz) firewalls which could be used to tunnel traffic.

I looked at the source code, as I had to port the program to OpenBSD. My first thought was that the person who wrote the code must've been some ASM programmer who took a 5-hour course in C. The entire body of main is the entire source file. Functional programming? What's that? The code is one big blob function. You can see blocks which are similar and could probably be handled by a separate function, but aren't.

My friend's first comment on waving him over to see the code was, "and you wanted to run that on your server?"

The code looks a lot like procmail's code, and is (IMO) a complete tear down and rewrite. I'm sure a lot can be salvaged from vpnd, but I find it hard to believe that the person who wrote code looking like that also did the strictest possible checking on all input/output code for security problems.

You might want to read the VPN section of the Linux Admin Security Guide for a listing of alternatives.
---

We finally decided on OpenBSD although we considered Linux, Tru64, Solaris, NetBSD, FreeBSD, Irix, NT and Windows 2000. By considered, I mean we thought about it. But we finally decided on OpenBSD because throughout all the security bulletins that we've seen, this was the one that touted the best security, and was notably lacking in security bulletins.

We have been extremely satisfied with OpenBSD, and use it as a real bastion firewall, and as a transparent bridge to our production servers. It has an incredible amount of power, and is very versatile. Combined with Snort, Nessus, Nmap, IPF, and Perl (or any scripting language), it makes an wonderful IDS (Intrusion Detection System). I have yet to see a commercial system rival the power of this open source system in terms of complexity and diversity.

IPSec is one of the more interesting technologies out there at the moment. Essentially, it has the advantages of being implemented into multiple diffrent server platforms and client workstations.

For example OpenBSD supports it's natively and Linux can be made to support it with the FreeS/WAN projects kernel patches which allow you the IPSec functionality.

Unforuntately, the problems lie with IPSec compatible clients for the Win32 platform:

Essentially, if you company uses Win9X and NT then you have no problems. The Link will show you a bunch of clients that will actually work under OpenBSD's implementation of IPSec. Some of which are actually quite good.

On the other hand Windows 2000 is VERY unsupported. In fact it is very hard to find a Windows 2000 implementation (other then the poor implementation in Windows 2000 itself). Quite a few promise an implementation in a few months, some even a few weeks, but that does little if you need it done now.

If you need to get VPN clients for Windows 2000. I have found two that support it, but have yet to be able to test it's implementation ability with OpenBSD (the companies current Firewall/NAT platform). The two I have found are listed below:

Ashley-Laurent's VPCom Client. They also sell server software which may be of use (as you can open up one port to that box to gain IPSec functionality). The clients are a bit pricy (US 89.00$) in my opinion and I found the configuration to be somewhat convoluted. You can find their page here.

While I have not tried this one yet, it looks very nice, at least on the sales side. They offer a hardware server as well as software clients and the licensing is a bit lower in price (US 49.00$). They too have had a Windows 2000 clients for a few months now, and seem to be keeping tabs on technology. You can look at their products here.

Note : You can get a trial server and client if you are a company for about a month.

Now if anyone else knows of Windows 2000 compatible clients that work with IPSec then I would be very interested in knowing about them

IPSec is one of the more interesting technologies out there at the moment. Essentially, it has the advantages of being implemented into multiple diffrent server platforms and client workstations.

For example OpenBSD supports it's natively and Linux can be made to support it with the FreeS/WAN projects kernel patches which allow you the IPSec functionality.

Unforuntately, the problems lie with IPSec compatible clients for the Win32 platform:

Essentially, if you company uses Win9X and NT then you have no problems. The Link will show you a bunch of clients that will actually work under OpenBSD's implementation of IPSec. Some of which are actually quite good.

On the other hand Windows 2000 is VERY unsupported. In fact it is very hard to find a Windows 2000 implementation (other then the poor implementation in Windows 2000 itself). Quite a few promise an implementation in a few months, some even a few weeks, but that does little if you need it done now.

If you need to get VPN clients for Windows 2000. I have found two that support it, but have yet to be able to test it's implementation ability with OpenBSD (the companies current Firewall/NAT platform). The two I have found are listed below:

Ashley-Laurent's VPCom Client. They also sell server software which may be of use (as you can open up one port to that box to gain IPSec functionality). The clients are a bit pricy (US 89.00$) in my opinion and I found the configuration to be somewhat convoluted. You can find their page here.

While I have not tried this one yet, it looks very nice, at least on the sales side. They offer a hardware server as well as software clients and the licensing is a bit lower in price (US 49.00$). They too have had a Windows 2000 clients for a few months now, and seem to be keeping tabs on technology. You can look at their products here.

Note : You can get a trial server and client if you are a company for about a month.

Now if anyone else knows of Windows 2000 compatible clients that work with IPSec then I would be very interested in knowing about them

If I were you, I'd try out IPsec and PGP.net. IPsec is included with the default OpenBSD install(if you can install Debian you can install OpenBSD) and PGP.net is a component of the free Windows PGP client. They interoperate just fine with eachother, and the client will work on a standalone computer or as a gateway for a VPN linking two LANs into a WAN.

Who needs to sell encryption technology when we have OpenBSD?

Look at OpenBSD (http://www.openbsd.org/, it's only gone three years without a remote hole in the default install! And it's only gone two years without a localhost hole in the default install! Find me a Linux distro that matches that, and I'll pronounce you sir as a fucking genious.

Three years without a remote hole in the default install! Two years without a localhost hole in the default install!

.sigs are dumb!

OpenBSD supports PPPoE as of version 2.7.

jon

http://www.openbsd.org/cgi-bin/man.cgi?query=pppoe &aprop os=0&sektion=0&manpath=OpenBSD+Current&arch=i386&f ormat=html

Okay. I know you will very well call me a stick in the mud for this one, but I must be a bit more pessimistic than the article or the general air for the IBM 405GP is.

I've followed the development of the for a while now, even having a few email conversations with Jonathon Thompson, Quong Ho Thoc, and Hagr Itstein (three lead developers). I told them about a few of my concerns but it looks like marketing prevailed :(

While yes, I am a fan of Linux and OSS (hell, I've used been running Slackware since version 2 and my firewalls run OpenBSD), I don't see Linux being the right tool for this. I don't want to see this product fail since I know IBM is a good company. By all means everything else they made was a success, but the IBM 405GP looks like it will be a flop.

Why?

(1) Security - This is a big concern for me. Imagine some evil hacker getting control of this baby...now imagine if this was used in your bank or a military instituion. See the problem? While I commend the design of Open Souce, perhaps allowing the innerworkings of this to be accessable by a hacker is not good, even more so when it's an embedded system.

Check out these sites, they explain why the needs for your desktop's security (which Linux can provide) are on the other end of the spectrum for bank/B2B/military security (which Linux cannot provide):
The CIA's spin
Military disablement
cpsr.org

(2) Expansion architecture - Check the specs on this thing. While a PCI slot is normally a good thing, wouldn't MCA or a propietary bus be better suited for this? Linux runs on the MCA fine, and I think it's low overhead and fault-tolerant properties are better than a run of the mill PCI slot for this. Or a new bus design could be implemented. IBM benefits with better performance, we as a comunity benefit from more GPL code being released. Sound good?

(3) Operating system - [flamesuit] I like Linux, but I don't think Linux is the best tool for this. IBM has made the decision to go with Linux, so I'll respect that. But I must say that WindowsCE or QNX would be better. We know who WindowsCE is backed by, but I must admit Mico$oft'$ embedded OS department knows thier stuff. Look at the recent Sharp handhelds - fine work and I think the same design could be applied to the IBM 405GP. If you don't want to recognize MS products though, I can understand. QNX would be just as valid (and in some ways such as power usage and latency) even better than WindowsCE and Linux. Scalibility and performance are key here, and QNX can deliver better than Linux. [/flamesuit]

Again, I don't like being negative but I don't think the IBM 405GP will do that well. I want to be proved wrong though, I want to see Linux progress and gain market share, and I want to see IBM be profitable....but Linux just ain't gonna cut it for this one my friends. Please tell me I'm wrong.

That's okay, because nobody asked for your permission anyway. I can understand why one would be nervous about getting scanned, but if your system is secure, you have nothing to fear.

Anyhow, there's a legend about Werner Von Braun at NASA that goes like this: In the early days of the space program, Von Braun was in charge of the facilities at the Redstone Arsenal in Huntsville Alabama. They needed to build a large neutral bouyance tank to simulate weightlessness, so they just built one. Later when government officials were visiting, they saw the large tank and were upset that Von Braun never went through any red tape in Washington to get an official budget to build the tank.

<feds>: We never gave you permission to build the neutral buoancy tank!
<VonBraun>: That's OK, I never asked ;)

Matt

Pretty serious. I am venting on the lack of recent innovation. I haven't seen a feature released in any recent OS candidates that has made me mutter, "Wow, thats fraggin' cool".

Come on. The encrypted swap space support of OpenBSD 2.7 definitely has the "Wow, that's fraggin' cool" feel. It also has the "Wow, I have absolutely no need for that" feel, but that's beside the point.

*cough*cough*cough*cough*cough*cough*cough*

Sorry, I got a bad cold.

a great way to code a new kernel is to look at other, open-source kernels. Also, learn assembly if you don't know it already. It is a low-level language so you get a feel for the architecture, and the concepts in assembly are definitely needed in kernel development.

According to their web page, the PowerPC port is relatively new and only a few machines are supported. In the list of hardware platforms under development, they claim:

• Apple PowerMac systems with at least a 603 processor and OpenFirmware.
• Only the Apple imac (333Mhz) currenly has driver support.
• Other systems supported with hardware availability and driver information. more recent systems will be given priority over older/slower systems.

This isn't exactly a ringing endorsement. Stick with NetBSD.

--

Posted by 11223:

No - I disagree. While I don't know what a 'teh shell' is, I can assure you that NetBSD stands out as a platform. While FreeBSD is the OS of choice for Proprietary Systems, NetBSD provides honest-to-goodness Open Source software on almost every platform - and we don't need to hide in Canada either.

There's an SMP branch in the CVS repository.

There's a few information available here.

Sure, I'd be glad to explain. You're wondering why www.OpenBSD.org is running on a Solaris server. See this comment from the misc OpenBSD mail archive.

Basically www.OpenBSD.org runs on a University of Alberta server. The bandwidth is provided free. OpenBSD is looking for venture capital and funds are limited so why look a gift horse in the mouth?

While you're looking around the site, check out their T-shirts. I like the fish-cipher t-shirt t-shirt that any open source guy would like. It has the Blowfish code printed on the t-shirt's back.

Sure, I'd be glad to explain. You're wondering why www.OpenBSD.org is running on a Solaris server. See this comment from the misc OpenBSD mail archive.

Basically www.OpenBSD.org runs on a University of Alberta server. The bandwidth is provided free. OpenBSD is looking for venture capital and funds are limited so why look a gift horse in the mouth?

While you're looking around the site, check out their T-shirts. I like the fish-cipher t-shirt t-shirt that any open source guy would like. It has the Blowfish code printed on the t-shirt's back.

OpenBSD did not have procfs installed by default where as *BSD did. And from what I understand from my security junkie programming buddies, FBSD is still probably vulrable to a procfs exploit (although it hasn't been written yet). OpenBSD worked really hard on this one and fixed the problem right.

Code junkies wanna check out the code? OBSD procfs patch
FBSD procfs patch

Yes, there is such a document: http://www.openbsd.org/faq/INSTALL.linux

This document makes a teensy error; it completely ignores the fact that the Linux swap space is not included in the Linux native file system; it has to be allocated on a separate partition with a different file system.

The Second Amendment Sisters

They do not -and I think, will not- add things such as KDE to their ports... OpenBSD is not built for beauty... It is built for rock-solid security. You can still add KDE, using the built-in Linux emulation, but IMHO you are defeating OpenBSD's reason to exist.

On where to find a list of ports, anyway... You can find a list at ftp.openbsd.org/pub/OpenBSD/2.7/ ports.tar.gz.

I have built an OpenBSD Firewall, and it has been chugging away on a $10.00 salvage 486 with two spare NICs for a few months now. OpenBSD uses the IPFilter packet filtering program for firewalling, and for Network Address Translation (having multiple machines share a single IP), you have IPNAT.

Both are included in the base install of OpenBSD, but need to be activated. From the OpenBSD FAQ at http://www.usa.openbsd.org/faq/faq6.ht ml#6.2 you can check out the IPFilter and IPNAT sections - this helped me to get running from practically step zero. The MAN pages in OpenBSD are also the best in the business, with example code and config files, and they are consistently getting better with each release.

To develop your rule base for IPFilter, you can't beat the IPFilter HOWTO located at http://www.obfuscation.org/ipf/. This has everything you need to know about creating a solid firewall without being an expert in TCP/IP packet routing.

So since you can get all the info for free, try downloading OpenBSD 2.7 and give it a shot. When it works for you WAY easier than you expected, take the cash that you would have spect on the firewall book and purchase the CD (and yes, mine is on the way...)

Good Luck and Enjoy!

I have built an OpenBSD Firewall, and it has been chugging away on a $10.00 salvage 486 with two spare NICs for a few months now. OpenBSD uses the IPFilter packet filtering program for firewalling, and for Network Address Translation (having multiple machines share a single IP), you have IPNAT.

Both are included in the base install of OpenBSD, but need to be activated. From the OpenBSD FAQ at http://www.usa.openbsd.org/faq/faq6.ht ml#6.2 you can check out the IPFilter and IPNAT sections - this helped me to get running from practically step zero. The MAN pages in OpenBSD are also the best in the business, with example code and config files, and they are consistently getting better with each release.

To develop your rule base for IPFilter, you can't beat the IPFilter HOWTO located at http://www.obfuscation.org/ipf/. This has everything you need to know about creating a solid firewall without being an expert in TCP/IP packet routing.

So since you can get all the info for free, try downloading OpenBSD 2.7 and give it a shot. When it works for you WAY easier than you expected, take the cash that you would have spect on the firewall book and purchase the CD (and yes, mine is on the way...)

Good Luck and Enjoy!

Check out: http://www.openbsd.org/ports.html for generat information on the ports, and http://www.openbsd.org/cgi-bin/cvsweb/ ports/ to browse (via cvs) the ports tree. Good luck.

Check out: http://www.openbsd.org/ports.html for generat information on the ports, and http://www.openbsd.org/cgi-bin/cvsweb/ ports/ to browse (via cvs) the ports tree. Good luck.

Yes, there is such a document:

http://www.openbsd.org/faq/INSTALL.linux

OpenBSD does have ext2fs support as well.

OpenBSD can use Blowfish passwords. Not Serpent or Twofish but Blowfish. Why?

Password checking for user authentication is performed in software on a general-purpose computer. Brute-force password cracking can be carried out on specialized hardware. Algorithms that run much faster in hardware than in software are bad choices for password hashing.

The design of Blowfish makes it difficult to speed up in hardware. Twofish and Serpent, on the other hand, were designed for fast hardware implementation. Blowfish is also more scalable, which lets you keep up with Moore's Law.

A paper (PostScript format) on OpenBSD's rationale for choosing Blowfish can be found here. A short presentation is here.

------

OpenBSD can use Blowfish passwords. Not Serpent or Twofish but Blowfish. Why?

Password checking for user authentication is performed in software on a general-purpose computer. Brute-force password cracking can be carried out on specialized hardware. Algorithms that run much faster in hardware than in software are bad choices for password hashing.

The design of Blowfish makes it difficult to speed up in hardware. Twofish and Serpent, on the other hand, were designed for fast hardware implementation. Blowfish is also more scalable, which lets you keep up with Moore's Law.

A paper (PostScript format) on OpenBSD's rationale for choosing Blowfish can be found here. A short presentation is here.

------

Someone in the audience with me actually pointed out that twofish would be faster, and the authors of the paper replied that that was precisely why they didn't use it.

It's an interesting paper, nonetheless.

-Jeff Evarts, who has forgotten his Slashdot password

Someone in the audience with me actually pointed out that twofish would be faster, and the authors of the paper replied that that was precisely why they didn't use it.

It's an interesting paper, nonetheless.

-Jeff Evarts, who has forgotten his Slashdot password

I think this is the article you asked my opinion on? If not, here is my opinion anyhow. Take it with a grain of salt, and let me apologize for the length of this post in advance.

I agree, except on the software part. Books, magazines, music, movie etc help people learn (besides entertain), and apply the ideas they learn as they like, without charges. I think of most software as a tool. I don't expect to be able to borrow it out of the library and keep a copy forever, the same way I don't expect to borrow a bulldozer and keep it forever.

The perception of Software as a tool is one that the Software Industry has been pushing for a very long time now. The truth is Knowledge in general is a tool. Software is just a different method of recording a set of instructions. The computer interpretting those instructions is the tool.

An odd example: If I wrote a flowchart to show the way that _I_ made a peanut butter and jelly sandwich (I did this once as a kid!), and attempted to sue all the kids in the world who told their parents they wanted theirs made the same way(with potato chips in them!), everyone would agree that I was nuts. What if I had actually thought of this first (I admit I pirated the idea from the little girl next to me), and had actually patented it? You'd still think I was nuts, and anyone who wanted to put potato chips on their PB&J would continue to do so anyway.

Ok, fine, I lost that lawsuit. I'm gonna go sue the Producers of the movie that popularized my idea without giving me my royalties, and the authors of the 1000 or so cookbooks, that rudely took my flowchart and made recipes out of it.

Still think it's absurd? Yeah, because it is.
Even if I legitimately thought of the idea first.
Even if I was legitimately the first to do it.
Even if I had spent 100 hours of my own time, and bought 500 loaves of bread and 50 jars of PB&J, most people would think I was nuts to demand payment of them, just because they built their sandwiches the same way.

You could use similar logic to argue against letting people borrow books, magazines, etc, but I think there's a difference. Software, like MS Word doesn't help you learn. You don't really need MS Word. There's nothing you can do with MS Word that you can basically do without it.

But there is still a way to profit off of it, without directly selling it. If you (as a company) spend time to develop a product, then nobody is going to know that product better than you, and generally they are going to come to you for training and support for that product. Additionally, when that product doesn't do exactly what they want, but damn close, they're going to pay you money to figure out how to make that product do what they want. They may even pay you money to teach them how to make that product do what they want. Example: OpenNMS.

Another possibility is that you develop software that absolutely kick ass, everybody loves it, and you give it away for free, under a fully functional, but request (not demand) payment, "If you want to see it get better, send me money so I can keep making it". See WinAMP.

Or best of all, do it because it's what you love to do, and because you believe it should be done, and because you want to contribute to the world you live in. Package it with cool and unique but cheap stuff (Stickers), sell T-Shirts, and give recognition to the individuals or companies that support your efforts. I bought a copy of OpenBSD just to have a CD with a Pufferfish on it.

Books contain ideas that you can't expect to get on your own. I'm at a loss to explain it better. One way to look at is that books impart knowledge, and software and equipment are facilitators.

As I said computers are the tool, software just the instructions to make them work. If anybody should be funding software development, it's the computer manufacturers who are selling you a tool, and making you buy the manual from someone else.

It did actually used to be this way, I might add, before M$. Apple computers came with Apple's OSs on them(and still do). Mainframes with Unix. IBMs with IBM-DOS. However, once people started buying M$ to replace the installed OSs, the computer manufacturers eventually began selling computers without OSs. Do you think they removed the cost associated with the development of the software?

With those books, you can obtain the knowledge to build the software and equipment you think you need.

We as a society should be supporting the growth of that society, not reinventing the wheel, if it has already been done, the knowledge that you need to do it again should be freely available, I think that software falls into the category of this Knowledge. Building equipment, a physical undertaking is different.

Also, I think software in libraries is a good idea if the idea is for trial use, use the software until you return it. Pay for it afterwards.

Why pay for it afterwards? You haven't cost anybody any money by not paying for it. Instead, pay a company to better it, something they may not be able to do without the necessary funding.

Open Source is nice, but there's a lot of other nice software we wouldn't have because it takes too much time and skill to produce for free.

Free is relative. If computer manufacturers or corporations were paying to have it developed to begin with (for the purposes of their own profits), then it would already be paid for.

Copy machines in libraries is a good point though, and has significance to the software industry. Even though you can copy an entire book in the library, people still buy books. Though, sometimes it is just as expensive to photocopy a book, not to mention it's time consuming.

Indeed, I would buy a copy of an Operating System from the company that created it, if that cost was fair, and they were only profitting minorly from the cost of distribution.

Lasty, I should mention I'm a bit of a hypocrite because I use some pirated software. Almost all the software I use often (once a month or more), I buy, if it's not free that is. I'm not sure if this is good or bad, but, for instance, I don't want to pay $100+ bucks for MS Word, when I use it rarely to view and lightly edit a Word file someone sent me in an email. Also, I have no stolen software that I would buy to use if I wasn't able to steal it.

Excactly the point of this whole diatribe. Software is not priced fairly. Value is a relative thing, and one thing may have many different values to many different people. Perhaps if the software industry were to open it's eyes and see this, and build a more morally correct business model, then we wouldn't have the problems that we face now.

-Tommy

You know, I agree with that. You really don't need to be running things as powerful as Bind.

Unfortunately, the default installations of many Linux distros seem to be getting more and more top-heavy. Even things like Bind and Sendmail are getting installed by default; I'm not sure if this is a good thing.

One thing I like about OpenBSD is the very sparse, almost Bauhaus-style install. You have to go through manually and set things up if you want to use them.

It seems like a lot of work, and it perhaps is very cumbersome if you've never done it before, but I just feel much more comfortable running an OS that doesn't have a whole bunch of crufty packages installed that I may or may not ever want or need.

The security audit for OpenBSD helps, too, though. ;-)

Well, to be honest, its your fault for using BIND!

BIND is notoriously insecure, so you should always run it in a chrooted environment if you are going to use it.

Also, investigate alternative, and far superior servers for services you want to run.

Instead of BIND, look at Dan Bernstein's DNSCache package, which is lightweight, stable and uncrackable. In fact, he offers a monetary reward to the first person who can find a security hole in it.

Similarly, replace sendmail with either qmail, exim, or postfix and get a superior, more intuitive feature set, and better peace of mind security wise.

Also, look at a more secure OS than Linux, for example OpenBSD which has not had a remote security hole in its default installation for over two years now.