LinuxQuestions.org


Orange Sunshine 11-04-2009 11:20 AM

Best distro for a web server
 
Hello all! I'm looking for some help deciding which distro to use for a web server I am putting together. The server will be using Apache, mysql, php, phpmyadmin (though I may just run that on another machine and connect to the web server), and whatever other stuff I find out that I need. It is for a small business and shouldn't have to push out very much data (though that may change in the future).

My main concern is security. I would like it to be as maintenance free and secure as possible (dreaming?). There will be sensitive data on the machine and I don't really know what I need to do to ensure that it remains secure. Are there other security applications I need to install? ports I need to close/open? or do I just need to keep the OS up to date? Will Linux update itself automatically without requiring a restart?

I use CentOS at work but haven't had that much experience with it so I am still very much a newbie and didn't install it on the machine so I have no experience installing it. However, it is the OS that I have the most experience with and was planning on using that. Is CentOS a good way to go? Any other suggestions?

Thanks before-hand for the help and let me know if I need to provide more information.

Yaro 11-04-2009 11:21 AM

Quote:

Originally Posted by Orange Sunshine (Post 3744436)
Hello all! I'm looking for some help deciding which distro to use for a web server I am putting together. The server will be using Apache, mysql, php, phpmyadmin (though I may just run that on another machine and connect to the web server), and whatever other stuff I find out that I need. It is for a small business and shouldn't have to push out very much data (though that may change in the future).

My main concern is security. I would like it to be as maintenance free and secure as possible (dreaming?). There will be sensitive data on the machine and I don't really know what I need to do to ensure that it remains secure. Are there other security applications I need to install? ports I need to close/open? or do I just need to keep the OS up to date? Will Linux update itself automatically without requiring a restart?

I use CentOS at work but haven't had that much experience with it so I am still very much a newbie and didn't install it on the machine so I have no experience installing it. However, it is the OS that I have the most experience with and was planning on using that. Is CentOS a good way to go? Any other suggestions?

Thanks before-hand for the help and let me know if I need to provide more information.

Red Hat or CentOS. Debian is also a decent choice. If you have the skills I'd recommend giving Arch a try.

NOT Ubuntu or its derivatives.

Orange Sunshine 11-04-2009 11:24 AM

forgot to mention...
 
I forgot to mention that this server will be managed remotely through SSH and since it will be a web server will be running 24 hours a day (obviously). Don't know if that info makes any difference but I wanted to mention it.

Yaro 11-04-2009 11:25 AM

Quote:

Originally Posted by Orange Sunshine (Post 3744440)
I forgot to mention that this server will be managed remotely through SSH and since it will be a web server will be running 24 hours a day (obviously). Don't know if that info makes any difference but I wanted to mention it.

Yeah, go for red hat. Most server OS come with sshd preinstalled.

Orange Sunshine 11-04-2009 11:26 AM

Quote:

Originally Posted by Yaro (Post 3744438)
Red Hat or CentOS. Debian is also a decent choice. If you have the skills I'd recommend giving Arch a try.

NOT Ubuntu or its derivatives.

I probably DON'T have the skills. Am I mistaken that Red Hat costs money? or is it free? Not that that is one of my requirements or anything but would there be a reason to go with Red Hat over CentOS (assuming I can get all the support I need from the net)?

cantab 11-04-2009 11:26 AM

CentOS is a perfectly sound choice. It's a free edition of Red Hat Enterprise Linux, so CentOS experience should be transferrable to RHEL, and if you decide you want commercial support you could migrate from CentOS to RHEL fairly easily.

Debian would be the other recommendation, but it's best to stick with what you know.

Ubuntu is gaining popularity for servers. For a server you would almost certainly want to use the Long Term Support ('LTS') edition, currently Ubuntu 8.04 Hardy Heron.

Security is a complex issue, and one that will take you some degree of study to understand. (I claim little understanding of security of Linux systems.)

Orange Sunshine 11-04-2009 11:28 AM

Quote:

Originally Posted by Orange Sunshine (Post 3744443)
I probably DON'T have the skills. Am I mistaken that Red Hat costs money? or is it free? Not that that is one of my requirements or anything but would there be a reason to go with Red Hat over CentOS (assuming I can get all the support I need from the net)?

Nevermind...after a quick search it looks like Red Hat Enterprise is what costs money for the support but free distros do exist. So is Red Hat just more user friendly over CentOS? Is that why people are suggesting it?

Yaro 11-04-2009 11:31 AM

Quote:

Originally Posted by cantab (Post 3744444)
CentOS is a perfectly sound choice. It's a free edition of Red Hat Enterprise Linux, so CentOS experience should be transferrable to RHEL, and if you decide you want commercial support you could migrate from CentOS to RHEL fairly easily.

Debian would be the other recommendation, but it's best to stick with what you know.

Ubuntu is gaining popularity for servers. For a server you would almost certainly want to use the Long Term Support ('LTS') edition, currently Ubuntu 8.04 Hardy Heron.

Security is a complex issue, and one that will take you some degree of study to understand. (I claim little understanding of security of Linux systems.)

I wouldn't recommend Ubuntu. One thing I've learned in my line of work is desktop OS stinks at being server OS. Look at Windows Server.

Granted Ubuntu makes it EASY... but I'd sacrifice ease of setup for a solid server.

As for security... I have a few recommendations.

1. ClamAV. Especially best when you're also running mail on the server. Protects Windows users from viruses.

2. IpTables. Use it. Use it use it use it use it use it use it use it use it. Learn it if you have to.

3. If you're willing to learn it and have the time: SELinux. Its biggest drawback is that it is a pain in the rear to set up, configure, and use. But it is an excellent MAC system. Alternatives could be Tomoyo and AppArmor.

4. KEEP THAT SERVER UP TO DATE! ALWAYS run the latest kernel available to you.

Orange Sunshine 11-04-2009 11:36 AM

Quote:

Originally Posted by Yaro (Post 3744452)
I wouldn't recommend Ubuntu. One thing I've learned in my line of work is desktop OS stinks at being server OS. Look at Windows Server.

Granted Ubuntu makes it EASY... but I'd sacrifice ease of setup for a solid server.

As for security... I have a few recommendations.

1. ClamAV. Especially best when you're also running mail on the server. Protects Windows users from viruses.

2. IpTables. Use it. Use it use it use it use it use it use it use it use it. Learn it if you have to.

3. If you're willing to learn it and have the time: SELinux. Its biggest drawback is that it is a pain in the rear to set up, configure, and use. But it is an excellent MAC system. Alternatives could be Tomoyo and AppArmor.

4. KEEP THAT SERVER UP TO DATE! ALWAYS run the latest kernel available to you.

Man, this community is great! Such quick responses. I will definitely look into everything you suggested. Just out of curiosity, what is it about Ubuntu that you dislike for a web server? Is it just that it takes up more resources because of the fact that it is a desktop OS?

cantab 11-04-2009 11:40 AM

Quote:

Originally Posted by Orange Sunshine (Post 3744447)
Nevermind...after a quick search it looks like Red Hat Enterprise is what costs money for the support but free distros do exist. So is Red Hat just more user friendly over CentOS? Is that why people are suggesting it?

Red Hat Enterprise Linux is a commercial distribution by Red Hat. Red Hat makes the source code to RHEL freely available (in compliance with the GPL, the software license that governs distribution of much of the code). The CentOS team then remove the Red Hat branding (because it's trademarked by Red Hat) and compile the sources into a compatible distribution, CentOS.

RHEL isn't of itself more user friendly than CentOS, but if you pay the money for RHEL then you can get technical support from Red Hat, by web or telephone depending on which option you choose. However, RHEL isn't cheap - it's an enterprise product aimed at business and prices start from 350 dollars. Whether or not that's worth it is a business decision, not a technical one.

Orange Sunshine 11-04-2009 11:47 AM

Quote:

Originally Posted by cantab (Post 3744471)
Red Hat Enterprise Linux is a commercial distribution by Red Hat. Red Hat makes the source code to RHEL freely available (in compliance with the GPL, the software license that governs distribution of much of the code). The CentOS team then remove the Red Hat branding (because it's trademarked by Red Hat) and compile the sources into a compatible distribution, CentOS.

RHEL isn't of itself more user friendly than CentOS, but if you pay the money for RHEL then you can get technical support from Red Hat, by web or telephone depending on which option you choose. However, RHEL isn't cheap - it's an enterprise product aimed at business and prices start from 350 dollars. Whether or not that's worth it is a business decision, not a technical one.

Great info, thanks! I think I'll go with CentOS after listening to everyone's input and reading a little more. One more question, should I try to look for a package with php, ssh, apache, and mysql already installed (if that even exists) or just grab the latest CentOS and install all that stuff separately? Keep in mind, I'm pretty new to everything and installing a DB in Linux seems kinda scary to me.

indienick 11-04-2009 12:13 PM

Not scary at all!

CentOS has an "Add/Remove Programs" utility (or something very similar) in the Applications menu, on the desktop (after you get it installed, of course ;)).

From there, it's as simple as checking a box, and clicking a confirmation button!

jkzfixme 11-04-2009 12:42 PM

I have always used Linux in production servers; however, I recently switched to Solaris just for giggles and find it to be AWESOME. The ZFS file system is incredible and the GlassFish web stack makes building a SAMP server a dream. Of course security is on point. Just food for thought.

Regards,
JKZfixme

ddaemonunics 11-04-2009 01:04 PM

Well... If I were you... I would choose between Debian, CentOS, FreeBSD, OpenBSD

Orange Sunshine 11-04-2009 01:32 PM

Quote:

Originally Posted by indienick (Post 3744505)
Not scary at all!

CentOS has an "Add/Remove Programs" utility (or something very similar) in the Applications menu, on the desktop (after you get it installed, of course ;)).

From there, it's as simple as checking a box, and clicking a confirmation button!

I was kinda under the impression that I would not have a desktop GUI if I was installing CentOS. Do I have a choice? Is there a reason to or not to install the GUI version? I will be managing remotely so obviously the GUI would be of no use then but I will have the box physically when installing and if a GUI would make things easier installing and there aren't any disadvantages to having the GUI then why not? I'm confused.

r3sistance 11-04-2009 02:17 PM

You don't need a GUI for CentOS; personally I only use a VNC desktop for non-administrative things. To add or remove programs, YUM (Yellowdog Updater, Modified) can be used. I suspect the GUI tool is just an interface for YUM.

A GUI uses more resources; personally I don't use GUIs other than vncserver for some casual activities now and then. You can disable a GUI post installation, you can also do installation via the GUI installer but not install any GUI facilities. Personally unless LVM is involved I use the text based installer... probably just from being so used to using it.

salasi 11-04-2009 02:18 PM

Quote:

Originally Posted by Orange Sunshine (Post 3744460)
...Just out of curiosity, what is it about Ubuntu that you dislike for a web server? Is it just that it takes up more resources because of the fact that it is a desktop OS?

well, I can't speak for anyone else but...

A definite 'gotcha' with Ubuntu is that it has the nasty habit of running services automatically when you install them. Most distros think that you should make a decision to run a service even though you have installed it, and this seems safer (you might not have configured the service as you like at that point, or, as I did once, only installed it to get a look at the man page).

Of course, when you know this is going to happen, it is not so much of a problem, but it only has to get you once in a big way...

The 'no root' model used by Ubuntu always seems a bit dubious for me in a non-desktop application, but isn't necessarily that dangerous.

In general, the friendly Ubuntu model, provided that you don't use a GUI, use their server kernel, use an LTS edition, probably is workable, but I couldn't describe it as the most appropriate for a professional server (probably different for a home server and if you already have Ubuntu experience) when there are good choices available.

Quote:

should I try to look for a package with php, ssh, apache, and mysql already installed (if that even exists) or just grab the latest CentOS and install all that stuff separately? Keep in mind, I'm pretty new to everything and installing a DB in Linux seems kinda scary to me.

You can get distros specifically intended for Lamp stack applications (SLAMM?), but you are worrying about the wrong problem. For practically every modern distro, installing common packages is a snap. There is a package installer. You tell it you want the package. It does it, including getting any libraries that are needed. Where is the problem?

Well, to answer my own rhetorical question, the problem is that this installs the package, but does not configure it, necessarily. Configuring packages, particularly if there is a security impact, is the bit that might cause head-scratching, but that's always the way, isn't it?

Quote:

My main concern is security. I would like it to be as maintenance free and secure as possible (dreaming?).

Yes, you are dreaming. When bugs show up, as they will, in the apps that you use, you will need to grab the updates and do it quickly. Fortunately, this is easy, but you can't ignore it. Unfortunately, that may mean that you need to re-test stuff if it is, eg, your database app, and an upgrade has the possibility of breaking things.

Quote:

ports I need to close/open?

Be very very careful with anything facing a threat (the internet and maybe also your own net, depending). Firewalls have been mentioned (which is good) but you shouldn't install unnecessary stuff (anything you don't have won't be listening on any port).

Part of this is about the structure of the network (do you have a DMZ?) and that hasn't been discussed.

Quote:

or do I just need to keep the OS up to date...Will Linux update itself automatically without requiring a restart?

Not 'automagically' but it's a simple process. Usually only kernel changes need a re-boot, although there is even an app (ksplice) to deal with that. However, if you don't have some kind of test server somewhere, which may also be your desktop, you'll always be taking a leap in the dark with some updates.

Quote:

There will be sensitive data on the machine and I don't really know what I need to do to ensure that it remains secure. Are there other security applications I need to install?

If, by secure you mean that you don't want it to be corrupted, that sounds like a backup. If you mean that you are storing the secrets of three letter agencies and you don't want people to access it, you are way beyond my pay grade... Way, way, way beyond my pay grade.

You could do worse than read this:
http://www.cyberciti.biz/tips/linux-security.html which is probably as good coverage of the basics as I have seen.

Orange Sunshine 11-04-2009 02:32 PM

Quote:

Originally Posted by r3sistance (Post 3744698)
You don't need a GUI for CentOS; personally I only use a VNC desktop for non-administrative things. To add or remove programs, YUM (Yellowdog Updater, Modified) can be used. I suspect the GUI tool is just an interface for YUM.

A GUI uses more resources; personally I don't use GUIs other than vncserver for some casual activities now and then. You can disable a GUI post installation, you can also do installation via the GUI installer but not install any GUI facilities. Personally unless LVM is involved I use the text based installer... probably just from being so used to using it.

Thank you for clearing that up for me!

EricTRA 11-04-2009 02:34 PM

Hi,

My personal favorite is Debian, it's quite secure, comes out with patches real quick when vulnerabilities are detected, and using the NETINST cd you just get the basics and setup what you need, nothing more or nothing less. I've installed Debian on several servers used in a production environment and used on the internet and haven't encountered a serious problem yet. Following up on outcoming patches of course along with keeping your server up to date is a must. For Debian you can check out Debian Security. I have that page as a newsfeed in my homepage. Great info and up to date.

I wouldn't install a GUI either, especially not for a server, get used to the command line and administer it from there.

As stated by other users already, the more services you run, known or unknown, the more vulnerable you are. Since your main goal is security, keep that last in mind.

Kind regards,

Eric

Orange Sunshine 11-04-2009 02:36 PM

Quote:

Originally Posted by salasi (Post 3744699)
well, I can't speak for anyone else but...

A definite 'gotcha' with Ubuntu is that it has the nasty habit of running services automatically when you install them. Most distros think that you should make a decision to run a service even though you have installed it, and this seems safer (you might not have configured the service as you like at that point, or, as I did once, only installed it to get a look at the man page).

Of course, when you know this is going to happen, it is not so much of a problem, but it only has to get you once in a big way...

The 'no root' model used by Ubuntu always seems a bit dubious for me in a non-desktop application, but isn't necessarily that dangerous.

In general, the friendly Ubuntu model, provided that you don't use a GUI, use their server kernel, use an LTS edition, probably is workable, but I couldn't describe it as the most appropriate for a professional server (probably different for a home server and if you already have Ubuntu experience) when there are good choices available.

You can get distros specifically intended for Lamp stack applications (SLAMM?), but you are worrying about the wrong problem. For practically every modern distro, installing common packages is a snap. There is a package installer. You tell it you want the package. It does it, including getting any libraries that are needed. Where is the problem?

Well, to answer my own rhetorical question, the problem is that this installs the package, but does not configure it, necessarily. Configuring packages, particularly if there is a security impact, is the bit that might cause head-scratching, but that's always the way, isn't it?

Yes, you are dreaming. When bugs show up, as they will, in the apps that you use, you will need to grab the updates and do it quickly. Fortunately, this is easy, but you can't ignore it. Unfortunately, that may mean that you need to re-test stuff if it is, eg, your database app, and an upgrade has the possibility of breaking things.


Be very very careful with anything facing a threat (the internet and maybe also your own net, depending). Firewalls have been mentioned (which is good) but you shouldn't install unnecessary stuff (anything you don't have won't be listening on any port).

Part of this is about the structure of the network (do you have a DMZ?) and that hasn't been discussed.

Not 'automagically' but it's a simple process. Usually only kernel changes need a re-boot, although there is even an app (ksplice) to deal with that. However, if you don't have some kind of test server somewhere, which may also be your desktop, you'll always be taking a leap in the dark with some updates.

If, by secure you mean that you don't want it to be corrupted, that sounds like a backup. If you mean that you are storing the secrets of three letter agencies and you don't want people to access it, you are way beyond my pay grade... Way, way, way beyond my pay grade.

You could do worse than read this:
http://www.cyberciti.biz/tips/linux-security.html which is probably as good coverage of the basics as I have seen.


Great help! You answered many of my questions. The security link you gave me looks like exactly the information I am looking for as a beginner. Awesome!

I think I have a good basis to make decisions now and some good resources for security information. Thanks everyone!

r3sistance 11-04-2009 02:52 PM

I would point out on the whole security side, the protocols you run are also important to consider, standard FTP and VNC connections for example are highly insecure (they send login details in plain text format across the internet). I would also point out that the SSH daemon already has SCP and SFTP built-in, which are more secure methods of file transfer than FTP.

Jim Bengtson 11-04-2009 03:06 PM

Quote:

I wouldn't recommend Ubuntu. One thing I've learned in my line of work is desktop OS stinks at being server OS.

Have you tried using the server version of Ubuntu, rather than the Desktop version? Both are based on Debian, but with distinctly different purposes. The server version doesn't even have a GUI interface.

Quote:

A definite 'gotcha' with Ubuntu is that it has the nasty habit of running services automatically when you install them. Most distros think that you should make a decision to run a service even though you have installed it, and this seems safer

When you install the server version of Ubuntu, at the start you are given the option of changing the default install settings. Hit the F6 key twice, and you'll be able to select "Expert" mode, which will give you full control over the Debian installer, including which packages are installed on the new server.

I haven't seen any serious weakness in Ubuntu server versus any other Linux server. I would not suggest using Ubuntu Desktop as a server.

r3sistance 11-04-2009 03:28 PM

I think you misunderstood that point, what salasi was saying is when you say, install mysqld, Ubuntu will make it active/started from the get-go... not sure if that one is true but that's how I read it. So when you apt-get anything, other distributions give you the chance to pre-configure the service before actually starting it, it can be a security flaw to automatically start services without the ability to preconfigure.

As far as Ubuntu server, I can't understand why anybody would use it over Debian in the first place... Debian is there and already does all those server tasks much more effectively IMO and is easier to administrate. Then again I just don't get on with Ubuntu whatsoever, so might be biased on that one. The whole no root thing (I still believe this is completely pointless and in some respects lowers the level of security and can cause maintenance headaches further down the line), the multiple times I have had graphical issues with Ubuntu... and worst of all, their love of the most horrid UI colour scheme I have ever seen... why so much Orange in the default settings, even RHEL's Red interface seems better than that...

cantab 11-04-2009 05:42 PM

Quote:

Originally Posted by Orange Sunshine (Post 3744617)
I was kinda under the impression that I would not have a desktop GUI if I was installing CentOS. Do I have a choice? Is there a reason to or not to install the GUI version? I will be managing remotely so obviously the GUI would be of no use then but I will have the box physically when installing and if a GUI would make things easier installing and there aren't any disadvantages to having the GUI then why not? I'm confused.

You can have a GUI if you want. You don't need one on a server, but if you're not comfortable with working from a plain terminal you might find a GUI easier. Copy-and-paste certainly springs to mind as something MUCH easier to do with a GUI.

Quote:

Originally Posted by r3sistance (Post 3744818)
As far as Ubuntu server, I can't understand why anybody would use it over Debian in the first place...

Memories of the long time between releases of Woody and Sarge...
On the flipside, Ubuntu LTS releases are generally supported for LONGER than Debian releases. Debian stops support for the previous stable releases one year after the new one. That means when you install Debian, you don't know how long it's supported for - because Debian doesn't stick to a defined release schedule. (Not saying that's bad or good, but it's how they do it)
Ubuntu intend to continue support for server use of LTS releases for 5 years from initial release, 3 years from release of the next LTS. That also means when you make an Ubuntu install you know how long it gets security updates for before you have to upgrade. (Assuming the project doesn't go belly-up, but that's a risk you take with any operating system)
And then there's the benefit of only having to deal with one distro. Ubuntu on the desktops and on the servers.

Quote:

Originally Posted by r3sistance (Post 3744818)
and worst of all, their love of the most horrid UI colour scheme I have ever seen... why so much Orange in the default settings, even RHEL's Red interface seems better than that...

I like the brown. I've grown used to it. I've made my Arch Linux use the same colours.

chrism01 11-04-2009 07:36 PM

Here's the RHEL/Centos v5 Admin/Deployment guide; http://www.linuxtopia.org/online_boo...ion/index.html .

As above, you can install using the GUI (this distro comes with just about everything you need in the repos), then, when it's prod ready, you can reboot it into level 3, which means it runs without the GUI; your choice.

Certainly go through the list of services/daemons avail and only run the ones you need.
Security is a process, not a product, so you'll have to read the docs.
Updates are up to you, the default is for the update daemon to run every 4 hrs iirc, or you can disable it and run it manually when you want eg 'yum update' as root.
For a business, it's a good idea to have a secondary (identical) machine for development & in case the primary has issues, also to test updates before putting them on prod.

salasi 11-05-2009 04:27 AM

Quote:

Originally Posted by r3sistance (Post 3744818)
I think you misunderstood that point, what salasi was saying is when you say, install mysqld, Ubuntu will make it active/started from the get-go... not sure if that one is true but that's how I read it. So when you apt-get anything, other distributions give you the chance to pre-configure the service before actually starting it, it can be a security flaw to automatically start services without the ability to preconfigure.

Yes, you have the point exactly and stated it more succinctly than I managed to do, so thank you for that.

The main problem is if you are unaware of this 'quirk'. If you are aware you will always do something like ps -ef | grep 'name' after an installation just to check and kill anything that you don't like, but there is the possibility that it takes you by surprise and you don't check.

As far as a GUI is concerned, the best security advice is don't run one; GUIs are big, complex and barely-understood programs (barely understood by the person who has to take care of security) and can be relied on to be buggy. Simplicity and ease of comprehension are the friends of security and big and complex aren't.

There are some circumstances in which running a GUI is not too big an error (in a largely benign, rather than internet-facing, application for example), but still, gui-less would be more secure. If you feel that you are happier away from the command line environment, consider something like webmin, which is probably closer to your comfort zone.
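
Added example (not part of the thread, and not any poster's own script): the post-install check discussed above, extended from `ps -ef | grep` to the network view, so that a service started automatically by the package manager shows up as a listener you did not approve. It assumes `ss -H -tlnp`-style input; the allowlist of ports 22, 80 and 443, the function names and the sample socket lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report TCP listeners that are not on an explicit allowlist.
# Assumed input format (iproute2 `ss -H -tlnp`):
#   State Recv-Q Send-Q Local-Address:Port Peer-Address:Port Process

# Ports this web server is meant to expose (assumption for the example).
ALLOWED_PORTS="22 80 443"

# audit_listeners: read ss output on stdin and print one line per listener
# whose port is not allowed:
#   EXPOSED <port> <bind-address> <process>   reachable from the network
#   LOCAL   <port> <bind-address> <process>   bound to loopback only
audit_listeners() {
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        # Skip the header (if present) and anything that is not a listener.
        $1 != "LISTEN" { next }
        {
            # The port is whatever follows the last colon; this also
            # handles IPv6 forms such as [::]:80 and [::1]:25.
            k = split($4, part, ":")
            port = part[k]
            addr = substr($4, 1, length($4) - length(port) - 1)

            # Process name sits between the first pair of double quotes;
            # it is missing when ss runs without root privileges.
            proc = "?"
            if (split($6, q, "\"") >= 2) proc = q[2]

            if (port in ok) next
            kind = (addr ~ /^127\./ || addr == "[::1]") ? "LOCAL" : "EXPOSED"
            print kind, port, addr, proc
        }
    '
}

# Constructed sample: a host where mysqld, vsftpd and a VNC server were
# installed and are listening alongside the intended sshd and httpd.
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 *:80 *:* users:(("httpd",pid=1201,fd=4))
LISTEN 0 151 0.0.0.0:3306 0.0.0.0:* users:(("mysqld",pid=1544,fd=22))
LISTEN 0 100 127.0.0.1:25 0.0.0.0:* users:(("master",pid=990,fd=13))
LISTEN 0 5 [::]:5901 [::]:* users:(("Xvnc",pid=2210,fd=7))
LISTEN 0 32 0.0.0.0:21 0.0.0.0:* users:(("vsftpd",pid=1760,fd=3))
EOF
}

# With --live, audit this machine (run as root to see process names);
# otherwise run against the constructed sample.
if [ "${1:-}" = "--live" ]; then
    ss -H -tlnp | audit_listeners
else
    sample_ss_output | audit_listeners
fi
```

An `EXPOSED` line is either a service to stop and disable or a port to block in iptables; a `LOCAL` line is not reachable from outside but is still a running daemon worth reviewing.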

