LAMP questions: distros, install methods, permissions & user to run as
OK folks (linux n00b here), I'm going to be setting up a LAMP server eventually to host a couple web businesses running from home. I've got a few questions:
I'm considering the following distros: Fedora, Ubuntu, or Mandriva. I'll be installing the LAMP server version of whichever I decide to go with, but I'd like to know from people if any of these distros have any major concerns I should know about. These concerns would be things like installations that require unusual methods, strange configurations, or just hacks to work around issues.
I installed a LAMP package on my netbook which is used for learning purposes, and I noticed that apache & mysql have their own group & username. Now, the LAMP server should ultimately run in runlevel 3, so should I create a username like "webserver" to login as to run the server? I'd like to think no one would use mysql or apache as a login and certainly not root.
At least one of my web businesses will require my php scripts to be able to create directories and files for each registered user. I was considering permissions to set as: directories = 774 & files = 664. Are these permissions ok? I know there might be a security risk involved. I also want to change the owner of the document root directory over to the username that will be created to run the webserver instead of having root as the document root owner. Is that acceptable?
Is there a way using the LAMP packages to install apache, mysql & php into a specific set of directories? I was able to do it when I installed apache from source, but the packages seem to lack install directory preferences, and what's worse is that, in my case, Mandriva installed the LAMP files ALL over the place which made tracking things down a royal pain. Is there a package install method that allows user specified directories? I would sure hate to have the source install method be the ONLY way to specify a directory. I'm not opposed to installing by source, but the problem is I have little faith in myself to "do it right". Sure I can do the basic source installs, but I don't want to accidentally miss something that a package install otherwise has covered. |
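What the modes proposed in the post above (directories 774, files 664) grant to the web server process, worked through as an added example that is not part of the thread. The uid/gid numbers and the "webserver" owner are constructed; the point is that Unix applies exactly one permission class (owner, else group, else other) to a non-root process.

```python
def granted(mode, owner_uid, group_gid, proc_uid, proc_gids):
    """rwx string a non-root process gets: exactly one class applies."""
    if proc_uid == owner_uid:
        bits = (mode >> 6) & 7      # owner class
    elif group_gid in proc_gids:
        bits = (mode >> 3) & 7      # group class
    else:
        bits = mode & 7             # other class
    return "".join(ch if bits & bit else "-"
                   for ch, bit in (("r", 4), ("w", 2), ("x", 1)))

def can_serve(dir_mode, file_mode, **who):
    """Reading a file needs search (x) on its directory and read (r) on the file."""
    return "x" in granted(dir_mode, **who) and "r" in granted(file_mode, **who)

def can_create(dir_mode, **who):
    """Creating an entry needs write and search (w+x) on the directory."""
    g = granted(dir_mode, **who)
    return "w" in g and "x" in g

# Constructed ids: docroot owned by webserver:webserver (1001:1001),
# Apache worker running as uid 48 with primary gid 48.
OWNER = dict(owner_uid=1001, group_gid=1001)
APACHE_OUTSIDE_GROUP = dict(OWNER, proc_uid=48, proc_gids={48})
APACHE_IN_GROUP = dict(OWNER, proc_uid=48, proc_gids={48, 1001})

def report(dir_mode=0o774, file_mode=0o664):
    """Map scenario -> (rights on directory, can serve files, can create entries)."""
    rows = {}
    for name, who in (("outside group", APACHE_OUTSIDE_GROUP),
                      ("in group", APACHE_IN_GROUP)):
        rows[name] = (granted(dir_mode, **who),
                      can_serve(dir_mode, file_mode, **who),
                      can_create(dir_mode, **who))
    return rows

if __name__ == "__main__":
    for dir_mode in (0o774, 0o775, 0o750):
        for name, row in report(dir_mode).items():
            print(oct(dir_mode), name, row)
```

With 774, a process in the "other" class can list a directory's names but cannot open anything inside it, so the PHP scripts only work if Apache's user owns the tree or belongs to its group, and in that case every member of the group can also create and delete entries.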
For a business, you need a long term stable distro; instead of Fedora, use Centos (free version of RHEL); instead of Ubuntu, use Ubuntu LTS (ie Long Term Stable ie server).
http://en.wikipedia.org/wiki/Red_Hat_Enterprise_Linux
http://en.wikipedia.org/wiki/CentOS
http://en.wikipedia.org/wiki/Fedora_(operating_system)
Just take the default install via the relevant pkg mgr for eg Centos. It will create the correct usernames/ownerships/perms etc. For the user dirs/files we need to know exactly what the purpose of these are. Know that creating a real business website ie secure (especially if it'll handle 'money') is a very tricky business. Obviously you'll need to enact SSL and do a lot of research.
http://www.w3schools.com/
http://www.php.net/manual/en/
Apache: http://httpd.apache.org/
MySQL: http://dev.mysql.com/doc/refman/5.0/en/
HTH |
Quote:
There is also a server build of Ubuntu; not all Ubuntu LTS versions are server versions, as some have all of the desktop stuff that you will not want. You will not want any desktop stuff, right? Quote:
Sure, there can be a bit of scurrying around to find things, but that seems like the lesser of several evils. |
I would agree with the Centos recommendation, we use it a lot and it's very stable. For the 'AMP' bit of your setup I'd recommend adding an up-to-date yum repository - we use this one:
http://www.jasonlitka.com/yum-repository/ By default Centos' yum is very conservative/old. Hope this helps, Toby |
Quote:
I'll add CentOS to my considerations. I plan on using 64bit for memory usage beyond 4 gigs, so hopefully they've all got 64bit apache, php, mysql installs. Quote:
Believe me I have been doing LOTS of research. SQL injection prevention, PHP session hijack prevention, URL injection prevention. XSS prevention. Using htmlentities() for output and escaping for input. Form validation (on a side note, you'd never believe how many sites say it's ok to use javascript to validate forms... that's total crap! Validation should ALWAYS be done server side) Most of my time has been in doing research... sometimes maddeningly so, but it's worth it =) I know that there's a lot involved, but I'm doing my best. I believe that I'll be all the wiser. I never like the idea of using a CMS because it'd take me forever to reverse engineer it and rework it to do what *I* want it to do, and I much liked the idea of writing it myself for the experience and customization. So far, I've gotten a decent site partially working. I've got a forum system that's working great with recaptcha integrated, a sweet navbar, and other things all coded myself. It's taking a while, but I really like doing it this way. |
Quote:
Looking at an image was a 2 step process: ftp to my account, then rename it so I could download it to a DOS 8.3 filename LOL! What I may have considered use of the GUI for was to easily configure some things first, then when I was ready to do some testing and launch, switch to runlevel 3 for the long haul. I know that you have to strip out all non-essential services, but how much of that is an issue in runlevel 3? I do intend to learn the command-line fully, but man there are just times where the GUI makes things so much easier to get things done. Quote:
Does that make any sense to you? Maybe I'm too old LOL! |
Quote:
So the answer is quite probably yes, but I'm not clear whether I mean 2010.4 or 2008.4. Or, probably they'll update the page soon. Or something. Quote:
Think about Webmin. CPanel. Fantastico (oh, all right, only think about that last one if you know what it does badly, and are prepared to avoid that stuff) and there are others, but if some of the dummies who claim to be able to do this stuff and who only really know the appearance/usability of web design get away with it, you'll do fine. Quote:
|
Quote:
I'm insanely curious. Does this mean you just start the server and leave it at a login prompt and everything is running at that point? Quote:
When I was reading up on hosts, I became increasingly dissuaded the more I looked into it. I didn't like how they'd bait you with dedicated server plan prices only to have the final price be astronomical once you modified the plan for what you REALLY needed. The hardware they offered for the price was unacceptable. In building my own system, I get the hardware that *I* want, plus I'm getting boatloads more storage capacity, ram capacity, processor muscle, raid options, etc... that I have TOTAL control over. I weighed the differences between managed dedicated hosting costs VS being able to do it myself and settled on doing it myself since I'm pretty confident I can handle it (knocks on every piece of wood in range). If later on I need more than what I have at home and need to set up a colo, then I'll cross that bridge when I get to it. One of the other upsides of having my own hardware is that if I need to have it hosted at a center, I'll have a little better idea of whether they're bullshitting me on certain details. Hosts seem to be notorious for doing as little as possible and taking "clueless" businesses for a ride. And who knows, maybe by then, home solutions will be the wave of the future (which I actually see happening). Quote:
LOL I see a lot of people bash RPM in favor of apt-get, so I guess that settles that... On a side note, isn't CentOS an RPM based linux given that it's based on RHEL? |
Quote:
You can su/sudo to root, but if it is impossible to directly login as root, all the script kiddies who try to brute-force/dictionary attack root will be wasting their time. Quote:
yum, zypper are (depending on rpm-based distro; the RedHat family is all yum (?) SuSE's brand of rpm-based is now zypper, and, of course yast, but it briefly supported yum, too). So all I am saying is that you could, if you really wanted to make life difficult for yourself, use the rpm command directly, if you do not want to turn into one of the warped souls who claim that rpm is all cr*p compared to apt-get, surrounded by clumps of torn-out hair, and only uttering words that I couldn't include in this message, please don't. Use something that allows the computer to do the stuff that the computer is good at and would be very tedious for you. |
Quote:
Thanks for the help man! Now it's time for me to pester the security forum with some WTF!!! questions =P |
Not to get off topic, but I think you might be missing a key factor in hosted at a data center vs. hosted at home. It is possible to offer much better uptime (if we take your hardware and software out of the picture since it could be identical) when running in a professionally run colo facility. I run what I would consider a low end setup at a data center, and it involves having everything needed being redundant. All servers have two power supplies, each to a different circuit, and each circuit on a different UPS, each UPS being fed from a different electrical grid. Also tack on a generator for when there is an extended power outage.
For network I run BGP, and multi home with multiple providers so I can route around carrier issues and outages. Everything is fully redundant here as well, and all servers are behind enterprise firewalls with only required ports being exposed to the internet. Running this type of setup from your house is basically going to be impossible. Now as a startup step it might work for you, but just understand that it isn't as simple as "buying a server with a certain spec is cheaper if you keep it under your desk than at a host". As for the distro to use I would lean to Debian over Ubuntu (even LTS) or CentOS. If you are really serious about the business I might even consider going to the full RHEL since pricing for a single server isn't that bad, and the major thing you will gain is support. |
Quote:
Most of the time, the power outages here are limited to a few minutes tops... except for the time that idiot hit the main pole and knocked power out for around 12 hours =P But I'm cool with that since it doesn't happen often enough where it's a problem (at least not the way I see it)... nothing a standard UPS can't handle for the most part. |
Sounds good. You might want to look into a colo that will sell you space in a rack only, and you provide the server. If you start out building the server you want at home now in a rack mount form factor you can easily ship to a colo when your business picks up and requires that type of stability.
|
I know PHP apps can be done securely, but they have a nasty tendency to be horribly insecure so you may want to make sure you've got a good monitoring and incident response plan in place before you get going too far.
If you haven't already, please head over to the Security forum and have a read through some of the stickies. There are a number of articles on hardening your system that you might find useful. Are you considering hardening like SELinux? How about monitoring like Aide or Samhain? Maybe lock down Apache a bit more with mod_security? Also, will any of your businesses be taking credit card numbers? |
Quote:
OK, lemme check my chickenscratch paper here... This is what I've got listed for things I'll need to look into for hardening and such:
- Fail2ban
- Bastille
- Grsecurity
- Sentry Tools
- Firestarter/Guarddog
- Apparmor
- Suhosin
So, how does that list look? I don't know if installing ALL of those is necessary or not... Samhain is one more thing I'll add to that list. One REALLY important thing that I think would be good is a decent H.I.P.S.
On a related note, trying to understand iptables is a royal pain in the ass. I've only glossed over it so far, but wow... I'm not sure I'd trust myself with making rule sets only to find out AFTER getting hacked that they didn't work @_@ manually editing looks to be a real pain, and firestarter/guarddog look to be able to handle some of it. Are firestarter/guarddog decent enough front-ends to work with iptables? Also, will those rules stick when switching to runlevel 3?
edit: yes I'll be installing mod_rewrite & mod_security
another edit: I'm also planning on buying a Checkpoint hardware firewall as well (model 1000n i think) |
Quote:
I think recovery is probably the easiest to deal with. You need decent backups that work. My personal take is that virtual machines are a nice way to deal with this as well. Of course before you can recover you need to have an investigation plan so you're not just restoring a crackable machine. You should have the CERT checklist bookmarked as well as the Security forum here. If you're willing to follow some procedures, there are some experienced investigators who like to tackle those problems. Detection is kind of a pain, but you need to worry about it. I like tools like Aide or Samhain, but I've also seen some experienced people voice concerns that those sorts of tools are among the first things good crackers would look for. Monitoring log files will also help. I don't take any issue with the list you've created although there is probably some redundancy. Just out of curiosity, you don't have SELinux as an option, did you exclude that? I don't know if any of the distros you're considering have SELinux enabled (I know RHEL does, so maybe Fedora does as well). I know SELinux can be a bear to get configured, but it might be worth considering if you haven't. Quote:
Basically, it looks like you're taking a decent approach. Redundancy is the key. |
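A sketch of the log monitoring suggested in the post above, applied to the root brute-force attempts mentioned earlier in the thread; this is an added example, not code from any poster. The log lines are constructed in the usual OpenSSH syslog format, and the function names and threshold are assumptions. The last failed line carries a crafted username that embeds a fake "from" address, which the greedy match ignores in favour of the address sshd itself appended.

```python
import re
from collections import Counter

# Constructed sample lines (documentation address ranges), not taken from the thread.
SAMPLE_LOG = """\
Jun 12 03:14:01 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jun 12 03:14:03 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jun 12 03:14:06 web1 sshd[2214]: Failed password for root from 203.0.113.7 port 40139 ssh2
Jun 12 03:14:09 web1 sshd[2217]: Failed password for invalid user admin from 203.0.113.7 port 40150 ssh2
Jun 12 03:15:20 web1 sshd[2280]: Failed password for root from 198.51.100.23 port 51502 ssh2
Jun 12 03:15:31 web1 sshd[2285]: Accepted password for deploy from 192.0.2.10 port 60022 ssh2
Jun 12 03:15:40 web1 sshd[2290]: Failed password for invalid user root from 192.0.2.10 port 22 ssh2 from 198.51.100.23 port 51515 ssh2
"""

# The user group is greedy, so the address taken is always the final
# "from <ip> port <n> ssh2" on the line, the part written by sshd.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>.*)"
    r" from (?P<ip>\S+) port \d+ ssh2\s*$"
)

def failed_logins(log_text):
    """Yield (user, ip, is_invalid_user) for each failed sshd password attempt."""
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            yield m.group("user"), m.group("ip"), bool(m.group("invalid"))

def root_attempts_by_ip(log_text):
    """Count failed password attempts against the real root account per source."""
    return Counter(ip for user, ip, invalid in failed_logins(log_text)
                   if user == "root" and not invalid)

def noisy_sources(log_text, threshold=3):
    """Sources with at least `threshold` failed attempts against any account."""
    totals = Counter(ip for _, ip, _ in failed_logins(log_text))
    return sorted(ip for ip, n in totals.items() if n >= threshold)

if __name__ == "__main__":
    print(dict(root_attempts_by_ip(SAMPLE_LOG)))
    print(noisy_sources(SAMPLE_LOG))
```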
Quote:
I've got a lot ahead of me. I'm kind of amazed that in the beginning, I thought it was as simple as many suggest to set up a LAMP server, but I'm finding that that's not really the case since security seems to be the biggest hurdle. Sure one could set up a LAMP easily (as long as you don't mind getting hacked), but securely is another ballgame altogether and requires that person almost to be a security expert. ARGH! You know... being that I'm a gun owner, think we could declare open season on all hackers? I'd love that *evil grin* |
Quote:
If you've tried it on your staging host (don't want to mess up production, right?) and no solutions or workarounds we can provide you with help then you have earned the right to call it whatever you want. |
Check point H/W is awesome!
|
might just be too late
Well... at this point, the only help I need is not the kind this forum can give.
Yesterday I was finally able to get through to the unemployment office (lines have been jammed), and the word was "there's no money". Everyone across the board who is on the federal extension just ran out. On paper, the extensions are available, but there's no funding to back it up. Currently, it's being held up in the senate. I work part time for the place that laid me off. We're in the housing/construction sector - civil engineering firm to be exact. The workload is so light, the boss has no idea if it'll be enough to stay in business. Meanwhile, they're letting me get enough hours in to pay the bills... at least for now, but... I mean, last month posted the worst housing figures ever. Commercial construction is almost non-existent. I was hoping to get something going in hopes that it would lead to something better, but right now, that just doesn't look possible, I can't even think straight, can't afford anything, and I may just lose my home soon. Things are bad... REALLY bad right now. I don't know when it's going to turn around, but I'm praying real hard for it. Whether or not you believe in a higher power or not, please muster up a prayer of some kind if you can. Do it for yourself and also for everyone else because we are ALL in very VERY SERIOUS trouble. |
That sounds like really tough times for you. I hope something goes your way soon.
|