LinuxQuestions.org

Thread: LAMP questions: distros, install methods, permissions & user to run as (https://www.linuxquestions.org/questions/linux-server-73/lamp-questions-distros-install-methods-permissions-and-user-to-run-as-809809/)

whitestar73 05-24-2010 10:28 AM

LAMP questions: distros, install methods, permissions & user to run as
 
OK folks (linux n00b here), I'm going to be setting up a LAMP server eventually to host a couple web businesses running from home. I've got a few questions:

I'm considering the following distros: Fedora, Ubuntu, or Mandriva.
I'll be installing the LAMP server version of whichever I decide to go with, but I'd like to know from people if any of these distros have any major concerns I should know about. These concerns would be things like installations that require unusual methods, strange configurations, or just hacks to work around issues.

I installed a LAMP package on my netbook which is used for learning purposes, and I noticed that apache & mysql have their own group & username. Now, the LAMP server should ultimately run in runlevel 3, so should I create a username like "webserver" to login as to run the server? I'd like to think no one would use mysql or apache as a login and certainly not root.

At least one of my web businesses will require my php scripts to be able to create directories and files for each registered user. I was considering permissions to set as: directories = 774 & files = 664. Are these permissions ok? I know there might be a security risk involved. I also want to change the owner of the document root directory over to the username that will be created to run the webserver instead of having root as the document root owner. Is that acceptable?

Is there a way using the LAMP packages to install apache, mysql & php into a specific set of directories? I was able to do it when I installed apache from source, but the packages seem to lack install directory preferences, and what's worse is that, in my case, Mandriva installed the LAMP files ALL over the place which made tracking things down a royal pain. Is there a package install method that allows user specified directories? I would sure hate to have the source install method be the ONLY way to specify a directory. I'm not opposed to installing by source, but the problem is I have little faith in myself to "do it right". Sure I can do the basic source installs, but I don't want to accidentally miss something that a package install otherwise has covered.
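The permission question in this post (774 directories, 664 files, document root owned by the web server user) is the one a security reviewer would stop at first, because it makes every file under the document root writable by the web server's group. The script below is an added example, not code from this thread or from any distro's LAMP package; it builds a throwaway tree with those proposed modes, lists everything that is group- or world-writable, and then applies a tighter layout in which only the uploads tree is writable. The tree path, the file names and the `uploads` directory name are constructed for the demo; the web server account is left as a placeholder because changing ownership needs root.

```shell
#!/bin/sh
# Added example (not from the thread): audit a document root for
# over-permissive modes and show a least-privilege layout.
# Assumptions: POSIX sh with find/chmod/mktemp (GNU coreutils/findutils);
# the web server account is a placeholder (WEB_USER) and is not chowned here.

# List files and directories under $1 whose mode grants write to group (020)
# or other (002). With 774/664 everywhere, that is the whole tree.
find_writable() {
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print
}

# Build a demo tree in a temp dir using the modes proposed in the post
# (constructed sample content) and print its path.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/htdocs/app" "$d/htdocs/uploads/user1"
    printf '<?php echo 1;' > "$d/htdocs/app/index.php"
    printf 'x' > "$d/htdocs/uploads/user1/avatar.jpg"
    chmod 774 "$d/htdocs" "$d/htdocs/app" "$d/htdocs/uploads" "$d/htdocs/uploads/user1"
    chmod 664 "$d/htdocs/app/index.php" "$d/htdocs/uploads/user1/avatar.jpg"
    echo "$d"
}

# Tighten the layout: PHP code is read-only to the web server (755/644, owned
# by root in production); only the uploads tree is writable, and there the
# web server's group gets read access while "other" gets nothing (750/640).
harden_tree() {
    find "$1/htdocs" -path "$1/htdocs/uploads" -prune -o -type d -exec chmod 755 {} +
    find "$1/htdocs" -path "$1/htdocs/uploads" -prune -o -type f -exec chmod 644 {} +
    find "$1/htdocs/uploads" -type d -exec chmod 750 {} +
    find "$1/htdocs/uploads" -type f -exec chmod 640 {} +
    # In production, additionally: chown -R WEB_USER:WEB_USER "$1/htdocs/uploads"
    # (placeholder account name) and keep the code tree owned by root, so a bug
    # in a PHP script cannot rewrite the application's own code.
}

# Stand-alone demo: show the problem, fix it, show that nothing is left.
if [ -z "$NO_DEMO" ]; then
    tree=$(make_demo_tree)
    echo "group/world-writable entries before hardening:"
    find_writable "$tree"
    harden_tree "$tree"
    echo "after hardening: $(find_writable "$tree" | wc -l) writable entries"
    rm -rf "$tree"
fi
```

The point of the split is that the directories PHP must write into (per-user upload areas) are the only place the web server account has write access; the scripts themselves stay read-only to it, so a script flaw can corrupt user data but cannot replace `index.php`. Disabling directory listing in Apache, as the later post mentions, is a separate control and does not change these modes.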

chrism01 05-25-2010 03:03 AM

For a business, you need a long term stable distro; instead of Fedora, use Centos (free version of RHEL); instead of Ubuntu, use Ubuntu LTS (ie Long Term Stable ie server).
http://en.wikipedia.org/wiki/Red_Hat_Enterprise_Linux
http://en.wikipedia.org/wiki/CentOS
http://en.wikipedia.org/wiki/Fedora_(operating_system)

Just take the default install via the relevant pkg mgr, for eg Centos. It will create the correct usernames/ownerships/perms etc.

For the user dirs/files we need to know exactly what the purpose of these are.

Know that creating a real business website ie secure (especially if it'll handle 'money') is a very tricky business. Obviously you'll need to enact SSL and do a lot of research.
http://www.w3schools.com/
http://www.php.net/manual/en/

Apache: http://httpd.apache.org/
MySQL: http://dev.mysql.com/doc/refman/5.0/en/

HTH

salasi 05-25-2010 07:16 AM

Quote:

Originally Posted by chrism01 (Post 3980330)
...instead of Ubuntu, use Ubuntu LTS (ie Long Term Stable ie server)

From what I remember, Ubuntu uses LTS to mean Long Term Support; that is, the repos for updates (security updates will be a particular concern for you, of course) do not get switched off suddenly after a short period of time, and you can therefore carry on using it with re-install/new security holes.

There is also a server build of Ubuntu; not all Ubuntu LTS versions are server versions, as some have all of the desktop stuff that you will not want. You will not want any desktop stuff, right?

Quote:

For the user dirs/files we need to know exactly what the purpose of these are.

For most apps, if you build them yourself, you can have control over where the files go; to be honest, I don't see the big concern over this, unless you have some particular fiendish partition system in mind, and want to control physically where the files go (not where in the filesystem hierarchy they go, but, say, to a hard disk rather than an SSD, or to a volume with noatime set, for example).

Sure, there can be a bit of scurrying around to find things, but that seems like the lesser of several evils.

tobym 05-25-2010 10:30 AM

I would agree with the Centos recommendation, we use it a lot and it's very stable. For the 'AMP' bit of your setup I'd recommend adding an up-to-date yum repository - we use this one:

http://www.jasonlitka.com/yum-repository/

By default Centos' yum is very conservative/old.

Hope this helps,

Toby

whitestar73 05-25-2010 01:15 PM

Quote:

Originally Posted by chrism01 (Post 3980330)
For a business, you need a long term stable distro; instead of Fedora, use Centos (free version of RHEL); instead of Ubuntu, use Ubuntu LTS (ie Long Term Stable ie server).
http://en.wikipedia.org/wiki/Red_Hat_Enterprise_Linux
http://en.wikipedia.org/wiki/CentOS
http://en.wikipedia.org/wiki/Fedora_(operating_system)

OK, quick question: is this an LTS Ubuntu server? They claim it's for enterprises, so one would hope that it's LTS.

I'll add CentOS to my considerations.

I plan on using 64bit for memory usage beyond 4 gigs, so hopefully they've all got 64bit apache, php, mysql installs.

Quote:

Originally Posted by chrism01 (Post 3980330)
Just take the default install via the relevant pkg mgr for eg Centos. It will create the correct usernames/ownerships.perms etc.

OK, but is there a default username they have you logon to run the server? Or... is it whatever username you decide to create at the time of install is perfectly fine?

Quote:

Originally Posted by chrism01 (Post 3980330)
For the user dirs/files we need to know exactly what the purpose of these are.

The directories and files will be created with PHP and used to store files that are written to and accessed via the web interface. The users will not have direct access to the files or directories. I'll be disallowing directory "browsing" in apache. Users will be able to upload image files which will be resized and renamed when stored in the user's directory. I have some user information stored in flat-file which is why I'm creating directories and files, then there's other information stored in MySQL.

Quote:

Originally Posted by chrism01 (Post 3980330)
Know that creating a real business website ie secure (especially if it'll handle 'money') is a very tricky business. Obviously you'll need to enact SSL and do a lot of research.

I won't be dealing with any money transfers. The model uses advertising as the revenue source (I know it'll take a long time for a turnaround... or it may never). I also considered perhaps using a donation button using an outside payment gateway which would have it's own SSL transaction server.

Believe me I have been doing LOTS of research. SQL injection prevention, PHP session hijack prevention, URL injection prevention. XSS prevention. Using htmlentities() for output and escaping for input. Form validation (on a side note, you'd never believe how many sites say it's ok to use javascript to validate forms... that's total crap! Validation should ALWAYS be done server side) Most of my time has been in doing research... sometimes maddeningly so, but it's worth it =)

I know that there's a lot involved, but I'm doing my best. I believe that I'll be all the wiser. I never like the idea of using a CMS because it'd take me forever to reverse engineer it and rework it to do what *I* want it to do, and I much liked the idea of writing it myself for the experience and customization. So far, I've gotten a decent site partially working. I've got a forum system that's working great with recaptcha integrated, a sweet navbar, and other things all coded myself. It's taking a while, but I really like doing it this way.

whitestar73 05-25-2010 01:47 PM

Quote:

Originally Posted by salasi (Post 3980522)
You will not want any desktop stuff, right?

I doubt it. I know servers need to be run in runlevel 3, and I'm perfectly fine with that. I'm no stranger to the command-line, but I understand it's quite different from DOS which I used aeons ago =P I also used a linux shell through dialup to get on the net back before we ever needed firewalls. Lynx... PICO... NCFTP =)

Looking at an image was a 2 step process: ftp to my account, then rename it so I could download it to a DOS 8.3 filename LOL!

What I may have considered use of the GUI for was to easily configure some things first, then when I was ready to do some testing and launch, switch to runlevel 3 for the long haul. I know that you have to strip out all non-essential services, but how much of that is an issue in runlevel 3? I do intend to learn the command-line fully, but man there are just times where the GUI makes things so much easier to get things done.

Quote:

Originally Posted by salasi (Post 3980522)
For most apps, if you build them yourself, you can have control over where the files go; to be honest, I don't see the big concern over this, unless you have some particular fiendish partition system in mind, and want to control physically where the files go (not where in the filesystem hierarchy they go, but, say, to a hard disk rather than an SSD, or to a volume with noatime set, for example).

This may sound silly, but I like application installs to be as self-contained / stand-alone as possible. I've already experienced the "dependency hell" a couple times, and it's damned annoying. See, back in the days of DOS (get off my lawn ya punks!) programs installed self-contained with maybe a batch to launch it. That was real nice =) I don't know if it's for security reasons that some linux apps are installed to the 4 winds, but it makes little sense to me personally, and it likely can cause serious issues with updating the way I see it. I'm sure there's a reason for it, but I was really taken aback when I saw linux apps installed this way especially when I think of how many linux people harp on M$ with regards to the registry and apps putting files in the windows system directories etc... This really doesn't seem much different, but I was expecting installations that, to me, made a little more "structural" sense.

Does that make any sense to you? Maybe I'm too old LOL!

salasi 05-25-2010 03:27 PM

Quote:

Originally Posted by whitestar73 (Post 3980905)
OK, quick question: is this an LTS Ubuntu server? They claim it's for enterprises, so one would hope that it's LTS.

The page to which you link does not mention any particular version, but it's copyrighted 2010, so you could presume that it is referring to the 2010.4 release, which is LTS... but the pdf brochure linked to on that page describes Ubuntu Server Edition 2008.4 LTS.

So the answer is quite probably yes, but I'm not clear whether I mean 2010.4 or 2008.4. Or, probably they'll update the page soon. Or something.

Quote:

I'll add CentOS to my considerations.

That's a good idea.

Quote:

I plan on using 64bit for memory usage beyond 4 gigs, so hopefully they've all got 64bit apache, php, mysql installs.

I think it can be taken as read that anyone who has a 64 bit OS will have 64 bit versions of non-proprietary stuff (ie, stuff that they only have to feed through the compiler with the appropriate options) if they are serious; OTOH, if you are reliant on proprietary stuff, it may deserve more serious investigation.

Quote:

OK, but is there a default username they have you logon to run the server? Or... is it whatever username you decide to create at the time of install is perfectly fine?

At install time, you'll create root and another user; the server programs should not run as root, and will probably run as some user like www-run, web, or something. You won't log in as that user, and you'll probably prevent any logging in as either root or this other user.

Quote:

...I believe that I'll be all the wiser. I never like the idea of using a CMS because it'd take me forever to reverse engineer it and rework it to do what *I* want it to do, and I much liked the idea of writing it myself for the experience and customization. So far, I've gotten a decent site partially working.

And I suspect that everyone who has ever written a CMS (and there have been quite a few) has started from that position.

Quote:

I won't be dealing with any money transfers.

Makes things easier. Or, at least, reduces the pear-shaped-ness you'll suffer from if it does go pear shaped.

Quote:

What I may have considered use of the GUI for was to easily configure some things first, then when I was ready to do some testing and launch, switch to runlevel 3 for the long haul. I know that you have to strip out all non-essential services, but how much of that is an issue in runlevel 3? I do intend to learn the command-line fully, but man there are just times where the GUI makes things so much easier to get things done.

I know what you mean about ease of use, particularly if you normally use a GUI for everything. What you should do depends a bit on how you get your hosting, what you are allowed to do and what comes with it.

Think about Webmin. CPanel. Fantastico (oh, all right, only think about that last one if you know what it does badly, and are prepared to avoid that stuff) and there are others, but if some of the dummies who claim to be able to do this stuff and who only really know the appearance/usability of web design get away with it, you'll do fine.

Quote:

This may sound silly...

That depends on whether I decide to say it in a silly high pitched voice, doesn't it?

Quote:

but I like application installs to be as self-contained / stand-alone as possible. I've already experienced the "dependency hell" a couple times, and it's damned annoying.

  • Irrelevant; the package manager deals with it and sorts out dependencies. Dependency hell I've experienced, but not this century. (BTW, RPM is NOT a package manager, RPM is a system for packaging apps. Some other app deals with the business of using RPM and sorting out dependencies. If you use the RPM command directly, then it's all your own fault. Or you are really desperate to learn the hard way; have you considered Linux From Scratch :p )
  • If, in spite of that, you are philosophically inclined to keep things separate, you might prefer a BSD. There are disadvantages to that (effectively, 'bloat per unit application'), but you'd probably find the idea of how it works more to your liking.

The trouble is, a lot of this goes back to the Linux Filesystem Hierarchy, which has a number of historical features and general gnarliness. Whatever, the system does work, and work well, even if it's not intuitive. I wouldn't want to work without locate/updatedb though.

whitestar73 05-25-2010 06:41 PM

Quote:

Originally Posted by salasi (Post 3981047)
At install time, you'll create root and another user; the server programs should not run as root, and will probably run as some user like www-run, web, or something. You won't log in as that user, and you'll probably prevent any logging in as either root or this other user.

THAT caught my attention right away. I know that no one should ever run as root, but are you telling me that I shouldn't log in as the user EITHER? @_@

I'm insanely curious. Does this mean you just start the server and leave it at a login prompt and everything is running at that point?

Quote:

Originally Posted by salasi (Post 3981047)
I know what you mean about ease of use, particularly if you normally use a GUI for everything. What you should do depends a bit on how you get your hosting, what you are allowed to do and what comes with it.

Ah, I should have clarified this. I'm not going with a host. I'm building my own server, and I plan on using FIOS for business. I think the static ip 35/35 plan should have the bandwidth I need for a while.

When I was reading up on hosts, I became increasingly dissuaded the more I looked into it. I didn't like how they'd bait you with dedicated server plan prices only to have the final price be astronomical once you modified the plan for what you REALLY needed. The hardware they offered for the price was unacceptable. In building my own system, I get the hardware that *I* want, plus I'm getting boatloads more storage capacity, ram capacity, processor muscle, raid options, etc... that I have TOTAL control over. I weighed the differences between managed dedicated hosting costs VS being able to do it myself and settled on doing it myself since I'm pretty confident I can handle it (knocks on every piece of wood in range). If later on I need more than what I have at home and need to set up a colo, then I'll cross that bridge when I get to it. One of the other upsides of having my own hardware is that if I need to have it hosted at a center, I'll have a little better idea of whether they're bullshitting me on certain details. Hosts seem to be notorious for doing as little as possible and taking "clueless" businesses for a ride. And who knows, maybe by then, home solutions will be the wave of the future (which I actually see happening).

Quote:

Originally Posted by salasi (Post 3981047)
Think about Webmin. CPanel. Fantastico (oh, all right, only think about that last one if you know what it does badly, and are prepared to avoid that stuff)

I was looking at Webmin, but I wonder if I'll need it since I'll be doing the admin locally right here.

Quote:

Originally Posted by salasi (Post 3981047)
Irrelevant; the package manager deals with it and sorts out dependencies. Dependency hell I've experienced, but not this century. (BTW, RPM is NOT a package manager, RPM is a system for packaging apps. Some other app deals with the business of using RPM and sorting out dependencies. If you use the RPM command directly, then it's all your own fault. Or you are really desperate to learn the hard way; have you considered Linux From Scratch :p )

I umm...... officially learned the hard way (doh!)

LOL I see a lot of people bash RPM in favor of apt-get, so I guess that settles that... On a side note, isn't CentOS an RPM based linux given that it's based on RHEL?

salasi 05-26-2010 03:59 AM

Quote:

Originally Posted by whitestar73 (Post 3981191)
THAT caught my attention right away. I know that no one should ever run as root, but are you telling me that I shouldn't log in as the user EITHER? @_@

I'm insanely curious. Does this mean you just start the server and leave it at a login prompt and everything is running at that point?

No, what I meant is that you shouldn't log in as the 'pseudo-user' that has been set up to run the LAMP stack applications.

You can su/sudo to root, but if it is impossible to directly login as root, all the script kiddies who try to brute-force/dictionary attack root will be wasting their time.

Quote:

Ah, I should have clarified this. I'm not going with a host.

Note that you can probably ignore using CPanel, then. The way they do the pricing gives hosting suppliers, with lots of users, attractive costs per user, and as an end user the extra cost to you is low (or zero). As an individual user, you don't get that pricing.

Quote:

I was looking at Webmin, but I wonder if I'll need it since I'll be doing the admin locally right here.

...you still might find it makes things easier, although being able to get at the box physically is a big help.

Quote:

LOL I see a lot of people bash RPM in favor of apt-get, so I guess that settles that... On a side note, isn't CentOS an RPM based linux given that it's based on RHEL?

CentOS is RHEL without the branding, so you are right, it is RPM-based. But the point is that RPM is two things; a format and the rpm command, and neither of those things happen to be a dependency resolving package manager, so comparing rpm itself with a dependency resolving system would be odd.

yum, zypper are (depending on rpm-based distro; the RedHat family is all yum (?) SuSE's brand of rpm-based is now zypper, and, of course yast, but it briefly supported yum, too). So all I am saying is that you could, if you really wanted to make life difficult for yourself, use the rpm command directly, if you do not want to turn into one of the warped souls who claim that rpm is all cr*p compared to apt-get, surrounded by clumps of torn-out hair, and only uttering words that I couldn't include in this message, please don't. Use something that allows the computer to do the stuff that the computer is good at and would be very tedious for you.

whitestar73 05-26-2010 12:29 PM

Quote:

Originally Posted by salasi (Post 3981504)
No, what I meant is that you shouldn't log in as the 'pseudo-user' that has been set up to run the LAMP stack applications.

OK so no logging in as the "mysql" or "apache" users. I kinda figured that, but I needed clarification that I wasn't supposed to touch either of those.

Quote:

Originally Posted by salasi (Post 3981504)
CentOS is RHEL without the branding, so you are right, it is RPM-based. But the point is that RPM is two things; a format and the rpm command, and neither of those things happen to be a dependency resolving package manager, so comparing rpm itself with a dependency resolving system would be odd.

yum, zypper are (depending on rpm-based distro; the RedHat family is all yum (?) SuSE's brand of rpm-based is now zypper, and, of course yast, but it briefly supported yum, too). So all I am saying is that you could, if you really wanted to make life difficult for yourself, use the rpm command directly, if you do not want to turn into one of the warped souls who claim that rpm is all cr*p compared to apt-get, surrounded by clumps of torn-out hair, and only uttering words that I couldn't include in this message, please don't. Use something that allows the computer to do the stuff that the computer is good at and would be very tedious for you.

OK, I'll make a mental note to search any RPM based distro for a "dependency resolving" installer on that system and use that instead.

Thanks for the help man! Now it's time for me to pester the security forum with some WTF!!! questions =P

ComputerErik 05-26-2010 08:59 PM

Not to get off topic, but I think you might be missing a key factor in hosted at a data center vs. hosted at home. It is possible to offer much better uptime (if we take your hardware and software out of the picture since it could be identical) when running in a professionally run colo facility. I run what I would consider a low end setup at a data center, and it involves having everything needed being redundant. All servers have two power supplies, each to a different circuit, and each circuit on a different UPS, each UPS being fed from a different electrical grid. Also tack on a generator for when there is an extended power outage.

For network I run BGP, and multi home with multiple providers so I can route around carrier issues and outages. Everything is fully redundant here as well, and all servers are behind enterprise firewalls with only required ports being exposed to the internet. Running this type of setup from your house is basically going to be impossible. Now as a startup step it might work for you, but just understand that it isn't as simple as buying a server with a certain spec is cheaper if you keep it under your desk than at a host.

As for the distro to use I would lean to Debian over Ubuntu (even LTS) or CentOS. If you are really serious about the business I might even consider going to the full RHEL since pricing for a single server isn't that bad, and the major thing you will gain is support.

whitestar73 05-27-2010 09:15 AM

Quote:

Originally Posted by ComputerErik (Post 3982391)
Not to get off topic, but I think you might be missing a key factor in hosted at a data center vs. hosted at home. It is possible to offer much better uptime (if we take your hardware and software out of the picture since it could be identical) when running in a professionally run colo facility. I run what I would consider a low end setup at a data center, and it involves having everything needed being redundant. All servers have two power supplies, each to a different circuit, and each circuit on a different UPS, each UPS being fed from a different electrical grid. Also tack on a generator for when there is an extended power outage.

Oh yes, I know about those differences. I weighed them carefully, and decided I can deal with some inconveniences in return for running the setup that I want the way I want. The kind of system I'm putting together is the kind in terms of performance and capacity that a provider would salivate over the $hundreds$ a month they'd be charging. I could buy a new system each year with what they'd charge. The reason I'm putting together such a beefy system -now- is because I'm projecting for later, and I want a system that will perform and last a while. Such a system design will give me ample time to plan on what to do next whether it be a different setup still at home or a move to a colo.

Most of the time, the power outages here are limited to a few minutes tops... except for the time that idiot hit the main pole and knocked power out for around 12 hours =P But I'm cool with that since it doesn't happen often enough where it's a problem (at least not the way I see it)... nothing a standard UPS can't handle for the most part.

ComputerErik 05-28-2010 07:00 AM

Sounds good. You might want to look into a colo that will sell you space in a rack only, and you provide the server. If you start out building the server you want at home now in a rack mount form factor you can easily ship to a colo when your business picks up and requires that type of stability.

Hangdog42 05-28-2010 07:19 AM

I know PHP apps can be done securely, but they have a nasty tendency to be horribly insecure so you may want to make sure you've got a good monitoring and incident response plan in place before you get going too far.

If you haven't already, please head over to the Security forum and have a read through some of the stickies. There are a number of articles on hardening your system that you might find useful. Are you considering hardening like SELinux? How about monitoring like Aide or Samhain? Maybe lock down Apache a bit more with mod_security? Also, will any of your businesses be taking credit card numbers?

whitestar73 05-29-2010 12:03 PM

Quote:

Originally Posted by Hangdog42 (Post 3984059)
I know PHP apps can be done securely, but they have a nasty tendency to be horribly insecure so you may want to make sure you've got a good monitoring and incident response plan in place before you get going too far.

If you haven't already, please head over to the Security forum and have a read through some of the stickies. There are a number of articles on hardening your system that you might find useful. Are you considering hardening like SELinux? How about monitoring like Aide or Samhain? Maybe lock down Apache a bit more with mod_security? Also, will any of your businesses be taking credit card numbers?

I won't be touching credit cards, and if I ever do, I've looked into payment gateways that have their own secure end to deal with it. That's not to say that I wouldn't have more to deal with on my end however.

OK, lemme check my chickenscratch paper here... This is what I've got listed for things I'll need to look into for hardening and such:
Fail2ban
Bastille
Grsecurity
Sentry Tools
Firestarter/Guarddog
Apparmor
Suhosin

So, how does that list look? I don't know if installing ALL of those is necessary or not... Samhain is one more thing I'll add to that list.

One REALLY important thing that I think would be good is a decent H.I.P.S.

On a related note, trying to understand iptables is a royal pain in the ass. I've only glossed over it so far, but wow... I'm not sure I'd trust myself with making rule sets only to find out AFTER getting hacked that they didn't work @_@ manually editing looks to be a real pain, and firestarter/guarddog look to be able to handle some of it. Are firestarter/guarddog decent enough front-ends to work with iptables? Also, will those rules stick when switching to runlevel 3?

edit: yes I'll be installing mod_rewrite & mod_security

another edit: I'm also planning on buying a Checkpoint hardware firewall as well (model 1000n i think)

Hangdog42 05-30-2010 08:35 AM

Quote:

So, how does that list look? I don't know if installing ALL of those is necessary or not... Samhain is one more thing I'll add to that list.

To be honest, I look at it from more of a task perspective than a software collection. You've pretty much got three categories to worry about: prevention, detection and recovery. Obviously that is a gross oversimplification, but if you don't have all three of those covered, you'll be hurting if you get cracked.

I think recovery is probably the easiest to deal with. You need decent backups that work. My personal take is that virtual machines are a nice way to deal with this as well. Of course before you can recover you need to have an investigation plan so you're not just restoring a crackable machine. You should have the CERT checklist bookmarked as well as the Security forum here. If you're willing to follow some procedures, there are some experienced investigators who like to tackle those problems.

Detection is kind of a pain, but you need to worry about it. I like tools like Aide or Samhain, but I've also seen some experienced people voice concerns that those sorts of tools are among the first things good crackers would look for. Monitoring log files will also help.

I don't take any issue with the list you've created although there is probably some redundancy. Just out of curiosity, you don't have SELinux as an option, did you exclude that? I don't know if any of the distros you're considering have SELinux enabled (I know RHEL does, so maybe Fedora does as well). I know SELinux can be a bear to get configured, but it might be worth considering if you haven't.

Quote:

On a related note, trying to understand iptables is a royal pain in the ass. I've only glossed over it so far, but wow... I'm not sure I'd trust myself with making rule sets only to find out AFTER getting hacked that they didn't work @_@ manually editing looks to be a real pain, and firestarter/guarddog look to be able to handle some of it. Are firestarter/guarddog decent enough front-ends to work with iptables? Also, will those rules stick when switching to runlevel 3?

Actually, basic iptables is fairly straightforward once you've done a little reading. While tools like firestarter and guarddog are fine, I personally like writing rules by hand because then I understand how my firewall is doing what it does. However, that is very much a personal preference and if you're more comfortable starting with a tool, then certainly do so. The firewall should start in runlevel 3, but a quick check never hurts.

Basically, it looks like you're taking a decent approach. Redundancy is the key.
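To make the "write the rules by hand" advice concrete, here is an added example (not from this thread, and not the output of firestarter or guarddog) that generates a minimal iptables ruleset for a single LAMP host in the `iptables-restore(8)` file format: default DROP on INPUT, loopback and established traffic allowed, one ACCEPT per listed service port, a `recent`-based rate limit on new SSH connections, and a rate-limited LOG rule in front of the final drop so that monitoring has something to read. The port list and the log prefix are assumptions for the demo. The script only prints the ruleset; it does not touch the running firewall.

```shell
#!/bin/sh
# Added example (not from the thread): emit an iptables-restore format
# ruleset for a single web host. Nothing here modifies the live firewall.
# Assumptions: iptables with the state, limit and recent match modules;
# the default port list 22,80,443 is an assumption for the demo.

# Print the ruleset. $1 = comma-separated TCP ports to accept (default 22,80,443).
gen_lamp_rules() {
    ports=${1:-22,80,443}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
EOF
    # One ACCEPT per service port. For SSH, first record the source address and
    # drop it if it opened more than 5 new connections in the last 60 seconds.
    old_ifs=$IFS; IFS=,
    for p in $ports; do
        if [ "$p" = 22 ]; then
            echo "-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH"
            echo "-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 6 --name SSH -j DROP"
        fi
        echo "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    IFS=$old_ifs
    # Log what is about to be dropped by the chain policy, at most 10 lines a
    # minute so a scan cannot flood the log, then commit the table.
    cat <<EOF
-A INPUT -m limit --limit 10/min -j LOG --log-prefix "iptables-drop: " --log-level 4
COMMIT
EOF
}

# Stand-alone demo: print the default ruleset.
if [ -z "$NO_DEMO" ]; then
    gen_lamp_rules
fi
```

To use it, review the output, then load it with `iptables-restore < rules.txt` from a console session (not over SSH, unless you are sure port 22 is in the list). On CentOS the `iptables` init script reads `/etc/sysconfig/iptables` at boot, so `service iptables save` after loading makes the rules persist across reboots in any multi-user runlevel, which answers the runlevel 3 question above; `iptables -L -n -v` after a reboot is the quick check the reply recommends. The LOG lines land in the kernel log (`/var/log/messages` on CentOS) with the `iptables-drop:` prefix, which is what a log monitor would match on.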

whitestar73 05-30-2010 12:08 PM

Quote:

Originally Posted by Hangdog42 (Post 3986227)
I don't take any issue with the list you've created although there is probably some redundancy. Just out of curiosity, you don't have SELinux as option, did you exclude that? I don't know if any of the distros your considering have SELinux enabled (I know RHEL does, so maybe Fedora does as well). I know SELinux can be a bear to get configured, but it might be worth considering if you haven't.

I sheepishly admit to leaving SELinux out of the picture due to my apprehension about its complexity. The general consensus is that it's a real pain to work with (probably why it's SO secure).

I've got a lot ahead of me.

I'm kind of amazed that in the beginning, I thought it was as simple as many suggest to set up a LAMP server, but I'm finding that that's not really the case since security seems to be the biggest hurdle. Sure one could set up a LAMP easily (as long as you don't mind getting hacked), but securely is another ballgame altogether and requires that person almost to be a security expert. ARGH!

You know... beings that I'm a gun owner, think we could declare open season on all hackers? I'd love that *evil grin*

unSpawn 05-30-2010 02:26 PM

Quote:

Originally Posted by whitestar73 (Post 3986391)
The general consensus is that it's a real pain to work with

Half of the 'net is filled with deprecated HOWTOs, unmaintained documents, misinformation by developers and companies who never bothered to try things and opinions from people who say they know stuff, all trying to scare people away from even trying. The other half of the 'net basks in the light of progress: see the accounts of Real Life threats it stopped, see the web log of Dan Walsh, the improvements brought to Fedora and RHEL and the difference between using SELinux in RHEL3 versus how it works out-of-the-box right now.

If you've tried it on your staging host (don't want to mess up production, right?) and no solutions or workarounds we can provide you with help then you have earned the right to call it whatever you want.

moorthyvsm 06-17-2010 03:07 AM

Check point H/W is awesome!

unSpawn 06-17-2010 03:41 AM

Quote:

Originally Posted by moorthyvsm (Post 4006266)
Check point H/W is awesome!

Is it? From which vantage point slash how does this help the OP?

whitestar73 06-25-2010 03:29 PM

might just be too late
 
Well... at this point, the only help I need is not the kind this forum can give.

Yesterday I was finally able to get through to the unemployment office (lines have been jammed), and the word was "there's no money". Everyone across the board who is on the federal extension just ran out. On paper, the extensions are available, but there's no funding to back it up. Currently, it's being held up in the senate. I work part time for the place that laid me off. We're in the housing/construction sector - civil engineering firm to be exact. The workload is so light, the boss has no idea if it'll be enough to stay in business. Meanwhile, they're letting me get enough hours in to pay the bills... at least for now, but... I mean, last month posted the worst housing figures ever. Commercial construction is almost non-existent.

I was hoping to get something going in hopes that it would lead to something better, but right now, that just doesn't look possible, I can't even think straight, can't afford anything, and I may just lose my home soon.

Things are bad... REALLY bad right now. I don't know when it's going to turn around, but I'm praying real hard for it.

Whether or not you believe in a higher power or not, please muster up a prayer of some kind if you can. Do it for yourself and also for everyone else because we are ALL in very VERY SERIOUS trouble.

Hangdog42 06-26-2010 07:04 AM

That sounds like really tough times for you. I hope something goes your way soon.
