LinuxQuestions.org
Old 05-24-2010, 10:28 AM   #1
whitestar73
LQ Newbie
 
Registered: May 2010
Location: NJ
Distribution: Mandriva (for learning)
Posts: 13

Rep: Reputation: 0
LAMP questions: distros, install methods, permissions & user to run as


OK folks (linux n00b here), I'm going to be setting up a LAMP server eventually to host a couple web businesses running from home. I've got a few questions:

I'm considering the following distros: Fedora, Ubuntu, or Mandriva.
I'll be installing the LAMP server version of whichever I decide to go with, but I'd like to know from people if any of these distros have any major concerns I should know about. These concerns would be things like installations that require unusual methods, strange configurations, or just hacks to work around issues.

I installed a LAMP package on my netbook which is used for learning purposes, and I noticed that apache & mysql have their own group & username. Now, the LAMP server should ultimately run in runlevel 3, so should I create a username like "webserver" to login as to run the server? I'd like to think no one would use mysql or apache as a login and certainly not root.

At least one of my web businesses will require my php scripts to be able to create directories and files for each registered user. I was considering permissions to set as: directories = 774 & files = 664. Are these permissions ok? I know there might be a security risk involved. I also want to change the owner of the document root directory over to the username that will be created to run the webserver instead of having root as the document root owner. Is that acceptable?

Is there a way using the LAMP packages to install apache, mysql & php into a specific set of directories? I was able to do it when I installed apache from source, but the packages seem to lack install directory preferences, and what's worse is that, in my case, Mandriva installed the LAMP files ALL over the place which made tracking things down a royal pain. Is there a package install method that allows user specified directories? I would sure hate to have the source install method be the ONLY way to specify a directory. I'm not opposed to installing by source, but the problem is I have little faith in myself to "do it right". Sure I can do the basic source installs, but I don't want to accidentally miss something that a package install otherwise has covered.
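The 774/664 scheme asked about in the post above can be inspected by building it and listing what the group and "other" permission classes end up allowed to do. This is an added example, not part of the thread: the directory layout and file names are constructed, and the 750/640 comparison is an assumed tighter layout in which the web server account owns the tree and the group only reads.

```shell
#!/bin/sh
# Added example (not from the thread): report what "group" and "other"
# can do inside a document-root subtree, using only POSIX find/sed/sort.

# audit_tree DIR -> one "<FINDING> <path>" line per issue, sorted.
audit_tree() {
    {
        # Any member of the owning group can create or delete entries here.
        find "$1" -type d -perm -020 | sed 's/^/GROUP_WRITABLE_DIR /'
        # "other" has r but not x (the trailing 4 in 774): entry names can
        # be listed, but the entries themselves cannot be opened or stat'ed.
        find "$1" -type d -perm -004 ! -perm -001 | sed 's/^/OTHER_LIST_ONLY_DIR /'
        # Any member of the owning group can modify the file.
        find "$1" -type f -perm -020 | sed 's/^/GROUP_WRITABLE_FILE /'
        # Every local account can read the file (if it can reach it).
        find "$1" -type f -perm -004 | sed 's/^/OTHER_READABLE_FILE /'
    } | sort
}

# build_tree DIR DIRMODE FILEMODE: constructed per-user layout of the kind
# the post describes (a directory per registered user, data files inside).
build_tree() {
    mkdir -p "$1/users/alice"
    : > "$1/users/alice/profile.dat"
    : > "$1/users/alice/avatar.jpg"
    find "$1" -type d -exec chmod "$2" {} +
    find "$1" -type f -exec chmod "$3" {} +
}

# Demo: the modes from the post, then the assumed tighter pair.
tmp=$(mktemp -d)
build_tree "$tmp/site" 774 664
echo "== directories 774 / files 664 =="
audit_tree "$tmp/site"
build_tree "$tmp/site" 750 640
echo "== directories 750 / files 640 =="
audit_tree "$tmp/site"
rm -rf "$tmp"
```

With 774/664 every directory and file is reported at least once; with 750/640 the audit prints nothing, while the owning account (the one PHP runs as) can still create directories and files.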
 
Old 05-25-2010, 03:03 AM   #2
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,287

Rep: Reputation: 2034
For a business, you need a long term stable distro; instead of Fedora, use Centos (free version of RHEL); instead of Ubuntu, use Ubuntu LTS (ie Long Term Stable ie server).
http://en.wikipedia.org/wiki/Red_Hat_Enterprise_Linux
http://en.wikipedia.org/wiki/CentOS
http://en.wikipedia.org/wiki/Fedora_(operating_system)

Just take the default install via the relevant pkg mgr for eg Centos. It will create the correct usernames/ownerships/perms etc.

For the user dirs/files we need to know exactly what the purpose of these are.

Know that creating a real business website ie secure (especially if it'll handle 'money') is a very tricky business. Obviously you'll need to enact SSL and do a lot of research.
http://www.w3schools.com/
http://www.php.net/manual/en/

Apache: http://httpd.apache.org/
MySQL: http://dev.mysql.com/doc/refman/5.0/en/

HTH
 
Old 05-25-2010, 07:16 AM   #3
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 3,910

Rep: Reputation: 776
Quote:
Originally Posted by chrism01 View Post
...instead of Ubuntu, use Ubuntu LTS (ie Long Term Stable ie server)
From what I remember, Ubuntu uses LTS to mean Long Term Support; that is, the repos for updates (security updates will be a particular concern for you, of course) do not get switched off suddenly after a short period of time, and you can therefore carry on using it with re-install/new security holes.

There is also a server build of Ubuntu; not all Ubuntu LTS versions are server versions, as some have all of the desktop stuff that you will not want. You will not want any desktop stuff, right?

Quote:
For the user dirs/files we need to know exactly what the purpose of these are.
For most apps, if you build them yourself, you can have control over where the files go; to be honest, I don't see the big concern over this, unless you have some particular fiendish partition system in mind, and want to control physically where the files go (not where in the filesystem hierarchy they go, but, say, to a hard disk rather than an SSD, or to a volume with noatime set, for example).

Sure, there can be a bit of scurrying around to find things, but that seems like the lesser of several evils.
 
Old 05-25-2010, 10:30 AM   #4
tobym
LQ Newbie
 
Registered: May 2010
Posts: 4

Rep: Reputation: 0
I would agree with the Centos recommendation, we use it a lot and it's very stable. For the 'AMP' bit of your setup I'd recommend adding an up-to-date yum repository - we use this one:

http://www.jasonlitka.com/yum-repository/

By default Centos' yum is very conservative/old.

Hope this helps,

Toby
 
Old 05-25-2010, 01:15 PM   #5
whitestar73
LQ Newbie
 
Registered: May 2010
Location: NJ
Distribution: Mandriva (for learning)
Posts: 13

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by chrism01 View Post
For a business, you need a long term stable distro; instead of Fedora, use Centos (free version of RHEL); instead of Ubuntu, use Ubuntu LTS (ie Long Term Stable ie server).
http://en.wikipedia.org/wiki/Red_Hat_Enterprise_Linux
http://en.wikipedia.org/wiki/CentOS
http://en.wikipedia.org/wiki/Fedora_(operating_system)
OK, quick question: is this an LTS Ubuntu server? They claim it's for enterprises, so one would hope that it's LTS.

I'll add CentOS to my considerations.

I plan on using 64bit for memory usage beyond 4 gigs, so hopefully they've all got 64bit apache, php, mysql installs.

Quote:
Originally Posted by chrism01 View Post
Just take the default install via the relevant pkg mgr for eg Centos. It will create the correct usernames/ownerships.perms etc.
OK, but is there a default username they have you logon to run the server? Or... is it whatever username you decide to create at the time of install is perfectly fine?

Quote:
Originally Posted by chrism01 View Post
For the user dirs/files we need to know exactly what the purpose of these are.
The directories and files will be created with PHP and used to store files that are written to and accessed via the web interface. The users will not have direct access to the files or directories. I'll be disallowing directory "browsing" in apache. Users will be able to upload image files which will be resized and renamed when stored in the user's directory. I have some user information stored in flat-file which is why I'm creating directories and files, then there's other information stored in MySQL.

Quote:
Originally Posted by chrism01 View Post
Know that creating a real business website ie secure (especially if it'll handle 'money') is a very tricky business. Obviously you'll need to enact SSL and do a lot of research.
I won't be dealing with any money transfers. The model uses advertising as the revenue source (I know it'll take a long time for a turnaround... or it may never). I also considered perhaps using a donation button using an outside payment gateway which would have its own SSL transaction server.

Believe me I have been doing LOTS of research. SQL injection prevention, PHP session hijack prevention, URL injection prevention. XSS prevention. Using htmlentities() for output and escaping for input. Form validation (on a side note, you'd never believe how many sites say it's ok to use javascript to validate forms... that's total crap! Validation should ALWAYS be done server side) Most of my time has been in doing research... sometimes maddeningly so, but it's worth it =)

I know that there's a lot involved, but I'm doing my best. I believe that I'll be all the wiser. I never like the idea of using a CMS because it'd take me forever to reverse engineer it and rework it to do what *I* want it to do, and I much liked the idea of writing it myself for the experience and customization. So far, I've gotten a decent site partially working. I've got a forum system that's working great with recaptcha integrated, a sweet navbar, and other things all coded myself. It's taking a while, but I really like doing it this way.
 
Old 05-25-2010, 01:47 PM   #6
whitestar73
LQ Newbie
 
Registered: May 2010
Location: NJ
Distribution: Mandriva (for learning)
Posts: 13

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by salasi View Post
You will not want any desktop stuff, right?
I doubt it. I know servers need to be run in runlevel 3, and I'm perfectly fine with that. I'm no stranger to the command-line, but I understand it's quite different from DOS which I used aeons ago =P I also used a linux shell through dialup to get on the net back before we ever needed firewalls. Lynx... PICO... NCFTP =)

Looking at an image was a 2 step process: ftp to my account, then rename it so I could download it to a DOS 8.3 filename LOL!

What I may have considered use of the GUI for was to easily configure some things first, then when I was ready to do some testing and launch, switch to runlevel 3 for the long haul. I know that you have to strip out all non-essential services, but how much of that is an issue in runlevel 3? I do intend to learn the command-line fully, but man there are just times where the GUI makes things so much easier to get things done.

Quote:
Originally Posted by salasi View Post
For most apps, if you build them yourself, you can have control over where the files go; to be honest, I don't see the big concern over this, unless you have some particular fiendish partition system in mind, and want to control physically where the files go (not where in the filesystem hierarchy they go, but, say, to a hard disk rather than an SSD, or to a volume with noatime set, for example).
This may sound silly, but I like application installs to be as self-contained / stand-alone as possible. I've already experienced the "dependency hell" a couple times, and it's damned annoying. See, back in the days of DOS (get off my lawn ya punks!) programs installed self-contained with maybe a batch to launch it. That was real nice =) I don't know if it's for security reasons that some linux apps are installed to the 4 winds, but it makes little sense to me personally, and it likely can cause serious issues with updating the way I see it. I'm sure there's a reason for it, but I was really taken aback when I saw linux apps installed this way especially when I think of how many linux people harp on M$ with regards to the registry and apps putting files in the windows system directories etc... This really doesn't seem much different, but I was expecting installations that, to me, made a little more "structural" sense.

Does that make any sense to you? Maybe I'm too old LOL!
 
Old 05-25-2010, 03:27 PM   #7
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 3,910

Rep: Reputation: 776
Quote:
Originally Posted by whitestar73 View Post
OK, quick question: is this an LTS Ubuntu server? They claim it's for enterprises, so one would hope that it's LTS.
The page to which you link does not mention any particular version, but it's copyrighted 2010, so you could presume that it is referring to the 2010.4 release, which is LTS....but the pdf brochure linked to on that page describes Ubuntu Server Edition 2008.4 LTS.

So the answer is quite probably yes, but I'm not clear whether I mean 2010.4 or 2008.4. Or, probably they'll update the page soon. Or something.

Quote:
I'll add CentOS to my considerations.
That's a good idea.

Quote:
I plan on using 64bit for memory usage beyond 4 gigs, so hopefully They've all got 64bit apache, php, mysql installs.
I think it can be taken as read that anyone who has a 64 bit OS, will have 64 bit versions of non-proprietary stuff (ie, stuff that they only have to feed through the compiler with the appropriate options) if they are serious; OTOH, if you are reliant on proprietary stuff, it may deserve more serious investigation.

Quote:
OK, but is there a default username they have you logon to run the server? Or... is it whatever username you decide to create at the time of install is perfectly fine?
At install time, you'll create root and another user; the server programs should not run as root, and will probably run as some user like www-run, web, or something. You won't log in as that user, and you'll probably prevent any logging in as either root or this other user.

Quote:
...I believe that I'll be all the wiser. I never like the idea of using a CMS because it'd take me forever to reverse engineer it and rework it to do what *I* want it to do, and I much liked the idea of writing it myself for the experience and customization. So far, I've gotten a decent site partially working.
And I suspect that everyone who has ever written a CMS (and there have been quite a few) has started from that position.

Quote:
I won't be dealing with any money transfers.
Makes things easier. Or, at least, reduces the pear-shaped-ness you'll suffer from if it does go pear shaped.

Quote:
What I may have considered use of the GUI for was to easily configure some things first, then when I was ready to do some testing and launch, switch to runlevel 3 for the long haul. I know that you have to strip out all non-essential services, but how much of that is an issue in runlevel 3? I do intend to learn the command-line fully, but man there are just times where the GUI makes things so much easier to get things done.
I know what you mean about ease of use, particularly if you normally use a GUI for everything. What you should do depends a bit on how you get your hosting, what you are allowed to do and what comes with it.

Think about Webmin. CPanel. Fantastico (oh, all right, only think about that last one if you know what it does badly, and are prepared to avoid that stuff) and there are others, but if some of the dummies who claim to be able to do this stuff and who only really know the appearance/usability of web design get away with it, you'll do fine.

Quote:
This may sound silly...
That depends on whether I decide to say it in a silly high pitched voice, doesn't it?

Quote:
but I like application installs to be as self-contained / stand-alone as possible. I've already experienced the "dependency hell" a couple times, and it's damned annoying.
  • Irrelevant; the package manager deals with it and sorts out dependencies. Dependency hell I've experienced, but not this century. (BTW, RPM is NOT a package manager, RPM is a system for packaging apps. Some other app deals with the business of using RPM and sorting out dependencies. If you use the RPM command directly, then it's all your own fault. Or you are really desperate to learn the hard way; have you considered Linux From Scratch?)
  • If, in spite of that, you are philosophically inclined to keep things separate, you might prefer a BSD. There are disadvantages to that (effectively, 'bloat per unit application'), but you'd probably find the idea of how it works more to your liking.
The trouble is, a lot of this goes back to the Linux Filesystem Hierarchy, which has a number of historical features and general gnarliness. Whatever, the system as it is does work and work well, even if it's not intuitive. I wouldn't want to work without locate/updatedb though.
 
Old 05-25-2010, 06:41 PM   #8
whitestar73
LQ Newbie
 
Registered: May 2010
Location: NJ
Distribution: Mandriva (for learning)
Posts: 13

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by salasi View Post
At install time, you'll create root and another user; the server programs should not run as root, and will probably run as some user like www-run, web, or something. You won't log in as that user, and you'll probably prevent any logging in as either root or this other user.
THAT caught my attention right away. I know that no one should ever run as root, but are you telling me that I shouldn't log in as the user EITHER? @_@

I'm insanely curious. Does this mean you just start the server and leave it at a login prompt and everything is running at that point?

Quote:
Originally Posted by salasi View Post
I know what you mean about ease of use, particularly if you normally use a GUI for everything. What you should do depends a bit on how you get your hosting, what you are allowed to do and what comes with it.
Ah, I should have clarified this. I'm not going with a host. I'm building my own server, and I plan on using FIOS for business. I think the static ip 35/35 plan should have the bandwidth I need for a while.

When I was reading up on hosts, I became increasingly dissuaded the more I looked into it. I didn't like how they'd bait you with dedicated server plan prices only to have the final price be astronomical once you modified the plan for what you REALLY needed. The hardware they offered for the price was unacceptable. In building my own system, I get the hardware that *I* want, plus I'm getting boatloads more storage capacity, ram capacity, processor muscle, raid options, etc... that I have TOTAL control over. I weighed the differences between managed dedicated hosting costs VS being able to do it myself and settled on doing it myself since I'm pretty confident I can handle it (knocks on every piece of wood in range). If later on I need more than what I have at home and need to set up a colo, then I'll cross that bridge when I get to it. One of the other upsides of having my own hardware is that if I need to have it hosted at a center, I'll have a little better idea of whether they're bullshitting me on certain details. Hosts seem to be notorious for doing as little as possible and taking "clueless" businesses for a ride. And who knows, maybe by then, home solutions will be the wave of the future (which I actually see happening).

Quote:
Originally Posted by salasi View Post
Think about Webmin. CPanel. Fantastico (oh, all right, only think about that last one if you know what it does badly, and are prepared to avoid that stuff)
I was looking at Webmin, but I wonder if I'll need it since I'll be doing the admin locally right here.

Quote:
Originally Posted by salasi View Post
Irrelevant; the package manager deals with it and sorts out dependencies. Dependency hell I've experienced, but not this century. (BTW, RPM is NOT a package manager, RPM is a system for packaging apps. Some other app deals with the business of using RPM and sorting out dependencies. If you use the RPM command directly, then it's all your own fault. Or you are really desperate to learn the hard way; have you considered Linux From Scratch?)
I umm...... officially learned the hard way (doh!)

LOL I see a lot of people bash RPM in favor of apt-get, so I guess that settles that... On a side note, isn't CentOS an RPM based linux given that it's based on RHEL?
 
Old 05-26-2010, 03:59 AM   #9
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 3,910

Rep: Reputation: 776
Quote:
Originally Posted by whitestar73 View Post
THAT caught my attention right away. I know that no one should ever run as root, but are you telling me that I shouldn't log in as the user EITHER? @_@

I'm insanely curious. Does this mean you just start the server and leave it at a login prompt and everything is running at that point?
No, what I meant is that you shouldn't log in as the 'pseudo-user' that has been set up to run the LAMP stack applications.

You can su/sudo to root, but if it is impossible to directly log in as root, all the script kiddies who try to brute-force/dictionary attack root will be wasting their time.

Quote:
Ah, I should have clarified this. I'm not going with a host.
Note that you can probably ignore using CPanel, then. The way they do the pricing gives hosting suppliers, with lots of users, attractive costs per user, and as an end user the extra cost to you is low (or zero). As an individual user, you don't get that pricing.

Quote:
I was looking at Webmin, but I wonder if I'll need it since I'll be doing the admin locally right here.
...you still might find it makes things easier, although being able to get at the box physically, is a big help.

Quote:
LOL I see a lot of people bash RPM in favor of apt-get, so I guess that settles that... On a side note, isn't CentOS an RPM based linux given that it's based on RHEL?
CentOS is RHEL without the branding, so you are right, it is RPM-based. But the point is that RPM is two things; a format and the rpm command, and neither of those things happen to be a dependency resolving package manager, so comparing rpm itself with a dependency resolving system would be odd.

yum, zypper are (depending on rpm-based distro; the RedHat family is all yum (?) SuSE's brand of rpm-based is now zypper, and, of course yast, but it briefly supported yum, too). So all I am saying is that you could, if you really wanted to make life difficult for yourself, use the rpm command directly, if you do not want to turn into one of the warped souls who claim that rpm is all cr*p compared to apt-get, surrounded by clumps of torn-out hair, and only uttering words that I couldn't include in this message, please don't. Use something that allows the computer to do the stuff that the computer is good at and would be very tedious for you.
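The two account rules from the post above (the LAMP pseudo-users are never logged into, and root cannot be logged into directly) can be checked mechanically. This is an added example, not part of the thread: it assumes the `apache` and `mysql` account names mentioned in the thread, assumes remote logins go through OpenSSH and its `PermitRootLogin` setting, and runs on constructed sample files rather than the live `/etc/passwd` and `sshd_config`.

```shell
#!/bin/sh
# Added example (not from the thread): audit login exposure of the LAMP
# service accounts and of root, reading passwd- and sshd_config-format files.

# loginable_service_accounts PASSWD_FILE ACCOUNT...
# Prints "name:shell" for each named account whose shell field is not a
# nologin/false shell. An empty shell field is reported too, because the
# system then falls back to /bin/sh.
loginable_service_accounts() {
    passwd_file=$1
    shift
    for acct in "$@"; do
        awk -F: -v u="$acct" '
            $1 == u && $7 !~ /(nologin|false)$/ { print $1 ":" $7 }
        ' "$passwd_file"
    done
}

# root_login_setting SSHD_CONFIG
# Prints the PermitRootLogin value from the global section, or "unset".
# sshd keeps the first value it reads for a keyword and keywords are
# case-insensitive; scanning stops at the first Match block.
root_login_setting() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# write_samples DIR: constructed sample files for the demo.
write_samples() {
    mkdir -p "$1"
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
admin:x:500:500::/home/admin:/bin/bash
EOF
    cat > "$1/sshd_config" <<'EOF'
# constructed sample
Port 22
#PermitRootLogin yes
PermitRootLogin no
EOF
}

# Demo on the constructed samples.
tmp=$(mktemp -d)
write_samples "$tmp"
echo "Service accounts that still have a login shell:"
loginable_service_accounts "$tmp/passwd" apache mysql
echo "PermitRootLogin: $(root_login_setting "$tmp/sshd_config")"
rm -rf "$tmp"
```

On a real host, point the functions at `/etc/passwd` and the sshd configuration file; an `unset` result means the OpenSSH built-in default applies, which differs between versions.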
 
Old 05-26-2010, 12:29 PM   #10
whitestar73
LQ Newbie
 
Registered: May 2010
Location: NJ
Distribution: Mandriva (for learning)
Posts: 13

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by salasi View Post
No, what I meant is that you shouldn't log in as the 'pseudo-user' that has been set up to run the LAMP stack applications.
OK so no logging in as the "mysql" or "apache" users. I kinda figured that, but I needed clarification that I wasn't supposed to touch either of those.

Quote:
Originally Posted by salasi View Post
CentOS is RHEL without the branding, so you are right, it is RPM-based. But the point is that RPM is two things; a format and the rpm command, and neither of those things happen to be a dependency resolving package manager, so comparing rpm itself with a dependency resolving system would be odd.

yum, zypper are (depending on rpm-based distro; the RedHat family is all yum (?) SuSE's brand of rpm-based is now zypper, and, of course yast, but it briefly supported yum, too). So all I am saying is that you could, if you really wanted to make life difficult for yourself, use the rpm command directly, if you do not want to turn into one of the warped souls who claim that rpm is all cr*p compared to apt-get, surrounded by clumps of torn-out hair, and only uttering words that I couldn't include in this message, please don't. Use something that allows the computer to do the stuff that the computer is good at and would be very tedious for you.
OK, I'll make a mental note to search any RPM based distro for a "dependency resolving" installer on that system and use that instead.

Thanks for the help man! Now it's time for me to pester the security forum with some WTF!!! questions =P
 
Old 05-26-2010, 08:59 PM   #11
ComputerErik
Member
 
Registered: Apr 2005
Location: NYC
Distribution: Debian, RHEL
Posts: 268

Rep: Reputation: 42
Not to get off topic, but I think you might be missing a key factor in hosted at a data center vs. hosted at home. It is possible to offer much better uptime (if we take your hardware and software out of the picture since it could be identical) when running in a professionally run colo facility. I run what I would consider a low end setup at a data center, and it involves having everything needed being redundant. All servers have two power supplies, each to a different circuit, and each circuit on a different UPS, each UPS being fed from a different electrical grid. Also tack on a generator for when there is an extended power outage.

For network I run BGP, and multi home with multiple providers so I can route around carrier issues and outages. Everything is fully redundant here as well, and all servers are behind enterprise firewalls with only required ports being exposed to the internet. Running this type of setup from your house is basically going to be impossible. Now as a startup step it might work for you, but just understand that it isn't as simple as buying a server with a certain spec being cheaper if you keep it under your desk than at a host.

As for the distro to use I would lean to Debian over Ubuntu (even LTS) or CentOS. If you are really serious about the business I might even consider going to the full RHEL since pricing for a single server isn't that bad, and the major thing you will gain is support.
 
Old 05-27-2010, 09:15 AM   #12
whitestar73
LQ Newbie
 
Registered: May 2010
Location: NJ
Distribution: Mandriva (for learning)
Posts: 13

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by ComputerErik View Post
Not to get off topic, but I think you might be missing a key factor in hosted at a data center vs. hosted at home. It is possible to offer much better uptime (if we take your hardware and software out of the picture since it could be identical) when running in a professionally run colo facility. I run what I would consider a low end setup at a data center, and it involves having everything needed being redundant. All servers have two power supplies, each to a different circuit, and each circuit on a different UPS, each UPS being fed from a different electrical grid. Also tack on a generator for when there is an extended power outage.
Oh yes, I know about those differences. I weighed them carefully, and decided I can deal with some inconveniences in return for running the setup that I want the way I want. The kind of system I'm putting together is the kind in terms of performance and capacity that a provider would salivate over the $hundreds$ a month they'd be charging. I could buy a new system each year with what they'd charge. The reason I'm putting together such a beefy system -now- is because I'm projecting for later, and I want a system that will perform and last a while. Such a system design will give me ample time to plan on what to do next whether it be a different setup still at home or a move to a colo.

Most of the time, the power outages here are limited to a few minutes tops... except for the time that idiot hit the main pole and knocked power out for around 12 hours =P But I'm cool with that since it doesn't happen often enough where it's a problem (at least not the way I see it)... nothing a standard UPS can't handle for the most part.
 
Old 05-28-2010, 07:00 AM   #13
ComputerErik
Member
 
Registered: Apr 2005
Location: NYC
Distribution: Debian, RHEL
Posts: 268

Rep: Reputation: 42
Sounds good. You might want to look into a colo that will sell you space in a rack only, and you provide the server. If you start out building the server you want at home now in a rack mount form factor you can easily ship to a colo when your business picks up and requires that type of stability.
 
Old 05-28-2010, 07:19 AM   #14
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,790
Blog Entries: 1

Rep: Reputation: 414
I know PHP apps can be done securely, but they have a nasty tendency to be horribly insecure so you may want to make sure you've got a good monitoring and incident response plan in place before you get going too far.

If you haven't already, please head over to the Security forum and have a read through some of the stickies. There are a number of articles on hardening your system that you might find useful. Are you considering hardening like SELinux? How about monitoring like Aide or Samhain? Maybe lock down Apache a bit more with mod_security? Also, will any of your businesses be taking credit card numbers?

Last edited by Hangdog42; 05-28-2010 at 07:20 AM.
 
Old 05-29-2010, 12:03 PM   #15
whitestar73
LQ Newbie
 
Registered: May 2010
Location: NJ
Distribution: Mandriva (for learning)
Posts: 13

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by Hangdog42 View Post
I know PHP apps can be done securely, but they have a nasty tendency to be horribly insecure so you may want to make sure you've got a good monitoring and incident response plan in place before you get going too far.

If you haven't already, please head over to the Security forum and have a read through some of the stickies. There are a number of articles on hardening your system that you might find useful. Are you considering hardening like SELinux? How about monitoring like Aide or Samhain? Maybe lock down Apache a bit more with mod_security? Also, will any of your businesses be taking credit card numbers?
I won't be touching credit cards, and if I ever do, I've looked into payment gateways that have their own secure end to deal with it. That's not to say that I wouldn't have more to deal with on my end however.

OK, lemme check my chickenscratch paper here... This is what I've got listed for things I'll need to look into for hardening and such:
Fail2ban
Bastille
Grsecurity
Sentry Tools
Firestarter/Guarddog
Apparmor
Suhosin

So, how does that list look? I don't know if installing ALL of those is necessary or not... Samhain is one more thing I'll add to that list.

One REALLY important thing that I think would be good is a decent H.I.P.S.

On a related note, trying to understand iptables is a royal pain in the ass. I've only glossed over it so far, but wow... I'm not sure I'd trust myself with making rule sets only to find out AFTER getting hacked that they didn't work @_@ manually editing looks to be a real pain, and firestarter/guarddog look to be able to handle some of it. Are firestarter/guarddog decent enough front-ends to work with iptables? Also, will those rules stick when switching to runlevel 3?

edit: yes I'll be installing mod_rewrite & mod_security

another edit: I'm also planning on buying a Checkpoint hardware firewall as well (model 1000n i think)

Last edited by whitestar73; 05-29-2010 at 12:06 PM.
 
  

