LinuxQuestions.org
Old 03-05-2013, 01:59 AM   #1
killout
LQ Newbie
 
Registered: Nov 2012
Posts: 14

Rep: Reputation: Disabled
My first production server. What should I focus on?


Hi.

I have experience in administration, but I have never implemented an installation of a real production environment.
Now I have to install a server that will be used in production.

It is a dedicated server at a datacenter.
This installation has:
centos 6.3
postgresql database
tomcat server and java webapp
mediawiki (and mysql db for it)

Which settings for security, backups and performance should I set up in these applications?
 
Old 03-05-2013, 02:07 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
Well, I wouldn't have two different databases on one box for one thing. Why not share?

We really can't just tell you magically how to configure *EVERYTHING*. Lots of it will be application specific, and we've no idea what this java web app is. If you use packages from the CentOS repository, then each will have reasonable defaults so just go with them outside of anything you know has special requirements.

As for things like backups, there are plenty of guides on how to achieve good backups; we can't start all this stuff from scratch.
 
1 members found this post helpful.
Old 03-05-2013, 10:14 PM   #3
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,358

Rep: Reputation: 2751
Everything acid_kewpie said

Also, use
Code:
chkconfig --list
to check what services are running; turn off those not strictly required.

Similarly, check /etc/sysconfig/iptables and tighten that down as much as possible.

You might want to consider disabling ipv6 unless you are going to use it. Most systems are still only really using ipv4.
http://www.unixtutorial.org/2009/12/...red-hat-linux/
 
1 members found this post helpful.
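
The service check suggested in the post above, as an added example that is not part of the original thread: it compares the `chkconfig --list` output against a list of required services. The sample output and the allowlist are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). The allowlist passed at the bottom is an
# assumption; replace it with the services this host actually needs.

# enabled_services FILE LEVEL -> names of services set "on" in runlevel LEVEL
enabled_services() {
    awk -v want="$2:on" '
        {
            for (i = 2; i <= NF; i++)
                if ($i == want) { print $1; break }
        }
    ' "$1"
}

# not_required FILE LEVEL "ALLOWLIST" -> enabled services missing from the allowlist
not_required() {
    for svc in $(enabled_services "$1" "$2"); do
        case " $3 " in
            *" $svc "*) ;;          # required, keep
            *) echo "$svc" ;;       # candidate for review
        esac
    done
}

# Constructed sample in the format printed by `chkconfig --list`,
# including the xinetd section, which has no runlevel columns.
SAMPLE_CHK=$(mktemp)
cat > "$SAMPLE_CHK" <<'EOF'
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
netconsole      0:off   1:off   2:off   3:off   4:off   5:off   6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off

xinetd based services:
        rsync:          off
EOF

# On a real host: chkconfig --list > /tmp/chk.txt, then pass that file instead.
not_required "$SAMPLE_CHK" 3 "crond sshd"
```

`chkconfig --list` reports what is configured to start in each runlevel, not what is running at the moment; a service that is dropped needs both `chkconfig NAME off` and `service NAME stop`.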
Old 03-06-2013, 06:43 AM   #4
killout
LQ Newbie
 
Registered: Nov 2012
Posts: 14

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by acid_kewpie
well I wouldn't have two different databases on one box for one thing, why not share?
Because MediaWiki's main DBMS is MySQL. I have installed MediaWiki with PostgreSQL, but most of the plugins support only MySQL.
 
Old 03-06-2013, 06:56 AM   #5
killout
LQ Newbie
 
Registered: Nov 2012
Posts: 14

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by chrism01
Everything acid_kewpie said
Also, use
Code:
chkconfig --list
to check what services are running; turn off those not strictly required.
Similarly, check /etc/sysconfig/iptables and tighten that down as much as possible.
http://www.unixtutorial.org/2009/12/...red-hat-linux/
Here is my config

chkconfig --list
Code:
abrt-ccpp       0:off   1:off   2:off   3:on    4:off   5:on    6:off
abrt-oops       0:off   1:off   2:off   3:on    4:off   5:on    6:off
abrtd           0:off   1:off   2:off   3:on    4:off   5:on    6:off
acpid           0:off   1:off   2:on    3:on    4:on    5:on    6:off
atd             0:off   1:off   2:off   3:on    4:on    5:on    6:off
auditd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
cpuspeed        0:off   1:on    2:on    3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
flute           0:off   1:off   2:on    3:on    4:on    5:on    6:off
haldaemon       0:off   1:off   2:off   3:on    4:on    5:on    6:off
httpd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
ip6tables       0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
irqbalance      0:off   1:off   2:off   3:on    4:on    5:on    6:off
jexec           0:on    1:on    2:on    3:on    4:on    5:on    6:on
kdump           0:off   1:off   2:off   3:on    4:on    5:on    6:off
lvm2-monitor    0:off   1:on    2:on    3:on    4:on    5:on    6:off
mdmonitor       0:off   1:off   2:on    3:on    4:on    5:on    6:off
messagebus      0:off   1:off   2:on    3:on    4:on    5:on    6:off
mysqld          0:off   1:off   2:on    3:on    4:on    5:on    6:off
netconsole      0:off   1:off   2:off   3:off   4:off   5:off   6:off
netfs           0:off   1:off   2:off   3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
ntpd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
ntpdate         0:off   1:off   2:off   3:off   4:off   5:off   6:off
postfix         0:off   1:off   2:on    3:on    4:on    5:on    6:off
postgresql-9.2  0:off   1:off   2:on    3:on    4:on    5:on    6:off
psacct          0:off   1:off   2:off   3:off   4:off   5:off   6:off
quota_nld       0:off   1:off   2:off   3:off   4:off   5:off   6:off
rdisc           0:off   1:off   2:off   3:off   4:off   5:off   6:off
restorecond     0:off   1:off   2:off   3:off   4:off   5:off   6:off
rngd            0:off   1:off   2:off   3:off   4:off   5:off   6:off
rsyslog         0:off   1:off   2:on    3:on    4:on    5:on    6:off
saslauthd       0:off   1:off   2:off   3:off   4:off   5:off   6:off
smartd          0:off   1:off   2:off   3:off   4:off   5:off   6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
svnserve        0:off   1:off   2:off   3:off   4:off   5:off   6:off
sysstat         0:off   1:on    2:on    3:on    4:on    5:on    6:off
tomcat7         0:off   1:off   2:on    3:on    4:on    5:on    6:off
udev-post       0:off   1:on    2:on    3:on    4:on    5:on    6:off

cat /etc/sysconfig/iptables
Code:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5432 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

And does a checklist exist, something like:
Centos
Turn on iptables
Turn on log rotation
turn off root account for ssh
turn on ntpd

postgresql
configure pg_hba.conf

tomcat
?

Also, I have found a useful link http://www.puschitz.com/SecuringLinux.shtml.
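
A way to review the iptables file posted above, as an added example that is not part of the original thread: it lists the TCP ports the INPUT chain accepts from any source address, so each one can be justified or restricted. The allowlist "22 80" is an assumption about what must be reachable from anywhere.

```shell
#!/bin/sh
# Added example (not from the thread): audit an iptables-save style rules file.

# world_open_ports FILE -> dports that INPUT accepts with no source restriction.
# Stops at the first unconditional REJECT/DROP, since later rules never match.
world_open_ports() {
    awk '
        $1 == "-A" && $2 == "INPUT" {
            if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP")) exit
            port = ""; src = 0; accept = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "--dport") port = $(i + 1)
                if ($i == "-s" || $i == "--source") src = 1
                if ($i == "-j" && $(i + 1) == "ACCEPT") accept = 1
            }
            if (accept && port != "" && !src) print port
        }
    ' "$1"
}

# unexpected_ports FILE "ALLOWED" -> world-open ports not on the allowlist
unexpected_ports() {
    for p in $(world_open_ports "$1"); do
        case " $2 " in
            *" $p "*) ;;
            *) echo "$p" ;;
        esac
    done
}

# INPUT rules copied from the file posted above.
SAMPLE_FW=$(mktemp)
cat > "$SAMPLE_FW" <<'EOF'
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5432 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
EOF

# Assumption: only SSH and HTTP are meant to be reachable from anywhere.
unexpected_ports "$SAMPLE_FW" "22 80"
```

A port that only known clients need can stay open for them alone by adding a source match to its rule, for example `-s 192.0.2.10` (a placeholder address), or the rule can be removed if every client is on the same host.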
 
Old 03-06-2013, 07:00 AM   #6
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
This guide is commonly used for security - http://www.nsa.gov/ia/mitigation_gui...s.shtml#linux2

But you really need to note that you're asking for knowledge that comprises an entire profession, there's so so so so much you *might* want to do.
 
1 members found this post helpful.
Old 03-06-2013, 07:11 PM   #7
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,358

Rep: Reputation: 2751
1. There's a complete set of (free to read) RHEL6 manuals here http://www.linuxtopia.org/online_boo...ion_index.html

2. As acid_kewpie suggested, if you've gone with MySQL, then you presumably don't need postgresql, so remove it.

3. The default install settings for RHEL/Centos are pretty reasonable, but you should probably start by checking (in addition to all of the above) the Security guide in that link in point 1.

The main point is that only you can say what you REALLY need; there's no real shortcut.
Sure, check logrotate is on; maybe install/setup logwatch to automatically screen the logfiles and email you.
 
Tags
centos, mediawiki, postgresql, tomcat