Linux - GeneralThis Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
We have just setup a web server ( Rehdat 6 , apache 2,0 , PHP , mysql ) , all are standard setting , but no need to do HA , backup & restore is solved.
I just thinking is there any improvement that I can do to make it run better , in the aspect of security , performance , reliable etc , eg. is there any package that I can install to monitor the security , what security issue that I need to concern ? is there script that I should develop to monitor the performance .. etc
I am new to web server deployment , could advise what admin task that I should do for a web server ?
No need provide the detail step to do it , just would like to know what I should do .
Well after that, you setup iptables as strict as you can, maybe install something like tripwire, ossec, add an external firewall and monitor your audit, secure and webserver logs like crazy.
I don't believe in all the security by obscurity stuff. But i do believe in keeping things as standard to the base operating system base as possible with only the packages you need installed and always updated, but most importantly monitor the logs.
Many hacked servers are hacked mostly because of old software and not monitoring logs to detect and remedy early enough.
If you want to go further, get some application firewall going like mod_security and external monitoring with something like snort.
Honestly though so far in 1 year of my server being hooked up, snort goes crazy for many alerts but most those things are false because the firewall drops the packets anyway then onto the server side, 100% of problems or hack attempts so far have been people running scripts like wootwoot and zmeu and the odd few trying to connect as a proxy.
I have now got zmeu and wootwoot totally blocked via ip tables and only so often still see the proxy attempts, since i don't have the server configured as a proxy, i ignore those most the time.
But everyday i check my logs to see what people try doing. Log monitoring is the hardesk and unfortunately the most boring of sys admin work but the most important.
Other than that html content should have strict permissions. So don't set directory and file permissions 777. I set user and group to root and read permission only to apache unless strictly required otherwise. In that case i leave owner asroot and allow access via acl using setfacl etc. Load your temp directory on a seperate partition and set it to noexec in fstab.
As you can see there are tons of stuff but lots of it is not directly related to your question, hence for the other general sysadmin stuff, do read the redhat manuals. They really cover about 80% of what you need.
Last edited by ericson007; 11-20-2013 at 05:51 AM.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.