Best distro for a web server

r3sistance · 11-04-2009, 02:17 PM

You don't need GUI for CentOS, personally I only use a vnc desktop for none administrative things. To add or remove programs the YUM (yellowdog Updater, Modifier) can be used. I suspect the GUI tool is just an interface for YUM.

A GUI uses more resources, personally I don't use GUI's other then vncserver for some casual activities now and then. You can disable a GUI post installation, you can also do installation via the GUI installer but not install any GUI facilities. Personally unless LVM is involved I use the text based installer... probably just from being so use to using it.

salasi · 11-04-2009, 02:18 PM

Quote:

Originally Posted by Orange Sunshine

...Just out of curiosity, what is it about Ubuntu that you dislike for a web server? Is it just that it takes up more resources because of the fact that it is a desktop OS?

well, I can't speak for anyone else but...

A definite 'gotcha' with Ubuntu is that it has the nasty habit of running services automatically when you install them. Most distros think that you should make a decision to run a service even though you have installed it, and this seems safer (you might not have configured the service as you like at that point, or, as I did once, only installed it to get a look at the man page).

Of course, when you know this is going to happen, it is not so much of a problem, but it only has to get you once in a big way...

The 'no root' model used by Ubuntu always seems a bit dubious for me in a non-desktop application, but isn't necessarily that dangerous.

In general, the friendly Ubuntu model, provided that you don't use a GUI, use their server kernel, use an LTS edition, probably is workable, but I couldn't describe it as the most appropriate for a professional server (probably different for a home server and if you already have Ubuntu experience) when there are good choices available.

Quote:

should I try to look for a package with php, ssh, apache, and mysql already installed (if that even exists) or just grab the latest CentOS and install all that stuff separately? Keep in mind, I'm pretty new to everything and installing a DB in Linux seems kinda scary to me.

You can get distros specifically intended for Lamp stack applications (SLAMM?), but you are worrying about the wrong problem. For practically every modern distro, installing common packages is a snap. There is a package installer. You tell it you want the package. It does it, including getting any libraries that are needed. Where is the problem?

Well, to answer my own rhetorical question, the problem is that this installs the package, but does not configure it, necessarily. Configuring packages, particularly if there is a security impact, is the bit that might cause head-scratching, but that's always the way, isn't it?

Quote:

My main concern is security. I would like it to be as maintenance free and secure as possible (dreaming?).

Yes, you are dreaming. When bugs show up, as they will, in the apps that you use, you will need to grab the updates and do it quickly. Fortunately, this is easy, but you can't ignore it. Unfortunately, that may mean that you need to re-test stuff if it is, eg, your database app, and an upgrade has the possibility of breaking things.

Quote:

ports I need to close/open?

Be very very careful with anything facing a threat (the internet and maybe also your own net, depending). Firewalls have been mentioned (which is good) but you shouldn't install unnecessary stuff (anything you don't have won't be listening on any port).

Part of this is about the structure of the network (do you have a DMZ?) and that hasn't been discussed.

Quote:

or do I just need to keep the OS up to date...Will Linux update itself automatically without requiring an restart?

Not 'automagically' but its a simple process. Usually only kernel changes need a re-boot, although there is even an app (ksplice) to deal with that. However, if you don't have some kind of test server somewhere, which may also be your desktop, you'll always be taking a leap in the dark with some updates.

Quote:

There will be sensitive data on the machine and I don't really know what I need to do to ensure that it remains secure. Are there other security applications I need to install?

If, by secure you mean that you don't want it to be corrupted, that sounds like a backup. If you mean that you are storing the secrets of three letter agencies and you don't want people to access it, you are way beyond my pay grade... Way, way, way beyond my pay grade.

You could do worse than read this:
http://www.cyberciti.biz/tips/linux-security.html which is probably as good coverage of the basics as I have seen.

Orange Sunshine · 11-04-2009, 02:32 PM

Quote:

Originally Posted by r3sistance

You don't need GUI for CentOS, personally I only use a vnc desktop for none administrative things. To add or remove programs the YUM (yellowdog Updater, Modifier) can be used. I suspect the GUI tool is just an interface for YUM.

A GUI uses more resources, personally I don't use GUI's other then vncserver for some casual activities now and then. You can disable a GUI post installation, you can also do installation via the GUI installer but not install any GUI facilities. Personally unless LVM is involved I use the text based installer... probably just from being so use to using it.

Thank you for clearing that up for me!

EricTRA · 11-04-2009, 02:34 PM

Hi,

My personal favorite is Debian, it's quite secure, comes out with patches real quick when vulnerabilities are detected, and using the NETINST cd you just get the basics and setup what you need, nothing more or nothing less. I've installed Debian on several servers used in a production environment and used on the internet and haven't encountered a serious problem yet. Following up on outcoming patches of course along with keeping your server up to date is a must. For Debian you can check out Debian Security. I have that page as a newsfeed in my homepage. Great info and up to date.

I wouldn't install a GUI either, especially not for a server, get used to the command line and administer it from there.

As stated by other users already, the more services you run, known or unknown, the more vulnerable you are. Since your main goal is security, keep that last in mind.

Kind regards,

Eric

Orange Sunshine · 11-04-2009, 02:36 PM

Quote:

Originally Posted by salasi

well, I can't speak for anyone else but...

A definite 'gotcha' with Ubuntu is that it has the nasty habit of running services automatically when you install them. Most distros think that you should make a decision to run a service even though you have installed it, and this seems safer (you might not have configured the service as you like at that point, or, as I did once, only installed it to get a look at the man page).

Of course, when you know this is going to happen, it is not so much of a problem, but it only has to get you once in a big way...

The 'no root' model used by Ubuntu always seems a bit dubious for me in a non-desktop application, but isn't necessarily that dangerous.

In general, the friendly Ubuntu model, provided that you don't use a GUI, use their server kernel, use an LTS edition, probably is workable, but I couldn't describe it as the most appropriate for a professional server (probably different for a home server and if you already have Ubuntu experience) when there are good choices available.

You can get distros specifically intended for Lamp stack applications (SLAMM?), but you are worrying about the wrong problem. For practically every modern distro, installing common packages is a snap. There is a package installer. You tell it you want the package. It does it, including getting any libraries that are needed. Where is the problem?

Well, to answer my own rhetorical question, the problem is that this installs the package, but does not configure it, necessarily. Configuring packages, particularly if there is a security impact, is the bit that might cause head-scratching, but that's always the way, isn't it?

Yes, you are dreaming. When bugs show up, as they will, in the apps that you use, you will need to grab the updates and do it quickly. Fortunately, this is easy, but you can't ignore it. Unfortunately, that may mean that you need to re-test stuff if it is, eg, your database app, and an upgrade has the possibility of breaking things.

Be very very careful with anything facing a threat (the internet and maybe also your own net, depending). Firewalls have been mentioned (which is good) but you shouldn't install unnecessary stuff (anything you don't have won't be listening on any port).

Part of this is about the structure of the network (do you have a DMZ?) and that hasn't been discussed.

Not 'automagically' but its a simple process. Usually only kernel changes need a re-boot, although there is even an app (ksplice) to deal with that. However, if you don't have some kind of test server somewhere, which may also be your desktop, you'll always be taking a leap in the dark with some updates.

If, by secure you mean that you don't want it to be corrupted, that sounds like a backup. If you mean that you are storing the secrets of three letter agencies and you don't want people to access it, you are way beyond my pay grade... Way, way, way beyond my pay grade.

You could do worse than read this:
http://www.cyberciti.biz/tips/linux-security.html which is probably as good coverage of the basics as I have seen.

Great help! You answered many of my questions. The security link you gave me looks like exactly the information I am looking for as a beginner. Awesome!

I think I have a good basis to make decisions now and some good resources for security information. Thanks everyone!

r3sistance · 11-04-2009, 02:52 PM

I would point out on the whole security side, the protocols you run are also important to consider, standard FTP and VNC connections for example are highly insecure (sends login details in plain text format across the internet). I would also point out that the SSH daemon already has SCP and SFTP built-in, what are more secured methods of file transfers then FTP.

Jim Bengtson · 11-04-2009, 03:06 PM

Quote:

I wouldn't recommend Ubuntu. One thing I've learned in my line of work is desktop OS stinks at being server OS.

Have you tried using the server version of Ubuntu, rather than the Desktop version? Both are based on Debian, but with distinctly different purposes. The server version doesn't even have a GUI interface.

Quote:

A definite 'gotcha' with Ubuntu is that it has the nasty habit of running services automatically when you install them. Most distros think that you should make a decision to run a service even though you have installed it, and this seems safer

When you install the server version of Ubuntu, at the start you are given the option of changing the default install settings. Hit the F6 key twice, and you'll be able to select "Expert" mode, which will give you full control over the Debian installer, including which packages are installed on the new server.

I haven't seen any serious weakness in Ubuntu server versus any other Linux server. I would not suggest using Ubuntu Desktop as a server.

r3sistance · 11-04-2009, 03:28 PM

I think you misunderstood that point, what salasi was saying is when you say, install mysqld, Ubuntu will make it active/started from the get-go... not sure if that one is true but that's how I read it. So when you apt-get anything, other distributions give you the chance to pre-configure the service before actually starting it, it can be a security flaw to automatically start services without the ability to preconfigure.

As far as Ubuntu server, I can't understand why anybody would use it over Debian in the first place... Debian is there and already does all those server tasks much more effectively IMO and is easier to administrate. Then again I just don't get on with Ubuntu what-so-ever, so might be baised on that one. The whole no root thing (I still believe this is completely pointless and in some respects lowers the level of security and can cause maintenance headaches further down the line), the multiple times I have had graphical issues with Ubuntu... and worst of all, their love of the most horrid UI colour scheme I have ever seen... why so much Orange in the default settings, even RHEL's Red interface seems better then that...

cantab · 11-04-2009, 05:42 PM

Quote:

Originally Posted by Orange Sunshine

I was kinda under the impression that I would not have a desktop GUI if I was installing CentOS. Do I have a choice? Is there a reason to or not to install the GUI version? I will be managing remotely so obviously the GUI would be of no use then but I will have the box physically when installing and if a GUI would make things easier installing and there aren't any disadvantages to having the GUI then why not? I'm confused.

You can have a GUI is you want. You don't need one on a server, but if you're not comfortable with working from a plain terminal you might find a GUI easier. Copy-and-paste certainly springs to mind as something MUCH easier to do with a GUI.

Quote:

Originally Posted by r3sistance

As far as Ubuntu server, I can't understand why anybody would use it over Debian in the first place...

Memories of the long time between releases of Woody and Sarge...
On the flipside, Ubuntu LTS releases are generally supported for LONGER than Debian releases. Debian stops support for the previous stable releases one year after the new one. That means when you install Debian, you don't know how long it's supported for - because Debian doesn't stick to a defined release schedule. (Not saying that's bad or good, but it's how they do it)
Ubuntu intend to continue support for server use of LTS releases for 5 years from initial release, 3 years from release of the next LTS. That also means when you make an Ubuntu install you know how long it gets security updates for before you have to upgrade. (Assuming the project doesn't go belly-up, but that's a risk you take with any operating system)
And then there's the benefit of only having to deal with one distro. Ubuntu on the desktops and on the servers.

Quote:

Originally Posted by r3sistance

and worst of all, their love of the most horrid UI colour scheme I have ever seen... why so much Orange in the default settings, even RHEL's Red interface seems better then that...

I like the brown. I've grown used to it. I've made my Arch Linux use the same colours.

chrism01 · 11-04-2009, 07:36 PM

Here's the RHEL/Centos v5 Admin/Deployment guide; http://www.linuxtopia.org/online_boo...ion/index.html .

As above, you can install using the GUI (this distro comes with just about everything you need in the repos), then, when it's prod ready, you can reboot it into level 3, which means it runs without the GUI; your choice.

Certainly go through the list of services/daemons avail and only run the ones you need.
Security is a process, not a product, so you'll have to read the docs.
Updates are up to you, the default is for the update daemon to run every 4 hrs iirc, or you can disable it and run it manually when you want eg 'yum update' as root.
For a business, it's a good idea to have a secondary (identical) machine for development & in case the primary has issues, also to test updates before putting them on prod.

salasi · 11-05-2009, 04:27 AM

Quote:

Originally Posted by r3sistance

I think you misunderstood that point, what salasi was saying is when you say, install mysqld, Ubuntu will make it active/started from the get-go... not sure if that one is true but that's how I read it. So when you apt-get anything, other distributions give you the chance to pre-configure the service before actually starting it, it can be a security flaw to automatically start services without the ability to preconfigure.

Yes, you have the point exactly and stated it more succinctly than I managed to do, so thank you for that.

The main problem is if you are unaware of this 'quirk'. If you are aware you will always do something like ps -ef | grep 'name' after an installation just to check and kill anything that you don't like, but there is the possibility that it takes you by surprise and you don't check.

As far as a GUI is concerned, the best security advice is don't run one; GUIs are big, complex and barely-understood programs (barely understood by the person who has to take care of security) and can be relied on to be buggy. Simplicity and ease of comprehension are the friends of security and big and complex aren't.

There are some circumstances in which running a GUI is not too big an error (in a largely benign, rather than internet-facing, application for example), but still, gui-less would be more secure. If you feel that you are happier away from the command line environment, consider something like webmin, which is probably closer to your comfort zone.