12-22-2004, 07:19 PM   #1
Root Server administration


I now work for a company from Germany, and I am from Romania. Usually I'm doing some PHP code and web design. We have the MySQL database on one server and the website on another. Now our website hoster is going crazy and the boss wants to buy/rent a root server. The server the database is on is not the best either.
We are two guys who know a little bit of Linux and one who wants to learn. Our boss wants us to administer the server and learn something from this so he won't hire a specialist. We found at and some servers to rent. My [our] question is: what is the best distribution to choose for the server: RedHat Enterprise ES Basic [this one +15 Euro/Month], SuSe or Debian?
I want to mention that this server will run a big MySQL database and an Apache web server with PHP, maybe some CGI later.

My other questions are:
1) Which is the best way to administer this server from a different country [from a distance]? I am thinking about SSH, or is there a better, secure way of doing that?
2) Which distribution to choose? Like above.
3) What else should we use or not use for the best security? I know a little bit of the "iptables" firewall.
4) Use the MySQL server on a port other than its default?
5) Should we buy a usual web address and forward its index.html to our web server? And make a policy in our firewall that the only accepted connection is from the IP address of the web address? Or should we use the direct connection to our server?
6) What should our firewall look like? First block everything, then open ports 22 tcp [ssh] for a specific IP address, 80 tcp/udp [http], 443 tcp/udp [https] and 3306 tcp/udp [MySQL] or another port? What else?
7) How to filter services on each port? For example I found 22 trojans working on port 80 like http. But how can I block them on this port and allow only http?
8) What about flooding? Yes, we will block pinging our IP address... but syn, to block them and what other floods to stop?

You can give me some links, but some answers to my questions are better.
Thank you in advance!

With regards, Boby!
12-22-2004, 08:24 PM   #2
1.) SSH would be the best; you can take a look at webmin over SSL.
2.) Go with Redhat or SuSE; they are more user friendly and easier to use for a beginner.
3.) iptables is pretty much your only choice. Use a frontend like shorewall, or knetfilter, or millions of other frontends out there. shorewall is supported in webmin.
4.) Probably no need; just block incoming requests for port 3306, since the only thing that would access the database server would be the Apache web server.
5.) If you are going to be hosting your own web server then this would just be a waste of money; just buy the domain and point the DNS at the IP of your server.
6.) That's it.
7.) You can't, and don't worry about it anyway unless you filter at the application layer; it is a waste of resources, and the trojans don't infect your server (read about what a trojan is, what it does and how it works).
8.) Set up the Apache web server to time out connections faster, or set up a reverse proxy with squid and configure squid to your liking.

Be sure to test your iptables firewall script beforehand, because if you block yourself out you won't be able to log in again unless you remove those rules; for that reason, if you like something more graphical, try fwbuilder.
Also look into cohosting your server somewhere, or just hosting your domain somewhere, so you don't have to worry about all of these things.

If you go with your selection of choices to host with, then they will take care of the firewall and everything else; all you have to worry about is the website and database administration. At least that's how most ISPs do it, but I don't read German so I could be wrong.

12-22-2004, 08:32 PM   #3
1. ssh should be sufficient. If you are terribly security paranoid you may want to implement a vpn tunnel.

2. Very subjective question. No one can answer this for you. Go to their websites and read the docs. Got them off and see the quality and speed of the response. Redhat and SuSe are for-profit businesses... they want to make money. Debian is a non-profit, volunteer-run distro. How does that fit into your philosophy? Redhat and SuSe will offer commercial support. Debian will not (i.e. you're on your own with technical problems).

3. You will definitely want a strong iptables firewall. Commercial firewalls also exist. Look into kernel hardening patches such as grsecurity and selinux...

4. This is security through obscurity. A quick portscan with service detection will reveal which port your mysql runs on...

5. Not too sure what you're getting at here...

6. The best practice here IMO is to block everything... and specifically allow only needed services.

7 and 8: sounds like you need some heavy iptables voodoo for this...and even then I am not sure it can be done... beyond my expertise anyway....

good luck....
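
The default-deny layout that replies #2 and #3 describe, with the test-before-apply step from reply #2, as an added example that is not part of any post in this thread. The addresses are constructed placeholders, the function names are hypothetical, and `apply_ruleset` assumes the `iptables-apply` helper is installed.

```shell
#!/bin/sh
# Added example. Addresses are constructed placeholders (documentation
# ranges); function names are hypothetical, not from the thread.

# Accept only digits, dots and "/" so nothing else reaches the rules file.
valid_ip() { case $1 in ''|*[!0-9./]*) return 1 ;; esac; }

# build_ruleset ADMIN_IP [DB_CLIENT_IP]
# Prints an iptables-restore file: inbound traffic is dropped by default,
# then only loopback, replies, SSH from ADMIN_IP and HTTP/HTTPS are allowed.
build_ruleset() {
    # A default-deny policy without an SSH rule locks the remote admin out,
    # so refuse to generate anything without a valid admin address.
    valid_ip "${1:-}" || { echo "bad admin IP" >&2; return 1; }
    [ -z "${2:-}" ] || valid_ip "$2" || { echo "bad DB client IP" >&2; return 1; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s $1 --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
EOF
    # MySQL (3306/tcp) gets no rule when Apache runs on the same host and
    # connects over loopback; open it only for a named remote web server.
    if [ -n "${2:-}" ]; then
        echo "-A INPUT -p tcp -s $2 --dport 3306 -m conntrack --ctstate NEW -j ACCEPT"
    fi
    echo "COMMIT"
}

# apply_ruleset FILE (needs root): parse-check the file, then load it with
# iptables-apply, which reverts the rules unless you confirm within 60 s
# that your SSH session still works.
apply_ruleset() {
    iptables-restore --test < "$1" || return 1
    iptables-apply -t 60 "$1"
}

# Print the ruleset for review; save it to a file before apply_ruleset.
build_ruleset 203.0.113.10
```

HTTP, HTTPS and MySQL are opened as TCP only here, and the rules cover IPv4; an IPv6-reachable host needs the same policy loaded through `ip6tables-restore`.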
12-23-2004, 06:03 PM   #4
Ok zatriz and bulliver, thank you very much so far!
I'll wait now to have the new server and I'll be back for sure with more questions.

Thank you and Merry Christmas!


