Old 10-07-2010, 01:42 AM   #1
albie17
Member
 
Registered: Jul 2010
Location: District 9
Distribution: OpenSuse, Fedora, CentOS, Ubuntu, RHEL
Posts: 31

Rep: Reputation: 0
How to create the perfect web server? (LAMP)


Hi there LQ peeps, I am designing a new production web server for our company. Probably will handle around a thousand unique visitors a day. I decided to use CentOS (Apache, PHP, MySQL) with a DELL PowerEdge R710.

Questions:

What particular countermeasure should I implement with this server?
What configuration should I make for the highest uptime?
Any suggestions regarding backup?
And other suggestions please.

Sincerely,
Albie Bokingkito
 
Old 10-07-2010, 05:11 AM   #2
vikas027
Senior Member
 
Registered: May 2007
Location: Sydney
Distribution: RHEL, CentOS, Ubuntu, Debian, OS X
Posts: 1,305

Rep: Reputation: 107
See this, and get back to me if you face problems.

http://www.linuxquestions.org/questi...highlight=LAMP
 
Old 10-07-2010, 05:27 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by albie17 View Post
I am designing a new production web server for our company.
If you're only at the design stage that's nice. If your company has the money then at least suggest having a staging server to test and document changes and releases on (could double as a temporary spare if managed properly) before implementing it in production.


Quote:
Originally Posted by albie17 View Post
Probably
"Probably" does not sound like the type of assessment I'd base any investment decision on.


Quote:
Originally Posted by albie17 View Post
What configuration should I make for the highest uptime?
Maybe ask what problems and scenarios lead to what decisions to be made?
- Is it your company's core business to host fully redundant, fully SLA-covered servers?
- What happens if your new production web server gets DoSsed? DDoSsed? Its power unit fails? Its single network connection gets severed? The RAID array b0rks at say New Year's morning at 03:01?
- Would co-location be more expensive than maintaining servers at two or three physically different, fully redundant locations yourself?
- If you look at location, network, backup lines, backup power plant, hardware, software, management and human resources necessary to fulfill a SLA with 99.9% uptime guarantee, would outsourcing it be cheaper?
- Would it be cheaper to scale down, outsource and opt (shop) for additional capacity when it's actually needed?
- Would using a content distribution network lead to better performance?
- Are there any rules and regulations you need to adhere to (HIPAA, SOX, GLBA, PCI-DSS, et cetera)?
- Should you use home-brewed kludges or opt for proven OTS parts whose setup can more easily be replicated at other locations?


Quote:
Originally Posted by albie17 View Post
I decided to use CentOS(Apache,PHP,MySQL)
CentOS OK, but why Apache and not a load balancer, two caching proxies and Nginx or Lighttpd or fast equivalent?


Quote:
Originally Posted by albie17 View Post
What particular countermeasure should I implement with this server?
That partly depends on what it is going to be used for. A few questions for your checklist:
- What is the purpose of this server or servers?
- Am I using only and can I trust the tools I need?
- How will I know there is a problem?
- Who has access to what?
- Why should I trust user input?
- Did I and do I regularly test what I use?
- If I can't restore within 1 minute who can or what alternative do I have?
With respect to prioritizing things, project phases et cetera I think it would be better to go into details when your plan is more concrete or when you have posted more details.


Quote:
Originally Posted by albie17 View Post
And other suggestions please.
Prawns and technology are a violent mix. You know that ;-p
 
Old 10-07-2010, 09:43 AM   #4
josephw47
LQ Newbie
 
Registered: Sep 2010
Location: North Carolina
Distribution: centOS 5, RHEL 5/6, SLES10/11, VMWare, Backtrack 4, Ubuntu 10.04
Posts: 20

Rep: Reputation: 0
Probably? You're kidding, right?

I'm more on the network capacity side of things, but 'probably' and 'about' aren't going to give you anything concrete as far as your capacity or general planning is concerned, even server side. Unique visitors? When you plan the capacity of a system, from my perspective, you want to assume that 70% of your visitors will be first time hits on the site, which will result in a more realistic standpoint as far as bandwidth is concerned. If it's an e-commerce site, you need to assume at least 85%. The reason I say such high numbers is because you don't want to push your system beyond 80% capacity at full load, as this will allow for unforeseeable spikes in usage, a failed drive in your RAID, very high SQL activity, general administration, etc, and prevent crashes.

For countermeasures, I suggest running a Cisco PIX, Fortigate, or really whatever your company already has in place for that system. In addition, I suggest running multiple NICs on this box. One will be for your external network connection, which will have your website, and it should be locked down to only provide service to that website. Your second NIC will be for your internal network and can be used for any administration or other secured access that your company needs to the server. This will force any remote administration to this machine to run through your company's VPN. If you are building an e-commerce site, in addition to the aforementioned, I would have an IDS system or ASA running IDS on this box on all physical network connections. Having someone break into a server that handles financial transactions is just something you don't want to have to deal with.

For backups: just use what you already have.... no need to reinvent the wheel on this one.

Other suggestions...
Before you design anything, sit down with a pencil and paper and write out your plan, including every minute detail possible. Let it sit for a day, and then look at it again. Look for any possible points of failure, anything that can go wrong at each point of failure and why, and come up with as many contingency plans as possible for each point of failure that you see. You cannot use guesstimates on this one. You need to know the max capacity of your system, and the worst case scenario maximum usage that your system will see. To get this, you need to look at the trends for your existing website/webserver solution, and calculate the usage trends over a set period of time. Talk to your company's CIO to see what the target availability of this site is. What can you use for load balancing and redundancy? If you have no existing failover, is it in your company's budget to provide for additional redundancy of this new web site/server solution? I can tell you now that it will be a Christmas miracle if you have no redundancy and manage to get 99.9% uptime. I can tell you for a fact from experience that there is no such thing as an uncrashable database server, because it will crash eventually, regardless of who or what did it. For your redundancy: face it, all ISPs SUCK and your internet access will eventually get cut off by no fault of you/your company. If you want a local webserver, you still need to look at colocation of a backup somewhere halfway across the country or better. Your backup plan will only be perfect if you have to do nothing but get the failed system in your redundant configuration back online. AKA: a backup plan that you don't have to use. If possible, for a high availability site, you want triple redundancy, and you don't want both of your redundant systems, quite frankly, in the same timezone if possible, or at least 800 miles away.

By the way... you asked for perfect... Perfect in IT is like you or me hooking up with Heidi Klum. It ain't gonna happen, and if it does, someone needs to smack the hell out of ya 'cause you're obviously dreaming.
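
Added example, not part of any poster's message: one way to check the two-NIC split described in post #4 is to read `ss -tln` output and flag every TCP listener that is reachable on the external address, or bound to a wildcard address, on a port other than the website's. The addresses, the allowed-port list and the sample listing below are constructed assumptions.

```shell
#!/bin/sh
# Audit TCP listeners against a two-NIC layout: the external address may
# serve only the website; SSH, MySQL, monitoring agents and the like must
# be bound to the internal address or to loopback.

# Constructed sample in `ss -tln` format (documentation and RFC 1918 addresses).
SAMPLE_LISTENERS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    203.0.113.10:80     0.0.0.0:*
LISTEN 0      128    203.0.113.10:443    0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      50     0.0.0.0:3306        0.0.0.0:*
LISTEN 0      128    10.0.0.5:5666       0.0.0.0:*
LISTEN 0      100    127.0.0.1:25        0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*'

# audit_listeners EXTERNAL_IP "ALLOWED PORTS"   (reads `ss -tln` output on stdin)
# Prints one line per violation: "<local-address:port> <reason>".
audit_listeners() {
  awk -v ext="$1" -v allowed="$2" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 != "LISTEN" { next }                      # skips the header line
    {
      port = $4; sub(/.*:/, "", port)            # text after the last colon
      addr = $4; sub(/:[^:]*$/, "", addr)        # text before the last colon
      # A wildcard bind is reachable on every interface, the external one included.
      wildcard = (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::")
      if ((addr == ext || wildcard) && !(port in ok)) {
        reason = wildcard ? "wildcard-bind" : "external-bind"
        print $4, reason
      }
    }'
}

# Run the audit over the constructed sample: external NIC 203.0.113.10, web ports only.
printf '%s\n' "$SAMPLE_LISTENERS" | audit_listeners 203.0.113.10 "80 443"
```

On a live host the same function takes `ss -tln` piped in directly; an empty result means nothing but the website is exposed on the external interface, which still leaves the firewall rules to be checked separately.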
 
Old 10-09-2010, 02:20 AM   #5
albie17
Member
 
Registered: Jul 2010
Location: District 9
Distribution: OpenSuse, Fedora, CentOS, Ubuntu, RHEL
Posts: 31

Original Poster
Rep: Reputation: 0
Wait.. Wait.. Wait.. I'm just a newly hired System Administrator and this is my first time. Teach me first the basic of it. Please.
 
Old 10-12-2010, 03:44 AM   #6
divyashree
Senior Member
 
Registered: Apr 2007
Location: Bangalore, India
Distribution: RHEL,SuSE,CentOS,Fedora,Ubuntu
Posts: 1,386

Rep: Reputation: 135
Quote:
Originally Posted by albie17 View Post
Hi there LQ peeps, I am designing a new production web server for our company. Probably will handle around a thousand unique visitors a day. I decided to use CentOS (Apache, PHP, MySQL) with a DELL PowerEdge R710.

Questions:

What particular countermeasure should I implement with this server?
What configuration should I make for the highest uptime?
Any suggestions regarding backup?
And other suggestions please.

Sincerely,
Albie Bokingkito
Have a nice guide here:

http://www.lamphowto.com/
 
Old 10-12-2010, 09:38 AM   #7
josephw47
LQ Newbie
 
Registered: Sep 2010
Location: North Carolina
Distribution: centOS 5, RHEL 5/6, SLES10/11, VMWare, Backtrack 4, Ubuntu 10.04
Posts: 20

Rep: Reputation: 0

Quote:
Originally Posted by albie17 View Post
Wait.. Wait.. Wait.. I'm just a newly hired System Administrator and this is my first time. Teach me first the basic of it. Please.
I smell a newbie!!! lol jk..

I can't hope to walk you through the entire webserver implementation process without you taking the first steps and doing some serious research on the systems you will be implementing. Security, I can help you with, but it will be from my opinion and P.O.V. Everyone has their own preferences and theory when it comes to security, and I'm no exception.

What we need to know in order to help you:
- What is the purpose of this website?
- Who will have access to this website, and what kind of access will they have?
- Who has PHYSICAL access to this webserver? (could care less about names, but if everyone and their mom can walk up to this box and play with it... you have a problem)
- What security solutions do you have at your disposal? (No, the shotgun you have ready for use on your daughter's boyfriend will not do, nor will your father-in-law)
- What is your required and target SLA? (believe me, your devs will find a way to crash this thing. Oh, remember that weird scratching sound you heard underneath the DC floor? Yea, that's the rat chewing on your not-so-redundant connection to the interwebs)
- What is your existing backup solution? Is it 'bulletproof' (even if the Rapture/Second Coming/teenage daughter finds out she's pregnant/Armageddon (Bruce Willis or the Bible one... your choice) happens?)
- Load balancing (very different from checkbook balancing)/proxies: do you have anything that can be used in this capacity? No, not on the same box either... =P

Despite my smart-ass jokes... if you answer these, someone on here will have an idea or two to get you started.
 
Old 10-12-2010, 10:21 AM   #8
josephw47
LQ Newbie
 
Registered: Sep 2010
Location: North Carolina
Distribution: centOS 5, RHEL 5/6, SLES10/11, VMWare, Backtrack 4, Ubuntu 10.04
Posts: 20

Rep: Reputation: 0
Some suggested reading to get you started:
(remember, I have no idea what level you are at, or what research you've done...so there is some n00b stuff here too... and you did say you were a n00b)

http://fedorasolved.org/server-solutions/lamp-stack
http://www.dixite.com/docs/lamp/dixite-lamp-en-0_3.pdf
http://library.linode.com/lamp-guides/centos-5/
http://httpd.apache.org/docs/1.3/mis...rity_tips.html
http://www.ibm.com/developerworks/op...pps/index.html
http://www.hardened-php.net/ (others on lq might have opinions on this as I do not have a guinea pig to play with this on...)
http://nagios.org/ (systems monitoring solution... a freakin howler monkey can get this up, running, and generally serviceable across the infrastructure within hours or days for extremely large infrastructures) assuming you don't use this already
http://www.howtoforge.com/perfect_setup_centos_4.4 (older OS and software versions, but follows some good principles)
http://wiki.centos.org/HowTos/OS_Protection
No clue on which version of MySQL you want to use... so here's this:
http://www.mysql.com/
http://dev.mysql.com/doc/refman/5.0/...rivileges.html
http://dev.mysql.com/doc/refman/5.0/...st-attack.html

As for OS and software version choices... Don't necessarily go by the 'latest and greatest,' go by what you are comfortable with, what you need and no more. The last thing you want is an unreliable, bloated, and overspec box. Eventually it will just become a liability.

I will recommend that you install a GUI (whichever is your favorite, doesn't really matter), but do not have it start automatically. Typing 'startx' every time you need it isn't going to be that much of a hassle, and it saves on system overhead.
 
Old 10-12-2010, 02:19 PM   #9
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Rep: Reputation: 897
Quote:
Originally Posted by albie17 View Post
I'm just a newly hired System Administrator and this is my first time. Teach me first the basic of it.
'The basic of it' and 'perfect' are two very different requests. In any case, 'perfect' may not be possible to satisfy, but:

Quote:
Hi there LQ peeps, I am designing a new production web server for our company. Probably will handle around a thousand unique visitors a day. I decided to use CentOS (Apache, PHP, MySQL) with a DELL PowerEdge R710.
Without knowing, at the very, very least, something about the access/purpose, whether you are behind a hardware firewall, whether you are in a DMZ, anyone who gives you a direct 'do this, do that' answer is not having a good day (I'm being generous) and if you want that kind of answer, fine. Just be aware that it isn't a good answer, and you will have to live with the consequences of that, which could be severe.

Quote:
What particular countermeasure should I implement with this server?
It has been explained why no one could give you a sensible answer to that yet; it is entirely up to you whether you want to change that situation.

Quote:
Any suggestions regarding back up?
Write a procedure and follow it. The procedure is incomplete if it does not include testing. And are you happy with the consequences if the worst-case disaster happens? Could you change your procedure to improve this? And did your audits show that you were actually following your procedure, or did you just make excuses?

Read the MySQL documentation, which is good.

And this
@unSpawn
Quote:
- Are there any rules and regulations you need to adhere to (HIPAA, SOX, GLBA, PCI-DSS, et cetera)?
is a very important question; my guess would be (and you haven't given enough information for anything other than a guess, at this stage) that there are external standards that you have to meet, but either you haven't done enough research to find that out or you have found out, but you haven't told us.

Bear in mind that having standards like these isn't necessarily just a pain; something like PCI-DSS gives you a good framework from which you can write a procedure relevant to your site and your circumstances.

Quote:
...CentOS(Apache,PHP,MySQL...
And, no other software, such as a CMS which you haven't told us about? In which case, you will have a lot of PHP, and it will be buggy (everyone else's is, in the initial stages, so why shouldn't yours be?). Aside from whether this is the most sensible use of your, and your organisation's, time, it does rule out 'perfect'.

If there is other software that sits on top of the LAMP stack, you should have told us by now, as that can have a big impact on the advice.
 