Is 14.2 default installation (and configuration) safe enough for web server?
Is there anything I should change in Apache configuration or can I leave it as is?
If you have more than one Domain/Documentroot you'll have to configure NameBasedVirtualHosts.
Even if you have no time, I would consider an lxc container for various reasons for the webserver.
Even if you have no time, I would consider an lxc container for various reasons for the webserver.
But wouldn't it take time to learn lxc?
I'm just going to serve small static content. If the Apache config is good enough, I'd prefer to run Apache natively.
It'll be single IP / single domain, nothing fancy for now.
I'm not sure that fail2ban is useful, at least it is useless against constant attacks on 22nd port (because they come from botnets, not fixed sources. At least this is so for Hetzner, don't know about online.net). I move ssh on port 26 to have clean logs. Also, don't forget to configure sendmail to send root's mail to you.
For your setup, a smaller virtual server would also do it at lower costs.
I'm migrating from pseudo VPS exactly because the costs were comparable.
And it's investment for the future times, when I'll be utilizing the server for more tasks.
And it has to be running my natural environment, namely Slackware OS.
So, based on what you said, I'm going to stick with Apache.
I'm not sure that fail2ban is useful, at least it is useless against constant attacks on 22nd port (because they come from botnets, not fixed sources. At least this is so for Hetzner, don't know about online.net). I move ssh on port 26 to have clean logs.
But if botnet fails, say 3 times, you can block it. Unless they run single attack per IP per long period.
Quote:
Originally Posted by slalik
Also, don't forget to configure sendmail to send root's mail to you.
For the moment http + ssh and nothing more, exactly because I don't have time to configure stuff properly.
But if botnet fails, say 3 times, you can block it.
Unless they run single attack per IP per long period.
2-3 attempts from 1 IP with long intervals, indistinguishable from normal use.
Quote:
Originally Posted by atelszewski
For the moment http + ssh and nothing more, exactly because I don't have time to configure stuff properly.
For example, a hard drive dies and mdadm (if you have a raid) sends mail to root. You have to get it. I do the following trivial configuration: http://alik.ejik.org/Sendmail_as_a_s...y_local_server
This is far from a real smtp server, but if you whitelist this address on your accepting email server it should work. For security, I block 25 port in the firewall (already blocked in your config) and in /etc/hosts.deny.
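The per-IP threshold question debated above (block after 3 failures versus 2-3 attempts per IP at long intervals), as an added example that is not part of any post: it runs a simplified model of a per-IP `maxretry`/`findtime` rule over sshd failure lines so you can see how much of your own log such a rule would act on. The log lines, addresses and function names are constructed for illustration, and the model is not fail2ban's code.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in OpenSSH's syslog format; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Mar 11 10:00:01 host sshd[101]: Failed password for root from 198.51.100.7 port 4001 ssh2
Mar 11 10:00:05 host sshd[102]: Failed password for root from 198.51.100.7 port 4002 ssh2
Mar 11 10:00:09 host sshd[103]: Failed password for invalid user admin from 198.51.100.7 port 4003 ssh2
Mar 11 10:05:00 host sshd[104]: Failed password for root from 203.0.113.10 port 4004 ssh2
Mar 11 11:30:00 host sshd[105]: Failed password for root from 203.0.113.11 port 4005 ssh2
Mar 11 13:00:00 host sshd[106]: Failed password for root from 203.0.113.10 port 4006 ssh2
Mar 11 14:45:00 host sshd[107]: Failed password for root from 203.0.113.12 port 4007 ssh2
Mar 11 14:50:00 host sshd[108]: Accepted publickey for alice from 192.0.2.5 port 4008 ssh2
"""

FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+"
)

def parse_failures(text, year=2024):
    """Yield (timestamp, source_ip) per failed-password line; syslog omits the year."""
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            yield datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2)

def per_ip_threshold(text, maxretry=3, findtime=600):
    """Simplified per-IP model: ban once maxretry failures fall within findtime seconds.

    Returns (banned_ips, failures_from_ips_never_banned).
    """
    windows, totals, banned = defaultdict(deque), defaultdict(int), set()
    for ts, ip in parse_failures(text):
        totals[ip] += 1
        window = windows[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()          # drop failures older than the window
        if len(window) >= maxretry:
            banned.add(ip)
    missed = {ip: n for ip, n in totals.items() if ip not in banned}
    return sorted(banned), missed

if __name__ == "__main__":
    banned, missed = per_ip_threshold(SAMPLE_LOG)
    print("banned:", banned)
    print("failures never reaching the threshold:", missed)
```

Password guessing from sources that stay under the threshold is stopped by key-only authentication rather than by the ban rule.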
I don't believe any distribution is ready for production without ample hardening.
If you aim to only serve static content (as in no PHP or friends) I would suggest looking at the following additions for your Apache configuration:
X-XSS-Protection
X-Frame-Options
X-Content-Type-Options
Content Security Policy
ServerTokens Prod
ServerSignature Off
TraceEnable Off
I would also recommend installing a WAF (web application firewall) like ModSecurity.
It takes some effort to configure, but it can be immensely powerful against attackers.
As for your firewall, it's a bit simplistic.
Maybe you should consider UFW (Uncomplicated Firewall) as it doesn't require detailed knowledge of iptables and is easy to configure to your needs.
Always be paranoid, examine your logs, and remember that you have a responsibility to protect your visitors to the best of your ability.
Oh, and have fun ;-)
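One way to check a config against the list in the post above, as an added example that is not part of the thread: a small audit that reports which of the seven settings are absent or set to a different value. The sample `httpd.conf` excerpt and the function name are constructed; the post names the four headers without values, so only their presence is checked.

```python
# Settings named in the post above. The three directives come with values there;
# the four response headers are named without values, so only presence is checked.
DIRECTIVES = {"ServerTokens": "Prod", "ServerSignature": "Off", "TraceEnable": "Off"}
HEADERS = ["X-XSS-Protection", "X-Frame-Options",
           "X-Content-Type-Options", "Content-Security-Policy"]

# Constructed httpd.conf excerpt used as sample input.
SAMPLE_CONF = """\
ServerTokens Prod
ServerSignature On
<IfModule headers_module>
    Header always set X-Frame-Options "DENY"
    # Header always set X-Content-Type-Options "nosniff"
</IfModule>
"""

HEADER_ACTIONS = {"set", "setifempty", "append", "add", "merge"}
HEADER_CONDITIONS = {"always", "onsuccess"}

def audit(conf):
    """Return (wrong, missing): directives set to another value, and settings not found.

    Simplification: reads one file's text, ignores Include files and <VirtualHost>
    scoping, and lets the last occurrence of a directive win.
    """
    wanted = {name.lower(): name for name in DIRECTIVES}
    found, headers = {}, set()
    for raw in conf.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith(("#", "<")):
            continue                                  # blank, comment or section tag
        key = parts[0].lower()
        if key in wanted and len(parts) > 1:
            found[wanted[key]] = parts[1]
        elif key == "header":
            args = [p for p in parts[1:] if p.lower() not in HEADER_CONDITIONS]
            if len(args) >= 3 and args[0].lower() in HEADER_ACTIONS:
                headers.add(args[1].strip('"').lower())
    wrong = {n: v for n, v in found.items() if v.lower() != DIRECTIVES[n].lower()}
    missing = [n for n in DIRECTIVES if n not in found]
    missing += [h for h in HEADERS if h.lower() not in headers]
    return wrong, missing

if __name__ == "__main__":
    wrong, missing = audit(SAMPLE_CONF)
    print("set to another value:", wrong)
    print("not found:", missing)
```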
I know it doesn't answer the question, but if you are not doing this just for learning, and your website is 100% static, you might be better served by AWS.
Put your content in an S3 bucket and serve it from there (+ a CDN to reduce S3 costs if needed).
For static websites there is nothing easier, and there are no servers to configure. You wrote a few times that you don't have the time to be a proper sysadmin, so it is better to not have a server to admin.
If you are still going for the server option, I would suggest in general that you subscribe to the official communication channels (mail lists in general) for each project whose software you are using (i.e. stay around here for the OS things, subscribe to Apache mail list, etc).
Also I believe you should reconsider the root login thing, and disable password login completely.