
#1 2006-12-19 21:06:34

Luke Armstrong
Member
From: UK
Registered: 2006-12-16
Posts: 12

what is essential to a good Linux web server setup?

Hi there, I am kinda new to Linux but not afraid to learn (or ask stupid questions). I am a web developer and will be getting a dedicated server this month; it is totally unmanaged, so I will need to set it up over SSH and be responsible for keeping any downtime to a minimum (or none at all if possible).

I was recommended to use CentOS 4.4, but the packages available on YUM are far too old. There were only out-of-date versions of PHP4 and MySQL4 available, so I had to install v5 of each from source. I managed this without too much swearing, but wouldn't be comfortable keeping it up to date, and I felt CentOS was a bit bloated for what will be a simple web server. I had looked at Arch Linux in the past, because it always had the latest packages according to DistroWatch, but I didn't have time to learn how to use it properly. Now I have time, so am looking to learn!

What would be the best way of partitioning the server? I have only ever let the Arch installer set up the hard drive, but some people say you should put /home/httpd/html/ (or /var/www) on its own partition.

I will at first be hosting a single website from this server, but hope to run a few others on it at a later date. I have looked into getting a lifetime InterWorx licence and getting it installed by their staff as they will probably know best. But another part of me wants to learn how to do it by myself, save a few quid, and be the better for learning how. I suppose Webmin would be a good idea to get, if just for diagnosis, since it is free. Is Usermin recommended/free too?

I have used pacman to get these applications so far:
OpenSSH
vsFTPd
Apache2
PHP5
GD2
MySQL

I need to get some form of DNS/NS and POP3/SMTP applications. I want to be able to host my website on the server, but also have the nameservers on the server too, so that ns1.lukearmstrong.co.uk and ns2.lukearmstrong.co.uk appear in the whois record for the websites I will be hosting. I also want to use the server for handling e-mail sending (from the websites) and also handle email accounts for my clients.

I haven't got a clue about security: what precautions should I take, or what applications should I install to secure the system better? Also I need to think about backups. I have an insane amount of bandwidth available (3000 GB), and as host backups are expensive, would it be possible to get my Arch web server to back up websites/databases automatically/incrementally to my local Arch web server? What would be the best way of doing this, as I don't want to accidentally take a backup if the server is in a compromised state (SQL injection attack wiped DB, XSS wiped files, etc.)?

The host I have chosen has CentOS 4.4 available as one of their OS choices; I am still undecided between Arch Linux and that. It will cost me £40 to get them to install Arch for me, as they don't have the image, but I have managed to set up my old laptop on Arch to spit out the results of phpinfo(); in Firefox on another computer on my network in about an hour.

Any, and all help much appreciated.

Server Specs:
Dual Core Xeon 3040
1GB DDR ECC SDRAM
2x 80GB SATA Drives RAID 1 (Mirrored)

PS. I think the Xeon 3040 processor is 64-bit, so should I go for Arch64? I have tried it on my main rig (AMD Athlon 64), but there were some problems with applications available on pacman. Don't fancy updating the server one day and it going down.


#2 2006-12-20 00:05:10

skymt
Member
Registered: 2006-11-27
Posts: 443

Re: what is essential to a good Linux web server setup?

First off, please don't use Webmin. It's a security nightmare. Secunia currently doesn't list any unpatched vulnerabilities, but there have been some serious flaws in the past (some of which allowed attackers to bypass authentication). It's almost always best to minimize possible attack vectors, and that means sticking to one remote administration tool (SSH).

I couldn't find anything on Secunia about InterWorx-CP. cPanel (another popular commercial choice) has a longer vulnerability record (some unpatched), but it's mostly XSS attacks. Those are bad, but authentication flaws are much worse, from the point of view of the server admin.

If you want to give others space on your server, stick with FTP and (maybe) shell access.


Your application list looks good so far. I'd pick PostgreSQL over MySQL, but that's mostly personal preference (both are very good).

My pick for an SMTP server is Postfix. It's very secure, has enough features for almost any small-to-medium scale use, and is one of the easiest to configure.

Why choose POP3? Wouldn't IMAP be better? I haven't personally used any post office servers, but Courier is a popular choice. It supports both POP3 and IMAP, and offers SMTP as well. It looks good for an all-in-one solution.

The most popular DNS server is BIND, the Berkeley Internet Name Daemon. It currently has an unpatched DoS vulnerability, and doesn't have the best reputation for security. djbdns is a popular security-focused alternative. If you don't need anything too complicated, it may be the better choice. On the other hand, development on it seems to have stalled.


I'd handle backups in a Unixey fashion. A shell script, run from cron, that transfers the backup with rsync, over an SSH tunnel. There are remote backup solutions, but it would be faster to whip up a quick script than learn the ins and outs of an overly complex backup system. If someone knows of a better network backup solution, please post it.


Most servers come with a fairly secure default configuration, so don't change anything you don't need to.

Brute-force attacks on SSH servers are very common, so look at projects like DenyHosts and Port Knockd (two very different solutions).

The weakest link on a web server is often not the server software itself, but the web applications it serves. If you use prefab webapps (blogs, forums and the like), choose carefully. Look at some less popular choices, as big applications like phpBB or WordPress are often easy targets for automated attacks.

Consider using Ruby, Python, or Perl instead of PHP. PHP wasn't exactly designed with security in mind. It's gotten better, but still has some major flaws. The quoting system is a nightmare, not because it's insecure, but because it makes it much harder to code securely. Ruby is my choice. It has a built-in security system: the $SAFE variable can be set to 1-4, specifying how careful Ruby should be with externally-supplied data.

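Below is an added example of the backup skymt describes (a shell script run from cron that pushes the site to a second machine with rsync over SSH). It is my illustration, not skymt's code or anything from the thread, and it also addresses Luke's worry in the opening post about faithfully copying an already-wiped site. The host name, paths, backup user with a key-only SSH login, and mysqldump credentials in ~/.my.cnf are all assumptions; BACKUP_ROOT is assumed to exist on the remote box.

```shell
#!/bin/sh
# Added example, not code from the thread: a cron-driven backup script of the
# kind skymt describes (rsync over SSH to a second machine), with one guard
# for Luke's worry about faithfully copying an already-wiped site.
# Assumptions, all hypothetical: a backup user on BACKUP_HOST with a key-only
# SSH login, mysqldump credentials in ~/.my.cnf, and the paths below.
# Each run creates a dated snapshot on the remote side; --link-dest hard-links
# files unchanged since the last snapshot, so every snapshot is a full tree
# but only changed files take space.

BACKUP_HOST="${BACKUP_HOST:-backup.example.invalid}"   # placeholder host name
BACKUP_ROOT="${BACKUP_ROOT:-/srv/backups/web}"          # directory on BACKUP_HOST
DOCROOT="${DOCROOT:-/var/www}"                          # local document root
MIN_RATIO="${MIN_RATIO:-50}"   # refuse if the site shrank below this % of the last snapshot

# Today's snapshot directory name, e.g. 2006-12-20.
snapshot_name() { date +%Y-%m-%d; }

# Number of regular files below a directory.
count_files() { find "$1" -type f | wc -l | tr -d ' '; }

# Number of files in the last snapshot on the remote side (0 on the first run).
remote_count() {
    ssh "$BACKUP_HOST" "find '$BACKUP_ROOT/latest/' -type f 2>/dev/null | wc -l" | tr -d ' '
}

# Sanity check: proceed (status 0) unless the tree has fewer than MIN_RATIO
# percent of the files the previous snapshot had. A wiped docroot therefore
# does not overwrite anything; the old snapshot stays and cron mails the error.
sanity_ok() {
    prev="$1"; new="$2"
    [ "$prev" -eq 0 ] && return 0          # first run: nothing to compare against
    [ $(( new * 100 / prev )) -ge "$MIN_RATIO" ]
}

run_backup() {
    today=$(snapshot_name)
    tmp=$(mktemp -d) || return 1
    # Dump the databases first; a failed dump aborts before anything is sent.
    if ! mysqldump --all-databases --single-transaction > "$tmp/all-databases.sql"; then
        echo "mysqldump failed, no snapshot taken" >&2; rm -rf "$tmp"; return 1
    fi
    prev=$(remote_count); prev=${prev:-0}
    new=$(count_files "$DOCROOT")
    if ! sanity_ok "$prev" "$new"; then
        echo "refusing snapshot: $DOCROOT has $new files, last snapshot had $prev" >&2
        rm -rf "$tmp"; return 2
    fi
    # Push docroot and dump into the dated directory, reusing unchanged files
    # from the previous snapshot via hard links.
    rsync -a --delete -e ssh --link-dest="$BACKUP_ROOT/latest" \
        "$DOCROOT/" "$tmp/" "$BACKUP_HOST:$BACKUP_ROOT/$today/" || { rm -rf "$tmp"; return 1; }
    rm -rf "$tmp"
    # Point "latest" at the new snapshot for the next run's --link-dest.
    ssh "$BACKUP_HOST" "ln -sfn '$BACKUP_ROOT/$today' '$BACKUP_ROOT/latest'"
}

# Crontab entry on the web server (03:30 nightly):
#   30 3 * * * /usr/local/sbin/webbackup.sh run
case "${1:-}" in run) run_backup ;; esac
```

The file-count guard is deliberately crude: it catches the "everything got deleted" case Luke asks about, not a subtle defacement, and because old snapshots are never overwritten you can always go back to the one before the incident. Keeping several dated snapshots (and pruning by age in a separate cron job) is what makes that possible.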

#3 2006-12-20 12:29:14

smoon
Member
Registered: 2005-08-22
Posts: 468

Re: what is essential to a good Linux web server setup?

Luke Armstrong wrote:

> Hi there, I am kinda new to Linux but not afraid to learn (or ask stupid questions). I am a web developer and will be getting a dedicated server this month; it is totally unmanaged, so I will need to set it up over SSH and be responsible for keeping any downtime to a minimum (or none at all if possible).

You should try that on an offline system first (if you've not already done so) to see if you've got enough experience to handle that task.

> I was recommended to use CentOS 4.4, but the packages available on YUM are far too old. There were only out-of-date versions of PHP4 and MySQL4 available, so I had to install v5 of each from source. I managed this without too much swearing, but wouldn't be comfortable keeping it up to date, and I felt CentOS was a bit bloated for what will be a simple web server. I had looked at Arch Linux in the past, because it always had the latest packages according to DistroWatch, but I didn't have time to learn how to use it properly. Now I have time, so am looking to learn!

I don't know CentOS, but I used to run Debian on my server and replaced it with Arch after I discovered it. Due to Arch's KISS principle it's many times easier to set it up the way you want it and maintain it afterwards. For me Arch is the perfect distribution for desktop and server usage, but others may disagree.

> What would be the best way of partitioning the server? I have only ever let the Arch installer set up the hard drive, but some people say you should put /home/httpd/html/ (or /var/www) on its own partition.

Depends, but I think the way the Arch installer partitions your drive is perfectly fine.

> I will at first be hosting a single website from this server, but hope to run a few others on it at a later date. I have looked into getting a lifetime InterWorx licence and getting it installed by their staff as they will probably know best. But another part of me wants to learn how to do it by myself, save a few quid, and be the better for learning how. I suppose Webmin would be a good idea to get, if just for diagnosis, since it is free. Is Usermin recommended/free too?

I've never even heard of that InterWorx thing, but if it is something along the lines of Webmin I suggest you don't get it. Maintaining your system via ssh may seem complicated at first, but it is much more flexible than any (web based) frontend can ever be.

> I have used pacman to get these applications so far:
> OpenSSH
> vsFTPd
> Apache2
> PHP5
> GD2
> MySQL

I prefer Lighttpd over Apache since it is a little bit faster, easier on the server's resources and has a much more flexible configuration file syntax that is way easier to understand than Apache's.
Also I'd use scp instead of ftp. If you need it for your customers and don't want them to get a full shell you can use scponly or something similar.
I fully agree with skymt on PHP, security-wise it's just not the best language for web development. I suggest you have a look at Django (Python) or Ruby on Rails (Ruby) for some nice frameworks you can use to rapidly develop web applications.

> I need to get some form of DNS/NS and POP3/SMTP applications. I want to be able to host my website on the server, but also have the nameservers on the server too, so that ns1.lukearmstrong.co.uk and ns2.lukearmstrong.co.uk appear in the whois record for the websites I will be hosting. I also want to use the server for handling e-mail sending (from the websites) and also handle email accounts for my clients.

I'm not sure about the DNS stuff, but I don't think it's the best choice to run the DNS server on the same machine as the web-/mailserver.
Postfix is a really nice and flexible SMTP server while courier is a good choice for IMAP and POP (cyrus is not that bad either). But a word of caution: It's not a trivial task to set a mail system up.

> I haven't got a clue about security: what precautions should I take, or what applications should I install to secure the system better? Also I need to think about backups. I have an insane amount of bandwidth available (3000 GB), and as host backups are expensive, would it be possible to get my Arch web server to back up websites/databases automatically/incrementally to my local Arch web server? What would be the best way of doing this, as I don't want to accidentally take a backup if the server is in a compromised state (SQL injection attack wiped DB, XSS wiped files, etc.)?

rsnapshot is a pretty good choice for a backup system. It is not very complicated but does its job very well.
And just like skymt said: the weakest link on a properly configured webserver is poorly written webapps.
Here are some security tips:
· Only install a bare minimum of applications (for example no ftpd if you can just use scp instead)
· Choose the webapps you run wisely
· Use some simple iptables rules to block anything but what you really need
· Configure your daemons properly
· Keep your software up to date
Some tips for sshd:
· Read the documentation
· Deny root login (use su or sudo instead)
· Use keys for authentication rather than passwords
· Set LoginGraceTime to a low value (20 seconds is enough)
· Keep MaxStartups low (1 or 2 should be enough, but yet again: read what it does)
· Only permit protocol version 2
· Make use of AllowUsers!
· Use the iptables recent module to block everyone for a few minutes who connects more than (for example) 4 times to port 22 within one minute. Those are usually brute force attempts.

> The host I have chosen has CentOS 4.4 available as one of their OS choices; I am still undecided between Arch Linux and that. It will cost me £40 to get them to install Arch for me, as they don't have the image, but I have managed to set up my old laptop on Arch to spit out the results of phpinfo(); in Firefox on another computer on my network in about an hour.

If they offer a remote console you can choose CentOS and install Arch remotely over the console to save the £40.

> Any, and all help much appreciated.
>
> Server Specs:
> Dual Core Xeon 3040
> 1GB DDR ECC SDRAM
> 2x 80GB SATA Drives RAID 1 (Mirrored)
>
> PS. I think the Xeon 3040 processor is 64-bit, so should I go for Arch64? I have tried it on my main rig (AMD Athlon 64), but there were some problems with applications available on pacman. Don't fancy updating the server one day and it going down.

I'd use Arch even though 64 bit apps may perform better on this hardware. But I don't think the trouble's worth it.

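As an added illustration of smoon's sshd list and his last tip (not smoon's code, and not from the thread): a small script that audits an sshd_config against those points and prints the iptables "recent" rules for the four-connections-per-minute limit. The config path is taken as the first argument; "Protocol" is only checked when it is present, since OpenSSH 7.4 and later have no SSH-1 support left to disable. The two sample configurations are constructed for the check.

```shell
#!/bin/sh
# Added example, not code from the thread: audits an sshd_config against the
# points in smoon's list and prints the iptables "recent" rules for the
# rate limit he describes. Assumptions: the config path is given as $1;
# settings are written "Keyword value"; "Protocol" is only checked when
# present, because OpenSSH 7.4 and later have no SSH-1 to disable.

# Value of the first matching keyword in FILE (sshd uses the first
# occurrence, not the last); comments and case are ignored. Empty if unset.
setting() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == k { sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, ""); print; exit }
    ' "$1"
}

findings=0
fail() { echo "FAIL: $1"; findings=$((findings + 1)); }

# Prints one FAIL line per deviation; returns 0 only when there are none.
audit_sshd() {
    f="$1"; findings=0
    v=$(setting "$f" PermitRootLogin)
    [ "$v" = "no" ] || fail "PermitRootLogin should be no (is '${v:-unset}')"
    v=$(setting "$f" PasswordAuthentication); v=${v:-yes}   # sshd default is yes
    [ "$v" = "no" ] || fail "PasswordAuthentication should be no, use keys (is '$v')"
    v=$(setting "$f" PubkeyAuthentication); v=${v:-yes}
    [ "$v" = "yes" ] || fail "PubkeyAuthentication should be yes (is '$v')"
    v=$(setting "$f" LoginGraceTime); v=${v:-120}; v=${v%s}   # default 120 seconds
    case "$v" in
        ''|*[!0-9]*) fail "LoginGraceTime '$v' is not a plain number of seconds" ;;
        *) [ "$v" -le 20 ] || fail "LoginGraceTime should be 20 or less (is $v)" ;;
    esac
    v=$(setting "$f" MaxStartups); v=${v:-10:30:100}; v=${v%%:*}   # leading number
    case "$v" in
        ''|*[!0-9]*) fail "MaxStartups '$v' not understood" ;;
        *) [ "$v" -le 2 ] || fail "MaxStartups should be 1 or 2 (is $v)" ;;
    esac
    v=$(setting "$f" Protocol)
    [ -z "$v" ] || [ "$v" = "2" ] || fail "Protocol should be 2 only (is '$v')"
    v=$(setting "$f" AllowUsers)
    [ -n "$v" ] || fail "AllowUsers is not set; list the accounts that may log in"
    [ "$findings" -eq 0 ]
}

# The rate limit from smoon's last tip: the 5th new connection to port 22
# from one address within 60 seconds is dropped, and every further attempt
# refreshes the timer, so the address stays blocked while it keeps trying.
ssh_ratelimit_rules() {
    cat <<'EOF'
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 5 --name SSH -j DROP
EOF
}

# Usage: sh sshd-audit.sh /etc/ssh/sshd_config
if [ $# -eq 1 ]; then audit_sshd "$1"; fi
```

Run the audit before restarting sshd after every config change, and keep an existing session open while you test a new key-only login from a second terminal: locking yourself out of an unmanaged box costs real money. The iptables pair belongs before any general ACCEPT for port 22; with --update the block is extended each time the same address retries, which is why the post talks about "a few minutes" rather than a fixed sixty seconds.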

#4 2006-12-20 13:10:26

Luke Armstrong
Member
From: UK
Registered: 2006-12-16
Posts: 12

Re: what is essential to a good Linux web server setup?

Thank you smoon and skymt for your very good responses, I was worried no one would reply as my OP was a bit long winded!

PHP. On this server I will only be using bespoke PHP applications (coded entirely by me) to hopefully avoid any exploits often associated with 3rd party apps. Not saying I'm any better than developers of 3rd party mods, just having closed source leads to the bonus of security through obscurity, but obviously I would try to reduce security holes wherever possible. I have been put off frameworks by using ASP.NET for the past 6 months, though have been interested in learning RoR.

MySQL vs PostgreSQL. MySQL seems to be introducing new features all the time, like stored procedures in version 5. Am I right in thinking MySQL is faster, but not as much of a heavyweight with lots of data that PostgreSQL could be? I will stick to what I know, as MySQL does far more for me than I need it to do anyway.

Webmin. A friend uses this on their server, but they change the default port and only allow access from localhost, so to get into it they log onto SSH with putty and make a tunnel.

Interworx. I may not be using this after all, as I won't be using the system for selling hosting. Saves a bit of money and closes another possible security hole. Also teaches me more than how to use a GUI.

Install Arch over CentOS. I wouldn't be comfortable in doing this, I would rather ask them to set it up to a point where I can get access with SSH and do the rest, otherwise I will end up paying more for a botched installation/configuration.

POP3 vs IMAP. Am I right in thinking with POP3, once email gets read from the client it isn't on the server anymore, but with IMAP it remains on the server even when deleted from the client? Spam is a bugger at the moment, I use (google.com/hosted/) for my own domain at the moment, and the spam box is into the thousands. Just don't want spam and crap clogging up the server, so may even just use postfix for the websites and sign any clients up with Google accounts and change the logo in the top left.

DNS/NS. I only will have the one server, so will have to run the DNS/NS off the web server box.

Thank you again for your responses, it will help me a great deal with my research! Any books you can recommend? I've seen books for Apache, Bind, etc. I like the O'Reilly PHP books.

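An added example for the Webmin arrangement Luke describes (bind it to localhost, reach it through an SSH tunnel). This is my illustration, not Luke's friend's setup or anything from the thread: the tunnel command is shown in the header comment, and the script checks the part that makes the arrangement safe, namely that nothing unintended listens on a public address. The host name, user, port and the sample ss output are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: the tunnel Luke's friend uses, plus a
# check that the "only on localhost" part actually holds. Host name, user
# and port below are placeholders.
#
# Tunnel from the laptop (Webmin bound to 127.0.0.1:10000 on the server);
# afterwards browse to http://127.0.0.1:10000/ locally:
#   ssh -N -L 10000:127.0.0.1:10000 luke@server.example.invalid
# (-N: no remote shell, just the forwarded port.)

# Reads `ss -ltn` or `netstat -ltn` output on stdin and prints "PORT ADDRESS"
# for every listener on a wildcard address whose port is not in the
# space-separated allow list given as $1. Anything printed is reachable from
# the whole internet and should either be firewalled or rebound to 127.0.0.1.
exposed_listeners() {
    awk -v allow=" $1 " '
        # ss prints "LISTEN ..." rows; netstat prints "tcp ... LISTEN" rows.
        # In both, column 4 is the local address:port.
        $1 == "LISTEN" || ($1 ~ /^tcp/ && $NF == "LISTEN") {
            n = split($4, p, ":"); port = p[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            wild = (addr == "0.0.0.0" || addr == "*" || addr == "::" || addr == "[::]")
            if (wild && index(allow, " " port " ") == 0) print port, addr
        }'
}

# Constructed sample of `ss -ltn` output: sshd and Apache public, Webmin on
# loopback as intended, and MySQL accidentally listening on all interfaces.
sample_listeners() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     0.0.0.0:80           0.0.0.0:*
LISTEN  0       128     127.0.0.1:10000      0.0.0.0:*
LISTEN  0       80      0.0.0.0:3306         0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
EOF
}

# Usage on the server:  ss -ltn | sh listeners.sh "22 80 443"
if [ $# -ge 1 ]; then exposed_listeners "$1"; fi
```

On the constructed sample the only line printed is "3306 0.0.0.0": the Webmin port is fine because it is bound to loopback, while MySQL, which only the local PHP code needs, is exposed. The fix for that particular finding is bind-address = 127.0.0.1 (or skip-networking) in the [mysqld] section of my.cnf; the same principle applies to any admin interface you tunnel to rather than publish.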

#5 2006-12-20 15:58:20

skymt
Member
Registered: 2006-11-27
Posts: 443

Re: what is essential to a good Linux web server setup?

Luke Armstrong wrote:

> Thank you smoon and skymt for your very good responses, I was worried no one would reply as my OP was a bit long winded!

You're welcome! I'm glad to help how I can.

Luke Armstrong wrote:

> PHP. On this server I will only be using bespoke PHP applications (coded entirely by me) to hopefully avoid any exploits often associated with 3rd party apps. Not saying I'm any better than developers of 3rd party mods, just having closed source leads to the bonus of security through obscurity, but obviously I would try to reduce security holes wherever possible. I have been put off frameworks by using ASP.NET for the past 6 months, though have been interested in learning RoR.

RoR is very good. I've used it, and I recommend it. However, if you really don't like frameworks, try erb (embedded Ruby). It essentially allows you to embed Ruby code in a document (often with the extension .rhtml), just like PHP. You need to set up your server to process .rhtml documents with erb, but that only takes about 10 minutes, including reading the docs and testing.

Luke Armstrong wrote:

> MySQL vs PostgreSQL. MySQL seems to be introducing new features all the time, like stored procedures in version 5. Am I right in thinking MySQL is faster, but not as much of a heavyweight with lots of data that PostgreSQL could be? I will stick to what I know, as MySQL does far more for me than I need it to do anyway.

Both are very good. Use whichever you prefer. Recent versions of Postgre have gotten much faster, but all the speed comparisons I can find on Google use older versions, so I don't exactly know which is faster.

Luke Armstrong wrote:

> Webmin. A friend uses this on their server, but they change the default port and only allow access from localhost, so to get into it they log onto SSH with putty and make a tunnel.

That's perfect! I wish I'd thought of it.

Luke Armstrong wrote:

> POP3 vs IMAP. Am I right in thinking with POP3, once email gets read from the client it isn't on the server anymore, but with IMAP it remains on the server even when deleted from the client? Spam is a bugger at the moment, I use (google.com/hosted/) for my own domain at the moment, and the spam box is into the thousands. Just don't want spam and crap clogging up the server, so may even just use postfix for the websites and sign any clients up with Google accounts and change the logo in the top left.

Not exactly. POP3 clients can choose whether to delete the mail from the server as soon as it's downloaded, keep it on the server for a certain amount of time, or keep it forever. Most clients I've used delete immediately by default, but some don't.

The IMAP approach is closer to webmail. The messages and folders you see in your client are always the messages and folders on the server. Move a message in the client, it gets moved on the server. Delete a message, it gets deleted. One huge benefit of IMAP is that you don't download every message. It downloads the headers first, so you can delete any obvious spam. Then individual messages are downloaded as you read them.

Reading over that, I don't think I explained IMAP very well. Look it up in Wikipedia for a better explanation.

Luke Armstrong wrote:

> Thank you again for your responses, it will help me a great deal with my research! Any books you can recommend? I've seen books for Apache, Bind, etc. I like the O'Reilly PHP books.

The Book of Postfix is probably the best book about Postfix. It focuses on spam prevention and security.

Ending Spam goes into more detail on various ways to block spam.

If you decide to learn Ruby, the definitive book is Programming Ruby. The first edition is available for free online, but you want the second edition, which is updated for the latest version of Ruby.

For Rails, there's another good book from some of the same authors: Agile Web Development with Rails.


#6 2006-12-21 17:58:17

Luke Armstrong
Member
From: UK
Registered: 2006-12-16
Posts: 12

Re: what is essential to a good Linux web server setup?

smoon wrote:

> If they offer a remote console you can choose CentOS and install Arch remotely over the console to save the £40.

Hi, they said they won't install Arch for me as it would be too much effort for them. For fuck's sake, for £1500 a year paid up I thought installing something as basic as Arch wouldn't be asking too much. They will just install one of their chosen distros now; I will probably go for CentOS. I can ask how I want it partitioned too if that helps with my next question.

How would it be possible to install Arch Linux over the console? Help please!


#7 2006-12-21 18:01:08

Luke Armstrong
Member
From: UK
Registered: 2006-12-16
Posts: 12

Re: what is essential to a good Linux web server setup?

Ah, I have found this from the installation forum; if you have anything else to add please do.

http://wiki.archlinux.org/index.php/Rem … ux_Install


#8 2006-12-27 07:04:16

Cynical
Member
Registered: 2006-11-07
Posts: 36

Re: what is essential to a good Linux web server setup?

Too much effort? Bah, I just reinstalled Arch and set up GNOME/ALSA/nVidia drivers in a couple of minutes. Follow the installation guide (or just follow the live CD, it's pretty straightforward) and ask us if you need help understanding anything. You can have it set up in no time.

