10 Replies - 1568 Views - Last Post: 08 January 2009 - 01:52 PM

#1 didgy58

web servers and security

Posted 12 December 2008 - 01:23 AM

Hi all,

Just got hold of my first dedicated server and been busy tinkering around with it. I've installed Apache, PHP and MySQL, as well as phpMyAdmin. I'm also running Webmin as a nice graphical user interface, as my command line knowledge ain't too hot. I'm going to be hosting a couple of sites that I have made, as well as maybe some more that I will be creating for various friends, family and other people.

So here is how I have it set up at the moment (or will be within the next hour or 2).

I have two IP addresses. One is where I will point all web domains; the other is simply used for Webmin to listen on, so I can log into that on a different address, and it will be a subdomain of one of my web domains pointed to that 2nd IP address. Is this something you guys would recommend?

Next on my list is Apache security. As this is the first time I've done this, I've used the basic setup and left it there really, apart from turning off a few things such as showing the version of Apache in the header and whether PHP is running. Are there any things that you could recommend for this, any tutorials or places to go and look at to help me out?

Also, has anyone ever set up a mail server? I'm thinking about this only for a limited number of clients, mainly on one site to be honest, but the more confident I get with it, the more possibility of adding more.

I'm using the latest version of Apache, 2.2.9, on Ubuntu Linux 8.10, if that helps.

Would you also recommend adding any free stats packages to each virtual host so they have some sort of stats? And are there any directory structures that you would recommend I set up as the default for each virtual host? At the moment they are being served from /home/username.

Any information or suggestions would be much appreciated, as I would really like to make this as secure and firm as possible.

Thanks again

Dan


Replies To: web servers and security

#2 didgy58

Posted 12 December 2008 - 01:47 AM

And just another quick question: off-site backups. I'm guessing I would have to set this up through a cron job, so if I have a NAS sat on my network at home, is there a way I can set up a cron job to back up the server the first time and then every night after just back up the changes/updates etc.? Would this be the way it's done, you think?

#3 mocker

Posted 12 December 2008 - 11:10 AM

You can use rsync as an easy way to run the backups you want. It only copies changed files, so the first time you run it, it will copy all the files, and then only changes from there. You could have a separate process that copies the backup files once per week or so, as only having one day's worth of backups isn't that reliable in case a bunch of files get corrupted or whatever.

I haven't really seen different IPs being dedicated to the control panel only, but in a way that makes sense, in that people going to your main domain won't see what control panel you are running by doing a port scan on its IP.

Apache by itself is pretty much secure. The security issues you'll tend to see are the web apps people run through it, so that's what you want to pay attention to. If you can set up Apache to use suexec to run as the web user instead of the default (usually 'nobody'), then it will do a lot better job of keeping insecure user programs from affecting the whole server. You might need to google about it for more information.

You have a lot of options for mail servers. Exim is an old one, but proven. If your control panel has any options for it I'd suggest using it, because the mail server itself isn't that complicated but integrating it with the rest of the software can be.

Awstats and Urchin stats are two of my personal favorite stat packages.
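An added example, not part of mocker's post, of the rsync approach described above. Instead of a separate weekly copy it keeps several dated snapshots using rsync's `--link-dest`, so corruption noticed days later can still be rolled back. It assumes the script runs on the machine that stores the backups and pulls from the server; the host name, paths and the `site-backup.sh` name are hypothetical.

```shell
#!/bin/sh
# Added example: dated rsync snapshots kept on the backup machine.
# Paths and host names are hypothetical. ROOT must be an absolute path,
# because rsync resolves a relative --link-dest against the destination.

# Print the newest snapshot directory under ROOT (YYYY-MM-DD names sort by date).
latest_snapshot() {
    ls -1d "$1"/????-??-?? 2>/dev/null | sort | tail -n 1
}

# Delete the oldest snapshots so that at most KEEP remain under ROOT.
prune_snapshots() {
    root=$1 keep=$2
    total=$(ls -1d "$root"/????-??-?? 2>/dev/null | wc -l)
    excess=$((total - keep))
    if [ "$excess" -gt 0 ]; then
        ls -1d "$root"/????-??-?? | sort | head -n "$excess" |
            while IFS= read -r old; do rm -rf -- "$old"; done
    fi
}

# snapshot_backup SRC ROOT KEEP [DAY]
# SRC may be local or remote (user@host:/path). Unchanged files are hard
# links into the previous snapshot, so each extra day costs only the changes.
snapshot_backup() {
    src=$1 root=$2 keep=$3 day=${4:-$(date +%Y-%m-%d)}
    mkdir -p "$root" || return 1
    [ -d "$root/$day" ] && return 0          # already taken for this day
    prev=$(latest_snapshot "$root")
    set -- -a --delete
    if [ -n "$prev" ]; then set -- "$@" --link-dest="$prev"; fi
    # Copy into a hidden work directory and rename only on success, so an
    # interrupted transfer never shows up as a complete snapshot.
    rsync "$@" "$src"/ "$root/.partial"/ || return 1
    mv "$root/.partial" "$root/$day" || return 1
    prune_snapshots "$root" "$keep"
}

# Nightly cron entry on the backup machine (script path is hypothetical):
#   30 2 * * * /usr/local/bin/site-backup.sh backup@www.example.net:/home /srv/backups 14
if [ "$#" -eq 3 ]; then
    snapshot_backup "$1" "$2" "$3"
fi
```

Pulling from the backup machine means the web server holds no credentials for the backup store, so a compromised site cannot delete or alter old snapshots.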

#4 didgy58

Posted 15 December 2008 - 02:28 AM

rsync, I will have to take a look at this, as this is something that I really want to get sorted first before I start to place websites on there. I would like to do as you have said: copy the first load and then just copy across the updates daily, to 2 different locations. I've taken a look at AWStats and I think it's the one I'm going to use for now.

Thanks for this info mocker, it has helped a lot. I've also bit the bullet and bought an Apache book by Apress, and I must say I've only read a little so far but it's been very helpful and it's written in a way that anybody could understand (I know all the info is available online for nothing, but sometimes I find it easier to read a book about it all).

So does anybody else have any suggestions about things that I should do to get Apache set up and running correctly before putting sites on there?

Thanks again

Dan

#5 didgy58

Posted 15 December 2008 - 03:38 AM

OK, my next problem has occurred. I'm trying to just set up my second IP address. I've been given it by the company I have the server with, so I've gone into Webmin and into Apache Webserver > Global Configuration > Networking and Addresses.

From here I've added the new IP address to the other IP address that already exists in the listen on addresses and ports list, as well as adding it to the addresses for name virtual servers list. I've assigned it to port 80 listening. I've gone to restart Apache and the following now appears and Apache won't start:

[Mon Dec 15 10:26:25 2008] [notice] Graceful restart requested, doing restart
[Mon Dec 15 10:26:25 2008] [warn] NameVirtualHost xx.xx.xxx.xxx:443 has no VirtualHosts
(99)Cannot assign requested address: make_sock: could not bind to address xx.xx.xx.xxx:80
no listening sockets available, shutting down
Unable to open logs



I'm not sure what I'm doing wrong or even if this is correct. When I delete the IP address from the list Apache runs fine. Does anybody have any suggestions? I'm just trying to set it up to listen on the two IP addresses, and then I can use both of these addresses to set up virtual hosting.

Thanks

Dan

#6 mocker

Posted 16 December 2008 - 01:58 PM

You have to add the IP to the server's network configuration before Apache can use it. It's been a while since I used Webmin so I did a search and found this (http://www.devshed.com/c/a/Administration/OneStop-Linux-Administration-with-Webmin/3/) which looks like it is what you want.

Quick summary:
Webmin-> Hardware -> Network Configuration -> Network Interfaces
add a new IP under "Interfaces Active at boot time"
Most of the information should be similar to your first IP. If your first IP is on eth0 your second should be eth0:1
Netmask and broadcast are the same
Hit Save, then Save and Apply

Now it's set up, so go through the same process you already did to add it to Apache.

Side note: If you are using a Red Hat based system, the IP configuration scripts are in /etc/sysconfig/network-scripts and you could add an IP by setting up /etc/sysconfig/network-scripts/ifcfg-eth0:1 (for example). Other Linux flavors have slightly different setups.
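An added example, not part of the posts above: a check to run before restarting Apache that catches the "(99)Cannot assign requested address" failure by comparing every `Listen ip:port` address in the configuration with the addresses actually assigned to the host. The function names are hypothetical, and the `/etc/apache2/ports.conf` path in the usage comment is an assumption based on the Debian/Ubuntu layout.

```shell
#!/bin/sh
# Added example: find Apache Listen addresses the host does not own yet.
# The configuration path in the usage comment is an assumption.

# Print the distinct IPv4 addresses named in "Listen ip:port" lines of FILE.
# Port-only and wildcard (0.0.0.0) Listen lines bind everywhere and are skipped.
listen_addrs() {
    awk 'tolower($1) == "listen" && $2 ~ /^[0-9.]+:[0-9]+$/ {
             sub(/:[0-9]+$/, "", $2)
             if ($2 != "0.0.0.0") print $2
         }' "$1" | sort -u
}

# Print the IPv4 addresses currently assigned to this host's interfaces.
local_addrs() {
    ip -o -4 addr show | awk '{ sub(/\/.*/, "", $4); print $4 }'
}

# missing_addrs FILE ADDR...: print each Listen address that is not among
# the given host addresses. Returns 1 if any is missing, 0 otherwise.
missing_addrs() {
    conf=$1; shift
    status=0
    for addr in $(listen_addrs "$conf"); do
        case " $* " in
            *" $addr "*) ;;
            *) echo "$addr"; status=1 ;;
        esac
    done
    return "$status"
}

# Pre-restart check (path as on Debian/Ubuntu; adjust for your layout):
#   missing_addrs /etc/apache2/ports.conf $(local_addrs) && apache2ctl graceful
```

Any address it prints still has to be added to a network interface, as described in the post above, before Apache can bind to it.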

#7 didgy58

Posted 16 December 2008 - 04:23 PM

Thanks mocker, I will have a crack at that tomorrow morning and let you know. Gonna read another chapter of my Apache book right now and learn a bit more about the basics, just so I won't have to rely on Webmin so much.

#8 Mike111

Posted 16 December 2008 - 04:46 PM

You should harden your system a little. Running Apache under a chroot jail is a very good idea, so good in fact that it is standard under OpenBSD. Might be incompatible with some applications though. You should also install LIDS and Tripwire. There is more stuff to do as well.

Read stuff like 'Hacking Linux Exposed', it will definitely help you along!

#9 homemade-jam

Posted 16 December 2008 - 05:12 PM

And listen to pauldotcom security weekly - nothing is perfectly secure.

#10 didgy58

Posted 17 December 2008 - 12:59 AM

Thanks guys, will check out pauldotcom as well. The info worked mocker, thanks again.

#11 cmariomej

Posted 08 January 2009 - 01:52 PM

Hi,

Regarding security you can take a look at my blog, I posted a guide on how to secure your web server. It is just the basic stuff but still very useful.

My blog is located at carlosmariomejia.com/blog. The blog title is "LINUX: Guide to Secure your Web Server"

Let me know any feedback please ;)
