Linux guru (Vlad?)


alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Linux guru (Vlad?)

Post by alex.barylski »

Figured I'd throw that name in there seeing as he is almost always the one who replies. :P Sorry buddy if that makes you uncomfortable or anything.

Anyone else listening is welcome to chime in of course.

Basically I have walked into a situation where this organization manages their physical servers and I suppose buys the uplink from an ISP to support hosting a web site completely in house, somewhat different from me, where I am used to working with dedicated servers at most.

Issue 1: They are running Ubuntu Server and while that's fine I think they'd be better off running Debian reduced to nothing more than a web server, and I am more familiar with Debian as well. :P

Problem is, the server is "live" so I cannot just reformat everything, drop the partitions, re-install Debian and AMP software and then wrestle with the codebase getting it configured. My biggest fear though, is that the internal DNS servers might trip me up, unless we use some third-party DNS.

In the process of switching to Debian I am going to disable remote root login, force sudo and keep logs for everything (Apache, Linux, shell history?, PHP) and hopefully find some tools to help us analyze data and determine any exploit vectors, etc.

Disabling error reporting, setting permissions, limited user accounts, all these things are trivial...

I know that dedicated hosts usually offer firewalls for additional security, can we do something similar inside our own network, how would that work? The firewall should only allow HTTP responses if the matching HTTP request has been found, anything we can do to prevent DoS, etc. Where would a firewall sit in this kind of setup? Separate computer or would I set up iptables firewalls on the live server?

Just a few questions I have for now, more will come later.

Thanks for the replies in advance :)

Cheers,
Alex
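The "disable remote root login, force sudo" step above comes down to a handful of sshd_config directives, and the easy mistake is to add them at the bottom of a file that already sets them earlier (sshd honours the first occurrence of a directive). This is an added example, not code from the thread or from any poster: a POSIX sh audit that reads the effective value of each directive and reports what still needs fixing, plus the hardened fragment it expects. The config path, the `sshusers` group name and the checked directives are my assumptions; run `sshd -t` after editing and keep a second session open until the restarted daemon is confirmed working.

```shell
#!/bin/sh
# Added example (not from the thread). Audits an sshd_config for the settings
# behind "disable remote root login, force sudo": no root over SSH, keys only,
# and a named admin group as the only users allowed to connect.
# Pass a file to audit offline; the default is the live config.

# Effective value of a directive: sshd uses the first occurrence, so take it.
# Keyword matching is case-insensitive, as in sshd itself.
sshd_get() {  # file directive
  awk -v d="$2" 'tolower($1)==tolower(d) {print $2; exit}' "$1"
}

# Print one line per finding; return 0 only if every check passes.
# An unset directive counts as a failure, since older OpenSSH defaults
# PermitRootLogin to yes.
sshd_audit() {
  f="${1:-/etc/ssh/sshd_config}"
  rc=0
  check() {  # directive expected-value
    got=$(sshd_get "$f" "$1")
    if [ "$got" = "$2" ]; then
      echo "OK   $1 $got"
    else
      echo "FAIL $1 ${got:-<unset>} (want $2)"
      rc=1
    fi
  }
  check PermitRootLogin no
  check PasswordAuthentication no
  check PubkeyAuthentication yes
  check X11Forwarding no
  # AllowGroups restricts who may even attempt a login; the group name is
  # site-specific (assumed "sshusers" below), so only presence is checked.
  if [ -n "$(sshd_get "$f" AllowGroups)" ]; then
    echo "OK   AllowGroups set"
  else
    echo "FAIL AllowGroups unset"
    rc=1
  fi
  return $rc
}

# Hardened fragment to place at the TOP of sshd_config so it wins over any
# later duplicates; "sshusers" is an assumed admin group that must exist.
sshd_hardened() {
  cat <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
X11Forwarding no
AllowGroups sshusers
EOF
}

# Stand-alone use: audit the live config (exit status reflects the result).
[ "${SSHD_AUDIT_MAIN:-0}" = 1 ] && sshd_audit "$@"
```

With `PasswordAuthentication no`, every admin needs a key in place before the restart, and the sudo step needs those same admins in the sudoers group, or the server becomes unreachable for maintenance once root logins are refused.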
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Linux guru (Vlad?)

Post by VladSun »

:)

So... you have to move Apache, PHP, MySQL and DNS to another server with different IP, right?

Also, take a look at the Suhosin PHP patch - http://www.hardened-php.net/suhosin/a_feature_list.html
I know that dedicated hosts usually offer firewalls for additional security, can we do something similar inside our own network, how would that work? The firewall should only allow HTTP responses if the matching HTTP request has been found, anything we can do to prevent DoS, etc. Where would a firewall sit in this kind of setup? Separate computer or would I set up iptables firewalls on the live server?
HTTP and TCP/IP (i.e. firewall) are in different OSI layers.

Your firewall could protect you from SYN-flood, port-scan, bad TCP/IP packets, etc. attacks, but it can't determine packets related to an HTTP session (well, there are some L7 iptables patches, but I don't recommend using them). Putting your firewall on the LAMP server is fine, IMHO.

Enable tcp_syncookies - http://cr.yp.to/syncookies.html

Code:
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
If you need an intrusion detection system (IDS) search for "Linux IDS" - I've used Snort for a while. I would recommend you use a switch with network traffic mirroring capabilities or a TAP, so you can run the IDS on a separate machine.
There are 10 types of people in this world, those who understand binary and those who don't
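The `echo 1 > /proc/sys/net/ipv4/tcp_syncookies` line above takes effect immediately but is lost at reboot, and the "matching request" idea in the question maps onto what a packet filter can actually do: track TCP connection state, not HTTP semantics. This is an added example, not code from VladSun or the thread: a POSIX sh script that renders the sysctl lines to persist (under /etc/sysctl.d/ on a real host), audits the running kernel's /proc values, and builds a stateful iptables baseline for the LAMP host itself, which is where VladSun suggests placing it. The rule set, the rate-limit figures and the audited keys beyond tcp_syncookies are my assumptions; with `DRY_RUN=1` (the default) the iptables commands are printed rather than applied, so the script runs without root.

```shell
#!/bin/sh
# Added example (not from the thread). Persisted kernel settings, a /proc audit,
# and a stateful iptables baseline for a single LAMP host.

# Lines to persist (e.g. /etc/sysctl.d/90-hardening.conf, then `sysctl --system`).
# tcp_syncookies is the one VladSun names; the rest are assumed extras.
hardening_sysctl() {
  cat <<'EOF'
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.conf.all.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
EOF
}

# Does a sysctl-style file set KEY to VALUE?  Returns 0 if so.
sysctl_file_has() {  # file key value
  awk -v k="$2" -v v="$3" -F'[ =]+' '$1==k && $2==v {found=1} END {exit !found}' "$1"
}

# Audit the running kernel. ROOT defaults to /proc/sys but can point at a
# constructed tree so the check runs offline. Nonzero return if anything is BAD.
audit_proc() {
  root="${1:-/proc/sys}"
  rc=0
  for kv in net/ipv4/tcp_syncookies=1 net/ipv4/conf/all/rp_filter=1; do
    path="$root/${kv%%=*}"
    want="${kv#*=}"
    have=$(cat "$path" 2>/dev/null || echo missing)
    if [ "$have" = "$want" ]; then
      echo "OK  $path=$have"
    else
      echo "BAD $path=$have (want $want)"
      rc=1
    fi
  done
  return $rc
}

# Stateful baseline on the LAMP host: drop malformed TCP flag combinations,
# accept return traffic for connections the host opened or accepted (this is
# the closest a packet filter gets to "only responses to a matching request"),
# allow new SSH and HTTP, and cap the rate of new HTTP SYNs as a crude
# flood brake. Everything else hits the DROP policy.
apply_firewall() {
  run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
  }
  run -P INPUT DROP
  run -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
  run -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
  run -A INPUT -i lo -j ACCEPT
  run -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
  run -A INPUT -p tcp --dport 80 --syn -m limit --limit 50/s --limit-burst 100 -j ACCEPT
}

# Stand-alone use: print the sysctl lines, audit /proc, print the rule set.
if [ "${HARDEN_MAIN:-0}" = 1 ]; then
  hardening_sysctl
  audit_proc
  apply_firewall
fi
```

The SYN rate limit is a blunt instrument: once the limit is exceeded, legitimate new HTTP connections are dropped too, so the figures need tuning against real traffic. Syncookies handle the backlog exhaustion case on their own; the iptables rule only reduces how much of that work the kernel has to do.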
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: Linux guru (Vlad?)

Post by alex.barylski »

Thanks for the speedy reply :)
So... you have to move Apache, PHP, MySQL and DNS to another server with different IP, right?
Not quite. Basically we have an internal server, it's running Ubuntu server, it was installed by another developer and I want to reformat and re-install using just Debian, keep things lean as possible and remove all the extraneous stuff.

Then I'm looking to harden the server the best I can, as the PHP scripts are probably laden with potential exploits, so I'm thinking SAFE MODE, Apache mod_secure (if I recall correctly there is a module like this?), etc.

Apparently we have a firewall (freedom9) installed already so I assume iptables would be redundant.

It's weird cause the other developer just explained that the firewall handles the DNS???

Basically when I reformat using Debian I need to ensure I keep all services running properly and the domain resolves properly to our internal server. I have set up Debian many times locally at home behind my own firewall but never dealt with Email or DNS as I just used localhost or the IP of my machine and because of port blocking wasn't able to access my web site or send emails, etc.

Now I am in a similar situation, but there are multiple machines, a firewall which they all sit behind and that controls DNS?

Cheers,
Alex
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Re: Linux guru (Vlad?)

Post by Weirdan »

PCSpectra wrote: Basically when I reformat using Debian I need to ensure I keep all services running properly
I don't think it's possible to use a server while its hard disks are being reformatted. Unless you meant something else, of course.
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: Linux guru (Vlad?)

Post by Christopher »

PCSpectra wrote:Issue 1: They are running Ubuntu Server and while that's fine I think they'd be better off running Debian reduced to nothing more than a web server, and I am more familiar with Debian as well. :P
Uhhhh ... Ubuntu is based on Debian. You should be able to uninstall anything you don't want with Apt to get a more minimal system. I can't imagine there would be much difference on a minimal server setup. Mostly Ubuntu gives you the latest application releases and desktop niceties -- but the core is Debian.

I know you can do some live kernel updates with Debian based distros, but you may need to reboot. Do a disk check before rebooting if the server has been up a while so you don't get forced checks on reboot.
(#10850)
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: Linux guru (Vlad?)

Post by alex.barylski »

I don't think it's possible to use a server while its hard disks are being reformatted. Unless you meant something else, of course.
Hehe...I wouldn't be reformatting while the server was running and in use. Not sure how to go about making the transition seamless. They have two servers, one for development and one for deployment. The development code eventually needs to make its way onto the deployment server, but before I do that I want to reformat and reinstall only Debian.
Uhhhh ... Ubuntu is based on Debian. You should be able to uninstall anything you don't want with Apt to get a more minimal system. I can't imagine there would be much difference on a minimal server setup. Mostly Ubuntu gives you the latest application releases and desktop niceties -- but the core is Debian.
Force of habit. Who knows what weird configurations, adjustments, etc. the people before have applied (I just know when I asked for SSH access I was told it didn't work and restarting the server caused issues with Apache). I'm not interested in tinkering with a potentially 'tinkered' installation so I'd rather start anew and be sure of exactly what is going on.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Linux guru (Vlad?)

Post by VladSun »

I need you to clarify the network topology, how clients will reach your service (is it Intranet or Internet), DNS setup, etc.
It's weird cause the other developer just explained that the firewall handles the DNS???
:mrgreen: OOOOK ;) I really want to see it :)
There are 10 types of people in this world, those who understand binary and those who don't
Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

Re: Linux guru (Vlad?)

Post by Eran »

He probably means the router handles the DNS and the firewall. He probably refers to the router as "the firewall".
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: Linux guru (Vlad?)

Post by alex.barylski »

I don't know what he means...I may have misinterpreted router for firewall, although I know the difference.

Basically there are two machines, one dev and one for deployment.

I know nothing more than that of the network topology, which is what I am trying to learn, but no one can really explain it to me (at work I mean).

They probably have a router (or a switch -- if I remember correctly) which sends requests to the appropriate machines. Apparently only the live server will see HTTP requests; in order to work on the dev site from home I need to log in using Windows VNC -- which was totally foreign to me hitherto.

The guy before me was clearly a Windows centric VB style programmer, hence the choice of MSSQL as a database engine... :banghead:

Self preservation at its finest...the system is so complex if he left right now we'd all be f***ed. :P
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Re: Linux guru (Vlad?)

Post by Weirdan »

arborint wrote:Mostly Ubuntu gives you the latest application releases and desktop niceties
Actually, Ubuntu mostly lags behind Debian, considerably.
arborint wrote:I know you can do some live kernel updates with Debian based distros
There was a time I was running "Debuntu" on my dev box (Ubuntu was installed first and then updated from Debian repositories), but that didn't end well. One day it just didn't start.
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: Linux guru (Vlad?)

Post by alex.barylski »

I tried Ubuntu when it first came out...Ubuntu is slow, sluggish at best.

Seems to me it would just be natural to use a Debian (plain/tweaked) install for both security and speed/performance. Besides, do you really need a full-fledged desktop GUI system for running a single web site/application?

All of the services/daemons used for web sites I am quite familiar with and when I run into problems I come here and VladSun or someone else helps me out. *thumbs up*

Ubuntu on the other hand, when I asked in their forums, it was an experience like Joomla, where most users were just that, users...anything more difficult than trivial file permissions and you're essentially left on your own.

I like being forced into working directly with the config files for Apache, MySQL, Postfix, etc...it forces you to learn.

There is so much I don't understand about networks, etc because Windows shelters you from much of it.

Cheers,
Alex
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: Linux guru (Vlad?)

Post by Christopher »

Weirdan wrote:Actually, Ubuntu mostly lags behind Debian, considerably.
This is simply not true for actual stable releases. Debian's latest stable release was 22 months after the last one. Ubuntu stable releases are every 6 months. You can test your luck with unstable and testing packages from either (and any other) distro, but those are not stable releases. Using unstable/testing packages in a production environment requires doing your own testing.
Weirdan wrote:There was a time I was running "Debuntu" on my dev box (Ubuntu was installed first and then updated from Debian repositories), but that didn't end well. One day it just didn't start.
I have created Debian-like installations from the Ubuntu repository and Ubuntu-like installations from the Debian repository. Mixing repositories should only be done with a lot of knowledge about package prerequisites. But both repositories have the same stuff, so there is little need to mix.
(#10850)
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Linux guru (Vlad?)

Post by VladSun »

Let me show you how I suppose your network is built (using the little information you provided ;) )

Code:

                          Public IP               Private IP 1
Clients ------>  Internet -----> router/firewall  -----> DNS
                                                  Private IP 2
                                                  -----> production server (WWW, DB)
                                                  Private IP 3
                                                  -----> development server (WWW, DB)
Is it really this way?
There are 10 types of people in this world, those who understand binary and those who don't
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: Linux guru (Vlad?)

Post by alex.barylski »

Is it really this way?
To be honest I don't know. I haven't really had a chance to ask many questions about the setup. I know that we have one live server which is used to power the existing web site and another server used for development but it is not accessible from the outside; I have to log in using remote desktop into my console at work, then VNC into the development server.

We all access the test server using a domain (not the IP) which I assume is internal (how they set that up I don't know?). The live site is accessible from home without VNC (I cannot disclose the domain as the site is potentially hijackable).

The Ubuntu server is accessed internally or externally via VNC. I have tried installing SSHd and it seems to install fine but when I ping the IP of the Ubuntu server (using the IP returned by ifconfig logged in as root -- I have already suggested we use sudo but everyone says it breaks the server) from my console at work I get nothing but failure.

Everything seems really f***ed up...
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: Linux guru (Vlad?)

Post by Christopher »

PCSpectra wrote:The Ubuntu server is accessed internally or externally via VNC.
So you can connect via VNC (which is an oldschool thin client system, for those who care). What IP does it use?
PCSpectra wrote:I have tried installing SSHd and it seems to install fine but when I ping the IP of the Ubuntu server (using the IP returned by ifconfig logged in as root --
Is the daemon started? Is the port open? Etc?
PCSpectra wrote:I have already suggested we use sudo but everyone says it breaks the server) from my console at work I get nothing but failure.
Everyone says it breaks the server?!? That's just crazy. So what works and what gives nothing but failure?
PCSpectra wrote:Everything seems really f***ed up...
Not working is a lot different from f*ed up as I recall... ;)
(#10850)