After too many problems with Wintendo and IIS/WWW issues (defacements, etc), the firm I work for has decided on a linux/apache solution. I will be running SuSE 8.0 with apache (plus security update), and have loaded php, perl, and python, along with jakarta-tomcat. What things should I look for in tuning apache for maximum performance, and good security practices (I've never had apache as the primary webserver before)? The hardware is a pent 3/450, 512MB of RAM, 3c905 NIC, 8GB of hard drive space, ATI video card + floppy, cdrom, keyboard, and mouse. I am building another machine (celeron 633 with roughly the same stuff) to function as a backup/spare webserver. I would enjoy hearing any and all comments about tuning and security :-) -Bill
On Fri, Jul 05, 2002 at 08:14:20PM -0700, Bill Parker wrote:
After too many problems with Wintendo and IIS/WWW issues (defacements, etc), the firm I work for has decided on a linux/apache solution. I will be running SuSE 8.0 with apache (plus security update), and have loaded php, perl, and python, along with jakarta-tomcat.
What things should I look for in tuning apache for maximum performance, and good security practices (I've never had apache as the primary webserver before)?
Welcome to Linux. Here are some basic tips.

The first thing you need to do is turn off ALL services on your server you don't absolutely need. For example, if you don't need the "at" service, disable it using the runlevel editor in YaST2. That includes Apache modules you don't need. Only run what you need.

Don't use telnet to access the server remotely, use OpenSSH (SuSE default configuration is this way).

Install and configure tripwire. This is a program that takes a cryptographic "fingerprint" of all your key binaries, configuration files, and libraries and stores it in a database. Then, you can run it daily to detect any unexpected changes to your configuration. It is included on the SuSE CDs. I put my tripwire database along with a statically linked copy of the program on a CD to prevent any tampering with the database.

For performance, take a look at the HTTPD_PERFORMANCE variable in /etc/sysconfig/apache. The default setting is slim, but you may want to change it to mid or thick. This changes the default and max number of child processes that apache uses. Set HTTPD_SEC_PUBLIC_HTML=no.

Check your log files regularly. Check for security updates on your server with YaST2 frequently and sign up for the suse-security mailing list.

Each of these topics (security and performance) can take up several books, but the above should get you started.

Best Regards, Keith
-- LPIC-2, MCSE, N+
Right behind you, I see the millions
Got spam? Get spastic http://spastic.sourceforge.net
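A minimal illustration of the baseline-then-verify check Keith describes for tripwire, as an added example that is not from the thread or from tripwire itself; it assumes GNU coreutils/findutils and constructs its own sample files in a temporary directory:

```shell
#!/bin/sh
# Added example, not from the thread: a minimal baseline-and-verify file
# integrity check in the spirit of tripwire as Keith describes it.
# Assumes GNU coreutils/findutils (sha256sum, find -print0, xargs -0 -r).
# All paths and sample files below are constructed for the demo.

# Hash every regular file under the given directories into the "database"
# file $1. In real use keep that file (and a static copy of the checker)
# on read-only media, as Keith does, so an intruder cannot rewrite it.
make_baseline() {
    db="$1"; shift
    find "$@" -type f -print0 | sort -z | xargs -0 -r sha256sum > "$db"
}

# Re-hash each file listed in the database $1 and compare. Prints a line
# for every changed or missing file; returns 0 only if everything matches.
verify_baseline() {
    sha256sum --quiet -c "$1" 2>/dev/null
}

# Demo: build a tiny "system", take a baseline, verify it, then alter one
# file and verify again. Returns 0 if the alteration was detected.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/etc" "$work/bin"
    printf 'ServerTokens Prod\n' > "$work/etc/httpd.conf"   # constructed config
    printf '#!/bin/sh\necho hi\n' > "$work/bin/tool"         # constructed binary
    make_baseline "$work/baseline.db" "$work/etc" "$work/bin"
    if verify_baseline "$work/baseline.db"; then clean=0; else clean=1; fi
    # an unexpected change, the kind a daily run is meant to catch
    printf '#!/bin/sh\necho changed\n' > "$work/bin/tool"
    if verify_baseline "$work/baseline.db"; then after=0; else after=1; fi
    rm -rf "$work"
    echo "verify exit before change=$clean, after change=$after"
    [ "$clean" -eq 0 ] && [ "$after" -eq 1 ]
}

demo
```

A cron entry running `verify_baseline` against a database stored on read-only media gives the daily check Keith describes; any output line is a file to investigate.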
Hi Keith

I'm in a similar position to Bill. Can you point me in the direction of good books, or ones you have read, on the security side of these programs?

Luck is my game ;-) Linux is my aim :)

tia Dre :-)
On Sat, Jul 06, 2002 at 11:55:46AM +0100, arawak wrote:
Hi Keith
I'm in a similar position to Bill.
Can you point me in the direction of good books, or ones you have read, on the security side of these programs?
The field is really vast, so it's hard to recommend a small set of books that cover everything. That said, I like a book called "Counter Hack", and the Hacking Exposed series of books are OK.

You can also get some good information here:
http://www.linuxsecurity.com/docs/
http://www.cert.org/

Best Regards, Keith
participants (3): arawak, Bill Parker, Keith Winston