  1. #1
    Just Joined!
    Join Date
    May 2012
    Location
    Louisiana
    Posts
    2

    Configuring a perfect base server ISO


    Hello -

    We're provisioning a server to be used as a base VM ISO for several single-themed web sites. Each site will sit on its own virtual server with additional programs specific to its purpose. We've started with a clean install of CentOS and Webmin. We intend to add a handful of programs common to most sites and then harden the server. Our list below reflects our current thoughts.

    What do you think about this list? Are there better selections out there? What else do we need, what are we missing? Again, we want to end up with a minimal base server ISO that we can drop in a VM, then add a custom site/application - do whatever we want, knowing the base is solid.

    PROGRAMS/SERVICES
    Roundcube
    Clamav
    SpamAssassin
    ProFTP
    MySQL
    phpMyAdmin
    Webalizer
    PHP

    HARDENING
    Ksplice
    csf firewall
    Linux Malware Detect
    Change SSH port to non-standard
    mount /dev/shm /tmp with noexec, nosuid
    turn off unwanted services
    Employ mod_security
    hide apache info
    deny browsing outside the document root

    I guess the hardening list could go on and on.

    Thank you
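
A check for the "mount /dev/shm /tmp with noexec, nosuid" item in the list above, as an added example that is not part of the original post. The function names and the sample mount table are constructed for illustration; the input format is that of /proc/mounts.

```shell
#!/bin/sh
# Added example: audit mount options on a base image before templating it.
# Input format is /proc/mounts: device mountpoint fstype options dump pass

# Constructed sample data, not taken from a real host.
SAMPLE_MOUNTS='/dev/mapper/vg-root / ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/mapper/vg-tmp /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0'

# missing_mount_opts MOUNTS_TEXT MOUNTPOINT OPT...
# Prints the required options that are absent (space separated), or
# "not-mounted" if the path is not its own mount. Prints nothing if all present.
missing_mount_opts() {
    mounts_text=$1; mountpoint=$2; shift 2
    # The last matching line wins: a later mount shadows an earlier one.
    opts=$(printf '%s\n' "$mounts_text" |
        awk -v mp="$mountpoint" '$2 == mp { o = $4 } END { print o }')
    if [ -z "$opts" ]; then
        printf 'not-mounted'
        return 0
    fi
    missing=""
    for want in "$@"; do
        # Wrap in commas so "exec" cannot match inside "noexec".
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="${missing:+$missing }$want" ;;
        esac
    done
    printf '%s' "$missing"
}

# audit_base_image MOUNTS_TEXT: returns 0 only if /tmp and /dev/shm both pass.
audit_base_image() {
    rc=0
    for mp in /tmp /dev/shm; do
        m=$(missing_mount_opts "$1" "$mp" noexec nosuid)
        if [ -n "$m" ]; then
            echo "FAIL $mp: $m"
            rc=1
        else
            echo "OK   $mp"
        fi
    done
    return $rc
}

# Report on the constructed sample; on a real host pass "$(cat /proc/mounts)".
audit_base_image "$SAMPLE_MOUNTS" || true
```
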

  2. #2
    Linux Engineer
    Join Date
    Apr 2012
    Location
    Virginia, USA
    Posts
    899
    Uninstall webmin. There's no reason for that software to be on a web server.

    You don't need any extra firewall software. Just learn to use iptables.
    You don't need to change the ssh port. This is not a substitute for setting up iptables and appropriate ssh settings.
    Personally, I would set up a dedicated mail server, and install SpamAssassin on that, vice each webserver. Don't allow incoming SNMP to your webservers if possible.

    Your overhead is going to be high if you run each site on its own VM. Each base CentOS install is going to eat about 200mb RAM, with all the stuff you intend to pile on there, it will be much more, maybe 400+mb per site. Setting up virtual hosts in apache (or nginx or lighttpd) is very common, and not a big deal.

    Also, if each site is going to be MySQL based, you might get more bang for your buck by setting up 2 VMs with replicated MySQL dbs (or a warm backup), instead of having that on each server.

    Anyway, that's how I would do it, if I were managing each host. If you're planning on distributing this template, then perhaps the software and config you describe is suitable.

  3. #3
    Just Joined!
    Join Date
    May 2012
    Location
    Louisiana
    Posts
    2
    Thanks for your thoughts mizzle -

    Yes, handling email for the user is one of our unsettled areas; we are still not tied to any one answer. We intend to block the users from webmin completely and find, or write, a small script that would allow the user to only enter email and ftp accounts. Still thinking on that one.

    We will watch the overhead. I may have misused terms; we do set up individual virtual hosts, allocating resources to each. If they require more, the resources are supplied and billed for.

    Appreciate the 'perhaps the software and config you describe is suitable'. Maybe we're in the ball park, getting closer to what we want.
