Server Optimization For Newbies?
supaneko writes "I recently took a new job as a network and server administrator for a small IT company. I am absolutely shocked at how much is taking place within this company that I have little to no experience with. To help bolster my experience, I purchased a used server to use for hands-on training and practice. My ultimate goal is to have a complete, secure LAMP server available to the public running CentOS. I have been browsing the Net for various guides and tips on setup, optimization, security, and maintenance, but nothing I've found really gives me a hands-on approach to the topics I want to learn about. When you all started out, what route did you take to pick up the server setup and maintenance skills you have now? Is there anything in particular that you would recommend to someone who has excellent skills with consumer PCs and servers but is a total newbie to corporate and enterprise networking and servers?"
You forgot c) they fired the mentor with the junior barely trained and now the junior has to do the whole job by himself
Happens a lot more than you think
Learning Slackware has certainly served me well. I think it gives the most rounded education of how a system works--it's said that "when you learn Red Hat, you know Red Hat. When you learn Slackware, you know Linux." Learning how to install software and run servers in Slackware, I learned a bunch. (And yes, the knowledge you take away from that is more generally applicable than what you learn from Gentoo.)
A cat can't teach a dog to bark.
the person is honestly asking for advice. most replies seem helpful; what's with the self-absorbed minority who think it's more productive to denigrate the poster/ his or her company than just lend a hand?
I did the same you did a looong time ago. Got myself an old computer, put Linux on it, Apache, Sendmail (now you would use Postfix), bought a book about Linux. I ran my own website and my own mail server, and kept doing that for 15 years. It doesn't make you the ultimate expert, but at least you get to know what it's all about. I must say that back then, it was much easier to get started because security wasn't such an issue. Right now, you'll spend a considerable amount of time keeping your server secure....
no, I don't have a sig
Not everyone works for a company with hundreds of people that already has a fleet of network admins. Sometimes you get put into a role that you have no experience in because you have the available time, expressed a desire previously, or maybe you just happened to be walking by an open door when the PHB thought "we need a network admin".
Most of the modern Linux distributions have excellent package management. Most of them take care of 99% of the deploy "correctly" or "securely" issues.
The default setups are suitable for dedicated servers and intranet servers.
They are not suitable for hosting multiple sites, say two different departments' or organizations' sites on one shared server.
For example, the default install of Apache + PHP on Red Hat Enterprise Linux uses mod_php.
In a hosted environment, you have to be concerned that one user's site may have buggy PHP code that can be exploited.
The default install provides no protection against User A's PHP scripts messing with User B's data files (for example, to discover User B's database password).
When scripts are run by mod_php, they run with the same credentials as the web server, hence all files (including passwords for SQL database access) have to be readable by the web server.
This configuration is not a best practice, from a security standpoint.
A better practice is to use PHP only in CGI mode, running it as the script owner using Apache suexec.
Prevent user B from accessing user A's files and vice-versa, using ordinary file permissions.
Use a wrapper around CGI scripts so user A and user B are chrooted into different directory trees where their documents are stored, so the damage an exploited script can do is limited to the ordinary expected permissions of that user's scripts.
Moreover, any script-writable directories should be on their own filesystem, marked with a 'noexec' attribute to prevent a web script from uploading and running arbitrary software.
If Red Hat or any major distro ever provides an automated setup that properly deals with web page scripts to follow best security practices, when hosting a few dozen sites, without fear of an issue in one site's script resulting in server-wide compromise, I will be impressed.
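The mod_php versus suexec/CGI contrast in the comment above, and the later suggestion to keep script-writable and temporary directories on their own noexec partitions, written out as two Apache 2.2 configuration fragments. This is an added illustration, not configuration from the thread or from any distribution; it assumes a hypothetical site account "alice" under /var/www/alice, a CentOS-style httpd with mod_suexec, mod_actions and mod_alias loaded, and /usr/bin/php-cgi from the php-cli package. The two fragments are alternatives: the hardened one only makes sense once the stock php.conf that loads mod_php is no longer included.

```apache
# ---- Weak: the stock layout the comment describes --------------------------
# Loading mod_php means every site's PHP executes as the "apache" user.
# Any file PHP must read (config.php holding a database password, say) has
# to be readable by "apache", and therefore by every other site's scripts
# running on the same server.
LoadModule php5_module modules/libphp5.so
AddHandler php5-script .php
<VirtualHost *:80>
    ServerName alice.example.test
    DocumentRoot /var/www/alice/html
</VirtualHost>

# ---- Hardened: PHP as CGI under suexec, one Unix account per site ----------
# Assumed on-disk layout (hypothetical user "alice"):
#   /var/www/alice                alice:apache 0710  apache may traverse only
#   /var/www/alice/html           alice:apache 0750  static files httpd serves
#   /var/www/alice/html/uploads   alice:alice  0700  script-writable, own fs
#   /var/www/alice/cgi-bin        alice:alice  0755  suexec demands owner alice
#   /var/www/alice/cgi-bin/php-wrapper   alice:alice 0755, containing:
#       #!/bin/sh
#       exec /usr/bin/php-cgi -d open_basedir=/var/www/alice:/tmp
# suexec refuses to run the wrapper if it or its directory is writable by
# group or other, or is not owned by the SuexecUserGroup user; "suexec -V"
# prints the compiled-in docroot and minimum uid/gid it enforces.
# php_admin_value does not apply in CGI mode, hence open_basedir via -d.
<VirtualHost *:80>
    ServerName alice.example.test
    DocumentRoot /var/www/alice/html
    # mod_suexec: CGI processes for this vhost run as alice, not apache
    SuexecUserGroup alice alice
    ScriptAlias /cgi-bin/ /var/www/alice/cgi-bin/
    # mod_actions: every .php request is handed to alice's wrapper
    Action php-cgi /cgi-bin/php-wrapper
    AddHandler php-cgi .php
    <Directory /var/www/alice/html>
        Options -ExecCGI -Includes -Indexes
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    # Upload directory: nothing placed here may be interpreted as a script.
    # Pair this with an fstab entry mounting it noexec, e.g. (assumed device):
    #   /dev/vg0/alice_up  /var/www/alice/html/uploads  ext3  defaults,noexec,nosuid,nodev  1 2
    <Directory /var/www/alice/html/uploads>
        Options None
        RemoveHandler .php
        AllowOverride None
    </Directory>
</VirtualHost>
```

With this layout a compromised script in alice's site runs with alice's uid and an open_basedir fence, so files belonging to another site account that are not world-readable stay out of reach; the same per-account pattern is repeated for each hosted site. Apache does not accept trailing comments on a directive line, which is why every comment above sits on its own line.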
I'm actually a software developer, but I work at a place with a lot of small projects and we do our own IT...meaning that we don't get budget for a dedicated IT staff and we end up doing a lot of it ourselves.
So, the way I learned what I need to know was to mess up a lot and get yelled at a lot. :-)
In all seriousness, we have finally landed at a place where we host and run our projects on Amazon's EC2. Some projects are even sophisticated enough now to leverage the EC2 platform and third-party services such as Rightscale for truly distributed cloud computing...but this isn't absolutely necessary if all you want is a place to run your production system. Best of all, since it's all virtualized, it's foolproof to learn new tech. When you're going to make significant changes you just save a snapshot of the current system, use it to start up a new instance off to the side, and screw it up any way you want to figure out a solution, and you can always easily revert to your previous snapshot if necessary. Just make sure you keep organized on which snapshots are configured with what, and be diligent about removing old snapshots that no longer have any purpose (again, purely organizational).
We've found in our business that the cost of doing this is vastly less than maintaining a rack of servers...so even though most projects don't leverage the cloud, we still benefit. (And of course there's room to grow into the cloud, which is also very beneficial.)
Get started by reading up on EC2, S3, and get the ElasticFox plugin for Firefox.
but have you considered the following argument: shut up.
I'd probably add the use of Tripwire or something similar to detect malware or other evidence of intrusions, and disable all unused services and processes. This will improve performance, reduce memory footprint, increase stability, increase security and mow the lawn. If you're into kernel building, remove unnecessary kernel options and specify your hardware rather than using generic options. If network loads may be a problem, you might want to investigate patches like Web100, if it'll work with the distro version of the kernel. Swap space should be 2.5-3 times the size of RAM for a server and /tmp should probably be on an isolated partition. I'd probably put /var/log on an isolated partition too. If you're paranoid, put a proxy server in the company's DMZ network (there is a DMZ network, right?) and only permit connections to (and from) the server via the proxy. Then put a honeypot on the proxy that traps all services and IP ports you've disabled on the server.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
When you all started out, what route did you take to pick up the server setup and maintenance skills you have now? Is there anything in particular that you would recommend to someone who has excellent skills with consumer PCs and servers but is a total newbie to corporate and enterprise networking and servers?
The guy is asking how to work with serving apps in general; he is light years from optimizing them. Like most noobs, they post something not knowing what the hell they are doing, way over their heads, asking about something and trying to be smart by saying "I am trying to set up a PDC in Server 2008, but cannot get my Exchange 2007 running because it says I am getting a conflict with another IP." Reading things like this and the question in this forum make me shiver and want to scream, because there are so many things wrong with the statements I barely know where to start. And in my example the guy was thinking there was just an IP problem, when in actuality "Can open, Worms everywhere".
CS: It is all sink or swim...oh and did I mention there are sharks in that water?
Oh I know all about that, having written at least one (proof of concept, buggy as hell, fake architecture) emulator myself.
Essentially, I've found VirtualBox can run some windows games that don't run in wine (not really a virtualizer or an emulator, it reimplements parts of the Windows API on top of Linux libs), at least not for me. (Diablo may be listed as working but I've followed all the instructions and...nope)
I use dosbox for anything that goes in dos, it's not like XP can play most of those anyway.
Also can be used to install things like iTunes in a sandbox for requiem. Which, apparently, is actually legal, since from my understanding of the DMCA you just can't /distribute/ DRM bypass tools or do it for other people.
93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
@COMON$: You're a jackass... it's comments like this that put others off asking for assistance... thereby perpetuating the void you seem so angry/frightened of.
He says he's new. Admits he is starting at ground level. Lets the world know that he found himself out of his depth... BUT is doing something not a lot of others do - ASKING FOR HELP! So you trash him?
@kdawson - Good move getting a practice box... if nothing else, it will give you the confidence to take some risks to find out how stuff works.
There is an amazing wealth of info out there in the form of HOWTOs and various sites like this where all sorts come together to discuss stuff.
I found it easier to start building something, then once I found I was hitting a wall, look it up. I learn best by doing, so this worked for me. Others work better by reading. So I guess it's up to you how you best learn, which will give you a path.