Slashdot Mirror
Server Optimization For Newbies?
supaneko writes "I recently took a new job as a network and server administration for a small IT company. I am absolutely shocked at how much is taking place within this company that I have little to no experience with. To help bolster my experience, I purchased a used server to use for hands-on training and practice. My ultimate goal is to have a complete, secure LAMP server available to the public running CentOS. I have been browsing the Net for various guides and tips on setup, optimization, security, and maintenance, but nothing I've found really gives me a hands-on approach to the topics I want to learn about. When you all started out, what route did you take to pick up the server setup and maintenance skills you have now? Is there anything in particular that you would recommend to someone who has excellent skills with consumer PCs and servers but is a total newbie to corporate and enterprise networking and servers?"
You forgot c) they fired the mentor with the junior barely trained and now the junior has to do the whole job by himself
Happens a lot more than you think
Not everyone works for a company with hundreds of people that already has an fleet of network admins. Sometimes you get put into a role that you have no experience in because you have the available time, expressed a desire previously, or maybe you just happened to be walking by an open door when the PHB thought "we need a network admin".
Most of the modern linux distributions have excellent package management. Most of them take care of 99% of the deploy "correctly" or "securely" issues.
The default setups are suitable for dedicated servers and intranet servers.
They are not suitable for hosting multiple sites, say two different department's or organization's sites on one shared server.
For example, the default install of Apache + PHP on Redhat Enterprise Linux uses mod_php.
In a hosted environment, you have to be concerned that one user's site may have buggy PHP code that can be exploited.
The default install provides no protection against User A's PHP scripts messing with User B's data files (for example, to discover User B's database password).
When scripts are run by mod_php, they run with the same credentials as the web server, hence all files (including passwords for SQL database access) have to be readable by the web server.
This configuration is not a best practice, from a security standpoint.
A better practice is to use PHP only in CGI mode, run it as the script owner using Apache SUexec.
Prevent user B from accessing user A's files and vice-versa, using ordinary file permissions.
User a wrapper around CGI scripts so user A and user B are chrooted into different directory trees where their documents are stored, so the damage an exploited script can do is limited to the ordinary expected permissions of that user's scripts.
Moreover, any script-writable directories should be on their own filesystem, marked with a 'noexec' attribute to prevent a web script from uploading and running arbitrary software.
If Redhat or any major distro ever provides an automated setup that properly deals with web page scripts to follow best security practices, when hosting a few dozen sites, without fear of an issue in one site's script resulting in server-wide compromise, I will be impressed.
I'm actually a software developer, but I work at a place with a lot of small projects and we do our own IT...meaning that we don't get budget for a dedicated IT staff and we end up doing a lot of it ourselves.
So, the way I learned what I need to know was to mess up a lot and get yelled at a lot. :-)
In all seriousness, we have finally landed at a place where we host and run our projects on Amazon's EC2. Some projects are even sophisticated enough now to leverage the EC2 platform and third-party services such as Rightscale for truly distributed cloud computing...but this isn't absolutely necessary if all you want is a place to run your production system. Best of all, since it's all virtualized so it's foolproof to learn new tech. When you're going to make significant changes you just save a snapshot of the current system, use it to start up a new instance off to the side, and screw it up any way you want to figure out a solution, and you can always easily revert to your previous snapshot if necessary. Just make sure you keep organized on which snapshots are configured with what, and be diligent about removing old snapshots that no longer have any purpose (again, purely organizational).
We've found in our business that the cost of doing this is vastly less than maintaining a rack of servers...so even though most projects don't leverage the cloud, we still benefit. (And of course there's room to grow into the cloud, which is also very beneficial.)
Get started by reading up on EC2, S3, and get the ElasticFox plugin for Firefox.
but have you considered the following argument: shut up.
I'd probably add the use of Tripwire or something similar to detect malware or other evidence of intrusions, and disable all unused services and processes. This will improve performance, reduce memory footprint, increase stability, increase security and mow the lawn. If you're into kernel building, remove unnecessary kernel options and specify your hardware rather than using generic options. If network loads may be a problem, you might want to investigate patches like Web100, if it'll work with the distro version of the kernel. Swap space should be 2.5-3 times the size of RAM for a server and /tmp should probably be on an isolated partition. I'd probably put /var/log on an isolated partition too. If you're paranoid, put a proxy server in the company's DMZ network (there is a DMZ network, right?) and only permit connections to (and from) the server via the proxy. Then put a honeypot on the proxy that traps all services and IP ports you've disabled on the server.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
When you all started out, what route did you take to pick up the server setup and maintenance skills you have now? Is there anything in particular that you would recommend to someone who has excellent skills with consumer PCs and servers but is a total newbie to corporate and enterprise networking and servers?
The guy is asking how to work with serving apps in general, he is light years from optimizing them. Like most noobs they post something not knowing what the hell they are doing, way over their heads, asking about something trying to be smart by saying I am trying to set up a PDC in server 2008, but cannot get my exchange 2007 running because it says I am getting a conflict with another IP. Reading things like this and the question in this forum make me shiver and want to scream because there are so many things wrong with the statements I barely know where to start. And in my example the guy was thinking there was just an IP problem, when in actuality "Can open, Worms everywhere".
CS: It is all sink or swim...oh and did I mention there are sharks in that water?