tips for configuring web server OS?

Devin Carraway aqua at atlantic.devin.com
Thu Mar 8 09:41:47 PST 2001


On Thu, Mar 08, 2001 at 09:18:18AM -0800, Jeff Miller wrote:
> Does anyone have a pointer to a good checklist or set of suggestions
> for configuring the OS (package updates, networking config, etc.) for
> a light-duty public web server?  

Read through linuxsecurity.com's security quick-reference card (2 sides of an
8.5x11" sheet): http://www.linuxsecurity.com/docs/QuickRefCard.pdf.
Particularly note the 'Disable Unnecessary Services,' SSH installation and
'TCP Wrappers' sections.  Unless you know you have a specific need for a
service, shut it off.  For a webserver, you really only need SSH (to log into
the machine) and http (for the webserver itself).  That means you can shut
inetd/xinetd off completely, along with everything it might be trying to
expose (Apache and OpenSSH both run independently of inetd).  Then configure
your hosts_access files (man hosts_access; the manpage is pretty good) to deny
all but connects to SSH ("ALL:ALL" in /etc/hosts.deny, "sshd : ALL" in
/etc/hosts.allow).

> From checking out the advisories on the RH and Debian sites, it 
> looks like part of the package should be something to automatically 
> check for security updates.

Automatically updating a production machine isn't usually a good idea, simply
in case things break at 4am.  However, doing an attended auto-update
frequently is a good idea.  Subscribe to your distribution's security-announce
mailing list, and read everything they send.  If you're running a package on
which they issue an update, be prompt about upgrading -- or better, uninstall
the package unless you know you need it.  These lists are low-traffic, easy to
keep up with, and include the exact commands you need to update your system.

Outside of the security realm, you might do the general tuning of Apache to
suit your hardware and network connection -- set MaxSpareServers to a number
suiting the amount of RAM you have, and adjust MaxClients to fit your RAM, CPU
and network connection.  That's not generally all that big a deal, since
Apache is largely self-tuning, but those three give it the general guidelines.

-- 
Devin  \ aqua(at)devin.com, 1024D/E9ABFCD2;  http://www.devin.com
Carraway \ IRC: Requiem  GCS/CC/L s-:--- !a !tv C++++$ ULB+++$ O+@ P L+++
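The hosts.allow / hosts.deny pairing recommended in the reply is easy to get backwards, so here is an added example (not from the original post) that models the hosts_access(5) decision order: the allow file is consulted first, then the deny file, and a connection that matches neither is permitted. The file contents and the client address are constructed samples; the matcher only understands the ALL wildcard and exact daemon/client names, not netmasks, domain suffixes or EXCEPT clauses. Note that this only affects daemons built with or run through TCP wrappers, which is why Apache is untouched by the "ALL:ALL" deny rule.

```python
"""Model the hosts_access(5) lookup: hosts.allow, then hosts.deny, else allow."""

# Constructed sample file contents mirroring the advice in the post.
HOSTS_ALLOW = "sshd : ALL\n"
HOSTS_DENY = "ALL : ALL\n"


def parse_rules(text):
    """Parse 'daemon_list : client_list' lines; comments and blanks are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) < 2:
            continue  # malformed line: tcpd would log and ignore it
        daemons = parts[0].replace(",", " ").split()
        clients = parts[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def _matches(pattern, value):
    """Simplified matcher: ALL matches anything, otherwise exact string match."""
    return pattern == "ALL" or pattern == value


def _rule_hits(rules, daemon, client):
    return any(
        any(_matches(d, daemon) for d in daemons)
        and any(_matches(c, client) for c in clients)
        for daemons, clients in rules
    )


def access_granted(daemon, client, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return True if hosts_access would admit `client` to `daemon`."""
    if _rule_hits(parse_rules(allow_text), daemon, client):
        return True   # matched in hosts.allow: admitted, deny file not consulted
    if _rule_hits(parse_rules(deny_text), daemon, client):
        return False  # matched in hosts.deny: refused
    return True       # no match in either file: the library's default is to allow


if __name__ == "__main__":
    for svc in ("sshd", "in.telnetd", "in.ftpd"):
        verdict = "allow" if access_granted(svc, "203.0.113.5") else "deny"
        print(f"{svc:<12} from 203.0.113.5 -> {verdict}")
```

Running it shows sshd admitted and every other wrapped daemon refused; emptying both files shows the permissive default that makes the "ALL:ALL" deny line necessary.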