Linux Server Config Advice Wanted
So I recently decided to drop the safety net of the GUI and switch my Ubuntu server at school from Ubuntu Desktop to Ubuntu Server 11.04. I have two extra HDDs in the machine; the first for webserver content (Apache's www folder, MySQL databases, et cetera), the second as storage space. I had them all set up in fstab mounting to /media/Web and /media/storage, respectively. The storage drive was also supposed to be shared via Samba, but I could never get it to play nice with Windows.
Now that I'm starting anew, I'd like you guys' advice on its configuration. Should I keep the drives mounted in media or should I mount them elsewhere? Our resident Linux admin suggested /opt/.
Comments
It sounds to me like your /media/Web is actually /var/. I would back up your /media/Web drive. Then, during the installation process of Ubuntu Server, mount /var/ to that drive. Then you can put your www folder in /var/www/, and your MySQL databases in /var/data/mysql or wherever they usually go. I'm not sure what's on your storage, but if it's music and shit, you might just want to put it in /home/you/Music. Or you could even mount it to /home/you or even /home/.
Something I've found with the Ubuntu server version is that the firewalls aren't really set up, and most people don't know how to use console for iptables. I always lock down my internet systems really tightly.
If you'd like, I can grab an example iptables file and show how to load it up on boot. If you have an internet facing server, firewalls are mucho importante. The Chinese and Eastern Bloc have hit every server I've ever had up. They just brute force IP addies and do scans. I like to check my logs and find the location of IP addresses that hit my systems in suspicious ways.
Also, I disable the repositories except for all security repos and the basic one (whose name I forgot). I will only install something from the universe repo after doing research. Forcing myself to enable universe repo to grab a package basically ensures I don't get lazy about checking up on the packages before installing them.
Let's say you have a standard LAMP server with SSH.
SSH runs on port 22 by default. Plenty of bots will be trying to brute force it with passwords. You could move SSH to a different port, like 2022. Then all their requests to 22 will time out and your security log will be much less noisy. But let's say you leave it on 22. You should not have password auth enabled in the first place. Even if you did, your password should be awesome enough that a bot won't be guessing it. If your SSH is set up properly, a firewall or changing ports on it won't make any difference. Now, you might want to add some host-based authentication on there. For example, people can only SSH into the server with the right key AND if they are currently at my house or at my office. That's not a bad use of a firewall, but overkill for anything that's not a business. Just make sure your business has a VPN so you can still access the server when you are on vacation.
Apache runs on port 80. You're going to leave it open to the world, that's the point. If you get DDoS'd there's not much you can do. If you get DOS'd from one IP, you can block it in Apache, but iptables can do it also. Doesn't matter which you choose.
MySQL should be running on a local socket because this is a single server configuration. People won't be able to access it over the network anyway. Firewalling the port makes no difference.
Anything else you are running, such as memcached, should be bound to localhost, so none of them will accept traffic over any network interface besides the loopback. Whether you firewall 11211 or not with iptables will make no difference. It doesn't hurt to block all those ports you aren't using, but it's not something you have to worry about.
The main thing to use a firewall for is when you have multiple machines together. For example if you have MySQL on a separate machine you want port 3306 to be locked off for the entire world except for the web servers that are going to be querying that database.
Of course, all this assumes that you have each individual service configured properly. If you don't know how to make sure your MySQL is bound to localhost only, then blocking the port in iptables can't hurt as another level to prevent a configuration file mistake. But if you're not smart enough to configure your MySQL properly, you aren't going to be able to configure the iptables properly either.
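A way to check the "bound to localhost" assumption discussed above, as an added example that is not part of any post in this thread: the function reads `ss -tln` output and lists every TCP listener that is reachable from the network but not on the list of ports meant to be public. The sample output is constructed, and `exposed_listeners` and `sample_ss_output` are hypothetical names.

```shell
#!/bin/sh
# Added example: flag TCP listeners that are not loopback-only and not
# on the list of ports that are supposed to face the network.

# Constructed sample of `ss -tln` output: MySQL and memcached are
# misconfigured to listen on every interface.
sample_ss_output() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       511     *:80                 *:*
LISTEN  0       80      0.0.0.0:3306         0.0.0.0:*
LISTEN  0       4096    127.0.0.53%lo:53     0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       1024    [::]:11211           [::]:*
LISTEN  0       5       [::1]:631            [::]:*
EOF
}

# $1: space-separated ports that are meant to be public.
# stdin: `ss -tln` output. Prints "port address" per unexpected listener.
exposed_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 != "LISTEN" { next }              # skips the header line too
        {
            addr = $4
            port = addr
            sub(/.*:/, "", port)             # text after the last colon
            sub(/:[^:]*$/, "", addr)         # text before the last colon
            sub(/%.*$/, "", addr)            # drop an interface suffix (%lo)
            sub(/^\[/, "", addr)             # drop IPv6 brackets
            sub(/\]$/, "", addr)
            if (addr ~ /^127\./ || addr == "::1") next   # loopback only
            if (port in ok) next                         # intended to be public
            print port, addr
        }'
}

# Demo on the constructed sample; on a live host use:
#   ss -tln | exposed_listeners "22 80 443"
sample_ss_output | exposed_listeners "22 80 443"
```

Each line it prints is a service to rebind to 127.0.0.1 (or a local socket) in its own configuration file; an empty result means only the intended ports are reachable.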
-A INPUT -p tcp --dport 80 -m limit --limit 100/minute -j ACCEPT
I also added this same kind of limitation to my SSH port, to reduce brute force attempts from non-coordinated, single points of origin. Actually, I don't trust code I didn't write. Firewalls prevent poorly written code, or maliciously written code, from being too easily accessible. My firewalls tend to be two way. Things come in only as I allow them, and I also write the same going out. If someone manages to install some script that goes out from my server to tell the world where to go, it's going to have to pick the right way to do it.
-A INPUT -p tcp --dport 443 -m limit --limit 100/minute -j ACCEPT
I find it odd that you'd argue so feverishly against firewalls. Again, they don't cost much time to configure and set up, but they gain in security. You can diminish that gain all you'd like, but it is still non-zero positive.
I also like the ability to have a firewall DROP packets. If you don't set up the firewall to default drop, then it will send back a response saying denied. This is a mild deterrent, but it creates a difficulty in determining whether there was a packet transmission mistake or whether the remote end simply isn't responding to that port. I find it amusing to grief in this way.
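The firewall ideas from this thread (default DROP, rules in both directions, the `--limit 100/minute` rule on the web ports, a limit on SSH) put together as one ruleset for `iptables-restore`, as an added example that is not any poster's actual file. `build_ruleset` is a hypothetical name, and the 6/minute SSH rate and the outbound allowances (DNS, HTTP/HTTPS) are assumptions.

```shell
#!/bin/sh
# Added example: emit a two-way, default-drop ruleset in the format
# iptables-restore reads. $1: SSH port, $2: space-separated public ports.
build_ruleset() {
    ssh_port=$1
    public_ports=$2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -m hashlimit --hashlimit-name ssh --hashlimit-mode srcip --hashlimit-above 6/minute -j DROP
-A INPUT -p tcp --dport $ssh_port -j ACCEPT
EOF
    # The thread's rule. "limit" counts all sources together and only
    # throttles because the INPUT policy is DROP: packets over the rate
    # fall through this ACCEPT and hit the policy. The SSH rule above
    # uses hashlimit instead so each source address is counted alone.
    for p in $public_ports; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m limit --limit 100/minute -j ACCEPT"
    done
    # Outbound allowances are assumptions: replies to accepted
    # connections, DNS lookups, and HTTP/HTTPS for package updates.
    cat <<EOF
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
COMMIT
EOF
}

# Print the ruleset for a LAMP box with SSH on 22.
build_ruleset 22 "80 443"
```

Save the output to a file and run `iptables-restore --test < file` as root to validate it without applying; on Ubuntu the file can be loaded at boot with a `pre-up iptables-restore < file` line in /etc/network/interfaces.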
Otherwise I don't know. The Apache site itself is good for reference, but blindingly confusing if you don't know what you're looking for going into it.
Also, the firewall does use a very tiny amount of CPU that you will not use if you don't use it. There is an insignificantly small performance gain from not using a software firewall on an application server.
Ok people, seriously. Not picking on you specifically, but all the people who bring their tech questions here. Use Google to get your tutorials and howtos. Then actually do the thing. Then use Stack Overflow and its related sites for your specific questions. FRC Forum != tech help forum just because there are tech people here. You are all being your parents who ask you to fix the computer when you visit home. Don't be that.
One piece of advice for anyone. Do not try to set up public servers that do anything real, important, or have any important information on them, unless you are an expert. There are so many different factors you have to worry about to get everything just right, you will get owned if you aren't an expert. You even see all those so-called experts getting owned by lulzsec and shit? Even experts don't dot all the i's and cross all the t's. You will fuck it up, I guarantee it. If you need it done, get a professional to do it for you.