Hello
I've got an unmanaged VPS running CentOS 6
I'd like to install 2 websites and secure the whole VPS
I've tried tutorials from the HowtoForge website but things keep
screwing up all the time.
Please, if anyone can help or give a good working tutorial, that would
be awesome.
Thanks a lot
WI,


  • Wuxi Ixuw at Feb 23, 2012 at 5:25 am
    Am I asking stupid questions to get no answers?
    On 23/02/2012 09:42 AM, Wuxi Ixuw wrote:
    Hello
    I've got an un managed VPS running CentOS6
    I'd like to install 2 websites and secure the whole VPS
    I've tried tutorials from the how to forge website but things keep
    screwing all the time.
    Please if any one can help or give a good working tutorials that would
    be awesome.
    Thanks a lot
    WI,
  • Rudi Ahlers at Feb 23, 2012 at 5:37 am

    On Thu, Feb 23, 2012 at 12:25 PM, Wuxi Ixuw wrote:
    Am I asking stupid questions to get no answers?
    On 23/02/2012 09:42 AM, Wuxi Ixuw wrote:
    Hello
    I've got an un managed VPS running CentOS6
    I'd like to install 2 websites and secure the whole VPS
    I've tried tutorials from the how to forge website but things keep
    screwing all the time.
    Please if any one can help or give a good working tutorials that would
    be awesome.
    Thanks a lot
    WI,

    It would help if you're a LOT more specific as to what you've tried
    and what doesn't work.
    --
    Kind Regards
    Rudi Ahlers
    SoftDux

    Website: http://www.SoftDux.com
    Technical Blog: http://Blog.SoftDux.com
    Office: 087 805 9573
    Cell: 082 554 7532
    Fax: 086 268 8492
  • Wuxi Ixuw at Feb 23, 2012 at 8:18 am
    Actually I am looking for a tutorial or a guide to follow as I am really
    newbie to this world.
    On 23/02/2012 12:37 PM, Rudi Ahlers wrote:
    On Thu, Feb 23, 2012 at 12:25 PM, Wuxi Ixuw wrote:
    Am I asking stupid questions to get no answers?
    On 23/02/2012 09:42 AM, Wuxi Ixuw wrote:
    Hello
    I've got an un managed VPS running CentOS6
    I'd like to install 2 websites and secure the whole VPS
    I've tried tutorials from the how to forge website but things keep
    screwing all the time.
    Please if any one can help or give a good working tutorials that would
    be awesome.
    Thanks a lot
    WI,
    It would help if you're a LOT more specific as to what you've tried
    and what doesn't work.
  • Marc Deop at Feb 23, 2012 at 7:25 am

    On Thursday 23 February 2012 12:25:12 Wuxi Ixuw wrote:
    Am I asking stupid questions to get no answers?
    They're not stupid, just way too general.

    We could answer something like "apache gives me this error: blablabla"

    Regards
  • Wuxi Ixuw at Feb 23, 2012 at 8:19 am
    I am afraid of getting hacked and do not know what I should do to set up
    the whole VPS the right way.
    On 23/02/2012 02:25 PM, Marc Deop wrote:
    On Thursday 23 February 2012 12:25:12 Wuxi Ixuw wrote:
    Am I asking stupid questions to get no answers?
    They're not stupid, just way too general.

    We could answer something like "apache gives me this error: blablabla"

    Regards
  • John R Pierce at Feb 23, 2012 at 11:43 am

    On 02/23/12 5:19 AM, Wuxi Ixuw wrote:
    I am afraid if I get hacked and do not know what should i do to setup
    the whole vps the right way.
    there is no single 'right way'. security requires a thorough
    understanding of all aspects of the system, this is not something that
    can be dealt with by a 'how to' walkthrough. hire a systems
    administrator with a background in security.



    --
    john r pierce N 37, W 122
    santa cruz ca mid-left coast
  • Mark Roth at Feb 23, 2012 at 11:49 am

    John R Pierce wrote:
    On 02/23/12 5:19 AM, Wuxi Ixuw wrote:
    I am afraid if I get hacked and do not know what should i do to setup
    the whole vps the right way.
    there is no single 'right way'. security requires a thorough
    understanding of all aspects of the system, this is not something that
    can be dealt with by a 'how to' walkthrough. hire a systems
    administrator with a background in security.
    Or, since it's a VPS, call your ISP's support line and ask them.

    mark
  • Wuxi Ixuw at Feb 23, 2012 at 2:06 pm
    I did and they asked for a 150 usd per hour ... and I do not have that
    money and each time I am asking for a thing I will need to pay again and
    counting.
    On 23/02/2012 06:49 PM, m.roth at 5-cent.us wrote:
    John R Pierce wrote:
    On 02/23/12 5:19 AM, Wuxi Ixuw wrote:
    I am afraid if I get hacked and do not know what should i do to setup
    the whole vps the right way.
    there is no single 'right way'. security requires a thorough
    understanding of all aspects of the system, this is not something that
    can be dealt with by a 'how to' walkthrough. hire a systems
    administrator with a background in security.
    Or, since it's a VPS, call your ISP's support line and ask them.

    mark

    _______________________________________________
    CentOS mailing list
    CentOS at centos.org
    http://lists.centos.org/mailman/listinfo/centos
  • Craig Thompson at Feb 24, 2012 at 5:09 pm
    A good start would be to download and install ConfigServer Security and Firewall.

    http://configserver.com/cp/csf.html

    That will help you on the security side.

    But if you're completely new to the game, you should consider hosting your sites on a shared host somewhere and use the VPS as a learning tool -- unless the sites are not production and you don't care what happens to them occasionally.
    On Feb 23, 2012, at 2:06 PM, Wuxi Ixuw wrote:

    I did and they asked for a 150 usd per hour ... and I do not have that
    money and each time I am asking for a thing I will need to pay again and
    counting.
    On 23/02/2012 06:49 PM, m.roth at 5-cent.us wrote:
    John R Pierce wrote:
    On 02/23/12 5:19 AM, Wuxi Ixuw wrote:
    I am afraid if I get hacked and do not know what should i do to setup
    the whole vps the right way.
    there is no single 'right way'. security requires a thorough
    understanding of all aspects of the system, this is not something that
    can be dealt with by a 'how to' walkthrough. hire a systems
    administrator with a background in security.
    Or, since it's a VPS, call your ISP's support line and ask them.

    mark

  • Mikael Fridh at Feb 25, 2012 at 12:54 am
  • Les Mikesell at Feb 23, 2012 at 12:01 pm

    On Thu, Feb 23, 2012 at 7:19 AM, Wuxi Ixuw wrote:
    I am afraid if I get hacked and do not know what should i do to setup
    the whole vps the right way.
    There are many large books on the subject. If you don't want to spend
    your life staying ahead of the game:
    Use popular software
    Don't change defaults you don't understand
    Keep it up to date
    Use good passwords

    --
    Les Mikesell
    lesmikesell at gmail.com
  • Wuxi Ixuw at Feb 23, 2012 at 2:05 pm
    Please suggest one, as I keep googling and all the results bring up books
    dealing with Linux as a real server and not a VPS.
    On 23/02/2012 07:01 PM, Les Mikesell wrote:
    On Thu, Feb 23, 2012 at 7:19 AM, Wuxi Ixuw wrote:
    I am afraid if I get hacked and do not know what should i do to setup
    the whole vps the right way.
    There are many large books on the subject. If you don't want to spend
    your life staying ahead of the game:
    Use popular software
    Don't change defaults you don't understand
    Keep it up to date
    Use good passwords
  • Les Mikesell at Feb 23, 2012 at 2:21 pm

    On Thu, Feb 23, 2012 at 1:05 PM, Wuxi Ixuw wrote:
    Please suggest one, as I keep googling and all the results bring up books
    dealing with Linux as a real server and not a VPS.
    The difference is only in how much the hosting system forces you to
    use certain images and versions, which will likely vary with the
    vendor. Books on security are always out of date anyway. The system
    security business is very specialized - plan on spending a lot of
    either time or money if you are going to do anything out of the
    ordinary. But, unless you have something unique and valuable to
    attack, you mostly have to worry about known exploits on the platform
    you use, and the main thing you can do about it is to keep your
    software updated so you get the fixes as soon as they are available.

    --
    Les Mikesell
    lesmikesell at gmail.com
  • Wuxi Ixuw at Feb 23, 2012 at 3:16 pm
    I will use Drupal core and mostly no modules.
    On 23/02/2012 09:21 PM, Les Mikesell wrote:
    On Thu, Feb 23, 2012 at 1:05 PM, Wuxi Ixuw wrote:
    Please suggest one, as I keep googling and all the results bring up books
    dealing with Linux as a real server and not a VPS.
    The difference is only in how much the hosting system forces you to
    use certain images and versions, which will likely vary with the
    vendor. Books on security are always out of date anyway. The system
    security business is very specialized - plan on spending a lot of
    either time or money if you are going to do anything out of the
    ordinary. But, unless you have something unique and valuable to
    attack, you mostly have to worry about known exploits on the platform
    you use, and the main thing you can do about it is to keep your
    software updated so you get the fixes as soon as they are available.
  • John R Pierce at Feb 23, 2012 at 3:26 pm

    On 02/23/12 12:16 PM, Wuxi Ixuw wrote:
    I will use Drupal core and mostly no modules.
    Drupal has had its share of exploits, too.
    http://www.cvedetails.com/vulnerability-list/vendor_id-1367/product_id-2387/Drupal-Drupal.html


    --
    john r pierce N 37, W 122
    santa cruz ca mid-left coast
  • Wuxi Ixuw at Feb 23, 2012 at 3:50 pm
    What shall I use then?
    I googled a lot for what I should use and found that Drupal is so
    far the best CMS compared to Joomla or WordPress.
    On 23/02/2012 10:26 PM, John R Pierce wrote:
    On 02/23/12 12:16 PM, Wuxi Ixuw wrote:
    I will use Drupal core and mostly no modules.
    Drupal has had its share of exploits, too.
    http://www.cvedetails.com/vulnerability-list/vendor_id-1367/product_id-2387/Drupal-Drupal.html
  • Mark Roth at Feb 23, 2012 at 3:56 pm

    Wuxi Ixuw wrote:
    On 23/02/2012 10:26 PM, John R Pierce wrote:
    On 02/23/12 12:16 PM, Wuxi Ixuw wrote:
    I will use Drupal core and mostly no modules.
    Drupal has had its share of exploits, too.
    http://www.cvedetails.com/vulnerability-list/vendor_id-1367/product_id-2387/Drupal-Drupal.html
    What shall I use then?
    I googled a lot for what I should use and found that Drupal is so
    far the best CMS compared to Joomla or WordPress.
    You need to get your head around the idea that *NOTHING* is ultimately
    safe. To paraphrase the stupid phrase, "vigilance is the price of liberty
    (of your system from the bad guys)"

    mark
  • Wuxi Ixuw at Feb 23, 2012 at 3:58 pm
    Ok,
    I've made up my mind to dive in and learn ... so to learn the right way,
    like what professionals do ... what shall I do?
    On 23/02/2012 10:56 PM, m.roth at 5-cent.us wrote:
    Wuxi Ixuw wrote:
    On 23/02/2012 10:26 PM, John R Pierce wrote:
    On 02/23/12 12:16 PM, Wuxi Ixuw wrote:
    I will use Drupal core and mostly no modules.
    Drupal has had its share of exploits, too.
    http://www.cvedetails.com/vulnerability-list/vendor_id-1367/product_id-2387/Drupal-Drupal.html
    What shall I use then?
    I googled a lot for what I should use and found that Drupal is so
    far the best CMS compared to Joomla or WordPress.
    You need to get your head around the idea that *NOTHING* is ultimately
    safe. To paraphrase the stupid phrase, "vigilance is the price of liberty
    (of your system from the bad guys)"

    mark

  • Lamar Owen at Feb 23, 2012 at 5:30 pm

    On Thursday, February 23, 2012 03:58:10 PM Wuxi Ixuw wrote:
    Ok,
    I've made up my mind to dive and learn ... so to learn the right way
    like what professional do ... what shall I do?
    First, try not to top post.

    Second, download the CentOS 6.2 installation media and install it on your own hardware, reading through the excellent upstream documentation (linked from the www.centos.org website). Read through the CentOS wiki HOWTOs and such. And play around with your system, feeling free to reinstall it (or re-clone it, for a VM) at any time. Live with it to learn it, really.

    HowtoForge has some nice articles on setting up servers to do various things; read through a few that use CentOS 6 as the base, and attempt to implement on your testing CentOS server. Then attempt on your VPS.

    Expect to spend quite a bit of time on the process; Rome wasn't built in a day, and neither is admin experience.
  • Wuxi Ixuw at Feb 23, 2012 at 5:35 pm
    Ok, I've found many versions from it, one for 700 MB and others for a
    DVD, which one I should get?
    On 24/02/2012 12:30 AM, Lamar Owen wrote:
    On Thursday, February 23, 2012 03:58:10 PM Wuxi Ixuw wrote:
    Ok,
    I've made up my mind to dive and learn ... so to learn the right way
    like what professional do ... what shall I do?
    First, try not to top post.

    Second, download the CentOS 6.2 installation media and install it on your own hardware, reading through the excellent upstream documentation (linked from the www.centos.org website). Read through the CentOS wiki HOWTOs and such. And play around with your system, feeling free to reinstall it (or re-clone it, for a VM) at any time. Live with it to learn it, really.

    HowtoForge has some nice articles on setting up servers to do various things; read through a few that use CentOS 6 as the base, and attempt to implement on your testing CentOS server. Then attempt on your VPS.

    Expect to spend quite a bit of time on the process; Rome wasn't built in a day, and neither is admin experience.
  • Lamar Owen at Feb 23, 2012 at 6:22 pm

    On Thursday, February 23, 2012 05:35:32 PM Wuxi Ixuw wrote:
    Ok, I've found many versions from it, one for 700 MB and others for a
    DVD, which one I should get?
    While I specifically stated the installation media, you should get both the DVD1 and DVD2; specifically, assuming a 32-bit system (you mentioned trying on a Pentium 4 or Pentium D, so 64-bit may not be an option, and isn't really necessary for a 'lab' machine anyway; you do need as much memory as you can cram in that old Optiplex, with an absolute minimum of 1GB (and it's going to top out less than 4GB anyway....)), you need to download, from a mirror:
    CentOS-6.2-i386-bin-DVD1.iso
    CentOS-6.2-i386-bin-DVD2.iso

    While DVD2 is somewhat optional, it won't hurt to have it on hand just in case.

    The LiveDVD and LiveCD options boot up to a usable desktop, and you can install from them, but if you're wanting the *server* install experience you need the others, not the LiveDVD or LiveCD.

    Now, go give it a whirl, make sure you read the documentation on installation on the CentOS.org website, and come back in a few days when you've played with that installation a while.
  • Wuxi Ixuw at Feb 23, 2012 at 6:25 pm
    Is it advised to install on a virtual machine like vmware or a real
    computer?
    On 24/02/2012 01:22 AM, Lamar Owen wrote:
    On Thursday, February 23, 2012 05:35:32 PM Wuxi Ixuw wrote:
    Ok, I've found many versions from it, one for 700 MB and others for a
    DVD, which one I should get?
    While I specifically stated the installation media, you should get both the DVD1 and DVD2; specifically, assuming a 32-bit system (you mentioned trying on a Pentium 4 or Pentium D, so 64-bit may not be an option, and isn't really necessary for a 'lab' machine anyway; you do need as much memory as you can cram in that old Optiplex, with an absolute minimum of 1GB (and it's going to top out less than 4GB anyway....)), you need to download, from a mirror:
    CentOS-6.2-i386-bin-DVD1.iso
    CentOS-6.2-i386-bin-DVD2.iso

    While DVD2 is somewhat optional, it won't hurt to have it on hand just in case.

    The LiveDVD and LiveCD options boot up to a usable desktop, and you can install from them, but if you're wanting the *server* install experience you need the others, not the LiveDVD or LiveCD.

    Now, go give it a whirl, make sure you read the documentation on installation on the CentOS.org website, and come back in a few days when you've played with that installation a while.
  • Rob Kampen at Feb 23, 2012 at 7:25 pm

    On 02/24/2012 12:25 PM, Wuxi Ixuw wrote:
    Is it advised to install on a virtual machine like vmware or a real
    computer?
    If you are going to use CentOS 6 - as a VM host it must be installed on
    a 64 bit architecture!
    On 24/02/2012 01:22 AM, Lamar Owen wrote:
    On Thursday, February 23, 2012 05:35:32 PM Wuxi Ixuw wrote:
    Ok, I've found many versions from it, one for 700 MB and others for a
    DVD, which one I should get?
    While I specifically stated the installation media, you should get both the DVD1 and DVD2; specifically, assuming a 32-bit system (you mentioned trying on a Pentium 4 or Pentium D, so 64-bit may not be an option, and isn't really necessary for a 'lab' machine anyway; you do need as much memory as you can cram in that old Optiplex, with an absolute minimum of 1GB (and it's going to top out less than 4GB anyway....)), you need to download, from a mirror:
    CentOS-6.2-i386-bin-DVD1.iso
    CentOS-6.2-i386-bin-DVD2.iso

    While DVD2 is somewhat optional, it won't hurt to have it on hand just in case.

    The LiveDVD and LiveCD options boot up to a usable desktop, and you can install from them, but if you're wanting the *server* install experience you need the others, not the LiveDVD or LiveCD.

    Now, go give it a whirl, make sure you read the documentation on installation on the CentOS.org website, and come back in a few days when you've played with that installation a while.
  • Wuxi Ixuw at Feb 23, 2012 at 7:28 pm
    But I will install CentOS 6 32-bit on the VPS later on.
    On 24/02/2012 02:25 AM, Rob Kampen wrote:
    On 02/24/2012 12:25 PM, Wuxi Ixuw wrote:
    Is it advised to install on a virtual machine like vmware or a real
    computer?
    If you are going to use CentOS 6 - as a VM host it must be installed on
    a 64 bit architecture!
    On 24/02/2012 01:22 AM, Lamar Owen wrote:
    On Thursday, February 23, 2012 05:35:32 PM Wuxi Ixuw wrote:
    Ok, I've found many versions from it, one for 700 MB and others for a
    DVD, which one I should get?
    While I specifically stated the installation media, you should get both the DVD1 and DVD2; specifically, assuming a 32-bit system (you mentioned trying on a Pentium 4 or Pentium D, so 64-bit may not be an option, and isn't really necessary for a 'lab' machine anyway; you do need as much memory as you can cram in that old Optiplex, with an absolute minimum of 1GB (and it's going to top out less than 4GB anyway....)), you need to download, from a mirror:
    CentOS-6.2-i386-bin-DVD1.iso
    CentOS-6.2-i386-bin-DVD2.iso

    While DVD2 is somewhat optional, it won't hurt to have it on hand just in case.

    The LiveDVD and LiveCD options boot up to a usable desktop, and you can install from them, but if you're wanting the *server* install experience you need the others, not the LiveDVD or LiveCD.

    Now, go give it a whirl, make sure you read the documentation on installation on the CentOS.org website, and come back in a few days when you've played with that installation a while.
  • Lamar Owen at Feb 24, 2012 at 11:58 am

    On Thursday, February 23, 2012 07:25:09 PM Rob Kampen wrote:
    On 02/24/2012 12:25 PM, Wuxi Ixuw wrote:
    Is it advised to install on a virtual machine like vmware or a real
    computer?
    If you are going to use CentOS 6 - as a VM host it must be installed on
    a 64 bit architecture!
    I think he was asking more about a guest install rather than a host.

    I'd echo the comment Les made and recommend to the OP to 'try both.' Virtual installs and physical installs are a tad different, but virtual has some distinct advantages, especially in terms of quick cloning, snapshotting with rollback capabilities for testing, etc. But virtualization brings with it another layer; and I would go as far as saying that, once you've gotten some experience, and if you have 64-bit hardware at your disposal, that you might want to attempt duplicating your hosted VPS environment completely, on your own 'host' as then you can test with the exact configuration you're using in production. That would mean the same VPS packages, the same 'guest' install options, and the same host OS packages.

    But before throwing so many new layers in the mix, I'd recommend to the OP to get familiar with it one layer at a time; too many layers at once can be very confusing if you don't know enough to separate the effects of each layer.
  • Les Mikesell at Feb 23, 2012 at 7:33 pm

    On Thu, Feb 23, 2012 at 5:25 PM, Wuxi Ixuw wrote:
    Is it advised to install on a virtual machine like vmware or a real
    computer?
    Both. It is quick and easy to test a lot of different variations of
    things and emulate network connections under vmware, and relatively
    cheap to hold a bunch of images on a big disk or two. It will make
    learning a lot quicker. But, real hardware has its own quirks.

    --
    Les Mikesell
    lesmikesell at gmail.com
  • John R Pierce at Feb 23, 2012 at 2:41 pm

    On 02/23/12 11:05 AM, Wuxi Ixuw wrote:
    Please suggest one, as I keep googling and all the results bring up books
    dealing with Linux as a real server and not a VPS.
    you could do worse than starting here...
    http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/

    VPS and real hardware work exactly the same once the software is installed.

    my base level suggestions:

    * start with a *minimal* install of the latest release (currently 6.2)
    * create your user account, give both user and root account different
    secure passwords
    * secure the SSH server (no root, key instead of password
    authentication, only allow ssh from your home/office networks or a
    few secure 'bastion' hosts, etc)
    * yum update right after install and reboot
    * install *just* the services you need, only from trustworthy yum
    repositories
    * secure the services you install as appropriate
    * document your configuration, including what packages you needed to
    install
    * script a secure backup of your configuration specific conf and data
    files to reliable offsite storage.
    * plan on regular yum updates, and staying up on security alerts, such
    as CERT


    by far the biggest threat to servers are things installed on top of
    them, like web applications... for instance the very popular WordPress
    has a long and checkered history of security exploits, ranging from
    annoying to root elevation...
    http://www.wordpressexploit.com/

    ANY user written web code has to be designed with security in mind, no
    matter how insignificant your little web server is, its valuable to the
    black hats as a proxy for their evil, and the worms and exploit scanners
    will find a wide range of poor design

    http://xkcd.com/327/



    --
    john r pierce N 37, W 122
    santa cruz ca mid-left coast
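
An added example, not part of the original post: a shell check of an `sshd_config` against the "no root, key instead of password" items in the list above. The sample files are constructed, and the defaults used for absent keywords are an assumption (the compiled-in values of the OpenSSH 5.x that CentOS 6 ships).

```shell
#!/bin/sh
# Audit the global section of an sshd_config for two of the suggestions
# above: no root login, and keys instead of passwords.

# effective_value FILE KEYWORD DEFAULT
# sshd uses the FIRST occurrence of a keyword, and keywords are
# case-insensitive. Parsing stops at the first Match block because
# settings after it apply only conditionally.
effective_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            # keyword and argument are separated by blanks or "="
            n = match(line, /[ \t=]+/)
            if (n == 0) next
            k = tolower(substr(line, 1, n - 1))
            v = substr(line, n + RLENGTH)
            sub(/[ \t]+$/, "", v)
            if (k == "match") exit
            if (k == key) { print v; found = 1; exit }
        }
        END { if (!found) print def }
    ' "$1"
}

# check_setting FILE KEYWORD DEFAULT WANTED
# Prints one PASS or FAIL line for the effective value of KEYWORD.
check_setting() {
    got=$(effective_value "$1" "$2" "$3")
    if [ "$got" = "$4" ]; then
        echo "PASS $2=$got"
    else
        echo "FAIL $2=$got want=$4"
    fi
}

# audit_sshd_config FILE
audit_sshd_config() {
    # Third argument is the assumed default when the keyword is absent.
    check_setting "$1" PermitRootLogin yes no
    check_setting "$1" PubkeyAuthentication yes yes
    check_setting "$1" PasswordAuthentication yes no
    # keyboard-interactive through PAM is a second way to log in with a
    # password, so it has to be off as well.
    check_setting "$1" ChallengeResponseAuthentication yes no
}

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed sample 1: root login left at its default, passwords on,
# and a "no" that only applies inside a Match block.
cat > "$SAMPLE_DIR/weak.conf" <<'EOF'
Port 22
#PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
Match Address 192.0.2.0/24
    PasswordAuthentication no
EOF

# Constructed sample 2: hardened; the later duplicate is ignored
# because the first value wins.
cat > "$SAMPLE_DIR/hardened.conf" <<'EOF'
permitrootlogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PasswordAuthentication yes
EOF

for name in weak hardened; do
    echo "== $name.conf"
    audit_sshd_config "$SAMPLE_DIR/$name.conf"
done
```

Confirm that key-based login works in a second session before reloading sshd with password authentication disabled.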
  • Mark Roth at Feb 23, 2012 at 2:52 pm

    John R Pierce wrote:
    On 02/23/12 11:05 AM, Wuxi Ixuw wrote:
    Please suggest one, as I keep googling and all the results bring up books
    dealing with Linux as a real server and not a VPS.
    you could do worse than starting here...
    http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/

    VPS and real hardware work exactly the same once the software is
    installed.

    my base level suggestions:

    * start with a *minimal* install of the latest release (currently 6.2)
    * create your user account, give both user and root account different
    secure passwords
    I was assuming his provider gave him a working system, not virtual bare
    metal.
    * secure the SSH server (no root, key instead of password
    authentication, only allow ssh from your home/office networks or a
    few secure 'bastion' hosts, etc)
    * yum update right after install and reboot
    Yup.
    * install *just* the services you need, only from trustworthy yum
    repositories
    YES! For about 10 years, I ran an old rh (NOT RHEL) system as a
    firewall/router for my home network. I ran Bastille Linux over it - which
    is *not* a distro, but a set of hardening scripts. Great stuff, and NIST
    recommendations these days refer to it, last time I looked.

    After running Bastille, *then* I got paranoid: I never installed X
    (security holes), or *any* compiler, or language I didn't absolutely need
    (no gcc, yes to perl). No nuttin'... and to the best of my knowledge,
    though I did see scans, I never had an intrusion, partly due to firewall
    rules of DROP, and partly because they had nothing to use to run their
    nasties.

    If it got installed, and you don't need it, don't only turn it off, yum
    remove. At work, and home, I certainly don't need either bluetooth or
    avahi running, on wired boxen.
    * secure the services you install as appropriate
    * document your configuration, including what packages you needed to
    install
    YES. You do *not* want to be trying to figure out what you'd done, a year
    from now, at 17:00 on a Friday, or 02:00 some morning.
    * script a secure backup of your configuration specific conf and data
    files to reliable offsite storage.
    Yup. Or have the full website, and all configuration files for the system,
    on your machine at home or work, so you can just upload the whole thing.
    * plan on regular yum updates, and staying up on security alerts, such
    as CERT
    <snip>
    RH, and this offshoot I know of, called CentOS, are pretty good at
    announcing security fixes in a timely manner.... (take a bow, Johnny).

    mark
  • Wuxi Ixuw at Feb 23, 2012 at 3:47 pm
    Actually I read many times that geek people used to use a Linux computer
    as a firewall for their network but never figured out how they do so.

    On 23/02/2012 09:52 PM, m.roth at 5-cent.us wrote:
    John R Pierce wrote:
    On 02/23/12 11:05 AM, Wuxi Ixuw wrote:
    Please suggest one, as I keep googling and all the results bring up books
    dealing with Linux as a real server and not a VPS.
    you could do worse than starting here...
    http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/

    VPS and real hardware work exactly the same once the software is
    installed.

    my base level suggestions:

    * start with a *minimal* install of the latest release (currently 6.2)
    * create your user account, give both user and root account different
    secure passwords
    I was assuming his provider gave him a working system, not virtual bare
    metal.
    * secure the SSH server (no root, key instead of password
    authentication, only allow ssh from your home/office networks or a
    few secure 'bastion' hosts, etc)
    * yum update right after install and reboot
    Yup.
    * install *just* the services you need, only from trustworthy yum
    repositories
    YES! For about 10 years, I ran an old rh (NOT RHEL) system as a
    firewall/router for my home network. I ran Bastille Linux over it - which
    is *not* a distro, but a set of hardening scripts. Great stuff, and NIST
    recommendations these days refer to it, last time I looked.

    After running Bastille, *then* I got paranoid: I never installed X
    (security holes), or *any* compiler, or language I didn't absolutely need
    (no gcc, yes to perl). No nuttin'... and to the best of my knowledge,
    though I did see scans, I never had an intrusion, partly due to firewall
    rules of DROP, and partly because they had nothing to use to run their
    nasties.

    If it got installed, and you don't need it, don't only turn it off, yum
    remove. At work, and home, I certainly don't need either bluetooth or
    avahi running, on wired boxen.
    * secure the services you install as appropriate
    * document your configuration, including what packages you needed to
    install
    YES. You do *not* want to be trying to figure out what you'd done, a year
    from now, at 17:00 on a Friday, or 02:00 some morning.
    * script a secure backup of your configuration specific conf and data
    files to reliable offsite storage.
    Yup. Or have the full website, and all configuration files for the system,
    on your machine at home or work, so you can just upload the whole thing.
    * plan on regular yum updates, and staying up on security alerts, such
    as CERT
    <snip>
    RH, and this offshoot I know of, called CentOS, are pretty good at
    announcing security fixes in a timely manner.... (take a bow, Johnny).

    mark

  • John R Pierce at Feb 23, 2012 at 3:58 pm

    On 02/23/12 12:47 PM, Wuxi Ixuw wrote:
    Actually I read many times that geek people used to use a Linux computer
    as a firewall for their network but never figured out how they do so.
    install linux on a computer with two ethernet cards. connect eth0 to
    your internet connection, and eth1 to your local network. configure
    iptables firewall rules in the linux system. or install pfsense on that
    same computer.



    --
    john r pierce N 37, W 122
    santa cruz ca mid-left coast
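
An added example, not part of the original post: a shell function that prints an `iptables-restore` ruleset for the two-card layout described above (eth0 to the internet, eth1 to the local network), with DROP as the default policy. It assumes the local network uses private addresses that need masquerading and that SSH administration happens only from the LAN side.

```shell
#!/bin/sh
# gateway_rules WAN_IF LAN_IF
# Prints a ruleset in iptables-restore format (the format CentOS 6
# keeps in /etc/sysconfig/iptables). Forwarding also needs
# net.ipv4.ip_forward = 1 in /etc/sysctl.conf.
gateway_rules() {
    wan=$1
    lan=$2
    # Accept only plain interface names, so a bad argument cannot
    # smuggle extra options into a rule.
    for ifname in "$wan" "$lan"; do
        case $ifname in
            ''|-*|*[!A-Za-z0-9._-]*)
                echo "bad interface name: $ifname" >&2
                return 2 ;;
        esac
    done
    if [ "$wan" = "$lan" ]; then
        echo "WAN and LAN interfaces must differ" >&2
        return 2
    fi
    cat <<EOF
*filter
# Default deny: anything not matched below is silently dropped.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Local traffic and replies to connections the firewall itself opened.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH to the firewall is reachable from the LAN side only.
-A INPUT -i $lan -p tcp --dport 22 -m state --state NEW -j ACCEPT
# LAN hosts may open connections outward; the internet side may only
# send replies to those connections back in.
-A FORWARD -i $lan -o $wan -j ACCEPT
-A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Rewrite LAN source addresses to the firewall's internet address.
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
EOF
}

# Interface names as given in the post above.
gateway_rules eth0 eth1
```

The output can be checked with `iptables-restore --test` as root before it is saved and loaded.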
  • Wuxi Ixuw at Feb 23, 2012 at 4:00 pm
    And do I need a recent computer for the linux one or an old one can do so?
    I mean something like Pentium 4 or Pentium D may fit?
    On 23/02/2012 10:58 PM, John R Pierce wrote:
    On 02/23/12 12:47 PM, Wuxi Ixuw wrote:
    Actually I read many times that geek people used to use a Linux computer
    as a firewall for their network but never figured out how they do so.
    install linux on a computer with two ethernet cards. connect eth0 to
    your internet connection, and eth1 to your local network. configure
    iptables firewall rules in the linux system. or install pfsense on that
    same computer.

  • Mark Roth at Feb 23, 2012 at 4:10 pm

    Wuxi Ixuw wrote:
    And do I need a recent computer for the linux one or an old one can do so?
    I mean something like Pentium 4 or Pentium D may fits?
    On 23/02/2012 10:58 PM, John R Pierce wrote:
    On 02/23/12 12:47 PM, Wuxi Ixuw wrote:
    Actually I read many times that geek people used to use a Linux
    computer
    as a firewall for their network but never figured out how they do so.
    install linux on a computer with two ethernet cards. connect eth0 to
    your internet connection, and eth1 to your local network. configure
    iptables firewall rules in the linux system. or install pfsense on that
    same computer.
    That's one of the beauties of Linux: unlike a competing "operating system"
    which shall remain nameless (but is headquartered in Redmond, WA), it'll
    run on pretty much *anything*. It will find more hardware errors...
    because it uses the entire system much more efficiently. But if the
    hardware's ok, it'll run for a *long* time. So, yes, anything you've got
    should work.

    mark
  • Wuxi Ixuw at Feb 23, 2012 at 4:12 pm
    what do you mean?
    On 23/02/2012 11:10 PM, m.roth at 5-cent.us wrote:
    It will find more hardware errors
  • Mark Roth at Feb 23, 2012 at 5:08 pm

    Wuxi Ixuw wrote:
    what do you mean?
    On 23/02/2012 11:10 PM, m.roth at 5-cent.us wrote:
    It will find more hardware errors
    Windows uses hardware sloppily, and not that well. Linux, like all
    versions of Unix, uses much more of the hardware's capabilities. Try
    running Linux on the same hardware as Windows: my fiancee's 14-yr-old son
    is dual booting his T-60 laptop, and *he* sees the difference in speed
    (Linux being that much faster).

    mark
  • Les Mikesell at Feb 23, 2012 at 5:17 pm

    On Thu, Feb 23, 2012 at 4:08 PM, wrote:
    Windows uses hardware sloppily, and not that well. Linux, like all
    versions of Unix, uses much more of the hardware's capabilities. Try
    running Linux on the same hardware as Windows: my fiancee's 14-yr-old son
    is dual booting his T-60 laptop, and *he* sees the difference in speed
    (Linux being that much faster).
    That doesn't really make any sense. Things that use directx on
    windows are typically slightly faster than openGL equivalents and
    everything else should work at hardware/wire speeds. A badly
    maintained windows box might be more likely to have disk fragmentation
    or malware, or it might have an intentionally-installed virus scanner
    wasting time.

    --
    Les Mikesell
    lesmikesell at gmail.com
  • Wuxi Ixuw at Feb 23, 2012 at 5:18 pm
    I will install it as the only operating system on this machine.

    On 24/02/2012 12:08 AM, m.roth at 5-cent.us wrote:
    Wuxi Ixuw wrote:
    what do you mean?
    On 23/02/2012 11:10 PM, m.roth at 5-cent.us wrote:
    It will find more hardware errors
    Windows uses hardware sloppily, and not that well. Linux, like all
    versions of Unix, uses much more of the hardware's capabilities. Try
    running Linux on the same hardware as Windows: my fiancee's 14-yr-old son
    is dual booting his T-60 laptop, and *he* sees the difference in speed
    (Linux being that much faster).

    mark

  • John R Pierce at Feb 23, 2012 at 4:19 pm

    On 02/23/12 1:00 PM, Wuxi Ixuw wrote:
    And do I need a recent computer for the linux one or an old one can do so?
    I mean something like Pentium 4 or Pentium D may fits?
    for a SOHO firewall, I would want to use something very reliable and low
    power, quiet. CPU isn't at all important, reliability is.

    If I was buying something, I'd probably get a little ITX box like alix
    http://www.pcengines.ch/alix2d2.htm
    or soekris
    http://soekris.com/products/net4501-1.html

    and run pfSense on it, using it strictly as a pure firewall not a
    general purpose computer.


    --
    john r pierce N 37, W 122
    santa cruz ca mid-left coast
  • Wuxi Ixuw at Feb 23, 2012 at 4:27 pm
    Here at local stores we have used branded computers like the Dell OptiPlex
    GX 620 ... so I mean something like this ... it is sold for 80 USD.

    On 23/02/2012 11:19 PM, John R Pierce wrote:
    On 02/23/12 1:00 PM, Wuxi Ixuw wrote:
    And do I need a recent computer for the linux one or an old one can do so?
    I mean something like Pentium 4 or Pentium D may fits?
    for a SOHO firewall, I would want to use something very reliable and low
    power, quiet. CPU isn't at all important, reliability is.

    If I was buying something, I'd probably get a little ITX box like alix
    http://www.pcengines.ch/alix2d2.htm
    or soekris
    http://soekris.com/products/net4501-1.html

    and run pfSense on it, using it strictly as a pure firewall not a
    general purpose computer.
  • Wuxi Ixuw at Feb 23, 2012 at 3:29 pm
    thanks a lot for these steps, I will follow them and hope to find all up
    and running.
    On 23/02/2012 09:41 PM, John R Pierce wrote:
    On 02/23/12 11:05 AM, Wuxi Ixuw wrote:
    Please suggest one, as I keep googling and all results bring up books
    dealing with linux as a real server and not a vps.
    you could do worse than starting here...
    http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/

    VPS and real hardware work exactly the same once the software is installed.

    my base level suggestions:

    * start with a *minimal* install of the latest release (currently 6.2)
    * create your user account, give both user and root account different
    secure passwords
    * secure the SSH server (no root, key instead of password
    authentication, only allow ssh from your home/office networks or a
    few secure 'bastion' hosts, etc)
    * yum update right after install and reboot
    * install *just* the services you need, only from trustworthy yum
    repositories
    * secure the services you install as appropriate
    * document your configuration, including what packages you needed to
    install
    * script a secure backup of your configuration specific conf and data
    files to reliable offsite storage.
    * plan on regular yum updates, and staying up on security alerts, such
    as CERT


    by far the biggest threat to servers are things installed on top of
    them, like web applications... for instance the very popular WordPress
    has a long and checkered history of security exploits, ranging from
    annoying to root elevation...
    http://www.wordpressexploit.com/

    ANY user written web code has to be designed with security in mind, no
    matter how insignificant your little web server is, it's valuable to the
    black hats as a proxy for their evil, and the worms and exploit scanners
    will find a wide range of poor design.

    http://xkcd.com/327/
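
The SSH items of the checklist quoted above (no root login, keys instead of passwords, logins only from known networks), turned into a check you can run against an sshd_config. This is an added example, not code from the thread; the sample config, account names and addresses are constructed, and using AllowUsers user@host for the source restriction is one assumed way to implement that item (a firewall rule is another).

```shell
# Audit the global section of an sshd_config. Assumes whitespace-separated
# "Keyword value" lines; everything from the first Match line on is skipped.

# Print every value given for a keyword, one per line (keywords are
# case-insensitive in sshd_config).
sshd_values() {  # $1 = config file, $2 = keyword
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0  { next }
        tolower($1) == "match" { exit }
        tolower($1) == want    { $1 = ""; sub(/^ +/, ""); print }
    ' "$1"
}

# For single-valued keywords sshd keeps the FIRST occurrence, so a later
# "PermitRootLogin no" does not undo an earlier "PermitRootLogin yes".
check_equals() {  # $1 = config file, $2 = keyword, $3 = required value
    val=$(sshd_values "$1" "$2" | head -n 1 | tr 'A-Z' 'a-z')
    if [ "$val" = "$3" ]; then
        echo "PASS $2 $3"
    else
        echo "FAIL $2 is '${val:-unset}', checklist wants '$3'"
        return 1
    fi
}

audit_sshd() {  # $1 = config file; exit status = number of FAIL lines
    fails=0
    check_equals "$1" PermitRootLogin no        || fails=$((fails + 1))
    check_equals "$1" PasswordAuthentication no || fails=$((fails + 1))
    # AllowUsers lines accumulate; each entry should pin a source as user@host.
    set -f    # entries may contain * patterns; keep the shell from globbing them
    allowed=$(sshd_values "$1" AllowUsers)
    [ -n "$allowed" ] || { echo "FAIL AllowUsers unset"; fails=$((fails + 1)); }
    for entry in $allowed; do
        case $entry in
            *@*) echo "PASS AllowUsers $entry" ;;
            *)   echo "FAIL AllowUsers $entry has no @host part"; fails=$((fails + 1)) ;;
        esac
    done
    set +f
    return "$fails"
}

# Constructed sample config; 203.0.113.0/24 is a documentation address range.
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
PermitRootLogin yes
permitrootlogin no
PasswordAuthentication yes
AllowUsers admin
AllowUsers deploy@203.0.113.*
EOF
audit_sshd "$cfg" || echo "$? finding(s)"
rm -f "$cfg"
```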

  • John R Pierce at Feb 23, 2012 at 4:49 pm

    On 02/23/12 12:54 PM, Wuxi Ixuw wrote:
    Really thanks a lot for your reply.
    Please is it possible if you have a little time to talk in messenger
    or use team viewer to connect to my computer?
    Thanks a lot :)
    I wouldn't do that sort of thing for less than US$1000/day. I'm way too
    busy to be doing your job too.

    (you can find much cheaper systems administrators, I'm an engineer).


    --
    john r pierce N 37, W 122
    santa cruz ca mid-left coast
  • Wuxi Ixuw at Feb 23, 2012 at 5:17 pm
    This is a fortune !
    Sure you deserve but it is beyond my ability.
    But thanks for offering :)
    On 23/02/2012 11:49 PM, John R Pierce wrote:
    On 02/23/12 12:54 PM, Wuxi Ixuw wrote:
    Really thanks a lot for your reply.
    Please is it possible if you have a little time to talk in messenger
    or use team viewer to connect to my computer?
    Thanks a lot :)
    I wouldn't do that sort of thing for less than US$1000/day. I'm way too
    busy to be doing your job too.

    (you can find much cheaper systems administrators, I'm an engineer).
  • Marc Deop at Feb 24, 2012 at 7:05 am

    On Friday 24 February 2012 00:17:15 Wuxi Ixuw wrote:
    This is a fortune !
    Sure you deserve but it is beyond my ability.
    But thanks for offering
    By the love of God, haven't you noticed that everybody is writing *below* your emails?

    Please, do not top-post (as you've been already told).

    Anyway... good luck with your webserver! :)

    Regards
  • Wuxi Ixuw at Feb 23, 2012 at 3:14 pm
    I'd like to learn indeed but feel like lost in a very big ocean.
    please if you may give any outline that would be awesome or even a title
    for a good book to start with.
    On 23/02/2012 09:15 PM, Reindl Harald wrote:
    and where is the difference between a real server and a VPS
    in the context of a webserver -> hint: there is none!

    you have two choices:

    * read many manuals and learn the needed things
    * to not use VPS at all and switch to a maintained hosting

    there is no easy way for " i have no technical knowledge but i
    want to have simple instructions for making a secure root-server"

    if you have not the knowledge, not the time to learn
    and not the money to let do people who can simply
    do not such things!

    Am 23.02.2012 20:05, schrieb Wuxi Ixuw:

    Please suggest one, as I keep googling and all results bring up books
    dealing with linux as a real server and not a vps.
    On 23/02/2012 07:01 PM, Les Mikesell wrote:

    On Thu, Feb 23, 2012 at 7:19 AM, Wuxi Ixuw wrote:
    I am afraid if I get hacked and do not know what should i do to setup
    the whole vps the right way.
    There are many large books on the subject. If you don't want to spend
    your life staying ahead of the game:
    Use popular software
    Don't change defaults you don't understand
    Keep it up to date
    Use good passwords
  • Wuxi Ixuw at Feb 23, 2012 at 2:08 pm
    I am not using cent os for my daily computing tasks at home or work but
    just for the vps hosting website.
    you mean to use web control panel back end or you mean another issue?
    On 23/02/2012 07:01 PM, Les Mikesell wrote:
    On Thu, Feb 23, 2012 at 7:19 AM, Wuxi Ixuw wrote:
    I am afraid if I get hacked and do not know what should i do to setup
    the whole vps the right way.
    There are many large books on the subject. If you don't want to spend
    your life staying ahead of the game:
    Use popular software
    Don't change defaults you don't understand
    Keep it up to date
    Use good passwords
  • Peter Peltonen at Feb 23, 2012 at 2:23 pm
    Hi,
    On Thu, Feb 23, 2012 at 9:08 PM, Wuxi Ixuw wrote:
    I am not using cent os for my daily computing tasks at home or work but
    just for the vps hosting website.
    If all you want to do is to host a single website then a VPS is an overkill.

    Just find a hosting service for a "webhotel": this way your ISP
    deals with the security of the server and you don't need to worry
    about any operating system level admin stuff.

    It should be a lot cheaper as well.

    Best,
    Peter
  • Wuxi Ixuw at Feb 23, 2012 at 3:18 pm
    Actually I used to be on a shared hosting and run out of resources many
    times.
    I am expecting about 20 k or may be more per day with 400-600 on the
    same time visitors.
    This is why I want to go for a VPS.
    I did start to learn and keep screwing the whole vps several times.
    On 23/02/2012 09:23 PM, Peter Peltonen wrote:
    Hi,

    On Thu, Feb 23, 2012 at 9:08 PM, Wuxi Ixuw wrote:
    I am not using cent os for my daily computing tasks at home or work but
    just for the vps hosting website.
    If all you want to do is to host a single website then a VPS is an overkill.

    Just find a hosting service for a "webhotel": this way your ISP
    deals with the security of the server and you don't need to worry
    about any operating system level admin stuff.

    It should be a lot cheaper as well.

    Best,
    Peter
  • Les Mikesell at Feb 23, 2012 at 2:27 pm

    On Thu, Feb 23, 2012 at 1:08 PM, Wuxi Ixuw wrote:
    I am not using cent os for my daily computing tasks at home or work but
    just for the vps hosting website.
    you mean to use web control panel back end or you mean another issue?
    I don't have any idea what a 'web control panel back end is' since
    that is not a stock centos feature. CentOS itself packages updates as
    soon as possible after they are released and on a non VPS system you
    would use 'yum update' to install them. And normally you want to do
    that as soon as possible because when the updates are published, the
    vulnerabilities that they fix are obvious and often even explained in
    public.

    --
    Les Mikesell
    lesmikesell at gmail.com
  • Mark Roth at Feb 23, 2012 at 2:39 pm

    Les Mikesell wrote:
    On Thu, Feb 23, 2012 at 1:08 PM, Wuxi Ixuw wrote:
    I am not using cent os for my daily computing tasks at home or work but
    just for the vps hosting website.
    you mean to use web control panel back end or you mean another issue?
    I don't have any idea what a 'web control panel back end is' since
    that is not a stock centos feature. CentOS itself packages updates as
    I'd guess he's talking cPanel.
    soon as possible after they are released and on a non VPS system you
    would use 'yum update' to install them. And normally you want to do
    that as soon as possible because when the updates are published, the
    vulnerabilities that they fix are obvious and often even explained in
    public.
    Actually, I assume that my hosting provider is regularly updating system
    software. I should probably look, but I think I'm paying for that, as part
    of what they do... which is also very much to their own benefit.

    mark
  • Wuxi Ixuw at Feb 23, 2012 at 3:20 pm
    managed web hosting is really expensive.
    On 23/02/2012 09:39 PM, m.roth at 5-cent.us wrote:
    Les Mikesell wrote:
    On Thu, Feb 23, 2012 at 1:08 PM, Wuxi Ixuw wrote:
    I am not using cent os for my daily computing tasks at home or work but
    just for the vps hosting website.
    you mean to use web control panel back end or you mean another issue?
    I don't have any idea what a 'web control panel back end is' since
    that is not a stock centos feature. CentOS itself packages updates as
    I'd guess he's talking cPanel.
    soon as possible after they are released and on a non VPS system you
    would use 'yum update' to install them. And normally you want to do
    that as soon as possible because when the updates are published, the
    vulnerabilities that they fix are obvious and often even explained in
    public.
    Actually, I assume that my hosting provider is regularly updating system
    software. I should probably look, but I think I'm paying for that, as part
    of what they do... which is also very much to their own benefit.

    mark

  • Wuxi Ixuw at Feb 23, 2012 at 3:19 pm
    I mean something like ISPConfig , VirtualMin, WebMin, ..etc
    On 23/02/2012 09:27 PM, Les Mikesell wrote:
    On Thu, Feb 23, 2012 at 1:08 PM, Wuxi Ixuw wrote:
    I am not using cent os for my daily computing tasks at home or work but
    just for the vps hosting website.
    you mean to use web control panel back end or you mean another issue?
    I don't have any idea what a 'web control panel back end is' since
    that is not a stock centos feature. CentOS itself packages updates as
    soon as possible after they are released and on a non VPS system you
    would use 'yum update' to install them. And normally you want to do
    that as soon as possible because when the updates are published, the
    vulnerabilities that they fix are obvious and often even explained in
    public.

Discussion Overview
group: centos
categories: centos
posted: Feb 23, '12 at 2:42a
active: Feb 25, '12 at 10:10p
posts: 52
users: 12
website: centos.org
irc: #centos