  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 253

What services are needed on a dedicated Web Server?

I want to host our website from my office. I have assembled a PC from castoffs from our engineering department and installed SuSE Linux Enterprise Server 9.3 on it. This machine will eventually (hopefully) be a dedicated web server, hosting our website. I am not that familiar with Linux, although we do have a Redhat ES running on our net that is hosting our manufacturing database. We also have a Win 2K active directory domain with an exchange server running on that. My question is: what services should I (do I need) have running on the SuSE box for it to host our website? I want it to run only what's necessary to do that task. Should it be part of our AD domain on the same subnet? All of our stuff is behind a Cisco T1 router. We do not have high bandwidth demands of the Internet now and our website probably isn't a high-traffic site either.
0
Asked: dwielgosz
1 Solution
 
PsiCop Commented:
Well, Redmond's never made an AD for Linux (and don't hold your breath), so it's not going to be able to be part of your AD environment. If you were operating in a Novell environment with eDirectory, no problem, but the last thing Redmond wants you to have is choices. Besides, is there anything from the AD environment that you need live access to from this public webserver? If the answer to that is "No"...and I suspect it is...then isolate it as much as possible.

The general rules for security apply to SLES as much as any other OS, it's just easier to turn stuff off and not everything is turned on by default like you see in the M$ environment. Turn off everything you don't need. For a simple, standalone webserver, all it really needs is Apache (httpd) and the SSH daemon (sshd). Don't run the XWindows server, do everything from the command-line, once you get it up and configured.

Optimally, it should reside in a DMZ, separate from your production network. That's just Network Security 101.
0
 
PsiCop Commented:
I've made a lot of assumptions - for example, that you don't want to have password-protected pages (and therefore this server has no need to authenticate connections), that you're not doing SSL (and therefore don't need to generate certificates), that you'll use a secure shell (SSH) client to access the server, instead of telnet and FTP, that you have a DMZ or the infrastructure to create one, etc.

If you want more-precise advice, then you really need to provide more detail.
0
 
wesly_chen Commented:
> Should it be part of our AD domain on the same subnet?
No. No need to be in AD domain.

>of our stuff is behind a Cisco T1 router.
You need to put it in DMZ or do 1-to-1 NAT IP mapping for your webserver.

>run only what's necessary to do that task.
Apache server (httpd)
ssh/scp from LAN.

That's it.

Do
nmap -sS -O <webserver's IP>
to see your open services and use:
chkconfig --level 2345 <service name> off
/etc/init.d/<service name> stop
to disable those unnecessary services.

Also, download Bastille Linux to harden your webserver.
http://www.bastille.com/
0
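The disable step in the post above, as an added example that is not part of the original thread: it reads `chkconfig --list` output, compares it with an allowlist, and prints the two commands from the post for every other service enabled in runlevels 2-5. The allowlist names and the sample output are assumptions constructed for illustration; the Apache init script may be named differently on a given system.

```shell
#!/bin/sh
# Added example: turn `chkconfig --list` output into the disable commands
# from the post, for every enabled service that is not on an allowlist.

# Services the thread says a standalone web server needs. The names are
# assumptions; check the actual init script names under /etc/init.d.
ALLOW="httpd sshd"

# Constructed sample of `chkconfig --list` output, so this runs offline.
sample_chkconfig() {
cat <<'EOF'
cups      0:off  1:off  2:on   3:on   4:off  5:on   6:off
httpd     0:off  1:off  2:off  3:on   4:off  5:on   6:off
nfs       0:off  1:off  2:off  3:off  4:off  5:off  6:off
portmap   0:off  1:off  2:off  3:on   4:off  5:on   6:off
sshd      0:off  1:off  2:off  3:on   4:off  5:on   6:off
xinetd based services:
EOF
}

# unneeded_services ALLOWLIST: read `chkconfig --list` text on stdin and
# print each service that is "on" in any of runlevels 2-5 and is not in
# the allowlist. Lines without seven runlevel fields are skipped.
unneeded_services() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF >= 8 && !($1 in ok) {
            for (f = 4; f <= 7; f++)          # fields 4..7 hold runlevels 2..5
                if ($f ~ /^[2-5]:on$/) { print $1; break }
        }'
}

# Print (do not run) the two commands from the post for each such service,
# so the list can be reviewed before anything is switched off.
disable_commands() {
    unneeded_services "$1" | while read -r svc; do
        echo "chkconfig --level 2345 $svc off"
        echo "/etc/init.d/$svc stop"
    done
}

# On the server itself: chkconfig --list | disable_commands "$ALLOW"
sample_chkconfig | disable_commands "$ALLOW"
```

Re-running the nmap scan from the post afterwards confirms that only the web and SSH ports remain open.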
 
dwielgosz Author Commented:
Thanks PSICop, how do I access the linux box via SSH? I have tried with Putty but it won't accept the root's p/w. What must I do?
0
 
wesly_chen Commented:
> but it won't accept the root's p/w. What must I do
Edit /etc/ssh/sshd_config
PermitRootLogin yes

then restart sshd
/etc/init.d/sshd restart
0
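A way to check which value of a directive such as PermitRootLogin sshd will actually read from sshd_config, as an added example that is not part of the original thread. It applies the file's parsing rules: commented lines are ignored, keywords are case-insensitive, and the first uncommented occurrence wins. The sample config is constructed for illustration and the function name is hypothetical.

```shell
#!/bin/sh
# Added example: report the global value sshd will use for a keyword.

# Constructed sample config (not the asker's file): the directive appears
# three times, once commented out and twice active with different values.
sample_sshd_config() {
cat <<'EOF'
#Port 22
Protocol 2
#PermitRootLogin yes
permitrootlogin   no
PermitRootLogin yes
Match User backup
    PermitRootLogin forced-commands-only
EOF
}

# effective_value KEYWORD: read sshd_config text on stdin and print the
# value from the global section, or a note that the keyword is not set.
# Lines inside or after a Match block are conditional, so parsing stops
# at the first Match line.
effective_value() {
    awk -v key="$1" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }     # comment or blank line
        tolower($1) == "match" { exit }       # global section ends here
        tolower($1) == key {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")   # drop the keyword, keep value
            print; found = 1; exit
        }
        END { if (!found) print "(not set, built-in default applies)" }'
}

# On the server: effective_value PermitRootLogin < /etc/ssh/sshd_config
# The running daemon keeps its old settings until sshd is restarted.
sample_sshd_config | effective_value PermitRootLogin
```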
 
dwielgosz Author Commented:
I opened the file in a text editor, but for some reason it will not allow me to change anything in it. I cannot uncomment the line for instance.
0
 
wesly_chen Commented:
You need to su to root to edit the file.
0
 
dwielgosz Author Commented:
I was trying to edit it in a text editor in the X windows interface. It would not allow any changes to the text in the file so I opened it in a terminal window and then I couldn't figure out how in the heck to get out of it and save the changes. I thought it was "Q" but apparently not in SuSE. If you haven't noticed, I know very little about Unix/Linux. I still cannot log in through ssh.
0
 
wesly_chen Commented:
> I was trying to edit it in a text editor in the X windows interface.
Please login as root, then launch the X text editor.

> I thought it was "Q" but apparently not
Press ESC, then :wq! to save and quit out of vi.
0
 
dwielgosz Author Commented:
Thanks, but I am logged into SuSE as "root", have been all along. I was using "File Manager SuperUser Mode". I finally managed to edit and save the change to the file, however every time I do that I seem to create a clone of the file that the system refers to as a "swap file" when I go to reopen it. I am then given the choice to edit or recover the swap file.
0
 
wesly_chen Commented:
It's similar to M$ Word. The test file wasn't closed properly last time so the swap file is not deleted (~<file name>.tmp in M$ Word).
Just delete the swap file or move that swap file to /tmp.
0
 
dwielgosz Author Commented:
OK, that's what I've been doing. So now I have only the "sshd_config" file in that directory "etc/ssh". The change has been made to the line that refers to "PermitRootLogin", i.e. I have "uncommented" it out and I still get the same message when I try to login with PuTTY. At this point do I need to restart a service to enable the change? Are there any other config files that need to be edited? Or how about other files period? Thank you for your patience.
0
