Some random selections from my notes on building Linode web servers:
- Set up reverse DNS in the Linode manager: select the Linode, click on "Remote Access", click on "Reverse DNS" (under "Public IPs")
- Linodes don't offer very much disk space; use localepurge to keep the filesystem on a diet: # apt-get install localepurge
- After installing and setting up MySQL, don't forget: # mysql_secure_installation
- After installing Apache, change the following in httpd.conf: ServerTokens -> Prod, ServerSignature -> Off, KeepAlive -> Off
- After installing PHP, edit php.ini to make it shut up: expose_php -> Off
There's a bunch of other fiddly stuff to do, and a seemingly endless combination of packages and strategies depending on what you're trying to accomplish. For instance, I currently run a stack with Postfix for MTA, awstats+jawstats for beautiful server-side site statistics, mod_deflate, mem_cache, fcgid/suexec to make it harder to break the server if a site is compromised, PureFTPd for really easy managed-by-MySQL FTP access, and a pile of other little minor tweaks and knobs turned.
MOST IMPORTANTLY: Backups, backups, backups. If you don't already have your own in-house backup service for your server (and I bet you don't!), then please take advantage of Linode's backup services: http://www.linode.com/backups/
Blindly turning off KeepAlive isn't a recipe for awesomeness.
KeepAlive is a memory/CPU-time trade-off: on if you want to speed up in exchange for memory, off if you want to conserve memory and pay the cost of initializing new connections.
If you're doing anything like loading a web page with more than a few images, KeepAlive will likely improve connection time, as HTTP requests things serially and you'll get a speed-up by re-using the same connection.
Protip: run apache's mpm-worker with keepalive on and save memory and speed up your site.
1. Test how your VPS comes back after a reboot, when you make big changes and at least every 6 months: all the upgrading that Ubuntu does by default can break the bootup process, and you won't know until that emergency unscheduled reboot at 3 AM.
2. As long as you're customizing the firewall you should block pings entirely.
* Really, since the distributions are very compatible I would urge you to consider a distro that has selinux enabled by default. Fedora Core is a great place to start. It also has better tools to manage security and gives you good resume skills.
Regarding keep-alive: yes, it will lead to memory issues when it's on and you use mod_php and the prefork MPM (which you really have to with mod_php). But this is just one configuration. You can easily fix it by either of:
- use php-fpm and switch to any other MPM in apache
- keep using mod_php but put an nginx or other reverse proxy before apache. It will do the keep-alive and you can configure apache to still close its connections.
- use nginx and php-fpm directly
All will mitigate the memory issue while still allowing you to offer keep-alive.
> - After installing Apache, change the following in httpd.conf: ServerTokens -> Prod, ServerSignature -> Off, KeepAlive -> Off
>
> - After installing PHP, edit php.ini to make it shut up: expose_php -> Off
What is the purpose of this? Security by obscurity? Or being really frugal about header length?
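The Apache and PHP items in the checklist above, and the question quoted just above, concern the same three defaults: the version string in the Server header (ServerTokens), the X-Powered-By header PHP adds (expose_php) and the footer Apache appends to its own error pages (ServerSignature). The Python script below is an added example, not code from the guide or from anyone in this thread; it parses a raw HTTP response and reports each disclosure it finds, so you can confirm the directives took effect after editing httpd.conf and php.ini. The two responses it runs against are constructed for the demonstration.

```python
"""Check an HTTP response for the default Apache/PHP version disclosures.

Added example; not code from the guide under discussion. It looks for
the three things the checklist turns off:
  - a version in the Server header          (ServerTokens Prod removes it)
  - an X-Powered-By header from PHP         (expose_php = Off removes it)
  - the footer on Apache-generated pages    (ServerSignature Off removes it)
The two sample responses are constructed for the demonstration.
"""
import re

# "Apache/2.2.22", "PHP/5.3.10-1ubuntu3", "OpenSSL/1.0.1", "mod_ssl/2.2.22" ...
VERSION_TOKEN = re.compile(r"\b([A-Za-z_][\w.-]*)/(\d+(?:\.\d+)+[\w.-]*)")
# Footer that ServerSignature On appends to error pages and directory listings.
FOOTER = re.compile(r"<address>(.*?)</address>", re.IGNORECASE | re.DOTALL)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_line, headers, body).

    Header names are lower-cased; repeated headers are joined with ', '.
    CRLF and bare LF line endings are both accepted.
    """
    text = raw.decode("iso-8859-1").replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return lines[0], headers, body


def find_version_disclosure(raw):
    """Return one finding per disclosure; an empty list means clean."""
    _, headers, body = parse_response(raw)
    findings = []
    for product, version in VERSION_TOKEN.findall(headers.get("server", "")):
        findings.append(f"Server header reveals {product} {version}: set ServerTokens Prod")
    if "x-powered-by" in headers:
        findings.append(f"X-Powered-By reveals {headers['x-powered-by']}: set expose_php = Off")
    for footer in FOOTER.findall(body):
        if "Server at" in footer:
            findings.append(f"Page footer reveals '{footer.strip()}': set ServerSignature Off")
    return findings


# Constructed: a stock LAMP box answering with all three disclosures at once.
DEFAULT_RESPONSE = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Date: Sun, 01 Jan 2012 00:00:00 GMT\r\n"
    b"Server: Apache/2.2.22 (Ubuntu)\r\n"
    b"X-Powered-By: PHP/5.3.10-1ubuntu3\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b"<html><body><h1>Not Found</h1><hr>\n"
    b"<address>Apache/2.2.22 (Ubuntu) Server at www.example.org Port 80</address>\n"
    b"</body></html>\n"
)

# Constructed: the same request after the three directives are applied.
HARDENED_RESPONSE = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Date: Sun, 01 Jan 2012 00:00:00 GMT\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b"<html><body><h1>Not Found</h1><hr>\n</body></html>\n"
)


def report(label, raw):
    """Print the findings for one response and return their count."""
    findings = find_version_disclosure(raw)
    print(f"{label}: {'clean' if not findings else str(len(findings)) + ' disclosure(s)'}")
    for finding in findings:
        print("  -", finding)
    return len(findings)


if __name__ == "__main__":
    report("default config", DEFAULT_RESPONSE)
    report("hardened config", HARDENED_RESPONSE)
```

To check a real host, capture a response for a missing path with `curl -si http://your-host/does-not-exist` and feed the bytes to find_version_disclosure; a 404 exercises the ServerSignature footer, which a normal page would not show. A clean result only means the versions are no longer advertised in-band: the settings cost nothing and keep you out of the cheapest version-grep scans, but they do not change what can be fingerprinted from behaviour, so treat them as tidy-up rather than a control.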
The author's website ranks first for "Linode Hosting Review".
He'll receive a commission for sales generated through his site, and being that his strategy is so targeted, it should convert well and deliver value to both him and Linode.
And he does it without ever having to resort to spam, the very opposite in fact; he does it through high quality content.
Good for him for generating the content and getting the rankings. I don't think it's that competitive though. I launched my site last week and I am on page 2 for the same term.
"I originally compiled this guide as a .txt file of notes for myself, but decided to share it in case anyone finds it useful. If you're looking for something straight from the horse's mouth, Linode [offers guides](http://library.linode.com/) that cover how to set up a new server, but some of the info is out of date."
But what I would really like to see is a decent introduction to Salt, Puppet or Chef. This way people that are going to deploy their first server could easily build and rebuild the instance and don't end up retyping shell commands from a blog article.
Also a note on the default Apache setup. There are several "flavors" of the server. If you are going to host Python sites with mod_wsgi then the apache2-mpm-worker package is a lot better choice than the traditional prefork model.
Is that a Ubuntu-only tool? I'd be hesitant to commit myself to anything that runs in a single distribution if I can help it. Fail2Ban would work if I decided to migrate to CentOS later down the line. https://help.ubuntu.com/community/UFW
Make sure your SSH port is below 1024 (but still not 22). Reason being if your Linode is ever compromised a bad user may be able to crash sshd and run their own rogue sshd as a non root user since your original port is configured >1024.
Thanks for the advice on the out of memory reboot. I probably have Apache misconfigured, or my app is slowly leaking memory, but I've run into random downtime and an unresponsive server as apache runs out of memory.
One of the most annoying things I'm running into with Linode and other VPS services is dealing with my drive running out of space. I've been moving all my database stuff to Heroku and I'm much happier (plus the automatic backups are a dream).
I find my Linode really useful for X11 forwarding to use Firefox in public places, or to get around web filters. Might be worth a mention of how to do this.
"On Windows, you’ll want to use putty [...] criminals often try to guess the root password using automated attacks that try many thousands of passwords in a very short time. This is a common attack that nearly all servers will face."
Yet another tutorial where I wonder who the target audience is. If somebody doesn't know the term brute-force or how to open a terminal app and connect with ssh, IMO they are not supposed to set up their own server by themselves.
Heh, I saw the same thing myself and I had the same sort of reaction, but I think it's more an issue with the writer misjudging his audience (you can see this if you've ever taken a continuing education class, or the opposite problem if you read lots of technical documentation).
But in any case, everyone starts somewhere and everyone's entitled to post their own 'linode post-mortem', especially if they're beginners and want to ossify their hazy thoughts somewhere. I don't begrudge the guy for just wanting to keep some record of his process, and maybe some day he'll look back and edit the document to keep up with his level of knowledge at the time.
My only gripe with linode is that they are unable to handle DoS attacks. If you're subjected to an attack, your linode will be shut off (null routed) for 24 hours. After that time, they'll check to see if it's still being attacked.
I really think they could do a lot better than that. Apart from that gripe, they're a great VPS host.
Sounds like they have a clear policy in place; most places it's a vague judgment call. But most places will kick any user that gets hit with a DoS attack that is large enough to disrupt service to other customers.
I mean, I agree that 'finishing the job' and letting the attacker win by null-routing the target is... a suboptimal way to deal with the problem, but with pipe-filling attacks? if the attacker can send more bytes than your pipe can handle, there is really no other realistic way to handle the problem. (I mean, you can try to trace down the source and call up the ISPs the packets are coming from, but BCP38 is still not widely implemented, so good luck tracing a spoofed source more than one or two hops up, and meanwhile, as you are calling people up and trying to get through to someone skillful enough to figure out where a spoofed packet is coming from, you are down.)
There are 'clean pipe' services, where someone with a very large pipe says they will programmatically detect and block DoS traffic, then pass along the good traffic to your (much smaller) pipe, and yes, those services can work /if/ the service provider has a larger pipe than the attacker. Of course, buying such a service from a service provider with a sufficiently large pipe is, as you can imagine, quite expensive. Buying such a service from someone that has less available bandwidth than your attackers are able to throw at the problem, of course, is completely useless.
So yeah, uh, assuming you can't afford to be on a 'clean pipe' that is backed by a huge network, you are much better off with an ISP that proactively shuts down DoS targets than one that doesn't. Unless, of course, you are a DoS target.
I mean, the economics of pipe-filling denial of service attacks, right now, are heavily tilted in favour of the attacker. It is a problem that needs to be solved, but I don't know how to solve it.
Remind me again why anybody is still using Linode?
Poor uptime and a disgraceful attitude towards security. ANY service provider that hides the facts behind major security incidents from their customers should never be used.
I guess their new customers will soon realise how crappy it feels to find out from Reddit that your VPS is potentially hacked.
omarchowdhury | 13 years ago
Good work feross!
shawnee_ | 13 years ago
http://library.linode.com/getting-started http://library.linode.com/securing-your-server
angryasian | 13 years ago
http://unix.stackexchange.com/questions/16564/why-are-the-fi...
ck2 | 13 years ago
Use the free, awesome CSF (configserver firewall) instead.
http://www.configserver.com/cp/csf.html
feross | 13 years ago
What about people setting up a server for the first time? How else are they supposed to learn?
I built my first site when I was 14 and moved to a VPS when I was 17. Until I moved to Linode, I never had a reason to open Terminal.
jacques_chester | 13 years ago
Lots of people use the Fremont centre. It is a dud.
I've hosted in Dallas without incident and currently I use Tokyo.