Virtual hosting suggestions.


Postby Frankieh » 2005/04/05 10:07:17

Hi all,

I've been searching long and hard for a good distro for virtual web hosting. I'm currently using Mandrake 9.2 (the base and Apache/Perl/PHP at least) and it has served its purposes well enough, but it has just fallen off security support and so I need to find an alternative, and I don't want to use a distro that drops support so quickly. I've downloaded the 4 CentOS ISOs and will be giving it a go shortly.

Here is what my needs are, and I'd like advice from gurus as to what the best method is.

- Virtual name hosting for multiple users (Perl, PHP, Apache).
- SSH access only, no FTP or at least no unencrypted FTP (need some method to lock users into their home directory, and so far the only way I can find is via chroot SSH).
- Lock down Apache/PHP/Perl as much as possible, as a user's old version of phpBB nearly stung me not so long ago.

Basically the most important part is to protect the machine from users' stupidity, and to lock them in their home directories in SSH. (Can SELinux help with that?)

I've actually been considering some virtual Linux distros such that I might give each user their own root and then write a daemon on the root OS and have that redirect port 80 calls to the relevant virtual Linux, but that has its own problems, as then the users would be responsible for their own patching and I'd get swamped in support calls. But on the upside they couldn't hurt each other or the root OS.

Anyway, that's basically what I'm trying to set up and I'd love to hear any suggestions with regards to possible solutions.

regards

Franki


Postby devil » 2005/04/05 14:29:55

I'm not a very big fan of SELinux. Ppl been saying it has all the bells and whistles to give u a secure system, but it has its own pain in the rear and a big learning curve, and is still at a very experimental stage to put in a production system and have all the users on yr back..... Frankly I still believe in the old-fashioned way of securing my system and apps, i.e. the config way :-D

I can safely bet on CentOS 3.x to serve all the stuff u need, from a powered kernel to stable OS, with updates and patches and, most imp, a production-proven system, the stuff I like to think about while I sleep, instead of checking the bloody pager in the wee hrs...

- Apache, new version, patched... tweak to make it secure, a few performance tweaks, it will support all the virtual hosts in the world. Run AWStats and u have web reporting which puts WebTrends reporting to shame.

- VSFTPD, speed and security both combined... nice, u can jail users to their directory, no snooping around.

- SSH, the de facto. SSH2 with security tweaks will work nice, u can chroot the users to their home dir, plus sudo kicks in well if u r thinking of giving shell access to all...

- Perl/PHP can be done well to suit the Apache security standards.

Examples and configurations may make this mail go on for the whole night..... lemme know if u need help in setting up any of this....


Postby Frankieh » 2005/04/17 17:28:09

For what it's worth, I've decided to use the following:

- VSFTP/TLS for encrypted FTP and to lock (possibly virtual) users into their home directories.
- mod_security module in Apache to block SQL injection and other such attacks.

If I can use SELinux to tighten things up, I will do so, but after much research SELinux looks like it will have to be turned off for httpd, as it will require vast amounts of fiddling to get right and may cause more hassles than it fixes.

Thanks for the tips.

regards

Franki


Postby devil » 2005/04/18 13:20:05

Hope it's working out good for u. Apart from just one module for Apache, there are lots of tweaks and twists which can boost yr Apache performance and can give u a secure environment to work with....

Keep in touch..


Postby cormander » 2005/05/16 21:50:55

Security isn't all about what distro of Linux you use, or the software. It's about personal attention to details that programs simply don't look for.

You had mentioned that you almost got stung by an outdated version of phpBB.

An additional step to take in this area is to have systems running that check these kinds of installations daily, and alert you of outdated software. Most OSS projects such as phpBB provide a method to check the version, either by design, or by parsing out their index page for the latest release version number.

I have something like this in the works, and right now it checks phpBB, awstats, formmail, and postnuke. It gets the realtime updated version from the project website, and checks against the string in the filesystem. That script will come out with my next release of open source software.

Another good idea is to look at each of your virtual hosts every once in a while, to see what is being used, and sign up for the newsletters of those applications. So if any security updates are made, you will hopefully know about them before any script kiddie does.
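The daily check described in the post above can be sketched as follows. This is an added example, not cormander's script or any project's own code: the marker files, version patterns, directory layout and "latest" version numbers are all constructed assumptions, and the latest versions are passed in as a dictionary so the example runs offline.

```python
import os
import re
import tempfile

# Assumed signature table: marker file and version regex per application.
# Illustrative only; verify each pattern against the real package.
SIGNATURES = {
    "phpBB":   ("docs/CHANGELOG.html", re.compile(r"phpBB\s+([\d.]+)")),
    "awstats": ("awstats.pl",          re.compile(r'\$VERSION\s*=\s*"([\d.]+)')),
}

def vtuple(version):
    """'2.0.15' -> (2, 0, 15), so 2.0.9 sorts below 2.0.15 (strings would not)."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())

def find_installs(base):
    """Yield (app, install_dir, installed_version) for each marker under base."""
    for root, _dirs, _files in os.walk(base):
        for app, (marker, pattern) in SIGNATURES.items():
            path = os.path.join(root, marker)
            if not os.path.isfile(path):
                continue
            with open(path, errors="replace") as fh:
                match = pattern.search(fh.read(65536))
            if match:
                yield app, root, match.group(1).rstrip(".")

def outdated(base, latest):
    """Return sorted (app, dir, installed, latest) for installs behind latest."""
    report = []
    for app, path, installed in find_installs(base):
        if app in latest and vtuple(installed) < vtuple(latest[app]):
            report.append((app, path, installed, latest[app]))
    return sorted(report)

def demo():
    """Audit a constructed tree with one stale and one current install."""
    latest = {"phpBB": "2.0.15", "awstats": "6.4"}  # constructed values
    with tempfile.TemporaryDirectory() as base:
        for site, ver in (("site-a", "2.0.9"), ("site-b", "2.0.15")):
            docs = os.path.join(base, site, "forum", "docs")
            os.makedirs(docs)
            with open(os.path.join(docs, "CHANGELOG.html"), "w") as fh:
                fh.write("<h1>phpBB %s changelog</h1>" % ver)
        return [(a, os.path.relpath(p, base).replace(os.sep, "/"), i, l)
                for a, p, i, l in outdated(base, latest)]

if __name__ == "__main__":
    for row in demo():
        print("OUTDATED %s in %s: installed %s, latest %s" % row)
```

Run from cron against the directory holding the virtual hosts, with the `latest` dictionary refreshed from each project's release page, the report can be mailed to the administrator.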


Postby hughesjr » 2005/05/18 18:27:10

I can tell you that CentOS-3 and CentOS-4 are both very good for hosting. ISPs and hosting companies all over the world are using CentOS on their servers; several of them have donated servers to the CentOS project that we use to provide updates via Up2date/yum, that we use to provide BT seeds and that we use for development.

If you visit this page you will see some of our donors:
http://www.centos.org/modules/tinyconte ... .php?id=15

Also, at the bottom of each server at:

http://mirror.centos.org/

Is the donor of that machine.


Postby Frankieh » 2005/06/16 11:28:02

Hi Devil,

You mention that it isn't that hard to chroot users into their own home directories with SSH.

My goal is to allow the use of the program WinSCP (for the Windows users anyway) to log in and access their files/folders.
I have it set up now so that they are dumped in their web root when they log in, but I want to enforce that by disallowing access outside their webroot. (Up till now I have only allowed accounts to people I trusted and I monitor all changes and commands run so I know what is going on, and I realise that even chroot isn't infallible, but as the saying goes "locks only keep out honest people" and I would still be watching activity on the servers anyway, but chroot would give me some additional peace of mind.)

My attempts so far to create a simple chroot environment with SSH have not been all that successful, since they need to be able to chmod CGI scripts and all the usual stuff people would do with an FTP client.
Since there are upwards of 100 users, it became very time intensive to set up such an environment for each user.

I was looking at using TLS FTP with one of the FTP clients that support locking users into their home directories, but I'd prefer to use SSH if I can because of its various benefits (compression, for example).

Is there some mechanism for chrooting SSH that I've not seen yet? Some non-manual way of doing it?

regards

Franki


Postby dfilion » 2005/09/09 13:52:26

If all you want is scp/sftp access, there is a great little utility, scponly, that is an SSH frontend that only allows scp/sftp and allows locking the user into a directory without a whole chroot setup.

