What are the basics of taking care for a common server? [closed]
I have been instructed to administrate a linux server, running SLES out of the box. It’s a Typo3 web server, and there are running some web apps in Tomcat, too, but there is no sensitive contents on that server (no personal information, no credit card numbers or that like) wich would require special protection. The server is provided by a data center, which does
- any hardware related stuff from disk redundancy to fire protection
- run a firewall, restricted to the very most possible
- backups of the data each night with
- MySQL dumps right before backup starts
Besides the “user application”, I already set up & checked that
- all services start up automatically after reboot
- the server does neither run in, nor reboot into runlevel 5 by exident
- measured values (memory, disk space, CPU) are being monitored
- log file rotation for applications installed manually is configured
- automatic OS updates are enabled
- the system clock does synchronize with a time server
Being left alone this way, when and why do you think this installation will leave the service (let it be an internal error or broken by hackers) because something has been overlooked by the unaware? In your experience, what is strikingly missing in my list?
Solution 1:
If I was asked to “take care of a customer’s server”, I'd probably ask if they mean it "Al Pacino" or "Julia Andrews" way of "take care of". (sarcasm)
Everything depends on what is running on the server. You can (and you should) monitor every important service like DB, RAM, webapp, ... (for example with Nagios).
The restrictive packet filtering is of course good idea.
You should evaluate necessity of remote logins (ssh, rdp, ...) and secure them accordingly.
You should secure services on the server by creating separate users, adjusting access rights, using selinx, whatever.
Sensitive data protection really depends on their sensitivity. But at least protection by access rights and eventually by encryption. But really depends on particular situation.
Letting the server handle (=install) updates automatically is, for me, really stupid idea. Since some updates may need restart of service or even reboot of whole machine, it can result in some funny moments when server "goes down" at 3 a.m. or (even better) when it should serve few hundreds of clients. Better approach is to turn updates off and do them manually like once a month. (In big networks this can be a painful process but I personally like servers "under my control").