# Managing a Gentoo Webserver... Tools?

## chrissicom

Hey guys, I am managing a few servers and one of them needs upgrading, software- and hardware-wise. The current system is a P4 with Windows Server 2003 Standard. The new system will be a Dual Opteron with either Windows Server 2003 64-bit or Gentoo or Debian Sarge (as it looks now it will be Windows).

The big problem with the Linux system isn't that I can't get it running and set up, it's just extremely time consuming. Let alone setting up Gentoo, compiling the kernel, emerging Apache, PHP, MySQL etc. took me 3 days, and that doesn't include making the system secure. Setting up a Windows box with basic security takes me 2-3 hours. Anyway, here's what I need (listed in brackets is what I use now):

Webserver (IIS6) with ActivePerl 5.8 and PHP 5.0.4 installed (the new server will probably get 4.4.0)

MySQL 4.0.25, maybe 4.1.x on new server

Mail Server (Mail Enable Professional) - I am running ASSP

DNS Server (Microsoft DNS on Win 2003 with a secondary box)

FTP Server (BulletProof)

The server runs a vast amount of domains and like 50 FTP accounts and a few hundred mail accounts, so user management is a priority task. Also managing the zones in DNS (I use my own nameservers) is an important task. Since I can manage my Windows server through Remote Desktop with a nice GUI it's pretty easy to handle everything.

Well, my problem with Gentoo isn't that I am too stupid to install it, but it takes ages to set up users and stuff, so I definitely need to know if there is a reliable web interface to manage all the things I need (I tried webmin but that is total chaos, I can't even find a tab where to manage FTP users in webmin, i.e. set up user foo to access dir foo).

I've been using Red Hat with Ensim before, but I am not willing to spend a few hundred bucks for a control panel when I can have a Windows GUI for free (I have the Windows licences already so I wouldn't need to buy those). Plesk and Helm are no option either, too expensive.

I have remotely installed Gentoo through a rescue system on a test box via SSH console. Went fine, except that I compiled the whole night on a powerful machine. :Wink:

I installed Apache2 mod-ssl mod-perl mod-php, PHP 4.4.0, MySQL 4.0.24, phpmyadmin, proftpd so far (also tested webmin but it's a chaotic tool). I didn't dare to install a mail (maybe courier) or DNS server (bind) yet. Setting up MySQL isn't the issue because I only need ~10 accounts. But when it comes to FTP the chaos starts.....

- How can I quickly set up 50+ users with different access rights for their web folders?

- Why does a normal Gentoo user have access to the FTP when this user was set up before installing proftpd and has no relation to FTP?

- Even worse, why can this user browse the whole disk and even delete files in /etc, for example??? P.S. this user is not root!! I figured out how to disable root login.

- Some people need access to virtual domains, i.e. access to different directories for different domains that are not sub-directories of each other

Apache2 is the next problem.....

I know how to set up virtual hosts and run different sites on one IP, but I don't have 2 weeks to write the config for all domains etc.

- How can I quickly set up 20+ domains in less than 30 minutes?

- How can I manage sub-domains (100+) for the domains

- How can I quickly define which domain is allowed to run PHP and which isn't?

I have not installed a mail server yet, but I would need to set up at least 250 users and forwarders for different domains. That's a pain in the ...you know what... without a webadmin tool.

Two things left at last....

- When I install software/security updates on Windows I can be 99% sure my server isn't broken afterwards; Gentoo or Debian don't seem to be that easy

- Would you actually recommend Gentoo as a webserver system for such a complex setup or would you tell me to stay with Windows since I can manage everything a lot easier?

----------

## 1U

I'm actually stuck in a similar situation. I've tried plesk and webmin before on Linux and didn't like either. Especially plesk which costs a lot of money and functions terribly with a lot of security holes. My only alternative and the way I'm doing it now is just learning how to set those up individually. It's good to learn the basics of those services as they really aren't too hard to use. Once you understand most of that you can just make scripts that do it for you. There have been a few scripts posted on the forums before to help with virtual hosting. Here's the topic they were posted at:

https://forums.gentoo.org/viewtopic-t-16597-highlight-virtual+hosting.html

I hope that helps.

----------
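To make "scripts that do it for you" concrete for the Apache questions in the first post (20+ domains in under 30 minutes, 100+ sub-domains, PHP on or off per domain), here is an added example. It is not from anyone in this thread and not the script linked above: a POSIX shell generator that turns a plain domain list into an Apache 2.0-style vhost include. The names are assumptions: document roots under /var/www/<domain>/htdocs, logs under /var/log/apache2, an include directory /etc/apache2/vhosts.d, and a list format of `domain php|nophp`, one per line.

```shell
#!/bin/sh
# Added example, not from the thread. Generates Apache 2 <VirtualHost>
# stanzas from a list of "domain php|nophp" lines (format is an assumption).
# Assumed layout: /var/www/<domain>/htdocs, logs in /var/log/apache2.

# Emit one vhost for domain $1; PHP is switched off unless $2 is "php".
gen_vhost() {
    domain=$1
    php=$2
    docroot="/var/www/$domain/htdocs"
    printf '<VirtualHost *:80>\n'
    printf '    ServerName %s\n' "$domain"
    # www. plus a wildcard alias: every sub-domain lands in this vhost
    # without its own stanza (the DNS records still have to exist).
    printf '    ServerAlias www.%s *.%s\n' "$domain" "$domain"
    printf '    DocumentRoot %s\n' "$docroot"
    printf '    ErrorLog /var/log/apache2/%s-error.log\n' "$domain"
    printf '    CustomLog /var/log/apache2/%s-access.log combined\n' "$domain"
    printf '    <Directory %s>\n' "$docroot"
    # No directory listings, no SSI; .htaccess cannot re-enable anything.
    printf '        Options -Indexes -Includes +FollowSymLinks\n'
    printf '        AllowOverride None\n'
    printf '        Order allow,deny\n'
    printf '        Allow from all\n'
    printf '    </Directory>\n'
    if [ "$php" != php ]; then
        # php_admin_flag cannot be overridden from .htaccess or ini_set(),
        # unlike php_flag, so a customer cannot switch PHP back on.
        printf '    php_admin_flag engine off\n'
    fi
    printf '</VirtualHost>\n\n'
}

# Read the list on stdin, skip blanks and comments, emit every vhost.
gen_all() {
    while read -r domain php; do
        case $domain in ''|'#'*) continue ;; esac
        gen_vhost "$domain" "$php"
    done
}

# Number of stanzas on stdin; compare against the line count of the list.
count_vhosts() {
    grep -c '^<VirtualHost'
}

# Usage: sh genvhosts.sh domains.txt > /etc/apache2/vhosts.d/generated.conf
if [ -n "$1" ]; then
    gen_all < "$1"
fi
```

The include still needs a single `NameVirtualHost *:80` somewhere in the main config, and the first stanza in the file becomes the default for requests whose Host header matches nothing, so put a dummy catch-all domain first. Adding a domain is then one line in the list plus `apache2ctl configtest` and a reload; sub-domains that need their own document root get their own line instead of riding on the wildcard alias.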

## chrissicom

I am really thankful for your intention to help, although I am not too satisfied with the abilities of this script. It's too complicated for me in terms of modifying it to my needs, and it does too few of the things I require.

I also couldn't fix the problem yet that basically every user can FTP into the server. How can I tell proftpd to only allow users that have been explicitly set up for FTP?

----------
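An added example for the question just above, not written by anyone in this thread: a ProFTPD configuration fragment that refuses every login except members of one group and jails each of those users to their home directory, plus a small provisioning helper that prints the account commands for review instead of running them. Assumed names: group `ftpusers`, config file /etc/proftpd/proftpd.conf (check where the ebuild actually installs it), site directories under /var/www.

```shell
#!/bin/sh
# Added example, not from the thread. Restrict ProFTPD to explicitly
# provisioned accounts and jail each one. Assumed names: group "ftpusers",
# config /etc/proftpd/proftpd.conf (check where the ebuild puts it).

# Fragment to append to proftpd.conf.
proftpd_lockdown_conf() {
    cat <<'EOF'
# Only members of ftpusers may log in. Without this block ProFTPD accepts
# any system account whose shell appears in /etc/shells, which is why an
# ordinary user created before ProFTPD was installed could log in.
<Limit LOGIN>
    AllowGroup ftpusers
    DenyAll
</Limit>

# chroot() every login to its home directory: no browsing /, no /etc.
DefaultRoot ~

# FTP-only accounts get /bin/false as shell; accept them anyway, the
# <Limit LOGIN> above is what gates access now.
RequireValidShell off

# Never root; also honour the classic /etc/ftpusers deny list.
RootLogin off
UseFtpUsers on

# Uploaded files are not group- or world-writable.
Umask 022
EOF
}

# Print (do not run) the commands that create one FTP-only account.
# $1 = login, $2 = the web directory it may reach (becomes its home).
ftp_user_cmds() {
    login=$1
    dir=$2
    printf 'useradd -M -g ftpusers -d %s -s /bin/false %s\n' "$dir" "$login"
    printf 'mkdir -p %s\n' "$dir"
    printf 'chown %s:ftpusers %s\n' "$login" "$dir"
    # 755 so the Apache user can read what gets uploaded; nothing private
    # belongs in a document root anyway.
    printf 'chmod 755 %s\n' "$dir"
}

# Read "login dir" lines on stdin and print the commands for all of them;
# review the output, then pipe it into sh as root.
provision_from_list() {
    printf 'groupadd -f ftpusers\n'
    while read -r login dir; do
        case $login in ''|'#'*) continue ;; esac
        ftp_user_cmds "$login" "$dir"
    done
}
```

Passwords are set afterwards with `passwd <login>`. For the "several unrelated directories for one customer" case, a symlink does not help because it cannot be followed out of the chroot; give that user a dedicated home and bind-mount each document root beneath it (`mount --bind /var/www/a.example /home/ftp/cust/a.example`), which works inside `DefaultRoot ~`. After editing the config, `proftpd -t` checks the syntax before a restart.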

## 1U

I've never used proftpd so I can't really help much on that. However, I use Pure-FTPd and in my opinion it's better and more secure. It's never had a rootable exploit yet. Pro-FTPd has been known to have quite a few security holes. Also pure-ftpd is easy to set up and has support for virtual users and MySQL. Here's a link to the pure-ftpd website which has great documentation, and it's also available in portage: http://www.pureftpd.org/

Hope that helps and if you decide to really use pure-ftpd I can help a bit as I've used it and read the documentation a few times already.

----------

## chrissicom

I could actually really use some help with it. I installed it and a nice GUI for user administration. I have set up everything for MySQL auth.... when I try to connect to my FTP:

    Resolving host name "85.10.196.207"
    Connecting to 85.10.196.207 Port: 21
    Connected to 85.10.196.207.
    An established connection was aborted by the software in your host machine.
    Server closed connection

I think that's not a problem of the MySQL Auth but before that already. You know what could be wrong?

----------

## 1U

Is this for proftpd or pure-ftpd? Also, what kind of gui are you using for it? I hope you're not running an xorg on the server and that you meant you got a web interface for it.

----------

## chrissicom

No no, it's no graphical interface for the OS, only a PHP thingy... I am using pureftpd and this tool to manage accounts: http://machiel.generaal.net/index.php?subject=user_manager_pureftpd. But the error message I have there doesn't look like pureftpd can't read the data from my MySQL database, it looks like an error before that. I have changed the pure-ftpd config file accordingly and also created the pureftpd-mysql.conf file as suggested. Also port 21 is open in the firewall.

----------

## 1U

Hmm, well the few places I'd recommend checking first are:

Did you compile pure-ftpd with the mysql USE flag?

Is mysql running smoothly and can you get access to the database?

Did you create the required pure-ftpd database in mysql?

And if those 3 are perfect, perhaps you won't mind posting your pure-ftpd config file in here?

Btw, that's a pretty good user interface. I don't use pure-ftpd with MySQL at this moment as I'm moving servers, but I did use that before and I really liked it. It may seem a bit simple but actually it has just about every feature that the manual virtual-user passwd commands do for pure-ftpd. If your config looks pretty good when I see it, I'll install pure-ftpd with MySQL on my own box and test it out to help you further.

----------
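Picking up 1U's earlier suggestion of Pure-FTPd virtual users backed by MySQL, and the three checks in the post just above, here is an added example that is not from this thread, the linked user manager, or Pure-FTPd's own files. It writes the MySQL backend configuration, checks a config file for the keys the backend cannot work without, and emits the SQL for the table and for one virtual user. Assumed names: database and MySQL account `pureftpd`, table `users`, and one system uid/gid that owns every virtual user's files.

```shell
#!/bin/sh
# Added example, not from the thread or Pure-FTPd. Virtual FTP users in
# MySQL. Assumptions: database and MySQL user "pureftpd", table "users",
# every virtual user mapped onto one system uid/gid that owns the files.

# Backend config for `pure-ftpd -l mysql:/etc/pureftpd-mysql.conf`.
# \L is replaced by the login name at authentication time.
pureftpd_mysql_conf() {
    cat <<'EOF'
MYSQLSocket     /var/run/mysqld/mysqld.sock
MYSQLUser       pureftpd
MYSQLPassword   change-me
MYSQLDatabase   pureftpd
# md5: Password column holds the hex MD5 of the password (unsalted)
MYSQLCrypt      md5
MYSQLGetPW      SELECT Password FROM users WHERE User="\L" AND Status="1"
MYSQLGetUID     SELECT Uid FROM users WHERE User="\L"
MYSQLGetGID     SELECT Gid FROM users WHERE User="\L"
MYSQLGetDir     SELECT Dir FROM users WHERE User="\L"
EOF
}

# Keys the backend cannot work without; prints the missing ones (empty = ok).
check_mysql_conf() {
    missing=""
    grep -Eq '^MYSQL(Server|Socket)[[:space:]]' "$1" || missing="$missing MYSQLServer/MYSQLSocket"
    for key in MYSQLUser MYSQLPassword MYSQLDatabase MYSQLCrypt \
               MYSQLGetPW MYSQLGetUID MYSQLGetGID MYSQLGetDir; do
        grep -q "^$key[[:space:]]" "$1" || missing="$missing $key"
    done
    printf '%s\n' "${missing# }"
}

# Schema matching the queries above (Status lets you disable a login
# without deleting the row).
users_table_sql() {
    cat <<'EOF'
CREATE TABLE users (
  User     VARCHAR(32)   NOT NULL PRIMARY KEY,
  Password VARCHAR(32)   NOT NULL,
  Uid      INT UNSIGNED  NOT NULL,
  Gid      INT UNSIGNED  NOT NULL,
  Dir      VARCHAR(255)  NOT NULL,
  Status   ENUM('0','1') NOT NULL DEFAULT '1'
);
EOF
}

# Hex MD5 of a password, the same value MySQL's MD5() would store.
pw_md5() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# Escape a value for a single-quoted SQL literal.
sql_quote() {
    printf '%s' "$1" | sed "s/'/''/g"
}

# INSERT for one virtual user: $1 login, $2 password, $3 directory,
# $4/$5 system uid/gid. The uid must be above Pure-FTPd's minimum uid
# (-u option, default 100) or the login is refused.
virtual_user_sql() {
    printf "INSERT INTO users (User, Password, Uid, Gid, Dir) VALUES ('%s', '%s', %d, %d, '%s');\n" \
        "$(sql_quote "$1")" "$(pw_md5 "$2")" "$4" "$5" "$(sql_quote "$3")"
}
```

Three things a practitioner would check alongside this: `chmod 600` the backend config, since it holds the MySQL password in clear; start the daemon with `-A` (chroot everyone) so each virtual user stays inside its `Dir`; and treat `MYSQLCrypt md5` as the weak choice, since an unsalted MD5 column is trivially cracked if the database leaks, so prefer `MYSQLCrypt crypt` with salted crypt(3) hashes when the user manager can write them. The `mysql` USE flag shows up as `+mysql` in `emerge -pv pure-ftpd`, and the Gentoo init script takes its daemon options from /etc/conf.d/pure-ftpd (an assumption; check the ebuild's file if it has moved).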

## chrissicom

I have posted the config here https://forums.gentoo.org/viewtopic-t-362551.html.

The 3 things you specified are perfectly fine. MySQL is running, I can browse it using phpmyadmin and also connect on the console with all users. Also the pureftpd database is there.

 :Crying or Very sad: 

----------

## Godsmacker777

*Quote:*

> The big problem with the Linux system isn't that I can't get it running and set up, it's just extremely time consuming. Let alone setting up Gentoo, compiling the kernel, emerging Apache, PHP, MySQL etc. took me 3 days, and that doesn't include making the system secure. Setting up a Windows box with basic security takes me 2-3 hours.

This is the reason a lot of people end up using Windows... it's quick and dirty. You say "basic security"; using the term security in this manner is kidding yourself.

From my point of view, I think you'd be nuts not to use Gentoo. I say this because I believe Gentoo is an investment, and a damn good one at that. We can all agree that you can do anything you would like with Gentoo, and you can have it done the way you want. Between the configurability and the power, backed with a solid security policy and one of the best package managers out there, there shouldn't be any doubt that Gentoo has the potential to be the best.

If I were in your position (I totally understand how important time is in all of this..) I would really make Gentoo an investment. Whether or not you set up your Opteron system now, I would get Gentoo running on something, pick up a good security book (like Hacking Linux Exposed), come up with a solid security policy that meets your needs and requirements and implement it, iron out any wrinkles in the system's setup, and pick up some scripting.

Between Gentoo and some good programming, you can not only set up a system to do whatever you want, but do it efficiently and with ease.

I believe that functionality and efficiency are the most important issues here. If you invest yourself now, future systems you set up will go that much smoother and faster. There are plenty of ways to minimize downtime.

----------

## jsmaye

Believe it or not (or just plain refuse to), one CAN have a secure, stable Windows system. And there are unstable, unsecured Linux/Unix systems out there. I'm guessing that the 'Spread Firefox' or whatever server that got compromised a few weeks back is a Linux/Apache box, but if not, I stand corrected.

In the short haul, I can build a stable, secure Windows box. It's not impossible, not even THAT difficult. In the long haul, I can build a stable, secure Linux box. It's a little more difficult and time-consuming, but probably the best overall solution.

----------

## chrissicom

Well, I usually use the term "basic security" when a system has reached a degree of security where script kiddies can't easily take over a system anymore. I always say if someone really wants to hack you there's no way to protect yourself, because no single-person company can afford NSA security standards.

I totally agree that Gentoo is faster than Windows, maybe more stable... but my Windows box has been running without a single crash for a year too, so it can be considered stable as well. The little extra Gentoo quickness is not really an advantage because I don't care if MySQL inserts a line in 0.001 ms or 0.002 ms. You don't notice any performance difference between a good Gentoo and Windows system unless 5000 people access the same MySQL database at once. Linux in general could be a very good system, but programmers need to realize that pure speed and stability isn't all that most of us need; we need easy, less time-consuming management possibilities, and that's why Windows is still my fav choice.

----------

## jsmaye

I agree - so few of us require Department of Defense-level security (or Microsoft-level - has there EVER been a private company so hammered by miscreants?) that routine security should be sufficient. Also, if I'm charged with maintaining NSA/DoD-level security, it's not going to be provided by the content server, but by hardened external systems between the server and the network.

----------

## Godsmacker777

A couple of points that I feel are worth noting..for later readers if anything:

Setting up a good security policy does take some time, though a "default" install of most distros is better off than a straight-up Windows install. I think we all know (and can agree) that the underlying design of nix-derived OSes allows for more secure systems. My point is that there is nothing saying that by using Linux you are going to have a secure system, but that you are off to a good start. The overall design of the Windows OS limits its security, and that threshold is lower than the possibilities in the nix realm.

That being said, I believe webservers should have a "basic level of security" - and in my opinion - that level is beyond what windows is capable of.

Lastly, I don't feel we should support a company such as Microsoft. (I'm not going into the stereotypical M$ bash here.) Personally I think their tactics are rather nauseating. Here's a small example:

(from http://www.hardmac.com/niouzcontenu.php?date=2005-08-10#4354 )

*Quote:*

> It is known that Vista relies on DirectX9 for all graphics, animations, etc...
>
> With Windows XP, it is possible to run OpenGL-based applications at full speed thanks to OpenGL drivers that have direct access to the hardware.
> ...

I don't know the specifics of this, or even its validity... but what I can say is that we have all become very accustomed to these scenarios. How can you support them?

Someone here on the forums said it well once before: their software is not even worth stealing...

----------

## zietbukuel

Yeah, fuck microsoft!   :Laughing:   :Laughing:   :Laughing: 

----------

## jsmaye

*zietbukuel wrote:*

> Yeah, fuck microsoft!

You bumped a year-old thread for that?  :Rolling Eyes: 

----------

## zietbukuel

Yeah, why not?????   :Shocked:   :Shocked:   :Shocked:   :Very Happy:   :Very Happy:   :Very Happy: 

----------

## jonnevers

*zietbukuel wrote:*

> Yeah, why not?????

Because this is a support forum, not a soapbox. Please use OTW or gentoo-chat for this.

----------

