4

As a web developer I have, like many, my own VPS. However, I am a web developer, not a system manager. For me it's quite challenging to install a VPS and to keep it up to date and secure. It takes me days, if not weeks, to get a server up and running. I also hardly dare to update my server since I'm afraid I'll screw things up.

So my question to you is what resources can you recommend me that won't only tell me how to install a LAMP server, but also explains how to keep everything up to date and secure?

edit: Installing everything isn't the main problem, the main problem is configuring everything such that it is secure and that it works. Most tutorials just tell me how to install everything, but usually that's just not enough.

In my specific case I have a CentOS VPS for which I need LAMP, ftp and email. I also host multiple domains on one VPS.

Tiddo
  • It sounds like you're looking for two different types of security: `Keeping things up to date` (what we're answering below), and `How do I configure things to be secure` (a good question, but ***MUCH*** harder to answer -- There are lots of places to learn about security best practices, but the *best* way to learn is to work with someone who already knows them and will help you apply them to your specific environment). – voretaq7 Jan 24 '12 at 21:40

2 Answers

4

There are two key parts to a server environment: Building it and Maintaining it.

The building part is "easy" -- Howtos will get you there (though the results might not be pretty).

The maintaining part is the hard part: Applying patches (even using modern package management tools) is a bit of a black art: You need to be ready and able to troubleshoot when things break, and you need the skills and knowledge to fix the brokenness (either by actually fixing it or by rolling back your change until you can figure out why it broke).


The best advice I can give you: Get a sysadmin (even a part-time one) to do quarterly assessments and patches. If you want to take this role over yourself then work with them until you feel comfortable.

The second best advice I can give you is build a test environment (any sysadmin you hire should insist on this) and do it yourself:

  • As @Tim said, start with a solid Linux distribution with excellent package management, and stick with the packaged software.
  • At least every 3 months (or whenever there's a security issue that merits it) patch your test environment and give your software a thorough workout. (This is where all that preaching about software testing comes back to bite you: You need good tests to be sure you find any breakage.)
  • When you're confident those patches won't break your software apply them to your production environment.

Note that your test environment need not be extravagant: A VirtualBox VM can often do the job.


A few other bits of free advice:

  1. Have a test environment.
    If you break a test environment you can always restore from a backup and try again.
    If you break the production environment the users get angry.
    (this leads directly to #2...)

  2. Backups. Get you some (if you don't already have 'em).
    Perform regular backups. Perform regular restore tests (to be sure your backups are usable).
    Be confident that even if you make a mistake and destroy the production environment you can fix it.

  3. Do not fear patching: Patch early, and Patch often.
    Problems tend to arise when environments are set up and left alone without regular updates and testing: The chance of something breaking is roughly proportional to the number of changes (updated packages) involved, and regular updates work to keep that number small.
    I practice (and strongly recommend) quarterly maintenance, with emergency fixes between windows as needed.

voretaq7
  • There's one more thing: the default package manager of CentOS usually doesn't have the latest stable PHP version, and I do want the latest stable PHP version. With every new version, features are added that I like, so I want to keep that up to date. Do you also have any tips for building and maintaining that? – Tiddo Jan 24 '12 at 21:53
1

Your best bet is to roll with a proven distro that has a great package manager. Fedora, Cent, Redhat, OpenSuSe and Debian/Ubuntu all have these. All of these I have listed contain the packages for deploying a standard LAMP setup, and once you have the whole thing set up, you can start a system job, AKA cron job, to check and apply updates on a specified interval.

Tim
  • I'm really not a fan of applying software updates via cron jobs (unless you have an extensive test environment and only push/apply tested fixes). I've seen a lot of environments fall apart because of an untested patch applied by an automated script, and I don't relish a call at 0-dark-thirty saying "OMG HALP THE SERVERS ARE DOWNNNNNN!" – voretaq7 Jan 24 '12 at 21:22
  • The main problem isn't installing everything. I have a CentOS VPS, and with a few yum installs I have the applications installed. However, for me the hard part is configuring everything and making everything secure. Do you also have recommendations for that? – Tiddo Jan 24 '12 at 21:23
  • A good alternative to automatic updates is to have a cron job send nagging emails when there's security patches to apply. – Shane Madden Jan 24 '12 at 21:24
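The "nagging cron job" Shane Madden suggests, in place of Tim's auto-apply cron job, as an added example that is not from any of the posters: it runs `yum check-update --security` on the asker's CentOS box and mails a count plus the raw listing, leaving the actual patching to the tested quarterly window. The script name, the `ADMIN_MAIL` variable and the sample yum output are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): a cron-driven "nag" script for CentOS that
# mails the list of pending security updates instead of applying them. Assumes
# yum-plugin-security (for `yum check-update --security`) and a local `mail`.
# Cron entry, daily at 06:00:  0 6 * * * root /usr/local/sbin/yum-security-nag.sh --run
ADMIN_MAIL="${ADMIN_MAIL:-root}"   # report recipient, override via environment

# yum check-update exits 0 (nothing pending), 100 (updates pending) or 1 (error);
# naming the states keeps "no news" distinct from "the check itself broke".
describe_status() {
    case "$1" in
        0)   echo "up-to-date" ;;
        100) echo "updates-pending" ;;
        *)   echo "error" ;;
    esac
}

# Count "name.arch  version  repo" lines of check-update output read from stdin.
# yum wraps long names onto two lines, and the "Obsoleting Packages" section
# repeats packages already listed, so it is skipped to avoid double counting.
count_pending() {
    awk '/^Obsoleting Packages/ { exit }
         NF == 3 && $1 ~ /\.[a-z0-9_]+$/ && $2 ~ /[0-9]/ { n++; next }
         NF == 1 && $1 ~ /\.[a-z0-9_]+$/ { wrapped = 1; next }
         wrapped && NF == 2 { n++ }
         { wrapped = 0 }
         END { print n + 0 }'
}
# Run the live check; mail only when something is pending or the check failed.
nag_if_needed() {
    out="$(yum -q check-update --security 2>&1)"; rc=$?
    state="$(describe_status "$rc")"
    [ "$state" = "up-to-date" ] && return 0
    n="$(printf '%s\n' "$out" | count_pending)"
    printf 'Host: %s\nState: %s\nPending: %s\n\n%s\n' "$(hostname)" "$state" "$n" "$out" |
        mail -s "[$(hostname)] $n pending security update(s): $state" "$ADMIN_MAIL"
}
# Constructed sample of yum output (not captured from a real host) for offline testing.
sample_output() {
    cat <<'EOF'
Loaded plugins: fastestmirror, security
openssl.x86_64                    1.0.1e-57.el6            updates
very-long-package-name-that-yum-wraps.noarch
                                  1.2.3-4.el6              updates
Obsoleting Packages
foo.x86_64                        2.0-1.el6                updates
EOF
}
# Only contact yum when invoked with --run (as cron does); otherwise just define functions.
case "${1:-}" in --run) nag_if_needed ;; esac
```

Pair it with voretaq7's quarterly window: the mail tells you something is pending, the test VM tells you whether it is safe to apply.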