?

Log in

No account? Create an account
entries friends calendar profile my webpage Previous Previous Next Next
The time has come... - Tina Marie's Ramblings
Red hair and black leather, my favorite colour scheme...
skywhisperer
skywhisperer
The time has come...
...to upgrade my server. It's getting harder and harder to maintain current software on a RedHat 7.3 kernel. The latest problem is that I need a newer glibc to update mySQL, and I can't update glibc without a new kernel. And gcc simply won't compile anything later then the latest 3.x release. I suspect I'm going to run into more and more of these problems as time goes on.

So - it's time for a major upgrade.

Despite the wide availability of cheaper hosting, I'm going to stay with http://www.ev1servers.net. I've never been off the 'net for more then 5 minutes in the last 3 years, their backup power never flickered even through hurricanes, and their tech support totally rules.

The new box will have RHEL 4 on it. I'm constantly amazed by how little I knew about running a server when I set this one up, and I'm going to make a lot of changes in the way users work. The box now has a /www directory that contains all the web content, requiring me to manage countless pointless user accounts. The new setup will have a www in the home directory for every user, and their domains will be subdirectories off that, allowing me to give one username and password for ftp and shell access to all their domains. I'm seriously thinking about a database-based solution (Cyrus) for my POP3 users who don't need shell access, making maintenance of the virtusertable less hassle. I'd like to continue my trend of moving more data into mySQL and out of text configuration files. And I'm going to try INN, since I've got some users who want remote access, and leafnode won't do NNTP authentication.

The plan is to order the new server, set it up, then move one set of domains at a time. I figure 2-3 weeks for setup, then I can start moving people.

It's going to be an interesting month.

Tags:
Current Mood: hopeful hopeful

4 comments or Leave a comment
Comments
alioth1 From: alioth1 Date: February 2nd, 2006 06:58 pm (UTC) (Link)
Some advice from one with bitter experience (although my move was from RH 7.1 to Debian, but I use CentOS 4 at work, which is basically self-supported RHEL 4 - it's built from exactly the same source)...

1. Learn about SElinux now. It is probably turned on by default for your server. You need to know a little bit about SElinux if you want Apache to be able to look in people's home directories at all because that's disabled by default so you'll find your current plans foiled without being able to grok SElinux. SElinux is complex and powerful, and if it's on, don't turn it off - it may save you from getting pwned by Romanian phishers (especially if any of your users run things like phpbb or other random 3rd party scripts). But you need to know a bit about making SElinux policies, what ls -Z does, chcon and all that sort of jazz.

2. Turn on your iptables rules before you actually make it live, therefore when you lock yourself out of your own box, you don't take anyone else out at the same time :-) You've probably figured that one already from bitter experience!

3. Dump sendmail, replace it with Postfix. I know you've gone through a lot of pain with sendmail, but going from zero experience with Postfix, I had Postfix + ClamAV + SpamAssassin + Cyrus IMAP working pretty damned quickly. In fact, most of my time was spent configuring Cyrus. (The only fly in the ointment is I needed a 3rd party - i.e not in DAG or RHEL - 'spamdeliver' program to do server-wide spam assassination. You won't need to bother with this if you have your users deal with spam themselves since they can just use procmail or whatever). It's also easy to set up things like backup MXs and virtual hosts with Postfix, although I've not yet needed to do the latter with Postfix. Since you're starting with a clean sheet, now is a great time to dump that hideous festering wart that is Sendmail.

4. Get the DAG repository added to your yum.repos.d (actually, I'm not sure if RHEL uses yum like CentOS - if not, look at the DAG page and see how it's added for RHEL4 proper). DAG contains a lot of useful stuff that's simply missing from RHEL and it's good quality, and it saves messing around trying to maintain stuff built from source. DAG is good quality too.
In particular DAG has things like ClamAV which RHEL lacks.

http://dag.wieers.com/home-made/apt/

I know the URL includes the words 'home-made' but the DAG repository is top quality. I've had no problems with it whatsoever either for Fedora Core or RHEL (I only use ClamAV from DAG for our servers, but I use it extensively for desktop machines because it contains things like MP3 and AAC support and other things I like to use on a desktop).
You can configure yum to only use DAG for certain packages if you want to make sure you only ever pull RHEL packages for things you don't specifically want from DAG.

5. Consider ThePlanet. I'm not sure what deals they have at the moment, but I've been using them for about a year now and I've had excellent reliability and connectivity, and twice as much memory and disk for the same price as ev1servers - and it comes without the taint of doing business with SCO. Also, you get access to a decent news feed included (or at least I did).
On the other hand - if you're getting your own proper feed (i.e. not using 'suck', i.e. INN pretending to be a Usenet reader) can you tell me where you're getting it from? I'd love to get a (text groups only) feed and run INN.
skywhisperer From: skywhisperer Date: February 2nd, 2006 10:01 pm (UTC) (Link)
1. Learn about SElinux now.

On order: http://www.amazon.com/gp/product/0596007167/sr=1-1/qid=1138916150/ref=pd_bbs_1/104-2414165-3348751?%5Fencoding=UTF8

I didn't realize it would be on by default, but I was going to look into adding it anway.

2. Turn on your iptables rules before you actually make it live...

Been there, done that, reinstalled the OS. :) One of the things I couldn't do with the old OS was deal with the SSH port intelligently. I get hundreds of password-guessing attacks a day - I want to be able to let, say, 3 attempts, then disable that IP address for an hour, then 5 more and it goes off for a day. The old kernel didn't support that.

3. Dump sendmail, replace it with Postfix.

I promise I'll look at it. :) Cyrus looks scary - I might have to bug you a bit when I tackle that.

I expect I'm going to end up with a perl 'provisionUser' script, that creates everything I need, and I'll just have to work cyrus into that instead of unix mailboxes. My goal with cyrus was to eliminate the need for unix users for POP3/IMAP only accounts, but I've never tried Kerberos before. I'm going to need to give them SMTP access too, and since both use the SASL library, I'm hoping to make it all work. Also ordered:
http://www.amazon.com/gp/product/059600012X/sr=1-1/qid=1138916807/ref=pd_bbs_1/104-2414165-3348751?%5Fencoding=UTF8
I'm hoping it's not too out-of-date.

4. Get the DAG repository added to your yum.repos.d

Definately. It'll be so nice to be able to keep stuff updated without all the hassle I've been going through lately.

5. Consider ThePlanet

I've already got the new box at ev1. I ordered it last night.

I'm not getting a feed yet - I was just going to do the suck thing to start with, since I've been doing it with leafnode for years. Looking into a real feed is down the road a ways, but I believe I can get one from Internet America (where I get my DSL).







alioth1 From: alioth1 Date: February 4th, 2006 03:12 pm (UTC) (Link)
I've not used Kerberos yet (although on a related authentication note, I have set up LDAP for authentication, of the OpenLDAP kind not the Microsoft embrace and extend InactiveDirectory kind). I've written some Perl programs which use LDAP to authenticate users logging on to a web based system and the like - it's not terribly difficult with the right Perl modules (which I think come as default).
alioth1 From: alioth1 Date: February 2nd, 2006 07:01 pm (UTC) (Link)
Oh yes, use egress filtering in your firewall rules so if a hacker/spammer/phisher gets in, they cannot wget their nasty script to do the spamming. (Does iptables have the ability to filter by user? If so use that for users who must be able to get out, but block everything owned by user httpd).
4 comments or Leave a comment