I don’t really have time for this, but I need to get to know Red Hat Enterprise Linux a little since the machine that will eventually be our new server is running on it. In recent years I’ve gotten pretty comfortable with Debian, which is great for servers IMO - its racy teen offspring Ubuntu might be getting all the attention lately on the desktop, but Debian is a solid workhorse with a sensible stability / security policy and lots of really sensible and useful tools.
Of course, at their heart all Linux distros are mostly the same, but there are differences in the organisation and package choices so it’s important for me to naturalise myself. I really want to make sure I’m doing things the ‘RHEL way’ as much as possible, both for support purposes and because I don’t administer servers for a living so following recommended practice is much more reliable. Luckily Red Hat has a lot of very good documentation on their site, which scores them a good few points.
My first task is to make sure the core services are as secure as possible. The server had only been up for a couple of days, with no DNS pointing at it yet, and it had still had a slew of SSH brute-force hack attempts on it, according to the security log. No penetrations, but I know from experience that just moving the port that SSH listens on gets rid of the vast majority of these IP-range-scanning bots’ attempts.
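To put numbers on what the security log shows, the following added example (not part of the original post) tallies failed sshd password attempts per source address from text in the format sshd writes to `/var/log/secure`. The sample lines are constructed, and the function names and thresholds are assumptions chosen for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the syslog format sshd writes to /var/log/secure.
# Addresses come from documentation ranges; hostname and PIDs are made up.
SAMPLE_LOG = """\
Mar  3 02:14:07 server sshd[4101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar  3 02:14:09 server sshd[4103]: Failed password for invalid user admin from 203.0.113.7 port 40120 ssh2
Mar  3 02:14:12 server sshd[4105]: Failed password for illegal user test from ::ffff:203.0.113.7 port 40133 ssh2
Mar  3 02:20:41 server sshd[4150]: Failed password for root from 198.51.100.23 port 51822 ssh2
Mar  3 08:02:55 server sshd[4921]: Accepted password for alice from 192.0.2.15 port 50022 ssh2
Mar  3 08:03:10 server sshd[4930]: Failed password for alice from 192.0.2.15 port 50031 ssh2
"""

# Older OpenSSH releases log "illegal user", newer ones "invalid user";
# some builds also prefix IPv4 sources with "::ffff:".
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:invalid|illegal) user )?(?P<user>\S+) "
    r"from (?:::ffff:)?(?P<ip>\S+) port \d+"
)

def summarise_failures(log_text):
    """Return ({ip: failure_count}, {ip: set_of_usernames_tried})."""
    counts = Counter()
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            counts[m.group("ip")] += 1
            users[m.group("ip")].add(m.group("user"))
    return counts, users

def likely_scanners(log_text, min_failures=3, min_users=2):
    """Sources with repeated failures spread over several usernames
    (thresholds are illustrative assumptions, not a standard)."""
    counts, users = summarise_failures(log_text)
    return sorted(ip for ip, n in counts.items()
                  if n >= min_failures and len(users[ip]) >= min_users)

if __name__ == "__main__":
    counts, users = summarise_failures(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{ip:15} {n:3} failures, users tried: {sorted(users[ip])}")
    print("likely scanners:", likely_scanners(SAMPLE_LOG))
```

Running the same tally over the log before and after changing the listening port gives a direct measure of how much of the scanning traffic the move removes.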
Then of course there’s the web server. Debian comes with a lovely tool called ‘makejail’ which we used to create a chroot jail for Apache, which adds a little to the security. RHEL doesn’t come with a jail tool, and after talking to support they told me that RHEL’s version of Apache wouldn’t cope with it, and that I’d have to build it from source. That raised some warning flags - not because I can’t build from source (I ran Gentoo a few years back where that’s the only option), but that it suggests this isn’t the usual option. A bit more reading led me to the fact that RHEL comes with SELinux, together with an Apache profile, which seems like a better option than chroot anyway. More investigation needed, I have a support call open through which I’m getting some configuration help.
I’m not that keen on up2date (the package retrieval tool in RHEL) but then I’ve been spoiled by apt/wajig on Debian. I know I could use apt or yum on Red Hat too but again, I’m trying to stay ‘RHEL standard’ as much as I can. Not only is up2date less friendly, it seems less powerful too. And, as of this morning, trying to run up2date segfaults! This is despite not having used it for anything other than queries so far and not customising anything yet. Not impressive. I have a support call out on that now too.
I can’t spend any more time on this right now; coding duties beckon. But suggestions from other RHEL users are welcome.