
Should I use Fedora as a web server?


barryfreed
6th August 2004, 02:48 PM
Hi.
We're thinking about moving from having our sites hosted somewhere else to doing it in house. We've been using Fedora for our intranet and have had no problem with it at all. But since we're a law firm and have some sensitive information on our sites, I have to do some research on security before moving to hosting it ourselves.
So, my question for all of you:
Are there any reasons to stay away from using Fedora as the OS for our web server? Any big issues that are attributable to Fedora (rather than Apache, etc)?
I thank you for your help in advance.

-nb

Quella
6th August 2004, 03:04 PM
The question I would have is what is the server currently hosted on? Win/Solaris/AIX/Linux, etc? If it is currently on Linux, I would say that Fedora would also work for you. I would have someone do a security check of the system before putting it online, and make sure you keep the box updated with patches. I feel that it would be a great platform as long as you configure it correctly (like any OS).

Quella

Rolled_Gold
6th August 2004, 03:18 PM

It should be as secure as any other linux distro as long as you keep it patched.

Of course anonymous opinions are relatively worthless. Go with something you know you can secure.

barryfreed
6th August 2004, 03:26 PM
It should be as secure as any other linux distro as long as you keep it patched.

Of course anonymous opinions are relatively worthless. Go with something you know you can secure.

Well, maybe anonymous opinions are usually worthless, but not in this case.....we've used and trusted Fedora for internal use and it's been great. But it's an entirely different story to use it on something exposed to the outside world. So opinions from people that have been using it are very valuable to me at this point. I just have to do my due diligence before firing up a Fedora server to host our sites.....
It's mainly an issue of bringing the server in-house I suppose. Right now it's easy...if the sites go down, or if there's a security issue, I can just say "Nope. Isn't my fault. It's those guys over there." But if I'm running it myself, it's my fault if everything crashes and our home page is replaced with lawyer jokes.

Anyway, long winded response and thank you for your opinions.

Rolled_Gold
6th August 2004, 04:20 PM
I've been running FC1 and FC2 "exposed" (behind a pix) for some time. Fedora does a great job of making patching systems easy. I think Yum was mentioned above and that is the key (too bad it's not turned on by default). If you keep the server patched and use IPTables to secure the system you "should" only be exposed to problems with applications the webserver is running.

If you're worried about your system you can use nmap and nessus on the box from inside and outside your network to determine your exposures.
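
Added example (not part of any post in this thread): one way to act on the inside/outside scan suggestion above is to compare nmap's grepable (`-oG`) output from both vantage points and flag what the firewall lets through. The sample scan lines, the address 192.0.2.10 and the allowed-port policy are constructed assumptions.

```python
# Constructed sample data in nmap's grepable (-oG) format; the address is a
# documentation placeholder, not the result of a real scan.
INSIDE_SCAN = (
    "Host: 192.0.2.10 (www.example.test)\tPorts: 22/open/tcp//ssh///, "
    "80/open/tcp//http///, 443/open/tcp//https///, 3306/open/tcp//mysql///\n"
)
OUTSIDE_SCAN = (
    "Host: 192.0.2.10 (www.example.test)\tPorts: 22/filtered/tcp//ssh///, "
    "80/open/tcp//http///, 443/open/tcp//https///, 3306/open/tcp//mysql///\n"
)

# Assumed policy: a public web server should answer only on these TCP ports.
ALLOWED_PUBLIC = {80, 443}


def open_ports(grepable_text):
    """Return {host: set of open TCP ports} parsed from nmap -oG output."""
    result = {}
    for line in grepable_text.splitlines():
        # Only "Host: ... Ports: ..." lines carry per-port state.
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            # Each entry is port/state/protocol/owner/service/rpc/version/
            fields = entry.strip().split("/")
            if len(fields) >= 3 and fields[1] == "open" and fields[2] == "tcp":
                result.setdefault(host, set()).add(int(fields[0]))
    return result


def exposure_report(inside_text, outside_text, allowed):
    """Per host: ports open externally but not allowed, and ports the
    firewall hides (open from inside, not open from outside)."""
    inside = open_ports(inside_text)
    outside = open_ports(outside_text)
    report = {}
    for host in sorted(set(inside) | set(outside)):
        ext = outside.get(host, set())
        internal = inside.get(host, set())
        report[host] = {
            "unexpected_external": sorted(ext - allowed),
            "firewalled": sorted(internal - ext),
        }
    return report


if __name__ == "__main__":
    print(exposure_report(INSIDE_SCAN, OUTSIDE_SCAN, ALLOWED_PUBLIC))
```

In the constructed data the firewall hides SSH from outside, but the database port is still reachable externally, which is the kind of gap the two-sided scan is meant to surface.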

crackers
7th August 2004, 04:46 AM
One other opinion - if you are engaged in a commercial operation, you would be better off with a commercial version of Linux, instead of a more-or-less bleeding-edge/hobbyist distribution. Sure, support costs money, but it can (will!) end up saving your posterior when problems crop up. And they will...

ewdi
7th August 2004, 04:51 AM
btw fedoraforum.org is on fedora :)

rkl
7th August 2004, 11:39 AM
One other opinion - if you are engaged in a commercial operation, you would be better off with a commercial version of Linux, instead of a more-or-less bleeding-edge/hobbyist distribution. Sure, support costs money, but it can (will!) end up saving your posterior when problems crop up. And they will...

And what sort of problems would those be that couldn't be fixed by a clueful admin (either on their own initiative or by Googling for the problem or looking on Redhat's Bugzilla, the latter of which is probably what your expensive "support" would do anyway!)? As I've said elsewhere, consider hardware support first and then, if your budget can stretch to it, look at a commercially supported Linux.

Heck, I had a problem with an FC2 server crashing once a week almost like clockwork, but it didn't take me long to realise that I'd power cycled it without a proper shutdown a few weeks earlier and left behind some bad inodes, which the full backups were hitting on a regular basis. Fix was straightforward - force a full fsck on an unclean shutdown (and do a full fsck there and then to fix it). Someone less competent might have gone crying to Red Hat for a fix, which might not have been so easy to find (remember that Linux doesn't log anything on a complete machine crash !).

My opinion is that part of a good system administrator's job should be the ability to fix most or all of the *software* problems that crop up without the need to talk to the distro vendor directly. Yes, if you have a buffoon for an admin or don't even employ one at all, then you'll certainly need commercial support. But remember that hardware support is paramount - if a motherboard, disk, power supply etc. dies, then no amount of leet Linux admin skills is going to save you.

ghaefb
7th August 2004, 12:01 PM
I had a problem with an FC2 server crashing once a week almost like clockwork, but it didn't take me long to realise that I'd power cycled it without a proper shutdown a few weeks earlier and left behind some bad inodes, which the full backups were hitting on a regular basis. Fix was straightforward - force a full fsck on an unclean shutdown (and do a full fsck there and then to fix it).

Really?
Cuz I had a few crashes also like once a week or two weeks.
Your solution (do a full fsck) might work.

I guess I'll wait and see.
Thanks

crackers
8th August 2004, 05:30 AM
And what sort of problems would those be that couldn't be fixed by a clueful admin (either on their own initiative or by Googling for the problem or looking on Redhat's Bugzilla, the latter of which is probably what your expensive "support" would do anyway!)? As I've said elsewhere, consider hardware support first and then, if your budget can stretch to it, look at a commercially supported Linux.
I don't disagree with you - but I work with some extremely high-volume, "enterprise" systems (not admin, thank ghu!) and have picked up a lot of paranoia from the IT guys, as well as some insights into what insurance, liability, and not to mention financial backers kind of insist upon. Heck, the VCs almost had a coronary :eek: when they were told we were putting some Linux-based servers into the mix - until they were told it was RHAS.

GreyGeek
16th August 2004, 06:53 PM
One other opinion - if you are engaged in a commercial operation, you would be better off with a commercial version of Linux, instead of a more-or-less bleeding-edge/hobbyist distribution. Sure, support costs money, but it can (will!) end up saving your posterior when problems crop up. And they will...

I installed RHEL3 several months ago. Since then, two support tickets have been submitted. The replies to both consisted of recommendations to read info on websites already researched while looking for a solution to the problems. I've also recently installed FC2 on a different box. To be frank, except for small variations in menu structure, and higher versions of the kernel, KDE and some apps, FC2 seems about as good as RHEL3 and is a lot less expensive, since I can do my own googling.

One problem I've encountered with FC2 is that after mounting a remote NFS export (from a SUSE 9.0 box set up as an NFS server) umounting hangs (resource is busy) and kill won't release the NFS mount. Shutdown also hangs trying to unload the NFS share, resulting in the necessity to reset. I've traced it to the quota daemon hanging, but haven't had time to check farther. I satisfied my needs by using ssh and scp.

The NFS umount problem revealed a second problem. I run SUSE 9.0 as my desktop distro (returning after a one year stint with MDK8-MDK10) and have been fond of ReiserFS since SUSE 6.3. If a box abends ReiserFS has never failed (for me, on several different boxes) to automatically restore the fs in seconds without problems. Ext3 on RHEL3/FC2 is my first experience with that journaling system. After an abend FC2 puts up an ext2-like prompt giving me 5 seconds to type 'Y' if I want to fsck. What gives with that? Isn't Ext3, a journaling system, supposed to recover cleanly without having to do an fsck by prompting for operator input? Who would want to boot into an uncleanly dismounted fs and run it, unless recovery was impossible and salvaging was the only option remaining?

The RHEL3 problems? The versions of tar and cpio that come with RHEL3 create backup files that are limited to 2GB. BRU-Linux_17.x didn't work on RHEL3 (the second problem) if you are not going to use tapes as the storage medium. I am going to check out Bacula. Other than those, which aren't really RHEL3 problems, RHEL3 is, IMO, an excellent server, and/or desktop. Were it not for the odd menu structure and the absence of ReiserFS as a fs option, I would have switched to FC2 for my personal desktop. I could learn to adjust to the odd menu, but I won't adjust to Ext3.

BTW, probing our RHEL3 web server (Internet exposed for employees, but not for public access) with tools from several security web sites revealed that our RHEL3 was 100% stealth. I prefer to use it to browse the web, instead of my Win2K box, because it is considerably more secure.
-----------
GreyGeek

crackers
17th August 2004, 03:19 AM
I installed RHEL3 several months ago. Since then, two support tickets have been submitted.
Please note that I mentioned other items, like liability insurance, VCs, etc. Support isn't necessarily all that buying a commercially-backed version gets you. When you're playing with high-stakes systems, there's a lot more to be taken into account than just plain ol' support...

jeru
17th August 2004, 03:58 AM
I have not had any problems with FC2.... But the bleeding nature of its builds results in a security pitfall to many in their respective opinions. You probably will not have any problems other than maybe staying on top of the nose bleed release schedule and uncertainty of new releases. But if stuff like this truly keeps you up at night and you aren't going to pay for corp support to blame somebody else if something goes wrong (eg SLES RHEL), go Debian stable/woody.....

GreyGeek
19th October 2004, 06:55 PM
Heck, the VCs almost had a coronary when they were told we were putting some Linux-based servers into the mix - until they were told it was RHAS.

As long as it's "Other People's Money" (VC's) RHELn is fine, even if you never use the paid support because you rely on better and more timely answers from other sources. We're only talking about one or two servers anyway. Most folks who use Linux servers aren't funded by VC's and most won't have data insurance because they'll rely on backups.

Having been involved in a startup myself, most of the VC's I've met were a mile wide and 1 inch deep. Most get their 'knowledge' from adverts and white papers, and those are supplied by the folks with the biggest PR budget, some of which aren't known for stable or secure software, but are well known for FUD and spin. ;)

It wouldn't bother me in the least to put SUSE 9.0, FC2, Debian, and several other Linux distros into mission critical situations. I'd certainly use them BEFORE I'd ever trust any version of a more commonly used OS. I'd bet the crew of the US YorkTown or the passengers on the flights heading into Southern California about a month ago would agree with me on that! :) The YorkTown had FOUR NT servers fall over like dominoes leaving the ship without defensive fire control or rudder control. They had to be towed into port. Now, I've read, WinXX is the primary OS on most Navy battleships. Scary.

seena
7th June 2008, 10:53 AM
how to configure webserver(www) in fc8

Wayne
7th June 2008, 10:56 AM
Thread closed. This thread is four years old, for crying out loud! Start a new one if you have to!

Wayne