Advice on application web server setup..

Hi,

I have a server setup with a couple of hand configured websites that run our company website and some web based apps for use by staff and customers..

In order to make it easier to manage I was thinking about setting up a new server with a control panel like Virtualmin or Kloxo.. I have briefly played with both and it seems that Kloxo is best suited to a VPS because it's so light on resources..

The issue with both is that they are designed to have hosting plans and clients and resellers etc.. etc.. You know all the things that you would need if providing web hosting services.. So seem a little busy and complicated for my needs but would obviously work..

One of the reasons for looking at it is I want to have a more secure system.. For example I want to set up the sites with SSL.. Control panels would obviously make this much easier and all the settings for everything (not only SSL) would have been defined by people more proficient than I am so in theory it would make the whole system more secure..

Would you agree with my logic?

Is a control panel based system likely to be a better and more secure setup than I would create by hand mostly following the Linode Library howto's??

TIA

14 Replies

@wipeout:

Would you agree with my logic?

No, because you said you only have "a couple of websites".

Control panels are useful when you have dozens of websites belonging to several customers on the same server, and when you're constantly adding or removing customers and their sites. Almost all commercial and free control panels, from cPanel to Kloxo to Virtualmin to ISPConfig, are designed for this scenario.

When you're running just a couple of sites, it's usually much easier to grab some StackScripts or follow a tutorial in the Linode Library. Modern Linux distributions such as Ubuntu make it very easy to deploy web sites. Enabling SSL and other "intermediate-level" tasks are also as simple as copying and pasting a few lines of code from the Linode Library. These tutorials were written by pros, and other pros have confirmed that they work. Besides, if you can follow a tutorial on a control panel vendor's website to install the control panel in the first place, you can just as easily follow a tutorial in the Linode Library.

Control panels might also introduce security weaknesses. Most control panels are accessible over the web, and they need to run with root privileges in order to modify the system. So any security bug in a control panel can have disastrous consequences. However, since most control panels operate separately from the operating system's built-in update procedure (such as "apt-get update"), it is not easy for a novice user to keep a control panel up to date unless the control panel knows how to update itself. Also, most control panels are accessed using passwords, which are inherently less secure than public key-based SSH logins.

Besides, how often do you plan to add new sites or make drastic changes to existing sites? You probably won't be touching anything for months, once the server has been set up. Any day-to-day changes to the websites themselves will normally take place over FTP or SSH/SFTP, which bypasses the control panel. So the control panel will just sit there, doing nothing, all the while consuming server resources and exposing a public login page that is only a password away from root access.

@wipeout:

…would have been defined by people more proficient than I am…

You owe me a new keyboard, and a HOWTO for securing my sinuses from tea intrusion.

It is very hard to make a general-purpose server control panel with the features customers demand and the security they ought to have. An example of this might be FTP: it should not be used unencrypted across an untrusted network (e.g. the Internet), but many control panels enable it nonetheless. Then there's the use of self-signed SSL certificates…

In other words, you're more proficient at understanding your needs and balancing them with common security practices than the control panel vendors are.

I have used virtualmin more than once, though. If you need a control panel (i.e. people who aren't you are going to want to add/remove sites/domains), it ain't too bad. There's also some interesting grey areas, like Aegir (for Drupal-based sites)… I find control panels that try to do less end up being much, much nicer to work with.

@hoopycat:

(…) control panels that try to do less (…)

And more, grep, cat, tail, vim, awk, xargs, …. oh, yes, I agree, that's my favorite control panel as well! :mrgreen:

@hoopycat:

You owe me a new keyboard, and a HOWTO for securing my sinuses from tea intrusion.

Not sure what you mean.. Should I? :)

@hoopycat:

…like Aegir (for Drupal-based sites)…

My sites do make use of Drupal so might look at this which I didn't know existed before your post.. :)

@hybinet:

No, because you said you only have "a couple of websites".

This is what's been playing on my mind as well.. I don't need to manage hundreds of sites in this setup.. Well not yet anyway, if the business became super successful to an extreme level this may change but I could address management of hundreds of sites then..

Is the answer perhaps to use webmin?

Still allows command line configuration and doesn't mess things up if config files are changed manually (apparently)..

Can be potentially stopped to save resources but seems to only use about 15-20MB memory..

Works with standard distro packages..

So while it's not a web hosting type control panel it's a good server admin panel which is maybe better suited to my needs..

The best control panel is bash.

@wipeout:

webmin

Webmin is just virtualmin without the user-friendly interface. It's lightweight and relatively easy to install (It even has a Debian/Ubuntu repository for easy updates), but it's not the easiest control panel to use, either. I played with Webmin about 3 years ago, and constantly found myself viewing Webmin in one window and the command line (bash shell) in another window to figure out why Webmin wasn't doing exactly what I told it to do. Then I just got rid of Webmin and switched to the bash shell full time.

Webmin doesn't help you secure your server, either. It listens on port 10000 by default (which every self-respecting hacker knows), and does not use SSL by default. It's not really helpful when it comes to locking down SSH access, which is by far the most important thing that you should do when setting up a Linode. Finally, no control panel will help you solve problems if and when they occur. Something that worked fine one day doesn't work the next day? Good luck fixing that in Webmin! If your server runs out of memory (a common problem with misconfigured Apache servers), Webmin will be dead, too.

As others and myself said in this thread, you don't need a control panel unless you have dozens of client sites. The fact that you might run a few more sites in the future is not a good reason to install a control panel now. Use StackScripts and/or the Linode Library. They will save you money, time, and headaches.

The most secure thing to use is ssh. If your users need access to something on your server, you can make users for them so they can ssh in, and use Linux's permission system to allow them access to only what they need. You can set up groups for different levels of access, and for access to different areas. You can set permissions for each group based on what they need. You can then add users to those groups so they have access to those areas. You can also set permissions on a per-user basis.

Of course, if you have too many customers who need ssh access, it can be a bit cumbersome to add all of them to your system and to make sure they're in the correct groups to access what they need, but as long as you pay attention to what you're doing, it's generally more secure than a control panel.

ssh would (could) replace ftp in addition to providing command line access. You can use scp and sftp, which are like regular cp and ftp, except they run through ssh. There are GUI programs for these on the "Big 3" (Windows, Mac, Linux), so if people don't want to type a command to upload files, they can drag and drop.

For Windows users who need ssh, you can point them to Putty, which can be run as a stand alone ssh/telnet client, and anybody who uses PortableApps can put Putty Portable on their flash drive/USB hard disk/whatever they use PortableApps on. ssh should already be built in to Mac OS X, and is standard to virtually all Linux distros (I have yet to see a Linux distro without ssh).
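The group-based access model described in the post above can be checked after the fact. The following is an added example, not part of the original posts: it audits a site directory for entries that are accessible to "other" or owned by the wrong group. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example. A shared site directory would typically be provisioned as
# root with something like (group name "webteam" is hypothetical):
#   groupadd webteam; usermod -aG webteam alice
#   chgrp -R webteam /srv/site; chmod 2770 /srv/site
#
# audit_site_dir DIR GROUP
# Prints one line per entry under DIR that breaks that model:
#   OTHER <path>   any read/write/execute bit is set for "other"
#   GROUP <path>   the entry belongs to a group other than GROUP
audit_site_dir() {
    dir=$1
    grp=$2
    find "$dir" \( -perm -004 -o -perm -002 -o -perm -001 \) -print |
        sed 's/^/OTHER /'
    find "$dir" ! -group "$grp" -print | sed 's/^/GROUP /'
}

# Constructed sample tree: one file is left world-readable by mistake.
demo_audit() {
    d=$(mktemp -d) || return 1
    # Files created below get the same group as this directory.
    grp=$(ls -ld "$d" | awk '{print $4}')
    mkdir "$d/site"
    chmod 750 "$d/site"
    : > "$d/site/index.php"
    chmod 640 "$d/site/index.php"
    : > "$d/site/settings.php"
    chmod 644 "$d/site/settings.php"      # the mistake the audit should catch
    audit_site_dir "$d/site" "$grp" | sed "s|$d/||"
    rm -rf "$d"
}

demo_audit
```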

I used webmin about 10-12 years ago and it worked pretty well back then.. I can't see that would have changed..

I agree that the bash shell is the most powerful admin tool but for a lot of things having a control panel is simply quicker and more efficient which is why I am looking for one.. Just haven't been happy with any of their setups really.. Although I "could" work around them I would prefer it my way but easier to manage and maintain..

Yes, Virtualmin is simply an addon to webmin and to be fair probably works the closest to how I like to structure my server but still not quite there.. So stripping off Virtualmin and having plain Webmin seems like the right way to go..

From a security perspective I never use FTP unless there is simply no alternative, I use SSH for just about all sensitive and administrative access.. The same would be said for webmin, I would not open port 10000 to the internet. A user would have to ssh in first with a port forward setup for port 10000 in order to access Webmin..

I just installed it on a test server and it does use SSL by default with a self signed cert, connections through http are shown a link to the https connection.. I would still use an ssh tunnel though..

Good thing about tunnelling is that you have a console window open anyway when doing any admin stuff which is always useful.. :)

Thanks for all the comments everyone.. Think this may very well be a workable solution for what I am after and it means I don't have to reinstall and move all my sites and apps because webmin should be able to fit right in with my existing config.. That's going to save a lot of time in itself..
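A way to verify the tunnel-only arrangement described in the post above, as an added example that is not part of the original posts: the function reads `ss -ltn` output and reports any listener on Webmin's port that is not bound to loopback. The function names and both sample outputs are constructed; `user@server` is a placeholder.

```shell
#!/bin/sh
# Added example. Reads `ss -ltn` output on stdin and prints every listener on
# the given port (default 10000, Webmin's default) not bound to loopback.
# Empty output means the panel is reachable only through an SSH tunnel, e.g.
#   ssh -L 10000:127.0.0.1:10000 user@server    # user@server: placeholder
webmin_exposed() {
    awk -v port="${1:-10000}" '
        $1 == "LISTEN" {
            addr = $4                          # "Local Address:Port" column
            n = split(addr, parts, ":")
            if (parts[n] != port) next         # some other service
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            sub(/%.*$/, "", host)              # drop an "%iface" suffix
            if (host ~ /^127\./ || host == "[::1]") next
            print addr                         # wildcard or public bind
        }'
}

# Constructed sample: Webmin listening on all interfaces (IPv4 and IPv6).
sample_exposed() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     0.0.0.0:10000       0.0.0.0:*
LISTEN  0       128     [::]:10000          [::]:*
EOF
}

# Constructed sample: Webmin bound to loopback only.
sample_tunnel_only() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     127.0.0.1:10000     0.0.0.0:*
EOF
}

echo "exposed sample:";     sample_exposed | webmin_exposed
echo "tunnel-only sample:"; sample_tunnel_only | webmin_exposed
# On a live server: ss -ltn | webmin_exposed
```

A wildcard bind that is blocked by a firewall is still reported, since the check looks only at the listening address; in that case the firewall rule is the only thing keeping the login page off the internet.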

I am convinced that it is best to use BASH as control panel for a couple of websites. Is it practical to use a web-based file manager? BTW, is there a web-based file manager alone that we can install in our Linode?

@hardwire:

BTW, is there a web-based file manager alone that we can install in our Linode?

  • Do you want to manage all the files in your server?

Before going that web based route, maybe you should try MC (Midnight Commander).

MC + ssh = instant win!

  • Do you want to play with your personal files?

Check out OwnCloud.

I have installed mc in my linode and it works great! Thank you for sharing it :)

Hi, is there a tool or console application with a text user interface like MC for managing Linux user/group policies?
