InfrastructureStatus Web>SiteSecurityAndPerformance (2011-05-13, FulvioGaleazzi)EditAttach

Dealing with site security and services performance

This page is meant as a means for sharing system administrators' experiences as to how to deal with most common site problems, in particular:

keeping the site safer against attacks from hackers
fixing or alleviating performance issues (like a server eating up a lot of memory, or some service replying very slowly)

Please edit the wiki and add your suggestions for making our VO a better and safer place to "live" in.

Dealing with site security and services performance
- Site security Tips
  - Limit the number of useless services running at boot
  - Limit SSH connectivity
- Services performance Tips
  - WMS on SL4

Site security Tips

Limit the number of useless services running at boot

Although rather obvious, I keep finding many sites which are running un-needed service. Having a service running will eat both memory and CPU time, and in some cases (like for httpd or sendmail) may represent a potential breach in your site. Hence, on my systems, I tipically, run the following soon after operating system installation:

/sbin/chkconfig acpid off
/sbin/chkconfig avahi-daemon off
/sbin/chkconfig bluetooth off
/sbin/chkconfig cpuspeed --level 12345 off
/sbin/chkconfig cups off
/sbin/chkconfig firstboot off
/sbin/chkconfig haldaemon off
/sbin/chkconfig hidd off
/sbin/chkconfig isdn off
/sbin/chkconfig mcstrans off
/sbin/chkconfig mdmonitor off
/sbin/chkconfig messagebus off
/sbin/chkconfig microcode_ctl off
/sbin/chkconfig pcmcia off
/sbin/chkconfig pcscd off
/sbin/chkconfig rpcidmapd off
/sbin/chkconfig sendmail off
/sbin/chkconfig setroubleshoot off
/sbin/chkconfig smartd off
/sbin/chkconfig xinetd off
/sbin/chkconfig yum off

Limit SSH connectivity

A simple way to make attacker's life a bit more difficult is to limit the domain allowed to connect to your machines. I will show an example where I limit SSH connectivity, but you can add other services as well:

restrict access, editing /etc/hosts.deny

   [root@myserver ~]# cat /etc/hosts.deny 
   sshd:ALL

allow access from specific domains. What is shown below is just an example. For a UI the file may contain several lines, whereas for CE, SE, WN, siteBDII you may want to limit access only to your local network(s):
```
   [root@myserver ~]# cat /etc/hosts.allow 
   sshd:.infn.it
   sshd:lxplus*.cern.ch
   # some other friend network
   sshd:192.168.0.
```

Services performance Tips

WMS on SL4

At GARR I am experiencing rather poor performance from my SL4-based WMS: to be precise, it is ScientificLinuxCERN 4.8. There seems to be some memory management problem. The machine recently got upgraded to 3 GB of RAM, but still after some time the memory is exhausted and the machine starts swapping to disk. I cannot believe this is "normal", since the machine deals with only about 200 jobs/day. Any help will be appreciated.

-- FulvioGaleazzi - 2011-05-13

Topic revision: r1 - 2011-05-13 - 12:25:20 - FulvioGaleazzi

InfrastructureStatus

Copyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback