Help me choose OS for django server


Chris Pagnutti

Oct 30, 2012, 3:50:30 PM
to django...@googlegroups.com
Hi.  I want to set up a production server for a django application.  constant.com offers Virtual Private Servers which should give me virtually full control over the server, allowing me to install django and all the stuff I need for my app to run properly.

First, is this a good idea?  Do you think I can do this securely using the django, apache, and lighttpd docs?  Or am I asking for trouble?  What are the major security issues I need to be aware of when administering a server?

Also, if I go this route, I'll need to choose an OS.  I'm running a production server (just Apache + mod_wsgi) using my Arch Linux box, but I don't think arch is the best idea.  I'm sorta trying to decide between CentOS and Ubuntu.  Leaning toward CentOS, but just a little worried it might be missing some of the packages I need.  I've never used CentOS before.  Any advice?

Nikolas Stevenson-Molnar

Oct 30, 2012, 4:08:15 PM
to django...@googlegroups.com

> First, is this a good idea? Do you think I can do this securely using
> the django, apache, and lighttpd docs? or am I asking for trouble?
> What are the major security issues I need to be aware of when
> administering a server?
This depends on your specific security requirements. If you're mainly
concerned with protecting your server and website from unwanted
tampering, then the important things are 1) only allow connections to
ports you're using (HTTP) and restrict access via SSH to your IP or a
local network; 2) make sure the software you're using is secure (the
ones you mention are good; though I think Apache is vulnerable to a type
of DDoS attack: http://en.wikipedia.org/wiki/Slowloris); 3) check your
own code; Django is good about security but that doesn't mean you can't
build an insecure application with it; 4) choose good passwords, etc.
and if you're particularly concerned, consider using keys for your SSH
connection.

> Also, if I go this route, I'll need to choose an OS. I'm running a
> production server (just Apache + mod_wsgi) using my Arch Linux box,
> but I don't think arch is the best idea. I'm sorta trying to decide
> between CentOS and Ubuntu. Leaning toward CentOS, but just a little
> worried it might be missing some of the packages I need. I've never
> used CentOS before. Any advice?
I've used both and haven't noticed much difference for the things I do.
I would recommend nginx in place of lighttpd (better maintained), and if
you're using either of those, Apache isn't necessary (though you will
need a WSGI server, such as Gunicorn).

_Nik

Some Developer

Oct 30, 2012, 4:42:07 PM
to django...@googlegroups.com
On 30/10/2012 19:50, Chris Pagnutti wrote:
> First, is this a good idea? Do you think I can do this securely using
> the django, apache, and lighttpd docs? or am I asking for trouble?
> What are the major security issues I need to be aware of when
> administering a server?

Configure a firewall to block all incoming ports except for port 80,
443, and 22 (some suggest changing the port that SSH listens on but it
has no real security value, a simple port scan by an attacker will
reveal which port it is listening on so don't bother).

Disable root login via SSH.

Disable password logins via SSH.

Rate limit port 22.

Only allow one user (not root) access to the server via SSH.

Use SSH keys for authentication.

Make sure you always have the most recent security updates installed.

Make sure that the database server is not publicly accessible (if you
want to access your database server from your home computer connect to
it via an SSH tunnel).

Just a few simple steps to take when securing a server.
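The SSH and firewall checklist in the last two replies, turned into something you can run. This is an added example, not code from any poster: it audits an sshd_config the way sshd itself reads the file (first occurrence of a directive wins, anything below a Match line is conditional) and renders the iptables ruleset with the SSH rate limit. The admin address 203.0.113.5/32, the deploy account and the file paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the SSH
# items above, the way sshd itself reads the file, and render the matching
# iptables ruleset. It only reads and writes text, so it runs unprivileged.
# The admin CIDR, the "deploy" account and all file paths are assumptions.
set -u

# sshd honours the FIRST occurrence of a directive and applies anything
# below a "Match" line conditionally, so the effective global value is the
# first match above the first "Match". "Key value" form is assumed.
sshd_effective() {
    _k=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$_k" '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")
            print
            exit
        }
    ' "$1"
}

# Prints one FAIL line per deviation and returns 1 if there were any.
# ChallengeResponseAuthentication is included because with PAM enabled a
# keyboard-interactive prompt still accepts passwords even when
# PasswordAuthentication is off (newer OpenSSH: KbdInteractiveAuthentication).
audit_sshd_config() {
    cfg=$1
    rc=0
    for pair in PermitRootLogin=no PasswordAuthentication=no \
                PubkeyAuthentication=yes ChallengeResponseAuthentication=no; do
        name=${pair%%=*}
        want=${pair#*=}
        have=$(sshd_effective "$cfg" "$name")
        if [ "$have" != "$want" ]; then
            printf 'FAIL %s: want %s, have %s\n' "$name" "$want" "${have:-(unset)}"
            rc=1
        fi
    done
    # "Only allow one user": AllowUsers must name exactly one account.
    set -- $(sshd_effective "$cfg" AllowUsers)
    if [ $# -ne 1 ]; then
        printf 'FAIL AllowUsers: want exactly one account, have %d\n' "$#"
        rc=1
    fi
    return "$rc"
}

# iptables-restore input: default-deny inbound, 80/443 open to everyone,
# SSH only from $1 and limited to 4 new connections per source per minute.
# Nothing opens the database port; it stays bound to 127.0.0.1 and is
# reached from home with: ssh -N -L 5432:127.0.0.1:5432 deploy@server
# Review the output, then: render_iptables 203.0.113.5/32 | iptables-restore
render_iptables() {
    admin=$1
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# the fifth new SSH connection from one source within 60 s is dropped
-A INPUT -p tcp --dport 22 -s $admin -m conntrack --ctstate NEW -m recent --set --name ssh
-A INPUT -p tcp --dport 22 -s $admin -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 5 --name ssh -j DROP
-A INPUT -p tcp --dport 22 -s $admin -j ACCEPT
COMMIT
EOF
}

# Demo on a constructed file (not a real server's config): the first
# PasswordAuthentication wins, so this still allows password logins.
demo=$(mktemp)
printf '%s\n' 'PasswordAuthentication yes' 'PermitRootLogin no' \
    'PasswordAuthentication no' 'AllowUsers deploy' > "$demo"
audit_sshd_config "$demo" || :
rm -f "$demo"
```

On the host itself, `sshd -T` dumps the effective configuration and is the authoritative check; the audit above is for files you are reviewing before they reach a server. Whatever you change, open a second SSH session and confirm key login works before closing the one you are editing in, or the firewall and the AllowUsers line will lock you out together.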

Trevor Joynson

Oct 30, 2012, 7:09:37 PM
to django...@googlegroups.com

I highly recommend fail2ban.

And definitely use SSH key only auth (PasswordAuthentication no).

I've had a box with a 32 char random password get brute forced. Took three years to do, but it happened.

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django...@googlegroups.com.
To unsubscribe from this group, send email to django-users...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-users?hl=en.

Fred Stluka

Oct 30, 2012, 7:38:14 PM
to django...@googlegroups.com
+1 for fail2ban

It's surprising that a 3-year attack eventually succeeded if you
had fail2ban installed, which should have blocked the attack after
just a couple tries.  Or had you not yet learned about fail2ban?
I got hacked once too, before I learned about fail2ban.  Never
since.

--Fred
Fred Stluka -- mailto:fr...@bristle.com -- http://bristle.com/~fred/
Bristle Software, Inc -- http://bristle.com -- Glad to be of service!
Open Source: Without walls and fences, we need no Windows or Gates.

John DeRosa

Oct 30, 2012, 7:44:32 PM
to django...@googlegroups.com
+2 for fail2ban.

I love reviewing fail2ban's email, and seeing the script kiddies continuing to try to login to root. Which is login-disabled on all our servers. Keep trying, kids...

John
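What fail2ban is doing behind the three recommendations above, as an added example (not fail2ban's code and not from any poster): a sliding-window count of sshd login failures per source over constructed auth.log lines, plus the jail.local that configures the real tool. The host name, the addresses, the log lines and the ISO timestamp format (rsyslog's high-precision format; classic "Oct 30 19:50:01" stamps would need a different parser) are all assumptions.

```shell
#!/bin/sh
# Added example (not fail2ban's code and not from any poster): the core of
# what fail2ban's sshd jail does, as one awk pass over auth.log lines, plus
# the jail.local that configures the real tool. The log lines, hosts and
# addresses are constructed; timestamps use rsyslog's ISO format.

# Constructed sample: a fast burst from 198.51.100.7, one typo from the
# admin at 203.0.113.5, and a slow guess every 20 minutes from 192.0.2.9.
sample_auth_log() {
    cat <<'EOF'
2012-10-30T19:50:01+00:00 vps sshd[2101]: Failed password for root from 198.51.100.7 port 5120 ssh2
2012-10-30T19:50:03+00:00 vps sshd[2102]: Failed password for root from 198.51.100.7 port 5121 ssh2
2012-10-30T19:50:05+00:00 vps sshd[2103]: Failed password for invalid user admin from 198.51.100.7 port 5122 ssh2
2012-10-30T19:50:09+00:00 vps sshd[2104]: Failed password for invalid user oracle from 198.51.100.7 port 5123 ssh2
2012-10-30T19:50:12+00:00 vps sshd[2105]: Failed password for invalid user test from 198.51.100.7 port 5124 ssh2
2012-10-30T19:51:00+00:00 vps sshd[2140]: Accepted publickey for deploy from 203.0.113.5 port 40122 ssh2
2012-10-30T19:55:00+00:00 vps sshd[2150]: Failed password for deploy from 203.0.113.5 port 40130 ssh2
2012-10-31T08:00:00+00:00 vps sshd[3001]: Failed password for root from 192.0.2.9 port 6000 ssh2
2012-10-31T08:20:00+00:00 vps sshd[3002]: Failed password for root from 192.0.2.9 port 6001 ssh2
2012-10-31T08:40:00+00:00 vps sshd[3003]: Failed password for root from 192.0.2.9 port 6002 ssh2
2012-10-31T09:00:00+00:00 vps sshd[3004]: Failed password for root from 192.0.2.9 port 6003 ssh2
2012-10-31T09:20:00+00:00 vps sshd[3005]: Failed password for root from 192.0.2.9 port 6004 ssh2
EOF
}

# ban_candidates LOG MAXRETRY FINDTIME: prints "IP count" for every source
# that reaches MAXRETRY failed logins inside a sliding FINDTIME-second
# window (fail2ban's option names). Only "Failed password for ... from IP"
# lines count; an "Accepted ..." line never does. Once a source is
# reported it is ignored, as a banned address would be.
ban_candidates() {
    awk -v maxretry="$2" -v findtime="$3" '
        # days since 1970-01-01 for a Gregorian date (exact, no mktime needed)
        function days(y, m, d,    yy, era, yoe, doy, doe) {
            yy = (m <= 2) ? y - 1 : y
            era = int(yy / 400)
            yoe = yy - era * 400
            doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
            doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
            return era * 146097 + doe - 719468
        }
        $0 !~ /sshd\[[0-9]+\]: Failed password for / { next }
        {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip == "" || (ip in banned)) next
            split(substr($1, 1, 19), p, "[-T:]")
            t = days(p[1] + 0, p[2] + 0, p[3] + 0) * 86400 + p[4] * 3600 + p[5] * 60 + p[6]
            n[ip]++
            ts[ip, n[ip]] = t
            if (!(ip in head)) head[ip] = 1
            # slide the window: forget failures older than FINDTIME seconds
            while (ts[ip, head[ip]] < t - findtime) head[ip]++
            if (n[ip] - head[ip] + 1 >= maxretry) {
                banned[ip] = 1
                print ip, n[ip] - head[ip] + 1
            }
        }
    ' "$1"
}

# jail.local for the real tool: ignoreip keeps the admin address ($1) out
# of the jail so a fat-fingered passphrase cannot lock you out. The jail
# is named [sshd] in current fail2ban releases.
render_jail_local() {
    cat <<EOF
[DEFAULT]
bantime  = 3600
findtime = 600
maxretry = 5
ignoreip = 127.0.0.1/8 $1

[sshd]
enabled = true
EOF
}

# Demo: with the 10-minute window the slow attacker is never reported;
# widen the window to a day and it is.
log=$(mktemp)
sample_auth_log > "$log"
echo "findtime=600:";   ban_candidates "$log" 5 600
echo "findtime=86400:"; ban_candidates "$log" 5 86400
rm -f "$log"
```

The second attacker in the sample, one guess every twenty minutes, never trips a 5-in-10-minutes rule, which is the kind of patient run that can go on for years: fail2ban raises the cost of fast brute forcing, but it is PasswordAuthentication no that actually ends the password-guessing game. Keep your own address in ignoreip; a few wrong passphrases from home should not ban the only host you administer from.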

Fred Stluka

Oct 30, 2012, 7:45:42 PM
to django...@googlegroups.com, Chris Pagnutti
Chris,

Yes, CentOS is a good choice.  You can find all of the packages you
need at the EPEL yum repo.

Some brief articles I've written about security tools I always use:
    http://bristle.com/Tips/Unix.htm#logwatch
    http://bristle.com/Tips/Unix.htm#fail2ban
    http://bristle.com/Tips/Unix.htm#tripwire

and 9 other security tips:
    http://bristle.com/Tips/Unix.htm#unix_security


--Fred
Fred Stluka -- mailto:fr...@bristle.com -- http://bristle.com/~fred/
Bristle Software, Inc -- http://bristle.com -- Glad to be of service!
Open Source: Without walls and fences, we need no Windows or Gates.


Chris Pagnutti

Oct 30, 2012, 9:04:35 PM
to django...@googlegroups.com
Hi all.  Thanks to everyone for their comments.  If Debian is available, I think I like that idea for the OS.

As for server security, I think I had the basics, but there are some great points in your replies.  

@Nik:
Just following the django docs, it recommends Apache+mod_wsgi for the django app, and either lighttpd or nginx to serve media.  I liked the idea of serving media separately because the app is heavy on video streaming.  Is your suggestion to serve both the app and media using nginx?  Is this more secure?  Better performance?  Can you please point me to some docs that explain how to set up nginx for django?  Will google it in the meantime.

Thanks a whole bunch.

Lachlan Musicman

Oct 30, 2012, 10:29:57 PM
to django...@googlegroups.com
On Wed, Oct 31, 2012 at 2:04 PM, Chris Pagnutti
<chris.p...@gmail.com> wrote:
>
> @Nik:
> Just following the django docs, it recommends Apache+mod_wsgi for the django
> app, and either lighttpd or nginx to serve media. I liked the idea of
> serving media separately because the app is heavy on video streaming. Is
> your suggestion to serve both the app and media using nginx? Is this more
> secure? Better performance? Can you please point me to some docs that
> explain how to set up nginx for django? Will google it in the meantime.

I presume there's a good reason for not using one of the video
streaming services out there (YouT, Vimeo, Blip, torrent into Miro via
rss feed)?

Note that I don't mean to suggest that you *don't* have a good reason
- but I've found that 9 times out of 10, there's no need to eat that
bandwidth cost yourself.

Cheers
L.

--
...we look at the present day through a rear-view mirror. This is
something Marshall McLuhan said back in the Sixties, when the world
was in the grip of authentic-seeming future narratives. He said, “We
look at the present through a rear-view mirror. We march backwards
into the future.”

http://www.warrenellis.com/?p=14314

Chris Pagnutti

Oct 30, 2012, 10:39:18 PM
to django...@googlegroups.com
Yeah.  Hosting the videos ourselves was one of the primary requirements for this project.


Waitman Gobble

Oct 31, 2012, 1:57:10 AM
to django...@googlegroups.com
Hi,

It's a great idea, why submit to the beast. There's an H.264 streaming module for Apache that works quite nicely, you might check it out. Also check to see if you qualify to pay patent royalties; I think under 10 minutes is *gratis*. But you could deliver in WebM format, it's a good *free* alternative; however, I find it tends to spangle the dark tones a bit, and it's a tad too weak in device/browser support.

I've used Red Hat / Fedora / RHEL / CentOS since the gay 90's so I'm obviously pro-CentOS. On a personal level I feel like I'm being forced to swim in jello with water wings while using Ubuntu, but it's cozy for many folks. I understand it's popular.

Waitman Gobble
San Jose California


Chris Pagnutti

Oct 31, 2012, 3:17:01 PM
to django...@googlegroups.com
Hi Waitman,

Do you mean that if I stream mp4 videos from my site, I have to pay someone royalties?  


Javier Guerra Giraldez

Oct 31, 2012, 3:41:42 PM
to django...@googlegroups.com
On Wed, Oct 31, 2012 at 2:17 PM, Chris Pagnutti
<chris.p...@gmail.com> wrote:
> Hi Waitman,
>
> Do you mean that if I stream mp4 videos from my site, I have to pay someone
> royalties?

Maybe, maybe not. The point is that H.264 is not free, not gratis,
not open. But there's a "free of charge" use-case as a gift from
MPEG-LA to most harmless users... Check first with a lawyer, as it's
far from obvious and could get you in deep trouble.

--
Javier

Christophe Pettus

Oct 31, 2012, 3:55:36 PM
to django...@googlegroups.com

On Oct 31, 2012, at 12:41 PM, Javier Guerra Giraldez wrote:

> maybe, maybe not. the point is that H.264 is not free, not gratis,
> not open.

If you are streaming H.264-encoded video free to end users, you don't have to pay fees, and will never have to:

http://www.mpegla.com/Lists/MPEG%20LA%20News%20List/Attachments/231/n-10-08-26.pdf

If you are charging end users, there are potentially fees, but they are quite modest:

http://www.mpegla.com/main/programs/AVC/Documents/AVC_TermsSummary.pdf
--
-- Christophe Pettus
x...@thebuild.com

Nikolas Stevenson-Molnar

Nov 1, 2012, 1:49:07 PM
to django...@googlegroups.com
Apache+mod_wsgi is one solution (the docs also mention several others). Their main point is that you shouldn't serve static content via Django. Ideally, you'd serve static content from another server entirely or via a CDN. If you are serving files + app on the same server, I think it's fine to use nginx for both since unlike the Apache+mod_wsgi setup, nginx isn't actually running the Django app, but simply acting as a proxy.

_Nik
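The arrangement the reply above describes, as an added example that is not from any poster or from the Django docs: nginx serves /static/ and /media/ straight off the disk and proxies everything else to Gunicorn over a Unix socket, so the process that runs Django never sees a static request. The domain, the /srv/app layout and the socket path are assumptions; STATIC_ROOT and MEDIA_ROOT in settings.py are assumed to be /srv/app/static and /srv/app/media.

```shell
#!/bin/sh
# Added example (not from any poster or the Django docs): the nginx site
# the reply above describes. nginx serves /static/ and /media/ itself and
# proxies everything else to Gunicorn on a Unix socket. Domain, the
# /srv/app layout and the socket path are assumptions; STATIC_ROOT and
# MEDIA_ROOT in settings.py are assumed to be /srv/app/static and
# /srv/app/media.
render_nginx_site() {
    domain=$1
    approot=$2
    sock=$3
    cat <<EOF
server {
    listen 80;
    server_name $domain;

    # Uploads go through Django; cap the request body so one client
    # cannot fill the disk.
    client_max_body_size 512m;

    # Static and media never reach Python: "root" maps /static/x to
    # $approot/static/x and nginx serves the file (or a 404) itself.
    location /static/ {
        root $approot;
        expires 7d;
    }
    location /media/ {
        root $approot;
        # ngx_http_mp4_module: players can seek with ?start= instead of
        # downloading the whole file (compiled into most distro builds)
        mp4;
    }

    # Refuse dotfiles (.git, .env, .htpasswd) wherever they end up.
    location ~ /\. {
        deny all;
    }

    # Everything else is the Django app. nginx only proxies; the app
    # runs in its own process under its own unprivileged user.
    location / {
        proxy_pass http://unix:$sock;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}
EOF
}

# Print the site for the assumed layout; redirect into
# /etc/nginx/sites-available/ (Debian) or /etc/nginx/conf.d/ (CentOS).
render_nginx_site example.com /srv/app /run/gunicorn.sock
```

Start the app with `gunicorn --bind unix:/run/gunicorn.sock myproject.wsgi` as its own unprivileged user, with the socket readable only by that user and the nginx worker. If TLS later terminates at nginx, Django learns the original scheme only from X-Forwarded-Proto, so set SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https') and make sure nothing but nginx can reach the socket: a client that talks to Gunicorn directly can forge that header.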

Chris Pagnutti

Nov 1, 2012, 3:06:54 PM
to django...@googlegroups.com
So by "another server entirely" you mean to actually subscribe to another hosting service (or a second account on my current service)?  I'm sure it's in the docs if I look, but how would I deal with media uploads that way?


Nikolas Stevenson-Molnar

Nov 1, 2012, 9:02:01 PM
to django...@googlegroups.com
Whatever gives you separate physical resources. The idea is to prevent your app and static content delivery from interfering (i.e., consuming CPU, memory, bandwidth) with each other. The cheapest and most effective way to accomplish this is using a CDN or something like Amazon's S3. For relatively light usage, it will only cost you a few dollars a month, and you don't need to worry about setting up and maintaining a separate server yourself.

_Nik
