Koozali.org: home of the SME Server

LAMP stack

Offline ReetP

LAMP stack
« on: July 18, 2018, 05:34:08 PM »
As we know, SME makes a great LAMP stack.

I use it as a web/mail server for several sites.

Clearly, if it is used purely as LAMP, there are a lot of services that are enabled by default that could be disabled.

I was thinking of compiling a basic list of services that should be enabled/disabled for a basic LAMP machine and sticking it on a wiki page.

e.g.
Disabled

smbd
nmbd

Enabled

httpd-admin
httpd-e-smith
php
mysqld
mysql.init

Any thoughts?

Here's a list from one server that I just use for my website. It runs php56 and a few other contribs and here are the services that it shows:

AWStats                        enabled       
DynDNS                         disabled       
acpid                          enabled       
backup                         disabled       
backupwk                       disabled       
bootstrap-console              enabled       
clamav                         enabled       
clamd                          enabled       
cpuspeed                       enabled       
crond                          enabled       
ctrlaltdel                     enabled       
denyhosts                      disabled       
dhcpd                          disabled       
dnscache                       enabled       
dnscache.forwarder             enabled       
dovecot                        enabled       
fail2ban                       enabled       
fetchmail                      disabled       
freshclam                      enabled       
ftp                            disabled       
haldaemon                      enabled       
horde                          enabled       
httpd-admin                    enabled       
httpd-e-smith                  enabled       
imap                           enabled       
imaps                          enabled       
imp                            enabled       
ippp                           disabled       
ipsec                          enabled       
irqbalance                     enabled       
isdn                           disabled       
klogd                          enabled       
ldap                           enabled       
ldap.init                      enabled       
letsencrypt                    enabled       
local                          enabled       
lpd                            enabled       
masq                           enabled       
messagebus                     enabled       
modPerl                        disabled       
modSSL                         enabled       
mysql.init                     enabled       
mysql55-mysql.init             enabled       
mysql55-mysqld                 enabled       
mysqld                         enabled       
network                        enabled       
nmbd                           enabled       
ntpd                           enabled       
nut                            disabled       
oidentd                        disabled       
pam_abl                        disabled       
pam_tally                      disabled       
php                            enabled       
phpmyadmin                     enabled       
pop3                           disabled       
pop3s                          disabled       
pppoe                          disabled       
pptpd                          disabled       
qmail                          enabled       
qpsmtpd                        enabled       
radiusd                        enabled       
raidmonitor                    enabled       
rsyslog                        enabled       
serial-console                 disabled       
smartd                         disabled       
smb                            enabled       
smbd                           enabled       
smolt                          enabled       
smtp-auth-proxy                disabled       
smtpd                          enabled       
spamassassin                   disabled       
spamd                          enabled       
sqpsmtpd                       enabled       
squid                          disabled       
sshd                           enabled       
ssmtpd                         enabled       
statusreport                   enabled       
tinydns                        enabled       
udev-post                      enabled       
wan                            enabled       
yum                            enabled       


For reference here is the code I used to produce that:

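Code:
#!/usr/bin/perl

use strict;
use warnings;
use esmith::ConfigDB;

# Open the SME Server configuration database
my $configDB = esmith::ConfigDB->open or die("can't open Config DB");

# Every key in the configuration database
my @keys = $configDB->keys;

foreach my $key (@keys) {

    # Skip entries that have no 'status' property
    my $status = $configDB->get_prop($key, 'status');

    if (defined $status) {
        printf("%-20s %-15s\n", $key, $status);
    }
}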


Any thoughts or suggestions appreciated.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline wires12

Re: LAMP stack
« Reply #1 on: July 26, 2018, 10:35:29 PM »
Quote
Any thoughts or suggestions appreciated.

Horses for courses...

If you want a web/email server to be directly connected to the Internet, Blue Onyx is a better choice. That is what it is designed to do. https://www.blueonyx.it/

It's a direct descendant of the (Sun) Cobalt RaQ server that used to run a fton of sites on the Internet.

Offline ReetP

Re: LAMP stack
« Reply #2 on: July 26, 2018, 11:20:15 PM »
Quote
Horses for courses...

True.

Quote
If you want a web/email server to be directly connected to the Internet, Blue Onyx is a better choice. That is what it is designed to do.

Yup, and SME was designed likewise. Hence server/gateway mode :-) True, it was not originally designed for VMs and cloud, but then what was 20+ years ago?

Personally I've used SME for around 20 years. I know it pretty well and it makes a decent 'secure out of the box' LAMP stack.

I've used it on real hardware of all shapes and forms, and now on VMs, in all sorts of scenarios, and it is still my distro of choice.

It is versatile, easy to configure, and pretty secure.

I wasn't looking for an alternative (I'm not interested in a long debate on what's hot or not), but thoughts on how it could be deployed as a simple LAMP stack without all the local file sharing/printing/et al for those who might be interested.

So really what services need to be running/disabled.

Offline ReetP

Re: LAMP stack
« Reply #3 on: August 30, 2018, 09:42:00 PM »
Couple of starters for 10 as a reminder to self really.

These are enabled by default and not required.

Code:
config setprop smb status disabled

Code:
config setprop nmbd status disabled

Code:
config setprop lpd status disabled

radiusd? I know it is used somewhere - I think for PPTPD connections?

Code:
config setprop radiusd status disabled

Enable:

Denyhosts

Code:
config setprop denyhosts status enabled

Spamassassin (I have only one account and the mail is forwarded elsewhere) so pretty well block all other mail.

Code:
config setprop spamassassin status enabled Sensitivity veryhigh

Smtp authentication - Allow SSMTP only

Code:
config setprop smtpd Authentication disabled

Queries.

IMAP Server access, Allow private and public (secure IMAPS)
Still runs IMAP on 143.

Surely there should be:

Allow private and public (IMAP + secure IMAPS)  (143 + 993)
Allow private and public (secure IMAPS)  (993 only)

That may be a bug.....

We could

Code:
config setprop imap status disabled

Any more?

Offline ReetP

Re: LAMP stack
« Reply #4 on: August 30, 2018, 10:00:24 PM »
config show masq

masq=service
    DenylogTarget=drop
    Logging=most
    Stealth=no
    Trace=disabled
    pptp=yes
    status=enabled

Probably disable pptp again

Code:
config setprop masq pptp disabled

Offline ReetP

Re: LAMP stack
« Reply #5 on: August 31, 2018, 12:06:30 AM »
I understand from JPP that IMAP runs on localhost for horde auth.

So don't disable it unless you don't want webmail.
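
Added example, not part of the thread or of SME Server itself: a shell script that checks a service listing, in the "name status" format printed by the Perl script in the first post, against the changes proposed in Reply #3, and honours the Reply #5 caveat that Horde webmail needs IMAP. The baseline list, the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Baseline taken from Reply #3 of the thread: service=wanted status.
BASELINE='smb=disabled
nmbd=disabled
lpd=disabled
radiusd=disabled
denyhosts=enabled
spamassassin=enabled'

# Constructed sample listing (not captured from a real server).
SAMPLE='denyhosts                      disabled
horde                          enabled
imap                           enabled
lpd                            enabled
nmbd                           enabled
radiusd                        enabled
smb                            disabled
spamassassin                   disabled'

# status_of NAME LISTING: print the status column for NAME, empty if absent.
status_of() {
    printf '%s\n' "$2" | awk -v svc="$1" '$1 == svc { print $2; exit }'
}

# drift LISTING: print one "config setprop" line per service whose status
# differs from the baseline. Services missing from the listing are skipped.
drift() {
    listing=$1
    printf '%s\n' "$BASELINE" | while IFS='=' read -r svc want; do
        have=$(status_of "$svc" "$listing")
        if [ -n "$have" ] && [ "$have" != "$want" ]; then
            echo "config setprop $svc status $want"
        fi
    done
}

# imap_safe_to_disable LISTING: succeed only when horde is not enabled,
# because horde authenticates against IMAP on localhost (Reply #5).
imap_safe_to_disable() {
    [ "$(status_of horde "$1")" != "enabled" ]
}

drift "$SAMPLE"
imap_safe_to_disable "$SAMPLE" || echo "# keep imap enabled: horde webmail depends on it"
```

The script only prints the commands it would suggest; nothing is changed until they are reviewed and run by hand.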