For me, setting the ServerName
property in httpd.conf
fixed the delays (they were up to 10 seconds at worst):
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
ServerName 127.0.0.1:80
These recommendations are off of the top of my head and not intended to be comprehensive.
Check out Bastille, it's a series of scripts that implements best practices in Linux.
Don't send authentication data over plaintext protocols. For example, disable FTP. If you send authentication data via Apache, use SSL.
Disable and remove any unnecessary software including the GUI interface.
Audit any files with the SUID bit set and remove. (This will severely limit non-root abilities. Understand the implications for each individual change.)
Audit public writable directories and remove the writable bit. (Leave /tmp alone.)
Avoid running any daemon as root.
Research all multi-user software that listens on sockets in detail for security best practices.
Avoiding adding users to the system is one of the best approaches. Multi-user systems require greater attention to detail.
Enforce password standards. For example: minimum 10 characters, non-alphanumeric characters, using letters and numbers. This is to make brute forcing more difficult in case of password file compromise. Enforce this via the system.
Lock out users after 5 failed authentication attempts with a minimum of 10 minute lockout. Maintain a password history so users can't use the past 5 passwords.
If you have a larger environment, using network segregation with multiple subnets to isolate risk is an absolute requirement. If a smaller environment, running a firewall on the local system to limit exposure is recommended. For example, only allowing SSH to your IP. tcpwrappers can be used too for an extra layer. (/etc/hosts.allow, /etc/hosts.deny)
And, of course, keeping all software up to date. Especially public facing daemons.
With SSH:
- Disable SSH protocol 1
- Only allow root authentication
without-password
(only keypair)
With Apache:
- Disable any modules that are not needed
- Disable .htaccess and public directories
- Disable FollowSymlink and any unnecessary options
- Do not install PHP if you don't need it.
With MySQL:
- Disable default users.
- Don't use wildcard hosts.
- Be sure to set unique host for every user.
- Don't listen on tcp unless necessary. (Unusually unavoidable.)
- Limit application user privileges as much as possible. (SELECT,INSERT,UPDATE,DELETE ideal for write and SELECT for read)
I'd recommend researching php.ini tuning for security specifically. It's riskier software by default.
Bastille
Best Answer
As long as your platform is a server platform and not workstation, it will work. (windows workstation platforms has limitation on the number of concurrent connections)
Linux is way more efficient, but if your site pass the load tests you expect on windows os... no reason to go to Linux. (besides price, stability, resouece consumptions... :-) )