[huskerlug] Re: CERT Advisory

Oops, change of topic....

I find it interesting that you use Solaris for MySQL.  I have found MySQL
to be unreliable on Solaris with a high load [we believe in fully using
our servers; if the load is below 1.0, then we could have bought a smaller
box (just kidding)].  After a year and a half trying to make it stable, we
finally moved to Redhat 9 on a new (that is new to us, another eBay
purchase) server.  The symptoms we were experiencing included data
corruption (MySQL cannot repair the data files), permanently locked tables
(read only access to certain tables even after reboot), and bad indexes
(cannot find records until indexes are rebuilt or deleted).

By the time we left Solaris, we were doing check, repair, optimize, and
analyze every night and sending mail if it could not be fixed or the
errors were more than fifteen.  Further, we were making hourly backups of
the entire database to a set of disk files.  I also spent countless hours
looking for slight optimizations to try to reduce the number and size of
queries on the server. (This probably led to a better product.)

We got tired of not trusting our server.

On the fair side, the Solaris box (and its failover) were both purchased
on eBay by my employer.  It is possible that they both had some sort of
hardware problem.  We could never find any.  It could also be a virtual
memory problem.  Sometimes the load would go up because we were running
programs in swap.  If you are running Linux and you swap out certain
portions of XFree86, switching to another virtual terminal and rebooting
the machine appears to be the only way to get X working again, even after
you free up memory and the load returns to normal.  MySQL on Solaris might
have similar issues.

I have had better experience with Irix.  I had a MySQL/PHP driven website
with 1.2 million page views per week.  The load was much, much higher, but
it weathered the storm (bandwidth use was another story).  It survived
huge inserts, massive indexes, and hundreds of millions of queries each
week.  The load on the Solaris box is small in comparison.

On a side note, by charting the load on a heavily hit website, you can
tell when lunch time and quitting time hit in each timezone. ;)

David.


On Fri, 15 Aug 2003, Jeff Ives wrote:

> My comment is more about people looking for "one" security measure, "one"
> perfect OS, "one"... And simply there is no such thing. It's all about risk
> management vs. functionality. Plus never overlook any part because it's
> the simple exploits that get you most times.
>
> I like dividing up tasks across lots of systems and having different
> flavors of OSs and programs... Like a Novell file server to store the files
> (ncpmount), a Linux system to front end apps (Apache, PHP, etc) and a
> Solaris system to backend (MySQL, etc) all behind a firewall with IP
> masquerading (NAT) and port forwarding.  Try to give each system non-root
> access to each other so if one piece is compromised the entire setup isn't
> lost.
>
> I've always thought if they hacked my apache server that it wouldn't do
> them much good: #1, only port 80 goes to that system; ssh and the like go
> to a different system; the systems many times use different flavors of
> Linux, and 80% share no passwds directly in common.
>
> -----Original Message-----
> From: huskerlug-bounce@xxxxxxxxxxxxx [mailto:huskerlug-bounce@xxxxxxxxxxxxx]
> On Behalf Of Steve
> Sent: Friday, August 15, 2003 5:14 PM
> To: huskerlug@xxxxxxxxxxxxx
> Subject: [huskerlug] Re: CERT Advisory
>
>
> On Friday 15 August 2003 12:26 am, you wrote:
> > Layered security is the only way. First cut off physical access, then
>
> Agreed.  My suggestions were meant for host security only and not to be
> all encompassing for the different layers of security required to provide
> a reasonably secure environment.  After all, how much benefit is there to
> hardening a host if you set it up on the street corner at 17th & Vine? :-)
>
> --
> Steve Bremer
> RHCE,CCNA
> --
> Real Men don't make backups. They upload it via ftp and let the world
> mirror it. -- Linus Torvalds
> --
> GnuPG Key fingerprint = 7F06 4D73 7963 BE96 5189  953A E285 CB2C BA03 2746
> Available on key servers.
>
>
> ----
> Husker Linux Users Group mailing list
> To unsubscribe, send a message to huskerlug-request@xxxxxxxxxxxxx with a
> subject of UNSUBSCRIBE
>