It has been a while since the last post; today something about preparing a server with CentOS 7.
Assumptions: we build the server so that, more or less, everything runs and works properly:

1. Minimal installation of CentOS 7.1, with the network configured and a working internet connection; the test server's IP is 192.168.10.1, hostname: vm1.test.pl; the server is managed with ISPConfig

2. System update

yum update -y

3. Installation of basic software

yum install mc net-tools nano patch wget NetworkManager-tui

4. Editing /etc/hosts

mcedit /etc/hosts

and add:

127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.10.1 vm1.test.pl vm1

5. Disabling SELinux; it usually gets in the way more than it helps, and ISPConfig does not like it

Edit /etc/selinux/config and change the setting to SELINUX=disabled:

mcedit /etc/selinux/config

6. First reboot

reboot

7. Adding repositories and installing software

rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY*
yum -y install epel-release
yum -y install yum-priorities

8. Editing the epel configuration:

add the line priority=10 to the [epel] section

mcedit /etc/yum.repos.d/epel.repo

9. System update

yum update -y

10. Installing “Development Tools”:

yum -y groupinstall 'Development Tools'

11. Adding disk quota:

yum -y install quota
mcedit /etc/default/grub

add rootflags=uquota,gquota to the kernel parameter line

12. Saving the changes in grub:

cp /boot/grub2/grub.cfg /boot/grub2/grub.cfg_bak
grub2-mkconfig -o /boot/grub2/grub.cfg

13. Server reboot

reboot

14. Check whether quota is active:

mount | grep ' / '

and look for the text usrquota,grpquota; then run:

quotacheck -avugm
quotaon -avug
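As an added check (not part of the original post), the step above can be scripted instead of eyeballing the `mount` output. The caveat it encodes: grub receives rootflags=uquota,gquota, but the mounted XFS root reports the options as usrquota,grpquota, which is the spelling `mount` prints. The sample lines are constructed for the example, not captured from vm1.test.pl.

```shell
#!/bin/sh
# Added check, not part of the original post: confirm that "/" really was
# mounted with user and group quota after the grub change and reboot.
# Caveat: grub gets rootflags=uquota,gquota, but the mounted XFS root
# reports them as usrquota,grpquota, and that is what `mount` shows.

# mount_line_has_quota LINE
# LINE is one line of `mount` output; succeeds only when the option list in
# parentheses contains both usrquota and grpquota.
mount_line_has_quota() {
    _opts=$(printf '%s\n' "$1" | sed -n 's/.*(\(.*\)).*/\1/p')
    case ",$_opts," in
        *,usrquota,*) ;;
        *) return 1 ;;
    esac
    case ",$_opts," in
        *,grpquota,*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_root_quota
# Runs the check against the live system (what step 14 does by eye).
check_root_quota() {
    _line=$(mount | grep ' / ')
    if mount_line_has_quota "$_line"; then
        echo "quota active on /: $_line"
        return 0
    fi
    echo "quota NOT active on /; re-check rootflags in /etc/default/grub, rerun grub2-mkconfig and reboot" >&2
    return 1
}

# Constructed sample lines (made up for this example, not output from vm1):
SAMPLE_OK='/dev/mapper/centos-root on / type xfs (rw,relatime,seclabel,attr2,inode64,usrquota,grpquota)'
SAMPLE_BAD='/dev/mapper/centos-root on / type xfs (rw,relatime,seclabel,attr2,inode64,noquota)'

# Usage on the server: check_root_quota && quotacheck -avugm && quotaon -avug
```

Only when check_root_quota succeeds does it make sense to run quotacheck and quotaon; otherwise the grub line or the reboot is what needs fixing.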

15. Installing LAMP: Apache, MySQL (MariaDB), phpMyAdmin, etc.:

yum -y install ntp httpd mod_ssl mariadb-server php php-mysql php-mbstring phpmyadmin

16. Installing Dovecot:

yum -y install dovecot dovecot-mysql dovecot-pigeonhole

17. Creating the config file for Dovecot

touch /etc/dovecot/dovecot-sql.conf
ln -s /etc/dovecot/dovecot-sql.conf /etc/dovecot-sql.conf

18. Adding dovecot to the services:

systemctl enable dovecot
systemctl start dovecot

19. Installing Postfix:

yum -y install postfix

systemctl enable mariadb.service
systemctl start mariadb.service

systemctl stop sendmail.service
systemctl disable sendmail.service
systemctl enable postfix.service
systemctl restart postfix.service

20. Installing GetMail:

yum -y install getmail

21. Setting up MySQL: disabling root login without a password:

mysql_secure_installation

22. Setting up phpMyAdmin:

mcedit /etc/httpd/conf.d/phpMyAdmin.conf

and replace:

# Require ip 127.0.0.1
# Require ip ::1
Require all granted

mcedit /etc/phpMyAdmin/config.inc.php

and replace:

$cfg['Servers'][$i]['auth_type'] = 'http';

23. Enabling Apache:

systemctl enable httpd.service
systemctl restart httpd.service

24. Installing antivirus and antispam:

yum -y install amavisd-new spamassassin clamav clamav-update unzip bzip2 perl-DBD-mysql

25. Enabling freshclam:

mcedit /etc/freshclam.conf

and the word “Example” has to be commented out

26. Updating the AV definitions and enabling the services:

sa-update
freshclam
systemctl enable amavisd.service

27. Installing PHP:

yum -y install php php-devel php-gd php-imap php-ldap php-mysql php-odbc php-pear php-xml php-xmlrpc php-pecl-apc php-mbstring php-mcrypt php-mssql php-snmp php-soap php-tidy curl curl-devel perl-libwww-perl ImageMagick libxml2 libxml2-devel mod_fcgid php-cli httpd-devel php-fpm

28. Editing php.ini

mcedit /etc/php.ini

and replace:

error_reporting = E_ALL & ~E_NOTICE & ~E_DEPRECATED & ~E_STRICT

timezone:

date.timezone = "Europe/Warsaw"

cgi.fix_pathinfo:

cgi.fix_pathinfo=1

29. Enabling php-fpm

systemctl start php-fpm.service
systemctl enable php-fpm.service
systemctl enable httpd.service
systemctl restart httpd.service

30. Installing mod_python:

yum -y install python-devel

cd /usr/local/src/
wget http://dist.modpython.org/dist/mod_python-3.5.0.tgz
tar xfz mod_python-3.5.0.tgz
cd mod_python-3.5.0

./configure
make
make install

31. Enabling the mod_python module in httpd:

echo 'LoadModule python_module modules/mod_python.so' > /etc/httpd/conf.modules.d/10-python.conf
systemctl restart httpd.service

32. Installing PureFTPd

yum -y install pure-ftpd

systemctl enable pure-ftpd.service
systemctl start pure-ftpd.service

33. Enabling SSL in ftp:

yum install openssl
mcedit /etc/pure-ftpd/pure-ftpd.conf

and replace:

# Do _not_ uncomment this blindly. Be sure that :
# 1) Your server has been compiled with SSL/TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.

TLS 1

34. Generating the SSL certificate for FTP:

mkdir -p /etc/ssl/private/
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
chmod 600 /etc/ssl/private/pure-ftpd.pem
systemctl restart pure-ftpd.service

35. Installing BIND:

yum -y install bind bind-utils

creating the configuration:

cp /etc/named.conf /etc/named.conf_bak
cat /dev/null > /etc/named.conf
mcedit /etc/named.conf

and add:

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
	listen-on port 53 { any; };
	listen-on-v6 port 53 { any; };
	directory "/var/named";
	dump-file "/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	allow-query { any; };
	allow-recursion {"none";};
	recursion no;
};
logging {
	channel default_debug {
		file "data/named.run";
		severity dynamic;
	};
};
zone "." IN {
	type hint;
	file "named.ca";
};
include "/etc/named.conf.local";

Setting it up in the system:

touch /etc/named.conf.local
systemctl enable named.service
systemctl start named.service

36. Installing Webalizer and AWStats statistics

yum -y install webalizer awstats perl-DateTime-Format-HTTP perl-DateTime-Format-Builder

37. Installing Jailkit

cd /usr/local/src/
wget http://olivier.sessink.nl/jailkit/jailkit-2.17.tar.gz
tar xvfz jailkit-2.17.tar.gz
cd jailkit-2.17
./configure
make
make install

38. Installing fail2ban:

yum -y install iptables-services fail2ban fail2ban-systemd
systemctl mask firewalld.service
systemctl enable iptables.service
systemctl enable ip6tables.service
systemctl stop firewalld.service
systemctl start iptables.service
systemctl start ip6tables.service

39. Editing the fail2ban config:

mcedit /etc/fail2ban/jail.local

and add:

[sshd]
enabled = true
action = iptables[name=sshd, port=ssh, protocol=tcp]

[pure-ftpd]
enabled = true
action = iptables[name=FTP, port=ftp, protocol=tcp]
maxretry = 3

[dovecot]
enabled = true
action = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps", protocol=tcp]
maxretry = 5

[postfix-sasl]
enabled = true
action = iptables-multiport[name=postfix-sasl, port="smtp,smtps,submission", protocol=tcp]
maxretry = 3

Setting it up in the system:

systemctl enable fail2ban.service
systemctl start fail2ban.service

40. Installing rkhunter:

yum -y install rkhunter

41. Installing Mailman:

yum -y install mailman

editing the config:

touch /var/lib/mailman/data/aliases
postmap /var/lib/mailman/data/aliases
/usr/lib/mailman/bin/newlist mailman

add to the aliases:

mcedit /etc/aliases

mailman: "|/usr/lib/mailman/mail/mailman post mailman"
mailman-admin: "|/usr/lib/mailman/mail/mailman admin mailman"
mailman-bounces: "|/usr/lib/mailman/mail/mailman bounces mailman"
mailman-confirm: "|/usr/lib/mailman/mail/mailman confirm mailman"
mailman-join: "|/usr/lib/mailman/mail/mailman join mailman"
mailman-leave: "|/usr/lib/mailman/mail/mailman leave mailman"
mailman-owner: "|/usr/lib/mailman/mail/mailman owner mailman"
mailman-request: "|/usr/lib/mailman/mail/mailman request mailman"
mailman-subscribe: "|/usr/lib/mailman/mail/mailman subscribe mailman"
mailman-unsubscribe: "|/usr/lib/mailman/mail/mailman unsubscribe mailman"

setting it up in the system:

newaliases

42. Configuring Mailman:

nano /etc/httpd/conf.d/mailman.conf

and enter:

#
# httpd configuration settings for use with mailman.
#

ScriptAlias /mailman/ /usr/lib/mailman/cgi-bin/
ScriptAlias /cgi-bin/mailman/ /usr/lib/mailman/cgi-bin/

<Directory /usr/lib/mailman/cgi-bin/>
    AllowOverride None
    Options ExecCGI
    Order allow,deny
    Allow from all
</Directory>

#Alias /pipermail/ /var/lib/mailman/archives/public/
Alias /pipermail /var/lib/mailman/archives/public/

<Directory /var/lib/mailman/archives/public>
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
    AddDefaultCharset Off
</Directory>

# Uncomment the following line, to redirect queries to /mailman to the
# listinfo page (recommended).

# RedirectMatch ^/mailman[/]*$ /mailman/listinfo

43. Creating the virtual-mailman map file

touch /etc/mailman/virtual-mailman
postmap /etc/mailman/virtual-mailman

44. Starting Mailman:

systemctl enable mailman.service
systemctl start mailman.service

45. Installing the Roundcube webmail:

yum -y install roundcubemail
mcedit /etc/httpd/conf.d/roundcubemail.conf

and enter:

#
# Round Cube Webmail is a browser-based multilingual IMAP client
#

Alias /roundcubemail /usr/share/roundcubemail
Alias /webmail /usr/share/roundcubemail

# Define who can access the Webmail
# You can enlarge permissions once configured

<Directory /usr/share/roundcubemail/>
    # # Apache 2.4
    # Require local
    #
    # # Apache 2.2
    # Order Deny,Allow
    # Deny from all
    # Allow from 127.0.0.1
    # Allow from ::1
    Options none
    AllowOverride Limit
    Require all granted
</Directory>

# Define who can access the installer
# keep this secured once configured

<Directory /usr/share/roundcubemail/installer/>
    # # Apache 2.4
    # Require local
    #
    # # Apache 2.2
    # Order Deny,Allow
    # Deny from all
    # Allow from 127.0.0.1
    # Allow from ::1
    Options none
    AllowOverride Limit
    Require all granted
</Directory>

# Those directories should not be viewed by Web clients.
# (the two directory paths below are assumed from the stock EPEL
#  roundcubemail.conf; verify them against the file the package installed)

<Directory /usr/share/roundcubemail/bin/>
    Order Allow,Deny
    Deny from all
</Directory>

<Directory /usr/share/roundcubemail/plugins/enigma/home/>
    Order Allow,Deny
    Deny from all
</Directory>

46. Restarting httpd:

systemctl restart httpd.service

47. Setting up the database:

mysql -u root -p

CREATE DATABASE roundcubedb;
CREATE USER roundcubeuser@localhost IDENTIFIED BY 'roundcubepassword';
GRANT ALL PRIVILEGES ON roundcubedb.* TO roundcubeuser@localhost;
FLUSH PRIVILEGES;
exit

48. Configuring Roundcube:

http://192.168.10.1/roundcubemail/installer

49. Saving the Roundcube config:

mcedit /etc/roundcubemail/config.inc.php

and write:

/* Local configuration for Roundcube Webmail */

// ----------------------------------
// SQL DATABASE
// ----------------------------------
// Database connection string (DSN) for read+write operations
// Format (compatible with PEAR MDB2): db_provider://user:password@host/database
// Currently supported db_providers: mysql, pgsql, sqlite, mssql or sqlsrv
// For examples see http://pear.php.net/manual/en/package.database.mdb2.intro-dsn.php
// NOTE: for SQLite use absolute path: 'sqlite:////full/path/to/sqlite.db?mode=0646'
$config['db_dsnw'] = 'mysql://roundcubeuser:roundcubepassword@localhost/roundcubedb';

// ----------------------------------
// IMAP
// ----------------------------------
// The mail host chosen to perform the log-in.
// Leave blank to show a textbox at login, give a list of hosts
// to display a pulldown menu or set one host as string.
// To use SSL/TLS connection, enter hostname with prefix ssl:// or tls://
// Supported replacement variables:
// %n - hostname ($_SERVER['SERVER_NAME'])
// %t - hostname without the first part
// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
// %s - domain name after the '@' from e-mail address provided at login screen
// For example %n = mail.domain.tld, %t = domain.tld
// WARNING: After hostname change update of mail_host column in users table is
// required to match old user data records with the new host.
$config['default_host'] = 'localhost';

// provide an URL where a user can get support for this Roundcube installation
// PLEASE DO NOT LINK TO THE ROUNDCUBE.NET WEBSITE HERE!
$config['support_url'] = '';

// this key is used to encrypt the users imap password which is stored
// in the session record (and the client cookie if remember password is enabled).
// please provide a string of exactly 24 chars.
$config['des_key'] = 'FHgaM7ihtMkM1cBwckOcxPdT';

// ----------------------------------
// PLUGINS
// ----------------------------------
// List of active plugins (in plugins/ directory)
$config['plugins'] = array();

// Set the spell checking engine. Possible values:
// - 'googie' - the default
// - 'pspell' - requires the PHP Pspell module and aspell installed
// - 'enchant' - requires the PHP Enchant module
// - 'atd' - install your own After the Deadline server or check with the people at http://www.afterthedeadline.com before using their API
// Since Google shut down their public spell checking service, you need to
// connect to a Nox Spell Server when using 'googie' here. Therefore specify the 'spellcheck_uri'
$config['spellcheck_engine'] = 'pspell';

50. Installing ISPConfig

cd /usr/local/src/
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
php -q install.php

51. Changing the default password, from within mysql

mysql -u root -p

USE dbispconfig;
UPDATE sys_user SET passwort = md5('admin') WHERE username = 'admin';

52. Hooking up the DNS zones (paths given to the ISPConfig installer)

bind zonefiles directory: /var/named
bind named.conf path: /etc/named.conf
bind named.conf.local path: /etc/named.conf.local

53. Configuring the ports on the firewall:

mcedit /etc/sysconfig/iptables

49. Disabling the Apache signature

mcedit /etc/httpd/conf/httpd.conf

and add:

ServerSignature Off
ServerTokens Prod

54. Enabling SSL in Postfix:

mcedit /etc/postfix/master.cf

and uncomment the smtps section

55. Installing Webmin:

nano /etc/yum.repos.d/webmin.repo

and add:

[Webmin]
name=Webmin Distribution Neutral
#baseurl=http://download.webmin.com/download/yum
mirrorlist=http://download.webmin.com/download/yum/mirrorlist
enabled=1

and then:

rpm --import http://www.webmin.com/jcameron-key.asc
yum install webmin -y
chkconfig webmin on
service webmin start

Phew... and at the very end.
Finally, it is worth reviewing the access rules to the server's sensitive areas: allow access only from 127.0.0.1 and use SSH tunnels for connections from outside.
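The closing advice, together with steps 22 and 45 (phpMyAdmin and Roundcube opened with "Require all granted") and the "Disabling the Apache signature" step, can be turned into a repeatable check. The script below is an added example, not code from the original post or from ISPConfig: it audits an httpd tree for those settings, applies the loopback-only fix, and includes a constructed sample tree so it can be run offline. The Apache 2.4 layout (conf/httpd.conf, conf.d/*.conf), the conf file names and the tunnel user name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. It audits an httpd tree for
# what this guide leaves open on purpose (phpMyAdmin, Roundcube and its
# installer published with "Require all granted") and for the banner
# directives of the "Disabling the Apache signature" step, then applies the
# fix the closing note recommends: loopback only, reached over an SSH tunnel.
# Assumption: Apache 2.4 layout as on CentOS 7 (conf/httpd.conf, conf.d/*.conf).

ADMIN_CONFS='phpMyAdmin.conf roundcubemail.conf'

# audit_httpd CONF_DIR : print one finding per line (prints nothing when clean)
audit_httpd() {
    _dir=$1
    for _name in $ADMIN_CONFS; do
        _f="$_dir/conf.d/$_name"
        [ -f "$_f" ] || continue
        if grep -q '^[[:space:]]*Require all granted' "$_f"; then
            echo "OPEN: $_f: 'Require all granted' exposes an admin UI to every client"
        fi
    done
    _main="$_dir/conf/httpd.conf"
    [ -f "$_main" ] || return 0
    grep -Eq '^[[:space:]]*ServerTokens[[:space:]]+Prod' "$_main" ||
        echo "BANNER: $_main: missing 'ServerTokens Prod'"
    grep -Eq '^[[:space:]]*ServerSignature[[:space:]]+Off' "$_main" ||
        echo "BANNER: $_main: missing 'ServerSignature Off'"
}

# audit_count CONF_DIR : number of findings, printed as a plain integer
audit_count() {
    audit_httpd "$1" | wc -l | tr -d ' '
}

# harden_httpd CONF_DIR : apply the recommended settings in place (.bak kept)
harden_httpd() {
    _dir=$1
    for _name in $ADMIN_CONFS; do
        _f="$_dir/conf.d/$_name"
        [ -f "$_f" ] || continue
        # Loopback only. From a workstation, reach the UI through a tunnel
        # (user name is a placeholder):
        #   ssh -L 8080:127.0.0.1:80 user@vm1.test.pl
        # and then open http://127.0.0.1:8080/phpMyAdmin/ in the browser.
        sed -i.bak 's/^\([[:space:]]*\)Require all granted/\1Require ip 127.0.0.1/' "$_f"
    done
    _main="$_dir/conf/httpd.conf"
    [ -f "$_main" ] || return 0
    grep -Eq '^[[:space:]]*ServerTokens[[:space:]]+Prod' "$_main" ||
        echo 'ServerTokens Prod' >> "$_main"
    grep -Eq '^[[:space:]]*ServerSignature[[:space:]]+Off' "$_main" ||
        echo 'ServerSignature Off' >> "$_main"
}

# make_sample_conf : constructed httpd tree mirroring the guide's edits
# (sample data written to a temp dir, not files taken from a real server);
# prints the directory path.
make_sample_conf() {
    _d=$(mktemp -d)
    mkdir -p "$_d/conf" "$_d/conf.d"
    printf 'ServerRoot "/etc/httpd"\nListen 80\n' > "$_d/conf/httpd.conf"
    cat > "$_d/conf.d/phpMyAdmin.conf" <<'EOF'
Alias /phpMyAdmin /usr/share/phpMyAdmin
<Directory /usr/share/phpMyAdmin/>
   # Require ip 127.0.0.1
   # Require ip ::1
   Require all granted
</Directory>
EOF
    cat > "$_d/conf.d/roundcubemail.conf" <<'EOF'
Alias /webmail /usr/share/roundcubemail
<Directory /usr/share/roundcubemail/installer/>
    Require all granted
</Directory>
EOF
    echo "$_d"
}

# Usage on the real server:  audit_httpd /etc/httpd ; harden_httpd /etc/httpd ;
# systemctl restart httpd.service   (then re-run audit_httpd to confirm 0 findings)
```

On the constructed sample the audit reports four findings (two open admin UIs, two missing banner directives); after harden_httpd it reports none, and the admin UIs answer only to 127.0.0.1, which is exactly what the SSH tunnel delivers them from.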