It has been a while since the last post; today something on preparing a server with CentOS 7.
Assumptions: we build the server so that, within reason, everything runs and works:
1. Minimal installation of CentOS 7.1, network configured and a working internet connection; the IP of the test server is 192.168.10.1, hostname vm1.test.pl; the server is managed with ISPConfig.
2. System update
yum update -y
3. Installing basic software
yum install mc net-tools nano patch wget NetworkManager-tui
4. Editing /etc/hosts
mcedit /etc/hosts
and add:
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.10.1 vm1.test.pl vm1
5. Disabling SELinux; it usually gets in the way more than it helps, and ISPConfig does not like it. Bear in mind that this removes a mandatory access control layer from every service installed below; SELINUX=permissive would keep logging the denials to /var/log/audit/audit.log without enforcing them.
Edit /etc/selinux/config and change the setting to SELINUX=disabled:
mcedit /etc/selinux/config
6. First reboot
reboot
7. Adding repositories and installing software
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY*
yum -y install epel-release
yum -y install yum-priorities
8. Editing the EPEL configuration:
add the line priority=10 to the [epel] section
mcedit /etc/yum.repos.d/epel.repo
9. System update
yum update -y
10. Installing "Development Tools":
yum -y groupinstall 'Development Tools'
11. Adding disk quota:
yum -y install quota
mcedit /etc/default/grub
add rootflags=uquota,gquota to the GRUB_CMDLINE_LINUX parameter line (the root filesystem of a default CentOS 7 install is XFS, which takes its quota settings from the mount flags)
12. Saving the changes in GRUB (on a UEFI install the file is /boot/efi/EFI/centos/grub.cfg instead):
cp /boot/grub2/grub.cfg /boot/grub2/grub.cfg_bak
grub2-mkconfig -o /boot/grub2/grub.cfg
13. Rebooting the server
reboot
14. Checking that quota is active:
mount | grep ' / '
and look for the text usrquota,grpquota, then run:
quotacheck -avugm
quotaon -avug
15. Installing LAMP: Apache, MySQL (MariaDB), phpMyAdmin, etc.:
yum -y install ntp httpd mod_ssl mariadb-server php php-mysql php-mbstring phpmyadmin
16. Installing Dovecot:
yum -y install dovecot dovecot-mysql dovecot-pigeonhole
17. Creating the SQL config file for Dovecot
touch /etc/dovecot/dovecot-sql.conf
ln -s /etc/dovecot/dovecot-sql.conf /etc/dovecot-sql.conf
18. Adding Dovecot to the services:
systemctl enable dovecot
systemctl start dovecot
19. Installing Postfix (and replacing sendmail with it):
yum -y install postfix
systemctl enable mariadb.service
systemctl start mariadb.service
systemctl stop sendmail.service
systemctl disable sendmail.service
systemctl enable postfix.service
systemctl restart postfix.service
20. Installing getmail:
yum -y install getmail
21. Setting up MySQL: the hardening script sets a root password, removes the anonymous users and the test database, and disallows remote root login:
mysql_secure_installation
22. Setting up phpMyAdmin:
mcedit /etc/httpd/conf.d/phpMyAdmin.conf
and comment out the two Require ip lines, replacing them with Require all granted:
# Require ip 127.0.0.1
# Require ip ::1
Require all granted
This makes phpMyAdmin reachable from every host that can reach the web server. The closing advice of this post (keep sensitive interfaces on 127.0.0.1 and come in over an SSH tunnel) applies here, so leaving the two Require ip lines active is the safer choice.
mcedit /etc/phpMyAdmin/config.inc.php
and set:
$cfg['Servers'][$i]['auth_type'] = 'http';
23. Enabling Apache:
systemctl enable httpd.service
systemctl restart httpd.service
24. Installing the antivirus and antispam:
yum -y install amavisd-new spamassassin clamav clamav-update unzip bzip2 perl-DBD-mysql
25. Enabling freshclam:
mcedit /etc/freshclam.conf
and comment out the line containing the word "Example"
26. Updating the AV definitions and enabling the services:
sa-update
freshclam
systemctl enable amavisd.service
27. Installing PHP:
yum -y install php php-devel php-gd php-imap php-ldap php-mysql php-odbc php-pear php-xml php-xmlrpc php-pecl-apc php-mbstring php-mcrypt php-mssql php-snmp php-soap php-tidy curl curl-devel perl-libwww-perl ImageMagick libxml2 libxml2-devel mod_fcgid php-cli httpd-devel php-fpm
28. Editing php.ini
mcedit /etc/php.ini
and set:
error_reporting = E_ALL & ~E_NOTICE & ~E_DEPRECATED & ~E_STRICT
timezone:
date.timezone = "Europe/Warsaw"
cgi.fix_pathinfo:
cgi.fix_pathinfo=1
29. Enabling php-fpm
systemctl start php-fpm.service
systemctl enable php-fpm.service
systemctl enable httpd.service
systemctl restart httpd.service
30. Installing mod_python (the tarball is fetched over plain HTTP with no signature or checksum check; compare it against a hash published by the project before building):
yum -y install python-devel
cd /usr/local/src/
wget http://dist.modpython.org/dist/mod_python-3.5.0.tgz
tar xfz mod_python-3.5.0.tgz
cd mod_python-3.5.0
./configure
make
make install
31. Enabling the Python module in httpd:
echo 'LoadModule python_module modules/mod_python.so' > /etc/httpd/conf.modules.d/10-python.conf
systemctl restart httpd.service
32. Installing Pure-FTPd
yum -y install pure-ftpd
systemctl enable pure-ftpd.service
systemctl start pure-ftpd.service
33. Enabling TLS in FTP:
yum install openssl
mcedit /etc/pure-ftpd/pure-ftpd.conf
and uncomment TLS 1 below the warning (1 accepts both cleartext and TLS sessions; TLS 2 would refuse cleartext logins, which is the stricter setting once all clients support TLS):
# Do _not_ uncomment this blindly. Be sure that :
# 1) Your server has been compiled with SSL/TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.

TLS 1
34. Generating the TLS certificate for FTP (openssl prompts for the subject; use the server's hostname, vm1.test.pl, as the Common Name; the private key and the certificate land in the same file, which is why it gets mode 600; 7300 days is a 20-year self-signed lifetime that clients will have to accept manually):
mkdir -p /etc/ssl/private/
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
chmod 600 /etc/ssl/private/pure-ftpd.pem
systemctl restart pure-ftpd.service
35. Installing BIND:
yum -y install bind bind-utils
creating the configuration:
cp /etc/named.conf /etc/named.conf_bak
cat /dev/null > /etc/named.conf
mcedit /etc/named.conf
and add:
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { any; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        allow-recursion {"none";};
        recursion no;
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.conf.local";
With recursion no and allow-recursion set to none this is an authoritative-only server, which is the right setting for a name server that listens on any address and answers anyone: an open recursive resolver on a public address gets used for DNS amplification.
Enabling in the system:
touch /etc/named.conf.local
systemctl enable named.service
systemctl start named.service
36. Installing the Webalizer and AWStats statistics
yum -y install webalizer awstats perl-DateTime-Format-HTTP perl-DateTime-Format-Builder
37. Installing Jailkit (again a plain HTTP download; check the tarball against a hash published by the project)
cd /usr/local/src/
wget http://olivier.sessink.nl/jailkit/jailkit-2.17.tar.gz
tar xvfz jailkit-2.17.tar.gz
cd jailkit-2.17
./configure
make
make install
38. Installing fail2ban, with iptables-services in place of firewalld (the iptables service loads its rules from /etc/sysconfig/iptables, which is edited in step 53):
yum -y install iptables-services fail2ban fail2ban-systemd
systemctl mask firewalld.service
systemctl enable iptables.service
systemctl enable ip6tables.service
systemctl stop firewalld.service
systemctl start iptables.service
systemctl start ip6tables.service
39. Editing the fail2ban config:
mcedit /etc/fail2ban/jail.local
and add:
[sshd]
enabled = true
action = iptables[name=sshd, port=ssh, protocol=tcp]

[pure-ftpd]
enabled = true
action = iptables[name=FTP, port=ftp, protocol=tcp]
maxretry = 3

[dovecot]
enabled = true
action = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps", protocol=tcp]
maxretry = 5

[postfix-sasl]
enabled = true
action = iptables-multiport[name=postfix-sasl, port="smtp,smtps,submission", protocol=tcp]
maxretry = 3
Enabling in the system:
systemctl enable fail2ban.service
systemctl start fail2ban.service
40. Installing rkhunter:
yum -y install rkhunter
41. Installing Mailman:
yum -y install mailman
editing the config:
touch /var/lib/mailman/data/aliases
postmap /var/lib/mailman/data/aliases
/usr/lib/mailman/bin/newlist mailman
add to the aliases:
mcedit /etc/aliases
mailman: "|/usr/lib/mailman/mail/mailman post mailman"
mailman-admin: "|/usr/lib/mailman/mail/mailman admin mailman"
mailman-bounces: "|/usr/lib/mailman/mail/mailman bounces mailman"
mailman-confirm: "|/usr/lib/mailman/mail/mailman confirm mailman"
mailman-join: "|/usr/lib/mailman/mail/mailman join mailman"
mailman-leave: "|/usr/lib/mailman/mail/mailman leave mailman"
mailman-owner: "|/usr/lib/mailman/mail/mailman owner mailman"
mailman-request: "|/usr/lib/mailman/mail/mailman request mailman"
mailman-subscribe: "|/usr/lib/mailman/mail/mailman subscribe mailman"
mailman-unsubscribe: "|/usr/lib/mailman/mail/mailman unsubscribe mailman"
activating in the system:
newaliases
42. Configuring Mailman in Apache:
nano /etc/httpd/conf.d/mailman.conf
and add:
#
#  httpd configuration settings for use with mailman.
#

ScriptAlias /mailman/ /usr/lib/mailman/cgi-bin/
ScriptAlias /cgi-bin/mailman/ /usr/lib/mailman/cgi-bin/
<Directory /usr/lib/mailman/cgi-bin/>
    AllowOverride None
    Options ExecCGI
    Order allow,deny
    Allow from all
</Directory>

#Alias /pipermail/ /var/lib/mailman/archives/public/
Alias /pipermail /var/lib/mailman/archives/public/
<Directory /var/lib/mailman/archives/public>
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
    AddDefaultCharset Off
</Directory>
# Uncomment the following line, to redirect queries to /mailman to the
# listinfo page (recommended).

# RedirectMatch ^/mailman[/]*$ /mailman/listinfo
43. Creating the virtual alias map for Mailman
touch /etc/mailman/virtual-mailman
postmap /etc/mailman/virtual-mailman
44. Starting Mailman:
systemctl enable mailman.service
systemctl start mailman.service
45. Installing the Roundcube webmail:
yum -y install roundcubemail
mcedit /etc/httpd/conf.d/roundcubemail.conf
and set it to:
#
# Round Cube Webmail is a browser-based multilingual IMAP client
#

Alias /roundcubemail /usr/share/roundcubemail
Alias /webmail /usr/share/roundcubemail

# Define who can access the Webmail
# You can enlarge permissions once configured

<Directory /usr/share/roundcubemail/>
#    <IfModule mod_authz_core.c>
#        # Apache 2.4
#        Require local
#    </IfModule>
#    <IfModule !mod_authz_core.c>
#        # Apache 2.2
#        Order Deny,Allow
#        Deny from all
#        Allow from 127.0.0.1
#        Allow from ::1
#    </IfModule>
    Options none
    AllowOverride Limit
    Require all granted
</Directory>

# Define who can access the installer
# keep this secured once configured

<Directory /usr/share/roundcubemail/installer>
#    <IfModule mod_authz_core.c>
#        # Apache 2.4
#        Require local
#    </IfModule>
#    <IfModule !mod_authz_core.c>
#        # Apache 2.2
#        Order Deny,Allow
#        Deny from all
#        Allow from 127.0.0.1
#        Allow from ::1
#    </IfModule>
    Options none
    AllowOverride Limit
    Require all granted
</Directory>

# Those directories should not be viewed by Web clients.
<Directory /usr/share/roundcubemail/bin/>
    Order Allow,Deny
    Deny from all
</Directory>
<Directory /usr/share/roundcubemail/plugins/enigma/home/>
    Order Allow,Deny
    Deny from all
</Directory>
This opens both the webmail and the installer to everyone. Put the installer block back to Require local as soon as step 48 is done, as the file's own comment says; the closing advice of this post about 127.0.0.1 and SSH tunnels applies to the installer in particular.
46. Restarting httpd:
systemctl restart httpd.service
47. Setting up the database ('roundcubepassword' is a placeholder; use a random password of your own and put the same value into the config in step 49):
mysql -u root -p
CREATE DATABASE roundcubedb;
CREATE USER roundcubeuser@localhost IDENTIFIED BY 'roundcubepassword';
GRANT ALL PRIVILEGES ON roundcubedb.* TO roundcubeuser@localhost;
FLUSH PRIVILEGES;
exit
48. Configuring Roundcube (open the installer in a browser):
http://192.168.10.1/roundcubemail/installer
49. Saving the Roundcube config:
mcedit /etc/roundcubemail/config.inc.php
and write:
<?php
/* Local configuration for Roundcube Webmail */

// ----------------------------------
// SQL DATABASE
// ----------------------------------
// Database connection string (DSN) for read+write operations
// Format (compatible with PEAR MDB2): db_provider://user:password@host/database
// Currently supported db_providers: mysql, pgsql, sqlite, mssql or sqlsrv
// For examples see http://pear.php.net/manual/en/package.database.mdb2.intro-dsn.php
// NOTE: for SQLite use absolute path: 'sqlite:////full/path/to/sqlite.db?mode=0646'
$config['db_dsnw'] = 'mysql://roundcubeuser:roundcubepassword@localhost/roundcubedb';

// ----------------------------------
// IMAP
// ----------------------------------
// The mail host chosen to perform the log-in.
// Leave blank to show a textbox at login, give a list of hosts
// to display a pulldown menu or set one host as string.
// To use SSL/TLS connection, enter hostname with prefix ssl:// or tls://
// Supported replacement variables:
// %n - hostname ($_SERVER['SERVER_NAME'])
// %t - hostname without the first part
// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
// %s - domain name after the '@' from e-mail address provided at login screen
// For example %n = mail.domain.tld, %t = domain.tld
// WARNING: After hostname change update of mail_host column in users table is
//          required to match old user data records with the new host.
$config['default_host'] = 'localhost';

// provide an URL where a user can get support for this Roundcube installation
// PLEASE DO NOT LINK TO THE ROUNDCUBE.NET WEBSITE HERE!
$config['support_url'] = '';

// this key is used to encrypt the users imap password which is stored
// in the session record (and the client cookie if remember password is enabled).
// please provide a string of exactly 24 chars.
$config['des_key'] = 'FHgaM7ihtMkM1cBwckOcxPdT';

// ----------------------------------
// PLUGINS
// ----------------------------------
// List of active plugins (in plugins/ directory)
$config['plugins'] = array();

// Set the spell checking engine. Possible values:
// - 'googie'  - the default
// - 'pspell'  - requires the PHP Pspell module and aspell installed
// - 'enchant' - requires the PHP Enchant module
// - 'atd'     - install your own After the Deadline server or check with the people at http://www.afterthedeadline.com before using their API
// Since Google shut down their public spell checking service, you need to
// connect to a Nox Spell Server when using 'googie' here. Therefore specify the 'spellcheck_uri'
$config['spellcheck_engine'] = 'pspell';
The des_key shown here is printed in this post, so it is public: it encrypts the users' IMAP passwords in the session store and the remember-me cookie, and must be replaced with your own 24-character value.
50. Installing ISPConfig (also a plain HTTP download; verify the archive against the project's published hash)
cd /usr/local/src/
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
php -q install.php
51. Changing the default password from within MySQL. Written as below, the statement sets the admin password to 'admin', which is the default it is supposed to replace: put your own password inside md5(). The column stores an unsalted MD5 hash, so pick a long random one.
mysql -u root -p
use dbispconfig;
UPDATE sys_user SET passwort = md5('admin') WHERE username = 'admin';
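The Roundcube database step uses the literal 'roundcubepassword', the config.inc.php carries a des_key copied from this post, and the UPDATE above sets the admin password back to 'admin'. As an added example that is not part of the original post, the POSIX shell below generates fresh random values for all three and prints the SQL and PHP lines to paste, computing the unsalted MD5 hash with md5sum exactly as MySQL's md5() would. The user, database and column names are the ones the post uses; the secret lengths are my own choice.

```shell
#!/bin/sh
# Added example: generate the secrets that the Roundcube and ISPConfig steps on this
# page leave as literals. Needs only /dev/urandom, tr, head and md5sum (or openssl).

# Print a random alphanumeric string of the requested length (no trailing newline).
gen_secret() {
    head -c 512 /dev/urandom | tr -dc 'A-Za-z0-9' | head -c "$1"
}

# Hex MD5 of a string: byte-for-byte what MySQL's md5('...') returns.
md5_hex() {
    if command -v md5sum >/dev/null 2>&1; then
        printf '%s' "$1" | md5sum | cut -d' ' -f1
    else
        printf '%s' "$1" | openssl dgst -md5 | sed 's/.*= //'
    fi
}

# Emit the statements to paste into the mysql shell and the Roundcube config.
gen_secret_statements() {
    rc_db_pw=$(gen_secret 32)
    rc_des_key=$(gen_secret 24)      # Roundcube wants exactly 24 characters here
    isp_admin_pw=$(gen_secret 20)
    cat <<EOF
# Roundcube database user (step 47), paste into mysql:
CREATE USER roundcubeuser@localhost IDENTIFIED BY '$rc_db_pw';
# Roundcube /etc/roundcubemail/config.inc.php (step 49):
\$config['db_dsnw'] = 'mysql://roundcubeuser:$rc_db_pw@localhost/roundcubedb';
\$config['des_key'] = '$rc_des_key';
# ISPConfig admin (step 51), paste into mysql; the column stores an unsalted MD5 hash:
UPDATE sys_user SET passwort = '$(md5_hex "$isp_admin_pw")' WHERE username = 'admin';
# ISPConfig admin password (store it in your password manager): $isp_admin_pw
EOF
}

gen_secret_statements
```

Run it once on the server, paste the lines into the places named, and keep the printed admin password; nothing is written to disk by the script itself.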
52. Hooking up the DNS zones (answers for the BIND prompts of the ISPConfig installer):
bind zonefiles directory: /var/named
bind named.conf path: /etc/named.conf
bind named.conf.local path: /etc/named.conf.local
53. Configuring the open ports on the firewall (this is the rule file the iptables service from step 38 loads at boot):
mcedit /etc/sysconfig/iptables
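The post leaves the contents of /etc/sysconfig/iptables to the reader. What follows is an added example, not from the original post, of what that file can contain for the services installed above, generated by a small POSIX shell function so the port list lives in one place. It assumes the projects' default ports of 8080 for the ISPConfig panel and 10000 for Webmin, and an assumed passive FTP range of 30000-30099 (set PassivePortRange in /etc/pure-ftpd/pure-ftpd.conf to match). Inbound traffic is default-deny, and the two management ports are never opened on the network interface: following the closing advice of this post, they are reached only through an SSH tunnel, while attempts to hit them from the network are logged.

```shell
#!/bin/sh
# Added example: build /etc/sysconfig/iptables (iptables-restore format) for the
# services installed on this page. 8080 (ISPConfig) and 10000 (Webmin) are the
# projects' default ports and are assumed here; the passive FTP range is assumed
# too and must match PassivePortRange in /etc/pure-ftpd/pure-ftpd.conf.

# ftp ssh smtp dns http pop3 imap https smtps submission imaps pop3s
PUBLIC_TCP="21 22 25 53 80 110 143 443 465 587 993 995"
FTP_PASV="30000:30099"        # assumed passive FTP data range
MGMT_TCP="8080 10000"         # ISPConfig and Webmin: loopback (SSH tunnel) only

gen_iptables_rules() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'          # default-deny inbound
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'   # loopback: this is what admits the tunnelled 8080/10000
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    echo '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    echo '-A INPUT -p udp --dport 53 -j ACCEPT'   # DNS is served over UDP as well
    for p in $PUBLIC_TCP; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "-A INPUT -p tcp --dport $FTP_PASV -m conntrack --ctstate NEW -j ACCEPT"
    # The management ports are deliberately absent from the ACCEPT list above;
    # log (rate-limited) any attempt to reach them from the network, then the
    # catch-all reject below refuses them like everything else.
    for p in $MGMT_TCP; do
        echo "-A INPUT -p tcp --dport $p -m limit --limit 5/min -j LOG --log-prefix \"mgmt-port: \""
    done
    echo '-A INPUT -j REJECT --reject-with icmp-port-unreachable'
    echo 'COMMIT'
}

# Returns 0 if the generated ruleset opens the given TCP port to the network, 1 otherwise.
port_is_public() {
    gen_iptables_rules | grep -q -- "-p tcp --dport $1 .*-j ACCEPT"
}

# Stand-alone run: print the ruleset. To apply it on the server:
#   gen_iptables_rules > /etc/sysconfig/iptables && iptables-restore < /etc/sysconfig/iptables
# and reach the panels from a workstation through a tunnel:
#   ssh -L 8080:127.0.0.1:8080 -L 10000:127.0.0.1:10000 root@vm1.test.pl
gen_iptables_rules
```

Keep an SSH session open while loading a new ruleset for the first time, so a mistake in it does not lock you out; the ESTABLISHED rule keeps that session alive even if port 22 were missing from the list.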
54. Disabling the Apache signature (this stops the version banner from appearing on error pages and in the Server header; it hides information, it does not remove a vulnerability)
mcedit /etc/httpd/conf/httpd.conf
and add:
ServerSignature Off
ServerTokens Prod
55. Enabling SSL in Postfix:
mcedit /etc/postfix/master.cf
and uncomment the smtps section
56. Installing Webmin:
nano /etc/yum.repos.d/webmin.repo
and add:
[Webmin]
name=Webmin Distribution Neutral
#baseurl=http://download.webmin.com/download/yum
mirrorlist=http://download.webmin.com/download/yum/mirrorlist
enabled=1
and then (the signing key is fetched over plain HTTP, so compare its fingerprint with the one published on the project's site before trusting packages signed with it; Webmin listens on port 10000 by default and belongs behind the firewall and an SSH tunnel like the other admin panels):
rpm --import http://www.webmin.com/jcameron-key.asc
yum install webmin -y
chkconfig webmin on
service webmin start
Phew... and finally.
At the end it is worth reviewing the access rules for the server's sensitive areas (phpMyAdmin, the Roundcube installer, ISPConfig, Webmin): allow access only from 127.0.0.1 and use SSH tunnels for connections from outside.