CentOS System Setup

Notes from 2018…
 
# Upgrade system and clean disk
yum upgrade
yum clean all
 
# Install the basics
yum install -y vim wget curl net-tools lsof bash-completion psmisc
 
# Set hostname
nmtui-hostname
 
# Set network
nmtui-edit
 
# Check auto-starts
systemctl list-unit-files -t service
 
# Enable firewall
systemctl enable firewalld
systemctl start firewalld
 
# Open firewall port for SSH
firewall-cmd –add-service=ssh –permanent
firewall-cmd –add-service=http –permanent
firewall-cmd –add-service=https –permanent
firewall-cmd –reload
 
usermod -a -G backup backup
 
# Allow user1 to change into sitebuild
– skipped
vim /etc/ssh/sshd_config
groupadd permitssh
 
gpasswd -M user1,user2 permitssh
 
# If ssh is running on a non-standard port security context must be set
# yum -y install policycoreutils-python
semanage port -a -t ssh_port_t -p tcp XXXXX
 
# SSL Certificate
vim /etc/letsencrypt/live/dragoncoin.com/dragoncoin.com.pem
# Vim Create Directory If Not Exists: !mkdir -p %:h
—–BEGIN CERTIFICATE—–
 
ggJ0MIICcDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
==
—–END CERTIFICATE—–
—–BEGIN CERTIFICATE—–
 
 
uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
 
—–END CERTIFICATE—–
—–BEGIN PRIVATE KEY—–
fOiBWgPceWLXspqfvjAieoBqQYy3R/N6mOayB9w43jzZHy/2YraR9P/P7yWSQAhB
kCsIp7OmqKmOmNEQspQ7/YAwtwUkqyTseYu17e0j29lG8hCioGvYKJpJhFQERbdG
NDg8c2PvAgMBAAECggEAQQcJG1UPzgXGgI3vpd6fLZ3DHhdNBoLlg/ish/0cYYRF
HAHA!
—–END PRIVATE KEY—–

 
# Allocate swapfile, set appropriate permissions, create swapfile
sudo dd if=/dev/zero of=/swapfile count=16384 bs=1MiB    #allocate
chmod 600 /swapfile        #secure the directory
mkswap /swapfile        #make swapfile in the /swapfile directory
swapon /swapfile        #configure system to use /swapfile
 
# Check swapfile settings
swapon -s
 
# Make permanent
vim /etc/fstab
# add this line
/swapfile none swap defaults 0 0
 

# Install HAProxy 1.8 using SCL repo
yum install centos-release-scl
yum install rh-haproxy18-haproxy rh-haproxy18-haproxy-syspaths
 
# Run HAProxy if it’s not already started by CRON
systemctl enable rh-haproxy18-haproxy
systemctl restart rh-haproxy18-haproxy
systemctl status rh-haproxy18-haproxy
 
# Set firewall
#firewall-cmd –zone=public –permanent  –add-port=9000/tcp
firewall-cmd –zone=public –add-service=http –permanent
firewall-cmd –zone=public –add-service=https –permanent
firewall-cmd –reload
 
#  This step is a must to resolve error: “cannot bind UNIX socket [/run/haproxy/admin.sock]
crontab -e
@reboot mkdir /run/haproxy && systemctl start rh-haproxy18-haproxy
 
# This step is to resolve 503 service unavailable errors in selinux enforce systems
setsebool -P haproxy_connect_any 1
 
# Edit config file
cp  /etc/opt/rh/rh-haproxy18/haproxy/haproxy.cfg  /etc/opt/rh/rh-haproxy18/haproxy/haproxy.cfg.bak
vim /etc/opt/rh/rh-haproxy18/haproxy/haproxy.cfg
 
### Add these lines
 
frontend http_in
        bind *:80
        mode http
        redirect scheme https code 301 if !{ ssl_fc }
 
 
frontend https_in
        bind *:443 ssl crt /etc/certs/dragoncoin.com/dragoncoin.com.pem
        reqadd X-Forwarded-Proto:\ https
 
        # ShellInABox
        acl host_shell hdr(host) -i shell.dragoncoin.com
        use_backend shell if host_shell
 
        # Portainer
        acl host_docker hdr(host) -i docker.dragoncoin.com
        use_backend docker if host_docker
 
        # Project
        acl host_project hdr(host) -i project.dragoncoin.com
        use_backend project if host_project
 
#———————————————————————
# simple passwords to protect certain backends
#———————————————————————
 
userlist shell-users
        user kimconnect insecure-password ‘PASSWORD’
 
#———————————————————————
# backends
#———————————————————————
backend shell
        acl devops-auth http_auth(shell-users)
        http-request auth realm devops if !devops-auth
        mode http
        option forwardfor
        option http-keep-alive
        server static web01 127.0.0.1:8080 check
 
backend project
        mode http
        option forwardfor
        option http-keep-alive
        server web01 127.0.0.1:3000
 
backend docker
        mode http
        stats enable
        option forwardfor
        option http-keep-alive
        server web01 127.0.0.1:9000
Notes from 2015...

su
yum update && yum upgrade

yum install net-tools vim
ip addr show //find interface name
vim /etc/sysconfig/network-scripts/ifcfg-{interface_name} //change IP address and network interface automatic starting behavior
network {hostname} //set server hostname
service network restart

Firewall:
yum install firewalld
firewall-cmd --state
firewall-cmd --get-default-zone //display default zone
optional: firewall-cmd --set-default-zone=work //switch default zone to work
firewall-cmd --list-services //list all services in current zone
firewall-cmd --add-service=http
firewall-cmd --permanent --add-port={port_number}/tcp //open port number
firewall-cmd --reload
firewall-cmd --list-ports
firewall-cmd --get-zones
Optional: systemctl disable|enable firewalld //disable firewall

SELinux:
yum install selinux-policy
getenforce
vim /etc/selinux/config
setenforce 1

Rootkit Hunter:
yum install rkhunter
rkhunter --check

Install command line web browser:
yum install links
links 127.0.0.1 //test http service at localhost

Install nmap to monitor ports:
yum install nmap
nmap 127.0.0.1

Install telnet:
yum install telnet
telnet 127.0.0.1 80

Add EPEL Repo:
yum install epel-release

Other tools:
yum install p7zip ntfs-3g

Install FTP server:
yum install vsftpd
vim /etc/vsftpd/vsftpd.conf //configure FTP server if necessary
firewall-cmd --add-service=ftp
firewall-cmd --permanent --add-port=21/tcp
semanage permissive -a ftpd_t //http://linux.die.net/man/8/ftpd_selinux
firewall-cmd --reload
systemctl restart vsftpd
systemctl enable vsftpd

Add Sudoers:
visudo
Add user below 'root': kimconnect ALL=(ALL) ALL

Cron Jobs:
vim /etc/crontab //configure cron

Leave a Reply

Your email address will not be published. Required fields are marked *