CentOS System Setup

Notes from 2018…
# Upgrade system and clean disk
yum upgrade
yum clean all
# Install the basics
yum install -y vim wget curl net-tools lsof bash-completion psmisc
# Set hostname
# Set network
# Check auto-starts
systemctl list-unit-files -t service
# Enable firewall
systemctl enable firewalld
systemctl start firewalld
# Open firewall port for SSH
firewall-cmd –add-service=ssh –permanent
firewall-cmd –add-service=http –permanent
firewall-cmd –add-service=https –permanent
firewall-cmd –reload
usermod -a -G backup backup
# Allow user1 to change into sitebuild
– skipped
vim /etc/ssh/sshd_config
groupadd permitssh
gpasswd -M user1,user2 permitssh
# If ssh is running on a non-standard port security context must be set
# yum -y install policycoreutils-python
semanage port -a -t ssh_port_t -p tcp XXXXX
# SSL Certificate
vim /etc/letsencrypt/live/dragoncoin.com/dragoncoin.com.pem
# Vim Create Directory If Not Exists: !mkdir -p %:h
wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu something_something

# Allocate swapfile, set appropriate permissions, create swapfile
sudo dd if=/dev/zero of=/swapfile count=16384 bs=1MiB    #allocate
chmod 600 /swapfile        #secure the directory
mkswap /swapfile        #make swapfile in the /swapfile directory
swapon /swapfile        #configure system to use /swapfile
# Check swapfile settings
swapon -s
# Make permanent
vim /etc/fstab
# add this line
/swapfile none swap defaults 0 0

# Install HAProxy 1.8 using SCL repo
yum install centos-release-scl
yum install rh-haproxy18-haproxy rh-haproxy18-haproxy-syspaths
# Run HAProxy if it’s not already started by CRON
systemctl enable rh-haproxy18-haproxy
systemctl restart rh-haproxy18-haproxy
systemctl status rh-haproxy18-haproxy
# Set firewall
#firewall-cmd –zone=public –permanent  –add-port=9000/tcp
firewall-cmd –zone=public –add-service=http –permanent
firewall-cmd –zone=public –add-service=https –permanent
firewall-cmd –reload
#  This step is a must to resolve error: “cannot bind UNIX socket [/run/haproxy/admin.sock]
crontab -e
@reboot mkdir /run/haproxy && systemctl start rh-haproxy18-haproxy
# This step is to resolve 503 service unavailable errors in selinux enforce systems
setsebool -P haproxy_connect_any 1
# Edit config file
cp  /etc/opt/rh/rh-haproxy18/haproxy/haproxy.cfg  /etc/opt/rh/rh-haproxy18/haproxy/haproxy.cfg.bak
vim /etc/opt/rh/rh-haproxy18/haproxy/haproxy.cfg
### Add these lines
frontend http_in
        bind *:80
        mode http
        redirect scheme https code 301 if !{ ssl_fc }
frontend https_in
        bind *:443 ssl crt /etc/certs/dragoncoin.com/dragoncoin.com.pem
        reqadd X-Forwarded-Proto:\ https
        # ShellInABox
        acl host_shell hdr(host) -i shell.dragoncoin.com
        use_backend shell if host_shell
        # Portainer
        acl host_docker hdr(host) -i docker.dragoncoin.com
        use_backend docker if host_docker
        # Project
        acl host_project hdr(host) -i project.dragoncoin.com
        use_backend project if host_project
# simple passwords to protect certain backends
userlist shell-users
        user kimconnect insecure-password ‘PASSWORD’
# backends
backend shell
        acl devops-auth http_auth(shell-users)
        http-request auth realm devops if !devops-auth
        mode http
        option forwardfor
        option http-keep-alive
        server static web01 check
backend project
        mode http
        option forwardfor
        option http-keep-alive
        server web01
backend docker
        mode http
        stats enable
        option forwardfor
        option http-keep-alive
        server web01
Notes from 2015...

yum update && yum upgrade

yum install net-tools vim
ip addr show //find interface name
vim /etc/sysconfig/network-scripts/ifcfg-{interface_name} //change IP address and network interface automatic starting behavior
network {hostname} //set server hostname
service network restart

yum install firewalld
firewall-cmd --state
firewall-cmd --get-default-zone //display default zone
optional: firewall-cmd --set-default-zone=work //switch default zone to work
firewall-cmd --list-services //list all services in current zone
firewall-cmd --add-service=http
firewall-cmd --permanent --add-port={port_number}/tcp //open port number
firewall-cmd --reload
firewall-cmd --list-ports
firewall-cmd --get-zones
Optional: systemctl disable|enable firewalld //disable firewall

yum install selinux-policy
vim /etc/selinux/config
setenforce 1

Rootkit Hunter:
yum install rkhunter
rkhunter --check

Install command line web browser:
yum install links
links //test http service at localhost

Install nmap to monitor ports:
yum install nmap

Install telnet:
yum install telnet
telnet 80

Add EPEL Repo:
yum install epel-release

Other tools:
yum install p7zip ntfs-3g

Install FTP server:
yum install vsftpd
vim /etc/vsftpd/vsftpd.conf //configure FTP server if necessary
firewall-cmd --add-service=ftp
firewall-cmd --permanent --add-port=21/tcp
semanage permissive -a ftpd_t //http://linux.die.net/man/8/ftpd_selinux
firewall-cmd --reload
systemctl restart vsftpd
systemctl enable vsftpd

Add Sudoers:
Add user below 'root': kimconnect ALL=(ALL) ALL

Cron Jobs:
vim /etc/crontab //configure cron

Leave a Reply

Your email address will not be published. Required fields are marked *