Notes from 2018…
# Upgrade system and clean disk
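yum upgrade
yum clean all
# Install the basics (editor, download tools, socket/process inspection).
yum install -y vim wget curl net-tools lsof bash-completion psmisc
# Set hostname (interactive TUI).
nmtui-hostname
# Set network (interactive TUI).
nmtui-edit
# Review which services are enabled at boot before exposing the host.
systemctl list-unit-files -t service
# Enable firewall now and at boot.
systemctl enable firewalld
systemctl start firewalld
# Open firewall ports for SSH, HTTP and HTTPS. --permanent alone only writes the
# saved config; the --reload afterwards is what applies it to the running ruleset.
firewall-cmd --add-service=ssh --permanent
firewall-cmd --add-service=http --permanent
firewall-cmd --add-service=https --permanent
firewall-cmd --reload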
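# Add user 'backup' to group 'backup' (-a keeps its existing supplementary groups).
usermod -a -G backup backup
# Allow user1 to change into sitebuild
# -- skipped
# Restrict SSH logins to members of a dedicated group.
# NOTE(review): the sshd_config change itself is not recorded in these notes --
# presumably an AllowGroups permitssh line; confirm against the live file.
vim /etc/ssh/sshd_config
groupadd permitssh
# -M replaces the group's member list with exactly these users.
gpasswd -M user1,user2 permitssh
# If ssh is running on a non-standard port the SELinux port label must be set,
# otherwise sshd cannot bind it under enforcing mode. semanage is provided by
# policycoreutils-python (install commented out below).
# yum -y install policycoreutils-python
# XXXXX is a placeholder for the chosen port number.
semanage port -a -t ssh_port_t -p tcp XXXXX
# SSL Certificate. The .pem pasted below holds the chain AND the private key, so
# the file must be readable by root only (chmod 600).
# NOTE(review): the HAProxy config later in these notes binds
# crt /etc/certs/dragoncoin.com/dragoncoin.com.pem, not this letsencrypt path --
# confirm both refer to the same file or that the copy is refreshed on renewal.
vim /etc/letsencrypt/live/dragoncoin.com/dragoncoin.com.pem
# Vim: create the parent directory if it does not exist: !mkdir -p %:h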
-----BEGIN CERTIFICATE-----
ggJ0MIICcDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG something_something
==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu something_something
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
fOiBWgPceWLXspqfvjAieoBqQYy3R/N6mOayB9w43jzZHy/2YraR9P/P7yWSQAhB
kCsIp7OmqKmOmNEQspQ7/YAwtwUkqyTseYu17e0j29lG8hCioGvYKJpJhFQERbdG
NDg8c2PvAgMBAAECggEAQQcJG1UPzgXGgI3vpd6fLZ3DHhdNBoLlg/ish/0cYYRF
something_something
-----END PRIVATE KEY-----
# Allocate swapfile, set appropriate permissions, create swapfile
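# Allocate a 16 GiB file of zeros (16384 blocks of 1 MiB).
# NOTE(review): this is the only sudo-prefixed line in these notes; the rest assume
# a root shell. Run the whole sequence as the same user or the chmod/mkswap below
# will not have the rights they need.
sudo dd if=/dev/zero of=/swapfile count=16384 bs=1MiB # allocate
# Swap holds pages of process memory, so the file must not be world-readable.
chmod 600 /swapfile # restrict the swap file to root (owner read/write only)
mkswap /swapfile # format /swapfile as swap space
swapon /swapfile # activate it for the running system
# Check swapfile settings
swapon -s
# Make permanent
vim /etc/fstab
# add this line to /etc/fstab (it is an fstab entry, not a shell command):
#   /swapfile none swap defaults 0 0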
# Install HAProxy 1.8 using SCL repo
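yum install centos-release-scl
yum install rh-haproxy18-haproxy rh-haproxy18-haproxy-syspaths
# Run HAProxy if it's not already started by CRON
systemctl enable rh-haproxy18-haproxy
systemctl restart rh-haproxy18-haproxy
systemctl status rh-haproxy18-haproxy
# Set firewall. Only 80/443 are opened; port 9000 (Portainer) stays closed -- the
# HAProxy backend reaches it on 127.0.0.1 instead.
#firewall-cmd --zone=public --permanent --add-port=9000/tcp
firewall-cmd --zone=public --add-service=http --permanent
firewall-cmd --zone=public --add-service=https --permanent
firewall-cmd --reload
# This step is a must to resolve error: "cannot bind UNIX socket [/run/haproxy/admin.sock]"
# /run is a tmpfs, so the socket directory has to be recreated on every boot.
# Add the following line via crontab -e (it is a crontab entry, not a shell command):
#   @reboot mkdir /run/haproxy && systemctl start rh-haproxy18-haproxy
# NOTE(review): @reboot cron jobs are not ordered against systemd units, so the
# unit's own boot-time start can still race this mkdir; mkdir -p would also make
# the entry safe if the directory already exists.
crontab -e
# This step resolves 503 service unavailable errors on SELinux enforcing systems:
# allow haproxy to connect to any port (-P persists the boolean across reboots).
setsebool -P haproxy_connect_any 1
# Edit config file (keep a copy of the shipped default first).
cp /etc/opt/rh/rh-haproxy18/haproxy/haproxy.cfg /etc/opt/rh/rh-haproxy18/haproxy/haproxy.cfg.bak
vim /etc/opt/rh/rh-haproxy18/haproxy/haproxy.cfg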
### Add these lines
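# Plain-HTTP entry point: every request is redirected to HTTPS.
frontend http_in
bind *:80
mode http
redirect scheme https code 301 if !{ ssl_fc }
# TLS entry point. crt points at one PEM holding the chain and the private key.
# NOTE(review): the certificate was written to /etc/letsencrypt/live/dragoncoin.com/
# earlier in these notes; confirm this /etc/certs path is the same file (or a copy
# that is refreshed on renewal).
frontend https_in
bind *:443 ssl crt /etc/certs/dragoncoin.com/dragoncoin.com.pem
reqadd X-Forwarded-Proto:\ https
# Route by Host header (case-insensitive) to the backends below.
# ShellInABox
acl host_shell hdr(host) -i shell.dragoncoin.com
use_backend shell if host_shell
# Portainer
acl host_docker hdr(host) -i docker.dragoncoin.com
use_backend docker if host_docker
# Project
acl host_project hdr(host) -i project.dragoncoin.com
use_backend project if host_project
#---------------------------------------------------------------------
# simple passwords to protect certain backends
#---------------------------------------------------------------------
# insecure-password keeps the secret in clear text in this file; HAProxy's
# 'password' keyword accepts a crypt(3) hash instead. Either way the config
# file must not be world-readable. 'PASSWORD' is a placeholder.
userlist shell-users
user kimconnect insecure-password 'PASSWORD'
#---------------------------------------------------------------------
# backends
#---------------------------------------------------------------------
# shell: basic-auth gate (realm "devops") in front of ShellInABox.
backend shell
acl devops-auth http_auth(shell-users)
http-request auth realm devops if !devops-auth
mode http
option forwardfor
option http-keep-alive
# server takes <name> <addr:port> [params]; written as "server static web01 ..."
# HAProxy would read "web01" as the address. Aligned with the other backends.
server web01 127.0.0.1:8080 check
backend project
mode http
option forwardfor
option http-keep-alive
server web01 127.0.0.1:3000
# docker: Portainer. 'stats enable' also serves the HAProxy stats page on this
# backend's stats URI with no authentication of its own -- add 'stats auth' or
# drop it if the page is not needed.
backend docker
mode http
stats enable
option forwardfor
option http-keep-alive
server web01 127.0.0.1:9000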
Notes from 2015...
su
yum update && yum upgrade
yum install net-tools vim
ip addr show //find interface name
vim /etc/sysconfig/network-scripts/ifcfg-{interface_name} //set the IP address and whether the interface starts automatically
network {hostname} //set server hostname
service network restart
Firewall:
yum install firewalld
firewall-cmd --state
firewall-cmd --get-default-zone //display default zone
optional: firewall-cmd --set-default-zone=work //switch default zone to work
firewall-cmd --list-services //list all services in current zone
firewall-cmd --add-service=http //runtime only: the --reload below discards it unless --permanent is also given
firewall-cmd --permanent --add-port={port_number}/tcp //open port number
firewall-cmd --reload
firewall-cmd --list-ports
firewall-cmd --get-zones
Optional: systemctl disable|enable firewalld //disable or enable the firewall service at boot
SELinux:
yum install selinux-policy
getenforce
vim /etc/selinux/config
setenforce 1
Rootkit Hunter:
yum install rkhunter
rkhunter --check
Install command line web browser:
yum install links
links 127.0.0.1 //test http service at localhost
Install nmap to monitor ports:
yum install nmap
nmap 127.0.0.1
Install telnet:
yum install telnet
telnet 127.0.0.1 80
Add EPEL Repo:
yum install epel-release
Other tools:
yum install p7zip ntfs-3g
Install FTP server:
yum install vsftpd
vim /etc/vsftpd/vsftpd.conf //configure FTP server if necessary
firewall-cmd --add-service=ftp //runtime only: the --reload below discards it unless --permanent is also given
firewall-cmd --permanent --add-port=21/tcp
semanage permissive -a ftpd_t //puts the whole ftpd_t domain in permissive mode (SELinux only logs for vsftpd); the ftpd_selinux booleans documented here are the narrower alternative: http://linux.die.net/man/8/ftpd_selinux
firewall-cmd --reload
systemctl restart vsftpd
systemctl enable vsftpd
Add Sudoers:
visudo
Add user below 'root': kimconnect ALL=(ALL) ALL
Cron Jobs:
vim /etc/crontab //configure cron