LAMP server on VPS test install manual (5)

Caution: These instructions do not cover strict security hardening. You need to know much more to run a properly secured server that is published to the whole world, so I recommend using the server built here only for personal practice in setting up a web server. If you want to know more, the related links below will help.

5. Security install

http://www.clamav.net/lang/en/ ClamAntiVirus
https://github.com/vrtadmin/clamav-faq/raw/master/manual/clamdoc.pdf Manual(pdf)
https://www.adminsys.ch/2015/08/21/installing-clamav-epel-centosred-hat-7-nightmare/ Last resort
https://cisofy.com/ Lynis security solution investigator

#ClamAntiVirus

yum -y install clamav clamav-scanner-systemd clamav-update
	#Note: installed by dependency > -data,-lib,-filesystem -scanner -server -server-systemd

	#selinux setting
setsebool -P antivirus_can_scan_system on
setsebool -P clamd_use_jit on

ln -s /etc/clamd.d/scan.conf /etc/clamd.conf

cp /etc/clamd.d/scan.conf /etc/clamd.d/scan.conf.bak
vi /etc/clamd.d/scan.conf
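	#Example
	#^ comment out this line (clamd refuses to start while "Example" is active)
	LogFile /var/log/clamd.scan
	ExcludePath ^/sys/
	#^ remove the leading "#" from these two lines to enable them
	#NOTE: clamd also needs a socket to listen on; if clamd@scan fails to start, check that a LocalSocket line is enabled in this file.
	#      Prefer LocalSocket over TCPSocket, because clamd's TCP socket has no authentication.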

cp /etc/freshclam.conf /etc/freshclam.conf.bak
vi /etc/freshclam.conf
	#Example
	#^ comment out this line, the same as in scan.conf

vi /etc/cron.d/clamav-update
	#Example of job definition: every ------>
	# .---------------- minute (0 - 59)
	# |  .------------- hour (0 - 23)
	# |  |  .---------- day of month (1 - 31)
	# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
	# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
	# |  |  |  |  |
	# *  *  *  *  * user-name  command to be executed
	  0  */3  *  *  * root /usr/share/clamav/freshclam-sleep	#you can change time and date

cp /etc/sysconfig/freshclam /etc/sysconfig/freshclam.bak
vi /etc/sysconfig/freshclam
	# comment out the line marked "REMOVE ME" (while it is active, the scheduled freshclam update stays disabled)

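chmod g+w -R /var/run/clamd.scan
	#lets members of the directory's group write to the clamd socket directory, so keep that group small
	#/var/run is normally a tmpfs, so check the permission again after a reboot
freshclam	#download the initial virus signature database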

systemctl  enable clamd@scan
	# automated; ln -s /usr/lib/systemd/system/clamd@scan.service /etc/systemd/system/multi-user.target.wants/clamd@scan.service

systemctl  start clamd@scan
systemctl  status clamd@scan

#Test from command line>
clamdscan -c /etc/clamd.d/scan.conf --fdpass /var/log/*
	#the scan daemon is already running on your system; check /var/log/messages

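#Firewall (the commands below only display the current firewalld settings and change nothing; the indented lines are sample output)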

firewall-cmd --get-zones
	block dmz drop external home internal public trusted work
firewall-cmd --get-services
	RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability
	http https imaps ipp ipp-client ipsec iscsi-target kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd
	pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind rsyncd samba samba-client smtp ssh telnet tftp tftp-client
	transmission-client vdsm vnc-server wbem-https
firewall-cmd --get-icmptypes
firewall-cmd --list-all-zones
firewall-cmd --list-services --zone=public

#Lynis

cd /etc/yum.repos.d
vi cisofy-lynis.repo
	[lynis]
	name=CISOfy Software - Lynis package
	baseurl=https://packages.cisofy.com/community/lynis/rpm/
	enabled=1
	gpgkey=https://packages.cisofy.com/keys/cisofy-software-rpms-public.key
	gpgcheck=1
yum makecache fast
yum -y install lynis

lynis audit system
	#Run as root
	#maybe later ok

du -ach /home
	# total size of that directory

modinfo
	#shows information about a kernel module; give the module name as an argument
