LAMP server on VPS test install manual (5)

Caution: These instructions do not cover strict security. You need to know much more to keep a server secure when publishing it to the world, so I recommend that the server built here be used only for personal practice in setting up a web server. If you want to know more, the related links below will help you.

5. Security install

http://www.clamav.net/lang/en/ ClamAntiVirus
https://github.com/vrtadmin/clamav-faq/raw/master/manual/clamdoc.pdf Manual(pdf)
https://www.adminsys.ch/2015/08/21/installing-clamav-epel-centosred-hat-7-nightmare/ Last resort
https://cisofy.com/ Lynis security solution investigator

#ClamAntiVirus

yum -y install clamav clamav-scanner-systemd clamav-update
	#Note: the -data, -lib, -filesystem, -scanner, -server and -server-systemd packages are pulled in as dependencies

	#selinux setting
setsebool -P antivirus_can_scan_system on
setsebool -P clamd_use_jit on

ln -s /etc/clamd.d/scan.conf /etc/clamd.conf

cp /etc/clamd.d/scan.conf /etc/clamd.d/scan.conf.bak
vi /etc/clamd.d/scan.conf
	#Example
	#^ comment out this line (add a leading #); clamd refuses to start while "Example" is active
	LogFile /var/log/clamd.scan
	ExcludePath ^/sys/
	#^ remove the leading # from these lines

cp /etc/freshclam.conf /etc/freshclam.conf.bak
vi /etc/freshclam.conf
	#Example
	#^ comment out this line (add a leading #)

vi /etc/cron.d/clamav-update
	#Example of job definition: every ------>
	# .---------------- minute (0 - 59)
	# |  .------------- hour (0 - 23)
	# |  |  .---------- day of month (1 - 31)
	# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
	# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
	# |  |  |  |  |
	# *  *  *  *  * user-name  command to be executed
	#you can change the schedule (time and date)
	  0  */3  *  *  * root /usr/share/clamav/freshclam-sleep

cp /etc/sysconfig/freshclam /etc/sysconfig/freshclam.bak
vi /etc/sysconfig/freshclam
	# comment out the line that ends with "# REMOVE ME"

chmod g+w -R /var/run/clamd.scan
freshclam	#download the signature database

systemctl  enable clamd@scan
	# automated; ln -s /usr/lib/systemd/system/clamd@scan.service /etc/systemd/system/multi-user.target.wants/clamd@scan.service

systemctl  start clamd@scan
systemctl  status clamd@scan

#Test from the command line>
clamdscan -c /etc/clamd.d/scan.conf --fdpass /var/log/*
	#the scan daemon is already running on your system; check /var/log/messages

#Firewall

firewall-cmd --get-zones
	block dmz drop external home internal public trusted work
firewall-cmd --get-services
	RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability
	http https imaps ipp ipp-client ipsec iscsi-target kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd
	pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind rsyncd samba samba-client smtp ssh telnet tftp tftp-client
	transmission-client vdsm vnc-server wbem-https
firewall-cmd --get-icmptypes
firewall-cmd --list-all-zones
firewall-cmd --list-services --zone=public

#Lynis

cd /etc/yum.repos.d
vi cisofy-lynis.repo
	[lynis]
	name=CISOfy Software - Lynis package
	baseurl=https://packages.cisofy.com/community/lynis/rpm/
	enabled=1
	gpgkey=https://packages.cisofy.com/keys/cisofy-software-rpms-public.key
	gpgcheck=1
yum makecache fast
yum -y install lynis

lynis audit system
	#Run as root
	#you can run it again later

du -ach /home
	# total size of that directory

modinfo
	#module information viewer

LAMP server on VPS test install manual (4)

Caution: These instructions do not cover strict security. You need to know much more to keep a server secure when publishing it to the world, so I recommend that the server built here be used only for personal practice in setting up a LAMP (Linux, Apache, MySQL, Perl/PHP/Python) web server. If you want to learn more, visit the related links suggested below; they will help you.

4. Setting System Control Tool

http://www.openlmi.org/ OpenLMI

#Add repository

yum -y install epel-release

yum -y install openlmi-scripts*

firewall-cmd --add-port 5989/tcp --permanent
firewall-cmd --reload

systemctl enable tog-pegasus.service
	#the symbolic link has been updated.
systemctl start tog-pegasus.service
systemctl -l status tog-pegasus.service
	#You might see a warning because you don't have SSL settings yet.
	#This service works at a low level, so it needs more security.
	#c.f.

firewall-cmd --get-zones
firewall-cmd --get-services

lmi
	lmi> hwinfo;	#Get hardware information
	lmi> system;	#Get system information

#Tips for TeraTerm users

TeraTerm's command line and ttl macros can make your work more comfortable, e.g.

One-click auto connect (be careful: the easier it is, the leakier it is, as it embeds your secret key path and password)
shell "C:\Program Files (x86)\teraterm\ttermpro.exe" <your url or ip of ssh server>:<port number> /ssh /2 /auth=publickey /user=<your user> /keyfile="Path/to/private_key/file" /passwd="<your password>"

Auto login and su to root
shell "C:\Program Files (x86)\teraterm\ttpmacro.exe" /V login.ttl

login.ttl

hostname = '<your host url or ip>'
sshport ='<ssh port>'
Username = '<user>'
Userpass ='<user password>'
Rootpass ='<root password>'

msg = hostname
strconcat msg ':'
strconcat msg sshport
strconcat msg ' /ssh /2 /auth=publickey /user='
strconcat msg Username
strconcat msg ' /keyfile="C:\Program Files (x86)\teraterm\id_rsa" /passwd='
strconcat msg Userpass

connect msg

; prompts to wait for
UserPrompt = '$'
RootPrompt = '#'
PasswordPrompt = ':'
timeout = 30

; login
wait   UserPrompt
sendln 'su root'

wait   PasswordPrompt
sendln Rootpass

wait RootPrompt
sendln 'cd'

; OK, auto login complete. current dir = /root

exit

LAMP server on VPS test install manual (3)

Caution: These instructions do not cover strict security. You need to know much more to keep a server secure when publishing it to the world, so I recommend that the server built here be used only for personal practice in setting up a LAMP (Linux, Apache, MySQL, Perl/PHP/Python) web server. If you want to learn more, visit the related links suggested below; they will help you.
Note: Placeholders are written as < ..data.. >; fill in your own data. [...] marks a key press.

3. AntiVirus and Security check install

http://www.clamav.net/lang/en/ ClamAntiVirus
https://github.com/vrtadmin/clamav-faq/raw/master/manual/clamdoc.pdf Manual(pdf)
https://www.adminsys.ch/2015/08/21/installing-clamav-epel-centosred-hat-7-nightmare/ Last resort
https://cisofy.com/ Lynis security solution investigator

### Add repository ###

yum -y install epel-release

### ClamAntiVirus ###

yum -y install clamav clamav-scanner-systemd clamav-update
	#the other packages are installed automatically as dependencies.

vi /etc/clamd.d/scan.conf
	#Example
	#^ comment out this line (add a leading #); clamd refuses to start while "Example" is active
	ExcludePath ^/proc/
	ExcludePath ^/sys/
	LocalSocket /var/run/clamd.scan/clamd.sock
	#^ remove the leading # from these lines

vi /etc/freshclam.conf
	#Example
	#^ comment out this line (add a leading #)
	# Send the RELOAD command to clamd.
	# Default: no
	NotifyClamd /etc/clamd.d/scan.conf

vi /etc/cron.d/clamav-update
	#Example of job definition: every ------>
	# .---------------- minute (0 - 59)
	# |  .------------- hour (0 - 23)
	# |  |  .---------- day of month (1 - 31)
	# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
	# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
	# |  |  |  |  |
	# *  *  *  *  * user-name  command to be executed
	#you can change the schedule (time and date)
	  0  */3  *  *  * root /usr/share/clamav/freshclam-sleep

vi /etc/sysconfig/freshclam
	# comment out the line that ends with "# REMOVE ME"

chmod g+x -R /var/run/clamd.scan
chmod g+rw /var/run/clamd.scan/clamd.sock

	#selinux setting
setsebool -P antivirus_can_scan_system on
setsebool -P antivirus_use_jit on

systemctl enable clamd@scan
	# automated; ln -s /usr/lib/systemd/system/clamd@scan.service /etc/systemd/system/multi-user.target.wants/clamd@scan.service

systemctl restart clamd@scan

systemctl -l status clamd@scan

### load and refresh database ###

freshclam	#download the signature database

### Test scan from the command line ###
clamdscan -c /etc/clamd.d/scan.conf --fdpass /var/log/*
	#the scan daemon is already running on your system; check /var/log/messages
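As an added example (not from the original manual or the ClamAV project), the scan.conf and freshclam.conf edits from this chapter and from chapter 5 applied with sed instead of vi, then verified. The sample files are constructed to mirror the stock EPEL layout; on a real host point the functions at /etc/clamd.d/scan.conf and /etc/freshclam.conf.

```shell
#!/bin/sh
# Apply the scan.conf / freshclam.conf edits from this chapter with sed
# instead of hand-editing in vi, then verify them.  The sample configs
# below are constructed to mirror the stock EPEL files, not copied from a host.

# Comment out the "Example" guard line (clamd refuses to start while it is
# active) and enable the directives the chapter lists.  $1 = scan.conf path
prepare_clamd_conf() {
    sed -e 's/^Example$/#Example/' \
        -e 's|^#\(LogFile /var/log/clamd.scan\)|\1|' \
        -e 's|^#\(ExcludePath ^/proc/\)|\1|' \
        -e 's|^#\(ExcludePath ^/sys/\)|\1|' \
        -e 's|^#\(LocalSocket /var/run/clamd.scan/clamd.sock\)|\1|' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Same for freshclam.conf: $1 = path, $2 = clamd config that should be told to RELOAD.
prepare_freshclam_conf() {
    sed -e 's/^Example$/#Example/' \
        -e "s|^#NotifyClamd .*|NotifyClamd $2|" \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# A scan.conf is usable only if no bare "Example" line remains and the
# socket plus the /proc and /sys exclusions are active.  Returns 0 if so.
check_clamd_conf() {
    ! grep -q '^Example$' "$1" &&
    grep -q '^LocalSocket ' "$1" &&
    grep -q '^ExcludePath \^/proc/' "$1" &&
    grep -q '^ExcludePath \^/sys/' "$1"
}

# Constructed sample inputs: $1 = scan.conf to write, $2 = freshclam.conf to write.
write_samples() {
    cat > "$1" <<'EOF'
# Comment or remove the line below.
Example
#LogFile /var/log/clamd.scan
#ExcludePath ^/proc/
#ExcludePath ^/sys/
#LocalSocket /var/run/clamd.scan/clamd.sock
EOF
    cat > "$2" <<'EOF'
Example
# Send the RELOAD command to clamd.
# Default: no
#NotifyClamd /path/to/clamd.conf
EOF
}
```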

### Lynis ###

vi /etc/yum.repos.d/cisofy-lynis.repo
#--- cisofy-lynis.repo ------------------
[lynis]
name=CISOfy Software - Lynis package
baseurl = https://packages.cisofy.com/community/lynis/rpm/
enabled=1
gpgkey = https://packages.cisofy.com/keys/cisofy-software-rpms-public.key
gpgcheck=1
#----------------------------------------end

yum makecache fast

yum -y install lynis

lynis audit system
	#Run as root
	#you can run it again later

Result files:
– Test and debug information: /var/log/lynis.log
– Report data: /var/log/lynis-report.dat

#Some fixes
#change umask (optional)
This is good for security, but may cause trouble when installing some kinds of applications.

cp /etc/profile /etc/profile.d/custom.sh
vi /etc/profile.d/custom.sh
	if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
	    umask 007
	else
	    umask 027
	fi

#chage
For more security use chage -E, -I, -W ...
At least, set the following:

vi /etc/login.defs
	PASS_MAX_DAYS   <your choice, as appropriate>
	PASS_MIN_DAYS   <your choice, not 0>
	PASS_MIN_LEN    <your choice, 8 or more recommended>

#blacklist unused modules

vi /etc/modprobe.d/blacklist-devices.conf
blacklist firewire-core
blacklist soundcore
blacklist dvb_usb
blacklist dvb_usb_v2
blacklist usb-storage

modprobe --showconfig | grep blacklist

#hide banner information

vi /etc/postfix/main.cf
	smtpd_banner = $myhostname ESMTP

vi /etc/php.ini
	expose_php = Off
	allow_url_fopen = Off

#others

vi /etc/profile
	umask 002 -> 007
	umask 022 -> 027
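As an added example (not from the original manual), a small check script for the fixes in this section (login.defs password ageing, php.ini, the postfix banner and the module blacklist), so you can confirm them without re-running the whole lynis audit. The sample files are constructed; on a real host point the checks at /etc/login.defs, /etc/php.ini, /etc/postfix/main.cf and /etc/modprobe.d/blacklist-devices.conf.

```shell
#!/bin/sh
# Re-check the manual fixes of this chapter (login.defs, php.ini, postfix
# banner, module blacklist) without re-running the whole lynis audit.
# The sample files are constructed; point the checks at the real paths on a host.

# Value of KEY in a "KEY VALUE" or "KEY = VALUE" file, ignoring comment lines.
cfg_get() {  # $1 = file, $2 = key
    awk -v k="$2" '$1 == k { v = ($2 == "=") ? $3 : $2; print v; exit }' "$1"
}

# Password ageing as set above: PASS_MAX_DAYS below the 99999 default,
# PASS_MIN_DAYS not 0, PASS_MIN_LEN at least 8.
check_login_defs() {
    max=$(cfg_get "$1" PASS_MAX_DAYS); min=$(cfg_get "$1" PASS_MIN_DAYS)
    len=$(cfg_get "$1" PASS_MIN_LEN)
    [ "${max:-99999}" -lt 99999 ] && [ "${min:-0}" -gt 0 ] && [ "${len:-0}" -ge 8 ]
}

# php.ini: expose_php and allow_url_fopen must both be Off (any case).
check_php_ini() {
    for k in expose_php allow_url_fopen; do
        [ "$(cfg_get "$1" "$k" | tr 'A-Z' 'a-z')" = off ] || return 1
    done
}

# postfix: the banner must be exactly "$myhostname ESMTP", i.e. without the
# default "$mail_name" part that reveals the software name.
check_postfix_banner() {
    b=$(awk '$1 == "smtpd_banner" { $1 = ""; $2 = ""; sub(/^ +/, ""); print; exit }' "$1")
    [ "$b" = '$myhostname ESMTP' ]
}

# modprobe: every module named in $2... must have a "blacklist" line in $1.
check_blacklist() {
    f=$1; shift
    for m in "$@"; do
        grep -Eq "^blacklist[[:space:]]+$m\$" "$f" || return 1
    done
}

# Constructed sample files written into directory $1.
write_hardening_samples() {
    printf 'PASS_MAX_DAYS\t90\nPASS_MIN_DAYS\t1\nPASS_MIN_LEN\t12\n' > "$1/login.defs"
    printf 'expose_php = Off\nallow_url_fopen = Off\n' > "$1/php.ini"
    printf 'smtpd_banner = $myhostname ESMTP\n' > "$1/main.cf"
    printf 'blacklist firewire-core\nblacklist usb-storage\n' > "$1/blacklist.conf"
}
```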

Lead time: 30 min

LAMP server on VPS test install manual (2)

Caution: These instructions do not cover strict security. You need to know much more to keep a server secure when publishing it to the world, so I recommend that the server built here be used only for personal practice in setting up a LAMP (Linux, Apache, MySQL, Perl/PHP/Python) web server. If you want to learn more, visit the related links suggested below; they will help you.
Note: Placeholders are written as < ..data.. >; fill in your own data. [...] marks a key press.

2. SSH secure console set

http://www.vim.org/ Vim
http://hp.vector.co.jp/authors/VA016670/unix/vi_reference.html vi commands(jp)
http://www.oualline.com/vim-book.html Vim Tutorial and Reference _PDF_
http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml IANA Service Name and Transport Protocol Port Number
https://selinuxproject.org/page/Main_Page SELinux project
http://freecomputerbooks.com/books/The_SELinux_Notebook-4th_Edition.pdf SElinux textbook

On VNC panel>

https://cp.myvps.jp/Home.aspx Onamae Home
root login

#update system

yum update
	#===wait for a while===

Note: The VNC browser view is uncomfortable because cut and paste with the Windows clipboard does not work, so you should set up an SSH connection as soon as possible.

On Client>

Connect by password authentication (temporarily).
TeraTermPro on Windows, e.g.
shell "C:\Program Files (x86)\teraterm\ttermpro.exe"
Host: <your vps host ip or name>
Port: 22
User: <wheel user id> (temporary connection with the root id and password)
Password authentication.
You can log in with your own user, not root.

login: <root id>
Password:<root password>
The wheel user was set up earlier, when the OS was installed.

### VIM setting ###
cd ~

vi .vimrc
#—.vimrc——-
set nocompatible
set fileformats=unix,dos
set history=50
set number
set list
set showmatch
syntax on
highlight Comment ctermfg=LightCyan
set wrap
#—————-end

### cf. Check volumes and partitions ###

yum -y install system-storage-manager

ssm list

### change wheel user policy ###

cd /etc/pam.d
cp su su.bak
vi su
  auth       required     pam_wheel.so use_uid
  #↑ remove the leading # so this line is active
  #vi command: move the cursor to the target and press [x], then [ESC] and type [:wq]

### make sshd_config more secure by changing the well-known port ###
Check the IANA website, "Service Name and Transport Protocol Port Number Registry".
Choose a new port number for your ssh connection from 32768 to 61000 (the Linux default local port range). Other numbers may be OK, but they must be checked for conflicts against known port numbers.

### change port ###

cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak	#save the original file

vi /etc/ssh/sshd_config
	Port <new ssh port>
	#vi command: press [i], move the cursor to the target and type your number,
	#then [ESC] and [:wq]. If you make a mistake, undo with [ESC][u].
	#learn how to use vim with vimtutor.

### selinux confirm enforcing and set new port ###

sestatus
vi /etc/selinux/config
	SELINUX=enforcing
	#Do not choose permissive or disabled

yum install policycoreutils-python
semanage port -a -t ssh_port_t -p tcp <new ssh port>
	#The new ssh port number must not already be labeled for another service

### firewalld ###

cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/ssh.xml
vi /etc/firewalld/services/ssh.xml
	<port protocol="tcp" port="<new ssh port>"/>

firewall-cmd --reload
systemctl restart sshd
systemctl -l status sshd	#check that the port number has changed

### key generate ###

vi /etc/ssh/sshd_config
	#HostKey /etc/ssh/ssh_host_key
	#HostKey /etc/ssh/ssh_host_ecdsa...
	#HostKey /etc/ssh/ssh_host_ed255...
		#It would be better to comment out all authentication methods except the RSA key.
	LogLevel verbose
	#PermitRootLogin no    #at the end of this chapter you must remove the leading #
	MaxAuthTries 2
	MaxSessions 4
	RSAAuthentication yes	#SSH protocol 1 option; deprecated and ignored by newer OpenSSH
	PubkeyAuthentication yes
	PasswordAuthentication no
	#GSSAPIA.......
	#GSSAPIC.......
	#X11Forwarding
	Banner none

cd	#root home
mkdir .ssh
cd .ssh
ssh-keygen
	$Enter...save the key(...id_rsa): [enter]
	$Enter passphrase... <key password>
	#id_rsa (private key) and id_rsa.pub (public key) are generated in /root/.ssh

mkdir /home/<your user id>/.ssh

cp id_rsa.pub /home/<your user id>/.ssh/authorized_keys
	# Name the public key file to match AuthorizedKeysFile in sshd_config, and copy it for the login user.
	# .ssh and authorized_keys must not be group- or world-writable, or sshd (StrictModes) will ignore them.
	# With TeraTerm's SSH SCP, receive [/root/.ssh/id_rsa] to a suitable directory on the local PC, e.g. "C:\Program Files (x86)\teraterm"

rm -fR /root/.ssh    #you don't need root's .ssh; this invalidates root key login on this sshd.

firewall-cmd --reload

systemctl restart sshd

systemctl -l status sshd
        #check that the port number has changed
	#keep this connection open, and

### New connection ###
On Client>
TeraTermPro: log in with id_rsa (key)
#If this key connection succeeds, you can safely close the 1st and 2nd TeraTermPro windows.
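As an added example (not from the original manual), a check of an sshd_config against the settings of this chapter, plus a check that the chosen port is inside the 32768-61000 range and not already registered in /etc/services. It runs on constructed sample files; on a real host point it at /etc/ssh/sshd_config and /etc/services.

```shell
#!/bin/sh
# Check an sshd_config against the settings this chapter asks for, and check
# the chosen port against the 32768-61000 range recommended above.

# Effective value of a directive: sshd takes the first non-comment match.
sshd_get() {  # $1 = config file, $2 = directive (case-insensitive)
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# A port is acceptable if it lies in 32768-61000 and no tcp service is
# registered on it in $2 (/etc/services format).  Note: this range is also
# the kernel's default ephemeral range, so a listener there can collide with
# outgoing connections unless it is reserved.  Returns 0 if acceptable.
port_ok() {
    p=$1
    case $p in ''|*[!0-9]*) return 1 ;; esac
    [ "$p" -ge 32768 ] && [ "$p" -le 61000 ] || return 1
    ! grep -Eq "^[^#[:space:]]+[[:space:]]+$p/tcp" "$2"
}

# Print every deviation from the chapter's settings; return 1 if any.
check_sshd_config() {  # $1 = sshd_config, $2 = services file
    rc=0
    for want in "PermitRootLogin no" "PubkeyAuthentication yes" \
                "PasswordAuthentication no" "MaxAuthTries 2"; do
        key=${want% *}; val=${want#* }
        have=$(sshd_get "$1" "$key")
        [ "$have" = "$val" ] || { echo "$key: want '$val', got '${have:-unset}'"; rc=1; }
    done
    port=$(sshd_get "$1" Port)
    port_ok "${port:-22}" "$2" ||
        { echo "Port: '${port:-22}' is outside 32768-61000 or already registered"; rc=1; }
    return $rc
}

# Constructed samples (not real system files).  $1 = directory to write into.
write_sshd_samples() {
    cat > "$1/services" <<'EOF'
ssh             22/tcp
dummy-svc       40000/tcp   # constructed entry inside the private range
EOF
    cat > "$1/sshd_weak" <<'EOF'
#PermitRootLogin no
PasswordAuthentication yes
PubkeyAuthentication yes
EOF
    cat > "$1/sshd_good" <<'EOF'
Port 40022
PermitRootLogin no
MaxAuthTries 2
PubkeyAuthentication yes
PasswordAuthentication no
EOF
}
```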

### Setting root mail forwarding ###

vi /etc/aliases
	# Person who should get root's mail
	#root:          marc
	   #↑ remove the leading # and change 'marc' to your e-mail address
	root:             i@<ip>.jp

newaliases

echo test | mail root
    #If you receive mail from "root@<ip>", the settings are working.

### Setting auto update ###

yum -y install yum-cron yum-utils

vi /etc/yum/yum-cron.conf
	apply_updates = yes
	#Do not enable this before running yum update; it may fail on dependencies.

vi /etc/cron.daily/0yum-daily.cron

vi /etc/yum/yum-cron-hourly.conf
vi /etc/cron.hourly/0yum-hourly.cron

systemctl start yum-cron
systemctl enable yum-cron
systemctl restart yum-cron
systemctl -l  status yum-cron

### update system ###

yum -y update

### Record the result ###

cat /etc/passwd > p.txt
yum list installed > y.txt
journalctl > f.txt
	#save these files to the client
reboot

Lead time: 30 min

LAMP server on VPS test install manual (1)

Caution: These instructions do not cover strict security. You need to know much more to keep a server secure when publishing it to the world, so I recommend that the server built here be used only for personal practice in setting up a LAMP (Linux, Apache, MySQL, Perl/PHP/Python) web server. If you want to learn more, visit the related links suggested below; they will help you.
Note: Placeholders are written as < ..data.. >; fill in your own data. [...] marks a key press.

0. Introduction

Onamae.com VPS (KVM) plan
Virtual 2-core CPU, 1GB memory, 20GB HDD + 80GB HDD (scalable)

Install planning

  1. OS install
  2. SSH secure console set
  3. Antivirus and security check
  4. Secure Web (Openssl,MariaDB,Apache,Perl)
  5. PHP
  6. Domain and SSL authorized certification
  7. phpMyadmin
  8. CakePHP
  9. WordPress
  10. AIDE
  11. Running System

1. OS install

Download the latest OS image from the official site: https://www.centos.org/
The full version is too large for a DVD.
Upload the image to the VPS provider's storage, following its instructions.

Note: The mouse does not work in Google Chrome; you need the Firefox web browser. e.g. path on Windows
shell "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" https://cp.myvps.jp/Home.aspx

Control Panel >
Server List >kvm************ [click]
Power Off (Confirm stop power)
OS re-install tab
OS: [custom OS] > pull down the list; the last one is the latest you uploaded.
Semi-virtual driver (virtio) [on]
VNC console key map [ja]
video [vmvga]
Disks [Custom][100GB] <expand; partitioning is set automatically
> [confirm] >[execute] >[return to server list] >[power on]
>Power on ready? [yes]
Server list >kvm************ [click]
See console view
click and start [click]
Next view get from the icon right above
[Enter] to start install

The installer view >
keyboard [Japanese] #pick by 'j'
Selected install device: Basic, expanded to 80GB+20GB
It's OK with the default settings.
If you know about the Linux filesystem, I recommend creating customized partitions like this:
pool name = <as you like ...>
filesystem = xfs
partitions = / , /var , /tmp, /home (each size is your choice within your VPS limitation)
/boot and swap should be left at their defaults.

KDUMP off
Selected software as webserver(MariaDB,perl,php,python) + developer
Enabling the network connection

>[Start Installer]
root pass <root password>
create user <your id > to be administrator pass <your-ids password>
===wait for a while (about 30 min)===
Reboot [click]
Eject the custom OS disk [click]
Force-eject the install disk from the check box at the top of the view.
When the progress bar is displayed and the "login :" prompt appears, the install has succeeded.
Enter your user and password and try to log in.

login: <your user>
Password:<your pass>
$ su root
Password:<root pass>
# prompt changed

Lead time: 60-90 min (depends on network speed)