LAMP server on VPS test install manual (2)

Caution: These instructions do not cover strict security. You need to know much more to keep a server secure once it is published to the world, so I recommend that the server built here be used only for personal practice in setting up a LAMP (Linux, Apache, MySQL, Perl/PHP/Python) web server. If you want to go further, visit the related links suggested below; they should be a good help.
Note: Placeholders are written as < ..data.. >; fill in your own data. [...] marks a key press.

2. SSH secure console set

http://www.vim.org/ Vim
http://hp.vector.co.jp/authors/VA016670/unix/vi_reference.html vi commands(jp)
http://www.oualline.com/vim-book.html Vim Tutorial and Reference _PDF_
http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml IANA Service Name and Transport Protocol Port Number
https://selinuxproject.org/page/Main_Page SELinux project
http://freecomputerbooks.com/books/The_SELinux_Notebook-4th_Edition.pdf SELinux textbook

On VNC panel>

https://cp.myvps.jp/Home.aspx Onamae Home
root login

#update system

yum update
	#===wait for a while===

Note: The VNC browser console is awkward to use because cut and paste with the Windows clipboard does not work, so you should set up an SSH connection as soon as possible.

On Client>

Connect with password authentication (temporarily).
TeraTermPro on Windows, e.g.
shell "C:\Program Files (x86)\teraterm\ttermpro.exe"
Host: <your vps host ip or name>
Port: 22
User: <wheel user id>    #temporary connection with root and password
Password authentication.
You can log in with your own user instead of root.

login: <root id>
Password: <root password>
The wheel user was created earlier, when the OS was installed.

### VIM setting ###
cd ~

vi .vimrc
" ---- .vimrc (file contents; vim comments start with a double quote) ----
set nocompatible
set fileformats=unix,dos
set history=50
set number
set list
set showmatch
syntax on
highlight Comment ctermfg=LightCyan
set wrap
" ---- end ----

### Check volumes and partitions ###

yum -y install system-storage-manager

ssm list

### change wheel user policy ###

cd /etc/pam.d
cp su su.bak
vi su
  auth       required     pam_wheel.so use_uid
  #↑ uncomment this line (delete its leading #) so that only members of the wheel group can su to root
  #vi command: move the cursor to the leading # and press [x], then [ESC] and type [:wq]

### make sshd more secure by changing the well-known port ###
Check the IANA website and see the "Service Name and Transport Protocol Port Number Registry".
Choose a new port number for your SSH connection between 32768 and 61000 (the range Linux keeps for private/ephemeral ports). Other numbers may also be fine, but they must be checked for conflicts with registered port numbers.

### change port ###

cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak	#save the original file

vi /etc/ssh/sshd_config
	Port <new ssh port>
	#vi command: press [i], move the cursor to the target and type your number,
	#then [ESC] and [:wq]. If you make a mistake, [ESC][u] undoes it.
	#learn how to use vim with vimtutor.

### selinux: confirm enforcing and register the new port ###

sestatus
vi /etc/selinux/config
	SELINUX=enforcing	#Do not choose permissive or disabled (no trailing semicolon in this file)

yum install policycoreutils-python
semanage port -a -t ssh_port_t -p tcp <new ssh port>
	#The new ssh port number must not already be mapped to another SELinux port type
	#(check with: semanage port -l | grep <new ssh port>)

### firewalld ###

cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/ssh.xml
vi /etc/firewalld/services/ssh.xml
	<port protocol="tcp" port="<new ssh port>"/>	#replace port="22"

firewall-cmd --reload
systemctl restart sshd
systemctl -l status sshd	#check that sshd is now listening on the new port
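The port change above, collected into one script as an added example (this is not code from the original post). It checks the chosen port against the 32768-61000 range and against /etc/services, rewrites the Port directive, validates the file with `sshd -t` before restarting anything, and only then updates SELinux, the firewalld ssh service file and sshd. It assumes CentOS 7 with firewalld and policycoreutils-python installed; the helper names, the `--apply` flag and the sample services file in the comments are my own choices. The privileged part runs only when you pass `--apply`, so the helpers can be tried safely first.

```sh
#!/bin/sh
# Added example, not part of the original post: the chapter's port change as a
# script with the checks done before touching a live sshd.
# Assumed: CentOS 7, firewalld, SELinux enforcing, policycoreutils-python.
# Privileged steps run only via:  sh ssh-port.sh --apply <new ssh port>

# 0 if PORT is a number inside the 32768-61000 range the chapter suggests.
port_in_private_range() {
    port=$1
    case "$port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 32768 ] && [ "$port" -le 61000 ]
}

# 0 if PORT is not assigned to any service in SERVICES_FILE, which has the
# /etc/services layout: "name port/proto [aliases]" plus # comment lines.
port_unregistered() {
    port=$1
    services_file=${2:-/etc/services}
    ! awk -v p="$port" '
        $1 !~ /^#/ && $2 ~ /^[0-9]+\// {
            split($2, a, "/"); if (a[1] == p) { found = 1; exit }
        }
        END { exit !found }' "$services_file"
}

# Replace every Port line (active or commented) in CONFIG with a single
# active "Port PORT" line at the top, so it cannot land inside a Match block.
set_sshd_port() {
    config=$1
    port=$2
    tmp=$(mktemp)
    {
        printf 'Port %s\n' "$port"
        grep -v '^[#[:space:]]*Port[[:space:]]' "$config" || true
    } > "$tmp"
    cat "$tmp" > "$config"
    rm -f "$tmp"
}

# Privileged part: back up, edit, validate, then tell SELinux, firewalld and
# sshd about the new port. Keep the current session open until the new port
# has been tested from a second client window.
apply_port_change() {
    port=$1
    port_in_private_range "$port" || { echo "$port is outside 32768-61000" >&2; return 1; }
    port_unregistered "$port" || { echo "$port is assigned in /etc/services" >&2; return 1; }
    [ -f /etc/ssh/sshd_config.bak ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
    set_sshd_port /etc/ssh/sshd_config "$port"
    # sshd -t parses the config without starting it; a typo would otherwise
    # leave sshd down after the restart and lock you out of the VPS.
    sshd -t || { cp /etc/ssh/sshd_config.bak /etc/ssh/sshd_config; return 1; }
    semanage port -a -t ssh_port_t -p tcp "$port"
    [ -f /etc/firewalld/services/ssh.xml ] || cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/ssh.xml
    sed -i "s/port=\"22\"/port=\"$port\"/" /etc/firewalld/services/ssh.xml
    firewall-cmd --reload
    systemctl restart sshd
    ss -tlnp | grep ":$port "    # sshd must now be listening on the new port
}

if [ "${1:-}" = "--apply" ]; then
    apply_port_change "$2"
fi
```

The `sshd -t` step is the one this chapter lacks: it is the difference between a config typo that you fix in the same session and one that you only discover after the restart has already closed the door.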

### key generate ###

vi /etc/ssh/sshd_config
	#HostKey /etc/ssh/ssh_host_key
	#HostKey /etc/ssh/ssh_host_ecdsa...
	#HostKey /etc/ssh/ssh_host_ed255...
		#It would be better to comment out all HostKey lines except the RSA one.
	LogLevel verbose
	#PermitRootLogin no    #at the end of this chapter, remove the leading # to forbid root login
	MaxAuthTries 2
	MaxSessions 4
	RSAAuthentication yes    #SSH protocol 1 option; current sshd ignores it with a warning
	PubkeyAuthentication yes
	PasswordAuthentication no    #spell the keyword exactly: an unknown keyword stops sshd from starting
	#GSSAPIA.......
	#GSSAPIC.......
	#X11Forwarding
	Banner none
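An added example, not code from the original post: a small audit that reads an sshd_config and reports directives that differ from the values set in this chapter, plus any keyword sshd would not recognise. The accepted-keyword list is an assumed subset, enough for the directives used here; `sshd -t` remains the authority. The constructed demo file deliberately contains a misspelled keyword of the kind that makes sshd refuse to start after `systemctl restart sshd`.

```sh
#!/bin/sh
# Added example, not part of the original post: audit an sshd_config against
# the values this chapter sets and flag keywords sshd does not know.
# The known-keyword list below is an assumption (a subset of what sshd
# accepts); run "sshd -t" for the real verdict.

# Prints one line per finding (UNKNOWN / WRONG / MISSING) and returns 1 if
# there was any; returns 0 for a config that matches the chapter.
audit_sshd_config() {
    config=$1
    awk '
    BEGIN {
        want["permitrootlogin"] = "no"
        want["passwordauthentication"] = "no"
        want["pubkeyauthentication"] = "yes"
        want["maxauthtries"] = "2"
        want["maxsessions"] = "4"
        want["loglevel"] = "verbose"
        n = split("port hostkey loglevel permitrootlogin maxauthtries maxsessions rsaauthentication pubkeyauthentication passwordauthentication gssapiauthentication gssapicleanupcredentials x11forwarding banner challengeresponseauthentication usepam syslogfacility subsystem acceptenv authorizedkeysfile listenaddress protocol usedns", kw, " ")
        for (i = 1; i <= n; i++) known[kw[i]] = 1
        bad = 0
    }
    /^[[:space:]]*(#|$)/ { next }              # skip comments and blank lines
    {
        key = tolower($1); val = tolower($2)    # sshd keywords are case-insensitive
        if (!(key in known)) { print "UNKNOWN " $1; bad = 1 }
        else if (key in want) {
            seen[key] = 1
            if (val != want[key]) { print "WRONG " $1 "=" $2 " (want " want[key] ")"; bad = 1 }
        }
    }
    END {
        for (k in want) if (!(k in seen)) { print "MISSING " k " (want " want[k] ")"; bad = 1 }
        exit bad
    }' "$config"
}

# Stand-alone demo on a constructed file carrying the typo from this chapter:
# expected findings are UNKNOWN PasswordAuthentification and MISSING
# passwordauthentication, and a return status of 1.
demo_audit() {
    f=$(mktemp)
    printf 'Port 40001\nLogLevel verbose\nPermitRootLogin no\nMaxAuthTries 2\nMaxSessions 4\nPubkeyAuthentication yes\nPasswordAuthentification no\n' > "$f"
    audit_sshd_config "$f"
    status=$?
    rm -f "$f"
    return $status
}
```

Run `audit_sshd_config /etc/ssh/sshd_config` after editing and before restarting; a misspelled keyword shows up as UNKNOWN together with the MISSING line for the directive it was meant to be.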

cd	#root home
mkdir .ssh
cd .ssh
ssh-keygen
	$Enter...save the key(...id_rsa): [enter]
	$Enter passphrase... <key password>
	#id_rsa (private key) and id_rsa.pub (public key) are generated in /root/.ssh

mkdir /home/<your user id>/.ssh

cp id_rsa.pub /home/<your user id>/.ssh/authorized_keys
	# The public key file name must match AuthorizedKeysFile in sshd_config; it is copied for the login user.
chown -R <your user id>:<your user id> /home/<your user id>/.ssh
chmod 700 /home/<your user id>/.ssh
chmod 600 /home/<your user id>/.ssh/authorized_keys
	# sshd (StrictModes) ignores an authorized_keys that is owned by root or has loose permissions.
	# With Tera Term's SSH SCP, receive [/root/.ssh/id_rsa] into [a proper directory on the local PC], e.g. "C:\Program Files (x86)\teraterm"

rm -fR /root/.ssh    #root's .ssh is no longer needed; root login on this sshd is disabled.

firewall-cmd --reload

systemctl restart sshd

systemctl -l status sshd
        #check that the port number has been changed
	#keep this connection open and
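The key installation above as an added example, not code from the original post: it installs a public key into a login user's authorized_keys with the ownership and mode bits sshd's default StrictModes requires, refuses anything that is not an OpenSSH public key (so the private id_rsa from this chapter can never be pasted in by mistake), and is safe to run twice. It assumes GNU coreutils (`stat -c`); the function names and the constructed demo key are my own.

```sh
#!/bin/sh
# Added example, not part of the original post: install a public key for a
# login user the way this chapter does by hand, with the ownership and modes
# sshd (StrictModes) insists on. Assumed: GNU coreutils. Run as root for a
# real user; the demo below uses a temp directory and a constructed key.

# Usage: install_authorized_key HOME_DIR OWNER PUBKEY_FILE
install_authorized_key() {
    home=$1
    owner=$2
    pubkey_file=$3
    # Only OpenSSH public key lines are accepted; the private id_rsa from the
    # chapter must never land in authorized_keys.
    if grep -q 'PRIVATE KEY' "$pubkey_file"; then
        echo "refusing $pubkey_file: that is a private key" >&2
        return 1
    fi
    if ! grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp[0-9]+) [A-Za-z0-9+/=]+' "$pubkey_file"; then
        echo "$pubkey_file is not an OpenSSH public key" >&2
        return 1
    fi
    mkdir -p "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    # Append once only, so re-running the setup does not duplicate the key.
    if ! grep -qxF "$(cat "$pubkey_file")" "$home/.ssh/authorized_keys"; then
        cat "$pubkey_file" >> "$home/.ssh/authorized_keys"
    fi
    chown -R "$owner" "$home/.ssh"
    chmod 700 "$home/.ssh"
    chmod 600 "$home/.ssh/authorized_keys"
}

# 0 when the modes are what StrictModes expects.
check_ssh_perms() {
    home=$1
    [ "$(stat -c %a "$home/.ssh")" = 700 ] && \
    [ "$(stat -c %a "$home/.ssh/authorized_keys")" = 600 ]
}

# Number of keys currently authorized for the user whose home is HOME_DIR.
count_authorized_keys() {
    grep -c '^[^#]' "$1/.ssh/authorized_keys"
}

# Stand-alone demo in a temp directory with a constructed (not real) key:
# installs it twice, then checks modes and that exactly one key is present.
demo_install() {
    home=$(mktemp -d)
    key=$(mktemp)
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDconstructedexamplekeyZZ== practice@vps\n' > "$key"
    install_authorized_key "$home" "$(id -un)" "$key"
    install_authorized_key "$home" "$(id -un)" "$key"   # second run must be a no-op
    check_ssh_perms "$home" && [ "$(count_authorized_keys "$home")" -eq 1 ]
    status=$?
    rm -rf "$home" "$key"
    return $status
}
```

On the VPS, `install_authorized_key /home/<your user id> <your user id> /root/.ssh/id_rsa.pub` replaces the cp/chown/chmod sequence; `check_ssh_perms /home/<your user id>` is the thing to run when key login fails with no obvious error, because a permissions problem is only logged on the server side.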

### New connection ###
On Client>
TeraTermPro: log in as <your user id> with the RSA key (id_rsa) instead of a password
#if this key connection succeeds, you can close the 1st and 2nd TeraTermPro windows safely.

### Forward root's mail to you ###

vi /etc/aliases
	# Person who should get root's mail
	#root:          marc
	   #| uncomment this line and change 'marc' to your e-mail address
	root:             i@<ip>.jp

newaliases

echo test | mail root
    #If you receive a mail from "root@<ip>", the setting works.

### Setting auto update ###

yum -y install yum-cron yum-utils

vi /etc/yum/yum-cron.conf
	apply_updates = yes
	#Do not enable this before running yum update once by hand; otherwise it may fail on dependencies.

vi /etc/cron.daily/0yum-daily.cron

vi /etc/yum/yum-cron-hourly.conf
vi /etc/cron.hourly/0yum-hourly.cron

systemctl start yum-cron
systemctl enable yum-cron
systemctl restart yum-cron
systemctl -l  status yum-cron

### update system ###

yum -y update

### Record the result ###

cat /etc/passwd > p.txt
yum list installed > y.txt
journalctl > f.txt
	save these files to the client
reboot

lead-time 30min
