LAMP server on VPS test install manual (3)

Caution: These instructions do not cover strict security. You need to know much more to keep a server properly secure when it is published to the whole world. So I recommend that the server built here be used for your personal practice in making a LAMP (linux-apache-mysql-perl,php,python) web server. If you want further knowledge, visit the related links suggested below. They should be a good help for you.
Note: Placeholders are written as < ..data.. >; you must fill in your own data. […] marks a key input.

3. AntiVirus and Security check install

http://www.clamav.net/lang/en/ ClamAntiVirus
https://github.com/vrtadmin/clamav-faq/raw/master/manual/clamdoc.pdf Manual(pdf)
https://www.adminsys.ch/2015/08/21/installing-clamav-epel-centosred-hat-7-nightmare/ Last resort
https://cisofy.com/ Lynis security solution investigator

### Add repository ###

yum -y install epel-release

### ClamAntiVirus ###

yum -y install clamav clamav-scanner-systemd clamav-update
	#other required packages are installed automatically as dependencies.

vi /etc/clamd.d/scan.conf
	#Example
	#^ comment out
	ExcludePath ^/proc/
	ExcludePath ^/sys/
	LocalSocket /var/run/clamd.scan/clamd.sock
	#^ uncomment (remove the leading #)

vi /etc/freshclam.conf
	#Example
	# Send the RELOAD command to clamd.
	# Default: no
	NotifyClamd /etc/clamd.d/scan.conf

vi /etc/cron.d/clamav-update
	#Example of job definition: every ------>
	# .---------------- minute (0 - 59)
	# |  .------------- hour (0 - 23)
	# |  |  .---------- day of month (1 - 31)
	# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
	# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
	# |  |  |  |  |
	# *  *  *  *  * user-name  command to be executed
	  0  */3  *  *  * root /usr/share/clamav/freshclam-sleep	#you can change time and date

vi /etc/sysconfig/freshclam
	# comment out the line marked "# REMOVE ME"

chmod g+x -R /var/run/clamd.scan
chmod g+rw /var/run/clamd.scan/clamd.sock

	#selinux setting
setsebool -P antivirus_can_scan_system on
setsebool -P antivirus_use_jit on

systemctl enable clamd@scan
	# done automatically: ln -s /usr/lib/systemd/system/clamd@scan.service /etc/systemd/system/multi-user.target.wants/clamd@scan.service

systemctl restart clamd@scan

systemctl -l status clamd@scan

### load and refresh database ###

freshclam	#create the database

### Test scan from command line ###
clamdscan -c /etc/clamd.d/scan.conf --fdpass /var/log/*
	#the scan daemon is already running on your system; check /var/log/messages

### Lynis ###

vi /etc/yum.repos.d/cisofy-lynis.repo
#--- cisofy-lynis.repo ------------------
[lynis]
name=CISOfy Software - Lynis package
baseurl = https://packages.cisofy.com/community/lynis/rpm/
enabled=1
gpgkey = https://packages.cisofy.com/keys/cisofy-software-rpms-public.key
gpgcheck=1
#----------------------------------------end

yum makecache fast

yum -y install lynis

lynis audit system
	#Run as root
	#maybe later ok

Result files:
– Test and debug information : /var/log/lynis.log
– Report data : /var/log/lynis-report.dat

#Some fixes
#change umask(optional)
This is good for security, but may cause some trouble when installing some kinds of applications.

cp /etc/profile /etc/profile.d/custom.sh
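vi /etc/profile.d/custom.sh
	#keep only the umask block below; /etc/profile sources /etc/profile.d/*.sh, so a full copy left here would source itself again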
	if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
	    umask 007
	else
	    umask 027
	fi

#chage
For more security, use chage -E, -I, -W …
At least…

vi /etc/login.defs
	PASS_MAX_DAYS   <your choice, set properly>
	PASS_MIN_DAYS   <your choice, not 0>
	PASS_MIN_LEN    <your choice, over 8 recommended>

#blacklist unused modules

vi /etc/modprobe.d/blacklist-devices.conf
blacklist firewire-core
blacklist soundcore
blacklist dvb_usb
blacklist dvb_usb_v2
blacklist usb-storage

modprobe --showconfig | grep blacklist

#hide banner info

vi /etc/postfix/main.cf
	smtpd_banner = $myhostname ESMTP

vi /etc/php.ini
	expose_php = Off
	allow_url_fopen = Off

#others

vi /etc/profile
	002->007
	022->027
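
A quick way to confirm that the fixes above were applied, as an added example that is not part of the original manual. It reads copies of login.defs, php.ini, main.cf and blacklist-devices.conf from one directory (an assumed layout; the function names and sample files are constructed here) and prints one line for each value that is still missing.

```sh
#!/bin/sh
# Added example: report which hardening values from the steps above are missing.
# $1 of audit() is a directory holding copies of the four files (assumption).

conf_value() {   # $1=file $2=key $3=ini|ws ; prints the last uncommented value
    awk -v k="$2" -v m="$3" '
        /^[ \t]*[#;]/ { next }
        m == "ini" { i = index($0, "="); if (!i) next
                     key = substr($0, 1, i - 1); val = substr($0, i + 1) }
        m != "ini" { key = $1; val = $2 }
        { gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
          if (key == k) v = val }
        END { print v }' "$1"
}

audit() {        # prints one line per finding, nothing when all checks pass
    min_days=$(conf_value "$1/login.defs" PASS_MIN_DAYS ws)
    min_len=$(conf_value "$1/login.defs" PASS_MIN_LEN ws)
    [ "${min_days:-0}" -gt 0 ] || echo "login.defs: PASS_MIN_DAYS is 0 or unset"
    [ "${min_len:-0}" -gt 8 ] || echo "login.defs: PASS_MIN_LEN is not over 8"
    for key in expose_php allow_url_fopen; do
        val=$(conf_value "$1/php.ini" "$key" ini | tr 'A-Z' 'a-z')
        [ "$val" = off ] || echo "php.ini: $key is not Off"
    done
    case "$(conf_value "$1/main.cf" smtpd_banner ini)" in
        ""|*mail_name*|*mail_version*) echo "main.cf: smtpd_banner unset or shows software info" ;;
    esac
    for mod in firewire-core soundcore dvb_usb dvb_usb_v2 usb-storage; do
        grep -qx "blacklist $mod" "$1/blacklist-devices.conf" ||
            echo "modprobe: $mod is not blacklisted"
    done
    return 0
}

# Constructed sample trees: "weak" = untouched values, "hard" = values set as on this page.
SAMPLE=$(mktemp -d)
mkdir "$SAMPLE/weak" "$SAMPLE/hard"
printf 'PASS_MAX_DAYS 99999\nPASS_MIN_DAYS 0\nPASS_MIN_LEN 5\n' > "$SAMPLE/weak/login.defs"
printf 'expose_php = On\nallow_url_fopen = On\n' > "$SAMPLE/weak/php.ini"
printf '#smtpd_banner = $myhostname ESMTP $mail_name\n' > "$SAMPLE/weak/main.cf"
: > "$SAMPLE/weak/blacklist-devices.conf"
printf 'PASS_MAX_DAYS 90\nPASS_MIN_DAYS 1\nPASS_MIN_LEN 12\n' > "$SAMPLE/hard/login.defs"
printf '; constructed\nexpose_php = Off\nallow_url_fopen = Off\n' > "$SAMPLE/hard/php.ini"
printf 'smtpd_banner = $myhostname ESMTP\n' > "$SAMPLE/hard/main.cf"
printf 'blacklist %s\n' firewire-core soundcore dvb_usb dvb_usb_v2 usb-storage \
    > "$SAMPLE/hard/blacklist-devices.conf"

echo "weak:"; audit "$SAMPLE/weak"
echo "hard:"; audit "$SAMPLE/hard"
```

To use it on the server, copy /etc/login.defs, /etc/php.ini, /etc/postfix/main.cf and /etc/modprobe.d/blacklist-devices.conf into one directory and pass that directory to audit.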

leadtime 30min
