LAMP server on VPS test install manual (3)

Caution: These instructions do not aim for strict security. You need to know much more to keep a server properly secure when publishing it to the whole world, so the server built here should be used for your personal practice in setting up a LAMP (Linux, Apache, MySQL, Perl/PHP/Python) web server. If you want further knowledge, visit the related links suggested below; they should be a good help.
Note: Placeholders are written as < ..data.. >; you must fill in your own data. […] marks a key to press.

3. AntiVirus and Security check install

http://www.clamav.net/lang/en/ ClamAntiVirus
https://github.com/vrtadmin/clamav-faq/raw/master/manual/clamdoc.pdf Manual(pdf)
https://www.adminsys.ch/2015/08/21/installing-clamav-epel-centosred-hat-7-nightmare/ Last resort
https://cisofy.com/ Lynis security solution investigator

### Add repository ###

yum -y install epel-release

### ClamAntiVirus ###

yum -y install clamav clamav-scanner-systemd clamav-update
	# The other required packages are pulled in automatically as dependencies.

vi /etc/clamd.d/scan.conf
	#Example
	#^ comment out the "Example" line (clamd refuses to start while it is present)
	ExcludePath ^/proc/
	ExcludePath ^/sys/
	LocalSocket /var/run/clamd.scan/clamd.sock
	#^ remove the leading # from the LocalSocket line

vi /etc/freshclam.conf
	#Example
	#^ comment out the "Example" line here too
	# Send the RELOAD command to clamd.
	# Default: no
	NotifyClamd /etc/clamd.d/scan.conf
	#^ remove the leading # so freshclam tells clamd to reload new signatures

vi /etc/cron.d/clamav-update
	#Example of job definition: every ------>
	# .---------------- minute (0 - 59)
	# |  .------------- hour (0 - 23)
	# |  |  .---------- day of month (1 - 31)
	# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
	# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
	# |  |  |  |  |
	# *  *  *  *  * user-name  command to be executed
	  0  */3  *  *  * root /usr/share/clamav/freshclam-sleep	#you can change time and date

vi /etc/sysconfig/freshclam
	# Comment out the line marked "# REMOVE ME" (FRESHCLAM_DELAY=disabled-warn); freshclam will not run while it is active.

chmod g+x -R /var/run/clamd.scan
chmod g+rw /var/run/clamd.scan/clamd.sock

	#selinux setting
setsebool -P antivirus_can_scan_system on
setsebool -P antivirus_use_jit on

systemctl enable clamd@scan
	# automated; ln -s /usr/lib/systemd/system/clamd@scan.service /etc/systemd/system/multi-user.target.wants/clamd@scan.service

systemctl restart clamd@scan

systemctl -l status clamd@scan

### load and refresh database ###

freshclam	#download the initial signature database

### Test scan from command line ###
clamdscan -c /etc/clamd.d/scan.conf --fdpass /var/log/*
	# The scan daemon is already running on your system; check /var/log/messages for its output.

### Lynis ###

vi /etc/yum.repos.d/cisofy-lynis.repo
#--- cisofy-lynis.repo ------------------
[lynis]
name=CISOfy Software - Lynis package
baseurl = https://packages.cisofy.com/community/lynis/rpm/
enabled=1
gpgkey = https://packages.cisofy.com/keys/cisofy-software-rpms-public.key
gpgcheck=1
#----------------------------------------end

yum makecache fast

yum -y install lynis

lynis audit system
	# Run as root. You can run it again later, after the fixes below.

Result files:
– Test and debug information : /var/log/lynis.log
– Report data : /var/log/lynis-report.dat
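Lynis writes the report data as key=value lines; keys that repeat carry a [] suffix, and each warning[] and suggestion[] value is pipe-separated (TEST-ID|description|detail|-|). The helper below is an added example, not from the manual or from the Lynis project, and runs on a constructed sample in that layout; pass /var/log/lynis-report.dat instead to summarise the real report.

```shell
#!/bin/sh
# Pull the actionable items out of a Lynis report (.dat) file. The file is a
# list of key=value lines; keys that repeat carry a "[]" suffix, and warning[]
# and suggestion[] values are pipe-separated: TEST-ID|description|detail|-|

# lynis_count FILE KIND -> number of KIND entries (KIND is warning or suggestion)
lynis_count() { grep -c "^$2\[\]=" "$1"; }

# lynis_findings FILE KIND -> "TEST-ID: description (detail)" per entry, sorted
lynis_findings() {
    grep "^$2\[\]=" "$1" | cut -d= -f2- |
        awk -F'|' '{ d = ($3 != "" && $3 != "-") ? (" (" $3 ")") : ""; print $1 ": " $2 d }' |
        sort
}

# lynis_score FILE -> the hardening index, or n/a if the report lacks it
lynis_score() {
    awk -F= '$1 == "hardening_index" { print $2; found = 1 }
             END { if (!found) print "n/a" }' "$1"
}

# Constructed sample in the report layout, not output from a real audit.
REPORT=$(mktemp)
cat > "$REPORT" <<'EOF'
report_version_major=1
hardening_index=64
warning[]=PKGS-7392|Found one or more vulnerable packages.|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|MaxAuthTries (set 6 to 3)|-|
suggestion[]=AUTH-9286|Configure minimum password age in /etc/login.defs|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (set YES to NO)|-|
EOF
echo "hardening index: $(lynis_score "$REPORT")"
echo "warnings ($(lynis_count "$REPORT" warning)):";       lynis_findings "$REPORT" warning
echo "suggestions ($(lynis_count "$REPORT" suggestion)):"; lynis_findings "$REPORT" suggestion
rm -f "$REPORT"
```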

#Some fixes
#change umask (optional)
A stricter umask is good for security, but may cause trouble when installing some kinds of application.

vi /etc/profile.d/custom.sh
	# Put only the umask block below into this new file. Do not copy the whole
	# /etc/profile here: /etc/profile sources every /etc/profile.d/*.sh, so a
	# copy of it in profile.d would source itself endlessly at login.
	if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
	    umask 007
	else
	    umask 027
	fi

#chage
For tighter account policy you can also use chage -E, -I, -W …
At least set the following:

vi /etc/login.defs
	PASS_MAX_DAYS   <your choice of a proper value>
	PASS_MIN_DAYS   <your choice, not 0>
	PASS_MIN_LEN    <your choice, 8 or more recommended>

#blacklist unused kernel modules

vi /etc/modprobe.d/blacklist-devices.conf
blacklist firewire-core
blacklist soundcore
blacklist dvb_usb
blacklist dvb_usb_v2
blacklist usb-storage

modprobe --showconfig | grep blacklist

#hide banner and version information

vi /etc/postfix/main.cf
	smtpd_banner = $myhostname ESMTP

vi /etc/php.ini
	expose_php = Off
	allow_url_fopen = Off

#others

vi /etc/profile
	umask 002 -> 007
	umask 022 -> 027

Lead time: 30 min

LAMP server on VPS test install manual (2)


2. Secure SSH console setup

http://www.vim.org/ Vim
http://hp.vector.co.jp/authors/VA016670/unix/vi_reference.html vi commands(jp)
http://www.oualline.com/vim-book.html Vim Tutorial and Reference _PDF_
http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml IANA Service Name and Transport Protocol Port Number
https://selinuxproject.org/page/Main_Page SELinux project
http://freecomputerbooks.com/books/The_SELinux_Notebook-4th_Edition.pdf SElinux textbook

On VNC panel>

https://cp.myvps.jp/Home.aspx Onamae Home
root login

#update system

yum update
	#===wait for a while===

Note: The VNC browser view is awkward because cut and paste with the Windows clipboard does not work, so you had better set up an SSH connection as soon as possible.

On Client>

Connect with password authentication (temporarily).
e.g. TeraTermPro on Windows:
shell “C:\Program Files (x86)\teraterm\ttermpro.exe”
Host: <your vps host ip or name>
Port: 22
User: <wheel user id>	# temporary connection with the root id and password
Password authentication.
You can log in with your own user, not root.

login: <root id>
Password: <root password>
The wheel user was set up earlier, when the OS was installed.

### VIM setting ###
cd ~

vi .vimrc
#--- .vimrc ------------------------------
set nocompatible
set fileformats=unix,dos
set history=50
set number
set list
set showmatch
syntax on
highlight Comment ctermfg=LightCyan
set wrap
#----------------------------------------end

### Check volumes and partitions ###

yum -y install system-storage-manager

ssm list

### change wheel user policy ###

cd /etc/pam.d
cp su su.bak
vi su
  auth       required     pam_wheel.so use_uid
  #↑ uncomment this line (delete its leading #) so that only members of the wheel group can su
  #vi command : move the cursor to the # and press [x], then [ESC] and type [:wq]

### Make sshd_config more secure by changing the well-known port ###
Check the IANA website and see the “Service Name and Transport Protocol Port Number Registry”.
Choose a new port number for your SSH connection from 32768 to 61000 (the Linux dynamic/private range). Another number may be fine, but then you must check it for conflicts against the registered port numbers.

### change port ###

cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak	#save the original file

vi /etc/ssh/sshd_config
	Port <new ssh port>
	#vi command: press [i], move the cursor to the target and type your number,
	#then [ESC] and type [:wq]. If you make a mistake, undo with [ESC][u].
	#Learn how to use vim with vimtutor.

### selinux confirm enforcing and set new port ###

sestatus
vi /etc/selinux/config
	SELINUX=enforcing	#Do not choose permissive or disabled

yum install policycoreutils-python
semanage port -a -t ssh_port_t -p tcp <new ssh port>
	#The new ssh port must not be one already assigned to another SELinux port type (check with semanage port -l)

### firewalld ###

cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/ssh.xml
vi /etc/firewalld/services/ssh.xml
	<port protocol="tcp" port="<new ssh port>"/>

firewall-cmd --reload
systemctl restart sshd
systemctl -l status sshd	#check that the port number has changed

### key generate ###

vi /etc/ssh/sshd_config
	#HostKey /etc/ssh/ssh_host_key
	#HostKey /etc/ssh/ssh_host_ecdsa...
	#HostKey /etc/ssh/ssh_host_ed255...
	#^ It is better to comment out every HostKey line except the RSA one,
	#  so that only RSA key authentication remains in use.
	LogLevel verbose
	#PermitRootLogin no    #at the end of this chapter you must remove the leading # to disable root login
	MaxAuthTries 2
	MaxSessions 4
	RSAAuthentication yes
	PubkeyAuthentication yes
	PasswordAuthentication no	#mind the spelling: sshd refuses to start on an unknown keyword
	#GSSAPIA.......
	#GSSAPIC.......
	#X11Forwarding
	Banner none
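An added check, not part of the original manual, that audits an sshd_config for the settings this chapter sets (port moved off 22, PermitRootLogin no, PasswordAuthentication no, PubkeyAuthentication yes, MaxAuthTries 2, MaxSessions 4, LogLevel verbose, Banner none). It runs on a constructed sample file that contains the kind of mistakes made while editing; point it at /etc/ssh/sshd_config to check your own server.

```shell
#!/bin/sh
# Audit an sshd_config against the values this chapter sets. sshd uses the FIRST
# uncommented occurrence of a keyword (later duplicates are ignored), matches
# keywords case-insensitively, and never matches a misspelled one (shows as unset).

# effective_value FILE KEYWORD -> value in force, or nothing if unset
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# check_sshd_config FILE -> one "FAIL ..." line per deviation; returns their count
check_sshd_config() {
    fails=0
    for pair in PermitRootLogin=no PasswordAuthentication=no \
                PubkeyAuthentication=yes MaxAuthTries=2 MaxSessions=4 \
                LogLevel=verbose Banner=none; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(effective_value "$1" "$key" | tr 'A-Z' 'a-z')
        if [ "$got" != "$want" ]; then
            echo "FAIL $key want=$want got=${got:-unset(default)}"
            fails=$((fails + 1))
        fi
    done
    port=$(effective_value "$1" Port)
    if [ "${port:-22}" = 22 ]; then        # unset means the default port 22
        echo "FAIL Port want=not-22 got=${port:-unset(default)}"
        fails=$((fails + 1))
    fi
    return $fails
}

# Constructed sample, not a real server's file: PermitRootLogin still commented,
# PasswordAuthentication misspelled, second PubkeyAuthentication line ignored.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Port 40022
#PermitRootLogin no
LogLevel VERBOSE
MaxAuthTries 2
MaxSessions 4
PasswordAuthentification no
PubkeyAuthentication yes
PubkeyAuthentication no
Banner none
EOF
check_sshd_config "$SAMPLE" && echo "hardened as described" || echo "deviations: $?"
rm -f "$SAMPLE"
```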

cd	#root home
mkdir .ssh
cd .ssh
ssh-keygen
	$Enter file in which to save the key (...id_rsa): [enter]
	$Enter passphrase... <key password>
	#id_rsa (private key) and id_rsa.pub (public key) are generated in /root/.ssh

mkdir /home/<your user id>/.ssh

cp id_rsa.pub /home/<your user id>/.ssh/authorized_keys
	# Copy the public key for the login user under the name sshd_config expects (authorized_keys).
	# With TeraTerm's SSH SCP, receive [/root/.ssh/id_rsa] into a suitable directory on your local PC, e.g. "C:\Program Files (x86)\teraterm"

rm -fR /root/.ssh    #root's .ssh is not needed: root login is disabled at this sshd.
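Because the mkdir and cp above are run as root, the login user's .ssh directory and authorized_keys can end up root-owned or writable by others, which sshd rejects under its default StrictModes, so key login fails just when password login has been switched off. The check below is an added example, not part of the original manual; it runs on a constructed scratch directory, and the uid and home path are its arguments.

```shell
#!/bin/sh
# Check a user's ~/.ssh and authorized_keys against what sshd's default
# StrictModes requires: owned by the login user and writable by nobody else.
# A directory made by root with a plain mkdir, or a key file left group-writable,
# makes key login fail after password login has been turned off.

# mode_ok PATH -> true unless PATH is group- or other-writable
mode_ok() {
    case $(ls -ld "$1" | cut -c1-10) in
        ?????w????|????????w?) return 1 ;;
    esac
    return 0
}

# owner_of PATH -> numeric uid that owns PATH (ls -n prints ids, not names)
owner_of() { ls -ldn "$1" | awk '{ print $3 }'; }

# check_ssh_dir UID HOME -> one "FAIL ..." line per problem; returns their count
check_ssh_dir() {
    fails=0
    for p in "$2/.ssh" "$2/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "FAIL $p is missing"; fails=$((fails + 1)); continue
        fi
        if [ "$(owner_of "$p")" != "$1" ]; then
            echo "FAIL $p is owned by uid $(owner_of "$p"), not uid $1"; fails=$((fails + 1))
        fi
        if ! mode_ok "$p"; then
            echo "FAIL $p is group/other writable ($(ls -ld "$p" | cut -c1-10))"
            fails=$((fails + 1))
        fi
    done
    return $fails
}

# Constructed demo in a scratch directory: first the sloppy modes, then the
# modes sshd accepts (700 on .ssh, 600 on authorized_keys).
HOME_DIR=$(mktemp -d)
mkdir "$HOME_DIR/.ssh"
echo "ssh-rsa AAAAB3...constructed-key... user@example" > "$HOME_DIR/.ssh/authorized_keys"
chmod 775 "$HOME_DIR/.ssh"; chmod 664 "$HOME_DIR/.ssh/authorized_keys"
check_ssh_dir "$(id -u)" "$HOME_DIR" && echo "ok" || echo "problems before fix: $?"
chmod 700 "$HOME_DIR/.ssh"; chmod 600 "$HOME_DIR/.ssh/authorized_keys"
check_ssh_dir "$(id -u)" "$HOME_DIR" && echo "ok after fix" || echo "problems after fix: $?"
rm -rf "$HOME_DIR"
```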

firewall-cmd --reload

systemctl restart sshd

systemctl -l status sshd
	#check that the port number has changed
	#keep this session open and

### New connection ###
On Client>
TeraTermPro: login with id_rsa (key)
#If this key connection succeeds, you can close the 1st and 2nd TeraTermPro sessions safely.

### Forwarding root's mail ###

vi /etc/aliases
	# Person who should get root's mail
	#root:          marc
	   #| uncomment and change 'marc' to your e-mail address
	root:             i@<ip>.jp

newaliases

echo test | mail root
    #If you receive mail from "root@<ip>", the setting is working.

### Setting auto update ###

yum -y install yum-cron yum-utils

vi /etc/yum/yum-cron.conf
	apply_updates = yes
	#Do not enable this before running yum update; otherwise it may fail on dependencies.

vi /etc/cron.daily/0yum-daily.cron

vi /etc/yum/yum-cron-hourly.conf
vi /etc/cron.hourly/0yum-hourly.cron

systemctl start yum-cron
systemctl enable yum-cron
systemctl restart yum-cron
systemctl -l  status yum-cron

### update system ###

yum -y update

### Record the result ###

cat /etc/passwd > p.txt
yum list installed > y.txt
journalctl > f.txt
	#save these files to your client
reboot

Lead time: 30 min