Starting from the minimal CentOS 7 distribution, there are a number of things which need to be done different to make the server useful, and not install a lot of things which we aren't using.
Set default editor to nano
I hate vi, as I can't use it without a cheat sheet, so let's set the default editor to nano.
As root: export EDITOR=/bin/nano
To start, let's follow the tecmint recipe
Start with this great article at tecmint: http://www.tecmint.com/things-to-do-after-minimal-rhel-centos-7-installation which takes you step-by-step through more than everything you will want to do (a good procedural checklist). We are skipping some of these items, so only do the steps indicated below.
2. Configure Network with Static IP Address
3. Set Hostname of Server
4. Update or Upgrade CentOS Minimal Install
6. Install Apache HTTP Server
The firewall instructions do not work. Use these instead:
sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload
7. Install PHP
If you require PHP7.1 instead of PHP5.4, install as follows:
Add the webtatic repos and PHP 7.1:
rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
yum install mod_php71w php71w-common
If you intend to host Joomla 3.x, also install these PHP packages:
yum install php71w-bcmath php71w-devel php71w-gd php71w-intl php71w-mbstring php71w-mcrypt php71w-mysqlnd php71w-opcache php71w-pdo php71w-xml
Then restart Apache: sudo systemctl restart httpd
8. Install MariaDB Database
Do NOT allow the database service to be accessed through the firewall, unless explicitly required for mission.
Consider if the use of this server *requires* MySQL, as some applications specifically name target version of MySQL. If MySQL is required, follow the instructions at: https://devops.profitbricks.com/tutorials/install-mysql-on-centos-7
13. Install Nmap to Monitor Open Ports
15. Installing Wget
17. Installing Webmin
Use the instructions from the current distribution version web site at: http://www.webmin.com/rpm.html
Open port 10000:
firewall-cmd --permanent --zone=public --add-port=10000/tcp sudo firewall-cmd --reload
22. Install and Configure sudo
Create non-root user using our "clientadmin" naming pattern for username.
adduser username
passwd username
then give all permissions using visudo per instructions
vi cheatsheet: http://www.lagmonster.org/docs/vi.html
24. Install Rootkit Hunter
After install, initialize the file change database: rkhunter --propupd
Keep in-mind that when updates are applied to the system, rkhunter will see this activity as possibly malicious and will warn you of these file changes. Check for root kits before applying updates. After applying updates, re-init the file database using the above command.
Set a cron job to check for root kits daily
crontab -e
In the editor paste-in: @daily /usr/bin/rkhunter
Then control-x to save and exit.
Set email address to receive reports
nano /etc/rkhunter.conf
Search for line containing: "MAIL-ON-WARNING" and change.
Add more goodies
Add network utilities
yum install bind-utils
Setup NTP
To install automatic time checking: yum install ntp
Start and enable the service:
systemctl start ntpd.service
systemctl enable ntpd.service
To test: ntpstat
timedatectl status
See also: https://www.cyberciti.biz/faq/linux-unix-bsd-is-ntp-client-working/
Reference: https://www.tecmint.com/install-ntp-server-in-centos/
Install and secure PhpMyAdmin
https://www.digitalocean.com/community/tutorials/how-to-install-and-secure-phpmyadmin-with-apache-on-a-centos-7-server
Ignore their instructions for IPs to require/allow. Instead in the first <Directory> block, insert lines after "Require ip 127.0.0.1" for the local and VPN subnets, ie.
Require ip 192.168.xxx.0/22
Install backupdb
backupdb : A Rotating Backup Shell Script for MySQL and PostgreSQL
Command-line email for delivery of email alerts
yum install mailx
test:
echo blah | mail -s "test" This email address is being protected from spambots. You need JavaScript enabled to view it.
Install SSL certificates
scp {pathto/file} This email address is being protected from spambots. You need JavaScript enabled to view it.:/etc/httpd/ssl.d/.
Install VMware Tools
If you are using VMware, here are the ordinary instructions to install VMware Tools:
HOWEVER, the VMware installer script recommends using Open VM Tools per this article.
Open VMware Tools provides the following:
- Synchronization of the guest OS clock with the virtualization platform
- Enables the virtual infrastructure to perform graceful power operations (shut down) and file system quiescing of the virtual machine
- Provides a heartbeat from guest to the virtualization infrastructure to support vSphere High Availability (HA)
- Publishes information about the guest OS to the virtualization platform, including resource utilization and networking information
- It does NOT provide cut-n-paste between host and guest. If you need this and other useful features, see the optional open-vm-tools-desktop package, which depends on X.
Installation is easier than all the cdrom mount hoopla anyways: yum install open-vm-tools
Installing Joomla
Joomla system requirements
Install PostGre Relational Database
Follow the instructions at: https://www.digitalocean.com/community/tutorials/how-to-install-and-use-postgresql-on-centos-7
Cheat Sheet
The following commands are useful for day-to-day administration:
What IP address is being used?: ifconfig
List all services:
systemctl list-unit-files --type=service
systemctl restart httpd.service
systemctl start mariadb.service
firewall-cmd --zone=public --list-all
nmap 127.0.0.1
webmin: https://[local-ip]:10000
rkhunter -c -sk