
Martin Carr.com

Centos Commands

Virtualmin

      //////////// INSTALL VIRTUALMIN //////////////

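      wget http://software.virtualmin.com/gpl/scripts/install.sh
      // plain-http download: nothing authenticates the script in transit, so read install.sh before running it as root (use an https:// URL if the host serves one)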
      
      /bin/sh install.sh --minimal
      
      yum update
      
      yum install awscli
      
      virtualmin check-config
      
      /etc/init.d/webmin stop
      /etc/init.d/webmin start
      
      virtualmin disable-feature --mail --all-domains
      virtualmin disable-feature --mail --domain martincarr.com
      virtualmin delete-domain --domain domain-1.co.uk --domain domain-2.co.uk 

      ///////// CENTOS DISABLE PING //////////
      /etc/sysctl.conf	// add the line below to this file
      net.ipv4.icmp_echo_ignore_all = 1
      systemctl restart network.service	// restart network services ('sysctl -p' re-reads /etc/sysctl.conf without a restart)
      
      
      //////////// CENTOS SET HOSTNAME /////////////
      hostnamectl set-hostname website.com


Firewall

      //////////// CENTOS FIREWALL //////////////

      firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -p tcp --dport 25 -j ACCEPT
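      firewall-cmd --list-all 	// list open ports, services and rules for the default zone
      firewall-cmd --list-ports	// or --list-services, --list-all
      firewall-cmd --state
      firewall-cmd --reload
      firewall-cmd --zone=public --permanent --add-service=http	// --permanent rules only take effect after the next --reload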
      
      # firewall-cmd --zone=public --add-service=http --permanent
      # firewall-cmd --zone=public --add-port=80/tcp --permanent
      # firewall-cmd --zone=public --remove-port=3000/tcp --permanent
      # firewall-cmd --zone=public --add-port=22022/tcp --permanent
      # firewall-cmd --add-service=samba --permanent
      # firewall-cmd --reload
      
      # firewall-cmd --zone=public --list-ports
      # lsof -i -P |grep http

      
/////////////////// UFW /////////////////

apt-get install ufw
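ufw status verbose	// 'verbose' is optional
ufw enable	// over SSH, add the 'ufw allow 22' rule below before enabling, or the session can be cut off
ufw default deny incoming
ufw allow 22
ufw allow apache mysql	// ufw expects one port or app profile per rule ('ufw app list' shows profile names); keep MySQL to trusted hosts, e.g. ufw allow from <trusted-ip> to any port 3306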

lsof -i -P -n | grep LISTEN  // list open ports

Fail2ban

          /////////////// FAIL2BAN ///////////////////

          yum install epel-release
          yum install fail2ban fail2ban-systemd
          
          apt install fail2ban
          systemctl restart fail2ban
          fail2ban-client status
          systemctl restart fail2ban
          fail2ban-client set sshd unbanip 192.168.1.100
          
          tail -f /var/log/auth.log
          cat /var/log/auth.log | grep 'sshd.*Failed'
          tail -f /var/log/fail2ban.log
          
          zgrep 'Ban' /var/log/fail2ban.log*
          
          cat /var/log/auth.log | grep 'Failed password'
          
fail2ban-client status | grep "Jail list:" | sed "s/ //g" | awk '{split($2,a,",");for(i in a) system("fail2ban-client status " a[i])}' | grep "Status\|IP list"

SECURITY

          //////// CHECK for Break In's Centos /////////

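          cat /var/log/secure | grep 'sshd.*Failed'	// failed SSH log-ins only
          cat /var/log/secure | grep 'sshd.*Accepted'	// successful SSH log-ins - look for users or source addresses you don't recognise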

Lets Encrypt - Certbot

          // ADD PPA
          apt-get update
          apt-get install software-properties-common
          add-apt-repository universe
          add-apt-repository ppa:certbot/certbot
          apt-get update
          
          // INSTALL
          sudo apt-get install certbot python-certbot-apache
          
          // GET CERTIFICATE
          certbot --apache
          
          // JUST GET CERTIFICATE (certonly obtains it without editing the Apache config; it can still prompt)
          certbot certonly --apache
          
          
          ///////// CERTBOT ON CENTOS /////////
          
          yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional
          yum install certbot python2-certbot-apache
          certbot --apache
          certbot --no-redirect
          
          // automatic renewal
          echo "0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew" | sudo tee -a /etc/crontab > /dev/null

General Commands

# yum update	// Update Centos

Network Interface

# ifconfig	//Display ethernet adaptor settings
# ifdown eth0	//Turn down Lan interface
# ifup eth0	//Turn up Lan interface
# iwconfig	//Show wlan Interface

# /etc/sysconfig/network-scripts/ifcfg-eth0	//To configure ethernet adaptor 0
BOOTPROTO=static	 
IPADDR=192.168.0.3	 
NETMASK=255.255.255.0	 
 	 
# /etc/sysconfig/network	//To edit the hostname and the gateway address
NETWORKING=yes	 
HOSTNAME=martincarr.com	 
GATEWAY=192.168.0.1	 
 	 
# /etc/resolv.conf | nameserver 8.8.8.8 | nameserver 8.8.4.4	//To edit the DNS nameservers (one address per 'nameserver' line)
# /etc/hostname	//Change hostname
# /etc/hosts	//Loopback Address

Starting & Stopping Services

httpd, mariadb, sshd, network, iptables, smb, nmb, dhcpd	
 	 
# service httpd start	//Start Apache on Centos
# chkconfig httpd on	//Enable at Start Up Centos
# chkconfig	//List all runlevels Centos | grep httpd
# systemctl enable httpd	//Enable Service at Boot
# systemctl start httpd	//Start Stop or Restart
# systemctl is-enabled httpd	//Check status of service
# systemctl list-unit-files	//Show the run level at boot-up (can | grep httpd)

Mounting Disks

# df -h	//Shows disks, mounts and space
# lsblk | head -8 | expand | column -t	//As above and shows if is disk or partition
# blkid	//Display UID of the USB Key
# cfdisk	//Partition utility
# mkdir /mnt/usb	//Create folder to mount device (Give correct permissions!!)
# mount -t vfat /dev/sda1 /mnt/usb	//Mount
# mount -a	//Mount all drives in fstab
# umount /mnt/usb	//Unmount device (umount not unmout!)
# mount /mnt/usb -o remount	//Re-mount a specific disk
# /etc/fstab	//File for storing automatically mounting

////////////////// Mount CD ///////////// 
# mount /dev/cdrom /mnt 
# cd /mnt 

Crontab

# crontab -l	//Crontab List
# crontab -e	//Crontab to Create New and Edit	 
 	 
# */1 * * * * /home/user/script.sh	//Runs every minute
# 00 00 * * * /home/user/script.sh	//Runs at Midnight every day
# /var/spool/cron/crontabs	//Crontab files stored

SSH & Copy to Remote Server

# /etc/ssh/sshd_config	//config - change port from 22 and disable root log-in (PermitRootLogin no); 'sshd -t' checks the file for errors before sshd is restarted
# ssh-keygen	//Generate public and private key in /home/user/.ssh

# ssh-copy-id -i /home/martin/.ssh/id_rsa.pub '-p 50055 martin@192.168.0.5'  //Copy the public key across
# rsync -rvz -e 'ssh -p 50055' --progress originalfile.sql martin@192.168.0.5:/home/user/backupfile.sql  // copy file

Apache

# yum -y groupinstall 'Web Server'	//Install all the various packages (didn't work on CENTOS)
# /var/www/html	//Document root
# chown martin:apache html	//set html directory ':apache' - allows 755 on the folder 
	//and Apache still ok to serve files
    
# /etc/httpd/conf/httpd.conf	//Main configuration file
# apachectl graceful	//Tests Apache config and if OK will then restart the service
# apachectl -V	//Check Apache version
# apachectl configtest	//Test configuration of Apache
Password protect folder httpd.conf	//SEE BELOW      

PHP

          //////////// PHP 7 if Needed ///////////////

          apt-get install php7.2-curl php7.2-gd php7.2-zip

DHCP

# yum -y install dhcp	//install command
# /etc/dhcp/dhcpd.conf	//See 'conf file' on Pi -used minimal settings 

Own Cloud

# /var/www/html/owncloud/	//Gave 777 permissions ?? (777 lets every local user write here - tighter: chown -R apache:apache and 750 on directories / 640 on files)
# yum install php-pecl-zip	//Module was missing
# /var/www/html/owncloud/setup-owncloud.php	//navigate to and install	
# /etc/php.ini	//Changed 'post_max_size' & 'upload_max_filesize' to '100Mb'

MySQL

# yum install mysql mysql-server	//Install Client & Server
# systemctl start mariadb	//Start the Service 
# mysql_secure_installation (start mysql first!)	//Run the secure installation 
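# mysqldump -uroot -pPassword sid > /home/martin/sid_backup.sql  //Create a Back-Up (a password typed as -pPassword lands in shell history and can show in the process list - use -p alone to be prompted, or a chmod 600 ~/.my.cnf)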

PHP My Admin

# yum install phpmyadmin	// Install PHPMyAdmin
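# /etc/httpd/conf.d/phpMyAdmin.conf	// Comment out line 22 & 23 and add 
	// 'Allow from All' underneath (for Apache 2.2)
	// 'Allow from All' opens the phpMyAdmin log-in to every address - 'Allow from <trusted-ip>' limits it to the hosts you name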

Samba

# yum install samba samba-client samba-common	//Install Samba
# /etc/samba/smb.conf	//Added smb.conf that was working

Notes:- problems viewing share on Raspberry Pi - in /etc/samba/smb.conf enabled 'wins support = yes' 
and 'name resolve order = lmhosts host wins bcast' - check Windows Firewalls - 
Log off/on or reboot Windows after changes. service nmb start !! don't forget to restart nmb too !!

Log Files

# last	// Show Log-in user activity
# last -f /var/log/btmp | grep 'Jun 23'	// Show failed Log-in attempts
 	 
# tail -f -n100 /var/log/secure	// Shows log-in sessions
# tail -f -n100 /var/log/messages	// Show general system messages
# tail -f -n100 /var/log/cron	// Show scheduled tasks
# tail -f -n50 /var/log/httpd/access_log	// Apache Log
# tail -f -n50 /var/log/httpd/error_log	// Apache Error log
 	 
# tcpdump -i any port 80 | top	// Think needs additional module to work

FTP

# yum install vsftpd	//You can log in initially with root/password
# sftp://vmdocs.co.uk:port-number (for file zilla)	// No root log in as ssh has root disabled
# /etc/vsftpd/vsftpd.conf | anonymous_enable=NO | 
# local_enable=yes - write_enable=yes | userlist_enable=YES
# userlist_deny=NO	
# /etc/vsftpd/user_list	// if above userlist_deny=NO, allows users in user_list log in
# /etc/vsftpd/ftpusers	// is also checked for users that are denied access
# SFTP is a sub-system of SSH	// (no root login for SSH = no root login for SFTP)    

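NOTES :- Configuration file for VSFTPD !! All this controls FTP on Port 21 not SFTP !! Plain FTP on port 21 carries user names and passwords unencrypted; SFTP runs inside the SSH session.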

Packages

# systemctl	// Lists loaded units/services (installed packages: yum list installed)
# yum history list	// List Yum history
# yum search 'name' | yum search all 'name'	// Search for packages
# yum -y install httpd	// Install a package without confirmation prompt
# yum remove httpd	// Remove package

SE Linux

# vi /etc/selinux/config	// To edit how SELinux works //set permissive
# setenforce 0	// Switch SELinux to permissive (denials are logged, nothing is blocked) until reboot - 'setenforce 1' turns enforcement back on
# sestatus	// Show status of SELinux

Apache Password Protect Folder

<Directory /var/www/html/working>
AuthType Basic
AuthName "Basic Authentication"
AuthUserFile /etc/httpd/conf/.htpasswd
require valid-user
</Directory>

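# /etc/httpd/conf/httpd.conf 	//add above to (Basic auth only base64-encodes the password, so serve this folder over HTTPS)

# htpasswd -c /etc/httpd/conf/<passwdfile> <user> //create password file for user (-c overwrites an existing file - leave it off when adding further users)
# htpasswd -D /etc/httpd/conf/<passwdfile> <user> //delete user and password from the file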

Tiger VNC Set Up

# yum install tigervnc-server	// install the server

create a normal user
# su - username	 // log on as user
# vncpasswd 	// enter password
# exit 	// back to root

# /etc/sysconfig/vncservers 	//edit as below
VNCSERVERS="30:martin 10:realone 20:realtwo"
VNCSERVERARGS[10]="-geometry 1280x1024"
VNCSERVERARGS[20]="-geometry 1280x1024"
VNCSERVERARGS[30]="-geometry 1280x1024"

# service vncserver start
# chkconfig vncserver on //start at boot

Installing Centos 6.7 on HP Test Server (Old Way with RAID)

1. Installing CentOS 6.6 from USB Drive
2. Download Centos 6.6 DVD.iso image
3. Make a USB Drive with 'ISOtoUSB'
4. Boot from USB & select location Hard Drive when prompted
5. Configure LAN on localhost set up page

Setting Up the Software RAID
Select 'Custom Set-up' when it comes to disk partitioning
'A' Create 'RAID PARTITIONS' (1 x 200Mb and the other to FILL the rest of the capacity)
'B' Create 'RAID DEVICES' For '/boot' use the 'sda 200Mb' and the 'sdb 200Mb' and 
for the 'LVM' 'sda remainder' and 'sdb remainder'
'C' Create 'LOGICAL VOLUME GROUP' - 
1. /swap (2 x Ram) using partition type 'swap' 
2. /home 10Gig using partition type 'Ext4' and 
3. / (root) using partition type 'Ext4' and use the rest of the space.

On the next screen, change 'Install boot loader' to 'RAID Device'

Installing Centos 6.7 on HP Test Server (07/2017)

        
        
1. Install from USB (1st Boot device already set to USB)
2. Install from sda1 on single drive
3. Configure Static IP LAN on Set Up!
4. Install Standard Web Server (Maybe could use Minimal Install?).

Log In with Win SCP to 192.168.0.50
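1. # /etc/selinux/config	// Set to 'disabled' (removes SELinux confinement entirely; 'permissive' keeps the denial log if it only needs to stop blocking)
2. # service iptables stop	// Stop the firewall (this is a LAN test box - an internet-facing host needs iptables left on with rules for the ports in use)
3. # chkconfig iptables off	// Turn off after reboot
4. # reboot
5. # service iptables status	 // Check Firewall is off
6. # sestatus	// Check sestatus is off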
7. !! Upgrade PHP see above 'PHP' !!

sh <(curl https://installer.plesk.com/one-click-installer || wget -O - https://installer.plesk.com/one-click-installer)

////////////// POST PLESK INSTALL ///////////
1. Tools and Settings / Update and Upgrades / Add Remove Components...
   Cross check with existing Server if possible (if NOT see below Centos 7 for examples) 
       
2. Tools and Settings / IP Addresses / Change to Shared   

Install Centos 7 ready for Plesk

1. select minimal install
2. set IP Address Static
3. set host name

Setting up Parallels on Centos 7

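# systemctl stop firewalld	// stop the firewall
# systemctl disable firewalld	// disable the firewall (add the Plesk Firewall component afterwards - see Add Remove Components below - so the host is not left unfiltered)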
# nano /etc/selinux/config	// set selinux to disabled
# sestatus	// check selinux status
# systemctl status firewalld	// check status of firewall

sh <(curl https://installer.plesk.com/one-click-installer || wget -O - https://installer.plesk.com/one-click-installer)

https://192.168.0.50:8443
Choose Web Designer / Power User	// Install license etc...

Tools and Settings / Updates and Upgrades / Add Remove Components 

E.g. Firewall, SpamAssassin, ModSecurity 

Firewall Notes...?
Firewall config to allow 'Passive FTP': add custom rule to Parallels (TCP - incoming - 49152-65534)
Edit ProFTP on the server: vi /etc/proftpd.conf and add 'PassivePorts 49152 65534' just under 
the 'global' tag, then restart xinetd with /etc/init.d/xinetd restart 

Plesk Commands

# tail -f /usr/local/psa/var/log/maillog	// monitor mail log