Centos Commands
Virtualmin
//////////// INSTALL VIRTUALMIN //////////////
wget http://software.virtualmin.com/gpl/scripts/install.sh // downloaded over plain HTTP - review the script before running it as root
/bin/sh install.sh --minimal
yum update
yum install awscli
virtualmin check-config
/etc/init.d/webmin stop
/etc/init.d/webmin start
virtualmin disable-feature --mail --all-domains
virtualmin disable-feature --mail --domain martincarr.com
virtualmin delete-domain --domain domain-1.co.uk --domain domain-2.co.uk
///////// CENTOS DISABLE PING //////////
/etc/sysctl.conf // add the line below to this file
net.ipv4.icmp_echo_ignore_all = 1
systemctl restart network.service // restart network services
//////////// CENTOS SET HOSTNAME /////////////
hostnamectl set-hostname website.com
Firewall
//////////// CENTOS FIREWALL //////////////
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -p tcp --dport 25 -j ACCEPT
firewall-cmd --list-all // list open ports
firewall-cmd --list-ports [services, all]
firewall-cmd --state
firewall-cmd --reload
firewall-cmd --zone=public --permanent --add-service=http
# firewall-cmd --zone=public --add-service=http --permanent
# firewall-cmd --zone=public --add-port=80/tcp --permanent
# firewall-cmd --zone=public --remove-port=3000/tcp --permanent
# firewall-cmd --zone=public --add-port=22022/tcp --permanent
# firewall-cmd --add-service=samba --permanent
# firewall-cmd --reload
# firewall-cmd --zone=public --list-ports
# lsof -i -P |grep http
/////////////////// UFW /////////////////
apt-get install ufw
ufw status (verbose)
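ufw enable // when connected over SSH, run 'ufw allow 22' (below) before enabling, otherwise you can be locked out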
ufw default deny incoming
ufw allow 22
ufw allow apache mysql
lsof -i -P -n | grep LISTEN // list open ports
Fail2Ban
/////////////// FAIL2BAN ///////////////////
yum install epel-release
yum install fail2ban fail2ban-systemd
apt install fail2ban
systemctl restart fail2ban
fail2ban-client status
systemctl restart fail2ban
fail2ban-client set sshd unbanip 192.168.1.100
tail -f /var/log/auth.log
cat /var/log/auth.log | grep 'sshd.*Failed'
tail -f /var/log/fail2ban.log
zgrep 'Ban' /var/log/fail2ban.log*
cat /var/log/auth.log | grep 'Failed password'
fail2ban-client status | grep "Jail list:" | sed "s/ //g" | awk '{split($2,a,",");for(i in a) system("fail2ban-client status " a[i])}' | grep "Status\|IP list"
SECURITY
//////// CHECK for Break-Ins Centos /////////
cat /var/log/secure | grep 'sshd.*Failed'
Lets Encrypt - Certbot
// ADD PPA
apt-get update
apt-get install software-properties-common
add-apt-repository universe
add-apt-repository ppa:certbot/certbot
apt-get update
// INSTALL
sudo apt-get install certbot python-certbot-apache
// GET CERTIFICATE
certbot --apache
// JUST GET CERTIFICATE (THINK NO PROMPTS)
certbot certonly --apache
///////// CERTBOT ON CENTOS /////////
yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional
yum install certbot python2-certbot-apache
certbot --apache
certbot --no-redirect
// automatic renewal
echo "0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew" | sudo tee -a /etc/crontab > /dev/null
General Commands
# yum update // Update Centos
Network Interface
# ifconfig //Display ethernet adapter settings
# ifdown eth0 //Turn down Lan interface
# ifup eth0 //Turn up Lan interface
# iwconfig //Show wlan Interface
# /etc/sysconfig/network-scripts/ifcfg-eth0 //To configure ethernet adapter 0
BOOTPROTO=static
IPADDR=192.168.0.3
NETMASK=255.255.255.0
# /etc/sysconfig/network //To edit the hostname and the gateway address
NETWORKING=yes
HOSTNAME=martincarr.com
GATEWAY=192.168.0.1
# /etc/resolv.conf | nameserver 8.8.8.8 8.8.4.4 //To edit the DNS nameservers
# /etc/hostname //Change hostname
# /hosts //Loopback Address
Starting & Stopping Services
httpd, mariadb, sshd, network, iptables, smb, nmb, dhcpd
# service httpd start //Start Apache on Centos
# chkconfig httpd on //Enable at Start Up Centos
# chkconfig //List all runlevels Centos | grep httpd
# systemctl enable httpd //Enable Service at Boot
# systemctl start httpd //Start Stop or Restart
# systemctl is-enabled httpd //Check status of service
# systemctl list-unit-files //Show the run level at boot-up (can | grep httpd)
Mounting Disks
# df -h //Shows disks, mounts and space
# lsblk | head -8 | expand | column -t //As above and shows if is disk or partition
# blkid //Display UID of the USB Key
# cfdisk //Partition utility
# mkdir /mnt/usb //Create folder to mount device (Give correct permissions!!)
# mount -t vfat /dev/sda1 /mnt/usb //Mount
# mount -a //Mount all drives in fstab
# umount /mnt/usb //Unmount device (umount not unmout!)
# mount /mnt/usb -o remount //Re-mount a specific disk
# /etc/fstab //File for storing automatically mounting
////////////////// Mount CD /////////////
# mount /dev/cdrom /mnt
# cd /mnt
Crontab
# crontab -l //Crontab List
# crontab -e //Crontab to Create New and Edit
# */1 * * * * /home/user/script.sh //Runs every minute
# 00 00 * * * /home/user/script.sh //Runs at Midnight every day
# /var/spool/cron/crontabs //Crontab files stored
SSH & Copy to Remote Server
# /etc/ssh/sshd_config //config - change port from 22 and disable root login (PermitRootLogin no)
# ssh-keygen //Generate public and private key in /home/user/.ssh
# ssh-copy-id -i /home/martin/.ssh/id_rsa.pub '-p 50055 martin@192.168.0.5' //Copy the public key across
# rsync -rvz -e 'ssh -p 50055' --progress originalfile.sql martin@192.168.0.5:/home/user/backupfile.sql // copy file
Apache
# yum -y groupinstall 'Web Server' //Install all the various packages (didn't work on CENTOS)
# /var/www/html //Document root
# chown martin:apache html //set html directory ':apache' - allows 755 on the folder
//and Apache still ok to serve files
# /etc/httpd/conf/httpd.conf //Main configuration file
# apachectl graceful //Tests Apache config and if OK will then restart the service
# apachectl -V //Check Apache version
# apachectl configtest //Test configuration of Apache
Password protect folder httpd.conf //SEE BELOW
PHP
//////////// PHP 7 if Needed ///////////////
apt-get install php7.2-curl php7.2-gd php7.2-zip
DHCP
# yum -y install dhcp //install command
# /etc/dhcp/dhcpd.conf //See 'conf file' on Pi -used minimal settings
Own Cloud
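# /var/www/html/owncloud/ //Gave 777 permissions ?? (777 is world-writable - owning the folder as the apache user with tighter permissions is the safer fix)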
# yum install php-pecl-zip //Module was missing
# /var/www/html/owncloud/setup-owncloud.php //navigate to and install
# /etc/php.ini //Changed 'post_max_size' & 'upload_max_filesize' 100Mb'
MySQL
# yum install mysql mysql-server //Install Client & Server
# systemctl start mariadb //Start the Service
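# mysql_secure_installation (start mysql first!) //Run the secure installation
# mysqldump -uroot -pPassword sid > /home/martin/sid_backup.sql //Create a Back-Up (a password typed on the command line shows up in the process list and shell history; use -p on its own to be prompted)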
PHP My Admin
# yum install phpmyadmin // Install PHPMyAdmin
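# /etc/httpd/conf.d/phpMyAdmin.conf // Comment out line 22 & 23 and add
// 'Allow from All' underneath (for Apache 2.2) - this opens phpMyAdmin to every address;
// 'Allow from <your-ip>' keeps it limited to known clients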
Samba
# yum install samba samba-client samba-common //Install Samba
# /etc/samba/smb.conf //Added smb.conf that was working
Notes:- problems viewing share on Raspberry Pi - /etc/samba/smb.conf enabled 'wins support = yes'
and 'name resolve order = lmhosts host wins bcast' - check windows Firewalls -
Log off/on or rebooted Windows after changes service nmb start !! don't forget to restart nmb too !!
Log Files
# last // Show Log-in user activity
# last -f /var/log/btmp | grep 'Jun 23' // Show failed Log-in attempts
# tail -f -n100 /var/log/secure // Shows log-in sessions
# tail -f -n100 /var/log/messages // Show general system messages
# tail -f -n100 /var/log/cron // Show scheduled tasks
# tail -f -n50 /var/log/httpd/access_log // Apache Log
# tail -f -n50 /var/log/httpd/error_log // Apache Error log
# tcpdump -i any port 80 | top // Think needs additional module to work
FTP
# yum install vsftpd //You can log in initially with root/password
# sftp://vmdocs.co.uk:port-number (for FileZilla) // No root log in as ssh has root login disabled
# /etc/vsftpd/vsftpd.conf | anonymous_enable=NO |
# local_enable=yes - write_enable=yes | userlist_enable=YES
# userlist_deny=NO
# /etc/vsftpd/user_list // if above userlist_deny=NO, allows users in user_list log in
# /etc/vsftpd/ftpusers // is also checked for users that are denied access
# SFTP is a sub-system of SSH // (no root login for SSH = no root login for SFTP)
NOTES :- Configuration file for VSFTPD !! All this controls FTP on Port 21 not SFTP !!
Packages
# systemctl // Lists installed packages
# yum history list // List Yum history
# yum search 'name' | yum search all 'name' // Search for packages
# yum -y install httpd // Install a package without confirmation prompt
# yum remove httpd // Remove package
SE Linux
# vi /etc/selinux/config // To edit how SELinux works //set permissive
# setenforce 0 // Turn off SELinux enforcement until reboot (permissive mode: denials are logged, not blocked)
# sestatus // Show status of SELinux
Apache Password Protect Folder
<Directory /var/www/html/working>
AuthType Basic
AuthName "Basic Authentication"
AuthUserFile /etc/httpd/conf/.htpasswd
require valid-user
</Directory>
# /etc/httpd/conf/httpd.conf //add the above block to this file (Basic auth sends the password unencrypted, so serve this folder over HTTPS)
# htpasswd -c /etc/httpd/conf/<passwdfile> <user> //create password file for user
# htpasswd -D /etc/httpd/conf/<passwdfile> <user> //delete password for user
Tiger VNC Set Up
# yum install tigervnc-server // install the server
create a normal user
# su - username // log on as user
# vncpasswd // enter password
# exit // back to root
# /etc/sysconfig/vncservers //edit as below
VNCSERVERS="30:martin 10:realone 20:realtwo"
VNCSERVERARGS[10]="-geometry 1280x1024"
VNCSERVERARGS[20]="-geometry 1280x1024"
VNCSERVERARGS[30]="-geometry 1280x1024"
# service vncserver start
# chkconfig vncserver on //start at boot
Installing Centos 6.7 on HP Test Server (Old Way with RAID)
1. Installing CentOS 6.6 from USB Drive
2. Download Centos 6.6 DVD.iso image
3. Make a USB Drive with 'ISOtoUSB'
4. Boot from USB & select location Hard Drive when prompted
5. Configure LAN on localhost set up page
Setting Up the Software RAID
Select 'Custom Set-up when it comes to disk partitioning
'A' Create 'RAID PARTITIONS' (1 x 200Mb and the other to FILL the rest of the capacity)
'B' Create 'RAID DEVICES' For '/boot' use the 'sda 200Mb' and the 'sdb 200Mb' and
for the 'LVM' 'sda remainder' and 'sdb remainder'
'C' Create 'LOGICAL VOLUME GROUP' -
1. /swap (2 x Ram) using partition type 'swap'
2. /home 10Gig using partition type 'Ext4' and
3. / (root) using partition type 'Ext4' and use the rest of the space.
On the next screen, change 'Install boot loader to 'RAID Device'
Installing Centos 6.7 on HP Test Server (07/2017)
1. Install from USB (1st Boot device already set to USB)
2. Install from sda1 on single drive
3. Configure Static IP LAN on Set Up!
4. Install Standard Web Server (Maybe could use Minimal Install?).
Log In with Win SCP to 192.168.0.50
1. # /etc/selinux/config // Set to 'disabled'
2. # service iptables stop // Stop the firewall
3. # chkconfig iptables off // Turn off after reboot
4. # reboot
5. # service iptables status // Check Firewall is off
6. # sestatus // Check SELinux status is off
7. !! Upgrade PHP see above 'PHP' !!
sh <(curl https://installer.plesk.com/one-click-installer || wget -O - https://installer.plesk.com/one-click-installer)
////////////// POST PLESK INSTALL ///////////
1. Tools and Settings / Update and Upgrades / Add Remove Components...
Cross check with existing Server if possible (if NOT see below Centos 7 for examples)
2. Tools and Settings / IP Addresses / Change to Shared
Install Centos 7 ready for Plesk
1. select minimal install
2. set IP Address Static
3. set host name
Setting up Parallels on Centos 7
# systemctl stop firewalld // stop the firewall
# systemctl disable firewalld // disable the firewall
# nano /etc/selinux/config // set selinux to disabled
# sestatus // check selinux status
# systemctl status firewalld // check status of firewall
sh <(curl https://installer.plesk.com/one-click-installer || wget -O - https://installer.plesk.com/one-click-installer)
https://192.168.0.50:8443
Choose Web Designer / Power User // Install license etc...
Tools and Settings / Updates and Upgrades / Add Remove Components
E.g. Firewall, SpamAssassin, ModSecurity
Firewall Notes...?
Firewall config to allow 'Passive FTP' add custom rule to Parallels (TCP - incoming - 49152-65534)
Edit ProFTP on the server vi /etc/proftpd.conf and add 'PassivePorts 49152 65534' just under
'global' tag and restart xinetd with /etc/init.d/xinetd restart
Plesk Commands
# tail -f /usr/local/psa/var/log/maillog // monitor mail log