ServerSetupFedora: Difference between revisions
m (Drew moved page ServerSetupFedora27 to ServerSetupFedora)
Latest revision as of 01:13, 7 September 2021
Fedora 27 Net Install ISO
Write to thumb drive https://download.fedoraproject.org/pub/fedora/linux/releases/27/Server/x86_64/iso/Fedora-Server-netinst-x86_64-27-1.6.iso
kickstart.ks
Embedded gist: https://gist.github.com/drew-holt/e00fc2879db092e7c42b4d0101935caf.js
Immediate post-install steps
Install etckeeper and initialize it
sudo dnf install etckeeper
sudo etckeeper init
Install fail2ban, enable, and start it
sudo dnf install fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
Disable root login via password ssh
$ grep Root /etc/ssh/sshd_config
PermitRootLogin prohibit-password
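The `grep Root` check above also matches the commented default line that ships in sshd_config (`#PermitRootLogin prohibit-password`), so a reassuring hit does not prove the live setting. As an added example, not code from the original page, here is a bash check that reports the value sshd actually applies: the first occurrence of a key wins, keys are case-insensitive, and directives inside `Match` blocks are skipped. The function names `sshd_effective` and `root_password_login_disabled` are mine, and the sample config is constructed.

```shell
#!/bin/bash
# Added example, not from the original page: report the sshd setting that is
# actually in effect instead of grepping for "Root", which also matches the
# commented default "#PermitRootLogin prohibit-password".
# sshd keys are case-insensitive and the FIRST occurrence wins; anything after
# a Match line is conditional and is ignored by this check.

# Print the effective value of a directive, or "default" when it is not set.
sshd_effective() {  # usage: sshd_effective <sshd_config> <Directive>
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }                 # skip comments and blank lines
        tolower($1) == "match" { in_match = 1 }              # later lines are conditional
        !in_match && tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print "default" }
    ' "$1"
}

# Exit 0 when root cannot log in with a password. OpenSSH 7.0 and later default
# to prohibit-password, so an absent directive also passes.
root_password_login_disabled() {  # usage: root_password_login_disabled <sshd_config>
    case "$(sshd_effective "$1" PermitRootLogin)" in
        no|prohibit-password|without-password|default) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample (not a real host's file). "grep Root" on it shows the
# reassuring commented line, but the live directive says yes.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
#PermitRootLogin prohibit-password
permitrootlogin yes
PasswordAuthentication no
Match User backup
    PermitRootLogin no
EOF

if root_password_login_disabled "$SAMPLE_CFG"; then
    echo "ok: PermitRootLogin=$(sshd_effective "$SAMPLE_CFG" PermitRootLogin)"
else
    echo "WARNING: PermitRootLogin=$(sshd_effective "$SAMPLE_CFG" PermitRootLogin)"
fi
```

On a live host, `sudo sshd -T | grep -i permitrootlogin` is the authoritative check, since it runs the real parser (including the `/etc/ssh/sshd_config.d/` drop-ins that newer Fedora releases include); sshd must be restarted after the file is edited for a change to take effect.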
Add TCP/22 to firewalld
Done in kickstart; the manual equivalent:
firewall-cmd --permanent --add-port=22/tcp --add-port=80/tcp --add-port=443/tcp
firewall-cmd --reload
Enable sudo
User drew is added to wheel in kickstart; the manual equivalent:
$ sudo visudo
drew ALL=(ALL) NOPASSWD:ALL
dnf upgrade
sudo dnf upgrade -y
Enable SElinux
Done in kickstart; to verify the persistent setting and switch enforcing mode on immediately:
$ grep ^SELINUX= /etc/selinux/config
SELINUX=enforcing
$ sudo setenforce 1
Extend days of sysstat logging
$ grep -vE '^($|#)' /etc/sysconfig/sysstat
HISTORY=365
COMPRESSAFTER=10
SADC_OPTIONS=""
Install other software
Do this in kickstart
# dnf install -y man screen wget strace rsync mailx fdupes logwatch grep lsof screen binutils tar mcelog nfs-utils \
OpenIPMI ipmitool sysstat clamav clamav-update iscsi-initiator-utils samba openvpn lldpad ntp \
php-pecl-apc lm_sensors hddtemp smartmontools apcupsd apcupsd-cgi
Configure system
Placeholder for postfix config here and firewalld rules for TCP25
add .forward file
The redirection has to run as root too, so pipe into sudo tee instead of using sudo echo > file:
$ echo drew | sudo tee /root/.forward
$ echo "andrew: drew" | sudo tee -a /etc/aliases
$ sudo newaliases
$ echo "root: drew" | sudo tee -a /etc/aliases
$ sudo newaliases
Monitoring
Place holder for nagios client config
Configure lm-sensors
Do this in kickstart
$ sudo sensors-detect --auto
lldpad
Do this in kickstart
$ sudo systemctl enable lldpad
$ sudo systemctl start lldpad
mcelog
Do this in kickstart
systemctl enable mcelog
systemctl start mcelog
SMARTmon HDD Alerts
# /etc/smartd.conf. -H: check SMART health status; -m root: mail alerts to root;
# -M exec: run the named script instead of mail; -M daily: repeat an unresolved alert once a day;
# -n standby,10,q: skip checks while the disk is spun down, at most 10 in a row, quietly;
# -s (S/../.././02|L/../../6/03): short self-test daily at 02:00, long self-test on Saturdays at 03:00;
# -W 0,0,45: alert at 45 C (difference and info thresholds off); -d sat: SCSI-to-ATA translation.
DEVICESCAN -H -m root -M exec /usr/libexec/smartmontools/smartdnotify -n standby,10,q
/dev/sda -H -m root -M daily -M exec /home/drew/cron/smartmon.sh -M daily -f -l error -o on -S on -s (S/../.././02|L/../../6/03) -W 0,0,45 -d sat
/dev/sdb -H -m root -M daily -M exec /home/drew/cron/smartmon.sh -M daily -f -l error -o on -S on -s (S/../.././02|L/../../6/03) -W 0,0,45 -d sat
/dev/sdc -H -m root -M daily -M exec /home/drew/cron/smartmon.sh -M daily -f -l error -o on -S on -s (S/../.././02|L/../../6/03) -W 0,0,45 -d sat
/dev/sdd -H -m root -M daily -M exec /home/drew/cron/smartmon.sh -M daily -f -l error -o on -S on -s (S/../.././02|L/../../6/03) -W 0,0,45 -d sat
/dev/sde -H -m root -M daily -M exec /home/drew/cron/smartmon.sh -M daily -f -l error -o on -S on -s (S/../.././02|L/../../6/03) -W 0,0,47 -d sat
VPN
Place holder for openvpn server
Configure kdump
Configure apcupsd
Time
Do this via kickstart. Install chrony and configure, add to firewall UDP123/24
Rsyslog
Do this via kickstart. For network clients, add UDP514/24 to IPTables
Configure logrotate
Do this via kickstart.
compress
Configure RAID and filesharing
Mount raid array
Configure md alerts
Setup clamav
Virus protection for Samba and weekly scan
Enable samba
Add TCP139,445/24 to IPTables
sudo systemctl enable smb
sudo systemctl start smb
/etc/samba/smb.conf
[global]
workgroup = WORKGROUP
server string = drewserv
security = user
passdb backend = tdbsam
log file = /var/log/samba/log.%m
max log size = 50
load printers = no
show add printer wizard = no
printcap name = /dev/null
disable spoolss = yes
[share]
path = /mnt/raid5
valid users = drew pbr
read only = No
create mode = 0665
directory mode = 0775
Setup cron jobs
Keep anacron from waking me up at night!
$ sudo vi /etc/anacrontab   # adjust START_HOURS_RANGE
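Both the sysstat section above (HISTORY and COMPRESSAFTER in /etc/sysconfig/sysstat) and this anacrontab edit come down to changing one KEY=VALUE line in a file. As an added example, not code from the original page or its kickstart, the bash functions below do that idempotently so the edit can live in a kickstart %post section instead of an interactive vi session. The names `set_kv` and `get_kv` are mine, the sample files are constructed stand-ins for the real ones, and the 8-20 window for START_HOURS_RANGE is an assumed value: the page names the key but not the value it sets.

```shell
#!/bin/bash
# Added example, not from the original page: an idempotent setter for simple
# KEY=VALUE files such as /etc/sysconfig/sysstat and /etc/anacrontab.
# It rewrites the first live assignment of KEY (commented-out lines stay
# untouched) or appends one when none exists, so running it twice never
# stacks duplicate lines. Keys are assumed to be plain identifiers.

set_kv() {  # usage: set_kv <file> <KEY> <value>
    local file=$1 key=$2 value=$3 tmp
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        !done && $0 ~ ("^[[:space:]]*" key "=") { print key "=" value; done = 1; next }
        { print }
        END { if (!done) print key "=" value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # "cat >" keeps the inode: mode, owner and SELinux label survive
    rm -f "$tmp"
}

# Print the value a shell-style reader would see: the LAST live assignment wins.
get_kv() {  # usage: get_kv <file> <KEY>
    awk -v key="$2" '
        $0 ~ ("^[[:space:]]*" key "=") { v = substr($0, index($0, "=") + 1) }
        END { print v }
    ' "$1"
}

# Constructed sample files standing in for /etc/sysconfig/sysstat and /etc/anacrontab.
SYSSTAT_CFG=$(mktemp)
cat > "$SYSSTAT_CFG" <<'EOF'
# sysstat configuration file (constructed sample)
#HISTORY=7
HISTORY=28
COMPRESSAFTER=31
SADC_OPTIONS=""
EOF
ANACRON_CFG=$(mktemp)
cat > "$ANACRON_CFG" <<'EOF'
SHELL=/bin/sh
MAILTO=root
RANDOM_DELAY=45
# the jobs will be started during the following hours only
START_HOURS_RANGE=3-22
1  5  cron.daily  nice run-parts /etc/cron.daily
EOF

set_kv "$SYSSTAT_CFG" HISTORY 365               # values from the page
set_kv "$SYSSTAT_CFG" COMPRESSAFTER 10
set_kv "$SYSSTAT_CFG" HISTORY 365               # second run is a no-op
set_kv "$ANACRON_CFG" START_HOURS_RANGE 8-20    # assumed daytime window; the page gives no value

echo "HISTORY=$(get_kv "$SYSSTAT_CFG" HISTORY) COMPRESSAFTER=$(get_kv "$SYSSTAT_CFG" COMPRESSAFTER)"
echo "START_HOURS_RANGE=$(get_kv "$ANACRON_CFG" START_HOURS_RANGE)"
```

Because the page tracks /etc with etckeeper, each such change shows up as a one-line diff in the next `etckeeper commit`, which is the easiest way to confirm the kickstart did exactly what was intended.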
Configure Web Services
ddclient for dynamicdns updates
Completing / Wrap-up
- Verify that none of the log files in /var/log are reporting errors or warnings
- Check logs for what's growing!
# ls -alR /var/log | grep ^- | awk '{print $5" "$9}' | sort -n
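The `ls -alR | awk` one-liner prints size and file name but drops the directory, so /var/log/messages and a file of the same name under /var/log/samba become indistinguishable, and a single listing shows what is big, not what is growing. As an added example, not code from the original page, the bash functions below keep the full path with GNU find (Fedora's default) and compare two size snapshots to show growth; the names `largest_files`, `snapshot_sizes` and `growth_since` are mine and the sample log tree is constructed.

```shell
#!/bin/bash
# Added example, not from the original page: two checks for "what is growing"
# under a log directory. Output fields are tab-separated so paths with spaces
# survive; GNU find's -printf supplies size and full path.

# Largest regular files under $1, biggest first, at most $2 lines (default 20).
largest_files() {  # usage: largest_files <dir> [count]
    find "$1" -type f -printf '%s\t%p\n' | sort -rn | head -n "${2:-20}"
}

# Snapshot "size<TAB>path" for every file under $1, sorted by path. Save one
# from a cron job and compare against it later to see growth, not just size.
snapshot_sizes() {  # usage: snapshot_sizes <dir> > snapshot.txt
    find "$1" -type f -printf '%s\t%p\n' | sort -t "$(printf '\t')" -k2
}

# Files that grew between two snapshots: "delta<TAB>size<TAB>path", largest
# delta first. Files absent from the old snapshot count as grown from zero.
growth_since() {  # usage: growth_since <old_snapshot> <new_snapshot>
    awk -F '\t' 'FILENAME == ARGV[1] { old[$2] = $1; next }
                 { delta = $1 - (($2 in old) ? old[$2] : 0)
                   if (delta > 0) print delta "\t" $1 "\t" $2 }' "$1" "$2" | sort -rn
}

# Constructed sample tree standing in for /var/log.
LOGDIR=$(mktemp -d)
mkdir -p "$LOGDIR/samba"
head -c 100 /dev/zero > "$LOGDIR/messages"
head -c 300 /dev/zero > "$LOGDIR/samba/log.client"
SNAP_OLD=$(mktemp); SNAP_NEW=$(mktemp)
snapshot_sizes "$LOGDIR" > "$SNAP_OLD"
head -c 50 /dev/zero >> "$LOGDIR/messages"      # simulate a day of growth
head -c 10 /dev/zero > "$LOGDIR/secure"          # a file that did not exist before
snapshot_sizes "$LOGDIR" > "$SNAP_NEW"

echo "--- largest ---"; largest_files "$LOGDIR" 3
echo "--- grew ---";    growth_since "$SNAP_OLD" "$SNAP_NEW"
```

On the real system, run `snapshot_sizes /var/log` from a daily cron job into a dated file; a log that tops the `growth_since` list day after day is the one whose logrotate entry (or the service behind it) deserves a look.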