ServerSetupFedora22: Difference between revisions

From DrewWiki
Jump to navigation Jump to search
No edit summary
No edit summary
 
(53 intermediate revisions by the same user not shown)
Line 1: Line 1:
<pre> # yum install man screen lm_sensors wget rsync fail2ban mailx sendmail-cf \
'''To-do:''' This page is outdated and needs better formatting.
nut clamav clamav-update nfs-utils strace smartmontools logwatch etckeeper \
OpenIPMI ipmitool php-pecl-apc.x86_64</pre>


# Install etckeeper
= Immediate post install steps =
# Disable root login via ssh
 
# Enable sudo
==Install etckepper and fail2ban==
# Install fail2ban
Initalize and ensure service is running
# yum remove unneeded software
<syntaxhighlight lang=bash>
# yum update<br><br>
sudo yum install etckeeper fail2ban
# Configure GRUB serial console redirection
sudo etckeepeer init
# Configure kdump for system panics
sudo systemctl enable fail2ban
## Append kernel grub.conf crashkernel=128M for F14
sudo systemctl start fail2ban
## /etc/sysctl.conf :: kernel.sysrq =1
</syntaxhighlight>
# Configure NUT for UPS alerts
 
# Configure Time Server for local network access
==Disable root login via password ssh==
## Add UDP 123 to IPTables
<syntaxhighlight lang=bash>
# Configure syslog for network client writes
$ grep Root /etc/ssh/sshd_config
## Add UDP 514 to IPTables<br><br>
PermitRootLogin prohibit-password
# Mount raid array
</syntaxhighlight>
# Configure md alerts
 
# Enable NFS
==Add TCP22/0 to IPTables==
##Add TCP 2049 to IPTables
 
##Disable NFSv2/3 /etc/sysconfig/nfs
==Enable sudo==
## $ service rpcbind start ; chkconfig rpcbind on
<syntaxhighlight lang=bash>
## $ service nfslock start ; chkconfig nfslock on
$ sudo grep drew /etc/sudoers
## $ service nfs start ;  chkconfig nfs on
drew ALL=(ALL) NOPASSWD:ALL
# Enable samba
</syntaxhighlight>
## Add TCP port 139/445 to IPTables
 
# Enable iSCSI
==yum remove unneeded software==
# ^ Configure bacula and web interface<br><br>
 
# Setup mail relay
==yum update==
## $ echo drew > /root/.forward
 
## echo "andrew: drew" >> /etc/aliases; newaliases
==Enable SElinux==
## echo "root: drew" >> /etc/aliases; newaliases
 
## Remove 127.0.0.1 /etc/mail/sendmail.mc
==Extend days of sysstat logging==
## Add TCP port 25 to IPTables
<syntaxhighlight lang=bash>
# Configure smartd to monitor hard drives
$ grep -vE '^($|#)' /etc/sysconfig/sysstat
# ^ Configure thermal alerts for server
HISTORY=365
# Configure logwatch
COMPRESSAFTER=10
# Setup clamav virus protection for Samba and weekly scan<br><br>
SADC_OPTIONS=""
# Setup cron jobs
</syntaxhighlight>
## Keep anacron from waking me up at night! # vi /etc/anacrontab // START_HOURS_RANGE<br><br>
 
# ^ Configure Snort passive IDS
= Install rest of software =
# ^ Transparent Proxy with Squid for bandwidth utilization tally<br><br>
<syntaxhighlight lang=bash>
# Upload firmware for tv tuner card
$ sudo yum install man screen wget strace rsync mailx fdupes logwatch grep lsof screen binutils tar mcelog nfs-utils \
# Setup mythtv
OpenIPMI ipmitool sysstat clamav clamav-update iscsi-initiator-utils samba openvpn lldpad ntp \
# Configure MythWeb
php-pecl-apc lm_sensors hddtemp smartmontools apcupsd apcupsd-cgi
# Force http to https redirection
</syntaxhighlight>
## Add TCP port 443 to IPTables
 
# Configure MediaWiki
= Configure system, monitoring, mail, AV, and VPN =
# Configure webdav for tomboy notes / foxit marks
* Configure GRUB serial console redirection
# Configure mod_auth_pam for httpd authentication<br><br>
* Configure kdump for system panics
# ^ Verify all log files in /var/log are not giving any errors or notifications
* Configure lm-sensors, smartd/hddtemp+thermal alerts, lldpad, mcelog, and SMARTmon for temperature alerts.
# ^ Check logs for whats growing!
:* ls -alR /var/log | grep ^- | awk {'print $5" "$8'} | sort -k 2| sort -n
<syntaxhighlight lang=bash> DEVICESCAN -H -m root -M exec /usr/libexec/smartmontools/smartdnotify -n standby,10,q
/dev/sda -H -m root -M daily -M exec /home/drew/cron/smartmon.sh -M daily -f -l error -o on -S on -s (S/../.././02|L/../../6/03) -W 0,0,45 -d sat
/dev/sdb -H -m root -M daily -M exec /home/drew/cron/smartmon.sh -M daily -f -l error -o on -S on -s (S/../.././02|L/../../6/03) -W 0,0,45 -d sat
/dev/sdc -H -m root -M daily -M exec /home/drew/cron/smartmon.sh -M daily -f -l error -o on -S on -s (S/../.././02|L/../../6/03) -W 0,0,45 -d sat
/dev/sdd -H -m root -M daily -M exec /home/drew/cron/smartmon.sh -M daily -f -l error -o on -S on -s (S/../.././02|L/../../6/03) -W 0,0,45 -d sat
/dev/sde -H -m root -M daily -M exec /home/drew/cron/smartmon.sh -M daily -f -l error -o on -S on -s (S/../.././02|L/../../6/03) -W 0,0,47 -d sat
</syntaxhighlight>
 
* Configure apcupsd for UPS alerts
* Configure Time Server for local network access
** Add UDP123/24 to IPTables
* Configure rsyslog for network clients
** Add UDP514/24 to IPTables
* Setup mail relay
** Remove 127.0.0.1 /etc/mail/sendmail.mc
** <syntaxhighlight lang=bash># echo drew > /root/.forward; echo "andrew: drew" >> /etc/aliases; newaliases; echo "root: drew" >> /etc/aliases; newaliases</syntaxhighlight>
** Add TCP25/0 to IPTables
* Configure logwatch
* Setup clamav virus protection for Samba and weekly scan
* Configure OpenVPN
 
= Configure RAID and filesharing =
* Mount raid array
* Configure md alerts
* Enable samba
** Add TCP139,445/24 to IPTables
** <syntaxhighlight lang=bash># systemctl enable smb; systemctl start smb</syntaxhighlight>
<syntaxhighlight lang=bash>  
[global]
        workgroup = WORKGROUP
        server string = drewserv
        security = user
        passdb backend = tdbsam
        log file = /var/log/samba/log.%m
        max log size = 50
        load printers = no
        show add printer wizard = no
        printcap name = /dev/null
        disable spoolss = yes
[share]
        path = /mnt/raid5
        valid users = drew pbr
        read only = No
create mode = 0665
directory mode = 0775
</syntaxhighlight>
* Enable iSCSI
** Add TCP3260/24
* ^ Configure bacula and web interface
 
=Setup cron jobs=
Keep anacron from waking me up at night!  
<syntaxhighlight lang=bash>
# vi /etc/anacrontab // START_HOURS_RANGE
</syntaxhighlight>
 
=Configure Web Services=
* ddclient for dynamicdns updates
* Configure MythTV / MythWeb / minidlna
** Add TCP80/24 and TCP443/0 for web services, TCP1900/0 TCP8200/0, TCP34531/0 for minidlna
 
<syntaxhighlight lang=bash>  
port=8200
media_dir=/mnt/raid5/media
db_dir=/var/cache/minidlna
log_dir=/var/log/minidlna
album_art_names=Cover.jpg/cover.jpg/AlbumArtSmall.jpg/albumartsmall.jpg/AlbumArt.jpg/albumart.jpg/Album.jpg/album.jpg/Folder.jpg/folder.jpg/Thumb.jpg/thumb.jpg
inotify=yes
enable_tivo=no
strict_dlna=no
notify_interval=900
serial=12345678
model_number=1
root_container=B
</syntaxhighlight>
 
* Configure pecl-php-apc / DrewWiki / WebDAV
 
= Completing / Wrap-up =
* Verify all log files in /var/log are not giving any errors or notifications
* Check logs for whats growing!  
<syntaxhighlight lang=bash>
# ls -alR /var/log | grep ^- | awk {'print $5" "$8'} | sort -k 2| sort -n
</syntaxhighlight>
* Create MondoRescue restore image

Latest revision as of 01:52, 25 January 2018

To-do: This page is outdated and needs better formatting.

Immediate post install steps

Install etckepper and fail2ban

Initalize and ensure service is running

sudo yum install etckeeper fail2ban
sudo etckeepeer init
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Disable root login via password ssh

$ grep Root /etc/ssh/sshd_config
PermitRootLogin prohibit-password

Add TCP22/0 to IPTables

Enable sudo

$ sudo grep drew /etc/sudoers
drew	ALL=(ALL) NOPASSWD:ALL

yum remove unneeded software

yum update

Enable SElinux

Extend days of sysstat logging

$ grep -vE '^($|#)' /etc/sysconfig/sysstat
HISTORY=365
COMPRESSAFTER=10
SADC_OPTIONS=""

Install rest of software

$ sudo yum install man screen wget strace rsync mailx fdupes logwatch grep lsof screen binutils tar mcelog nfs-utils \
OpenIPMI ipmitool sysstat clamav clamav-update iscsi-initiator-utils samba openvpn lldpad ntp \
php-pecl-apc lm_sensors hddtemp smartmontools apcupsd apcupsd-cgi

Configure system, monitoring, mail, AV, and VPN

  • Configure GRUB serial console redirection
  • Configure kdump for system panics
  • Configure lm-sensors, smartd/hddtemp+thermal alerts, lldpad, mcelog, and SMARTmon for temperature alerts.
 DEVICESCAN -H -m root -M exec /usr/libexec/smartmontools/smartdnotify -n standby,10,q
/dev/sda -H -m root -M daily -M exec /home/drew/cron/smartmon.sh -M daily -f -l error -o on -S on -s (S/../.././02|L/../../6/03) -W 0,0,45 -d sat
/dev/sdb -H -m root -M daily -M exec /home/drew/cron/smartmon.sh -M daily -f -l error -o on -S on -s (S/../.././02|L/../../6/03) -W 0,0,45 -d sat
/dev/sdc -H -m root -M daily -M exec /home/drew/cron/smartmon.sh -M daily -f -l error -o on -S on -s (S/../.././02|L/../../6/03) -W 0,0,45 -d sat
/dev/sdd -H -m root -M daily -M exec /home/drew/cron/smartmon.sh -M daily -f -l error -o on -S on -s (S/../.././02|L/../../6/03) -W 0,0,45 -d sat
/dev/sde -H -m root -M daily -M exec /home/drew/cron/smartmon.sh -M daily -f -l error -o on -S on -s (S/../.././02|L/../../6/03) -W 0,0,47 -d sat
  • Configure apcupsd for UPS alerts
  • Configure Time Server for local network access
    • Add UDP123/24 to IPTables
  • Configure rsyslog for network clients
    • Add UDP514/24 to IPTables
  • Setup mail relay
    • Remove 127.0.0.1 /etc/mail/sendmail.mc
    • # echo drew > /root/.forward; echo "andrew: drew" >> /etc/aliases; newaliases; echo "root: drew" >> /etc/aliases; newaliases
      
    • Add TCP25/0 to IPTables
  • Configure logwatch
  • Setup clamav virus protection for Samba and weekly scan
  • Configure OpenVPN

Configure RAID and filesharing

  • Mount raid array
  • Configure md alerts
  • Enable samba
    • Add TCP139,445/24 to IPTables
    • # systemctl enable smb; systemctl start smb
      
 
[global]
        workgroup = WORKGROUP
        server string = drewserv
        security = user
        passdb backend = tdbsam
        log file = /var/log/samba/log.%m
        max log size = 50
        load printers = no
        show add printer wizard = no
        printcap name = /dev/null
        disable spoolss = yes
[share]
        path = /mnt/raid5
        valid users = drew pbr
        read only = No
	create mode = 0665
	directory mode = 0775
  • Enable iSCSI
    • Add TCP3260/24
  • ^ Configure bacula and web interface

Setup cron jobs

Keep anacron from waking me up at night!

# vi /etc/anacrontab // START_HOURS_RANGE

Configure Web Services

  • ddclient for dynamicdns updates
  • Configure MythTV / MythWeb / minidlna
    • Add TCP80/24 and TCP443/0 for web services, TCP1900/0 TCP8200/0, TCP34531/0 for minidlna
 
port=8200
media_dir=/mnt/raid5/media
db_dir=/var/cache/minidlna
log_dir=/var/log/minidlna
album_art_names=Cover.jpg/cover.jpg/AlbumArtSmall.jpg/albumartsmall.jpg/AlbumArt.jpg/albumart.jpg/Album.jpg/album.jpg/Folder.jpg/folder.jpg/Thumb.jpg/thumb.jpg
inotify=yes
enable_tivo=no
strict_dlna=no
notify_interval=900
serial=12345678
model_number=1
root_container=B
  • Configure pecl-php-apc / DrewWiki / WebDAV

Completing / Wrap-up

  • Verify all log files in /var/log are not giving any errors or notifications
  • Check logs for whats growing!
# ls -alR /var/log | grep ^- | awk {'print $5" "$8'} | sort -k 2| sort -n
  • Create MondoRescue restore image