ServerSetupFedora: Difference between revisions

From DrewWiki
Jump to navigation Jump to search
(Created ServerSetupFedora27)
 
m (Drew moved page ServerSetupFedora27 to ServerSetupFedora)
 
(3 intermediate revisions by the same user not shown)
Line 8: Line 8:


==Install etckepper and initalize it==
==Install etckepper and initalize it==
<syntaxhighlight>
<syntaxhighlight lang=bash>
sudo dnf install etckeeper
sudo dnf install etckeeper
sudo etckeepeer init
sudo etckeepeer init
Line 14: Line 14:


==Install fail2ban, enable, and start it==
==Install fail2ban, enable, and start it==
<syntaxhighlight>
<syntaxhighlight lang=bash>
sudo dnf install fail2ban
sudo dnf install fail2ban
sudo systemctl enable fail2ban
sudo systemctl enable fail2ban
Line 21: Line 21:


==Disable root login via password ssh==
==Disable root login via password ssh==
<syntaxhighlight>
<syntaxhighlight lang=bash>
$ grep Root /etc/ssh/sshd_config
$ grep Root /etc/ssh/sshd_config
PermitRootLogin prohibit-password
PermitRootLogin prohibit-password
Line 28: Line 28:
==Add TCP/22 to firewalld==
==Add TCP/22 to firewalld==
Done in kickstart, manually though:
Done in kickstart, manually though:
<syntaxhighlight>
<syntaxhighlight lang=bash>
firewall-cmd --permanent --add-port=80/tcp --add-port=443/tcp
firewall-cmd --permanent --add-port=22/tcp --add-port==80/tcp--add-port=443/tcp
firewall-cmd --reload
firewall-cmd --reload
</syntaxhighlight>
</syntaxhighlight>
Line 35: Line 35:
==Enable sudo==
==Enable sudo==
User drew is added to wheel in kickstart, manually though:
User drew is added to wheel in kickstart, manually though:
<syntaxhighlight>
<syntaxhighlight lang=bash>
$ sudo visudo
$ sudo visudo
drew ALL=(ALL) NOPASSWD:ALL
drew ALL=(ALL) NOPASSWD:ALL
Line 41: Line 41:


==dnf upgrade==
==dnf upgrade==
<syntaxhighlight>
<syntaxhighlight lang=bash>
sudo dnf upgrade -y
sudo dnf upgrade -y
</syntaxhighlight>
</syntaxhighlight>
Line 47: Line 47:
==Enable SElinux==
==Enable SElinux==
Done in kickstart, however:
Done in kickstart, however:
<syntaxhighlight>
<syntaxhighlight lang=bash>
$ grep enforcing /etc/selinux/config
$ grep enforcing /etc/selinux/config
SELINUXTYPE=enforcing
SELINUXTYPE=enforcing
Line 54: Line 54:


==Extend days of sysstat logging==
==Extend days of sysstat logging==
<syntaxhighlight>
<syntaxhighlight lang=bash>
$ grep -vE '^($|#)' /etc/sysconfig/sysstat
$ grep -vE '^($|#)' /etc/sysconfig/sysstat
HISTORY=365
HISTORY=365
Line 63: Line 63:
=Install other software=
=Install other software=
Do this in kickstart
Do this in kickstart
<syntaxhighlight>
<syntaxhighlight lang=bash>
# dnf install -y man screen wget strace rsync mailx fdupes logwatch grep lsof screen binutils tar mcelog nfs-utils \
# dnf install -y man screen wget strace rsync mailx fdupes logwatch grep lsof screen binutils tar mcelog nfs-utils \
OpenIPMI ipmitool sysstat clamav clamav-update iscsi-initiator-utils samba openvpn lldpad ntp \
OpenIPMI ipmitool sysstat clamav clamav-update iscsi-initiator-utils samba openvpn lldpad ntp \
Line 75: Line 75:


===add .forward file===
===add .forward file===
<syntaxhighlight>
<syntaxhighlight lang=bash>
$ sudo echo drew > /root/.forward
$ sudo echo drew > /root/.forward
$ sudo echo "andrew: drew" >> /etc/aliases
$ sudo echo "andrew: drew" >> /etc/aliases
Line 88: Line 88:
===Configure lm-sensors===
===Configure lm-sensors===
Do this in kickstart
Do this in kickstart
<syntaxhighlight>
<syntaxhighlight lang=bash>
$ sudo sensors-detect --auto
$ sudo sensors-detect --auto
</syntaxhighlight>
</syntaxhighlight>
Line 94: Line 94:
===lldpad===
===lldpad===
Do this in kickstart
Do this in kickstart
<syntaxhighlight>
<syntaxhighlight lang=bash>
$ sudo systemctl enable llpdad
$ sudo systemctl enable llpdad
$ sudo systemctl start llpdad
$ sudo systemctl start llpdad
Line 101: Line 101:
===mcelog===
===mcelog===
Do this in kickstart
Do this in kickstart
<syntaxhighlight>
<syntaxhighlight lang=bash>
systemctl enable mcelog
systemctl enable mcelog
systemctl start mcelog
systemctl start mcelog
Line 107: Line 107:


===SMARTmon HDD Alerts===
===SMARTmon HDD Alerts===
<syntaxhighlight>
<syntaxhighlight lang=bash>
DEVICESCAN -H -m root -M exec /usr/libexec/smartmontools/smartdnotify -n standby,10,q
DEVICESCAN -H -m root -M exec /usr/libexec/smartmontools/smartdnotify -n standby,10,q
/dev/sda -H -m root -M daily -M exec /home/drew/cron/smartmon.sh -M daily -f -l error -o on -S on -s (S/../.././02|L/../../6/03) -W 0,0,45 -d sat
/dev/sda -H -m root -M daily -M exec /home/drew/cron/smartmon.sh -M daily -f -l error -o on -S on -s (S/../.././02|L/../../6/03) -W 0,0,45 -d sat
Line 131: Line 131:
==Configure logrotate==
==Configure logrotate==
Do this via kickstart.  
Do this via kickstart.  
<syntaxhighlight>
<syntaxhighlight lang=bash>
compress
compress
</syntaxhighlight>
</syntaxhighlight>
Line 145: Line 145:
==Enable samba==
==Enable samba==
Add TCP139,445/24 to IPTables
Add TCP139,445/24 to IPTables
<syntaxhighlight>
<syntaxhighlight lang=bash>
sudo systemctl enable smb;  
sudo systemctl enable smb;  
sudo systemctl start smb
sudo systemctl start smb
Line 151: Line 151:


/etc/samba/smb.conf
/etc/samba/smb.conf
<syntaxhighlight>
<syntaxhighlight lang=bash>
[global]
[global]
         workgroup = WORKGROUP
         workgroup = WORKGROUP
Line 173: Line 173:
== Setup cron jobs ==
== Setup cron jobs ==
Keep anacron from waking me up at night!  
Keep anacron from waking me up at night!  
<syntaxhighlight>
<syntaxhighlight lang=bash>
$ sudo vi /etc/anacrontab // START_HOURS_RANGE</pre>
$ sudo vi /etc/anacrontab // START_HOURS_RANGE
</syntaxhighlight>
</syntaxhighlight>


Line 182: Line 182:
= Completing / Wrap-up =
= Completing / Wrap-up =
* Verify all log files in /var/log are not giving any errors or notifications
* Verify all log files in /var/log are not giving any errors or notifications
* Check logs for whats growing! <pre># ls -alR /var/log | grep ^- | awk {'print $5" "$8'} | sort -k 2| sort -n</pre>
* Check logs for whats growing! <syntaxhighlight lang=bash># ls -alR /var/log | grep ^- | awk {'print $5" "$8'} | sort -k 2| sort -n</syntaxhighlight>

Latest revision as of 01:13, 7 September 2021

Fedora 27 Net Install ISO

Write to thumb drive https://download.fedoraproject.org/pub/fedora/linux/releases/27/Server/x86_64/iso/Fedora-Server-netinst-x86_64-27-1.6.iso

kickstart.ks

<script src="https://gist.github.com/drew-holt/e00fc2879db092e7c42b4d0101935caf.js"></script>

Immediate post install steps

Install etckepper and initalize it

sudo dnf install etckeeper
sudo etckeepeer init

Install fail2ban, enable, and start it

sudo dnf install fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Disable root login via password ssh

$ grep Root /etc/ssh/sshd_config
PermitRootLogin prohibit-password

Add TCP/22 to firewalld

Done in kickstart, manually though:

firewall-cmd --permanent --add-port=22/tcp --add-port==80/tcp--add-port=443/tcp
firewall-cmd --reload

Enable sudo

User drew is added to wheel in kickstart, manually though:

$ sudo visudo
drew	ALL=(ALL) NOPASSWD:ALL

dnf upgrade

sudo dnf upgrade -y

Enable SElinux

Done in kickstart, however:

$ grep enforcing /etc/selinux/config
SELINUXTYPE=enforcing
$ setenforce 1

Extend days of sysstat logging

$ grep -vE '^($|#)' /etc/sysconfig/sysstat
HISTORY=365
COMPRESSAFTER=10
SADC_OPTIONS=""

Install other software

Do this in kickstart

# dnf install -y man screen wget strace rsync mailx fdupes logwatch grep lsof screen binutils tar mcelog nfs-utils \
OpenIPMI ipmitool sysstat clamav clamav-update iscsi-initiator-utils samba openvpn lldpad ntp \
php-pecl-apc lm_sensors hddtemp smartmontools apcupsd apcupsd-cgi

Configure system

Mail

Place holder for postfix config here and firewald rules for TCP25

add .forward file

$ sudo echo drew > /root/.forward
$ sudo echo "andrew: drew" >> /etc/aliases
$ sudo newaliases
$ sudo echo "root: drew" >> /etc/aliases
$ sudo newaliases

Monitoring

Place holder for nagios client config

Configure lm-sensors

Do this in kickstart

$ sudo sensors-detect --auto

lldpad

Do this in kickstart

$ sudo systemctl enable llpdad
$ sudo systemctl start llpdad

mcelog

Do this in kickstart

systemctl enable mcelog
systemctl start mcelog

SMARTmon HDD Alerts

DEVICESCAN -H -m root -M exec /usr/libexec/smartmontools/smartdnotify -n standby,10,q
/dev/sda -H -m root -M daily -M exec /home/drew/cron/smartmon.sh -M daily -f -l error -o on -S on -s (S/../.././02|L/../../6/03) -W 0,0,45 -d sat
/dev/sdb -H -m root -M daily -M exec /home/drew/cron/smartmon.sh -M daily -f -l error -o on -S on -s (S/../.././02|L/../../6/03) -W 0,0,45 -d sat
/dev/sdc -H -m root -M daily -M exec /home/drew/cron/smartmon.sh -M daily -f -l error -o on -S on -s (S/../.././02|L/../../6/03) -W 0,0,45 -d sat
/dev/sdd -H -m root -M daily -M exec /home/drew/cron/smartmon.sh -M daily -f -l error -o on -S on -s (S/../.././02|L/../../6/03) -W 0,0,45 -d sat
/dev/sde -H -m root -M daily -M exec /home/drew/cron/smartmon.sh -M daily -f -l error -o on -S on -s (S/../.././02|L/../../6/03) -W 0,0,47 -d sat

VPN

Place holder for openvpn server

Configure kdump

Configure apcupsd

Time

Do this via kickstart. Install chrony and configure, add to firewall UDP123/24

Rsyslog

Do this via kickstart. For network clients, add UDP514/24 to IPTables

Configure logrotate

Do this via kickstart.

compress

Configure RAID and filesharing

Mount raid array

Configure md alerts

Setup clamav

Virus protection for Samba and weekly scan

Enable samba

Add TCP139,445/24 to IPTables

sudo systemctl enable smb; 
sudo systemctl start smb

/etc/samba/smb.conf

[global]
        workgroup = WORKGROUP
        server string = drewserv
        security = user
        passdb backend = tdbsam
        log file = /var/log/samba/log.%m
        max log size = 50
        load printers = no
        show add printer wizard = no
        printcap name = /dev/null
        disable spoolss = yes
[share]
        path = /mnt/raid5
        valid users = drew pbr
        read only = No
	create mode = 0665
	directory mode = 0775

Setup cron jobs

Keep anacron from waking me up at night!

$ sudo vi /etc/anacrontab // START_HOURS_RANGE

Configure Web Services

ddclient for dynamicdns updates

Completing / Wrap-up

  • Verify all log files in /var/log are not giving any errors or notifications
  • Check logs for whats growing!
    # ls -alR /var/log | grep ^- | awk {'print $5" "$8'} | sort -k 2| sort -n