Initial script on in.altagrade.org
Create a script /root/compress-etc-ag.sh that, every time this page is saved, copies selected Webmin directories into /etc/ag and then compresses /etc/ag so that it can be downloaded:

```sh
#!/bin/sh
# Publishes /etc/ag as a tarball whenever altaos.txt (the export of this page) has just been saved.
SRC=/home/altaorg/domains/in.altagrade.org/www/altaos.txt
DST=/home/altaorg/domains/in.altagrade.org/public_html

if [ -e "$SRC" ]; then
  # Age of the saved page in seconds. The original compared $AGE without ever
  # defining it; a "fresh" save is one younger than the two-minute window below.
  AGE=$(( $(date +%s) - $(stat -c %Y "$SRC") ))
  echo "$AGE"
  if [ "$AGE" -lt 120 ]; then
    rm -rf "$DST/ag.tar.gz"
    cd /etc || exit 1
    rm -rf ag/webmin
    mkdir ag/webmin
    cp -R webmin/authentic-theme ag/webmin
    cp -R webmin/status ag/webmin
    cp -R webmin/custom ag/webmin
    # Only the altagrade ACL entry is shipped, not the whole Webmin ACL file.
    grep altagrade /etc/webmin/webmin.acl > /etc/ag/webmin/webmin.acl
    tar cvzf ag.tar.gz ag
    mv ag.tar.gz "$DST"
  fi
fi
```
and schedule it to trigger every minute:
```
* * * * * /root/compress-etc-ag.sh > /dev/null 2>&1
```
Auto-installation script for the newly deployed systems
This page generates a script for the automatic installation of the operating system on AltaGrade dedicated and virtual private servers. The script incorporates all the steps on this page plus the referenced steps of other nodes in this book hierarchy. Introduction fields are ignored. Make sure to reference the steps of other nodes properly so that they get included: to reference another node, place only its nid in the source code field of any paragraph.
Newly created Virtualizor systems can pull the script by the following commands placed in the `Extra` parameter:
```sh
#!/bin/sh
# Bootstrap placed in Virtualizor's "Extra" parameter: fetch /etc/ag and the generated
# installer from in.altagrade.org and run it, logging to /root/.altaos.
# Both files are fetched over plain HTTP with no checksum or signature check, so access to
# that virtual host must be restricted (see the "Allow from" note below).
yum -y update && yum -y install wget && \
cd /etc && wget http://in.altagrade.org:8080/ag.tar.gz && tar xzf ag.tar.gz && rm -rf ag.tar.gz && \
cd /usr/src && wget http://in.altagrade.org:8080/altaos.txt && yum -y install wget dos2unix && \
dos2unix altaos.txt && mv altaos.txt altaos.sh && chmod 755 altaos.sh && \
mkdir /root/.altaos && sh ./altaos.sh | tee /root/.altaos/altaos-install.log
```
Additional notes:
- To install AltaOS on an EU-based server, don't forget to add the EU IP addresses to the `Allow from` rule for in.altagrade.org in the Apache configuration file (/etc/httpd/conf/httpd.conf).
0) Check if the system is freshly installed before doing anything else, because we don't want to run the installation script twice
```sh
# /etc/webmin only exists once step 7 has run, so it doubles as the "already installed" marker.
if [ -d /etc/webmin ]; then
  echo "It seems this script has already been executed on this server."
  echo "This script should be run only once as otherwise it will duplicate entries in a number of configuration files!"
  exit 0
fi
```
1) Defining some variable values to use later in the installation script
```sh
# Virtual machines (QEMU) get one SSH port, dedicated servers another; APF opens it in step 18.
if grep -q "QEMU" /proc/bus/input/devices; then
  PORT=19759
else
  PORT=19753
fi
export PORT
# Primary IPv4 address (source address of the default route), all global IPv6 addresses,
# and the interface carrying the IPv4 address.
IP="$( ip route get 8.8.8.8 | awk 'NR==1 {print $NF}' )"
IP6="$( ip -6 addr | grep inet6 | awk -F '[ \t]+|/' '{print $3}' | grep -v ^::1 )"
IFACE=$(ip addr | grep $IP | awk '{print $NF}')
OWNER=""
TIMESTAMP=$(date +%s)
# bash's SECONDS counter, read again in step 20 to report the run time.
SECONDS=0
# There is no DB at this point yet, so commenting out
# MYSQL_VER=`mysql --version|awk '{ print $5 }'|awk -F\-MariaDB, '{ print $1 }'`
```
2) Installing additional packages
```sh
echo "=================================================================================="
echo "Installing additional packages .."
yum -y makecache fast && yum -y install yum-plugin-fastestmirror
yum -y install epel-release
yum -y install perl nano rsync make vim screen wget mlocate gcc pcre-devel \
  nmap openssh-clients ImageMagick gcc-c++ bzip2 net-tools iptables-services \
  ntpdate yum-cron perl-LWP-Protocol-https deltarpm patch lsof git psacct \
  yum-utils bash-completion at e2fsprogs sudo libxml2-devel htop pam-devel \
  perl-Authen-PAM
echo "..done"
echo "=================================================================================="
echo "Enabling services .."
systemctl enable psacct && systemctl start psacct
systemctl enable yum-cron.service && systemctl start yum-cron.service
echo "..done"
if [ ! -f /usr/local/bin/composer ]; then
  echo "=================================================================================="
  echo "Installing Composer .."
  cd /usr/src
  # The downloaded installer is piped straight into php; getcomposer.org publishes a
  # SHA-384 of the installer that can be checked before running it.
  curl -sS https://getcomposer.org/installer | sudo php -- --install-dir=/usr/local/bin --filename=composer
  echo "..done"
fi
```
3) Setting up and configuring the system
```sh
# "sed -i" is used throughout. The original used "sed -ie", which makes sed treat the "e"
# as a backup suffix and litters /etc with copies such as sshd_confige.
if [ "$(readlink /etc/localtime)" != "/usr/share/zoneinfo/UTC" ]; then
  echo "=================================================================================="
  echo "Setting local time to UTC .."
  rm -f /etc/localtime
  ln -s /usr/share/zoneinfo/UTC /etc/localtime
  echo ".. done"
fi
if [ ! -d /home/backup ]; then
  echo "=================================================================================="
  echo "Creating /home/backup directory .."
  mkdir /home/backup
  echo "Creating a symlink /backup to /home/backup .."
  ln -s /home/backup /backup
  echo ".. done"
fi
if [ ! -d /sandbox ]; then
  echo "=================================================================================="
  echo "Creating /sandbox directory .."
  mkdir /sandbox
  echo ".. done"
fi
if grep -Fq '# include "/usr/share/nano/nanorc.nanorc"' /etc/nanorc; then
  echo "=================================================================================="
  echo "Colorifying the Nano editor .."
  # Uncomment the bundled syntax-highlighting includes.
  for syntax in sh java python patch php c css html man perl ruby xml nanorc; do
    sed -i "s|# include \"/usr/share/nano/${syntax}.nanorc\"|include \"/usr/share/nano/${syntax}.nanorc\"|" /etc/nanorc
  done
  echo ".. done"
fi
# Setting cron job definitions before other scripts start putting their own lines
if ! grep -Fq "Example of cron job definition on AltaGrade servers" /var/spool/cron/root 2>/dev/null; then
  echo "=================================================================================="
  echo "Setting up cron definitions .."
  cd /var/spool/cron
  touch root
  mv root root.old
  cat > root.header << 'EOF'
# Example of cron job definition on AltaGrade servers:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
#
# 1. Entry: Minute when the process will be started [0-60]
# 2. Entry: Hour when the process will be started [0-23]
# 3. Entry: Day of the month when the process will be started [1-28/29/30/31]
# 4. Entry: Month of the year when the process will be started [1-12]
# 5. Entry: Weekday when the process will be started [0-6] [0 is Sunday]
#
# every x min = */x
# So according to this your 5 8 * * 6 would run 8:05 every Saturday.
# Ex: 39 * * * * wget -O - -q -t 1 http://YourDrupalSite.com/cron.php?key=YourDrupalSiteCronKeyHere
EOF
  # The original ran "cat root temp > root", which truncates root before reading it and
  # loses the header; concatenate into a separate output file instead.
  cat root.header root.old > root
  rm -f root.header root.old
  echo "..done"
fi
if ! grep -Fq "▓▓▓█████▓" /etc/banner 2>/dev/null; then
  echo "=================================================================================="
  echo "Creating /etc/banner .."
  # The banner is ASCII art; its line breaks did not survive extraction of this page.
  cat <<EOT >> /etc/banner
▄▄▄ ▓▓▓ ▓▓▓█████▓ ▄▄▄ ▄████ ▓▓▀███ ▄▄▄ ▓█████▄ ▓█████ ▒▓▓██▄ ▓██▒ ▓ ▓▓▒ ▓▒▒████▄ ▓▓▒ ▀█▒▓██ ▒ ▓█▒▒▓▓██▄ ▒▓▓▀ ██▌▓▓ ▀ ▒▓▓ ▀█▄ ▒▓▓░ ▒ ▓██░ ▒░▒▓▓ ▀█▄ ▒▓▓░▄▄▄░▓▓▓ ░▄█ ▒▒▓▓ ▀█▄ ░██ █▌▒▓▓██ ░██▄▄▄▄██ ▒▓▓░ ░ ▓██▓ ░ ░██▄▄▄▄██ ░▓█ ██▓▒▓▓▀▀█▄ ░██▄▄▄▄██ ░▓█▄ ▌▒▓█ ▄ ▓█ ▓██▒░██████▒▒██▒ ░ ▓█ ▓██▒░▒▓███▀▒░██▓ ▒▓▓▒ ▓█ ▓██▒░▒████▓ ░▒████▒ ▒▒ ▓▒█░░ ▒░▓ ░▒ ░░ ▒▒ ▓▒█░ ░▒ ▒ ░ ▒▓ ░▒▓░ ▒▒ ▓▒█░ ▒▒▓ ▒ ░░ ▒░ ░ ▒ ▒▒ ░░ ░ ▒ ░ ░ ▒ ▒▒ ░ ░ ░ ░▒ ░ ▒░ ▒ ▒▒ ░ ░ ▒ ▒ ░ ░ ░ ░ ▒ ░ ░ ░ ░ ▒ ░ ░ ░ ░░ ░ ░ ▒ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░
EOT
  echo ".. done"
fi
# sshd shows the banner before authentication. Note that sshd honours the first active
# "Banner" directive, so the appended line only takes effect if none precedes it.
if grep -Fq "#Banner none" /etc/ssh/sshd_config; then
  sed -i '/#Banner none/c\Banner /etc/banner' /etc/ssh/sshd_config
else
  echo 'Banner /etc/banner' >> /etc/ssh/sshd_config
fi
if ! grep -Fq "Welcome" /etc/motd; then
  echo "=================================================================================="
  echo "Creating /etc/motd .."
  cat <<EOT >> /etc/motd
*****************************************************************************
* Welcome to AltaGrade Optimized Operating System!                          *
*                                                                           *
* If you encounter any issues with the server, then please browse our Help  *
* section on https://www.altagrade.com/docs first. And if you couldn't find *
* any solution, then submit a support request at https://my.altagrade.com.  *
*                                                                           *
*****************************************************************************
EOT
  echo ".. done"
fi
if ! grep -Fq "update-webmin" /root/.bashrc; then
  echo "=================================================================================="
  echo "Creating root aliases .."
  cat >> /root/.bashrc << 'EOF'
alias update-webmin='yes | /usr/libexec/webmin/update-from-repo.sh'
alias update-theme='yes | /usr/libexec/webmin/authentic-theme/theme-update.sh'
alias webminpass='/usr/libexec/webmin/changepass.pl /etc/webmin root'
alias ps10='ps -auxf | sort -nr -k 4 | head -10'
alias cpu10='ps -eo pcpu,pid,user,args | sort -k 1 -r | head -10'
alias qchwr='drush pml --no-core --type=module --status=enabled --pipe | xargs drush -y dis'
alias repo='sed -n -e "/^\[/h; /priority *=/{ G; s/\n/ /; s/ity=/ity = /; p }" /etc/yum.repos.d/*.repo | sort -k3n'
alias psx="ps -eo pcpu,pid -o comm= | sort -k1 -n -r | head -12"
# A function rather than an alias: "$1" inside an alias is expanded when .bashrc is read, not at call time.
psg () { ps fuxa | grep "$1"; }
alias psm="ps -eo pmem,pcpu,rss,vsize,args | sort -k 1 -r | less"
alias eba='nano /etc/profile.d/globaliases.sh'
alias lba='source /etc/profile.d/globaliases.sh'
alias net1='rm -rf /etc/udev/rules.d/70-persistent-net.rules'
alias net2='nano /etc/resolv.conf'
alias net3='nano /etc/sysconfig/network-scripts/ifcfg*'
# Push a local path to another AltaGrade host over the non-standard SSH port (replace IP).
snd () {
    rsync -av -e 'ssh -p 19759' --progress --partial "${1}" root@IP:/
}
# sync two directories
# rsync -azP -e 'ssh -p 19759' local_dir root@IP:/remote_dir
EOF
  echo "..done"
fi
if grep -Fq 'update_messages = no' /etc/yum/yum-cron.conf; then
  echo "=================================================================================="
  echo "Enabling automatic OS updates .."
  for conf in /etc/yum/yum-cron.conf /etc/yum/yum-cron-hourly.conf; do
    sed -i 's/update_messages = no/update_messages = yes/' "$conf"
    sed -i 's/download_updates = no/download_updates = yes/' "$conf"
    sed -i 's/apply_updates = no/apply_updates = yes/' "$conf"
  done
  echo ".. done"
fi
if grep -Fq 'installonly_limit=5' /etc/yum.conf; then
  echo "Setting amount of installed kernels to 2 .."
  sed -i 's/installonly_limit=5/installonly_limit=2/' /etc/yum.conf
  systemctl enable yum-cron.service && systemctl start yum-cron.service
  echo ".. done"
fi
# Hook the login notification script shipped in /etc/ag into sshd's PAM session stack.
if [ -f /etc/ag/scripts/login-notify.sh ]; then
  chmod 755 /etc/ag/scripts/login-notify.sh
  echo 'session optional pam_exec.so seteuid /etc/ag/scripts/login-notify.sh' >> /etc/pam.d/sshd
fi
echo '* soft nofile 65535' >> /etc/security/limits.conf
echo '* hard nofile 65535' >> /etc/security/limits.conf
# Point the resolver at the local nameserver.
if ! grep -q 127.0.0.1 "/etc/resolv.conf"; then
  echo "nameserver 127.0.0.1" >> /etc/resolv.conf
fi
```
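Step 3 registers /etc/ag/scripts/login-notify.sh with pam_exec but the script itself is not shown on this page. The following is an added illustration of what such a session hook can look like; it is not the AltaGrade script, and it assumes the `security` mail alias used elsewhere on this page and the PAM_TYPE, PAM_USER, PAM_RHOST, PAM_SERVICE and PAM_TTY variables that pam_exec exports to the hook.

```shell
#!/bin/sh
# Illustrative pam_exec session hook (added example; not the script shipped in /etc/ag).
# pam_exec exports PAM_TYPE, PAM_USER, PAM_RHOST, PAM_SERVICE and PAM_TTY to the hook.
# Assumed: the "security" alias is deliverable (BFD and maldet on this page report to it).
ALERT_TO="security"

# login_notice TYPE USER RHOST SERVICE TTY HOST WHEN
# Prints one notice line for an open_session event. Returns 1 and prints nothing for
# close_session or any other event type, so logouts do not generate mail.
login_notice() {
    [ "$1" = "open_session" ] || return 1
    rhost=${3:-local}
    printf 'SSH login: user=%s from=%s service=%s tty=%s host=%s at %s\n' \
        "$2" "$rhost" "$4" "$5" "$6" "$7"
}

# is_watched_user USER -> 0 for the accounts worth an immediate alert.
# On an AltaOS host root has no SSH login and altagrade is the key-based admin account,
# so a session for either is worth a look; ordinary hosting users are only logged.
is_watched_user() {
    case "$1" in
        root|altagrade) return 0 ;;
        *) return 1 ;;
    esac
}

notify_main() {
    when=$(date -u '+%Y-%m-%d %H:%M:%S UTC')
    msg=$(login_notice "$PAM_TYPE" "$PAM_USER" "$PAM_RHOST" "$PAM_SERVICE" "$PAM_TTY" \
                       "$(hostname)" "$when") || return 0
    # Every session goes to syslog (auth facility) for later correlation with BFD bans.
    logger -p auth.info -t login-notify "$msg"
    is_watched_user "$PAM_USER" || return 0
    # mailx arrives with step 20 of the AltaOS script; if it is missing the hook still
    # returns 0, so a broken notifier can never block a login ("optional" in the PAM line
    # gives the same guarantee from PAM's side).
    printf '%s\n' "$msg" | mail -s "Login on $(hostname): $PAM_USER from ${PAM_RHOST:-local}" \
        "$ALERT_TO" 2>/dev/null
    return 0
}

# Only act when invoked by pam_exec; sourcing the file for tests then has no side effects.
if [ -n "$PAM_TYPE" ]; then
    notify_main
fi
```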
4) Creating global aliases for user SSH sessions
5) Configuring hourly and daily AltaGrade cron-tasks (nid 24)
```sh
cat > /etc/cron.hourly/altagrade << 'EOF'
#!/bin/bash
sh /etc/ag/scripts/update-drupal 1 > /dev/null
# Run /etc/ag/updates/update.sh once whenever it differs from the last executed copy.
if [ -e /etc/ag/updates/update.sh.old ]; then
  if ! cmp --silent /etc/ag/updates/update.sh /etc/ag/updates/update.sh.old; then
    chmod 755 /etc/ag/updates/update.sh
    sh /etc/ag/updates/update.sh
    mv /etc/ag/updates/update.sh /etc/ag/updates/update.sh.old
  fi
fi
exit
EOF
chmod 755 /etc/cron.hourly/altagrade
cat > /etc/cron.daily/altagrade << 'EOF'
#!/bin/bash
sed -i 's/CentOS/AltaOS/' /etc/webmin/config >/dev/null 2>&1
sh /etc/ag/cp/new-lang.sh >/dev/null 2>&1
sed -i 's/slider_enabled=true/slider_enabled=false/' /etc/webmin/authentic-theme/settings.js >/dev/null 2>&1
exit
EOF
chmod 755 /etc/cron.daily/altagrade
```
6) Creating an 'altagrade' admin user
```sh
if ! id "altagrade" >/dev/null 2>&1; then
  echo "=================================================================================="
  echo "Creating altagrade user .."
  # Disabling root password. "passwd -l" locks the account; the original used "passwd -d",
  # which deletes the password and leaves root reachable without one on the console/VNC.
  yum -y install "perl(IO::Pty)"
  passwd -l root
  useradd -G wheel altagrade
  # Throw-away random password: the account is only ever reached with the SSH key below.
  openssl rand -base64 12 | passwd altagrade --stdin
  echo "Setting %wheel group members passwordless sudoers .."
  # Comment out the password-requiring %wheel rule, then re-enable the NOPASSWD one.
  sed -i 's/%wheel/#%wheel/' /etc/sudoers && sed -i 's/# #%wheel/%wheel/' /etc/sudoers
  mkdir /home/altagrade/.ssh
  echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC753VZbicoElj5moS0XZ70ERwse483Cuqc6Jf3YXJvn4+ZGzdjUsUI4+0GHK0aufeFh4YNZQ9QoQnM/3HUKZIGm3/2lYvzY1Z2YtyWz57LSX6o+oskq01Pe+3g+sxbt1yOW/KhClVhTSNzFPtMV5h4//JLxdO1Z6pctXSgq2COZ9fnEAm/AzmYFpuNvg0JmNdWuFkvnSKZrkt9hmw72TTjTE+p9DviTmoq4GCr6l2Pg4y6oTlyQ595yi6wDZe0JK7cdkKMsA4U6kAyHqci7zXOu7HjLdYcKZCohCp/iddHZbERmlZuS1eGbiARYtBZb9FNdUmnUB3nggb4DU3FPeDl' >> /home/altagrade/.ssh/authorized_keys
  # Ownership and modes as sshd's StrictModes expects (the original left both owned by root).
  chown -R altagrade:altagrade /home/altagrade/.ssh
  chmod 700 /home/altagrade/.ssh
  chmod 600 /home/altagrade/.ssh/authorized_keys
  restorecon -R -v /home/altagrade/.ssh
  # Non-standard port, no root login, keys only. These are pattern replacements: if the
  # stock file does not contain the exact left-hand text, the setting is silently left alone.
  sed -i "s/#Port 22/Port ${PORT}/g" /etc/ssh/sshd_config
  sed -i "s/#PermitRootLogin yes/PermitRootLogin no/g" /etc/ssh/sshd_config
  sed -i "s/PasswordAuthentication yes/PasswordAuthentication no/g" /etc/ssh/sshd_config
  # Register the port with SELinux before SELinux is switched off for good.
  yum -y install policycoreutils-python
  semanage port -a -t ssh_port_t -p tcp ${PORT}
  sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
  echo ".. done"
fi
```
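The sed edits in step 6 are pattern replacements, so they do nothing when the stock file differs (for example a `Port 22` that is already uncommented), and sshd takes the first matching directive, so the `Banner` line that step 3 appends loses to any earlier active one. The following added post-install check (example code, not part of the AltaOS script) reads an sshd_config with those first-match semantics and verifies the four settings the step is meant to leave behind; both sample files are constructed here for illustration.

```shell
#!/bin/sh
# Added example: verify the sshd settings step 6 is meant to produce.
# Not part of the AltaOS script; the sample configs below are constructed for illustration.

# sshd_effective FILE KEY -> prints the value sshd will use for KEY, or nothing if unset.
# sshd semantics: the first non-comment occurrence wins, keywords are case-insensitive,
# and directives after the first "Match" block apply only conditionally, so stop there.
sshd_effective() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == "match"     { exit }
        tolower($1) == key         { print $2; exit }
    ' "$1"
}

# check_setting FILE KEY EXPECTED -> 0 if the effective value matches, else prints FAIL, returns 1.
check_setting() {
    got=$(sshd_effective "$1" "$2")
    [ "$got" = "$3" ] && return 0
    echo "FAIL: $2 is '${got:-unset}', expected '$3'"
    return 1
}

# audit_sshd FILE PORT -> 0 when every step 6 expectation holds; lists each failure otherwise.
audit_sshd() {
    rc=0
    check_setting "$1" Port "$2" || rc=1
    check_setting "$1" PermitRootLogin no || rc=1
    check_setting "$1" PasswordAuthentication no || rc=1
    check_setting "$1" Banner /etc/banner || rc=1
    return $rc
}

# Constructed: a stock-style sshd_config after the step 3 and step 6 edits. The trailing
# Match block re-enables passwords for one user only and must not affect the global verdict.
write_sample_hardened() {
    cat > "$1" << 'EOF'
# Listen on the AltaGrade port chosen in step 1
Port 19753
#AddressFamily any
HostKey /etc/ssh/ssh_host_rsa_key
PermitRootLogin no
#StrictModes yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Banner /etc/banner
Match User backup
    PasswordAuthentication yes
EOF
}

# Constructed: the sed patterns found nothing to replace and the step 3 fallback appended
# Banner after an existing one; every command "succeeded", yet none of the settings hold.
write_sample_unchanged() {
    cat > "$1" << 'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
Banner none
Banner /etc/banner
EOF
}

# run_demo -> 0 when the hardened sample passes and the unchanged sample fails the audit.
run_demo() {
    dir=$(mktemp -d) || return 1
    write_sample_hardened "$dir/hardened"
    write_sample_unchanged "$dir/unchanged"
    audit_sshd "$dir/hardened" 19753 && ! audit_sshd "$dir/unchanged" 19753
    result=$?
    rm -rf "$dir"
    return $result
}
```

On a live host, run `audit_sshd /etc/ssh/sshd_config "$PORT"` after step 6 and before the reboot in step 20; `sshd -T` can be used to cross-check the effective values.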
7) Installing Webmin and Virtualmin
```sh
if [ ! -d /etc/webmin ]; then
  echo "=================================================================================="
  echo "Installing control panel .."
  cd /usr/src
  wget http://software.virtualmin.com/gpl/scripts/install.sh
  chmod 755 install.sh
  # Per https://www.virtualmin.com/node/53190
  DISABLE_SCL=1
  export DISABLE_SCL
  ./install.sh -y
  echo ".. done"
fi
```
8) Configuring Webmin and Virtualmin
9) Installing style.css file for Virtualmin (nid 49)
10) Installing additional PHP packages, memcached, configuring uploadprogress (nid 29)
```sh
echo "=================================================================================="
echo "Installing additional PHP packages, memcached, configuring uploadprogress .."
yum -y install php-soap php-devel php-pear php-gd php-mbstring php-mcrypt
pecl channel-update pecl.php.net
pecl install uploadprogress
echo extension=uploadprogress.so >> /etc/php.d/uploadprogress.ini
yum -y install memcached
yum -y install php-pecl-memcache
rm -f /etc/sysconfig/memcached
# memcached has no authentication of its own, so it is bound to loopback only.
cat <<'EOT' >> /etc/sysconfig/memcached
PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="1024"
OPTIONS="-l 127.0.0.1"
EOT
systemctl enable memcached
systemctl start memcached

# The same php.ini limits are applied to the stock PHP and to every Remi version below.
tune_php_ini() {
  sed -i 's/upload_max_filesize = 2M/upload_max_filesize = 20M/' "$1"
  sed -i 's/post_max_size = 8M/post_max_size = 16M/' "$1"
  sed -i 's/max_execution_time = 30/max_execution_time = 600/' "$1"
  sed -i 's/max_input_time = 60/max_input_time = 600/' "$1"
  sed -i 's/memory_limit = 128M/memory_limit = 1280M/' "$1"
}
tune_php_ini /etc/php.ini

yum -y install scl-utils
rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm -Uvh http://rpms.remirepo.net/enterprise/remi-release-7.rpm
# PHP 7.3, 7.4 and 8.1 from Remi, each with the same module set and php.ini tuning.
for v in 73 74 81; do
  yum -y install php${v} php${v}-php-mysqlnd php${v}-php-curl php${v}-php-simplexml php${v}-php-devel \
    php${v}-php-gd php${v}-php-json php${v}-php-mcrypt php${v}-php-mbstring php${v}-php-opcache \
    php${v}-php-pear php${v}-php-pecl-apcu php${v}-php-pecl-geoip php${v}-php-pecl-imagick \
    php${v}-php-pecl-json-post php${v}-php-pecl-memcache php${v}-php-pecl-zip php${v}-php-pspell \
    php${v}-php-soap php${v}-php-xml php${v}-php-xmlrpc php${v}-php-pecl-uploadprogress \
    php${v}-php-imap php${v}-php-pecl-xmldiff php${v}-php-bcmath
  . /opt/remi/php${v}/enable
  yum -y install php${v}-php-tidy
  pear channel-update pear.php.net
  pear install Cache_Lite
  tune_php_ini /etc/opt/remi/php${v}/php.ini
done
echo ".. done"
```
11) Configuring Apache
```sh
echo "=================================================================================="
echo "Configuring Apache"
# TLS: drop SSLv2/SSLv3 (TLS 1.0 and 1.1 remain enabled by this setting) and prefer
# the server's forward-secret AEAD ciphers.
sed -i '/SSLProtocol/c\SSLProtocol All -SSLv2 -SSLv3' /etc/httpd/conf/httpd.conf
sed -i '/SSLCipherSuite/c\SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"' /etc/httpd/conf/httpd.conf
sed -i '/SSLCipherSuite/i\SSLHonorCipherOrder on' /etc/httpd/conf/httpd.conf
# per https://support.plesk.com/hc/en-us/articles/213399589-Websites-are-slow-and-a-warning-appears-in-logs-mod-fcgid-ap-pass-brigade-failed
echo 'FcgidMaxRequestsPerProcess 500' >> /etc/httpd/conf.d/fcgid.conf
echo 'FcgidOutputBufferSize 0' >> /etc/httpd/conf.d/fcgid.conf
# Disable mod_dav and mod_php; PHP is served through FCGI instead.
sed -i 's|LoadModule|#LoadModule|' /etc/httpd/conf.modules.d/00-dav.conf
sed -i 's|LoadModule|#LoadModule|' /etc/httpd/conf.modules.d/10-php.conf
# Maybe we can turn the below ones off.
sed -i 's/LoadModule proxy/#LoadModule proxy/' /etc/httpd/conf.modules.d/00-proxy.conf
sed -i 's@#LoadModule proxy_module@LoadModule proxy_module@g' /etc/httpd/conf.modules.d/00-proxy.conf
sed -i 's@#LoadModule proxy_fcgi_module@LoadModule proxy_fcgi_module@g' /etc/httpd/conf.modules.d/00-proxy.conf
sed -i 's@LoadModule lbmethod_heartbeat@#LoadModule lbmethod_heartbeat@g' /etc/httpd/conf.modules.d/00-proxy.conf
echo ".. done"
```
12) Configuring MariaDB settings
```sh
echo "=================================================================================="
echo "Configuring MariaDB settings .."
# Setting the database root password
yum install -y expect
# The original derived the password from `date +%s`, which is guessable from the install
# time (also written to /root/.altaos/.install_date in step 20); use real randomness.
MYSQL_ROOT_PASSWORD=$(openssl rand -base64 24 | tr -dc 'A-Za-z0-9' | head -c 16)
CURRENT_MYSQL_PASSWORD=""   # fresh install: root has no database password yet
SECURE_MYSQL=$(expect -c "
set timeout 3
spawn mysql_secure_installation
expect \"Enter current password for root (enter for none):\"
send \"$CURRENT_MYSQL_PASSWORD\r\"
expect \"Set root password?\"
send \"y\r\"
expect \"New password:\"
send \"$MYSQL_ROOT_PASSWORD\r\"
expect \"Re-enter new password:\"
send \"$MYSQL_ROOT_PASSWORD\r\"
expect \"Remove anonymous users?\"
send \"y\r\"
expect \"Disallow root login remotely?\"
send \"y\r\"
expect \"Remove test database and access to it?\"
send \"y\r\"
expect \"Reload privilege tables now?\"
send \"y\r\"
expect eof
")
echo "$SECURE_MYSQL"
yum remove -y expect
# Let Webmin's MySQL module know the new root password.
if grep -q pass= /etc/webmin/mysql/config; then
  sed -i "/pass=/c\pass=$MYSQL_ROOT_PASSWORD" /etc/webmin/mysql/config
else
  echo pass=$MYSQL_ROOT_PASSWORD >> /etc/webmin/mysql/config
fi
if ! grep -Fq "default-character-set = utf8mb4" /etc/my.cnf; then
  rm -f /etc/my.cnf
  cat > /etc/my.cnf << 'EOF'
[client]
default-character-set = utf8mb4
[mysql]
default-character-set = utf8mb4
[mysqld]
character-set-client-handshake = FALSE
character-set-server = utf8mb4
collation-server = utf8mb4_unicode_ci
#skip-networking
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
symbolic-links=0
slow_query_log = 1
slow_query_log_file = /var/log/mariadb/slow.log
query_cache_size = 128M
query_cache_limit = 16M
thread_cache_size = 8
myisam_sort_buffer_size = 64M
read_rnd_buffer_size = 8M
read_buffer_size = 2M
sort_buffer_size = 2M
table_cache = 512
max_allowed_packet=1024M
key_buffer = 384M
wait_timeout=600
max_connections = 600
tmp_table_size = 256M
max_heap_table_size = 256M
innodb_large_prefix=true
innodb_file_format=barracuda
innodb_file_per_table = true
innodb_additional_mem_pool_size = 16M
innodb_flush_log_at_trx_commit = 0
innodb_log_buffer_size = 8M
innodb_buffer_pool_size = 1G
innodb_thread_concurrency = 16
innodb_lock_wait_timeout = 120
innodb_data_file_path = ibdata1:10M:autoextend
innodb_file_io_threads = 4
innodb_max_dirty_pages_pct = 90
[mysqld_safe]
log-error=/var/log/mariadb/mariadb.log
pid-file=/var/run/mariadb/mariadb.pid
!includedir /etc/my.cnf.d
EOF
  echo ".. done"
fi
```
13) Installing drush and wp-cli
```sh
# Installing drush
wget https://github.com/drush-ops/drush/releases/download/8.1.16/drush.phar
php drush.phar core-status
chmod +x drush.phar
mv drush.phar /usr/local/bin/drush
drush -y init
# Fixing https://github.com/drush-ops/drush/issues/2065
# The original edited /etc/php.ini and a stale /etc/opt/remi/php70/php.ini; the glob
# covers the Remi versions actually installed in step 10. Note that this replaces the
# whole disable_functions line, so any previously disabled functions are re-enabled.
for ini in /etc/php.ini /etc/opt/remi/php*/php.ini; do
  [ -f "$ini" ] || continue
  sed -i '/disable_functions/c\disable_functions = pcntl_exec' "$ini"
done
# Installing wp-cli
curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
chmod +x wp-cli.phar
mv wp-cli.phar /usr/local/bin/wp
#if [ ! -d /etc/ag ]; then
#  mkdir /etc/ag
#fi
#mkdir /etc/ag/wp
#cd /etc/ag/wp
#wget https://raw.githubusercontent.com/wp-cli/wp-cli/v1.5.1/utils/wp-completion.bash
#chmod 755 wp-completion.bash
#echo "source /etc/ag/wp/wp-completion.bash" >> /etc/profile.d/globaliases.sh
```
14) Configuring automatic core updates for Drupal websites
15) Configuring Let's Encrypt per https://certbot.eff.org/lets-encrypt/centosrhel7-apache (nid 25)
```sh
yum -y install certbot
# Install script to auto-replace the ssl_le.pem files for domains
mkdir -p /etc/letsencrypt/renewal-hooks/deploy
cat > /etc/letsencrypt/renewal-hooks/deploy/replace_pems.sh << 'EOF'
#!/bin/sh
# Re-create the ssl_le.pem files for Pound. certbot sets RENEWED_DOMAINS and
# RENEWED_LINEAGE for deploy hooks; the combined file contains the private key,
# so keep it readable by root only.
umask 077
for domain in $RENEWED_DOMAINS; do
  cat "$RENEWED_LINEAGE/privkey.pem" "$RENEWED_LINEAGE/fullchain.pem" > "$RENEWED_LINEAGE/ssl_le.pem"
done
exit
EOF
chmod 755 /etc/letsencrypt/renewal-hooks/deploy/replace_pems.sh
# Install cron-tab to trigger auto-renew (twice on Sundays, after a random delay of up to an hour)
(crontab -l && echo "0 0,12 * * 7 python -c 'import random; import time; time.sleep(random.random() * 3600)' && /etc/ag/scripts/renew-certs" | sort | uniq) | crontab -
```
16) Installing and configuring Pound
```sh
# Pound takes over port 443 from Apache and fronts it on port 80 as well;
# Apache itself answers on port 8888.
sed -i '/Listen/c\#Listen' /etc/httpd/conf.d/ssl.conf
yum -y install Pound && systemctl enable pound && systemctl start pound
mv /etc/pound.cfg /etc/pound.cfg.orig
# The listener's own Service handles ACME HTTP-01 challenges; the global Service
# after it routes everything else to the same Apache backend.
cat > /etc/pound.cfg << EOF
ListenHTTP
    Address ${IP}
    Port 80
    Service
        URL "/.well-known/acme-challenge/.*"
        BackEnd
            Address ${IP}
            Port 8888
        End
    End
End
Service
    BackEnd
        Address ${IP}
        Port 8888
    End
End
EOF
```
17) Installing and configuring Varnish
18) Installing APF, BFD and Maldet (nid 15)
```sh
if [ ! -d /etc/apf ]; then
  echo "=================================================================================="
  echo "Installing APF .."
  # per https://superuser.com/questions/1083882/block-port-111-on-centos-7
  systemctl stop rpcbind.socket && systemctl disable rpcbind.socket
  # APF drives iptables directly, so the other firewall front ends are masked.
  systemctl mask fail2ban && systemctl stop fail2ban
  systemctl mask firewalld && systemctl stop firewalld
  systemctl enable iptables && systemctl start iptables
  cd /usr/src
  wget http://www.rfxn.com/downloads/apf-current.tar.gz
  tar xzf apf-current.tar.gz
  rm -f apf-current.tar.gz
  cd apf*
  ./install.sh
  chkconfig apf on
  sed -i "s/eth0/$IFACE/" /etc/apf/conf.apf
  sed -i 's/DEVEL_MODE="1"/DEVEL_MODE="0"/' /etc/apf/conf.apf
  sed -i 's/SET_MONOKERN="0"/SET_MONOKERN="1"/' /etc/apf/conf.apf
  sed -i 's/ICMP_LIM="30\/s"/ICMP_LIM="100\/s"/' /etc/apf/conf.apf
  sed -i 's/DLIST_PHP="0"/DLIST_PHP="1"/' /etc/apf/conf.apf
  sed -i 's/DLIST_SPAMHAUS="0"/DLIST_SPAMHAUS="1"/' /etc/apf/conf.apf
  sed -i 's/DLIST_DSHIELD="0"/DLIST_DSHIELD="1"/' /etc/apf/conf.apf
  # Replace the stock inbound port lists with AltaGrade's; SSH listens on $PORT from step 1.
  sed -i 's/IG_TCP_CPORTS=/#IG_TCP_CPORTS=/' /etc/apf/conf.apf
  sed -i 's/IG_UDP_CPORTS=/#IG_UDP_CPORTS=/' /etc/apf/conf.apf
  sed -i '2s/^/IG_UDP_CPORTS="53,123,465,587,953,2525,6277,1043,6081,6082,8983"\n/' /etc/apf/conf.apf
  sed -i "2s/^/IG_TCP_CPORTS=\"53,80,110,143,443,465,587,953,993,995,1043,2525,5900_5910,8079,8080,8888,8983,10000_10010,20000,${PORT}\"\n/" /etc/apf/conf.apf
  apf -r
  /usr/local/sbin/apf -a 65.49.80.104 "Do not remove this IP address. It belongs to AltaGrade."
  echo ".. done"
fi
if [ ! -d /usr/local/bfd ]; then
  echo "=================================================================================="
  echo "Installing and configuring Brute Force Detection .."
  cd /usr/src
  wget http://www.rfxn.com/downloads/bfd-current.tar.gz
  tar xzf bfd-current.tar.gz
  rm -f bfd-current.tar.gz*
  cd bfd-1.5*
  ./install.sh
  # Ban after 5 failed logins instead of 15 and mail alerts to the 'security' alias.
  sed -i 's/TRIG="15"/TRIG="5"/' /usr/local/bfd/conf.bfd
  sed -i 's/EMAIL_ALERTS="0"/EMAIL_ALERTS="1"/' /usr/local/bfd/conf.bfd
  sed -i 's/EMAIL_ADDRESS="root"/EMAIL_ADDRESS="security"/' /usr/local/bfd/conf.bfd
  # Custom alert template (the original built this file with one echo per line). BFD
  # sources it, so $ATTACK_HOST, $MOD etc. are expanded at alert time, not here.
  cat > /usr/local/bfd/alert.bfd << 'ALERT'
EB=0
if [ "$EMAIL_LOGLINES" == "" ]; then
 EMAIL_LOGLINES=50
fi
EV=`nice -n 19 tail -n 5000 $LP | grep $ATTACK_HOST | tail -n $EMAIL_LOGLINES`
cat <<EOF

$ATTACK_HOST has been blocked and blacklisted by AltaGrade for exceeded login failures on $HOSTNAME.
If the IP address belongs to your team, then please clear it from the firewall's block-list and add it to the allowed hosts.
Alternatively file a support request on https://my.altagrade.com and we will gladly do it for you.

SOURCE ADDRESS: $ATTACK_HOST
TARGET SERVICE: $MOD
FAILED LOGINS: $ATTACK_COUNT
EXECUTED COMMAND: $BAN_COMMAND

SOURCE LOGS FROM SERVICE '$MOD' (GMT $TIME_ZONE):

$EV

-----------------------------------------------
AltaGrade Brute Force Detection System

EOF
ALERT
  # Forward root's mail off the box.
  sed -i 's/#root:/root:/' /etc/aliases
  sed -i 's/marc/info@altagrade.com/' /etc/aliases
  echo "#owner: ${OWNER}" >> /etc/aliases
  newaliases
  echo ".. done"
fi
if [ ! -d /usr/local/maldetect ]; then
  echo "=================================================================================="
  echo "Installing Linux Malware Detect .."
  cd /usr/src
  wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
  tar xzf maldetect-current.tar.gz
  rm -rf maldetect-current.tar.gz
  cd maldetect*
  ./install.sh
  # Installing inotify-tools per https://www.rfxn.com/appdocs/README.maldetect
  yum -y install inotify-tools
  # Configuring malware detection settings: mail every scan result, quarantine and
  # clean hits, and suspend the user owning a hit.
  sed -i 's/email_alert="0"/email_alert="1"/' /usr/local/maldetect/conf.maldet
  sed -i 's/email_addr="you@domain.com"/email_addr="security"/' /usr/local/maldetect/conf.maldet
  sed -i 's/email_ignore_clean="1"/email_ignore_clean="0"/' /usr/local/maldetect/conf.maldet
  sed -i 's/quarantine_hits="0"/quarantine_hits="1"/' /usr/local/maldetect/conf.maldet
  sed -i 's/quarantine_clean="0"/quarantine_clean="1"/' /usr/local/maldetect/conf.maldet
  sed -i 's/quarantine_suspend_user="0"/quarantine_suspend_user="1"/' /usr/local/maldetect/conf.maldet
  # Web statistics directories are excluded from scanning.
  echo "/home/.*/public_html/stats" >> /usr/local/maldetect/ignore_paths
  echo "/home/.*/domains/.*/public_html/stats" >> /usr/local/maldetect/ignore_paths
  echo ".. done"
fi
```
19) Removing unnecessary services
```sh
chown -R root:bin /etc/webmin
systemctl stop chronyd && yum -y remove chrony
systemctl stop wpa_supplicant && yum -y remove wpa_supplicant
systemctl stop fail2ban && yum -y remove fail2ban* && rm -rf /var/log/fail2ban.log
systemctl stop proftpd && yum -y remove proftpd && rm -rf /var/log/proftpd
# Virtual machines (see the PORT choice in step 1) have no audio hardware.
if [ "$PORT" = 19759 ]; then
  systemctl stop sound.target && systemctl disable sound.target
fi
```
20) Finalizing the installation script
```sh
# Clean up the Webmin config files: replace the template host's addresses and name with this host's.
# (IP6 from step 1 must hold a single address for the second sed to be valid.)
grep -rl 65.49.80.99 /etc | xargs sed -i "s/65.49.80.99/$IP/g"
grep -rl fe80::216:3eff:feca:7117 /etc | xargs sed -i "s/fe80::216:3eff:feca:7117/$IP6/g"
grep -rl host.altagrade.org /etc | xargs sed -i "s/host.altagrade.org/$HOSTNAME/g"
grep -rl eth0 /etc | xargs sed -i "s/eth0/$IFACE/g"
# Per https://www.virtualmin.com/node/43097
rm -rf /var/webmin/module.infos.cache
sh /etc/ag/cp/new-lang.sh >/dev/null 2>&1
/sbin/virtualmin check-config
# Install test repository for updates.
# gpgcheck=0 over plain HTTP: whoever can answer for testrepo.altagrade.org can supply
# packages that "yum update" below will install unverified.
cat > /etc/yum.repos.d/testrepo.repo << 'EOF'
[testrepo]
name=TestRepo Repository
baseurl=http://testrepo.altagrade.org:8080
enabled=1
gpgcheck=0
EOF
yum -y update
#yum -y install testrepo
# Calculating execution time
executed="$(($SECONDS / 60)) minutes and $(($SECONDS % 60)) seconds"
echo "The installation took $executed"
echo "AltaOS installed on $(date)" > /root/.altaos/.install_date
# Sending the final e-mail notification
yum -y install mailx
echo "Installation of AltaOS on ${HOSTNAME} completed in $executed. The system is rebooting..." | mail -s "AltaOS has been installed on ${HOSTNAME}" 6504506428@vtext.com
rm -f /root/recipe*
rm -f /usr/src/altaos.sh
updatedb
echo "Rebooting the system..."
reboot
```