0) Installing Composer
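# 0) Install Composer into /usr/local/bin (skipped when a copy is already there).
# Do NOT pipe the installer straight into php: fetch it to disk, compare its
# SHA-384 with the value the Composer project publishes, and only then run it.
# The original `curl ... | sudo php` executed whatever the download returned.
if [ ! -f /usr/local/bin/composer ]; then
  cd /usr/src || exit 1
  expected_sig="$(curl -sSf https://composer.github.io/installer.sig)" || exit 1
  curl -sSf -o composer-setup.php https://getcomposer.org/installer || exit 1
  actual_sig="$(php -r "echo hash_file('sha384', 'composer-setup.php');")"
  if [ "$expected_sig" != "$actual_sig" ]; then
    echo 'ERROR: composer installer checksum mismatch, not installing' >&2
    rm -f composer-setup.php
    exit 1
  fi
  sudo php composer-setup.php --install-dir=/usr/local/bin --filename=composer
  rm -f composer-setup.php
fi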
1) Installing Memcached
# 1) Install memcached and bind it to the loopback addresses only
#    (OPTIONS="-l 127.0.0.1,::1"), so it is never reachable from the network.
dnf -y install memcached
# Replace the packaged defaults wholesale instead of patching them.
rm -f /etc/sysconfig/memcached
cat > /etc/sysconfig/memcached <<'EOT'
PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="1024"
OPTIONS="-l 127.0.0.1,::1"
EOT
systemctl enable --now memcached
2) Installing PHP 7.4
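# 2) Install PHP 7.4 from the Remi repository.
# The release package is fetched over HTTPS (the original used plain http, which
# leaves the download open to tampering, and `rpm -Uvhl` — `-l` is not an install
# option).
# NOTE(review): dnf does not GPG-verify a package given by URL; if the build
# pipeline requires it, import Remi's signing key first and verify the file with
# `rpm -K` before installing.
dnf -y install https://rpms.remirepo.net/enterprise/remi-release-8.rpm
dnf -y install php74 php74-php-pecl-mysql php74-php-mysqlnd php74-php-curl \
  php74-php-simplexml php74-php-devel php74-php-gd php74-php-json php74-php-mcrypt \
  php74-php-mbstring php74-php-opcache php74-php-pear php74-php-pecl-apcu \
  php74-php-pecl-geoip php74-php-pecl-imagick php74-php-pecl-json-post \
  php74-php-pecl-memcache php74-php-pecl-zip php74-php-pspell php74-php-soap \
  php74-php-xml php74-php-xmlrpc php74-php-pecl-uploadprogress php74-php-imap \
  php74-php-pecl-xmldiff php74-php-bcmath php74-php-fpm
# Put the php74 binaries on PATH for the rest of this session.
source /opt/remi/php74/enable
dnf -y install php74-php-tidy
pear channel-update pear.php.net
pear install Cache_Lite

php_ini=/etc/opt/remi/php74/php.ini
# Use `sed -i` with no suffix: the original `sed -ie` is read by GNU sed as
# `-i` plus backup suffix "e", which leaves a stray php.inie behind.
# NOTE(review): memory_limit = 1280M is ten times the stock value; confirm it is
# intended before applying it to every customer server.
sed -i \
  -e 's/upload_max_filesize = 2M/upload_max_filesize = 20M/' \
  -e 's/post_max_size = 8M/post_max_size = 16M/' \
  -e 's/max_execution_time = 30/max_execution_time = 600/' \
  -e 's/max_input_time = 60/max_input_time = 600/' \
  -e 's/memory_limit = 128M/memory_limit = 1280M/' \
  "$php_ini"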
3) Enabling PHP-FPM 7.4.7 Server
# 3) Enable PHP-FPM at boot and start it right away.
systemctl enable --now php74-php-fpm
4) Installing and configuring Let's Encrypt per https://certbot.eff.org/lets-encrypt/centosrhel8-apache
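# 4) Install certbot with the Apache plugin and wire up renewal.
dnf -y install certbot python3-certbot-apache

# Deploy hook: after every successful renewal, rebuild the combined
# key+chain file that Pound reads. mkdir -p: certbot creates this directory
# itself on first use, and a plain mkdir fails when it already exists.
mkdir -p /etc/letsencrypt/renewal-hooks/deploy
cat > /etc/letsencrypt/renewal-hooks/deploy/replace_pems.sh <<'EOF'
#!/bin/sh
# Re-create ssl_le.pem (private key followed by the full chain) for Pound.
# The file contains the private key, so it must not be world-readable: the
# original wrote it under the default umask. umask 077 covers a fresh file,
# chmod 600 covers one left over from an earlier run.
umask 077
[ -n "$RENEWED_LINEAGE" ] || exit 0
cat "$RENEWED_LINEAGE/privkey.pem" "$RENEWED_LINEAGE/fullchain.pem" > "$RENEWED_LINEAGE/ssl_le.pem"
chmod 600 "$RENEWED_LINEAGE/ssl_le.pem"
exit 0
EOF
chmod 755 /etc/letsencrypt/renewal-hooks/deploy/replace_pems.sh

# Cron entry: twice on Sundays, after a random delay of up to an hour, run the
# renewal wrapper.
# - RHEL 8 ships no `python` command by default, only `python3`; with the
#   original `python -c ...` the sleep failed and `&&` then skipped renew-certs.
# - `crontab -l` exits non-zero when no crontab exists yet, which would have
#   short-circuited the original `crontab -l && echo ...` and installed nothing.
# NOTE(review): /etc/ag/scripts/renew-certs is not created by this page; confirm
# it exists and is root-owned before relying on this entry.
{
  crontab -l 2>/dev/null
  echo "0 0,12 * * 7 python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && /etc/ag/scripts/renew-certs"
} | sort -u | crontab -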
5) Installing and configuring Pound
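# 5) Install Pound as the :80 front-end; everything (including ACME HTTP-01
#    challenges) is handed to Varnish on ${IP}:8888.
: "${IP:?IP (the address Pound and its backend bind to) must be set}"

# Stop mod_ssl from claiming :443. Only the directive line is rewritten; the
# original `/Listen/c\#Listen` also replaced any comment line mentioning Listen.
sed -i 's/^Listen/#Listen/' /etc/httpd/conf.d/ssl.conf

dnf -y install Pound
mv /etc/pound.cfg /etc/pound.cfg.orig
cat > /etc/pound.cfg <<EOF
ListenHTTP
    Address ${IP}
    Port 80
    Service
        URL "/.well-known/acme-challenge/.*"
        BackEnd
            Address ${IP}
            Port 8888
        End
    End
End
Service
    BackEnd
        Address ${IP}
        Port 8888
    End
End
EOF

# Start Pound only after the config is in place. The original enabled and
# started it on the stock config and never restarted it, so the new
# /etc/pound.cfg was not picked up until the next reboot.
systemctl enable pound
systemctl restart pound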
6) Installing and configuring Varnish
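# 6) Install Varnish on ${IP}:8888 in front of Apache, and move Apache to :8080.
: "${IP:?IP (the address Apache and Varnish bind to) must be set}"
dnf -y install @varnish
systemctl enable varnish --now

# Apache: listen on 8080 and log the client address forwarded by Varnish.
# `sed -i` with no suffix: the original `sed -ie` is read by GNU sed as `-i`
# with backup suffix "e", which is what produced the httpd.confe and
# varnish.servicee copies — the "extra systemd entry" the original deleted by
# hand and blamed on Varnish/Webmin.
sed -i 's/Listen 80/Listen 8080/' /etc/httpd/conf/httpd.conf
echo 'RemoteIPHeader X-Forwarded-For' >> /etc/httpd/conf/httpd.conf
echo "RemoteIPInternalProxy $IP" >> /etc/httpd/conf/httpd.conf
sed -i 's/%h/%a/' /etc/httpd/conf/httpd.conf

# Varnish: move its listener from the packaged 6081 to 8888.
# NOTE(review): editing the unit under /usr/lib is undone by the next package
# update; a drop-in (`systemctl edit varnish`) would survive it.
sed -i 's/6081/8888/' /usr/lib/systemd/system/varnish.service

# Write the VCL before restarting: the original restarted first and never
# reloaded, so the new default.vcl was not loaded until the next restart.
cat > /etc/varnish/default.vcl <<EOF
vcl 4.0;

backend default {
    .host = "${IP}";
    .port = "8080";
}

acl purge {
    "localhost";
    "127.0.0.1";
}

sub vcl_deliver {
    # If proxying via cloudflare, then send 520 responses in place of 500/503
    if ((resp.status == 500 || resp.status == 503) && req.http.cf-connecting-ip) {
        set resp.status = 520;
    }
}

sub vcl_recv {
    # if (req.http.host == "demo.altagrade.com") {
    #     if (req.url !~ "^/user") {
    #         unset req.http.cookie;
    #     }
    # }
    # if (req.http.Host == "sub.domain.com" || req.http.Host == "db.domain.net" ) {
    #     return (pass);
    # }
    if (req.url == "/check-altagrade-varnish") {
        return(synth(200, "Varnish up"));
    }
    # Check the incoming request type is "PURGE", not "GET" or "POST".
    if (req.method == "PURGE") {
        # Check if the IP is allowed.
        if (!client.ip ~ purge) {
            # Return 405 (Method Not Allowed) when not.
            return (synth(405, "Not allowed."));
        }
        return (purge);
    }
    # Do not cache these paths.
    if (req.url ~ "^/status\.php$" ||
        req.url ~ "^/update\.php" ||
        req.url ~ "^/install\.php" ||
        req.url ~ "^/apc\.php$" ||
        req.url ~ "^/admin" ||
        req.url ~ "^/admin/.*$" ||
        req.url ~ "^/user" ||
        req.url ~ "^/user/.*$" ||
        req.url ~ "^/users/.*$" ||
        req.url ~ "^/info/.*$" ||
        req.url ~ "^/flag/.*$" ||
        req.url ~ "^.*/ajax/.*$" ||
        req.url ~ "^.*/ahah/.*$" ||
        req.url ~ "^/system/files/.*$") {
        return (pass);
    }
    # Always cache the following file types for all users. In the Drupal VCL
    # this was adapted from, the same extension list also appears in
    # vcl_backend_response; this file has no such sub, so if you add one keep
    # the two lists equal.
    if (req.url ~ "(?i)\.(pdf|asc|dat|txt|doc|xls|ppt|tgz|csv|png|gif|jpeg|jpg|ico|swf|css|js)(\?.*)?$") {
        unset req.http.Cookie;
    }
    # Remove all cookies that Drupal doesn't need to know about. We explicitly
    # list the ones that Drupal does need, the SESS and NO_CACHE. If, after
    # running this code we find that either of these two cookies remains, we
    # will pass as the page cannot be cached.
    if (req.http.Cookie) {
        # 1. Append a semi-colon to the front of the cookie string.
        # 2. Remove all spaces that appear after semi-colons.
        # 3. Match the cookies we want to keep, adding the space we removed
        #    previously back. (\1) is first matching group in the regsuball.
        # 4. Remove all other cookies, identifying them by the fact that they have
        #    no space after the preceding semi-colon.
        # 5. Remove all spaces and semi-colons from the beginning and end of the
        #    cookie string.
        set req.http.Cookie = ";" + req.http.Cookie;
        set req.http.Cookie = regsuball(req.http.Cookie, "; +", ";");
        set req.http.Cookie = regsuball(req.http.Cookie, ";(SESS[a-z0-9]+|SSESS[a-z0-9]+|NO_CACHE)=", "; \1=");
        set req.http.Cookie = regsuball(req.http.Cookie, ";[^ ][^;]*", "");
        set req.http.Cookie = regsuball(req.http.Cookie, "^[; ]+|[; ]+$", "");
        if (req.http.Cookie == "") {
            # If there are no remaining cookies, remove the cookie header. If there
            # aren't any cookie headers, Varnish's default behavior will be to cache
            # the page.
            unset req.http.Cookie;
        } else {
            # If there is any cookies left (a session or NO_CACHE cookie), do not
            # cache the page. Pass it on to Apache directly.
            return (pass);
        }
    }
}
EOF

systemctl daemon-reload
systemctl restart varnish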
7) Configuring firewall...
For an AltaGrade server with mail enabled we need:
firewall-cmd --list-services http https imap imaps pop3 pop3s smtp smtps ssh firewall-cmd --list-ports 587/tcp 53/tcp 10000-10100/tcp 53/udp 19759/tcp 8080/tcp 8888/tcp
However, by default we configure a minimal set of services and ports, since most customers do not run mail.
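# 7) Firewall: drop the services and ports that are open by default and allow
#    only what this stack needs, then reload once at the end.
# Fail before touching the ruleset if PORT is unset: `--add-port=/tcp` errors
# out, and the reload would then commit a ruleset missing the intended port.
: "${PORT:?PORT (the extra TCP port to allow) must be set}"

# Remove unnecessary services
for svc in ftp dhcpv6-client imap imaps pop3 pop3s smtp smtps; do
  firewall-cmd --permanent --remove-service="$svc"
done

# Remove ports which come open by default
for p in 1025-65535/tcp 10000-10100/tcp 20000/tcp 2222/tcp 20/tcp 587/tcp 53/tcp 53/udp; do
  firewall-cmd --permanent --zone=public --remove-port="$p"
done

# Open needed ports.
# NOTE(review): 8080 (Apache) and 8888 (Varnish) are only ever contacted by
# Pound on this same host; exposing them in the public zone lets clients
# bypass the Pound front-end. Confirm they are needed externally before
# keeping them here.
for p in 8080/tcp 8888/tcp "${PORT}/tcp" 19955/tcp; do
  firewall-cmd --permanent --zone=public --add-port="$p"
done

firewall-cmd --reload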
8) Installing drush
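# 8) Install drush 8 as a phar.
# NOTE(review): the phar is fetched without any integrity check; record its
# sha256 out of band and verify with `sha256sum -c` before executing it.
# The download goes to a private temp dir rather than whatever the cwd is.
tmpdir="$(mktemp -d)" || exit 1
wget -O "$tmpdir/drush.phar" https://github.com/drush-ops/drush/releases/download/8.3.3/drush.phar || exit 1
# Smoke test the phar before installing it.
php "$tmpdir/drush.phar" core-status
chmod +x "$tmpdir/drush.phar"
mv "$tmpdir/drush.phar" /usr/local/bin/drush
rmdir "$tmpdir"
drush -y init
# Fixing https://github.com/drush-ops/drush/issues/2065
# Caution: sed's `c\` replaces the whole disable_functions line, so any
# functions already listed there would be dropped rather than kept.
# sed -i '/disable_functions/c\disable_functions = pcntl_exec' /etc/php.ini
# sed -i '/disable_functions/c\disable_functions = pcntl_exec' /etc/opt/remi/php74/php.ini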
9) Installing brush
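# 9) Install brush from the backdrop-contrib repository.
# NOTE(review): this clones the branch HEAD, so the installed code differs from
# run to run; pin a tag or commit (`git -C brush checkout <ref>`) for
# reproducible builds.
# The original did not check the cd, so a missing /usr/local/src would have
# cloned into the current directory and linked a non-existent path.
cd /usr/local/src || exit 1
git clone https://github.com/backdrop-contrib/brush.git
ln -s /usr/local/src/brush/brush /usr/local/bin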
10) Installing and configuring fail2ban
To check the status of an active fail2ban jail (here, `sshd`), run the command below:
fail2ban-client status sshd
To unban an IP address, use the following command.
fail2ban-client set [JAIL-NAME] unbanip [IP-ADDRESS]
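# 10) Install fail2ban with the systemd-journal backend and a set of jails.
dnf -y install fail2ban
systemctl enable --now fail2ban

# Replace the local configuration. A quoted heredoc writes the file verbatim;
# the original `echo "..."` let the inner double quotes toggle shell quoting,
# so the "ignoreip"/"bantime"/... markers were silently stripped from the
# written comments.
# NOTE(review): "port = ssh" bans on port 22 only. If sshd listens on another
# port (the firewall step opens ${PORT}/tcp), add that port to the sshd jail or
# bans will not cover it.
# NOTE(review): the proftpd/postfix/dovecot/postfix-sasl jails are enabled even
# on servers where the firewall step removed those services; harmless if the
# daemons are absent, but confirm that is the intent.
rm -f /etc/fail2ban/jail.local
cat > /etc/fail2ban/jail.local <<'EOF'
[DEFAULT]
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host that matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
# VPN's ip address and subnet
ignoreip = 127.0.0.1/8 10.0.0.1/24 66.160.206.199
# "bantime" is the number of seconds that a host is banned.
bantime = 60m
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 5m
# "maxretry" is the number of failures before a host gets banned.
maxretry = 5
# "backend" specifies the backend used to get files modification.
# systemd: uses systemd python library to access the systemd journal.
# Specifying "logpath" is not valid for this backend.
# See "journalmatch" in the jails associated filter config
backend=systemd

[sshd]
enabled = true
port = ssh
action = firewallcmd-ipset
logpath = %(sshd_log)s

[webmin-auth]
enabled = true
port = 19955

[proftpd]
enabled = true
port = ftp,ftp-data,ftps,ftps-data

[postfix]
enabled = true
port = smtp,465,submission

[dovecot]
enabled = true
port = pop3,pop3s,imap,imaps,submission,465,sieve

[postfix-sasl]
enabled = true
port = smtp,465,submission,imap,imaps,pop3,pop3s
EOF

# Restart fail2ban so the new jail.local is loaded.
systemctl restart fail2ban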