Get a CentOS Server Web-Ready

Here are the command-line steps needed to get a bare CentOS 7.2 distro ready for full LAMP (Apache-MySQL-PHP) hosting:

(Note - replace mysite.com with the domain name of your own website, and server1.mysite.com with this server's hostname.)

hostname 
vi /etc/hosts
	(Set public IP address to proper FQDN)
hostname server1.mysite.com
vi /etc/sysconfig/network
	(Set HOSTNAME=server1.mysite.com)

yum install -y perl-CPAN netutils bind-utils logwatch rsync smartmontools php php-mysql php-devel mysqltuner mysqltop mariadb mariadb-server mariadb-devel httpd
systemctl enable httpd.service
systemctl enable mariadb.service
systemctl enable smartd.service
systemctl start httpd.service
systemctl start mariadb.service
systemctl start smartd.service

adduser mysite.com
mkdir /home/mysite.com/www
chown -R mysite.com:apache /home/mysite.com
	(use the colon form here: the user name contains a dot, so mysite.com.apache would be split in the wrong place)

yum install -y php-pear php-xml php-posix gcc gcc-devel make json
echo extension=json.so >> /etc/php.d/json.ini
yum install -y php-mbstring php-gd
systemctl restart httpd.service
vi /etc/php.ini
	(set memory_limit, check error_reporting)

Add the RPMForge repository, which makes many more packages available in yum.  Check wiki.centos.org/RPMForge for the latest release RPM.
rpm -ivh ftp://rpmfind.net/linux/dag/redhat/el6/en/x86_64/dag/RPMS/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm

yum install -y sysstat htop smem
systemctl enable sysstat.service
systemctl start sysstat.service
sar -q

vi /etc/my.cnf
	(enable the slow query log, i.e. slow_query_log=1 and slow_query_log_file=/var/log/mysql-slow.log under [mysqld])
touch /var/log/mysql-slow.log
chown mysql:mysql /var/log/mysql-slow.log
systemctl restart mariadb.service

usermod -aG apache mysite.com
passwd mysite.com

yum install -y vsftpd
systemctl enable vsftpd.service
systemctl start vsftpd.service

Add firewall rules for MySQL, FTP and SMTP.  Replace my_ip with your own (administrative) IP address.  Note that these rules accept SMTP connections only from localhost.
iptables -I INPUT -p tcp --dport 3306 -s 127.0.0.1/32 -j ACCEPT
iptables -I INPUT -p tcp --dport 3306 -s my_ip/32 -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j DROP
iptables -I INPUT -p tcp --dport 21 -s my_ip/32 -j ACCEPT
iptables -I INPUT -p tcp --dport 20 -s my_ip/32 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j DROP
iptables -A INPUT -p tcp --dport 20 -j DROP
iptables -I INPUT -p tcp --dport 25 -s 127.0.0.1/32 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j DROP
iptables -L --line-numbers
	(check the order: the -I rules are inserted at the top of the chain, the -A DROP rules appended at the bottom, so each ACCEPT must be listed above its DROP)
iptables-save
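
As an added check, not part of the original instructions: a POSIX shell function that reads INPUT-chain lines in iptables-save format and reports, for one port, whether a catch-all DROP exists and whether every ACCEPT for that port sits above it (an ACCEPT appended below the DROP never matches).  The sample rules are constructed from the commands above, with 203.0.113.10 standing in for my_ip.

```shell
#!/bin/sh
# Constructed sample: what `iptables-save` prints for the INPUT chain after the
# rules above (each -I lands at the top, so the ACCEPTs appear in reverse order).
SAMPLE_RULES='-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j DROP
-A INPUT -p tcp -m tcp --dport 21 -j DROP
-A INPUT -p tcp -m tcp --dport 20 -j DROP
-A INPUT -p tcp -m tcp --dport 25 -j DROP
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 22 -j ACCEPT'

# Constructed mistake: the ACCEPT was added with -A after the DROP, so it is shadowed.
SHADOWED_RULES='-A INPUT -p tcp -m tcp --dport 21 -j DROP
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 21 -j ACCEPT'

# check_port_policy PORT  (rules on stdin)
# Prints one line: "ok SRC...", "shadowed SRC..." or "no-drop SRC...".
check_port_policy() {
    awk -v port="$1" '
    $1 == "-A" && $2 == "INPUT" {
        src = "0.0.0.0/0"; dport = ""; target = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-s") src = $(i + 1)
            else if ($i == "--dport") dport = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
        }
        if (dport != port) next
        if (target == "DROP" && src == "0.0.0.0/0") dropped = 1
        else if (target == "ACCEPT") {
            if (dropped) shadowed = shadowed " " src   # listed below the DROP
            else allowed = allowed " " src             # listed above the DROP
        }
    }
    END {
        if (!dropped) print "no-drop" allowed          # port is not closed at all
        else if (shadowed != "") print "shadowed" shadowed
        else print "ok" allowed
    }'
}

# Run against the sample for every port the rules above touch.
for p in 3306 21 20 25 22; do
    printf '%s: ' "$p"
    printf '%s\n' "$SAMPLE_RULES" | check_port_policy "$p"
done
```

On a live server, feed it real rules with `iptables-save | check_port_policy 3306`.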

Keep yum packages up to date:
yum install -y yum-cron
systemctl enable yum-cron.service
systemctl start yum-cron.service

vi /etc/aliases
	(forward root's email to an external account, e.g., root: me@mydomain.com)
yum install -y postfix
systemctl enable postfix.service
systemctl start postfix.service

newaliases

For GeoIP support:
yum install -y geoip geoip-devel
pecl install geoip
echo  "extension=geoip.so" > /etc/php.d/geoip.ini
systemctl restart httpd.service

For ImageMagick support:
yum install -y ImageMagick ImageMagick-devel
pecl install Imagick
echo "extension=imagick.so" > /etc/php.d/imagick.ini
systemctl restart httpd.service

For PHP file upload progress support:
pecl install uploadprogress
echo "extension=uploadprogress.so" > /etc/php.d/uploadprogress.ini

cd /etc/httpd/conf.d/
vi vhosts.conf
	(Add virtualhost entries)
service httpd restart

yum install -y fail2ban
systemctl enable fail2ban.service
systemctl start fail2ban.service

For sendmail TLS/SSL support (using a 'real' SSL certificate):
yum install -y sendmail sendmail-cf
Edit these lines in /etc/mail/sendmail.mc:
define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/mydomain.crt')dnl
define(`confSERVER_KEY', `/etc/pki/tls/private/mydomain-nopass.key')dnl
/etc/mail/make
systemctl enable saslauthd.service
systemctl start saslauthd.service
systemctl enable sendmail.service
systemctl start sendmail.service


2 Comments

by John Swindells on 16 October 2013
Good instructions for adding DKIM support (using opendkim): Set Up DKIM (DomainKeys Identified Mail) Working With Postfix On CentOS Using OpenDKIM
by Gregg on 25 March 2011
Great stuff, as a server newb I'd love to see a few comments describing some of the tasks, like how to add rules for ports 20 and 21, how to add an ftp exclusion, and where those variables are in the files.

Thanks though, great stuff.
