Server Setup Helper
#################################
# General Program Installations #
#################################
# Baseline CLI tooling for a fresh yum-based (CentOS/RHEL) host. Same package
# set as before, grouped by purpose; -y answers the install prompts so this can
# be pasted unattended.
yum -y install \
  htop iotop \
  screen parallel \
  bzip2 unzip wget nano dos2unix \
  nmap
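###########################
# Install Git from Source #
###########################
# Builds a pinned git release and installs it under /usr/local, so it shadows
# the distro git in PATH without replacing the package.
# Release list: https://github.com/git/git/releases
# The old sequence fetched "v*.tar.gz" (a literal glob, not a version) and
# built whatever came back with no integrity check. Now the version is pinned
# and the tarball must match a SHA-256 you obtained out of band (release
# notes, a second machine, ...) before anything is extracted or built.
# NOTE(review): GitHub's /archive/ tarballs are generated on demand and are
# not a signed or guaranteed-stable artifact; if you can verify PGP
# signatures, the tarballs under https://www.kernel.org/pub/software/scm/git/
# carry .sign files and are the better source.
GIT_VERSION="${GIT_VERSION:?set GIT_VERSION, e.g. 2.29.2 (no leading v)}"
GIT_TARBALL_SHA256="${GIT_TARBALL_SHA256:?set GIT_TARBALL_SHA256 (expected sha256 of v\${GIT_VERSION}.tar.gz)}"

yum -y groupinstall 'Development Tools'
yum -y install dh-autoreconf curl-devel expat-devel gettext-devel openssl-devel perl-devel zlib-devel

cd /usr/src/
# Every step is chained with && so a failed download or a checksum mismatch
# stops the sequence before 'make install' touches /usr/local.
wget -O "v${GIT_VERSION}.tar.gz" "https://github.com/git/git/archive/v${GIT_VERSION}.tar.gz" \
  && printf '%s  v%s.tar.gz\n' "$GIT_TARBALL_SHA256" "$GIT_VERSION" | sha256sum -c - \
  && tar -zxf "v${GIT_VERSION}.tar.gz" \
  && cd "git-${GIT_VERSION}/" \
  && make configure \
  && ./configure --prefix=/usr/local \
  && make install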
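##############################################################
# fix forwarded IP addresses from load balancers, cloudflare #
##############################################################
# mod_extract_forwarded replaces REMOTE_ADDR with the address carried in
# X-Forwarded-For. Only the proxies listed in MEFaccept may supply that
# header: if any other source is trusted, every client can spoof its own IP
# and with it IP allow-lists, rate limits and access-log attribution.
#
# EPEL (where the module lives): on CentOS the release package is in the
# distro-signed 'extras' repo, so yum verifies it. The previous
# http://download.fedora.redhat.com/... rpm -Uvh line fetched an unsigned,
# unverified package over plain HTTP from a host that no longer serves it.
yum -y install epel-release
# RHEL (no 'extras'): fetch https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
# over HTTPS and check it with 'rpm -K' against the EPEL GPG key before
# installing; yum does not GPG-check a package given by URL by default.
# NOTE(review): EL6/EPEL 6 reached end of life in Nov 2020 -- expect archive
# mirrors only.
yum -y update
yum -y install mod_extract_forwarded
# httpd only includes conf.d/*.conf; the original appended to a file without
# the .conf suffix, so the directive was never loaded. X.X.X.X = the load
# balancer IP, or the CloudFlare ranges, that actually show up in REMOTE_ADDR.
echo "MEFaccept X.X.X.X" >> /etc/httpd/conf.d/mod_extract_forwarded.conf
# Syntax-check first so a typo does not leave httpd down after the restart.
apachectl configtest && service httpd restart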
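#####################
# new database/user #
#####################
-- Application account: scoped to one schema and to socket/localhost
-- connections only. WITH GRANT OPTION has been dropped -- an application
-- user that can hand out privileges turns any SQL injection into a way to
-- mint further accounts. Use a distinct username/password per application.
-- (FLUSH PRIVILEGES is not required after CREATE USER / GRANT; it is kept
-- because it is harmless.)
CREATE DATABASE `__DATABASE__`;
CREATE USER '__USERNAME__'@'localhost' IDENTIFIED BY '__PASSWORD__';
GRANT ALL PRIVILEGES ON `__DATABASE__`.* TO '__USERNAME__'@'localhost';
FLUSH PRIVILEGES;
#####################
# MySQL Backup User #
#####################
-- Read-only dump account: what mysqldump needs for one schema including
-- views, events and triggers, and nothing that can modify data. It must NOT
-- reuse the application credentials above (the placeholders are named
-- differently on purpose).
CREATE USER '__BACKUP_USERNAME__'@'localhost' IDENTIFIED BY '__BACKUP_PASSWORD__';
GRANT SELECT, LOCK TABLES, SHOW VIEW, EVENT, TRIGGER ON `__DATABASE__`.* TO '__BACKUP_USERNAME__'@'localhost';
FLUSH PRIVILEGES;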
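##################
# new linux user #
##################
# One shell account per site owner, with the docroot at
# /home/<user>/domains/<domain>/public_html and logs beside it.
# Both names are taken from the environment and must be set, so a stray paste
# cannot create a user literally called "USER_NAME".
USER_NAME="${USER_NAME:?set USER_NAME}"
DOMAIN_NAME="${DOMAIN_NAME:?set DOMAIN_NAME}"
site_dir="/home/$USER_NAME/domains/$DOMAIN_NAME"

# -m makes home-directory creation explicit instead of relying on CREATE_HOME
# in /etc/login.defs (the mkdir below needs /home/$USER_NAME to exist).
useradd -m "$USER_NAME"
passwd "$USER_NAME"
# Kept from the original: the account joins the apache group (presumably so
# group-readable site files are reachable from the shell as well).
usermod -a -G apache "$USER_NAME"
mkdir -p "$site_dir/public_html" "$site_dir/logs"
# httpd only needs to *traverse* the path to the docroot. 'a+X' adds x to
# directories (and to files that are already executable) only; the previous
# 'chmod +x -R' marked every file under the home directory executable.
chmod -R a+X "/home/$USER_NAME/"
# Home directory stays root-owned (as before): the user works inside
# public_html/logs through the ACLs below and cannot rearrange domains/.
chown root "/home/$USER_NAME/"
# ACLs: apache and the site user each get rwx, once as the effective ACL on
# what exists (-m) and once as the default ACL new files inherit (-d -m).
# NOTE(review): this gives httpd write access to the whole docroot, so a
# compromised web process can drop code anywhere in it. If the site does not
# need in-place updates, grant apache rwx only on its upload/cache dirs and
# r-x elsewhere.
for acl_dir in "$site_dir/public_html" "$site_dir/logs"; do
  setfacl -R -m "user:apache:rwx" "$acl_dir"
  setfacl -R -d -m "user:apache:rwx" "$acl_dir"
  setfacl -R -m "user:$USER_NAME:rwx" "$acl_dir"
  setfacl -R -d -m "user:$USER_NAME:rwx" "$acl_dir"
done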
###########################
# allow emails from httpd #
###########################
# Persistent (-P) SELinux booleans, both set in one call, same values as before.
#   httpd_can_sendmail      -- lets httpd hand mail to the local MTA.
#   httpd_can_network_connect -- lets httpd open outbound TCP connections to
#   ANY host/port. That is far broader than mail needs; if the only remote
#   service is a database, httpd_can_network_connect_db is the narrower
#   boolean. Keep the wide one only if the app really makes arbitrary
#   outbound HTTP calls (a compromised PHP process then can too).
sudo setsebool -P httpd_can_sendmail=1 httpd_can_network_connect=1
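######################
# Permissions Issues #
######################
# WordPress ownership/permission reset. Run from inside the WordPress root
# (public_html). The guard refuses to recurse from anywhere else: 'find .'
# run from the wrong directory would re-permission that tree instead.
# Model: files USER_NAME:apache 664 / dirs 775 so httpd (group apache) can
# read everything; the dirs WordPress must write (uploads, cache, upgrade,
# plugins, w3tc-config) and the core dirs it updates in place are handed to
# apache.
# Trade-off: apache owning wp-admin/wp-includes/plugins lets a compromised
# web process rewrite core PHP. If updates are done with WP-CLI as the site
# user instead, keep those dirs USER_NAME:apache and set DISALLOW_FILE_EDIT
# in wp-config.php.
if [ -f wp-config.php ] && [ -d wp-content ]; then
  find . -type f -exec chmod 664 {} +
  find . -type d -exec chmod 775 {} +
  # DB credentials and auth salts live here: owner rw, group (apache) read
  # only, nothing for others. The previous 664 left it world-readable (any
  # local account could read the DB password) and group-writable.
  chmod 640 wp-config.php
  chown -R apache:apache wp-admin
  chown -R apache:apache wp-includes
  chown apache:apache wp-content
  chown -R apache:apache wp-content/plugins
  chown -R apache:apache wp-content/cache
  chown -R apache:apache wp-content/upgrade
  chown -R apache:apache wp-content/uploads
  chown -R apache:apache wp-content/w3tc-config
  chown -R USER_NAME:apache wp-content/themes
  chown USER_NAME:apache wp-content/*.php
  # ./ prefix so a file named "-something" cannot be parsed as an option.
  chown USER_NAME:apache ./*.php
  chown USER_NAME:apache ./*.txt
  chown USER_NAME:apache ./*.html
else
  echo "not a WordPress root (wp-config.php / wp-content missing): nothing changed" >&2
fi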
# ACL reset for the site directories. These paths are relative to the DOMAIN
# directory (the parent of public_html), not to the WordPress root the
# chmod/chown lines above are run from -- cd up one level first.
# Same entries as before, in the same order: apache then the site user, each
# as the effective ACL (-m) and as the default ACL (-d -m) inherited by files
# created later.
for acl_dir in ./public_html ./logs; do
  setfacl -R -m user:apache:rwx "$acl_dir"
  setfacl -R -d -m user:apache:rwx "$acl_dir"
  setfacl -R -m user:USER_NAME:rwx "$acl_dir"
  setfacl -R -d -m user:USER_NAME:rwx "$acl_dir"
done
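##############################
# MySQL my.cnf Configuration #
##############################
# Buffer/connection sizes below are one host's tuning, not defaults --
# re-check innodb-buffer-pool-size and max-connections against the RAM of
# the target machine.
[mysqld]
## Cache
table-definition-cache = 4096
table-open-cache = 4096
#table-open-cache-instances = 1
#thread-cache-size = 16
# query cache was removed in MySQL 8.0; leave these commented on 8.x
#query-cache-size = 32M
#query-cache-type = 1
## Per-thread Buffers
#join-buffer-size = 512K
#read-buffer-size = 512K
#read-rnd-buffer-size = 512K
#sort-buffer-size = 512K
## Temp Tables
max-heap-table-size = 128M
tmp-table-size = 128M
## Networking
#interactive-timeout = 3600
max-connections = 250
# NOTE(review): per the MySQL docs this counter tracks *interrupted*
# connection attempts from a host, not failed logins, so a high value does
# not by itself weaken auth brute-force protection -- but it does mean a
# misbehaving client is effectively never blocked. Confirm for your version.
max-connect-errors = 1000000
max-allowed-packet = 32M
# No reverse DNS on connect. Side effect: host names in GRANTs no longer
# match -- use IP addresses ('user'@'localhost' socket accounts still work).
skip-name-resolve
wait-timeout = 600
## MyISAM
key-buffer-size = 32M
#myisam-recover = FORCE,BACKUP
myisam-sort-buffer-size = 128M
## InnoDB
innodb-buffer-pool-size = 2G
# innodb-file-format is deprecated in 5.7 and removed in 8.0, where an
# unknown option stops the server from starting; drop it when upgrading.
innodb-file-format = Barracuda
#innodb-file-per-table = 1
#innodb-flush-method = O_DIRECT
innodb-log-file-size = 512M
## Data
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
## User
user=mysql
# Disabling symbolic-links is recommended to prevent assorted security risks
# (otherwise a MyISAM table's files can be pointed outside datadir)
symbolic-links=0
## Slow Query Log
# Log path moved out of /tmp: /tmp is world-writable, so any local user could
# pre-create or symlink the file, and the log carries full query text
# (including literals). Create /var/log/mysql owned by mysql before enabling.
#slow-query-log=1
#slow-query-log-file=/var/log/mysql/mysql_slow_queries.log
#long-query-time=2
#log-queries-not-using-indexes=1
[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid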
##############################
# SSL Certificate Generation #
##############################
### Generate the dhparam.pem:
# 2048-bit group for the DHE ciphersuites referenced by ssl_dhparam in the
# nginx config below. Generation is CPU-bound and can take minutes; the
# output is not secret but /etc/ssl/nginx must already exist.
openssl dhparam \
  -out /etc/ssl/nginx/dhparam.pem \
  2048
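### .conf:
# SSL Installation on NGINX:
# https://support.comodo.com/index.php?/comodo/Knowledgebase/Article/View/1091/0/certificate-installation--nginx
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
# (leaf certificate first, then the intermediates; never the root).
ssl_certificate /etc/ssl/nginx/CERT_FILE.pem;
# The private key: keep the file root-owned and mode 0600 (nginx reads it
# as root before dropping privileges).
ssl_certificate_key /etc/ssl/nginx/CERT_FILE.key;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
# Tickets stay off: nginx does not rotate the ticket key on its own, and a
# long-lived static key undermines forward secrecy for resumed sessions.
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/ssl/nginx/dhparam.pem;
# TLS 1.0 and 1.1 are deprecated (RFC 8996) and fail PCI DSS; they have been
# removed. TLSv1.3 needs nginx >= 1.13.0 built against OpenSSL >= 1.1.1 --
# on an older build drop it from the list, since nginx rejects protocol
# names it does not know at startup.
ssl_protocols TLSv1.2 TLSv1.3;
# Forward-secret AEAD suites only. The previous list also offered 3DES
# (DES-CBC3-SHA, 64-bit block -> Sweet32) and static-RSA key exchange
# (AES128-SHA etc.), which has no forward secrecy.
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
# NOTE: add_header is NOT inherited into a server/location block that sets
# any add_header of its own -- repeat it there or the header silently
# disappears. Add 'includeSubDomains' only once every subdomain is HTTPS.
add_header Strict-Transport-Security max-age=15768000;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
## verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/ssl/nginx/CERT_FILE.ca-bundle;
# Resolver for the OCSP responder lookup: something must actually be
# listening on 127.0.0.1:53 (local unbound/dnsmasq), otherwise stapling fails
# quietly and clients just get no stapled response.
resolver 127.0.0.1;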
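##################
# Install rclone #
##################
# Pin a release and verify the zip against the SHA256SUMS published for that
# release before anything is copied into /usr/bin. The old flow installed
# "rclone-current-*" -- a moving target that cannot be checksum-verified --
# with no integrity check at all. Versions: https://downloads.rclone.org/
# NOTE(review): upstream also PGP-signs the SHA256SUMS file; verifying that
# signature with a key obtained out of band closes the remaining gap.
RCLONE_VERSION="${RCLONE_VERSION:?set RCLONE_VERSION, e.g. v1.53.3 (with leading v)}"
rclone_zip="rclone-${RCLONE_VERSION}-linux-amd64.zip"
# Scratch dir from mktemp (not a predictable name in the cwd); every step is
# chained so a failed download or a checksum mismatch stops before install.
# grep selects just this zip's line so the check works on old coreutils that
# lack 'sha256sum --ignore-missing'; an empty match makes sha256sum -c fail.
rclone_tmp="$(mktemp -d)" \
  && cd "$rclone_tmp" \
  && curl -fsSLO "https://downloads.rclone.org/${RCLONE_VERSION}/${rclone_zip}" \
  && curl -fsSLO "https://downloads.rclone.org/${RCLONE_VERSION}/SHA256SUMS" \
  && grep " ${rclone_zip}\$" SHA256SUMS | sha256sum -c - \
  && unzip -q "$rclone_zip" \
  && sudo install -o root -g root -m 0755 "rclone-${RCLONE_VERSION}-linux-amd64/rclone" /usr/bin/rclone \
  && cd - >/dev/null \
  && rm -rf -- "$rclone_tmp"
# Interactive remote setup. The resulting rclone.conf holds cloud credentials
# (tokens/keys) in clear text unless you set a config password, so run this
# as the account that will use it and keep the file 0600.
rclone config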
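####################
# Install CollectD #
####################
yum -y install collectd collectd-nginx collectd-mysql
# Enable the plugins you need. The mysql plugin is configured with a DB
# user/password: give it a dedicated read-only account (see "MySQL Backup
# User"), never the application's credentials.
nano /etc/collectd.conf
chkconfig --levels 235 collectd on
service collectd start
# CGP (Collectd Graph Panel) web front end. This is code that will be served
# by httpd: check out a tagged release / known commit rather than whatever
# master happens to be, and keep it outside any writable upload path.
git clone https://github.com/pommi/CGP
# update datadir in conf/config.php
# 'sudo setenforce 0' has been removed. It disabled SELinux for the whole
# host (until reboot) to get past a single denial, which is far wider than
# the problem. If httpd is denied access to CGP or the collectd RRD files,
# read the denial and fix it narrowly, as the SELinux section below does:
#   ausearch -m AVC -ts recent
#   semanage fcontext -a -t httpd_sys_content_t "/path/to/CGP(/.*)?" && restorecon -Rv /path/to/CGP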
####################
# Sync Using rsync #
####################
# -a archive (perms, owners, times, symlinks), -z compress in transit,
# --partial --progress is exactly what the short -P expands to (resume
# interrupted files, show progress). A trailing slash on the source copies
# its *contents*, not the directory itself.
# Transport is ssh: confirm remote.addr's host-key fingerprint on first
# connect before trusting what comes back.
# remote to local
rsync -az --partial --progress user@remote.addr:/path/to/source/ /path/to/destination/
# local to remote
rsync -az --partial --progress /path/to/source/ user@remote.addr:/path/to/destination/
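########################
# Install Apache 2.4.* #
########################
# Pointer only -- the 2.4 series for EL comes from the Software Collections
# 'httpd24' package; follow the install steps on that page:
#   https://www.softwarecollections.org/en/scls/rhscl/httpd24/
# (Kept as a comment: a bare URL on its own line is executed as a command.)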
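#######################
# Add WordPress Admin #
#######################
-- Emergency admin creation straight in the database. Prefer WP-CLI when it
-- is available ('wp user create __USERNAME__ __EMAIL__ --role=administrator'):
-- it hashes the password properly and fills every column.
-- MD5() is accepted only because WordPress re-hashes a legacy MD5 password
-- with its own hasher at that user's first login; until then the stored
-- hash is trivially crackable, so log in and change the password right away.
-- Table prefix: 'wp_' appears in the table names AND in the meta keys
-- (wp_capabilities / wp_user_level); change all of them if your prefix differs.
INSERT INTO `wp_users` (`user_login`, `user_pass`, `user_nicename`, `display_name`, `user_email`, `user_registered`, `user_status`)
VALUES ('__USERNAME__', MD5('__PASSWORD__'), '__DISPLAY_NAME__', '__DISPLAY_NAME__', '__EMAIL__', NOW(), '0');
-- Capture the id of the row just inserted in THIS session. The previous
-- MAX(id) subquery picks up whichever user was inserted most recently by
-- anyone, and could promote the wrong account on a busy site.
SET @new_admin_id = LAST_INSERT_ID();
INSERT INTO `wp_usermeta` (`user_id`, `meta_key`, `meta_value`) VALUES
  (@new_admin_id, 'wp_capabilities', 'a:1:{s:13:"administrator";s:1:"1";}'),
  (@new_admin_id, 'wp_user_level', '10');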
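###########
# SELinux #
###########
# Label only the directories httpd must write to (uploads, caches) as
# httpd_sys_rw_content_t; everything else keeps the read-only
# httpd_sys_content_t label, so a compromised web process cannot modify code.
# 'semanage' ships in policycoreutils-python on EL6/7.
yum install -y policycoreutils-python
# -t was missing in the original lines: without it semanage takes the type
# name as the file spec and errors out, so no label was ever recorded.
semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/folder1(/.*)?"
semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/folder2(/.*)?"
# Apply the recorded labels. restorecon needs an explicit path; the bare
# 'restorecon -Rv' in the original relabels nothing.
restorecon -Rv /var/www/html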
#######################
# CertBot LetsEncrypt #
#######################
# Obtains one certificate for both names and lets the apache plugin install
# it (it edits the vhost config in place). Same two names as before, given in
# certbot's comma-separated form.
sudo certbot --apache --domains domain.com,www.domain.com
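###############################
# WordPress Linux Permissions #
###############################
# Same reset as "Permissions Issues" above; run it from inside the WordPress
# root (public_html). The guard stops 'find .' from re-permissioning some
# unrelated tree when pasted in the wrong directory.
# Ownership model: USER_NAME:apache with 664/775 so httpd can read the site;
# apache owns only what WordPress writes to (uploads, cache, upgrade, plugins,
# w3tc-config) plus the core dirs it updates in place.
# Security trade-off: apache owning wp-admin/wp-includes/plugins lets a
# compromised web process rewrite core PHP. If you update through WP-CLI as
# the site user, keep those dirs USER_NAME:apache and add
# define('DISALLOW_FILE_EDIT', true) to wp-config.php.
if [ -f wp-config.php ] && [ -d wp-content ]; then
  find . -type f -exec chmod 664 {} +
  find . -type d -exec chmod 775 {} +
  # wp-config.php carries the DB password and the auth salts: owner rw,
  # group (apache) read only, no access for others. The previous 664 made it
  # readable by every local account and writable by the web server.
  chmod 640 wp-config.php
  chown -R apache:apache wp-admin
  chown -R apache:apache wp-includes
  chown apache:apache wp-content
  chown -R apache:apache wp-content/plugins
  chown -R apache:apache wp-content/cache
  chown -R apache:apache wp-content/upgrade
  chown -R apache:apache wp-content/uploads
  chown -R apache:apache wp-content/w3tc-config
  chown -R USER_NAME:apache wp-content/themes
  chown USER_NAME:apache wp-content/*.php
  # ./ prefix keeps an oddly named file ("-foo.php") from being read as an option.
  chown USER_NAME:apache ./*.php
  chown USER_NAME:apache ./*.txt
  chown USER_NAME:apache ./*.html
else
  echo "not a WordPress root (wp-config.php / wp-content missing): nothing changed" >&2
fi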