LAMP on CentOS7

Many open source projects require LAMP with a database and database user ready to go. Here we will look at basic commands on CentOS7 to get it up and running quickly.

After CentOS7 is installed, update all packages
yum update -y
Install apache web server
yum install httpd
Start service and enable it to start on boot
systemctl start httpd.service
systemctl enable httpd.service
Install MariaDB database server
yum install mariadb-server mariadb
Start mysql services
systemctl start mariadb
Secure mysql installation
mysql_secure_installation
Enable MariaDB to start on boot
systemctl enable mariadb.service
Install PHP with mysql support
yum install php php-mysql
Restart apache web server
systemctl restart httpd.service
Open the necessary firewall ports, for example http
firewall-cmd --zone=public --permanent --add-service=http
firewall-cmd --reload
And finally create the database and user. See example below.
create database mydb;
grant usage on *.* to mydbuser@localhost identified by 'mypassword';
grant all privileges on mydb.* to mydbuser@localhost;
FLUSH PRIVILEGES;

Open vSwitch installation on CentOS 7.2
Open vSwitch (OVS) is a production quality, multilayer virtual switch software available for various platforms. The server platforms include x86 based latest Linux distributions e.g. Debian 16 LTS or CentOS 7.2. Popular SDN switch operating system development company Pica8 also bundles the OVS in a custom Ubuntu version for Pronto, Dell, and many other switches.

Below is an effort to provide easy installation instructions for OVS on CentOS 7.2 and also to integrate OVS with the OpenDaylight. Note this blog is updated to use OVS version 2.5.1 (bug fix release for OVS 2.5.0).

Install the requisite packages.
#yum -y install make gcc openssl-devel autoconf automake rpm-build redhat-rpm-config python-devel openssl-devel kernel-devel kernel-debug-devel libtool wget
Necessary steps for building RPM
#mkdir -p ~/rpmbuild/SOURCES
#wget http://openvswitch.org/releases/openvswitch-2.8.0.tar.gz
#cp openvswitch-2.8.0.tar.gz ~/rpmbuild/SOURCES/
#tar xfz openvswitch-2.8.0.tar.gz
#sed 's/openvswitch-kmod, //g' openvswitch-2.8.0/rhel/openvswitch.spec > openvswitch-2.8.0/rhel/openvswitch_no_kmod.spec
Build the RPM
#rpmbuild -bb --nocheck ~/openvswitch-2.8.0/rhel/openvswitch_no_kmod.spec
Install the RPM
#ls -l ~/rpmbuild/RPMS/x86_64/
#yum localinstall ~/rpmbuild/RPMS/x86_64/openvswitch-2.8.0-1.x86_64.rpm
Start the OVS service and enable it for the next boot
#systemctl start openvswitch.service
#chkconfig openvswitch on
This process will install OVS on the server and start the process. The firewall should be open to accept the incoming TCP connection on port 6633.

Test the OVS Version
#ovs-vsctl -V

Useful OVS commands
#ovs-vsctl show
#ovs-ofctl show br0

Create a new OVS Bridge, add physical ports, connect OVS with ODL controller
#ovs-vsctl add-br ovsbr0
#ovs-vsctl set bridge ovsbr0 protocols=OpenFlow13
#ovs-vsctl list controller
#ovs-vsctl add-port ovsbr0 eth4
#ovs-vsctl add-port ovsbr0 eth8
#ovs-vsctl set-controller ovsbr0 tcp:192.168.1.57:6633
#ovs-vsctl show

As a first step, we will install LAMP
yum -y install mariadb-server mariadb
systemctl start mariadb.service
systemctl enable mariadb.service
Secure MariaDB installation
mysql_secure_installation
Install Apache server
yum -y install httpd
systemctl start httpd.service
systemctl enable httpd.service
Install php with all modules
yum -y install php
yum -y install php-mysql
yum -y install php-gd php-ldap php-odbc php-pear php-xml php-xmlrpc php-mbstring php-snmp php-soap curl curl-devel
Restart apache
systemctl restart httpd.service
Now let's install phpMyAdmin
Let's add the EPEL repository
rpm -iUvh http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
Install phpMyAdmin
yum install phpMyAdmin
Make sure we allow access to the software
vi /etc/httpd/conf.d/phpMyAdmin.conf
Change authentication
vi /etc/phpMyAdmin/config.inc.php

[…]
$cfg['Servers'][$i]['auth_type'] = 'http'; // Authentication method (config, http or cookie based)?
[…]

Restart Apache
systemctl restart httpd.service
Now we setup virtual hosts

mkdir -p /var/www/html/site1/public_html
mkdir -p /var/www/html/site2/public_html

useradd webadmin
passwd webadmin

chown -R webadmin:webadmin /var/www/html/site1/public_html
chown -R webadmin:webadmin /var/www/html/site2/public_html

chmod -R 755 /var/www/html

vi /etc/httpd/conf/httpd.conf
IncludeOptional sites-enabled/*.conf

mkdir /etc/httpd/sites-enabled
mkdir /etc/httpd/sites-available

cd /etc/httpd/sites-available
vi site1.com.conf

<VirtualHost *:80>
ServerName www.site1.com
DocumentRoot /var/www/html/site1/public_html
ServerAlias site1.com
ErrorLog /var/www/html/site1/error.log
CustomLog /var/www/html/site1/requests.log combined
</VirtualHost>

vi site2.com.conf

<VirtualHost *:80>
ServerName www.site2.com
DocumentRoot /var/www/html/site2/public_html
ServerAlias site2.com
ErrorLog /var/www/html/site2/error.log
CustomLog /var/www/html/site2/requests.log combined
</VirtualHost>

ln -s /etc/httpd/sites-available/site1.com.conf /etc/httpd/sites-enabled/site1.com.conf
ln -s /etc/httpd/sites-available/site2.com.conf /etc/httpd/sites-enabled/site2.com.conf
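
A check for the virtual host layout above, added here and not part of the original post: it lists ErrorLog and CustomLog targets that lie under any DocumentRoot in the configuration it reads. The sample configuration is constructed (the stock CentOS 7 main DocumentRoot, site1 as configured on this page, and a hypothetical example.test host), and the function names are hypothetical.

```bash
#!/bin/sh
# Added example: flag Apache log files that are stored inside a web root.

# Constructed sample: main-server DocumentRoot as in a stock CentOS 7
# httpd.conf, the site1 vhost from this page, and a hypothetical second host.
sample_httpd_conf() {
cat <<'EOF'
DocumentRoot "/var/www/html"
<VirtualHost *:80>
ServerName www.site1.com
DocumentRoot /var/www/html/site1/public_html
ErrorLog /var/www/html/site1/error.log
CustomLog /var/www/html/site1/requests.log combined
</VirtualHost>
<VirtualHost *:80>
ServerName www.example.test
DocumentRoot /var/www/html/example/public_html
ErrorLog /var/log/httpd/example-error.log
CustomLog logs/example-access.log combined
</VirtualHost>
EOF
}

# logs_under_docroot: read Apache configuration on stdin and print every
# ErrorLog/CustomLog target that lies beneath any DocumentRoot in the input.
# Relative targets (resolved against ServerRoot) and piped loggers never
# start with a DocumentRoot path, so they are not reported.
logs_under_docroot() {
  awk '
    { gsub(/"/, "") }                      # drop optional quoting, re-split
    tolower($1) == "documentroot" { r = $2; sub(/\/+$/, "", r); roots[r] = 1 }
    tolower($1) == "errorlog" || tolower($1) == "customlog" { logs[$2] = 1 }
    END {
      for (l in logs)
        for (r in roots)
          if (index(l, r "/") == 1) { print l; break }
    }' | sort
}

# Demonstration on the constructed sample.
sample_httpd_conf | logs_under_docroot
```

To audit a real host, pipe the concatenated files (httpd.conf, conf.d/*.conf, sites-enabled/*.conf) into logs_under_docroot; anything it prints is better moved under /var/log/httpd.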

Make sure the proper firewall exceptions are added

firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --reload

Install OSSEC Host Intrusion Detection Software
yum install mysql-devel postgresql-devel gcc
wget -U ossec https://bintray.com/artifact/download/ossec/ossec-hids/ossec-hids-2.8.3.tar.gz
tar -zxvf ossec-hids-2.8.3.tar.gz
cd ossec-hids-2.8.3
./install.sh
Choose local install, provide email and SMTP server for alerts

Install Fail2Ban
yum install fail2ban fail2ban-systemd
cp -pf /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Examine configuration file to make sure settings are as you want them
vi /etc/fail2ban/jail.local
Add ssh jail file
vi /etc/fail2ban/jail.d/sshd.local
[sshd]
enabled = true
port = ssh
#action = firewallcmd-ipset
logpath = %(sshd_log)s
maxretry = 5
bantime = 86400
With firewalld enabled and running
systemctl enable fail2ban
systemctl start fail2ban
Tracking logon attempts
cat /var/log/secure | grep 'Failed password'
Check banned IP address
iptables -L -n
Check fail2ban status
fail2ban-client status
Remove ban from IP
fail2ban-client set sshd unbanip IPADDRESS
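
The grep over /var/log/secure above, extended into a per-address count and compared against the jail's maxretry = 5, as an added example that is not part of the original post. The log lines are constructed samples, the function names are hypothetical, and unlike fail2ban the count ignores the findtime window.

```bash
#!/bin/sh
# Added example: summarise sshd "Failed password" events per source address.

# Constructed sample lines in /var/log/secure format (documentation addresses).
sample_secure_log() {
cat <<'EOF'
Nov  4 10:01:02 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Nov  4 10:01:05 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Nov  4 10:01:09 web1 sshd[2104]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Nov  4 10:01:14 web1 sshd[2104]: Failed password for invalid user test from 203.0.113.7 port 40130 ssh2
Nov  4 10:01:20 web1 sshd[2109]: Failed password for root from 203.0.113.7 port 40141 ssh2
Nov  4 10:02:00 web1 sshd[2115]: Accepted password for webadmin from 192.0.2.10 port 51822 ssh2
Nov  4 10:03:11 web1 sshd[2120]: Failed password for webadmin from 198.51.100.23 port 50210 ssh2
Nov  4 10:03:15 web1 sshd[2120]: Failed password for webadmin from 198.51.100.23 port 50210 ssh2
Nov  4 10:03:40 web1 sshd[2125]: Failed password for invalid user from from 198.51.100.23 port 50233 ssh2
EOF
}

# failed_by_ip: read log lines on stdin, print "count address", highest first.
# The address is taken relative to the END of the line ("from ADDR port N ssh2")
# because the user name is client-supplied text and may itself contain "from".
failed_by_ip() {
  awk '/sshd\[[0-9]+\]: Failed password for / && NF >= 5 &&
       $(NF-4) == "from" && $(NF-2) == "port" { n[$(NF-3)]++ }
       END { for (ip in n) print n[ip], ip }' | sort -k1,1nr -k2,2
}

# over_maxretry N: read log lines on stdin, print the addresses with at
# least N failures (N = 5 matches the sshd jail defined on this page).
over_maxretry() {
  failed_by_ip | awk -v max="$1" '$1 + 0 >= max + 0 { print $2 }'
}

# Demonstration on the constructed sample.
sample_secure_log | failed_by_ip
sample_secure_log | over_maxretry 5
```

On a live host, feed it the real log instead of the sample: over_maxretry 5 < /var/log/secure, then compare the result with fail2ban-client status sshd.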

Install nagios to monitor server or vm
cd ~
curl -L -O http://nagios-plugins.org/download/nagios-plugins-2.1.1.tar.gz
tar xvf nagios-plugins-*.tar.gz
cd nagios-plugins-*
./configure --with-nagios-user=nagios --with-nagios-group=nagios --with-openssl
make
make install
htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin
systemctl start nagios.service
systemctl restart httpd.service
chkconfig nagios on

If you would like to restrict access to the Nagios web portion by IP
vi /etc/httpd/conf.d/nagios.conf
Find and comment the following two lines by adding # symbols in front of them:
Order allow,deny
Allow from all
Then uncomment the following lines, by deleting the # symbols, and add the IP addresses or ranges (space delimited) that you want to allow in the Allow from line:

# Order deny,allow
# Deny from all
# Allow from 127.0.0.1
Install ClamAV virus scanner
yum install clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd

cp /usr/share/clamav/template/clamd.conf /etc/clamd.d/clamd.conf
sed -i '/^Example/d' /etc/clamd.d/clamd.conf

freshclam

cp /etc/freshclam.conf /etc/freshclam.conf.bak
sed -i '/^Example/d' /etc/freshclam.conf

vi /usr/lib/systemd/system/clam-freshclam.service
# Run the freshclam as daemon
[Unit]
Description = freshclam scanner
After = network.target

[Service]
Type = forking
ExecStart = /usr/bin/freshclam -d -c 4
Restart = on-failure
PrivateTmp = true

[Install]
WantedBy=multi-user.target

systemctl enable clam-freshclam.service
systemctl start clam-freshclam.service
Add ssl website
Install mod_ssl
yum install mod_ssl
Create certificate CSR – Certificate Signing Request
openssl req -new -newkey rsa:2048 -nodes -keyout rmohan.key -out rmohan.csr
Edit /etc/httpd/sites-available/rmohan.com.conf and add the below.

<VirtualHost *:443>
SSLEngine On
SSLCertificateFile /etc/pki/tls/certs/rmohan.crt
SSLCertificateKeyFile /etc/pki/tls/private/rmohan.key
# Root certificate; if it is provided by ca-certificates, omit the following line
SSLCACertificateFile /etc/pki/tls/certs/root-certificate.crt

ServerAdmin info@rmohan.com
ServerName www.rmohan.com
DocumentRoot /var/www/html/rmohan.com/public_html/
ErrorLog /var/www/html/rmohan.com/logs/error.log
CustomLog /var/www/html/rmohan.com/logs/access.log combined
</VirtualHost>

Finish configuration and set up correct permissions
mkdir -p /var/www/html/rmohan.com/public_html /var/www/html/rmohan.com/logs
chown -R webadmin:webadmin /var/www/html/rmohan.com/public_html
ln -s /etc/httpd/sites-available/rmohan.com.conf /etc/httpd/sites-enabled/rmohan.com.conf
