debian services installed

apt-get update
apt-get upgrade
apt-get install build-essential
mkdir -p /var/src


ADDING A STATIC IP TO ETH0

nano /etc/network/interfaces
#First IP address
auto eth0
iface eth0 inet static
        address x.x.x.77
        netmask 255.255.255.0
        gateway x.x.x.254
        dns-nameservers x.x.x.x

#Second IP address
auto eth0:1
iface eth0:1 inet static
        address x.x.x.78
        netmask 255.255.255.0

/etc/init.d/network restart

SMARTMONTOOLS

apt-get install smartmontools
nano /etc/default/smartmontools
start_smartd=yes

nano /etc/smartd.conf
DEVICESCAN -m root -M exec /usr/share/smartmontools/smartd-runner
/dev/hda -H -m youremail@domain.com


MONITORING

apt-get install munin munin-node
nano /etc/munin/munin.conf

vi /var/www/munin/.htaccess
AuthType Basic
AuthName "Admin Only"
AuthUserFile /var/www/.htpasswd
<limit GET PUT POST>
require valid-user
</limit>
htpasswd -c /var/www/.htpasswd admin

apt-get install monit
nano /etc/default/monit.conf

  1. check FTP server

check process proftpd with pidfile /var/run/vsftpd/vsftpd.pid
start program = "/etc/init.d/vsftpd start"
stop program = "/etc/init.d/vsftpd stop"
if failed port 21 protocol ftp then restart
if 5 restarts within 5 cycles then timeout

  2. check MySQL

check process mysql with pidfile /var/run/mysqld/mysqld.pid
group mysql
start program = "/etc/init.d/mysql start"
stop program = "/etc/init.d/mysql stop"
if failed host 127.0.0.1 port 3306 then restart
if 5 restarts within 5 cycles then timeout

  3. check WEB server

#check process apache with pidfile /path/apache/logs/httpd.pid
#group nogroup
#start program = "/etc/init.d/apache start"
#stop program = "/etc/init.d/apache stop"
#if failed host www.11h10.com port 80 protocol http
#and request "/token" then restart

#qmail
check process qmail with pidfile /var/run/tcpserver_smtpd.pid
group qmail
start program = "/etc/init.d/qmail start"
stop program = "/etc/init.d/qmail stop"
if failed port 25 protocol smtp then restart
if 5 restarts within 5 cycles then timeout

  4. consumption

if cpu is greater than 60% for 2 cycles then alert
if cpu > 80% for 5 cycles then restart
if totalmem > 500 MB for 5 cycles then restart
if children > 250 then restart
if loadavg(5min) greater than 10 for 8 cycles then stop
if 3 restarts within 5 cycles then timeout


IPTABLES
nano /etc/network/iptables
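# Firewall rules, sourced by /etc/init.d/iptables-conf (plain sh syntax).
# Address of the interface the rules apply to.
MYIP=192.168.2.13

# Start from empty INPUT/OUTPUT chains with zeroed counters.
iptables -t filter -F INPUT
iptables -t filter -F OUTPUT

iptables -t filter -Z INPUT
iptables -t filter -Z OUTPUT

# Default deny in both directions; everything below is an explicit allow.
# The FORWARD chain is not touched.
iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT DROP

# Loopback is always allowed.
iptables -t filter -A INPUT -i lo -j ACCEPT

# DNS replies.  Matching inbound packets on source port 53 alone would let
# any remote host reach every port on $MYIP simply by sending from port 53,
# so the reply rules also require an ESTABLISHED conntrack entry, i.e. a
# query this host sent through the OUTPUT rules below.
iptables -t filter -A INPUT -i eth1 -d "$MYIP" -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -t filter -A INPUT -i eth1 -d "$MYIP" -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT

# Outgoing DNS queries.
iptables -t filter -A OUTPUT -o eth1 -s "$MYIP" -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -o eth1 -s "$MYIP" -p udp --dport 53 -j ACCEPT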

nano /etc/init.d/iptables-conf
#! /bin/sh
# Abort on the first failing command; the rules file is sourced into this
# shell (see iptables_start), so a failing rule stops the script there.
set -e

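#######################################
# Apply the firewall rules by sourcing the rules file into this shell.
# Arguments: $1 - rules file (default /etc/network/iptables)
# Outputs:   warning on stderr when the rules file does not exist
# Returns:   0; a failing command inside the file aborts the script (set -e)
#######################################
iptables_start() {
  _rules=${1:-/etc/network/iptables}
  if [ -f "$_rules" ]; then
    . "$_rules"
  else
    # With no rules file nothing is applied and the chains keep whatever
    # policy they had, so say so instead of silently reporting success.
    echo "iptables-conf: $_rules not found, no rules applied" >&2
  fi
  return 0
}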

#######################################
# Drop all rules from INPUT and OUTPUT, then set both back to accept-all.
# Globals:   none
# Arguments: none
# Returns:   status of the last iptables call
#######################################
iptables_stop() {
  for _chain in INPUT OUTPUT; do
    iptables -t filter -F "$_chain"
  done
  for _chain in INPUT OUTPUT; do
    iptables -t filter -P "$_chain" ACCEPT
  done
}

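# Dispatch on the init-script action.  printf replaces "echo -n" because
# echo's -n flag is not portable across /bin/sh implementations; the usage
# message goes to stderr so it is not mistaken for normal output.
case "$1" in
  start)
    printf '%s' "Apply Iptables configuration"
    iptables_start
    echo "."
    ;;
  stop)
    printf '%s' "Clear Iptables configuration"
    iptables_stop
    echo "."
    ;;
  restart)
    printf '%s' "Reloading Iptables configuration"
    iptables_stop
    iptables_start
    echo "."
    ;;
  *)
    echo "Usage: /etc/init.d/iptables-conf {start|stop|restart}" >&2
    exit 1
    ;;
esac

exit 0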

chmod +x iptables-conf
update-rc.d iptables-conf start 99 2 3 4 5 . stop 20 0 1 6 .
/etc/init.d/iptables-conf start


OPENSSL (update)

wget http://www.openssl.org/source/openssl-0.9.8i.tar.gz (verify the tarball's signature or checksum against the one published by the project before building, since the download is over plain HTTP)
./config --prefix=/usr --openssldir=/etc/ssl threads shared zlib-dynamic
make
make install

regenerate the keys and certificates (dovecot, vsftpd, apache)


OPENSSH

apt-get install openssh-server
nano /etc/ssh/sshd_config
Port 22
Protocol 2
PermitRootLogin no
MaxAuthTries 3
MaxStartups 1
LoginGraceTime 60
X11Forwarding no
TCPKeepAlive no
Banner /etc/ssh/banner
ClientAliveCountMax 5
ClientAliveInterval 20
AllowUsers sshadmin

nano /etc/ssh/banner


FAIL2BAN

apt-get install fail2ban
/etc/init.d/fail2ban stop
update-rc.d -f fail2ban remove
nano /etc/init.d/iptables-conf

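#######################################
# Apply the firewall rules, then start fail2ban.  fail2ban was taken out of
# the rc sequence (update-rc.d -f fail2ban remove), so this is where it is
# started; presumably so that it runs after the rules file has flushed the
# chains — confirm that assumption if the rules file changes.
# Arguments: $1 - rules file (default /etc/network/iptables)
# Outputs:   warning on stderr when the rules file does not exist
# Returns:   status of "/etc/init.d/fail2ban start"
#######################################
iptables_start() {
  _rules=${1:-/etc/network/iptables}
  if [ -f "$_rules" ]; then
    . "$_rules"
  else
    # Nothing is applied without the file; make that visible.
    echo "iptables-conf: $_rules not found, no rules applied" >&2
  fi
  /etc/init.d/fail2ban start
}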

#######################################
# Stop fail2ban, then for INPUT and OUTPUT in turn: flush the chain and set
# its policy back to ACCEPT.
# Arguments: none
# Returns:   status of the last iptables call
#######################################
iptables_stop() {
  /etc/init.d/fail2ban stop
  for _chain in INPUT OUTPUT; do
    iptables -t filter -F "$_chain"
    iptables -t filter -P "$_chain" ACCEPT
  done
}

nano /etc/fail2ban/fail2ban.conf
socket = /var/run/fail2ban.sock
nano /etc/fail2ban/jail.conf (port 1899)
/etc/init.d/iptables-conf restart


MYSQL

apt-get install mysql-client-5.0 mysql-server-5.0 mysql-common
/etc/init.d/mysql stop
cd /etc/mysql
nano my.cnf
log_bin = /var/log/mysql/mysql-bin.log
expire_logs_days = 10
max_binlog_size = 1000M

skip-opt
add-drop-table
add-locks
create-options
set-charset
disable-keys
complete-insert

/etc/init.d/mysql start

mysql_secure_installation


POSTGRESQL

apt-get install libreadline5-dev libz-dev
su - -c "useradd postgres"
passwd postgres
wget the latest PostgreSQL release tarball
./configure --prefix=/var/pgsql
make
make install
chown -R postgres.postgres /var/pgsql
su postgres
./initdb --encoding=UTF8 --locale=en_CA.UTF8 -D /virtual/pgsql/data
cp contrib/start-scripts/linux /etc/rc.d/init.d/postgresql
chmod a+x /etc/rc.d/init.d/postgresql
nano postgresql (path, user)
update-rc.d postgresql defaults
nano /etc/passwd (set the postgres user's shell to /bin/false and its home to /virtual/pgsql)
psql -d template1 -U postgres
alter user postgres with password 'xxxxx';
nano ../data/pg_hba.conf (set md5 in place of trust)

PHPPGADMIN

http://downloads.sourceforge.net/phppgadmin/phpPgAdmin-4.2.1.tar.gz?download

nano conf/config.inc.php
$conf['servers'][0]['pg_dump_path'] = '/var/pgsql/bin/pg_dump';
$conf['servers'][0]['pg_dumpall_path'] = '/var/pgsql/bin/pg_dumpall';
$conf['owned_only'] = true;
extra login security off ($conf['extra_login_security'] = false); this lets the web UI log in as postgres and other privileged accounts, so leave it enabled unless that is actually required


APACHE2

./configure --prefix=/var/apache --enable-auth-digest --enable-file-cache --enable-charset-lite --enable-cache --enable-disk-cache --enable-mem-cache --enable-deflate --enable-mime-magic --enable-cern-meta --enable-expires --enable-headers --enable-usertrack --enable-unique-id --enable-http --enable-info --enable-vhost-alias --enable-rewrite --enable-so --enable-ssl

make
make install
nano /var/apache/conf/httpd.conf


PHP
apt-get install autoconf libmagic-dev libtidy-dev libxml2-dev libbz2-dev libcurl3-dev libjpeg62-dev libpng12-dev libfreetype6-dev libc-client-dev libmcrypt-dev libmhash-dev libmysqlclient-dev libpspell-dev libgmp3-dev

./configure --with-apxs2=/var/apache/bin/apxs --prefix=/var/php --with-config-file-path=/var/php --enable-bcmath --enable-calendar --enable-exif --enable-ftp --enable-gd-native-ttf --enable-mbstring=all --enable-sockets --enable-sysvsem --enable-sysvshm --enable-mbregex --with-tidy --with-openssl --with-zlib-dir --with-zlib --with-bz2 --with-jpeg-dir --with-curl --with-gd --with-png-dir --with-ttf --with-mime-magic --with-gettext --with-gmp --with-imap --with-kerberos --with-imap-ssl --with-mcrypt --with-mhash --with-mysql --with-pspell --with-regex=php --with-xmlrpc --with-iconv --enable-gd-jis-conv --with-pdo-mysql --with-pgsql=/var/pgsql --with-pdo-pgsql=/var/pgsql

make
apachectl stop
make install
ln -s /var/php/bin/php /usr/bin/php

nano httpd.conf
under tar.gz
AddType application/x-httpd-php .php

cp php.ini-recommended php.ini
nano php.ini
expose_php off
allow_url_fopen = Off
commented extra/mpm (mpm_worker)

error_reporting = E_ALL | E_STRICT
display_errors = On ; set to Off when the site goes public
log_errors = On
ignore_repeated_errors = On
error_log = /var/log/php5.log

/etc/logrotate.d/
nano php5
/var/log/php5.log {
weekly
missingok
rotate 4
compress
delaycompress
notifempty
create 640 root root
}
run phpsecinfo


ZEND OPTIMIZER

http://www.zend.com/en/products/guard/downloads
./install


MAINTENANCE

once in a while
touch /forcefsck
