CentOS6 VPS Installing Required Packages

CentOS6 VPS Installing Required Packages for basic and advanced configuration. Such packages and will be needed through the rest of the configuration steps. Initially, you will install and configure MTA eMail services in order to receive emails and alerts notification while you are configuring your system. The required packages will include Development Tools and packages to prepare the VM or VPS for advanced HowTo configuration Articles.

Besides, I will install updates, upgrades, NTP time server, Utilities, and Development Tools, which will prepare the VM/VPS for Linux Security Measures and Hardening Tools. As you probably noticed, the VM or the VPS must go through few layers of staging before start loading and running specific services such Web Hosting Solution services.

Objectives:

1. Installing Required Packages

2. Installing MTA eMail Services

3. Disabling Firewalld and SELinux

4. Setting Basic Configuration

5. Setting Daily System Update Notifier

Prerequisites:

A. Basic Debian or Ubuntu System Knowledge

B. Login to your DigitalOcean or Vultr Account

C. Follow the Courses and Sections by Order

Recommendations:

For better performance, use VPS with at least 2 CPUs, 4G Memory, 1G Bandwidth, and SSD Storage drive.

Installing Required Packages

Run the following steps (1 to 13)

1. Import Gnu Privacy Guard keys

rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY*

2. Enable Additional Repositories

First, I will make sure wget and nano editor are installed:

yum install wget nano -y

Note: Repos update their release, for instance, EPEL repo keeps updating the epel-release, meaning, as of this writing, the EPEL is epel-release-6-8.noarch.rpm, so if you face error “404 not found” while downloading the rpm, increase the version number from 6-8 to 6-9 and try again.

If you still can’t spot the right version, go to the Repo link itself at this link http://dl.fedoraproject.org/pub/epel/6/x86_64/ and search for epel-release-6, write it down and update your wget command below accordingly.

TIP: Copy the all lines in each Repo as one command and make sure all copied lines got executed. You may need to Press Enter to make sure the last line get executed. Besides, I noticed sometimes that importing (the first line) takes longer than expected, skip the first line if it takes so long.

a. Enable EPEL Repo

rpm --import https://fedoraproject.org/static/0608B895.txt
wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm -ivh epel-release-6-8.noarch.rpm

b. Enable the RPMforge

rpm --import http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt
wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm
rpm -ivh rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm

c. Enable Remi RPM Repo

rpm --import http://rpms.famillecollet.com/RPM-GPG-KEY-remi
wget http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
rpm -ivh remi-release-6.rpm

d. Enable Psychotic Ninja RPM Repo

wget http://packages.psychotic.ninja/7/base/x86_64/RPMS/psychotic-release-1.0.0-1.el7.psychotic.noarch.rpm 
rpm -Uvh psychotic-release*rpm

3. Set EPEL Repo priority at 10

nano /etc/yum.repos.d/epel.repo

Make sure priority is there and set at 10, enabled=1 as shown below:

[epel]
name=Extra Packages for Enterprise Linux 6 - $basearch
#baseurl=http://download.fedoraproject.org/pub/epel/6/$basearch
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-6&arch=$basearch
failovermethod=priority
enabled=1
priority=10
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
[...]

Save: Ctrl-X, Hit Y Key, and Enter.

4. Set Remi Repo at priority 10

nano /etc/yum.repos.d/remi.repo

Make sure priority is there and set at 10, enabled=1 as shown below:

[remi]
name=Les RPM de remi pour Enterprise Linux $releasever - $basearch
#baseurl=http://rpms.famillecollet.com/enterprise/$releasever/remi/$basearch/
mirrorlist=http://rpms.famillecollet.com/enterprise/$releasever/remi/mirror
enabled=1
priority=10
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi
failovermethod=priority
[...]

Save: Ctrl-X, Hit Y Key, and Enter.

5. Set Psychotic Ninja Repo at priority 10

nano /etc/yum.repos.d/psychotic.repo

Make sure priority is there and set at 10, enabled=1 as shown below:

[psychotic]
name=Psychotic Ninja Enterprise Linux Repository
baseurl=http://packages.psychotic.ninja/$releasever/base/$basearch/RPMS/
enabled=1
priority=10
protect=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-psychotic
gpgcheck=1
[...]

Save: Ctrl-X, Hit Y Key, and Enter.

List the New Repos

You will notice that some are disabled which is fine, but make sure that the following Repos are enabled as shown below:

yum repolist all | grep -i enabled

You should have around 8 Repos enabled.

[...]
base                      CentOS-6 - Base                   enabled:   6,443+132
epel                      Extra Packages for Enterprise Lin enabled:      12,004
extras                    CentOS-6 - Extras                 enabled:       21+29
psychotic                 Psychotic Ninja Enterprise Linux  enabled:          85
remi                      Remi's RPM repository for Enterpr enabled:       3,173
remi-safe                 Safe Remi's RPM repository for En enabled:       0+563
rpmforge                  RHEL 6 - RPMforge.net - dag       enabled: 3,191+1,527
updates                   CentOS-6 - Updates                enabled:    1,166+52

6. Install Tools and Utilities

Note: the following Required Packages such Dependencies, Utilities, and Development Tools are required across all the Web Hosting Solution.

TIP: Copy the whole line as one command and past it inside Putty window. Just hit right click inside Putty window after you copied the whole line below, and it should get pasted right way, then hit enter to execute.

yum install autoconf bison flex git libtool lzop pax unzip zip yum-plugin-priorities perl bzip2 binutils bind-utils gcc make patch libgomp glibc-headers glibc-devel kernel-headers

7. Install Development Tools

yum groupinstall 'Development Tools'

8. Install Performance Tools

yum groupinstall "Performance Tools"

9. Install Network Configuration Tools

Note: If yum can’t find the system-config tools, you can skip them.

yum install system-config-network-tui system-config-firewall net-tools

10. Install Dynamic Kernel Module Support

yum install dkms -y

11. Check for kernel Updates

yum install kernel* -y

12. Check if System Reboot Required

a. Create system-status.sh file

nano /root/system-status.sh

Open the following file, copy its content to system-status.sh window.

Save: Ctrl-X, Hit Y Key, and Enter.

b. Set Execute Permission

chmod +rwx /root/system-status.sh

c. Run system-status.sh file

/root/system-status.sh

If system reboot required, you will see the following message:

***System Reboot Required***

Reboot and come back to check for updates.

reboot

13. Check for Update

yum update -y

Check System Status Again if Reboot Required

/root/system-status.sh

Installing MTA eMail Services

Run the following steps (1 to 6)

I need MTA (SMTP) service such Postfix for email notification, however, Red Hat Base systems might have Sendmail package installed, meaning, I have to disable Sendmail before installing Postfix. It’s your choice, but I highly recommend using Postfix since it’s going to be used as standard Mail Server if you decide to build Web Hosting Solution.

1. Stop Sendmail Service

service sendmail stop

If you read the following output: That means the service is not installed, go to the next step. However, if the service stopped, then execute the next command to turn sendmail off.

“sendmail: unrecognized service”

2. Disable Sendmail Startup

chkconfig sendmail off

3. Install Postfix or Double check if it’s Installed

Note: If postfix already installed, then make sure it’s started and enabled on the startup.

yum install postfix

4. Start and Enable Postfix at Startup

service postfix start

chkconfig postfix on

5. Forward Root Emails

nano /etc/aliases

Add your email to the end of aliases file. Notice the last line.

#
#  Aliases in this file will NOT be expanded in the header from
#  Mail, but WILL be visible over networks or from /bin/mail.
#
#       >>>>>>>>>>      The program "newaliases" must be run after
#       >> NOTE >>      this file is updated for any changes to
#       >>>>>>>>>>      show through to sendmail.
#

# Basic system aliases -- these MUST be present.
mailer-daemon:  postmaster
postmaster:     root
[...]
# Person who should get root's mail
root:           [email protected]

Save: Ctrl-X, Hit Y Key, and Enter.

Refresh Aliases for changes to take effect

newaliases

6. Finally, restart Postfix

service postfix restart

Shutting down postfix:                               [  OK  ]
Starting postfix:                                    [  OK  ]

Disabling Firewall and SELinux

SELinux is a Mandatory Access Control (MAC), and due to its complex security implementation into the kernel, I found out that it conflicts with most Web Hosting Services and Web Hosting Control Panels. For more information https://wiki.centos.org/HowTos/SELinux

Note: Later on using course4, I’ll show you how to use a crafted IPtables Script as Stateful Firewall and other Security hardening tools.

Run the following steps (1 to 5)

1. Disable System Firewall

system-config-firewall

Note: Remove the Star to disable the Firewall.

2. Check Firewall IP v4 and v6 Rules

iptables -L

Make sure are empty, should look as follows:

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

And IPv6 Firewall

ip6tables -L

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

3. Enable IPtables at Startup

chkconfig iptables on

chkconfig ip6tables on

4. Edit SELinux Config File

nano /etc/selinux/config

Disable it as shown below:

Note: You might see it disabled already, however, verify. Besides, you might see blank file, that means is not installed; in either case hit Ctrl-x to exit and continue.

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled 
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted

Save: Ctrl-X, Hit Y Key, and Enter.

Note: no need to reboot if SELinux already disabled.

5. Check if System Reboot Required

/root/system-status.sh

If SELinux, was enabled and you disabled it, then you must reboot for changes to take effect.

Setting Basic Configuration

Run the following steps (1 to 8)

1. Display Nano Editor Cursor in the Status Bar

nano /etc/nanorc

Scroll down little bit using the arrow key, and comment out # set const in order to show Cursor Movements Line Number.

From:

# set const

To:

set const

Or You might find using Fedora as:

set constantshow

Save: Ctrl-X, Hit Y Key, and Enter.

2. Install Network Time Protocol

yum install ntp

Configure ntp on Startup

chkconfig ntpd on

Start NTP Service

service ntpd start

Starting ntpd:                                  [  OK  ]

3. Set Time Zone

There are 2 choices to change the Time Zone, either using a Menu Driven way, or Manually Change/Set the Time Zone.

Time Zone Menu Driven

tzselect

Finally, you will be prompted to confirm your time:

Therefore TZ='America/New_York' will be used.
Local time is now: Thu Jun 2 16:08:05 EDT 2016.
Universal Time is now: Thu Jun 2 20:08:05 UTC 2016.
Is the above information OK?
1) Yes
2) No

Then Check the Date

date

The date command output should show you Local time

Thu Jun 2 16:12:51 EDT 2016

Note: If the date command showing you Universal Time instead of Local Time, then set your time manually using the below steps.

Set your VPS time Manually

a. Pick your time zone from

https://en.wikipedia.org/wiki/List_of_tz_database_time_zones

b. Backup the current time zone

cp /etc/localtime /root/old.timezone

c. Remove the current time and confirm

rm /etc/localtime

rm: remove regular file `/etc/localtime’? yes

d. Set the New time zone based on the upper wikipedia link

ln -s /usr/share/zoneinfo/America/New_York /etc/localtime

e. Check your time

date

You should see the Local time.

4. (Optional) For more local time accuracy, edit /etc/ntp.conf

nano /etc/ntp.conf

Scroll down to pool.ntp.org section

For Example, USA users, change ntp servers

From:

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst

To:

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 0.us.pool.ntp.org iburst
server 1.us.pool.ntp.org iburst
server 2.us.pool.ntp.org iburst
server 3.us.pool.ntp.org iburst

Save: Ctrl-X, Hit Y Key, and Enter.

I have changed the upper pool NTP servers based on this link http://www.pool.ntp.org/zone/us just pick based on your country or area.

Restart NTP service

service ntpd restart

Shutting down ntpd:                             [  OK  ]
Starting ntpd:                                  [  OK  ]

Force Time Zone Update Using Specific NTP Server

Copy and paste all 4 lines one shot.

service ntpd stop
ntpdate -s us.pool.ntp.org
service ntpd start
date

5. Add Warning Messages and MOTD

Very important to set Warning Messages at Web Console, SSH prompt, and Message of the Day. If an intruder penetrated your server and you are trying to get the authority involved because of data lose, first thing they would ask you “Have you set a Warning Messages and MOTD at Login Prompt?”, if not, your case will be dropped.

a. Add Web Console Message

nano /etc/issue

Copy and paste the following warning message at the end of issue file

******************************************************************
*                                                                *
*                           - WARNING -                          *
*                                                                *
*               THIS SYSTEM IS PRIVATE PROPERTY FOR              *
*                THE USE OF AUTHORIZED USERS ONLY                *
*                                                                *
******************************************************************

Save: Ctrl-X, Hit Y Key, and Enter.

b. Edit MOTD file

nano /etc/motd

Copy and paste the following MOTD at the end. Before you save, edit the current MOTD message to suite your company needs. I believe, all you need to change is the company name.

******************************************************************
***                                                            ***
***                   W A R N I N G ! ! !                      ***
***                                                            ***
***  THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF YOUR       ***
***  COMPANY NAME INC. ADMIN STAFF AUTHORIZED USERS ONLY!      ***
***  ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED   ***
***  TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO    ***
***  SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO         ***
***  IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR  ***
***  OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR  ***
***  SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. ***
***  UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL    ***
***  CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO  ***
***  LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL     ***
***  EXTENT OF THE LAW.                                        ***
***                                                            ***
***  UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,  ***
***  CIVIL AND CRIMINAL LAWS.                                  ***
***                                                            ***
******************************************************************

Save: Ctrl-X, Hit Y Key, and Enter.

c. Force sshd to display Pre-Login Message

nano /etc/ssh/sshd-banner

Copy and paste the following Warning Message inside sshd-banner

******************************************************************
*                                                                *
*                           - WARNING -                          *
*                                                                *
*               THIS SYSTEM IS PRIVATE PROPERTY FOR              *
*                THE USE OF AUTHORIZED USERS ONLY                *
*                                                                *
******************************************************************

Save: Ctrl-X, Hit Y Key, and Enter.

d. Edit sshd_config Configuration file

nano /etc/ssh/sshd_config

Enable Banner Message

Hit Ctrl-w and search for word banner, set as shown below. If you can’t find it, add it to the end of the file.

Banner /etc/ssh/sshd-banner

Save: Ctrl-X, Hit Y Key, and Enter.

e. Restart sshd Service

service sshd restart

6. Change Root Prompt Color

nano /root/.bashrc

Open the following file, add either Red or yellow code to the end of .bashre file

Note: for security reason, wordpress doesn’t show codes carry back slashes, therefore, I had them in a text file.

Save: Ctrl-X, Hit Y Key, and Enter.

Logout from root or Exit your Putty session; relogin to test it.

[root@node1 ~]#

For more styling and colors, check this link https://wiki.archlinux.org/index.php/Color_Bash_Prompt

Enable Green Color Prompt for other Users

Open the file again and add the Green color at the end of any user’s .bashrc file. For example, I am going to enable green color for my user imad.

TIP: if you haven’t created extra users yet, you can use adduser command to create extra user and passwd to set a password for that user. In case you don’t want to create extra users, you can skip this step.

nano /home/imad/.bashrc

Save: Ctrl-X, Hit Y Key, and Enter.

Login as regular user:

[root@node1 ~]# su -l imad
imad@node1:~$ exit
logout
[root@node1 ~]#

Setting Daily System Update Notifier

I would like to have the system email me everyday if updates available. There are 2 ways I know of to notify me about if System updates are available on CentOS 6.7. Either install yum-cron or simply configure yum check-update result to be emailed daily as notifier.

yum-cron is toward putting the system update on auto pilot with no System Admin intervention, however, I would like to always have the chance to backup or look at the list of updates before updating, therefore, I won’t use the auto update feature of yum-cron, but of course, I will use it to email me with a list of needed updates.

Run the following steps (1 to 4)

1. Install Yum Cron 

yum install yum-cron

2. Configure Yum Cron

nano /etc/sysconfig/yum-cron

Mine looks as follows. I am showing only the modified fields.

# Don't install, just check (valid: yes|no)
CHECK_ONLY=yes

# Check to see if you can reach the repos before updating (valid: yes|no)
CHECK_FIRST=yes

# by default MAILTO is unset, so crond mails the output by itself
# example:  MAILTO=root
MAILTO=[email protected]

Save: Ctrl-X, Hit Y Key, and Enter.

3. Put yum-cron on Startup

chkconfig yum-cron on

4. Start yum-cron Service

service yum-cron start

That’s it! You should be able to receive daily System updates after the Email Server is configured.

Yum Update Email Notifications

If you would like to receive update Notification, it can be configured with yum check-update output as daily email.

Simple Yum Check Update Email Notification

nano /etc/cron.daily/yum-check-updates.cron

Add the following Daily Yum Update Check inside yum-check-updates.cron file

#!/bin/sh
/usr/bin/yum check-update 2>&1 | /bin/mail -s "yum check-update output" root

Change the File Permission

chmod +rwx /etc/cron.daily/yum-check-updates.cron

List cron.daily Directory, all files should be Green Color

ls -lah /etc/cron.daily/

[...]
-rwxr-xr-x 1 root root 4.9K Jul 24 06:27 0yum.cron
-rwx------. 1 root root 180 Jul 9 2003 logrotate
-rwxr-xr-x 1 root root 87 Sep 27 23:29 yum-check-updates.cron

root at the end, indicates that the result will be sent to root, and since you configured aliases above, root emails will be sent to the email you specified. Keep in mind that you won’t receive any updates right now since the email server has not been configured yet.

Let’s Check Yum Updates Again

yum update -y

Check if System Reboot Required

/root/system-status.sh

Subject Related

By Godaddy Initial CentOS Setup | HowToForge CentOS Initial Setup