
AltaOS configuration script

Submitted by Nurlan Bayaman on Tue, 06/23/2020 - 11:22

Configure environment and installed packages


0) Defining some variable values to use later in the installation script

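# Pick the SSH port from the platform: guests whose input devices carry a
# "QEMU" vendor string get 19759, everything else 19753. PORT is read again
# in step 15 when the firewall's allowed TCP ports are written, and in 16.
if grep -q "QEMU" /proc/bus/input/devices; then
    PORT=19759
else
    PORT=19753
fi
export PORT
# Primary IPv4 address: the value following "src" on the route to 8.8.8.8.
# The original took the last field, but newer iproute2 appends "uid N" to
# the line when run as root, which would have set IP to "0".
IP="$( ip route get 8.8.8.8 | awk 'NR==1 { for (i = 1; i <= NF; i++) if ($i == "src") { print $(i + 1); exit } }' )"
# All non-loopback IPv6 addresses, one per line. This can be empty or hold
# several lines; step 17 embeds it in a sed expression and must allow for that.
IP6="$( ip -6 addr | grep inet6 | awk -F '[ \t]+|/' '{print $3}' | grep -v '^::1' )"
# Interface carrying $IP: the last field of the matching "inet" line.
# Matched as a quoted fixed string so the dots are not regex wildcards; an
# empty IP would otherwise match every line, so it is guarded explicitly.
if [ -n "$IP" ]; then
    IFACE=$(ip addr | grep -F -- "$IP" | awk '{print $NF}')
else
    IFACE=""
fi
OWNER=""
TIMESTAMP=$(date +%s)
# bash's SECONDS counter; reset here so step 17 can report the elapsed time.
SECONDS=0
# There is no DB at this point yet, so commenting out
# MYSQL_VER=`mysql --version|awk '{ print $5 }'|awk -F\-MariaDB, '{ print $1 }'`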

1) Configure:
PHP
Memcached

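echo "Configuring PHP"
# "sed -i -e" rather than "-ie": with GNU sed, "-ie" is -i plus the backup
# suffix "e", which leaves a stray /etc/php.inie copy after every edit
# instead of enabling -e.
sed -i -e 's/upload_max_filesize = 2M/upload_max_filesize = 20M/' /etc/php.ini
sed -i -e 's/post_max_size = 8M/post_max_size = 16M/' /etc/php.ini
sed -i -e 's/max_execution_time = 30/max_execution_time = 600/' /etc/php.ini
sed -i -e 's/max_input_time = 60/max_input_time = 600/' /etc/php.ini
sed -i -e 's/memory_limit = 128M/memory_limit = 1280M/' /etc/php.ini
dnf -y install scl-utils

echo "Configuring memcached..."
# Append the settings only once so a re-run does not stack duplicate keys.
# "-l 127.0.0.1" keeps memcached bound to loopback only.
if ! grep -q '^OPTIONS="-l 127.0.0.1"' /etc/sysconfig/memcached; then
cat <<'EOT' >> /etc/sysconfig/memcached
PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="1024"
OPTIONS="-l 127.0.0.1"
EOT
fi
systemctl enable memcached
systemctl start  memcached

echo ".. done"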

2) Setting up auth ssh and configuring the system

61

3) Creating global aliases for user SSH sessions

56

4) Configuring hourly and daily AltaGrade cron-tasks

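# Hourly task: runs the Drupal updater and, when /etc/ag/updates/update.sh
# differs from the copy that last ran, executes it once as root and rotates it
# to update.sh.old. Note the outer test: nothing runs until update.sh.old
# exists. Whoever can write update.sh gets root within the hour, so that path
# must stay root-owned and not writable by anyone else. The here-doc is
# quoted, so nothing is expanded at install time.
cat > /etc/cron.hourly/altagrade << 'EOF'
#!/bin/bash
sh /etc/ag/scripts/update-drupal 1 > /dev/null
if [ -e /etc/ag/updates/update.sh.old ]; then
  if ! cmp --silent /etc/ag/updates/update.sh /etc/ag/updates/update.sh.old
    then
      chmod 755 /etc/ag/updates/update.sh
      sh /etc/ag/updates/update.sh
      mv /etc/ag/updates/update.sh /etc/ag/updates/update.sh.old
  fi
fi
exit
EOF
chmod 755 /etc/cron.hourly/altagrade

# Daily task: re-brands the Webmin config and theme. "sed -i -e" replaces the
# original "-ie": with GNU sed "-ie" means in-place with backup suffix "e",
# which would have left /etc/webmin/confige and settings.jse behind daily.
cat > /etc/cron.daily/altagrade << 'EOF'
#!/bin/bash
sed -i -e 's/CentOS/AltaOS/' /etc/webmin/config >/dev/null 2>&1
sh /etc/ag/cp/new-lang.sh >/dev/null 2>&1
sed -i -e 's/slider_enabled=true/slider_enabled=false/' /etc/webmin/authentic-theme/settings.js >/dev/null 2>&1
exit
EOF
chmod 755 /etc/cron.daily/altagrade
# Run the daily task once now so the re-branding applies immediately.
/etc/cron.daily/altagrade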

5) Configuring Webmin and Virtualmin

55

6) Installing style.css file for Virtualmin

29

7) Configuring Apache

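echo "=================================================================================="
echo "Configuring Apache"
# "sed -i -e" throughout: the original "-ie" is GNU sed's -i with backup
# suffix "e" and leaves httpd.confe / *.confe copies next to each file.
# NOTE(review): "All -SSLv2 -SSLv3" still permits TLS 1.0 and 1.1; tighten to
# "-TLSv1 -TLSv1.1" once no client depends on them.
sed -i -e '/SSLProtocol/c\SSLProtocol All -SSLv2 -SSLv3' /etc/httpd/conf/httpd.conf
sed -i -e '/SSLCipherSuite/c\SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"' /etc/httpd/conf/httpd.conf
# Insert the honor-order directive only if absent, so a re-run does not stack
# a duplicate before every SSLCipherSuite line.
grep -q '^SSLHonorCipherOrder' /etc/httpd/conf/httpd.conf \
  || sed -i -e '/SSLCipherSuite/i\SSLHonorCipherOrder on' /etc/httpd/conf/httpd.conf

# per https://support.plesk.com/hc/en-us/articles/213399589-Websites-are-slow-and-a-warning-appears-in-logs-mod-fcgid-ap-pass-brigade-failed
# Appended once each; repeated runs would otherwise duplicate the directives.
grep -q '^FcgidMaxRequestsPerProcess' /etc/httpd/conf.d/fcgid.conf \
  || echo 'FcgidMaxRequestsPerProcess 500' >> /etc/httpd/conf.d/fcgid.conf
grep -q '^FcgidOutputBufferSize' /etc/httpd/conf.d/fcgid.conf \
  || echo 'FcgidOutputBufferSize 0' >> /etc/httpd/conf.d/fcgid.conf
# Disable mod_dav and the packaged PHP module (PHP is served via fcgid/proxy_fcgi).
sed -i -e 's|LoadModule|#LoadModule|' /etc/httpd/conf.modules.d/00-dav.conf
sed -i -e 's|LoadModule|#LoadModule|' /etc/httpd/conf.modules.d/10-php.conf

# Maybe we can turn the below ones off.
# Comment out every proxy module, then re-enable only proxy and proxy_fcgi;
# lbmethod_heartbeat stays off.
sed -i -e 's/LoadModule proxy/#LoadModule proxy/' /etc/httpd/conf.modules.d/00-proxy.conf
sed -i -e 's@#LoadModule proxy_module@LoadModule proxy_module@g' /etc/httpd/conf.modules.d/00-proxy.conf
sed -i -e 's@#LoadModule proxy_fcgi_module@LoadModule proxy_fcgi_module@g' /etc/httpd/conf.modules.d/00-proxy.conf
sed -i -e 's@LoadModule lbmethod_heartbeat@#LoadModule lbmethod_heartbeat@g' /etc/httpd/conf.modules.d/00-proxy.conf

echo ".. done"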

8) Configuring MariaDB settings

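echo "=================================================================================="
echo "Configuring MariaDB settings .."
dnf install expect -y

# Setting the database root password.
# Drawn from the kernel CSPRNG instead of the current timestamp: a password
# derived from `date +%s` is guessable by anyone who can narrow down the
# installation time. Restricted to [A-Za-z0-9] so it is safe to embed in the
# config and expect text below. LC_ALL=C keeps tr working on raw bytes.
MYSQL_ROOT_PASSWORD=$(LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 16)
# The current root password is empty on a fresh install; define it anyway so
# the expect script can read it from the environment without erroring.
CURRENT_MYSQL_PASSWORD="${CURRENT_MYSQL_PASSWORD:-}"
export MYSQL_ROOT_PASSWORD CURRENT_MYSQL_PASSWORD

# The expect script is written to a private temp file (mktemp creates it
# 0600) and takes both passwords from the environment, so neither appears on
# the expect command line where `ps` could show it to other local users.
EXPECT_SCRIPT=$(mktemp) || { echo "mktemp failed" >&2; exit 1; }
cat > "$EXPECT_SCRIPT" <<'EOT'
set timeout 3
spawn mysql_secure_installation

expect "Enter current password for root (enter for none):"
send "$env(CURRENT_MYSQL_PASSWORD)\r"

expect "Set root password?"
send "y\r"

expect "New password:"
send "$env(MYSQL_ROOT_PASSWORD)\r"

expect "Re-enter new password:"
send "$env(MYSQL_ROOT_PASSWORD)\r"

expect "Remove anonymous users?"
send "y\r"

expect "Disallow root login remotely?"
send "y\r"

expect "Remove test database and access to it?"
send "y\r"

expect "Reload privilege tables now?"
send "y\r"
expect eof
EOT
SECURE_MYSQL=$(expect -f "$EXPECT_SCRIPT")
rm -f -- "$EXPECT_SCRIPT"
# Stop exporting the secrets; later child processes do not need them.
export -n MYSQL_ROOT_PASSWORD CURRENT_MYSQL_PASSWORD

# Transcript of the interaction as captured by expect.
echo "$SECURE_MYSQL"

# Webmin keeps the DB root password in plain text in this file; the value is
# written with the echo builtin (not passed to sed) so it never shows up in a
# process argument list. An existing pass= line is dropped first so the file
# ends up with exactly one.
if grep -q pass= /etc/webmin/mysql/config; then
  sed -i '/pass=/d' /etc/webmin/mysql/config
fi
echo "pass=$MYSQL_ROOT_PASSWORD" >> /etc/webmin/mysql/config


# Replace /etc/my.cnf with the AltaOS one, keyed on the utf8mb4 marker so a
# re-run leaves an already converted file alone. The here-doc is quoted and
# written verbatim.
if ! grep -Fq "default-character-set = utf8mb4" /etc/my.cnf
then
  rm -f  /etc/my.cnf
cat > /etc/my.cnf << 'EOF'
[client]
default-character-set = utf8mb4

[mysql]
default-character-set = utf8mb4

[mysqld]
character-set-client-handshake = FALSE
character-set-server = utf8mb4
collation-server = utf8mb4_unicode_ci

#skip-networking
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
symbolic-links=0
slow_query_log = 1
slow_query_log_file = /var/log/mariadb/slow.log

query_cache_size = 128M
query_cache_limit = 16M

thread_cache_size = 8
myisam_sort_buffer_size = 64M
read_rnd_buffer_size = 8M
read_buffer_size = 2M
sort_buffer_size = 2M
table_cache = 512
max_allowed_packet=1024M
key_buffer = 384M
wait_timeout=600
max_connections = 600
tmp_table_size = 256M
max_heap_table_size = 256M

innodb_large_prefix=true
innodb_file_format=barracuda
innodb_file_per_table = true

innodb_additional_mem_pool_size = 16M
innodb_flush_log_at_trx_commit = 0
innodb_log_buffer_size  = 8M
innodb_buffer_pool_size = 1G
innodb_thread_concurrency =     16
innodb_lock_wait_timeout =     120
innodb_data_file_path   = ibdata1:10M:autoextend
innodb_file_io_threads  = 4
innodb_max_dirty_pages_pct =    90

[mysqld_safe]
log-error=/var/log/mariadb/mariadb.log
pid-file=/var/run/mariadb/mariadb.pid

!includedir /etc/my.cnf.d
EOF
  # expect is only needed for mysql_secure_installation above.
  dnf remove expect -y
  echo ".. done"

fi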

9) Installing drush and wp-cli

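# Installing drush
# The phar is fetched from GitHub and executed as root with no checksum or
# signature verification; pin a hash here if one is published. The install
# steps run only when the download actually succeeded.
if wget https://github.com/drush-ops/drush/releases/download/8.1.16/drush.phar; then
  php drush.phar core-status
  chmod +x drush.phar
  mv drush.phar /usr/local/bin/drush
  drush -y init
else
  echo "drush download failed, skipping drush setup" >&2
fi

# Fixing https://github.com/drush-ops/drush/issues/2065
# NOTE: "c\" rewrites the whole disable_functions line, so any function that
# was disabled before in these php.ini files is re-enabled; only pcntl_exec
# stays disabled afterwards.
sed -i '/disable_functions/c\disable_functions = pcntl_exec' /etc/php.ini
sed -i '/disable_functions/c\disable_functions = pcntl_exec' /etc/opt/remi/php70/php.ini

# Installing wp-cli
# "-f" makes curl fail on an HTTP error instead of saving an error page as
# wp-cli.phar; as with drush, there is no integrity check on the download.
if curl -fO https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar; then
  chmod +x wp-cli.phar
  mv wp-cli.phar /usr/local/bin/wp
else
  echo "wp-cli download failed, skipping wp-cli setup" >&2
fi
#if [ ! -d /etc/ag ]; then
#  mkdir /etc/ag
#fi
#mkdir /etc/ag/wp
#cd /etc/ag/wp
#wget https://raw.githubusercontent.com/wp-cli/wp-cli/v1.5.1/utils/wp-completion.bash
#chmod 755 wp-completion.bash
#echo "source /etc/ag/wp/wp-completion.bash" >> /etc/profile.d/globaliases.sh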

10) Configuring Let's Encrypt per https://certbot.eff.org/lets-encrypt/centosrhel8-apache
Only documented steps, the rest is commented out

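#Restart Apache see known CentOS 8 bug: https://community.letsencrypt.org/t/localhost-crt-does-not-exist-or-is-empty/103979
systemctl restart httpd

#Install certificates (non-interactive). The hostname is quoted so an empty
# or unusual value cannot be split into extra arguments.
certbot --apache -m info@altagrade.com --agree-tos -n -d "$HOSTNAME"

# Install script to auto-replace the ssl_le.pem files for domains

#cat > /etc/letsencrypt/renewal-hooks/deploy/replace_pems.sh << 'EOF'
#!/bin/sh

# Re-create the ssl_le.pem files for Pound 
#for domain in $RENEWED_DOMAINS; do
#  cat $RENEWED_LINEAGE/privkey.pem $RENEWED_LINEAGE/fullchain.pem > $RENEWED_LINEAGE/ssl_le.pem
#done

#exit
#EOF
#chmod 755 /etc/letsencrypt/renewal-hooks/deploy/replace_pems.sh

# Set up automatic renewal: twice a day, after a random delay of up to an hour.
# Added only when absent so re-runs do not stack duplicate jobs. "python3":
# CentOS/RHEL 8 ships no unversioned "python" command by default, so the
# previous "python -c" would fail every time and renewals would silently never
# run. The script already runs as root, so "sudo tee" is a plain redirection.
if ! grep -q 'certbot renew' /etc/crontab; then
  echo "0 0,12 * * * root python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q" >> /etc/crontab
fi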

11) Installing and configuring Pound

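# Apache's own HTTPS listener is switched off: Pound terminates TLS in front
# of it. (This matches every line containing "Listen" in ssl.conf, comments
# included, and rewrites each to "#Listen".)
sed -i '/Listen/c\#Listen' /etc/httpd/conf.d/ssl.conf
#Setup
# Keep the packaged config as .orig only once, so a re-run does not overwrite
# the real original with a previously generated file.
[ -e /etc/pound.cfg.orig ] || mv /etc/pound.cfg /etc/pound.cfg.orig
# ${IP} is expanded into the config below; warn when it is empty, because
# "Address" lines without a value leave Pound with an unusable config.
[ -n "$IP" ] || echo "warning: IP is empty, /etc/pound.cfg will contain blank Address lines" >&2
# Plain HTTP listener: ACME challenges and everything else go to the backend
# on port 8888 (the unquoted here-doc expands ${IP}).
cat > /etc/pound.cfg << EOF
ListenHTTP
  Address ${IP}
  Port 80
  Service
    URL "/.well-known/acme-challenge/.*"
    BackEnd
      Address ${IP}
      Port 8888
    End
  End
End

Service
    BackEnd
	Address ${IP}
        Port    8888
    End
End

EOF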

12) Configuring automatic core updates for Drupal websites

57

13) Installing and configuring Varnish

58

14) Maldet, BFD

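if [ ! -d /usr/local/bfd ]; then
  echo "=================================================================================="
  echo "Installing and configuring Brute Force Detection .."
  # Guarded cd's: without them a failed directory change would run tar, rm and
  # ./install.sh in whatever the current directory happens to be.
  cd /usr/src || exit 1
  # NOTE(review): fetched over plain http and installed as root with no
  # integrity check; use https and pin a checksum if the vendor publishes one.
  wget http://www.rfxn.com/downloads/bfd-current.tar.gz
  tar xzf bfd-current.tar.gz
  rm -f bfd-current.tar.gz*
  cd bfd-1.5* || exit 1
  ./install.sh
  # "sed -i -e" rather than "-ie": with GNU sed "-ie" is -i plus the backup
  # suffix "e", which leaves a stray conf.bfde copy behind.
  sed -i -e 's/TRIG="15"/TRIG="5"/' /usr/local/bfd/conf.bfd
  sed -i -e 's/EMAIL_ALERTS="0"/EMAIL_ALERTS="1"/' /usr/local/bfd/conf.bfd
  sed -i -e 's/EMAIL_ADDRESS="root"/EMAIL_ADDRESS="security"/' /usr/local/bfd/conf.bfd
  rm -f /usr/local/bfd/alert.bfd
  # Alert template, written verbatim (quoted here-doc): the $VARS and the
  # inner "cat <<EOF" are for BFD to evaluate when it sends an alert.
  cat > /usr/local/bfd/alert.bfd <<'ALERT_TEMPLATE'
EB=0
if [ "$EMAIL_LOGLINES" == "" ]; then
        EMAIL_LOGLINES=50
fi
EV=`nice -n 19 tail -n 5000 $LP | grep $ATTACK_HOST | tail -n $EMAIL_LOGLINES`
cat <<EOF

$ATTACK_HOST has been blocked and blacklisted by AltaGrade for exceeded login failures on $HOSTNAME.
If the IP address belongs to your team, then please clear it from the firewall's block-list and add it allowed hosts.
Alternatively file a support request on https://my.altagrade.com and we will gladly do it for you.

SOURCE ADDRESS: $ATTACK_HOST
TARGET SERVICE: $MOD
FAILED LOGINS: $ATTACK_COUNT
EXECUTED COMMAND: $BAN_COMMAND

SOURCE LOGS FROM SERVICE '$MOD' (GMT $TIME_ZONE):

$EV

-----------------------------------------------
AltaGrade Brute Force Detection System

EOF
ALERT_TEMPLATE

  # Route root's mail to the security contact. The "[email protected]" text
  # looks like an address mangled by the page this script was copied from —
  # TODO confirm the intended recipient before use.
  sed -i -e 's/#root:/root:/' /etc/aliases
  sed -i -e 's/marc/[email protected]/' /etc/aliases
  echo "#owner: ${OWNER}" >> /etc/aliases
  newaliases
  echo ".. done"
fi

if [ ! -d /usr/local/maldetect ]; then
  echo "=================================================================================="
  echo "Installing Linux Malware Detect .."
  cd /usr/src || exit 1
  # Same caveat as BFD: plain http download, no integrity check.
  wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
  tar xzf maldetect-current.tar.gz
  rm -rf maldetect-current.tar.gz
  cd maldetect* || exit 1
  ./install.sh
  # Installing inotify-tools per https://www.rfxn.com/appdocs/README.maldetect
  dnf -y install inotify-tools
  # Configuring malware detection settings ("-i -e", see above). The
  # "[email protected]" pattern is likewise probably a mangled address; if it
  # does not match the packaged default, email_addr stays unchanged.
  sed -i -e 's/email_alert="0"/email_alert="1"/' /usr/local/maldetect/conf.maldet
  sed -i -e 's/email_addr="[email protected]"/email_addr="security"/' /usr/local/maldetect/conf.maldet
  sed -i -e 's/email_ignore_clean="1"/email_ignore_clean="0"/' /usr/local/maldetect/conf.maldet
  sed -i -e 's/quarantine_hits="0"/quarantine_hits="1"/' /usr/local/maldetect/conf.maldet
  sed -i -e 's/quarantine_clean="0"/quarantine_clean="1"/' /usr/local/maldetect/conf.maldet
  sed -i -e 's/quarantine_suspend_user="0"/quarantine_suspend_user="1"/' /usr/local/maldetect/conf.maldet
  echo "/home/.*/public_html/stats" >> /usr/local/maldetect/ignore_paths
  echo "/home/.*/domains/.*/public_html/stats" >> /usr/local/maldetect/ignore_paths
  echo ".. done"
fi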

15) Setting up the firewall

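if [ ! -d /etc/apf ]; then
  echo "=================================================================================="
  echo "Installing APF .."

  # per https://superuser.com/questions/1083882/block-port-111-on-centos-7

  systemctl stop rpcbind.socket && systemctl disable rpcbind.socket
  systemctl mask fail2ban && systemctl stop fail2ban
  systemctl mask firewalld && systemctl stop firewalld

  # Guarded cd's so a failure cannot run the tar/./install.sh steps elsewhere.
  cd /usr/src || exit 1
  # NOTE(review): plain http download executed as root, no integrity check.
  wget http://www.rfxn.com/downloads/apf-current.tar.gz
  tar xzf apf-current.tar.gz
  rm -f apf-current.tar.gz
  cd apf* || exit 1
  ./install.sh
  chkconfig apf on
  # Only substitute the interface when one was detected in step 0; an empty
  # IFACE would otherwise wipe "eth0" from conf.apf and leave no interface.
  if [ -n "$IFACE" ]; then
    sed -i -e "s/eth0/$IFACE/" /etc/apf/conf.apf
  else
    echo "warning: IFACE is empty, /etc/apf/conf.apf still refers to eth0" >&2
  fi
  # "sed -i -e" rather than "-ie": "-ie" is GNU sed's -i with backup suffix
  # "e" and would leave a stray conf.apfe behind.
  sed -i -e 's/DEVEL_MODE="1"/DEVEL_MODE="0"/' /etc/apf/conf.apf
  sed -i -e 's/SET_MONOKERN="0"/SET_MONOKERN="1"/' /etc/apf/conf.apf
  sed -i -e 's/ICMP_LIM="30\/s"/ICMP_LIM="100\/s"/' /etc/apf/conf.apf
  sed -i -e 's/DLIST_PHP="0"/DLIST_PHP="1"/' /etc/apf/conf.apf
  sed -i -e 's/DLIST_SPAMHAUS="0"/DLIST_SPAMHAUS="1"/' /etc/apf/conf.apf
  sed -i -e 's/DLIST_DSHIELD="0"/DLIST_DSHIELD="1"/' /etc/apf/conf.apf
  # Comment out the packaged inbound port lists and insert ours at line 2.
  # After both inserts the TCP list sits on line 2 and the UDP list on line 3;
  # ${PORT} (the SSH port chosen in step 0) is appended to the TCP list.
  sed -i -e 's/IG_TCP_CPORTS=/#IG_TCP_CPORTS=/' /etc/apf/conf.apf
  sed -i -e 's/IG_UDP_CPORTS=/#IG_UDP_CPORTS=/' /etc/apf/conf.apf
  sed -i '2s/^/IG_UDP_CPORTS="53,123,465,587,953,2525,6277,1043,6081,6082,8983"\n/' /etc/apf/conf.apf
  sed -i "2s/^/IG_TCP_CPORTS=\"53,80,110,143,443,465,587,953,993,995,1043,2525,5900_5910,8079,8080,8888,8983,10000_10010,20000,${PORT}\"\n/" /etc/apf/conf.apf
  apf -r
  /usr/local/sbin/apf -a 65.49.80.104 "Do not remove this IP address. It belongs to AltaGrade."

  echo ".. done"
fi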

16) Removing unnecessary services

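# Lock down Webmin's config tree, then strip services this host does not use.
# Each removal is chained after a successful stop, so a service that is not
# installed (stop fails) is simply left alone.
chown -R root:bin /etc/webmin
systemctl stop wpa_supplicant && dnf -y remove wpa_supplicant
# The glob is quoted so dnf expands "fail2ban*" itself rather than the shell
# matching files in the current directory; the log is a single file, so rm -f.
systemctl stop fail2ban && dnf -y remove 'fail2ban*' && rm -f /var/log/fail2ban.log
systemctl stop proftpd && dnf -y remove proftpd && rm -rf /var/log/proftpd
# 19759 is the port chosen for QEMU guests in step 0: no audio there.
if [ "$PORT" = 19759 ]; then
  systemctl stop sound.target && systemctl disable sound.target
fi

# expect was only needed for mysql_secure_installation in step 8.
dnf remove expect -y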

17) Finalizing the installation script

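# Clean up the Webmin config files: swap the template host's addresses and
# names for this host's. grep -F matches the dotted values literally instead
# of as regexes, -Z/-0 keep paths with spaces intact through xargs, and -r
# skips the sed call when nothing matched. Replacements whose new value is
# empty are skipped, so a failed detection in step 0 cannot blank the config.
if [ -n "$IP" ]; then
  grep -rlZF -- 65.49.80.99 /etc | xargs -0 -r sed -i "s/65\.49\.80\.99/$IP/g"
fi
# IP6 may hold several addresses, one per line; only the first is used, since
# a newline inside the sed expression would abort the substitution entirely.
IP6_FIRST=${IP6%%$'\n'*}
if [ -n "$IP6_FIRST" ]; then
  grep -rlZF -- fe80::216:3eff:feca:7117 /etc | xargs -0 -r sed -i "s/fe80::216:3eff:feca:7117/$IP6_FIRST/g"
fi
grep -rlZF -- host.altagrade.org /etc | xargs -0 -r sed -i "s/host\.altagrade\.org/$HOSTNAME/g"
if [ -n "$IFACE" ]; then
  grep -rlZF -- eth0 /etc | xargs -0 -r sed -i "s/eth0/$IFACE/g"
fi
# Per https://www.virtualmin.com/node/43097
rm -rf /var/webmin/module.infos.cache
sh /etc/ag/cp/new-lang.sh >/dev/null 2>&1
/sbin/virtualmin check-config

# Install test repository for updates
# cat > /etc/yum.repos.d/testrepo.repo << 'EOF'
# [testrepo]
# name=TestRepo Repository
# baseurl=http://testrepo.altagrade.org:8080
# enabled=1
# gpgcheck=0
# EOF
# dnf -y update
# dnf -y install testrepo

# Calculating execution time (SECONDS was reset to 0 in step 0)
executed="$((SECONDS / 60)) minutes and $((SECONDS % 60)) seconds"
echo "The installation took $executed"
# Make sure the state directory exists before recording the install date.
mkdir -p /root/.altaos
echo "AltaOS installed on $(date)" > /root/.altaos/.install_date

# Sending the final e-mail notification
dnf -y install mailx
echo "Installation of AltaOS on ${HOSTNAME} completed in $executed. The system is rebooting..." | mail -s "AltaOS has been installed on ${HOSTNAME}" 6504506428@vtext.com

# Remove the install recipe and this script from the finished system.
rm -f /root/recipe*
rm -f /usr/src/altaos.sh

updatedb
echo "Rebooting the system..."
#reboot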