Configure environment and installed packages
0) Defining some variable values to use later in the installation script
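# 0) Variables used by the rest of the installer.
# PORT is the SSH port the firewall step later opens (IG_TCP_CPORTS): a QEMU
# guest gets 19759, anything else 19753.
if grep -q "QEMU" /proc/bus/input/devices; then
  PORT=19759
else
  PORT=19753
fi
export PORT

# The route towards 8.8.8.8 yields both the primary IPv4 address and its
# interface. Fields are located by name rather than position: on current
# iproute2 the line can end with "uid <n>", so the old `print $NF` picked the
# uid instead of the address, and grepping `ip addr` for the (unquoted) IP
# also matched longer addresses with the same prefix.
route_line=$(ip route get 8.8.8.8 2>/dev/null | head -n 1)
IP=$(awk '{ for (i = 1; i < NF; i++) if ($i == "src") { print $(i + 1); exit } }' <<<"$route_line")
IFACE=$(awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }' <<<"$route_line")

# First non-loopback IPv6 address. Only one line is kept: the value is later
# substituted into a sed expression (finalization step), where a multi-line
# value produced by a host with several IPv6 addresses breaks the command.
# NOTE(review): depending on the order `ip -6 addr` prints them this may be a
# link-local (fe80::) address — confirm that is what the Webmin config expects.
IP6="$( ip -6 addr | grep inet6 | awk -F '[ \t]+|/' '{print $3}' | grep -v '^::1' | head -n 1 )"

OWNER=""
TIMESTAMP=$(date +%s)
# Bash's builtin seconds counter; reset so the finalization step can report run time.
SECONDS=0
# There is no DB at this point yet, so commenting out
# MYSQL_VER=`mysql --version|awk '{ print $5 }'|awk -F\-MariaDB, '{ print $1 }'`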
1) Configure:
PHP
Memcached
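# 1) PHP and memcached.
# `sed -i -e`, not `sed -ie`: the latter is an in-place edit with backup
# suffix "e" and leaves a stray /etc/php.inie behind on every run.
echo "Configuring PHP"
sed -i -e 's/upload_max_filesize = 2M/upload_max_filesize = 20M/' /etc/php.ini
sed -i -e 's/post_max_size = 8M/post_max_size = 16M/' /etc/php.ini
sed -i -e 's/max_execution_time = 30/max_execution_time = 600/' /etc/php.ini
sed -i -e 's/max_input_time = 60/max_input_time = 600/' /etc/php.ini
sed -i -e 's/memory_limit = 128M/memory_limit = 1280M/' /etc/php.ini
dnf -y install scl-utils

echo "Configuring memcached..."
# Appended settings take precedence over the stock ones above them.
# `-l 127.0.0.1` keeps memcached off the network — it has no authentication
# of its own. The block is only appended once so re-runs do not stack copies.
if ! grep -q '^OPTIONS="-l 127.0.0.1"' /etc/sysconfig/memcached; then
  cat <<'EOT' >> /etc/sysconfig/memcached
PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="1024"
OPTIONS="-l 127.0.0.1"
EOT
fi
systemctl enable memcached
systemctl start memcached
echo ".. done"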
2) Setting up SSH authentication and configuring the system
3) Creating global aliases for user SSH sessions
4) Configuring hourly and daily AltaGrade cron-tasks
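# 4) Hourly and daily AltaGrade cron tasks; both run as root from /etc/cron.*.
cat > /etc/cron.hourly/altagrade << 'EOF'
#!/bin/bash
sh /etc/ag/scripts/update-drupal 1 > /dev/null
# Whenever /etc/ag/updates/update.sh differs from the copy that ran last time
# it is executed once (as root) and then rotated to .old. Nothing runs until a
# .old file exists, so it is presumably seeded by whatever delivers updates.
# NOTE(review): anything placed in that file runs with root privileges —
# /etc/ag/updates must stay writable by root only; confirm where it is created.
if [ -e /etc/ag/updates/update.sh.old ]; then
  if ! cmp --silent /etc/ag/updates/update.sh /etc/ag/updates/update.sh.old; then
    chmod 755 /etc/ag/updates/update.sh
    sh /etc/ag/updates/update.sh
    mv /etc/ag/updates/update.sh /etc/ag/updates/update.sh.old
  fi
fi
exit
EOF
chmod 755 /etc/cron.hourly/altagrade

cat > /etc/cron.daily/altagrade << 'EOF'
#!/bin/bash
# `-i -e` rather than `-ie`: the latter edits in place with backup suffix "e"
# and would leave /etc/webmin/confige (etc.) behind every day.
sed -i -e 's/CentOS/AltaOS/' /etc/webmin/config >/dev/null 2>&1
sh /etc/ag/cp/new-lang.sh >/dev/null 2>&1
sed -i -e 's/slider_enabled=true/slider_enabled=false/' /etc/webmin/authentic-theme/settings.js >/dev/null 2>&1
exit
EOF
chmod 755 /etc/cron.daily/altagrade
# Run the daily task once now so the rebranding is in place immediately.
/etc/cron.daily/altagrade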
5) Configuring Webmin and Virtualmin
6) Installing style.css file for Virtualmin
7) Configuring Apache
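echo "=================================================================================="
echo "Configuring Apache"
# `sed -i -e` throughout (the original `-ie` is an in-place edit with backup
# suffix "e" and litters the config directories with *.confe copies).
httpd_conf=/etc/httpd/conf/httpd.conf
# TLS settings. `/pattern/c\` only replaces a line that already exists.
# NOTE(review): on a stock CentOS 8 mod_ssl keeps these directives in
# /etc/httpd/conf.d/ssl.conf; confirm httpd.conf carries them, otherwise the
# three edits below are no-ops.
# NOTE(review): "All -SSLv2 -SSLv3" still permits TLS 1.0/1.1 unless the
# system crypto policy forbids them; "-TLSv1 -TLSv1.1" would make that explicit.
sed -i -e '/SSLProtocol/c\SSLProtocol All -SSLv2 -SSLv3' "$httpd_conf"
sed -i -e '/SSLCipherSuite/c\SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"' "$httpd_conf"
# Insert SSLHonorCipherOrder once; a re-run must not stack another copy.
grep -q '^SSLHonorCipherOrder' "$httpd_conf" \
  || sed -i -e '/SSLCipherSuite/i\SSLHonorCipherOrder on' "$httpd_conf"

# per https://support.plesk.com/hc/en-us/articles/213399589-Websites-are-slow-and-a-warning-appears-in-logs-mod-fcgid-ap-pass-brigade-failed
fcgid_conf=/etc/httpd/conf.d/fcgid.conf
grep -q '^FcgidMaxRequestsPerProcess' "$fcgid_conf" || echo 'FcgidMaxRequestsPerProcess 500' >> "$fcgid_conf"
grep -q '^FcgidOutputBufferSize' "$fcgid_conf" || echo 'FcgidOutputBufferSize 0' >> "$fcgid_conf"

# Disable mod_dav and the in-process PHP module; PHP is presumably served
# through proxy_fcgi, which is re-enabled below.
sed -i -e 's|LoadModule|#LoadModule|' /etc/httpd/conf.modules.d/00-dav.conf
sed -i -e 's|LoadModule|#LoadModule|' /etc/httpd/conf.modules.d/10-php.conf
# Maybe we can turn the below ones off.
# Comment out every proxy module, then re-enable only proxy and proxy_fcgi.
# The first pattern is anchored so a second run does not turn "#LoadModule"
# into "##LoadModule", which the re-enable patterns would no longer match.
proxy_conf=/etc/httpd/conf.modules.d/00-proxy.conf
sed -i -e 's/^LoadModule proxy/#LoadModule proxy/' "$proxy_conf"
sed -i -e 's@#LoadModule proxy_module@LoadModule proxy_module@g' "$proxy_conf"
sed -i -e 's@#LoadModule proxy_fcgi_module@LoadModule proxy_fcgi_module@g' "$proxy_conf"
sed -i -e 's@LoadModule lbmethod_heartbeat@#LoadModule lbmethod_heartbeat@g' "$proxy_conf"
echo ".. done"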
8) Configuring MariaDB settings
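echo "=================================================================================="
echo "Configuring MariaDB settings .."
dnf install expect -y

# Root password: 20 random alphanumerics from the kernel CSPRNG. The former
# `date +%s | sha256sum | base64 | head -c 16` derived it from the install
# timestamp, which anyone who knows roughly when the host was built can guess.
MYSQL_ROOT_PASSWORD=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 20)

# The passwords reach expect through its environment ($env(...)) instead of
# being interpolated into the `-c` script, where they would be visible on the
# command line (`ps`, audit logs). They are set only for this one child, not
# exported to the rest of the installer. CURRENT_MYSQL_PASSWORD is not
# defined anywhere visible; on a fresh install it is empty, which is what
# mysql_secure_installation expects.
SECURE_MYSQL=$(
  CURRENT_MYSQL_PASSWORD="${CURRENT_MYSQL_PASSWORD:-}" \
  MYSQL_ROOT_PASSWORD="$MYSQL_ROOT_PASSWORD" \
  expect -c '
set timeout 3
spawn mysql_secure_installation
expect "Enter current password for root (enter for none):"
send "$env(CURRENT_MYSQL_PASSWORD)\r"
expect "Set root password?"
send "y\r"
expect "New password:"
send "$env(MYSQL_ROOT_PASSWORD)\r"
expect "Re-enter new password:"
send "$env(MYSQL_ROOT_PASSWORD)\r"
expect "Remove anonymous users?"
send "y\r"
expect "Disallow root login remotely?"
send "y\r"
expect "Remove test database and access to it?"
send "y\r"
expect "Reload privilege tables now?"
send "y\r"
expect eof
'
)
# Show the transcript for the install log, minus any line that would carry
# the new password.
printf '%s\n' "$SECURE_MYSQL" | grep -v -F -- "$MYSQL_ROOT_PASSWORD"

# Let Webmin's MySQL module know the new root password.
# NOTE(review): the password is stored here in clear text — confirm the file
# is readable by root only, as Webmin creates it.
webmin_mysql_conf=/etc/webmin/mysql/config
if grep -q pass= "$webmin_mysql_conf"; then
  sed -i "/pass=/c\pass=$MYSQL_ROOT_PASSWORD" "$webmin_mysql_conf"
else
  echo "pass=$MYSQL_ROOT_PASSWORD" >> "$webmin_mysql_conf"
fi

if ! grep -Fq "default-character-set = utf8mb4" /etc/my.cnf; then
  rm -f /etc/my.cnf
  # NOTE(review): some of these options are deprecated or no longer
  # recognised by the MariaDB 10.3+ that CentOS 8 ships (at least
  # innodb_additional_mem_pool_size; likely table_cache,
  # innodb_file_io_threads, innodb_file_format, innodb_large_prefix). An
  # unknown variable prevents mysqld from starting — confirm against the
  # installed version.
  # innodb_flush_log_at_trx_commit = 0 trades crash durability for speed.
  # skip-networking stays commented, so mysqld listens on TCP as well; the
  # firewall step does not open 3306 and remote root login is refused above.
  cat > /etc/my.cnf << 'EOF'
[client]
default-character-set = utf8mb4
[mysql]
default-character-set = utf8mb4
[mysqld]
character-set-client-handshake = FALSE
character-set-server = utf8mb4
collation-server = utf8mb4_unicode_ci
#skip-networking
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
symbolic-links=0
slow_query_log = 1
slow_query_log_file = /var/log/mariadb/slow.log
query_cache_size = 128M
query_cache_limit = 16M
thread_cache_size = 8
myisam_sort_buffer_size = 64M
read_rnd_buffer_size = 8M
read_buffer_size = 2M
sort_buffer_size = 2M
table_cache = 512
max_allowed_packet=1024M
key_buffer = 384M
wait_timeout=600
max_connections = 600
tmp_table_size = 256M
max_heap_table_size = 256M
innodb_large_prefix=true
innodb_file_format=barracuda
innodb_file_per_table = true
innodb_additional_mem_pool_size = 16M
innodb_flush_log_at_trx_commit = 0
innodb_log_buffer_size = 8M
innodb_buffer_pool_size = 1G
innodb_thread_concurrency = 16
innodb_lock_wait_timeout = 120
innodb_data_file_path = ibdata1:10M:autoextend
innodb_file_io_threads = 4
innodb_max_dirty_pages_pct = 90
[mysqld_safe]
log-error=/var/log/mariadb/mariadb.log
pid-file=/var/run/mariadb/mariadb.pid
!includedir /etc/my.cnf.d
EOF
  dnf remove expect -y
  echo ".. done"
fi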
9) Installing drush and wp-cli
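# 9) drush 8 and wp-cli, installed as phars into /usr/local/bin.
# NOTE(review): neither archive is integrity-checked before it is executed
# as root; compare it with the checksum or signature the upstream release
# publishes (e.g. `sha256sum -c` against <UPSTREAM_SHA256>) before the
# php/mv steps. A failed download is reported and skipped instead of
# running `mv` on a file that does not exist.
# Installing drush
if wget https://github.com/drush-ops/drush/releases/download/8.1.16/drush.phar; then
  php drush.phar core-status
  chmod +x drush.phar
  mv drush.phar /usr/local/bin/drush
  drush -y init
else
  echo "drush download failed; skipping drush installation" >&2
fi
# Fixing https://github.com/drush-ops/drush/issues/2065
# NOTE(review): `c\` replaces the whole disable_functions line, dropping
# whatever the distribution had disabled and leaving only pcntl_exec
# disabled — confirm that is the outcome the linked issue calls for.
sed -i '/disable_functions/c\disable_functions = pcntl_exec' /etc/php.ini
sed -i '/disable_functions/c\disable_functions = pcntl_exec' /etc/opt/remi/php70/php.ini
# Installing wp-cli (this URL is the unpinned "latest" build)
if curl -fsSLO https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar; then
  chmod +x wp-cli.phar
  mv wp-cli.phar /usr/local/bin/wp
else
  echo "wp-cli download failed; skipping wp-cli installation" >&2
fi
#if [ ! -d /etc/ag ]; then
# mkdir /etc/ag
#fi
#mkdir /etc/ag/wp
#cd /etc/ag/wp
#wget https://raw.githubusercontent.com/wp-cli/wp-cli/v1.5.1/utils/wp-completion.bash
#chmod 755 wp-completion.bash
#echo "source /etc/ag/wp/wp-completion.bash" >> /etc/profile.d/globaliases.sh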
10) Configuring Let's Encrypt per https://certbot.eff.org/lets-encrypt/centosrhel8-apache
Only the documented steps are applied; the rest is commented out
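#Restart Apache see known CentOS 8 bug: https://community.letsencrypt.org/t/localhost-crt-does-not-exist-or-is-empty/103979
systemctl restart httpd
#Install certificates
certbot --apache -m info@altagrade.com --agree-tos -n -d "$HOSTNAME"
# Install script to auto-replace the ssl_le.pem files for domains
#cat > /etc/letsencrypt/renewal-hooks/deploy/replace_pems.sh << 'EOF'
#!/bin/sh
# Re-create the ssl_le.pem files for Pound
#for domain in $RENEWED_DOMAINS; do
# cat $RENEWED_LINEAGE/privkey.pem $RENEWED_LINEAGE/fullchain.pem > $RENEWED_LINEAGE/ssl_le.pem
#done
#exit
#EOF
#chmod 755 /etc/letsencrypt/renewal-hooks/deploy/replace_pems.sh
# Set up automatic renewal
# CentOS 8 has no unversioned `python` unless alternatives provides one, so
# the former "python -c ..." jitter step failed on every run and `certbot
# renew` behind the && never executed — certificates would simply expire.
# The job is appended only once, so re-running the installer does not stack
# it; the script already runs as root, so no sudo is needed.
renew_job="0 0,12 * * * root python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q"
grep -qF 'certbot renew -q' /etc/crontab || echo "$renew_job" >> /etc/crontab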
11) Installing and configuring Pound
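# 11) Pound in front of Apache. Apache stops listening on 443 here; Pound
# takes port 80 on the primary address and forwards everything (ACME
# challenges included) to a backend on 8888, presumably Apache as configured
# in a step not shown on this page.
# NOTE(review): no ListenHTTPS block is generated, so unless another step
# adds one nothing serves 443 once ssl.conf's Listen is disabled.
# An empty IP would produce an unusable config, so refuse to continue without it.
: "${IP:?primary IPv4 address is not set}"
sed -i '/Listen/c\#Listen' /etc/httpd/conf.d/ssl.conf
#Setup
# Keep the packaged config as .orig, but never overwrite an existing backup
# with our own generated file on a re-run.
[ -e /etc/pound.cfg.orig ] || mv /etc/pound.cfg /etc/pound.cfg.orig
cat > /etc/pound.cfg << EOF
ListenHTTP
  Address ${IP}
  Port 80
  Service
    URL "/.well-known/acme-challenge/.*"
    BackEnd
      Address ${IP}
      Port 8888
    End
  End
End
Service
  BackEnd
    Address ${IP}
    Port 8888
  End
End
EOF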
12) Configuring automatic core updates for Drupal websites
13) Installing and configuring Varnish
14) Maldet and BFD
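# 14) Brute Force Detection and Linux Malware Detect (both from rfxn.com).
# NOTE(review): both tarballs are fetched over plain HTTP and their
# install.sh is run as root with no integrity check — verify each archive
# against the checksum published upstream (<UPSTREAM_SHA256>) first.
# `sed -i -e` replaces the original `-ie` (in-place edit with backup suffix
# "e", which left conf.bfde / conf.maldete copies behind).
if [ ! -d /usr/local/bfd ]; then
  echo "=================================================================================="
  echo "Installing and configuring Brute Force Detection .."
  cd /usr/src || exit 1
  wget http://www.rfxn.com/downloads/bfd-current.tar.gz
  tar xzf bfd-current.tar.gz
  rm -f bfd-current.tar.gz*
  # The cd is chained so a failed extraction cannot run some other install.sh from /usr/src.
  cd bfd-1.5* && ./install.sh
  cd /usr/src
  sed -i -e 's/TRIG="15"/TRIG="5"/' /usr/local/bfd/conf.bfd
  sed -i -e 's/EMAIL_ALERTS="0"/EMAIL_ALERTS="1"/' /usr/local/bfd/conf.bfd
  sed -i -e 's/EMAIL_ADDRESS="root"/EMAIL_ADDRESS="security"/' /usr/local/bfd/conf.bfd
  # Branded alert template, written in one go instead of 25 echo appends.
  # $ATTACK_HOST, $MOD, $EV etc. are BFD's own variables (the file is
  # presumably evaluated by bfd itself), so they must stay unexpanded here —
  # hence the quoted delimiter. The template contains its own "EOF" heredoc,
  # which is why the outer delimiter is ALERT.
  cat > /usr/local/bfd/alert.bfd <<'ALERT'
EB=0
if [ "$EMAIL_LOGLINES" == "" ]; then
 EMAIL_LOGLINES=50
fi
EV=`nice -n 19 tail -n 5000 $LP | grep $ATTACK_HOST | tail -n $EMAIL_LOGLINES`
cat <<EOF

$ATTACK_HOST has been blocked and blacklisted by AltaGrade for exceeded login failures on $HOSTNAME.
If the IP address belongs to your team, then please clear it from the firewall's block-list and add it allowed hosts.
Alternatively file a support request on https://my.altagrade.com and we will gladly do it for you.

SOURCE ADDRESS: $ATTACK_HOST
TARGET SERVICE: $MOD
FAILED LOGINS: $ATTACK_COUNT
EXECUTED COMMAND: $BAN_COMMAND

SOURCE LOGS FROM SERVICE '$MOD' (GMT $TIME_ZONE):

$EV

-----------------------------------------------
AltaGrade Brute Force Detection System

EOF
ALERT
  # Route root's mail (and the "security" alias used above) to a real mailbox.
  sed -i -e 's/#root:/root:/' /etc/aliases
  # NOTE(review): "[email protected]" is a rendering placeholder on this page,
  # not the real address — restore the intended mailbox before use.
  sed -i -e 's/marc/[email protected]/' /etc/aliases
  echo "#owner: ${OWNER}" >> /etc/aliases
  newaliases
  echo ".. done"
fi

if [ ! -d /usr/local/maldetect ]; then
  echo "=================================================================================="
  echo "Installing Linux Malware Detect .."
  cd /usr/src || exit 1
  wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
  tar xzf maldetect-current.tar.gz
  rm -rf maldetect-current.tar.gz
  cd maldetect* && ./install.sh
  # Installing inotify-tools per https://www.rfxn.com/appdocs/README.maldetect
  dnf -y install inotify-tools
  # Configuring malware detection settings
  sed -i -e 's/email_alert="0"/email_alert="1"/' /usr/local/maldetect/conf.maldet
  # NOTE(review): "[email protected]" here is the same page placeholder; the
  # pattern must match the stock default in conf.maldet or this is a no-op.
  sed -i -e 's/email_addr="[email protected]"/email_addr="security"/' /usr/local/maldetect/conf.maldet
  sed -i -e 's/email_ignore_clean="1"/email_ignore_clean="0"/' /usr/local/maldetect/conf.maldet
  sed -i -e 's/quarantine_hits="0"/quarantine_hits="1"/' /usr/local/maldetect/conf.maldet
  sed -i -e 's/quarantine_clean="0"/quarantine_clean="1"/' /usr/local/maldetect/conf.maldet
  # Suspends the account owning a hit; a false positive therefore locks a
  # customer out until someone reviews the quarantine.
  sed -i -e 's/quarantine_suspend_user="0"/quarantine_suspend_user="1"/' /usr/local/maldetect/conf.maldet
  echo "/home/.*/public_html/stats" >> /usr/local/maldetect/ignore_paths
  echo "/home/.*/domains/.*/public_html/stats" >> /usr/local/maldetect/ignore_paths
  echo ".. done"
fi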
15) Setting up the firewall
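if [ ! -d /etc/apf ]; then
  echo "=================================================================================="
  echo "Installing APF .."
  # The ruleset is bound to the detected interface and must open the SSH
  # port chosen at the top of the script. With either value empty the
  # generated rules would lock the administrator out, so stop here — before
  # the existing firewall is dismantled — rather than continue.
  : "${IFACE:?network interface was not detected}" "${PORT:?SSH port is not set}"
  # APF replaces firewalld and fail2ban; masking keeps a later package
  # update from re-enabling them alongside it.
  # per https://superuser.com/questions/1083882/block-port-111-on-centos-7
  systemctl stop rpcbind.socket && systemctl disable rpcbind.socket
  systemctl mask fail2ban && systemctl stop fail2ban
  systemctl mask firewalld && systemctl stop firewalld
  # NOTE(review): plain-HTTP download executed as root without an integrity
  # check — verify against the checksum published upstream (<UPSTREAM_SHA256>).
  cd /usr/src || exit 1
  wget http://www.rfxn.com/downloads/apf-current.tar.gz
  tar xzf apf-current.tar.gz
  rm -f apf-current.tar.gz
  cd apf* && ./install.sh
  chkconfig apf on
  # `sed -i -e`, not `-ie` (in-place with backup suffix "e" → conf.apfe).
  apf_conf=/etc/apf/conf.apf
  sed -i -e "s/eth0/$IFACE/" "$apf_conf"
  # DEVEL_MODE=0 turns off APF's development safety net (it periodically
  # flushes the rules); from here on a bad ruleset stays in place.
  sed -i -e 's/DEVEL_MODE="1"/DEVEL_MODE="0"/' "$apf_conf"
  sed -i -e 's/SET_MONOKERN="0"/SET_MONOKERN="1"/' "$apf_conf"
  sed -i -e 's/ICMP_LIM="30\/s"/ICMP_LIM="100\/s"/' "$apf_conf"
  # Reputation block-lists (Project Honey Pot, Spamhaus, DShield).
  sed -i -e 's/DLIST_PHP="0"/DLIST_PHP="1"/' "$apf_conf"
  sed -i -e 's/DLIST_SPAMHAUS="0"/DLIST_SPAMHAUS="1"/' "$apf_conf"
  sed -i -e 's/DLIST_DSHIELD="0"/DLIST_DSHIELD="1"/' "$apf_conf"
  # Comment out the stock inbound port lists and insert ours at line 2.
  # Port 22 is deliberately absent: sshd presumably listens on $PORT
  # (moved in the SSH step, which is not shown on this page).
  sed -i -e 's/IG_TCP_CPORTS=/#IG_TCP_CPORTS=/' "$apf_conf"
  sed -i -e 's/IG_UDP_CPORTS=/#IG_UDP_CPORTS=/' "$apf_conf"
  sed -i '2s/^/IG_UDP_CPORTS="53,123,465,587,953,2525,6277,1043,6081,6082,8983"\n/' "$apf_conf"
  sed -i "2s/^/IG_TCP_CPORTS=\"53,80,110,143,443,465,587,953,993,995,1043,2525,5900_5910,8079,8080,8888,8983,10000_10010,20000,${PORT}\"\n/" "$apf_conf"
  apf -r
  # Permanent allow entry for AltaGrade's management address; traffic from it
  # bypasses every rule above, so the entry is worth knowing about.
  /usr/local/sbin/apf -a 65.49.80.104 "Do not remove this IP address. It belongs to AltaGrade."
  echo ".. done"
fi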
16) Removing unnecessary services
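# 16) Remove services a web host does not need.
# `stop` fails when a unit is absent or already stopped; chaining it with &&
# then silently skipped the package removal, so the two are now independent
# (the stop's stderr is dropped deliberately).
chown -R root:bin /etc/webmin
systemctl stop wpa_supplicant 2>/dev/null
dnf -y remove wpa_supplicant
systemctl stop fail2ban 2>/dev/null
dnf -y remove 'fail2ban*'
rm -rf /var/log/fail2ban.log
systemctl stop proftpd 2>/dev/null
dnf -y remove proftpd
rm -rf /var/log/proftpd
# sound.target is only touched on the QEMU flavour (PORT=19759, see the top of the script).
if [ "$PORT" = 19759 ]; then
  systemctl stop sound.target && systemctl disable sound.target
fi
# expect was only needed for mysql_secure_installation.
dnf remove expect -y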
17) Finalizing the installation script
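# 17) Finalization: swap the template host's identity for this host's
# everywhere under /etc, report the run time, notify, and clean up.

# Clean up the Webmin config files
# -Z/-0 keep paths with spaces intact and -r stops xargs from running sed
# with no files when nothing matches. A substitution whose replacement is
# empty would delete the matched text instead, so those are skipped.
# NOTE(review): "eth0" is replaced in every file under /etc, not only Webmin's.
replace_in_etc() {
  # $1 = template value, $2 = replacement (both used as sed patterns as-is).
  if [ -z "$2" ]; then
    printf 'skipping replacement of %s: new value is empty\n' "$1" >&2
    return 0
  fi
  grep -rlZ -- "$1" /etc | xargs -0r sed -i "s/$1/$2/g"
}
replace_in_etc 65.49.80.99 "$IP"
replace_in_etc fe80::216:3eff:feca:7117 "$IP6"
replace_in_etc host.altagrade.org "$HOSTNAME"
replace_in_etc eth0 "$IFACE"

# Per https://www.virtualmin.com/node/43097
rm -rf /var/webmin/module.infos.cache
sh /etc/ag/cp/new-lang.sh >/dev/null 2>&1
/sbin/virtualmin check-config

# Install test repository for updates
# cat > /etc/yum.repos.d/testrepo.repo << 'EOF'
# [testrepo]
# name=TestRepo Repository
# baseurl=http://testrepo.altagrade.org:8080
# enabled=1
# gpgcheck=0
# EOF
# dnf -y update
# dnf -y install testrepo

# Calculating execution time (SECONDS was reset to 0 at the top of the script)
executed="$((SECONDS / 60)) minutes and $((SECONDS % 60)) seconds"
echo "The installation took $executed"
# The marker directory may not exist yet; without it the redirect fails.
mkdir -p /root/.altaos
echo "AltaOS installed on $(date)" > /root/.altaos/.install_date

# Sending the final e-mail notification
dnf -y install mailx
echo "Installation of AltaOS on ${HOSTNAME} completed in $executed. The system is rebooting..." | mail -s "AltaOS has been installed on ${HOSTNAME}" 6504506428@vtext.com
# Remove the recipe and this installer so they do not linger on the finished host.
rm -f /root/recipe*
rm -f /usr/src/altaos.sh
updatedb
echo "Rebooting the system..."
#reboot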