
Installing additional packages

Submitted by Alan Mels on Thu, 07/02/2020 - 22:28

0) Installing Composer

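# Install Composer once (skipped when /usr/local/bin/composer already exists).
# The original piped the installer straight from the network into php; this
# downloads it to a file and checks it against the SHA-384 that Composer
# publishes at composer.github.io/installer.sig before executing it.
# NOTE: the cd persists for the rest of this script, as it did originally.
if [ ! -f /usr/local/bin/composer ]; then
  cd /usr/src || exit 1
  curl -sS -o composer-setup.php https://getcomposer.org/installer || exit 1
  expected_sig=$(curl -sS https://composer.github.io/installer.sig) || exit 1
  actual_sig=$(php -r "echo hash_file('sha384', 'composer-setup.php');")
  if [ "$expected_sig" != "$actual_sig" ]; then
    printf 'ERROR: composer installer checksum mismatch, not running it\n' >&2
    rm -f composer-setup.php
    exit 1
  fi
  sudo php composer-setup.php --install-dir=/usr/local/bin --filename=composer
  rm -f composer-setup.php
fi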

1) Installing Memcached

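# Install memcached and write its sysconfig from scratch. A plain `>` replaces
# the file, which is what the original `rm -f` followed by `>>` achieved in two
# steps. The quoted EOT keeps the content literal (no shell expansion).
dnf -y install memcached || exit 1
cat <<'EOT' > /etc/sysconfig/memcached
PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="1024"
OPTIONS="-l 127.0.0.1,::1"
EOT
# OPTIONS above binds memcached to loopback only (IPv4 and IPv6); keep it that
# way — memcached has no authentication, so 11211 must not be reachable from
# outside. Enable and start in one step.
systemctl enable --now memcached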

2) Installing PHP 7.4

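# Remi's repository release package. Installed via dnf so a re-run is a no-op
# when it is already present (rpm -U exits non-zero in that case), and fetched
# over TLS rather than the original plain-http URL. The trailing "l" in the
# original `rpm -Uvhl` is rpm's query-mode --list flag, not an install option,
# and has been dropped.
dnf -y install https://rpms.remirepo.net/enterprise/remi-release-8.rpm || exit 1

dnf -y install php74 php74-php-pecl-mysql php74-php-mysqlnd php74-php-curl php74-php-simplexml php74-php-devel php74-php-gd php74-php-json php74-php-mcrypt php74-php-mbstring php74-php-opcache php74-php-pear php74-php-pecl-apcu php74-php-pecl-geoip php74-php-pecl-imagick php74-php-pecl-json-post php74-php-pecl-memcache php74-php-pecl-zip php74-php-pspell php74-php-soap php74-php-xml php74-php-xmlrpc php74-php-pecl-uploadprogress php74-php-imap php74-php-pecl-xmldiff php74-php-bcmath php74-php-fpm || exit 1

# Put the php74 binaries first in PATH for the rest of this shell, so the
# `pear` calls below are the 7.4 ones.
source /opt/remi/php74/enable
dnf -y install php74-php-tidy
pear channel-update pear.php.net
pear install Cache_Lite

# Raise the upload/runtime limits in php.ini.
# `sed -ie` is NOT `-i -e`: GNU sed reads the "e" as an in-place backup suffix,
# so the original left a stray php.inie copy behind on every run. The patterns
# are anchored on the key and replace whatever value is there, which makes the
# edit idempotent and keeps it working if the shipped default ever differs
# from the literal the original matched on.
php_ini=/etc/opt/remi/php74/php.ini
sed -i \
  -e 's/^upload_max_filesize *=.*/upload_max_filesize = 20M/' \
  -e 's/^post_max_size *=.*/post_max_size = 16M/' \
  -e 's/^max_execution_time *=.*/max_execution_time = 600/' \
  -e 's/^max_input_time *=.*/max_input_time = 600/' \
  -e 's/^memory_limit *=.*/memory_limit = 1280M/' \
  "$php_ini"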

3) Enabling PHP-FPM 7.4.7 Server

# Enable php74-php-fpm at boot and start it now (one call instead of two).
systemctl enable --now php74-php-fpm

4) Installing and configuring Let's Encrypt per https://certbot.eff.org/lets-encrypt/centosrhel8-apache

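dnf -y install certbot python3-certbot-apache || exit 1

# Deploy hook: after each successful renewal, rebuild the combined
# key+chain PEM that Pound reads. -p so a re-run (or certbot having created
# the directory itself) does not abort the script.
mkdir -p /etc/letsencrypt/renewal-hooks/deploy
# Quoted EOF: the $RENEWED_* variables belong to the hook, not to this script.
# The original loop over $RENEWED_DOMAINS never used the loop variable and
# rewrote the same file once per domain; one write is equivalent.
cat > /etc/letsencrypt/renewal-hooks/deploy/replace_pems.sh <<'EOF'
#!/bin/sh
# Certbot deploy hook: certbot sets RENEWED_LINEAGE to the renewed lineage's
# directory. Pound wants key and chain in a single file (ssl_le.pem).
# That file contains the private key, so it is created with no group/other
# access and swapped into place atomically so Pound never reads a half-written
# file. Pound itself is not reloaded here — until it is, the old certificate
# stays in use; TODO confirm whether /etc/ag/scripts/renew-certs handles that.
umask 077
cat "$RENEWED_LINEAGE/privkey.pem" "$RENEWED_LINEAGE/fullchain.pem" > "$RENEWED_LINEAGE/ssl_le.pem.tmp" \
  && chmod 600 "$RENEWED_LINEAGE/ssl_le.pem.tmp" \
  && mv -f "$RENEWED_LINEAGE/ssl_le.pem.tmp" "$RENEWED_LINEAGE/ssl_le.pem"
exit
EOF
chmod 755 /etc/letsencrypt/renewal-hooks/deploy/replace_pems.sh

# Cron entry to trigger auto-renew: at 00:00 and 12:00 on day-of-week 7
# (Sunday), after a random delay of up to an hour, run the renew-certs
# wrapper (expected to exist at that path). If twice *daily* was intended,
# the day-of-week field should be `*`.
# python3 instead of python: RHEL 8 ships no unversioned `python` by default,
# so the original job would have failed before ever reaching renew-certs;
# certbot already pulls in python3.
# The original `(crontab -l && echo ... | sort | uniq)` short-circuited when
# root had no crontab yet (crontab -l exits non-zero) and then installed an
# empty crontab, and its sort/uniq only ever saw the echoed line. This appends
# the line once, preserving any existing entries and their order.
cron_line="0 0,12 * * 7 python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && /etc/ag/scripts/renew-certs"
if ! crontab -l 2>/dev/null | grep -qF -- "$cron_line"; then
  { crontab -l 2>/dev/null; printf '%s\n' "$cron_line"; } | crontab -
fi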

5) Installing and configuring Pound

sed -i '/Listen/c\#Listen' /etc/httpd/conf.d/ssl.conf
dnf -y install Pound && systemctl enable pound && systemctl start pound
mv /etc/pound.cfg /etc/pound.cfg.orig
cat > /etc/pound.cfg << EOF
ListenHTTP
  Address ${IP}
  Port 80
  Service
    URL "/.well-known/acme-challenge/.*"
    BackEnd
      Address ${IP}
      Port 8888
    End
  End
End
 
Service
    BackEnd
	Address ${IP}
        Port    8888
    End
End
 
EOF

6) Installing and configuring Varnish

dnf -y install @varnish
systemctl enable varnish --now
# Configure Apache for Varnish
sed -ie 's/Listen 80/Listen 8080/' /etc/httpd/conf/httpd.conf
echo 'RemoteIPHeader X-Forwarded-For' >> /etc/httpd/conf/httpd.conf
echo "RemoteIPInternalProxy $IP" >> /etc/httpd/conf/httpd.conf
sed -ie 's/%h/%a/' /etc/httpd/conf/httpd.conf
sed -ie 's/6081/8888/' /usr/lib/systemd/system/varnish.service
# Crazy, but there is always an extra systemd entry for Varnish. Probably this should be reported to Varnish or Webmin.
rm -rf /usr/lib/systemd/system/varnish.servicee
 
 
systemctl daemon-reload
systemctl restart varnish
 
cat > /etc/varnish/default.vcl << EOF
vcl 4.0;
 
backend default {
    .host = "${IP}";
    .port = "8080";
}
 
acl purge {
  "localhost";
  "127.0.0.1";
}
 
sub vcl_deliver {
  # If proxying via cloudflare, then send 520 responses in place of 500/503
  if ((resp.status == 500 || resp.status == 503) && req.http.cf-connecting-ip) {
    set resp.status = 520;
  }
}
 
sub vcl_recv {
 
#  if (req.http.host == "demo.altagrade.com") {
#     if (req.url !~ "^/user") {
#         unset req.http.cookie;
#     }
#  }
 
#  if (req.http.Host == "sub.domain.com" || req.http.Host == "db.domain.net" ) {
#    return (pass);
#  }
 
  if (req.url == "/check-altagrade-varnish") {
    return(synth(200, "Varnish up"));
  }
 
 # Check the incoming request type is "PURGE", not "GET" or "POST".
  if (req.method == "PURGE") {
    # Check if the IP is allowed.
    if (!client.ip ~ purge) {
      # Return error code 405 (Forbidden) when not.
      return (synth(405, "Not allowed."));
    }
    return (purge);
  }
 
# Do not cache these paths.
  if (req.url ~ "^/status\.php$" ||
      req.url ~ "^/update\.php" ||
      req.url ~ "^/install\.php" ||
      req.url ~ "^/apc\.php$" ||
      req.url ~ "^/admin" ||
      req.url ~ "^/admin/.*$" ||
      req.url ~ "^/user" ||
      req.url ~ "^/user/.*$" ||
      req.url ~ "^/users/.*$" ||
      req.url ~ "^/info/.*$" ||
      req.url ~ "^/flag/.*$" ||
      req.url ~ "^.*/ajax/.*$" ||
      req.url ~ "^.*/ahah/.*$" ||
      req.url ~ "^/system/files/.*$") {
 
    return (pass);
  }
 
 # Always cache the following file types for all users. This list of extensions
  # appears twice, once here and again in vcl_backend_response so make sure you edit both
  # and keep them equal.
  if (req.url ~ "(?i)\.(pdf|asc|dat|txt|doc|xls|ppt|tgz|csv|png|gif|jpeg|jpg|ico|swf|css|js)(\?.*)?$") {
    unset req.http.Cookie;
  }
 
  # Remove all cookies that Drupal doesn't need to know about. We explicitly
  # list the ones that Drupal does need, the SESS and NO_CACHE. If, after
  # running this code we find that either of these two cookies remains, we
  # will pass as the page cannot be cached.
  if (req.http.Cookie) {
    # 1. Append a semi-colon to the front of the cookie string.
    # 2. Remove all spaces that appear after semi-colons.
    # 3. Match the cookies we want to keep, adding the space we removed
    #    previously back. (\1) is first matching group in the regsuball.
    # 4. Remove all other cookies, identifying them by the fact that they have
    #    no space after the preceding semi-colon.
    # 5. Remove all spaces and semi-colons from the beginning and end of the
    #    cookie string.
    set req.http.Cookie = ";" + req.http.Cookie;
    set req.http.Cookie = regsuball(req.http.Cookie, "; +", ";");
    set req.http.Cookie = regsuball(req.http.Cookie, ";(SESS[a-z0-9]+|SSESS[a-z0-9]+|NO_CACHE)=", "; \1=");
    set req.http.Cookie = regsuball(req.http.Cookie, ";[^ ][^;]*", "");
    set req.http.Cookie = regsuball(req.http.Cookie, "^[; ]+|[; ]+$", "");
 
    if (req.http.Cookie == "") {
      # If there are no remaining cookies, remove the cookie header. If there
      # aren't any cookie headers, Varnish's default behavior will be to cache
      # the page.
      unset req.http.Cookie;
    }
    else {
      # If there is any cookies left (a session or NO_CACHE cookie), do not
      # cache the page. Pass it on to Apache directly.
      return (pass);
    }
  }
 
 
}
EOF

7) Configuring firewall...

For an AltaGrade server with mail enabled we need:

  1. firewall-cmd --list-services
     http https imap imaps pop3 pop3s smtp smtps ssh
  2. firewall-cmd --list-ports
     587/tcp 53/tcp 10000-10100/tcp 53/udp 19759/tcp 8080/tcp 8888/tcp

However, by default we configure a minimal set of services and ports, since most customers do not have mail.

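# PORT is a shell variable that must be set before this section runs; it is
# the additional TCP port to open and is unrelated to the PORT= line written
# to /etc/sysconfig/memcached above (memcached is bound to loopback and its
# port must not be opened here). Without this guard the original would have
# run `--add-port=/tcp`.
: "${PORT:?PORT must be set to the extra TCP port to open}"

# Remove unnecessary services. firewall-cmd reports NOT_ENABLED for services
# that were not enabled; that is harmless here.
# dhcpv6-client is removed too — leave it if this host gets its IPv6 address
# via DHCPv6.
for svc in ftp dhcpv6-client imap imaps pop3 pop3s smtp smtps; do
  firewall-cmd --permanent --remove-service="$svc"
done

# Remove ports which come open by default.
for port in 1025-65535/tcp 10000-10100/tcp 20000/tcp 2222/tcp 20/tcp 587/tcp 53/tcp 53/udp; do
  firewall-cmd --permanent --zone=public --remove-port="$port"
done

# Open needed ports.
# 8080 (Apache) and 8888 (Varnish) are the internal hops behind Pound; opening
# them in the public zone lets clients bypass Pound and Varnish entirely.
# Unless an external front end really has to reach them, consider leaving
# them closed. 19955 is presumably Webmin (the fail2ban webmin-auth jail
# below uses it).
for port in 8080/tcp 8888/tcp "${PORT}/tcp" 19955/tcp; do
  firewall-cmd --permanent --zone=public --add-port="$port"
done

firewall-cmd --reload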

8) Installing drush

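# Installing drush (Drush 8 phar release). The phar is executed as root, so
# stop if the download fails rather than running whatever is left in cwd.
# TODO: verify the download against the checksum published with the release
# before running it, e.g.
#   echo '<EXPECTED_SHA256>  drush.phar' | sha256sum -c - || exit 1
wget https://github.com/drush-ops/drush/releases/download/8.3.3/drush.phar || exit 1
chmod +x drush.phar
# Smoke test before installing.
php drush.phar core-status
mv drush.phar /usr/local/bin/drush
drush -y init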
 
# Fixing https://github.com/drush-ops/drush/issues/2065
# sed -i '/disable_functions/c\disable_functions = pcntl_exec' /etc/php.ini
# sed -i '/disable_functions/c\disable_functions = pcntl_exec' /etc/opt/remi/php74/php.ini

9) Installing brush

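# Installing brush from source. Clone only once so a re-run does not fail on
# the existing checkout; -f so the symlink is refreshed rather than failing.
# Consider pinning the clone to a release tag for reproducibility.
cd /usr/local/src || exit 1
[ -d brush ] || git clone https://github.com/backdrop-contrib/brush.git || exit 1
ln -sf /usr/local/src/brush/brush /usr/local/bin/brush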

10) Installing and configuring fail2ban

To check the status of an activated jail in fail2ban, run the command below:
fail2ban-client status sshd

To unban an IP address, use the following command.

fail2ban-client set [JAIL-NAME] unbanip [IP-ADDRESS]

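dnf -y install fail2ban || exit 1

# Start and enable
systemctl enable fail2ban
systemctl start fail2ban

# Replace the local fail2ban configuration. A quoted heredoc writes the text
# verbatim and `>` replaces the file (no rm needed). The original used
# `echo "..."` containing unescaped double quotes, so the shell silently
# stripped every quote from the comments and the file differed from what was
# written here.
# ignoreip exempts loopback, a private subnet and one public address (the
# author's VPN, per the comment) from banning — review before deploying
# elsewhere.
# The proftpd, postfix, dovecot and postfix-sasl jails are enabled although
# this page's firewall step removes those services; with backend=systemd a
# jail whose filter provides no journalmatch may fail to start. Check
# `fail2ban-client status` after the restart.
cat > /etc/fail2ban/jail.local <<'EOF'
[DEFAULT]
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host that matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
# VPN's ip address and subnet
ignoreip = 127.0.0.1/8 10.0.0.1/24 66.160.206.199

# "bantime" is the number of seconds that a host is banned.
bantime = 60m
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 5m
# "maxretry" is the number of failures before a host gets banned.
maxretry = 5
# "backend" specifies the backend used to get files modification.
# systemd: uses systemd python library to access the systemd journal.
# Specifying "logpath" is not valid for this backend.
# See "journalmatch" in the jails associated filter config
backend=systemd

[sshd]
enabled = true
port = ssh
action = firewallcmd-ipset
logpath = %(sshd_log)s

[webmin-auth]
enabled = true
port    = 19955

[proftpd]
enabled  = true
port     = ftp,ftp-data,ftps,ftps-data

[postfix]
enabled  = true
port     = smtp,465,submission

[dovecot]
enabled = true
port    = pop3,pop3s,imap,imaps,submission,465,sieve

[postfix-sasl]
enabled  = true
port     = smtp,465,submission,imap,imaps,pop3,pop3s
EOF

# Restart fail2ban
systemctl restart fail2ban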