- Install OS (CentOS)
- yum update
- SELinux: allow sshd on a non-default port
- # yum provides semanage
# yum install policycoreutils-python
# semanage port -a -t ssh_port_t -p tcp 2234
- firewall: firewall-cmd --permanent --zone=public --add-port=2234/tcp && firewall-cmd --reload
- # yum provides semanage
- add the iptables rules to autostart:
- create a file with the rules at /iptables/iptables_ruls.sh
-
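#!/bin/bash
# iptables ruleset for a CentOS gateway with one WAN (ens192) and one LAN
# (ens224) interface: default DROP on every chain, loopback and LAN trusted,
# stateful accept of established traffic, NAT for the LAN, two RDP port
# forwards from the WAN, SSH from the WAN on port 2200 only, and a FORWARD
# blocklist driven by the "ban" ipset. The final ruleset is saved to
# /etc/sysconfig/iptables.
#
# NOTE(review): these notes also configure the host with firewall-cmd;
# firewalld and a hand-written iptables ruleset overwrite each other, so only
# one of the two should be active on the box.
set -u

# A rule that fails to load is reported with its line number but does not
# abort the script: stopping halfway, after the DROP policies are set and
# before the accept rules are in, would lock out the SSH session this is
# normally run from.
trap 'printf "iptables rule at line %s failed\n" "$LINENO" >&2' ERR

export IPT="iptables"
# External interface
export WAN=ens192
export WAN_IP=x.x.x.x   # placeholder; no rule below references it
# Local network
export LAN1=ens224
export LAN1_IP_RANGE=10.1.1.0/24

# Rate limit shared by every LOG rule so a packet flood cannot fill the log.
log_limit=(-m limit --limit 10/min --limit-burst 20)

# Flush all rules in filter, nat and mangle and delete user-defined chains
"$IPT" -F
"$IPT" -F -t nat
"$IPT" -F -t mangle
"$IPT" -X
"$IPT" -t nat -X
"$IPT" -t mangle -X

# Default policy: drop everything that is not explicitly allowed below
"$IPT" -P INPUT DROP
"$IPT" -P OUTPUT DROP
"$IPT" -P FORWARD DROP

# Trust loopback and the whole LAN
"$IPT" -A INPUT -i lo -j ACCEPT
"$IPT" -A INPUT -i "$LAN1" -j ACCEPT
"$IPT" -A OUTPUT -o lo -j ACCEPT
"$IPT" -A OUTPUT -o "$LAN1" -j ACCEPT

# ICMP types needed for ping, traceroute and path-MTU discovery
for icmp_type in echo-reply destination-unreachable time-exceeded echo-request; do
  "$IPT" -A INPUT -p icmp --icmp-type "$icmp_type" -j ACCEPT
done

# The server itself may open any outgoing connection
"$IPT" -A OUTPUT -o "$WAN" -j ACCEPT
#"$IPT" -A INPUT -i "$WAN" -j ACCEPT

# Stateful accept of established connections and their related traffic
for chain in INPUT OUTPUT FORWARD; do
  "$IPT" -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
done

# Drop packets conntrack cannot classify
"$IPT" -A INPUT -m state --state INVALID -j DROP
"$IPT" -A FORWARD -m state --state INVALID -j DROP

# Drop NULL packets (no TCP flags set)
"$IPT" -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# Drop new TCP connections that do not start with SYN
"$IPT" -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# The OUTPUT rule below is never reached: every outgoing interface is already
# accepted above. Kept as in the original ruleset.
"$IPT" -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP

# Block access from specific addresses
#"$IPT" -A INPUT -s 84.122.21.197 -j REJECT

# Blocklist: drop traffic from any source in the "ban" ipset. The rules are
# inserted with -I, so the final order at the head of FORWARD is
# LOG "IPSET BLOCK" -> DROP -> LOG "IPSET ALLOW" -> the rules appended above.
if command -v ipset >/dev/null 2>&1; then
  # "-m set" fails, leaving the ban silently unapplied, when the set does
  # not exist yet. hash:ip is assumed here; adjust if another tool owns the set.
  ipset list ban >/dev/null 2>&1 || ipset create ban hash:ip
  "$IPT" -I FORWARD "${log_limit[@]}" -j LOG --log-prefix "IPSET ALLOW"
  "$IPT" -I FORWARD -m set --match-set ban src -j DROP
  "$IPT" -I FORWARD -m set --match-set ban src "${log_limit[@]}" -j LOG --log-prefix "IPSET BLOCK"
  # The original applied the ban only to forwarded traffic, so a banned source
  # could still reach services on the gateway itself; drop it on INPUT too.
  "$IPT" -I INPUT -m set --match-set ban src -j DROP
else
  printf 'ipset is not installed; "ban" blocklist rules were skipped\n' >&2
fi

# Port forwards from the WAN to RDP on two LAN hosts (WAN port:LAN host).
# NOTE(review): this exposes RDP to the whole internet; adding -s with the
# known client addresses to the PREROUTING rules would shrink that exposure.
for fwd in 3390:10.1.1.51 3391:10.1.1.55; do
  wan_port=${fwd%%:*}
  lan_host=${fwd#*:}
  "$IPT" -t nat -A PREROUTING -p tcp --dport "$wan_port" -i "$WAN" -j DNAT --to "${lan_host}:3389"
  "$IPT" -A FORWARD -i "$WAN" -d "$lan_host" -p tcp -m tcp --dport 3389 -j ACCEPT
done

# LAN may reach the outside; nothing else new from the WAN into the LAN
"$IPT" -A FORWARD -i "$LAN1" -o "$WAN" -j ACCEPT
"$IPT" -A FORWARD -i "$WAN" -o "$LAN1" -j REJECT

# NAT the LAN behind the WAN address
"$IPT" -t nat -A POSTROUTING -o "$WAN" -s "$LAN1_IP_RANGE" -j MASQUERADE

# SSH from the WAN: accept on 2200, log and drop 22 and 80. Established
# packets are already accepted above, so these LOG rules only see new
# connection attempts.
# NOTE(review): the semanage/firewall-cmd step in these notes uses port 2234
# while this rule opens 2200 — confirm which port sshd really listens on.
# NOTE(review): later steps in these notes install httpd; if it must be
# reachable from the WAN, replace the port 80 DROP with the commented ACCEPT
# in the web-server section below.
#"$IPT" -A INPUT -i "$WAN" -p tcp --dport 3390 -j ACCEPT
#"$IPT" -A INPUT -i "$WAN" -p tcp --dport 3391 -j LOG --log-prefix "IP port 3391"
#"$IPT" -A INPUT -i "$WAN" -p tcp --dport 3391 -j DROP
#"$IPT" -A INPUT -i "$WAN" -p tcp --dport 3391 -j ACCEPT
# The original prefix on this LOG rule said "DROP" although the next rule accepts.
"$IPT" -A INPUT -i "$WAN" -p tcp --dport 2200 "${log_limit[@]}" -j LOG --log-prefix "IP ACCEPT SSH 2200"
"$IPT" -A INPUT -i "$WAN" -p tcp --dport 2200 -j ACCEPT
"$IPT" -A INPUT -i "$WAN" -p tcp --dport 22 "${log_limit[@]}" -j LOG --log-prefix "IP DROP SSH 22"
"$IPT" -A INPUT -i "$WAN" -p tcp --dport 22 -j DROP
"$IPT" -A INPUT -i "$WAN" -p tcp --dport 80 "${log_limit[@]}" -j LOG --log-prefix "IP DROP WEB 80"
"$IPT" -A INPUT -i "$WAN" -p tcp --dport 80 -j DROP

# Mail server (disabled)
#"$IPT" -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
#"$IPT" -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
#"$IPT" -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
#"$IPT" -A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
#"$IPT" -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
#"$IPT" -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT

# Web server (disabled)
#"$IPT" -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
#"$IPT" -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

# DNS server (disabled)
#"$IPT" -A INPUT -i "$WAN" -p udp --dport 53 -j ACCEPT

# Log-then-drop chains for everything that reaches the end of each chain (disabled)
#"$IPT" -N block_in
#"$IPT" -N block_out
#"$IPT" -N block_fw
#"$IPT" -A INPUT -j block_in
#"$IPT" -A OUTPUT -j block_out
#"$IPT" -A FORWARD -j block_fw
#"$IPT" -A block_in -j LOG --log-level info --log-prefix "--IN--BLOCK"
#"$IPT" -A block_in -j DROP
#"$IPT" -A block_out -j LOG --log-level info --log-prefix "--OUT--BLOCK"
#"$IPT" -A block_out -j DROP
#"$IPT" -A block_fw -j LOG --log-level info --log-prefix "--FW--BLOCK"
#"$IPT" -A block_fw -j DROP

# Persist the ruleset where the iptables service restores it from at boot
/sbin/iptables-save > /etc/sysconfig/iptables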
- chmod +x /iptables/iptables_ruls.sh
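# Restore the saved ruleset at boot. iptables-restore reads the iptables-save
# format, not a shell script, so it must be pointed at the file the rules
# script writes (/etc/sysconfig/iptables), not at /iptables/iptables_ruls.sh.
printf '%s\n' '/sbin/iptables-restore < /etc/sysconfig/iptables' >> /etc/rc.d/rc.local
# On CentOS 7 rc.local is only executed when it carries the executable bit.
chmod +x /etc/rc.d/rc.local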
- yum install -y mc mtr nano open-vm-tools screen wget nmap unzip yum-utils net-tools
- install htop
- wget dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-7-11.noarch.rpm
- rpm -ihv epel-release-7-11.noarch.rpm
- yum install htop
- yum install yum-utils epel-release -y
- install dhcpd
- yum install dhcp
- vi /etc/dhcp/dhcpd.conf
-
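#
# DHCP Server Configuration file.
# see /usr/share/doc/dhcp*/dhcpd.conf.example
# see dhcpd.conf(5) man page
#
# Two /24 subnets, each with a dynamic pool .100-.200, and two machines
# pinned to fixed addresses by MAC.
#
log-facility local6;
default-lease-time 600;
max-lease-time 7200;

subnet 10.1.1.0 netmask 255.255.255.0 {
  range 10.1.1.100 10.1.1.200;
  option domain-name-servers 8.8.8.8, 8.8.4.4;
  option domain-name "DC.ksi.kiev.ua";
  option routers 10.1.1.1;
  option broadcast-address 10.1.1.255;
}

subnet 10.2.1.0 netmask 255.255.255.0 {
  range 10.2.1.100 10.2.1.200;
  option domain-name-servers 8.8.8.8, 8.8.4.4;
  option domain-name "DC.ksi.kiev.ua";
  option routers 10.2.1.1;
  option broadcast-address 10.2.1.255;
}

## reservations
# The original declared "host 1" and "host 2" once inside each subnet, which
# dhcpd rejects: host declaration names must be unique across the config, and
# the "##reservation" comment had swallowed the first "host 2 {" line, so the
# braces did not balance. One global declaration per machine listing both
# addresses does the same job: dhcpd hands out the fixed-address that lies on
# the subnet the client is attached to. The names host1/host2 are labels
# chosen here and can be anything unique.
host host2 {
  hardware ethernet 00:0C:29:5C:EE:11;
  fixed-address 10.1.1.51, 10.2.1.51;
}

host host1 {
  hardware ethernet 00:0c:29:db:a9:19;
  fixed-address 10.1.1.55, 10.2.1.55;
}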
- Edit /etc/systemd/system/dhcpd.service
#
[Unit]
Description=DHCPv4 Server Daemon
Documentation=man:dhcpd(8) man:dhcpd.conf(5)
Wants=network-online.target
After=network-online.target
After=time-sync.target

[Service]
Type=notify
ExecStart=/usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user dhcpd -group dhcpd --no-pid

[Install]
WantedBy=multi-user.target
- systemctl disable dhcpd
- systemctl enable dhcpd
- service dhcpd start/stop
- service dhcpd enable
- allow IP forwarding
- $ sysctl -w net.ipv4.ip_forward=1
- vi /etc/sysctl.conf
- net.ipv4.ip_forward = 1
- install httpd
- cd /etc/yum.repos.d && wget https://repo.codeit.guru/codeit.el`rpm -q --qf "%{VERSION}" $(rpm -q --whatprovides redhat-release)`.repo
- yum info httpd shows the version of the httpd package; it should be the latest
- yum install httpd
- systemctl start httpd
- systemctl enable httpd
- sudo firewall-cmd --add-service=http --permanent
- sudo firewall-cmd --reload
- install MariaDB
- sudo tee /etc/yum.repos.d/MariaDB.repo<<EOF
[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.4/centos7-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1
EOF
- sudo yum makecache fast
- sudo yum info mariadb-server mariadb
- sudo yum -y install MariaDB-server MariaDB-client
- sudo systemctl enable --now mariadb
- sudo systemctl start --now mariadb
- sudo mysql_secure_installation
- Uninstall MariaDB if needed
- systemctl stop mariadb.service
- yum remove MariaDB-server MariaDB-client
- systemctl status mariadb.service
- rm /usr/share/mysql
- remove the MariaDB libs
- yum shell
-
remove mariadb-libs, then run
- or: rpm -qa | grep mariadb-libs, then rpm -ev {package}
- systemctl restart httpd
- sudo yum-config-manager --enable remi-php72
- sudo tee /etc/yum.repos.d/MariaDB.repo<<EOF
- Install PHP 7.3
- sudo rpm -Uvh http://rpms.famillecollet.com/enterprise/remi-release-7.rpm
- yum --enablerepo=remi-php73 install php php-mysql php-mbstring
- yum info php-fpm
- php73-php-fpm.x86_64
- yum --enablerepo=remi-php73 search php | grep php73
- Install PHP 5.6 (if need)
- yum install http://rpms.remirepo.net/enterprise/remi-release-7.rpm
- yum-config-manager --enable remi-php56
- yum install php php-mcrypt php-cli php-gd php-curl php-mysql php-ldap php-zip php-fileinfo php-fpm
- Disable SELinux
- show status
- sestatus
- vi /etc/selinux/config and set:
SELINUX=disabled
- show status
- Install PhpMyAdmin
- wget https://files.phpmyadmin.net/phpMyAdmin/4.9.0.1/phpMyAdmin-4.9.0.1-all-languages.zip
- unzip phpMyAdmin-4.9.0.1-all-languages.zip
- cd /var/www/html/phpmyadmin
- mv phpMyAdmin-4.9.0.1-all-languages /var/www/html/phpmyadmin
- cp config.sample.inc.php config.inc.php
- chmod -R 755 phpmyadmin/
18 июль2019