18 июль2019

setup web server apache+php7.3+mariyaDB+phpMyAdmin

Written by Super User. Posted in Articles Unix

Create article based on Link2

  1. Install OS (CentOS)
  2. yum update
  3. SELinux with diff port sshd
    1. # yum provides semanage
      # yum install policycoreutils-python
      # semanage port -a -t ssh_port_t -p tcp 2234
    2. firewall   firewall-cmd --permanent --zone=public --add-port=2234/tcp  && firewall-cmd --reload
  4. add iptables rules to autoruns:
    1. creat file with rules    /iptables/iptables_ruls.sh
    2. #!/bin/bash

export IPT="iptables"

# Внешний интерфейс
export WAN=ens192
export WAN_IP=x.x.x.x

# Локальная сеть
export LAN1=ens224
export LAN1_IP_RANGE=10.1.1.0/24

# Очищаем правила
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X

# Запрещаем все, что не разрешено
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

# Разрешаем localhost и локалку
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -i $LAN1 -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -o $LAN1 -j ACCEPT

# Рзрешаем пинги
$IPT -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Разрешаем исходящие подключения сервера
$IPT -A OUTPUT -o $WAN -j ACCEPT
#$IPT -A INPUT -i $WAN -j ACCEPT

# разрешаем установленные подключения
$IPT -A INPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -p all -m state --state ESTABLISHED,RELATED -j ACCEPT

# Отбрасываем неопознанные пакеты
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A FORWARD -m state --state INVALID -j DROP

# Отбрасываем нулевые пакеты
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# Закрываемся от syn-flood атак
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
$IPT -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP

# Блокируем доступ с указанных адресов
#$IPT -A INPUT -s 84.122.21.197 -j REJECT


#Дропаем негодяев
#filter all FORWARD  $IPT -I FORWARD -j LOG --log-prefix "IPSET ALLOW"
$IPT -I FORWARD -m set --match-set ban src -j DROP
$IPT -I FORWARD -m set --match-set ban src -j LOG --log-prefix "IPSET BLOCK"


# Пробрасываем порт в локалку
$IPT -t nat -A PREROUTING -p tcp --dport 3390 -i ${WAN} -j DNAT --to 10.1.1.51:3389
$IPT -A FORWARD -i $WAN -d 10.1.1.51 -p tcp -m tcp --dport 3389 -j ACCEPT

$IPT -t nat -A PREROUTING -p tcp --dport 3391 -i ${WAN} -j DNAT --to 10.1.1.55:3389
$IPT -A FORWARD -i $WAN -d 10.1.1.55 -p tcp -m tcp --dport 3389 -j ACCEPT


# Разрешаем доступ из локалки наружу
$IPT -A FORWARD -i $LAN1 -o $WAN -j ACCEPT
# Закрываем доступ снаружи в локалку
$IPT -A FORWARD -i $WAN -o $LAN1 -j REJECT

# Включаем NAT
$IPT -t nat -A POSTROUTING -o $WAN -s $LAN1_IP_RANGE -j MASQUERADE

# открываем доступ к SSH
#$IPT -A INPUT -i $WAN -p tcp --dport 3390 -j ACCEPT
#$IPT -A INPUT -i $WAN -p tcp --dport 3391 -j LOG --log-prefix "IP port 3391"
#$IPT -A INPUT -i $WAN -p tcp --dport 3391 -j DROP

#$IPT -A INPUT -i $WAN -p tcp --dport 3391 -j ACCEPT
$IPT -A INPUT -i $WAN -p tcp --dport 2200 -j LOG --log-prefix "IP DROP SSH 2200"
$IPT -A INPUT -i $WAN -p tcp --dport 2200 -j ACCEPT
$IPT -A INPUT -i $WAN -p tcp --dport 22 -j LOG --log-prefix "IP DROP SSH 22"
$IPT -A INPUT -i $WAN -p tcp --dport 22 -j DROP

$IPT -A INPUT -i $WAN -p tcp --dport 80 -j LOG --log-prefix "IP DROP WEB 80"
$IPT -A INPUT -i $WAN -p tcp --dport 80 -j DROP

# Открываем доступ к почтовому серверу
#$IPT -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
#$IPT -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
#$IPT -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
#$IPT -A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
#$IPT -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
#$IPT -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT

#Открываем доступ к web серверу
#$IPT -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
#$IPT -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

#Открываем доступ к DNS серверу
#$IPT -A INPUT -i $WAN -p udp --dport 53 -j ACCEPT

# Включаем логирование
#$IPT -N block_in
#$IPT -N block_out
#$IPT -N block_fw

#$IPT -A INPUT -j block_in
#$IPT -A OUTPUT -j block_out
#$IPT -A FORWARD -j block_fw

#$IPT -A block_in -j LOG --log-level info --log-prefix "--IN--BLOCK"
#$IPT -A block_in -j DROP
#$IPT -A block_out -j LOG --log-level info --log-prefix "--OUT--BLOCK"
#$IPT -A block_out -j DROP
#$IPT -A block_fw -j LOG --log-level info --log-prefix "--FW--BLOCK"
#$IPT -A block_fw -j DROP

# Сохраняем правила
/sbin/iptables-save  > /etc/sysconfig/iptables
    3. chmod +x /iptables/iptables_ruls.sh 
      echo "/sbin/iptables-restore < /iptables/iptables_ruls.sh " >> /etc/rc.d/rc.local
  5. yum install -y mc mtr nano open-vm-tools screen wget nmap unzip yum-utils net-tools
  6. install htop
    1. wget dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-7-11.noarch.rpm
    2. rpm -ihv epel-release-7-11.noarch.rpm
    3.  yum install htop
  7. yum install yum-utils epel-release -y
  8. install dhcpd
    1.  yum install dhcp
    2.  vi /etc/dhcp/dhcpd.conf

    3. #
      # DHCP Server Configuration file.
      # see /usr/share/doc/dhcp*/dhcpd.conf.example
      # see dhcpd.conf(5) man page
      #
      log-facility local6;

      default-lease-time 600;
      max-lease-time 7200;

      subnet 10.1.1.0 netmask 255.255.255.0 {
      range 10.1.1.100 10.1.1.200;
      option domain-name-servers 8.8.8.8, 8.8.4.4;
      option domain-name "DC.ksi.kiev.ua";
      option routers 10.1.1.1;
      option broadcast-address 10.1.1.255;
      ##reservation 

      host 2 {
      hardware ethernet 00:0C:29:5C:EE:11; fixed-address 10.1.1.51;
      }

      host 1 {
      hardware ethernet 00:0c:29:db:a9:19; fixed-address 10.1.1.55;
      }

      }

      subnet 10.2.1.0 netmask 255.255.255.0 {
      range 10.2.1.100 10.2.1.200;
      option domain-name-servers 8.8.8.8, 8.8.4.4;
      option domain-name "DC.ksi.kiev.ua";
      option routers 10.2.1.1;
      option broadcast-address 10.2.1.255;
      ##reservation 

      host 2 {
      hardware ethernet 00:0C:29:5C:EE:11; fixed-address 10.2.1.51;
      }

      host 1 {
      hardware ethernet 00:0c:29:db:a9:19; fixed-address 10.2.1.55;
      }

      }
    4. Edit /etc/systemd/system/dhcpd.service

      #

      [Unit]
      Description=DHCPv4 Server Daemon
      Documentation=man:dhcpd(8) man:dhcpd.conf(5)
      Wants=network-online.target
      After=network-online.target
      After=time-sync.target

      [Service]
      Type=notify
      ExecStart=/usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user dhcpd -group dhcpd --no-pid

      [Install]
      WantedBy=multi-user.target
    5. systemctl disable dhcpd
    6. systemctl enable dhcpd
    7. service dhcpd start/stop
    8.  service dhcpd enable
  9. allow IP forwarding
    1. $ sysctl -w net.ipv4.ip_forward=1
    2. vi /etc/sysctl.conf
    3. net.ipv4.ip_forward = 1
  10. install httpd
    1.  cd /etc/yum.repos.d && wget https://repo.codeit.guru/codeit.el`rpm -q --qf "%{VERSION}" $(rpm -q --whatprovides redhat-release)`.repo
    2. yum info httpd   show version pakeges httpd, would latest
    3. yum install httpd
    4. systemctl start httpd
    5. systemctl enable httpd
  11. sudo firewall-cmd --add-service=http --permanent
  12. sudo firewall-cmd --reload
  13. install mariyaDB
    1. sudo tee /etc/yum.repos.d/MariaDB.repo<<EOF
      [mariadb]
      name = MariaDB
      baseurl = http://yum.mariadb.org/10.4/centos7-amd64
      gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
      gpgcheck=1
      EOF
    2. sudo yum makecache fast
    3. sudo yum info mariadb-server mariadb
    4. sudo yum -y install MariaDB-server MariaDB-client
    5. sudo systemctl enable --now mariadb
    6. sudo systemctl start --now mariadb
    7. sudo mysql_secure_installation
    8. Unistall if need mariyaDB
      1. systemctl stop mariadb.service
      2. yum remove MariaDB-server MariaDB-client
      3. systemctl status mariadb.service
      4. rm /usr/share/mysql
      5. remove libs mariyaDB
        1. yum shell

        2. remove mariadb-libs & runs

        3. or   rpm -qa | grep mariadb-libs and rpm -ev {pakage}
    9. systemctl restart httpd
    10. sudo yum-config-manager --enable remi-php72
  14. Install PHP 7.3
    1. sudo rpm -Uvh http://rpms.famillecollet.com/enterprise/remi-release-7.rpm
    2.  yum --enablerepo=remi-php73 install php php-mysql  php-mbstring 
    3.  yum info php-fpm
    4. php73-php-fpm.x86_64
    5. yum --enablerepo=remi-php73 search php | grep php73
  15. Install PHP 5.6 (if need)
    1. yum install http://rpms.remirepo.net/enterprise/remi-release-7.rpm
    2. yum-config-manager --enable remi-php56
    3. yum install php php-mcrypt php-cli php-gd php-curl php-mysql php-ldap php-zip php-fileinfo php-fpm
  16. Disable SELinux
    1. show status   
      1. sestatus
    2. vi /etc/selinux/config     -->   
      SELINUX=disabled
  17. Install PhpMyAdmin
    1. wget https://files.phpmyadmin.net/phpMyAdmin/4.9.0.1/phpMyAdmin-4.9.0.1-all-languages.zip
    2. unzip phpMyAdmin-4.9.0.1-all-languages.zip
    3. cd /var/www/html/phpmyadmin
    4. mv phpMyAdmin-4.9.0.1-all-languages  /var/www/html/phpmyadmin
    5. cp config.sample.inc.php config.inc.php
    6. chmod -R 755 phpmyadmin/

Комментарии   

0 #1 Super User 12.09.2019 09:36
рад рассмотреть замечания:)
Цитировать