New server build - Terminal/CLI only
I am working to build a server without any panel. I've used cPanel, DirectAdmin and CentOS Web Panel mostly. This means I never really got down and dirty with apache, php, or security. I'm doing this to learn, to make a lean server, and why not?
Essentially, I am making a file in notepad++ to copy and paste commands in CLI, so that I can rebuild a server in short order. It won't be a commercial server..just for my own personal use.
I'm looking for your inputs to see what I've missed or could do better.
Add Users
-- Add users to sudoers
-- change passwords
-- create .ssh dirs, set perms, and populate for cert login
Disable/modify sshd_config
-- set root login without-password
-- turn on pub key auth
-- AllowUsers for my users
Install initial tools via yum
Set hostname and hosts in /etc
Update kernel to 5.x
- Generate a new grub2 config and set to new kernel
- Remove most old kernels
Reboot
Set BBR
Install PHP7.2 and httpd
-- Start/enable httpd
-- Configure for virtual hosts
-- Generate test index.html file
Set time/timezone/NTP
- Install rar and 7zip
- Add alias lines to .bashrc
- Yum update everything
Install fail2ban
-- set options in jail.local
-- enable and start
Install certbot and generate certs with https redirects and cron job
Install CSF
-- Use sed to modify TCP_IN (UDP, in/out too) for only the ports I'll be using
-- enable/start csf and lfd
Attach storage, modify fstab
- Set perms for extra HDD drive (file storage)
Secure web dirs as needed
-- use htpasswd to generate password file
-- use .htaccess to set Authtype Basic
-- chmod 640 to the .htaccess file
Final yum update
- Reboot
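The sshd_config steps in the list above (Port, PermitRootLogin, PubkeyAuthentication, AllowUsers), written as an added shell example that is not from the original post. It assumes a CentOS-style /etc/ssh/sshd_config and a systemd sshd unit; the function names are the example's own.

```shell
#!/usr/bin/env bash
# Added example: idempotently apply the sshd_config changes from the checklist
# (Port, PermitRootLogin, PubkeyAuthentication, AllowUsers) to a given file.
set -eu

# set_sshd_directive FILE KEY VALUE
# Drop every existing active or commented-out line for KEY, then put the new
# directive at the top of the file so it lands before any Match block
# (sshd uses the first value it sees for a keyword).
set_sshd_directive() {
    local file="$1" key="$2" value="$3" tmp
    tmp="$(mktemp)"
    {
        printf '%s %s\n' "$key" "$value"
        grep -Ev "^[#[:space:]]*${key}([[:space:]]|$)" "$file" || true
    } > "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"   # keeps the original owner/mode of FILE
}

# get_sshd_directive FILE KEY -> first active value, i.e. what sshd will use
get_sshd_directive() {
    awk -v k="$2" '$1 == k { sub("^" k "[ \t]+", ""); print; exit }' "$1"
}

# harden_sshd_config FILE PORT USER [USER...]
harden_sshd_config() {
    local file="$1" port="$2"
    shift 2
    set_sshd_directive "$file" Port "$port"
    # "without-password" in the checklist is the older spelling of this value
    set_sshd_directive "$file" PermitRootLogin prohibit-password
    set_sshd_directive "$file" PubkeyAuthentication yes
    set_sshd_directive "$file" AllowUsers "$*"
}

# Only touch the live config when explicitly asked:
#   sudo ./harden_sshd.sh --apply 2222 alice bob
if [ "${1:-}" = "--apply" ]; then
    shift
    cp -p /etc/ssh/sshd_config "/etc/ssh/sshd_config.$(date +%Y%m%d%H%M%S).bak"
    harden_sshd_config /etc/ssh/sshd_config "$@"
    sshd -t                  # syntax-check before reloading
    systemctl reload sshd    # keep this session open until a fresh key login works
fi
```

Run it against a copy of the file first; the backup and `sshd -t` are what save you when a typo would otherwise lock you out of the box.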
Comments
Don't do it that way, it is crazy. Learn an orchestration tool like ansible or saltstack. Then you just run a script to remotely install everything when you spin up a new server.
I want to learn the basics first...ansible is after I get smarter.
Looks clean, I'd do the ntp earlier to make troubleshooting easier.
Httpd is there, do you need mariadb/mysql?
Unclear if this is for vm or dedi, may want to monitor raid health if the latter.
Postfix/config for root account recipient
Maybe something like vnstat to give you network usage statistics over time?
Not yet, not sure what will go on this box. Right now it's not doing a whole lot. I'll find a purpose.
It's a VPS / KVM.
I didn't install postfix, but it's there, and I installed mutt to read the emails. Got the excessive resources emails already.
I'll use hetrix to keep an eye on what's happening on the server.
I did the same when I got my hands on a Debian VPS for the first time. Made a .txt file containing all commands which I run whenever I make a clean Debian based VPS. But I don't deal with this GRUB, bootloader etc. as I use the template provided by provider. Need to learn ansible or saltstack though, seems like it will make life easy.
Sure no worries don't need to monitor raid then.
I thought the purpose was what to do to install a new server though, best not to rely on what might be in a base install and over plan.
Good call, but I was more thinking something to monitor your bandwidth usage to compare to your host if they ever claimed overuse etc.
It seems you have performed everything required to set up a server, however I just want to remind you to change SSH port to non-standard port.
Good tip. Got it in sshd_config.
That's a good point too. I didn't go very far in a 'generic' build; there are a lot of hard-coded paths/files that only point to this domain. Have to work on that.
Why are you installing fail2ban and CSF together?
I thought one was a firewall, the other more like an IDS. I really only use fail2ban for SSH port though, and if it's a changed port, it probably won't be hammered much.
Don't forget that a little bit of swap is always advisable ;-)
Can you share the file when you're ready? I'm too lazy to do my own.
I think it's better this way than going straight up to something like that.
Certainly learn how to do everything by hand before automating it. But trying to run everything from a giant static script means a lot of ways to go wrong. Everyone's templates vary and something like ansible can allow for that.
A couple suggestions:
1) DigitalOcean and Linode have excellent provisioning tutorials; they will save you a lot of time.
2) If you are primarily focused on a no-panel option, why don't you try either easyengine.io or webinoly.com. Both are open source CLI server management and well tested.
Good luck.
That's a pretty slick way to get a server up fast! Just one command!
Most definitely. I think ansible will be the way to go.
Definitely set up at least 1 server completely from scratch, you can use the provider templates as a good starting point and build from there. You will learn so much about Linux and the location of various files etc that will be useful to you in your journey.
This. I've found it varies wildly depending on setup--it's a lot to keep track of.
Webroot lives either at /home/user/public_html or /var/www/examplecom/html
Web users, nobody vs apache
httpd.conf is at /usr/local/apache/conf or /etc/httpd/conf
And that's comparing with just Centos7 and CWP. I'm sure it also changes for other control panels, and other distros...
Please don't.
Is there a specific reason for this? RH backports lots of stuff to their kernel, and while the stock kernel is 3.10, it's not a vanilla 3.10 kernel.
I would disable root login via SSH altogether. You don't really lose anything, and if the server is borked, you'll probably need to login via the console anyway.
It's better to start from scratch if you want to learn for sure. Do not use ready templates. If the server breaks, this is good: you will know what you have done wrong and re-do it. It is good, when a server is fully ready for work, to create an image of the OS. Good Luck
No, not really. I wanted to use BBR, and that needed (I think) 4.9, so I figured since I was updating, get the latest.
Yes. Lots and lots of this. I probably reloaded this latest one 4 times already.
If you want to automate adding users, setting up ssh keys, etc, and it's for your own use - Spin up a VM and create a FreeIPA server. Then you can just join the servers to the kerberos/IPA realm and you'll have access to all of them via the same credentials as your IPA.
You'd just install the freeipa-client software, and the only other command you'd have to run to setup your NTP, ssh, users, etc is:
# ipa-client-install --mkhomedir
You can also add bash functions to .bashrc:
This for example
hh () { history | grep "$1" ; }
will use hh to grep text in command history
So
hh xyz
will be equal to history | grep xyz
Why hh?
Because 'h' is already an alias for history command in my .bashrc....