Server Setup Helper
#################################
# General Program Installations #
#################################
# base admin tooling: process/IO viewers (htop, iotop), terminal multiplexer (screen),
# archivers (bzip2, unzip), parallel, wget, nano, dos2unix, nmap
yum install -y \
    htop screen bzip2 unzip parallel wget nano dos2unix nmap iotop
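###########################
# Install Git from Source #
###########################
yum -y groupinstall 'Development Tools'
yum -y install dh-autoreconf curl-devel expat-devel gettext-devel openssl-devel perl-devel zlib-devel
# pick a release tag from https://github.com/git/git/releases and name it explicitly:
# the original used a "v*" glob inside the URL, which wget cannot expand (it is not a shell glob)
GIT_VERSION=__GIT_VERSION__
cd /usr/src/
wget "https://github.com/git/git/archive/v${GIT_VERSION}.tar.gz"
# GitHub's auto-generated archive tarballs are not signed by the git project, so pin a SHA-256
# recorded from a trusted source and check it before anything gets built as root
echo "__EXPECTED_SHA256__  v${GIT_VERSION}.tar.gz" | sha256sum -c -
tar -zxvf "./v${GIT_VERSION}.tar.gz"
cd "git-${GIT_VERSION}/"
make configure
./configure --prefix=/usr/local
make install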
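##############################################################
# fix forwarded IP addresses from load balancers, cloudflare #
##############################################################
# EPEL 6 release package. This is fetched over plain http; prefer an https mirror and verify the
# rpm's signature against the EPEL key obtained out of band -- rpm -Uvh only warns (NOKEY) when
# it cannot check the signature, it does not refuse.
rpm -Uvh http://download.fedora.redhat.com/pub/epel/6/x86_64/epel-release-6-5.noarch.rpm
yum -y update
yum -y install mod_extract_forwarded
# MEFaccept lists the ONLY peers whose forwarded-IP header is trusted. Put just the LB / CloudFlare
# addresses seen in REMOTE_ADDR here -- anything broader lets any client spoof its source address
# to the application.
# NOTE(review): httpd's conf.d include normally only loads *.conf; confirm the config file name the
# package installs before appending to it.
echo "MEFaccept X.X.X.X" >> /etc/httpd/conf.d/mod_extract_forwarded # X.X.X.X = IP from LB or IPs from CloudFlare that's seen in REMOTE_ADDR
service httpd restart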
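#####################
# new database/user #
#####################
-- application account: one schema, local connections only.
-- The original granted ALL PRIVILEGES ... WITH GRANT OPTION; GRANT OPTION lets this account hand
-- its rights to other accounts, which a web app never needs -- dropped here.
-- Don't type a real password at an interactive mysql prompt (it lands in ~/.mysql_history);
-- feed the statements from a file with restricted permissions instead.
CREATE DATABASE `__DATABASE__`;
CREATE USER '__USERNAME__'@'localhost' IDENTIFIED BY '__PASSWORD__';
GRANT ALL PRIVILEGES ON `__DATABASE__`.* TO '__USERNAME__'@'localhost';
FLUSH PRIVILEGES;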
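#####################
# MySQL Backup User #
#####################
-- separate read-only account for mysqldump -- NOT the application user above, so use distinct
-- credentials (the original reused the same __USERNAME__/__PASSWORD__ placeholders).
-- SELECT / LOCK TABLES / SHOW VIEW / EVENT / TRIGGER is what a dump of one schema including
-- views, events and triggers needs; no write privilege at all.
-- When the dump runs from cron, keep the password in an option file readable only by that
-- account (chmod 600) and pass it via --defaults-extra-file rather than on the command line.
CREATE USER '__BACKUP_USERNAME__'@'localhost' IDENTIFIED BY '__BACKUP_PASSWORD__';
GRANT SELECT, LOCK TABLES, SHOW VIEW, EVENT, TRIGGER ON `__DATABASE__`.* TO '__BACKUP_USERNAME__'@'localhost';
FLUSH PRIVILEGES;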
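##################
# new linux user #
##################
useradd USER_NAME
passwd USER_NAME
usermod -a -G apache USER_NAME
# site layout: /home/USER_NAME/domains/DOMAIN_NAME/{public_html,logs}
mkdir -p /home/USER_NAME/domains/DOMAIN_NAME/public_html
mkdir -p /home/USER_NAME/domains/DOMAIN_NAME/logs
# the original ran `chmod +x -R`, which marks every regular file executable too;
# capital X adds the search bit to directories (and already-executable files) only
chmod -R a+X /home/USER_NAME/
# home dir owned by root -- presumably so USER_NAME cannot change its top-level ownership/ACLs; keep if so
chown root /home/USER_NAME/
cd /home/USER_NAME/domains/DOMAIN_NAME/
# ACLs: rwx for the httpd user and USER_NAME on both trees, also as default (-d) for new entries.
# Giving apache write access to the whole docroot means a compromised PHP process can drop new
# executable files anywhere in it; narrow the apache entry to the subtrees that genuinely need
# writes (uploads, cache) where the site allows.
for d in public_html logs; do
    setfacl -R -m user:apache:rwx "./$d"
    setfacl -R -d -m user:apache:rwx "./$d"
    setfacl -R -m user:USER_NAME:rwx "./$d"
    setfacl -R -d -m user:USER_NAME:rwx "./$d"
done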
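###########################
# allow emails from httpd #
###########################
# -P makes the boolean persist across reboots
sudo setsebool -P httpd_can_sendmail 1
# The original also set httpd_can_network_connect=1, which lets httpd open outbound connections
# to anything -- far beyond "send email" and a convenient pivot for SSRF. Leave it off unless a
# specific outbound call is actually denied under SELinux; for a remote DB the narrower
# httpd_can_network_connect_db is enough.
#sudo setsebool -P httpd_can_network_connect 1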
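######################
# Permissions Issues #
######################
# run from the site's public_html (layout from the "new linux user" section); the setfacl lines
# at the end address ./public_html and ./logs from the parent dir, so the cwd is switched explicitly
cd /home/USER_NAME/domains/DOMAIN_NAME/public_html
find . -type f -exec chmod 664 {} +
find . -type d -exec chmod 775 {} +
# wp-config.php holds the DB credentials and salts: owner + apache group only, never world-readable
# (the blanket 664 above, and the original's explicit 664, left it readable by every local account)
chmod 640 wp-config.php
# core and writable content owned by the httpd user so in-app updates work. Trade-off: a compromised
# PHP process can then rewrite core; if in-app updates are not needed, keep core USER_NAME:apache
chown -R apache:apache wp-admin
chown -R apache:apache wp-includes
chown apache:apache wp-content
chown -R apache:apache wp-content/plugins
chown -R apache:apache wp-content/cache
chown -R apache:apache wp-content/upgrade
chown -R apache:apache wp-content/uploads
chown -R apache:apache wp-content/w3tc-config
chown -R USER_NAME:apache wp-content/themes
chown USER_NAME:apache wp-content/*.php
chown USER_NAME:apache *.php
chown USER_NAME:apache *.txt
chown USER_NAME:apache *.html
# ACLs: rwx for apache and USER_NAME on public_html and logs, also as default (-d) for new entries
cd ..
for d in public_html logs; do
    setfacl -R -m user:apache:rwx "./$d"
    setfacl -R -d -m user:apache:rwx "./$d"
    setfacl -R -m user:USER_NAME:rwx "./$d"
    setfacl -R -d -m user:USER_NAME:rwx "./$d"
done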
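##############################
# MySQL my.cnf Configuration #
##############################
[mysqld]
## Cache
table-definition-cache = 4096
table-open-cache = 4096
#table-open-cache-instances = 1
#thread-cache-size = 16
# query cache is gone in MySQL 8.0; the two lines below only apply to older servers
#query-cache-size = 32M
#query-cache-type = 1
## Per-thread Buffers
#join-buffer-size = 512K
#read-buffer-size = 512K
#read-rnd-buffer-size = 512K
#sort-buffer-size = 512K
## Temp Tables
max-heap-table-size = 128M
tmp-table-size = 128M
## Networking
# every account created in this file is @'localhost', so listen on loopback only;
# drop this line if a remote replica or client has to reach the server
bind-address = 127.0.0.1
#interactive-timeout = 3600
max-connections = 250
max-connect-errors = 1000000
max-allowed-packet = 32M
# no reverse DNS on connect; grants must then use IPs or 'localhost', never hostnames
skip-name-resolve
wait-timeout = 600
## MyISAM
key-buffer-size = 32M
#myisam-recover = FORCE,BACKUP
myisam-sort-buffer-size = 128M
## InnoDB
innodb-buffer-pool-size = 2G
# deprecated in 5.7 and removed in 8.0 (Barracuda is the only format there) -- remove on upgrade
innodb-file-format = Barracuda
#innodb-file-per-table = 1
#innodb-flush-method = O_DIRECT
innodb-log-file-size = 512M
## Data
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
## User
user=mysql
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0
## Slow Query Log
# if enabled, don't log to /tmp: the log contains query text (often data) and /tmp is shared and
# world-writable -- point it at a directory owned by the mysql user
#slow-query-log=1
#slow-query-log-file=/tmp/mysql_slow_queries.log
#long-query-time=2
#log-queries-not-using-indexes=1
[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid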
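##############################
# SSL Certificate Generation #
##############################
### Generate the dhparam.pem:
openssl dhparam -out /etc/ssl/nginx/dhparam.pem 2048
### .conf:
# SSL Installation on NGINX:
# https://support.comodo.com/index.php?/comodo/Knowledgebase/Article/View/1091/0/certificate-installation--nginx
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /etc/ssl/nginx/CERT_FILE.pem;
# private key: readable by root only (the master process loads it as root)
ssl_certificate_key /etc/ssl/nginx/CERT_FILE.key;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
# tickets off: a long-lived ticket key in worker memory would otherwise weaken forward secrecy
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/ssl/nginx/dhparam.pem;
# intermediate configuration.
# TLSv1 and TLSv1.1 (listed in the original) are deprecated; TLS 1.2 is the floor.
# Add TLSv1.3 here once nginx and OpenSSL on the host support it.
ssl_protocols TLSv1.2;
# original list minus the 3DES suites (*-DES-CBC3-SHA), which are 64-bit-block ciphers.
# The trailing non-(EC)DHE AES suites give no forward secrecy; keep them only while clients still need them.
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS';
ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
# `always` also sends the header on error responses (nginx >= 1.7.5; drop the word on older builds)
add_header Strict-Transport-Security max-age=15768000 always;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
## verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/ssl/nginx/CERT_FILE.ca-bundle;
# resolver used for the OCSP lookups -- keep it a local / trusted one
resolver 127.0.0.1;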
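##################
# Install rclone #
##################
curl -O https://downloads.rclone.org/rclone-current-linux-amd64.zip
# check the archive against the checksum rclone publishes for the release before unpacking
# a binary that will live in /usr/bin
echo "__EXPECTED_SHA256__  rclone-current-linux-amd64.zip" | sha256sum -c -
unzip rclone-current-linux-amd64.zip
cd rclone-*-linux-amd64
sudo cp rclone /usr/bin/
sudo chown root:root /usr/bin/rclone
sudo chmod 755 /usr/bin/rclone
# the config written here holds the remote's credentials; keep that file 0600 (rclone can also
# encrypt it with a config password from the same menu)
rclone config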
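####################
# Install CollectD #
####################
yum -y install collectd collectd-nginx collectd-mysql
nano /etc/collectd.conf
chkconfig --levels 235 collectd on
service collectd start
# CGP (collectd graph panel), cloned into the current directory
git clone https://github.com/pommi/CGP
# update datadir in conf/config.php
# The original ended with `sudo setenforce 0`, which puts SELinux in permissive mode for the whole
# host -- presumably so httpd can read collectd's data dir. Don't: label that directory instead
# (see the SELinux section: semanage fcontext + restorecon) and read the exact denial from the
# audit log (ausearch -m avc -ts recent) so the policy stays enforcing.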
####################
# Sync Using rsync #
####################
# -azP == --archive --compress --partial --progress; trailing slash on the source copies its
# contents rather than the directory itself
# remote to local
rsync --archive --compress --partial --progress user@remote.addr:/path/to/source/ /path/to/destination/
# local to remote
rsync --archive --compress --partial --progress /path/to/source/ user@remote.addr:/path/to/destination/
########################
# Install Apache 2.4.* #
########################
https://www.softwarecollections.org/en/scls/rhscl/httpd24/
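#######################
# Add WordPress Admin #
#######################
-- Table names AND the meta_key prefix must match $table_prefix in wp-config.php (default "wp_");
-- a prefix mismatch on wp_capabilities silently yields a user with no role.
-- MD5 is only accepted as a legacy hash: WordPress re-hashes it with its own scheme on first
-- login, so change the password right after logging in, and don't paste a real one at an
-- interactive prompt that keeps history.
-- user_registered is set explicitly: the column's zero-date default is rejected under strict sql_mode.
INSERT INTO `wp_users` (`user_login`, `user_pass`, `user_nicename`, `user_email`, `user_registered`, `user_status`)
VALUES ('__USERNAME__', MD5('__PASSWORD__'), '__DISPLAY_NAME__', '__EMAIL__', NOW(), '0');
-- LAST_INSERT_ID() is the id generated by the INSERT above on this connection and stays stable
-- for both rows below; the original's (SELECT MAX(id) FROM wp_users) picks up whichever row was
-- inserted last by anyone.
INSERT INTO `wp_usermeta` (`user_id`, `meta_key`, `meta_value`) VALUES
    (LAST_INSERT_ID(), 'wp_capabilities', 'a:1:{s:13:"administrator";s:1:"1";}'),
    (LAST_INSERT_ID(), 'wp_user_level', '10');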
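###########
# SELinux #
###########
yum install -y policycoreutils-python
# label only the directories the app must write as rw; the rest of the docroot keeps the
# read-only httpd_sys_content_t. The type goes after -t -- the original omitted -t, so semanage
# would take "httpd_sys_rw_content_t" as the file spec and the rule never matches anything.
semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/folder1(/.*)?"
semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/folder2(/.*)?"
# apply the new labels; restorecon needs the path(s) to relabel (the original passed none)
restorecon -Rv /var/www/html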
#######################
# CertBot LetsEncrypt #
#######################
# one certificate covering the bare domain and www; --domains takes a comma-separated list
sudo certbot --apache --domains domain.com,www.domain.com
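###############################
# WordPress Linux Permissions #
###############################
# same recipe as "Permissions Issues" above without the ACL lines; run from the WordPress root
find . -type f -exec chmod 664 {} +
find . -type d -exec chmod 775 {} +
# wp-config.php holds the DB credentials and salts: owner + apache group only, never world-readable
# (the blanket 664 above, and the original's explicit 664, left it readable by every local account)
chmod 640 wp-config.php
# core and writable content owned by the httpd user so in-app updates work. Trade-off: a compromised
# PHP process can then rewrite core; if in-app updates are not needed, keep core USER_NAME:apache
chown -R apache:apache wp-admin
chown -R apache:apache wp-includes
chown apache:apache wp-content
chown -R apache:apache wp-content/plugins
chown -R apache:apache wp-content/cache
chown -R apache:apache wp-content/upgrade
chown -R apache:apache wp-content/uploads
chown -R apache:apache wp-content/w3tc-config
chown -R USER_NAME:apache wp-content/themes
chown USER_NAME:apache wp-content/*.php
chown USER_NAME:apache *.php
chown USER_NAME:apache *.txt
chown USER_NAME:apache *.html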