CentOS 6.x LAMP Server Provisioning Script
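#!/bin/bash
#
# CentOS 6.x LAMP Server Provisioning Script
#
# Interactive first-boot hardening of a CentOS 6.x host: default-deny iptables,
# root password, an administrators group with sudo, an admin user, root SSH
# lockout plus SSH port change, optional EPEL/desktop, base packages, update.
# Everything after the `exit` further down is copy/paste reference and is never
# executed by the script itself.
#
# Must run as root: it calls passwd for root, groupadd/useradd, and writes
# /etc/sudoers and /etc/ssh/sshd_config directly (those lines carry no sudo).
clear
echo '#'
echo '# CentOS 6.x LAMP Server Provisioning Script'
echo '#'
echo '# This script will guide you through the initial server provisioning for a standard CentOS 6.x LAMP server.'
echo '# The basic provisioning tasks to be ran immediately after provisioning are fully automated with user prompts.'
echo '# The rest of the script is for copy/paste reference to pick/choose as desired.'
echo '#'
echo '# [x] iptables lockdown'
echo '# [x] Change root password'
echo '# [x] Add administrators group'
echo '# [x] Add administrators group to sudoers'
echo '# [x] Add admin user'
echo '# [x] Disable root remote login'
echo '# [x] Optionally enable EPEL Repo'
echo '# [x] Optionally install Desktop packages'
echo '# [x] Install common and development packages'
echo '# [x] Update server'
echo '# [/] Configure SSH Keys and restrict SSH logins by key only'
echo '# [/] Configure MySQL'
echo '# [/] Configure Apache'
echo '# [/] Configure PHP'
echo '# [/] Configure git'
echo '# [/] Configure vimrc options'
echo '#'
echo '# @author dirt'
echo '# @version 1.0.1'
echo '# @date Created October 15th 2013'
echo '# @date Last updated May 24th 2015'
echo '# @link https://gist.github.com/dirte/5328929'
echo '# @wget https://gist.githubusercontent.com/dirte/5328929/raw/a6194c601426eb476b02193b85efd6d65ac928af/provision_centos_server.sh'
echo '#'
# Refuse to continue as a non-root user. A bare `passwd` (used below for the
# root password) acts on the *invoking* account, and the sudoers/sshd edits
# would fail part-way through, leaving the host half-configured.
if [[ $EUID -ne 0 ]]; then
  echo 'This script must be run as root.' >&2
  exit 1
fi
read -r -p "Press any key to begin provisioning or [CTRL]+[C] to quit."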
# ---------------------------------------------------------------------------
# iptables lockdown
# ---------------------------------------------------------------------------
# Default-deny inbound IPv4 policy: loopback, replies to established
# connections and SSH on 22 are the only things admitted; nothing is
# forwarded; outbound is unrestricted. The ruleset is saved so it survives a
# reboot.
# NOTE(review): only IPv4 is filtered here. If the host has a global IPv6
# address, mirror these rules with ip6tables (remembering to permit ICMPv6,
# which IPv6 needs for neighbour discovery) or the same ports stay open over v6.
echo '# iptables lockdown'
ssh_port_initial=22
# Show what was in place before we touch anything.
iptables -L -v -n
# Open the INPUT policy *before* flushing so the flush itself cannot cut off
# the session this script is running in.
iptables -P INPUT ACCEPT
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport "$ssh_port_initial" -j ACCEPT
# Allow rules are in; everything else inbound is now dropped.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -L -v -n
# Persist the ruleset and reload the service from the saved copy.
/sbin/service iptables save
/sbin/service iptables restart
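# ---------------------------------------------------------------------------
# Change root password
# ---------------------------------------------------------------------------
# Name the account explicitly: a bare `passwd` acts on the *current* user,
# which is root only if the script really is running as root. `passwd root`
# fails loudly in any other case instead of silently changing someone else's
# password while the banner claims root was changed.
echo '# Change root password'
echo 'Enter new password: '
passwd root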
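# ---------------------------------------------------------------------------
# Add administrators group
# ---------------------------------------------------------------------------
# Sets ADMINSGROUP (default "admins"). Later steps grant this group sudo and
# SSH access, so its value ends up inside /etc/sudoers and sshd_config.
# Fix: the original wrote `$ADMINSGROUP="admins"`, which is a command
# invocation (of a program literally named `=admins`), not an assignment, so
# the default never applied and an empty name flowed into groupadd, sudoers
# and sshd_config.
echo '# Add administrators group'
read -r -e -p "Enter name for administrators group (Default: admins): " ADMINSGROUP
ADMINSGROUP=${ADMINSGROUP:-admins}
# Accept only a conservative group-name charset: anything else is refused
# rather than pasted verbatim into two security-critical config files.
if [[ ! "$ADMINSGROUP" =~ ^[A-Za-z_][A-Za-z0-9_-]*$ ]]; then
  echo "Invalid group name: '$ADMINSGROUP'" >&2
  exit 1
fi
# Re-running the script must not fail on an already-present group.
if getent group "$ADMINSGROUP" >/dev/null; then
  echo "Group $ADMINSGROUP already exists; reusing it."
else
  groupadd "$ADMINSGROUP" || exit 1
fi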
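# ---------------------------------------------------------------------------
# Add administrators group to sudoers
# ---------------------------------------------------------------------------
# Appends a "%group ALL = (ALL) ALL" rule to /etc/sudoers after taking a
# timestamped backup, then validates the result with `visudo -c`. An
# unparsable sudoers file disables sudo for *everyone*; combined with the
# root-login lockout that follows, that would leave nobody able to administer
# the box. On validation failure the backup is restored and the script stops.
echo '# Add administrators group to sudoers'
tstmp=$( date +%F-%H-%M-%S )
# An empty name would write "% ALL = (ALL) ALL", which is exactly the kind of
# syntax error described above.
if [[ -z "$ADMINSGROUP" ]]; then
  echo 'ADMINSGROUP is empty; refusing to write a sudoers rule.' >&2
  exit 1
fi
cp /etc/sudoers "/etc/sudoers.$tstmp.bak"
echo "%$ADMINSGROUP ALL = (ALL) ALL" >> /etc/sudoers
if ! visudo -c -f /etc/sudoers >/dev/null; then
  echo 'New /etc/sudoers failed visudo -c; restoring backup and aborting.' >&2
  cp "/etc/sudoers.$tstmp.bak" /etc/sudoers
  exit 1
fi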
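# ---------------------------------------------------------------------------
# Add admin user
# ---------------------------------------------------------------------------
# Creates ADMINUSER with ADMINSGROUP as a supplementary group (that group is
# what carries sudo and SSH access) and sets its password interactively.
# The name is validated first: the original passed whatever was typed,
# unquoted, straight to useradd, and an empty answer produced a confusing
# useradd usage error followed by a `passwd` prompt for nobody.
echo '# Add admin user'
read -r -e -p "Enter name for administrator user: " ADMINUSER
if [[ ! "$ADMINUSER" =~ ^[A-Za-z_][A-Za-z0-9_-]*$ ]]; then
  echo "Invalid user name: '$ADMINUSER'" >&2
  exit 1
fi
if [[ -z "$ADMINSGROUP" ]]; then
  echo 'ADMINSGROUP is empty; the admin user would get no sudo/SSH group.' >&2
  exit 1
fi
useradd -G "$ADMINSGROUP" "$ADMINUSER" || exit 1
echo "Enter new password for $ADMINUSER: "
passwd "$ADMINUSER"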
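# ---------------------------------------------------------------------------
# Disable root remote login
# ---------------------------------------------------------------------------
# Sets PermitRootLogin no and restricts SSH logins to members of ADMINSGROUP.
# Fixes two defects in the original:
#  * it appended `AllowGroups $ADMINGROUP` -- a typo for ADMINSGROUP, never
#    set -- so the directive did not actually name the admin group;
#  * the two-step sed only rewrote "#PermitRootLogin yes"; any other spelling
#    of the directive already in the file would have stayed in force.
# Directives are inserted at the top of the file rather than appended, so
# they cannot end up inside a trailing `Match` block where they would only
# apply conditionally. The result is checked with `sshd -t` before the
# service is ever restarted; on failure the backup is restored.
echo '# Disable root remote login'
if [[ ! "$ADMINSGROUP" =~ ^[A-Za-z_][A-Za-z0-9_-]*$ ]]; then
  echo "Refusing to write AllowGroups with group name '$ADMINSGROUP'." >&2
  exit 1
fi
cp /etc/ssh/sshd_config "/etc/ssh/sshd_config.$tstmp.bak"
# Drop every existing PermitRootLogin line, active or commented, then state ours once.
sed -i '/^[[:space:]]*#\?[[:space:]]*PermitRootLogin\b/d' /etc/ssh/sshd_config
# AllowGroups is a whitelist: once present, only members of the listed groups
# can log in at all (root included, which is the point).
sed -i -e '1i PermitRootLogin no' -e "1i AllowGroups $ADMINSGROUP" /etc/ssh/sshd_config
if ! /usr/sbin/sshd -t; then
  echo 'sshd_config failed sshd -t; restoring backup and aborting.' >&2
  cp "/etc/ssh/sshd_config.$tstmp.bak" /etc/ssh/sshd_config
  exit 1
fi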
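# ---------------------------------------------------------------------------
# Change SSH port
# ---------------------------------------------------------------------------
# Moves sshd to SSHPORT and swaps the firewall rule accordingly. The original
# accepted any input (an empty answer produced "Port " in sshd_config and a
# broken iptables command), deleted the port-22 rule before adding the new
# one, and restarted sshd without validating the config. Here the port is
# validated, the config is checked with `sshd -t` (restoring the backup on
# failure), the new port is opened before the old one is closed, and the
# SELinux port label is added so sshd can actually bind a non-standard port.
echo '# Change SSH port'
read -r -e -p 'Enter new SSH port: ' SSHPORT
if [[ ! "$SSHPORT" =~ ^[0-9]+$ ]] || (( 10#$SSHPORT < 1 || 10#$SSHPORT > 65535 )); then
  echo "Invalid port: '$SSHPORT'" >&2
  exit 1
fi
cp /etc/ssh/sshd_config "/etc/ssh/sshd_config.$tstmp.port.bak"
# Remove any existing Port line (active or commented) and insert ours at the
# top so it cannot land inside a trailing Match block.
sed -i '/^[[:space:]]*#\?[[:space:]]*Port\b/d' /etc/ssh/sshd_config
sed -i "1i Port $SSHPORT" /etc/ssh/sshd_config
if ! /usr/sbin/sshd -t; then
  echo 'sshd_config failed sshd -t; restoring backup and aborting.' >&2
  cp "/etc/ssh/sshd_config.$tstmp.port.bak" /etc/ssh/sshd_config
  exit 1
fi
# With SELinux enforcing, sshd may only bind ports labelled ssh_port_t;
# `sshd -t` does not catch this because the bind happens at start-up.
# `-a` fails harmlessly if the port is already labelled.
if [[ "$SSHPORT" != 22 ]] && command -v semanage >/dev/null 2>&1; then
  semanage port -a -t ssh_port_t -p tcp "$SSHPORT" 2>/dev/null || true
fi
# Open the new port first, then close 22, so there is no window with no SSH
# rule at all. Keep this session open and confirm a login on the new port
# from a second terminal before logging out.
iptables -A INPUT -p tcp --dport "$SSHPORT" -j ACCEPT
if [[ "$SSHPORT" != 22 ]]; then
  iptables -D INPUT -p tcp --dport 22 -j ACCEPT
fi
/sbin/service iptables save
/sbin/service iptables restart
/etc/init.d/sshd restart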
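# ---------------------------------------------------------------------------
# EPEL Repo
# ---------------------------------------------------------------------------
# Optionally installs the epel-release package. Two defects fixed:
#  * `$ENABLEEPEL="Y"` was a command invocation, not an assignment, so the
#    advertised default of Y never applied -- an empty answer disabled EPEL;
#  * `shopt -s nocasematch` has no effect on `[ ]`, only on `[[ ]]` and
#    `case`, so a lower-case "y" was silently treated as "no".
# NOTE(review): epel-release is fetched over plain HTTP from a single mirror
# and installed without a signature check: the EPEL signing key is not yet
# imported at this point, so rpm only warns (NOKEY) and proceeds, and an
# on-path attacker can substitute the package. Prefer an HTTPS source, import
# RPM-GPG-KEY-EPEL-6 first and confirm `rpm -K` reports OK before installing.
echo '# EPEL Repo'
read -r -e -p "Enable EPEL Repository (Y/N)? (Default: Y): " ENABLEEPEL
ENABLEEPEL=${ENABLEEPEL:-Y}
case "$ENABLEEPEL" in
  [Yy]*)
    #lynx http://mirror.pnl.gov/epel/6/i386/repoview/epel-release.html
    # Download into a private temp dir instead of a predictable name in cwd.
    tmpdir=$(mktemp -d) || exit 1
    wget -O "$tmpdir/epel-release-6-8.noarch.rpm" http://mirror.pnl.gov/epel/6/i386/epel-release-6-8.noarch.rpm \
      && sudo rpm -Uvh "$tmpdir/epel-release-6-8.noarch.rpm"
    rm -rf -- "${tmpdir:?}"
    ;;
esac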
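# ---------------------------------------------------------------------------
# Desktop (optional)
# ---------------------------------------------------------------------------
# Asks whether to install an X desktop, then (after the "begin installing"
# pause) installs the package groups if the answer was yes.
# Fixes: `$ENABLEDESKTOP="N"` was a command invocation rather than an
# assignment, and `[ ]` ignores `shopt -s nocasematch`, so only a literal
# upper-case "Y" ever enabled the install. The prompt says Gnome but the
# group list below also pulls in Xfce; that is kept as the author wrote it.
# NOTE(review): a graphical desktop on an internet-facing LAMP host adds a
# large amount of attack surface for little benefit; leave it at N for
# servers.
echo '# Desktop? '
read -r -e -p "Enable Gnome X Window (Desktop) (Y/N)? (Default: N): " ENABLEDESKTOP
ENABLEDESKTOP=${ENABLEDESKTOP:-N}
read -r -p "Press any key to begin updating and installing packages or [CTRL]+[C] to quit."
# Gnome: "Desktop" "Desktop Platform" "Fonts"
# KDE: "KDE Desktop"
# MATE: "Mate Desktop"
# Xfce: "Xfce"
case "$ENABLEDESKTOP" in
  [Yy]*)
    echo '# Install Desktop'
    sudo yum groupinstall -y "X Window System" "Desktop" "Desktop Platform" "Fonts" "Xfce"
    ;;
esac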
# ---------------------------------------------------------------------------
# Base packages and system update
# ---------------------------------------------------------------------------
# Installs the Base and Development Tools groups plus a set of build/admin
# utilities, then runs an interactive `yum update` (deliberately without -y,
# so the transaction is shown for review before anything is replaced).
echo '# Install common packages'
sudo yum groupinstall -y "Base" "Development Tools"
base_packages=(
  gcc apr-devel apr-util-devel wget telnet tar sudo perl python
  iptables man openssh openssl openssl-devel git
)
sudo yum install -y "${base_packages[@]}"
echo '# Update server'
sudo yum update
# Hand-off point: the remaining steps are done from a fresh session as the new
# admin user on the new port, since root SSH logins were disabled above.
echo "# You will need to exit from SSH and log back into SSH (remember port $SSHPORT) as the admin ($ADMINUSER) from this point on"
echo '# When you return, execute the script with the argument ADMIN to skip the completed steps (@TODO)'
echo '# Example: provision_centos_server.sh ADMIN'
exit
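## Rest below is manual copy/paste steps to pick/choose from as desired.
## (Never reached when the script is executed: the `exit` above returns first.
##  Paste these into an interactive shell as the admin user.)
# PowerStack repo (IF you want it - not recommended for production servers)
# rpm -Uvh http://download.powerstack.org/powerstack-release-0-2.noarch.rpm
# ---------------------------------------------------------------------------
# SSH keys (force logon by key only - recommended)
# ---------------------------------------------------------------------------
# (on workstation) -- replace YOUR_SERVER_IP with the host's address.
# NOTE(review): RSA/4096 is the right choice here rather than ed25519; the
# OpenSSH shipped with CentOS 6 predates ed25519 support -- confirm against
# the server's `sshd -V` if in doubt.
ssh-keygen -b 4096 -t rsa -f ~/.ssh/id_rsa
ssh-copy-id -i ~/.ssh/id_rsa.pub "$ADMINUSER@YOUR_SERVER_IP"
ssh-add
# (may need to logoff/logon workstation if get Agent sign error)
# (on server, logged in as $ADMINUSER)
chown -R "$ADMINUSER:$ADMINUSER" ~/.ssh
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
restorecon -Rv ~/.ssh
# Only disable password authentication AFTER a key-based login has been
# verified from a second session; otherwise the account locks itself out.
# $tstmp from the first run is gone in this new login shell, so re-derive it
# rather than producing a backup named "sshd_config..bak".
tstmp=${tstmp:-$( date +%F-%H-%M-%S )}
sudo cp /etc/ssh/sshd_config "/etc/ssh/sshd_config.$tstmp.bak"
sudo sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config
# ChallengeResponseAuthentication should be "no" as well; otherwise a
# keyboard-interactive (PAM) password prompt may remain possible.
sudo sed -i 's/ChallengeResponseAuthentication yes/ChallengeResponseAuthentication no/g' /etc/ssh/sshd_config
# The edit is inert until sshd is restarted -- the original never did this, so
# password logins stayed enabled. Validate first so a bad config cannot take
# the listener down.
sudo /usr/sbin/sshd -t && sudo /etc/init.d/sshd restart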
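# ---------------------------------------------------------------------------
# MySQL example
# ---------------------------------------------------------------------------
# Installs mysql-server, optionally moves it off 3306, and runs the
# interactive hardening wizard.
sudo yum install -y mysql-server
# $tstmp from the first run does not exist in this new login shell.
tstmp=${tstmp:-$( date +%F-%H-%M-%S )}
sudo cp /etc/my.cnf "/etc/my.cnf.$tstmp.bak"
read -r -e -p "Enter new MySQL port: " MYSQLPORT
if [[ "$MYSQLPORT" =~ ^[0-9]+$ ]] && (( 10#$MYSQLPORT >= 1 && 10#$MYSQLPORT <= 65535 )); then
  # Only rewrites an existing "port=3306" line. If my.cnf has no such line
  # (check with `grep -n port /etc/my.cnf`) this is a no-op and mysqld stays
  # on 3306 -- add the line under [mysqld] by hand in that case.
  sudo sed -i "s/port=3306/port=$MYSQLPORT/g" /etc/my.cnf
else
  echo "Invalid port '$MYSQLPORT'; leaving /etc/my.cnf untouched." >&2
fi
sudo service mysqld restart
# Prompts to set the MySQL root password and remove the anonymous accounts,
# remote root login and the test database.
sudo /usr/bin/mysql_secure_installation
# NOTE(review): moving the port is not a security control. What actually keeps
# MySQL off the network is that the iptables policy set earlier admits only
# SSH; keep it that way (and/or bind-address=127.0.0.1 under [mysqld]) unless
# remote clients are genuinely required.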
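# ---------------------------------------------------------------------------
# Apache example
# ---------------------------------------------------------------------------
# Installs httpd and writes a single name-based vhost for domain.com (replace
# throughout). Expressed as shell (tee + here-doc) instead of "open vi and
# paste", so the reference is reproducible and the file parses.
sudo yum install -y httpd
# Give httpd an explicit ServerName so it stops guessing one at start-up.
echo 'ServerName 127.0.0.1:80' | sudo tee -a /etc/httpd/conf/httpd.conf >/dev/null
# httpd will not start if the log directory named below is missing.
sudo mkdir -p /var/www/vhosts/domain.com/public_html /var/www/vhosts/domain.com/logs
# Security change from the original template: `Options All` enabled Indexes,
# Includes (SSI) and ExecCGI for the whole docroot. Only FollowSymLinks is
# kept; directory listings and server-side execution must be opted into per
# directory where they are really needed. `AllowOverride All` still lets a
# .htaccess re-enable them -- narrow it once the application's needs are known.
sudo tee /etc/httpd/conf.d/vhosts.conf >/dev/null <<'EOF'
NameVirtualHost *:80
<VirtualHost *:80>
    ServerAdmin root@domain.com
    DocumentRoot /var/www/vhosts/domain.com/public_html
    ServerName www.domain.com
    ServerAlias domain.com
    ErrorLog /var/www/vhosts/domain.com/logs/error_log
    CustomLog /var/www/vhosts/domain.com/logs/access_log common
    <Directory /var/www/vhosts/domain.com>
        Options -Indexes +FollowSymLinks
        AllowOverride All
    </Directory>
</VirtualHost>
EOF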
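# ---------------------------------------------------------------------------
# PHP example
# ---------------------------------------------------------------------------
#Get latest version from lynx:
#lynx http://mirror.pnl.gov/epel/6/i386/repoview/epel-release.html
# Skip the download if EPEL was already enabled during the first run.
# NOTE(review): same unverified plain-HTTP download as the EPEL step above --
# the package is installed without a usable signature check.
if ! rpm -q epel-release >/dev/null 2>&1; then
  tmpdir=$(mktemp -d)
  wget -O "$tmpdir/epel-release-6-8.noarch.rpm" http://mirror.pnl.gov/epel/6/i386/epel-release-6-8.noarch.rpm \
    && sudo rpm -Uvh "$tmpdir/epel-release-6-8.noarch.rpm"
  rm -rf -- "${tmpdir:?}"
fi
sudo yum install -y php php-common php-cli php-gd php-mbstring php-mcrypt php-mysql php-pdo php-pear php-pecl-apc php-pecl-xdebug php-soap php-tidy php-xml php-xmlrpc
# XDebug Config
# NOTE(review): xdebug is a development tool. On a production host it adds
# attack surface, and the unlimited var_display_* values below make any
# stray var_dump() of internal state far more revealing. Drop php-pecl-xdebug
# and this section from production installs.
# `sudo echo ... >> file` does not work: the redirection is opened by the
# unprivileged shell *before* sudo runs, so the append fails with permission
# denied. Piping through `sudo tee -a` performs the write as root.
printf '%s\n' \
  'xdebug.var_display_max_children=-1' \
  'xdebug.var_display_max_data=-1' \
  'xdebug.var_display_max_depth=-1' | sudo tee -a /etc/php.d/xdebug.ini >/dev/null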
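# ---------------------------------------------------------------------------
# git example: deploy a checkout into the vhost tree
# ---------------------------------------------------------------------------
sudo yum install -y git
# `&&` so a failed cd does not clone into whatever the current directory is.
cd /var/www/vhosts && git clone git@github.com:x/y.git
# Put the admin and apache in each other's groups so both can work in the tree.
sudo usermod -a -G apache "$ADMINUSER"
sudo usermod -a -G "$ADMINUSER" apache
# logoff/logon
# /etc/sysconfig/httpd is root-owned: this needs sudo like the edits around it
# (a bare `>>` fails with permission denied as the admin user).
echo "umask 007" | sudo tee -a /etc/sysconfig/httpd >/dev/null
sudo chgrp -R "$ADMINUSER" /var/www/vhosts/domain.com
sudo chmod 2770 /var/www/vhosts/domain.com
# NOTE(review): with apache in the $ADMINUSER group, umask 007 and a
# group-writable 2770 tree, the web server can write anywhere under the
# docroot -- a compromised PHP application can then rewrite the site's own
# code. Prefer 2750 on the code tree and grant group write only to the
# directories that must be writable (uploads, cache).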
# ---------------------------------------------------------------------------
# vimrc options (TODO: Check for updated version via lynx)
# ---------------------------------------------------------------------------
# Fetches the author's .vimrc into the current directory (not into $HOME).
wget "https://gist.github.com/dirte/5245083/raw/eed54c62294ee996816ac0481d03b7537f8bec35/.vimrc"
# bash options
# @TODO
# alias
# @TODO