@flacodirt
Last active January 17, 2022 07:00
CentOS 6.x LAMP Server Provisioning Script
#!/bin/bash
# Interactive first-boot provisioning for a CentOS 6.x LAMP host.
# The automated part (firewall, accounts, sshd, repos, packages) runs top to
# bottom with prompts; everything after the "exit" further down is a
# copy/paste reference. Intended to be run as root on a fresh install.
clear
clear
# Banner: the quoted delimiter keeps the text literal, as the single-quoted
# echo lines it replaces did.
cat <<'BANNER'
#
# CentOS 6.x LAMP Server Provisioning Script
#
# This script will guide you through the initial server provisioning for a standard CentOS 6.x LAMP server.
# The basic provisioning tasks to be ran immediately after provisioning are fully automated with user prompts.
# The rest of the script is for copy/paste reference to pick/choose as desired.
#
# [x] iptables lockdown
# [x] Change root password
# [x] Add administrators group
# [x] Add administrators group to sudoers
# [x] Add admin user
# [x] Disable root remote login
# [x] Optionally enable EPEL Repo
# [x] Optionally install Desktop packages
# [x] Install common and development packages
# [x] Update server
# [/] Configure SSH Keys and restrict SSH logins by key only
# [/] Configure MySQL
# [/] Configure Apache
# [/] Configure PHP
# [/] Configure git
# [/] Configure vimrc options
#
# @author dirt
# @version 1.0.1
# @date Created October 15th 2013
# @date Last updated May 24th 2015
# @link https://gist.github.com/dirte/5328929
# @wget https://gist.githubusercontent.com/dirte/5328929/raw/a6194c601426eb476b02193b85efd6d65ac928af/provision_centos_server.sh
#
BANNER
# Pause so the operator can abort before anything is changed.
read -p "Press any key to begin provisioning or [CTRL]+[C] to quit."
clear
echo '# iptables lockdown'
#######################################
# Reset the filter table to deny-by-default inbound: only loopback,
# ESTABLISHED/RELATED traffic and TCP/22 are admitted; FORWARD is dropped
# and OUTPUT left open. The ruleset is then persisted and reloaded.
# Globals:   none
# Arguments: none
# Outputs:   rule listings before and after the change
#######################################
lockdown_iptables() {
  # Show what is there before touching it.
  iptables -L -v -n
  # Set INPUT to ACCEPT *before* flushing so the flush itself cannot cut
  # the SSH session this runs over.
  iptables -P INPUT ACCEPT
  iptables -F
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  # Default policies only take effect once the allow rules above exist.
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT ACCEPT
  iptables -L -v -n
  # Persist to /etc/sysconfig/iptables and reload from it.
  /sbin/service iptables save
  /sbin/service iptables restart
}
lockdown_iptables
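echo '# Change root password'
echo 'Enter new password: '
passwd
echo '# Add administrators group'
echo -n "Enter name for administrators group (Default: admins): "
read -e ADMINSGROUP
# Plain assignment: the original "$ADMINSGROUP=admins" expanded the (empty)
# variable and tried to run "=admins" as a command, so the default never
# applied and the group name stayed empty for every step below.
if [ -z "$ADMINSGROUP" ]; then
  ADMINSGROUP="admins"
fi
# Only accept a plain account-name token: the value is spliced into sudoers
# and (further down) sshd_config, where a stray space or "%" changes meaning.
if ! [[ "$ADMINSGROUP" =~ ^[A-Za-z_][A-Za-z0-9_-]*$ ]]; then
  echo "Invalid group name: $ADMINSGROUP" >&2
  exit 1
fi
groupadd "$ADMINSGROUP"
echo '# Add administrators group to sudoers'
tstmp=$( date +%F-%H-%M-%S )
cp /etc/sudoers "/etc/sudoers.$tstmp.bak"
# Never append straight to /etc/sudoers: one malformed line makes sudo
# refuse to run at all. Edit a scratch copy, let visudo validate it, and only
# then install it over the live file.
tmp_sudoers=$(mktemp) || exit 1
cp /etc/sudoers "$tmp_sudoers"
echo "%$ADMINSGROUP ALL = (ALL) ALL" >> "$tmp_sudoers"
if visudo -cf "$tmp_sudoers"; then
  # cp onto the existing file keeps /etc/sudoers' owner and 0440 mode.
  cp "$tmp_sudoers" /etc/sudoers
else
  echo "sudoers entry failed validation; /etc/sudoers left unchanged" >&2
  rm -f -- "$tmp_sudoers"
  exit 1
fi
rm -f -- "$tmp_sudoers"
echo '# Add admin user'
echo -n "Enter name for administrator user: "
read -e ADMINUSER
if ! [[ "$ADMINUSER" =~ ^[A-Za-z_][A-Za-z0-9_-]*$ ]]; then
  echo "Invalid user name: $ADMINUSER" >&2
  exit 1
fi
# Options before the login name; -G adds the supplementary admin group.
useradd -G "$ADMINSGROUP" "$ADMINUSER"
echo -n "Enter new password for $ADMINUSER: "
passwd "$ADMINUSER"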
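echo '# Disable root remote login'
cp /etc/ssh/sshd_config "/etc/ssh/sshd_config.$tstmp.bak"
# Stock CentOS 6 ships "#PermitRootLogin yes": uncomment, then flip to "no".
sed -i 's/#PermitRootLogin/PermitRootLogin/g' /etc/ssh/sshd_config
sed -i 's/PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config
# The original wrote "AllowGroups $ADMINGROUP" (missing S), i.e. an empty
# list, so logins were never restricted. The variable set earlier is
# ADMINSGROUP. From the next restart sshd refuses every account outside this
# group, root included.
# NOTE(review): appended at end of file; fine as long as no "Match" block
# precedes it in sshd_config -- confirm on the target.
echo "AllowGroups $ADMINSGROUP" >> /etc/ssh/sshd_config
echo '# Change SSH port'
echo -n 'Enter new SSH port: '
read -e SSHPORT
# An empty or non-numeric answer used to yield "Port " -- a config sshd will
# not start with. Keep the stock port unless a valid one was typed.
if ! [[ "$SSHPORT" =~ ^[0-9]+$ ]] || (( SSHPORT < 1 || SSHPORT > 65535 )); then
  echo "No valid port given; keeping port 22" >&2
  SSHPORT=22
fi
if [ "$SSHPORT" != "22" ]; then
  sed -i "s/#Port/Port/g" /etc/ssh/sshd_config
  sed -i "s/Port 22/Port $SSHPORT/g" /etc/ssh/sshd_config
  # Open the new port while 22 is still allowed, so a failed restart below
  # does not strand the operator.
  iptables -A INPUT -p tcp --dport "$SSHPORT" -j ACCEPT
  # NOTE(review): with SELinux enforcing, sshd may only bind ports labelled
  # ssh_port_t; a custom port needs
  # "semanage port -a -t ssh_port_t -p tcp $SSHPORT" first -- confirm on target.
fi
# Let sshd parse the edited file before restarting; the current session
# survives a failed check, so the backup can be restored by hand.
if ! /usr/sbin/sshd -t; then
  echo "sshd_config failed validation; backup is /etc/ssh/sshd_config.$tstmp.bak" >&2
  exit 1
fi
/etc/init.d/sshd restart
# Close 22 only after sshd is confirmed up on the new port.
if [ "$SSHPORT" != "22" ]; then
  iptables -D INPUT -p tcp --dport 22 -j ACCEPT
fi
/sbin/service iptables save
/sbin/service iptables restart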
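echo '# EPEL Repo'
echo -n "Enable EPEL Repository (Y/N)? (Default: Y): "
read -e ENABLEEPEL
# Plain assignment: "$ENABLEEPEL=Y" expanded the empty variable and ran "=Y"
# as a command, so the documented default never took effect.
if [ -z "$ENABLEEPEL" ]; then
  ENABLEEPEL="Y"
fi
# "case" matches y/Y directly; the original relied on shopt nocasematch,
# which only affects [[ ]] and case, not the single-bracket [ ] test it used.
case "$ENABLEEPEL" in
  [Yy])
    #lynx http://mirror.pnl.gov/epel/6/i386/repoview/epel-release.html
    # Prefer the epel-release package from the CentOS repos: it is fetched and
    # signature-checked by yum. The wget/rpm fallback pulls the RPM over plain
    # HTTP from a third-party mirror and rpm -Uvh only verifies it if the EPEL
    # key is already imported, so the fallback is unauthenticated.
    # NOTE(review): confirm epel-release is in "extras" for the target release.
    if ! sudo yum install -y epel-release; then
      wget http://mirror.pnl.gov/epel/6/i386/epel-release-6-8.noarch.rpm
      sudo rpm -Uvh epel-release-6-8.noarch.rpm
    fi
    ;;
esac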
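echo '# Desktop? '
echo -n "Enable Gnome X Window (Desktop) (Y/N)? (Default: N): "
read -e ENABLEDESKTOP
# Plain assignment (the original "$ENABLEDESKTOP=N" ran "=N" as a command).
if [ -z "$ENABLEDESKTOP" ]; then
  ENABLEDESKTOP="N"
fi
read -p "Press any key to begin updating and installing packages or [CTRL]+[C] to quit."
# Gnome: "Desktop" "Desktop Platform" "Fonts"
# KDE: "KDE Desktop"
# MATE: "Mate Desktop"
# Xfce: "Xfce"
# case matches y/Y; shopt nocasematch never applied to the [ ] test it used.
case "$ENABLEDESKTOP" in
  [Yy])
    echo '# Install Desktop'
    sudo yum groupinstall -y "X Window System" "Desktop" "Desktop Platform" "Fonts" "Xfce"
    ;;
esac
echo '# Install common packages'
# sudo is redundant while this runs as root (passwd above changed root's
# password) but harmless; kept so the lines paste into an admin session too.
sudo yum groupinstall -y "Base" "Development Tools"
sudo yum install -y gcc apr-devel apr-util-devel wget telnet tar sudo perl python iptables man openssh openssl openssl-devel git
echo '# Update server'
# Deliberately without -y: yum shows the transaction and asks before applying.
sudo yum update
echo "# You will need to exit from SSH and log back into SSH (remember port $SSHPORT) as the admin ($ADMINUSER) from this point on"
echo '# When you return, execute the script with the argument ADMIN to skip the completed steps (@TODO)'
echo '# Example: provision_centos_server.sh ADMIN'
# End of the automated part; everything below is reference material.
exit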
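## Rest below is manual copy/paste steps to pick/choose from as desired.
# PowerStack repo (IF you want it - not recommended for production servers)
# rpm -Uvh http://download.powerstack.org/powerstack-release-0-2.noarch.rpm
# SSH Keys Example (force logon by Key only - recommended)
# (on workstation)
ssh-keygen -b 4096 -t rsa -f ~/.ssh/id_rsa
# YOUR_SERVER_IP is a placeholder to replace by hand; the original
# "<YOUR_SERVER_IP>" is redirection syntax to the shell and cannot be pasted.
ssh-copy-id -i ~/.ssh/id_rsa.pub "$ADMINUSER@YOUR_SERVER_IP"
ssh-add
# (may need to logoff/logon workstation if get Agent sign error)
# (on server)
chown -R "$ADMINUSER:$ADMINUSER" ~/.ssh
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
restorecon -Rv ~/.ssh
# tstmp only exists in the shell that ran the automated part; a fresh admin
# session would otherwise name the backup "sshd_config..bak".
tstmp=${tstmp:-$(date +%F-%H-%M-%S)}
sudo cp /etc/ssh/sshd_config "/etc/ssh/sshd_config.$tstmp.bak"
sudo sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config
# Verify key login works in a SECOND session before this line: the edit only
# takes effect once sshd reloads (the original never reloaded it), and with
# passwords off a missing key means lockout.
sudo /usr/sbin/sshd -t && sudo service sshd reload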
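# MySQL Example
sudo yum install -y mysql-server
# tstmp is unset in a fresh session; fall back to a timestamp of our own.
tstmp=${tstmp:-$(date +%F-%H-%M-%S)}
sudo cp /etc/my.cnf "/etc/my.cnf.$tstmp.bak"
echo -n "Enter new MySQL port: "
read -e MYSQLPORT
# Validate before splicing the value into a sed expression.
if [[ "$MYSQLPORT" =~ ^[0-9]+$ ]]; then
  # Only rewrites an existing "port=3306" line.
  # NOTE(review): the stock CentOS 6 my.cnf may carry no port= line at all, in
  # which case add "port=$MYSQLPORT" under [mysqld] by hand -- confirm on target.
  sudo sed -i "s/port=3306/port=$MYSQLPORT/g" /etc/my.cnf
else
  echo "No valid port given; leaving /etc/my.cnf unchanged" >&2
fi
sudo service mysqld restart
# Interactive: sets the MySQL root password, removes anonymous users,
# disallows remote root login and drops the test database.
sudo /usr/bin/mysql_secure_installation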
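# Apache Example
sudo yum install -y httpd
# The original opened httpd.conf in vi to add this line; appending it is
# equivalent because a later ServerName overrides the commented stock one.
echo 'ServerName 127.0.0.1:80' | sudo tee -a /etc/httpd/conf/httpd.conf >/dev/null
# httpd refuses to start if the log directory does not exist yet.
sudo mkdir -p /var/www/vhosts/domain.com/public_html /var/www/vhosts/domain.com/logs
# The vhost the original pasted into vi, written as a conf.d file. Lines
# starting with "#" inside the heredoc are Apache comments.
sudo tee /etc/httpd/conf.d/vhosts.conf >/dev/null <<'EOF'
NameVirtualHost *:80
<VirtualHost *:80>
ServerAdmin root@domain.com
DocumentRoot /var/www/vhosts/domain.com/public_html
ServerName www.domain.com
ServerAlias domain.com
ErrorLog /var/www/vhosts/domain.com/logs/error_log
CustomLog /var/www/vhosts/domain.com/logs/access_log common
<Directory /var/www/vhosts/domain.com>
# "Options All" also switches on Indexes, Includes and ExecCGI for the whole
# tree; narrow it (e.g. "Options -Indexes +FollowSymLinks") on public hosts.
Options All
AllowOverride All
</Directory>
</VirtualHost>
EOF
# Parse the config before (re)starting so a typo is caught here.
sudo apachectl configtest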
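# PHP Example
#Get latest version from lynx:
#lynx http://mirror.pnl.gov/epel/6/i386/repoview/epel-release.html
# Skip the next two lines if EPEL was already enabled in the automated part;
# the download is plain HTTP from a third-party mirror and rpm only verifies
# the signature if the EPEL key is already imported.
wget http://mirror.pnl.gov/epel/6/i386/epel-release-6-8.noarch.rpm
sudo rpm -Uvh epel-release-6-8.noarch.rpm
sudo yum install -y php php-common php-cli php-gd php-mbstring php-mcrypt php-mysql php-pdo php-pear php-pecl-apc php-pecl-xdebug php-soap php-tidy php-xml php-xmlrpc
# XDebug Config
# "sudo echo ... >> file" never worked: the redirection is opened by the
# calling (unprivileged) shell, not by the root process. Write through tee.
# These limits are development settings; leave xdebug uninstalled or disabled
# on production hosts.
printf '%s\n' \
  'xdebug.var_display_max_children=-1' \
  'xdebug.var_display_max_data=-1' \
  'xdebug.var_display_max_depth=-1' | sudo tee -a /etc/php.d/xdebug.ini >/dev/null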
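# git Example
sudo yum install -y git
# Abort rather than clone into whatever directory we happen to be in.
cd /var/www/vhosts || exit 1
git clone git@github.com:x/y.git
# Cross-membership lets the admin and httpd share the deploy tree. Note the
# flip side: the apache account can then read anything that is
# group-readable by $ADMINUSER's group, not only the web root.
sudo usermod -a -G apache "$ADMINUSER"
sudo usermod -a -G "$ADMINUSER" apache
# logoff/logon
# Root-owned file: a plain ">>" is opened by the unprivileged shell and fails,
# so write through sudo tee. umask 007 makes httpd-created files group-rw.
echo "umask 007" | sudo tee -a /etc/sysconfig/httpd >/dev/null
# setgid dir (2770): new files inherit the admin group; others get no access.
sudo chgrp -R "$ADMINUSER" /var/www/vhosts/domain.com
sudo chmod 2770 /var/www/vhosts/domain.com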
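# vimrc options (TODO: Check for updated version via lynx)
# Save into the home directory explicitly: after the "cd /var/www/vhosts" in
# the git example a bare wget drops .vimrc into the web tree instead.
# -O overwrites an existing ~/.vimrc.
wget -O "$HOME/.vimrc" https://gist.github.com/dirte/5245083/raw/eed54c62294ee996816ac0481d03b7537f8bec35/.vimrc
# bash options
# @TODO
# alias
# @TODO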