centos6-barebones-vps-rails-server-walkthrough (rvm, nginx, mysql, memcached)
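# CentOS 6.4 barebones walkthrough guide for a new vps rails server instance
# assumes you already have a personal ssh key locally
#
# This is an interactive walkthrough, not a script to run end to end:
# the SQL statements are typed into the mysql client, the YAML goes into
# ~/.gemrc, and several steps (passwd, visudo, vi) prompt for input.
#
# script implements the following security approaches:
# disables root login
# configures ssh setup for deployer user (key-only login once the key works)
# opens up standard ports (mysql/memcached only when another host needs them)
#
# setup includes:
# rvm & ruby-1.9.3-p429
# mysql 5.6
# nginx 1.4.1
# memcached
# postfix
# change root password
passwd root
mkdir tmp && cd tmp
# Add Red Hat Linux 6 (Fedora repo)
wget https://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
rpm -ivh epel-release-6-8.noarch.rpm
yum update
yum groupinstall "Development Tools"
yum install ntp
ntpdate pool.ntp.org
# enable at boot AND start now; chkconfig alone does not start the daemon
chkconfig ntpd on
service ntpd start
# add locate command & trigger indexing
yum install mlocate
sudo /etc/cron.daily/mlocate.cron
yum -y install gcc gcc-c++ make openssl openssl-devel git expect pcre pcre-devel readline-devel libxml2 libxml2-devel libxslt libxslt-devel
yum install zlib zlib-devel curl-devel
yum install ImageMagick ImageMagick-devel
yum -y install gcc
yum -y install gcc-c++
yum -y install compat-libstdc++-33
yum -y install libstdc++-devel
yum -y install elfutils-libelf-devel
yum -y install glibc-devel
yum -y install libaio-devel
yum -y install sysstat
# NOTE(review): removing mysql-libs also removes anything that depends on it
# (postfix does on CentOS 6); if the postfix install at the end conflicts with
# MySQL-shared, the MySQL-shared-compat rpm from the same download page is the
# usual fix -- confirm on your instance.
yum remove mysql-libs
yum clean dbcache
# install mysql rpms for 5.6
# http://dev.mysql.com/downloads/mysql # Oracle & Red Hat Linux 6
wget http://dev.mysql.com/get/Downloads/MySQL-5.6/MySQL-devel-5.6.11-2.el6.x86_64.rpm/from/http://cdn.mysql.com/
wget http://dev.mysql.com/get/Downloads/MySQL-5.6/MySQL-shared-5.6.11-2.el6.x86_64.rpm/from/http://cdn.mysql.com/
wget http://dev.mysql.com/get/Downloads/MySQL-5.6/MySQL-client-5.6.11-2.el6.x86_64.rpm/from/http://cdn.mysql.com/
wget http://dev.mysql.com/get/Downloads/MySQL-5.6/MySQL-server-5.6.11-2.el6.x86_64.rpm/from/http://cdn.mysql.com/
rpm -ivh MySQL-devel-5.6.11-2.el6.x86_64.rpm
rpm -ivh MySQL-shared-5.6.11-2.el6.x86_64.rpm
rpm -ivh MySQL-client-5.6.11-2.el6.x86_64.rpm
rpm -ivh MySQL-server-5.6.11-2.el6.x86_64.rpm
mysql_install_db --user=mysql
# get mysql secret created (the generated root password; it must be changed below)
sudo cat /root/.mysql_secret
sudo service mysql start
mysql -uroot -p
# set your mysql root password (typed into the mysql client, not the shell)
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('yourrootpassword');
# the Oracle MySQL rpm installs the service as "mysql" (see the start command
# above), not "mysqld"
chkconfig --levels 235 mysql on
# when in production: removes anonymous users, the test db and remote root login
mysql_secure_installation
# create app db & user
CREATE DATABASE appname_envname DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci;
# local access config: use localhost (preferred when the app runs on this host)
# CREATE USER 'appuser'@'localhost' IDENTIFIED BY 'yourappuserpassword';
# remote access config, use % -- only if the app runs on another host; pair it
# with a source-restricted 3306 firewall rule (see below)
CREATE USER 'appuser'@'%' IDENTIFIED BY 'yourappuserpassword';
# grant all to the above app user on app db (change to use localhost if needed)
GRANT ALL PRIVILEGES ON `appname_envname`.* TO 'appuser'@'%';
# reload mysql permissions
FLUSH PRIVILEGES;
# exit mysql
exit
# firewall - open ports as needed per instance
# http
iptables -I INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -I OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
# https
iptables -I INPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -I OUTPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
# ssh (tcp in both directions; the reply rule must match the tcp session)
iptables -I INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -I OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# mysql -- only when the app runs on another host; replace the placeholder
# with that host's address so 3306 is not reachable from everywhere
# iptables -I INPUT -p tcp -s <app-server-ip> --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -I OUTPUT -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT
# smtp
iptables -I OUTPUT -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
# memcached has no authentication: keep it bound to localhost (see the
# memcached section) and do not open 11211 unless another host must reach it,
# in which case restrict the rule with -s <app-server-ip> as for mysql
# iptables -I INPUT -p tcp -s <app-server-ip> --dport 11211 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -I OUTPUT -p tcp --sport 11211 -m state --state ESTABLISHED -j ACCEPT
# save firewall settings on reboot
service iptables save
# setup sys user and password
useradd deployer
passwd deployer
visudo
# append the following line to eof
# (NOPASSWD makes the deployer key equivalent to root; drop NOPASSWD if the
# deploy tooling can prompt for the password)
deployer ALL=(ALL) NOPASSWD: ALL
# save file and exit -> :x
#disable root login from ssh, so nobody is able to brute force a root login
vi /etc/ssh/sshd_config
#uncomment "PermitRootLogin yes" and change it to "PermitRootLogin no"
# save file and exit -> :x
# check the config before restarting so a typo cannot lock you out
sshd -t && /etc/init.d/sshd restart
logout
# setup for ssh access (replace hostname & paths as necessary)
scp ~/.ssh/id_rsa.pub deployer@hostname:/home/deployer/
# login as sys user
ssh deployer@hostname
mkdir /home/deployer/.ssh
mv /home/deployer/id_rsa.pub /home/deployer/.ssh/authorized_keys
chown -R deployer:deployer /home/deployer/.ssh
chmod 700 /home/deployer/.ssh
chmod 600 /home/deployer/.ssh/authorized_keys
# once key login works from a second terminal, turn off password login:
# set "PasswordAuthentication no" in /etc/ssh/sshd_config, then
# sudo sshd -t && sudo /etc/init.d/sshd restart
# create or update .bash_profile
touch .bash_profile
# Install RVM (download first so the installer can be inspected; it runs with
# your user's privileges):
curl -L -o rvm-installer https://get.rvm.io
less rvm-installer
bash rvm-installer stable --ruby=1.9.3
# Reload your shell environment:
source ~/.bash_profile
# Find the requirements (follow the instructions):
rvm requirements
rvm install ruby-1.9.3-p429
rvm use ruby-1.9.3-p429 --default
# configure rubygems to skip ri/rdoc generation on deploy servers
vi .gemrc
# copy the following into the file
---
:backtrace: false
:benchmark: false
:bulk_threshold: 1000
:sources:
- https://rubygems.org/
:update_sources: true
:verbose: true
gem: --no-ri --no-rdoc
# save file and exit -> :x
# nginx stable install or get latest from repo
# http://nginx.org/packages/centos/6/x86_64/RPMS/
wget http://nginx.org/packages/centos/6/x86_64/RPMS/nginx-1.4.1-1.el6.ngx.x86_64.rpm
rpm -ivh nginx-1.4.1-1.el6.ngx.x86_64.rpm
sudo chkconfig --add nginx
sudo chkconfig --level 35 nginx on
sudo service nginx start
# configure init for nginx
sudo chmod +x /etc/init.d/nginx
sudo /sbin/chkconfig nginx on
sudo /sbin/chkconfig --list nginx
sudo /etc/init.d/nginx status
sudo /etc/init.d/nginx configtest
sudo /etc/init.d/nginx start
# memcached
sudo yum install memcached nc
# bind to localhost: set OPTIONS="-l 127.0.0.1" in /etc/sysconfig/memcached
# before the first start, unless another host must reach it
sudo vi /etc/sysconfig/memcached
sudo service memcached start
sudo /sbin/chkconfig --add memcached
sudo /sbin/chkconfig memcached on
# verify memcached stats/settings
echo "stats settings" | nc localhost 11211
# postfix & tools
yum install postfix telnet mailx
# postfix (barebones config to send simple emails)
sudo /etc/init.d/postfix start
# postfix auto start at boot time
sudo /sbin/chkconfig --add postfix
sudo /sbin/chkconfig postfix on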
This was very helpful, thanks!

I had a somewhat pre-configured system and one issue I ran into was needing to prefix passenger-install-nginx-module with rvmsudo.
