@tehpeh
Created May 8, 2012 06:43
CentOS Deploy
Setup:
------
See ror-deploy.txt for general instructions.
Create user:
------------
groupadd staff
useradd [user] -g staff
passwd [user]
- visudo:
%staff ALL=(ALL) ALL
Set hostname (optional):
------------------------
- edit /etc/sysconfig/network:
HOSTNAME=newhostname
- add newhostname to 127.0.0.1 in /etc/hosts:
127.0.0.1 newhostname localhost.localdomain localhost
::1 localhost.localdomain6 localhost6
- (do not add .local, avahi handles that)
reboot
Enable firewall:
----------------
- create script and run set_iptables.sh:
#!/bin/bash
#
# iptables example configuration script
#
# Flush all current rules from iptables
#
iptables -F
#
# Allow SSH connections on tcp port 22
# This is essential when working on remote servers via SSH to prevent locking yourself out of the system
#
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# iptables -A INPUT -p udp --dport 5353 -j ACCEPT #avahi
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
#
# Limit ssh connections to 3 per 5 minutes per IP
#
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 300 --hitcount 4 -j DROP
#
# Set default policies for INPUT, FORWARD and OUTPUT chains
#
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
#
# Allow localhost traffic and reject anything addressed to 127/8 that did not arrive on lo
#
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
#
# Accept packets belonging to established and related connections
#
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Save settings
#
/sbin/service iptables save
/sbin/service iptables restart
chkconfig --level 345 iptables on
#
# List rules
#
iptables -L -v
- ip6tables: TODO: Look up a better solution for this.
- default ip6tables here: http://www.cyberciti.biz/faq/ip6tables-ipv6-firewall-for-linux/
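The rate limit in set_iptables.sh only works because the two "-m recent" rules are inserted (-I) ahead of the port-22 ACCEPT that was appended earlier; appended with -A they would sit behind the ACCEPT and never match. As an added check (example code, not part of this gist), the Python below parses a constructed `iptables -S INPUT` dump and reports when that ordering, the DROP policy, or the ESTABLISHED,RELATED rule is missing:

```python
"""Audit an `iptables -S INPUT` dump for the rule order set_iptables.sh relies on."""
# Constructed dump mirroring what the script above leaves in the INPUT chain
# (hand-written for this example, not captured from a real host).
GOOD_DUMP = """\
-P INPUT DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 4 --name DEFAULT --rsource -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
"""
# Same rules, as if the "-m recent" lines had been appended with -A instead of -I:
# they land after the port-22 ACCEPT and never see a packet.
_lines = GOOD_DUMP.splitlines()
BAD_DUMP = "\n".join(_lines[:1] + _lines[3:] + _lines[1:3])

def parse_rules(dump):
    """Return (INPUT policy, rules in chain order); each rule is a small dict."""
    policy, rules = None, []
    for line in dump.splitlines():
        tok = line.split()
        if tok[:2] == ["-P", "INPUT"]:
            policy = tok[2]
        elif tok[:2] == ["-A", "INPUT"]:
            # map every "-x value" pair; flags like --set are detected by membership
            opt = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}
            rules.append({"dport": opt.get("--dport"), "target": opt.get("-j"),
                          "states": set(opt.get("--state", "").split(",")),
                          "recent": "--set" if "--set" in tok else "--update" if "--update" in tok else None})
    return policy, rules

def audit_input_chain(dump):
    """Return findings; an empty list means the chain matches the intended design."""
    policy, rules = parse_rules(dump)
    findings = []
    if policy != "DROP":
        findings.append(f"INPUT policy is {policy}, expected DROP")
    def first(pred):  # chain position of the first rule matching pred, or None
        return next((i for i, r in enumerate(rules) if pred(r)), None)
    ssh_accept = first(lambda r: r["dport"] == "22" and r["target"] == "ACCEPT")
    ssh_track = first(lambda r: r["dport"] == "22" and r["recent"] == "--set")
    ssh_limit = first(lambda r: r["dport"] == "22" and r["recent"] == "--update" and r["target"] == "DROP")
    if ssh_track is None or ssh_limit is None:
        findings.append("SSH rate limit (-m recent --set/--update) is missing")
    elif ssh_accept is not None and ssh_accept < max(ssh_track, ssh_limit):
        findings.append("port-22 ACCEPT precedes the -m recent rules: rate limit is shadowed")
    if not any("ESTABLISHED" in r["states"] and r["target"] == "ACCEPT" for r in rules):
        findings.append("no ESTABLISHED,RELATED ACCEPT: replies to outbound connections are dropped")
    return findings
```

On a live host, feed it `iptables -S INPUT` output instead of the constructed dumps.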
DynDNS:
-------
yum install perl-IO-Socket-SSL
wget http://cdn.dyndns.com/ddclient.tar.gz (or from sourceforge for latest)
tar -xzvf ddclient.tar.gz
cd ddclient-3.7.3/
mkdir /etc/ddclient
mkdir /var/cache/ddclient
cp ddclient /usr/local/sbin
cp sample-etc_ddclient.conf /etc/ddclient/ddclient.conf
cp sample-etc_rc.d_init.d_ddclient /etc/rc.d/init.d/ddclient
- edit the /etc/ddclient/ddclient.conf file so that it contains something like:
use=web
login=yourdyndnslogin
password=yourdyndnspassword
wildcard=yes
server=members.dyndns.org, \
protocol=dyndns2 \
yourhost.dyndns.domain
- change permissions:
chmod 600 /etc/ddclient/ddclient.conf
- start the ddclient daemon:
/etc/init.d/ddclient start
- launch at boot:
chkconfig --add ddclient
chkconfig ddclient on
- you can check status and troubleshoot using:
/etc/init.d/ddclient status
/etc/init.d/ddclient stop
tail /var/log/messages
EPEL repository for yum:
------------------------
yum install yum-priorities
su -c 'rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm'
- enabled repos:
yum repolist all
- set priorities on enabled repos, listed under:
/etc/yum.repos.d/
- recommendation is:
[base], [addons], [updates], [extras] ... priority=1
[centosplus] priority=1 (same priority as base and updates) but should be left disabled
[contrib] ... priority=2
Third party repos (i.e. EPEL) ... priority=N (where N is > 10 and based on your preference)
Packages:
---------
yum update
yum install git
yum groupinstall "Development Libraries"
yum groupinstall "Development Tools"
nginx startup:
--------------
- Copy nginx-initd-centos to /etc/init.d/nginx
chmod 755 /etc/init.d/nginx
chkconfig --add nginx
chkconfig nginx on
Rails projects:
--------------
Check permissions on the home directory: it needs to be group- and other-readable and executable (recursive go+rx).
PostgreSQL:
-----------
yum install postgresql postgresql-server postgresql-devel
/etc/init.d/postgresql start
createuser [user]
createdb [user]
chkconfig postgresql on
- edit pg_hba.conf:
# "local" is for Unix domain socket connections only
local all all ident sameuser
# IPv4 local connections:
host all all 127.0.0.1/32 md5
# IPv6 local connections:
host all all ::1/128 md5
- set password for role [user]:
psql
alter user [user] with password 'password';
- for custom data directory (optional):
mkdir -p /usr/local/pgsql/data
chown postgres:postgres /usr/local/pgsql/data
su postgres
initdb -D /usr/local/pgsql/data
exit
- edit /etc/init.d/postgresql:
- PGDATA and PGLOG must point to /usr/local/pgsql
/etc/init.d/postgresql restart
Sqlite3:
--------
wget http://www.sqlite.org/sqlite-autoconf-3070500.tar.gz
tar -xzvf sqlite-autoconf-3070500.tar.gz
./configure --prefix=/usr/local
make
make install
- make sure 'which sqlite3' points to the new one
- might have to force /usr/local/bin as first path for root user in /root/.bash_profile