CentOS Deploy
Setup:
------
See ror-deploy.txt for general instructions.
Create user:
------------
groupadd staff
useradd [user] -g staff
passwd [user]
- visudo, then add the line:
%staff ALL=(ALL) ALL
Set hostname (optional):
------------------------
- edit /etc/sysconfig/network:
HOSTNAME=newhostname
- add newhostname to the 127.0.0.1 entry in /etc/hosts:
127.0.0.1 newhostname localhost.localdomain localhost
::1 localhost.localdomain6 localhost6
- (do not add .local, avahi handles that)
reboot
Enable firewall:
----------------
- create the script below as set_iptables.sh and run it:
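#!/bin/bash
#
# iptables example configuration script (set_iptables.sh)
#
# Rebuilds the INPUT chain of the filter table from scratch: loopback and
# established traffic first, then a per-source rate limit on new SSH
# connections, then SSH/HTTP/HTTPS and ICMP echo, and finally a default
# DROP policy. Must run as root; "service iptables save" persists the rules.
#
set -euo pipefail

# Changing or saving netfilter rules needs root; fail early instead of
# letting every iptables call below error out one by one.
if [[ "$(id -u)" -ne 0 ]]; then
  printf 'set_iptables.sh: must be run as root\n' >&2
  exit 1
fi

# Interface on which new SSH connections are rate-limited (eth0 by default,
# as in the original script; override with SSH_IFACE=... when needed).
ssh_iface=${SSH_IFACE:-eth0}

#
# Flush all current rules from the filter table. Chain policies are left as
# they are, so a host whose INPUT policy is already DROP stays closed (rather
# than wide open) while the rules are rebuilt.
#
iptables -F
#
# Loopback: accept everything on lo, and reject anything addressed to 127/8
# that did not arrive on lo.
#
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
#
# Accept packets belonging to established and related connections. Placed
# early so the bulk of traffic matches on the first real rule.
#
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Limit new SSH connections to 3 per 5 minutes per source IP: record each NEW
# attempt, then drop the 4th seen within 300 seconds. The record rule has to
# be evaluated before the check rule, and both before the SSH ACCEPT below;
# appending them in this order (instead of two -I inserts, which reverse
# their order) gives exactly that.
#
iptables -A INPUT -p tcp --dport 22 -i "$ssh_iface" -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 22 -i "$ssh_iface" -m state --state NEW -m recent --update --seconds 300 --hitcount 4 -j DROP
#
# Allow SSH connections on tcp port 22
# This is essential when working on remote servers via SSH to prevent locking
# yourself out of the system
#
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# iptables -A INPUT -p udp --dport 5353 -j ACCEPT #avahi
# ICMP echo request (ping) only; other ICMP types fall through to the policy.
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
#
# Set default policies for INPUT, FORWARD and OUTPUT chains. Done last, once
# the chain is fully populated, so nothing is dropped mid-rebuild.
#
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
#
# Save settings and enable the service at boot
#
/sbin/service iptables save
/sbin/service iptables restart
chkconfig --level 345 iptables on
#
# List rules (-n: no DNS lookups while listing)
#
iptables -L -v -n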
- ip6tables: TODO: look up a better solution for this. The script above configures IPv4 only, so IPv6 traffic is still governed by whatever ip6tables rules are in place.
- default ip6tables here: http://www.cyberciti.biz/faq/ip6tables-ipv6-firewall-for-linux/
DynDNS:
-------
yum install perl-IO-Socket-SSL
wget http://cdn.dyndns.com/ddclient.tar.gz (or from sourceforge for the latest version)
tar -xzvf ddclient.tar.gz
cd ddclient-3.7.3/
mkdir /etc/ddclient
mkdir /var/cache/ddclient
cp ddclient /usr/local/sbin
cp sample-etc_ddclient.conf /etc/ddclient/ddclient.conf
cp sample-etc_rc.d_init.d_ddclient /etc/rc.d/init.d/ddclient
- edit /etc/ddclient/ddclient.conf so that it contains something like:
use=web
login=yourdyndnslogin
password=yourdyndnspassword
wildcard=yes
server=members.dyndns.org, \
protocol=dyndns2 \
yourhost.dyndns.domain
- change permissions (the file holds the DynDNS password in clear text, so it must not be readable by other users):
chmod 600 /etc/ddclient/ddclient.conf
- start the ddclient daemon:
/etc/init.d/ddclient start
- launch at boot:
chkconfig --add ddclient
chkconfig ddclient on
- you can check status and troubleshoot using:
/etc/init.d/ddclient status
/etc/init.d/ddclient stop
tail /var/log/messages
EPEL repository for yum:
------------------------
yum install yum-priorities
su -c 'rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm'
- list all repos (enabled and disabled):
yum repolist all
- set priorities on the enabled repos, whose files are under:
/etc/yum.repos.d/
- the recommendation is:
[base], [addons], [updates], [extras] ... priority=1
[centosplus] ... priority=1 (same priority as base and updates) but should be left disabled
[contrib] ... priority=2
Third Party Repos (ie. EPEL) ... priority=N (where N is > 10 and based on your preference)
Packages:
---------
yum update
yum install git
yum groupinstall "Development Libraries"
yum groupinstall "Development Tools"
nginx startup:
--------------
- Copy nginx-initd-centos to /etc/init.d/nginx
chmod 755 /etc/init.d/nginx
chkconfig --add nginx
chkconfig nginx on
Rails projects:
---------------
Check permissions on the home directory: it needs to be readable and executable by group and other (recursive go+rx).
PostgreSQL:
-----------
yum install postgresql postgresql-server postgresql-devel
/etc/init.d/postgresql start
createuser [user]
createdb [user]
chkconfig postgresql on
- edit pg_hba.conf:
# "local" is for Unix domain socket connections only
local all all ident sameuser
# IPv4 local connections:
host all all 127.0.0.1/32 md5
# IPv6 local connections:
host all all ::1/128 md5
- set a password for role [user]:
psql
alter user [user] with password 'password';
- for a custom data directory (optional):
mkdir -p /usr/local/pgsql/data
chown postgres:postgres /usr/local/pgsql/data
su postgres
initdb -D /usr/local/pgsql/data
exit
- edit /etc/init.d/postgresql:
- PGDATA and PGLOG must point to /usr/local/pgsql
/etc/init.d/postgresql restart
Sqlite3:
--------
wget http://www.sqlite.org/sqlite-autoconf-3070500.tar.gz
tar -xzvf sqlite-autoconf-3070500.tar.gz
./configure --prefix=/usr/local
make
make install
- make sure 'which sqlite3' points to the new one
- might have to force /usr/local/bin as the first PATH entry for the root user in /root/.bash_profile