CentOS LAMP Server Create

This uses digitalocean for server and volume creation, but most of this could be used for any CentOS LAMP server.

Create Droplet

  • log into digitalocean.com

  • Create > Droplets <name> 1 GB / 30 GB Disk / Centos 7 / NYC1 IP

Some Upkeep [root]

yum install -y vim
yum -y update (see /var/log/yum.log for all updates)
shutdown -r now

Additional repos

yum install -y epel-release

sudo user

Create non-root user and give sudo access [root]

adduser <user>; passwd <user>
mkdir /home/<user>/.ssh; cp .ssh/authorized_keys /home/<user>/.ssh
chown -R <user>:<user> /home/<user>/.ssh
gpasswd -a <user> wheel

Set sudo timeout (minutes)

sudo visudo # replace 'Defaults env_reset' with following
    Defaults env_reset,timestamp_timeout=30

Set up digitalocean agent for monitoring [root]

curl -sSL https://agent.digitalocean.com/install.sh \| sh

history should display date/time

export HISTTIMEFORMAT="%Y-%m-%d %H:%M " # add this to ~/.bashrc, /root/.bashrc

Set local time and keep in sync

sudo timedatectl set-timezone America/New_York
sudo yum -y install ntp
sudo systemctl start ntpd
sudo systemctl enable ntpd

Turn off cron information to /var/log/messages

sudo vim /etc/rc.local # add /usr/bin/systemd-analyze set-log-level notice
sudo /usr/bin/systemd-analyze set-log-level notice
sudo chmod +x /etc/rc.d/rc.local

Set /usr/local/lib in library path

See https://serverfault.com/a/372998

sudo vim /etc/ld.so.conf.d/usrlocal.conf
> /usr/local/lib
sudo ldconfig -v

LAMP and Security Stack

Set up LAMP stack

See https://www.digitalocean.com/community/tutorials/how-to-install-linux-apache-mysql-php-lamp-stack-on-centos-7

sudo yum -y install httpd
sudo systemctl start httpd.service
sudo systemctl enable httpd.service
sudo yum -y install mariadb-server mariadb
sudo systemctl start mariadb
sudo mysql_secure_installation
sudo systemctl enable mariadb.service
sudo yum -y install php php-mysql
sudo systemctl restart httpd.service
sudo systemctl start firewalld
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --permanent --add-service=smtp
sudo firewall-cmd --reload
sudo systemctl enable firewalld
sudo yum install -y python-certbot-apache

install additional PHP versions

See https://stackoverflow.com/a/50079574/799921 and https://blog.remirepo.net/post/2016/04/16/My-PHP-Workstation

# this is done once
sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm -y
sudo yum install http://rpms.remirepo.net/enterprise/remi-release-7.rpm -y
sudo yum install yum-utils -y

# this is done for each new version
sudo yum install php74y -y
sudo yum install php74-php-fpm -y
sudo vim /etc/opt/remi/php74/php-fpm.d/www.conf
    listen = 127.0.0.1:9074 # 9000 + 74 for the php version
sudo yum install php74-php-mysqlnd -y
sudo yum install php74-php-xml -y
sudo yum install php74-php-gd -y

# optimize memory usage
sudo vim /etc/opt/remi/php74/php.ini
    409c409
    < memory_limit = 128M
    ---
    > memory_limit = 256M
    846c846
    < upload_max_filesize = 2M
    ---
    > upload_max_filesize = 4M
sudo vim /etc/opt/remi/php74/php-fpm.d/www.conf
    104c104
    < pm = dynamic
    ---
    > pm = ondemand
    115c115
    < pm.max_children = 50
    ---
    > pm.max_children = 25
    141c141
    < ;pm.max_requests = 500
    ---
    > pm.max_requests = 500

sudo systemctl enable php74-php-fpm
sudo systemctl start php74-php-fpm

# this is done for each vhost
sudo vim /etc/httpd/sites-available/www.steeplechasers.org.conf # match the listen port above
    24c24
    <     SetHandler "proxy:fcgi://127.0.0.1:9073"
    ---
    >     SetHandler "proxy:fcgi://127.0.0.1:9074"
sudo apachectl restart

Create a2ensite, a2dissite

See http://www.tecmint.com/apache-virtual-hosting-in-centos/

sudo vim /usr/bin/a2ensite
     #!/bin/bash
     if test -d /etc/httpd/sites-available && test -d /etc/httpd/sites-enabled  ; then
     echo "-----------------------------------------------"
     else
     mkdir /etc/httpd/sites-available
     mkdir /etc/httpd/sites-enabled
     fi

     avail=/etc/httpd/sites-available/$1.conf
     enabled=/etc/httpd/sites-enabled/
     site=`ls /etc/httpd/sites-available/`

     if [ "$#" != "1" ]; then
                     echo "Use script: a2ensite virtual_site"
                     echo -e "\nAvailable virtual hosts:\n$site"
                     exit 0
     else

     if test -e $avail; then
     sudo ln -s $avail $enabled
     else

     echo -e "$avail virtual host does not exist! Please create one!\n$site"
     exit 0
     fi
     if test -e $enabled/$1.conf; then

     echo "Success!! Now restart Apache server: sudo systemctl restart httpd"
     else
     echo  -e "Virtual host $avail does not exist!\nPlease see available virtual hosts:\n$site"
     exit 0
     fi
     fi

 sudo chmod +x /usr/local/bin/a2ensite

 sudo vim /usr/bin/a2dissite
     #!/bin/bash
     avail=/etc/httpd/sites-enabled/$1.conf
     enabled=/etc/httpd/sites-enabled
     site=`ls /etc/httpd/sites-enabled/`

     if [ "$#" != "1" ]; then
                     echo "Use script: a2dissite virtual_site"
                     echo -e "\nAvailable virtual hosts: \n$site"
                     exit 0
     else

     if test -e $avail; then
     sudo rm  $avail
     else
     echo -e "$avail virtual host does not exist! Exiting!"
     exit 0
     fi

     if test -e $enabled/$1.conf; then
     echo "Error!! Could not remove $avail virtual host!"
     else
     echo  -e "Success! $avail has been removed!\nPlease restart Apache: sudo systemctl restart httpd"
     exit 0
     fi
     fi

 sudo mkdir /etc/httpd/sites-available /etc/httpd/sites-enabled
 sudo vim /etc/httpd/conf/httpd.conf
    353a354
    > IncludeOptional sites-enabled/*.conf

Set up VHOST

Backups

Create backup volume

  • [DO console] Volumes > Add Volume > 10 GB

sudo mkfs.ext4 -F /dev/disk/by-id/<volumename>
sudo mkdir -p /mnt/backup
sudo mount -o discard,defaults /dev/disk/by-id/<volumename> /mnt/backup
echo /dev/disk/by-id/<volumename> /mnt/backup ext4 defaults,nofail,discard 0 0 \| sudo tee -a /etc/fstab

Set up backup

See https://www.digitalocean.com/community/tutorials/how-to-install-rsnapshot-on-ubuntu-12-04

sudo yum install -y rsnapshot
sudo yum install -y rsnapshot
sudo vim /etc/rsnapshot.conf
    23c23
    < snapshot_root /.snapshots/
    ---
    > snapshot_root /mnt/backup/snapshots/
    40c40
    < #cmd_cp /usr/bin/cp
    ---
    > cmd_cp /usr/bin/cp
    63c63
    < #cmd_du /usr/bin/du
    ---
    > cmd_du /usr/bin/du
    67c67
    < #cmd_rsnapshot_diff /usr/local/bin/rsnapshot-diff
    ---
    > cmd_rsnapshot_diff /usr/bin/rsnapshot-diff
    93,95c93,95
    < retain alpha 6
    < retain beta 7
    < retain gamma 4
    ---
    > #retain alpha 6
    > #retain beta 7
    > #retain gamma 4
    96a97,100
    > retain hourly 6
    > retain daily 7
    > retain weekly 4
    > retain monthly 3
    120c124
    < #logfile /var/log/rsnapshot
    ---
    > logfile /var/log/rsnapshot
    229c233,234
    < #backup /var/log/rsnapshot localhost/
    ---
    > backup /var/log/rsnapshot localhost/
    > backup /var/www localhost/
sudo rsnapshot configtest
sudo rsnapshot -t hourly
sudo rsnapshot hourly
sudo vim /etc/cron.d/rsnapshot
-  These settings will run add a snapshot to the "hourly" directory
      within our "/backup/" directory every four hours, add a daily
      snapshot everyday at 3:30 am, add a weekly snapshot every
      Monday at 3:00 am, and add a monthly snapshot on the first of
      every month at 2:30 am.
-  It is important to stagger your backups and run larger backup
      intervals first. This means running the monthly backup first
      and progressing to shorter intervals from there in order, as
      we've done in this tutorial. This is necessary so that the
      program does not get caught up trying to do multiple backups at
      the same time, which can cause problems.
    0 \*/4 \* \* \* root /usr/bin/rsnapshot hourly
    30 3 \* \* \* root /usr/bin/rsnapshot daily
    0 3 \* \* 1 root /usr/bin/rsnapshot weekly
    30 2 1 \* \* root /usr/bin/rsnapshot monthly

Resize backup volume (only if necessary)

See https://www.digitalocean.com/community/tutorials/how-to-increase-the-size-of-a-digitalocean-block-storage-volume

  • droplet must be switched off to resize an attached volume

sudo shutdown -h now

  • [DO console] Droplet loutility-server-digitalocean > Volumes > backup > More > Resize Volume > 40GB

  • [DO console] Switch On droplet

  • determine name of volume

ls -l /dev/disk/by-id

total 0
lrwxrwxrwx 1 root root 9 Sep 21 05:47 scsi-0DO_Volume_backup -> ../../sdc
lrwxrwxrwx 1 root root 9 Sep 21 05:44 scsi-0DO_Volume_loutility-server-backup -> ../../sdb
lrwxrwxrwx 1 root root 9 Sep 21 05:44 scsi-0DO_Volume_loutility-server-swap -> ../../sda

  • determine filesystem type

sudo lsblk --fs /dev/disk/by-id/scsi-0DO_Volume_backup

NAME FSTYPE LABEL UUID MOUNTPOINT
sdc ext4 0b21852e-dee8-4828-97b1-92e66d877b2d /mnt/backup

  • resize unpartitioned ext4 volume

sudo resize2fs /dev/disk/by-id/scsi-0DO_Volume_backup

Set up swap volume

See https://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-swap-adding.html

  • [DO console] Volumes > Add Volume > 10 GB / swapspace

sudo mkswap /dev/disk/by-id/<volumename>
sudo vim /etc/fstab # add following line
    /dev/disk/by-id/scsi-0DO_Volume_swapspace swap swap defaults 0 0
sudo swapon -va

Security

Set up server level security

sudo yum install -y fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo vim /etc/fail2ban/jail.local
-  set ignoreip to your personal ip address
-  set destemail to your personal email address
-  set enabled to true (for desired jails)
-  set bantime to 3600 (globally)
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
.