CentOS 7 VM for WordPress and MythTV – Post install setup

In the post CentOS 7 base VM for WordPress and MythTV I described how to create a base CentOS 7 VM. This post describes follows on from that post and describes the post installation tasks to make the VM a good solid base for me to run WordPress or MythTV.

When setting up a Linux server there are a lot of choices you make and some of the more important ones are around security. There is an enormous amount you can do to lock down a server but it comes at a cost to time, effort and inconvenience.

This setup is based on my requirements. My MythTV box is sitting on our LAN behind a reasonable firewall, it’s not used to surf the internet, it’s a media player.

The WordPress server is in a DMZ completely separated from the LAN – from the LAN you can get to it but it can’t get to the LAN. It is sitting behind the same SonicWall firewall. I am planning on setting up WordPress to do daily backups of the DB and filesystem. So if it gets hacked then I rollback to a “known good” copy of the VM and then the backups are restored to it. I don’t believe I need firewalls on the host and because only HTTP and HTTPS are exposed I think security is adequate.Initial stuff

Generic

Disable SE Linux

SE Linux has it’s place but it is complicated to administer and is not required for my boxes. When enabled it can cause all sorts of weird things not to work, things that I have spent hours trying to nut out only find it was SE Linux.

Best to disable it right at the beginning!

Backup and then edit the file /etc/selinux/config

Set the following:

SELINUX=disabled

Save the file

Disable the firewall

Run the following:

sudo systemctl stop firewalld
sudo systemctl disable firewalld
sudo systemctl mask –now firewalld

Install the GUI – User Manager

This appears under “Sundry” in desktop menu. Run the following:

yum install system-config-users

Miscellaneous

Run the following to install any missing items:

yum install telnet

Enable the epel repo

sudo yum install epel-release
rpm -Uvh http://rpms.famillecollet.com/enterprise/remi-release-7.rpm

Enable software collections, scl:

yum update
yum install centos-release-scl
yum install scl-utils-build

You should edit the file “/etc/yum.conf” and look for the line:

installonly_limit=5

Change this to a 2. This is to stop previous kernels filling up the “/boot” partition. See my post: Low Disk Space on “boot”

Restart the host

Would be good to restart the VM now, just to make sure everything still works and ensure that SELinux is disabled.

Create users and Groups

We some custom users and groups. Create the following:

groupadd sambaguest
useradd sambaguest -d /home/sambaguest -g sambaguest -s /bin/bash
groupadd backup
useradd backup -d /home/backup -g backup -s /bin/bash

 

Install MariaDB

MariaDB replaces MySQL but the version that comes with CentOS is 5.5.60 and we need version 10 for WordPress. You will note we have not yet selected to install either MariaDB or MySQL.

yum install rh-mariadb102

Enable the software collection and start the service

scl enable rh-mariadb102 bash
service rh-mariadb102-mariadb start

Setup MariaDB

mysql_secure_installation    (If you exited bash you will have to run “scl enable rh-mariadb102 bash” again)

You will be prompted with some questions. Below are the questions and my answers:

Enter current password for root = This is the root database user, (First time this will be blank)
Set root password? [Y/n] = Y
New password: ******
Remove anonymous users? [Y/n] = Y
Disallow root login remotely? [Y/n] = n
Remove test database and access to it? [Y/n] = Y
Reload privilege tables now? [Y/n] = Y

I want to be able to connect remotely as the root user so run the following. Note when you first login remember it is the root password for the DB user remote. Where I have “<root password>, again this is the DB root user:

mysql -u root -p
GRANT ALL PRIVILEGES ON *.* TO ‘root’@’%’ IDENTIFIED BY ‘<root password>’ WITH GRANT OPTION;
GRANT ALL ON *.* to ‘root’@’%’;
use mysql;
UPDATE user SET authentication_string=PASSWORD(‘<root password>’) where User=’root’;
UPDATE user SET plugin=”mysql_native_password”;
FLUSH PRIVILEGES;
exit

The ‘WITH GRANT OPTION’ is important otherwise even though you did grant all privileges this doesn’t appear to include GRANT.

You should enable timezones which is required for MythTV if not others. Ensure you are still running “scl enable rh-mariadb102 bash”. Run the following

mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root mysql -p

This will prompt you for the password for the root user in MariaDB – not the Unix account, the MariaDB root account. You may also get some warnings :

[root@mythsvr2 ~]# mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root mysql -p
Enter password: 
Warning: Unable to load '/usr/share/zoneinfo/leapseconds' as time zone. Skipping it.
Warning: Unable to load '/usr/share/zoneinfo/tzdata.zi' as time zone. Skipping it.

Now enable MariaDB so it will autostart:

systemctl enable rh-mariadb102-mariadb.service

At this stage I would try to connect remotely as root, using say HeidiSQL. I would then restart the VM and double check that Maria has restarted – it should do.

PostgreSQL 10

This is available in Software collections so begin by installing:

yum install rh-postgresql10 rh-postgresql10-postgresql-devel

Now scl enable PostgreSQL, initialize the DB then enable and start the service:

scl enable rh-postgresql10 bash
postgresql-setup –initdb
systemctl enable rh-postgresql10-postgresql.service
service rh-postgresql10-postgresql start

Note “–initdb” doesn’t ask any questions, just initializes.

To enable remote access, from the LAN etc, we need to edit two files “pg_hba.conf” and “postgresql.conf”. Because this is running under software collections the folder is:

/var/opt/rh/rh-postgresql10/lib/pgsql/data

So run the following commands

systemctl stop rh-postgresql10-postgresql.service
cd /var/opt/rh/rh-postgresql10/lib/pgsql/data
cp pg_hba.conf pg_hba.conf.ootb
cp postgresql.conf postgresql.conf.ootb

Now edit postgresql.conf using your favorite editor and add the following lines at the bottom: access:

# centos7-base customizations
listen_addresses = ‘*’

Now edit “pg_hba.conf” in the same folder and add the following lines:

host all all 0.0.0.0/0 md5
host all all ::/0 md5

In the same file, “pg_hba.conf”, look for the following lines near the bottom:

# “local” is for Unix domain socket connections only
local all all peer
# IPv4 local connections:
host all all 127.0.0.1/32 ident

and change the highlighted text to as below:

# “local” is for Unix domain socket connections only
local all all trust
# IPv4 local connections:
host all all 127.0.0.1/32 trust

Now restart PostgreSQL and try to connect from your LAN computer.

We now need to create a DB “root” user. This is different from the Linux account “root”. Because we need to do this via scl and scl clears environment variables, we can’t simply run “psql” we need to run the following:

su – postgres -c ‘scl enable rh-postgresql10 — psql’

This should put you into psql with a prompt “postgres=#”. To create the “root” DB user run:

CREATE ROLE root SUPERUSER LOGIN PASSWORD ‘<my root DB password>’;

To exit psql type “\q<enter>”.

At this point it would be a good idea to restart the VM and check that PostgreSQL starts on boot and that the login also works.

Apache, PHP and Python

To install Apache 2.4, PHP 7.2 and Python 3.6 and have them all working together I installed them all using Software Collections. You can read about what I did in the post CentOS 7 + PHP 7.2 + Python 3.6 + Apache 2.4

Create Apache users

I authenticate my users using basic authentication created by Apache’s htpasswd. For this box we will create some custom users.

Run

scl enable httpd24 bash
htpasswd -c /srv/conf/apache.users tony
htpasswd /srv/conf/apache.users svnanonymous
exit

So this will create the file and create a user “tony” and one called “svnanonymous”. Also create an Apache group file:

admin: tony
family: tony jackie josh
svn: tony jackie josh svn

Self-signed SSL certificate

The goal is not to use self-signed certificates are these are not trusted by default. However should you want to go down this path, this is what to do.

You should follow the instructions in the post Adding an SSL certificate to Apache , however, as you know we are using the software collections httpd24, which is the Apache httpd, so when the instructions say to move to:

cd /etc/httpd/conf.d

You should instead move to:

/opt/rh/httpd24/root/etc/httpd/conf.d

Otherwise the instructions are fine for creating the ssl certificate.

Next you need to edit the ssl config file for Apache. So edit:

/opt/rh/httpd24/root/etc/httpd/conf/ssl.conf

Add:

NSSEnforceValidCerts off

Change:

SSLCertificateFile /etc/pki/tls/certs/localhost.crt

to

SSLCertificateFile /opt/rh/httpd24/root/etc/httpd/conf.d/zoyinc.com.crt

Then change:

SSLCertificateKeyFile /opt/rh/httpd24/root/etc/httpd/conf.d/zoyinc.com.key

to:

SSLCertificateFile /opt/rh/httpd24/root/etc/httpd/conf.d/zoyinc.com.key

You can test your changes by running:

scl enable http24-httpd bash
httpd -t
exit

Tomcat

Follow the instructions in Installing Tomcat 9 behind Apache on CentOS 7

Subversion

Running SVN and using it in Apache and running Apache via scl means SVN also has to be run in scl. The bit that is not obvious is the software collection you need is actually sclo-subversion19.

Note that for software collections:

So you should install sclo-subversion and a number of supporting packages

yum install sclo-subversion19 sclo-subversion19-mod_dav_svn sclo-subversion19-subversion-devel sclo-subversion19-subversion-python sclo-subversion19-subversion-tools

For our purposes the important module is “sclo-subversion19-mod_dav_svn” this delivers the following files:

/opt/rh/httpd24/root/etc/httpd/conf.modules.d/10-subversion.conf
/opt/rh/httpd24/root/usr/lib64/httpd/modules/mod_authz_svn.so
/opt/rh/httpd24/root/usr/lib64/httpd/modules/mod_dav_svn.so
/opt/rh/httpd24/root/usr/lib64/httpd/modules/mod_dontdothat.so

These are clearly the modules we need for Apache.

Create an empty SVN repo if you don’t have one:

scl enable sclo-subversion19 bash
cd /srv
mkdir svn
svnadmin create /srv/svn/zoyinc
chown -R apache.apache svn
exit

Lets create an SVN access file. Create file an access file:

mkdir -p /srv/conf
/srv/conf/svn.access

An example one would be:

Note in the above it is dependant on the earlier section, “Create Apache users”.

Then give it rights apache.apache

chown apache.apache /srv/conf/svn.access

Update the Apache ssl config:

/opt/rh/httpd24/root/etc/httpd/conf.d/ssl.conf

find the line:

</VirtualHost>

Just before the above add the following:

Samba

Setup a base smb.conf file. Backup the existing one:

cp /etc/samba/smb.conf /etc/samba/smb.conf.ootb

and replace the contents with the sample Samba config file at the bottom of this article.

The sample smb.conf file requires a couple of folders and users that we created earlier:

mkdir -p /mnt/public
chown -R sambaguest.sambaguest /mnt/public
chmod -R 777 /mnt/public
mkdir -p /srv/backup
chown -R backup.backup /srv/backup
chmod -R 770 /srv/backup

Then enable and start the services

systemctl enable smb.service
systemctl enable nmb.service
systemctl restart smb.service
systemctl restart nmb.service

Samba troubleshooting

Test tools

testparm
This is a Samba tool which will validate your smb.conf file and will give you a “dump of your service definitions”. Note that the dump is not simply a copy of smb.conf it is what are the effective settings. This is a very handy tool.

Hostname

The maximum length of a netbios name is 15 characters and people will always assume the hostname matches the netbios name, so this means the hostname needs to be no more than 15 characters. Originally I called my VM “centos7-template”, which is 16 characters, so had to rename “centos7-base”.

Getting guest working

The “map to guest = bad user” parameter maps login attempts with bad usernames to the guest user,

File limit warning

If you run testparm and see the following warning:

rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)

Edit  “/etc/security/limits.conf” and add the following to the end of the file:

* – nofile 16385

This will permanently fix the warning. You will need to restart the VM for this to be effective. You can also make a temporary change to the file limit by running:

sysctl -w fs.file-max=16385

AWStats – logfile analyzer

AWStats is a great general purpose log file analyzer. I have been using it since 2012 and it is still going strong. Its a really handy way to see if people are actually coming to your site and where they are coming from and so on.

Install the rpm:

yum install awstats

Be warned it has heaps of dependancies, all of which are perl packages.

Run the config as below, it is recommended to cd to the awstats root first:

cd /usr/share/awstats
tools/awstats_configure.pl

These are the options I chose:

Do you want to continue setup from this NON standard directory [yN] ? Y
Config file path (‘none’ to skip web server setup): /opt/rh/httpd24/root/etc/httpd/conf/httpd.conf
Do you want me to build a new AWStats config/profile file (required if first install) [y/N] ? Y
Your web site, virtual server or profile name: www.zoyinc.com
Directory path to store config file(s) (Enter for default): <Enter>

The config file is:

/etc/awstats/awstats.www.zoyinc.com.conf

You now need to modify the Apache config. This is because the awstats changes are for httpd 2.2 but we are running 2.4 so it goes from:

Order allow,deny
Allow from all

to

Require all granted

If you don’t make this change you will get this error:

Forbidden
You don’t have permission to access /awstats/awstats.pl on this server.

So open up the Apache config file:

/opt/rh/httpd24/root/etc/httpd/conf/httpd.conf

Look for the awstats section:

#
# This is to permit URL access to scripts/files in AWStats directory.
#
<Directory “/usr/share/awstats/wwwroot”>
Options None
AllowOverride None
Order allow,deny
Allow from all
</Directory>

This needs to be changed to:

<Directory “/usr/share/awstats/wwwroot”>
Options None
AllowOverride None
# Order allow,deny
# Allow from all
   Require all granted
</Directory>

Then restart Apache:

systemctl restart httpd24-httpd.service

To check the changes are correct now that you have made the Apache changes and restarted Apache, you should visit some pages on your web server. Now have a look at the access log:

tail -n 100 /var/log/httpd24/access_log

The latest entries in the log, after the changes and restart, should look like:

192.168.202.237 - - [11/Sep/2019:21:44:55 +1200] "GET /awstatsicons/clock/hr6.png HTTP/1.1" 200 314 "http://centos7-base/awstats/awstats.pl?config=www.zoyinc.com&framename=mainright" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0"
192.168.202.237 - - [11/Sep/2019:21:44:55 +1200] "GET /awstatsicons/clock/hr7.png HTTP/1.1" 200 316 "http://centos7-base/awstats/awstats.pl?config=www.zoyinc.com&framename=mainright" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0"

This is because the awstats config changes the format.

Now we need to install GeoIP

This is so we can get country info based on IP. So do the following:

yum install perl-CPAN

Then:

perl -MCPAN -e “install Geo::IP::PurePerl”

You will get various questions, I just hit <Enter> to accept defaults. Be warned it will seem long and take a little time!

Then run:

perl -MCPAN -e “install Geo::IP”

It will take a little bit but not as long as first one.

Look for the following line in the config file, /etc/awstats/awstats.www.zoyinc.com.conf :

#LoadPlugin=”geoip6 GEOIP_STANDARD /pathto/GeoIPv6.dat”

Uncomment the line and change the path so it becomes:

LoadPlugin=”geoip6 GEOIP_STANDARD /usr/share/GeoIP/GeoIP.dat

Search for:

LogFile=”/var/log/httpd/access_log”

And change to:

LogFile=”/var/log/httpd24/access_log”

Now do an initial run

cd /usr/share/awstats/wwwroot/cgi-bin
awstats/awstats.pl?config=www.zoyinc.com

Now you need to add a cron job as the root user. So run:

crontab -e

This will drop you into vi to edit the crontab. Add the following entry:

0 0 * * * /usr/share/awstats/wwwroot/cgi-bin/awstats.pl -update -config=www.zoyinc.com >/dev/null 2>&1

This will run an update each day at midnight.

Copy AWStats data from old server to new

If you are migrating to a new server and want to bring your historical AWStats data then you just need to copy the data files.

In the config file, /etc/awstats/awstats.www.zoyinc.com.conf, the setting “DirData” describes where the data is stored. Just copy the old data from the old to the new. For me this was in:

/var/lib/awstats

You can get to AWStat at:

https://centos7-base/awstats/awstats.pl?config=www.zoyinc.com

Resources

Mystery Data: Upgrade Mariadb 5.5 to Mariadb 10.2 on Centos 7 VestaCP
https://www.mysterydata.com/upgrade-mariadb-5-5-to-mariadb-10-2-on-centos-7-vesta-cp/

Red Hat: How to set up a LAMP stack on Red Hat Enterprise Linux 7
https://developers.redhat.com/blog/2017/03/07/how-to-set-up-a-lamp-stack-on-red-hat-enterprise-linux-7/

TecAdmin: How To Install PHP 7.3, 7.2, 7.1 on CentOS/RHEL 7.6
https://tecadmin.net/install-php7-on-centos7/

Next Cloud: Installing PHP 7.2 on RHEL 7 and CentOS 7
https://docs.nextcloud.com/server/15/admin_manual/installation/php_72_installation.html
– An excellent article on using software collections on CentOS 7 and PHP 7.2 on Apache httpd

Red Hat: How can I make a Red Hat Software Collection persist after a reboot/logout?
https://access.redhat.com/solutions/527703

Manage IQ: Developer setup guide Postgresql software collection
http://manageiq.org/docs/guides/developer_setup/postgresql_software_collection

Big Binary: Configure PostgreSQL to allow remote connection
https://blog.bigbinary.com/2016/01/23/configure-postgresql-to-allow-remote-connection.html

AWStats Documentation – Setups Page
http://www.awstats.org/docs/awstats_setup.html

Plesk: How to confugure GeoIP plugin for AWStats
https://support.plesk.com/hc/en-us/articles/115002097389

 

Samba Config file – smb.conf