
Linux Server Configuration

Uploaded by

ak19.alamgir
Linux Server configuration

FTP Server (Vsftpd)


Step 1: Install FTP Service with VSFTPD

1. Start by updating the package manager:
sudo yum -y update
2. Install VSFTPD software with the following command:
sudo yum -y install vsftpd
3. Start the service and set it to launch when the system boots with the following:
sudo systemctl start vsftpd
sudo systemctl enable vsftpd
4. Next, create a rule for your firewall to allow FTP traffic on Port 21:
sudo firewall-cmd --zone=public --permanent --add-port=21/tcp
sudo firewall-cmd --zone=public --permanent --add-service=ftp
sudo firewall-cmd --reload

Step 2: Configuring VSFTPD

1. Before starting, create a copy of the default configuration file:
sudo cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.default
2. Next, edit the configuration file with the following command:
sudo nano /etc/vsftpd/vsftpd.conf
3. Set your FTP server to disable anonymous users and allow local users.
anonymous_enable=NO
local_enable=YES
4. Next, allow a logged-in user to upload files to your FTP server.
write_enable=YES
5. Limit FTP users to their own home directory. This is often called jail or chroot jail. Find and adjust the
entry to match the following:
chroot_local_user=YES
allow_writeable_chroot=YES
6. The vsftpd utility provides a way to create an approved user list. To manage users this way, find the
userlist_enable entry, then edit the file to look as follows:
userlist_enable=YES
userlist_file=/etc/vsftpd/user_list
userlist_deny=NO
You can now edit the /etc/vsftpd/user_list file and add your list of users (one per line). With
userlist_deny=NO, only the users in the list are allowed to log in; setting it to YES would turn the list into a
list of blocked users.

7. Once you’re finished editing the configuration file, save your changes. Restart the vsftpd service to
apply changes:
sudo systemctl restart vsftpd
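
The settings from Step 2 can be checked mechanically after each edit. The script below is an added example, not part of the original guide: the function names and the sample file are constructed for illustration, and ssl_enable is a vsftpd option that the guide itself does not set.

```shell
#!/bin/sh
# Added example, not part of the original guide: report what the Step 2
# settings mean for access control in a vsftpd.conf.

# Effective YES/NO value of KEY in FILE, or DEFAULT when the key is absent.
# Comment lines are skipped; taking the last assignment when a key repeats
# is an assumption of this sketch.
vsftpd_bool() {   # usage: vsftpd_bool KEY FILE DEFAULT
    awk -F= -v key="$1" -v def="$3" '
        /^[ \t]*#/ { next }
        $1 == key { val = toupper($2); gsub(/[ \t\r]/, "", val) }
        END { print (val == "" ? def : val) }
    ' "$2"
}

# How user_list is interpreted: "allowlist", "denylist" or "off".
vsftpd_userlist_mode() {
    if [ "$(vsftpd_bool userlist_enable "$1" NO)" != "YES" ]; then
        echo off
    elif [ "$(vsftpd_bool userlist_deny "$1" YES)" = "NO" ]; then
        echo allowlist
    else
        echo denylist
    fi
}

# One finding per line; prints nothing when no check fires.
vsftpd_audit() {
    if [ "$(vsftpd_bool anonymous_enable "$1" YES)" = "YES" ]; then
        echo "anonymous_enable: anonymous logins are accepted"
    fi
    if [ "$(vsftpd_bool chroot_local_user "$1" NO)" != "YES" ]; then
        echo "chroot_local_user: local users can leave their home directory"
    fi
    if [ "$(vsftpd_bool allow_writeable_chroot "$1" NO)" = "YES" ]; then
        echo "allow_writeable_chroot: the user can write to the root of the jail"
    fi
    if [ "$(vsftpd_userlist_mode "$1")" != "allowlist" ]; then
        echo "userlist: logins are not restricted to an approved user list"
    fi
    if [ "$(vsftpd_bool ssl_enable "$1" NO)" != "YES" ]; then
        echo "ssl_enable: passwords and files cross the network unencrypted"
    fi
    return 0
}

# Constructed sample input: the settings from Step 2 of this guide.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
allow_writeable_chroot=YES
userlist_enable=YES
userlist_file=/etc/vsftpd/user_list
userlist_deny=NO
EOF
}

conf=$(mktemp)
write_sample_conf "$conf"
echo "user_list mode: $(vsftpd_userlist_mode "$conf")"
vsftpd_audit "$conf"
rm -f "$conf"
```

On a real server, call vsftpd_audit /etc/vsftpd/vsftpd.conf before restarting the service.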

Step 3: Create a New FTP User

1. To create a new FTP user enter the following:
sudo adduser testuser
sudo passwd testuser
2. Add the new user to the userlist:
echo "testuser" | sudo tee -a /etc/vsftpd/user_list
3. Create a directory for the new user, and adjust permissions:
sudo mkdir -p /home/testuser/ftp/upload
sudo chmod 550 /home/testuser/ftp
sudo chmod 750 /home/testuser/ftp/upload
sudo chown -R testuser: /home/testuser/ftp

This creates an ftp directory under /home/testuser for the new user, with a dedicated subdirectory for uploads.
The permissions allow uploads only into the /home/testuser/ftp/upload directory.

4. Now, you can log in to your FTP server with the user you created:
ftp 192.168.01

KVM (Kernel-based Virtual Machine) Configuration


1. Over-committing: allocating more virtualized CPUs or memory than the resources available on the system.
2. Thin provisioning: allows the allocation of flexible storage and optimizes the available space for every
guest virtual machine.
3. Disk I/O throttling: provides the ability to set a limit on disk I/O requests sent from virtual machines to
the host machine.
4. Automatic NUMA balancing: improves the performance of applications running on NUMA hardware systems.
5. Virtual CPU hot add capability: provides the ability to increase processing power as needed on running
virtual machines, without downtime.

Prerequisites
Make sure that your system has the hardware virtualization extensions. For Intel-based hosts, verify that the
CPU virtualization extension [vmx] is available using the following command.
# grep -e 'vmx' /proc/cpuinfo
For AMD-based hosts, verify that the CPU virtualization extension [svm] is available.
# grep -e 'svm' /proc/cpuinfo

Verify that KVM modules are loaded


# lsmod | grep kvm

Make sure the system is up to date.


# yum update

Step 1: KVM Installation and Deployment

We will install qemu-kvm and qemu-img packages at first. These packages provide the user-level KVM and disk
image manager.
# yum install qemu-kvm qemu-img

1. virt-manager provides a GUI tool to administer your virtual machines.
2. libvirt-client provides a command-line tool, called virsh, to administer your virtual environment.
3. virt-install provides the command “virt-install” to create your virtual machines from the CLI.
4. libvirt provides the server and host-side libraries for interacting with hypervisors and host systems.

Let’s install the above tools using the following command.

# yum groupinstall virtualization-client virtualization-platform virtualization-tools

The virtualization daemon that manages the whole platform is “libvirtd”.

# systemctl restart libvirtd

After restarting the daemon, check its status by running the following command.

# systemctl status libvirtd

Step 2: Create VMs using KVM

Although virt-manager is a GUI-based tool, it can be launched from the terminal as well as from the GUI.

# virt-manager

After starting the tool, this window will appear.


By default the manager is connected directly to localhost, but you can use the same tool to manage another host
remotely. From the “File” tab, select “Add Connection” and this window will appear.
Check the “Connect to remote host” option, then provide the hostname/IP of the remote server. If you need to
establish the connection to the remote host every time the manager starts, check the “Auto Connect” option.

Let’s return to our localhost. Before creating a new virtual machine you should decide where the files will be
stored; in other words, you should create the Volume Disk (virtual disk / disk image) for your virtual machine.

Right-click on localhost, select “Details” and then select the “Storage” tab.
Next, press the “New Volume” button, then enter the name of your new virtual disk (Volume Disk) and enter the
size you need in the “Max Capacity” section.

The allocation size is the actual size of your disk that will be allocated immediately from your physical disk
after finishing the steps.

Note: This is an important technique in storage administration called “thin provisioning”. It allocates only
the storage actually used, NOT all of the available size.

You will see that a label for the new Volume Disk has appeared in the list.

You should also note the path of the new disk image (Volume Disk). By default it will be under
/var/lib/libvirt/images; you can verify it using the following command.
# ls -l /var/lib/libvirt/images
Now we’re ready to create our virtual machine. Hit the “VM” button in the main window, and this wizard window
will appear.

Select the installation method you will use to create the virtual machine. For now we will use Local install
media; later we will discuss the remaining methods.

Now it’s time to specify which local install media to use. We have two options:

1. From physical [CDROM/DVD].
2. From ISO image.

For our tutorial, let’s use the ISO image method, so you should provide the path of your ISO image.
The storage step comes back; we will use the virtual disk we created earlier to install the virtual machine on.
It will be as shown.

The final step asks for the name of your virtual machine and other advanced options; let’s talk about them
later.
Network Time Protocol (NTP) and the chrony suite

Step one: install the chrony service

yum install -y chrony
systemctl start chronyd
systemctl status chronyd
systemctl enable chronyd

Step Two: we need to check whether the system already uses NTP to synchronize our
system clock over the network.

timedatectl | grep "NTP synchronized"

If the output from the last step showed No for NTP synchronized, we need to enable it
using:

timedatectl set-ntp yes

Step three: open the main chrony configuration file with your favorite text editor, as
shown here:

vi /etc/chrony.conf

In the file, scroll down and look for the lines containing the following:

server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst

Replace the values shown with a list of preferred local time servers (see http://www.pool.ntp.org/):

server 0.asia.pool.ntp.org iburst
server 1.asia.pool.ntp.org iburst
server 2.asia.pool.ntp.org iburst
server 3.asia.pool.ntp.org iburst

Restart chronyd so that it reads the changed configuration, and keep it enabled at boot:

systemctl restart chronyd
systemctl enable chronyd

firewall-cmd --add-service=ntp --permanent
firewall-cmd --reload

To check whether chrony is taking care of your system time synchronization, use the
following:

chronyc tracking

To check the network sources chrony uses for synchronization, use the following:

chronyc sources

To find the list of time zones, use the following command:

timedatectl list-timezones

To set the right time zone, use the following command:

timedatectl set-timezone Europe/Berlin

Use timedatectl again to check if your local time is correct now:

timedatectl | grep "Local time"

Samba Server
Samba details
Package: samba*
Port no: 137,138,139
Script: /etc/init.d/smb
Service name : smb
Daemon : smbd
Configuration file : /etc/samba/smb.conf

1. First install Samba4 and required packages from the default CentOS repositories using the yum package
manager tool as shown.

# yum install samba samba-client samba-common


Or
# yum -y install samba*

Configure a fully accessed anonymous share

Create a directory called ‘/samba/anonymous_share’ and set full permission.

mkdir -p /samba/anonymous_share
chmod -R 0777 /samba/anonymous_share

Edit Samba configuration file

vi /etc/samba/smb.conf

Add the following lines to the end of the file

[Anonymous share]
path = /samba/anonymous_share
read only = No
create mask = 0777
directory mask = 0777
guest only = Yes
guest ok = Yes

Start samba services, and enable them to start automatically on every reboot.
systemctl start smb
systemctl start nmb
systemctl enable smb
systemctl enable nmb

We can check the Samba server configuration for syntax errors using the command ‘testparm’.
testparm

Allow Samba server default ports through firewall.


firewall-cmd --permanent --zone=public --add-service=samba
firewall-cmd --reload
firewall-cmd --permanent --add-port=137/tcp
firewall-cmd --permanent --add-port=138/tcp
firewall-cmd --permanent --add-port=139/tcp
firewall-cmd --permanent --add-port=445/tcp
firewall-cmd --permanent --add-port=901/tcp

Restart firewall to apply the changes.

firewall-cmd --reload

2. Create security enabled share in samba server

Now, let us create a password-protected Samba share, so that users must enter a valid username and password to
access the shared folder.

Create a user called “unixmen” and a group called “smbgroup”.

useradd unixmen
groupadd smbgroup

Assign the user unixmen to smbgroup, and set a Samba password for that user.

usermod -a -G smbgroup unixmen
smbpasswd -a unixmen
or
useradd -M -d /samba/josh -s /usr/sbin/nologin -G sambashare josh

• -M - do not create the user’s home directory. We’ll manually create this directory.
• -d /samba/josh - set the user’s home directory to /samba/josh.
• -s /usr/sbin/nologin - disable shell access for this user.
• -G sambashare - add the user to the sambashare group.

Create a new share called “/samba/secure_share” and set the permissions to that share.

mkdir /samba/secure_share
chmod -R 0755 /samba/secure_share
chown -R unixmen:smbgroup /samba/secure_share

Edit the Samba config file:

vi /etc/samba/smb.conf
Add the lines below at the bottom of the Samba config file.

[secure_share]
path = /samba/secure_share
writable = yes
browsable = yes
guest ok = no
valid users = @smbgroup

chcon -t samba_share_t /samba/secure_share/

Restart samba services.

systemctl restart smb


systemctl restart nmb
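
The two shares defined above differ in who may write to them, and smb.conf allows the same setting to be spelled several ways ("read only" is the inverse of "writable", "public" is a synonym of "guest ok"). The script below is an added example, not part of the original guide, that summarises guest and write access per share; the function names and the sample file (including its [global] section) are constructed for illustration, and values inherited from [global] are not tracked.

```shell
#!/bin/sh
# Added example, not part of the original guide: summarise guest and write
# access per share in an smb.conf. Settings inherited from [global] are not
# tracked in this sketch.

# Prints "share<TAB>guest=yes|no<TAB>writable=yes|no" for each share section.
smb_shares() {
    awk '
        function emit() {
            if (name != "") printf "%s\tguest=%s\twritable=%s\n", name, guest, writable
        }
        function bool(v) { v = tolower(v); return (v == "yes" || v == "true" || v == "1") }
        /^[ \t]*[#;]/ { next }                      # comment lines
        /^[ \t]*\[/ {                               # start of a new section
            emit()
            name = $0; sub(/^[ \t]*\[/, "", name); sub(/\].*$/, "", name)
            if (tolower(name) == "global") name = ""
            guest = "no"; writable = "no"           # defaults: guest ok = no, read only = yes
            next
        }
        {
            eq = index($0, "="); if (eq == 0) next
            # Parameter names ignore case and whitespace.
            key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
            val = substr($0, eq + 1); gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (key == "guestok" || key == "public") guest = bool(val) ? "yes" : "no"
            else if (key == "readonly") writable = bool(val) ? "no" : "yes"
            else if (key == "writable" || key == "writeable" || key == "writeok")
                writable = bool(val) ? "yes" : "no"
        }
        END { emit() }
    ' "$1"
}

# Names of shares that allow both guest access and writes.
smb_guest_writable() {
    smb_shares "$1" | awk -F'\t' '$2 == "guest=yes" && $3 == "writable=yes" { print $1 }'
}

# Constructed sample input based on the two shares defined in this guide.
write_sample_smb_conf() {
    cat > "$1" <<'EOF'
[global]
workgroup = WORKGROUP

[Anonymous share]
path = /samba/anonymous_share
read only = No
create mask = 0777
directory mask = 0777
guest only = Yes
guest ok = Yes

[secure_share]
path = /samba/secure_share
writable = yes
browsable = yes
guest ok = no
valid users = @smbgroup
EOF
}

conf=$(mktemp)
write_sample_smb_conf "$conf"
smb_shares "$conf"
echo "guest-writable: $(smb_guest_writable "$conf")"
rm -f "$conf"
```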

WebDav for file transfer


1. yum install epel-release
2. yum install httpd
3. sed -i 's/^/#&/g' /etc/httpd/conf.d/welcome.conf
4. sed -i "s/Options Indexes FollowSymLinks/Options FollowSymLinks/" /etc/httpd/conf/httpd.conf
5. systemctl start httpd
6. systemctl enable httpd
7. httpd -M | grep dav
8. mkdir /var/www/html/webdav
9. chown -R apache:apache /var/www/html
10. chmod -R 755 /var/www/html
11. htpasswd -c /etc/httpd/.htpasswd user1
12. chown root:apache /etc/httpd/.htpasswd
13. chmod 640 /etc/httpd/.htpasswd
14. vi /etc/httpd/conf.d/webdev.conf
15. Put the following in the file:
DavLockDB /var/www/html/DavLock
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html/webdav/
ErrorLog /var/log/httpd/error.log
CustomLog /var/log/httpd/access.log combined
Alias /webdav /var/www/html/webdav
<Directory /var/www/html/webdav>
DAV On
AuthType Basic
AuthName "webdav"
AuthUserFile /etc/httpd/.htpasswd
Require valid-user
</Directory>
</VirtualHost>

16. systemctl restart httpd
17. yum install cadaver
18. cadaver http://192.168.7.234/webdav/
Installing and configuring NFS
First, start by installing the required packages on the NFS server. The packages include nfs-utils, which
provides a daemon for the kernel NFS server and related tools, including the showmount program.

yum install nfs-utils libnfsidmap

Once the installation is complete, start the nfs-server service, enable it to automatically start at system boot, and
then verify its status using the systemctl commands.
systemctl start nfs-server.service
systemctl enable nfs-server.service
systemctl status nfs-server.service

The configuration files for the NFS server are:

• /etc/nfs.conf – main configuration file for the NFS daemons and tools.
• /etc/nfsmount.conf – an NFS mount configuration file.

Next, create the file systems to export or share on the NFS server. For this guide, we will create four file systems,
three of which are used by staff from three departments: human resource, finance and marketing to share files
and one is for root user backups.
# mkdir -p /mnt/nfs_shares/{Human_Resource,Finance,Marketing}
# mkdir -p /mnt/backups
# ls -l /mnt/nfs_shares/

Then export the above file systems in the NFS server /etc/exports configuration file to determine local physical
file systems that are accessible to NFS clients.
/mnt/nfs_shares/Human_Resource 10.20.20.0/24(rw,sync)
/mnt/nfs_shares/Finance 10.20.10.0/24(rw,sync)
/mnt/nfs_shares/Marketing 10.20.30.0/24(rw,sync)
/mnt/backups 10.20.20.9/24(rw,sync,no_all_squash,root_squash)

Here are some of the exports options (read man exports for more information and export options):

• rw – allows both read and write access on the file system.
• sync – tells the NFS server to commit write operations to disk before replying to the request (applies by
default).
• all_squash – maps all UIDs and GIDs from client requests to the anonymous user.
• no_all_squash – used to map all UIDs and GIDs from client requests to identical UIDs and GIDs on the NFS
server.
• root_squash – maps requests from the root user or UID/GID 0 from the client to the anonymous UID/GID.

To export the above file systems, run the exportfs command. The -a flag means export or unexport all
directories, -r means re-export all directories, synchronizing /var/lib/nfs/etab with /etc/exports and the files
under /etc/exports.d, and -v enables verbose output.
# exportfs -arv

To display the current export list, run the following command. Note that the exports table also applies some of
the default exports options that are not explicitly defined as shown in the following screenshot.

# exportfs -s
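
An address/prefix client in /etc/exports is matched as a network, so an entry written with a host address, such as 10.20.20.9/24 above, admits every host in that subnet. The script below is an added example, not part of the original guide, that reports such entries along with no_root_squash and exports open to every host; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original guide: show which clients each
# /etc/exports entry really admits and flag risky options.

# Network address of an IPv4 ADDR/PREFIX client spec, e.g. 10.20.20.9/24.
cidr_network() {
    addr=${1%/*}; bits=${1#*/}
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    ip=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    net=$(( ip & (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    echo "$(( net >> 24 )).$(( (net >> 16) & 255 )).$(( (net >> 8) & 255 )).$(( net & 255 ))/$bits"
}

# One finding per line for the exports file FILE; nothing when all is clean.
audit_exports() {
    set -f                                    # a client spec such as * must not glob
    while read -r path clients || [ -n "$path" ]; do
        case $path in ''|'#'*) continue ;; esac
        for spec in $clients; do
            client=${spec%%\(*}
            opts=${spec#*\(}; opts=${opts%\)}
            case $client in
                *[!0-9./]*|*/*.*) ;;          # names, wildcards, dotted netmasks: not checked
                *.*.*.*/*)
                    net=$(cidr_network "$client")
                    [ "$net" = "$client" ] ||
                        echo "$path: $client admits the whole network $net" ;;
            esac
            case $client in ''|'*')
                echo "$path: exported to every host ($spec)" ;;
            esac
            case ",$opts," in *,no_root_squash,*)
                echo "$path: no_root_squash lets client root act as root ($client)" ;;
            esac
        done
    done < "$1"
    set +f
    return 0
}

# Constructed sample input: the four entries from this guide.
write_sample_exports() {
    cat > "$1" <<'EOF'
# constructed sample
/mnt/nfs_shares/Human_Resource 10.20.20.0/24(rw,sync)
/mnt/nfs_shares/Finance 10.20.10.0/24(rw,sync)
/mnt/nfs_shares/Marketing 10.20.30.0/24(rw,sync)
/mnt/backups 10.20.20.9/24(rw,sync,no_all_squash,root_squash)
EOF
}

exports=$(mktemp)
write_sample_exports "$exports"
audit_exports "$exports"
rm -f "$exports"
```

To limit /mnt/backups to the single host, the entry would use the bare address 10.20.20.9 or 10.20.20.9/32.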

Next, if you have the firewalld service running, you need to allow traffic to the necessary NFS services (mountd,
nfs, rpc-bind) via the firewall, then reload the firewall rules to apply the changes, as follows.

# firewall-cmd --permanent --add-service=nfs
# firewall-cmd --permanent --add-service=rpc-bind
# firewall-cmd --permanent --add-service=mountd
# firewall-cmd --reload

Setting Up NFS Client on Client Systems

Now on the client node(s), install the necessary packages to access NFS shares on the client systems. Run the
appropriate command for your distribution:

# dnf install nfs-utils nfs4-acl-tools [On CentOS/RHEL]


$ sudo apt install nfs-common nfs4-acl-tools [On Debian/Ubuntu]

Then run the showmount command to show mount information for the NFS server. The command should output
the exported file system on the client as shown in the screenshot.

# showmount -e 10.20.20.8

Next, create a local file system/directory for mounting the remote NFS file system and mount it as an NFS file
system.
# mount | grep nfs

To make the mount persist across a system reboot, run the following command to add the appropriate entry to
/etc/fstab.
# echo "10.20.20.8:/mnt/backups /mnt/backups nfs defaults 0 0">>/etc/fstab
# cat /etc/fstab

Lastly, test if NFS setup is working fine by creating a file on the server and check if the file can be seen in the
client.
# touch /mnt/backups/file_created_on_server.text [On NFS Server]
# ls -l /mnt/backups/file_created_on_server.text [On NFS client]

Then do the reverse.


# touch /mnt/backups/file_created_on_client.text [On NFS Client]
# ls -l /mnt/backups/file_created_on_client.text [On NFS Server]

To unmount the remote file system on the client-side.


# umount /mnt/backups

Providing Web Services


Installing Apache and serving web pages
Enabling system users and building publishing directories
Implementing name-based hosting
Installing, configuring, and testing PHP
Installing a MariaDB database server
Installing phpMyAdmin and phpPgAdmin
Securing Apache
Setting up HTTPS with Secure Sockets Layer (SSL)

Install LAMP Server


Install Apache

Install MariaDB
yum install mariadb-server mariadb -y
systemctl start mariadb
systemctl enable mariadb

Set MySQL root password

mysql_secure_installation

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] y ## Enter Y and press Enter
New password: ## Enter new password
Re-enter new password: ## Enter password again
Password updated successfully!
Reloading privilege tables..
... Success!

By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y ## Enter Y and press Enter
... Success!

Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] y ## Enter Y and press Enter
... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y ## Enter Y and press Enter
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y ## Enter Y and press Enter
... Success!

Cleaning up...

All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!


Install PHP
yum install php php-mysql php-gd php-pear -y
or
yum install php* -y
systemctl restart httpd

Install phpMyAdmin

yum install phpmyadmin -y

Configure phpMyAdmin
vi /etc/httpd/conf.d/phpMyAdmin.conf

[...]
Alias /phpMyAdmin /usr/share/phpMyAdmin
Alias /phpmyadmin /usr/share/phpMyAdmin

## Comment the following Section ##

#<Directory /usr/share/phpMyAdmin/>
# <IfModule mod_authz_core.c>
# # Apache 2.4
# <RequireAny>
# Require ip 127.0.0.1
# Require ip ::1
# </RequireAny>
# </IfModule>
# <IfModule !mod_authz_core.c>
# # Apache 2.2
# Order Deny,Allow
# Deny from All
# Allow from 127.0.0.1
# Allow from ::1
# </IfModule>
#</Directory>

## Add the following lines:

<Directory /usr/share/phpMyAdmin/>
Options none
AllowOverride Limit
Require all granted
</Directory>

[...]
Edit the “config.inc.php” file and change the authentication type in phpMyAdmin from “cookie” to “http”:

vi /etc/phpMyAdmin/config.inc.php
Change ‘cookie’ to ‘http’.
[...]
/* Authentication type */
$cfg['Servers'][$i]['auth_type'] = 'http'; // Authentication method (config, http or cookie based)?
[...]

systemctl restart httpd

Install Nginx with RTMP Module

Install Required Dependencies
yum update -y
yum groupinstall 'Development Tools' -y
yum install epel-release -y
yum install -y nginx
yum install nginx_rtmp_module

Add this line to the nginx.conf file:

load_module "/usr/lib/nginx/modules/ngx_rtmp_module.so";

Installing Zabbix on CentOS


Prerequisites

• Apache web server
• PHP with required extensions
• MySQL/MariaDB server
