Skip to content

Instantly share code, notes, and snippets.

@kapitanluffy

kapitanluffy/provision_centos_server.sh

Forked from flacodirt/provision_centos_server.sh
Created June 21, 2013 00:51
Show Gist options
  • Save kapitanluffy/5828082 to your computer and use it in GitHub Desktop.
Save kapitanluffy/5828082 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
provision_centos_server.sh
#!/bin/bash
clear
clear
echo '#'
echo '# CentOS 6.3 LAMP Server Provisioning Script'
echo '#'
echo '# This script will guide you through the initial server provisioning for a standard CentOS 6.3 LAMP server.'
echo '#'
echo '# [x] iptables lockdown'
echo '# [x] Change root password'
echo '# [x] Add administrators group'
echo '# [x] Add administrators group to sudoers'
echo '# [x] Add admin user'
echo '# [x] Disable root remote login'
echo '# [x] Install common packages'
echo '# [x] Update server'
echo '# [ ] Configure SSH Keys and restrict SSH logins by key only'
echo '# [ ] Configure MySQL'
echo '# [ ] Configure Apache'
echo '# [ ] Configure PHP'
echo '# [ ] Configure git'
echo '# [ ] Configure vimrc options'
echo '#'
echo '# @author brockhensley'
echo '# @version 1.0.1'
echo '# @date Last updated April 6th 2013'
echo '# @link brockhensley.com'
echo '#'
read -p "Press any key to begin provisioning or [CTRL]+[C] to quit."
clear
echo '# iptables lockdown'
iptables -L -v -n
iptables -P INPUT ACCEPT
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -L -v -n
/sbin/service iptables save
/sbin/service iptables restart
echo '# Change root password'
echo 'Enter new password: '
passwd
echo '# Add administrators group'
echo -n "Enter name for administrators group (Default: admins): "
read -e ADMINSGROUP
if [ -z "$ADMINSGROUP" ]
then
$ADMINSGROUP = 'admins'
fi
groupadd $ADMINSGROUP
echo '# Add administrators group to sudoers'
tstmp=$( date +%F-%H-%M-%S )
cp /etc/sudoers /etc/sudoers.$tstmp.bak
echo "%$ADMINSGROUP ALL = (ALL) ALL" >> /etc/sudoers
echo '# Add admin user'
echo -n "Enter name for administrator user: "
read -e ADMINUSER
useradd $ADMINUSER -G $ADMINSGROUP
echo -n "Enter new password for $ADMINUSER: "
passwd $ADMINUSER
echo '# Disable root remote login'
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.$tstmp.bak
sed -i 's/# PermitRootLogin/PermitRootLogin/g' /etc/ssh/sshd_config
sed -i 's/PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config
echo "AllowGroups $ADMINGROUP" >> /etc/ssh/sshd_config
echo '# Change SSH port'
echo -n 'Enter new SSH port: '
read -e SSHPORT
sed -i "s/#Port/Port/g" /etc/ssh/sshd_config
sed -i "s/Port 22/Port $SSHPORT/g" /etc/ssh/sshd_config
iptables -D INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport $SSHPORT -j ACCEPT
/sbin/service iptables save
/sbin/service iptables restart
/etc/init.d/sshd restart
read -p "Press any key to begin updating and installing packages or [CTRL]+[C] to quit."
echo '# Install common packages'
sudo yum install -y wget telnet tar sudo perl python iptables man openssh openssl
echo '# Update server'
sudo yum update
echo "# You will need to exit from SSH and log back into SSH (remember port $SSHPORT) as the admin ($ADMINUSER) from this point on"
echo '# When you return, execute the script with the argument ADMIN to skip the completed steps'
echo '# Example: provision_centos_server.sh ADMIN'
exit
# PowerStack repo
# rpm -Uvh http://download.powerstack.org/powerstack-release-0-2.noarch.rpm
# SSH server force SSH keys only
# (on workstation)
ssh-keygen -b 4096 -t rsa -f ~/.ssh/id_rsa
ssh-copy-id -i ~/.ssh/id_rsa.pub $ADMINUSER@<YOUR_SERVER_IP>
ssh-add
# (may need to logoff/logon workstation if get Agent sign error)
# (on server)
chown -R $ADMINUSER:$ADMINUSER ~/.ssh
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
restorecon -Rv ~/.ssh
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.$tstmp.bak
sudo sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config
# MySQL
sudo yum install -y mysql-server
sudo cp /etc/my.cnf /etc/my.cnf.$tstmp.bak
echo -n "Enter new MySQL port: "
read -e MYSQLPORT
sudo sed -i "s/port=3306/port=$MYSQLPORT/g" /etc/my.cnf
sudo service mysqld restart
sudo /usr/bin/mysql_secure_installation
# Apache
sudo yum install -y httpd
sudo vi /etc/httpd/conf/httpd.conf
ServerName 127.0.0.1:80
sudo vi /etc/httpd/conf.d/vhosts.conf
NameVirtualHost *:80
<VirtualHost *:80>
ServerAdmin [email protected]
DocumentRoot /var/www/vhosts/domain.com/public_html
ServerName www.domain.com
ServerAlias domain.com
ErrorLog /var/www/vhosts/domain.com/logs/error_log
CustomLog /var/www/vhosts/domain.com/logs/access_log common
<Directory /var/www/vhosts/domain.com>
Options All
AllowOverride All
</Directory>
</VirtualHost>
# PHP
#lynx http://mirror.pnl.gov/epel/6/i386/repoview/epel-release.html
wget http://mirror.pnl.gov/epel/6/i386/epel-release-6-8.noarch.rpm
sudo rpm -Uvh epel-release-6-8.noarch.rpm
sudo yum install -y php php-common php-cli php-gd php-mbstring php-mcrypt php-mysql php-pdo php-pear php-pecl-apc php-pecl-xdebug php-soap php-tidy php-xml php-xmlrpc
sudo echo "xdebug.var_display_max_children=-1" >> /etc/php.d/xdebug.ini
sudo echo "xdebug.var_display_max_data=-1" >> /etc/php.d/xdebug.ini
sudo echo "xdebug.var_display_max_depth=-1" >> /etc/php.d/xdebug.ini
# git
sudo yum install -y git
cd /var/www/vhosts
git clone [email protected]:x/y.git
sudo usermod -a -G apache $ADMINUSER
sudo usermod -a -G $ADMINUSER apache
# logoff/logon
echo "umask 007" >> /etc/sysconfig/httpd
sudo chgrp -R $ADMINUSER /var/www/vhosts/domain.com
sudo chmod 2770 /var/www/vhosts/domain.com
# vimrc options
wget https://gist.github.com/dirte/5245083/raw/eed54c62294ee996816ac0481d03b7537f8bec35/.vimrc
# bash options
# alias
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment