sr75 · October 2, 2015 12:38 · jmarkoff · Dec 30, 2012
diff --git a/centos6-barebones-vps-rails-server-walkthrough b/centos6-barebones-vps-rails-server-walkthrough
 # CentOS 6.4 barebones walkthrough guide for a new vps rails server instance
 # assumes you already have a personal ssh key locally
 #
 # script implements the following security approaches:
 #  disables root login 
 #	configures ssh setup for deployer user
 #	opens up standard ports
 #
 # setup includes:
 #	rvm & ruby-1.9.3-p429
 #	mysql 5.6
 #	nginx 1.4.1
 #	memcached
 #	postfix


 # change root password
 passwd root

 mkdir tmp && cd tmp

 # Add Red Hat Linux 6 (Fedora repo)
 wget https://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
 rpm -ivh epel-release-6-8.noarch.rpm

 yum update

 yum groupinstall "Development Tools"
 yum install ntp
 ntpdate pool.ntp.org
 chkconfig ntpd on

 # add locate command & trigger indexing
 yum install mlocate
 sudo /etc/cron.daily/mlocate.cron

 yum -y install gcc gcc-c++ make openssl openssl-devel git expect pcre pcre-devel readline-devel libxml2 libxml2-devel libxslt libxslt-devel

 yum install zlib zlib-devel curl-devel

 yum install ImageMagick ImageMagick-devel

 yum -y install gcc
 yum -y install gcc-c++
 yum -y install compat-libstdc++-33
 yum -y install libstdc++-devel
 yum -y install elfutils-libelf-devel
 yum -y install glibc-devel
 yum -y install libaio-devel
 yum -y install sysstat

 yum remove mysql-libs
 yum clean dbcache

 # install mysql rpms for 5.6
 # http://dev.mysql.com/downloads/mysql  # Oracle & Red Hat Linux 6
 wget http://dev.mysql.com/get/Downloads/MySQL-5.6/MySQL-devel-5.6.11-2.el6.x86_64.rpm/from/http://cdn.mysql.com/

 wget http://dev.mysql.com/get/Downloads/MySQL-5.6/MySQL-shared-5.6.11-2.el6.x86_64.rpm/from/http://cdn.mysql.com/

 wget http://dev.mysql.com/get/Downloads/MySQL-5.6/MySQL-client-5.6.11-2.el6.x86_64.rpm/from/http://cdn.mysql.com/

 wget http://dev.mysql.com/get/Downloads/MySQL-5.6/MySQL-server-5.6.11-2.el6.x86_64.rpm/from/http://cdn.mysql.com/


 rpm -ivh MySQL-devel-5.6.11-2.el6.x86_64.rpm

 rpm -ivh MySQL-shared-5.6.11-2.el6.x86_64.rpm

 rpm -ivh MySQL-client-5.6.11-2.el6.x86_64.rpm

 rpm -ivh MySQL-server-5.6.11-2.el6.x86_64.rpm

 mysql_install_db --user=mysql

 # get mysql secret created
 sudo cat /root/.mysql_secret

 sudo service mysql start
 mysql -uroot -p

 # set your mysql root password
 SET PASSWORD FOR 'root'@'localhost' = PASSWORD('yourrootpassword');

 chkconfig --levels 235 mysqld on

 # when in production
 mysql_secure_installation

 # create app db & user
 CREATE DATABASE appname_envname DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci;

 # local access config: use localhost
 # CREATE USER 'appuser'@'localhost' IDENTIFIED BY 'yourappuserpassword';

 # remote access config, use %
 CREATE USER 'appuser'@'%' IDENTIFIED BY 'yourappuserpassword';

 # grant all to the above app user on app db (change to use localhost if needed)
 GRANT ALL PRIVILEGES ON `appname_envname`.* TO 'appuser'@'%';

 # reload mysql permissions
 FLUSH PRIVILEGES;

 # exit mysql
 exit

 # firewall - open ports as needed per instance

 # http
 iptables -I INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
 iptables -I OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

 # https
 iptables -I INPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
 iptables -I OUTPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

 # ssh
 iptables -I INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
 iptables -I OUTPUT -p udp --sport 22 -m state --state ESTABLISHED -j ACCEPT

 # mysql
 iptables -I INPUT -p tcp --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
 iptables -I OUTPUT -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT

 # smtp
 iptables -I OUTPUT -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT

 # memcached
 iptables -I INPUT -p tcp --dport 11211 -m state --state NEW,ESTABLISHED -j ACCEPT
 iptables -I OUTPUT -p tcp --sport 11211 -m state --state ESTABLISHED -j ACCEPT

 # save firewall settings on reboot
 service iptables save

 # setup sys user and password
 useradd deployer
 passwd deployer

 visudo
 # append the following line to eof
 eployer  ALL=(ALL)  NOPASSWD: ALL
 # save file and exit -> :x

 #disable root login from ssh, so nobody is able to brute force a root login
 vi /etc/ssh/sshd_config
 #uncomment "PermitRootLogin yes" and change it to "PermitRootLogin no"
 # save file and exit -> :x

 /etc/init.d/sshd restart

 logout

 # setup for ssh access (replace hostname & paths as necessary)
 scp ~/.ssh/id_rsa.pub deployer@hostname:/home/deployer/

 # login as sys user
 ssh deployer@hostname

 mkdir /home/deployer/.ssh
 mv /home/deployer/id_rsa.pub /home/deployer/.ssh/authorized_keys

 chown -R deployer:deployer /home/deployer/.ssh
 chmod 700 /home/deployer/.ssh
 chmod 600 /home/deployer/.ssh/authorized_keys

 # create or update .bash_profile
 touch .bash_profile

 # Install RVM:

 curl -L https://get.rvm.io | bash -s stable --ruby=1.9.3

 # Reload your shell environment:

 source ~/.bash_profile

 # Find the requirements (follow the instructions):

 rvm requirements

 rvm install ruby-1.9.3-p429

 rvm use ruby-1.9.3-p429 --default

 # configure rubygems to install docs with gems on deploy servers
 vi .gemrc
 # copy the following into the file

 ---
 :backtrace: false
 :benchmark: false
 :bulk_threshold: 1000
 :sources:
 - https://rubygems.org/
 :update_sources: true
 :verbose: true
 gem: --no-ri --no-rdoc

 # save file and exit -> :x

 # nginx stable install or get latest from repo
 # http://nginx.org/packages/centos/6/x86_64/RPMS/
 wget http://nginx.org/packages/centos/6/x86_64/RPMS/nginx-1.4.1-1.el6.ngx.x86_64.rpm
 rpm -ivh nginx-1.4.1-1.el6.ngx.x86_64.rpm

 sudo chkconfig --add nginx
 sudo chkconfig --level 35 nginx on
 sudo service nginx start

 # configure init for nginx

 sudo chmod +x /etc/init.d/nginx
 sudo /sbin/chkconfig nginx on
 sudo /sbin/chkconfig --list nginx
 sudo /etc/init.d/nginx status
 sudo /etc/init.d/nginx configtest
 sudo /etc/init.d/nginx start

 # memcached
 sudo yum install memcached nc
 sudo service memcached start
 sudo /sbin/chkconfig --add memcached
 sudo /sbin/chkconfig memcached on

 # verify memcached stats/settings
 echo "stats settings" | nc localhost 11211

 # postfix & tools
 yum install postfix telnet mailx

 # postfix (barebones config to send simple emails)
 sudo /etc/init.d/postfix start

 # postfix auto start at boot time
 sudo /sbin/chkconfig --add postfix
 sudo /sbin/chkconfig postfix on
	# CentOS 6.4 barebones walkthrough guide for a new vps rails server instance
	# assumes you already have a personal ssh key locally
	#
	# script implements the following security approaches:
	# disables root login
	# configures ssh setup for deployer user
	# opens up standard ports
	#
	# setup includes:
	# rvm & ruby-1.9.3-p429
	# mysql 5.6
	# nginx 1.4.1
	# memcached
	# postfix


	# change root password
	passwd root

	mkdir tmp && cd tmp

	# Add Red Hat Linux 6 (Fedora repo)
	wget https://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
	rpm -ivh epel-release-6-8.noarch.rpm

	yum update

	yum groupinstall "Development Tools"
	yum install ntp
	ntpdate pool.ntp.org
	chkconfig ntpd on

	# add locate command & trigger indexing
	yum install mlocate
	sudo /etc/cron.daily/mlocate.cron

	yum -y install gcc gcc-c++ make openssl openssl-devel git expect pcre pcre-devel readline-devel libxml2 libxml2-devel libxslt libxslt-devel

	yum install zlib zlib-devel curl-devel

	yum install ImageMagick ImageMagick-devel

	yum -y install gcc
	yum -y install gcc-c++
	yum -y install compat-libstdc++-33
	yum -y install libstdc++-devel
	yum -y install elfutils-libelf-devel
	yum -y install glibc-devel
	yum -y install libaio-devel
	yum -y install sysstat

	yum remove mysql-libs
	yum clean dbcache

	# install mysql rpms for 5.6
	# http://dev.mysql.com/downloads/mysql # Oracle & Red Hat Linux 6
	wget http://dev.mysql.com/get/Downloads/MySQL-5.6/MySQL-devel-5.6.11-2.el6.x86_64.rpm/from/http://cdn.mysql.com/

	wget http://dev.mysql.com/get/Downloads/MySQL-5.6/MySQL-shared-5.6.11-2.el6.x86_64.rpm/from/http://cdn.mysql.com/

	wget http://dev.mysql.com/get/Downloads/MySQL-5.6/MySQL-client-5.6.11-2.el6.x86_64.rpm/from/http://cdn.mysql.com/

	wget http://dev.mysql.com/get/Downloads/MySQL-5.6/MySQL-server-5.6.11-2.el6.x86_64.rpm/from/http://cdn.mysql.com/


	rpm -ivh MySQL-devel-5.6.11-2.el6.x86_64.rpm

	rpm -ivh MySQL-shared-5.6.11-2.el6.x86_64.rpm

	rpm -ivh MySQL-client-5.6.11-2.el6.x86_64.rpm

	rpm -ivh MySQL-server-5.6.11-2.el6.x86_64.rpm

	mysql_install_db --user=mysql

	# get mysql secret created
	sudo cat /root/.mysql_secret

	sudo service mysql start
	mysql -uroot -p

	# set your mysql root password
	SET PASSWORD FOR 'root'@'localhost' = PASSWORD('yourrootpassword');

	chkconfig --levels 235 mysqld on

	# when in production
	mysql_secure_installation

	# create app db & user
	CREATE DATABASE appname_envname DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci;

	# local access config: use localhost
	# CREATE USER 'appuser'@'localhost' IDENTIFIED BY 'yourappuserpassword';

	# remote access config, use %
	CREATE USER 'appuser'@'%' IDENTIFIED BY 'yourappuserpassword';

	# grant all to the above app user on app db (change to use localhost if needed)
	GRANT ALL PRIVILEGES ON `appname_envname`.* TO 'appuser'@'%';

	# reload mysql permissions
	FLUSH PRIVILEGES;

	# exit mysql
	exit

	# firewall - open ports as needed per instance

	# http
	iptables -I INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
	iptables -I OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

	# https
	iptables -I INPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
	iptables -I OUTPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

	# ssh
	iptables -I INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
	iptables -I OUTPUT -p udp --sport 22 -m state --state ESTABLISHED -j ACCEPT

	# mysql
	iptables -I INPUT -p tcp --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
	iptables -I OUTPUT -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT

	# smtp
	iptables -I OUTPUT -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT

	# memcached
	iptables -I INPUT -p tcp --dport 11211 -m state --state NEW,ESTABLISHED -j ACCEPT
	iptables -I OUTPUT -p tcp --sport 11211 -m state --state ESTABLISHED -j ACCEPT

	# save firewall settings on reboot
	service iptables save

	# setup sys user and password
	useradd deployer
	passwd deployer

	visudo
	# append the following line to eof
	eployer ALL=(ALL) NOPASSWD: ALL
	# save file and exit -> :x

	#disable root login from ssh, so nobody is able to brute force a root login
	vi /etc/ssh/sshd_config
	#uncomment "PermitRootLogin yes" and change it to "PermitRootLogin no"
	# save file and exit -> :x

	/etc/init.d/sshd restart

	logout

	# setup for ssh access (replace hostname & paths as necessary)
	scp ~/.ssh/id_rsa.pub deployer@hostname:/home/deployer/

	# login as sys user
	ssh deployer@hostname

	mkdir /home/deployer/.ssh
	mv /home/deployer/id_rsa.pub /home/deployer/.ssh/authorized_keys

	chown -R deployer:deployer /home/deployer/.ssh
	chmod 700 /home/deployer/.ssh
	chmod 600 /home/deployer/.ssh/authorized_keys

	# create or update .bash_profile
	touch .bash_profile

	# Install RVM:

	curl -L https://get.rvm.io \| bash -s stable --ruby=1.9.3

	# Reload your shell environment:

	source ~/.bash_profile

	# Find the requirements (follow the instructions):

	rvm requirements

	rvm install ruby-1.9.3-p429

	rvm use ruby-1.9.3-p429 --default

	# configure rubygems to install docs with gems on deploy servers
	vi .gemrc
	# copy the following into the file

	---
	:backtrace: false
	:benchmark: false
	:bulk_threshold: 1000
	:sources:
	- https://rubygems.org/
	:update_sources: true
	:verbose: true
	gem: --no-ri --no-rdoc

	# save file and exit -> :x

	# nginx stable install or get latest from repo
	# http://nginx.org/packages/centos/6/x86_64/RPMS/
	wget http://nginx.org/packages/centos/6/x86_64/RPMS/nginx-1.4.1-1.el6.ngx.x86_64.rpm
	rpm -ivh nginx-1.4.1-1.el6.ngx.x86_64.rpm

	sudo chkconfig --add nginx
	sudo chkconfig --level 35 nginx on
	sudo service nginx start

	# configure init for nginx

	sudo chmod +x /etc/init.d/nginx
	sudo /sbin/chkconfig nginx on
	sudo /sbin/chkconfig --list nginx
	sudo /etc/init.d/nginx status
	sudo /etc/init.d/nginx configtest
	sudo /etc/init.d/nginx start

	# memcached
	sudo yum install memcached nc
	sudo service memcached start
	sudo /sbin/chkconfig --add memcached
	sudo /sbin/chkconfig memcached on

	# verify memcached stats/settings
	echo "stats settings" \| nc localhost 11211

	# postfix & tools
	yum install postfix telnet mailx

	# postfix (barebones config to send simple emails)
	sudo /etc/init.d/postfix start

	# postfix auto start at boot time
	sudo /sbin/chkconfig --add postfix
	sudo /sbin/chkconfig postfix on