# CentOS 6.3 barebones walkthrough script for a new vps rails server instance
# assumes you already have a personal ssh key locally
# the script applies the following security measures:
# disables root login over ssh
# configures key-based ssh access for the sys user
# opens only the standard service ports in the firewall
#
# setup includes:
# rvm & ruby-1.9.3-p286
# mysql
# nginx
# passenger
# postfix
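# change root password
passwd root
# these steps run as root, so sudo adds nothing here; -y is used consistently
# (the original mixed prompting and non-prompting yum calls)
yum -y update
yum -y groupinstall "Development Tools"
# ntp: sync the clock once now, then keep ntpd running so it stays correct
# (TLS validation, log correlation and token expiry all depend on a sane clock)
yum -y install ntp
ntpdate pool.ntp.org
chkconfig ntpd on
service ntpd start
# add locate shell command & trigger indexing
yum -y install mlocate
/etc/cron.daily/mlocate.cron
# postfix & tools
yum -y install postfix telnet mailx
# build toolchain and -devel headers needed by ruby, its native gems and nginx,
# plus ImageMagick for image processing — one transaction instead of three
yum -y install gcc gcc-c++ make openssl openssl-devel git expect pcre pcre-devel readline-devel libxml2 libxml2-devel libxslt libxslt-devel zlib zlib-devel curl-devel ImageMagick ImageMagick-devel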
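# install mysql rpms for 5.6 (pinned to the exact builds this walkthrough was written against)
wget http://dev.mysql.com/get/Downloads/MySQL-5.6/MySQL-shared-5.6.10-1.el6.x86_64.rpm/from/http://cdn.mysql.com/
wget http://dev.mysql.com/get/Downloads/MySQL-5.6/MySQL-client-5.6.10-1.el6.x86_64.rpm/from/http://cdn.mysql.com/
wget http://dev.mysql.com/get/Downloads/MySQL-5.6/MySQL-server-5.6.10-1.el6.x86_64.rpm/from/http://cdn.mysql.com/
# runtime/build dependencies of the MySQL rpms, one transaction
yum -y install gcc gcc-c++ compat-libstdc++-33 libstdc++-devel elfutils-libelf-devel glibc-devel libaio-devel sysstat
# the stock mysql-libs conflicts with MySQL-shared. Left interactive on purpose: on CentOS 6
# other packages (postfix is a known one) may depend on mysql-libs and would be removed with
# it — read the transaction summary, and reinstall anything dragged out after the rpms below.
yum remove mysql-libs
yum clean dbcache
# the rpms arrived over plain http; rpm -ivh does not refuse an unsigned or mis-signed package,
# so import MySQL's package-signing key and verify the signatures before installing.
# placeholder: path to the MySQL public signing key, obtained out of band and checked
mysql_gpg_key=/path/to/mysql_pubkey.asc
rpm --import "$mysql_gpg_key"
rpm -K MySQL-shared-5.6.10-1.el6.x86_64.rpm MySQL-server-5.6.10-1.el6.x86_64.rpm MySQL-client-5.6.10-1.el6.x86_64.rpm
rpm -ivh MySQL-shared-5.6.10-1.el6.x86_64.rpm
rpm -ivh MySQL-server-5.6.10-1.el6.x86_64.rpm
rpm -ivh MySQL-client-5.6.10-1.el6.x86_64.rpm
# the server rpm writes the generated initial root password here
cat /root/.mysql_secret
service mysql start
chkconfig --levels 235 mysql on
# log in with that generated password and replace it at the mysql> prompt
# (this is SQL, not shell — it was a bare line in the original):
#   SET PASSWORD FOR 'root'@'localhost' = PASSWORD('yourrootpassword');
mysql -uroot -p
# run this always, not just "when in production": it removes anonymous users,
# the test database and remote root logins
mysql_secure_installation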
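# firewall - add ports (-I inserts at the head of the chain, so each rule below
# is evaluated before the distribution's default REJECT rule)
iptables -I INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -I OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -I INPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -I OUTPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
iptables -I INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# ssh is tcp; the original "-p udp --sport 22" rule could never match an ssh reply
iptables -I OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# mysql: the rails app on this same box talks to mysql over loopback, which the default
# CentOS 6 ruleset already accepts. Opening 3306 to every source exposes the database
# to the internet, so that rule is dropped. If a specific remote client must connect,
# allow only its address, e.g.:
#   iptables -I INPUT -s <TRUSTED_CLIENT_IP> -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
# smtp: note this only matches replies *from* a local smtp server on port 25. Outbound mail
# from postfix is a client connection (random source port, --dport 25); if the OUTPUT
# policy is not ACCEPT, an OUTPUT rule for --dport 25 is needed instead.
iptables -I OUTPUT -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
# save firewall settings on reboot
service iptables save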
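# setup sys user and password
useradd sysadmin
passwd sysadmin
# grant sudo with visudo rather than vi: it takes the sudoers lock and refuses to save a
# file with a syntax error (a broken /etc/sudoers locks everyone out of sudo)
# add the following line below "root ALL=(ALL) ALL"
# sysadmin ALL=(ALL) ALL
# save file and exit -> :wq!
visudo
# disable root login from ssh, so nobody is able to brute force a root login.
# Rewrites the "PermitRootLogin" line whether or not it is still commented out,
# keeping a backup of the original config.
sed -i.bak 's/^#\?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
grep -n '^PermitRootLogin' /etc/ssh/sshd_config
# syntax-check before restarting: a bad sshd_config plus a restart means no way back in
sshd -t && /etc/init.d/sshd restart
# keep this root session open and confirm that "ssh sysadmin@hostname" followed by a sudo
# command works from a second terminal before logging out
logout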
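# setup for ssh access (replace hostname & paths as necessary)
# --- on your workstation ---
scp ~/.ssh/id_rsa.pub sysadmin@hostname:/home/sysadmin/
# login as sys user
ssh sysadmin@hostname
# --- on the server, as sysadmin ---
mkdir -p /home/sysadmin/.ssh
# append instead of mv: does not clobber any key already authorized for this account
cat /home/sysadmin/id_rsa.pub >> /home/sysadmin/.ssh/authorized_keys
rm -f /home/sysadmin/id_rsa.pub
chown -R sysadmin:sysadmin /home/sysadmin/.ssh
# sshd ignores the key unless the directory and file are private to the user
chmod 700 /home/sysadmin/.ssh
chmod 600 /home/sysadmin/.ssh/authorized_keys
# once a key login is verified from your workstation, password logins can be turned off
# with "PasswordAuthentication no" in /etc/ssh/sshd_config (do it from a session that stays open)
# create or update .bash_profile
touch ~/.bash_profile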
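# Install RVM: fetch the installer over https to a file, read it, then run it.
# Piping a plain-http download straight into bash executes whatever arrived, unreviewed.
curl -sSL https://get.rvm.io -o rvm-installer
less rvm-installer
bash rvm-installer stable
rm -f rvm-installer
# Reload your shell environment:
source ~/.bash_profile
# Find the requirements (follow the instructions):
rvm requirements
# note: the header of this walkthrough names ruby-1.9.3-p286 while these lines install p194;
# keep the two in sync when you choose a version
rvm install ruby-1.9.3-p194
rvm use ruby-1.9.3-p194 --default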
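# write ~/.gemrc non-interactively (same content the vi step asked you to paste).
# The gem source is https: with plain http, gems could be altered in transit
# before they are installed and run.
cat > ~/.gemrc <<'EOF'
---
:backtrace: false
:benchmark: false
:bulk_threshold: 1000
:sources:
- https://rubygems.org/
:update_sources: true
:verbose: true
gem: --no-ri --no-rdoc
EOF
# unpinned versions: whatever is current at install time
gem install bundler rake passenger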
# passenger's installer compiles nginx with the passenger module; the init script below
# expects the resulting layout under /home/sysadmin/nginx (sbin, conf, logs)
passenger-install-nginx-module
# choose option 1
# install to the following folder -> /home/sysadmin/nginx
# follow instructions at the end of install
# or install latest from repo
# NOTE(review): this rpm route is an *alternative* to the passenger build above, not an
# addition: it installs its own nginx binary and its own /etc/init.d/nginx, which the
# "setup init for nginx" step below then overwrites with a script pointing at
# /home/sysadmin/nginx. Pick one route. The rpm is also fetched over plain http and
# installed without a signature check — import the nginx signing key and run
# "rpm -K <file>" before "rpm -ivh".
wget http://nginx.org/packages/centos/6/x86_64/RPMS/nginx-1.2.8-1.el6.ngx.x86_64.rpm
rpm -ivh nginx-1.2.8-1.el6.ngx.x86_64.rpm
sudo chkconfig --add nginx
sudo chkconfig --level 35 nginx on
sudo service nginx start
# setup init for nginx (the file content follows; it is reproduced verbatim here)
sudo vi /etc/init.d/nginx
# copy the following into the file
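#!/bin/sh
#
# nginx - this script starts and stops the nginx daemon (place in /etc/init.d/nginx)
# sudo chmod +x /etc/init.d/nginx
# sudo /sbin/chkconfig nginx on
# sudo /sbin/chkconfig --list nginx
# sudo /etc/init.d/nginx status
# sudo /etc/init.d/nginx configtest
#
# chkconfig: - 85 15
# description: Nginx is an HTTP(S) server, HTTP(S) reverse \
# proxy and IMAP/POP3 proxy server
# processname: nginx
# config: /home/sysadmin/nginx/conf/nginx.conf
# pidfile: /home/sysadmin/nginx/logs/nginx.pid
# Source function library (provides daemon, killproc and status used below).
. /etc/rc.d/init.d/functions
# Source networking configuration.
. /etc/sysconfig/network
# Check that networking is up.
[ "$NETWORKING" = "no" ] && exit 0
# NOTE(review): this script runs as root yet executes a binary and reads a config that live
# under an unprivileged user's home directory. Whoever can write there decides what root
# runs at boot. A root-owned prefix (e.g. /opt/nginx) for the passenger build avoids that.
nginx="/home/sysadmin/nginx/sbin/nginx"
# basename of the binary via parameter expansion: no fork, no unquoted expansion
prog=${nginx##*/}
NGINX_CONF_FILE="/home/sysadmin/nginx/conf/nginx.conf"
# subsys lock: its presence is what tells "service"/shutdown that nginx is running
lockfile=/var/lock/subsys/nginx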
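start() {
  # refuse to start without the binary/config; 5 and 6 are the LSB codes
  # for "program not installed" and "program not configured"
  [ -x "$nginx" ] || exit 5
  [ -f "$NGINX_CONF_FILE" ] || exit 6
  echo -n $"Starting $prog: "
  daemon "$nginx" -c "$NGINX_CONF_FILE"
  retval=$?
  echo
  # only record a running service when the daemon actually started
  [ $retval -eq 0 ] && touch "$lockfile"
  return $retval
}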
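stop() {
  echo -n $"Stopping $prog: "
  # QUIT asks nginx for a graceful shutdown (in-flight requests are finished first)
  killproc "$prog" -QUIT
  retval=$?
  echo
  # clear the subsys lock only when the daemon really went away
  [ $retval -eq 0 ] && rm -f "$lockfile"
  return $retval
}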
restart() {
  # a broken config must not take a running server down: check it first and
  # hand configtest's own status back to the caller
  configtest
  rc=$?
  if [ "$rc" -ne 0 ]; then
    return "$rc"
  fi
  stop
  # brief pause so the old master has released its sockets before the new one binds
  sleep 1
  start
}
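reload() {
  # never signal a reload against a config that does not parse
  configtest || return $?
  echo -n $"Reloading $prog: "
  # HUP tells nginx to re-read its configuration
  killproc "$nginx" -HUP
  retval=$?
  echo
  # propagate the signal's status; the original stored it in RETVAL and then
  # returned echo's 0, so a failed reload looked successful
  return $retval
}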
force_reload() {
  # nginx has no separate "force" reload; a full restart is the equivalent,
  # and its exit status becomes ours
  restart
}
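configtest() {
  # "nginx -t" parses the named config and exits non-zero on any error;
  # that status is returned unchanged to the caller
  "$nginx" -t -c "$NGINX_CONF_FILE"
}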
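rh_status() {
  # status (from the init functions library) reports on the process by name
  status "$prog"
}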
rh_status_q() {
  # quiet variant of rh_status: only its exit status is of interest,
  # so both output streams are discarded
  rh_status >/dev/null 2>/dev/null
}
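# dispatch on the action word. "$1" is only ever executed as a command after a case
# pattern has matched it against the known action names, so no other word reaches that point.
case "$1" in
  start)
    # already running: nothing to do, success (LSB)
    rh_status_q && exit 0
    $1
    ;;
  stop)
    # not running: nothing to do, success (LSB)
    rh_status_q || exit 0
    $1
    ;;
  restart|configtest)
    $1
    ;;
  reload)
    # 7 = program is not running (LSB)
    rh_status_q || exit 7
    $1
    ;;
  force-reload)
    force_reload
    ;;
  status)
    rh_status
    ;;
  condrestart|try-restart)
    # restart only if currently running. The original exited 0 here without ever
    # calling restart, so condrestart was a no-op.
    rh_status_q || exit 0
    restart
    ;;
  *)
    echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload|configtest}"
    exit 2
esac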
# save file and exit -> :wq!
# configure init for nginx: make the script executable, register it with chkconfig,
# then check status and config before the first start
sudo chmod +x /etc/init.d/nginx
sudo chkconfig nginx on
sudo chkconfig --list nginx
sudo service nginx status
sudo service nginx configtest
sudo service nginx start
# postfix (barebones config to send simple emails)
sudo service postfix start
# postfix auto start at boot time
sudo chkconfig --add postfix
sudo chkconfig postfix on
# done!
logout