OVH Dedicated server

... after partitioning the disks with OVH's own installer tools, follow this procedure:

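# Replace the initial root password handed over by the provider before anything else.
passwd

yum install nano

# Keep a dated copy of the shell profile before editing it.
cp ~/.bashrc ~/.bashrc.orig.$(date +%F)

nano ~/.bashrc

# ---- lines added to ~/.bashrc ----
export PS1="{\w}\n[\[\e[31m\]\u\[\e[m\]@\[\e[34;40m\]\H\[\e[m\] \W\[$(tput sgr0)\]]\\$ "
# Timestamp every history entry; invaluable when reconstructing what was run and when.
export HISTTIMEFORMAT="%h %d %H:%M:%S "
export HISTSIZE=100000
export HISTFILESIZE=100000
# ignoreboth = ignoredups + ignorespace: a command typed with a leading space is not
# recorded, which is the simplest way to keep passwords (see the FTP section) out of
# the history file.
export HISTCONTROL=ignoreboth
export HISTIGNORE="ls:ps:history"

# Non-default history location. Remember it when auditing this host: anyone (or any
# tool) looking only at ~/.bash_history will find nothing.
export HISTFILE=~/.terminal_history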

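# Inspect the current layout before touching anything.
df -h
lvs
pvs
lsblk

# The installer mounted the two cache LVs as ordinary filesystems; they have to be
# unmounted (and removed from fstab) before they can be turned into a cache pool.
umount /cache/lv_cache_meta
umount /cache/lv_cache

# Keep a dated copy of fstab: a wrong entry here means a boot into the emergency shell.
cp -p /etc/fstab /etc/fstab.orig.$(date +%F)
nano /etc/fstab

# Comment out both entries, otherwise the next boot fails trying to mount them:
#UUID=ac3bad7b-ecba-41ac-a6e5-e5dcd070fe33      /cache/lv_cache xfs     defaults        0       0
#UUID=83063739-99f2-4ae9-81e7-07eae2e37bde      /cache/lv_cache_meta    xfs     defaults        0  0

reboot

lvdisplay

# Build the cache pool. writethrough acknowledges a write only after it reached the
# origin LV as well, so losing the cache device cannot lose data (writeback could).
# This step destroys whatever filesystems were on lvcache / lvcachemeta.
lvconvert --type cache-pool --cachemode writethrough --poolmetadata vg/lvcachemeta vg/lvcache

lsblk
pvs
lvs -a -o +devices

# Attach the pool to the LV. NOTE(review): vg/centos7 is presumably the root
# filesystem; the initramfs then needs the dm-cache module/tools to activate it at
# boot. Verify (e.g. lsinitrd | grep -i cache) before the next reboot, or the
# system may not come up.
lvconvert --type cache --cachepool vg/lvcache vg/centos7

lvs -a -o +devices
lsblk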

 

Enabling quota on the / (root) partition

Normally you would enable quota through the mount options in /etc/fstab, but for the root filesystem "/" the quota options have to be passed to the kernel at boot time (rootflags=...), because / is already mounted before fstab is processed.

Edit the grub configuration file:

nano /etc/default/grub

search for the line that starts with GRUB_CMDLINE_LINUX and append rootflags=uquota,gquota to the kernel command-line parameters, so that the resulting line looks like this (the line as copied here was cut off by the editor's line wrap; it must end with rootflags=uquota,gquota"):

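# NOTE(review): this command line also carries selinux=0, which switches SELinux off
# completely (not merely permissive). For a public web/database host that removes a
# significant layer of containment; keep it only if it is a deliberate choice.
# The closing quote after rootflags=uquota,gquota was lost to line wrapping in the
# original notes and is restored here.
GRUB_CMDLINE_LINUX="vconsole.keymap=us selinux=0 net.ifnames=0 biosdevname=0 crashkernel=auto  vconsole.font=latarcyrheb-sun16 rhgb quiet rootflags=uquota,gquota"
GRUB_DISABLE_RECOVERY="true"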

and apply the changes by running the following command.

# Keep the previous generated config so a bad kernel line can be reverted from a rescue shell.
cp -- /boot/grub2/grub.cfg /boot/grub2/grub.cfg_bak
# Regenerate grub.cfg from /etc/default/grub. On UEFI installs the live file is under
# /boot/efi/EFI/centos/ instead; regenerate the one the firmware actually loads.
grub2-mkconfig -o /boot/grub2/grub.cfg

and reboot the server.

# Reboot so the new kernel command line (rootflags=...) takes effect.
systemctl reboot

Now check if quota is enabled:

# Show only the root mount; -F matches the spaced ' / ' literally rather than as a pattern.
mount | grep -F ' / '

When quota is active, "usrquota,grpquota" appears in the mount option list for / (XFS reports the uquota/gquota flags under these names).

 

SWAPPINESS

Tuning Virtual Memory

Virtual memory is typically consumed by processes, file system caches, and the kernel. Virtual memory utilization depends on a number of factors, which can be affected by the following parameters.

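nano /etc/sysctl.conf
# sysctl.conf is only read at boot; apply the new values to the running kernel now,
# which also reports any key the kernel rejects.
sysctl -p /etc/sysctl.conf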

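# Minimizing the amount of swapping
# NOTE(review): 60 is the kernel default, so this line does not reduce swapping at all;
# the commented value (18) is the one that would. Pick one deliberately.
#vm.swappiness = 18
vm.swappiness = 60
vm.vfs_cache_pressure = 50
# overcommit_memory=1 lets every allocation succeed; under memory pressure the OOM
# killer, not malloc(), decides which process dies. overcommit_ratio is only consulted
# in mode 2, so it has no effect while mode 1 is set.
vm.overcommit_memory=1
vm.overcommit_ratio=75
vm.dirty_ratio = 50
vm.dirty_background_ratio = 5

# Increases the size of file handles and inode cache & restricts core dumps
#fs.file-max = 2097152
fs.file-max = 100000
# suid_dumpable=0: set-uid programs never dump core, so memory that may hold secrets
# cannot be read back from a core file.
fs.suid_dumpable = 0

# Change the amount of incoming connections and incoming connections backlog
net.core.somaxconn = 65535
net.core.netdev_max_backlog = 262144

# (The file-max / suid_dumpable / somaxconn / netdev_max_backlog block appeared twice
# in the original with identical values; the duplicate has been dropped.)

# Increase the maximum amount of memory buffers
net.core.optmem_max = 25165824

# Increase the default and maximum send/receive buffers
net.core.rmem_default = 31457280
net.core.rmem_max = 67108864
net.core.wmem_default = 31457280
net.core.wmem_max = 67108864

# Enable TCP SYN cookie protection
net.ipv4.tcp_syncookies = 1

# Enable IP spoofing protection (strict reverse-path filtering). 'default' covers
# interfaces created after boot as well.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# A host that is not a router has no use for ICMP redirects or source-routed packets;
# accepting them allows traffic to be steered elsewhere.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Log packets with impossible source addresses (helps when investigating spoofing).
net.ipv4.conf.all.log_martians = 1

# Enable ignoring to ICMP requests and broadcasts request
# NOTE(review): icmp_echo_ignore_all drops every ping, including external
# uptime/availability monitoring; confirm nothing you depend on pings this host before
# keeping it. Ignoring broadcast echo alone (smurf protection) is the safer subset.
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1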

ACCESS BACKUP STORAGE and MAKE NEW FOLDERS on there

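yum install ncftp

SERVER_HOST=xx.xx.xx.xx
SERVER_USERNAME=xxxxxx
FTP_USERNAME=nsxxxxxx.ip-xx-xx-xxx.eu
FTP_HOSTNAME=ftpback-rbx3-xxx.ovh.net
# Read the password interactively (-s: no echo) so it never lands in the shell history
# or, via a command-line argument, in the process list visible to every local user.
read -r -s -p "FTP password: " FTP_PASSWORD; echo

# Create ~/.netrc with mode 0600 from the first byte: a restrictive umask in a subshell,
# rather than chmod after the write, closes the window where the file is world-readable.
(
  umask 077
  cat > ~/.netrc <<EOF
machine $FTP_HOSTNAME
	login $FTP_USERNAME
	password $FTP_PASSWORD
EOF
)
unset FTP_PASSWORD

# NOTE(review): this is plain FTP -- credentials and backup data cross the network
# unencrypted. Use an encrypted transport if the backup storage offers one.
# Give only the user name; ncftp prompts for the password (or picks it up from ~/.netrc),
# so it is never passed with -p on the command line.
ncftp -u "$FTP_USERNAME" "$FTP_HOSTNAME"

# (inside the ncftp session)
mkdir backups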

 

MariaDB 10 (10.3.34, pinned in the repo definition below)

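# Import the distribution signing keys so package signatures can be verified.
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY*
yum -y install epel-release
yum -y update
yum -y groupinstall 'Development Tools'
yum install yum-utils
# Fetch the Remi release package over TLS. yum does not check the signature of a
# package given as a URL unless localpkg_gpgcheck=1, so the transport is the only
# integrity check here; alternatively download it, run 'rpm -K' on it, then install.
yum install https://rpms.remirepo.net/enterprise/remi-release-7.rpm
yum-config-manager --enable remi-php81
yum install ntp httpd mod_ssl php php-mysql php-mbstring phpmyadmin

# httpoxy mitigation: strip a client-supplied "Proxy:" header before it is exported to
# CGI/PHP as HTTP_PROXY. Needs mod_headers (loaded by default on CentOS 7). Append only
# once -- re-running a bare '>>' duplicates the directive.
grep -q '^RequestHeader unset Proxy early' /etc/httpd/conf/httpd.conf \
  || echo "RequestHeader unset Proxy early" >> /etc/httpd/conf/httpd.conf

service httpd restart

yum install iptables-services
# NOTE(review): CentOS 7 ships firewalld; iptables-services expects to own the ruleset,
# so disable firewalld (systemctl disable --now firewalld) before relying on these rules,
# and run 'service iptables save' once the set is complete or it is lost at reboot.
iptables -I INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -I INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

yum info mariadb-server
cd /etc/yum.repos.d/
# Repo definition per https://mariadb.com/kb/en/yum/ -- the [mariadb] stanza below.
nano mariadb.repo

# Do not pipe a remote script straight into a root shell. Download it, compare it with
# the checksum MariaDB publishes next to it, read it, and only then run it. Note that
# the script writes its own mariadb.repo for the current series, which can replace the
# hand-written 10.3.34 stanza above -- keep one of the two, not both.
curl -sSfLO https://downloads.mariadb.com/MariaDB/mariadb_repo_setup
sha256sum mariadb_repo_setup   # compare with the value published on mariadb.com
less mariadb_repo_setup
bash mariadb_repo_setup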

 

 

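[mariadb]
name = MariaDB-10.3.34
# Metadata and packages over TLS: gpgcheck verifies the RPMs themselves, but over a
# plaintext path an attacker could still serve stale metadata and withhold updates.
# NOTE(review): archive.mariadb.org serves a fixed point release; nothing pinned here
# receives security fixes, and the 10.3 series itself has reached end of life. Plan
# the upgrade path rather than leaving this as the long-term configuration.
baseurl= https://archive.mariadb.org/mariadb-10.3.34/yum/centos/$releasever/$basearch
gpgkey= https://archive.mariadb.org/PublicKey
gpgcheck=1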

  yum-config-manager --enable  MariaDB.repo

yum info mariadb-server
   yum update
   rpm --import https://supplychain.mariadb.com/MariaDB-Server-GPG-KEY

yum clean all
  yum install MariaDB-server


# Enable at boot and start now in one step; MariaDB's own packages name the unit mysql.service.
systemctl enable --now mysql.service

nano /etc/my.cnf

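[mysqld]
datadir = /var/lib/mysql
socket = /var/lib/mysql/mysql.sock
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links = 0
# NOTE(review): no bind-address is set, so the server accepts TCP connections on every
# interface of this public host (port 3306). If only local clients need it (phpMyAdmin
# and the mail process both run on this box), bind to loopback and/or keep 3306 closed
# in iptables:
#bind-address = 127.0.0.1
# Settings user and group are ignored when systemd is used.
# If you need to run mysqld under a different user or group,
# customize your systemd unit file for mariadb according to the
# instructions in http://fedoraproject.org/wiki/Systemd

character-set-server = utf8mb4

performance_schema = ON

#max_allowed_packet=32M
max_allowed_packet = 16M

open_files_limit = 65535

#Configure tmp_table_size and max_heap_table_size
#Both directives should have the same size and will help you prevent disk writes. The tmp_table_siz$
max_heap_table_size = 16M # Increase to higher amount, if you have lots of temporary tables because of missing indices in JOINs
tmp_table_size = 16M

#max_connections = 100
max_connections = 150
#thread_cache_size = 50
#thread_cache_size = 26
thread_cache_size = 50
# NOTE(review): MariaDB's built-in default thread_stack is larger than 192K on 64-bit;
# too small a stack can crash threads running deep stored routines or triggers.
# Confirm this value is intentional rather than copied from an older MySQL template.
thread_stack = 192K

#query_cache_type=OPTION
#Set the query cache type. Possible options are as follows:
#0 : Don't cache results in or retrieve results from the query cache.
#1 : Cache all query results except for those that begin with SELECT S_NO_CACHE.
#2 : Cache results only for queries that begin with SELECT SQL_CACHE
# query_cache_size = 16M
query_cache_type = 1
query_cache_size = 16M
query_cache_limit = 4M
#query_cache_min_res_unit = 2k
query_cache_min_res_unit = 4k



# CALCULATIONS: 1048576 = 1M
# key_buffer_size was defined twice in the original (26M here, then 'key_buffer = 36M'
# further down; the later occurrence takes effect). One definitive value now:
key_buffer_size = 36M
read_buffer_size = 64k
read_rnd_buffer_size = 64k
sort_buffer_size = 1M
join_buffer_size = 2M

#interactive_timeout = 60
#wait_timeout = 60
#connect_timeout = 60
#wait_timeout=300
#interactive_timeout = 300
interactive_timeout = 50
wait_timeout = 1800
connect_timeout = 20
# 2 = write the redo log at commit but fsync it only about once per second: an OS crash
# or power loss can lose the last ~1s of committed transactions. Use 1 for full durability.
innodb-flush-log-at-trx-commit = 2

#Enabling MySQL Slow query Logs
slow-query-log = 1
slow-query-log-file = /var/lib/mysql/mysql-slow.log
long_query_time = 1



#skip-character-set-client-handshake !!! STOPS SEND-MAIL PROCESS
#skip-name-resolve=1  !!! STOPS SEND-MAIL PROCESS
# Skip reverse DNS lookup of clients
#skip-name-resolve {with opened doesn't allow sending}
# NOTE(review): skip-name-resolve disables reverse lookups, so any GRANT keyed on a
# hostname ('user'@'some.host') stops matching -- the likely reason the mail process
# broke. The clean fix is to re-grant those users by IP or 'localhost' and then enable
# skip-name-resolve; leaving lookups on makes every login depend on DNS.

#innodb_buffer_pool_size = 378435456
#innodb_buffer_pool_size = 128M !!!previous stable
innodb_buffer_pool_size = 512M
innodb_log_file_size = 64M
#innodb_buffer_pool_size = 256M - equation
#innodb_additional_mem_pool_size = 16106127

# NEWLY ADDED
#according mysqltuner recommendations
#innodb_file_per_table = on
#innodb_log_file_size = 32M

myisam_sort_buffer_size = 64M
# This replaces the startup script and checks MyISAM tables if needed
# the first time they are touched
myisam-recover         = BACKUP
# key_buffer is an alias of key_buffer_size, which is set once in the CALCULATIONS
# section above; do not set it a second time here.
#key_buffer = 36M

#InnoDB Multi-byte UTF-8 support
innodb_large_prefix = true
innodb_file_format = barracuda
innodb_file_per_table = true


#[client]
#default-character-set=utf8mb4

[mysqld_safe]
log-error = /var/log/mariadb/mariadb.log
pid-file = /var/run/mariadb/mariadb.pid

open_files_limit = 65535
#
# include all files from the config directory
#
# Files in /etc/my.cnf.d are read after this point, so anything they set (e.g. a
# packaged server.cnf) overrides the values above. Check there when a setting does
# not take effect.
!includedir /etc/my.cnf.d

[mysqldump]
quick
max_allowed_packet = 32M

#[mysql]
#no-auto-rehash
#default-character-set = utf8mb4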

Set MySQL Passwords and Configure phpMyAdmin

# Interactive hardening: prompts to set the root password, drop anonymous users and the
# test database, and disallow remote root login.
mysql_secure_installation

# Dated backups of both phpMyAdmin configuration files before editing them.
for f in /etc/httpd/conf.d/phpMyAdmin.conf /etc/phpMyAdmin/config.inc.php; do
  cp "$f" "$f.orig.$(date +%F)"
done

nano /etc/httpd/conf.d/phpMyAdmin.conf
     #  Require ip 127.0.0.1
     #  Require ip ::1
        # NOTE(review): 'Require all granted' publishes the phpMyAdmin login page -- and
        # the MariaDB credentials it accepts -- to every address on the internet. Prefer
        # a list of admin addresses here (Require ip A.B.C.D) or an SSH tunnel to the
        # loopback-only default above. Whatever is chosen, force HTTPS for this
        # location: with auth_type 'http' the database credentials travel as a Basic
        # Authorization header on every request.
        Require all granted
nano /etc/phpMyAdmin/config.inc.php
[...]
/* Authentication type. 'http' makes the browser send the MariaDB user/password as an
   HTTP Basic Authorization header on every request, so it is only acceptable when
   phpMyAdmin is reachable over HTTPS exclusively (mod_ssl is installed above; add a
   redirect from port 80 or restrict the Alias to the TLS vhost). */
$cfg['Servers'][$i]['auth_type'] = 'http';
[...]

 

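# Dated, permission-preserving backup of the SSH daemon config before editing it.
cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.orig.$(date +%F)

nano /etc/ssh/sshd_config

# Validate the edited file before restarting: a syntax error would leave the daemon
# down and this remote session as the only way in.
sshd -t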

# A non-default port only cuts scanner noise in the logs; it is not an access control.
# Pair it with key-only authentication (PasswordAuthentication no) and a restricted
# PermitRootLogin, neither of which is set in these notes.
# If SELinux is enforcing (the GRUB line in this guide disables it), the port must be
# labelled first: semanage port -a -t ssh_port_t -p tcp 269
Port 269
#AddressFamily any

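# Open the new port in the firewall BEFORE restarting sshd, and keep this session open
# until a second login on port 269 succeeds; otherwise a typo locks you out of the box.
iptables -I INPUT -p tcp --dport 269 -m state --state NEW -j ACCEPT

# Rate-limited logging of new connections to the SSH port. Inserted with -I it sits in
# front of the ACCEPT rule, so it logs and the ACCEPT still fires afterwards. Without
# -m limit every attempt would be logged, which a scanner can turn into a log flood.
iptables -I INPUT -p tcp -m tcp --dport 269 -m state --state NEW -m limit --limit 5/min --limit-burst 10 -j LOG --log-level 1 --log-prefix "Possible ATTACKS"

systemctl restart sshd

# Rules added with iptables(8) are lost on reboot unless saved; enable the service and
# persist the ruleset to /etc/sysconfig/iptables.
chkconfig iptables on
service iptables save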


== Portmapper servers ==

Portmapper is a service usually used with NFS.  When this is not properly firewalled, it can be abused to conduct DDOS attacks.  We recommend that all portmapper services be behind a firewall, and restricted to only IPs that need to contact them.

For Linux machines, please add firewall rules to block port 111 on both UDP and TCP:

# Drop portmapper (rpcbind) on both transports. "-I INPUT 1" places these ahead of every
# earlier ACCEPT rule, which is what makes them effective. If NFS is not used at all,
# stopping rpcbind itself is the more complete fix than filtering it.
iptables -I INPUT 1 -p tcp -m tcp --dport 111 -j DROP
iptables -I INPUT 1 -p udp -m udp --dport 111 -j DROP

# Persist, otherwise the rules vanish at the next reboot.
service iptables save

# Review the result with rule numbers and numeric addresses (no DNS lookups).
iptables -L --line-numbers -n

 

How to Install and Uninstall remi-release.noarch Package on CentOS 7 / RHEL 7

1. Install "remi-release.noarch" package

# 1. Install the Remi repository package (refresh metadata first).
yum makecache
yum install remi-release.noarch

# 2. Remove it again, together with anything that was pulled in only as its dependency.
yum remove remi-release.noarch
yum autoremove

 

(optional) only one remi-phpXX repository should be enabled at a time; disable the PHP 7.2 stream if it is still active: yum-config-manager --disable remi-php72

Fixing GD error

php --ri gd
PHP Warning:  PHP Startup: Unable to load dynamic library 'gd' (tried: /usr/lib64/php/modules/gd (/usr/lib64/php/modules/gd: cannot open shared object file: No such file or directory), /usr/lib64/php/modules/gd.so (libwebp.so.7: cannot open shared object file: No such file or directory)) in Unknown on line 0

 

# The gd module fails to load because libwebp.so.7 is missing: reinstall the runtime
# library, then the module. Read the transaction summary of the remove step before
# confirming -- yum also removes every package that depends on libwebp7.
yum remove libwebp7
yum install libwebp7

yum install php-gd

== Imagick with WebP support ==

# Headers needed to build the imagick extension (phpize) against ImageMagick.
yum install php-devel ImageMagick-devel

 

 

Install libwebp from source:

  1. wget https://storage.googleapis.com/downloads.webmproject.org/releases/webp/libwebp-1.3.2.tar.gz  (then compare the archive with the checksum the WebM project publishes for this release before building it)
  2. tar xvzf libwebp-1.3.2.tar.gz
  3. cd libwebp-1.3.2
  4. ./configure
  5. make && sudo make install

Install Imagick from source with webp support:

  1. wget https://imagemagick.org/download/ImageMagick.tar.gz
  2. tar xzvf ImageMagick.tar.gz
  3. cd ImageMagick-*/   (ImageMagick.tar.gz is an unversioned "latest" archive, so the extracted directory name changes with every release; 7.1.1-28 was current when these notes were written -- pin a versioned archive and verify it against the digest/signature ImageMagick publishes alongside it)
  4. export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig
    ./configure --with-webp=yes
  5. make && sudo make install   (build as an unprivileged user; only the install step into /usr/local needs root. Nothing installed this way is tracked by rpm, so it receives no security updates -- keep a note to rebuild when ImageMagick publishes fixes)

Install Imagick using PECL:

  1. sudo pecl install imagick

 

# '>' replaces any existing 20-imagick.ini; the numeric prefix orders it after the core extensions.
printf 'extension=imagick.so\n' > /etc/php.d/20-imagick.ini

# Both commands should list WEBP among the supported formats once the build worked.
php -r "print_r(Imagick::queryFormats());"

php -i | grep "ImageMagick supported formats"

 

MEMCACHED

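cd /tmp
# Launchpad serves over TLS; the URL in the notes was truncated -- this is the 1.0.18 tarball.
wget https://launchpad.net/libmemcached/1.0/1.0.18/+download/libmemcached-1.0.18.tar.gz
tar xzvf libmemcached-1.0.18.tar.gz
cd libmemcached-*
# phpize is for PHP extensions only; libmemcached is a plain autotools C library, so the
# 'phpize' step the original ran here (no config.m4 present) did nothing useful and was dropped.
./configure
make
# Installs under /usr/local, outside rpm's control: no security updates will arrive for
# it, so keep a note to rebuild when libmemcached publishes fixes.
make install

pecl install igbinary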

Add the following lines to your php.ini:

; Load igbinary extension
extension=igbinary.so

; Use igbinary as session serializer
; NOTE(review): sessions written with the previous serializer will no longer
; deserialize after this switch; existing users are logged out once.
session.serialize_handler=igbinary

; Enable or disable compacting of duplicate strings
; The default is On.
igbinary.compact_strings=On

; If uncommented, use igbinary as the serializer of APCu
; (APCu 5.1.10 or newer is strongly recommended)
;apc.serializer=igbinary


 pecl install msgpack

 

Memcached Library

 cd /tmp
wget http://memcached.org/latest
 mv latest latest.tar.gz
 tar xzvf latest.tar.gz
cd memcached-1.6.23
./configure && make && make test && sudo make install

 

Install Memcached PHP Extension

To use Memcached from PHP-based applications, install the Memcached PHP extension on the server.

 

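cd ..

# pecl.php.net serves over TLS; keep the download encrypted so the archive cannot be
# swapped in transit.
wget https://pecl.php.net/get/memcached-3.2.0.tgz
tar xzvf memcached-3.2.0.tgz
cd memcached-3.2.0

phpize

# One configure run with both serializers. The original ran ./configure twice; only the
# flags of the second invocation take effect, so the first line was dead.
./configure --enable-memcached-igbinary --enable-memcached-msgpack

make
make test
make install

# Write the extension's ini directly. The original copied it from
# /usr/local/src/php5-build/memcached-2.2.0/, a path this procedure never creates
# (the build above is 3.2.0 and lives in the current directory).
cat > /etc/php.d/memcached.ini <<'EOF'
; Enable memcached extension module
extension=memcached.so

; ----- Options to use the memcached session handler

; RPM note : save_handler and save_path are defined
; for mod_php, in /etc/httpd/conf.d/php.conf
; for php-fpm, in /etc/php-fpm.d/*conf

;  Use memcache as a session handler
;session.save_handler=memcached
;  Defines a comma separated list of server urls to use for session storage
;session.save_path="localhost:11211"

; ----- Configuration options
; http://php.net/manual/en/memcached.configuration.php

memcached.serializer = "igbinary"
EOF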

nano /etc/php.d/memcached.ini

; Enable memcached extension module
extension=memcached.so

; ----- Options to use the memcached session handler

; RPM note : save_handler and save_path are defined
; for mod_php, in /etc/httpd/conf.d/php.conf
; for php-fpm, in /etc/php-fpm.d/*conf

;  Use memcache as a session handler
; NOTE(review): memcached has no authentication -- whoever can reach the port can read
; and overwrite every session. Enable this only while the daemon is bound to loopback
; (see /etc/sysconfig/memcached), never with a save_path on a routable address.
;session.save_handler=memcached
;  Defines a comma separated list of server urls to use for session storage
;session.save_path="localhost:11211"

; ----- Configuration options
; http://php.net/manual/en/memcached.configuration.php

; Must match a serializer the extension was built with (--enable-memcached-igbinary).
memcached.serializer = "igbinary"


 

Configure Memcached Service

By default, Memcached listens on port 11211 on all interfaces and has no authentication of any kind: anyone who can reach the port can read and overwrite the cache, and the UDP listener is a well-known DDoS amplification vector. Configure it to listen on the loopback interface (127.0.0.1) only and disable UDP, by editing the default configuration file /etc/sysconfig/memcached:

nano /etc/sysconfig/memcached

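PORT="11211"
USER="memcached"

# max connection 1024
#MAXCONN="2048"
MAXCONN="1024"

# set ram size to 1024 - 1GiB
CACHESIZE="1024"
#CACHESIZE="512"

# disable UDP and listen to loopback ip 127.0.0.1, for network connection use real ip e.g., 10.0.0.5
# Exactly one OPTIONS assignment. The original set OPTIONS twice and the second line
# ("-vv >> /var/log/memcached 2>&1") replaced this one, so memcached actually came up
# listening on every interface with UDP enabled -- precisely the exposure the text above
# warns about. A shell redirection cannot work in this file anyway: systemd hands the
# string to memcached as literal arguments (ExecStart is not run through a shell), so
# the log file would never be written. For verbose output add -vv here and read it with
# journalctl -u memcached.
OPTIONS="-l 127.0.0.1 -U 0"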

 

updatedb

# The source build lands in /usr/local/bin; the unit file below expects /usr/bin.
locate bin/memcached
# -> /usr/local/bin/memcached

ln -s /usr/local/bin/memcached /usr/bin/memcached

memcached --version
 

Now create the systemd unit file for the daemon:

 

 

nano /usr/lib/systemd/system/memcached.service

[Unit]
Description=Memcached
# Start before httpd so PHP sessions/caches find the daemon; network.target is the
# minimum ordering for a socket listener.
Before=httpd.service
After=network.target

[Service]
Type=simple
# The leading '-' makes a missing sysconfig file non-fatal -- but then $USER/$PORT/
# $CACHESIZE/$MAXCONN expand to nothing and the command line degrades to "-u -p -m -c".
EnvironmentFile=-/etc/sysconfig/memcached
# No shell is involved: systemd splits $OPTIONS on whitespace and passes the words to
# memcached verbatim, so shell syntax (redirections, pipes) written into the sysconfig
# file reaches memcached as arguments instead of being interpreted.
ExecStart=/usr/bin/memcached -u $USER -p $PORT -m $CACHESIZE -c $MAXCONN $OPTIONS

[Install]
WantedBy=multi-user.target

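# A freshly written unit file is only seen by systemd after a reload.
systemctl daemon-reload

# Either symlink the unit into the target's wants directory by hand ...
#ln -s /usr/lib/systemd/system/memcached.service /etc/systemd/system/multi-user.target.wants/memcached.service
# ... or let systemctl create exactly that link (preferred).
systemctl enable memcached

# The unit drops privileges to $USER (memcached) via -u, so the account must exist before
# the first start. A system account with no home and no login shell is all it needs.
groupadd memcached
adduser --system -g memcached --no-create-home --shell /sbin/nologin memcached

systemctl start memcached
systemctl status memcached

# Confirm it is bound to loopback only: expect 127.0.0.1:11211 on TCP and no UDP socket.
ss -ltnup | grep 11211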

 

uploadprogress

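cd /tmp
wget https://pecl.php.net/get/uploadprogress-2.0.2.tgz
# The archive has to be unpacked and entered before phpize. The original ran phpize in
# /tmp itself, where there is no config.m4, so nothing was actually built.
tar xzvf uploadprogress-2.0.2.tgz
cd uploadprogress-2.0.2
phpize
./configure --enable-uploadprogress
make
make install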

 

uploadprogress supportenabled
Version2.0.2
DirectiveLocal ValueMaster Value
uploadprogress.file.contents_template/tmp/upload_contents_%s/tmp/upload_contents_%s
uploadprogress.file.filename_template/tmp/upt_%s.txt/tmp/upt_%s.txt
uploadprogress.get_contents11

 

cat /etc/php.d/uploadprogress.ini
extension=uploadprogress.so
; get_contents=On writes the body of every in-flight upload to the contents_template file.
uploadprogress.get_contents=On
; NOTE(review): both templates point at the shared, world-writable /tmp with predictable
; names (%s is the upload identifier). On CentOS 7 httpd.service normally runs with
; PrivateTmp, which gives Apache a private /tmp -- verify that is the case on this host;
; otherwise use a directory owned by the web server user and not readable by others.
uploadprogress.file.filename_template=/tmp/upt_%s.txt
uploadprogress.file.contents_template=/tmp/upload_contents_%s

 

.htaccess

 # Reroute HTTPS upload requests to HTTP for progress bar support.
 # NOTE(review): this is a deliberate TLS downgrade. For matching requests the upload
 # body and every cookie not marked Secure (typically the session cookie) travel in
 # clear over port 80, and the rule is defeated entirely once HSTS is enabled. Prefer a
 # progress mechanism that works over HTTPS, or at least scope the rule to the exact
 # upload endpoint. The rule also carries no [R,L] flags; confirm that an external
 # redirect, not an internal rewrite, is what actually happens.
  <IfModule mod_ssl.c>
    RewriteCond %{HTTPS} =on
    RewriteCond %{QUERY_STRING} filefield/ahah|filefield/progress
    RewriteRule ^(.*)$ http://%{HTTP_HOST}%{REQUEST_URI}
  </IfModule>