Denyhosts is a script that checks logs for brute force login attacks. If an IP goes over a certain number of failures denyhosts will add the IP to /etc/hosts.deny blocking that host from accessing the server.
yum install denyhosts
If you have a static IP or one that doesn’t change very often you should add it to /etc/hosts.allow. This prevents denyhosts from blocking that IP if you fail to log in. To find out what your external IP address is, go to a site like whatismyip. Your IP will be displayed on the page. Add a line like: sshd:18.104.22.168 to /etc/hosts.allow. Replace 18.104.22.168 with the IP you received.
The denyhosts config file is located in /etc/denyhosts/denyhosts.cfg. The config file explains all the settings. You can set it up to send out email reports. Also thresholds for failed logins can be changed. I usually just leave it alone.
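The counting described above, as an added Python sketch (not DenyHosts' own code and not from the original page): it tallies failed sshd logins per source IP in constructed log lines, skips addresses listed for sshd in hosts.allow, and returns the hosts.deny entries. THRESHOLD, the function names and the sample addresses are assumptions; only literal addresses in hosts.allow are handled.

```python
import re
from collections import Counter

# The user name in this line is chosen by the remote client, so the source
# address is matched at the end of the line, never right after the user name.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for .* from "
                    r"(\d{1,3}(?:\.\d{1,3}){3}) port \d+(?: ssh2)?\s*$")
THRESHOLD = 3  # assumed value for this sketch; the real limits live in denyhosts.cfg

def parse_hosts_allow(text):
    """Return the literal client addresses that hosts.allow-style text lists for sshd."""
    allowed = set()
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(":")  # drop comments, split daemon:clients
        if len(parts) > 1 and {d.strip() for d in parts[0].split(",")} & {"sshd", "ALL"}:
            allowed.update(parts[1].replace(",", " ").split())
    return allowed

def hosts_to_deny(log_lines, allowed, threshold=THRESHOLD):
    """Return hosts.deny entries for IPs with more than `threshold` failures."""
    failures = Counter()
    for line in log_lines:
        match = FAILED.search(line)
        if match:
            failures[match.group(1)] += 1
    return sorted(
        f"sshd: {ip}" for ip, n in failures.items()
        if n > threshold and ip not in allowed
    )

def _fail(ip, user, count):
    """Build constructed sshd failure lines (sample data, not real logs)."""
    return [
        f"Jan 10 03:12:{i:02d} web1 sshd[{2100 + i}]: "
        f"Failed password for {user} from {ip} port {40000 + i} ssh2"
        for i in range(count)
    ]

SAMPLE_ALLOW = "# constructed hosts.allow\nsshd: 198.51.100.7\n"
SAMPLE_LOG = (
    _fail("203.0.113.5", "invalid user admin", 4)   # over the threshold
    + _fail("198.51.100.7", "root", 5)              # over, but allowlisted
    + _fail("192.0.2.44", "root", 2)                # under the threshold
)

if __name__ == "__main__":
    print("\n".join(hosts_to_deny(SAMPLE_LOG, parse_hosts_allow(SAMPLE_ALLOW))))
```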
This setup is fairly basic and is for CentOS 6.
First time setup
Start the database: service mysqld start
This script will walk you through the basic securing of mysql. It will also set the root password for mysql. The defaults should be fine here.
This part is for users who want to run mysql on a separate disk from the OS. You will need to have created a filesystem and mounted it some place else on the system to do this. I mount my mysql partition at /mysql1 for example. I’m not including partitioning or filesystem creation here because you really should know that if you are reading and doing this. Also I realize my.cnf can be changed to point to this new location but it’s easier to just use a symlink from the default location.
Stop the database: service mysqld stop
Now copy all the files from the default mysql location to the new mount point.
find /usr/lib/mysql -print |cpio -pdvm /mysql1/mysql
Move old files to a different location in case we break something.
mv mysql mysql.os
Now create a symlink to the new location.
ln -s /mysql1/mysql
service mysqld start
I’m not going to put specifics here. Configuring mysql depends a lot on your hardware and how large your database is. I set mine up to use innodb. For a small database I set up a single data file set to autoextend. For a larger database I use the file per table setting. Most other settings depend on how much RAM you want to give mysql. On my server I have it set up to use about 1GB of RAM. Typically mysql will use less than what you configure it for if it doesn’t need it.
This is an example of my mysql config file. My database is about 1GB in size. The server has a lot of ram so I give MySQL a decent amount to use.
key_buffer = 16M
max_allowed_packet = 1M
table_cache = 64
sort_buffer_size = 512K
read_buffer_size = 256K
read_rnd_buffer_size = 512K
innodb_data_file_path = ibdata1:4096M:autoextend
innodb_buffer_pool_size = 512M
innodb_additional_mem_pool_size = 2M
innodb_log_file_size = 128M
innodb_log_buffer_size = 8M
innodb_flush_log_at_trx_commit = 1
innodb_lock_wait_timeout = 50
Before doing this, back up your databases using mysqldump.
service mysqld stop
yum update (I usually update the entire system at the same time.)
service mysqld start
/usr/bin/mysql_upgrade (This script updates all of the mysql internal tables. It is not always needed but it is good to run after an update.)
I am building this from source. I realize the package comes with CentOS but I want to keep it up to date. If you build your own from source make sure yum doesn’t stomp on it.
gcc, gcc-c++, gd-devel
webalizer source from http://www.webalizer.org
GeoIP source from http://geolite.maxmind.com/download/geoip/api/c/GeoIP.tar.gz
tar zxvf GeoIP.tar.gz
cd into the directory created
make && make install
tar zxvf webalizer.tar.gz
cd into directory created
./configure --prefix=/usr/local/webalizer --sysconfdir=/usr/local/etc/webalizer --enable-geoip
make && make install
Setup ld properly
This step prevents this error “error while loading shared libraries: libGeoIP.so.1: cannot open shared object file: No such file or directory” when running webalizer.
vi geoip.conf (This can be named anything.conf)
add “/usr/local/lib” to the file and save it.
Update GeoIP database
Download from http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
mv GeoIP.dat /usr/local/share/GeoIP/GeoIP.dat
cp webalizer.conf.sample yourdomain.com.conf
vi yourdomain.com.conf and change the following lines
LogFile /var/log/httpd/yourdomain.com-access_log (point to your access_log file)
OutputDir /var/www/yourdomain.com/webalizer (point to where you want to serve your stats from. Usually some place under your web root. You might want to protect it with an htaccess file.)
/usr/local/webalizer/bin/webalizer -c /usr/local/etc/webalizer/yourdomain.com.conf
If it runs fine, add it to your crontab.