Setting up DenyHosts in CentOS 6

DenyHosts is a Python script that scans the SSH log (/var/log/secure on CentOS) for repeated failed logins. When a source IP passes a configurable number of failures, DenyHosts writes an entry for it to /etc/hosts.deny, and TCP wrappers then refuse that host's connections to sshd. Keep in mind that hosts.deny only covers services built against libwrap (sshd on CentOS 6 is), so it complements a firewall rule rather than replacing one.

Installation

The package is in the EPEL repository, so enable EPEL first, then:

yum install denyhosts

Start it with service denyhosts start and make it persistent across reboots with chkconfig denyhosts on.

Configuration
If you have a static IP, or one that rarely changes, add it to /etc/hosts.allow so DenyHosts cannot lock you out after a few mistyped passwords. To find your external address, go to a site like whatismyip; it displays the IP you are connecting from. Then add a line such as sshd: 123.123.123.123 to /etc/hosts.allow, replacing 123.123.123.123 with the address shown. Entries in hosts.allow are checked before hosts.deny and win, so the host stays reachable even if DenyHosts later records it. DenyHosts also keeps its own never-block list, the allowed-hosts file in its working directory (/var/lib/denyhosts by default); listing the IP there as well stops it from being written to hosts.deny in the first place.

The DenyHosts config file is /etc/denyhosts/denyhosts.cfg and every setting is explained in the comments. The ones worth knowing are ADMIN_EMAIL (where the report mails go), the DENY_THRESHOLD_INVALID, DENY_THRESHOLD_VALID and DENY_THRESHOLD_ROOT failure counts for non-existent users, real users and root respectively, and PURGE_DENY, which decides whether old hosts.deny entries ever expire. I usually just leave it alone.
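To make concrete what DenyHosts is doing with the log, here is an added example of my own (it is not DenyHosts code and not from the original post): it counts sshd "Failed password" lines per source IP over a few constructed /var/log/secure lines, skips an allowlisted address the way a hosts.allow entry would, and prints the hosts.deny lines a threshold of 3 would produce. The log format is the stock CentOS 6 sshd one; the hostname and the 203.0.113.x / 198.51.100.x / 192.0.2.x addresses are made up, and the single DENY_THRESHOLD stands in for DenyHosts' three separate thresholds.

```sh
#!/bin/sh
# Added example, not DenyHosts itself: count sshd "Failed password" lines
# per source IP and emit the hosts.deny entries a threshold would produce.

# Constructed sample in /var/log/secure format (host and IPs are made up).
SAMPLE_LOG='Mar  1 10:00:01 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  1 10:00:03 web1 sshd[1203]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar  1 10:00:05 web1 sshd[1205]: Failed password for root from 203.0.113.7 port 51140 ssh2
Mar  1 10:00:09 web1 sshd[1207]: Failed password for deploy from 198.51.100.20 port 40000 ssh2
Mar  1 10:00:11 web1 sshd[1209]: Failed password for deploy from 198.51.100.20 port 40010 ssh2
Mar  1 10:00:13 web1 sshd[1211]: Failed password for deploy from 198.51.100.20 port 40020 ssh2
Mar  1 10:00:14 web1 sshd[1213]: Accepted publickey for deploy from 198.51.100.20 port 40030 ssh2
Mar  1 10:00:15 web1 sshd[1215]: Failed password for invalid user oracle from 192.0.2.33 port 33000 ssh2'

DENY_THRESHOLD=3          # one threshold here; DenyHosts has invalid/valid/root
ALLOWED="198.51.100.20"   # the admin's static IP, as listed in /etc/hosts.allow

# Read log lines on stdin and print "count ip" for every source of a failed
# password attempt, sorted by IP so the output is stable.
failed_by_ip() {
  awk '/sshd\[[0-9]+\]: Failed password for/ {
         for (i = 1; i <= NF; i++) if ($i == "from") c[$(i + 1)]++
       }
       END { for (ip in c) print c[ip], ip }' | sort -k2
}

# True if the IP is on the allowlist and must never be blocked.
is_allowed() {
  for a in $ALLOWED; do
    [ "$1" = "$a" ] && return 0
  done
  return 1
}

# Read log lines on stdin and print the hosts.deny lines that would be added.
# Allowlisted sources are skipped even when they exceed the threshold.
blocklist() {
  failed_by_ip | while read -r n ip; do
    if ! is_allowed "$ip" && [ "$n" -ge "$DENY_THRESHOLD" ]; then
      echo "sshd: $ip"
    fi
  done
}

# Stand-alone run over the sample. On a real host: blocklist < /var/log/secure
if [ "${1:-}" = "demo" ]; then
  printf '%s\n' "$SAMPLE_LOG" | failed_by_ip
  echo '--- would be added to /etc/hosts.deny:'
  printf '%s\n' "$SAMPLE_LOG" | blocklist
fi
```

Run it with `sh denyhosts-demo.sh demo`: both 203.0.113.7 and the admin's 198.51.100.20 have three failures, but only 203.0.113.7 is emitted, which is exactly why the hosts.allow line above matters.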

Setting up MySQL in CentOS

This setup is fairly basic and is for CentOS 6.

Packages

mysql, mysql-server

First time setup

Start the database: service mysqld start (and chkconfig mysqld on so it comes back after a reboot).

Run /usr/bin/mysql_secure_installation

This script walks you through the basic securing of MySQL: it sets the root password, removes the anonymous accounts, disallows root logins from remote hosts, drops the test database and reloads the privilege tables. Answer yes to each; the defaults are fine here.

Hardware

This part is for users who want to run MySQL on a separate disk from the OS. You will need to have created a filesystem and mounted it somewhere on the system to do this; I mount my MySQL partition at /mysql1, for example. I'm not including partitioning or filesystem creation here because you really should know that if you are reading and doing this. I realize my.cnf can be changed to point to the new location, but it's easier to just use a symlink from the default location. One thing the symlink does not take care of is SELinux: if it is enforcing, the files under the new mount need the mysqld_db_t label (semanage fcontext -a -t mysqld_db_t "/mysql1/mysql(/.*)?" followed by restorecon -R /mysql1/mysql), or mysqld will fail to start with permission errors in /var/log/mysqld.log.

Stop the database: service mysqld stop

Now copy all the files from the default location, /var/lib/mysql, to the new mount point. Run find from inside the data directory so cpio sees relative paths; fed an absolute path it would recreate /mysql1/mysql/var/lib/mysql instead of putting the files directly under /mysql1/mysql. Do this as root so cpio preserves the mysql:mysql ownership, and check with ls -l /mysql1/mysql afterwards.

mkdir -p /mysql1/mysql

cd /var/lib/mysql

find . -print | cpio -pdvm /mysql1/mysql

Move the old files aside in case something breaks.

cd /var/lib

mv mysql mysql.os

Now create a symlink from the old path to the new location.

cd /var/lib

ln -s /mysql1/mysql mysql

service mysqld start

If it does not come up, /var/log/mysqld.log will say why; permission denied errors on the new path usually mean ownership was lost in the copy or SELinux is enforcing without the right label on /mysql1/mysql.
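The steps above as one script, with the checks I would want around them. This is an added example, not from the original post: it copies with relative paths, compares the two trees before anything at the old path is touched, and only then swaps the symlink in. The paths /var/lib/mysql and /mysql1/mysql are the ones used above and can be overridden through SRC and DST; only the "run" mode stops and starts mysqld and applies the SELinux label, so the functions can be tried on scratch directories first.

```sh
#!/bin/sh
# Added example: relocate a MySQL data directory onto another filesystem and
# leave a symlink at the old path. The functions work on any two directories;
# "run" mode applies them to the real datadir (as root, with mysqld stopped).
SRC=${SRC:-/var/lib/mysql}
DST=${DST:-/mysql1/mysql}

# Copy the tree with cpio in copy-pass mode, preserving mode and mtime (-m)
# and, when run as root, ownership. find runs inside the source so the paths
# are relative: an absolute `find /var/lib/mysql` would recreate
# /mysql1/mysql/var/lib/mysql instead of /mysql1/mysql/ibdata1.
copy_tree() {
  mkdir -p "$2" || return 1
  if command -v cpio >/dev/null 2>&1; then
    (cd "$1" && find . -print | cpio -pdm "$2" 2>/dev/null)
  else
    cp -a "$1/." "$2/"      # fallback for hosts without cpio
  fi
}

# Byte-for-byte comparison of the two trees; non-zero on any difference.
verify_copy() {
  diff -r "$1" "$2" >/dev/null
}

# Keep the original as a fallback (renamed .os, as above) and point the old
# path at the new location.
swap_in_symlink() {
  mv "$1" "$1.os" && ln -s "$2" "$1"
}

# Copy, verify, swap. The old path is left alone until the copy is proven
# identical, so a failed copy costs nothing but disk space.
relocate_datadir() {
  copy_tree "$1" "$2" || { echo "copy failed" >&2; return 1; }
  verify_copy "$1" "$2" || { echo "copy differs from source, not swapping" >&2; return 1; }
  swap_in_symlink "$1" "$2"
}

if [ "${1:-}" = "run" ]; then
  service mysqld stop || exit 1
  relocate_datadir "$SRC" "$DST" || exit 1
  # With SELinux enforcing, mysqld may only open files labelled mysqld_db_t.
  if command -v semanage >/dev/null 2>&1; then
    semanage fcontext -a -t mysqld_db_t "$DST(/.*)?"
    restorecon -R "$DST"
  fi
  service mysqld start
fi
```

On the server the whole procedure is `sh relocate-datadir.sh run`; to rehearse it first, `SRC=/tmp/a DST=/tmp/b sh -c '. ./relocate-datadir.sh; relocate_datadir "$SRC" "$DST"'` against a throwaway copy of the data.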

Configuration

I'm not going to put specifics here. Configuring MySQL depends a lot on your hardware and how large your database is. I set mine up to use InnoDB. For a small database I set up a single data file set to autoextend; for a larger database I use the file-per-table setting. Most other settings depend on how much RAM you want to give MySQL. On my server I have it set up to use about 1GB of RAM. Typically MySQL will use less than what you configure it for if it doesn't need it.

/etc/my.cnf

This is an example of my MySQL config file. My database is about 1GB in size, and the server has a lot of RAM, so I give MySQL a decent amount to use. If only applications on this host talk to the database, also add bind-address=127.0.0.1 under [mysqld] so mysqld does not listen on the network at all.

[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
user=mysql

# General buffers, kept small because the data is InnoDB. key_buffer and
# table_cache are the old spellings; newer servers want key_buffer_size and
# table_open_cache (MySQL 5.1 on CentOS 6 accepts both).
key_buffer = 16M
max_allowed_packet = 1M
table_cache = 64
sort_buffer_size = 512K
read_buffer_size = 256K
read_rnd_buffer_size = 512K

# One shared tablespace that grows as needed. Set this on a fresh install:
# if an ibdata1 of a different size already exists, InnoDB refuses to start.
innodb_data_file_path = ibdata1:4096M:autoextend
innodb_buffer_pool_size = 512M
innodb_additional_mem_pool_size = 2M
# Changing the log file size on an existing install also means removing the
# old ib_logfile0/ib_logfile1 after a clean shutdown, or InnoDB will not start.
innodb_log_file_size = 128M
innodb_log_buffer_size = 8M
# 1 = flush the log to disk at every commit; slower, but no committed
# transaction is lost on a crash.
innodb_flush_log_at_trx_commit = 1
innodb_lock_wait_timeout = 50

 

Upgrading

Before doing this, back up your databases with mysqldump (for example mysqldump --all-databases -u root -p > /root/mysql-all.sql) and check that the file is not empty.

service mysqld stop

yum update (I usually update the entire system at the same time.)

service mysqld start

/usr/bin/mysql_upgrade -u root -p. This script checks every table and brings the internal mysql.* system tables up to the new version's layout. It is not always needed, but it is safe to run after any update, and a version jump (5.1 to 5.5, say) requires it.

Setting up webalizer in centos 6

I am building this from source. I realize the package comes with CentOS, but I want to keep it up to date. If you build your own from source, make sure yum doesn't stomp on it: uninstall the distro webalizer RPM if it is present (it also drops a daily cron job in /etc/cron.daily), or add exclude=webalizer to /etc/yum.conf. Installing under /usr/local/webalizer, as below, keeps the two from colliding on disk.

Packages needed

gcc, gcc-c++, gd-devel

Download

webalizer source from http://www.webalizer.org

GeoIP source from http://geolite.maxmind.com/download/geoip/api/c/GeoIP.tar.gz

Compile

tar zxvf GeoIP.tar.gz

cd into the directory created

./configure

make && make install

tar zxvf webalizer.tar.gz

cd into the directory created

./configure --prefix=/usr/local/webalizer --sysconfdir=/usr/local/etc/webalizer --enable-geoip

make && make install

Setup ld properly

This step prevents the error "error while loading shared libraries: libGeoIP.so.1: cannot open shared object file: No such file or directory" when running webalizer: libGeoIP was installed under /usr/local/lib, which the dynamic linker does not search by default on CentOS.

cd /etc/ld.so.conf.d

vi geoip.conf (this can be named anything.conf)

Add "/usr/local/lib" to the file and save it.

Run ldconfig, then confirm with ldconfig -p | grep GeoIP that libGeoIP.so.1 is listed.

Update GeoIP database

Download from http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz

gunzip GeoIP.dat.gz

mv GeoIP.dat /usr/local/share/GeoIP/GeoIP.dat

Configure webalizer

cd /usr/local/etc/webalizer

cp webalizer.conf.sample yourdomain.com.conf

vi yourdomain.com.conf and change the following lines:

LogFile /var/log/httpd/yourdomain.com-access_log (point this at your access_log file)

OutputDir /var/www/yourdomain.com/webalizer (point this at where you want to serve your stats from, usually somewhere under your web root). The reports list the URLs hit, referrers and visiting IPs, which is more than you want strangers reading, so protect the directory with HTTP auth via an .htaccess file or keep it outside the document root.

HostName       yourdomain.com

GeoIP yes

GeoIPDatabase /usr/local/share/GeoIP/GeoIP.dat

Run webalizer

/usr/local/webalizer/bin/webalizer -c /usr/local/etc/webalizer/yourdomain.com.conf

If it runs fine, add it to your crontab. The job needs read access to the access_log and write access to the OutputDir, so pick the user it runs as accordingly.
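One way to do the .htaccess protection mentioned above, as an added example of my own rather than anything from the webalizer project or the original post. The directory names are the placeholders used above; the htpasswd file path is an assumption. The function refuses to write the .htaccess if the password file would sit inside the directory being served, since Apache would then serve the hash file alongside the stats.

```sh
#!/bin/sh
# Added example: put the webalizer OutputDir behind HTTP basic auth.
# OUTDIR is the OutputDir from yourdomain.com.conf; AUTHFILE is the htpasswd
# file, which must live outside anything Apache serves. Both are placeholders.

# Canonical absolute path of an existing directory (symlinks resolved), so
# the containment check below cannot be fooled by a link into the web root.
canon_dir() { (cd "$1" 2>/dev/null && pwd -P); }

# True only when the htpasswd file's directory is not inside the output dir.
authfile_outside_docroot() {
  out=$(canon_dir "$1") || return 1
  dir=$(canon_dir "$(dirname "$2")") || return 1
  case "$dir/" in
    "$out"/*) return 1 ;;
  esac
  return 0
}

# Write an .htaccess requiring a valid user. Apache only honours it when the
# directory has AllowOverride AuthConfig (or All) in httpd.conf; with
# AllowOverride None the file is silently ignored and the stats stay open.
write_htaccess() {
  outdir=$1; authfile=$2
  authfile_outside_docroot "$outdir" "$authfile" || {
    echo "refusing: $authfile would be inside $outdir" >&2
    return 1
  }
  cat > "$outdir/.htaccess" <<EOF
AuthType Basic
AuthName "Web statistics"
AuthUserFile $authfile
Require valid-user
EOF
}

# Usage on the server (htpasswd -c creates the file; drop -c for later users):
#   htpasswd -c /usr/local/etc/webalizer/htpasswd statsadmin
#   write_htaccess /var/www/yourdomain.com/webalizer /usr/local/etc/webalizer/htpasswd
```

Once it is in place, a cron entry such as `5 0 * * * /usr/local/webalizer/bin/webalizer -c /usr/local/etc/webalizer/yourdomain.com.conf` keeps the report current, and the OutputDir only answers to accounts in the htpasswd file.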


Setting up CentOS for Minecraft

Working on updating this post.
Get CentOS here.
Install CentOS; I usually do the basic server install and add packages from there. Once the install is done, run yum update so all packages are current.

RPMforge setup

Optional packages to add
If you want plugins to store info in a database: mysql mysql-server (the client programs are in the mysql package).
Security related: rkhunter, denyhosts

Add users

Add a user to run minecraft:
    useradd -c "Minecraft" -s /bin/bash -d /home/minecraft -m -g users minecraft
Add a user for yourself:
    useradd -c "Your name" -s /bin/bash -d /home/username -m -g users username
Set a password for each user you added: passwd username. The minecraft account only needs one if you intend to log in as it directly; otherwise leave it locked (useradd creates it that way) and switch to it with su from your own account.

Secure things
Some stuff I do here is actually making the server less secure. I run mine behind a firewall on a trusted network. If you aren't behind a firewall or your network isn't trusted, do not disable SELinux or iptables.
/etc/ssh/sshd_config
Changes to make (some of these may already be in place):
Protocol 2
PermitRootLogin no
Banner /etc/banners/sshd
Optional change:
This makes it so only the listed users can log in over ssh; everyone else is refused even with a valid password.
AllowUsers username1 username2 username3 …
sshd uses the first uncommented occurrence of a keyword and ignores later ones, so check that no earlier line already sets PermitRootLogin yes.
/etc/banners/sshd
Add a message here telling people to go away.
Check the file parses (sshd -t prints nothing when it is fine), then restart ssh: /etc/init.d/sshd restart. Keep your current session open and test a fresh login before closing it, in case AllowUsers locked you out.
/etc/selinux/config
Changes to make:
SELINUX=disabled
Disable iptables if you know you don't need a firewall. If you need iptables, make sure you know how to configure it; you will need to open the server port (25565/tcp by default) and keep 22/tcp for ssh.
chkconfig --levels 2345 iptables off
chkconfig --levels 2345 ip6tables off
These only stop the firewall coming back at boot; service iptables stop and service ip6tables stop turn it off now.
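Before restarting sshd it is worth checking that the sshd_config edits above actually took, since a duplicate or commented line is easy to miss. The script below is an added example of mine (not from the original post): it reads the effective value of each keyword the way sshd does, first uncommented occurrence wins and nothing after a Match block counts, and reports anything that does not meet the settings listed above. The two configs in it are constructed samples, not real server files.

```sh
#!/bin/sh
# Added example: audit an sshd_config for the settings above before the restart.
# BAD_SAMPLE and GOOD_SAMPLE are constructed; the real file is /etc/ssh/sshd_config.

BAD_SAMPLE='# Protocol 2
PermitRootLogin yes
PermitRootLogin no
AllowUsers deploy'

GOOD_SAMPLE='Protocol 2
PermitRootLogin no
Banner /etc/banners/sshd
AllowUsers username1 username2'

# Effective value of one keyword in a config file. sshd takes the first
# uncommented occurrence (later duplicates are ignored), matches keywords
# case-insensitively, and anything after a Match block is conditional, so
# scanning stops there. Prints nothing when the keyword is unset.
sshd_setting() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    NF == 0 || $1 ~ /^#/   { next }
    tolower($1) == "match" { exit }
    tolower($1) == key     { $1 = ""; sub(/^ +/, ""); print; exit }
  ' "$1"
}

# Print one line per problem; return 0 only when the file is clean.
audit_sshd_config() {
  f=$1; rc=0
  case "$(sshd_setting "$f" PermitRootLogin | tr 'A-Z' 'a-z')" in
    no) ;;
    '') echo "PermitRootLogin unset: the default allows root logins"; rc=1 ;;
    *)  echo "PermitRootLogin is not 'no'"; rc=1 ;;
  esac
  case "$(sshd_setting "$f" Protocol)" in
    2) ;;
    *) echo "Protocol is not 2"; rc=1 ;;
  esac
  [ -n "$(sshd_setting "$f" AllowUsers)" ] ||
    echo "note: no AllowUsers line, every local account may log in"
  return $rc
}

# Same audit over config text held in a variable (used for the samples).
audit_sshd_text() {
  t=$(mktemp) || return 1
  printf '%s\n' "$1" > "$t"
  audit_sshd_config "$t"; rc=$?
  rm -f "$t"
  return $rc
}

# Stand-alone run over the samples; on a real host use
#   audit_sshd_config /etc/ssh/sshd_config && sshd -t && service sshd restart
if [ "${1:-}" = "demo" ]; then
  echo "== bad sample";  audit_sshd_text "$BAD_SAMPLE"  && echo clean
  echo "== good sample"; audit_sshd_text "$GOOD_SAMPLE" && echo clean
fi
```

The bad sample shows the trap: the `PermitRootLogin no` line is there, but the `yes` above it is what sshd applies, and the `Protocol 2` is commented out.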

Install java
From what I have read online, Java 7 is recommended for the server. I believe Oracle recommends using OpenJDK on Linux, so my choice can be debated. I haven't had any problems yet. Make sure you keep up to date with the current release, though.
Download java 7 here.
Download the JRE; most people don't need the JDK. Make sure you select the correct version for your system (you should be using 64-bit) and pick the rpm version.

rpm -ivh jre-7u3-linux-x64.rpm

To update java:
yum list installed | grep jre
should list something like this
jre.x86_64 1.7.0_03-fcs installed
yum remove jre.x86_64
Then run the rpm install command again for the new version.

Setup minecraft startup script and ramdisk
My script.

Controlling the server
startup server
/etc/init.d/minecraft start

stop server
You can set a delay for this so users have time to logout.
/etc/init.d/minecraft stop

restart server
/etc/init.d/minecraft restart

backup server
/etc/init.d/minecraft backup

send a message to the console
The message will appear to all users in game. Useful for messages you repeat throughout the day.
/etc/init.d/minecraft sndmsg ‘Your message here.’

Maintenance tasks
Configure server backups. I have two cron jobs set up to run backups.
The first runs every 5 minutes and syncs the ramdisk copy to the disk copy. The second runs four times a day and creates an archive from the disk copy. I also have a shell script to clean out old backup copies. I will update this once I post that script.
20 */6 * * * /etc/init.d/minecraft backup >/dev/null 2>&1
*/5 * * * * /etc/init.d/minecraft disksaverun >/dev/null 2>&1

Optional stuff
Mysql
rkhunter
denyhosts