centosセットアップ自分用メモ
※ centos8のセットアップはこちら
# Base system settings: Japanese UTF-8 locale, JST, and SELinux mode.
localectl set-locale LANG=ja_JP.UTF-8
timedatectl set-timezone Asia/Tokyo

# Put SELinux in permissive mode for this boot, then edit the persistent
# setting (contents shown in the next snippet).
# NOTE(review): turning SELinux off removes the mandatory-access-control
# layer that would otherwise confine httpd, vsftpd, dovecot and sendmail on
# this host. SELINUX=permissive (log, don't block) plus audit2allow for the
# real denials is the safer end state than SELINUX=disabled.
setenforce 0
vi /etc/selinux/config
SELINUX=disabled
# FQDN of the box, then the TCP-wrappers allowlist (contents follow).
hostnamectl set-hostname systemexpress.systemexpress.co.jp
vi /etc/hosts.allow
sshd:192.168.1. 18.97.9.172 vsftpd:192.168.1. 18.97.9.172
vi /etc/hosts.deny
sshd:all vsftpd:all
# Accounts: webmaster owns the web content and cannot log in interactively
# (nologin shell); yukawa is the single admin login, with webmaster as
# primary group so files he creates are group-owned by webmaster.
# Both passwd calls prompt for the new password interactively.
useradd -m -s /sbin/nologin webmaster
useradd -m -g webmaster yukawa
passwd yukawa
passwd root

# SSH hardening (contents follow).
vi /etc/ssh/sshd_config
PermitRootLogin no AllowUsers yukawa
yum -y update yum -y install yum-cron systemctl enable yum-cron
cd /etc/pki/tls/certs openssl genrsa -des3 -out server.key 2048 (適当なパスワードを2回入力) openssl rsa -in server.key -out server.key (上で入力したパスワードを入力) chmod 400 server.key
yum -y install crontabs systemctl enable crond
postfix stop yum -y remove postfix rm -rf /usr/libexec/postfix rm -rf /etc/postfix rm -rf /usr/sbin/post* mv /usr/lib/sendmail.OFF /usr/lib/sendmail
yum -y install sendmail sendmail-devel sendmail-cf vi /etc/mail/sendmail.mc
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl define(`confCACERT_PATH',`/etc/pki/tls/certs')dnl define(`confCACERT',`/etc/pki/tls/certs/ca-bundle.crt')dnl define(`confSERVER_CERT',`/etc/pki/tls/certs/sendmail.pem')dnl define(`confSERVER_KEY',`/etc/pki/tls/certs/sendmail.pem')dnl dnl FEATURE(`smrsh', `/usr/sbin/smrsh')dnl DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
vi /etc/mail/local-host-names
localhost localhost.localdomain systemexpress.co.jp
vi /etc/mail/virtusertable
@systemexpress.co.jp info-systemexpress.co.jp @systemexpresssystemexpress.co.jp info-systemexpress.co.jp
m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf cd /etc/pki/tls/certs/ openssl req -new -x509 -days 3650 -key server.key -out sendmail.crt -sha256 cat server.key sendmail.crt > sendmail.pem chmod 400 sendmail.* systemctl enable sendmail
yum -y install cyrus-sasl yum -y install cyrus-sasl-plain yum -y install cyrus-sasl-md5 systemctl enable saslauthd
yum -y install dovecot vi /etc/dovecot/dovecot.conf
protocols = imap pop3
vi /etc/dovecot/conf.d/10-mail.conf
mail_location = maildir:~/Maildir
vi /etc/dovecot/conf.d/10-auth.conf
disable_plaintext_auth = no
vi /etc/dovecot/conf.d/10-ssl.conf
ssl = yes ssl_cert = </etc/pki/tls/certs/mail.crt ssl_key = </etc/pki/tls/certs/server.key
cd /etc/pki/tls/certs/ openssl req -new -x509 -days 3650 -key server.key -out mail.crt -sha256 cat server.key mail.crt > mail.pem chmod 400 mail.* systemctl enable dovecot
yum -y install procmail vi /etc/procmailrc
PATH=/bin:/usr/bin:/usr/local/bin MAILDIR=$HOME/Maildir/ VERBOSE=off LOCKFILE=$HOME/.lockmail FORMAIL=/usr/bin/formail NSLOOKUP=/usr/sbin/nslookup DEFAULT=$MAILDIR
mkdir -p /etc/skel/Maildir/{cur,new,tmp} chmod -R 700 /etc/skel/Maildir/ vi /etc/logrotate.d/procmail
/home/*/Maildir/procmail.log { missingok nocreate notifempty }
yum -y install vsftpd vi /etc/vsftpd/vsftpd.conf
anonymous_enable=NO ascii_upload_enable=YES ascii_download_enable=YES pam_service_name=vsftpd userlist_enable=YES userlist_deny=NO chroot_local_user=YES chroot_list_enable=YES chroot_list_file=/etc/vsftpd/chroot_list force_dot_files=YES tcp_wrappers=YES use_localtime=YES user_config_dir=/etc/vsftpd/user_conf guest_enable=YES guest_username=webmaster virtual_use_local_privs=YES pasv_enable=YES pasv_addr_resolve=YES #pasv_address= pasv_min_port=4000 pasv_max_port=4029 ssl_enable=YES rsa_cert_file=/etc/pki/tls/certs/ftp.pem force_local_logins_ssl=NO force_local_data_ssl=NO seccomp_sandbox=NO allow_writeable_chroot=YES
vi /etc/vsftpd/chroot_list
(中身は空でよい。chroot_local_user=YES のとき、このファイルは chroot「しない」例外ユーザーの一覧になるため、全員を chroot するなら空のままにする)
# Web docroot (also the FTP chroot for yukawa), then the FTP allowlist
# (contents follow).
mkdir -p /var/www/html
vi /etc/vsftpd/user_list
yukawa
mkdir /etc/vsftpd/user_conf vi /etc/vsftpd/user_conf/yukawa
local_root=/var/www/html
cd /etc/pki/tls/certs/ openssl req -new -x509 -days 3650 -key server.key -out ftp.crt -sha256 cat server.key ftp.crt > ftp.pem chmod 400 ftp.* systemctl enable vsftpd
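# Replace MariaDB's client libraries with MySQL 5.7 from the official repo.
# WARNING: `rm -rf /var/lib/mysql/` destroys any existing databases -- only
# appropriate on a fresh host.
yum -y remove mariadb-libs
rm -rf /var/lib/mysql/
# Fix: the original fetched both the signing key and the release rpm over
# plain http, so anyone on the path could substitute a key of their choosing
# plus a matching rpm and the signature check would pass. Use https for both.
# (The key is scraped from an HTML doc page; the release rpm also installs
# it under /etc/pki/rpm-gpg/ for yum's gpgcheck of the repo itself.)
# NOTE(review): MySQL 5.7 reached end of life in 2023; a supported release
# line is the better target for a new install.
rpm --import https://dev.mysql.com/doc/refman/5.7/en/checking-gpg-signature.html
rpm -ihv https://dev.mysql.com/get/mysql57-community-release-el7-7.noarch.rpm
yum --disablerepo=\* --enablerepo='mysql57-community*' list available
yum --enablerepo='mysql57-community*' install -y mysql-community-server
systemctl start mysqld
systemctl enable mysqld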
vi /var/log/mysqld.log
(「A temporary password is generated for root@localhost:」の行で初期 root パスワードを確認し、次の mysql_secure_installation で変更する)
mysql_secure_installation
vi /etc/my.cnf
[mysqld] character-set-server=utf8 sql_mode=NO_ENGINE_SUBSTITUTION skip-character-set-client-handshake default_storage_engine=InnoDB
yum -y install httpd vi /etc/httpd/conf/httpd.conf
#CustomLog logs/access_log combined AllowOverride All (<Directory "/var/www/html">の中) ServerName systemexpress.systemexpress.co.jp DirectoryIndex index.php index.html AddType application/x-httpd-php .php SetEnvIf Request_URI "\.(gif|jpg|jpeg|png|css|js|txt|ico)$" no_log RedirectMatch 404 /favicon.ico RedirectMatch 404 /apple-touch-icon* RedirectMatch 404 /browserconfig.xml NameVirtualHost *:80 <VirtualHost *:80> DocumentRoot /var/www/html/systemexpress.co.jp/www ServerName www.systemexpress.co.jp ServerAlias systemexpress.co.jp ErrorLog logs/www.systemexpress.co.jp-error_log CustomLog logs/www.systemexpress.co.jp-access_log common env=!no_log </VirtualHost> <VirtualHost *:80> DocumentRoot /var/www/html/systemexpress.co.jp/admin ServerName admin.systemexpress.co.jp ErrorLog logs/admin.systemexpress.co.jp-error_log CustomLog logs/admin.systemexpress.co.jp-access_log common env=!no_log </VirtualHost>
vi /etc/mail/trusted-users
apache webmaster
cd /etc/pki/tls/certs/ openssl req -new -x509 -days 3650 -key server.key -out server.crt -sha256 chmod 400 server.crt yum -y install mod_ssl vi /etc/httpd/conf.d/ssl.conf
DocumentRoot "/var/www/html/systemexpress.co.jp/admin" ServerName admin.systemexpress.co.jp:443 SSLCertificateFile /etc/pki/tls/certs/server.crt SSLCertificateKeyFile /etc/pki/tls/certs/server.key
# Docroots for both vhosts; the whole tree belongs to webmaster, the account
# every FTP upload runs as (guest_username), so httpd reads what FTP writes.
mkdir -p /var/www/html/systemexpress.co.jp/www /var/www/html/systemexpress.co.jp/admin
chown -R webmaster:webmaster /var/www/html
systemctl enable httpd
yum -y install epel-release rpm -Uvh http://rpms.famillecollet.com/enterprise/remi-release-7.rpm yum -y install --enablerepo=remi,remi-php71 php php-mbstring php-mysqlnd php-gd php-imap vi /etc/php.ini
short_open_tag = On max_execution_time = 300 display_errors = On upload_max_filesize = 20M date.timezone = "Asia/Tokyo" mbstring.language = Japanese mbstring.internal_encoding = UTF-8 mbstring.http_input = pass mbstring.http_output = pass mbstring.encoding_translation = On mbstring.detect_order = auto mbstring.substitute_character = none
yum -y install http://www.webmin.com/download/rpm/webmin-current.rpm systemctl enable webmin
firewall-cmd --permanent --zone=public --add-service=ftp firewall-cmd --permanent --zone=public --add-service=http firewall-cmd --permanent --zone=public --add-service=https firewall-cmd --permanent --zone=public --add-service=imap firewall-cmd --permanent --zone=public --add-service=imaps firewall-cmd --permanent --zone=public --add-service=pop3 firewall-cmd --permanent --zone=public --add-service=pop3s firewall-cmd --permanent --zone=public --add-service=smtp firewall-cmd --permanent --zone=public --add-service=smtps firewall-cmd --permanent --zone=public --add-port=587/tcp firewall-cmd --permanent --zone=public --add-port=4000-4029/tcp # 自宅のIPからのみwebminへの接続を許可 firewall-cmd --permanent --zone=public --add-rich-rule="rule family=ipv4 source address=160.16.199.20 port port=10000 protocol=tcp accept" firewall-cmd --permanent --zone=public --add-rich-rule="rule family=ipv4 source address=153.126.148.172 port port=10000 protocol=tcp accept" firewall-cmd --reload
Copyright(C) systemexpress.co.jp All Rights Reserved. Author Takayuki Yukawa