Difference between revisions of "CentOS VPS Server Setup Tips"

From PeTechWiki
Latest revision as of 11:22, 19 July 2015

Here are some tips I found useful for setting up virtual private servers with CentOS. See more pages in Category:Linux.

Installing Webmin

If you are using the RPM version of Webmin, first download the file from the downloads page, or run the command:

wget http://prdownloads.sourceforge.net/webadmin/webmin-1.580-1.noarch.rpm

and then run the command:

rpm -U webmin-1.580-1.noarch.rpm

The rest of the install is done automatically into the directory /usr/libexec/webmin, with the administration username set to root and the password set to your current root password. You should now be able to log in to Webmin at the URL http://localhost:10000/. If you are accessing it remotely, replace localhost with your system's IP address.

Reference: Webmin - Installing the RPM

Webmin Error: Perl module Authen::PAM needed for PAM is not installed

If you guys are getting this error in your Webmin log file /var/webmin/miniserv.error, here's how I solved the problem.

miniserv.pl started
Perl module Authen::PAM needed for PAM is not installed : Can't locate Authen/PAM.pm in @INC (@INC contains: /usr/libexec/webmin /usr/lib64/perl5/5.10.0/x86_64-linux-thread-multi /usr/lib/perl5/5.10.0 /usr/local/lib64/perl5/site_perl/5.10.0/x86_64-linux-thread-multi /usr/local/lib/perl5/site_perl/5.10.0 /usr/lib64/perl5/vendor_perl/5.10.0/x86_64-linux-thread-multi /usr/lib/perl5/vendor_perl/5.10.0 /usr/lib/perl5/vendor_perl /usr/local/lib/perl5/site_perl /usr/lib/perl5/site_perl .) at (eval 10) line 1.
BEGIN failed--compilation aborted at (eval 10) line 1.

First, go to http://nik.pelov.name/Authen-PAM/ and download the latest Authen::PAM. At the time of this writing, the latest one was Authen-PAM-0.16.

Log in as root.

cd /tmp
wget http://www.perl.com/CPAN/authors/id/N/NI/NIKIP/Authen-PAM-0.16.tar.gz

The next step is to extract the contents of Authen-PAM-0.16.tar.gz.

tar xvzf Authen-PAM-0.16.tar.gz

Then change into Authen-PAM-0.16, the directory created when you extracted Authen-PAM-0.16.tar.gz.

cd Authen-PAM-0.16

We’ll then generate a make file.
Note: You must have gcc and pam-devel installed to generate the make file. --Jeremy (talk) 22:41, 30 June 2012 (EDT)

perl Makefile.PL

If it returned no errors, proceed with the following commands.

make
make install

Everything should be in place now. To check that the module loads, run the following command.

perl -e 'use Authen::PAM; print "Installation successful.\n"'

After that restart Webmin.

service webmin restart

If you look at /var/webmin/miniserv.error, this is what you should see if everything worked:

restarting miniserv
Restarting
miniserv.pl started
PAM authentication enabled

Reference: http://rodoabad.joinpgn.com/2008/10/13/webmin-error-perl-module-authenpam-needed-for-pam-is-not-installed/

Set timezone using /etc/localtime configuration file

Often /etc/localtime is a symlink to the file localtime or to the correct time zone file in the system time zone directory.

Generic procedure to change timezone

Change directory to /etc

# cd /etc

Create a symlink to file localtime:

# ln -sf /usr/share/zoneinfo/EST localtime

Or, on distros that use the /usr/share/zoneinfo/dirname/zonefile format (Red Hat and friends):

# ln -sf /usr/share/zoneinfo/EST localtime

Or, if you want to set it to IST (Asia/Calcutta):

# ln -sf /usr/share/zoneinfo/Asia/Calcutta localtime

Note that in the above example you need to use the directory structure: to set the timezone to Calcutta (India), which is located in the Asia directory, you have to set it up as shown above.

Use date command to verify that your timezone is changed:

$ date

Output:

Tue Aug 27 14:46:08 EST 2006

Reference: Howto: Linux server change or setup the timezone


Creating a Swap File

  1. Determine the size of the new swap file in megabytes and multiply by 1024 to determine the number of blocks. For example, the block size of a 64 MB swap file is 65536.
  2. At a shell prompt as root, type the following command with count being equal to the desired block size:
    dd if=/dev/zero of=/swapfile bs=1024 count=65536
  3. Set up the swap file with the command:
    mkswap /swapfile
  4. To enable the swap file immediately but not automatically at boot time:
    swapon /swapfile
  5. To enable it at boot time, edit /etc/fstab to include the following entry:
    /swapfile swap swap defaults 0 0
    The next time the system boots, it enables the new swap file.
  6. After adding the new swap file and enabling it, verify it is enabled by viewing the output of the command
    cat /proc/swaps or free.

Reference: Creating a Swap File

iptables Setup

[root@vps1 ~]# iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  842 5263K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
   48  2952 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
30301 8344K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    7   364 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:20 
   13   676 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21 
 1231 64828 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 
    9   464 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443 
    6   240 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3306 
    1    48 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:465 
    0     0            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:587 
    0     0            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:143 
   62  3224 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:993 
  502 22432 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
Chain OUTPUT (policy ACCEPT 41521 packets, 36M bytes)
 pkts bytes target     prot opt in     out     source               destination      
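Note the two rows above with an empty target column (tcp dpt:587 and tcp dpt:143): a rule with no -j target still matches and counts packets but jumps nowhere, so those packets keep walking the chain and hit the final REJECT. The audit script below is an added example, not part of the original page; it parses a listing constructed from the page's INPUT chain output (OUTPUT chain omitted) and reports the policy, the ports that are really accepted, and the no-op rules.

```shell
#!/bin/sh
# Audit an `iptables -L -n -v` listing for rules that have no target.
# Added example, not from the original page. SAMPLE_LISTING is constructed
# from the page's INPUT chain output so the script runs offline.

SAMPLE_LISTING='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  842 5263K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   48  2952 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
30301 8344K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    7   364 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:20
   13   676 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21
 1231 64828 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
    9   464 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443
    6   240 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3306
    1    48 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:465
    0     0            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:587
    0     0            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:143
   62  3224 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:993
  502 22432 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# audit_listing: read a listing on stdin and emit one finding per line:
#   POLICY <chain> <policy>          ACCEPT <chain> <proto>/<port|any>
#   NOTARGET <chain> <proto>/<port>  TERMINAL <chain> <REJECT|DROP>
audit_listing() {
    awk '
    /^Chain / { chain = $2; print "POLICY", chain, $4; next }
    /^ *pkts +bytes/ || NF == 0 { next }
    {
        # With no target, the third column is the protocol, not a target name.
        if ($3 ~ /^(all|tcp|udp|icmp)$/) { target = ""; proto = $3 }
        else { target = $3; proto = $4 }
        port = "any"
        for (i = 1; i <= NF; i++) if ($i ~ /^dpt:/) { sub(/^dpt:/, "", $i); port = $i }
        if (target == "") print "NOTARGET", chain, proto "/" port
        else if (target == "ACCEPT") print "ACCEPT", chain, proto "/" port
        else if (target == "REJECT" || target == "DROP") print "TERMINAL", chain, target
    }'
}

# Wrappers that take the listing text as $1 and return a space-separated list.
input_policy()   { printf '%s\n' "$1" | audit_listing | awk '$1 == "POLICY" && $2 == "INPUT" { print $3 }'; }
accepted_ports() { printf '%s\n' "$1" | audit_listing | awk '$1 == "ACCEPT" && $2 == "INPUT" && $3 ~ /\/[0-9]+$/ { printf "%s%s", sep, $3; sep = " " }'; }
dead_rules()     { printf '%s\n' "$1" | audit_listing | awk '$1 == "NOTARGET" { printf "%s%s", sep, $3; sep = " " }'; }

echo "INPUT policy : $(input_policy "$SAMPLE_LISTING")"
echo "really open  : $(accepted_ports "$SAMPLE_LISTING")"
echo "no-op rules  : $(dead_rules "$SAMPLE_LISTING")"
```

On a live box, source the file and feed the real output with `iptables -L -n -v | audit_listing`; any NOTARGET line is a rule that needs a -j ACCEPT (or should be deleted) before it does what its author expected.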

References:
Bokko.nl » Iptables active and passive FTP in CentOS
25 Most Frequently Used Linux IPTables Rules Examples

restorecon command not found

Problem: Using iptables save results in the error restorecon command not found.
Solution: Install policycoreutils package.

yum install policycoreutils

Reference:
restorecon command not found

Extra Packages for Enterprise Linux (EPEL)

The EPEL repository provides additional packages that complement the default repository. To add the EL6 EPEL repository to yum, run the following command as root:

rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm

Reference: EPEL - FedoraProject

How to install mcrypt for PHP 5.3.3 on CentOS

Add the EPEL repository to yum as shown previously, and then run the following command as root:

yum install php53-mcrypt

Reference: How to install mcrypt for PHP 5.3.3 on CentOS 5.7 64 bit?

Sendmail Configuration

Mail Filtering

  • greet_pause
    To enable the feature, you need to make two changes. First, in your sendmail.mc file:
    FEATURE(access_db)dnl
    FEATURE(`greet_pause',5000)

    You probably already have access_db defined; it just needs to appear somewhere prior to greet_pause. The number is how many milliseconds to pause; 5000 = five seconds. Then in your access file you should add this:
    GreetPause:localhost 0
    The second change prevents the pause from applying to connections from your local machine, which would otherwise be annoying when you're sending mail. If you're doing this on a server which accepts mail from multiple machines, you'll want to do the same for the whole local network.
  • BAD_RCPT_THROTTLE
    To enable it, add the following code to your sendmail.mc file:
    define(`confBAD_RCPT_THROTTLE', `1')dnl
    The number is how many bad recipients it takes to trigger the throttle, so 1 is the strictest setting.
  • MAX_RCPTS_PER_MESSAGE
    define(`confMAX_RCPTS_PER_MESSAGE', `10')dnl
  • CONNECTION_RATE_THROTTLE
    define(`confCONNECTION_RATE_THROTTLE', `3')dnl
  • MAX_DAEMON_CHILDREN
    define(`confMAX_DAEMON_CHILDREN', `10')dnl
  • timeouts
    define(`confTO_ICONNECT', `15s')dnl
    define(`confTO_CONNECT', `3m')dnl
    define(`confTO_HELO', `2m')dnl
    define(`confTO_MAIL', `1m')dnl
    define(`confTO_RCPT', `1m')dnl
    define(`confTO_DATAINIT', `1m')dnl
    define(`confTO_DATABLOCK', `1m')dnl
    define(`confTO_DATAFINAL', `1m')dnl
    define(`confTO_RSET', `1m')dnl
    define(`confTO_QUIT', `1m')dnl
    define(`confTO_MISC', `1m')dnl
    define(`confTO_COMMAND', `1m')dnl
    define(`confTO_STARTTLS', `2m')dnl

Reference: Mail Filtering - Sendmail Config

Sendmail SMTP AUTH

Make sure to install cyrus-sasl-plain package:

yum install cyrus-sasl-plain

Installing denyhosts

denyhosts is not available in the repository, so download the latest version from sourceforge.

Reference: linux CentOS 6.2 - installation

VPN via the TUN/TAP device

If you are using an OpenVZ container, you will need to ask your provider to grant your container access to the tun/tap device.

Reference: VPN via the TUN/TAP device