Thursday, July 23, 2020

Install LAMP Server (Apache, MySQL, PHP) on CentOS 7

LAMP is a combination of an operating system and an open-source software stack. The acronym LAMP is derived from the first letters of Linux, Apache HTTP Server, MySQL/MariaDB database, and PHP/Perl/Python.

My test box hostname and IP address are localhost.local.com and 192.168.1.62 respectively.

Install Apache

Apache is an open-source multi-platform web server. It provides a full range of web server features including CGI, SSL and virtual domains.

The following commands should be run with root user privileges.

To install Apache, enter the following command in your terminal:

yum install httpd -y

Start the Apache service and make it start automatically on every reboot:

systemctl start httpd

systemctl enable httpd

If you’re behind a firewall or router, allow the Apache server through it in case you want to access it from remote systems. To do that, enter the following commands in your terminal:

firewall-cmd --permanent --add-service=http

systemctl restart firewalld

Test Apache

Open your web browser and navigate to http://localhost/ or http://server-ip-address/.

The steps below cover both MariaDB and MySQL server, so either can be installed.

Install MariaDB

MariaDB is a drop-in replacement for MySQL. It is a robust, scalable and reliable SQL server that comes with a rich set of enhancements.

Now, start installing MariaDB as shown below:

yum install mariadb-server mariadb -y

Start the MariaDB service and make it start automatically on every reboot:

systemctl start mariadb

systemctl enable mariadb

Set MySQL root password

By default, the MySQL root password is empty. To prevent unauthorized access to MySQL, let us set a root user password. Enter the following command to set up the MySQL root user password:

mysql_secure_installation

/usr/bin/mysql_secure_installation: line 379: find_mysql_client: command not found


NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB

      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current

password for the root user.  If you've just installed MariaDB, and

you haven't set the root password yet, the password will be blank,

so you should just press enter here.

Enter current password for root (enter for none):

OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB

root user without the proper authorisation.

Set root password? [Y/n] y ## Enter Y and press Enter

New password:   ## Enter new password

Re-enter new password:  ## Enter password again

Password updated successfully!

Reloading privilege tables..

 ... Success!

By default, a MariaDB installation has an anonymous user, allowing anyone

to log into MariaDB without having to have a user account created for

them.  This is intended only for testing, and to make the installation

go a bit smoother.  You should remove them before moving into a

production environment.

Remove anonymous users? [Y/n] y  ## Enter Y and press Enter

 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This

ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] y  ## Enter Y and press Enter

 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can

access.  This is also intended only for testing, and should be removed

before moving into a production environment.

Remove test database and access to it? [Y/n] y  ## Enter Y and press Enter

 - Dropping test database...

 ... Success!

 - Removing privileges on test database...

 ... Success!

Reloading the privilege tables will ensure that all changes made so far

will take effect immediately.

Reload privilege tables now? [Y/n] y  ## Enter Y and press Enter

 ... Success!

Cleaning up...
 
All done!  If you've completed all of the above steps, your MariaDB

installation should now be secure.

Thanks for using MariaDB!
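
The account states those prompts clear can be checked afterwards. The following is an added example, not part of the original post: a shell helper that reads mysql.user rows and reports anonymous accounts, root entries for non-local hosts, and empty passwords. The function name and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): flag the account states that
# mysql_secure_installation is meant to clear. Feed it tab-separated rows from
#   mysql -u root -p -N -B -e "SELECT user, host, password FROM mysql.user"
# The "password" column matches MariaDB 5.5 / MySQL 5.6; MySQL 5.7 stores the
# hash in authentication_string instead.

audit_mysql_users() {   # hypothetical helper name; reads rows on stdin
    awk -F'\t' '
        $1 == "" { print "ANON_USER host=" $2 }
        $1 == "root" && $2 != "localhost" && $2 != "127.0.0.1" &&
            $2 != "::1" { print "REMOTE_ROOT host=" $2 }
        $1 != "" && $3 == "" { print "EMPTY_PASSWORD " $1 "@" $2 }
    '
}

# Constructed rows resembling a fresh install on the post's test host.
sample_fresh_install() {
    printf 'root\tlocalhost\t\n'
    printf 'root\tlocalhost.local.com\t\n'
    printf '\tlocalhost\t\n'
}

# Constructed rows after answering Y to every prompt (placeholder hash).
sample_after_hardening() {
    printf 'root\tlocalhost\t*CONSTRUCTED_HASH\n'
    printf 'root\t127.0.0.1\t*CONSTRUCTED_HASH\n'
    printf 'root\t::1\t*CONSTRUCTED_HASH\n'
}

echo "fresh install:";   sample_fresh_install   | audit_mysql_users
echo "after hardening:"; sample_after_hardening | audit_mysql_users
```

An empty report after hardening means none of the three conditions remain in the rows supplied.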

How to install MySQL Server 5.6 on CentOS 7

In CentOS 7 / RHEL 7, MariaDB was introduced as the default database. Many organisations and companies would still like to continue with MySQL, although a system admin who earlier worked on MySQL can easily work on MariaDB. MariaDB is a community-developed fork of the MySQL relational database management system.

Install MySQL Server 5.6 on CentOS 7 / RHEL 7
Follow the steps given below to install MySQL Server 5.6.
You must be logged in to the system as the root user.

Download the Yum Repo package of MySQL Server 5.6
Download the rpm package, which will create a yum repo file for MySQL Server installation.

yum install wget
wget http://repo.mysql.com/mysql-community-release-el7-5.noarch.rpm
 wget http://dev.mysql.com/get/mysql57-community-release-el7-7.noarch.rpm
Install mysql-community-release-el7-5.noarch.rpm package
Install the downloaded rpm package using the rpm command.

rpm -ivh mysql-community-release-el7-5.noarch.rpm
After this package is installed, we get two new yum repo files related to MySQL:

[root@localhost ~]# ls -1 /etc/yum.repos.d/mysql-community*
 /etc/yum.repos.d/mysql-community.repo
 /etc/yum.repos.d/mysql-community-source.repo
Installing MySQL Server
Using the yum command, we will now install MySQL Server 5.6. All dependencies will be installed automatically.

yum install mysql-server
How to start/stop/restart MySQL Server
Now MySQL Server is installed on your system.

To start the MySQL service, run:

systemctl start mysqld
To stop the MySQL service, run:

systemctl stop mysqld
To restart the MySQL service, run:

systemctl restart mysqld
To get the status of the MySQL service, run:

systemctl status mysqld
Reset MySQL root password
On a fresh installation of MySQL Server, the MySQL root user password is blank.
As good security practice, we should reset the password of the MySQL root user.

On a newly installed MySQL Server, we generally recommend using the command script. You just have to follow the instructions.

root/pass4mysql

 If MySQL 5.7 and above

[root@mysql ~]#  grep 'temporary password' /var/log/mysqld.log
2016-02-17T11:14:36.244458Z 1 [Note] A temporary password is generated for root@localhost: *******


mysql_secure_installation
As another method, you can log into the MySQL server and reset the password in a secure way.

mysql -u root
You will see a mysql prompt like this: mysql> . Use the commands given below to reset root’s password.

mysql> use mysql;
mysql> update user set password=PASSWORD("user4mysql") where user='root';
mysql> flush privileges;
mysql> quit

Install PHP

PHP (recursive acronym for PHP: Hypertext Preprocessor) is a widely used open-source general purpose scripting language that is especially suited for web development and can be embedded into HTML.

Install PHP with the following command:

yum install php php-mysql php-gd php-pear -y

Test PHP:

Create a sample “testphp.php” file in the Apache document root folder and add the lines shown below:

vi /var/www/html/testphp.php

Add the following lines.

<?php

phpinfo();

?>

Restart httpd service:

systemctl restart httpd

Navigate to http://server-ip-address/testphp.php. It will display all the details about PHP, such as version, build date and commands.

If you want to install all PHP modules, enter the command yum install php* -y and restart the httpd service. To verify the modules, open a web browser and navigate to http://server-ip-address/testphp.php. You will then see all PHP modules.

Install phpMyAdmin (Optional)

phpMyAdmin is a free open-source web interface tool used to manage your MySQL databases. By default, phpMyAdmin is not found in the official CentOS/RHEL/Scientific Linux repositories, so let us install it from the EPEL repository.

To add EPEL repository, just follow the link.

cat /etc/centos-release

yum install http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm

  yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

Now, install phpMyAdmin:

yum install phpmyadmin -y

Configure phpMyAdmin

By default, phpMyAdmin can only be accessed from the localhost itself. To make it accessible globally, do the following steps.

Edit the phpMyAdmin.conf file:

vi /etc/httpd/conf.d/phpMyAdmin.conf

Find and comment out the whole <Directory> section and add the lines as shown below:

[...]

Alias /phpMyAdmin /usr/share/phpMyAdmin

Alias /phpmyadmin /usr/share/phpMyAdmin

 

## Comment the following Section ##

 

#<Directory /usr/share/phpMyAdmin/>

#   <IfModule mod_authz_core.c>

#     # Apache 2.4

#     <RequireAny>

#       Require ip 127.0.0.1

#       Require ip ::1

#     </RequireAny>

#   </IfModule>

#   <IfModule !mod_authz_core.c>

#     # Apache 2.2

#     Order Deny,Allow

#     Deny from All

#     Allow from 127.0.0.1

#     Allow from ::1

#   </IfModule>

#</Directory>

 

## Add the following lines:

 

<Directory /usr/share/phpMyAdmin/>

        Options none

        AllowOverride Limit

        Require all granted

</Directory>

[...]
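
The edit above swaps the localhost-only rules for Require all granted, so every client that can reach the server can reach the phpMyAdmin login. The following is an added example, not part of the original post: a shell check that lists the active Require rules for the phpMyAdmin directory and flags that setting, run against the post's block and against a restricted variant. The function names and the 192.168.1.0/24 admin subnet are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Lists the active Require rules
# for the phpMyAdmin directory in an Apache config and flags "all granted".

pma_access_rules() {   # $1 = config file; reads stdin when omitted
    awk '
        /^[ \t]*#/ { next }                         # ignore commented-out lines
        /^[ \t]*<Directory[ \t]+\/usr\/share\/phpMyAdmin\/?>/ { inblk = 1; next }
        /^[ \t]*<\/Directory>/ { inblk = 0 }
        inblk && /^[ \t]*Require[ \t]/ { sub(/^[ \t]+/, ""); print }
    ' "${1:--}"
}

pma_is_world_open() {   # exit 0 when any client may reach phpMyAdmin
    pma_access_rules "$@" |
        grep -qi '^Require[[:space:]]\{1,\}all[[:space:]]\{1,\}granted'
}

page_conf() {           # the block as edited in this post (abridged)
cat <<'EOF'
Alias /phpmyadmin /usr/share/phpMyAdmin
#<Directory /usr/share/phpMyAdmin/>
#       Require ip 127.0.0.1
#</Directory>
<Directory /usr/share/phpMyAdmin/>
        Options none
        AllowOverride Limit
        Require all granted
</Directory>
EOF
}

restricted_conf() {     # assumption: admins connect from 192.168.1.0/24
cat <<'EOF'
<Directory /usr/share/phpMyAdmin/>
        Options none
        AllowOverride Limit
        Require ip 127.0.0.1 ::1 192.168.1.0/24
</Directory>
EOF
}

page_conf | pma_is_world_open && echo "page config: open to all clients"
restricted_conf | pma_is_world_open || echo "restricted config: limited by Require ip"
```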

Edit “config.inc.php” file and change from “cookie” to “http” to change the authentication in phpMyAdmin:

vi /etc/phpMyAdmin/config.inc.php

Change ‘cookie’ to ‘http’.

[...]

/* Authentication type */

$cfg['Servers'][$i]['auth_type']     = 'http';    // Authentication method (config, http or cookie based)?

[...]

Restart the Apache service:

systemctl restart httpd

Now you can access the phpMyAdmin console by navigating to the URL http://nagios.gsp.com/phpmyadmin/ from your browser.

Enter the MySQL username and password that you set in the previous steps. In my case it’s “root” and “********”.

You will be redirected to the phpMyAdmin main web interface.

Now you will be able to manage your MySQL databases from the phpMyAdmin web interface.

That’s it. Your LAMP server is up and ready to use.

Fail2ban

Introduction


Fail2ban is software that helps protect Linux servers from brute-force login attempts. A common example is SSH, which will be the subject of brute-force attacks that try common account names.

Fail2ban works by dynamically altering the firewall rules to ban addresses that have unsuccessfully attempted to log in a certain number of times.

The basic idea behind fail2ban is to monitor the logs of common services to spot patterns in authentication failures.

Install steps


Install Fail2Ban on Ubuntu

# apt-get update
# apt-get install fail2ban

Install Fail2ban on CentOS

While Fail2ban is not available in the official CentOS package repository, it is packaged for the EPEL project. EPEL, standing for Extra Packages for Enterprise Linux, can be installed with a release package that is available from CentOS.

# yum install epel-release 
# yum install fail2ban

Once the installation has finished, use systemctl or chkconfig to enable the fail2ban service:

# systemctl enable fail2ban
                  or
# chkconfig fail2ban on

Fail2ban Service Settings


Fail2ban is configured through a variety of files located within the /etc/fail2ban/ directory.

The fail2ban.conf file configures some basic operational settings, such as the way the daemon logs information and the socket and pid file it will use. The main configuration, however, takes place in the jail.conf file.

Note: Fail2ban watches the service logs and creates rules that automatically alter your iptables firewall configuration based on a predefined number of unsuccessful login attempts.

Config

Bantime for an IP:- 10 hours (36000 seconds in conf file)
Number of failed attempts:- 3 (after 3 failed attempts the IP is blocked)
Services Watched by Fail2ban:- ssh, vsftp, Apache

How To check IP in iptables

If one of our users is not able to access our Linux servers, it is possible that the user's IP has been blocked due to too many failed login attempts.

To check whether the IP has been blocked, use the command given below as the root user.

# iptables -L -n --line-numbers (this lists the iptables rules; check whether the IP is blocked)

Sample
Chain fail2ban-ssh (2 references)
num      target         prot opt source               destination
1    DROP       all  --  59.45.175.66         0.0.0.0/0
2    DROP       all  --  74.112.255.218       0.0.0.0/0
3    DROP       all  --  59.45.175.64         0.0.0.0/0
4    DROP       all  --  190.152.110.202      0.0.0.0/0
5    DROP       all  --  85.105.212.12        0.0.0.0/0
6    DROP       all  --  59.45.175.56         0.0.0.0/0
7    DROP       all  --  59.45.175.67         0.0.0.0/0
8    DROP       all  --  201.178.113.162      0.0.0.0/0
9    DROP       all  --  59.45.175.86         0.0.0.0/0
10  DROP       all  --  101.66.253.100       0.0.0.0/0
11  DROP       all  --  59.45.175.88         0.0.0.0/0
12  DROP       all  --  27.194.249.192       0.0.0.0/0
13  DROP       all  --  123.96.174.30        0.0.0.0/0
14  DROP       all  --  221.122.101.203      0.0.0.0/0


# iptables -L -n --line-numbers | grep our-IP (shows whether the IP in question is blocked or has some other rule against it)
# iptables -D fail2ban-ssh num (if the IP you want to unban/unblock is number 5 in the fail2ban-ssh rules, then num is 5; fail2ban-ssh is the chain that holds the rule, and -D deletes an iptables rule)
# iptables -A INPUT -p tcp -s XXX.XXX.XXX.XXX -j ACCEPT (adds a rule to accept all incoming TCP connections from the IP)
# iptables -A OUTPUT -p tcp -d XXX.XXX.XXX.XXX -j ACCEPT (adds a rule to accept all outgoing TCP connections to the IP)
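
The lookup and delete steps above need the chain name and rule number for one exact address. The following is an added example, not part of the original post: a shell helper that pulls both out of the iptables listing by comparing the source column exactly, so 203.0.113.6 does not also match 203.0.113.66 the way a plain grep would. The function names and the listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Finds the chain and rule number
# that block one source IP in `iptables -L -n --line-numbers` output, i.e. the
# two values that `iptables -D <chain> <num>` needs.

find_ban() {   # $1 = IP address; the listing is read from stdin
    awk -v ip="$1" '
        $1 == "Chain" { chain = $2; next }           # remember the current chain
        $1 ~ /^[0-9]+$/ && ($2 == "DROP" || $2 == "REJECT") && $5 == ip {
            print chain, $1                          # exact match on source column
        }
    '
}

unban_cmd() {  # prints the delete command instead of running it
    find_ban "$1" | while read -r chain num; do
        echo "iptables -D $chain $num"
    done
}

sample_listing() {   # constructed listing; addresses are documentation ranges
cat <<'EOF'
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain fail2ban-ssh (1 references)
num  target     prot opt source               destination
1    DROP       all  --  203.0.113.66         0.0.0.0/0
2    DROP       all  --  198.51.100.12        0.0.0.0/0
3    DROP       all  --  203.0.113.6          0.0.0.0/0
4    RETURN     all  --  0.0.0.0/0            0.0.0.0/0
EOF
}

# On a live host: iptables -L -n --line-numbers | unban_cmd <ip>
sample_listing | unban_cmd 203.0.113.6
```

Deleting the rule by hand does not update Fail2ban's own record of the ban; fail2ban-client set <jail> unbanip <ip> clears both, where <jail> is the jail name from your configuration.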

How to whitelist an IP in Fail2ban

Fail2ban uses iptables to block attackers, so if we want an IP address to be permanently allowed and never blocked, we must add it to the config file.

First, edit the config file:
# vim /etc/fail2ban/jail.conf


Then, find the line:
ignoreip =
Now add all the IPs you want. Each IP or IP range must be separated by a space. Ex: 192.168.0.1 192.168.5.0/32
Save, and restart Fail2Ban:

service fail2ban restart