Category Archives: CentOS

CentOS 6.x on VMware Player: Part 7

Note these documents are subject to update, this one was last edited 05/28/2014

Part 7: Setting SELinux to enforcing

  • SELinux was originally written by the National Security Administration and is mostly used to confine daemons. The stock policy has come a long way and with the following additions this basic implementation is an important part of a multi-pronged security approach.
  • # ls -Z / (run here against /): in addition to the standard permissions, user and group, you will also see each file's SELinux context, in the form user:role:type:level, before the file name.

  • # setenforce permissive
  • # yum provides /usr/sbin/semanage
  • # yum install -y policycoreutils-python
  • # yum install -y setroubleshoot
  • This script with proper edits will get your web server’s SELinux in basic order:

  • Edit to your configuration, put script in /usr/local/bin with the appropriate permissions and execute.
  • # vi /etc/sysconfig/selinux
  • Edit SELINUX=permissive to SELINUX=enforcing. Save and quit vi.
  • # setenforce 1 then # getenforce to confirm it is enforcing.
  • Additional SELinux booleans and associated file permissions can be a significant part of a thorough security plan – be sure and check back for more!
  • I do expect to update this substantially over time so be sure and check back.
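
One way to write the kind of labelling script described above for this series' /www/yourdomain.com document root (an added example, not the author's script). The read-only/writable split, the APPLY switch and the script name are assumptions; the type names are those of the stock targeted policy.

```shell
#!/bin/sh
# Added example, not the author's script. DOCROOT follows this series' layout.
DOCROOT="${DOCROOT:-/www/yourdomain.com}"

# Print one "type<TAB>path-regex" rule per line for the given document root.
label_rules() {
    root="${1%/}"
    case "$root" in
        /*) ;;
        *) echo "docroot must be an absolute path" >&2; return 1 ;;
    esac
    # semanage patterns are regexes, so escape the dots in the path.
    root_re=$(printf '%s' "$root" | sed 's/[.]/\\./g')
    # Default: Apache may read and serve these files but not modify them.
    printf 'httpd_sys_content_t\t%s(/.*)?\n' "$root_re"
    # Only wp-content (uploads, plugin and theme updates) is writable.
    printf 'httpd_sys_rw_content_t\t%s/wp-content(/.*)?\n' "$root_re"
}

# Record the rules in the local policy, then relabel the files on disk.
apply_labels() {
    root="${1%/}"
    label_rules "$root" >/dev/null || return 1
    label_rules "$root" | while IFS="$(printf '\t')" read -r setype regex; do
        # -a fails if the rule already exists; fall back to -m (modify).
        semanage fcontext -a -t "$setype" "$regex" 2>/dev/null ||
            semanage fcontext -m -t "$setype" "$regex"
    done
    restorecon -R -v "$root"
}

# Review the rules first; relabel only when APPLY=1 is set
# (the script name below is hypothetical):
#   APPLY=1 DOCROOT=/www/yourdomain.com sh /usr/local/bin/selinux-web.sh
if [ "${APPLY:-0}" = "1" ]; then
    apply_labels "$DOCROOT"
    ls -Zd "$DOCROOT" "$DOCROOT/wp-content"
else
    label_rules "$DOCROOT"
fi
```

Run it while still in permissive mode, then check /var/log/audit/audit.log for remaining denials before switching to enforcing.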

If you have any questions or suggestions don’t hesitate to reach out to me!

CentOS 6.x on VMware Player: Part 6

Note these documents are subject to update, this one was last edited 05/28/2014

Part 6: Installing WordPress

  • Note that many things in this WordPress installation are dependent on configurations in previous parts of this series.
  • Firefox your way to wordpress.org and download the .zip version of WordPress.
  • Choose Save File then OK.
  • # cp /home/you/Downloads/wordpress-3.9.zip /www/yourdomain.com
  • # cd /www/yourdomain.com
  • # unzip ./w* ; cd wordpress ; mv * .. ; cd .. ; rm -fr wordpress
  • # cp -a wp-config-sample.php wp-config.php
  • # chown -R apache ../*
  • # mysql -uroot -pyourpassword
  • mysql> create database databasename;
  • mysql> use databasename;
  • mysql> grant all on databasename.* to wp_service@'localhost' identified by 'password';
  • mysql> flush privileges;
  • mysql> exit
  • # vi wp-config.php
  • These lines need to be edited with the database, service user and password made above, do not use root.

  • Save and exit the file.
  • Browse to your site address and you should now see something like this:

  • VERY IMPORTANT: Fill out the obvious and for Username do NOT use admin, administrator, root, your name, name of the site or domain name. I highly recommend you use something cryptic and impossible to guess for the Username.
  • Think of the WordPress Username as the 1st password the hacker bots have to guess. Towards the end of this post we will fix up the publicly displayed name associated with your Username.
  • Go ahead Install and in 1 or 2 seconds you should have Success! Go ahead and login.

  • On to configuring MultiSite, Dashboard > Settings > PermaLinks
  • Choose Day and name. Select Save Changes.
  • Be sure all plugins are deactivated.
  • # vi wp-config.php — above the line /* That’s all, stop editing! Happy blogging. */ insert:

  • Refresh your browser to continue.
  • Dashboard > Tools > Network Setup – choose sub-domains and Select Install.
  • Add the following to your wp-config.php file above the line reading /* That’s all, stop editing! Happy blogging. */

  • Add the following to your .htaccess file in /www/yourdomain.com/, replacing other WordPress rules:

  • After completing these steps, log in again using the link provided. You might have to clear your browser’s cache and cookies in order to log in.
  • Here are the plugins I’ll recommend for security and functionality:
  • Dashboard > Plugins > Add New > WordPress MU Domain Mapping > Install Now > Network Activate.
    • Priority install and essential plugin for managing multiple domains.
    • # cp -a /www/yourdomain.com/wp-content/plugins/wordpress-mu-domain-mapping/sunrise.php /www/yourdomain.com/wp-content
    • Dashboard > Settings > Domain Mapping > Put in your Server IP Address and check Permanent redirect then Save.
    • Dashboard > Settings > Domains – you can add additional domains here, do not add your base domain.
  • Dashboard > Plugins > Add New > WangGuard > Install Now > Network Activate.
    • Priority install and a great essential plugin. It will save you from tons of annoying bot logins. Not only is WangGuard my #1 favorite plugin but my #1 favorite plugin developer. José at WangGuard gives amazingly personally attentive support.
    • Get (free) or enter an existing WangGuard API key good for all sites at Dashboard > WangGuard > Configuration.
  • Dashboard > Plugins > Add New > Login Security Solution > Install Now > Network Activate.
    • Priority install and essential plugin.
    • Requires very strong passwords, repels brute force login attacks, prevents login information disclosures, expires idle sessions, notifies admins of attacks and breaches, permits administrators to disable logins for maintenance or emergency reasons and reset all passwords.
  • Dashboard > Plugins > Akismet > Network Activate.
    • Priority install and essential plugin.
    • Every individual site will have to get (free) or enter an existing API key at Site Dashboard > Settings > Akismet.
    • This plugin will protect you from spam comments etc.
  • I’m sure you’re anxious to add content to WordPress however I highly recommend you install and configure the above priority installs first. The plugins below may or may not be applicable to your site plans.
  • Dashboard > Plugins > Add New > Multisite User Management > Install Now > Network Activate.
    • Essential for Multisite.
  • Dashboard > Plugins > Add New > Simple Access Control > Install Now > Network Activate.
    • This will allow you to set whether users must be logged in or not to view individual pages. The settings are in page edit mode.
  • Dashboard > Plugins > Add New > WordPress Importer > Install Now > Network Activate.
    • This will allow you to import site content from various platforms including WordPress.
  • Dashboard > Plugins > Add New > WP Crontrol > Install Now > Network Activate.
    • Gives you some control and visibility into the cron job scheduling process on WordPress. Ultimately WordPress cron is worthy of being ditched for a Linux cron especially on busy sites.
  • Dashboard > Plugins > Add New > bbPress > Install Now > Network Activate.
  • Dashboard > Plugins > Add New > GD bbPress Attachments > Install Now > Network Activate.
  • Dashboard > Plugins > Add New > GD bbPress Tools > Install Now > Network Activate.
  • Dashboard > Plugins > Add New > Contact Form 7 > Install Now > Network Activate.
  • Dashboard > Plugins > Add New > Page Links To > Install Now > Network Activate.
  • Dashboard > Plugins > Add New > Twitter Profile Field > Install Now > Network Activate.
  • Now to fix a huge security hole in WordPress: for any user that has any kind of admin privileges, go and edit the user's Nickname and "Display name publicly as" fields to something completely unrelated to the Username.
  • Then be sure to go to a MySQL prompt or in MySQL Workbench and execute something like the following for every user with admin privileges:

  • VERY IMPORTANT: I recommend that the ‘shadowshift’ portion of the update above be exactly the same as your profile's Nickname and "Display name publicly as" values. I stress that all 3 of these names should be nothing like your Username.
  • Otherwise anyone will be able to see the real Username used to login and have half the equation to hack admin accounts even if it is highly unlikely mathematically for them to brute force a good password.
  • Example: http://shadowshift.com/author/shadowshift Trust me, bots will scrape this URL from Google for your Username.
  • The net effect of this change is all day and night hackers and bots try to guess the password of an account that does not exist, in this case: shadowshift – a great URL and a lousy Username.
  • OK Installing WordPress is done for now but I do expect to update this substantially over time so be sure and check back.
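
A check for the exposure described above, as an added example that is not the author's own statement: it reads `user_login`, `user_nicename` and `display_name` rows from WordPress's `wp_users` table and flags accounts whose public names still give away the login. The sample rows are constructed, and the `wp_` table prefix is the WordPress default, assumed here.

```shell
#!/bin/sh
# Added example. Input: tab-separated rows of user_login, user_nicename,
# display_name, e.g. produced on the server with
#   mysql -N -B -uroot -p databasename \
#     -e 'SELECT user_login, user_nicename, display_name FROM wp_users'
# (wp_ is WordPress's default table prefix; yours may differ).

# Print "login<TAB>field" for every account whose public field reveals the login.
find_exposed_logins() {
    awk -F '\t' '
        # Approximate the slug used in /author/<user_nicename>:
        # lower-case, runs of other characters collapsed to "-".
        function slug(s) {
            s = tolower(s)
            gsub(/[^a-z0-9]+/, "-", s)
            gsub(/^-|-$/, "", s)
            return s
        }
        NF >= 3 {
            login = slug($1)
            if (slug($2) == login) print $1 "\tuser_nicename"
            if (slug($3) == login) print $1 "\tdisplay_name"
        }
    '
}

# Constructed sample rows: the first account was left at WordPress defaults,
# the second follows the advice above.
sample_users() {
    printf 'k7Qz_vault\tk7qz_vault\tk7Qz_vault\n'
    printf 'x9Lm-ops\tshadowshift\tshadowshift\n'
}

if [ "${1:-}" = "--demo" ]; then
    sample_users | find_exposed_logins
fi
```

Any account it prints still needs its Nickname, display name and `user_nicename` changed as described above.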


CentOS 6.x on VMware Player: Part 5

Note these documents are subject to update, this one was last edited 04/26/2014

Part 5: Configuring Apache

  • Note that many things in this Apache configuration and later WordPress are dependent on configurations in previous parts of this series.
  • # cp -a /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.orig
  • I would just download this httpd.conf. It is well documented: every change from the original is marked with a #Change tag, so you can easily compare differences from your original httpd.conf.

httpd.conf unavailable currently

  • # mkdir /www/yourdomain.com
  • # chown apache /www/yourdomain.com
  • # chkconfig httpd on
  • # service httpd start
  • Fire up Firefox and browse your server, you should get the Apache Test Page.

  • # cat >> /www/yourdomain.com/index.html

  • Then ctrl-d on a blank line to end and save file.
  • # service httpd restart
  • Browse your server again and you should see a blank page with hello!
  • OK Configuring Apache is done for now but I do expect to update this substantially over time so be sure and check back. There are also still important configurations and setting up WordPress so please continue to Part 6.


CentOS 6.x on VMware Player: Part 4

Note these documents are subject to update, this one was last edited 04/26/2014

Part 4: Configuring MySQL

  • First we will make some basic configuration changes to MySQL. Later we will get into much more database configuration and tuning.
  • # cp -a /etc/my.cnf /etc/my.cnf.orig
  • # vi /etc/my.cnf
  • After the line user=mysql insert default-storage-engine=InnoDB
  • Save and exit.
  • # chkconfig --level 2345 mysqld on
  • # service mysqld start
  • # /usr/bin/mysql_secure_installation
  • Enter current password for root (enter for none): <enter>
  • Set root password? [Y/n] <enter> and set it
  • Remove anonymous users? [Y/n]  <enter>
  • Disallow root login remotely? [Y/n] n <enter>
  • Remove test database and access to it? [Y/n] <enter>
  • Reload privilege tables now? [Y/n] <enter>
  • # mysql -uroot -pyourpassword
  • mysql> use mysql
  • mysql> grant all on *.* to you@'192.168.1.4' identified by 'yourpassword';
  • mysql> flush privileges;
  • mysql> exit
  • Now you will be able to install and use MySQL Workbench from your workstation or server.
  • # yum install -y flash-plugin.x86_64
  • Start Firefox and browse to http://www.mysql.com/products/workbench
  • Login or create an account if you need to.
  • Select Download Now.
  • Select Platform… Red Hat Enterprise Linux / Oracle Linux.
  • Download the 64-bit version.
  • Open with Package Installer (default) and Select OK.
  • Choose Install including for any additional packages it wants to install and authenticate.
  • When done installing fire it up and check Server Status.
  • # mysql-workbench

  • OK Configuring MySQL is done for now but I do expect to update this substantially over time so be sure and check back. There are also still important configurations and setting up Apache, etc. and later WordPress so please continue to Part 5.
