New server build - Terminal/CLI only

I am working to build a server without any panel. I've used cPanel, DirectAdmin and CentOS Web Panel mostly. This means I never really got down and dirty with apache, php, or security. I'm doing this to learn, to make a lean server, and why not?

Essentially, I am making a file in notepad++ to copy and paste commands in CLI, so that I can rebuild a server in short order. It won't be a commercial server..just for my own personal use.

I'm looking for your inputs to see what I've missed or could do better.

  • Add Users
    -- Add users to sudoers
    -- change passwords
    -- create .ssh dirs, set perms, and populate for cert login

  • Disable modify sshd_config
    -- set root login without-password
    -- turn on pub key auth
    -- AllowUsers for my users

  • Install initial tools via yum

  • Set hostname and hosts in /etc

  • Update kernel to 5.x

  • Generate a new grub2 config and set to new kernel
  • Remove most old kernels
  • Reboot

  • Set BBR

  • Install PHP7.2 and httpd
    -- Start/enable httpd
    -- Configure for virtual hosts
    -- Generate test index.html file

  • Set time/timezone/NTP

  • Install rar and 7zip
  • Add alias lines to .bashrc
  • Yum update everything
  • Install fail2ban
    -- set options in jail.local
    -- enable and start

  • Install certbot and generate certs with https redirects and cron job

  • Install CSF
    -- Use sed to modify TCP_IN (UDP, in/out too) for only the ports I'll be using
    -- enable/start csf and lfd

  • Attach storage, modify fstab

  • Set perms for extra HDD drive (file storage)
  • Secure web dirs as needed
    -- use htpasswd to generate password file
    -- use .htaccess to set Authtype Basic
    -- chmod 640 to the .htaccess file

  • Final yum update

  • Reboot
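
An added example (not part of the original post or any reply): a small audit of the three sshd_config items in the checklist above, run after the file is edited and before sshd is restarted. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config-style file for the checklist's SSH items.
# sshd uses the first value it reads for a scalar keyword; AllowUsers lines add up.
# Not handled here: Include files, "Keyword=value" syntax, Match-block overrides.
values() {  # usage: values <file> <keyword> -> every global value, one per line
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || NF == 0 { next }      # skip comments and blank lines
        tolower($1) == "match" { exit }     # global section ends at first Match
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print }
    ' "$1"
}
first() { values "$1" "$2" | head -n 1; }   # effective value of a scalar keyword

audit_sshd() {  # prints one line per check; exit status = number of failed checks
    f=$1; fails=0
    root=$(first "$f" PermitRootLogin | tr 'A-Z' 'a-z')
    pubkey=$(first "$f" PubkeyAuthentication | tr 'A-Z' 'a-z')
    allow=$(values "$f" AllowUsers | tr '\n' ' ')
    case $root in
        no|without-password|prohibit-password) echo "ok   PermitRootLogin $root" ;;
        *) echo "FAIL PermitRootLogin '${root:-unset}': root password login not ruled out"
           fails=$((fails + 1)) ;;
    esac
    case $pubkey in
        no) echo "FAIL PubkeyAuthentication no: key login is off"; fails=$((fails + 1)) ;;
        *)  echo "ok   PubkeyAuthentication ${pubkey:-unset (OpenSSH default is yes)}" ;;
    esac
    if [ -n "$allow" ]; then echo "ok   AllowUsers $allow"
    else echo "FAIL AllowUsers unset: any account may attempt login"; fails=$((fails + 1)); fi
    return "$fails"
}

sample_config() {  # constructed sample input, not taken from the thread
    cat <<'EOF'
# the lowercase line comes first, so it wins over the later "yes"
permitrootlogin without-password
PermitRootLogin yes
PubkeyAuthentication yes
AllowUsers alice
AllowUsers bob
Match User bob
    PermitRootLogin yes
EOF
}

tmp=$(mktemp); sample_config > "$tmp"
audit_sshd "$tmp" || echo "$? check(s) failed"
rm -f "$tmp"
```

On a live host, `sshd -T` prints the effective configuration as sshd itself computes it, including Include files that this sketch ignores.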

Comments

  • FootKaput said: Essentially, I am making a file in notepad++ to copy and paste commands in CLI, so that I can rebuild a server in short order.

    Don't do it that way, it is crazy. Learn an orchestration tool like ansible or saltstack. Then you just run a script to remotely install everything when you spin up a new server.

    Thanked by 2skorous FootKaput
  • willie said: ansible or saltstack.

    I want to learn the basics first...ansible is after I get smarter. :)

    Thanked by 1FoxelVox
  • Looks clean, I'd do the ntp earlier to make troubleshooting easier.

    Httpd is there, do you need mariadb/mysql?

    Unclear if this is for vm or dedi, may want to monitor raid health if the latter.

    Postfix/config for root account recipient

    Maybe something like vnstat to give you network usage statistics over time?

    Thanked by 1FootKaput
  • @casualjoe said:
    Httpd is there, do you need mariadb/mysql?

    Not yet, not sure what will go on this box. Right now it's not doing a whole lot. I'll find a purpose.

    It's a VPS / KVM.

    I didn't install postfix, but it's there, and I installed mutt to read the emails. Got the excessive resources emails already.

    I'll use hetrix to keep an eye on what's happening on the server.

  • I did the same when I got my hands on a Debian VPS for the first time. Made a .txt file containing all commands which I run whenever I make a clean Debian based VPS. But I don't deal with this GRUB, bootloader etc. as I use the template provided by provider. Need to learn ansible or saltstack though, seems like it will make life easy.

  • casualjoe Member
    edited October 2019

    @FootKaput said:

    @casualjoe said:
    Httpd is there, do you need mariadb/mysql?

    Not yet, not sure what will go on this box. Right now it's not doing a whole lot. I'll find a purpose.

    It's a VPS / KVM.

    Sure no worries don't need to monitor raid then.

    I didn't install postfix, but it's there, and I installed mutt to read the emails. Got the excessive resources emails already.

    I thought the purpose was what to do to install a new server though, best not to rely on what might be in a base install and over plan.

    I'll use hetrix to keep an eye on what's happening on the server.

    Good call, but I was more thinking something to monitor your bandwidth usage to compare to your host if they ever claimed overuse etc.

    Thanked by 1FootKaput
  • It seems you have performed everything required to set up a server, however I just want to remind you to change SSH port to non-standard port.

    Thanked by 1FootKaput
  • @vladj said:
    It seems you have performed everything required to set up a server, however I just want to remind you to change SSH port to non-standard port.

    Good tip. Got it in sshd_config.

    casualjoe said: base install and over plan.

    That's a good point too. I didn't go very far in a 'generic' build; there are a lot of hard-coded paths/files that only point to this domain. Have to work on that.

  • lonea Member, Host Rep

    why are you installing fail2ban and CSF together?

    Thanked by 1FootKaput
  • lonea said: why are you installing fail2ban and CSF together?

    I thought one was a firewall, the other more like an IDS. I really only use fail2ban for SSH port though, and if it's a changed port, it probably won't be hammered much.

  • Don't forget that a little bit of swap is always advisable ;-)

    Thanked by 1FootKaput
  • @FootKaput said:
    Essentially, I am making a file in notepad++ to copy and paste commands in CLI, so that I can rebuild a server in short order. It won't be a commercial server..just for my own personal use.

    Can you share the file when you're ready? I'm too lazy to do my own. :blush:

    Thanked by 1FootKaput
  • @willie said:

    FootKaput said: Essentially, I am making a file in notepad++ to copy and paste commands in CLI, so that I can rebuild a server in short order.

    Don't do it that way, it is crazy. Learn an orchestration tool like ansible or saltstack. Then you just run a script to remotely install everything when you spin up a new server.

    I think it's better this way than going straight up to something like that :)

  • Certainly learn how to do everything by hand before automating it. But trying to run everything from a giant static script means a lot of ways to go wrong. Everyone's templates vary and something like ansible can allow for that.

    Thanked by 1FootKaput
  • A couple suggestions:

    1) DigitalOcean and Linode have excellent provisioning tutorials, they will save you a lot of time.

    2) If you are primarily focused on a no-panel option, why don't you try either easyengine.io or webinoly.com. Both are open source CLI server management and well tested.

    Good luck.

    Thanked by 1FootKaput
  • SNACTeam said: webinoly.com

    That's a pretty slick way to get a server up fast! Just one command!

    Thanked by 1SNACTeam
  • willie said: a lot of ways to go wrong

    Most definitely. I think ansible will be the way to go.

  • Definitely set up at least 1 server completely from scratch, you can use the provider templates as a good starting point and build from there. You will learn so much about Linux and the location of various files etc that will be useful to you in your journey.

    Thanked by 2vimalware FootKaput
  • dahartigan said: location of various files

    This. I've found it varies wildly depending on setup--it's a lot to keep track.
    Webroot lives either at |home|user|public_html or |var|www|examplecom|html
    Web users, nobody vs apache
    httpd.conf is at user|local|apache|conf or |etc|httpd|conf

    And that's comparing with just Centos7 and CWP. I'm sure it also changes for other control panels, and other distros...

    Thanked by 1dahartigan
  • FHR Member, Host Rep

    @vladj said:
    It seems you have performed everything required to set up a server, however I just want to remind you to change SSH port to non-standard port.

    Please don't.

    Thanked by 1flatland_spider
  • FootKaput said: Update kernel to 5.x

    Is there a specific reason for this? RH backports lots of stuff to their kernel, and while the stock kernel is 3.10, it's not a vanilla 3.10 kernel.

    FootKaput said: -- set root login without-password

    I would disable root login via SSH altogether. You don't really lose anything, and if the server is borked, you'll probably need to login via the console anyway.

  • It's better to start from scratch if you want to learn for sure. Do not use ready templates. If the server broke, this is good; you will know what you have done wrong and re-do it. It is good, when a server is fully ready for work, to create an image of the OS. Good luck.

  • flatland_spider said: Is there a specific reason for this?

    No, not really. I wanted to use BBR, and that needed (I think) 4.9, so I figured since I was updating, get the latest.

    Cloudware said: know what you have done wrong and re-do it

    Yes. Lots and lots of this. I probably reloaded this latest one 4 times already.

  • SpryServers_Tab Member, Host Rep
    edited October 2019

    If you want to automate adding users, setting up ssh keys, etc, and it's for your own use - Spin up a VM and create a FreeIPA server. Then you can just join the servers to the kerberos/IPA realm and you'll have access to all of them via the same credentials as your IPA.

    You'd just install the freeipa-client software, and the only other command you'd have to run to setup your NTP, ssh, users, etc is:

    # ipa-client-install --mkhomedir

  • farsighter Member
    edited October 2019

    You can also add bash functions to .bashrc:

    This for example
    hh () { history | grep "$1" ;}
    will use hh to grep text in command history

    So hh xyz will be equal to history | grep xyz

    Why hh?
    Because 'h' is already an alias for history command in my .bashrc....
