1. Install Sphinx on CentOS

    Download the latest beta release from the Downloads page.

    wget http://sphinxsearch.com/files/sphinx-2.0.2-1.el5.x86_64.rpm

    Install from the RPM (if updating use ‘rpm -Uvh’ instead):

    rpm -ivh sphinx-2.0.2-1.el5.x86_64.rpm

    Enable auto-launching of the search daemon on boot:

    chkconfig --level 345 searchd on

    Start the search daemon:

    /etc/init.d/searchd start

  2. Workaround for installing phpMyAdmin on CentOS

    Having mysql/php/apache already set up, I decided to install phpMyAdmin; however, because the mysql is Percona, there were some dependency checks that failed.

    After a lot of trial and error the following did the trick:

    #stop the services
    /etc/init.d/httpd stop
    /etc/init.d/mysql stop
    
    #remove mysql
    yum --enablerepo=remi remove Percona* mysql*
    
    #install everything in one shot
    yum --enablerepo=remi install Percona-Server-server-55 Percona-Server-client-55 phpMyAdmin
    
    #start the services
    /etc/init.d/httpd start
    /etc/init.d/mysql start
    
    #rerun the secure installation script
    /usr/bin/mysql_secure_installation

    Once that has finished you’ll need to edit the Apache config to allow yourself remote access to the phpMyAdmin site:

    nano /etc/httpd/conf.d/phpMyAdmin.conf
    
    #add allow from your ip address
    allow from 123.456.789.101

    You should now be able to access it at http://example.com/phpMyAdmin/

  3. Change I/O Scheduler on CentOS

    To change the default scheduler from cfq to deadline simply edit /etc/grub.conf and add elevator=deadline to the kernel that is being used:

    $ nano -w /etc/grub.conf
    
    title CentOS (2.6.18-274.3.1.el5)
            root (hd0,0)
            kernel /vmlinuz-2.6.18-274.3.1.el5 ro root=LABEL=/ elevator=deadline
            initrd /initrd-2.6.18-274.3.1.el5.img

    This entry tells the 2.6.18-274.3.1.el5 kernel to use the Deadline scheduler. Make sure to reboot the system to activate the new scheduler.

  4. Secure /tmp on CentOS

  5. Find which packages are installed by which repo

    A handy tip I saw on IRC today. If you’ve ever wanted to see which packages were installed from where then the ‘keychecker’ program is for you.

    Make sure you have the EPEL repository set up first, then install via yum:

    yum install keychecker

    Once installed, simply run the ‘keychecker’ command and it will output all your installed packages sorted by repository.

  6. Install mediainfo on CentOS

    MediaInfo supplies technical and tag information about a video or audio file.

    First let’s grab the rpms. From the download page download the rpms that are appropriate for your platform. My system is CentOS 5 x86_64 in the following example:

    mkdir /usr/local/src/mediainfo
    cd /usr/local/src/mediainfo
    
    #libzen0
    wget http://downloads.sourceforge.net/zenlib/libzen0-0.4.22-1.x86_64.CentOS_5.rpm
    
    #libmediainfo0
    wget http://downloads.sourceforge.net/mediainfo/libmediainfo0-0.7.50-1.x86_64.CentOS_5.rpm
    
    #CLI
    wget http://downloads.sourceforge.net/mediainfo/mediainfo-0.7.50-1.x86_64.CentOS_5.rpm

    Once downloaded, install them via the following commands:

    rpm -i libzen0-0.4.22-1.x86_64.CentOS_5.rpm
    rpm -i libmediainfo0-0.7.50-1.x86_64.CentOS_5.rpm
    rpm -i mediainfo-0.7.50-1.x86_64.CentOS_5.rpm

    That’s it! You can test it by running the ‘mediainfo’ command.

  7. Helpful links for adding a second hard drive to CentOS

    Using the following resources helped me set up my second hard drive:

  8. Install Denyhosts on CentOS

    Install the YUM priorities and denyhosts:

    yum install yum-priorities denyhosts

    Add denyhosts to startup and then start it up:

    # chkconfig denyhosts on
    # service denyhosts start

    Any further configuration can be done by editing the configuration file /etc/denyhosts.conf

  9. Install APF Firewall on CentOS

    Advanced Policy Firewall (APF) is an iptables (netfilter) based firewall system designed around the essential needs of today’s Internet-deployed servers and the unique needs of custom-deployed Linux installations.

    Make sure iptables is installed:

    yum install iptables*

    Download, unpack, and install APF from source:

    cd /usr/local/src
    wget http://www.rfxn.com/downloads/apf-current.tar.gz
    tar -zxf apf-current.tar.gz
    cd apf-9*
    ./install.sh

    Backup the original APF config file:

    cp /etc/apf/conf.apf /etc/apf/conf.apf.bak

    Now edit the current APF config file:

    nano -w /etc/apf/conf.apf

    Change the following values:

    * RAB="0" to RAB="1"
    * RAB_PSCAN_LEVEL="2" to RAB_PSCAN_LEVEL="3"
    * TCR_PASS="1" to TCR_PASS="0"
    * DLIST_PHP="0" to DLIST_PHP="1"
    * DLIST_SPAMHAUS="0" to DLIST_SPAMHAUS="1"
    * DLIST_DSHIELD="0" to DLIST_DSHIELD="1"
    * DLIST_RESERVED="0" to DLIST_RESERVED="1"

    Find IFACE_IN= and IFACE_OUT= in /etc/apf/conf.apf and verify that they match your network interface.

    Locate HELPER_SSH_PORT="22" and change it to your SSH port IF you changed it in your sshd_config.

    Locate IG_TCP_CPORTS="22" and change it to your SSH port IF you changed it in your sshd_config.

    Now restart the APF:

    /usr/local/sbin/apf -r

    Now log in through SSH again to verify that you can still log in to your server.

    When you’re happy with your firewall and everything works fine, edit /etc/apf/conf.apf, find DEVEL_MODE="1" and change it to DEVEL_MODE="0".

    Restart the APF again:

    /usr/local/sbin/apf -r

    Make sure APF starts automatically after a reboot:

    chkconfig --add apf
    chkconfig --level 345 apf on

    The firewall should now be active!
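
    The edits above can be scripted, and the SSH-port caveat checked before DEVEL_MODE is turned off. This is an added example, not part of the original post or of APF; the function names and the sample files are constructed for illustration, it assumes the backup step above has already been done, and only exact entries in IG_TCP_CPORTS are matched.

```shell
#!/bin/bash
# Added example (not APF's own tooling): apply the settings listed above and
# check that sshd's port is still allowed before DEVEL_MODE is switched off.

# Print the value of KEY ($1) from FILE ($2) with surrounding quotes stripped.
apf_get() {
    sed -n "s|^$1=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*|\1|p" "$2" | tail -n 1
}

# Rewrite KEY ($1) to KEY="VALUE" ($2) in FILE ($3); fail if the key is absent.
apf_set() {
    grep -q "^$1=" "$3" || { echo "missing key: $1" >&2; return 1; }
    tmp=$(mktemp) || return 1
    sed "s|^$1=.*|$1=\"$2\"|" "$3" > "$tmp" && cat "$tmp" > "$3"
    rc=$?; rm -f "$tmp"; return $rc
}

# Apply the seven value changes from the list above to FILE ($1).
apf_apply_settings() {
    for pair in RAB=1 RAB_PSCAN_LEVEL=3 TCR_PASS=0 DLIST_PHP=1 \
                DLIST_SPAMHAUS=1 DLIST_DSHIELD=1 DLIST_RESERVED=1; do
        apf_set "${pair%%=*}" "${pair#*=}" "$1" || return 1
    done
}

# Succeed only if the port in sshd_config ($2) equals HELPER_SSH_PORT and is
# listed in IG_TCP_CPORTS of the APF config ($1). sshd listens on 22 when no
# Port line is set. Port ranges in the list are not expanded.
apf_ssh_port_allowed() {
    port=$(awk 'tolower($1)=="port" {print $2; exit}' "$2")
    port=${port:-22}
    [ "$(apf_get HELPER_SSH_PORT "$1")" = "$port" ] || return 1
    case ",$(apf_get IG_TCP_CPORTS "$1")," in
        *",$port,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample inputs (not a real conf.apf): write them into directory $1.
apf_write_samples() {
    printf '%s\n' 'DEVEL_MODE="1"' 'RAB="0"' 'RAB_PSCAN_LEVEL="2"' \
        'TCR_PASS="1"' 'DLIST_PHP="0"' 'DLIST_SPAMHAUS="0"' 'DLIST_DSHIELD="0"' \
        'DLIST_RESERVED="0"' 'HELPER_SSH_PORT="22"' 'IG_TCP_CPORTS="22,80,443"' > "$1/conf.apf"
    printf '%s\n' 'Port 2488' 'PermitRootLogin no' > "$1/sshd_config"
}
```

    Running apf_ssh_port_allowed /etc/apf/conf.apf /etc/ssh/sshd_config before setting DEVEL_MODE="0" catches the case where sshd was moved to a new port but the firewall still only admits 22.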

    Here are some common ports used by cpanel:

    Cpanel:
    IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096"
    IG_UDP_CPORTS="21,53,873"
    
    EGF="1"
    EG_TCP_CPORTS="21,22,25,26,27,37,43,53,80,110,113,443,465,873,2089"
    EG_UDP_CPORTS="20,21,37,53,873"

  10. Harden SSHD on CentOS

    First of all we need to make a regular user, since we are disabling direct root login:

    adduser admin && passwd admin

    Backup the current sshd_config:

    mv /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

    Create a new sshd_config file:

    nano -w /etc/ssh/sshd_config

    Paste the following config into the new file but be sure to change the Port to something different:

    ## Changing to another port is recommended, e.g. 2488
    Port 22
     
    ## Sets listening address on server. default=0.0.0.0
    #ListenAddress 192.168.0.1
     
    ## Enforcing SSH Protocol 2 only
    Protocol 2
     
    ## Disable direct root login; with "no" you log in as the admin user, then use "su -" to become root
    PermitRootLogin no
     
    ## Run the pre-authentication network code in an unprivileged child process
    UsePrivilegeSeparation yes
     
    ## Disable TCP port forwarding through SSH
    AllowTcpForwarding no
     
    ## Disables X11Forwarding
    X11Forwarding no
     
    ## Checks users' home directories and rhosts files to make sure they aren't world-writable
    StrictModes yes
     
    ## The option IgnoreRhosts specifies whether rhosts or shosts files should not be used in authentication
    IgnoreRhosts yes
     
    ## Disable host-based authentication
    HostbasedAuthentication no
     
    ## RhostsRSAAuthentication specifies whether sshd can try rhosts-based authentication together with RSA host authentication.
    RhostsRSAAuthentication no
     
    ## Adds a login banner that the user can see
    #Banner /etc/motd
     
    ## Enable / Disable sftp server
    Subsystem      sftp    /usr/libexec/openssh/sftp-server
     
    ## Add users that are allowed to log in
    AllowUsers admin

    Restart the SSHD daemon:

    service sshd restart

    Start a NEW ssh session to ensure you can connect on the new port. Do not close your current session until you are sure the new config is working.
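
    Before restarting sshd, the new file can be checked against the hardening values pasted above. This is an added example, not part of the original post or of OpenSSH; the function names and the sample file are constructed for illustration, and Match blocks are not handled.

```shell
#!/bin/bash
# Added example: audit an sshd_config against the hardening values pasted above.

# Print the effective value of KEYWORD ($1) in FILE ($2). sshd keywords are
# case-insensitive and the first occurrence of a keyword is the one used.
sshd_value() {
    awk -v k="$1" 'tolower($1)==tolower(k) {print tolower($2); exit}' "$2"
}

# Print one FAIL line per directive that differs from the expected value and
# return non-zero if there are any. A missing directive counts as a failure
# because the built-in default may not match.
sshd_audit() {
    file=$1; bad=0
    for want in Protocol=2 PermitRootLogin=no AllowTcpForwarding=no \
                X11Forwarding=no StrictModes=yes IgnoreRhosts=yes \
                HostbasedAuthentication=no; do
        got=$(sshd_value "${want%%=*}" "$file")
        if [ "$got" != "${want#*=}" ]; then
            echo "FAIL ${want%%=*}: expected ${want#*=}, found ${got:-<unset>}"
            bad=$((bad + 1))
        fi
    done
    # Without AllowUsers, sshd does not restrict logins by user name.
    if [ -z "$(sshd_value AllowUsers "$file")" ]; then
        echo "FAIL AllowUsers: not set"
        bad=$((bad + 1))
    fi
    [ "$bad" -eq 0 ]
}

# Constructed sample ($1 = output path): an earlier lower-case
# "permitrootlogin yes" shadows the later "PermitRootLogin no", and
# AllowUsers is commented out.
sshd_write_sample() {
    printf '%s\n' 'Port 2488' 'Protocol 2' 'permitrootlogin yes' \
        'PermitRootLogin no' 'AllowTcpForwarding no' 'X11Forwarding no' \
        'StrictModes yes' 'IgnoreRhosts yes' 'HostbasedAuthentication no' \
        '#AllowUsers admin' > "$1"
}
```

    On the server, `sshd -t -f /etc/ssh/sshd_config` additionally checks the file's syntax before `service sshd restart`.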