
Starting from a minimal installation of CentOS 6, we now perform the basic configuration.

Let's start. First of all we configure the TCP/IP stack of interface eth1 with a static IP address. Edit the file /etc/sysconfig/network-scripts/ifcfg-eth1 and add the following lines (PEERDNS=yes lets the network scripts write DNS1 and DNS2 into /etc/resolv.conf):

ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=none
IPADDR=192.168.180.3
PREFIX=24
PEERDNS=yes
DEFROUTE=yes
DNS1=8.8.8.8
DNS2=8.8.4.4
DOMAIN=lab.local

Then edit the file /etc/sysconfig/network so that it contains the following lines:

NETWORKING=yes
HOSTNAME=[HOSTNAME]
GATEWAY=192.168.180.2

Issue the command service network restart to load the new configuration for eth1, then ifconfig eth1 to check that the change is in place.

Updating the installation and enhancing the minimal install with additional administration and development tools

Issue the following commands from the terminal to update the system (kernel, security fixes and so on):

yum -y update
reboot

The reboot is needed so that the updated kernel is the one running. After the reboot, install the package groups that will be useful later:

yum -y groupinstall "Base" "Development Libraries" "Development Tools"
reboot

Adding the GNOME desktop environment, changing the runlevel, and installing additional software

Issue the following command to install the GNOME desktop environment:

yum groupinstall "Desktop" "X Window System" "Fonts" "Desktop Platform"

To choose whether the desktop starts at boot, edit the file /etc/inittab. A runlevel is a preset operating state that determines which programs are started when the system boots; the default runlevel is set by the initdefault line, and only one such line may be present.

Runlevel 3 (multi-user text mode): the desktop does not start at boot; run startx from the terminal to start it.

id:3:initdefault:

Runlevel 5 (multi-user graphical mode): the desktop starts when the system boots.

id:5:initdefault:

Keeping runlevel 3 on a server is the safer choice: fewer services are running and exposed, and the desktop can still be started on demand.

Issue the following command to install additional packages that improve the desktop experience, then reboot:

yum groupinstall "General Purpose Desktop" "Graphical Administration Tools"
reboot

Creating an administrative user and becoming root with the switch user command

In this section we create the administrative user that will do the daily work, and allow that user to use su (the switch user command) for tasks that require root privileges, such as installing a package. Note that passwd prompts for the new password; it does not take the password as an argument.

useradd [USERNAME]
passwd [USERNAME]

The next task is to modify the user's attributes and add the user to the wheel group (-a appends the group without removing the existing ones):

usermod -a -G wheel [YOUR NEW USERNAME]

We need to make sure the wheel restriction is active in PAM. PAM (Pluggable Authentication Modules) gives the system one global way of authenticating users, so that no individual program needs to know which authentication mechanism is in use. In the file /etc/pam.d/su uncomment the following line. Once it is active, only members of the wheel group can use su at all, which is exactly the restriction we want:

# uncomment the following line to require a user to be in the wheel group
auth            required        pam_wheel.so use_uid

Note: unlike sudo, which lets a user execute a single command as root, su is a very powerful command that lets the user become any other user (including root). sudo is a more flexible way of delegating administrative powers without making a specific user or group an administrator: a sudo user never learns the root password and can be limited to a list of commands, so they can assume some administrative powers without being an administrator in the fullest sense of the word. (To let the wheel group use sudo, enable the wheel line in /etc/sudoers with visudo.) To switch to root type su - ; to become a user other than root use su - [USERNAME]. To see which user you currently are, issue the command whoami.

It is important to remember that su only records the switch itself (PAM logs the session open and close to /var/log/secure); it keeps no record of what the administrator does after becoming root, whereas sudo logs every command it runs. When investigating, check /var/log/secure together with /var/log/messages. Now we can launch the desktop environment with the command startx from the terminal, as the user admin.

A useful command is tzselect; it helps you pick the time zone for a specific user. Install the zone database (tzselect itself ships with glibc-common) and run it:

yum install tzdata
tzselect

To set the time zone for a specific user, add the line printed at the end of the tzselect output to that user's .bash_profile, located at /home/[USERNAME]/.bash_profile. Here is an example:

TZ='America/Bogota'; export TZ

To check the change, log out, log back in and issue the following command from the terminal:

date

To check the time and date, run date. To set the date, type:

date --set="YYYYMMDD"

To set the time, type:

date +%T -s "HH:MM:SS"

Now write the system time to the hardware clock:

hwclock --systohc

and confirm what the hardware clock holds:

hwclock --show

The operating system date and time can be viewed again with:

date

It is a good idea to make sure the server's local time settings point at the correct zone file:

rm /etc/localtime
ln -sf /usr/share/zoneinfo/XXX /etc/localtime

where XXX is the zone chosen above (for example America/Bogota). A reboot is not required; newly started processes pick up the change. On CentOS 6 also set the ZONE variable in /etc/sysconfig/clock to the same zone, so that future tzdata updates regenerate /etc/localtime consistently.

Synchronizing the system clock with NTP


Issue the command:

yum -y install ntp

To customise the service, edit /etc/ntp.conf: set the upstream server and, with restrict lines for your network range, decide who can and who cannot send time requests to this server.

server 192.168.1.1 iburst
logfile /var/log/ntpd.log

The iburst option tells ntpd to send a burst of eight packets to the remote server instead of one while that server is unreachable, which speeds up the initial synchronisation. If your network has no Internet connection, or the connection is intermittent, a fallback source is needed: ntpd can serve time from the undisciplined local clock, so that clients at least keep a consistent (if not externally accurate) time. Uncomment the following lines:

server 127.127.1.0    # local clock
fudge  127.127.1.0 stratum 10

The high stratum (10) guarantees that any real network peer is preferred whenever one is reachable. Enable and start the service, then check the associations (a reboot is not needed):

chkconfig ntpd on
service ntpd restart
ntpq -p               # lists the peers; the line marked with * is the source ntpd is synchronised to
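Reading ntpq -p by eye is error-prone, and with the local clock fallback configured the daemon can look "synchronised" while it is only following 127.127.1.0. The following script is an added example, not part of the original page: it parses ntpq -p output and tells the three cases apart (network peer selected, local clock fallback, nothing selected). The two sample outputs are constructed for the example; the peer 192.168.1.1 is the one used in the configuration above.

```shell
#!/bin/bash
# Interpret the output of `ntpq -p`: is ntpd really synchronised to a network peer, or
# has it quietly fallen back to the undisciplined local clock (127.127.1.0, shown as
# LOCAL(0), stratum 10)? Columns are remote, refid, st, t, when, poll, reach, delay,
# offset, jitter; the first character of each peer line is the tally code, and "*"
# marks the peer ntpd is currently synchronised to.

# ntp_sync_state < ntpq-output -> prints a verdict
# exit 0: synchronised to a network peer; 2: running on the local clock fallback;
# 1: nothing selected (e.g. every peer unreachable, reach column 0)
ntp_sync_state() {
    awk '
        NR <= 2 { next }                          # column header and ===== separator
        {
            tally = substr($0, 1, 1)              # awk strips the leading blank of untagged peers, $0 keeps it
            peer = (tally == " ") ? $1 : substr($1, 2)
            if (tally == "*") { sel = peer; st = $3; off = $9 }
            if ($7 == 0 && peer !~ /^LOCAL\(/) unreachable = unreachable peer " "
        }
        END {
            if (sel == "") { print "NOT synchronised; unreachable: " unreachable; exit 1 }
            if (sel ~ /^(LOCAL\(|127\.127\.)/) {
                print "running on the local clock fallback (stratum " st "); unreachable: " unreachable
                exit 2
            }
            print "synchronised to " sel " (stratum " st ", offset " off " ms)"
        }
    '
}

# Constructed ntpq -p outputs (not captured from a real server)
healthy='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.168.1.1     .GPS.            1 u   32   64  377    0.412   -0.123   0.051
 LOCAL(0)        .LOCL.          10 l   30   64  377    0.000    0.000   0.000'

fallback='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 192.168.1.1     .INIT.          16 u    -   64    0    0.000    0.000   0.000
*LOCAL(0)        .LOCL.          10 l   12   64  377    0.000    0.000   0.000'

printf '%s\n' "$healthy"  | ntp_sync_state
printf '%s\n' "$fallback" | ntp_sync_state || echo "(exit status $?)"
```

On a live server run ntpq -p | ntp_sync_state from a cron job or monitoring check; a non-zero exit status means the server is handing out time that is not anchored to a real reference, which matters for log correlation during an investigation as much as for Cacti graphs.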

To change the hostname of the server, edit the file /etc/sysconfig/network and set the following line:

HOSTNAME=CENTOS-SERVER

Then edit the file /etc/hosts and add a line mapping the address to the fully qualified name and the short name:

192.168.180.3 CACTI-SERVER.lab.local CACTI-SERVER

Use the same name in both files (the example above mixes CENTOS-SERVER and CACTI-SERVER; pick one). The value in /etc/sysconfig/network takes effect at the next boot or network restart, and hostname -f relies on the /etc/hosts entry. To check, issue the following commands from the terminal:

hostname
hostname -f
hostname --fqdn

How to configure SSH


First of all, back up the SSH daemon configuration file and open it for editing:

cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
vi /etc/ssh/sshd_config

In vi, add and/or modify the following lines (keep a second session open while you do this, so that a mistake cannot lock you out):

Port 2202
# Authentication:
LoginGraceTime 60
PermitRootLogin no
AllowUsers admin
X11Forwarding no
#X11Forwarding yes
PrintMotd yes
PrintLastLog yes
ClientAliveInterval 60
ClientAliveCountMax 5
TCPKeepAlive yes

AllowUsers admin means that every other account, root included, is refused at the SSH layer, so make sure the admin account created earlier works before the daemon is restarted. ClientAliveInterval 60 with ClientAliveCountMax 5 drops a session that has not answered for five minutes. If SELinux is left enforcing, sshd is only allowed to bind its standard port; a non-standard port such as 2202 must first be labelled ssh_port_t (semanage port) or the daemon will fail to start.

Save the file and edit /etc/motd to configure the banner, the Message Of The Day (MOTD):

vi /etc/motd

Edit the file /etc/sysconfig/iptables to permit the new port assigned to SSH (2202): add an ACCEPT rule for TCP port 2202 in the same form as the port 80 rule used later for Apache, placed before the final REJECT rule, and keep the port 22 rule until you have confirmed a login on 2202. Then reload the firewall, and restart sshd (service sshd restart) so that the new configuration is read:

service iptables restart
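A hand-edited sshd_config is easy to get subtly wrong: sshd takes the first occurrence of a directive and ignores later ones, a commented-out line silently leaves the compiled-in default in force, and the firewall rule has to match whatever port finally wins. The following script is an added example, not code from the original page: it reports the directives that deviate from the values chosen above and prints the matching /etc/sysconfig/iptables line. It assumes the OpenSSH 5.3 defaults shipped with CentOS 6; the two sample configuration files are constructed for the example.

```shell
#!/bin/bash
# Check an sshd_config against the hardening values from this page and print the
# /etc/sysconfig/iptables rule that has to accompany the chosen port.
# Three facts about sshd_config drive the logic: sshd honours the FIRST occurrence of
# a keyword, keyword matching is case-insensitive, and an absent keyword falls back
# to the daemon's built-in default (OpenSSH 5.3 on CentOS 6 is assumed here).

# sshd_effective FILE KEYWORD DEFAULT -> prints the value sshd would actually use
sshd_effective() {
    local file="$1" key="$2" default="$3" val
    val=$(awk -v k="$key" '
        /^[ \t]*(#|$)/ { next }                       # comments and blank lines
        tolower($1) == tolower(k) { print $2; exit }  # first occurrence wins
    ' "$file")
    printf '%s\n' "${val:-$default}"
}

# audit_sshd_config FILE -> one line per finding on stdout; exit status = number of findings
audit_sshd_config() {
    local file="$1" findings=0 v

    v=$(sshd_effective "$file" Port 22)
    [ "$v" != "22" ] || { echo "Port 22: still on the default port (this page moves sshd to 2202)"; findings=$((findings + 1)); }

    v=$(sshd_effective "$file" Protocol 2)
    [ "$v" = "2" ] || { echo "Protocol $v: only protocol 2 should be offered"; findings=$((findings + 1)); }

    v=$(sshd_effective "$file" PermitRootLogin yes)
    [ "$v" = "no" ] || { echo "PermitRootLogin $v: root must come in as admin and use su/sudo"; findings=$((findings + 1)); }

    v=$(sshd_effective "$file" X11Forwarding no)
    [ "$v" = "no" ] || { echo "X11Forwarding $v: not needed on a server"; findings=$((findings + 1)); }

    v=$(sshd_effective "$file" LoginGraceTime 120)
    case "$v" in
        *[!0-9]*) echo "LoginGraceTime $v: use a plain number of seconds, 60 or less"; findings=$((findings + 1)) ;;
        *) [ "$v" -gt 0 ] && [ "$v" -le 60 ] || { echo "LoginGraceTime $v: want 1..60 seconds (0 disables the limit)"; findings=$((findings + 1)); } ;;
    esac

    v=$(sshd_effective "$file" AllowUsers "")
    [ -n "$v" ] || { echo "AllowUsers unset: every local account may log in (this page allows only admin)"; findings=$((findings + 1)); }

    return "$findings"
}

# iptables_rule_for_sshd FILE -> the /etc/sysconfig/iptables line admitting the configured port
iptables_rule_for_sshd() {
    local port
    port=$(sshd_effective "$1" Port 22)
    printf -- '-A INPUT -m state --state NEW -m tcp -p tcp --dport %s -j ACCEPT\n' "$port"
}

# Constructed samples (not real files from the page): a stock CentOS 6 sshd_config, where
# everything but Protocol and X11Forwarding is commented out, and the hardened one from this page.
stock=$(mktemp)
cat > "$stock" <<'EOF'
#Port 22
Protocol 2
#LoginGraceTime 2m
#PermitRootLogin yes
X11Forwarding yes
EOF

hardened=$(mktemp)
cat > "$hardened" <<'EOF'
Port 2202
Protocol 2
# Authentication:
AllowUsers admin
LoginGraceTime 60
PermitRootLogin no
X11Forwarding no
PrintMotd yes
PrintLastLog yes
ClientAliveInterval 60
ClientAliveCountMax 5
TCPKeepAlive yes
EOF

for f in "$stock" "$hardened"; do
    echo "== $f =="
    if audit_sshd_config "$f"; then echo "no findings"; fi
    echo "firewall rule: $(iptables_rule_for_sshd "$f")"
done
```

Run audit_sshd_config /etc/ssh/sshd_config before the restart; the exit status makes it usable from a deployment script, and iptables_rule_for_sshd gives you the exact line to paste into /etc/sysconfig/iptables ahead of the REJECT rule.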

Using logrotate to manage logfiles


The logrotate utility simplifies the administration of log files on a system that generates many of them. It can automatically rotate, compress, remove and mail log files, and it can handle a log daily, weekly, monthly or when the log reaches a certain size. The global defaults live in /etc/logrotate.conf; add/modify the following lines:

vi /etc/logrotate.conf

monthly
rotate 7
compress
size 500M

Test the configuration without rotating anything:

logrotate -vfd /etc/logrotate.conf

Per-service definitions go in /etc/logrotate.d/. Create one for the NTP log configured earlier (logrotate only accepts comments on lines of their own, so keep each comment above the directive it describes):

vi /etc/logrotate.d/ntp

/var/log/ntpd.log {
    # if there is no log file, do not issue an error or warning
    missingok
    # do not rotate an empty log
    notifempty
    # rotate once the log is over 50M
    size 50M
    # keep 5 rotated log files at a time
    rotate 5
    # rotate the log weekly
    weekly
    # permissions and owner of the newly created log file
    create 0600 root root
    # restart ntpd so that it reopens the new file; prerotate is the other available hook
    postrotate
        /sbin/service ntpd restart
    endscript
}

logrotate -vfd /etc/logrotate.conf

One caveat: size and a time interval such as weekly are alternatives, not a combination. When both appear, the one read last wins, so decide whether this log should rotate by size or by time and drop the other directive (recent logrotate versions offer maxsize to do both).

Note
The previous command tests our settings using several flags: -v makes logrotate report what it is doing and when; -f forces a rotation even if logrotate does not think one is due yet; -d is a debug (dry) run that implies -v and performs no actual rotation, leaving the logs and the state file untouched.

Evaluating current memory usage with the free and top commands and clearing the memory cache
To check the server's memory status, use the free and top utilities:

free -m

top

To drop the kernel's page cache, dentries and inodes, issue the following commands from the terminal as root. Only clean, reclaimable memory is released, so this is safe, but it is a benchmarking aid rather than something to run routinely: the kernel simply rebuilds the cache afterwards.

sync
echo 3 > /proc/sys/vm/drop_caches

Managing Packages with Yum


yum check-update                  # list the updates available
yum -y update
reboot
yum provides your_filename_here   # find which package supplies a file

Yum keeps downloaded packages and repository metadata in its cache. These files are useful, but over time they accumulate to the point where yum may behave erratically or not as intended. How often this happens varies from system to system, but it generally means the yum cache needs attention. To clean it, issue the following commands:

yum clean packages
yum clean metadata
yum clean dbcache
yum clean all
yum makecache

Removing packages with YUM


You can use the following commands:

yum remove package_name
yum search keyword
yum info package_name
yum deplist package_name
yum list all
yum list all | less
yum list installed | less

Installing Yum Priorities to support additional repositories


To use other repositories safely, install the priorities plugin and edit the files below. The plugin makes sure that a package available from a higher-priority (lower number) repository is never replaced by a same-named package from a third-party repository.

yum install yum-plugin-priorities

Make sure the plugin is enabled by checking the file /etc/yum/pluginconf.d/priorities.conf:

vi /etc/yum/pluginconf.d/priorities.conf

Then add the directive priority=1 to the [base], [updates] and [extras] sections of the CentOS repository file:

vi /etc/yum.repos.d/CentOS-Base.repo

[base]
priority=1

[updates]
priority=1

[extras]
priority=1

yum update

To add the additional repositories (EPEL and REMI) we need their release packages, which also install the repositories' GPG keys so that gpgcheck can stay on:

yum install wget
wget http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-7.noarch.rpm
wget http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
rpm -Uvh remi-release-6*.rpm epel-release-6*.rpm

Edit the following files and change the [remi] and [epel] sections as shown below (the directive is spelled enabled, not enable); a priority of 10 keeps the CentOS repositories ahead of them:

vi /etc/yum.repos.d/remi.repo
enabled=1
priority=10

vi /etc/yum.repos.d/epel.repo
enabled=1
priority=10

yum update

Protecting SSH with fail2ban


Fail2ban monitors clients that repeatedly fail to log in to your server; its main purpose is to mitigate attacks that try to guess passwords and steal user credentials. It works by continuously reading log files and, when a log contains a pattern indicating a number of failed attempts from one address, acting against that IP address (on CentOS, by inserting an iptables rule). Install fail2ban from the terminal (it comes from the EPEL repository added above):

yum install fail2ban

Copy the shipped jail.conf to jail.local, which overrides it and survives package updates, then add/modify the following lines in the [DEFAULT] section of /etc/fail2ban/jail.local:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

ignoreip = 192.168.180.1/24
bantime  = 3600
findtime = 900
maxretry = 5

The log destination is set in /etc/fail2ban/fail2ban.conf:

logtarget = /var/log/fail2ban.log

Because sshd was moved to port 2202, also change port=ssh to port=2202 in the action line of the ssh-iptables jail; otherwise the rule fail2ban inserts only blocks port 22 and the attacker keeps going on 2202. Then enable and start the service:

chkconfig fail2ban on
service fail2ban start

bantime is the total number of seconds a host is blocked from the server once it is found in violation of the rules. findtime is the window, in seconds, over which failures are counted: a host that fails maxretry times within findtime seconds is banned. ignoreip lists addresses that are never banned, here the local management network, so that a typo on your own side cannot lock you out.
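To see what those three numbers actually do, it helps to run the same decision logic over a log by hand. The following script is an added example, not part of the original page or of fail2ban: it reads sshd "Failed password" lines from a /var/log/secure-style file and prints the addresses that reach maxretry failures within a findtime window, skipping an ignore prefix that stands in for ignoreip. The log excerpt is constructed for the example, and syslog timestamps carry no year, so the script assumes one year and 31-day months (exact as long as a window does not cross a month boundary).

```shell
#!/bin/bash
# Reproduce the decision fail2ban's sshd jail makes: a source address that produces
# MAXRETRY "Failed password" lines within any FINDTIME-second window is a ban
# candidate; addresses under IGNORE_PREFIX (a simplified ignoreip) are never banned.
# Assumptions: syslog timestamps ("Mar 10 12:00:01") carry no year, so all lines are
# treated as one year and months are approximated as 31 days; that is exact for any
# window that does not cross a month boundary.

# ban_candidates LOGFILE FINDTIME MAXRETRY [IGNORE_PREFIX] -> one IP per line, in the
# order in which each address crossed the threshold
ban_candidates() {
    awk -v findtime="$2" -v maxretry="$3" -v ignore="${4:-}" '
        function ts(mon, day, hms,    a) {       # seconds since the start of the assumed year
            split(hms, a, ":")
            return ((mi[mon] - 1) * 31 + day) * 86400 + a[1] * 3600 + a[2] * 60 + a[3]
        }
        BEGIN {
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i in m) mi[m[i]] = i
        }
        /sshd\[[0-9]+\]: Failed password for .* from / {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip == "" || (ip in banned)) next
            if (ignore != "" && substr(ip, 1, length(ignore)) == ignore) next
            t = ts($1, $2, $3)
            n[ip]++
            seen[ip, n[ip]] = t
            c = 0                                   # failures from ip inside the window ending now
            for (j = n[ip]; j >= 1 && t - seen[ip, j] <= findtime; j--) c++
            if (c >= maxretry) { banned[ip] = 1; print ip }
        }
    ' "$1"
}

# Constructed /var/log/secure excerpt (not a real capture): 10.0.0.5 hammers the server,
# 192.168.180.50 is a user on the trusted LAN who mistypes five times, 10.0.0.9 fails
# five times but 20 minutes apart, and one line is a successful login that must not count.
log=$(mktemp)
cat > "$log" <<'EOF'
Mar 10 12:00:01 centos sshd[2001]: Failed password for invalid user oracle from 10.0.0.5 port 40001 ssh2
Mar 10 12:00:03 centos sshd[2001]: Failed password for invalid user oracle from 10.0.0.5 port 40001 ssh2
Mar 10 12:00:05 centos sshd[2002]: Failed password for root from 10.0.0.5 port 40002 ssh2
Mar 10 12:00:06 centos sshd[2003]: Accepted password for admin from 192.168.180.10 port 40003 ssh2
Mar 10 12:00:07 centos sshd[2004]: Failed password for root from 10.0.0.5 port 40004 ssh2
Mar 10 12:00:09 centos sshd[2005]: Failed password for root from 10.0.0.5 port 40005 ssh2
Mar 10 12:00:11 centos sshd[2006]: Failed password for root from 10.0.0.5 port 40006 ssh2
Mar 10 12:01:00 centos sshd[2010]: Failed password for admin from 192.168.180.50 port 40010 ssh2
Mar 10 12:01:02 centos sshd[2010]: Failed password for admin from 192.168.180.50 port 40010 ssh2
Mar 10 12:01:04 centos sshd[2010]: Failed password for admin from 192.168.180.50 port 40010 ssh2
Mar 10 12:01:06 centos sshd[2011]: Failed password for admin from 192.168.180.50 port 40011 ssh2
Mar 10 12:01:08 centos sshd[2011]: Failed password for admin from 192.168.180.50 port 40011 ssh2
Mar 10 13:00:00 centos sshd[2020]: Failed password for admin from 10.0.0.9 port 40020 ssh2
Mar 10 13:20:00 centos sshd[2021]: Failed password for admin from 10.0.0.9 port 40021 ssh2
Mar 10 13:40:00 centos sshd[2022]: Failed password for admin from 10.0.0.9 port 40022 ssh2
Mar 10 14:00:00 centos sshd[2023]: Failed password for admin from 10.0.0.9 port 40023 ssh2
Mar 10 14:20:00 centos sshd[2024]: Failed password for admin from 10.0.0.9 port 40024 ssh2
EOF

echo "ban candidates (findtime 900, maxretry 5, ignoring 192.168.180.0/24):"
ban_candidates "$log" 900 5 192.168.180.
```

Two things the run makes visible: the slow attacker 10.0.0.9 never trips a 900-second window, which is why findtime has to be tuned against the attack rate you actually see in /var/log/secure, and dropping the ignore prefix puts the LAN user in the ban list, which is the lock-out that ignoreip is there to prevent.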

Running antivirus scans with ClamAV


Fast, free and efficient, ClamAV is an open source antivirus engine that CentOS can use to detect trojans, viruses and other malware. Install the daemon (from EPEL), enable it, update the signatures and run a scan:

yum install clamd
chkconfig clamd on
service clamd start
freshclam                                                 # update the signature database
clamscan                                                  # scan the current directory
clamscan --infected --remove --recursive /DIRECTORYNAME   # scan a tree, print only infected files and delete them

Be careful with --remove: it deletes every file the engine flags, false positives included. For anything you may want to inspect, use --move=/some/quarantine/dir instead. The daemon writes its log to /var/log/clamav/clamd.log.

SELinux
Security-Enhanced Linux is a very robust security mechanism that is enabled by default. It is designed to improve the security of your server, although on occasion you may be asked to disable it in order to install a new package or to simplify server management. SELinux has three possible states:

enforcing: the SELinux security policy is enforced. Set with SELINUX=enforcing. Security and access policies are enforced on both files and processes.

permissive: SELinux prints warnings instead of enforcing. Set with SELINUX=permissive. Operations that the policy would block are allowed, but SELinux writes messages to /var/log/audit/audit.log showing which operations would have been blocked. The mechanism that labels files and processes according to the policy stays active in this state.

disabled: no SELinux policy is loaded. Set with SELINUX=disabled. SELinux is completely off: all operations are permitted, and logging and file/process labelling stop.

To disable SELinux edit the file /etc/sysconfig/selinux (a symlink to /etc/selinux/config) and add/modify the following line:

SELINUX=disabled

then reboot. Prefer permissive over disabled whenever you can: it shows you exactly which rules a new service trips in audit.log while you test, and you can go back to enforcing without the full filesystem relabel that a period in disabled mode requires (files created while SELinux is disabled carry no labels). To determine the current state of SELinux, issue the command:

getenforce

Note: while SELinux is running you can use the setenforce command (setenforce 0 for permissive, setenforce 1 for enforcing). It only switches between enforcing and permissive, it cannot disable SELinux, and the change does not survive a reboot.

FTP with VSFTPD


To install the FTP server, issue the command from the terminal:

yum install vsftpd

Edit the file /etc/vsftpd/vsftpd.conf and add/modify the following lines:

vi /etc/vsftpd/vsftpd.conf

anonymous_enable=NO
xferlog_std_format=NO
ascii_upload_enable=YES
ascii_download_enable=YES
chroot_local_user=YES
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd/chroot_list
idle_session_timeout=600
data_connection_timeout=120

# go to the bottom of the file and add the following lines
use_localtime=YES
# make sure that this folder exists
local_root=/home/admin/public_ftp

Next, create the file /etc/vsftpd/chroot_list with one user name per line, then enable and start the service:

vi /etc/vsftpd/chroot_list
admin

chkconfig vsftpd on
service vsftpd start

Note how that list is interpreted. With chroot_local_user=YES every local user is jailed in their home directory (here local_root), and chroot_list_file becomes the list of exceptions, that is, the users who are NOT jailed. So an admin entry in chroot_list lets admin browse the whole filesystem over FTP; leave the file empty (or leave admin out of it) if admin should be confined like everyone else. The chroot jail is an essential security feature: once it is in place, each user can only reach the files under their own home directory.

Install a command-line client to test the server:

yum install ncftp
ncftp -u admin localhost   # log in as admin to test the FTP server

Secure connection to VSFTP with SSL/TLS using OpenSSL encryption


We need to create a key pair and a certificate, then configure vsftpd to use TLS and force users to log in over the encrypted channel:

cd /etc/vsftpd/
openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem
chmod 600 vsftpd.pem
vi /etc/vsftpd/vsftpd.conf

# add these lines at the bottom of the file
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem

service vsftpd restart

A few caveats. Generate the key with rsa:2048 or larger rather than rsa:1024; 1024-bit RSA is no longer considered adequate. -nodes leaves the private key unencrypted, which is what a daemon needs, hence the chmod 600. The certificate is self-signed, so clients will warn about it on first connection; compare the fingerprint instead of clicking through. Keeping SSLv2 and SSLv3 off is correct; ssl_tlsv1 controls TLS 1.0, and later vsftpd releases add ssl_tlsv1_1 and ssl_tlsv1_2 to control the newer versions explicitly. Finally, once the control channel is encrypted the firewall can no longer read the PASV replies, so the iptables FTP connection-tracking helper stops working: set pasv_min_port and pasv_max_port to a fixed range in vsftpd.conf and open that range in /etc/sysconfig/iptables along with port 21.

With this done, we can test the connection with a client that supports FTP over TLS, such as WinSCP.

In WinSCP choose the FTP protocol with TLS/SSL encryption and port 21, the port vsftpd listens on. If you choose SFTP with port 2202 instead, you are connecting through sshd, and vsftpd plays no part in that session.

Now we can see that the connection is secured.

Cacti
Cacti (cacti.net) is a network monitoring tool that graphs system and network information over time (time-series data) and provides a comprehensive Web interface for browsing and examining the ongoing performance of the devices on a network. We can configure Cacti to monitor the network traffic passing through the network ports on local servers and the switch and router ports on the local network. Cacti graphs provide information on traffic levels on the various parts of the network. When the network is slow, for example, we can refer to the historical graphs and see if anything out of the ordinary has occurred. In addition to network traffic levels, Cacti can collect data on CPU utilization, disk space usage, page views on a Web server, and almost any other data points available on the local network.

Prerequisites
Install the following packages: cacti (Fedora ships it directly; for RHEL/CentOS it comes from the EPEL repository added above, although this page installs Cacti from its source tarball and only takes the dependencies from yum), mysql, mysql-server, php (pulled in by cacti), httpd (Apache; pulled in by cacti), rrdtool (pulled in by cacti), net-snmp (optional; needed only to monitor the local system) and net-snmp-utils (optional).

Cacti Configuration
Data retrieval
Cacti retrieves data through a poller, an application executed at a constant interval by the operating system's scheduler; on Unix it is set up in crontab. Cacti uses cmd.php by default. If a faster poller is required because of a large infrastructure, you can use spine (formerly known as cactid), a very fast poller written in C that uses POSIX threads and links directly against the Net-SNMP library for minimal SNMP polling overhead. A network today contains many different devices: routers, switches, servers, UPSs and assorted computer and network appliances. To retrieve data from these remote devices Cacti uses SNMP (Simple Network Management Protocol); any device that speaks SNMP can be monitored by Cacti.

Data storage
There are many options for this task, such as an SQL database or a flat-file database. Cacti uses RRDtool to store data. RRD (round-robin database) is a system for storing and displaying time-series data collected from SNMP-capable devices. It consolidates historical data with consolidation functions such as AVERAGE, MINIMUM and MAXIMUM to keep the storage size small, which is why creating graphs and reports from RRD files is fast and easy.

Data presentation
The most important feature of RRDtool is its built-in graphing function. Cacti uses it to produce customised graphs and reports from the time-series data collected from SNMP-capable devices. The graphing function supports auto-scaling and a logarithmic y-axis; one or many items can be drawn in a single graph, with legends showing characteristics such as maximum, average and minimum.

Net-SNMP is a suite of software for using and deploying the SNMP protocol (versions v1, v2c and v3) and the AgentX subagent protocol. It supports IPv4, IPv6, IPX, AAL5, UNIX domain sockets and others. The suite includes command-line applications, a generic client library, a graphical MIB browser using Perl/Tk, a daemon for receiving SNMP notifications (snmptrapd), an extensible SNMP agent that responds to management queries (snmpd), and Perl, C and Python modules and APIs for building external applications. Keep in mind that v1 and v2c send the community string in clear text and offer no authentication beyond it; prefer v3 with authentication and privacy wherever the monitored devices support it.

RRDtool was written by Tobias Oetiker, also known for MRTG. It is written in C and stores its data in .rrd files. The number of records in a single .rrd file never grows: old records are continually dropped, and the data is processed to a fixed density so that useful graphs can be produced. RRDtool offers several commands for accessing and manipulating .rrd files: create, update, updatev, graph, dump, restore, fetch, tune, last, info, resize, xport and rrdcgi.

How does the RRDTool work?


RRDtool follows a logical design for acquiring and processing data collected from data sources (DS). The following is a brief discussion of the steps in that process:

Data acquisition: When monitoring a device or system, data must be received at a constant interval. A system administrator cannot sustain that by hand; this is where RRDtool comes in. It stores the data, received at the constant interval the administrator configured, in a round-robin database, using the poller application scheduled by the operating system.

Data consolidation: The administrator may log data at a five-minute interval but want to know the aggregate over the last month. Simply storing every five-minute sample for the whole month would answer the question, but it would take a large amount of disk space and considerable time to analyse, and in a network environment administrators monitor far more than a single device. RRDtool solves this with its data consolidation feature: when creating a round-robin database, the administrator defines at which intervals consolidation happens and with which consolidation functions (CF), such as MAXIMUM, AVERAGE, MINIMUM and others.

Round Robin Archives of consolidated data: The consolidated values are stored in Round Robin Archives (RRA). In this way RRDtool stores data in the most efficient form for the time period the administrator defined, and the database file stays at a constant size, which keeps processing and analysis fast.

Unknown data: RRDtool stores data at a constant interval in the round-robin database. Sometimes a value is not available to store, because of a device failure or other causes; in that case RRDtool records the special *UNKNOWN* value, which every RRDtool function understands.

Graphing: RRDtool lets the administrator generate reports in graphical and numerical form from the data stored in the round-robin database (RRD) using its built-in graph functions. The graphs can be customised in colour, size and content.

Lets start installing CACTI


yum install httpd                 # install the Apache web server
chkconfig --list httpd
chkconfig httpd on
service httpd start

vi /etc/sysconfig/iptables        # permit HTTP requests to the server
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT

service iptables restart
netstat -tan                      # confirm httpd is listening on port 80
iptables -nL                      # confirm the rule is loaded

vi /etc/httpd/conf.d/welcome.conf # comment out every line in this file (removes the default welcome page)

vi /etc/httpd/conf/httpd.conf
<Directory "/var/www/html">
    Options -Indexes FollowSymLinks
    Allow from 192.168.180.0/255.255.255.0
</Directory>

Change Indexes to -Indexes to disable directory listing. Note that on Apache 2.2 an Allow from line by itself restricts nothing: it only limits access when the directory block also carries Order deny,allow and Deny from all above it, so add those two directives if the intent is to let only the 192.168.180.0/24 network reach the server.

yum install php
service httpd restart

Create a test page under /var/www/html with the following code. It prints the server's time zone and the current date and time, which confirms that Apache is executing PHP and shows whether date.timezone is set in php.ini:

<CENTER><FONT SIZE=+3 COLOR=RED>
<?php
$timezone = date_default_timezone_get();
echo "The current server timezone is: " . $timezone;
?>
<p></p>
<?php
$date = date('m/d/Y h:i:s a', time());
echo "The current server date and time is: " . $date;
?>
</CENTER>

To see which modules PHP has loaded, create phpinfo.php (a page that calls phpinfo()) in the same directory and open it in a browser:

http://192.168.180.3/phpinfo.php   # check that Apache has loaded the PHP module

Remove phpinfo.php once the checks below are finished; it publishes the full PHP and server configuration to anyone who can reach the web server.

yum install mysql-server
yum install php-mysql
service httpd restart             # check the phpinfo.php output to see that PHP has loaded the mysql module

yum install net-snmp net-snmp-utils php-snmp
service httpd restart             # check the phpinfo.php output to see that PHP has loaded the snmp module

yum install rrdtool

# enable the mysql and snmp services at boot and start them
chkconfig snmpd on
chkconfig mysqld on
service snmpd start
service mysqld start

mysqladmin -u root password 'PASSWORD'   # set the MySQL root password (it is empty after installation)

# Now let's download and install cacti

# First download the source tarball, copy it to the server through SFTP (over the sshd on port 2202) and unpack it

tar -xzvf /home/admin/Desktop/cacti-0.8.8b.tar.gz

mysql -u root -p                  # open the MySQL console
CREATE DATABASE cacti;
GRANT ALL ON cacti.* TO cactiuser@localhost IDENTIFIED BY '[SPECIFYCACTIPASS]';
FLUSH PRIVILEGES;
exit

mysql -u root -p cacti < /home/admin/Desktop/cacti-0.8.8b/cacti.sql
mv /home/admin/Desktop/cacti-0.8.8b /var/www/html/cacti
cd /var/www/html/cacti

vi include/config.php
$database_password = "[SPECIFYCACTIPASS]";   # the password given in the GRANT above, not the user name

vi /etc/cron.d/cacti
*/5 * * * * admin /usr/bin/php /var/www/html/cacti/poller.php > /dev/null 2>&1

# The poller runs as admin, so the rra and log folders must be owned by the admin user and group
chown -R admin:admin /var/www/html/cacti/log
chown -R admin:admin /var/www/html/cacti/rra
chmod 775 /var/www/html/cacti/rra
chmod 775 /var/www/html/cacti/log

vi /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 161 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 162 -j ACCEPT

Port 161 is only needed if another manager will poll this server's snmpd; Cacti polling the local host talks to 127.0.0.1 and needs no rule. Port 162 is for traps received by snmptrapd, which Cacti does not use, so leave that rule out unless you run a trap receiver. Also prefer the packaged cacti from EPEL over a tarball when it is available, so that updates arrive through yum.

Now open http://192.168.180.3/cacti/ in a web browser. The first login uses Username: admin, Password: admin, and the installer makes you change it; choose a strong password, because Cacti data input methods let an administrator run scripts on the poller host.
