Friday, 10 April 2020

vsftpd on Centos7

To install vsftpd on CentOS 7, do the following:

yum update
yum install -y vsftpd

rm -f /etc/vsftpd/vsftpd.conf

cat << EOF >> /etc/vsftpd/vsftpd.conf
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.pem
pasv_address=
pasv_max_port=65399
pasv_min_port=65350
anonymous_enable=NO
local_enable=YES
write_enable=YES
log_ftp_protocol=YES
xferlog_enable=YES
xferlog_std_format=NO
vsftpd_log_file=/var/log/vsftpd.log
pam_service_name=vsftpd
userlist_enable=YES
userlist_file=/etc/vsftpd/user_allowed_list
userlist_deny=NO
listen_port=21
EOF

generate the combined key and certificate file /etc/vsftpd/vsftpd.pem (self-signed, valid for 10 years; -nodes leaves the private key unencrypted so the service can start unattended):

openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem

and fill in the value of pasv_address in /etc/vsftpd/vsftpd.conf with the public IP address of your server (clients use it to reach the passive-mode data ports):

pasv_address=XXX.XXX.XXX.XXX


restart the vsftpd service:

systemctl restart vsftpd


Add firewall rules for the control port and the passive port range configured above:

firewall-cmd --permanent --add-port=20-21/tcp
firewall-cmd --permanent --add-port=65350-65399/tcp
firewall-cmd --reload

Now you can add users of your system to the file /etc/vsftpd/user_allowed_list (with userlist_deny=NO only the users listed there can log in).

To disable SSH access for FTP users, set the /sbin/nologin shell instead of /bin/bash for those users:

usermod -s /sbin/nologin $USER

and add /sbin/nologin to /etc/shells, because the vsftpd PAM stack uses pam_shells and rejects users whose shell is not listed there.
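A config audit, as an added example that is not part of the original post: it parses a vsftpd.conf and reports any of the settings above that are missing or overridden by a later line, plus an empty pasv_address. The sample config is constructed.

```python
# Added example (not part of the original post): audit a vsftpd.conf against
# the settings used above. vsftpd reads the file top-down, so a later
# assignment of a key overrides an earlier one; the parser keeps the last value.
REQUIRED = {
    "ssl_enable": "YES", "allow_anon_ssl": "NO",
    "force_local_data_ssl": "YES", "force_local_logins_ssl": "YES",
    "ssl_sslv2": "NO", "ssl_sslv3": "NO", "anonymous_enable": "NO",
    "userlist_enable": "YES", "userlist_deny": "NO",
}

def parse_vsftpd_conf(text):
    """Return {key: value} for key=value lines; comments and blanks skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings

def audit_vsftpd_conf(text):
    """Return a list of findings; an empty list means the config matches."""
    s = parse_vsftpd_conf(text)
    findings = []
    for key, want in REQUIRED.items():
        have = s.get(key)
        if have != want:
            findings.append(f"{key}: want {want}, have {have or '<unset>'}")
    # An empty pasv_address= is the same as leaving it unset: PASV replies
    # then advertise the socket's local address, which is wrong behind NAT.
    if not s.get("pasv_address"):
        findings.append("pasv_address: unset; set it to the server's public IP")
    return findings

# Constructed sample: the config above with the address filled in.
SAMPLE_CONF = """ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
pasv_address=203.0.113.10
anonymous_enable=NO
userlist_enable=YES
userlist_deny=NO
"""
if __name__ == "__main__":
    for finding in audit_vsftpd_conf(SAMPLE_CONF) or ["OK"]:
        print(finding)
```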


To connect to the FTP server use, for example, FileZilla and configure the connection like this:


That's all.

Thursday, 23 January 2020

Joining CentOS 7 to AD

To join CentOS 7 to Active Directory you first need to configure time synchronization between CentOS and the domain controllers (Kerberos rejects tickets when the clock skew is too large), so install chrony:

yum install chrony -y

and set the domain controllers as time servers in /etc/chrony.conf:

server 172.27.x.x
server 172.27.x.y
server 172.27.x.z

and restart the chrony service (the unit on CentOS 7 is called chronyd):

systemctl restart chronyd

and check that the service is enabled and running:

systemctl status chronyd

then install the required packages:

yum install sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python -y

then discover your domain:

realm discover your_domain.local

you should receive something like this:

your_domain.local
  type: kerberos
  realm-name: YOUR_DOMAIN.LOCAL
  domain-name: your_domain.local
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools

and join the machine to the domain (you will be prompted for the password of the domain account):

realm join -U administrator your_domain.local

If there are no errors, everything is OK.

To allow logging in without the full domain name (user instead of user@your_domain.local):

sed -i 's/use_fully_qualified_names\ =\ True/use_fully_qualified_names\ =\ False/g'  /etc/sssd/sssd.conf

and to create the users' home directories without the domain name:

sed -i 's/home\/\%u\@\%d/home\/\%u/' /etc/sssd/sssd.conf

To create home directories automatically on first login:

authconfig --enablemkhomedir --enablesssdauth --updateall

enable the service and restart it:

systemctl enable sssd.service && systemctl restart sssd

Friday, 10 January 2020

RDP server on Ubuntu 18 desktop

To add an RDP server on Ubuntu 18, do the following:

# Add the xrdp PPA and refresh the package lists
sudo add-apt-repository ppa:martinx/xrdp-hwe-18.04
sudo apt-get update

# Install new packages
sudo apt-get install xrdp xorg

# Add xrdp user to ssl-cert group and reboot
sudo adduser xrdp ssl-cert
sudo reboot
After that use an rdesktop client to connect to your server. If you get an error about creating a color device, do the following:
sudo apt-get install gnome-tweak-tool -y 
sudo sed -i 's/allowed_users=console/allowed_users=anybody/' /etc/X11/Xwrapper.config
sudo touch /etc/polkit-1/localauthority.conf.d/02-allow-colord.conf
sudo gedit /etc/polkit-1/localauthority.conf.d/02-allow-colord.conf
and paste the following text (straight quotes; replace {group} with the group your RDP users belong to):

polkit.addRule(function(action, subject) {
    if ((action.id == "org.freedesktop.color-manager.create-device" ||
         action.id == "org.freedesktop.color-manager.create-profile" ||
         action.id == "org.freedesktop.color-manager.delete-device" ||
         action.id == "org.freedesktop.color-manager.delete-profile" ||
         action.id == "org.freedesktop.color-manager.modify-device" ||
         action.id == "org.freedesktop.color-manager.modify-profile") &&
        subject.isInGroup("{group}")) {   // {group}: the group of your RDP users
        return polkit.Result.YES;
    }
});
To add xrdp to Ubuntu 18 server (no desktop installed) you should do the following:
tasksel install ubuntu-mate-core
systemctl enable lightdm
apt install xfce4 xfce4-goodies xorg dbus-x11 x11-xserver-utils 
apt install xrdp
adduser xrdp ssl-cert
firewall-cmd --zone=public --permanent --add-port=3389/tcp

Thursday, 26 December 2019

Nginx proxy & real IP to apache 2.4.6

On CentOS 7, Apache 2.4.6 uses the module remoteip instead of rpaf.
To check whether the module is available, run:

 httpd -M | grep remoteip

the response should look like:

 remoteip_module (shared)

Then create the file /etc/httpd/conf.modules.d/remoteip.conf:

<IfModule remoteip_module>
  RemoteIPHeader X-Forwarded-For
  RemoteIPInternalProxy  172.27.0.1
</IfModule>

where 172.27.0.1 is the internal IP of your nginx proxy. Only connections from the addresses listed in RemoteIPInternalProxy have their X-Forwarded-For header honoured; the header on any other connection is ignored, which is what prevents a client from spoofing its own address.

In /etc/httpd/conf/httpd.conf replace %h with %a in the LogFormat lines (%a logs the client address as determined by mod_remoteip).

The nginx config should contain the following lines:

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://your_site.com;
    }

After that you will see the real client IP in the logs and can use real client IPs in access restriction rules in the Apache config files.
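A model of the address selection described above, as an added example (not Apache's code): it shows why RemoteIPInternalProxy matters by walking X-Forwarded-For from the right and trusting the header only when the TCP peer is the listed nginx proxy. The request values are constructed.

```python
import ipaddress

# Added example (not Apache's code): a model of how mod_remoteip picks the
# client address with "RemoteIPHeader X-Forwarded-For" and
# "RemoteIPInternalProxy 172.27.0.1" from the config above.
INTERNAL_PROXIES = [ipaddress.ip_network("172.27.0.1/32")]

def is_internal(addr, trusted):
    return any(addr in net for net in trusted)

def remote_ip(peer_addr, xff_header, trusted=INTERNAL_PROXIES):
    """Return (client_ip, proxies_passed).

    The header is only consulted when the TCP peer is a listed proxy. The
    X-Forwarded-For list is then walked from the right: every hop that is
    itself a listed proxy is skipped, and the first address that is not
    becomes the client. Addresses further left are whatever the client
    chose to send and are ignored, so a spoofed header cannot pick the IP.
    """
    client = ipaddress.ip_address(peer_addr)
    proxies = []
    if not is_internal(client, trusted):
        return str(client), proxies          # direct connection: header ignored
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    while hops:
        try:
            candidate = ipaddress.ip_address(hops.pop())
        except ValueError:
            break                             # malformed hop: stop, keep current
        proxies.append(str(client))
        client = candidate
        if not is_internal(client, trusted):
            break
    return str(client), proxies

if __name__ == "__main__":
    # Constructed requests: a spoofed XFF prefix is ignored, and a header
    # from a direct (untrusted) connection is ignored entirely.
    print(remote_ip("172.27.0.1", "10.9.9.9, 203.0.113.5"))  # ('203.0.113.5', ['172.27.0.1'])
    print(remote_ip("198.51.100.7", "127.0.0.1"))            # ('198.51.100.7', [])
```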

Wednesday, 9 October 2019

Wildcard certificate from Let's Encrypt

If you need a wildcard certificate from Let's Encrypt for your domain, you can use certbot.

First of all, you need access to your DNS zone to create TXT records like this (wildcard certificates can only be issued through the DNS-01 challenge):

_acme-challenge.domain.com IN TXT   "some_value"

Second, install certbot:

yum install -y certbot


then make a request like this (the ACME v2 endpoint is required for wildcards):

certbot certonly --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory --manual-public-ip-logging-ok -d '*.domain.com' -d domain.com


During the dialog you will be told which TXT record to put in your DNS.

Monday, 23 September 2019

MariaDB create master slave replication

First of all, check the MariaDB server config file (usually /etc/my.cnf.d/server.cnf) on the master and slave servers. The master must contain:
[mariadb]
binlog_format=MIXED
log-bin
server_id=1
and the slave (server_id must differ from the master's):
[mariadb]
binlog_format=MIXED
log-bin
server_id=2
Also, create a user for replication on the master and grant it the replication privilege:
create user 'replication_user'@'$SLAVE_IP' identified by '$PASSWORD';
grant replication slave on *.* to 'replication_user'@'$SLAVE_IP';
flush privileges;

Then log in to the master database, lock the tables, read the master status (binlog file and position) and create a dump of the databases:
FLUSH TABLES WITH READ LOCK;
Query OK, 0 rows affected (0.08 sec)
SHOW MASTER STATUS;
+-------------------+-----------+--------------+------------------+
| File              | Position  | Binlog_Do_DB | Binlog_Ignore_DB |
+-------------------+-----------+--------------+------------------+
| master-bin.003437 | 852552729 |              |                  |
+-------------------+-----------+--------------+------------------+
in another screen (keeping the locking session open) create the database dump:
mysqldump -u root -p -A | gzip > all_db_dump.sql.gz 

or, without locking the tables (InnoDB only; --single-transaction gives a consistent snapshot):
mysqldump -u root -p -v --insert-ignore --skip-lock-tables --single-transaction=TRUE -A | gzip > all_db_dump.sql.gz

after the dump is created, unlock the tables:
UNLOCK TABLES;
Query OK, 0 rows affected (0.00 sec)

On the slave server, drop and recreate the users' databases as empty and import the data:
gunzip < all_db_dump.sql.gz | mysql -u root -p 
Then stop the slave:
STOP SLAVE;
and configure replication on the slave server, using the file and position from SHOW MASTER STATUS:
CHANGE MASTER TO 
MASTER_HOST='$MASTER_IP', 
MASTER_USER='replication_user', 
MASTER_PASSWORD='$PASSWORD', 
MASTER_PORT=3306, 
MASTER_LOG_FILE='master-bin.003437', 
MASTER_LOG_POS=852552729, 
MASTER_CONNECT_RETRY=10;

and start the slave:
START SLAVE;

After that you can check the slave status (both Slave_IO_Running and Slave_SQL_Running should be Yes):
SHOW SLAVE STATUS\G
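A health check for the status output above, as an added example that is not part of the original post: it parses the vertical \G format and flags stopped threads, a NULL Seconds_Behind_Master (replica not connected) or lag above a limit. The sample output is constructed.

```python
# Added example (not part of the original post): parse SHOW SLAVE STATUS\G
# output and decide whether the replica is healthy.
def parse_vertical(text):
    """Parse the \\G vertical format ('   Key: value' per line) into a dict."""
    status = {}
    for line in text.splitlines():
        if line.lstrip().startswith("*") or ":" not in line:
            continue                      # row separator or noise
        key, _, value = line.partition(":")   # values may contain ':' themselves
        status[key.strip()] = value.strip()
    return status

def replication_health(text, max_lag=60):
    """Return (ok, reasons) for SHOW SLAVE STATUS\\G output."""
    s = parse_vertical(text)
    reasons = []
    if s.get("Slave_IO_Running") != "Yes":
        reasons.append("IO thread not running: " + s.get("Last_IO_Error", ""))
    if s.get("Slave_SQL_Running") != "Yes":
        reasons.append("SQL thread not running: " + s.get("Last_SQL_Error", ""))
    lag = s.get("Seconds_Behind_Master", "NULL")
    if lag == "NULL":
        reasons.append("Seconds_Behind_Master is NULL (replica not connected)")
    elif int(lag) > max_lag:
        reasons.append(f"replica is {lag}s behind master (limit {max_lag}s)")
    return (not reasons), reasons

# Constructed sample in the \G layout, using the post's file/position values
SAMPLE_OK = """*************************** 1. row ***************************
               Slave_IO_State: Waiting for master to send event
                  Master_Host: 192.0.2.10
                  Master_User: replication_user
              Master_Log_File: master-bin.003437
          Read_Master_Log_Pos: 852552729
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
                Last_IO_Error:
               Last_SQL_Error:
        Seconds_Behind_Master: 0
"""

if __name__ == "__main__":
    print(replication_health(SAMPLE_OK))   # (True, [])
```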

Thursday, 10 January 2019

Moving /var/lib/docker to another drive

For example: we have a VM with Docker, but we need to move the directory /var/lib/docker to a separate partition or HDD. Current volumes:
 lvs
  LV            VG     Attr       LSize  Pool Origin Data%  Meta%  Move Log Cpy%Sync Convert
  home          centos -wi-ao---- 20.00g                                                    
  root          centos -wi-ao---- 25.80g                                                    
  swap          centos -wi-ao----  2.00g                                                    
  tmp           centos -wi-ao----  2.00g                                                    
  var           centos -wi-ao---- 25.00g                                                    
  var_log       centos -wi-ao---- 20.00g                                                    
  var_log_audit centos -wi-ao----  2.00g                                                    
  var_tmp       centos -wi-ao----  2.00g  

df -h
File system                 Size Used Available Used%  Mounted
/dev/mapper/centos-root             26G         5.7G   19G           24% /
devtmpfs                           858M            0  858M            0% /dev
tmpfs                              870M            0  870M            0% /dev/shm
tmpfs                              870M         9.4M  860M            2% /run
tmpfs                              870M            0  870M            0% /sys/fs/cgroup
/dev/sda2                          976M         407M  503M           45% /boot
/dev/sda1                          200M          19M  182M           10% /boot/efi
/dev/mapper/centos-var              25G         3.2G   21G           14% /var
/dev/mapper/centos-tmp             2.0G          33M  1.8G            2% /tmp
/dev/mapper/centos-var_log          20G         397M   19G            3% /var/log
/dev/mapper/centos-home             20G         115M   19G            1% /home
/dev/mapper/centos-var_log_audit   2.0G          35M  1.8G            2% /var/log/audit
/dev/mapper/centos-var_tmp         2.0G         160M  1.7G            9% /var/tmp
tmpfs                              174M            0  174M            0% /run/user/1000


So add a new HDD and check that the OS sees it:
lsblk 
NAME                     MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda                        8:0    0  100G  0 disk 
├─sda1                     8:1    0  200M  0 part /boot/efi
├─sda2                     8:2    0    1G  0 part /boot
└─sda3                     8:3    0 98.8G  0 part 
  ├─centos-root          253:0    0 25.8G  0 lvm  /
  ├─centos-swap          253:1    0    2G  0 lvm  [SWAP]
  ├─centos-tmp           253:2    0    2G  0 lvm  /tmp
  ├─centos-var           253:3    0   25G  0 lvm  /var
  ├─centos-var_tmp       253:4    0    2G  0 lvm  /var/tmp
  ├─centos-var_log       253:5    0   20G  0 lvm  /var/log
  ├─centos-var_log_audit 253:6    0    2G  0 lvm  /var/log/audit
  └─centos-home          253:7    0   20G  0 lvm  /home
sdb                        8:16   0   40G  0 disk 
sr0                       11:0    1 1024M  0 rom  

fdisk -l /dev/sdb

Disk /dev/sdb: 42.9 GB, 42949672960 bytes, 83886080 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes


Create a new GPT label and a single LVM partition on the new HDD:

parted -s /dev/sdb mklabel gpt; parted -s /dev/sdb unit mib mkpart primary 1 100% set 1 lvm on

fdisk -l /dev/sdb
WARNING: fdisk GPT support is currently new, and therefore in an experimental phase. Use at your own discretion.

Disk /dev/sdb: 42.9 GB, 42949672960 bytes, 83886080 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disk label type: gpt
Disk identifier: 47E3AF39-FFC1-470E-A40A-334150007411


#         Start          End    Size  Type            Name
 1         2048     83884031     40G  Linux LVM       primary


pvs
  PV         VG     Fmt  Attr PSize  PFree
  /dev/sda3  centos lvm2 a--  98.80g    0 

Create a new physical volume:
pvcreate /dev/sdb1 
  Physical volume "/dev/sdb1" successfully created.

pvs
  PV         VG     Fmt  Attr PSize   PFree  
  /dev/sda3  centos lvm2 a--   98.80g      0 
  /dev/sdb1         lvm2 ---  <40.00g <40.00g

Create a new volume group:
vgcreate docker /dev/sdb1
  Volume group "docker" successfully created

pvs
  PV         VG     Fmt  Attr PSize   PFree  
  /dev/sda3  centos lvm2 a--   98.80g      0 
  /dev/sdb1  docker lvm2 a--  <40.00g <40.00g

Create a new logical volume using all free space:
lvcreate -l100%FREE docker -n var_lib_docker
  Logical volume "var_lib_docker" created.

lvs
  LV             VG     Attr       LSize   Pool Origin Data%  Meta%  Move Log Cpy%Sync Convert
  home           centos -wi-ao----  20.00g                                                    
  root           centos -wi-ao----  25.80g                                                    
  swap           centos -wi-ao----   2.00g                                                    
  tmp            centos -wi-ao----   2.00g                                                    
  var            centos -wi-ao----  25.00g                                                    
  var_log        centos -wi-ao----  20.00g                                                    
  var_log_audit  centos -wi-ao----   2.00g                                                    
  var_tmp        centos -wi-ao----   2.00g                                                    
  var_lib_docker docker -wi-a----- <40.00g                             

And make an ext4 file system on the new volume:

mkfs.ext4 /dev/mapper/docker-var_lib_docker 
mke2fs 1.42.9 (28-Dec-2013)
Discarding device blocks: done                            
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
2621440 inodes, 10484736 blocks
524236 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=2157969408
320 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks: 
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208, 
4096000, 7962624

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done   


Mount the new volume on an empty directory:

mount /dev/mapper/docker-var_lib_docker /mnt/

Check it:

mount | column -t | grep mnt
/dev/mapper/docker-var_lib_docker  on  /mnt                             type  ext4        (rw,relatime,data=ordered)

Stop the docker service:

systemctl stop docker

and check that nothing still holds files open under /var/lib/docker (+D searches the whole tree; the command should print nothing):

lsof +D /var/lib/docker

Now rsync the data from /var/lib/docker to /mnt, removing the files on the source and then the emptied directories (the trailing slash makes rsync include dotfiles; -H keeps hard links; empty directories are copied too, because image layers can legitimately contain them):

rsync -aHv --remove-source-files /var/lib/docker/ /mnt/ && find /var/lib/docker -mindepth 1 -depth -type d -empty -exec rmdir "{}" \; && mkdir -p /var/lib/docker

Then unmount /mnt:

umount /mnt

Add the new mount point to /etc/fstab:

echo  "/dev/mapper/docker-var_lib_docker  /var/lib/docker      ext4    defaults        1 2" >> /etc/fstab

and mount the new logical volume:

mount -a

check the block devices and mounts:

 lsblk 
NAME                      MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda                         8:0    0  100G  0 disk 
├─sda1                      8:1    0  200M  0 part /boot/efi
├─sda2                      8:2    0    1G  0 part /boot
└─sda3                      8:3    0 98.8G  0 part 
  ├─centos-root           253:0    0 25.8G  0 lvm  /
  ├─centos-swap           253:1    0    2G  0 lvm  [SWAP]
  ├─centos-tmp            253:3    0    2G  0 lvm  /tmp
  ├─centos-var            253:4    0   25G  0 lvm  /var
  ├─centos-var_tmp        253:5    0    2G  0 lvm  /var/tmp
  ├─centos-var_log        253:6    0   20G  0 lvm  /var/log
  ├─centos-var_log_audit  253:7    0    2G  0 lvm  /var/log/audit
  └─centos-home           253:8    0   20G  0 lvm  /home
sdb                         8:16   0   40G  0 disk 
└─sdb1                      8:17   0   40G  0 part 
  └─docker-var_lib_docker 253:2    0   40G  0 lvm  /var/lib/docker

and start the docker service:

systemctl start docker