Sunday, 12 April 2020

Postgresql Centos 7

To install PostgreSQL:

yum install -y postgresql-server

Initialize the cluster:

postgresql-setup initdb

Modify the config /var/lib/pgsql/data/pg_hba.conf: comment out all rows and leave only this one:

local     all             postgres                    peer

This allows access to all databases from localhost via the Unix socket, and only for the user postgres (peer authentication maps the OS user to the database role of the same name).
You can also reset the password of the system user postgres:

passwd postgres

Now start the PostgreSQL server:

systemctl start postgresql



Become the postgres user:

su - postgres

Enter postgres shell:

psql

Now you can create a new database and a user, and grant all privileges on the database to that user:

CREATE DATABASE test_database;
CREATE USER test_user WITH password 'qwerty';
GRANT ALL ON DATABASE test_database TO test_user;


Now you can't connect as user test_user, because in /var/lib/pgsql/data/pg_hba.conf all connections are disabled except for postgres. Let's add the following row to the config file:

local     test_database   test_user                                      md5

and then restart the PostgreSQL server:

systemctl restart postgresql

and try to connect (the pg_hba row above only allows test_user into test_database, so that is the database to name):

psql -d test_database -U test_user

The server will ask for the password of user test_user.


If you need to connect to the server from another host, you need to add a row like this:

host      test_database   test_user     192.168.1.21/32             md5

But you should place it before the previous row (pg_hba.conf rows are tried in order and the first matching row wins). Also set the listening interface in /var/lib/pgsql/data/postgresql.conf:

listen_addresses = '*'

and restart the PostgreSQL server.
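Because pg_hba.conf is evaluated top to bottom and the first matching row decides the authentication method (or rejects the connection when nothing matches), it is worth being able to answer "which row will this connection hit?" before restarting the server. The script below is an added example written for this post, not part of the original; it parses a constructed pg_hba.conf containing the three rows used above and reports the matching row, the method, and any rows that use the weak methods trust or password. It only handles the common layout (local rows, and host rows with a CIDR address); include directives, separate netmask columns and auth options are not supported.

```python
import ipaddress

# Constructed sample pg_hba.conf: the rows from the post, in the order the
# post recommends (host row first, then the two local rows).
SAMPLE_PG_HBA = """\
# TYPE  DATABASE        USER            ADDRESS                 METHOD
host    test_database   test_user       192.168.1.21/32         md5
local   all             postgres                                peer
local   test_database   test_user                               md5
"""

HOST_TYPES = ("host", "hostssl", "hostnossl")


def parse_pg_hba(text):
    """Parse pg_hba.conf text into an ordered list of rule dicts."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        conn_type = fields[0]
        if conn_type == "local" and len(fields) >= 4:
            rule = dict(line=lineno, type="local", db=fields[1],
                        user=fields[2], net=None, method=fields[3])
        elif conn_type in HOST_TYPES and len(fields) >= 5:
            rule = dict(line=lineno, type=conn_type, db=fields[1],
                        user=fields[2],
                        net=ipaddress.ip_network(fields[3], strict=False),
                        method=fields[4])
        else:
            raise ValueError(f"line {lineno}: unsupported rule: {raw!r}")
        rules.append(rule)
    return rules


def _field_matches(pattern, value):
    # 'all' matches anything; otherwise the field is a comma-separated list.
    return pattern == "all" or value in pattern.split(",")


def match_connection(rules, conn_type, database, user, address=None, ssl=False):
    """Return the first rule matching the connection, or None when
    pg_hba.conf would reject it (PostgreSQL's first-match semantics).
    conn_type is 'local' (Unix socket) or 'host' (TCP, address required)."""
    for rule in rules:
        if conn_type == "local":
            if rule["type"] != "local":
                continue
        else:
            if rule["type"] == "local":
                continue
            if rule["type"] == "hostssl" and not ssl:
                continue
            if rule["type"] == "hostnossl" and ssl:
                continue
            if ipaddress.ip_address(address) not in rule["net"]:
                continue
        if not _field_matches(rule["db"], database):
            continue
        if not _field_matches(rule["user"], user):
            continue
        return rule
    return None


def weak_rules(rules):
    """Rules whose METHOD needs no real secret: 'trust' lets anyone in and
    'password' sends the password in clear text over the connection."""
    return [r for r in rules if r["method"] in ("trust", "password")]


if __name__ == "__main__":
    rules = parse_pg_hba(SAMPLE_PG_HBA)
    for args in [("local", "test_database", "test_user"),
                 ("local", "template1", "test_user"),
                 ("host", "test_database", "test_user", "192.168.1.21"),
                 ("host", "test_database", "test_user", "192.168.1.22")]:
        r = match_connection(rules, *args)
        print(args, "->", f"line {r['line']} {r['method']}" if r else "rejected")
    print("weak rules:", [r["line"] for r in weak_rules(rules)])
```

Running it shows that test_user gets an md5 password prompt for test_database over the socket or from 192.168.1.21, and is rejected for any other database or source address, which is exactly the access the rows above are meant to grant.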


To back up all databases, run as the user postgres:

su - postgres 
pg_dumpall  > pgdumpall.sql

To restore, use:

su - postgres
psql -f pgdumpall.sql






Install Net SDK 3.1 on Centos 7

To install the .NET Core SDK 3.1 on CentOS 7, do the following:

yum update

rpm -Uvh https://packages.microsoft.com/config/centos/7/packages-microsoft-prod.rpm

yum install -y dotnet-sdk-3.1

That's all. :)

Now you can test it. Let's create a .NET Core console application:

dotnet new console -o helloworldApp

cd helloworldApp/
dotnet run

You should get "Hello World!" on the console.

You can also create a .NET Core web app:

cd
dotnet new razor -o myfirstwebapp
cd myfirstwebapp/
dotnet run

You should see something like this:


Friday, 10 April 2020

vsftpd on Centos7

To install vsftpd on CentOS 7, do the following:

yum update
yum install -y vsftpd

rm -f /etc/vsftpd/vsftpd.conf

cat << EOF >> /etc/vsftpd/vsftpd.conf
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.pem
pasv_address=
pasv_max_port=65399
pasv_min_port=65350
anonymous_enable=NO
local_enable=YES
write_enable=YES
log_ftp_protocol=YES
xferlog_enable=YES
xferlog_std_format=NO
vsftpd_log_file=/var/log/vsftpd.log
pam_service_name=vsftpd
userlist_enable=YES
userlist_file=/etc/vsftpd/user_allowed_list
userlist_deny=NO
listen_port=21
EOF

Generate the key file /etc/vsftpd/vsftpd.pem (a self-signed certificate and its private key in one file):

openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem

and fill in the value of pasv_address in /etc/vsftpd/vsftpd.conf with the IP address of your server:

pasv_address=XXX.XXX.XXX.XXX


Restart the vsftpd service:

systemctl restart vsftpd


Add firewall rules (control port and the passive port range from the config):

firewall-cmd --permanent --add-port=20-21/tcp
firewall-cmd --permanent --add-port=65350-65399/tcp
firewall-cmd --reload

Now you can add users from your system to the file /etc/vsftpd/user_allowed_list (with userlist_deny=NO this file is an allowlist: only the users in it may log in).

To disable SSH access for FTP users, set /sbin/nologin as their shell instead of /bin/bash:

usermod -s /sbin/nologin $USER

and add /sbin/nologin to /etc/shells (vsftpd's PAM setup rejects logins whose shell is not listed there).
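The config written by the heredoc above is only safe once every hardening key has the intended value and pasv_address has been filled in; a restart with pasv_address still empty leaves passive transfers advertising the wrong address while the firewall range stays open for nothing. As an added example (written for this post, not part of it or of vsftpd), the script below parses a constructed copy of that vsftpd.conf, checks the settings the post relies on, and derives the firewall port range from the config instead of retyping it.

```python
# Constructed copy of the vsftpd.conf written by the heredoc in the post,
# before pasv_address has been filled in.
SAMPLE_VSFTPD_CONF = """\
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.pem
pasv_address=
pasv_max_port=65399
pasv_min_port=65350
anonymous_enable=NO
local_enable=YES
write_enable=YES
userlist_enable=YES
userlist_file=/etc/vsftpd/user_allowed_list
userlist_deny=NO
listen_port=21
"""

# Settings the post's hardening depends on: TLS required for logins and
# data, no anonymous access, SSLv2/SSLv3 off, user list used as an allowlist.
EXPECTED = {
    "ssl_enable": True,
    "force_local_logins_ssl": True,
    "force_local_data_ssl": True,
    "ssl_sslv2": False,
    "ssl_sslv3": False,
    "anonymous_enable": False,
    "userlist_enable": True,
    "userlist_deny": False,
}


def parse_vsftpd_conf(text):
    """vsftpd.conf holds one key=value per line; '#' starts a comment line.
    A later duplicate key overrides an earlier one, as in vsftpd itself."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def as_bool(value):
    """vsftpd accepts YES/TRUE/1 and NO/FALSE/0, case-insensitively."""
    v = value.strip().upper()
    if v in ("YES", "TRUE", "1"):
        return True
    if v in ("NO", "FALSE", "0"):
        return False
    raise ValueError(f"not a vsftpd boolean: {value!r}")


def audit_vsftpd(conf):
    """Return a list of findings; an empty list means the config matches
    EXPECTED and passive mode is set up consistently."""
    findings = []
    for key, want in EXPECTED.items():
        want_text = "YES" if want else "NO"
        if key not in conf:
            findings.append(f"{key} missing (want {want_text})")
        elif as_bool(conf[key]) != want:
            findings.append(f"{key}={conf[key]} (want {want_text})")
    # The post leaves pasv_address empty and fills it in later; until then
    # passive data connections advertise the wrong address.
    if not conf.get("pasv_address"):
        findings.append("pasv_address is empty; set it to the server's IP")
    lo, hi = conf.get("pasv_min_port"), conf.get("pasv_max_port")
    if lo and hi and int(lo) > int(hi):
        findings.append(f"pasv_min_port {lo} > pasv_max_port {hi}")
    return findings


def firewall_ports(conf):
    """(control port, pasv_min_port, pasv_max_port): what firewall-cmd must
    open, read from the config instead of typed by hand."""
    return (int(conf.get("listen_port", "21")),
            int(conf["pasv_min_port"]), int(conf["pasv_max_port"]))


if __name__ == "__main__":
    conf = parse_vsftpd_conf(SAMPLE_VSFTPD_CONF)
    print("findings:", audit_vsftpd(conf) or "none")
    print("firewall ports:", firewall_ports(conf))
```

On the sample the only finding is the empty pasv_address, which is the one value the post tells you to fill in by hand; once it is set the audit is clean and the port tuple matches the two firewall-cmd rules above.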


To connect to the FTP server use, for example, FileZilla and configure the connection like this:


That's all.

Thursday, 23 January 2020

Centos7 join to AD

To join CentOS 7 to Active Directory you first need time synchronisation between CentOS and the domain controllers (Kerberos rejects tickets when the clocks drift too far apart). So you need to install chrony:

yum install chrony -y

and set the domain controller servers in /etc/chrony.conf:

server 172.27.x.x
server 172.27.x.y
server 172.27.x.z

and restart the chrony service (the unit on CentOS 7 is called chronyd):

systemctl restart chronyd

Also check that the service is running and enabled:

systemctl status chronyd

Then install the needed packages:

yum install sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python -y

Then discover your domain:

realm discover your_domain.local

You should receive something like this:

your_domain.local
  type: kerberos
  realm-name: YOUR_DOMAIN.LOCAL
  domain-name: your_domain.local
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools

And join the machine to the domain:

realm join -U administrator your_domain.local

If there are no errors, all is OK.

To allow login with the short user name instead of the fully qualified user@domain form:

sed -i 's/use_fully_qualified_names\ =\ True/use_fully_qualified_names\ =\ False/g'  /etc/sssd/sssd.conf

and to create the user's home directory without the domain name:

sed -i 's/home\/\%u\@\%d/home\/\%u/' /etc/sssd/sssd.conf

To enable automatic creation of home directories on first login:

authconfig --enablemkhomedir --enablesssdauth --updateall

Enable the service and restart it:

systemctl enable sssd.service && systemctl restart sssd
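The two sed commands above work, but they match on exact spacing and silently do nothing when realmd writes the keys slightly differently, and dropping the domain suffix is only safe while a single domain is configured (otherwise short names from different domains collide). The script below is an added example written for this post, not part of it or of sssd: it makes the same two edits with configparser on a constructed sssd.conf modelled on what realm join writes, reports what it changed, and refuses to proceed when more than one domain section is present.

```python
import configparser
import io

# Constructed sssd.conf, modelled on what 'realm join' writes on CentOS 7;
# not copied from a real machine.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = your_domain.local
config_file_version = 2
services = nss, pam

[domain/your_domain.local]
ad_domain = your_domain.local
krb5_realm = YOUR_DOMAIN.LOCAL
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
"""


def load_sssd_conf(text):
    # sssd values contain %u/%d templates, so interpolation must be off;
    # optionxform=str keeps option names exactly as written.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def shorten_logins(text):
    """Apply the two edits the post makes with sed, to every domain section.
    Returns (new_text, list_of_changes); the list is empty when the file
    already has the short form, so the function is safe to re-run."""
    cp = load_sssd_conf(text)
    domains = [s for s in cp.sections() if s.startswith("domain/")]
    if len(domains) > 1:
        raise ValueError("several domains configured; keep fully qualified names")
    changes = []
    for section in domains:
        if cp.get(section, "use_fully_qualified_names", fallback="").lower() == "true":
            cp.set(section, "use_fully_qualified_names", "False")
            changes.append(f"{section}: use_fully_qualified_names -> False")
        home = cp.get(section, "fallback_homedir", fallback="")
        if home.endswith("@%d"):
            new_home = home[: -len("@%d")]
            cp.set(section, "fallback_homedir", new_home)
            changes.append(f"{section}: fallback_homedir -> {new_home}")
    out = io.StringIO()
    cp.write(out)
    return out.getvalue(), changes


if __name__ == "__main__":
    new_text, changes = shorten_logins(SAMPLE_SSSD_CONF)
    print("\n".join(changes) or "nothing to change")
    print(new_text)
```

Writing the result back to /etc/sssd/sssd.conf (which must stay mode 0600, owned by root) and restarting sssd, as in the post, completes the change.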





Friday, 10 January 2020

RDP server on Ubuntu 18 desktop

To add an RDP server on Ubuntu 18, do this:



  sudo add-apt-repository ppa:martinx/xrdp-hwe-18.04
  sudo apt-get update
    
  # Install new packages
  sudo apt-get install xrdp xorg
    
  # Add xrdp user to ssl-cert group and reboot
  sudo adduser xrdp ssl-cert
  sudo reboot
After that use an rdesktop client to connect to your server. If you get an error about setting the colour device, do the following:
sudo apt-get install gnome-tweak-tool -y 
sudo sed -i 's/allowed_users=console/allowed_users=anybody/' /etc/X11/Xwrapper.config
sudo touch /etc/polkit-1/localauthority.conf.d/02-allow-colord.conf
sudo gedit /etc/polkit-1/localauthority.conf.d/02-allow-colord.conf
and paste the following text ({group} is a placeholder for the group your RDP users belong to):
polkit.addRule(function(action, subject) {
  if ((action.id == "org.freedesktop.color-manager.create-device" ||
       action.id == "org.freedesktop.color-manager.create-profile" ||
       action.id == "org.freedesktop.color-manager.delete-device" ||
       action.id == "org.freedesktop.color-manager.delete-profile" ||
       action.id == "org.freedesktop.color-manager.modify-device" ||
       action.id == "org.freedesktop.color-manager.modify-profile") &&
      subject.isInGroup("{group}")) {
    return polkit.Result.YES;
  }
});
Also, to add xrdp to Ubuntu 18 server you should do the following:
tasksel install ubuntu-mate-core
systemctl enable lightdm
apt install xfce4 xfce4-goodies xorg dbus-x11 x11-xserver-utils 
apt install xrdp
adduser xrdp ssl-cert
firewall-cmd --zone=public --permanent --add-port=3389/tcp

Thursday, 26 December 2019

Nginx proxy & real IP to apache 2.4.6

On CentOS 7, Apache 2.4.6 uses the module remoteip instead of rpaf.
To check whether the module is available, run:

 httpd -M | grep remoteip

The response should look like:

 remoteip_module (shared)

Then create file /etc/httpd/conf.modules.d/remoteip.conf:

<IfModule remoteip_module>
  RemoteIPHeader X-Forwarded-For
  RemoteIPInternalProxy  172.27.0.1
</IfModule>

where 172.27.0.1 is the internal IP of your nginx proxy. Only list addresses you control here: RemoteIPInternalProxy tells Apache which peers are trusted to set X-Forwarded-For, and a header arriving from any other peer is ignored.

In /etc/httpd/conf/httpd.conf replace %h with %a in the LogFormat rows (%a is the client IP as determined by remoteip, %h is still the proxy).

The nginx config should contain the following rows:

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://your_site.com;
    }

After that you can see the real IP in the logs and use the real IP in restriction rules in the Apache config files.
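The reason RemoteIPInternalProxy matters is that X-Forwarded-For is just a request header: any client can send one, and the nginx $proxy_add_x_forwarded_for variable appends the real peer address to whatever the client already sent. mod_remoteip therefore walks the header from the right and only trusts an entry if the hop that appended it is a listed proxy. The script below is an added example written for this post (not Apache's or nginx's code); it emulates that walk on constructed requests and applies a Require ip style check to the result, so you can see that a forged entry is discarded whether it arrives directly or through the proxy.

```python
import ipaddress


def resolve_client_ip(remote_addr, x_forwarded_for, internal_proxies):
    """Emulate mod_remoteip with RemoteIPHeader X-Forwarded-For and
    RemoteIPInternalProxy: start from the TCP peer and walk the header from
    the right, accepting an entry only while the hop that appended it is one
    of our own proxies. Returns the IP that %a and access rules should see."""
    trusted = [ipaddress.ip_network(p, strict=False) for p in internal_proxies]

    def is_internal(ip):
        return any(ip in net for net in trusted)

    client = ipaddress.ip_address(remote_addr)
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    while hops and is_internal(client):
        candidate = hops.pop()      # rightmost entry = added by the nearest proxy
        try:
            client = ipaddress.ip_address(candidate)
        except ValueError:
            break                   # malformed entry: stop, keep the last good hop
    return str(client)


def is_allowed(client_ip, allowed_networks):
    """Apache-style 'Require ip' check applied to the resolved client IP."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in allowed_networks)


# Constructed requests: (peer address as Apache sees it, X-Forwarded-For value).
INTERNAL = ["172.27.0.1"]            # the nginx proxy from the post
SAMPLES = {
    "via proxy":       ("172.27.0.1", "203.0.113.5"),
    "spoof, no proxy": ("203.0.113.9", "10.0.0.1"),              # client forges XFF
    "spoof via proxy": ("172.27.0.1", "10.0.0.1, 203.0.113.5"),  # forged + real entry
    "no header":       ("172.27.0.1", None),
}

if __name__ == "__main__":
    for name, (peer, xff) in SAMPLES.items():
        client = resolve_client_ip(peer, xff, INTERNAL)
        print(f"{name:16} peer={peer:12} xff={str(xff):24} -> {client}"
              f"  allowed(10/8)={is_allowed(client, ['10.0.0.0/8'])}")
```

In the "spoof via proxy" case the forged 10.0.0.1 is never reached: the walk stops at 203.0.113.5 because that address is not an internal proxy, so an allow rule for 10.0.0.0/8 does not match. If the proxy sends no header at all, the proxy's own address is what ends up in the log, which is a useful signal that proxy_set_header is missing.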

Wednesday, 9 October 2019

Wildcard certificate from Let's Encrypt

If you need a wildcard certificate from Let's Encrypt for your domain, you can use certbot to get it.

First of all, you need access to your DNS so that you can create TXT records like this:

_acme-challenge.domain.com IN TXT   "some_value"

Second, install certbot:

yum install -y certbot


Then make a request like this:

certbot certonly --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory --manual-public-ip-logging-ok -d '*.domain.com' -d domain.com


During the dialog you will be told which TXT record (name and value) you should put in your DNS. Check that the record is visible before telling certbot to continue; with both '*.domain.com' and domain.com in one request there are two challenges, and both TXT values must be published under the same name at the same time.
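The "some_value" certbot asks you to publish is not random text: for the dns-01 challenge it is base64url(SHA-256(token "." account-key-thumbprint)) as specified in RFC 8555 section 8.4, with the thumbprint computed per RFC 7638. The script below is an added example written for this post, not certbot's code; it derives the expected TXT values for a constructed account key and constructed tokens (a real ACME server issues the tokens and the key would be your account key), groups them under the single _acme-challenge name that both '*.domain.com' and domain.com validate at, and checks whether everything expected is among the values currently published.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required JWK members only, in lexicographic
    order, serialised with no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.4: TXT value = base64url(SHA-256(key authorization)),
    where key authorization = token '.' thumbprint of the account key."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def expected_records(domain: str, tokens, thumbprint: str) -> dict:
    """One TXT value per pending challenge. '*.domain' and 'domain' are both
    validated at _acme-challenge.domain, so one name carries several values."""
    name = f"_acme-challenge.{domain}"
    return {name: sorted(dns01_txt_value(t, thumbprint) for t in tokens)}


def all_published(expected: dict, published: dict) -> bool:
    """True only when every expected value is among the TXT values currently
    published for its name: the check to make before letting certbot continue."""
    return all(set(values) <= set(published.get(name, []))
               for name, values in expected.items())


# Constructed account key (the modulus is a placeholder, not a real key) and
# constructed tokens standing in for the ones the ACME server would issue.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "placeholder-modulus-not-a-real-key"}
SAMPLE_TOKENS = ["token-for-wildcard", "token-for-apex"]

if __name__ == "__main__":
    tp = jwk_thumbprint(SAMPLE_JWK)
    for name, values in expected_records("domain.com", SAMPLE_TOKENS, tp).items():
        for v in values:
            print(f'{name} IN TXT "{v}"')
```

To use it against a live zone you would replace the constructed published dict with the TXT values returned by a resolver query for _acme-challenge.domain.com; the point of all_published is that a partially propagated zone (one of the two values missing) is reported as not ready, which is exactly the state that makes the wildcard-plus-apex request fail.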