CentOS7に各ミドルウェアをパッケージインストールしてWordPressを構築する

    まずはサーバーにrootでログイン
    # ssh root@<server_ip>
    
    
    
    ########## 色々 ##########
    # vi /etc/hostname
      <ホスト名>
    # yum -y update
    # yum -y install \
      vim \
      wget \
      nmap
    
    
    
    ########## 権限周り ##########
    # vim /etc/selinux/config
      # Turns SELinux off completely; the file is read at boot, so this takes effect
      # only after the reboot the page does not mention.
      # NOTE(review): "permissive" keeps the policy loaded and records would-be denials
      # in the audit log without blocking anything, which leaves a trail that "disabled"
      # does not.
      SELINUX=disabled
    
    
    
    ########## ユーザー周り ##########
    # cp /etc/ssh/sshd_config{,_ORG}
    # vim /etc/ssh/sshd_config
      # Root can no longer log in over SSH; administration goes through the wheel user
      # created just below, via sudo.
      PermitRootLogin no
      # Passwords are refused outright, so only keys listed in ~/.ssh/authorized_keys
      # (installed further down) are accepted.
      PasswordAuthentication no
      PubkeyAuthentication yes
      # The sshd restart that applies this comes after the key is in place; keep the
      # current root session open until a key login from the client has been verified,
      # otherwise a mistake here locks the host out.
    # useradd konyaa
    # passwd konyaa
    # visudo
      ※ wheelグループはroot権限を得る
      %wheel	ALL=(ALL)	ALL
      ※ root昇格にパスワードを必要としない
      %wheel	ALL=(ALL)	NOPASSWD: ALL
    # id konyaa
    # usermod -g wheel konyaa
    # id konyaa
    # su - konyaa
    # mkdir .ssh
    # chmod 700 .ssh
    # vim .ssh/authorized_keys
      ※ ログイン端末の公開鍵を貼る
    # chmod 600 .ssh/authorized_keys
    # sudo systemctl restart sshd
    
    
    
    ########## PHP7.1 ##########
    # sudo yum -y install epel-release
    # sudo rpm -Uvh http://rpms.famillecollet.com/enterprise/remi-release-7.rpm
    # sudo yum -y install --enablerepo=remi-php71,epel php php-devel php-common php-cli php-pdo php-mcrypt php-mbstring php-gd php-mysqlnd php-pear php-soap php-xml php-xmlrpc php-pecl-apc
    # sudo cp /etc/php.ini{,_ORG} 
    # sudo vim /etc/php.ini
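      ; The "NNN:" prefixes are line numbers in the stock php.ini, not part of the file.
      357: zend.multibyte = On
      363: zend.script_encoding = UTF-8
      ; Drops the "X-Powered-By: PHP/x.y" response header.
      374: expose_php = Off
      400: max_input_vars = 10000
      ; Must stay above post_max_size, otherwise a large upload dies on memory instead.
      404: memory_limit = 256M
      ; post_max_size caps the whole request body, so it has to be larger than
      ; upload_max_filesize: with the original 24M, any upload above 24M was rejected
      ; even though 200M files were meant to be allowed.
      671: post_max_size = 210M
      824: upload_max_filesize = 200M
      827: max_file_uploads = 50
      902: date.timezone = Asia/Tokyo
      ; NOTE(review): mbstring.internal_encoding has been deprecated since PHP 5.6 in
      ; favour of default_charset; 7.1 still honours it but may log a deprecation notice.
      1521: mbstring.internal_encoding = UTF-8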
      
    
    
    ########## MariaDB ##########
    # sudo yum -y install mariadb mariadb-server
    # mysql --version
    # sudo cp /etc/my.cnf{,_ORG}
    # sudo vim /etc/my.cnf
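      [mysqld]
        datadir=/var/lib/mysql
        socket=/var/lib/mysql/mysql.sock
        # Listen on loopback only; WordPress runs on the same host, so the server port
        # is not reachable from the network.
        bind-address=127.0.0.1
        symbolic-links=0
        # utf8 for every connection; skipping the handshake means clients cannot
        # negotiate a different connection charset.
        character-set-server = utf8
        skip-character-set-client-handshake

        # Buffer sizing for a small single-site box; scale with the host's RAM.
        max_connections = 200
        key_buffer_size = 32M
        max_allowed_packet = 16M
        binlog_cache_size = 1M
        table_open_cache = 2048
        sort_buffer_size = 8M
        join_buffer_size = 8M
        thread_concurrency = 8
        query_cache_size = 64M
        query_cache_limit = 2M
        tmp_table_size = 300M
        read_buffer_size = 2M
        read_rnd_buffer_size = 16M
        net_buffer_length = 8K

        myisam_sort_buffer_size = 8M
        innodb_buffer_pool_size = 128M
        # NOTE(review): removed in later MariaDB/MySQL releases; the CentOS 7 stock
        # MariaDB accepts it, a newer server refuses to start on an unknown variable.
        innodb_additional_mem_pool_size = 10M

      [mysqld_safe]
        log-error=/var/log/mariadb/mariadb.log
        pid-file=/var/run/mariadb/mariadb.pid
        # Package drop-ins are read here, after everything above, so a [mysqld] setting
        # in /etc/my.cnf.d/*.cnf overrides this file.
        !includedir /etc/my.cnf.d

      [mysqldump]
        quick
        max_allowed_packet = 16M

      [mysql]
        no-auto-rehash
        default-character-set = utf8

      [myisamchk]
        key_buffer_size = 20M
        sort_buffer_size = 20M
        read_buffer = 2M
        write_buffer = 2M

      [mysqlhotcopy]
        interactive-timeout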
    # sudo systemctl enable mariadb
    # sudo systemctl start mariadb
    # sudo systemctl list-unit-files | grep mariadb
    # vim wordpress.sql
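      set password for root@localhost=password('roothoge');
      -- Create the WordPress account with the account-management statements instead of
      -- writing a row into mysql.user by hand: the inserted row carried no privileges,
      -- and the original "grant ... to hoge" (no host part) targets 'hoge'@'%', which
      -- MariaDB 5.5 auto-creates with an EMPTY password when it does not exist (unless
      -- sql_mode contains NO_AUTO_CREATE_USER). The explicit host below keeps a single,
      -- password-protected, localhost-only account.
      create user 'hoge'@'localhost' identified by 'hogehoge';
      create database wddb;
      grant all on wddb.* to 'hoge'@'localhost';
      FLUSH PRIVILEGES;
      -- Remove the demo database; NOTE(review): a fresh install also ships anonymous
      -- accounts, which mysql_secure_installation removes and this script does not.
      drop database test;
      -- Both passwords sit in this file in clear text and are typed again on the mysql
      -- command line further down (-p...), which puts them in the shell history; deleting
      -- the file afterwards removes neither trace.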
    # mysql -uroot -Dmysql < wordpress.sql
    # rm wordpress.sql
    # mysql -uroot -proothoge
    # mysql -uhoge -phogehoge -Dwddb
    
    
    
    ########## Apache2.4 ##########
    # sudo yum -y install httpd
    # rpm -qa | grep httpd
    # sudo cp /etc/httpd/conf/httpd.conf{,_ORG}
    # sudo mkdir /var/www/sample.com
    # sudo chown apache: /var/www/sample.com
    # sudo mkdir /var/log/httpd/sample.com
    # sudo vim /etc/httpd/conf.d/sample.com.conf
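      # Accepted but without effect on httpd 2.4 (name-based hosting is always on);
      # it only produces a startup warning.
      NameVirtualHost *:80

      # Default vhost: requests that do not name sample.com (e.g. addressed to the bare
      # IP) get 403 instead of the site.
      <VirtualHost *:80>
        ServerName <サーバーIP>
        <Location />
          Require all denied
        </Location>
      </VirtualHost>

      <VirtualHost *:80>
        DocumentRoot /var/www/sample.com
        ServerName sample.com
        ServerAlias www.sample.com
        # Static assets are tagged "nolog" and excluded from the access log through
        # env=!nolog. The original set the variable but never used it, so every asset
        # hit was logged anyway. The fail2ban filters already ignore these extensions,
        # so the jails behave the same.
        SetEnvIf Request_URI "\.(gif|jpg|png|css|js|ico)$" nolog
        ErrorLog logs/sample.com/error_log
        CustomLog logs/sample.com/access_log common env=!nolog

        # Let the WordPress .htaccess (permalinks, the Basic-auth block) take effect.
        <Directory /var/www/sample.com>
          AllowOverride All
        </Directory>

        # Browser caching: 30 days for images/fonts, 7 days for css/js/html.
        # FilesMatch replaces the deprecated "<Files ~ ...>" form, and the dot is
        # escaped so that the pattern no longer matches any character before the suffix.
        <FilesMatch "\.(gif|jpe?g|png|svg|ico|otf|ttf|eot|woff)$">
          Header set Cache-Control "max-age=2592000, public"
        </FilesMatch>

        <FilesMatch "\.(css|js|html|gz)$">
          Header set Cache-Control "max-age=604800, public"
        </FilesMatch>

        # Canonicalise www.sample.com -> sample.com with a permanent redirect.
        RewriteEngine on
        RewriteCond %{HTTP_HOST} ^www\.sample\.com$
        RewriteRule ^/(.*) http://sample.com/$1 [R=301,L]
      </VirtualHost>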
    # sudo vim /etc/httpd/conf/httpd.conf
      :%s/#.* で全てのコメント行を空白に変換
      :v/\S/d で全ての空白行を削除
    # sudo vim /etc/httpd/conf.d/security.conf
      # Server-wide (no vhost) hardening; applies to both vhosts in sample.com.conf.
      # Hide the httpd version in the Server header.
      ServerTokens Prod
      # PHP's banner header (expose_php = Off in php.ini covers the same thing).
      Header unset "X-Powered-By"
      # Strip a client-supplied "Proxy" header so it cannot surface as HTTP_PROXY
      # inside CGI/PHP scripts.
      RequestHeader unset Proxy
      # NOTE(review): "append" merges with any X-Frame-Options the application already
      # sends (WordPress emits one on admin/login pages); "set" gives a single value —
      # confirm which is intended.
      Header append X-Frame-Options SAMEORIGIN
      # NOTE(review): X-XSS-Protection is a legacy header that current browsers ignore;
      # a Content-Security-Policy would be the modern replacement (not configured here).
      Header set X-XSS-Protection "1; mode=block"
      Header set X-Content-Type-Options nosniff
      # NOTE(review): without "always" these Header directives only apply to successful
      # responses, not to error pages — verify if the headers are wanted on 4xx/5xx.
      # Disable TRACE.
      TraceEnable Off

      <Directory /var/www/sample.com>
          AllowOverride All
          # No directory listings when index.php is missing.
          Options -Indexes
          # Only evaluated on httpd < 2.3; on the CentOS 7 httpd 2.4 both directives are
          # skipped, which matches the 2.4 defaults (ServerSignature Off, FileETag MTime Size).
          <IfVersion < 2.3>
              ServerSignature Off
              FileETag MTime Size
          </IfVersion>
      </Directory>

      <Directory "/var/www/cgi-bin">
          <IfVersion < 2.3>
              ServerSignature Off
              FileETag MTime Size
          </IfVersion>
      </Directory>
    # sudo systemctl enable httpd
    # sudo systemctl start httpd
    # sudo systemctl list-units | grep httpd
    
    
    
    ########## Firewalld ##########
    # sudo firewall-cmd --state
    # sudo firewall-cmd --list-services
    # sudo firewall-cmd --add-service=http --zone=public --permanent(SSLを利用する場合は打たない)
    # sudo firewall-cmd --add-service=https --zone=public --permanent
    # sudo firewall-cmd --reload
    
    
    
    ########## WordPress ##########
    # wget https://ja.wordpress.org/wordpress-4.9.6-ja.zip
    # sudo cp wordpress-4.9.6-ja.zip /var/www/sample.com
    # cd /var/www/sample.com
    # sudo unzip wordpress-4.9.6-ja.zip
    # sudo rm wordpress-4.9.6-ja.zip
    # sudo mv wordpress/* .
    # sudo rmdir wordpress
    # sudo cp wp-config-sample.php wp-config.php
    # sudo vim wp-config.php
      mariadbの設定に合わせる
      下を追加
      // Make WordPress write to the filesystem directly as the httpd user instead of
      // asking for FTP credentials on plugin/theme/core updates. This only works because
      // the chown/chmod steps below make those paths writable by "apache" — which also
      // means a compromised PHP process can modify them.
      define('FS_METHOD', 'direct');
    # sudo cp wp-includes/functions.php{,_ORG}
      remove_action('wp_head', 'wp_generator'); を追加
    # sudo rm readme.html
    # sudo chown -R kooo: /var/www/sample.com
    # http://www.example.comをブラウザで開いてWordPressを利用
    # http://www.htaccesseditor.com/でhtpasswd作成
    # sudo vim /etc/httpd/.htpasswd
      上で作ったものを貼る
    # sudo vim /var/www/sample.com/.htaccess
      # HTTP Basic auth in front of the login page, so password guessing against
      # WordPress first has to get past the .htpasswd credentials. Those credentials
      # travel in clear text until the Let's Encrypt step below enables HTTPS.
      # NOTE(review): only wp-login.php is covered; xmlrpc.php also accepts WordPress
      # credentials and stays unprotected — confirm whether it is needed at all.
      # NOTE(review): the "chmod 757" on the document root later on the page lets the
      # httpd user replace this file (any user can unlink in a world-writable directory
      # without the sticky bit), so this protection is only as strong as that permission.
      <Files wp-login.php>
        AuthUserFile /etc/httpd/.htpasswd
        AuthName "Please enter your ID and password"
        AuthType Basic
        require valid-user
      </Files>

      # Compress text-like responses before sending them to the browser.
      <IfModule mod_deflate.c>
        AddOutputFilterByType DEFLATE image/svg+xml
        AddOutputFilterByType DEFLATE text/plain
        AddOutputFilterByType DEFLATE text/html
        AddOutputFilterByType DEFLATE text/xml
        AddOutputFilterByType DEFLATE text/css
        AddOutputFilterByType DEFLATE text/javascript
        AddOutputFilterByType DEFLATE application/xml
        AddOutputFilterByType DEFLATE application/xhtml+xml
        AddOutputFilterByType DEFLATE application/rss+xml
        AddOutputFilterByType DEFLATE application/javascript
        AddOutputFilterByType DEFLATE application/x-javascript
        AddOutputFilterByType DEFLATE application/x-font-ttf
        AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
        AddOutputFilterByType DEFLATE font/opentype font/ttf font/eot font/otf
      </IfModule>
    
    # sudo su
    # cd /var/www/sample.com
    # rm -f /var/www/sample.com/readme.html
    # rm -f /var/www/sample.com/readme-ja.html
    # rm -f /var/www/sample.com/license.txt
    # chown -R kooo: /var/www/sample.com
    # chmod 757 /var/www/sample.com
    # chmod -R 707 /var/www/sample.com/wp-content
    # chmod 755 /var/www/sample.com/wp-includes/js/swfupload
    # chown apache: /var/www/sample.com/wp-config.php
    # chmod 644 wp-config.php
    # mkdir -p /var/www/sample.com/wp-content/uploads
    # chown apache: /var/www/sample.com/wp-content/uploads
    # chmod 707 /var/www/sample.com/wp-content/uploads
    # chown -R apache: /var/www/sample.com/wp-includes
    # chown -R apache: /var/www/sample.com/wp-admin
    # chown apache: /var/www/sample.com/*.php
    
    
    
    
    ########## Let's Encrypt ##########
    # sudo su
    # yum -y install certbot certbot-apache
    # certbot run --apache -d www.sample.com -d sample.com
      > メアド入力
      > httpからhttpsへのリダイレクトをするなら2を選択
    # systemctl status crond
    # vim /etc/cron.d/letsencrypt
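      # Weekly renewal attempt, Sunday 03:00. The hour field only takes 0-23, so the
      # original "0 24 * * 7" was an invalid entry that cron rejected — the certificate
      # would never have been renewed. certbot only renews when fewer than 30 days
      # remain, so once a week is enough. "systemctl reload httpd" would pick up the
      # new certificate without dropping open connections.
      0 3 * * 0 root /bin/certbot renew --post-hook "systemctl restart httpd"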
    
    
    
    ########## Fail2ban ##########
    # sudo yum -y install epel-release
    # sudo yum -y install fail2ban fail2ban-systemd
    # sudo mkdir /var/log/fail2ban
    # sudo vim /etc/fail2ban/fail2ban.conf
      # Log into the directory created above (mkdir /var/log/fail2ban). NOTICE records
      # bans and unbans; the per-match "Found" lines are INFO and are dropped.
      loglevel  = NOTICE
      logtarget = /var/log/fail2ban/fail2ban.log
    # sudo vim /etc/fail2ban/filter.d/apache-request-dos.conf
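      [Definition]
      # One hit per logged GET/POST from <HOST>; every request counts, the jail's
      # maxretry/findtime decide when that becomes a ban.
      failregex = ^<HOST> -.*"(GET|POST).*
      # Static assets are not counted. The (?i) flag now sits at the start of the
      # pattern: Python only tolerates an inline flag mid-pattern with a deprecation
      # warning (an error from 3.11), and the match behaviour is identical.
      ignoreregex = (?i)\.(jpe?g|gif|png|bmp|pdf|js|css|woff|eot|ttf|ico|txt|xml|swf|xlsx?|docx?|pptx?)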
    # sudo vim /etc/fail2ban/filter.d/apache-403-dos.conf
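      [Definition]
      # One hit per request from <HOST> whose status field is 403.
      failregex = ^<HOST>.*"(GET|POST).*" (403) .*$
      # Static assets are not counted. The (?i) flag now sits at the start of the
      # pattern: Python only tolerates an inline flag mid-pattern with a deprecation
      # warning (an error from 3.11), and the match behaviour is identical.
      ignoreregex = (?i)\.(jpe?g|gif|png|bmp|pdf|js|css|woff|eot|ttf|ico|txt|xml|swf|xlsx?|docx?|pptx?)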
    # sudo vim /etc/fail2ban/filter.d/apache-404-dos.conf
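      [Definition]
      # One hit per request from <HOST> whose status field is 404.
      failregex = ^<HOST>.*"(GET|POST).*" (404) .*$
      # Static assets are not counted. The (?i) flag now sits at the start of the
      # pattern: Python only tolerates an inline flag mid-pattern with a deprecation
      # warning (an error from 3.11), and the match behaviour is identical.
      ignoreregex = (?i)\.(jpe?g|gif|png|bmp|pdf|js|css|woff|eot|ttf|ico|txt|xml|swf|xlsx?|docx?|pptx?)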
    # sudo vim /etc/fail2ban/jail.local ※基本jail.confはいじらない
      # Settings here apply to every jail below.
      [DEFAULT]
      # Only loopback is exempt from banning.
      # NOTE(review): adding the administrator's own address avoids locking yourself
      # out while the SSH key setup above is still being tested.
      ignoreip  = 127.0.0.1
      backend   = auto

      # NOTE(review): every jail pins an iptables* action. This host runs firewalld
      # (see the Firewalld section); a "firewall-cmd --reload" can drop chains that
      # fail2ban inserted directly — the firewallcmd-* actions avoid that. Verify.

      # Ban for 15 minutes any IP that fails SSH login 5 times
      [ssh-brute]
      enabled  = true
      filter   = sshd
      action   = iptables[name=ssh_brute, port="ssh"]
      # CentOS 7 writes sshd authentication messages to /var/log/secure.
      logpath  = /var/log/secure
      maxretry = 5
      bantime  = 900

      # Ban for 60 minutes any IP that sends 100 or more requests within 3 minutes
      [apache-short-span-dos]
      enabled  = true
      filter   = apache-request-dos
      action   = iptables-multiport[name=apache_short_span_dos, port="http,https"]
      logpath  = /var/www/sample.com/../../log/httpd/sample.com/access_log
      maxretry = 100
      findtime = 180
      bantime  = 3600

      # Ban for 60 minutes any IP that sends 100 or more requests within 24 hours
      # (same filter and log as above; each jail keeps its own counters)
      [apache-long-span-dos]
      enabled  = true
      filter   = apache-request-dos
      action   = iptables-multiport[name=apache_long_span_dos, port="http,https"]
      logpath  = /var/log/httpd/sample.com/access_log
      maxretry = 100
      findtime = 86400
      bantime  = 3600

      # Ban for 1 hour any IP that triggers 60 responses with status 403 within 3 minutes
      [apache-403-dos]
      enabled  = true
      filter   = apache-403-dos
      action   = iptables-multiport[name=apache_403_dos, port="http,https"]
      logpath  = /var/log/httpd/sample.com/access_log
      maxretry = 60
      findtime = 180
      bantime  = 3600

      # Ban for 1 hour any IP that triggers 60 responses with status 404 within 3 minutes
      [apache-404-dos]
      enabled  = true
      filter   = apache-404-dos
      action   = iptables-multiport[name=apache_404_dos, port="http,https"]
      logpath  = /var/log/httpd/sample.com/access_log
      maxretry = 60
      findtime = 180
      bantime  = 3600
    # systemctl enable fail2ban
    # systemctl start fail2ban
    
    
    
    ########## ModSecurity ##########
    # sudo yum -y install mod_security
    # sudo yum -y install mod_security_crs
    # 設定ファイルは
      /etc/httpd/conf.d/mod_security.conf
      /etc/httpd/conf.d/modsecurity_crs_10_config.conf
      /etc/httpd/modsecurity.d/activated_rules/*
    # sudo vim /etc/httpd/conf.d/mod_security.conf
      WordPress 4.9.6 の正常なアクセスを遮断してしまうルールを除外
      SecRuleRemoveById 960015 981173 960024 950109
    
    
    
    ########## ClamAV ##########
    # sudo yum -y install clamav clamav-update clamav-scanner-systemd
    # sudo cp /etc/freshclam.conf{,_ORG}
    # sudo cp /etc/sysconfig/freshclam{,_ORG}
    # sudo vim /etc/freshclam.conf
      #Example(最近はデフォでコメントアウトされてる)
      # Japanese mirror for signature downloads. The stock file's "Example" line must
      # stay commented out — freshclam refuses to run while it is active.
      # NOTE(review): the per-country mirror names have since been retired in favour of
      # the ClamAV CDN; check the current freshclam documentation before relying on it.
      DatabaseMirror db.jp.clamav.net
    # sudo vim /etc/sysconfig/freshclam
      # NOTE(review): in the EPEL clamav-update package this variable gates the
      # /etc/cron.d/clamav-update job, and "disabled" switches that periodic update
      # OFF rather than merely removing the random start delay — confirm against the
      # cron wrapper before relying on automatic signature updates.
      FRESHCLAM_DELAY=disabled
    # sudo freshclam
    # sudo ln -s /etc/clamd.d/scan.conf /etc/clamd.conf
    # sudo vim /etc/clamd.conf
      #Example
      # clamd accepts scan requests on a local unix socket and on TCP 3310; TCPAddr
      # binds the TCP listener to loopback only, so it is not reachable from the network.
      LocalSocket /var/run/clamd.scan/clamd.sock
      TCPSocket 3310
      TCPAddr 127.0.0.1 
    # sudo clamd
    # pgrep -a clamd
    
    ########## Vuls ##########
    
    スキャンする側のマシン
    
    
    スキャンされる側のマシン
    # sudo yum install -y yum-plugin-changelog yum-utils