Install Zabbix 4.0, Latest Nginx, Latest PHP, Latest MariaDB on CentOS 7

# Hello,
# Date Wed Jun 12 08:16:24 PDT 2019
# Version 3
# VARS
# SERVER_IP= IP of Server
# ZBPASSWORD= MySQL Zabbix User Password
# The commands below must be executed as root, so sudo is omitted for portability.

# 1 - Installing Zabbix, MySQL (MariaDB), Nginx,  from repos

# 1A - Zabbix 4.0 LTS

#>>>>>>>> BEGIN of Blind copy/paste
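# Repository setup and package installation (run as root).
# NOTE(review): the page title says Zabbix 4.0 LTS, but this release RPM is from the
# 4.2 branch; pick the branch you actually want before running this line.
rpm -Uvh https://repo.zabbix.com/zabbix/4.2/rhel/7/x86_64/zabbix-release-4.2-1.el7.noarch.rpm
yum clean all -y

yum install epel-release -y
# Fetch the remi release package over TLS: by default yum does not GPG-check a package
# given as a URL, so the transport is the only integrity protection for this download.
yum install https://rpms.remirepo.net/enterprise/remi-release-7.rpm -y
yum install -y yum-utils
yum-config-manager --disable remi-php54
yum-config-manager --enable remi-php73

# Pulls in every Zabbix dependency, including PHP and Apache (httpd is disabled later).
yum -y install zabbix-server-mysql zabbix-web-mysql zabbix-agent php-fpm php-opcache curl

# MariaDB 10.3 repository; gpgcheck=1 keeps package verification independent of transport.
# Quoted delimiter: the file content is written literally.
cat <<'EOF' > /etc/yum.repos.d/mariadb.repo
[mariadb]
name = MariaDB
baseurl = https://yum.mariadb.org/10.3/centos7-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1
EOF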

# 1B - MySQL/MariaDB
# The command below installs MariaDB, the MySQL replacement in CentOS 7 (it offers better performance and debugging tools, which is why it replaced base MySQL).
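# MariaDB client + server from the repository written in step 1A.
yum -y install MariaDB-client.x86_64 MariaDB-server.x86_64

# yum-utils was already installed in step 1A, so the repeated install was dropped.

# nginx stable repository; gpgcheck=1 so packages are signature-verified regardless
# of transport. Quoted delimiter: $releasever/$basearch are yum variables and must
# land in the file literally.
cat <<'EOF' > /etc/yum.repos.d/nginx.repo
[nginx-stable]
name=nginx stable repo
baseurl=https://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
EOF

yum install nginx -y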

#>>>>>>>> END of Blind copy/paste

#======= BEGIN of MYSQL Configuration

# Configuring MySQL security settings
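# Start the database before any mysql client command (systemctl, like the rest of the runbook).
systemctl start mariadb

# Set the MySQL root password, drop the test database, disable anonymous login, etc.
# Note: safe to re-run whenever you want to change the MySQL root password.
/usr/bin/mysql_secure_installation
# Press Enter for the (empty) current root password and answer Y to the remaining
# questions; choose a strong MySQL root password.

# Configure the Zabbix database. Run each command on its own; each one prompts for
# the MySQL root password set above.
# Note: run this only once; a second run fails because the database already exists.
mysql -p -e "create database zabbix character set utf8 collate utf8_bin;"

# Create the Zabbix MySQL user. Replace ZBPASSWORD with a long random value.
# The statement is fed on stdin rather than via -e so the password is not visible
# in the process list (ps) while the command runs; -p still prompts on the tty.
# Note: safe to re-run whenever you want to change the zabbix user's password.
mysql -p <<'SQL'
grant all privileges on zabbix.* to zabbix@localhost identified by 'ZBPASSWORD';
SQL

# Import the schema; enter the zabbix user's password (ZBPASSWORD) when prompted.
zcat /usr/share/doc/zabbix-server-mysql*/create.sql.gz | mysql -uzabbix -p zabbix

# Point zabbix_server at the database. Appending unconditionally leaves duplicate
# DBPassword= lines on a re-run, so only add the line when it is absent.
grep -q '^DBPassword=' /etc/zabbix/zabbix_server.conf \
  || echo "DBPassword=ZBPASSWORD" >> /etc/zabbix/zabbix_server.conf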

#======= END of MYSQL Configuration



#======= BEGIN of NGINX Configuration
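# Apache was pulled in as a Zabbix dependency; nginx + php-fpm serve the frontend instead.
systemctl disable httpd
systemctl stop httpd

# Run nginx workers as 'apache' so they can use the php-fpm socket configured later.
# This replaces the manual edit of /etc/nginx/nginx.conf ('user nginx;' -> 'user apache;').
sed -i 's/^user[[:space:]]\+nginx;/user apache;/' /etc/nginx/nginx.conf

mv /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.noconf
# Quoted delimiter: nginx variables ($host, $document_root, ...) are written literally.
cat <<'EOF' > /etc/nginx/conf.d/zabbix.conf
server {
  server_name  SERVER_IP;
  location / {
    root   /usr/share/zabbix;
    index  index.html index.htm index.php;
  }

  location ~ \.php$ {
    root /usr/share/zabbix;
    # Only hand php-fpm a script that actually exists on disk; a .php path that does
    # not exist (for example one appended to an existing non-PHP file) gets a 404.
    try_files $uri =404;
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_pass   unix:/var/run/php/zabbix.sock;
    fastcgi_index  index.php;
    fastcgi_buffers 16 16k;
    fastcgi_buffer_size 32k;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include        fastcgi_params;
  }

  location ~ /\.ht {
    deny  all;
  }

  listen 443 ssl http2;
  ssl_certificate /etc/nginx/ssl/zabbix/SERVER_IP.crt;
  ssl_certificate_key /etc/nginx/ssl/zabbix/SERVER_IP.key;
  ssl_dhparam /etc/nginx/ssl/dhparam.pem;
  ssl_session_cache shared:le_nginx_SSL:1m;
  ssl_session_timeout 1440m;

  # TLS 1.0/1.1 are deprecated and were dropped; add TLSv1.3 only if the nginx/OpenSSL
  # build on the host supports it.
  ssl_protocols TLSv1.2;
  ssl_prefer_server_ciphers on;

  # Same suite list as before with the 3DES (DES-CBC3) entries removed.
  ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS";

}
server {
  if ($host = SERVER_IP) {
    return 301 https://$host$request_uri;
  }

  listen       80;
  server_name  SERVER_IP;
  return 404;
}
EOF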

#======= END of NGINX Configuration

#======= BEGIN of Self Signed SSL
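# Self-signed certificate and DH parameters for the nginx vhost above.
mkdir -p /etc/nginx/ssl/zabbix
rm -rf -- /etc/nginx/ssl/zabbix/*
chmod 700 /etc/nginx/ssl
# Generate key material under a restrictive umask so the private key is never
# world-readable, even if /etc/nginx/ssl is relaxed later. The openssl req prompts
# are answered interactively (example answers follow).
(
  umask 077
  openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout /etc/nginx/ssl/zabbix/SERVER_IP.key \
    -out /etc/nginx/ssl/zabbix/SERVER_IP.crt
)
chmod 600 /etc/nginx/ssl/zabbix/SERVER_IP.key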
# Example of input I used
#Email Address []:me@mohammedh.io
#Country Name (2 letter code) [XX]:US
#State or Province Name (full name) []:New York
#Locality Name (eg, city) [Default City]:New York City
#Organization Name (eg, company) [Default Company Ltd]:Zabbix Fake Master
#Organizational Unit Name (eg, section) []:Ministry of Water Slides
#Common Name (eg, your name or your server's hostname) []:SERVER_IP
#Email Address []:me@mohammedh.io 
#======= END of Self Signed SSL


#======= BEGIN of PHP-FPM configuration
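# php-fpm pool for the Zabbix frontend, listening on a unix socket.
mkdir -p /var/run/php/
# Recreate the socket directory at boot (/var/run is volatile).
# NOTE(review): the directory is owned by nginx:nginx while the pool and its socket
# run as apache (nginx workers are also switched to 'apache' in the nginx step). It
# works because the directory is 0755, but a single consistent owner would be clearer;
# confirm which one is intended.
echo "d /var/run/php/ 0755 nginx nginx - -" > /usr/lib/tmpfiles.d/php-fpm.conf
mv /etc/php-fpm.d/www.conf /etc/php-fpm.d/www.noconf
# Quoted delimiter: the pool file is written literally.
cat <<'EOF' > /etc/php-fpm.d/zabbix.conf
[zabbix]
user = apache
group = apache
listen = /var/run/php/zabbix.sock
listen.owner = apache
listen.group = apache
pm = ondemand
pm.max_children = 150
pm.process_idle_timeout = 10s
pm.max_requests = 2000
php_value[post_max_size] = 32M
php_value[max_execution_time] = 600
php_value[max_input_time] = 600
php_value[date.timezone] = UTC
EOF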



#======= END of PHP-FPM configuration

# Disable Apache, and enable php-fpm, nginx and MariaDB so they start at boot.
# Apache stays off; the services the frontend and database need are enabled and started
# in the same order as before, then the Zabbix daemons are enabled and restarted.
systemctl disable httpd && systemctl stop httpd
for svc in php-fpm nginx mariadb; do
  systemctl enable "$svc" && systemctl start "$svc"
done
systemctl enable zabbix-server zabbix-agent && systemctl restart zabbix-server zabbix-agent

#======= Begin of Permissions fix
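# SELinux labels: the frontend tree is read-only web content, assets/ is web-app writable.
semanage fcontext -a -t httpd_sys_content_t "/usr/share/zabbix(/.*)?"
semanage fcontext -a -t httpd_user_rw_content_t "/usr/share/zabbix/assets(/.*)?"
restorecon -R -v /usr/share/zabbix/
# The php-fpm pool runs as apache (see the [zabbix] pool), so give that user write
# access instead of making the tree world-writable: the previous 777 let any local
# account modify files served by the frontend.
chown -R apache:apache /usr/share/zabbix/assets
chmod -R u=rwX,go=rX /usr/share/zabbix/assets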
#======= End of Permissions fix




#======= BEGIN of MySQL Optimization
# I usually use a script such as mysqltuner, which suggests settings based on the hardware specs and the workload of the past 24 hours.
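# Baseline MariaDB settings; run mysqltuner afterwards for workload-specific values.
cat <<'EOF' > /etc/my.cnf.d/zabbix.cnf
[mysqld]
innodb_stats_on_metadata = 0
performance_schema = on
EOF

systemctl restart mariadb

cd /usr/local/src
# -f: fail on an HTTP error instead of saving the error page as the archive.
curl -fL "https://codeload.github.com/good-dba/mariadb-sys/zip/master" -o mariadb-sys.zip
unzip mariadb-sys.zip
cd mariadb-sys-master/

mysql -u root -p < ./mariadb_sys_install.sql

# mysqltuner is executed as root below, so fetch it over HTTPS from the same GitHub
# source as its data files; the original http://mysqltuner.pl/ download had no
# transport integrity. curl is used because wget is only installed in the CSF step.
curl -fL https://raw.githubusercontent.com/major/MySQLTuner-perl/master/mysqltuner.pl -o mysqltuner.pl
curl -fL https://raw.githubusercontent.com/major/MySQLTuner-perl/master/basic_passwords.txt -o basic_passwords.txt
curl -fL https://raw.githubusercontent.com/major/MySQLTuner-perl/master/vulnerabilities.csv -o vulnerabilities.csv

perl mysqltuner.pl
# ...then add the recommended settings to /etc/my.cnf.d/zabbix.cnf and restart.
systemctl restart mariadb

# RUN THIS AGAIN AFTER 24 HOURS OF YOUR REAL WORKLOAD
perl mysqltuner.pl
# ...then add the recommended settings to /etc/my.cnf.d/zabbix.cnf and restart.
systemctl restart mariadb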
#======= END of MySQL Optimization

# Now finish the Zabbix installation by opening https://SERVER_IP in a browser; after the setup wizard completes, log in with the username Admin and the password zabbix.

#======= BEGIN of Zabbix SELinux module
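# Build a local SELinux module from the denials recorded for the zabbix_server process.
# 'audit2allow -a' would turn every denial on the host into an allow rule; filtering
# with ausearch keeps the module scoped to zabbix_server. If the web frontend also
# needs rules, build a separate module for it rather than going back to -a.
# NOTE(review): inspect the generated sezabbix.te before 'semodule -i'; allowing
# whatever was denied is still a blanket grant for that process.
cd /usr/local/src
ausearch -c zabbix_server --raw | audit2allow -M sezabbix
semodule -i sezabbix.pp
systemctl restart zabbix-server
# Second pass: the restart can surface further denials on the sockets created at startup.
ausearch -c zabbix_server --raw | audit2allow -M sezabbix
semodule -i sezabbix.pp
restorecon -R -v /run/zabbix/zabbix_server_alerter.sock
restorecon -R -v /run/zabbix/zabbix_server_preprocessing.sock
systemctl restart zabbix-server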


#======= END of Zabbix SELinux module

#======= BEGIN of CSF Firewall Installation (fail2ban alternative firewall and login blocker with gui)
# we will need an editor to edit config file of csf
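# CSF prerequisites plus an editor for csf.conf.
yum -y install nano perl-IO-Socket-SSL.noarch perl-Net-SSLeay perl-Net-LibIDN perl-IO-Socket-INET6 perl-Socket6 perl-Digest-MD5.x86_64 perl-LWP-Protocol-https.noarch perl-LWP-MediaTypes.noarch wget unzip bind-utils
cd /usr/src
rm -fv csf.tgz
# The tarball is fetched over HTTPS and its installer is run as root; the page gives
# no checksum to compare against, so TLS is the only integrity check here.
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

nano /etc/csf/csf.conf
# In nano, set TESTING = 0, then search for UI_PORT (F6, type the keyword, Enter) and
# set the UI directives as below. These are csf.conf lines, not shell commands, so they
# are kept as comments here:
#   TESTING = 0
#   UI = 1
#   UI_PORT = "2034"
#   UI_USER = "admin"
#   UI_PASSWORD = "yourpassword"
#   UI_ALLOW = 0
# Replace "yourpassword" with a strong, unique password before enabling the UI.
# NOTE(review): UI_ALLOW = 0 appears to disable the UI's IP allow-list, leaving the GUI
# on port 2034 protected by the password alone; confirm against the comments in
# csf.conf and prefer restricting it to admin addresses.
# Save with Ctrl+X, confirm, then restart the services:
systemctl restart lfd.service csf.service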

# Then open the firewall GUI at https://SERVER_IP:2034 using the username and password set above.
#======= END of CSF Firewall Installation

#======= Begin of SELinux check
# CentOS 7 by default comes with SELinux enabled by default we can find out that using this commands
# CentOS 7 ships with SELinux enabled; these two read-only commands confirm the mode.
getenforce    # expected: Enforcing
sestatus
# Expected sestatus output:
#   SELinux status:                 enabled
#   SELinuxfs mount:                /sys/fs/selinux
#   SELinux root directory:         /etc/selinux
#   Loaded policy name:             targeted
#   Current mode:                   enforcing
#   Mode from config file:          enforcing
#   Policy MLS status:              enabled
#   Policy deny_unknown status:     allowed
#   Max kernel policy version:      31
#======= END of SELinux check

# On Google Cloud a reboot was required at this point.
systemctl reboot
