CentOS7に各ミドルウェアをパッケージインストールしてWordPressを構築する
  (※ rootユーザーであるのにsudoを使っているところはまぁ申し訳ないっす。。)

  まずはサーバーにrootでログイン
  # ssh root@<server_ip>
  
  ########## 色々 ##########
  # vi /etc/hostname
    <ホスト名>
  # yum -y update
  # yum -y install \
    vim \
    wget \
    nmap
  
  ########## 権限周り ##########
  # vim /etc/selinux/config
    SELINUX=disabled
    ※ disabled にすると SELinux による保護層が丸ごと無効になる。まずは permissive で拒否ログを見て影響を確認し、可能なら有効のまま運用する方が安全
  
  ########## ユーザー周り ##########
  # cp /etc/ssh/sshd_config{,_ORG}
  # vim /etc/ssh/sshd_config
    PermitRootLogin no
    PasswordAuthentication no
    PubkeyAuthentication yes
  # useradd konyaa
  # passwd konyaa
  # visudo
    ※ wheelグループにroot権限を与える。以下はどちらか一方を有効化する（両方書くと後の行が優先される）
    %wheel	ALL=(ALL)	ALL
    ※ こちらはroot昇格にパスワードを必要としない（利便性と引き換えに、鍵が漏れた時点でそのままrootを取られる）
    %wheel	ALL=(ALL)	NOPASSWD: ALL
  # id konyaa
  # usermod -g wheel konyaa
    ※ -g はプライマリグループを wheel に置き換える。補助グループとして追加したいだけなら usermod -aG wheel konyaa
  # id konyaa
  # su - konyaa
  # mkdir .ssh
  # chmod 700 .ssh
  # vim .ssh/authorized_keys
    ※ ログイン端末の公開鍵を貼る
  # chmod 600 .ssh/authorized_keys
  # sudo systemctl restart sshd
    ※ PasswordAuthentication no にしているので、このセッションを閉じる前に別端末から konyaa で鍵ログインできることを確認する（失敗すると締め出される）
  
  ########## PHP7.1 ##########
  # sudo yum -y install epel-release
  # sudo rpm -Uvh http://rpms.famillecollet.com/enterprise/remi-release-7.rpm
    ※ http で取得するので、導入前にパッケージ署名を確認する（rpm --checksig）
  # sudo yum -y install --enablerepo=remi-php71,epel php php-devel php-common php-cli php-pdo php-mcrypt php-mbstring php-gd php-mysqlnd php-pear php-soap php-xml php-xmlrpc php-pecl-apc
  # sudo cp /etc/php.ini{,_ORG} 
  # sudo vim /etc/php.ini
    357: zend.multibyte = On
    363: zend.script_encoding = UTF-8
    374: expose_php = Off
    400: max_input_vars = 10000
    404: memory_limit = 256M
    671: post_max_size = 24M
    824: upload_max_filesize = 200M
    ※ post_max_size は upload_max_filesize 以上にしないと、24M を超えるアップロードは失敗する
    827: max_file_uploads = 50
    902: date.timezone = Asia/Tokyo
    1521: mbstring.internal_encoding = UTF-8
    
  ########## MariaDB ##########
  # sudo yum -y install mariadb mariadb-server
  # mysql --version
  # sudo cp /etc/my.cnf{,_ORG}
  # sudo vim /etc/my.cnf
    [mysqld]
      datadir=/var/lib/mysql
      socket=/var/lib/mysql/mysql.sock
      bind-address=127.0.0.1
      symbolic-links=0
      character-set-server = utf8
      skip-character-set-client-handshake
     
      max_connections = 200
      key_buffer_size = 32M
      max_allowed_packet = 16M
      binlog_cache_size = 1M
      table_open_cache = 2048
      sort_buffer_size = 8M
      join_buffer_size = 8M
      thread_concurrency = 8
      query_cache_size = 64M
      query_cache_limit = 2M
      tmp_table_size = 300M
      read_buffer_size = 2M
      read_rnd_buffer_size = 16M
      net_buffer_length = 8K
  
      myisam_sort_buffer_size = 8M
      innodb_buffer_pool_size = 128M
      innodb_additional_mem_pool_size = 10M
  
      [mysqld_safe]
      log-error=/var/log/mariadb/mariadb.log
      pid-file=/var/run/mariadb/mariadb.pid
      !includedir /etc/my.cnf.d
  
      [mysqldump]
      quick
      max_allowed_packet = 16M
  
      [mysql]
      no-auto-rehash
      default-character-set = utf8
  
      [myisamchk]
      key_buffer_size = 20M
      sort_buffer_size = 20M
      read_buffer = 2M
      write_buffer = 2M
  
      [mysqlhotcopy]
      interactive-timeout	
  # sudo systemctl enable mariadb
  # sudo systemctl start mariadb
  # sudo systemctl list-unit-files | grep mariadb
  # vim wordpress.sql
    set password for root@localhost=password('roothoge');
    insert into user set user="hoge", password=password("hogehoge"), host="localhost";
    create database wddb;
    grant all on wddb.* to hoge;
    FLUSH PRIVILEGES;
    drop database test;
  # mysql -uroot -Dmysql < wordpress.sql
  # rm wordpress.sql
  # mysql -uroot -proothoge
  # mysql -uhoge -phogehoge -Dwddb
    ※ -p の直後にパスワードを書くとシェル履歴やプロセス一覧に残る。-p だけ指定して対話入力にする
  
  ########## Apache2.4 ##########
  # sudo yum -y install httpd
  # rpm -qa | grep httpd
  # sudo cp /etc/httpd/conf/httpd.conf{,_ORG}
  # sudo mkdir /var/www/sample.com
  # sudo chown apache: /var/www/sample.com
  # sudo mkdir /var/log/httpd/sample.com
  # sudo vim /etc/httpd/conf.d/sample.com.conf
    NameVirtualHost *:80
    ※ Apache 2.4 では NameVirtualHost は不要（効果がなく警告が出る）
  
    <VirtualHost *:80>
      ServerName <サーバーIP>
      <Location />
         Require all denied
      </Location>
    </VirtualHost>
  
    <VirtualHost *:80>
      DocumentRoot /var/www/sample.com
      ServerName sample.com
      SetEnvIf Request_URI "\.(gif|jpg|png|css|js|ico)$" nolog
      ErrorLog logs/sample.com/error_log
      CustomLog logs/sample.com/access_log common
      ※ 上の nolog を効かせるには CustomLog の末尾に env=!nolog を付ける。付けなければ静的ファイルも全て記録される
  
      # .htaccessが効くようにする
      <Directory /var/www/sample.com>
        AllowOverride All
      </Directory>
  
      # ブラウザのキャッシュを活用
      <Files ~ ".(gif|jpe?g|png|svg|ico|otf|ttf|eot|woff)$">
        Header set Cache-Control "max-age=2592000, public"
      </Files>
  
      <Files ~ ".(css|js|html|gz)$">
        Header set Cache-Control "max-age=604800, public"
      </Files>
  
      ServerAlias www.sample.com
      RewriteEngine on
      RewriteCond %{HTTP_HOST} ^www\.sample\.com$
      RewriteRule ^/(.*) http://sample.com/$1 [R=301,L]
    </VirtualHost>
  # sudo vim /etc/httpd/conf/httpd.conf
    :%s/#.* で全てのコメント行を空白に変換
    :v/\S/d で全ての空白行を削除
  # sudo vim /etc/httpd/conf.d/security.conf
    ServerTokens Prod
    Header unset "X-Powered-By"
    RequestHeader unset Proxy
    Header append X-Frame-Options SAMEORIGIN
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Content-Type-Options nosniff
    TraceEnable Off
  
    <Directory /var/www/sample.com>
        AllowOverride All
        Options -Indexes
        <IfVersion < 2.3>
            ServerSignature Off
            FileETag MTime Size
        </IfVersion>
    </Directory>
    ※ CentOS7 の httpd は 2.4 系なので <IfVersion < 2.3> の中は適用されない。ServerSignature Off / FileETag は IfVersion の外に置く（下の cgi-bin のブロックも同様）
  
    <Directory "/var/www/cgi-bin">
        <IfVersion < 2.3>
            ServerSignature Off
            FileETag MTime Size
        </IfVersion>
    </Directory>
  # sudo systemctl enable httpd
  # sudo systemctl start httpd
  # sudo systemctl list-units | grep httpd
  
  ########## Firewalld ##########
  # sudo firewall-cmd --state
  # sudo firewall-cmd --list-services
  # sudo firewall-cmd --add-service=http --zone=public --permanent
    ※ SSLを利用する場合は打たない（ただし後述の certbot の検証や http→https リダイレクトには80番の開放が必要になる場合があるので、その構成なら開ける）
  # sudo firewall-cmd --add-service=https --zone=public --permanent
  # sudo firewall-cmd --reload
  
  ########## WordPress ##########
  # wget https://ja.wordpress.org/wordpress-4.9.6-ja.zip
  # sudo cp wordpress-4.9.6-ja.zip /var/www/sample.com
  # cd /var/www/sample.com
  # sudo unzip wordpress-4.9.6-ja.zip
  # sudo rm wordpress-4.9.6-ja.zip
  # sudo mv wordpress/* .
  # sudo rmdir wordpress
  # sudo cp wp-config-sample.php wp-config.php
  # sudo vim wp-config.php
    DB_NAME / DB_USER / DB_PASSWORD / DB_HOST を上の wordpress.sql で作った値（wddb / hoge / localhost）に合わせる
    下を追加
    define('FS_METHOD', 'direct');
  # sudo cp wp-includes/functions.php{,_ORG}
    remove_action('wp_head', 'wp_generator'); を追加
    ※ コアファイルの変更は WordPress 更新で上書きされる。テーマの functions.php か mu-plugins に書く方が確実。バックアップ（functions.php_ORG）は公開ディレクトリに残さない
  # sudo rm readme.html
  # sudo chown -R kooo: /var/www/sample.com
    ※ kooo は上で作成したユーザー名（konyaa）と一致していない。実際に作ったユーザー名に合わせる（後の手順の chown も同様）
  # http://www.example.com（上で ServerName に設定した sample.com に読み替える）をブラウザで開いてWordPressを利用
  # http://www.htaccesseditor.com/でhtpasswd作成
    ※ 外部サイトにパスワードを入力するのは避け、httpd-tools の htpasswd コマンドでローカル生成する方が安全（例: htpasswd -c /etc/httpd/.htpasswd <ユーザー名>）
  # sudo vim /etc/httpd/.htpasswd
    上で作ったものを貼る
  # sudo vim /var/www/sample.com/.htaccess
    # 管理画面遷移においてBasic認証を設置
    <Files wp-login.php>
      AuthUserFile /etc/httpd/.htpasswd
      AuthName "Please enter your ID and password"
      AuthType Basic
      require valid-user
    </Files>
  
    # サーバーからブラウザにファイルを送る際に圧縮機能を利用する
    <IfModule mod_deflate.c>
      AddOutputFilterByType DEFLATE image/svg+xml
      AddOutputFilterByType DEFLATE text/plain
      AddOutputFilterByType DEFLATE text/html
      AddOutputFilterByType DEFLATE text/xml
      AddOutputFilterByType DEFLATE text/css
      AddOutputFilterByType DEFLATE text/javascript
      AddOutputFilterByType DEFLATE application/xml
      AddOutputFilterByType DEFLATE application/xhtml+xml
      AddOutputFilterByType DEFLATE application/rss+xml
      AddOutputFilterByType DEFLATE application/javascript
      AddOutputFilterByType DEFLATE application/x-javascript
      AddOutputFilterByType DEFLATE application/x-font-ttf
      AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
      AddOutputFilterByType DEFLATE font/opentype font/ttf font/eot font/otf
    </IfModule>
  
  # sudo su
  # cd /var/www/sample.com
  # rm -f /var/www/sample.com/readme.html
  # rm -f /var/www/sample.com/readme-ja.html
  # rm -f /var/www/sample.com/license.txt
  # chown -R kooo: /var/www/sample.com
  # chmod 757 /var/www/sample.com
  # chmod -R 707 /var/www/sample.com/wp-content
    ※ 757 / 707 は「その他」に書き込みを許す（world-writable）ので、同じサーバーの他ユーザーやプロセスからも改変できてしまう。apache をグループにして 775 / 770 のように other には書き込みを与えない
  # chmod 755 /var/www/sample.com/wp-includes/js/swfupload
  # chown apache: /var/www/sample.com/wp-config.php
  # chmod 644 wp-config.php
    ※ wp-config.php には DB パスワードが入るので、other から読めない 640 か 600 にする
  # mkdir -p /var/www/sample.com/wp-content/uploads
  # chown apache: /var/www/sample.com/wp-content/uploads
  # chmod 707 /var/www/sample.com/wp-content/uploads
  # chown -R apache: /var/www/sample.com/wp-includes
  # chown -R apache: /var/www/sample.com/wp-admin
  # chown apache: /var/www/sample.com/*.php
    ※ コード一式を apache 所有にすると、PHP 側に侵入された際にコアファイルまで書き換えられる。FS_METHOD direct で自動更新させたい範囲だけに絞るのが無難
  
  ########## Let's Encrypt ##########
  # sudo su
  # yum -y install certbot certbot-apache
  # certbot run --apache -d www.sample.com -d sample.com
    > メアド入力
    > httpからhttpsへのリダイレクトをするなら2を選択
  # systemctl status crond
  # vim /etc/cron.d/letsencrypt
    0 24 * * 7 root /bin/certbot renew --post-hook "systemctl restart httpd"
    ※ 時の欄は 0〜23 なので 24 は不正で、この行は実行されない。例: 0 3 * * 0（毎週日曜3時）
  
  ########## Fail2ban ##########
  # sudo yum -y install epel-release
  # sudo yum -y install fail2ban fail2ban-systemd
  # sudo mkdir /var/log/fail2ban
  # sudo vim /etc/fail2ban/fail2ban.conf
    loglevel  = NOTICE
    logtarget = /var/log/fail2ban/fail2ban.log
  # sudo vim /etc/fail2ban/filter.d/apache-request-dos.conf
    [Definition]
    failregex = ^<HOST> -.*"(GET|POST).*
    ignoreregex = \.(?i)(jpe?g|gif|png|bmp|pdf|js|css|woff|eot|ttf|ico|txt|xml|swf|xlsx?|docx?|pptx?)
    ※ 式の途中の (?i) は Python 3.11 以降ではエラーになるので、将来の環境では先頭に置く（下の 403 / 404 フィルタも同様）
  # sudo vim /etc/fail2ban/filter.d/apache-403-dos.conf
    [Definition]
    failregex = ^<HOST>.*"(GET|POST).*" (403) .*$
    ignoreregex = \.(?i)(jpe?g|gif|png|bmp|pdf|js|css|woff|eot|ttf|ico|txt|xml|swf|xlsx?|docx?|pptx?)
  # sudo vim /etc/fail2ban/filter.d/apache-404-dos.conf
    [Definition]
    failregex = ^<HOST>.*"(GET|POST).*" (404) .*$
    ignoreregex = \.(?i)(jpe?g|gif|png|bmp|pdf|js|css|woff|eot|ttf|ico|txt|xml|swf|xlsx?|docx?|pptx?)
  # sudo vim /etc/fail2ban/jail.local ※基本jail.confはいじらない
    [DEFAULT]
    ignoreip  = 127.0.0.1
    backend   = auto
    
    # sshログインを5回連続で失敗したIPを15分間Ban
    [ssh-brute]
    enabled  = true
    filter   = sshd
    action   = iptables[name=ssh_brute, port="ssh"]
    logpath  = /var/log/secure
    maxretry = 5
    bantime  = 900
    
    # 3分間に100回以上のリクエストを送ったIPを60分間Ban
    [apache-short-span-dos]
    enabled  = true
    filter   = apache-request-dos
    action   = iptables-multiport[name=apache_short_span_dos, port="http,https"]
    logpath  = /var/log/httpd/sample.com/access_log
    maxretry = 100
    findtime = 180
    bantime  = 3600
    
    # 24時間中に100回以上のリクエストを送ったIPを60分間Ban
    # ※ 通常の閲覧やクローラでも1日100リクエストは超えうるので、誤Banに注意して閾値を調整する
    [apache-long-span-dos]
    enabled  = true
    filter   = apache-request-dos
    action   = iptables-multiport[name=apache_long_span_dos, port="http,https"]
    logpath  = /var/log/httpd/sample.com/access_log
    maxretry = 100
    findtime = 86400
    bantime  = 3600
  
    # 3分間に403を60回発生させたIPを1時間Ban
    [apache-403-dos]
    enabled  = true
    filter   = apache-403-dos
    action   = iptables-multiport[name=apache_403_dos, port="http,https"]
    logpath  = /var/log/httpd/sample.com/access_log
    maxretry = 60
    findtime = 180
    bantime  = 3600
    
    # 3分間に404を60回発生させたIPを1時間Ban
    [apache-404-dos]
    enabled  = true
    filter   = apache-404-dos
    action   = iptables-multiport[name=apache_404_dos, port="http,https"]
    logpath  = /var/log/httpd/sample.com/access_log
    maxretry = 60
    findtime = 180
    bantime  = 3600
  # systemctl enable fail2ban
  # systemctl start fail2ban
  
  ########## ModSecurity ##########
  # sudo yum -y install mod_security
  # sudo yum -y install mod_security_crs
  # 設定ファイルは
    /etc/httpd/conf.d/mod_security.conf
    /etc/httpd/conf.d/modsecurity_crs_10_config.conf
    /etc/httpd/modsecurity.d/activated_rules/*
  
  ########## ClamAV ##########
  # sudo yum -y install clamav clamav-update clamav-scanner-systemd
  # sudo cp /etc/freshclam.conf{,_ORG}
  # sudo cp /etc/sysconfig/freshclam{,_ORG}
  # sudo vim /etc/freshclam.conf
    #Example(最近はデフォでコメントアウトされてる)
    DatabaseMirror db.jp.clamav.net
  # sudo vim /etc/sysconfig/freshclam
    FRESHCLAM_DELAY=disabled
  # sudo freshclam
  # sudo ln -s /etc/clamd.d/scan.conf /etc/clamd.conf
  # sudo vim /etc/clamd.conf
    #Example
    LocalSocket /var/run/clamd.scan/clamd.sock
    TCPSocket 3310
    TCPAddr 127.0.0.1 
  # sudo clamd
    ※ 手動起動は再起動で消える。clamav-scanner-systemd が提供する clamd@scan ユニットを systemctl enable / start する方がよい
  # pgrep -a clamd
  
  ########## Vuls ##########
  
  スキャンする側のマシン
  
  スキャンされる側のマシン
  # sudo yum install -y yum-plugin-changelog yum-utils