Increase nginx open-files limit on systemd

# check the limits the running nginx master actually has:
$ cat /proc/$(cat /run/nginx.pid)/limits

$ nano /lib/systemd/system/nginx.service
# --> under [Service] add:
LimitNOFILE=16384

$ systemctl daemon-reload
$ systemctl restart nginx && systemctl status nginx
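An added example (not from the original note) that reads the open-files limit from the live nginx master and raises it with a systemd drop-in instead of editing the vendor unit; the drop-in path /etc/systemd/system/nginx.service.d/limits.conf and the 16384 value are assumptions, and the /proc limits text is constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original post: read the open-files limit the
# running nginx master really has, and raise it with a systemd drop-in rather
# than editing /lib/systemd/system/nginx.service (package updates overwrite
# that file). Drop-in path and the 16384 value are assumptions.
set -eu

# Soft "Max open files" from text in /proc/<pid>/limits format (field 4).
nofile_soft_limit() {
    printf '%s\n' "$1" | awk '/^Max open files/ { print $4 }'
}

# Hard limit is field 5; a soft limit can never be raised above it.
nofile_hard_limit() {
    printf '%s\n' "$1" | awk '/^Max open files/ { print $5 }'
}

# Drop-in body; systemd merges it over the vendor unit on daemon-reload.
render_dropin() {
    printf '[Service]\nLimitNOFILE=%s\n' "$1"
}

# Constructed sample of /proc/<pid>/limits for running this offline.
SAMPLE_LIMITS='Limit                     Soft Limit           Hard Limit           Units
Max open files            1024                 4096                 files
Max processes             3865                 3865                 processes'

# Write the drop-in, restart nginx and verify against the live master
# process rather than trusting the unit file. Needs root; only runs with --apply.
apply_nofile() {
    want="$1"
    dir=/etc/systemd/system/nginx.service.d
    mkdir -p "$dir"
    render_dropin "$want" > "$dir/limits.conf"
    systemctl daemon-reload
    systemctl restart nginx
    cur=$(nofile_soft_limit "$(cat "/proc/$(cat /run/nginx.pid)/limits")")
    [ "$cur" = "$want" ] || { echo "got $cur, expected $want" >&2; return 1; }
    # nginx's own worker_rlimit_nofile must stay <= the hard limit shown here.
    echo "nginx master now has LimitNOFILE=$cur"
}

if [ "${1:-}" = "--apply" ]; then
    apply_nofile "${2:-16384}"
else
    echo "sample soft/hard: $(nofile_soft_limit "$SAMPLE_LIMITS")/$(nofile_hard_limit "$SAMPLE_LIMITS")"
    render_dropin 16384
fi
```

Without `--apply` the script only parses the constructed sample and prints the drop-in it would write.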

Yum update only security-related packages

yum -y install yum-plugin-security

# To display all updates that are security relevant, and get a return code indicating whether there are security updates, enter:
yum --security check-update

# To upgrade packages that have security errata (upgrades to the latest available package) use:
yum --security update

# To upgrade packages that have security errata (upgrades to the last security errata package) use:
yum --security update-minimal

# See yum-security man page for more information:
man 8 yum-security

thanks, cyberciti

CentOS 7 / RHEL firewalld settings

CentOS 7 has adopted firewalld by default over the previous iptables, which requires some new steps to configure your firewall.

Rule Permanence

In firewalld, rules can be designated as either permanent or immediate. By default, adding or modifying a rule changes only the behavior of the currently running firewall; at the next boot, the old rules are restored.

Most firewall-cmd operations can take the --permanent flag to indicate that the non-ephemeral firewall should be targeted. This affects the rule set that is loaded at boot. The separation means that you can test rules in your active firewall instance and simply reload to discard them if there are problems. You can also use the --permanent flag to build out an entire set of rules over time that will all be applied at once when the reload command is issued.

Some key take-aways:

  • check active zones: firewall-cmd --get-active-zones
  • use the --permanent flag for rules you want to persist across reloads: firewall-cmd --permanent --zone=public --add-service=https
  • Add the service FOR EACH ZONE you want. Leaving out the zone applies it to the default zone only.

more info:

  • redhat.com – Security_Guide sec-Using_Firewalls
  • digitalocean – how-to-set-up-a-firewall-using-firewalld-on-centos-7
# CentOS/RHEL 7 Firewall:

# add service to zone:
$ firewall-cmd --permanent --zone=public --add-service=ssh

# reload to add:
$ firewall-cmd --reload
# _or_ firewall-cmd --reload

# check:
$ sudo firewall-cmd --state
$ firewall-cmd --zone=public --list-all

## apache / httpd:
$ firewall-cmd --permanent --zone=public --add-service=http
$ firewall-cmd --permanent --zone=public --add-service=https
$ systemctl reload firewalld

more info: see:

http://linuxmanpages.net/manpages/fedora20/man5/firewalld.zone.5.html

http://searchdatacenter.techtarget.com/tip/A-few-ways-to-configure-Linux-firewalld?abRg=f

https://www.certdepot.net/rhel7-get-started-firewalld/

https://www.linode.com/docs/security/firewalls/introduction-to-firewalld-on-centos

Example for setting mysql 3306 and 3307 to LAN (eth1 in this case, using the “dmz” zone):

Pre-configured services are in: /etc/firewalld/services (or similar).
You can create your own like:

firewall-cmd --zone=public --change-interface=eth0 --permanent
firewall-cmd --zone=dmz --change-interface=eth1 --permanent

firewall-cmd --zone=dmz --permanent --add-service=mysql
firewall-cmd --zone=dmz --permanent --add-service=mysql-ro

# verify:
firewall-cmd --permanent --zone=public --list-all
firewall-cmd --permanent --zone=dmz --list-all

firewall-cmd --reload

# if any network settings were updated:
# NOTE: may disrupt network, take care on a production machine
systemctl restart network.service

# to make sure firewalld settings are updated:
systemctl restart firewalld.service

mysql-ro (port 3307) service: /etc/firewalld/services/mysql-ro.xml

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>MySQL</short>
  <description>MySQL Database Server - secondary port</description>
  <port protocol="tcp" port="3307"/>
</service>
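An added example (not from the original post) covering two checks the zone and permanence notes above call for: rendering a service file in the same shape as mysql-ro.xml so extra ports can be scripted, and flagging services that exist only in the runtime rule set and would be dropped by a reload or reboot. The zone and service lists are constructed sample data; the live check runs only where firewall-cmd is present and firewalld is running.

```shell
#!/bin/sh
# Added example, not from the original post. Two checks around the zone and
# permanence notes above: render a service file in the mysql-ro shape so extra
# ports can be scripted, and flag services present only in the runtime rule set,
# which --reload or a reboot silently drops. Sample zone data is constructed.
set -eu

# Emit a firewalld service definition in the same shape as mysql-ro.xml.
render_service_xml() {
    printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
    printf '  <short>%s</short>\n  <description>%s</description>\n' "$1" "$2"
    printf '  <port protocol="%s" port="%s"/>\n</service>\n' "$3" "$4"
}

# Services in the runtime list ($1) but not the permanent list ($2).
runtime_only() {
    out=""
    for s in $1; do
        case " $2 " in
            *" $s "*) ;;
            *) out="$out $s" ;;
        esac
    done
    printf '%s\n' "${out# }"
}

# Constructed sample: https was added to public without --permanent.
SAMPLE_RUNTIME="dhcpv6-client ssh http https"
SAMPLE_PERMANENT="dhcpv6-client ssh http"

# Compare runtime and permanent service lists for one zone on a live host.
check_zone_drift() {
    rt=$(firewall-cmd --zone="$1" --list-services)
    pm=$(firewall-cmd --permanent --zone="$1" --list-services)
    drift=$(runtime_only "$rt" "$pm")
    [ -z "$drift" ] || echo "zone $1: runtime-only services: $drift"
}

if [ "$(id -u)" = 0 ] && firewall-cmd --state >/dev/null 2>&1; then
    # Every active zone, matching the "add service FOR EACH ZONE" note.
    for z in $(firewall-cmd --get-active-zones | grep -v '^ '); do
        check_zone_drift "$z"
    done
else
    echo "runtime-only in sample: $(runtime_only "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT")"
    # Custom file belongs in /etc/firewalld/services/mysql-ro.xml; run
    # firewall-cmd --reload before --add-service=mysql-ro will see it.
    render_service_xml MySQL 'MySQL Database Server - secondary port' tcp 3307
fi
```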
Identify current CentOS version

how to get current CentOS version:

cat /etc/centos-release

and to see kernel info:

uname -a

hardware time on cloud server

In order to set the time correctly (timezone, ntp time sync, etc.) on a cloud server, you need to indicate that the system does not support hardware time. I’m not entirely sure how to do this manually, at least not anymore, but if you are using webmin (which I do often use for expediency but only start it up when needed) – here is what you need to set:

Webmin > Hardware > System Time > Module Config > System Configuration > System supports hardware time

set to: no

For time server sync, I use:

0.pool.ntp.org

and sync when webmin starts and turn the schedule on for once a day (may want to set more often if your apps are time critical and/or are syncing data based on timestamp, e.g., svn server).
