Setting up the OS and Virtualmin
Setup your SSH
Get your private key from Amazon. You will be prompted with this when you set up an instance. Save the key to your local machine and use a tool such as PuTTyGen to export the Private Key as a PPK. Keep it secret. Keep it safe. Create a new session in PuTTY, using the new keyfile. The username is firstname.lastname@example.org or email@example.com.
Go ahead and SSH into your instance.
sudo yum update -y
sudo yum install epel-release wget zip screen perl ncdu -y && sudo yum clean all
This installs some useful extras.
epel- the epel repo
wget- not included by default, for getting remote files
zip- provides support for working with zip archives
perl- needed for googleauth, amongst others
ncdu- nice easy disk usage analyser
screen- screens! if you dont need/use this then ignore it
mkdir virtualmin cd virtualmin wget http://software.virtualmin.com/gpl/scripts/install.sh chmod +x install.sh sudo ./install.sh
All in one:
mkdir virtualmin && cd virtualmin && wget http://software.virtualmin.com/gpl/scripts/install.sh && chmod +x install.sh && sudo ./install.sh
Wait for this to finish, then:
sudo yum update -y && sudo yum clean all
If you haven't already set a root password (usually on AWS installs) then you'll need to set a root password to be able to log in to VirtualMin. Do the following:
sudo /usr/libexec/webmin/changepass.pl /etc/webmin root yourrootpassword
You can now log in at the admin panel: https://mydomain.com:10000/
You will get an error about the SSL certificate when you try and log in at this point. This is to be expected. It can take a minute/a couple of log-in attempts to get access to the admin panel. This appears to be normal.
Configure Virtualmin Network settings:
To stop Virtualmin error "Virtualmin is configured to setup DNS zones, but this system is not setup to use itself as a DNS server"
sudo vi /etc/dhcp/dhclient.conf
Add the following line to the start of the file:
prepend domain-name-servers 127.0.0.1;
Add the hostname to the network config:
sudo vi /etc/sysconfig/network
Add or edit the HOSTNAME to have the following value: mydomain.com
When you've changed these you'll need to restart the network service:
sudo systemctl restart network
Configure the Virtualmin install
Go to the web interface at: https://mydomain.com:10000 Complete the Virtualmin Setup guide and configure it according to your server needs and available resources. Note that the MySQL password process may fail, if so hit blue return button and then proceed with same password and it should work.
When the Virtualmin install has finished, go to: Virtualmin -> System Settings -> Virtualmin Configuration -> Networking settings Set Default IP address for DNS records to: Automatically detect external address
After completing the install have Virtualmin check its configuration. If you're not prompted to do this on the main Virtualmin System Information page it can be found at VirtualMin -> System Settings -> Re-Check Configuration.
Setup the firewall
The firewall isn't enabled by default on CentOS 7. We need to turn it on and setup some basic rules.
sudo systemctl start firewalld
Congrats! You've now locked yourself out of the Virtualmin interface. Run the following to add the relevant rules:
sudo firewall-cmd --zone=public --add-service=http --permanent sudo firewall-cmd --zone=public --add-service=https --permanent sudo firewall-cmd --zone=public --add-port=10000/tcp --permanent
If you want email on the domain (covered further later) also add these:
sudo firewall-cmd --zone=public --add-service=pop3s --permanent sudo firewall-cmd --zone=public --add-service=imaps --permanent sudo firewall-cmd --zone=public --add-service=smtps --permanent sudo firewall-cmd --zone=public --add-service=smtp --permanent
Restart the firewall when you've added your rules.
sudo firewall-cmd --reload
You can now log back into the Virtualmin interface. You can manage firewall rules easily in the future by going to: Webmin -> Networking -> FirewallD.
Upgrading and Configuring PHP & Apache
Update PHP 5.4 to 5.6.*
Note: This replaces the default PHP 5.4 and replaces it with 5.6.* These commands are taken from Remi's excellent Wizard: https://rpms.remirepo.net/wizard/
sudo yum install yum-utils https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm http://rpms.remirepo.net/enterprise/remi-release-7.rpm -y sudo yum-config-manager --enable remi-php56 sudo yum update -y
Optionally install additional packages:
sudo yum install php-xxx
Check the installed version and available extensions:
php --version php --modules
Add Additional PHP 7.1.*
Note: This adds PHP 7.1.* in addition to 5.6.*. It assumes you have followed the steps above to add Remi's PHP Repository. If you haven't already done this then use the commands above to add the repository before doing the following.
sudo yum install php71 php71-php php71-php-bcmath php71-php-cli php71-php-common php71-php-curl php71-php-devel php71-php-fpm php71-php-gd php71-php-gmp php71-php-intl php71-php-json php71-php-mbstring php71-php-mcrypt php71-php-mysqlnd php71-php-opcache php71-php-pdo php71-php-pear php71-php-pecl-apcu php71-php-pecl-geoip php71-php-pecl-imagick php71-php-pecl-json-post php71-php-pecl-memcache php71-php-pecl-xmldiff php71-php-pecl-zip php71-php-process php71-php-pspell php71-php-simplexml php71-php-soap php71-php-tidy php71-php-xml php71-php-xmlrpc -y
Run the following to test the install. This should generate an error "no package php71-php-xxx found", this is desired:
sudo yum --enablerepo=remi-test install php71-php-xxx
Check the installed version and available extensions:
php71 --version php71 --modules
Change Apache default settings
Go to: Webmin -> Others -> PHP Configuration -> Manage -> Resource Limits Set Maximum file upload size to 32M (or suitable value) Set Maximum HTTP POST size to 32M (or suitable value)
GNU Terry Pratchett
A man is not dead while his name is still spoken This adds a custom server header named X-Clacks, in memorium of the author Terry Pratchett. See http://www.gnuterrypratchett.com/ for more information.
Open the apache config file:
sudo vi /etc/httpd/conf/httpd.conf
Insert after last
<IfModule headers_module> header set X-Clacks-Overhead "GNU Terry Pratchett" </IfModule>
Save and restart apache:
sudo systemctl restart httpd
Installing Node, Gem, SASS and LESS.
Install Node from the EPEL Repository
sudo yum install epel-release -y sudo yum install nodejs -y node --version
Optionally install LESS
sudo npm install -g less
Optionally install SASS
sudo gem install sass
If installing Gem doesn't work and the install fails to compile, chances are you need
sudo yum install gcc -y
The npm version of SASS won't work with the CMSMS module CSSPreProcessor and you must use the Gem version instead.
Securing your admin panel with SSL
At this point, reboot your server and run the Virtualmin Configuration check. It can be found at: Virtualmin -> System Settings -> Re-Check Configuration. If everything here passes, you're good to go!
Setup the Domain
It's best to create a website for the main FQDN that you're using for the server admin panel. In this example we use mydomain.com. Note you can use mydomain.com for your regular website as the admin panel will only be visible at mydomain.com:10000
Go to Virtualmin -> Create Virtual Server
Set Domain name: domain.com (without http/https/www or trailing /) Set Admin password: Something decent. You'll only need it once for setting up SSH keys. Set Admin username: Up to you. Something short, relevant and ideally not a direct copy of your domain name.
Under Enabled Features ensure "Setup SSL website too?" is ticked. Create the site. Give Virtualmin a while to make all the various config files.
Go to Virtualmin -> mydomain.com -> Edit Virtual Server Check that Quotas and Limits are suitable.
Get the SSL Certificate
Go to Virtualmin -> mydomain.com -> Server Configuration -> Manage SSL Certificate -> Let's Encrypt Set Months between automatic renewal to 2. 2 months between renewals will be sufficient as default expiry is 3 months. Ensure all domains needed are in the box. Click Request Certificate
If the cetificate fails with an error similar to the folowing: "DNS problem: NXDOMAIN looking up TXT for _acme-challenge" Chances are that it'll work for domain.com but not www.domain.com. This means that the DNS record needs a *or www. TXT record.
The following steps are only needed if the admin panel has it own domain, ignore this most likely:
Go to Webmin -> Webmin -> Webmin Configuration -> SSL Encryption -> Let's Encrypt Ensure that:
- Website root directory for validation file: Other directory
- Copy new key and certificate to Webmin: Yes.
- Enable Auto Renew (2 months). Request certificate
Copy the Cert to Webmin and Email
Go to Virtualmin -> mydomain.com -> Server Configuration -> Manage SSL Certificate Click the buttons:
- Copy to Webmin
- Copy to Usermin
- Copy to Postfix
- Copy to Dovecot
If you get an error when copying to Postfix about "no such file at /etc/postfix/ssl/*" then do the following and retry:
sudo mkdir /etc/postfix/ssl
If the certificate request succeeded and you've copied the certificate over to Webmin then your admin panel should now be valid HTTPS. If Chrome is being awkward and not detecting the new certifcate, open the admin panel in a new Incognito Tab, then re-open it in a regular tab.
Redirect http to https
Go to Virtualmin -> Services -> Configure Website -> Aliases and Redirects Add a rule for "Permanent URL redirects" From: / To: https://www.mydomain.com/
To finish and apply click "Apply Changes" button at top right
Enable 2-Factor Authentication with GoogleAuth
We can setup Virtualmin to use GoogleAuth on all logins for extra security.
Note: some installs may fail with an error about being unable to untar the package. Particularly on low-memory instances such as the t1 and t2 series. This is due to low memory. Workaround is to use systemctl to temporarily stop httpd and mariadb
First we need to install the PERL modules:
sudo yum install perl-CPAN -y cpan -or- sudo perl -MCPAN -e
Choose: yes, sudo, yes
install Archive::Tar Authen:OATH Digest::HMAC Digest::SHA Math::BigInt Moo Moose Module::Build Test::More Test::Needs Type::Tiny Types::Standard
(Can't remember if we already installed gcc, so maybe this: sudo yum install gcc -y)
Activate and enroll
Then go to Webmin -> Webmin -> Webmin Configuration -> Two-Factor Authentication -> Enable Google Authenticator.
When you have enabled Google Authenticator, you will need to complete the enrollment. Go to Webmin -> Webmin -> Webmin Users -> Two-Factor Authentication
Don't forget to restart httpd and mariadb if you had to stop them for memory conservation.
Setting up additional virtual sites
Now your admin panel is all setup to run off the back of your primary FQDN, we can go ahead and setup other virtual sites for the server if they're needed. If not, you can follow this section (with some adjustments) to obtain a keyfile for the user you have already created.
Setup a new Virtual Server
Virtualmin -> Create Virtual Server
Domain name: domain.com (without http/https/www or trailing /) Admin password: Make it a decent one. You'll only need it for setting up SSH keys for the user below. Admin username: Up to you. Something short, relevant and ideally not a direct copy of your domain name.
Under Enabled Features ensure "Setup SSL website too" is ticked. Create the site. Give Virtualmin a while to make all the various config files.
Setup SSH for Virtualmin User
From an ssh console, su to the user. Use the password you entered when you created the virtual site:
su username cd /home/username mkdir .ssh && chmod 700 .ssh && ssh-keygen -t rsa
This will start the keygen process and you will be prompted to enter a name for the keyfile Enter name: sitename_key
This will output sitename_key and sitename_key.pub in the current directory. We're using the sitename_key.pub file, but first we need to edit it. Do the following:
cp sitename_key.pub .ssh/authorized_keys vi .ssh/authorized_keys
Once in vi, remove the last part of the file that begins with username@hostname, leaving just the key itself.
Exit vi by hitting
Esc then type
:wq and press
chmod 600 .ssh/authorized_keys tar cvf public_html/sitename_key.tar sitename_key
Now we need to download the key. Go to http://www.mydomain.com/sitename_key.tar
Take that file and extract it, open with PuTTyGen, export and save the Private key as a PPK. Use this to connect via SSH as the user@domain in PuTTy, FileZilla, etc.
Don't forget to cleanup after yourself:
rm sitename_key rm sitename_key.pub rm public_html/sitename_key.tar
Done all this and getting an error in PuTTy about no suitable authentication method found? This means you saved the public key with PuTTyGen instead of the private key. Go back and try again.
Warning: here be dragons.
This section is a little rough around the edges, and may even be missing steps. I'll tidy this up one of these days...
Ensure you have already copied the LetsEncrypt certificate to Postfix and Webmin to get these to work properly.
Go to Webmin -> Servers -> Postfix -> Edit Config Files -> /etc/postfix/main.cf
Scroll all the way down to the bottom. Find the lines (677-679ish) containing:
# readme_directory: The location of the Postfix README files.
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
Remove everything beneath the lines above and insert the following:
allow_percent_hack = no broken_sasl_auth_clients = yes home_mailbox = Maildir/ mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME mailbox_size_limit = 0 sender_bcc_maps = hash:/etc/postfix/bcc smtp_tls_note_starttls_offer = yes smtp_tls_security_level = may smtp_use_tls = yes smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, reject_rhsbl_helo dbl.spamhaus.org, reject_rhsbl_sender dbl.spamhaus.org smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination smtpd_sasl_auth_enable = yes smtpd_sasl_local_domain = smtpd_sasl_security_options = noanonymous smtpd_sender_restrictions = reject_unknown_sender_domain smtpd_tls_CAfile = /etc/postfix/postfix.ca.pem smtpd_tls_cert_file = /etc/postfix/ssl/server.crt smtpd_tls_key_file = /etc/postfix/ssl/server.key smtpd_tls_loglevel = 1 smtpd_tls_mandatory_ciphers = high smtpd_tls_mandatory_protocols = SSLv3, TLSv1 smtpd_tls_received_header = yes smtpd_tls_security_level = may smtpd_tls_session_cache_timeout = 3600s smtpd_use_tls = yes tls_random_source = dev:/dev/urandom virtual_alias_maps = hash:/etc/postfix/virtual
Restart Postfix to enable Encrypted mail:
sudo systemctl restart postfix
Webmin -> Servers -> Postfix -> General Options
- What domain to use in outbound mail: Use hostname
- Send outgoing mail via host Deliver directly
- Internet hostname of this mail system: Default
- Local internet domain name: Default
- Local networks: Default
Dovecot / Email in General
Go to Virtualmin -> System Settings -> Server Templates Edit template section: Mail for domain
Set "Format for usernames that include domain" to username@domain
Notes on DNS Settings:
Domain must have an MX record set Example (for Google DNS): @ MX 1H domain.com
To verify email you need an SPF record (this avoids emails showing in Gmail with a ?) Create an TXT record with the value: v=spf1 mx a -all Example: @ TXT 1H v=spf1 mx a -all
Set up Backups
Set up backups for both the virtual servers, as well as the Virtualmin/Webminconfiguration files.
Go to Virtualmin -> Backup and Restore -> Scheduled Backups
Webmin can backup all configuration files also. It is in a different section.
Go to Webmin - Webmin - Backup Configuration Files - Scheduled Backups - Add a new scheduled backup
- Select all modules
- Choose your backup destination
- Destination folder/file name can contain vars if enabled in Setttings (click cog icon on main Backup Configuration Files page)
- Ensure "Webmin module configuration files" is ticked.
Backing up a database via SSH
mysqldump -u username -p database > sql.sql
Importing a database via SSH
mysql -u username -p database < sql.sql
v=spf1 mx a -all
Simple backup example:
tar cvzpf backup.tar.gz public_html/
Excluding a single sub-dir:
tar --exclude='public_html/uploads/_CGSmartImage' -cvzpf backup.tar.gz public_html/
Excluding mutliple sub-dirs:
tar --exclude='public_html/tmp' --exclude='public_html/assets/example' -cvzpf backup.tar.gz public_html/
Changing an Amazon Instance to a different type
- Make an image of the instance
- Wait until its finished
- Go to AMIs
- Choose the Image you just created
- Launch the AMI as a new instance with the desired hardware.
When it boots, go to the new Virtualmin location on the temporary public address, something like: https://ec2-12-34-56-78.eu-west-2.compute.amazonaws.com:10000
- Log in. Virtualmin will give you a warning that your systems primary IP address appears to have changed. Choose "Update incorrect IP Addresses" Ensure that "Address type to change" is set to "Real address" Ensure that "Servers to update" is set to "All servers" Click "Change Now" This process can take a while, depending on how many domains you're hosting.
Installing Ark on Centos 7.4
Create a new Virtual Site at the domain/subdomain you want: eg: ark.mydomain.com
Following commands assume username ark from
Update sysctl.conf to allow more files to be open: Source: https://www.cyberciti.biz/faq/linux-increase-the-maximum-number-of-open-files/
sudo sysctl -w fs.file-max=100000
We need to make this permanant:
sudo vi /etc/sysctl.conf
Append the following line:
fs.file-max = 100000
Save and close the file. Users need to log out and log back in again to changes take effect or just type the following command:
sudo sysctl -p
Verify your settings with command:
Now add higher hard and soft limits for the user we created:
sudo vi /etc/security/limits.conf
Add in the following entries, adjust your username as appropriate:
ark soft nofile 100000 ark hard nofile 100000
Give the user sudo priveledges via a root account:
sudo usermod -aG wheel <username>
On CentOS, if adding the user to the group does not work immediately, you may have to edit the /etc/sudoers file to uncomment the group name:
Find and ensure the following is not commented out:
%wheel ALL=(ALL) ALL
Make a directory for and obtain the steam client
mkdir steam cd steam curl -sqL "https://steamcdn-a.akamaihd.net/client/installer/steamcmd_linux.tar.gz" | tar zxvf - chmod +x ./steamcmd.sh
Open all the ports:
sudo firewall-cmd --zone=public --add-port=27015/tcp --permanent sudo firewall-cmd --zone=public --add-port=27015/udp --permanent sudo firewall-cmd --zone=public --add-port=27016/tcp --permanent sudo firewall-cmd --zone=public --add-port=27016/udp --permanent sudo firewall-cmd --zone=public --add-port=7778/tcp --permanent sudo firewall-cmd --zone=public --add-port=7778/udp --permanent sudo firewall-cmd --zone=public --add-port=32330/tcp --permanent
Run steam once to install it:
Get ark-server-tools (https://github.com/FezVrasta/ark-server-tools)
curl -sL http://git.io/vtf5N | bash -s -- --me --perform-user-install
Backing up an Ark Save:
tar xvf ../../../../public_html/ragnarok.tar.gz Ragnarok.ark Ragnarok_AntiCorruptionBackup.bak Ragnarok_NewLaunchBackup.bak *.arkprofile *.profilebak *.arktribe *.tribebak