Setup Secure FTP server on CentOS

Setup SFTP Server

When finished you’ll have a SFTP server setup that is configured so the users are in a chroot environment, and can not ssh, or telnet to the server.

Install SSH server if it is not already

yum install openssh-server openssh-client

Create group that is limited to sftp so they can’t ssh, scp etc.

groupadd sftpusers

Add chroot settings to /etc/ssh/sshd_config.  The %u is a variable, which is the users username.

Match Group sftpusers
ChrootDirectory /sftp/%u
ForceCommand internal-sftp

Make ftp directory

mkdir /sftp

Add SFTP user

useradd -g sftpusers -d /sftp -s /sbin/nologin newsftpuser

Create password for new user

passwd newsftpuser

Create directory for user

mkdir /sftp/newsftpuser

Create directory to put ftp files

mkdir /ftp/newsftpuser/files

Change permissions

chown newsftpuser:sftpusers /ftp/newsftpuser/files/

Restart sshd

systemctl restart sshd

Should be good to go.  Test it by logging in with your favorite FTP client.

Add Self Signed SSL certificate to LibreNMS in CentOS

Install mod_ssl

yum install mod_ssl -y

Create Directory for SSL key.

mkdir /etc/ssl/key
chmod 700 /etc/ssl/key

Create certificate.

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/key/localhost.key -out /etc/ssl/certs/localhost.crt

Fill out the info or what is applicable.

Now edit the LibreNMS Apache config file /etc/httpd/conf.d/librenms.conf

All you have to do is add the following three lines under the VirtualHost and change *:80 to *:443.

SSLEngine on
SSLCertificateFile /etc/ssl/certs/localhost.crt
SSL CertificateKeyFile /etc/ssl/key/localhost.key

So when your finished the file should look like this.

<VirtualHost *:443>
 DocumentRoot /opt/librenms/html/
 ServerName server_hostname_or_IP
 SSLEngine on
 SSLCertificateFile /etc/ssl/certs/localhost.crt
 SSLCertificateKeyFile /etc/ssl/key/localhost.key
 CustomLog /opt/librenms/logs/access_log combined
 ErrorLog /opt/librenms/logs/error_log
 AllowEncodedSlashes NoDecode
 <Directory "/opt/librenms/html/">
 Require all granted
 AllowOverride All
 Options FollowSymLinks MultiViews

Don’t forget to allow https/port 443 traffic through the firewall.  Guide here

If you have any issues, you may need to chmod the key and crt file.

chmod 644 /etc/ssl/certs/localhost.crt
chmod 644 /etc/ssl/key/localhost.key

You should now be able to access LibreNMS using https.  Note, you’ll need to allow an exception in your browser for your self signed certificate.


Install SSH Server on Linux (Debian, Ubuntu, Fedora, CentOS, RedHat)

Debian / Ubuntu

sudo apt-get install -y openssh-server

RPM based Distros, Fedora / CentOS / RedHat

sudo dnf install -y openssh-server

or use yum

sudo yum install -y openssh-server

Start ssh service

sudo systemctl start sshd

By default the SSH service should start when the system starts, but if not try the following command to enable the service on boot up.

Debian / Ubuntu

systemctl enable ssh

Fedora, CentOS, RedHat

systemctl enable ssh

Change SSH port

Not necessary, but it is a good idea to change the default ssh port.  To change the port edit the sshd file.

vi /etc/ssh/sshd_config

Moving emails to new host with imapsync

More info about imapsync here

Install imapsync

CentOS 7, Works on cPanel servers too

yum install epel-release && yum install imapsync

Once installed check and make sure it works.

imapsync --version

If it gives you the version number you should be good to go.

Move email account

imapsync --host1 --user1 --password1  "password1" --host2 --user2 --password2  "password2"

Example :

imapsync --host1 --user1 --password1  "password1" --host2 --user2 --password2  "password2"

Moving Multiple accounts

Best way to move multiple accounts is to use a script and and a list that contains all the usernames and passwords to the accounts you want to move.

example scripts can be found on the imapsync website here is a script example and here is the example file.txt

Example script.

# $Id:,v 1.6 2015/11/04 18:23:04 gilles Exp gilles $

# Example for imapsync massive migration on Unix systems.
# See also
# Data is supposed to be in file.txt in the following format:
# host001_1;user001_1;password001_1;host001_2;user001_2;password001_2;
# ...
# Separator is character semi-colon ";" it can be changed by any character changing IFS=';' 
# in the while loop below.
# # Each line contains 6 columns, columns are parameter values for 
# --host1 --user1 --password1 --host2 --user2 --password2
# and a trailing empty fake column to avaid CR LF part going 
# in the 6th parameter password2. Don't forget the last semicolon.
# You can add extra options after the variable "$@" 
# Use character backslash \ at the end of each suplementary line, except for the last one.
# You can also pass extra options via the parameters of this script since
# they will be in "$@"

# The credentials filename "file.txt" used for the loop can be renamed 
# by changing "file.txt" below.

echo Looping on account credentials found in file.txt

{ while IFS=';' read  h1 u1 p1 h2 u2 p2 fake
        { echo "$h1" | egrep "^#" ; } > /dev/null && continue # this skip commented lines in file.txt
        echo "==== Starting imapsync from host1 $h1 user1 $u1 to host2 $h2 user2 $u2 ===="
        imapsync --host1 "$h1" --user1 "$u1" --password1 "$p1" \
                 --host2 "$h2" --user2 "$u2" --password2 "$p2" \
        echo "==== Ended imapsync from host1 $h1 user1 $u1 to host2 $h2 user2 $u2 ===="
} < file.txt

Example list of accounts to;;password1;;;password2;


How to use,

You can run these command from a Linux computer

Download script


Make the script executable

chmod +x

Create a text file named “imapsync_list.txt”

This file will contain the mail server to transfer from, username, and password, and then the mail server to transfer to, username and password.  Add one line per account.


Execute the script to start moving mail



In the username you may need to use the username@domainname.tld, so if the username is bob, and the mail domain is, use for the username in the imapsync_list.txt.

Setting up SNMP V3 on CentOS

Install SNMP.

yum install net-snmp net-snmp-utils

Configure the SNMP V3 user by running the following command and then following the prompts it gives you.


Example: The username is “snmpadmin” and the password is”r123456″

[root@localhost ~]# net-snmp-create-v3-user
Enter a SNMPv3 user name to create:
Enter authentication pass-phrase:
Enter encryption pass-phrase:
  [press return to reuse the authentication pass-phrase]

adding the following line to /var/lib/net-snmp/snmpd.conf:
   createUser snmpadmin MD5 "r123456" DES
adding the following line to /etc/snmp/snmpd.conf:
   rwuser snmpadmin
[root@localhost ~]#


Start snmpd service

service snmpd start

configure snmp to start on system boot.

chkconfig snmpd on


Test and make sure snmp is working

replace “password” and “username” with the ones you setup when you created the SNMP V3 user.

snmpwalk -v 3 -a MD5 -A password -l authNoPriv -u username localhost

If you receive something like “snmpwalk: Timeout” then something is not working correctly.  Check to make sure the service is started, and make sure that your firewall is not blocking SNMP.

If you are running a firewall, run the following commands to allow it through.

firewall-cmd --zone=public --add-port=161/udp --permanent
semanage port -a -t snmp_port_t -p udp 161
firewall-cmd --reload

On iptables you should be able to do

 iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 161 -j ACCEPT

or add it to /etc/sysconfig/iptables and then restart iptables

Set up Minecraft Server on CentOS 6

Update system

yum update -y

Install Java and wget

yum install -y java wget

Allow Minecraft port through the firewall

Insert the following line in your iptables config file, found in “/etc/sysconfig/iptables”

-A INPUT -m state --state NEW -m tcp -p tcp --dport 25565 -j ACCEPT


vi /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
 # Manual customization of this file is not recommended.
 -A INPUT -p icmp -j ACCEPT
 -A INPUT -i lo -j ACCEPT
 -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
 -A INPUT -m state --state NEW -m tcp -p tcp --dport 25565 -j ACCEPT <--- Added Rule
 -A INPUT -j REJECT --reject-with icmp-host-prohibited
 -A FORWARD -j REJECT --reject-with icmp-host-prohibited
"/etc/sysconfig/iptables" 14L, 544C written
 [root@localhost ~]# service iptables restart
 iptables: Setting chains to policy ACCEPT: filter [ OK ]
 iptables: Flushing firewall rules: [ OK ]
 iptables: Unloading modules: [ OK ]
 iptables: Applying firewall rules: [ OK ]
 [root@localhost ~]#


Setup your network.

you will need to edit the network config file in “/etc/sysconfig/network-scripts/ifcfg-eth0”


If your using DHCP then just change “ONBOOT=no” to “ONBOOT=yes”


If you need a static address, then change “ONBOOT=no” to “ONBOOT=yes” and change “BOOTPROTO=dhcp” to “BOOTPROTO=static”

add the following to “/etc/sysconfig/network-scripts/ifcfg-eth0”



Start Minecraft server on system boot

Create user

useradd -m steve

Create password for steve

passwd steve

Login as your new user.

su steve

Go to user root directory

cd ~/

Download the minecraft server jar


Create a directory for the start up script and create start up script.

mkdir /home/steve/mc
touch /home/steve/mc/

Copy and paste the following text into

#! /bin/sh
# /etc/init.d/mcserver

# Minecraft CraftBukkit Start script

case "$1" in
    echo "Starting mcserver"
    cd "$MCDIR"
    java -Xmx512M -jar minecraft_server.1.8.7.jar -o true &
    echo "Stopping mcserver"
    kill `pgrep mcserver`
    echo "Usage: /etc/init.d/mcserver {start|stop}"
    exit 1
exit 0

Make the script executable

chmod +x /home/steve/mc/

Add to the crontab

Access the crontab by running the following command

crontab -e

Add the following to the crontab.

@reboot /home/steve/mc/ start

Start the server.

/home/steve/mc/ start

Note: Starting the server will fail because you need to agree to the end user license agreement.

Agree to the eula

sed -i s/false/true/g eula.txt

Reboot the server and connect to your new Minecraft server.

How To change the Hostname in CentOS 7

Check current hostname with the hostname command.


Change hostname with hostnamectl

hostnamectl set-hostname newhostname



Changing hostname from “localhost” to “newhost”.

[root@localhost ~]# hostname
[root@localhost ~]# hostnamectl set-hostname newhost
[root@localhost ~]# hostname
[root@localhost ~]# 



How to Install Zenoss 5 on CentOS 7


  1. This is not a comprehensive guide, if you need more info, refer to the installation manual here.
  2. This assumes that all your partitions are going to be on one drive

Installing CentOS 7

Note: If you have issues installing CentOS via the default install interface, try using the Fallback graphics mode, found in the Grub boot menu under “trubbleshooting”.

Install CentOS like you normally would, just be sure to leave at least 60GB of free space for Docker/Zenoss


You can Select Automatic Partitioning, but you will need to make additional space available.  I just configured it manually.3

 Note that I have about 75GB of free space, this will be used for “/var/lib/docker” and “/opt/serviced/var/volumes”.  We’ll set these up later on.1

You don’t necessarily need to setup a user, but you can if you want to.  4

Once your finished reboot and login.5


Configuring CentOS for Zenoss

Setup network

You will need to setup your network settings.  Refer to this post to set a static IP address if needed.


Note: In CentOS 7 ifconfig is not installed by default.  If you need to check the IP address use the following command.

ip addr sh

After your connected to the internet you can install ifconfig with

yum install -y net-tools

Setup Hostname

Zenoss seems to have issues if you change the hostname after it is installed so be sure to set up the hostname before you start installing zenoss.

Check current hostname


Change the hostname.  Replace “newhostname” with your new hostname.

hostnamectl set-hostname newhostname

After you finish configuring the hostname, add it to “/etc/hosts” with the following command.  Change the IP address and the hostname “zenoss” to your systems IP address and hostname.

echo "   zenoss" >> /etc/hosts

Update your system

yum update -y

Disable Firewall

systemctl stop firewalld && systemctl disable firewalld

Enable persistent log storage

mkdir -p /var/log/journal && systemctl restart systemd-journald

Create two Btrfs file systems

First create two normal linux partitions using your favorite disk utility.  I am using cfdisk.  Each partition should be over 30GB.

cfdisk /dev/sda


Create two Primary partitions and put them at the end and then write and exit.


Take note of the two new partitions names.  Mine are “sda4” and “sda3”.

After the above changes are made, it would be a good idea to reboot the machine so the partition table can be updated.


Now we will reformat the two partitions as Btrfs

Create mount point.

mkdir -p /var/lib/docker /opt/serviced/var/volumes

Change “/dev/sda3” and “/dev/sda4” to your partitions names if they are different.

mkfs -t btrfs --nodiscard $DOCKER_PART
mkfs -t btrfs --nodiscard $APP_PART

Add the new file systems to fstab, so they automatically mount on boot.

echo "$DOCKER_PART /var/lib/docker btrfs rw,noatime,nodatacow 0 0" >> /etc/fstab
echo "$APP_PART $APP_PATH btrfs rw,noatime,nodatacow 0 0" >> /etc/fstab

Mount the new filesystems, and make sure that they mounted

mount -a
if [[ `mount | egrep 'docker|serviced'` ]]; then echo "Mounted" ; else echo "Not Mounted" ; fi

You can manually check by running the following command.

mount | egrep 'docker|serviced'

you should receive something like the following

/dev/sda3 on /var/lib/docker type btrfs (rw,noatime,seclabel,nodatasum,nodatacow,space_cache)
/dev/sda4 on /opt/serviced/var/volumes type btrfs (rw,noatime,seclabel,nodatasum,nodatacow,space_cache)

Disable SELinux

By default SELinux is installed and enabled.  To disable SELinux either edit the config file “/etc/selinux/config” and change “SELINUX=enforcing” to “SELINUX=disabled”, or you can run the following command.

EXT=$(date +"%j-%H%M%S")
sudo sed -i.${EXT} -e 's/^SELINUX=.*/SELINUX=disabled/g' \
/etc/selinux/config && \
grep '^SELINUX=' /etc/selinux/config

Enable Dnsmasq

systemctl enable dnsmasq && systemctl start dnsmasq

Install and Configure NTP

yum install -y ntp && systemctl enable ntpd

Have NTP start on system boot and then start NTP

echo "systemctl start ntpd" >> /etc/rc.d/rc.local
chmod +x /etc/rc.d/rc.local
systemctl start ntpd

Download and install the Zenoss repository

rpm -ivh
yum clean all

Final Reboot



Installing Zenoss


Once your logged back into the system start installing zenoss

Install the Zenoss-core service and start docker

yum --enablerepo=zenoss-stable install -y zenoss-core-service
systemctl start docker

Add the Btrfs and DNS flags to the Docker startup options

Identify ip for docker

ip addr | grep -A 2 'docker0:' | grep inet

Add the docker startup options.  Change the ip address if needed.  It should match the one from the previous command.

echo 'DOCKER_OPTS="-s btrfs --dns="' >> /etc/sysconfig/docker

Change the volume type for application data

You can manually edit the serviced file “/etc/default/serviced” and change the variable “SERVICED_FS_TYPE” from “rsync” to “btrfs” or run the following command.

EXT=$(date +"%j-%H%M%S")
 sudo sed -i.${EXT} \
 -e 's|^#[^S]*\(SERVICED_FS_TYPE=\).*$|\1btrfs|' \

Restart docker

systemctl stop docker && systemctl start docker

Start the control center

systemctl start serviced

you can monitor the process with

journalctl -u serviced -f

Serviced has about 5-10 minutes worth of work to do before you’ll be able to login to the Control Center interface.  If the service fails to start, reboot the server.

Setting up name resolution

To setup name resolution on you local computer just add the following line to your “hosts” file.  On Linux and OS X this is located in “/etc/hosts” On Windows machines it is under “\Windows\Sytem32\Drivers\etc\hosts” hostname zenoss5.hostname hbase.hostname opentsdb.hostname rabbitmq.hostname

Be sure to change the IP address and “hostname”  to the IP address and hostname of your server.  You also might need administrative privileges to edit the hosts file.


Logging into the Control Center.

Now open up a web browser and go the following URL.  Change the IP address to your servers IP.

Login with the Zenoss server root username and password.  If you want to setup a user other then root, please refer to the Zenoss Installation guide here.


Change the hostname to your Zenoss server hostname12

Select the check boxes in the next two steps.13 14

Give it a deployment id and deploy it.15 16

Once it is deployed Make sure that it is started.  Once it finishes go log into Zenoss.  It can take awhile for Zenoss to start up, depending on your hardware, so be patient.

The Direct URL for Zenoss is




How to Install Nagios 4.0.8 on CentOS 6.5

Install the prerequisite packages

yum install gd gd-devel httpd php gcc glibc glibc-common make perl wget

If you want to monitor SNMP you should install net-snmp now

yum install net-snmp net-snmp-utils
service snmpd start
chkconfig snmpd on

Create the Nagios user.

useradd -m nagios
passwd nagios
groupadd nagcmd
usermod -a -G nagcmd nagios
usermod -a -G nagcmd apache

Create a directory to download and build Nagios from

mkdir /root/nagios
cd /root/nagios

Download Nagios and the Nagios plugins


Extract the Nagios zip

tar xvzf nagios-4.0.8.tar.gz
cd nagios-4.0.8

Compile and make it

make all
make install
make install-init
make install-commandmode
make install-config
make install-webconf

Create a password so you can login to the web interface

htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin

Enable Nagios on startup

 chkconfig nagios on

Start the service

service nagios start

Install the plugins.

cd ..
tar xvzf nagios-plugins-2.0.2.tar.gz
cd nagios-plugins-2.0.2
make install

Start apache and make sure it starts on boot.

service httpd start
chkconfig httpd on

You should now be able to access Nagios by going to https://nagiosserverip/nagios

If you run into issues check your firewall and make sure SELinux is disabled.