For around 100 hosts to monitor use 2 cores, 2GB RAM and 40G space.

Install CentOS 7 minimal, enable NTPD, set static IP (use your internal DNS servers if wanting to resolve by internal hostnames..) and a fqdn that you will add to your DNS system later. If using multiple NICS to monitor multiple networks, add a gateway only to the NIC that can access other networks (this is typically not your management LAN or other isolated networks)

1. Reboot and perform a yum update + install vim then reboot again…

yum update && yum install vim
shutdown -r now

Create user with password

useradd sudo_username && passwd sudo_username

Add user to wheel group for sudo privileges

usermod -aG wheel sudo_username

Log out of root and into newly created account.

Disable root login over SSH

sudo vim /etc/ssh/sshd_config

Add line

PermitRootLogin no

Restart sshd

sudo systemctl restart sshd

Configure your hosts file with your fqdn

sudo vim /etc/hosts

Add something like:

10.254.157.147 zabbix.domain.com zabbix 

sudo firewall-cmd --permanent --zone=public --add-port=80/tcp
sudo firewall-cmd --permanent --zone=public --add-port=443/tcp
sudo firewall-cmd --reload
sudo systemctl daemon-reload

This will help prevent the baddies from brute forcing your SSH password…

Install epel repo, install fail2ban and enable it

sudo yum install epel-release
sudo yum install fail2ban
sudo systemctl enable fail2ban

Create a jail for sshd

sudo vim /etc/fail2ban/jail.d/sshd.local

Add as follows:

[sshd]
enabled = true
port = ssh
action = iptables-multiport
logpath = /var/log/secure
maxretry = 5
bantime = 3600

Restart fail2ban

sudo systemctl restart fail2ban

sudo yum install wget mariadb-server httpd policycoreutils-python

sudo systemctl enable mariadb
sudo systemctl start mariadb

Secure the MariaDB install

sudo mysql_secure_installation

sudo yum install epel-release
wget http://rpms.remirepo.net/enterprise/remi-release-7.rpm
sudo rpm -Uvh remi-release-7.rpm
sudo yum install yum-utils
sudo yum-config-manager --enable remi-php73
sudo yum --enablerepo=remi-php73 install php

Search for available modules

yum --enablerepo=remi-php73 search php | grep php73

Install modules

sudo yum --enablerepo=remi-php73 install php-gd php-bcmath php-ctype php-xml php-xmlreader php-xmlwriter php-session php-mysqlnd php-mbstring php-gettext php-ldap php-mysqli php-pecl-mysql

Edit php.ini to set some variables…

sudo vim /etc/php.ini

Set the following variables as such

post_max_size = 16M
max_execution_time = 300
max_input_time = 300
date.timezone = America/Los_Angeles

ofc use your own time zone…

https://www.zabbix.com/download?zabbix=4.0&os_distribution=red_hat_enterprise_linux&os_version=7&db=mysql

a. Install Zabbix repository documentation

sudo rpm -Uvh https://repo.zabbix.com/zabbix/4.0/rhel/7/x86_64/zabbix-release-4.0-1.el7.noarch.rpm
sudo yum clean all

b. Install Zabbix server, frontend, agent

sudo yum install zabbix-server-mysql zabbix-web-mysql zabbix-agent

c. Create initial database documentation

sudo mysql -uroot -p
password
create database zabbix character set utf8 collate utf8_bin;
grant all privileges on zabbix.* to zabbix@localhost identified by 'password';
quit;

Import initial schema and data. You will be prompted to enter your newly created password.

sudo zcat /usr/share/doc/zabbix-server-mysql*/create.sql.gz | mysql -u zabbix -p zabbix

d. Configure the database for Zabbix server

Edit file /etc/zabbix/zabbix_server.conf

DBPassword=password
e. Configure PHP for Zabbix frontend
Edit file /etc/httpd/conf.d/zabbix.conf, uncomment and set the right timezone for you.
# php_value date.timezone Europe/Riga
f. Start Zabbix server and agent processes

Fix SELinux permissions

https://www.zabbix.com/forum/zabbix-help/367261-selinux-and-zabbix

Start Zabbix server and agent processes and make it start at system boot:

sudo systemctl restart zabbix-server zabbix-agent httpd
sudo systemctl enable zabbix-server zabbix-agent httpd

sudo grep httpd_t /var/log/audit/audit.log | audit2allow -M httpd_custom
sudo semodule -i httpd_custom.pp
sudo systemctl restart zabbix-server zabbix-agent httpd

Now your Zabbix server is up and running!

Configure Zabbix frontend Connect to your newly installed Zabbix frontend: http://server_ip_or_name/zabbix

Go through step, the default username is Admin (case sensitive) and the password is zabbix.

Fix a systemd issue where zabbix server won't shutdown. It should be fixed in a later release as it was being discussed on 06/15/19. Note: this fix might corrupt the database during updates so change it back to TimeoutSec=0 before doing any upgrades.

Edit the systemd file

vim /etc/systemd/system/multi-user.target.wants/zabbix.server.service

Change the line to match as follows

TimeoutSec=60s

https://www.zabbix.com/documentation/4.0/manual/installation/requirements/best_practices

This section contains best practices that should be observed in order to set up Zabbix in a secure way.

The practices contained here are not required for the functioning of Zabbix. They are recommended for better security of the system.

The principle of least privilege should be used at all times for Zabbix. This principle means that user accounts (in Zabbix frontend) or process user (for Zabbix server/proxy or agent) have only those privileges that are essential to perform intended functions. In other words, user accounts at all times should run with as few privileges as possible.

<note important>Giving extra permissions to 'zabbix' user will allow it to access configuration files and execute operations that can compromise the overall security of infrastructure.</note>

When implementing the least privilege principle for user accounts, Zabbix frontend user types should be taken into account. It is important to understand that while a "Zabbix Admin" user type has less privileges than "Zabbix Super Admin" user type, it has administrative permissions that allow managing configuration and execute custom scripts.

<note>Some information is available even for non-privileged users. For example, while Administration → Scripts is not available for non-Super Admins, scripts themselves are available for retrieval by using Zabbix API. Limiting script permissions and not adding sensitive information (like access credentials, etc) should be used to avoid exposure of sensitive information available in global scripts.</note>

In the default configuration, Zabbix server and Zabbix agent processes share one 'zabbix' user. If you wish to make sure that the agent cannot access sensitive details in server configuration (e.g. database login information), the agent should be run as a different user:

1. Create a secure user
2. Specify this user in the agent configuration file ('User' parameter)
3. Restart the agent with administrator privileges. Privileges will be dropped to the specified user.

UTF-8 is the only encoding supported by Zabbix. It is known to work without any security flaws. Users should be aware that there are known security issues if using some of the other encodings.

On RHEL/Centos, install mod_ssl package:

yum install mod_ssl

Create directory for SSL keys:

mkdir -p /etc/httpd/ssl/private
chmod 700 /etc/httpd/ssl/private

Create SSL certificate:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/httpd/ssl/private/apache-selfsigned.key -out /etc/httpd/ssl/apache-selfsigned.crt

Fill out the prompts appropriately. The most important line is the one that requests the Common Name. You need to enter the domain name that you want to be associated with your server. You can enter the public IP address instead if you do not have a domain name. We will use example.com in this article.

Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:example.com
Email Address []:

Edit Apache SSL configuration:

/etc/httpd/conf.d/ssl.conf

DocumentRoot "/usr/share/zabbix"
ServerName example.com:443
SSLCertificateFile /etc/httpd/ssl/apache-selfsigned.crt
SSLCertificateKeyFile /etc/httpd/ssl/private/apache-selfsigned.key

Restart the Apache service to apply the changes:

systemctl restart httpd.service

Add a virtual host to Apache configuration and set permanent redirect for document root to Zabbix SSL URL. Do not forget to replace example.com with the actual name of the server.

/etc/httpd/conf/httpd.conf

#Add lines

<VirtualHost *:*>
    ServerName example.com
    Redirect permanent / http://example.com
</VirtualHost>

Restart the Apache service to apply the changes:

systemctl restart httpd.service

HSTS is enforced by Zabbix frontend in versions 4.0.0 - 4.0.2.

Starting with 4.0.3 to protect Zabbix frontend against protocol downgrade attacks, we recommend to enable HSTS policy on webserver.

For example, to enable HSTS policy for your Zabbix frontend in Apache configuration:

/etc/httpd/conf/httpd.conf

add the following directive to your virtual host's configuration:

<VirtualHost *:443>
   Header set Strict-Transport-Security "max-age=31536000"
</VirtualHost>

Restart the Apache service to apply the changes:

systemctl restart httpd.service

It is recommended to disable all web server signatures as part of the web server hardening process. The web server is exposing software signature by default:

The signature can be disabled by adding two lines to the Apache (used as an example) configuration file:

ServerSignature Off
ServerTokens Prod

PHP signature (X-Powered-By HTTP header) can be disabled by changing the php.ini configuration file (signature is disabled by default):

expose_php = Off

Web server restart is required for configuration file changes to be applied.

Additional security level can be achieved by using the mod_security (package libapache2-mod-security2) with Apache. mod_security allows to remove server signature instead of only removing version from server signature. Signature can be altered to any value by changing “SecServerSignature” to any desired value after installing mod_security.

Please refer to documentation of your web server to find help on how to remove/change software signatures.

It is recommended to disable default error pages to avoid information exposure. Web server is using built-in error pages by default:

Default error pages should be replaced/removed as part of the web server hardening process. The “ErrorDocument” directive can be used to define a custom error page/text for Apache web server (used as an example).

Please refer to documentation of your web server to find help on how to replace/remove default error pages.

It is recommended to remove the web server test page to avoid information exposure. By default, web server webroot contains a test page called index.html (Apache2 on Ubuntu is used as an example):

The test page should be removed or should be made unavailable as part of the web server hardening process.