- 论坛徽章:
- 0
|
DNS : 202.101.107.55
IP : ?
NETMASK: ?
GATEWAY: ?
-----------------------------------------------------------------------------
* 确定硬件是否兼容
* 删除没必要的用户
* 关掉SSH的DNS反向解析
查看CPU个数 : # sysctl hw.ncpu
查看开启的服务: # sockstat -4l
-----------------------------------------------------------------------------
安装与配置FreeBSD7 Create by bianyuan
-----------------------------------------------------------------------------
1 安装FreeBSD操作系统,请最小化安装即可!(理由:更简洁,更好的控制,更加的安全!)
-----------------------------------------------------------------------------
2 Reboot进入FreeBSD
* 修改/boot/defaults/loader.conf 将 #autoboot_delay="10" 将#号去掉替换10为1
* ntpdate 210.72.145.44
-----------------------------------------------------------------------------
3 安装cvsup
安装方式:还是用pkg_add -r cvsup-without-gui
-----------------------------------------------------------------------------
4 升级port和内核源代码:
FreeBSD# cp /usr/share/examples/cvsup/ports-supfile /etc
FreeBSD# cp /usr/share/examples/cvsup/stable-supfile /etc
CVSUP升级源 (中国大陆)
#default host=cvsup.cn.FreeBSD.org
或
#default host=cvsup.FreeBSDChina.org
升级ports:
FreeBSD# cvsup -g -L 2 /etc/ports-supfile
升级源代码:
FreeBSD# cvsup -g -L 2 /etc/stable-supfile
-----------------------------------------------------------------------------
到这为止你的系统还没有升级!底子是打好了!
进入/usr/src
FreeBSD# make buildworld
FreeBSD# cd /usr/src
编译内核:[删除不需要的驱动]
FreeBSD# make buildkernel KERNCONF=MYKERNEL
安装新内核:
FreeBSD# make installkernel KERNCONF=MYKERNEL
-----------------------------------------------------------------------------
reboot 进入单用户模式 # mount -a 挂载全部分区
FreeBSD# mergemaster -P
-----------------------------------------------------------------------------
FreeBSD# make installworld
FreeBSD# mergemaster
-----------------------------------------------------------------------------
6 检查服务器硬件并做记录->编译内核使用
FreeBSD# dmesg
-----------------------------------------------------------------------------
5 检查与修复档案系统
FreeBSD# fsck -y
-----------------------------------------------------------------------------
7 检查硬盘容量
FreeBSD# df -h
-----------------------------------------------------------------------------
常用套件:
/usr/ports/shells/bash
/usr/ports/editors/vim-lite
/usr/ports/security/sudo [配置/usr/local/etc/sudoers]
-----------------------------------------------------------------------------
檢查系統版本
FreeBSD# uname -a
-----------------------------------------------------------------------------
防火墙
/etc/rc.conf 添加入如:
firewall_enable="YES"
firewall_type="open"
启用日志
/etc/sysctl.conf 添加如下:
net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=5
-----------------------------------------------------------------------------
# 停掉Sendmail
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
-----------------------------------------------------------------------------
# 配置远程管理webmin
安装:
[root@FreeBSD /usr/ports/sysutils/webmin]# make install clean
配置:[更改默认端口]
注意两点:
1. 更改默认端口:修改为8888
2. 必须启用SSL
[root@FreeBSD /usr/local/lib/webmin]# ./setup.sh
开机启动
/etc/rc.conf中追加: webmin_enable="YES"
访问:
https://IP:PORT/
-----------------------------------------------------------------------------
# 配置防端口扫描套件 PortSentry
#+++++++++++++++++++++++++++++++++++++++++++
安装:
[root@FreeBSD]# cd /usr/ports/security/portsentry/
[root@FreeBSD]# make install clean
#+++++++++++++++++++++++++++++++++++++++++++
#+++++++++++++++++++++++++++++++++++++++++++
配置: 添加一些指定的需要防扫描的端口
[root@FreeBSD]# cp portsentry.conf.default portsentry.conf
找到Dropping Routes這部份,选择阻擋(block)可疑主機的方式,有二種:
1.用IPFW
2.block-hole route (若無IPFW時,用這種)
#+++++++++++++++++++++++++++++++++++++++++++
#+++++++++++++++++++++++++++++++++++++++++++
启动PortSentry:
[root@FreeBSD]# cd /usr/local/etc/rc.d
[root@FreeBSD]# ./portsentry.sh start
#+++++++++++++++++++++++++++++++++++++++++++
#+++++++++++++++++++++++++++++++++++++++++++
查看监听的端口:
[root@FreeBSD]# sockstat
#+++++++++++++++++++++++++++++++++++++++++++
#+++++++++++++++++++++++++++++++++++++++++++
查看受攻击日志:
[root@FreeBSD ~]# vi /usr/local/etc/portsentry.blocked.tcp
[root@FreeBSD ~]# vi /usr/local/etc/portsentry.blocked.udp
#+++++++++++++++++++++++++++++++++++++++++++
#+++++++++++++++++++++++++++++++++++++++++++
忽略一些IP
/usr/local/etc/portsentry.ignore
#+++++++++++++++++++++++++++++++++++++++++++
-----------------------------------------------------------------------------
流量查看软件
[root@FreeBSD ~]# whereis iftop
[root@FreeBSD ~]# cd /usr/ports/net-mgmt/iftop/
[root@FreeBSD /usr/ports/net-mgmt/iftop]# make install clean
-----------------------------------------------------------------------------
安装Apache
#+++++++++++++++++++++++++++++++++++++++++++
vi /boot/defaults/loader.conf
accf_http_load="NO" 修改成: accf_http_load="YES"
#+++++++++++++++++++++++++++++++++++++++++++
[root@FreeBSD ~]# cd /usr/ports/www/apache22
[root@FreeBSD ~]# make WITH_MPM=worker
[root@FreeBSD ~]# make install; make clean
修改httpd.conf
Include etc/apache22/extra/httpd-mpm.conf //把#去掉
修改/usr/local/etc/apache22/extra/httpd-mpm.conf
调节:mpm_worker_module里的参数
修改/etc/rc.conf追加:
apache22_enable="YES"
运行 Apache
[root@FreeBSD ~]# /usr/local/sbin/apachectl start
#+++++++++++++++++++++++++++++++++++++++++++
# ERROR1
httpd: apr_sockaddr_info_get() failed for
httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
[Wed Jun 06 18:13:13 2007] [warn] (2)No such file or directory: Failed to enable
运行:# hostname localhost
修改/etc/rc.conf 中的hostname="localhost"
-----------------------------------------------------------------------------
安装PHP
[root@FreeBSD ~]# cd /usr/ports/lang/php5
[root@FreeBSD ~]# make install clean
[root@FreeBSD ~]# cp /usr/local/etc/php.ini-recommended /usr/local/etc/php.ini
LoadModule php5_module libexec/apache/libphp5.so
没有发现libphp5.so 是因为编译php的时候没有 选择apache
[root@FreeBSD ~]# cd /usr/ports/lang/php5-extensions/
[root@FreeBSD ~]# make
[root@FreeBSD ~]# make install; make clean
重装使用:
[root@localhost ~]# make install FORCE_PKG_REGISTER="yes"
----------------------------------------------------------------------------
安装Zend Optimizer
[root@FreeBSD ~]# cd /usr/ports/devel/ZendOptimizer/
[root@FreeBSD ~]# make install clean
[Zend]
zend_optimizer.optimization_level=15
zend_extension_manager.optimizer="/usr/local/lib/php/20060613-zts/Optimizer"
zend_extension_manager.optimizer_ts="/usr/local/lib/php/20060613-zts/Optimizer_TS"
zend_extension="/usr/local/lib/php/20060613-zts/ZendExtensionManager.so"
zend_extension_ts="/usr/local/lib/php/20060613-zts/ZendExtensionManager_TS.so"
----------------------------------------------------------------------------
安装Mysql
[root@FreeBSD ~]# cd /usr/ports/databases/mysql50-server
[root@FreeBSD ~]# make WITH_CHARSET=utf8 WITH_XCHARSET=all
[root@FreeBSD ~]# make install
[root@FreeBSD ~]# make clean
[root@FreeBSD ~]# cd /usr/ports/databases/mysql50-scripts/
[root@FreeBSD ~]# make install clean;
[root@FreeBSD ~]# /usr/local/bin/mysql_install_db
启动mysql
/usr/local/bin/mysqld_safe &
或者/usr/local/etc/rc.d/mysql-server.sh start
[root@FreeBSD ~]# cp /usr/local/share/mysql/my-large.cnf /etc/my.cnf
mysql_enable="YES"
-----------------------------------------------------------------------------
安装与配置Apache防DDos攻击套件
[root@FreeBSD ~]# /usr/ports/www/mod_evasive
[root@FreeBSD ~]# make install
编辑httpd.conf 打开mod_evasive 的LoadModule
Apache 2.x
DOSHashTableSize 5000
DOSPageCount 10
DOSSiteCount 100
DOSPageInterval 2
DOSSiteInterval 2
DOSBlockingPeriod 600
参数简单说明:
DOSHashTableSize 3097 记录和存放黑名单的哈西表大小,假如服务器访问量很大,能够加大该值
DOSPageCount 5 同一个页面在同一时间内能够被统一个用户访问的次数,超过该数字就会被列为攻击,同一时间的数值能够在DosPageInterval参数中配置。
DOSSiteCount 50 同一个用户在同一个网站内能够同时打开的访问数,同一个时间的数值在DOSSiteInterval中配置。
DOSPageInterval 2 配置DOSPageCount中时间长度标准,默认值为1。
DOSSiteInterval 2 配置DOSSiteCount中时间长度标准。
DOSBlockingPeriod 10 被封时间间隔秒,这中间会收到 403 (Forbidden) 的返回。
其他可选参数:
DOSEmailNotify
lee@toplee.com
配置受到攻击时接收攻击信息提示的邮箱地址。
DOSSystemCommand “su - someuser -c ‘/sbin/… %s …’” 受到攻击时Apache运行用户执行的系统命令
DOSLogDir “/var/lock/mod_dosevasive” 攻击日志存放目录,BSD上默认是 /tmp
查看攻击记录:ls /tmp
-----------------------------------------------------------------------------
*** 时区设定:
# cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
-----------------------------------------------------------------------------
在FreeBSD下locate想要尋找某個檔案時,卻出現
locate: database too small: /var/db/locate.database訊息,可以:
运行: [root@FreeBSD ~]# /usr/libexec/locate.updatedb
-----------------------------------------------------------------------------
/usr/local/bin/mysqladmin -u root password '123456'
/usr/local/bin/mysqladmin -u root -h bsd password 'new-password'
/usr/local/bin/mysql_secure_installation
You can start the MySQL daemon with:
cd /usr/local ; /usr/local/bin/mysqld_safe &
-----------------------------------------------------------------------------
ntop流量检查
/usr/ports/net/ntop
自动启动:ntop_enable="YES" 加入/etc/rc.conf
设置密码:ntop -A
设置启动:ntop -d
-----------------------------------------------------------------------------
日志轮询
# cd /usr/ports/sysutils/cronolog/
# make install
设置apache日志部份
1.自定义日志格式
ErrorLog "|/usr/local/sbin/cronolog /var/log/httpd/%Y/%m/%d/errors.log"
CustomLog "|/usr/local/sbin/cronolog /var/log/httpd/%Y/%m/%d/access.log" combined
------------------------------------------------------------------------------
证书成生
http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz
#./new-root-ca.sh (生成根证书)
#./new-server-cert.sh server(生成server证书)
# ./sign-server-cert.sh server(签署server证书)
# 虚拟主机设置
NameVirtualHost 192.168.1.125:80
NameVirtualHost 192.168.1.125:443
ServerName mybsd
ServerAlias mybsd.com
DocumentRoot "/home/www/"
ServerName mysite
ServerAlias mysite.com
DocumentRoot "/home/www/mysite/public/"
ServerName mysite
ServerAlias mysite.com
UseCanonicalName Off
DocumentRoot "/home/www/mysite/public/"
SSLEngine on
SSLVerifyClient none
SSLCertificateFile /usr/local/etc/apache22/server.crt
SSLCertificateKeyFile /usr/local/etc/apache22/server.key
SSLRequireSSL
本文来自ChinaUnix博客,如果查看原文请点:http://blog.chinaunix.net/u/10599/showart_1769622.html |
|
免费注册
发表于 2009-01-03 04:56