tar xzvf nginx-0.7.51.tar.gz
cd nginx-0.7.51
vi src/core/nginx.h
#ifndef _NGINX_H_INCLUDED_
#define _NGINX_H_INCLUDED_
/*
 * Edited src/core/nginx.h from the nginx-0.7.51 tarball (step 14 on this
 * page, "disguise nginx"): the product/version strings are replaced so the
 * server announces itself as "Microsoft-IIS/6.0" instead of nginx/0.7.51.
 * This only changes the banner; the code (and any weaknesses) of 0.7.51 is
 * unchanged, and other fingerprints (header order, error pages) still differ
 * from IIS, so treat it as cosmetic rather than a protection.
 */
/*
 * NOTE(review): third-party modules commonly gate code paths on
 * nginx_version (e.g. "#if nginx_version >= ..."); a value of 0 makes every
 * such test fail. Confirm the modules built in by the configure line
 * (stub_status, ssl) still behave as expected, or keep the real 007051 here
 * and change only the strings below.
 */
#define nginx_version 000000
#define NGINX_VERSION "6.0"
/* NGINX_VER is the full product/version string nginx emits (Server header). */
#define NGINX_VER "Microsoft-IIS/" NGINX_VERSION
/* NGINX_VAR: name of the environment variable nginx uses to hand listening
 * sockets to a new binary on upgrade — presumably harmless to rename, but
 * untested on this page; confirm binary upgrade still works. */
#define NGINX_VAR "Microsoft-IIS"
#define NGX_OLDPID_EXT ".oldbin"
#endif
./configure --prefix=/yp-lnmp/nginx --user=ypweb --group=ypweb --with-http_stub_status_module --with-http_ssl_module
make
make install
cd ../
mv /yp-lnmp/nginx/conf/nginx.conf /yp-lnmp/nginx/conf/nginx.conf.bak
vi /yp-lnmp/nginx/conf/nginx.conf
# Main nginx configuration written to /yp-lnmp/nginx/conf/nginx.conf (the
# stock file was moved aside to nginx.conf.bak first). Two name-based virtual
# hosts on port 80, both handing PHP to the same php-fpm at 127.0.0.1:9000.
user ypweb ypweb;
worker_processes 8;
# Only crit-level entries are written; upstream/fastcgi connection failures
# are logged at "error" level and will be missing here — raise to "error"
# when troubleshooting or when this log is used for detection.
error_log logs/nginx_error.log crit;
pid /yp-lnmp/nginx/nginx.pid;
#Specifies the value for maximum file descriptors that can be opened by this process.
worker_rlimit_nofile 51200;
events
{
use epoll;
worker_connections 51200;
}
http
{
include mime.types;
default_type application/octet-stream;
#charset gb2312;
server_names_hash_bucket_size 128;
client_header_buffer_size 32k;
large_client_header_buffers 4 32k;
# Upper bound on request bodies (uploads); larger requests are answered 413.
client_max_body_size 8m;
sendfile on;
tcp_nopush on;
keepalive_timeout 60;
tcp_nodelay on;
# 300 s fastcgi timeouts: a slow or hung PHP request holds its nginx
# connection for up to five minutes.
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
fastcgi_buffer_size 64k;
fastcgi_buffers 4 64k;
fastcgi_busy_buffers_size 128k;
fastcgi_temp_file_write_size 128k;
gzip on;
gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_http_version 1.0;
gzip_comp_level 2;
gzip_types text/plain application/x-javascript text/css application/xml;
gzip_vary on;
# Per-client connection zone, disabled; the matching limit_conn in the first
# server block is commented out as well.
#limit_zone crawler $binary_remote_addr 10m;
# NOTE(review): log_format is accepted only at http level; nginx rejects it
# inside server{} ("directive is not allowed here"), so the two log_format
# definitions below (panlei_access, jerry_access) belong here, above the
# server blocks — check with `nginx -t`.
# The first server block is the default for port 80: requests whose Host
# matches neither server_name (including requests made by IP) land on it.
server
{
listen 80;
server_name www.panlei.com;
index index.html index.htm index.php;
root /htdocs/phpBB;
#limit_conn crawler 20;
# NOTE(review): the trailing "?" makes the extension optional, so this regex
# also matches any URI that ends in a bare "." and passes it to php-fpm; and
# since the first matching regex location wins, it takes precedence over the
# (js|css)? location below for such URIs. "location ~ \.(php|php5)$" limits
# PHP handling to real .php/.php5 URIs. How php-fpm resolves the script path
# from such a URI depends on fcgi.conf and PHP's cgi.fix_pathinfo, neither
# shown on this page.
location ~ .*\.(php|php5)?$
{
#fastcgi_pass unix:/tmp/php-cgi.sock;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include fcgi.conf;
}
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{
expires 30d;
}
# Same optional-extension "?" as the PHP location above.
location ~ .*\.(js|css)?$
{
expires 1h;
}
log_format panlei_access '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" $http_x_forwarded_for';
access_log logs/panlei_access.log panlei_access;
}
server
{
listen 80;
server_name www.jerry.com;
index index.html index.htm index.php;
root /htdocs/Discuz;
# Same PHP location as the first host (same "?" caveat); this host has no
# static-file expires locations.
location ~ .*\.(php|php5)?$
{
#fastcgi_pass unix:/tmp/php-cgi.sock;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include fcgi.conf;
}
log_format jerry_access '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" $http_x_forwarded_for';
access_log logs/jerry_access.log jerry_access;
}
}
vi /yp-lnmp/nginx/conf/fcgi.conf
ulimit -SHn 51200
/yp-lnmp/nginx/sbin/nginx
/yp-lnmp/nginx/sbin/nginx -t
热启动
kill -HUP `cat /yp-lnmp/nginx/nginx.pid `
vi /etc/rc.local
/yp-lnmp/mysql/bin/mysqld_safe --defaults-file=/yp-lnmp/mysql/my.cnf --user=ypdb &
ulimit -SHn 51200
/yp-lnmp/php/sbin/php-fpm start
/yp-lnmp/nginx/sbin/nginx
系统安全
一.设置selinux
setup
Security Level: (*) Enabled ( ) Disabled
SELinux: Enforcing 选择
Permissive
Disabled
Customize
WWW (HTTP)
Other ports 43210:tcp
二.关闭不需要服务
chkconfig --del ip6tables
chkconfig --del netfs
三.注释掉不需要的用户和组
vi /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
#adm:x:3:4:adm:/var/adm:/sbin/nologin
#lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
#sync:x:5:0:sync:/sbin:/bin/sync
#shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
#halt:x:7:0:halt:/sbin:/sbin/halt
#mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
#news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
#operator:x:11:0:operator:/root:/sbin/nologin
#games:x:12:100:games:/usr/games:/sbin/nologin
#gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
#ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
#nobody:x:99:99:Nobody:/:/sbin/nologin
#vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
#nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
#ldap:x:55:55:LDAP User:/var/lib/ldap:/bin/false
ypdb:x:500:500::/:/sbin/nologin
ypweb:x:501:501::/:/sbin/nologin
vi /etc/group
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
#sys:x:3:root,bin,adm
#adm:x:4:root,adm,daemon
#tty:x:5:
disk:x:6:root
lp:x:7:daemon,lp
#mem:x:8:
#kmem:x:9:
wheel:x:10:root,jerry
mail:x:12:mail
#news:x:13:news
uucp:x:14:uucp
#man:x:15:
#games:x:20:
#gopher:x:30:
#dip:x:40:
#ftp:x:50:
#lock:x:54:
#nobody:x:99:
users:x:100:
utmp:x:22:
floppy:x:19:
#vcsa:x:69:
sshd:x:74:
dbus:x:81:
haldaemon:x:68:
#nscd:x:28:
#ldap:x:55:
ypdb:x:500:
ypweb:x:501:
四.给关键文件加上不可修改、不可删除属性;需要更改时先用 chattr -i 去掉
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
chattr +i /etc/services
chattr +i /etc/inittab
五.Ctrl alt del重启注释掉
vi /etc/inittab
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
六、改变服务的权限
chmod -R 700 /etc/rc.d/init.d/*
七.只允许wheel组用户su
vi /etc/pam.d/su
auth required pam_wheel.so use_uid
usermod -G 10 jerry
八.登陆消息删除
rm -rf /etc/issue
rm -rf /etc/issue.net
touch /etc/issue
touch /etc/issue.net
九.防止IP欺骗
vi /etc/host.conf
order bind,hosts
multi on
nospoof on
十.ttl基数伪装
vi /etc/rc.local
echo 128 > /proc/sys/net/ipv4/ip_default_ttl
十一.防止dos攻击,限制用户使用的内存和进程
vi /etc/security/limits.conf
# /etc/security/limits.conf entries: <domain> <type> <item> <value>
# NOTE(review): the three lines below have no domain field (e.g. "*" for all
# users or "ypweb" for one), so pam_limits cannot parse them as written; the
# intended form is probably "* hard core 0" etc. — confirm.
# NOTE(review): the explanation under this section says nproc 50 / 5 MB, but
# the values here are nproc 20 and rss 5000 (KiB). RLIMIT_RSS is not enforced
# by Linux 2.6+ kernels, so the memory cap has no effect; "hard core 0"
# (no core dumps) is the part that actually applies.
hard core 0
hard rss 5000
hard nproc 20
vi /etc/pam.d/login
session required /lib/security/pam_limits.so
上面的命令禁止调试文件,限制进程数为50并且限制内存使用为5MB
十二.mysql安全
vi /yp-lnmp/mysql/my.cnf
[mysqld]
bind-address = 127.0.0.1
/yp-lnmp/mysql/bin/mysql
mysql>SET PASSWORD FOR root@localhost=PASSWORD('复杂密码');
mysql>use mysql;
mysql>update user set user="新管理员用户名" where user="root";
mysql>select Host,User,Password,Select_priv,Grant_priv from user;
mysql>delete from user where user='';
mysql>delete from user where password='';
mysql>delete from user where host='%';
mysql>drop database test;
mysql>flush privileges;
mysql>quit;
十三.ssh服务安全
vi /etc/ssh/sshd_config
Port 43210
PermitRootLogin no
十四.伪装nginx,已经在安装第七步修改过了
iptables配置
iptables -F
iptables -X RH-Firewall-1-INPUT
#iptables -A INPUT -p tcp --sport 12000 -j DROP
--limit 1/s:把新建(SYN)连接的速率限制为每秒 1 次(用于下面 80 端口那条规则);超出速率的 SYN 不匹配该规则,会落到 INPUT 链的 DROP 默认策略,公网站点请按实际流量调整
iptables -A INPUT -s 124.115.16.121 -j ACCEPT
游戏服务器连接
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
ftp服务器
iptables -A INPUT -p tcp --syn -m limit --limit 1/s --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 43210 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
rm -rf /etc/sysconfig/iptables.save
service iptables save
sysctl文件设置
# 队列长度
net.ipv4.tcp_max_syn_backlog = 4096
# 打开syncookies
net.ipv4.tcp_syncookies = 1
# syn重试次数
net.ipv4.tcp_synack_retries = 2
# syn重试次数
net.ipv4.tcp_syn_retries = 2
提高tcp连接能力(注意:tcp_rmem/tcp_wmem 各取三个值 min default max,只写一个值时只设置 min)
net.ipv4.tcp_rmem = 32768
net.ipv4.tcp_wmem = 32768
net.ipv4.tcp_sack = 0
nginx日志备份
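#!/bin/bash
# Daily nginx log rotation: move yesterday-dated copies of the access/error
# logs into <LOG_PATH>/YYYY/MM/, ask nginx to reopen its logs (USR1), then
# pack the moved logs into one tarball and delete the loose copies.
#
# Meant to run once a day from cron shortly after midnight, so the files being
# moved are yesterday's. The date is computed once; the original called date
# for every expansion, so a run straddling midnight could mix two dates.
set -euo pipefail

LOG_PATH="/yp-lnmp/nginx/logs/"
PID_FILE="/yp-lnmp/nginx/nginx.pid"
LOG_NAME1="panlei"
LOG_NAME2="jerry"
# No "mgr" server block exists in the nginx.conf on this page; a missing log
# file is simply skipped below.
LOG_NAME3="mgr"

YEAR=$(date -d "yesterday" +"%Y")
MONTH=$(date -d "yesterday" +"%m")
STAMP=$(date -d "yesterday" +"%Y%m%d")
ARCHIVE_DIR="${LOG_PATH}${YEAR}/${MONTH}/"

mkdir -p -- "$ARCHIVE_DIR"

# Move each log that exists to <name>_<STAMP>.log in the archive directory.
for name in "${LOG_NAME1}_access" "${LOG_NAME2}_access" "${LOG_NAME3}_access" "nginx_error"; do
  src="${LOG_PATH}${name}.log"
  if [[ -f "$src" ]]; then
    mv -- "$src" "${ARCHIVE_DIR}${name}_${STAMP}.log"
  fi
done

# USR1 makes nginx reopen its log files, so new entries go to fresh files at
# the original paths; without it nginx keeps writing to the moved inodes.
if [[ -r "$PID_FILE" ]]; then
  kill -USR1 "$(cat -- "$PID_FILE")"
else
  printf 'warning: %s not readable; nginx was not told to reopen its logs\n' "$PID_FILE" >&2
fi

cd -- "$ARCHIVE_DIR"
shopt -s nullglob
logs=( *.log )
if (( ${#logs[@]} > 0 )); then
  # The loose .log files are deleted only after tar succeeded (set -e aborts
  # before the rm otherwise); the original removed them unconditionally.
  tar zcf "${STAMP}.tar.gz" -- "${logs[@]}"
  rm -f -- "${logs[@]}"
fi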
mysql增量备份nlog_backup_db.sh
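#!/bin/bash
# Incremental MySQL backup (nlog_backup_db.sh): rotate the binary log, turn
# every binlog except the one now being written into SQL with mysqlbinlog,
# pack the SQL files into <weekday>.tar.gz under BACKDIR and trim
# mysql-bin.index down to the current log.
#
# The tarball is named after the weekday (%A), so each run replaces the
# archive from exactly one week earlier — that is the page's scheme and is
# kept here. mysqladmin needs credentials; the page does not show where they
# come from (presumably an option file) — confirm before scheduling.
set -euo pipefail
# Binlogs are the database's writes in clear; keep the SQL files and the
# tarball readable by this user only.
umask 077

DATADIR="/yp-lnmp/mysql/data/"
BACKDIR="/opt/backup/"
TIME=$(date -d today +%A)

# Close the current binlog and open a new one, so every index entry except
# the last is complete and safe to move away.
/yp-lnmp/mysql/bin/mysqladmin flush-logs

cd -- "$DATADIR"

# One index entry per line (paths relative to the data dir); blank lines are
# skipped so they cannot be mistaken for the "current" log.
binlogs=()
while IFS= read -r entry || [[ -n "$entry" ]]; do
  if [[ -n "$entry" ]]; then
    binlogs+=("$entry")
  fi
done < mysql-bin.index
total=${#binlogs[@]}
if (( total == 0 )); then
  printf 'mysql-bin.index is empty; nothing to back up\n' >&2
  exit 1
fi

num=0
for entry in "${binlogs[@]}"; do
  num=$((num + 1))
  base=${entry##*/}
  if (( num == total )); then
    # The newest log is still open by mysqld; leave it in place.
    echo "backup done"
    continue
  fi
  mv -- "$base" "$BACKDIR"
  echo "$base"
  # Under set -e a failing mysqlbinlog aborts the script before the binlog is
  # deleted, so a bad conversion never destroys the only copy (the original
  # removed it regardless of the exit status).
  /yp-lnmp/mysql/bin/mysqlbinlog "${BACKDIR}${base}" > "${BACKDIR}${base}.sql"
  rm -f -- "${BACKDIR}${base}"
done

cd -- "$BACKDIR"
shopt -s nullglob
sql_files=( *.sql )
if (( ${#sql_files[@]} > 0 )); then
  # Same rule: the plain .sql files go only after tar succeeded.
  tar czvf "${TIME}.tar.gz" -- "${sql_files[@]}"
  rm -f -- "${sql_files[@]}"
fi

# Rewrite the index with only the current log, matching the files that are
# left in the data directory.
cd -- "$DATADIR"
printf '%s\n' "${binlogs[total - 1]}" > mysql-bin.index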
mysql完全备份full_backup_db.sh
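#!/bin/bash
# Full MySQL backup (full_backup_db.sh): dump every database to <weekday>.sql
# under BackDir, pack it as <weekday>.tar.gz and remove the plain dump.
#
# --flush-logs/--master-data=2 rotate the binary log and record the new log
# name/position as a comment in the dump, so the incremental script can
# continue from here. NOTE(review): --delete-master-logs purges the binlogs
# older than the new one, so any binlog the incremental script has not yet
# converted is lost; run the incremental script first or drop the option.
# The weekday name means each run replaces the tarball from one week earlier,
# as on the page. mysqldump needs credentials; the page does not show where
# they come from (presumably an option file) — confirm before scheduling.
set -euo pipefail
# The dump holds every database in clear; keep it readable by this user only.
umask 077

BackDir="/opt/backup/"
DATE=$(date -d today +%A)
DumpFile="${DATE}.sql"
GZDumpFile="${DATE}.tar.gz"

dump_path="${BackDir}${DumpFile}"
# A failed dump must not be packed as if it were complete: remove the partial
# file and exit non-zero; the previous tarball is left untouched.
if ! /yp-lnmp/mysql/bin/mysqldump --single-transaction --flush-logs --master-data=2 --delete-master-logs --all-databases > "$dump_path"; then
  printf 'mysqldump failed; removing partial dump %s\n' "$dump_path" >&2
  rm -f -- "$dump_path"
  exit 1
fi

cd -- "$BackDir"
tar czvf "$GZDumpFile" -- "$DumpFile"
rm -f -- "$DumpFile"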
vi /etc/sysconfig/iptables-config
IPTABLES_MODULES="ip_conntrack_ftp"
本文来自ChinaUnix博客,如果查看原文请点:http://blog.chinaunix.net/u2/75896/showart_2162953.html