服务器配置：

apache(2.2.22) 下载地址：

php（5.2.17）下载地址：

mysql(5.5.20,64-bit)下载地址：http://dev.mysql.com/get/Downloads/MySQL-5.5/mysql-5.5.20-linux2.6-x86_64.tar.gz/from/http://mysql.ntu.edu.tw/

Apache

安装http前先安装apr和apu

#cd srclib/apr

#./configure

#make&&make install

#cd ../apr-util/

#./configure --with-apr=/usr/local/apr/bin/apr-1-config

#make&&make install

#cd ../..

安装http

#./configure --prefix=/usr/local/apache --enable-rewrite --enable-so  --with-apr=/usr/local/apr/bin/apr-1-config --with-apr-util=/usr/local/apr/bin/apu-1-config

#make&&make install

 

修改/usr/local/apache/conf/httpd.conf

 

PidFile /var/run/httpd.pid

 

#DocumentRoot "/usr/local/apache/htdocs"

 

NameVirtualHost serverip:80

 

# The following directives modify normal HTTP response behavior to

# handle known problems with browser implementations.

#

BrowserMatch "Mozilla/2" nokeepalive

BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0

BrowserMatch "RealPlayer 4\.0" force-response-1.0

BrowserMatch "Java/1\.0" force-response-1.0

BrowserMatch "JDK/1\.0" force-response-1.0

 

#

# The following directive disables redirects on non-GET requests for

# a directory that does not include the trailing slash.  This fixes a

# problem with Microsoft WebFolders which does not appropriately handle

# redirects for folders with DAV methods.

# Same deal with Apple's DAV filesystem and Gnome VFS support for DAV.

#

BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully

BrowserMatch "MS FrontPage" redirect-carefully

BrowserMatch "^WebDrive" redirect-carefully

BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully

BrowserMatch "^gnome-vfs/1.0" redirect-carefully

BrowserMatch "^XML Spy" redirect-carefully

BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully

 

#mod_deflate Browser set

BrowserMatch ^Mozilla/4 gzip-only-text/html

BrowserMatch ^Mozilla/4\.0[678] no-gzip

BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

 

AddLanguage ca .ca

AddLanguage cs .cz .cs

AddLanguage da .dk

AddLanguage de .de

AddLanguage el .el

AddLanguage en .en

AddLanguage eo .eo

AddLanguage es .es

AddLanguage et .et

AddLanguage fr .fr

AddLanguage he .he

AddLanguage hr .hr

AddLanguage it .it

AddLanguage ja .ja

AddLanguage ko .ko

AddLanguage ltz .ltz

AddLanguage nl .nl

AddLanguage nn .nn

AddLanguage no .no

AddLanguage pl .po

AddLanguage pt .pt

AddLanguage pt-BR .pt-br

AddLanguage ru .ru

AddLanguage sv .sv

AddLanguage zh-CN .zh-cn

AddLanguage zh-TW .zh-tw

 

CustomLog logs/access_log combined

 

    AllowOverride FileInfo AuthConfig Limit

    Options MultiViews -Indexes FollowSymLinks IncludesNoExec

   

        Order allow,deny

        Allow from all

   

   

        Order deny,allow

        Allow from all

   

 

Include /home/bus_user/sites-enabled/*

 

 

Mysql

shell> groupadd mysql

shell> useradd -r -g mysql mysql

shell> cd /usr/local

shell> tar zxvf /path/to/mysql-VERSION-OS.tar.gz

shell> ln -s full-path-to-mysql-VERSION-OS mysql

shell> cd mysql

shell> chown -R mysql .

shell> chgrp -R mysql .

shell> scripts/mysql_install_db --user=mysql

shell> chown -R root .

shell> chown -R mysql data

# Next command is optional

shell> cp support-files/my-medium.cnf /etc/my.cnf

shell> bin/mysqld_safe --user=mysql &

# Next command is optional

shell> cp support-files/mysql.server /etc/init.d/mysql

 

php：

需要安装的rpm包（扩展库文件）

yum install libjpeg-devel libxml2-devel libpng-devel libXpm-devel freetype-devel libmcrypt-devel curl-devel

 

[root@CentOS6-78 php-5.3.6]# cat config.nice

#! /bin/sh

#

# Created by configure

 

'./configure' \

'--prefix=/usr/local/php5' \

'--with-apxs2=/usr/sbin/apxs' \

'--with-mysql=/usr/local/mysql' \

'--with-mysqli=/usr/local/mysql/bin/mysql_config' \

'--with-mcrypt=/usr/lib' \

'--enable-sockets' \

'--with-gd' \

'--enable-gd-native-ttf' \

'--with-curl' \

'--with-pdo-mysql=/usr/local/mysql/bin/mysql_config' \

'--with-jpeg-dir' \

'--with-freetype-dir' \

'--with-png-dir' \

'--with-xpm-dir' \

'--enable-gd-native-ttf' \

'--with-libxml-dir=/usr/lib' \

'--with-zlib-dir=/usr/include' \

'--enable-soap' \

"$@"

 

#./config.nice

#make&&make install

修改/etc/httpd/conf/httpd.conf

AddType application/x-httpd-php .php 

AddType application/x-httpd-php-source .phps

DirectoryIndex index.html index.html.var index.php

修改/usr/local/php5/lib/php.ini

 

#date.timezone =

max_execution_time = 120

upload_max_filesize = 100M

error_reporting = E_ALL & ~E_NOTICE

short_open_tag = On

 

 

ftp：

wget

tar -zxvf pure-ftpd.tar.gz

./configure --prefix=/usr/local/pure-ftpd

make install

mkdir /usr/local/pure-ftpd/etc

cp configuration-file/pure-config.pl /usr/local/pure-ftpd/sbin/

cp configuration-file/pure-ftpd.conf /usr/local/pure-ftpd/etc/

chmod a+x /usr/local/pure-ftpd/sbin/pure-config.pl

cp pam/pure-ftpd /etc/pam.d/

cd contrib

编辑 redhat.init 文件。修改

fullpath=/usr/local/sbin/$prog   -->  fullpath=/usr/local/pure-ftpd/sbin/$prog

pureftpwho=/usr/local/sbin/pure-ftpwho   -->   pureftpwho=/usr/local/pure-ftpd/sbin/pure-ftpwho

$fullpath /etc/pure-ftpd.conf --daemonize   -->   $fullpath /usr/local/pure-ftpd/etc/pure-ftpd.conf --daemonize

cp redhat.init  /etc/rc.d/init.d/pureftpd

service pureftpd start

 

 

监控：

安装nrpe  用于线下245的nagios监控

安装snmp用于线下245的cacti监控

 

安全

 

更换ssh,ftp端口（暂不执行）
 

ssh:

service iptables stop

切记先关掉防火墙，以免出现悲剧

sed -ir 's/#Port\s+22/Port\ 22008/' /etc/ssh/sshd_config

service sshd restart

 

ftp：

修改/usr/local/etc/pure-ftpd.conf

找到#bind 127.0.0.1,21

修改为bind     21201

service pureftpd restart

 

 

 

从服务器随时下载同步主服务器的php程序（参见OJO的同步脚本）

 

Mod_evasive

用途，特点：

mod_evasive 是Apache（httpd)服务器的防DDOS的一个模块。对于WEB服务器来说，是目前比较好的一个防护DDOS攻击的扩展模块。虽然并不能完全防御DDOS攻击，但在一定条件下，还是起到缓服Apache（httpd)服务器的压力。

 

安装：

是官方网站，可以下载最新版本

 

 

#tar zxvf mod_evasive_1.10.1.tar.gz

#cd mod_evasive

#/usr/local/apache/bin/apxs -cia mod_evasive20.c

 

 

 

在httpd.conf中下面加入：

 

DOSHashTableSize 3097

DOSPageCount 2

DOSSiteCount 50

DOSPageInterval 1

DOSSiteInterval 1

DOSBlockingPeriod 10

Include modevasive.d/*

 

 

 

 

 

在/usr/local/apache下创建文件夹modevasive.d

创建白名单文件whitelist.conf

内容例如：

DOSWhitelist 127.0.0.1

 

不会挡住来自本机的可能ddos攻击

 

 

重启apache服务

/usr/local/apache/bin/apachectl restart

 

 

测试：

在mod_evasive中自带一个test.pl的脚本。用于测试是否配置成功

在test.pl脚本内将127.0.0.1改为要测试的服务器ip地址,然后执行测试脚本：

perl test.pl

或者用apache自带的ab工具:

/usr/local/apache/bin/ab -n 1000 -c 50

如果成功挡住ddos攻击会在/tmp下面生成例如名字为dos-127.0.0.1的文件。证明成功

 

iptables

开放3306端口可以被远程访问，但是限制只有从服务器ip地址有此权限

 

优化：

安装eaccelerator

具体安装方法查看包内readme

 

安装zend Optimizer （仅支持5.2.x以下的php)

具体安装方法查看包内readme

 

Apache：

httpd.conf：

 

KeepAlive On

KeepAliveTimeout 15

MaxKeepAliveRequests 100

StartServers       8

MinSpareServers    5

MaxSpareServers   20

ServerLimit      1024

MaxClients       1024

MaxRequestsPerChild  4000

以上两个参数限定同一时间内允许接受的请求数量。如果需要增加需要两个参数都增加

 

隐藏apache和php版本：

Apache:

ServerTokens ProductOnly 

ServerSignature Off

Php.ini:

expose_php = Off

 

开启gzip压缩：

 

LoadModule headers_module modules/mod_headers.so

LoadModule deflate_module modules/mod_deflate.so

 

DeflateCompressionLevel 3

AddOutputFilter DEFLATE html xml php js css

SetOutputFilter DEFLATE

#BrowserMatch ^Mozilla/4 gzip-only-text/html

#BrowserMatch ^Mozilla/4\.0[678] no-gzip

#BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

SetEnvIfNoCase Request_URI no-gzip dont-vary

SetEnvIfNoCase Request_URI .(?:exe|t?gz|zip|bz2|sit|rar)$ no-gzip dont-vary

SetEnvIfNoCase Request_URI .(?:pdf|mov|avi|mp3|mp4|rm)$ no-gzip dont-vary

 

开启mysql慢查询日志：

添加/etc/my.cnf

long_query_time = 2

log-slow-queries =  /home/data/slowquery.log

日志3天过期

expire_logs_days = 3