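#!/bin/bash
# modified by jack.geng 2010-07-27
#
# Provisioning script for a LAMP web node: replaces the distro MySQL with a
# source build, builds Apache 2.2 + PHP 5.3 (with APC, mod_rpaf and
# mod_security) and writes the httpd configuration.  Run as root, once, on a
# fresh host; every step assumes the previous one succeeded, so the script
# now stops at the first failing command instead of continuing with a
# half-built stack (a failed useradd, for example, used to leave httpd
# unable to start).  Re-running on a partly provisioned host will stop at
# the first step that was already done.
#
# NOTE(review): the source tarballs unpacked below are expected in /usr/local
# and are never checksum- or signature-verified by this script.  Verify them
# against the upstream published hashes before running it.
set -eo pipefail

# Remove the distro-packaged MySQL so the source build below does not clash
# with it.  Back up any existing databases first.
yum -y remove mysql mysql-server

# root's login environment: the locally built php/apache binaries go ahead of
# the system PATH.  /usr/local/mysql/bin is deliberately last: that tree is
# chowned to the mysql service account later in this script, so nothing it
# holds may shadow a system command for root.
cd
cat > .bash_profile << "EOF"
# .bash_profile
# Get the aliases and functions
if [ -f /etc/bashrc ]; then
. /etc/bashrc
fi
# User specific environment and startup programs
PATH=/usr/local/php/bin:/usr/local/apache/bin:$PATH:$HOME/bin:/usr/local/mysql/bin
export PATH
unset USERNAME
EOF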
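# source .bash_profile
# make mysql 5.1.45 from source
# NOTE(review): 5.1.x is an old release long out of upstream support; it is
# kept here only because the PHP build below links against this exact tree.
/usr/sbin/groupadd -g 500 malabs
# mysqld runs as a service account: it gets no interactive shell.  The fixed
# UID/GID 500 will collide with the first regular user on a non-fresh host.
/usr/sbin/useradd -g malabs -u 500 -d /usr/local/mysql -s /sbin/nologin mysql
cd /usr/local/ || exit 1
tar xfz mysql-5.1.45.tar.gz
cd mysql-5.1.45 || exit 1
./configure --with-plugins=partition,innobase,myisam --without-docs --prefix=/usr/local/mysql
make || exit 1
make install || exit 1
# The PHP configure line later in this script uses --with-libdir=lib64; give
# the mysql prefix a lib64 alias so its client library is found.
ln -s /usr/local/mysql/lib /usr/local/mysql/lib64
# Make the client library resolvable system-wide for the PHP extensions.
cp /usr/local/mysql/lib/mysql/libmysqlclient.so.16.0.0 /usr/lib64/libmysqlclient.so.16
# NOTE(review): this hands the whole install tree -- binaries included -- to
# the mysql account, so a compromised mysqld could replace its own binaries.
# Only the data directory needs to be writable by mysql; this script does not
# initialise one (no mysql_install_db run), so that split is left to the
# operator.
chown -R mysql:malabs /usr/local/mysql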
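# install apache
# httpd runs as the 'web' account (User/Group in httpd.conf below).  The
# original line used Unicode en-dashes ("–g", "–u") instead of "-", so useradd
# took them as extra positional arguments and failed: the account was never
# created and httpd could not start.  The account keeps a login shell because
# the deploy step at the end of this script appears to log in as it.
useradd -g malabs -u 501 -d /usr/local/apache web || exit 1
cat > /usr/local/apache/.bash_profile <<"EOF"
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi
# User specific environment and startup programs
PATH=$PATH:$HOME/bin:/usr/local/php/bin
export PATH
EOF
chown web:malabs /usr/local/apache/.bash_profile
# Execute bit on a profile is unnecessary (it is sourced, not run); harmless.
chmod +x /usr/local/apache/.bash_profile
cd /usr/local || exit 1
tar zxf httpd-2.2.15.tar.gz
cd httpd-2.2.15 || exit 1
# --enable-mods-shared=all builds every module as a DSO; httpd.conf below
# loads only the ones it names.  NOTE(review): 2.2.15 is long past upstream
# support.
./configure --prefix=/usr/local/apache --enable-mods-shared=all --enable-ssl
make || exit 1
make install || exit 1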
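rm -f /etc/init.d/httpd
# SysV init script for the locally built httpd.  Registered as 'apache' (not
# 'httpd', the name the removed distro package used).
cat > /etc/init.d/apache << "EOF"
#!/bin/bash
#
# Startup script for the Apache Web Server
# chkconfig: - 85 15
# description: Apache is a World Wide Web server. It is used to serve \
# HTML files and CGI.
# processname: httpd
# pidfile: /usr/local/apache/logs/httpd.pid
# config: /usr/local/apache/conf/httpd.conf
# Source function library.
. /etc/rc.d/init.d/functions
if [ -f /etc/sysconfig/httpd ]; then
. /etc/sysconfig/httpd
fi
# This will prevent initlog from swallowing up a pass-phrase prompt if
# mod_ssl needs a pass-phrase from the user.
INITLOG_ARGS=""
# Path to the apachectl script, server binary, and short-form for messages.
apachectl=/usr/local/apache/bin/apachectl
httpd=/usr/local/apache/bin/httpd
pid=/usr/local/apache/logs/httpd.pid
prog=httpd
# The subsys lock must carry this script's own name: the rc shutdown sequence
# only runs a K-script when /var/lock/subsys/<script name> exists, so the
# former '.../subsys/httpd' lock meant httpd was never stopped cleanly on
# shutdown or runlevel change.
lockfile=/var/lock/subsys/apache
RETVAL=0
# The semantics of these two functions differ from the way apachectl does
# things -- attempting to start while running is a failure, and shutdown
# when not running is also a failure. So we just do it the way init scripts
# are expected to behave here.
start() {
    echo -n $"Starting $prog: "
    # httpd starts as root (it binds :80) and drops to User/Group from httpd.conf.
    daemon $httpd $OPTIONS
    RETVAL=$?
    echo
    [ $RETVAL = 0 ] && touch "$lockfile"
    return $RETVAL
}
stop() {
    echo -n $"Stopping $prog: "
    killproc $httpd
    RETVAL=$?
    echo
    [ $RETVAL = 0 ] && rm -f "$lockfile" "$pid"
    return $RETVAL
}
reload() {
    echo -n $"Reloading $prog: "
    killproc $httpd -HUP
    RETVAL=$?
    echo
    return $RETVAL
}
# See how we were called.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        status $httpd
        RETVAL=$?
        ;;
    restart)
        stop
        start
        ;;
    condrestart)
        if [ -f "$pid" ] ; then
            stop
            start
        fi
        ;;
    reload)
        reload
        ;;
    graceful|help|configtest|fullstatus)
        # Handed straight to apachectl; "$@" keeps each argument intact.
        $apachectl "$@"
        RETVAL=$?
        ;;
    *)
        echo $"Usage: $prog {start|stop|restart|condrestart|reload|status"
        echo $"|fullstatus|graceful|help|configtest}"
        exit 1
esac
exit $RETVAL
EOF
chmod +x /etc/init.d/apache
/sbin/chkconfig --add apache
/sbin/chkconfig --level 3 apache on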
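# install php ref components
# Libraries PHP is configured against below: libiconv, libmcrypt (and its
# bundled libltdl), mhash and the mcrypt tool.  Each is built under /usr/local
# and then symlinked into /usr/lib64 so the PHP extensions resolve at runtime
# without an ld.so.conf change.  NOTE(review): libmcrypt and mhash are
# unmaintained upstream; treat PHP's mcrypt extension as legacy code.
cd /usr/local || exit 1
tar xfz libiconv-1.13.1.tar.gz
cd libiconv-1.13.1 || exit 1
./configure --prefix=/usr/local
make || exit 1
make install || exit 1
ln -sf /usr/local/lib/libiconv.* /usr/lib64/

cd /usr/local/ || exit 1
tar zxf libmcrypt-2.5.8.tar.gz
cd libmcrypt-2.5.8 || exit 1
./configure && make && make install
/sbin/ldconfig
# libmcrypt's bundled libltdl.  The cd must succeed: without the check a
# failure would re-run libmcrypt's own configure with the ltdl flag instead.
cd libltdl/ || exit 1
./configure --enable-ltdl-install
make || exit 1
make install || exit 1
ln -sf /usr/local/lib/libmcrypt.* /usr/lib64/
ln -sf /usr/local/bin/libmcrypt-config /usr/bin/

cd /usr/local/ || exit 1
tar zxf mhash-0.9.9.9.tar.gz
cd mhash-0.9.9.9 || exit 1
./configure && make && make install
ln -sf /usr/local/lib/libmhash.* /usr/lib64/

cd /usr/local/ || exit 1
tar zxf mcrypt-2.6.8.tar.gz
cd mcrypt-2.6.8 || exit 1
./configure && make && make install
# Repeats the libmcrypt symlink made above; harmless.
ln -sf /usr/local/lib/libmcrypt.* /usr/lib64/
# install php
# ln -sf /usr/lib64/libjpeg.so.62.0.0 /usr/lib64/libjpeg.so
# ln -sf /usr/lib64/libpng.so.3.10.0 /usr/lib64/libpng.so
# Unversioned libapr-1.so link, presumably for the apxs-based builds that
# follow (the -devel package that would normally provide it is not installed).
ln -sf /usr/lib64/libapr-1.so.0.2.7 /usr/lib64/libapr-1.so
# ln -sf /usr/lib64/libxml2.so.2.6.26 /usr/lib/libxml2.so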
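cd /usr/local/ || exit 1
tar xfz php-5.3.2.tar.gz
cd php-5.3.2 || exit 1
# NOTE(review): --enable-safe-mode is deprecated in 5.3 and removed in 5.4;
# safe_mode was never a reliable isolation boundary, so do not rely on it to
# separate the vhosts.  --with-curlwrappers was experimental and is also gone
# in later PHP.  Both flags are kept so the build matches the original; drop
# them when PHP is upgraded.
./configure --with-libdir=lib64 \
--prefix=/usr/local/php --with-apxs2=/usr/local/apache/bin/apxs --with-mysql=/usr/local/mysql \
--with-mysqli=/usr/local/mysql/bin/mysql_config --with-config-file-path=/usr/local/php/etc --with-iconv-dir=/usr/local \
--with-pdo-mysql=/usr/local/mysql \
--with-freetype-dir --with-jpeg-dir --with-png-dir --with-zlib --with-libxml-dir=/usr --enable-xml \
--disable-rpath --enable-safe-mode --enable-bcmath --enable-shmop --enable-sysvsem \
--enable-inline-optimization --with-curl --with-curlwrappers --enable-mbregex --enable-mbstring --with-mcrypt \
--with-gd --enable-gd-native-ttf --with-mhash --with-openssl \
--enable-sockets --with-xmlrpc --enable-zip --enable-soap
make ZEND_EXTRA_LIBS='-liconv' || exit 1
make install || exit 1
libtool --finish libs
# Start from the production template (display_errors already Off there) and
# keep an untouched copy for diffing.
ini=/usr/local/php/etc/php.ini
cp php.ini-production "$ini"
cp "$ini" "$ini.save"
# Site tuning.  The original replacements inserted a leading space before the
# directive name, which php.ini tolerates but which breaks later anchored
# edits (grep/sed on '^post_max_size'); the replacements are now bare.
sed -i 's/post_max_size = 8M/post_max_size = 30M/g' "$ini"
sed -i 's/upload_max_filesize = 2M/upload_max_filesize = 25M/g' "$ini"
sed -i '/display_errors/s/On/Off/' "$ini"
# short_open_tag is presumably an application requirement; not a security
# setting.
sed -i '/short_open_tag/s/Off/On/' "$ini"
sed -i 's#;default_charset = "iso-8859-1"#default_charset = "utf8"#' "$ini"
sed -i 's/memory_limit = 128M/memory_limit = 512M/g' "$ini"
sed -i 's#;date.timezone =#date.timezone = America/Los_Angeles#' "$ini"
# Added: stop advertising the PHP version in the X-Powered-By header, matching
# the ServerTokens Prod / ServerSignature Off set in security.conf.
sed -i 's/^expose_php = On/expose_php = Off/' "$ini"
# Placeholder index.php so the default DocumentRoot has an index file.
echo "" >> /usr/local/apache/htdocs/index.php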
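cd /usr/local/ || exit 1
tar xfz APC-3.1.3p1.tgz
cd /usr/local/APC-3.1.3p1 || exit 1
/usr/local/php/bin/phpize
./configure --with-libdir=lib64 --enable-apc --enable-apc-mmap --with-php-config=/usr/local/php/bin/php-config
make || exit 1
make install || exit 1
# Enable the opcode cache.  The mmap mask is a mkstemp-style template, so the
# backing file gets a random name under /tmp.
ini=/usr/local/php/etc/php.ini
{
  echo "extension=apc.so"
  echo "apc.enabled=1"
  echo "apc.shm_size=128"
  echo "apc.num_files_hint=1024"
  echo "apc.mmap_file_mask=/tmp/apc.XXXXXX"
} >> "$ini"
# NOTE(review): apc.php is APC's management page.  It lists cached files and
# user-cache entries and ships with a default admin password set inside the
# file.  /usr/local/apache/htdocs is the default vhost's DocumentRoot, which
# httpd.conf opens to everyone, so this copy is reachable as /apc.php from
# any client -- the IP-restricted /admin alias only covers the /admin path.
# Change the password in the copy and restrict the page before going live.
cp apc.php /usr/local/apache/htdocs/.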
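# mod_rpaf: replaces the client address with the X-Forwarded-For value when
# the request came from a proxy listed in RPAFproxy_ips (httpd.conf), so the
# access log, Allow-from rules and mod_security see the real client IP.
cd /usr/local/ || exit 1
tar zxf mod_rpaf-0.6.tar.gz
cd mod_rpaf-0.6 || exit 1
/usr/local/apache/bin/apxs -i -c -n mod_rpaf-2.0.so mod_rpaf-2.0.c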
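yum -y install pcre-devel
# Persistent collection storage for mod_security (SecDataDir in security.conf),
# owned by the httpd user.  Mode 0700 keeps other local accounts out of the
# collection files.  NOTE(review): /tmp is world-writable and may be purged by
# tmp cleaning or on reboot; a directory under /usr/local/apache would be a
# better home, but the path must then change in security.conf as well.
mkdir -p -m 0700 /tmp/modsecurity
chown web:malabs /tmp/modsecurity
cd /usr/local || exit 1
tar xfz modsecurity-apache_2.5.12.tar.gz
cd modsecurity-apache_2.5.12/apache2 || exit 1
./configure --with-apr=/usr/local/apache/bin --with-apu=/usr/local/apache/bin && make && make install
# Core Rule Set files.  Only copied here; which rule files are actually loaded
# is decided by the Include lines in security.conf.
mkdir -p /usr/local/apache/conf/secu
cp /usr/local/modsecurity-apache_2.5.12/rules/modsecurity_crs_10_config.conf /usr/local/apache/conf/secu
cp -r /usr/local/modsecurity-apache_2.5.12/rules/base_rules /usr/local/apache/conf/secu
cp -r /usr/local/modsecurity-apache_2.5.12/rules/optional_rules /usr/local/apache/conf/secu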
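cd /usr/local/apache/conf || exit 1
mv httpd.conf httpd.conf.orig
# NOTE(review): the container directives (<Directory>, <FilesMatch>,
# <Location>) were missing from the published copy of this script -- most
# likely stripped by HTML rendering -- which left Order/Deny/Allow at server
# scope, a configuration httpd rejects at startup.  They are restored here
# following the stock 2.2 httpd.conf these lines were taken from; compare
# against the httpd.conf.orig saved above.
cat > /usr/local/apache/conf/httpd.conf <<"EOF"
ServerRoot "/usr/local/apache"
Listen 80
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule include_module modules/mod_include.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule env_module modules/mod_env.so
LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule mime_module modules/mod_mime.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule asis_module modules/mod_asis.so
LoadModule info_module modules/mod_info.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule php5_module modules/libphp5.so
User web
Group malabs
ServerAdmin you@example.com
ServerName maweb1:80
DocumentRoot "/usr/local/apache/htdocs"
# Filesystem default: nothing is served unless a more specific <Directory>
# opens it.
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>
# Default DocumentRoot, served to everyone.  'Indexes' has been dropped:
# directory listings on the public default vhost disclose file names
# (apc.php, backups, ...).
<Directory "/usr/local/apache/htdocs">
    Options FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
DirectoryIndex index.html index.php
# Never serve .htaccess / .htpasswd files.
<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</FilesMatch>
ErrorLog "logs/error_log"
LogLevel warn
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
# Daily rotated access log.  'common' omits Referer and User-Agent; 'combined'
# is the more useful choice for incident review.
CustomLog "|/usr/local/apache/bin/rotatelogs /usr/local/apache/logs/%Y_%m_%d.access_log 86400 480" common
# mod_cgi is loaded; the stock install drops sample scripts into cgi-bin.
# Remove anything there that the site does not need.
ScriptAlias /cgi-bin/ "/usr/local/apache/cgi-bin/"
<Directory "/usr/local/apache/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>
DefaultType text/plain
TypesConfig conf/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
# httpd-info.conf enables /server-info (and /server-status) with its own
# stock access rules; only /server-status is overridden below.  Verify that
# /server-info is not reachable from outside.
Include conf/extra/httpd-info.conf
Include conf/extra/httpd-mpm.conf
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
<Location /server-status>
    SetHandler server-status
    Order Deny,Allow
    Deny from all
    Allow from 192.168.20.173
</Location>
AddType application/x-httpd-php .php .phtml
# .phps maps to the source highlighter: any file with that suffix under a
# DocumentRoot has its source served.
AddType application/x-httpd-php-source .phps
# install virtualhost to apache
NameVirtualHost *
Include conf/malabs.conf
Include conf/backend.conf
Include conf/security.conf
Include conf/admin.conf
LoadModule rpaf_module modules/mod_rpaf-2.0.so
RPAFenable On
RPAFsethostname On
RPAFheader X-Forwarded-For
# X-Forwarded-For is trusted only from these two front proxies; every other
# peer keeps its real address.  Keep this list exactly equal to the proxies
# in front of this host.
RPAFproxy_ips 10.1.8.116 10.1.8.120
EOF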
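# Public site vhost.  NOTE(review): the <VirtualHost> and <Directory>
# containers were lost from the published copy of this script and are
# restored here.  The original ServerName line carried no value (a configtest
# error), so it is commented out: fill in the public hostname.  Without a
# ServerName this first vhost is also the default for unmatched Host headers.
cat > /usr/local/apache/conf/malabs.conf << "EOF"
<VirtualHost *>
    # ServerName   -- value missing in the original; set the public hostname
    DocumentRoot "/usr/local/malabs/web"
    DirectoryIndex index.php
    ErrorLog "logs/malabs_error_log"
    # AllowOverride ALL lets a .htaccess in the docroot re-enable anything
    # (php_value, handlers, CGI).  The docroot is owned by the 'web' account
    # that also runs httpd, so a web-app compromise can write such files.
    <Directory "/usr/local/malabs/web">
        AllowOverride ALL
        Allow from All
    </Directory>
    # Sessions for this vhost and backend.conf share /tmp/session, so a
    # session id issued by one application is readable by the other.  Use
    # separate save_path directories if the two must not share sessions.
    php_admin_value session.save_path "/tmp/session"
    Alias /sf "/usr/local/symfony/data/web/sf"
    <Directory "/usr/local/symfony/data/web/sf">
        AllowOverride All
        Allow from All
    </Directory>
</VirtualHost>
EOF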
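# Internal backend vhost.  NOTE(review): the <VirtualHost>/<Directory>
# containers were lost from the published copy of this script and are
# restored here.
cat > /usr/local/apache/conf/backend.conf << "EOF"
<VirtualHost *>
    ServerName backend.malabs.com
    DocumentRoot "/usr/local/backend/web"
    ErrorLog "logs/backend_error_log"
    DirectoryIndex index.php
    <Directory "/usr/local/backend/web">
        AllowOverride All
        # The original had only 'Allow from 10.1.11 192.168.20', with no Order
        # and no Deny.  Apache 2.2's default is 'Order Deny,Allow' and, with
        # nothing denied, every client was admitted: the restriction did
        # nothing.  Deny first, then allow the two internal networks (partial
        # addresses are prefix matches: 10.1.11.0/24 and 192.168.20.0/24).
        # If requests arrive via the proxies in RPAFproxy_ips, the address
        # tested here is the X-Forwarded-For one, so this is only as strong
        # as the proxies' handling of that header.
        Order deny,allow
        Deny from all
        Allow from 10.1.11 192.168.20
    </Directory>
    # Shared with malabs.conf; see the note there about cross-app sessions.
    php_admin_value session.save_path "/tmp/session"
</VirtualHost>
EOF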
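# Admin-only views, restricted to one management host.
# NOTE(review): the <Location> containers were lost from the published copy of
# this script.  They are reconstructed as /admin (the alias declared on the
# first line) and /server-status (the handler set in the second group);
# confirm against the original.  /server-status is also defined in httpd.conf
# with the same rules.
cat > /usr/local/apache/conf/admin.conf << "EOF"
Alias /admin /usr/local/apache/htdocs
<Location /admin>
    Order Deny,Allow
    Deny from all
    Allow from 192.168.20.173
</Location>
# /admin aliases the default DocumentRoot, which the default vhost already
# serves to everyone at /.  This restriction therefore protects only the
# /admin path, not the files behind it (apc.php included).
<Location /server-status>
    SetHandler server-status
    Order Deny,Allow
    Deny from all
    Allow from 192.168.20.173
</Location>
EOF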
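# install mod_security
cat > /usr/local/apache/conf/security.conf << "EOF"
# Server hardening plus mod_security; included from httpd.conf.
TraceEnable off
ServerTokens Prod
ServerSignature Off
# mod_security needs libxml2 at runtime; loaded explicitly here.
LoadFile /usr/lib64/libxml2.so
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule security2_module modules/mod_security2.so
# CRS configuration (modsecurity_crs_10_config.conf) first, then a subset of
# the base rules.
# NOTE(review): confirm that 10_config sets 'SecRuleEngine On' and an audit
# log; otherwise the rules below only inspect and nothing is ever blocked or
# recorded.  Only four rule files are loaded: no protocol-violation,
# request-limit, HTTP-policy or outbound (50_*) rules, and no
# 49_inbound_blocking.  If the CRS version in use scores anomalies instead of
# blocking per rule, the blocking decision lives in the 49 file and this
# subset would log but never deny -- verify with a test request before
# relying on it.
Include conf/secu/*.conf
Include conf/secu/base_rules/modsecurity_crs_40_generic_attacks.conf
Include conf/secu/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include conf/secu/base_rules/modsecurity_crs_41_xss_attacks.conf
Include conf/secu/base_rules/modsecurity_crs_45_trojans.conf
# Persistent collections.  The directory is created and chowned to the httpd
# user earlier in the install script; /tmp is world-writable and may be
# purged, so consider moving it under /usr/local/apache (change both places).
SecDataDir /tmp/modsecurity
# Include conf/secu/optional_rules/*.conf
EOF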
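# PHP session storage used by both vhosts.  Mode 0700: session files carry
# application state and must not be readable by other local accounts.
# NOTE(review): under /tmp the directory is subject to tmp cleaning and is
# lost on reboot if /tmp is tmpfs; both vhost configs point here.
mkdir -p -m 0700 /tmp/session
chown web:malabs /tmp/session
# rkhunter: install and take the file-property baseline now, while the freshly
# built binaries are known good.  Re-run --propupd only after a legitimate
# rebuild, never in response to a warning.
cd /usr/local || exit 1
tar xfz rkhunter-1.3.6.tar.gz
cd rkhunter-1.3.6 || exit 1
./installer.sh --install
rkhunter --propupd
# Application trees, owned by the account httpd runs as.
cd /usr/local/ || exit 1
mkdir -p malabs symfony backend
chown -R web:malabs malabs symfony backend
rm -rf /usr/local/package.xml
# passwd web
# NOTE(review): the original script carried the web account's password in a
# comment at this point; it has been removed.  Set it interactively ('passwd
# web') or from the deployment system, and rotate the one that was published.
# install project
# cd /usr/local
# from 192.168.21.50 deploy to maweb1 and maweb2
# reboot the server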