
rhel4优化配置完整版and apache_mysql_php setup

/*     本文为原创,转载请注明来自:http://meisw.cn/show-15-1.html    */

/*     QQ:5846690,mail/msn:mymail#3126.com */


一 安全优化配置和升级内核
1 采用RPM包方式
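# Check each kernel package's signature and digests before installing it; the
# install only runs when every package verifies.  The vendor's public key must
# already be imported (rpm --import) for the signature check to pass.
rpm -K kernel*rpm && rpm -ivh kernel*rpm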

停止不需要的服务
可以用ntsysv
或 chkconfig

显示乱码
vi /etc/sysconfig/i18n

修改登录控制台
vi /etc/inittab
#2:2345:respawn:/sbin/mingetty tty2
#3:2345:respawn:/sbin/mingetty tty3
#4:2345:respawn:/sbin/mingetty tty4
#5:2345:respawn:/sbin/mingetty tty5
#6:2345:respawn:/sbin/mingetty tty6

删除无用用户
# Remove the stock accounts listed below, one userdel call per account.
# NOTE(review): files that were owned by a deleted account are left without an
# owner and will be listed by the `find / -nouser` check later in this guide;
# confirm no installed service still runs as one of these accounts first.
for account in lp adm halt mail news uucp operator games gopher vcsa xfs ntp \
    webalizer squid smmsp nfsnobody; do
  userdel "$account"
done


保存指纹信息
# Save the current verification report for every installed package into
# rpm_o, as a reference for later comparison.
# NOTE(review): a reference file kept on the same host can be altered together
# with the files it describes; keep a copy off the machine.
rpm --verify --all > rpm_o

将/etc/rc.d/init.d下的文件设为700
chmod 700 /etc/rc.d/init.d/*

备份部分程序的md5
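# Record an md5sum baseline for the system binaries and init scripts, one
# output file per directory, then bundle the results.
# The glob replaces `ls` parsing, so names containing spaces are handled and
# directories are skipped instead of producing md5sum errors.
# NOTE(review): MD5 is not collision resistant and a baseline stored on this
# host can be rewritten along with the binaries; keep md5_host.tar.gz on
# offline or read-only media and prefer a stronger digest tool if available.
for pair in /bin:bin_md5 /sbin:sbin_md5 /usr/sbin:usbin_md5 \
    /usr/bin:ubin_md5 /etc/rc.d/init.d:initd_md5; do
  dir=${pair%%:*}
  out=${pair#*:}
  for f in "$dir"/*; do
    if [ -f "$f" ]; then
      md5sum "$f"
    fi
  done > "$out"
done
# The archive picks up every file in the current directory, so run this from a
# dedicated working directory.  `./*` keeps a file name starting with '-' from
# being read as a tar option.
tar -zcvf md5_host.tar.gz ./*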

为/etc/passwd设置不可修改(immutable)属性(此后增删用户或修改账户前需先执行 chattr -i /etc/passwd)
chattr +i /etc/passwd

查找带有S位的文件
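# List every file that has the setgid bit set.  `-perm -2000` matches the same
# files as the older `-perm +2000` spelling, which current GNU find rejects.
find / -perm -2000
# chmod 755 sets plain rwxr-xr-x, which drops the setgid bit from these tools.
# NOTE(review): write and wall are presumably setgid so they can open other
# users' terminals; expect them to stop working for unprivileged users.
chmod 755 /usr/bin/write \
  /usr/sbin/sendmail.sendmail \
  /usr/sbin/utempter \
  /usr/bin/wall \
  /sbin/netreport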

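# List every file that has the setuid bit set.  `-perm -4000` matches the same
# files as the older `-perm +4000` spelling, which current GNU find rejects.
find / -perm -4000
# chmod 755 sets plain rwxr-xr-x, which drops the setuid bit.  Without it these
# programs only do their privileged work when started by root: su, sudo and
# newgrp can no longer switch identity for ordinary users, and crontab,
# gpasswd, mount and ping lose the operations that needed root.
# NOTE(review): make sure another root login path exists before removing
# setuid from su and sudo.  A later package update may restore the original
# modes, so repeat the search after updates.
chmod 755 /bin/mount \
  /bin/umount \
  /bin/traceroute \
  /bin/traceroute6 \
  /bin/ping \
  /bin/ping6 \
  /bin/su \
  /usr/bin/rlogin \
  /usr/bin/newgrp \
  /usr/bin/crontab \
  /usr/sbin/usernetctl \
  /usr/sbin/userisdnctl \
  /usr/sbin/suexec \
  /usr/sbin/userhelper \
  /usr/bin/sudo \
  /usr/bin/rsh \
  /usr/bin/gpasswd \
  /usr/bin/rcp \
  /usr/bin/lppasswd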
再次检查
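# Search once more for any remaining setgid or setuid files.
# `-perm -MODE` is used because current GNU find rejects `-perm +MODE`; for a
# single bit the two spellings match the same files.
find / -perm -2000 -o -perm -4000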

检查没有属主的文件
find / -nouser

设置gcc等编译器的权限
chmod 700 /usr/bin/gcc*
chmod 700 /usr/bin/g++*

设置网卡传输速率
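# The net-tools command is `mii-tool`; -F forces a media type and therefore
# needs one.  MEDIA and IFACE must be set first (for example 100baseTx-FD and
# eth0); the command aborts with a message if either is missing.
mii-tool -F "${MEDIA:?set MEDIA, e.g. 100baseTx-FD}" "${IFACE:?set IFACE, e.g. eth0}"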

系统优化设置
# Runtime TCP and connection-tracking tuning: each "name value" pair below is
# written to the matching file under /proc/sys/net/ipv4.
# - tcp_syncookies 1 turns SYN cookies on; the larger SYN backlog and the lower
#   SYN/SYN-ACK retry counts presumably target SYN floods as well.
# - tcp_window_scaling, tcp_sack and tcp_timestamps are switched off.
#   NOTE(review): this limits throughput on high-latency links; confirm it is
#   intended.
# - The original kept 163760 in a comment just before ip_conntrack_max,
#   presumably as an alternative value.
# Values written to /proc do not survive a reboot.
# NOTE(review): add the equivalent keys to /etc/sysctl.conf if they should
# persist; the ip_conntrack entries presumably need the conntrack module
# loaded before they exist.
while read -r knob setting; do
  echo "$setting" > "/proc/sys/net/ipv4/$knob"
done <<'EOF'
tcp_fin_timeout 30
tcp_max_syn_backlog 10240
tcp_keepalive_time 1800
ip_conntrack_max 81920
tcp_synack_retries 3
tcp_syn_retries 3
tcp_max_orphans 81920
tcp_max_tw_buckets 380000
tcp_window_scaling 0
tcp_sack 0
tcp_timestamps 0
netfilter/ip_conntrack_tcp_timeout_syn_recv 3
tcp_syncookies 1
EOF

 


二 apache/mysql/php的安装
下载相关软件和包(略)
mysql
编辑 sql/mysqld.cc :
搜索:&max_connections, 0, GET_ULONG, REQUIRED_ARG, 100, 1, 16384, 0, 1,
修改:&max_connections, 0, GET_ULONG, REQUIRED_ARG, 1000, 1, 16384, 0, 1,

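# Build and install MySQL under /www/servers/mysql, run by a dedicated account
# that has no home directory and no login shell.
path=/www/servers/mysql   # same value as --prefix below; the original left $path unset

groupadd mysql
useradd -g mysql -d /dev/null -s /sbin/nologin mysql

# Chain the steps so a failed configure or build is never installed.
# NOTE(review): /tmp is world-writable; a socket path in a directory that only
# mysql can write to keeps other local users from pre-creating mysql.sock.
./configure --prefix="$path" --with-unix-socket-path=/tmp/mysql.sock --with-mysqld-user=mysql \
  && make \
  && make install

"$path/bin/mysql_install_db"
# user:group is the supported separator; the dotted form is deprecated.
chown -R mysql:mysql "$path/var"
# The original path read share/msyql, which does not exist under the prefix.
cp "$path/share/mysql/mysql.server" /etc/rc.d/init.d/mysqld
chkconfig --add mysqld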
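-- Run inside the mysql client as root.
-- Replace <NEW_ROOT_PASSWORD> with a strong, unique password: password("") as
-- originally written stores an empty password for every root account.
-- NOTE(review): also check the user table for accounts with an empty user name
-- or empty password left by the initial install.
use mysql
update user set password=password('<NEW_ROOT_PASSWORD>') where user='root';
flush privileges;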

http
tar ...
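# Configure, build and install Apache 2.0 with the worker MPM.
# The option list is one command: the original broke it across two lines
# without a continuation, so the second line ran as a separate command.
# Steps are chained so a failed build is never installed.
# NOTE(review): the PHP step in this guide passes
# --with-apxs2=/www/servers/httpd/bin/apxs, which does not match this prefix
# (/www/servers/httpd20); one of the two paths needs correcting.
# NOTE(review): --enable-proxy builds mod_proxy; keep ProxyRequests off unless
# a forward proxy is really intended.
./configure --prefix=/www/servers/httpd20 --enable-cgi --with-mpm=worker --enable-rewrite --enable-so \
  --enable-proxy --enable-cache --enable-disk-cache \
  && make \
  && make install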

freetype
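# Build FreeType into /usr/local/freetype; each step runs only if the previous
# one succeeded, so a failed build is not installed.
./configure --prefix=/usr/local/freetype && make && make install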

jpeg
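# Create the install tree up front (presumably because this jpeg release's
# install step does not create it).  -p creates parents and does not fail when
# a directory already exists.
mkdir -p /usr/local/jpeg/bin \
  /usr/local/jpeg/lib \
  /usr/local/jpeg/include \
  /usr/local/jpeg/man/man1
# Chain the steps so a failed build is never installed.
./configure --prefix=/usr/local/jpeg --enable-shared --enable-static \
  && make \
  && make install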

##### LibPNG #####
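# Build libpng with the stock Linux makefile.  The steps are chained so nothing
# runs in the wrong directory if the cd fails, and nothing is installed unless
# the library's own test passes.
# NOTE(review): 1.2.8 is the release this guide was written against; check
# upstream for a current release before building an image library that will
# parse untrusted files.
cd libpng-1.2.8 \
  && cp scripts/makefile.linux makefile \
  && make test \
  && make install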

zlib
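# Build and install zlib with its default prefix.  The steps are chained so
# nothing runs in the wrong directory if the cd fails and a failed build is not
# installed.
# NOTE(review): 1.2.2 is the release this guide was written against; check
# upstream for a current release.
cd zlib-1.2.2 \
  && ./configure \
  && make \
  && make install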

gd
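# Build GD against the jpeg and freetype trees installed above.  The steps are
# chained so nothing runs in the wrong directory if the cd fails and a failed
# build is not installed.
cd gd-2.0.33 \
  && ./configure --prefix=/usr/local/gd --with-jpeg=/usr/local/jpeg \
       --with-freetype=/usr/local/freetype --with-png --with-zlib \
  && make \
  && make install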

php
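# Build PHP as an Apache 2 module with GD, MySQL, iconv, mbstring, FTP and
# OpenSSL support.  Steps are chained so a failed build is never installed.
# NOTE(review): --with-apxs2 points at /www/servers/httpd, while the Apache
# step in this guide installs to /www/servers/httpd20; confirm which path is
# correct before running.
# NOTE(review): /usr/local/ssl is assumed to hold an existing OpenSSL install;
# this guide does not build one.
./configure --prefix=/www/servers/php \
  --with-apxs2=/www/servers/httpd/bin/apxs \
  --with-gd=/usr/local/gd --enable-gd-native-ttf \
  --with-jpeg-dir=/usr/local/jpeg --with-png --with-ttf --with-zlib \
  --with-freetype-dir=/usr/local/freetype \
  --with-mysql=/www/servers/mysql \
  --with-iconv --enable-mbstring --enable-ftp \
  --with-openssl=/usr/local/ssl --with-openssl-dir=/usr/local/ssl \
  && make \
  && make install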


##### vsftpd #####

cd vsftpd-2.0.3

编辑 builddefs.h (注意:去掉 PAM 支持后,/etc/pam.d 中基于 PAM 的登录限制不再对 vsftpd 生效):
#define VSF_BUILD_PAM
修改为
#undef VSF_BUILD_PAM

编辑 defs.h :
#define VSFTP_DEFAULT_CONFIG   "/etc/vsftpd.conf"
修改为
#define VSFTP_DEFAULT_CONFIG   "/server/vsftpd/conf/vsftpd.conf"

make

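# Install the vsftpd binary, man pages and sample configuration.
# -p keeps mkdir from failing when a directory already exists and creates
# missing parents.
# NOTE(review): /usr/share/empty is presumably vsftpd's empty chroot
# directory; it should stay empty and not be writable by the FTP user.
mkdir -p /usr/share/empty
mkdir -p /www/servers/vsftpd
install -m 755 vsftpd /www/servers/vsftpd/vsftpd
install -m 644 vsftpd.8 /usr/share/man/man8
install -m 644 vsftpd.conf.5 /usr/share/man/man5
# NOTE(review): defs.h was edited above to read the configuration from
# /server/vsftpd/conf/vsftpd.conf, but the file is installed to
# /etc/vsftpd.conf and the binary to /www/servers/vsftpd; unless the config
# path is passed on the command line the daemon will not find this file.
# Make the compiled-in path and the install path agree.
install -m 644 vsftpd.conf /etc/vsftpd.conf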


#mod_evasive
http://www.nuclearelephant.com/projects/mod_evasive/


faq
checking lex output file root... ./configure: line 2540: lex: command not found
下载安装flex
需要安装yacc(下面的RPM不是来自系统自带的软件源,安装前请先用 rpm -K 校验签名和摘要)
ftp://rpmfind.net/linux/SuSE-Linux/i386/9.0/suse/i586/yacc-91.7.30-768.i586.rpm

patch
patch -d flex-2.5.4 -p1 < filename


chattr list
passwd
shadow
php.ini
apache/bin
mysql/bin

soft
ftp://rpmfind.net/linux/dag/redhat/el4/en/i386/dag/RPMS/nload-0.6.0-1.2.el4.rf.i386.rpm

Tags: 优化配置
