(CentOS + Nginx + PHP + Mysql) configuration and WEB server security configuration Scheme

Source: Internet
Author: User

Server Security Settings and Other Settings

Main content:
[Set Ngnix to download AVI and MP3 files]
[Set the website concurrency limit]
[1 Mbit/s upload restrictions for nginx programs]
[Optimize PHP]
[Optimizing mysql]
[Mysql Security Settings]
[Overall system security adjustment]

[Set Ngnix to download AVI and MP3 files]

# vi /usr/local/webserver/nginx/conf/mime.types
Modify the mime.types file:
Change the MIME type of the file formats that should be offered as downloads (AVI, MP3, etc.) to "application/octet-stream".
# vi /usr/local/webserver/nginx/conf/mime.types.default
Modify the mime.types.default file:
Change the MIME type of the same download formats to "application/octet-stream".

[Set the website concurrency limit]
The concurrency limit was already added when the nginx.conf file was configured; see the "HttpLimitZoneModule" section of the official wiki (http://wiki.codemongers.com/NginxChsHttpLimit_zoneMoDuLe).

[1 Mbit/s upload restrictions for nginx programs]
The 1 Mbit/s upload limit was already dealt with when the nginx.conf file was configured; for details, see the comments in the nginx.conf file.

[Optimize PHP]
See "PHP optimization settings" (http://www.cnprint.org/Bbs/Blogs/1/blog312.html) for details.
Only the essential items are set here.

# vi /usr/local/webserver/php/etc/php.ini
Edit the php.ini file

1. Set "disable_functions ="
Change to "disable_functions = phpinfo, passthru, exec, system, popen, chroot, escapeshellcmd, escapeshellarg, shell_exec, proc_open, proc_get_status"
↑ ** It is suggested that this be changed after the website has been built. ** This option sets which PHP functions may not be used. Some PHP functions are high risk: through them an attacker can directly execute system-level commands, so if these functions remain allowed, the damage from a vulnerability in a PHP program will be very serious!
NOTE: If your server runs PHP programs that check system status, do not disable shell_exec, proc_open, proc_get_status and similar functions.

2. Set "upload_max_filesize = 2M"
Change to "upload_max_filesize = 50M"
Optional. This option sets the maximum size of files uploaded through PHP. The default is 2 MB; increase it as needed.
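As an added example (not part of the original article), the following shell script checks a php.ini text for the disable_functions entry recommended above and reports which of the listed functions are still callable. REQUIRED_DISABLED is the article's list; SAMPLE_INI is a constructed php.ini fragment, and the function names ini_value and still_enabled are this example's own.

```bash
#!/bin/bash
# Added example, not part of the original article: check a php.ini text for
# the disable_functions list recommended above and report which of those
# functions are still callable. REQUIRED_DISABLED is the article's list;
# SAMPLE_INI is a constructed php.ini fragment with an incomplete entry.

REQUIRED_DISABLED="phpinfo passthru exec system popen chroot escapeshellcmd escapeshellarg shell_exec proc_open proc_get_status"

SAMPLE_INI='; constructed sample, not a real php.ini
expose_php = On
disable_functions = phpinfo, exec,system
upload_max_filesize = 50M'

# ini_value INI_TEXT KEY -> prints the value of the first non-comment KEY line
ini_value() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*;' | awk -F= -v key="$2" '
        { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
        k == key { v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }'
}

# still_enabled INI_TEXT -> prints, one per line, each required function
# that is absent from disable_functions (empty output means all are disabled)
still_enabled() {
    disabled=$(ini_value "$1" disable_functions | tr ',' '\n' | tr -d ' \t')
    for fn in $REQUIRED_DISABLED; do
        if ! printf '%s\n' "$disabled" | grep -qx "$fn"; then
            echo "$fn"
        fi
    done
}
```

Run it against the real file with still_enabled "$(cat /usr/local/webserver/php/etc/php.ini)"; any name it prints is a function the recommended list intends to block but the file still allows. Note that disable_functions only matches the exact built-in names given, so the list must be kept in step with the PHP programs the server actually runs.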

[Optimizing mysql]
See "MySQL optimization and security settings" (http://www.cnprint.org/bbs/blogs/1/blog312.html) for details.
Only the essential items are set here.

# vi /usr/local/webserver/mysql/my.cnf
Edit the my.cnf file

1. Set "table_cache = 64"
Change to "table_cache = 512"
Specifies the size of the table cache. When MySQL accesses a table and there is room in the table cache, the table is opened and placed in it so that its contents can be accessed more quickly. Check the status values Open_tables and Opened_tables at peak time to decide whether to increase table_cache: if Open_tables equals table_cache and Opened_tables keeps growing, increase table_cache (use show status like 'Open_tables'). Do not blindly set table_cache to a large value: if it is set too high, file descriptors may run out, causing unstable performance or connection failures.

2. Set "sort_buffer_size = 512K"
Change to "sort_buffer_size = 2M"
The buffer each thread needs for sorting.

3. Set "read_buffer_size = 128K"
Change to "read_buffer_size = 2M"
When a query scans a table sequentially, MySQL allocates a memory buffer for it; the read_buffer_size variable controls the size of that buffer. If sequential scans seem too slow, you can improve performance by raising this value and therefore the buffer size.

4. Set "read_rnd_buffer_size = 512K"
Change to "read_rnd_buffer_size = 4M"
Speeds up reading rows after a sort operation, that is, reading the sorted rows. If you run GROUP BY or ORDER BY on a table far larger than the available memory, increase read_rnd_buffer_size to speed up row reads after sorting. I still do not understand what this option is good for...

5. Set "myisam_sort_buffer_size = 8M"
Change to "myisam_sort_buffer_size = 32M"
Used for REPAIR TABLE. I do not understand what this option is good for either; a Baidu search turned up a wide range of settings (128M, 64M, 32M, etc.), so pick one.

[Mysql Security Settings]
For more information, see the "MySQL security settings" section (http://www.cnprint.org/bbs/blogs/1/blog312.html).
Only the essential items are set here.

** Set in iptables ** to block remote connections, that is, port 3306, the default MySQL listening port. MySQL only serves local scripts, so remote connections are not needed. Although MySQL's built-in security mechanism is strict, listening on a TCP port is still dangerous: if the MySQL program itself has a flaw, unauthorized access can bypass that built-in mechanism. (Make sure you really do not need to connect to MySQL remotely.)

[Overall system security adjustment]

1. ** Set this last. ** If you use RHEL (Red Hat Enterprise Linux) 5.x, you must first enable SELinux by changing the SELINUX= line in /etc/selinux/config to enforcing. It keeps your system from crashing abnormally. Some people think it should be disabled; I strongly advise against that. Of course, if you are only playing with RHEL and not running a real server, it does not matter.
2. ** Set this last. ** Enabling the iptables firewall does a lot for system security. Set the firewall rules as follows.
Iptables requirements:
* Block all ports by default
* Change the default SSH port to 56565
* Open ports 56565, 80 and 3306
* Allow port 3306 only from the local machine

Iptables rules:
# vi /usr/local/webserver/fw.sh
Paste the following script into the fw.sh file:
#!/bin/bash
# Stop the iptables service (this flushes the current rules)
/sbin/service iptables stop
# Built-in chains: flush the filter table and set the default policies
/sbin/iptables -F -t filter
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
# Allow traffic on the loopback interface
/sbin/iptables -A INPUT -i lo -j ACCEPT
# Accept established and related connections
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ICMP control: rate-limited
/sbin/iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
# WWW service
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# SSH service (on the non-default port chosen above)
/sbin/iptables -A INPUT -p tcp --dport 56565 -j ACCEPT
# Anti-DDoS: drop SYN packets with a TTL of 117 or a total length of 40 bytes
/sbin/iptables -I INPUT -p tcp --syn -m ttl --ttl-eq 117 -j DROP
/sbin/iptables -I INPUT -p tcp --syn -m length --length 40 -j DROP
# MySQL 3306: accept from the local host only
/sbin/iptables -A INPUT -p tcp -s 127.0.0.1 --dport 3306 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -s 127.0.0.1 --dport 3306 -j ACCEPT
# Start the iptables service
/sbin/service iptables start

Save it and run the following commands:
# chmod 755 /usr/local/webserver/fw.sh
# echo '/usr/local/webserver/fw.sh' >> /etc/rc.d/rc.local
# /usr/local/webserver/fw.sh
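As an added example (not part of the original article), the following shell script audits an iptables-save style dump against the four requirements listed above: default DROP, SSH moved to 56565, only 56565/80/3306 open, and 3306 reachable from the local host only. SAMPLE_RULES is a constructed dump standing in for real iptables-save output, and audit_rules is this example's own function.

```bash
#!/bin/bash
# Added example, not part of the original article: audit an iptables-save
# style dump against the four requirements listed above (default DROP, SSH
# moved to 56565, only 56565/80/3306 open, 3306 from localhost only).
# SAMPLE_RULES is a constructed dump standing in for `iptables-save` output.

SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 56565 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 3306 -j ACCEPT
COMMIT'

# audit_rules RULES_TEXT
# Prints one FAIL line per violated requirement; returns 0 when all pass.
audit_rules() {
    rules="$1"
    status=0
    # 1. Everything not explicitly allowed must be dropped
    if ! printf '%s\n' "$rules" | grep -q '^:INPUT DROP'; then
        echo "FAIL: INPUT policy is not DROP"
        status=1
    fi
    # 2. Every ACCEPT rule that names a destination port must use an allowed port
    for port in $(printf '%s\n' "$rules" | grep -- '-j ACCEPT' | grep -o -- '--dport [0-9]*' | awk '{print $2}'); do
        case "$port" in
            80|56565|3306) ;;
            *) echo "FAIL: unexpected open port $port"; status=1 ;;
        esac
    done
    # 3. Port 3306 may only be accepted from 127.0.0.1
    if printf '%s\n' "$rules" | grep -- '--dport 3306' | grep -- '-j ACCEPT' | grep -vq -- '-s 127.0.0.1'; then
        echo "FAIL: port 3306 accepted from a non-local source"
        status=1
    fi
    # 4. The old SSH port must not be open
    if printf '%s\n' "$rules" | grep -q -- '--dport 22 .*-j ACCEPT'; then
        echo "FAIL: old SSH port 22 is still open"
        status=1
    fi
    return $status
}
```

On the live system run audit_rules "$(iptables-save)" after fw.sh has executed. Checking the live rules matters here because on RHEL/CentOS 5 the service's start action restores /etc/sysconfig/iptables when that file exists, which replaces the rules the script just added; that is also why the note under item 10 warns against using setup after the firewall has been configured by hand.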

3. Run setup to turn off services that are not needed. Every service you do not run is one less risk. This was already done in <Initial environment settings after system installation>.
4. Disable the Control-Alt-Delete key combination.
Comment out the following line in /etc/inittab (with #):
# vi /etc/inittab
Change "ca::ctrlaltdel:/sbin/shutdown -t3 -r now" to "#ca::ctrlaltdel:/sbin/shutdown -t3 -r now"
To make this change take effect, run:
# /sbin/init q
5. Set permissions on the script files under /etc/rc.d/init.d.
Set the permissions on the scripts that run at startup and shutdown:
# chmod -R 700 /etc/rc.d/init.d/*
This means that only root can read, write and execute the scripts in this directory.
6. Make the /etc/services file immutable
Make /etc/services immutable to prevent unauthorized deletion or addition of services:
# chattr +i /etc/services
7. Stop your system from responding to any external or internal ping request.
Since nobody can ping your machine and get a response, the security of your site is greatly improved. Add the following command to /etc/rc.d/rc.local so that it runs automatically after each boot.
# vi /etc/rc.d/rc.local
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
8. Set resource limits for all users on the system to help prevent DoS (denial of service) attacks
For example the maximum number of processes and the amount of memory. The following limits apply to all users:
# vi /etc/security/limits.conf
In the following example, each session of every user is limited to 10 MB of resident memory and four simultaneous logins are allowed; the third line disables core dumps for everyone, and the fourth line removes all limits for the bin user.
* hard rss 10000
* hard maxlogins 4
* hard core 0
bin -
To activate these limits:
# vi /etc/pam.d/login
Add the following line at the bottom: session required /lib/security/pam_limits.so
9. Use the chattr command to make the following files immutable.
# chattr +i /etc/passwd
# chattr +i /etc/shadow
# chattr +i /etc/group
# chattr +i /etc/gshadow
** Change the MySQL database password first, then set this. ** Note that after this operation you cannot add users or change passwords on the system, even as root.
If you want to add a user or change a password, first remove the immutable attribute with a command such as chattr -i /etc/passwd, then do the operation.
10. Change the sshd port:
Modify the firewall configuration to open the new remote port (56565):
# vi /etc/sysconfig/iptables

Modify /etc/ssh/sshd_config:
# vi /etc/ssh/sshd_config
Change the Port to 56565 (the exact port is arbitrary, but it must not conflict with the port of another program) and remove the # that comments the line out.

To make the sshd change take effect:
# pkill sshd
# service sshd start

Modify the firewall configuration to close the old remote port (22):
# vi /etc/sysconfig/iptables
Note: after the firewall configuration file has been edited by hand, do not use setup to modify the firewall settings; otherwise the current settings will be lost.
11. Kernel parameter adjustment
Edit the sysctl.conf file:
# vi /etc/sysctl.conf
Modify as follows:
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.ip_conntrack_max = 65535
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_max_syn_backlog = 32768
net.ipv4.conf.default.rp_filter = 0
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_max_tw_buckets = 5000
kernel.shmmax = 134217728
Apply the settings (each key is printed as it is loaded):
# sysctl -p
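As an added example (not part of the original article), the following shell function reports drift between a list of sysctl settings such as the one above and the running kernel, reading values straight from the /proc/sys tree. EXPECTED_SYSCTL is a constructed subset of the article's keys (note that the article lists tcp_max_syn_backlog twice; sysctl -p applies lines in order, so the later value 8192 is the one in effect), and sysctl_drift is this example's own function; the optional second argument is an alternative root directory, used here only for testing.

```bash
#!/bin/bash
# Added example, not from the original article: report drift between the
# sysctl settings listed above and the running kernel. Values are read from
# the /proc/sys tree (a different root can be given for testing), so no
# sysctl(8) binary is needed. The expected list below is a constructed
# subset of the article's keys; feed it /etc/sysctl.conf for real use.

EXPECTED_SYSCTL='net.ipv4.conf.default.accept_source_route = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_max_syn_backlog = 8192'

# sysctl_drift EXPECTED_TEXT [ROOT]
# Prints "key expected actual" for every key whose live value differs from
# the expected one (actual is "(missing)" if the key does not exist).
# Returns 0 when nothing drifted, 1 otherwise.
sysctl_drift() {
    root="${2:-/proc/sys}"
    drift=0
    # Normalise "key = value" lines to key=value tokens; comments and blanks are skipped
    for kv in $(printf '%s\n' "$1" | awk -F= '/^[ \t]*[#;]/ {next} NF==2 { gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2); print $1 "=" $2 }'); do
        key=${kv%%=*}
        want=${kv#*=}
        # net.ipv4.foo becomes /proc/sys/net/ipv4/foo
        path="$root/$(printf '%s' "$key" | tr . /)"
        if [ -r "$path" ]; then
            have=$(cat "$path")
        else
            have="(missing)"
        fi
        if [ "$have" != "$want" ]; then
            echo "$key $want $have"
            drift=1
        fi
    done
    return $drift
}
```

Run sysctl_drift "$(cat /etc/sysctl.conf)" from cron or after a reboot to confirm the values survived; a non-zero exit is the signal to look at the printed key.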
12. Check the system logs frequently. They are stored under the /var/log/ directory. Catch problems before they grow.

Automatic Data Backup

Main content:
[Install NCFTP to support automatic Database Backup upload]
[Daily Database Backup]
[Real-time database backup ** On-Demand **]
[Log backup]

[Install NCFTP to support automatic Database Backup upload]

# cd /software
# wget ftp://ftp.ncftp.com/ncftp/ncftp-3.2.2-src.tar.gz
# tar zxvf ncftp-3.2.2-src.tar.gz
# cd ncftp-3.2.2
# ./configure --prefix=/usr/local/webserver/ncftp
# make && make install

[Daily Database Backup]
Copy the database to /backup/day at 4 o'clock every morning, compress it, then upload the compressed file to the FTP server. The compressed file in /backup/day is kept for one day.

# vi /usr/local/webserver/backupd.sh

↑ Edit the script /usr/local/webserver/backupd.sh

Write the following content:

#!/bin/bash
# Placeholders: replace with your database name, FTP password and FTP server address
DB_NAME="(Database Name Here)"
FTP_PASS="(FTP password)"
FTP_HOST="(FTP server address)"
STAMP=$(date +%Y%m%d)
ARCHIVE=$(hostname)_wpdata_of_$STAMP.tar.gz
rm -rf /backup/day/*
cd /backup/day/ || exit 1
# Note: a raw copy of a running MySQL data directory can be inconsistent;
# stop MySQL or lock the tables first for a reliable copy
cp -rf /usr/local/webserver/mysql/data/$DB_NAME/ /backup/day/wp_db_$STAMP
sleep 10
echo "ready to tar in 10s."
tar zcvf "$ARCHIVE" wp_db_$STAMP
sleep 10
echo "ready to upload in 10s."
# Note: a password passed with -p is visible in the process list; ncftpput can read it from a file with -f instead
/usr/local/webserver/ncftp/bin/ncftpput -u backupd -p "$FTP_PASS" "$FTP_HOST" /backup/day/ "$ARCHIVE"
sleep 30
echo "upload done."
rm -f "$ARCHIVE"
sleep 5
rm -rf wp_db_$STAMP
clear

Save it and set up the scheduled task:

# crontab -e

Add a line:

00 4 * * * /bin/bash /usr/local/webserver/backupd.sh

↑ The database is automatically backed up and uploaded at 4 o'clock every morning.

[Real-time database backup ** On-Demand **]
Copy the database to the /backup/hour directory every six hours, compress it, upload the compressed file to the FTP server, and keep the compressed file for one day.

# vi /usr/local/webserver/backuph.sh

↑ Edit the script /usr/local/webserver/backuph.sh

Write the following content:

#!/bin/bash
# Placeholders: replace with your database name, FTP password and FTP server address
DB_NAME="(Database Name)"
FTP_PASS="(FTP password)"
FTP_HOST="(FTP server address)"
STAMP=$(date +%Y%m%d%H)
ARCHIVE=$(hostname)_wpdata_of_$STAMP.tar.gz
rm -rf /backup/hour/*
cd /backup/hour/ || exit 1
# Note: a raw copy of a running MySQL data directory can be inconsistent;
# stop MySQL or lock the tables first for a reliable copy
cp -rf /usr/local/webserver/mysql/data/$DB_NAME/ /backup/hour/wp_db_$STAMP
sleep 10
echo "ready to tar in 10s."
tar zcvf "$ARCHIVE" wp_db_$STAMP
sleep 10
echo "ready to upload in 10s."
# Note: a password passed with -p is visible in the process list; ncftpput can read it from a file with -f instead
/usr/local/webserver/ncftp/bin/ncftpput -u backuph -p "$FTP_PASS" "$FTP_HOST" /backup/hour/ "$ARCHIVE"
sleep 30
echo "upload done."
rm -f "$ARCHIVE"
sleep 5
rm -rf wp_db_$STAMP
clear

Save it and set up the scheduled task:

# crontab -e

Add a line:

0 */6 * * * /bin/bash /usr/local/webserver/backuph.sh

↑ The database is automatically backed up and uploaded every six hours.

[Log backup]
Compress the previous day's logs under /logs/ at 2 o'clock every morning and upload them to the FTP server.

# vi /usr/local/webserver/logs.sh

↑ Edit the script /usr/local/webserver/logs.sh

Write the following content:

#!/bin/bash
# Yesterday's date, used for the log file names and the archive name
Y=$(date -d "yesterday" +%Y%m%d)
YEAR=$(date -d "yesterday" +%Y)
MONTH=$(date -d "yesterday" +%m)
# Placeholders: replace with your FTP password and FTP server address
FTP_PASS="(FTP password)"
FTP_HOST="(FTP server address)"
ARCHIVE=$(hostname)_logs_of_$Y.tar.gz
cd /logs/ || exit 1
mkdir logs_of_$Y
cp $YEAR/$MONTH/access_$Y.log /logs/logs_of_$Y
cp $YEAR/$MONTH/nginx_error_$Y.log /logs/logs_of_$Y
sleep 10
echo "ready to tar in 10s."
tar zcvf "$ARCHIVE" logs_of_$Y
sleep 10
echo "ready to upload in 10s."
# Note: a password passed with -p is visible in the process list; ncftpput can read it from a file with -f instead
/usr/local/webserver/ncftp/bin/ncftpput -u logs -p "$FTP_PASS" "$FTP_HOST" /logs/ "$ARCHIVE"
sleep 30
echo "upload done."
rm -f "$ARCHIVE"
sleep 5
rm -rf logs_of_$Y
clear

Save it and set up the scheduled task:

# crontab -e

Add a line:

00 2 * * * /bin/bash /usr/local/webserver/logs.sh

↑ Logs are automatically backed up and uploaded at 2 o'clock every morning.
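The three scripts above (daily database, six-hourly database, daily logs) differ only in the source directory, the label and the date stamp. As an added example that is not part of the original article, the following shell functions generalise that pattern: one archives a directory under a dated name and verifies the archive before the working copy is removed, one prunes archives older than the one day the article retains, and one counts what is kept. The function names make_dated_archive, prune_old_archives and count_archives are this example's own; every path is a parameter, and the upload step (ncftpput in the article) is left to the caller so the functions run offline.

```bash
#!/bin/bash
# Added example, not from the original article: a reusable version of the
# three backup scripts above. It archives one directory under a dated name,
# verifies the archive before anything is removed, and prunes archives older
# than one day (the retention the article uses). Upload is left to the
# caller (ncftpput in the article), so the functions run offline. All
# names and paths are parameters; nothing here is a fixed site path.

# make_dated_archive SRC_DIR DEST_DIR LABEL [DATE_STAMP]
# Writes DEST_DIR/<hostname>_LABEL_STAMP.tar.gz and prints its path.
# Fails (and leaves no archive) if the source is missing or the archive
# cannot be listed back.
make_dated_archive() {
    src="$1"; dest="$2"; label="$3"; stamp="${4:-$(date +%Y%m%d)}"
    [ -d "$src" ] || { echo "missing source dir: $src" >&2; return 1; }
    mkdir -p "$dest" || return 1
    archive="$dest/$(hostname)_${label}_${stamp}.tar.gz"
    # -C so only the directory's basename is stored, keeping restores relocatable
    tar czf "$archive" -C "$(dirname "$src")" "$(basename "$src")" || return 1
    # Read the archive back before the caller deletes the working copy
    tar tzf "$archive" >/dev/null || { rm -f "$archive"; return 1; }
    printf '%s\n' "$archive"
}

# prune_old_archives DEST_DIR LABEL
# Deletes LABEL archives whose modification time is more than one day old.
prune_old_archives() {
    find "$1" -maxdepth 1 -name "*_${2}_*.tar.gz" -mtime +1 -exec rm -f {} +
}

# count_archives DEST_DIR LABEL -> number of LABEL archives currently kept
count_archives() {
    find "$1" -maxdepth 1 -name "*_${2}_*.tar.gz" | wc -l | tr -d ' '
}
```

A daily job then reduces to make_dated_archive /usr/local/webserver/mysql/data/DBNAME /backup/day wpdata, the upload of the printed path, and prune_old_archives /backup/day wpdata. Two cautions carry over from the article's scripts: a raw copy of a running MySQL data directory may be inconsistent unless the server is stopped or the tables are locked first, and plain FTP sends both the credentials and the database copy unencrypted, so an encrypted transport is preferable for the upload step.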

Author: molutran
