I. Install and configure Apache
1. Update the system and install Apache
yum update
yum install httpd
Recommendation: back up the Apache configuration file before changing anything:
cp /etc/httpd/conf/httpd.conf ~/httpd.conf.backup
To give you more than one approach to choose from, this CentOS tutorial also shows a second way of binding domain names to Apache virtual hosts.
2. Edit /etc/httpd/conf.d/vhost.conf. To bind the domain names example.com and example.org, add the following content to the file. Note that Apache serves the first <VirtualHost> in the file to any request whose Host header matches none of the ServerName/ServerAlias entries, so the site listed first is the one exposed to requests for unknown names (and to requests by bare IP address).
NameVirtualHost *:80
<VirtualHost *:80>
ServerAdmin webmaster@example.com
ServerName example.com
ServerAlias www.example.com
DocumentRoot /srv/www/example.com/public_html/
ErrorLog /srv/www/example.com/logs/error.log
CustomLog /srv/www/example.com/logs/access.log combined
</VirtualHost>
<VirtualHost *:80>
ServerAdmin webmaster@example.org
ServerName example.org
ServerAlias www.example.org
DocumentRoot /srv/www/example.org/public_html/
ErrorLog /srv/www/example.org/logs/error.log
CustomLog /srv/www/example.org/logs/access.log combined
</VirtualHost>
3. The directories referenced above do not exist yet. Create them before starting Apache; httpd refuses to start if it cannot open a configured log file.
mkdir -p /srv/www/example.com/public_html
mkdir /srv/www/example.com/logs
mkdir -p /srv/www/example.org/public_html
mkdir /srv/www/example.org/logs
4. Start Apache
/etc/init.d/httpd start
Whenever you change vhost.conf later, reload Apache's configuration instead of restarting it (a reload keeps existing connections alive):
/etc/init.d/httpd reload
5. Make Apache start at boot
/sbin/chkconfig --levels 235 httpd on
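Steps 2 to 5 as one script, added here as an example and not part of the original tutorial. It generates the vhost.conf of step 2 for any list of domains, creates the directories of step 3, and adds one thing the tutorial does not: a catch-all virtual host placed first, so that requests with an unknown Host header (or for the bare IP address) get a 403 instead of being handed to whichever real site happens to be listed first. It assumes the Apache 2.2 syntax of the CentOS 5/6 era the tutorial targets (on Apache 2.4 replace the Order/Deny lines with Require all denied); WEB_ROOT and VHOST_CONF default to the tutorial's paths and the name default.invalid is an arbitrary choice from the reserved .invalid TLD.

```sh
#!/bin/sh
# Added example, not from the original tutorial: generate the name-based
# virtual hosts of step 2, create the directories of step 3, and put a
# catch-all vhost FIRST. Apache hands any request whose Host header matches
# no ServerName/ServerAlias to the first <VirtualHost> in the file, so the
# catch-all refuses such requests instead of exposing a real site.
# Assumptions (not in the tutorial): Apache 2.2 syntax (CentOS 5/6); on 2.4
# replace "Order deny,allow / Deny from all" with "Require all denied".
# WEB_ROOT and VHOST_CONF default to the paths the tutorial uses.

WEB_ROOT="${WEB_ROOT:-/srv/www}"
VHOST_CONF="${VHOST_CONF:-/etc/httpd/conf.d/vhost.conf}"

# Catch-all for unknown Host headers. ".invalid" is a reserved TLD, so this
# ServerName can never collide with a real site.
vhost_default() {
    cat <<EOF
NameVirtualHost *:80
<VirtualHost *:80>
ServerName default.invalid
DocumentRoot ${WEB_ROOT}/default/public_html/
<Location />
Order deny,allow
Deny from all
</Location>
ErrorLog ${WEB_ROOT}/default/logs/error.log
CustomLog ${WEB_ROOT}/default/logs/access.log combined
</VirtualHost>

EOF
}

# One <VirtualHost> per domain, in the tutorial's layout. Logs live outside
# DocumentRoot so they cannot be fetched over HTTP; directory listings are off.
vhost_block() {
    domain="$1"
    cat <<EOF
<VirtualHost *:80>
ServerAdmin webmaster@${domain}
ServerName ${domain}
ServerAlias www.${domain}
DocumentRoot ${WEB_ROOT}/${domain}/public_html/
<Directory ${WEB_ROOT}/${domain}/public_html>
Options -Indexes +FollowSymLinks
AllowOverride None
</Directory>
ErrorLog ${WEB_ROOT}/${domain}/logs/error.log
CustomLog ${WEB_ROOT}/${domain}/logs/access.log combined
</VirtualHost>

EOF
}

# Step 3: httpd refuses to start if a log directory is missing, so create
# them before the config is loaded. Logs are opened as root, so no chown.
make_dirs() {
    mkdir -p "${WEB_ROOT}/$1/public_html" "${WEB_ROOT}/$1/logs"
}

# write_vhosts DOMAIN... : write the config, create the trees, then
# syntax-check before reloading so a typo never takes the server down.
write_vhosts() {
    { vhost_default; for d in "$@"; do vhost_block "$d"; done; } > "$VHOST_CONF"
    make_dirs default
    for d in "$@"; do make_dirs "$d"; done
    if command -v httpd >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        httpd -t || { echo "vhost.conf has errors; not reloading" >&2; return 1; }
        /etc/init.d/httpd reload
    fi
}
```

Run it as root with `write_vhosts example.com example.org`; on a machine without httpd (or as a normal user) it only writes the file and directories, which is how it can be tried out under a scratch WEB_ROOT first.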
II. Install and configure MySQL
1. Install MySQL
yum install mysql-server
2. Make MySQL start at boot
/sbin/chkconfig --levels 235 mysqld on
3. Start MySQL
/etc/init.d/mysqld start
The MySQL configuration file is /etc/my.cnf.
4. Run mysql_secure_installation (MySQL security settings: it sets the root password, removes the anonymous accounts and the test database, and disallows remote root login)
mysql_secure_installation
5. Common MySQL commands
Log on to MySQL
mysql -u root -p
Create a database named vmvps (every MySQL statement must end with ;) and grant all privileges on it to the user vmvps_user, here with the placeholder password 123456 (use a strong one). Always give the account a host part: the original wrote only 'vmvps_user', which MySQL treats as 'vmvps_user'@'%' and therefore accepts logins from any host that can reach port 3306. Since PHP on this server connects over localhost, @'localhost' is all that is needed.
CREATE DATABASE vmvps;
GRANT ALL ON vmvps.* TO 'vmvps_user'@'localhost' IDENTIFIED BY '123456';
Exit MySQL
quit
III. Install and configure PHP
1. Install PHP (php provides the Apache module, php-mysql the MySQL extension)
yum install php php-pear php-mysql
2. Edit /etc/php.ini and set the following directives (names are lowercase and case-sensitive):
error_reporting = E_COMPILE_ERROR | E_RECOVERABLE_ERROR | E_ERROR | E_CORE_ERROR
display_errors = Off
log_errors = On
error_log = /var/log/php.log
max_execution_time = 300
memory_limit = 64M
register_globals = Off
display_errors = Off keeps file paths, stack traces and SQL fragments out of the pages visitors see, while log_errors writes them to /var/log/php.log instead; create that file and make it writable by the apache user, or nothing is logged. register_globals was removed in PHP 5.4, so on newer PHP the line only produces a startup warning and can be dropped.
Finally, restart Apache so the PHP module picks up the new php.ini:
/etc/init.d/httpd restart
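The php.ini changes of step 2 applied by script, as an added example that is not part of the original tutorial. The point is idempotence: php.ini ships most directives twice, once as documentation comments and once active, and PHP honours the last occurrence, so blindly appending or uncommenting the first match can leave a stray active line that silently overrides your setting. set_ini therefore replaces an active line when one exists, otherwise uncomments the first commented one, otherwise appends. PHP_INI defaults to the tutorial's /etc/php.ini; the sample file in the usage is constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original tutorial: apply the php.ini settings of
# step 2 idempotently. set_ini replaces an active "key = value" line if there is
# one, otherwise uncomments the first ";key = value" line, otherwise appends, so
# re-running never produces duplicate directives (PHP honours the LAST
# occurrence, which is why a stray active line must not be left behind).
# PHP_INI defaults to the CentOS path used in the tutorial.

PHP_INI="${PHP_INI:-/etc/php.ini}"

# set_ini KEY VALUE [FILE]
set_ini() {
    key="$1"; value="$2"; file="${3:-$PHP_INI}"
    if grep -q "^${key}[[:space:]]*=" "$file"; then
        mode=active
    elif grep -q "^;[[:space:]]*${key}[[:space:]]*=" "$file"; then
        mode=commented
    else
        mode=append
    fi
    awk -v key="$key" -v val="$value" -v mode="$mode" '
        BEGIN { active = "^" key "[ \t]*="; commented = "^;[ \t]*" key "[ \t]*="; done = 0 }
        mode == "active"    && $0 ~ active             { print key " = " val; done = 1; next }
        mode == "commented" && $0 ~ commented && !done { print key " = " val; done = 1; next }
        { print }
        END { if (!done) print key " = " val }
    ' "$file" > "$file.tmp" && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# get_ini KEY [FILE]: the value PHP will actually use (last active occurrence).
get_ini() {
    awk -v key="$1" '
        $0 ~ ("^" key "[ \t]*=") { sub("^" key "[ \t]*=[ \t]*", ""); v = $0 }
        END { print v }
    ' "${2:-$PHP_INI}"
}

# The tutorial's settings. register_globals is only meaningful on PHP < 5.4;
# 5.4 and later removed the directive and merely warn about it at startup.
harden_php() {
    file="${1:-$PHP_INI}"
    set_ini error_reporting 'E_COMPILE_ERROR | E_RECOVERABLE_ERROR | E_ERROR | E_CORE_ERROR' "$file"
    set_ini display_errors Off "$file"
    set_ini log_errors On "$file"
    set_ini error_log /var/log/php.log "$file"
    set_ini max_execution_time 300 "$file"
    set_ini memory_limit 64M "$file"
    set_ini register_globals Off "$file"
}
```

Usage on the real file is `harden_php /etc/php.ini` followed by the Apache restart above; `get_ini display_errors` afterwards shows what PHP will see, which is the check worth doing whenever a php.ini has been edited by hand before.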
IV. Configure a vsftpd FTP server on CentOS
[1] Install vsftpd
[root@localhost ~]# yum -y install vsftpd
[2] Edit vsftpd.conf (on CentOS the file is /etc/vsftpd/vsftpd.conf). Options must be written exactly as option=value with no spaces around the equals sign; with a space, vsftpd treats the option name as unknown and refuses to start with an "unrecognised variable in config file" error.
[root@localhost ~]# vi /etc/vsftpd/vsftpd.conf
# Example config file /etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
# The original left this line commented out, which keeps the compiled-in
# default of YES. This server is for local users only, so switch it off.
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# The target log file can be vsftpd_log_file or xferlog_file.
# This depends on setting xferlog_std_format parameter
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# The name of log file when xferlog_enable=YES and xferlog_std_format=YES
# WARNING - changing this filename affects /etc/logrotate.d/vsftpd.log
#xferlog_file=/var/log/xferlog
#
# Switches between logging into vsftpd_log_file and xferlog_file files.
# NO writes to vsftpd_log_file, YES to xferlog_file
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
ascii_upload_enable=YES
ascii_download_enable=YES
#
# You may fully customise the login banner string:
ftpd_banner=Welcome to lightnear FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd with two configuration files.
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES

pam_service_name=vsftpd
# With userlist_deny=NO, /etc/vsftpd/user_list becomes an allow-list: only
# the users named in it may log in (see step [4]).
userlist_enable=YES
userlist_deny=NO
# Every local user is chrooted into this shared directory. vsftpd 2.3.5 and
# later refuse a login when the chroot root is writable by the user (see [5]).
local_root=/var/public_root
tcp_wrappers=YES
use_localtime=YES
[3] Add an FTP account. The nologin shell means the password is good for FTP only, not for SSH or a console login (vsftpd's PAM configuration checks /etc/shells, which on CentOS already lists /sbin/nologin).
[root@localhost ~]# useradd cent -s /sbin/nologin
[root@localhost ~]# passwd cent
[4] Edit user_list so that only cent may log in. Because userlist_deny=NO was set above, this file is an allow-list: every name in it is permitted. The original copied the default deny-list of system accounts (root, bin, daemon and so on) into it and appended cent, which declares root and the others as allowed FTP users. They are still blocked by /etc/vsftpd/ftpusers through PAM, but the file should not say the opposite of what you mean; list only the FTP accounts.
[root@localhost ~]# vi /etc/vsftpd/user_list
# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
# for users that are denied.
cent
[5] Create the FTP root directory and set its permissions
[root@localhost ~]# mkdir /var/public_root
[root@localhost ~]# chown -R cent /var/public_root
[root@localhost ~]# chmod -R 755 /var/public_root
Caveat: with chroot_local_user=YES this directory is cent's chroot root, and 755 owned by cent makes it writable by cent. vsftpd 2.2.2 on CentOS 6 accepts that, but vsftpd 2.3.5 and later reject the login with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()". On those versions make the root itself read-only for the user (chmod 555) and give cent a writable subdirectory for uploads, or set allow_writeable_chroot=YES (vsftpd 3.0.0 and later) and accept the weaker jail. FTP also sends the password in cleartext, so limit who can reach port 21 with the firewall rules in section V.
[6] Start the vsftpd service
[root@localhost ~]# service vsftpd start
Starting vsftpd for vsftpd: [  OK  ]
[7] Enable vsftpd at boot
[root@localhost var]# chkconfig vsftpd on
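A configuration audit for the traps in steps [2], [4] and [5], added here as an example and not part of the original tutorial. It parses a vsftpd.conf the way vsftpd does (option=value, last occurrence wins, compiled-in default when the option is absent) and reports the three mistakes discussed above: anonymous logins left at their default of YES, a writable chroot root, and system accounts listed in an allow-list user_list. It also flags spaces around the equals sign, which vsftpd rejects. The writability test is an approximation (any write bit on the root directory rather than a check for the specific user); the configuration and user_list in the usage are constructed samples.

```sh
#!/bin/sh
# Added example, not from the original tutorial: audit a vsftpd.conf and its
# user_list for the traps in the configuration above. The checks encode facts
# about vsftpd: options must be written option=value with no surrounding
# spaces; anonymous_enable defaults to YES when the line is absent or
# commented out; userlist_deny=NO turns user_list into an allow-list; and
# vsftpd 2.3.5+ refuses logins whose chroot root directory is writable.
# The writability test here is an approximation (any write bit on the root).

# vsftpd_get FILE OPTION DEFAULT: effective value (last occurrence wins) or the
# compiled-in default when the option is not set.
vsftpd_get() {
    v=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# vsftpd_audit CONF [USER_LIST]: one finding per line; exit status = count.
vsftpd_audit() {
    conf="$1"; userlist="${2:-/etc/vsftpd/user_list}"; n=0
    if grep -E -q '^[a-z_]+[[:space:]]+=|^[a-z_]+=[[:space:]]' "$conf"; then
        echo "syntax: whitespace around '=' (vsftpd rejects the option)"; n=$((n+1))
    fi
    if [ "$(vsftpd_get "$conf" anonymous_enable YES)" = YES ]; then
        echo "anonymous_enable is YES (the default when the line is missing or commented out)"; n=$((n+1))
    fi
    if [ "$(vsftpd_get "$conf" chroot_local_user NO)" = YES ] &&
       [ "$(vsftpd_get "$conf" allow_writeable_chroot NO)" != YES ]; then
        # Only the shared local_root case is checked; per-user homes are skipped.
        root=$(vsftpd_get "$conf" local_root "")
        if [ -d "$root" ] && ls -ld "$root" | cut -c3,6,9 | grep -q w; then
            echo "chroot root $root is writable: vsftpd 2.3.5+ refuses such logins (chmod 555 it, upload into a subdirectory)"; n=$((n+1))
        fi
    fi
    if [ "$(vsftpd_get "$conf" userlist_enable NO)" = YES ] &&
       [ "$(vsftpd_get "$conf" userlist_deny YES)" = NO ] && [ -r "$userlist" ]; then
        sys=$(grep -E -x 'root|bin|daemon|adm|lp|sync|shutdown|halt|mail|news|uucp|operator|games|nobody' "$userlist" | tr '\n' ' ')
        if [ -n "$sys" ]; then
            echo "userlist_deny=NO makes user_list an allow-list, but it names system accounts: $sys"; n=$((n+1))
        fi
    fi
    return "$n"
}
```

Source the file and run `vsftpd_audit /etc/vsftpd/vsftpd.conf /etc/vsftpd/user_list`; a zero exit status means none of the four problems is present. Because the exit status is the finding count, it slots directly into a deployment script as a gate before `service vsftpd start`.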
V. Firewall configuration (iptables)
Common iptables configuration
iptables takes many parameters. Rules in a chain are evaluated in order: the first rule that matches a packet and has a terminating target (ACCEPT, DROP, REJECT, DNAT) decides its fate, and the rules after it are never consulted. This is why the order in which rules are added matters.
-I inserts a rule at the top of the chain (or at a given position); it is the form used most often below
-A appends a rule at the end of the chain
-D deletes a rule
The next two lines are in the format of /etc/sysconfig/iptables (no leading iptables command). RH-Firewall-1-INPUT is the chain that the stock CentOS 5 firewall jumps to from INPUT and FORWARD.
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
Accept ping (and all other ICMP) packets.
Reject every packet not matched by an earlier rule; this is normally the last rule in the chain.
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
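Before the recipe list, here is a complete ruleset for the server built in sections I to IV, added as an example that is not part of the original tutorial. It uses the /etc/sysconfig/iptables format and the RH-Firewall-1-INPUT chain just shown, and it exists to make the ordering point concrete: loopback, established traffic and the explicit allows come first, a single REJECT comes last, and a rule added after that REJECT could never match. It opens only HTTP, FTP and SSH; MySQL stays closed because PHP reaches it over localhost. The SSH admin network 192.168.100.0/24, the passive FTP port range 50000-50100 (which must match pasv_min_port/pasv_max_port in vsftpd.conf) and the restriction of ICMP to echo-request are my assumptions, not the tutorial's.

```sh
#!/bin/sh
# Added example, not from the original tutorial: a complete default-deny INPUT
# ruleset for the LAMP + vsftpd host built in sections I-IV, in the
# iptables-restore format that /etc/sysconfig/iptables uses on CentOS. The
# point is rule order: loopback, established traffic and the explicit allows
# come first, and the single REJECT at the end catches everything else.
# MySQL (3306) is deliberately not opened; PHP talks to it over localhost.
# Assumptions not in the tutorial: SSH from an admin network only, and a
# passive FTP port range that must match pasv_min_port/pasv_max_port in
# vsftpd.conf. Set IPTABLES_MODULES="nf_conntrack_ftp" (ip_conntrack_ftp on
# CentOS 5) in /etc/sysconfig/iptables-config so RELATED covers FTP data too.

SSH_FROM="${SSH_FROM:-192.168.100.0/24}"
PASV_RANGE="${PASV_RANGE:-50000:50100}"

# Print the ruleset instead of applying it, so it can be reviewed and tested.
lamp_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport ${PASV_RANGE} -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp -s ${SSH_FROM} --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Offline sanity check: the chain must end in exactly one REJECT and no rule
# may follow it (a rule placed after the catch-all can never match).
ruleset_check() {
    rules=$(lamp_ruleset | grep '^-A RH-Firewall-1-INPUT')
    last=$(printf '%s\n' "$rules" | tail -n 1)
    case "$last" in
        *"-j REJECT"*) ;;
        *) echo "chain does not end in REJECT" >&2; return 1 ;;
    esac
    if [ "$(printf '%s\n' "$rules" | grep -c -- '-j REJECT')" -ne 1 ]; then
        echo "expected exactly one catch-all REJECT" >&2; return 1
    fi
    return 0
}

# Write to /etc/sysconfig/iptables and load it the CentOS way, keeping a
# backup so a lock-out can be undone from the console.
apply_ruleset() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    ruleset_check || return 1
    [ -f /etc/sysconfig/iptables ] && cp -p /etc/sysconfig/iptables /etc/sysconfig/iptables.bak
    lamp_ruleset > /etc/sysconfig/iptables
    service iptables restart
}
```

Review the output of `lamp_ruleset` first, then run `apply_ruleset` as root from a console session rather than over SSH, so a mistake in SSH_FROM cannot lock you out.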
Common iptables rules are as follows. In these recipes Filter and PFWanPriv are user-defined chains, not built-in ones: they must be created first (with the -N option) and reached by a jump from INPUT or FORWARD, or you can write INPUT/FORWARD in their place. Rules that match on a MAC address work only for hosts on the same network segment as the firewall, and a MAC address is trivially changed by the user, so treat MAC rules as a convenience, not a security boundary.
Allow one machine, identified by MAC address, to send and receive mail only (DNS, SMTP and POP3) and drop everything else from it. The DROP is inserted first and each ACCEPT is then inserted above it, which is why -I rather than -A is used:
iptables -I Filter -m mac --mac-source 00:0F:EA:25:51:37 -j DROP
iptables -I Filter -m mac --mac-source 00:0F:EA:25:51:37 -p udp --dport 53 -j ACCEPT
iptables -I Filter -m mac --mac-source 00:0F:EA:25:51:37 -p tcp --dport 25 -j ACCEPT
iptables -I Filter -m mac --mac-source 00:0F:EA:25:51:37 -p tcp --dport 110 -j ACCEPT
Forward VPN traffic (PPTP and IPsec/IKE) from the WAN address to an internal VPN server. $INTERNET_ADDR is the firewall's public address. PPTP also needs GRE (IP protocol 47) to reach the server, which a port-based DNAT cannot express, so load the PPTP helpers (nf_conntrack_pptp and nf_nat_pptp) or add a DNAT for protocol 47 as well.
iptables -I PFWanPriv -d 192.168.100.2 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:80
iptables -t nat -A PREROUTING -p tcp --dport 1723 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:1723
iptables -t nat -A PREROUTING -p udp --dport 1723 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:1723
iptables -t nat -A PREROUTING -p udp --dport 500 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:500
iptables -t nat -A PREROUTING -p udp --dport 4500 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:4500
Forward FTP to an internal FTP server. Only the control port is forwarded; data connections need the FTP NAT helper (nf_nat_ftp, ip_nat_ftp on older kernels) loaded, otherwise transfers fail even though logins work.
iptables -I PFWanPriv -p tcp --dport 21 -d 192.168.100.200 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 21 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.200:21
Allow access to the listed hosts (and DNS) only and drop everything else. A hostname given to -d is resolved once, when the rule is added: iptables creates one rule per A record and never re-resolves, so later DNS changes are not picked up.
iptables -A Filter -p udp --dport 53 -j ACCEPT
iptables -A Filter -p tcp --dport 53 -j ACCEPT
iptables -A Filter -d www.3322.org -j ACCEPT
iptables -A Filter -d img.cn99.com -j ACCEPT
iptables -A Filter -j DROP
Open selected ports for one IP address and close everything else:
iptables -A Filter -p tcp --dport 80 -s 192.168.100.200 -d www.pconline.com.cn -j ACCEPT
iptables -A Filter -p tcp --dport 25 -s 192.168.100.200 -j ACCEPT
iptables -A Filter -p tcp --dport 109 -s 192.168.100.200 -j ACCEPT
iptables -A Filter -p tcp --dport 110 -s 192.168.100.200 -j ACCEPT
iptables -A Filter -p tcp --dport 53 -j ACCEPT
iptables -A Filter -p udp --dport 53 -j ACCEPT
iptables -A Filter -j DROP
Several ports in one rule (multiport match):
iptables -A Filter -p tcp -m multiport --dports 22,53,80,110 -s 192.168.20.3 -j REJECT
Port ranges (source ports in these two examples):
iptables -A Filter -p tcp -m multiport --sports 22,53,80,110 -s 192.168.20.3 -j REJECT
iptables -A Filter -p tcp --sport 2:80 -s 192.168.20.3 -j REJECT
Internet access only at set times (time match). The original gives no start and stop times for the first and third rules; the <hh:mm> placeholders mark where they belong. Old kernels spelled the weekday option --days; the current xt_time module uses --weekdays and compares against UTC unless --kerneltz is given.
iptables -A Filter -s 10.10.10.253 -m time --timestart <hh:mm> --timestop <hh:mm> --weekdays Mon,Tue,Wed,Thu,Fri,Sat,Sun -j DROP
iptables -A Filter -m time --timestart 12:00 --timestop 13:00 --weekdays Mon,Tue,Wed,Thu,Fri,Sat,Sun -j ACCEPT
iptables -A Filter -m time --timestart <hh:mm> --timestop <hh:mm> --weekdays Mon,Tue,Wed,Thu,Fri,Sat,Sun -j ACCEPT
Block several port services at once (the original listed this rule with -j ACCEPT, which would do the opposite of what its heading says):
iptables -A Filter -p tcp -m multiport --dports 21,23,80 -j DROP
Forward everything arriving on the WAN interface to one internal PC (1:1 NAT):
iptables -t nat -A PREROUTING -i $INTERNET_IF -d $INTERNET_ADDR -j DNAT --to-destination 192.168.0.1
Forward WAN port 8000 to port 80 of 192.168.100.200:
iptables -t nat -A PREROUTING -p tcp --dport 8000 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.200:80
Ports to forward for a mail server:
iptables -t nat -A PREROUTING -p tcp --dport 110 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.200:110
iptables -t nat -A PREROUTING -p tcp --dport 25 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.200:25
Allow 192.168.100.200 to ping 202.96.134.133 only and drop all of its other traffic:
iptables -A Filter -p icmp -s 192.168.100.200 -d 202.96.134.133 -j ACCEPT
iptables -A Filter -j DROP
Block BitTorrent (crudely, by the port range its clients commonly used; clients can be configured to use other ports):
iptables -A Filter -p tcp --dport 6000:20000 -j DROP
Block QQ (all UDP except DNS, plus the QQ server networks of the time):
iptables -A Filter -p udp ! --dport 53 -j DROP
iptables -A Filter -d 218.17.209.0/24 -j DROP
iptables -A Filter -d 218.18.95.0/24 -j DROP
iptables -A Filter -d 219.133.40.177 -j DROP
Allow one MAC address to send and receive mail only (SMTP and POP3) and drop the rest. Unlike the first MAC recipe this one does not allow DNS, so the host must use IP addresses or a local resolver:
iptables -I Filter -m mac --mac-source 00:0A:EB:97:79:A1 -j DROP
iptables -I Filter -m mac --mac-source 00:0A:EB:97:79:A1 -p tcp --dport 25 -j ACCEPT
iptables -I Filter -m mac --mac-source 00:0A:EB:97:79:A1 -p tcp --dport 110 -j ACCEPT
Block MSN Messenger:
iptables -A Filter -p udp --dport 9 -j DROP
iptables -A Filter -p tcp --dport 1863 -j DROP
iptables -A Filter -p tcp --dport 80 -d 207.68.178.238 -j DROP
iptables -A Filter -p tcp --dport 80 -d 207.46.110.0/24 -j DROP
Allow 192.168.100.200 to ping 202.96.134.133 only; no other address can be pinged:
iptables -A Filter -p icmp -s 192.168.100.200 -d 202.96.134.133 -j ACCEPT
iptables -A Filter -p icmp -j DROP
Block a MAC address from reaching the internet:
iptables -I Filter -m mac --mac-source 00:20:18:8F:72:F8 -j DROP
Block ping from an IP address:
iptables -A Filter -p icmp -s 192.168.0.1 -j DROP
Block services from an IP address:
iptables -A Filter -p tcp -s 192.168.0.1 --dport 80 -j DROP
iptables -A Filter -p udp -s 192.168.0.1 --dport 53 -j DROP
Allow only some services and drop everything else (two rules):
iptables -A Filter -p tcp -s 192.168.0.1 --dport 1000 -j ACCEPT
iptables -A Filter -j DROP
Block one port service from an IP address. The original preceded this rule with an identical match ending in ACCEPT; since the first match wins, that ACCEPT would have made the DROP unreachable, so only the DROP is kept:
iptables -A Filter -p tcp -s 10.10.10.253 --dport 80 -j DROP
Block one port service from a MAC address:
iptables -I Filter -p tcp --dport 80 -m mac --mac-source 00:20:18:8F:72:F8 -j DROP
Block another MAC address from reaching the internet:
iptables -I Filter -m mac --mac-source 00:11:22:33:44:55 -j DROP