The test environment for this article is CentOS 5.0. If you use Red Hat AS3/4, yum is not available; manage rpm packages with the rpm command instead.
I. System conventions
Source code package storage location: /usr/local/src
Source code package compile and install location (prefix): /usr/local/software_name
Script and maintenance program storage location: /usr/local/sbin
MySQL database location: /var/lib/mysql
Apache website root directory: /home/www/wwwroot
Apache virtual host log root directory: /home/www/logs
Apache run account: www:www
II. System environment deployment and adjustment
1. Check whether the system is normal
# more /var/log/messages
(check for system-level error messages)
# dmesg
(check whether any hardware device reports an error)
# ifconfig
(check that the NIC settings are correct)
# ping www.163.com
(check that the network is working)
2. Disable unnecessary services
# ntsysv
Only the services listed below are to be started; every service not listed is disabled:
atd
crond
irqbalance
microcode_ctl
network
sendmail
sshd
syslog
3. Restart the system
# init 6
4. Configure Vim
# vi /root/.bashrc
Below the line alias mv='mv -i', add a line: alias vi='vim'
Save and exit.
# echo 'syntax on' > /root/.vimrc
5. Use yum to install the software packages required for compiling the programs (the following are standard rpm package names)
# yum install ntp vim-enhanced gcc gcc-c++ flex bison autoconf automake bzip2-devel ncurses-devel libjpeg-devel libpng-devel libtiff-devel freetype-devel pam-devel kernel
6. Periodically correct the server clock by synchronizing it with the time server of the National Time Service Center (China)
# crontab -e
Add a line:
*/30 * * * * ntpdate 210.72.145.44
7. Packages that must be compiled and installed from source
(1) GD2
# cd /usr/local/src
# wget http://www.libgd.org/releases/oldreleases/gd-2.0.34.tar.gz
# tar xzvf gd-2.0.34.tar.gz
# cd gd-2.0.34
# ./configure --prefix=/usr/local/gd2
# make
# make install
(2) libxml2
# cd /usr/local/src
# wget ftp://xmlsoft.org/libxml2/libxml2-2.6.29.tar.gz
# tar xzvf libxml2-2.6.29.tar.gz
# cd libxml2-2.6.29
# ./configure --prefix=/usr/local/libxml2
# make
# make install
(3) libmcrypt
# cd /usr/local/src
# wget http://jaist.dl.sourceforge.net/sourceforge/mcrypt/libmcrypt-2.5.8.tar.bz2
# tar xjvf libmcrypt-2.5.8.tar.bz2
# cd libmcrypt-2.5.8
# ./configure --prefix=/usr/local/libmcrypt
# make
# make install
(4) Apache log rotation program (cronolog)
# cd /usr/local/src
# wget http://cronolog.org/download/cronolog-1.6.2.tar.gz
# tar xzvf cronolog-1.6.2.tar.gz
# cd cronolog-1.6.2
# ./configure --prefix=/usr/local/cronolog
# make
# make install
8. Upgrade OpenSSL and OpenSSH
# cd /usr/local/src
# wget http://www.openssl.org/source/openssl-0.9.8e.tar.gz
# wget http://mirror.mcs.anl.gov/openssh/portable/openssh-4.6p1.tar.gz
# tar xzvf openssl-0.9.8e.tar.gz
# cd openssl-0.9.8e
# ./config --prefix=/usr/local/openssl
# make
# make test
# make install
# cd ..
# tar xzvf openssh-4.6p1.tar.gz
# cd openssh-4.6p1
# ./configure \
"--prefix=/usr" \
"--with-pam" \
"--with-zlib" \
"--sysconfdir=/etc/ssh" \
"--with-ssl-dir=/usr/local/openssl" \
"--with-md5-passwords"
# make
# make install
Then harden the SSH server configuration in /etc/ssh/sshd_config (the sysconfdir given above):
# vi /etc/ssh/sshd_config
(1) Disable the SSH v1 protocol
Find:
#Protocol 2,1
Change to:
Protocol 2
(2) Disable direct root login
First create a normal system user:
# useradd username
# passwd username
Find:
#PermitRootLogin yes
Change to:
PermitRootLogin no
(3) Disable GSSAPI on the server
Locate the following two lines and comment them out:
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
(4) Disable DNS name resolution
Find:
#UseDNS yes
Change to:
UseDNS no
(5) Disable GSSAPI on the client
# vi /etc/ssh/ssh_config
Find:
GSSAPIAuthentication yes
Comment out this line.
Finally, confirm that the modifications are correct and restart the SSH service:
# service sshd restart
# ssh -V
Confirm that the OpenSSH and OpenSSL versions reported are correct.
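To verify that the sshd_config edits in steps (1) to (4) actually took effect, here is an added audit script (not part of the original guide); the file names and sample configurations it creates are constructed for the demonstration, and the check reads the first active occurrence of each keyword, which is what sshd itself honours.

```shell
#!/bin/bash
# Added example (not part of the original guide): audit an sshd_config for the
# hardening changes above. File names and sample contents are constructed.

# First active (uncommented) value of KEYWORD in FILE, lowercased; empty if unset.
# sshd honours the first occurrence of a keyword, so the audit does the same.
sshd_directive() {
    awk -v k="$2" 'tolower($1) == k { print tolower($2); exit }' "$1"
}
# check_directive FILE KEYWORD WANT [unset-ok]: prints one report line, 1 on mismatch.
check_directive() {
    v=$(sshd_directive "$1" "$2")
    if [ "$v" = "$3" ] || { [ "$4" = unset-ok ] && [ -z "$v" ]; }; then
        echo "ok   $2 = ${v:-<unset>}"
    else
        echo "FAIL $2 = ${v:-<unset>} (want $3)"; return 1
    fi
}
# audit_sshd_config FILE: 0 when every check passes, 1 otherwise.
audit_sshd_config() {
    rc=0
    check_directive "$1" protocol 2                           || rc=1
    check_directive "$1" permitrootlogin no                   || rc=1
    check_directive "$1" usedns no                            || rc=1
    check_directive "$1" gssapiauthentication no unset-ok     || rc=1
    check_directive "$1" gssapicleanupcredentials no unset-ok || rc=1
    return $rc
}

# Constructed sample: sshd_config as shipped, before the edits in steps (1) to (4).
SSHD_BEFORE=$(mktemp)
cat > "$SSHD_BEFORE" <<'EOF'
#Protocol 2,1
#PermitRootLogin yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
#UseDNS yes
EOF
# Constructed sample: the same file after applying steps (1) to (4).
SSHD_AFTER=$(mktemp)
cat > "$SSHD_AFTER" <<'EOF'
Protocol 2
PermitRootLogin no
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
UseDNS no
EOF

audit_sshd_config "$SSHD_BEFORE" || echo "before edits: NOT hardened"
audit_sshd_config "$SSHD_AFTER"  && echo "after edits: hardened"
```

Run it against the real file with audit_sshd_config /etc/ssh/sshd_config before restarting sshd; a commented-out Protocol line is reported as a failure because an unset Protocol still allows v1 in this OpenSSH version.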
III. Compile and install the L.A.M.P environment
1. Download the software
# cd /usr/local/src
# wget http://apache.mirror.phpchina.com/httpd/httpd-2.2.4.tar.bz2
# wget http://download.discuz.net/env/mysql-5.0.27.tar.gz
# wget http://cn.php.net/distributions/php-5.2.3.tar.bz2
# wget http://downloads.phpchina.com/zend/optimizer/3.3.0/ZendOptimizer-3.3.0-linux-glibc21-i386.tar.gz
2. Compile and install MySQL
# tar xzvf mysql-5.0.27.tar.gz
# cd mysql-5.0.27
# ./configure \
"--prefix=/usr/local/mysql" \
"--localstatedir=/var/lib/mysql" \
"--with-comment=source" \
"--with-server-suffix=-comsenz" \
"--with-mysqld-user=mysql" \
"--without-debug" \
"--with-big-tables" \
"--with-charset=" \
"--with-collation=" \
"--with-extra-charsets=all" \
"--with-pthread" \
"--enable-static" \
"--enable-thread-safe-client" \
"--with-client-ldflags=-all-static" \
"--with-mysqld-ldflags=-all-static" \
"--enable-assembler" \
"--without-isam" \
"--without-innodb" \
"--without-ndb-debug"
Notes: --localstatedir places the data directory under /var, so check that the /var partition is suitable for it. Fill in --with-charset= with the MySQL default character set and --with-collation= with the default collation you want.
# make
# make install
# useradd mysql
# cd /usr/local/mysql
# bin/mysql_install_db --user=mysql
# chown -R root:mysql .
# chown -R mysql /var/lib/mysql
# cp share/mysql/my-huge.cnf /etc/my.cnf
# cp share/mysql/mysql.server /etc/rc.d/init.d/mysqld
# chmod 755 /etc/rc.d/init.d/mysqld
# chkconfig --add mysqld
# chkconfig --level 3 mysqld on
# /etc/rc.d/init.d/mysqld start
# bin/mysqladmin -u root password 'password_for_root'
3. Compile and install Apache
# cd /usr/local/src
# tar xjvf httpd-2.2.4.tar.bz2
# cd httpd-2.2.4
# ./configure \
"--prefix=/usr/local/apache2" \
"--with-included-apr" \
"--enable-so" \
"--enable-deflate=shared" \
"--enable-expires=shared" \
"--enable-rewrite=shared" \
"--enable-static-support" \
"--disable-userdir"
# make
# make install
# echo '/usr/local/apache2/bin/apachectl start' >> /etc/rc.local
4. Compile and install PHP
# cd /usr/local/src
# tar xjvf php-5.2.3.tar.bz2
# cd php-5.2.3
# ./configure \
"--prefix=/usr/local/php" \
"--with-apxs2=/usr/local/apache2/bin/apxs" \
"--with-config-file-path=/usr/local/php/etc" \
"--with-mysql=/usr/local/mysql" \
"--with-libxml-dir=/usr/local/libxml2" \
"--with-gd=/usr/local/gd2" \
"--with-jpeg-dir" \
"--with-png-dir" \
"--with-bz2" \
"--with-freetype-dir" \
"--with-iconv-dir" \
"--with-zlib-dir" \
"--with-openssl=/usr/local/openssl" \
"--with-mcrypt=/usr/local/libmcrypt" \
"--enable-soap" \
"--enable-gd-native-ttf" \
"--enable-memory-limit" \
"--enable-ftp" \
"--enable-mbstring" \
"--enable-exif" \
"--disable-ipv6" \
"--disable-cgi" \
"--disable-cli"
# make
# make install
# mkdir /usr/local/php/etc
# cp php.ini-dist /usr/local/php/etc/php.ini
5. Install Zend Optimizer
# cd /usr/local/src
# tar xzvf ZendOptimizer-3.2.8-linux-glibc21-i386.tar.gz
# ./ZendOptimizer-3.2.8-linux-glibc21-i386/install.sh
Follow the installer prompts; when it finishes, choose not to restart Apache.
6. Integrate Apache and PHP
# vi /usr/local/apache2/conf/httpd.conf
Find:
AddType application/x-gzip .gz .tgz
Add below it:
AddType application/x-httpd-php .php
Find:
<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>
Change it to:
<IfModule dir_module>
    DirectoryIndex index.html index.htm index.php
</IfModule>
Find:
#Include conf/extra/httpd-mpm.conf
#Include conf/extra/httpd-info.conf
#Include conf/extra/httpd-vhosts.conf
#Include conf/extra/httpd-default.conf
Remove the leading "#" from these lines to uncomment them.
Note: the above four extension configuration files should be configured according to the relevant principles!
Save the modifications and exit.
# /usr/local/apache2/bin/apachectl restart
7. Check and confirm the L.A.M.P environment information and improve PHP security
Place a phpinfo.php script in the website root directory and check that the information phpinfo reports is correct.
# vi phpinfo.php
<?php
phpinfo();
?>
After confirming that PHP works properly, harden PHP. Edit the php.ini copied above:
# vi /usr/local/php/etc/php.ini
Find:
disable_functions =
Set it to:
disable_functions = passthru,exec,system,chroot,scandir,chgrp,chown,escapeshellcmd,escapeshellarg,shell_exec,proc_open,proc_get_status,error_log,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,popen,stream_socket_server
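A disable_functions line this long is easy to get wrong when it is typed by hand, so here is an added check (not part of the original guide) that reads a php.ini and reports which of the functions listed above are still callable; the php.ini files it creates are constructed samples.

```shell
#!/bin/bash
# Added example (not from the original guide): check that a php.ini disables
# every function in the list above and report any that are missing.
# File names and php.ini contents below are constructed samples.

# The functions the guide's disable_functions line lists, one per word.
REQUIRED_DISABLED='passthru exec system chroot scandir chgrp chown escapeshellcmd
escapeshellarg shell_exec proc_open proc_get_status error_log ini_alter ini_restore
dl pfsockopen openlog syslog readlink symlink leak popen stream_socket_server'

# php_disabled_functions FILE: the effective disable_functions value (PHP keeps
# the last occurrence) as a lowercased, space-separated list; empty when unset.
php_disabled_functions() {
    sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" \
        | tail -n 1 | tr ',' ' ' | tr -s ' ' | tr '[:upper:]' '[:lower:]'
}

# missing_disabled_functions FILE: prints each required function that is still
# callable; returns 0 when nothing is missing, 1 otherwise.
missing_disabled_functions() {
    have=" $(php_disabled_functions "$1") "
    rc=0
    for fn in $REQUIRED_DISABLED; do
        case "$have" in
            *" $fn "*) ;;
            *) echo "$fn"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: php.ini-dist as copied above, directive still empty.
PHPINI_DEFAULT=$(mktemp)
printf 'disable_functions =\nexpose_php = On\n' > "$PHPINI_DEFAULT"

# Constructed sample: a hardened php.ini that left out symlink and popen.
PHPINI_PARTIAL=$(mktemp)
cat > "$PHPINI_PARTIAL" <<'EOF'
disable_functions = passthru,exec,system,chroot,scandir,chgrp,chown,escapeshellcmd,escapeshellarg,shell_exec,proc_open,proc_get_status,error_log,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,leak,stream_socket_server
EOF

echo "still callable with the default php.ini:"; missing_disabled_functions "$PHPINI_DEFAULT" || true
echo "still callable with the partial php.ini:"; missing_disabled_functions "$PHPINI_PARTIAL" || true
```

Point it at the real file with missing_disabled_functions /usr/local/php/etc/php.ini after editing; restart Apache afterwards, since mod_php reads php.ini only at startup.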
IV. Server security settings
1. Set up the system firewall
# touch /usr/local/sbin/fw.sh
Paste the following script into the fw.sh file:
#!/bin/bash
# Stop the iptables service first
service iptables stop
# Load the FTP kernel modules
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
# Flush the filter table and set the default policies of the built-in chains
/sbin/iptables -F -t filter
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
# Allow traffic on the loopback interface
/sbin/iptables -A INPUT -i lo -j ACCEPT
# Accept established and related connections
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ICMP control (rate limited)
/sbin/iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
# WWW service
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# FTP service
/sbin/iptables -A INPUT -p tcp --dport 21 -j ACCEPT
# SSH service
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Then make the script executable, run it at boot, and apply it now:
# chmod 755 /usr/local/sbin/fw.sh
# echo '/usr/local/sbin/fw.sh' >> /etc/rc.local
# /usr/local/sbin/fw.sh