
The Complete Process of Setting Up a Large Website's Server (4)


Mysql> Insert INTO `ftpgroup` (`groupname`, `gid`, `members`) VALUES("5dxc", "5500", "xxxx");

Mysql> Insert INTO `ftpquotalimits` (`name`, `quota_type`, `per_session`, `limit_type`, `bytes_in_avail`, `bytes_out_avail`, `bytes_xfer_avail`, `files_in_avail`, `files_out_avail`, `files_xfer_avail`) VALUES("test", "user", "false", "soft", "1.024e+06", "0", "0", "0", "0", "0");

Mysql> Insert INTO `ftpquotatallies` (`name`, `quota_type`, `bytes_in_used`, `bytes_out_used`, `bytes_xfer_used`, `files_in_used`, `files_out_used`, `files_xfer_used`) VALUES("test", "user", "809781", "0", "809781", "0", "0", "0");

Mysql> Insert INTO `ftpuser` (`id`, `userid`, `passwd`, `uid`, `gid`, `homedir`, `shell`, `count`, `accessed`, `modified`) VALUES("1", "test", "test", "5500", "5500", "/site", "/sbin/nologin", "0", "0000-00-00 00:00:00", "0000-00-00 00:00:00");

Configure proftpd:

#tar xzvf proftpd-1.3.0rc5.tar.gz
#cd proftpd-1.3.0rc5
#./configure --prefix=/usr/local/proftpd --with-modules=mod_sql:mod_sql_mysql:mod_quotatab:mod_quotatab_sql:mod_ratio --with-includes=/usr/include/mysql --with-libraries=/usr/lib/mysql
#make && make install
#mv /usr/local/proftpd/etc/proftpd.conf /usr/local/proftpd/etc/proftpd.confbak
#vi /usr/local/proftpd/etc/proftpd.conf

////////////////////////file contents///////////////////
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

#ServerName "ProFTPD Default Installation"
ServerName "Mingfu's ftp"
ServerType standalone
DefaultServer on

# Port 21 is the standard FTP port.
Port 21

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances 100
MaxLoginAttempts 3

# Set the user and group under which the server will run.
User nobody
Group nobody

# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
#DefaultRoot ~
DefaultRoot ~

#put the proftpd log files in /var/log/ftp.syslog
#SystemLog /var/log/ftp.syslog
SystemLog /var/log/xxxx/ftp.syslog
#TransferLog log files
TransferLog /var/log/xxxx/ftp.transferlog

MaxHostsPerUser 1 "Sorry, you may not connect more than one time 1."
MaxClientsPerUser 13 "Only one such user at a time 2."
MaxClientsPerHost 20 "Sorry, you may not connect more than one time 3."

#setup the Restart
AllowRetrieveRestart on
RootLogin off
RequireValidShell off
TimeoutStalled 600
MaxClients 2000
AllowForeignAddress on
AllowStoreRestart on
ServerIdent off
DefaultRoot ~ xxxx

#Slow logins
UseReverseDNS off
IdentLookups off
#IdentLookups and tcpwrappers ***

# Normally, we want files to be overwriteable.
AllowOverwrite on
TimeoutIdle 600

SQLAuthTypes Backend Plaintext
SQLAuthenticate users* groups*
# databasename@host database_user user_password
#SQLConnectInfo ftpdb@localhost proftpd password
SQLConnectInfo ftpdb@localhost ftpuser xxxx
SQLUserInfo ftpuser userid passwd uid gid homedir shell
SQLGroupInfo ftpgroup groupname gid members
SQLHomedirOnDemand on

# Update count every time user logs in
SQLLog PASS updatecount
SQLNamedQuery updatecount Update "count=count+1, accessed=now() Where userid='%u'" ftpuser

# Update modified everytime user uploads or deletes a file
SQLLog STOR,DELE modified
SQLNamedQuery modified Update "modified=now() Where userid='%u'" ftpuser

QuotaEngine on
QuotaDirectoryTally on
QuotaDisplayUnits kb
QuotaShowQuotas on
QuotaLog "/var/log/quota"

SQLNamedQuery get-quota-limit Select "name, quota_type, per_session, limit_type, bytes_in_avail, bytes_out_avail, bytes_xfer_avail, files_in_avail, files_out_avail, files_xfer_avail FROM ftpquotalimits Where name = '%{0}' AND quota_type = '%{1}'"
SQLNamedQuery get-quota-tally Select "name, quota_type, bytes_in_used, bytes_out_used, bytes_xfer_used, files_in_used, files_out_used, files_xfer_used FROM ftpquotatallies Where name = '%{0}' AND quota_type = '%{1}'"
SQLNamedQuery update-quota-tally Update "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used + %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used = files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} Where name = '%{6}' AND quota_type = '%{7}'" ftpquotatallies
SQLNamedQuery insert-quota-tally Insert "%{0}, %{1}, %{2}, %{3}, %{4}, %{5}, %{6}, %{7}" ftpquotatallies

QuotaLimitTable sql:/get-quota-limit
QuotaTallyTable sql:/get-quota-tally/update-quota-tally/insert-quota-tally
////////////////////////file contents///////////////////

Add the following line to /etc/rc.local:
/usr/local/proftpd/sbin/proftpd &

LPM configuration is complete.

Note: from now on, adding an FTP account only requires inserting the corresponding row into the ftpuser table; a user's disk quota is set by inserting the corresponding row into the ftpquotalimits table.
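The note above says that account creation is now just a matter of inserting rows. The script below is an added example of that workflow and is not part of the original article: it prints the three INSERT statements for one new account (ftpuser, ftpquotalimits, ftpquotatallies) so they can be reviewed before being fed to mysql, and it refuses account names or hashes that contain quoting characters so the generated SQL cannot be altered by its inputs. Everything beyond the table and column names is an assumption: uid/gid 5500 and /sbin/nologin are copied from the article's sample rows, the home directory is taken to be /site/<name>, ftpuser.id is assumed to be AUTO_INCREMENT and is omitted, and the passwd column is assumed to hold a crypt(3) hash, which requires "SQLAuthTypes Crypt" in proftpd.conf rather than the article's "Backend Plaintext" (under which the passwd column is stored in the clear).

```shell
#!/bin/sh
# Added example, not part of the original article: generate the INSERT
# statements for one new ProFTPD account in the mysql schema the article
# uses (ftpuser, ftpquotalimits, ftpquotatallies). Nothing is executed;
# the SQL is printed so it can be reviewed before being fed to mysql.
#
# Assumptions (not stated by the article): uid/gid 5500 and /sbin/nologin
# are copied from its sample rows; the home directory is /site/<name>;
# the ftpuser.id column is AUTO_INCREMENT and therefore omitted; and the
# passwd column holds a crypt(3) hash, which needs "SQLAuthTypes Crypt"
# in proftpd.conf instead of the article's "Backend Plaintext".

# Accept only short lowercase names: this keeps quoting characters out of
# the generated SQL and gives a sane chroot home directory name.
valid_ftp_name() {
    case "$1" in
        '') return 1 ;;
        *[!a-z0-9_]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# A crypt(3) hash only ever contains [A-Za-z0-9./$]; refuse anything else.
valid_hash() {
    case "$1" in
        '') return 1 ;;
        *[!A-Za-z0-9./\$]*) return 1 ;;
    esac
    return 0
}

# Whole-megabyte limit to bytes, integer arithmetic only.
mb_to_bytes() {
    echo $(( $1 * 1024 * 1024 ))
}

# Usage: ftp_account_sql <name> <quota-in-MB> <crypt-hash>
ftp_account_sql() {
    name=$1
    quota_mb=$2
    pwhash=$3
    valid_ftp_name "$name" || { echo "ftp_account_sql: bad account name" >&2; return 1; }
    valid_hash "$pwhash" || { echo "ftp_account_sql: bad password hash" >&2; return 1; }
    case "$quota_mb" in
        ''|*[!0-9]*) echo "ftp_account_sql: quota must be whole MB" >&2; return 1 ;;
    esac
    bytes=$(mb_to_bytes "$quota_mb")
    # 'hard' makes mod_quotatab reject the transfer that would exceed the
    # limit; the article's sample row uses 'soft', which only fails later ones.
    cat <<EOF
INSERT INTO ftpuser (userid, passwd, uid, gid, homedir, shell, count, accessed, modified)
VALUES ('$name', '$pwhash', 5500, 5500, '/site/$name', '/sbin/nologin', 0, NOW(), NOW());
INSERT INTO ftpquotalimits (name, quota_type, per_session, limit_type, bytes_in_avail, bytes_out_avail, bytes_xfer_avail, files_in_avail, files_out_avail, files_xfer_avail)
VALUES ('$name', 'user', 'false', 'hard', $bytes, 0, 0, 0, 0, 0);
INSERT INTO ftpquotatallies (name, quota_type, bytes_in_used, bytes_out_used, bytes_xfer_used, files_in_used, files_out_used, files_xfer_used)
VALUES ('$name', 'user', 0, 0, 0, 0, 0, 0);
EOF
}

# Stand-alone use: print the SQL for a constructed sample account.
# The hash below is a made-up placeholder, not a real password hash.
[ "$#" -eq 0 ] && ftp_account_sql alice 10 '$1$placeholder$hashvalue000000000000'
```

Pipe the output into `mysql ftpdb` once it has been read over; the validation functions are the part worth keeping even if the column defaults are changed, since the account name ends up both inside SQL string literals and in a filesystem path.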

Recommended Windows tool for managing MySQL: mysql-front

Remote connection account:
User: root
Host: IP
Pswd: xxxx
(the same password that was set with grant all privileges on *.* to root@'%' identified by "xxxx";).

8. Configure MAIL

To work together with the JBoss project code and tie it to the creation of MAIL accounts, which makes maintenance and management easier, I chose to integrate the mail server with the database.

For the actual setup refer to the mail-sending program, then configure the mail server. Mail system user accounts must not be created as real system accounts; all accounts are kept in the MySQL database.

The detailed setup steps are omitted.

9. Security policy

Below is a simple but effective firewall setup; as long as no intrusion comes from a fixed IP, the server stays reachable as normal.

So once the server is live, you need to collect information on its connection state. The LAMP environment is already configured on this server, so for system monitoring install CACTI (http://www.cacti.net).

Its installation is fairly simple and is not covered here.

You also need to keep watching the output of #netstat -na|grep SYN and DROP any source that shows 15 consecutive identical forged (half-open) connections, shutting it out of the system's communication path.

When such an intrusive connection appears....

#iptables -A ........... DROP (note: do not write this into the iptables file)

Below are the complete contents of the iptables file:

#cat /etc/sysconfig/iptables

////////////////////file contents////////////////////
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -s 0/0 -d 0/0 --dport 177 -j ACCEPT
#modify by mingfu 060404
#Please do not modify the content below
#ACK FIN SYN
-A RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
#port scan
# NMAP FIN/URG/PSH
-A RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# Xmas Tree
-A RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j DROP
# Another Xmas Tree
-A RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# Null Scan(possibly)
-A RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP
# SYN/RST
-A RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# SYN/FIN -- Scan(possibly)
-A RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
#!--syn
-A RH-Firewall-1-INPUT -p tcp ! --syn -m state --state NEW -j DROP
#Dos
-A RH-Firewall-1-INPUT -p tcp --dport 80 -m limit --limit 10/second --limit-burst 300 -j ACCEPT
#sync flood
-N synfoold
-A synfoold -p tcp --syn -m limit --limit 1/s -j RETURN
-A synfoold -p tcp -j REJECT --reject-with tcp-reset
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -j synfoold
-N ping
-A ping -p icmp --icmp-type echo-request -m limit --limit 1/second -j RETURN
-A ping -p icmp -j REJECT
-I RH-Firewall-1-INPUT -p icmp --icmp-type echo-request -m state --state NEW -j ping
#-A RH-Firewall-1-INPUT -p icmp --icmp-type 8 -s 0/0 -j DROP
#-A RH-Firewall-1-INPUT -p icmp --icmp-type 0 -s 0/0 -j ACCEPT
#-A RH-Firewall-1-INPUT -p icmp --icmp-type 0 -s localip -j DROP
#-A RH-Firewall-1-INPUT -p icmp --icmp-type 8 -s localip -j DROP
#all ports
-A RH-Firewall-1-INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#FTP
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 20 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 32800:34000 -j ACCEPT
#MAIL
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 113 -j ACCEPT
#SSH
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 922 -j ACCEPT
#WEB
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 82 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 8088 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 4443 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 7777 -j ACCEPT
#DNS
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
#DATABASE
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 1521 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 8009 -j ACCEPT
#VNC
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 5801: -j ACCEPT
#ICMP
-A RH-Firewall-1-INPUT -i eth0 -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW,INVALID -j DROP
COMMIT
////////////////////file contents////////////////////

Add the following to /etc/rc.local:

////////////////////file contents////////////////////
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/tcp_syn_retries
echo "1" > /proc/sys/net/ipv4/tcp_synack_retries
echo 8192 > /proc/sys/net/ipv4/tcp_max_syn_backlog
////////////////////file contents////////////////////

Here 8192 = 1024*4*2. For more details, consult the documentation on /proc.

As for the script that collects the netstat -na|grep SYN_RECV and TIME_WAIT output: I cannot write it down here.
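The article describes watching netstat for sources that pile up half-open connections but does not give the script. The following is an added example of that check, written for this edit and not taken from the article: it counts SYN_RECV entries per source address in "netstat -na" output, lists the sources at or above a threshold (15 by default, the figure the text uses), and prints the DROP rule an operator could review for each one on the article's RH-Firewall-1-INPUT chain. It only reports and never runs iptables itself, in keeping with the article's advice to keep such per-source rules out of the iptables file. The netstat sample is constructed inline from documentation address ranges.

```shell
#!/bin/sh
# Added example, not part of the original article: the kind of check the
# text describes, counting half-open (SYN_RECV) connections per source
# address in "netstat -na" output and listing sources at or above a
# threshold. It only reports; applying a DROP rule stays a manual step,
# as the article itself recommends keeping such rules out of the
# iptables file.

# Read "netstat -na" lines on stdin; print "<count> <source-ip>" for every
# source with at least $1 SYN_RECV entries (default 15), highest count first.
syn_recv_offenders() {
    threshold=${1:-15}
    awk -v t="$threshold" '
        $6 == "SYN_RECV" {
            src = $5
            sub(/:[0-9]+$/, "", src)   # strip the port, IPv4 or IPv6 form
            count[src]++
        }
        END {
            for (ip in count)
                if (count[ip] >= t) print count[ip], ip
        }' | sort -rn
}

# Print the iptables command that would block one source on the chain the
# article uses (printed for an operator to review, never executed here).
block_rule_for() {
    printf 'iptables -I RH-Firewall-1-INPUT -s %s -j DROP\n' "$1"
}

# Constructed sample of "netstat -na" output (documentation addresses):
# 16 half-open connections from 198.51.100.7, 2 from 203.0.113.9, and
# some ordinary sessions that must not be counted.
sample_netstat() {
    printf 'Active Internet connections (servers and established)\n'
    printf 'Proto Recv-Q Send-Q Local Address           Foreign Address         State\n'
    i=0
    while [ "$i" -lt 16 ]; do
        printf 'tcp        0      0 10.0.0.5:80             198.51.100.7:%d      SYN_RECV\n' $((40000 + i))
        i=$((i + 1))
    done
    printf 'tcp        0      0 10.0.0.5:80             203.0.113.9:51000     SYN_RECV\n'
    printf 'tcp        0      0 10.0.0.5:80             203.0.113.9:51001     SYN_RECV\n'
    printf 'tcp        0      0 10.0.0.5:22             192.0.2.44:60100      ESTABLISHED\n'
    printf 'tcp        0      0 10.0.0.5:80             192.0.2.45:60200      TIME_WAIT\n'
}

# Stand-alone run: report offenders at the article's threshold of 15 and
# show the rule an operator could review for each one. For live use,
# replace sample_netstat with "netstat -na".
sample_netstat | syn_recv_offenders 15 | while read -r n ip; do
    echo "$ip: $n half-open connections"
    block_rule_for "$ip"
done
```

Run from cron, `netstat -na | syn_recv_offenders 15` gives the per-source view the article asks for; with tcp_syncookies enabled as in the rc.local lines above, a flood no longer exhausts the backlog, so the count is mainly useful for deciding which sources deserve a rule rather than for keeping the service up.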