Posts Tagged ‘Lighttpd’

linux centos 下fail2ban安装与配置

星期二, 四月 1st, 2014

原创内容,转载请注明出处:http://www.myzhenai.com/thread-16184-1-1.html http://www.myzhenai.com.cn/post/1791.html
关键词: linux fail2ban安装 centos fail2ban安装 linux fail2ban配置 centos fail2ban配置 jail.conf说明 jail.conf配置 fail2ban apache fail2ban mysql fail2ban ddos fail2ban ftp fail2ban phpmyadmin

1:安装epel更新源:http://www.myzhenai.com/thread-15362-1-2.html http://fedoraproject.org/wiki/EPEL/zh-cn

# Everything comes from EPEL (enabled in step 1), so yum verifies the package
# signatures as long as gpgcheck is on (EPEL's default). The shorewall
# packages are only needed for the "shorewall" ban action used later.
yum install fail2ban gamin-python python-inotify python-ctypes shorewall shorewall-common shorewall-perl shorewall-shell

or

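yum install gamin-python python-inotify python-ctypes
# Manual download over plain HTTP. "rpm -ivh" only prints a NOKEY warning when
# it cannot verify the package, so make the signature check explicit against
# the EPEL 6 key that epel-release (step 1) installs, and only install when
# it passes. (Prefer "yum install fail2ban" whenever yum can resolve it.)
wget http://dl.fedoraproject.org/pub/epel/6/i386/fail2ban-0.8.11-2.el6.noarch.rpm
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
rpm -K fail2ban-0.8.11-2.el6.noarch.rpm && rpm -ivh fail2ban-0.8.11-2.el6.noarch.rpm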

or

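yum install gamin-python python-inotify python-ctypes
# Same as the EL6 route: an unverified HTTP download, so check the signature
# against the EPEL 5 key shipped by epel-release before installing (adjust the
# key path if your epel-release placed it elsewhere).
wget http://ftp.sjtu.edu.cn/fedora/epel//5/i386/fail2ban-0.8.4-29.el5.noarch.rpm
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
rpm -K fail2ban-0.8.4-29.el5.noarch.rpm && rpm -ivh fail2ban-0.8.4-29.el5.noarch.rpm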

2:源码包安装

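# Source install (0.9.x). The GitHub tag archive is not signed: keep the
# download on HTTPS (as here) and compare it with a checksum published by the
# project before building. NOTE(review): the 0.9 series needs Python >= 2.6 —
# confirm your CentOS release ships that before choosing this route.
# Without -O, wget saves the file as "0.9.0" and the tar line below fails.
wget -O fail2ban-0.9.0.tar.gz https://codeload.github.com/fail2ban/fail2ban/tar.gz/0.9.0
tar -xzvf fail2ban-0.9.0.tar.gz
# The original ran a bare "cd" (which goes to $HOME) and "./setup.py" without
# the install sub-command.
cd fail2ban-0.9.0
python setup.py install
# solaris-svc-fail2ban is a Solaris SMF method script; on CentOS use the
# Red Hat init script from the same directory and register it with chkconfig.
cp files/redhat-initd /etc/init.d/fail2ban
chmod +x /etc/init.d/fail2ban
chkconfig --add fail2ban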

安装路径

/etc/fail2ban
action.d filter.d fail2ban.conf jail.conf

我们主要编辑的是 jail 配置.建议不要直接改 jail.conf(软件包升级时会被覆盖),而是把要改的段落写进同目录下的 jail.local,其中的同名段落会覆盖 jail.conf 里的设置;filter.d、action.d 里的文件不需要动.另外请在 [DEFAULT] 段的 ignoreip 里加上自己的管理 IP,以免把自己封掉;并且只把本机实际运行的服务对应的段落设为 enabled = true.

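# Keep local changes in jail.local: jail.conf is replaced on package upgrade,
# and sections in jail.local override the same-named sections in jail.conf.
# -n never overwrites an existing jail.local.
cp -n /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
vi /etc/fail2ban/jail.local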

SSH防攻击规则

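# sshd jails. On CentOS sshd logs through authpriv to /var/log/secure, so every
# sshd jail here reads that file. One ban action per log source is enough —
# each extra jail on the same failures adds another iptables chain per ban —
# and the [DEFAULT] ignoreip list should contain your own address.
[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com, sendername="Fail2Ban"]
logpath  = /var/log/secure
maxretry = 5

# The plain "iptables" action takes ONE port and ONE protocol. The original
# "port=ssh,sftp protocol=tcp,udp" is not a valid argument list (sftp runs on
# the ssh port, and ssh is TCP only), and its logpath pointed at
# /var/log/messages although sshd logs to /var/log/secure like the jail above.
[ssh-ddos]
enabled  = true
filter   = sshd-ddos
action   = iptables[name=ssh-ddos, port=ssh, protocol=tcp]
logpath  = /var/log/secure
maxretry = 2

# macOS-only jails (ipfw / afctl firewalls, /var/log/secure.log). That file
# does not exist on CentOS, and fail2ban 0.8 refuses to start when an enabled
# jail's logpath is missing, so they stay disabled on a Linux host.
[osx-ssh-ipfw]

enabled  = false
filter   = sshd
action   = osx-ipfw
logpath  = /var/log/secure.log
maxretry = 5

# Needs the APF firewall, which this post does not install; ssh-iptables
# already bans on the same log, so leave this off unless APF replaces it.
[ssh-apf]

enabled = false
filter  = sshd
action  = apf[name=SSH]
logpath = /var/log/secure
maxretry = 5

[osx-ssh-afctl]

enabled  = false
filter   = sshd
action   = osx-afctl[bantime=600]
logpath  = /var/log/secure.log
maxretry = 5

# Presumably the same sshd failures seen through the audit log (needs auditd
# running so /var/log/audit/audit.log exists). Duplicates ssh-iptables bans.
[selinux-ssh]
enabled = true
filter  = selinux-ssh
action  = iptables[name=SELINUX-SSH, port=ssh, protocol=tcp]
logpath  = /var/log/audit/audit.log
maxretry = 5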

proftp防攻击规则

# ProFTPD login failures, read from ProFTPD's own log file; the ban is on the
# ftp port only and each ban is also mailed (with a whois lookup).
[proftpd-iptables]

enabled  = true
filter   = proftpd
logpath  = /var/log/proftpd/proftpd.log
maxretry = 6
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=ProFTPD, dest=you@example.com]

邮件防攻击规则

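# Mail jails. On CentOS the syslog mail facility goes to /var/log/maillog (the
# path the perdition and uwimap jails below already use); /var/log/mail.log is
# the Debian name and does not exist here — a missing logpath on an enabled
# jail stops fail2ban 0.8 from starting at all.
[sasl-iptables]

enabled  = true
filter   = postfix-sasl
backend  = polling
action   = iptables[name=sasl, port=smtp, protocol=tcp]
           sendmail-whois[name=sasl, dest=you@example.com]
logpath  = /var/log/maillog

# NOTE(review): iptables resolves the port names via /etc/services; confirm
# "sieve" is listed there, otherwise the ban rule fails to insert.
[dovecot]

enabled = true
filter  = dovecot
action  = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps,submission,smtps,sieve", protocol=tcp]
logpath = /var/log/maillog

# Same filter, watching the authpriv log — presumably for failures that
# dovecot's PAM authentication logs there rather than in maillog; confirm.
[dovecot-auth]

enabled = true
filter  = dovecot
action  = iptables-multiport[name=dovecot-auth, port="pop3,pop3s,imap,imaps,submission,smtps,sieve", protocol=tcp]
logpath = /var/log/secure

[perdition]

enabled = true
filter  = perdition
action  = iptables-multiport[name=perdition,port="110,143,993,995"]
logpath = /var/log/maillog


[uwimap-auth]

enabled = true
filter  = uwimap-auth
action  = iptables-multiport[name=uwimap-auth,port="110,143,993,995"]
logpath = /var/log/maillog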

apache防攻击规则

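# Apache jails. All read httpd's logs; enable only those whose filter matches
# something your site actually logs.
#
# Apache httpd is not linked against tcp_wrappers, so an entry the "hostsdeny"
# action writes to /etc/hosts.deny does not stop web requests. Ban at the
# packet filter instead, like the other web jails in this file.
[apache-tcpwrapper]

enabled  = true
filter   = apache-auth
action   = iptables-multiport[name=apache-auth, port="http,https"]
logpath  = /var/log/httpd/error_log
maxretry = 6

# maxretry = 1 with a two-day ban: a single matching access_log line bans the
# client, so the badbots list must not contain anything a real visitor sends.
[apache-badbots]

enabled  = true
filter   = apache-badbots
action   = iptables-multiport[name=BadBots, port="http,https"]
           sendmail-buffered[name=BadBots, lines=5, dest=you@example.com]
logpath  = /var/log/httpd/access_log
bantime  = 172800
maxretry = 1

# Requires shorewall to be installed and running (it is in the yum line at the
# top of this post). "name" is only the label in the alert mail; the original
# said "Postfix" for an Apache jail, which would mislead whoever reads it.
[apache-shorewall]

enabled  = true
filter   = apache-noscript
action   = shorewall
           sendmail[name=apache-noscript, dest=you@example.com]
logpath  = /var/log/httpd/error_log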

nginx防攻击规则

# nginx HTTP authentication failures, watched in nginx's error log; bans on
# both web ports (no protocol given, so the action's default applies).
[nginx-http-auth]

enabled  = true
filter   = nginx-http-auth
logpath  = /var/log/nginx/error.log
action   = iptables-multiport[name=nginx-http-auth,port="80,443"]

lighttpd防攻击规则

# Both jails watch lighttpd's error log.
# NOTE(review): the "suhosin" filter is for the PHP Suhosin hardening
# extension's ALERT lines, not a lighttpd feature. With PHP running under
# FastCGI those lines go wherever PHP's error_log points — confirm Suhosin is
# installed and that its messages actually reach this file before relying on
# this jail.
[suhosin]

enabled  = true
filter   = suhosin
action   = iptables-multiport[name=suhosin, port="http,https"]
# adapt the following two items as needed
logpath  = /var/log/lighttpd/error.log
maxretry = 2

# lighttpd HTTP authentication failures from the same error log.
[lighttpd-auth]

enabled  = true
filter   = lighttpd-auth
action   = iptables-multiport[name=lighttpd-auth, port="http,https"]
# adapt the following two items as needed
logpath  = /var/log/lighttpd/error.log
maxretry = 2

vsftpd防攻击规则

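# vsftpd jails. Both use the same filter on the same log with the same limits;
# the notification-only jail is a strict subset of the iptables jail below
# (which mails too), so enabling both just sends two e-mails per ban. Keep one.
# NOTE(review): the vsftpd filter expects vsftpd's own log format at this path —
# confirm vsftpd.conf writes it there (dual_log_enable / xferlog_std_format)
# rather than only the wu-ftpd style xferlog.
[vsftpd-notification]

enabled  = false
filter   = vsftpd
action   = sendmail-whois[name=VSFTPD, dest=you@example.com]
logpath  = /var/log/vsftpd.log
maxretry = 5
bantime  = 1800

[vsftpd-iptables]

enabled  = true
filter   = vsftpd
action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=VSFTPD, dest=you@example.com]
logpath  = /var/log/vsftpd.log
maxretry = 5
bantime  = 1800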

pure-ftpd防攻击规则

# Pure-FTPd login failures: two misses earn a one-day (86400 s) ban on the
# ftp port. NOTE(review): confirm Pure-FTPd's log really is written to this
# path on your host; fail2ban 0.8 will not start if it is missing.
[pure-ftpd]
enabled  = true
filter   = pure-ftpd
logpath  = /var/log/pureftpd.log
maxretry = 2
bantime  = 86400
action   = iptables[name=pure-ftpd, port=ftp, protocol=tcp]

mysql防攻击规则

# MySQL login failures, read from the server error log.
# NOTE(review): MySQL only writes "Access denied" lines to its error log when
# log_warnings is 2 or higher — confirm that setting in my.cnf for your
# version, otherwise this jail never triggers.
[mysqld-iptables]

enabled  = true
filter   = mysqld-auth
action   = iptables[name=mysql, port=3306, protocol=tcp]
           sendmail-whois[name=MySQL, dest=root, sender=fail2ban@example.com]
logpath  = /var/log/mysqld.log
maxretry = 5

apache phpmyadmin防攻击规则

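# Bans clients probing for phpMyAdmin paths that do not exist (custom filter
# below). The plain "iptables" action takes a single port; a comma list needs
# iptables-multiport, as the other web jails in this file use, and the list
# has to be quoted — the original "port=http,https protocol=tcp" was neither.
[apache-phpmyadmin]
enabled  = true
filter   = apache-phpmyadmin
action   = iptables-multiport[name=phpmyadmin, port="http,https", protocol=tcp]
logpath  = /var/log/httpd/error_log
maxretry = 3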
# /etc/fail2ban/filter.d/apache-phpmyadmin.conf

将以下内容粘贴到 /etc/fail2ban/filter.d/apache-phpmyadmin.conf 里保存,即可创建这个过滤器. 注意 failregex 里必须带有 `<HOST>` 占位符(网页显示时容易被当成 HTML 标签吃掉),fail2ban 靠它提取客户端 IP,缺了它这个过滤器无法加载.

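# Fail2Ban configuration file
#
# Bans bots scanning for non-existing phpMyAdmin installations on your webhost.
#
# Author: Gina Haeussge
#

[Definition]

# DocumentRoot exactly as it appears in Apache's error_log. CentOS httpd
# defaults to /var/www/html; if this does not match, the regex never fires.
docroot = /var/www
# Directory names commonly probed. "admin", "db" and "mysql" are generic
# enough to be real paths on some sites; remove any that exist on yours, or a
# visitor following a dead link there is banned after maxretry misses.
badadmin = PMA|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|phpmyadmin2

# Option:  failregex
# Notes.:  Regexp to match often probed and not available phpmyadmin paths.
#          <HOST> is the placeholder fail2ban replaces with its IP pattern; it
#          is mandatory — without it fail2ban cannot extract the client
#          address and refuses to load the filter. The %(name)s references are
#          fail2ban's own interpolation of the two keys above.
# Values:  TEXT
#
failregex = [[]client <HOST>[]] File does not exist: %(docroot)s/(?:%(badadmin)s)

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =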
# service fail2ban restart

写在最后,安装完 fail2ban 后请立即重启一次,确认默认规则能正常启动,这样后边配置完规则再出现无法启动时才好排查. 如果默认规则能启动而加了规则后起不来,先检查各条规则 logpath= 指向的日志文件在 /var/log/ 下是否存在、路径是否一致;路径不对就改 logpath,本机根本没有这个日志(对应的服务没装)就把这条规则的 enabled 改成 false——fail2ban 0.8 只要有一条已启用规则的 logpath 不存在就会拒绝启动. 然后再重启 fail2ban,一般就不会再报错了.

Apache和Lighttpd防盗链规则

星期三, 十二月 4th, 2013

原创内容,转载请注明出处:http://www.myzhenai.com.cn/post/1652.html http://www.myzhenai.com/thread-16092-1-1.html
Apache防盗链规则的用法:在网站根目录下新建一个.htaccess文件,将以下规则内容复制进去保存即可(前提是已加载 mod_rewrite,并且该目录的 AllowOverride 允许 FileInfo)..htaccess 是每次请求时读取的,改完不需要重启 httpd;只有同时改了主配置文件时才需要执行

service httpd restart
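RewriteEngine On
# Anti-hotlinking. Referer is a client-controlled header — and is blank for
# direct visits and privacy-conscious browsers, which the first condition
# lets through — so this limits bandwidth theft; it is not access control.
RewriteCond %{HTTP_REFERER} !^$ [NC]
# Each allowed site is anchored to the host part of the URL. The original
# unanchored "!myzhenai.com" also accepted http://evil.example/?myzhenai.com
RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?mybabya\.com(:[0-9]+)?(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?myzhenai\.com(:[0-9]+)?(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?myzhenai\.com\.cn(:[0-9]+)?(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?google\.com(:[0-9]+)?(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?google\.cn(:[0-9]+)?(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?tianya\.cn(:[0-9]+)?(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?haikou-china\.com(:[0-9]+)?(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?0898-shop\.com(:[0-9]+)?(/|$) [NC]
# Pattern and target must be on ONE line (the original was split across two).
# The extension is anchored with "\." and "$": the original ".(JPG|...|zip)"
# matched any character followed by e.g. "zip" anywhere in the path, so a page
# like /tips/zip-guide.html was redirected as well. [NC] already makes the
# match case-insensitive, so the upper-case duplicates are unnecessary
# ("jpge" was a typo). The target is itself a .gif on a site that may run the
# same rule: the hotlinker's browser follows the 302 with the original
# Referer, so exempt that one image there or it is refused too.
RewriteRule \.(jpe?g|png|bmp|gif|swf|rar|zip|mp3|wmv|wav|wma|flv)$ http://www.myzhenai.com.cn/myzhenai.gif [R,NC,L]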

/* RewriteRule 带了 [NC] 标志,匹配本身就不区分大小写,所以后缀不需要大小写各写一遍. 后边的图片链接是来路不在允许列表时跳转到的图片,需要绝对地址;注意这张图片自身所在的站点如果也启用了同样的防盗链规则,浏览器跟随跳转时带的仍是原来的来路,这张图片也会被拒绝,需要单独放行. 另外 Referer 是客户端可以随意填写或省略的头,这类规则只能减少盗链流量,不是访问控制. */

Lighttpd防盗链规则的用法:分别在 /etc/lighttpd/lighttpd.conf 和 /home/lighttpd/conf/domains/domains.conf 这两个配置文件里添加下面的规则,然后

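# "servcie" was a typo; the command would not be found.
service lighttpd restart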

即可.打开配置文件下的mod_access模块(找到这个,将前边的#号去掉保存就可以了.)
lighttpd官方的防盗链规则例子如下:

# deny access for all image stealers (anti-hotlinking for images)
# (lighttpd's own example. url.access-deny comes from mod_access, which has to
# be enabled in server.modules. Referer is client-controlled, so this deters
# casual hotlinking rather than enforcing access control.)
  $HTTP["referer"] !~ "^($|http://www\.example\.org)" {
    url.access-deny = ( ".jpg", ".jpeg", ".png" )
  }

以下这个是我修改过后的防盗链规则,因为我有多个域名,所以需要多个域名之间共享.

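# Deny these suffixes when the Referer names another site. Allowed: an empty
# Referer (direct visits, privacy tools — so this is a bandwidth measure, not
# access control) or a page on one of our domains, with or without a
# subdomain, http or https, optional port. The host is matched up to the first
# "/": the original "http://.*\." let ".*" run across the path, so a Referer
# like http://evil.example/x.myzhenai.com passed, while our own bare
# http://myzhenai.com/ (no subdomain) was denied.
$HTTP["referer"] !~ "^($|https?://([^/]+\.)?(mybabya\.com|myzhenai\.com|myzhenai\.com\.cn|haikou-china\.com)(:[0-9]+)?(/|$))" {
    url.access-deny = ( ".jpg",".jpeg",".png",".gif",".zip",".rar",".mp3",".mp4",".wmv",".mp2",".wma",".flv")
}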

或者

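# Same rule written as one alternative per domain. Every alternative must sit
# inside the outer "^( ... )" group: in the original each "($|http://...)"
# piece was a top-level alternative, so its bare "$" matched the end of ANY
# Referer, the regex always matched, "!~" was never true and nothing was
# ever denied. The host part is anchored as in the rule above.
$HTTP["referer"] !~ "^($|https?://([^/]+\.)?mybabya\.com(:[0-9]+)?(/|$)|https?://([^/]+\.)?myzhenai\.com(:[0-9]+)?(/|$)|https?://([^/]+\.)?myzhenai\.com\.cn(:[0-9]+)?(/|$)|https?://([^/]+\.)?haikou-china\.com(:[0-9]+)?(/|$))" {
    url.access-deny = ( ".jpg",".jpeg",".png",".gif",".zip",".rar",".mp3",".mp4",".wmv",".mp2",".wma",".flv")
}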

hostloc的圈圈曾说过 lighttpd 的防盗链规则只对图片有效,下载文件和音视频需要额外装东西. 实际上 url.access-deny 是按 URL 后缀匹配的,对任何后缀都有效,不限于图片,所以上面加的压缩包和音视频后缀同样生效.
需要注意的是上面“或者”那一条原来的写法是有问题的:各个 ($|http://...) 分支没有放在同一个 ^( ) 组里,单独的 $ 能匹配任何字符串的结尾,整个正则对任何来路都匹配,!~ 永远不成立,等于没有防盗链. 请使用修正后的写法,并用一个带外站 Referer 的请求实际验证一下.

网盘外链工具安装及疑难问题解决过程

星期日, 十月 6th, 2013

最早是使用了凉手抚温柔的网盘外链工具源码安装,但是在安装后却发现无法正常使用,因为我第一次安装的服务器是使用lighttpd解析环境的,所以开始以为是lighttpd的rewrite规则问题,还到处咨询其他网友rewrite规则的写法,但都没得到回应,所以自己动手写了一个,貌似规则是对的,但不知道为什么就是无法正常使用.转换不出来正确的外链地址,遇到的问题有几个,分别遇到以下的问题.这里详细描述问题并给出解决方法以方便以后遇到同样问题的朋友们解决,为这些问题我折腾了好多天.
1:“正在处理中,耐心等候,请不要着急…”
安装好程序后输入要转换的网盘文件分享地址,点击转换总是出现“正在处理中,耐心等候,请不要着急…”
2:转换出正确的网盘文件外链地址却无法打开.“500内部服务器错误”
有一天不知道怎么折腾,居然把程序折腾出可以正常转换网盘分享文件为绝对地址了,但是这个地址是无法打开的,返回“500内部服务器错误”提示.
3:转换出来的地址不正常
不知道又怎么折腾,程序转换出来的地址不是绝对地址了,得到的外链地址是在程序安装域名后加了两条斜杠.类似这样的地址 http://share.mybabya.com///
Liang’s Blog(凉手抚温柔):http://www.ifoouu.com/
Demo:http://share.ifoouu.com/
源码下载:http://www.ifoouu.com/note/68.html

Lighttpd的rewrite规则

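# Pretty URLs for the tool, mapped onto index.php. "(.*)" forwards whatever the
# client put in the path straight into the method/out_url parameters; the
# application, not these rules, has to validate them.
url.rewrite-once = (
"^/tools/(.*)" => "/index.php?action=tools&method=$1",
"^/xiami/(.*)" => "/index.php?action=tools&method=get&out_url=xiami/$1",
# "\." — the original unescaped dot matched any character before "mp3"
"^/st/([0-9]+)\.mp3" => "/index.php?action=tools&method=get&out_url=st/$1",
"^/s/([0-9]+)" => "/index.php?action=tools&method=get&out_url=st/$1",
"^/([0-9]+)/(.*)?$" =>"/index.php?action=tools&method=get&out_url=$1/$2"
)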

Nginx的rewrite规则

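# Long cache lifetime for static assets. A matching regex location takes
# precedence over the prefix "location /", so these never reach the rewrites.
location ~ .*\.(jpg|swf|png|gif|JPG|ico)$
{
expires      10y;
}
# Pretty URLs for the tool. "(.*)" hands the client-supplied path straight to
# index.php's method/out_url parameters; validation has to happen in the app.
location /
{
rewrite ^/tools/(.*)$ /index.php?action=tools&method=$1 last;
rewrite ^/xiami/(.*)$ /index.php?action=tools&method=get&out_url=xiami/$1 last;
# "\." — the original unescaped dot matched any character before "mp3"
rewrite ^/st/([0-9]+)\.mp3$ /index.php?action=tools&method=get&out_url=st/$1 last;
rewrite ^/([0-9]+)/(.*)$ /index.php?action=tools&method=get&out_url=$1/$2 last;
}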

Apache的rewrite规则

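RewriteEngine On
# Pretty URLs for the tool; patterns are relative to the .htaccess directory.
# "(.*)" hands the client-supplied path straight to the method/out_url
# parameters, so validation has to happen in index.php.
RewriteRule ^tools/(.*)$ index.php?action=tools&method=$1 [L]
RewriteRule ^xiami/(.*)$ index.php?action=tools&method=get&out_url=xiami/$1 [L]
# "\." — the original unescaped dot matched any character before "mp3"
RewriteRule ^st/([0-9]+)\.mp3$ index.php?action=tools&method=get&out_url=st/$1 [L]
RewriteRule ^([0-9]+)/(.*)$ index.php?action=tools&method=get&out_url=$1/$2 [L]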

在添加规则后,我发现问题仍然没有解决,又以为是我修改了程序的代码改错了的问题,于是又一遍一遍的检查代码,在确认代码没有问题后又以为是服务器上的问题,因为作者凉手抚温柔的安装说明里说需要安装Memcache缓存程序,跟着又在服务器上安装了Memcache程序和php的Memcache模块.安装模块后发现问题仍然没有解决,而到这一步我已经折腾了几天了.
于是我又找到了冻猫的另一个网盘外链工具源码,在最初的安装中也出现了类似前几天的一堆问题,但是这次冻猫提醒了我,他让我打开curl模块,因为程序需要这个模块来进行下一步操作.虽然说我同样也折腾了两三天,但最终还是安装成功了.
icycat(冻猫):http://www.icycat.com/
Demo:http://www.icycat.com/baidupan
源码下载:http://www.icycat.com/tech/85.html
Lighttpd的rewrite规则

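# A direct request for /index.php is folded back to "/"; every path that
# starts with "w" is handed to index.php as its query string.
url.rewrite-once = (
# "\." — the original unescaped dot matched any character before "php"
"^/index\.php$" => "/",
"^/(w.*)$" => "/index.php?$1",
)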

Nginx的rewrite规则

# NOTE(review): nginx has no "-" (no-substitution) target like Apache's
# "RewriteRule ^index\.php$ - [L]"; this line literally rewrites /index.php to
# the URI "/-". It looks droppable — the next rule only matches paths whose
# first character is "w", so it never touches /index.php anyway — but confirm
# with a live request for /index.php before removing it.
rewrite ^/index.php$ /- last;
# every path starting with "w" becomes index.php's query string
rewrite ^/(w.*)$ /index.php?$1 last;

Apache的rewrite规则

RewriteEngine On
RewriteBase /
# Serve /index.php itself untouched ("-" = no substitution) and stop.
RewriteRule ^index\.php$ - [L]
# Every path starting with "w" becomes index.php's query string.
RewriteRule ^(w.*)$ index.php?$1 [L]

打开 curl 函数的方法:在 php.ini 里找到 disable_functions = 这两行,只把其中的 curl_* 函数名从列表里删掉即可;不要整行用分号注释掉,那样会把该行里其他原本被禁用的函数一起放开,等于撤销了面板做的加固. 两个 php.ini 都要改(当前域名下的 php.ini 和 /etc/php.ini),改完重启 httpd 或 lighttpd 让 PHP 重新读取配置即可,不需要 reboot. 问题得到解决.
鸣谢:凉手抚温柔 冻猫 七目亥
演示:http://share.myzhenai.com http://share.myzhenai.com.cn http://share.haikou-china.com http://share.mybabya.com

CentosVPS服务器硬盘占用大的优化方法

星期一, 九月 3rd, 2012

原帖地址:http://www.myzhenai.com/thread-15065-1-1.html
起个标题这么难,难为要想着搜索引擎的感受. 我的VPS服务器是Centos5 安装了Kloxo,10G的硬盘空间,但莫名其妙的总是自动增加到3G多,因为那台服务器只安装了一个WordPress博客系统,上传的附件也不算太多,所以根本用不了这么些空间,于是以为是日志在作怪,便把所有统计日志与Kloxo日志都清除了并禁止产生,但还是会自动增加.没办法,只能自己折腾了,我看到Kloxo后台里有一个程序安装的功能,里边自带了好多的安装程序,这些都是我们平时用不着的,于是把它们删除了.确实清理出了不少文件.
用到的清理命令是使用SSH登录系统,然后执行以下命令.

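# (The leading "#" on every line of the original was the root prompt; pasted
# as-is it would have turned every command into a comment.)
# Sizes in KB so that "sort -n" orders them; "du -sh" output is not numeric.
du -sk * | sort -n
rm -rf /usr/local/lxlabs/kloxo/serverfile/tmp/*
# Wipes every process's scratch files, including unix sockets and caches that
# running daemons may still have open; anything that lived in /tmp has to be
# recreated, which the service restarts below take care of.
rm -rf /tmp/*
rm -f /home/admin/__processed_stats/*
rm -rf /home/kloxo/httpd/lighttpd/*
rm -rf /var/log/kloxo/*
rm -f /home/httpd/*/stats/*log
rm -rf /home/kloxo/httpd/installapp/*
# 3 drops the page cache, dentries and inodes. This frees RAM, not disk, and
# the kernel simply refills it. The original also wrote 0, which is not a
# valid drop_caches value and has no effect.
echo 3 > /proc/sys/vm/drop_caches
yum clean all
# RESET MASTER deletes every binary log and resets the index. Any replication
# slave still reading those logs breaks, and point-in-time recovery from the
# binlogs is gone. If this server does not need binlogs at all, turning off
# log-bin in my.cnf stops them from growing back.
mysql -u root -p -e 'RESET MASTER;'
service mysqld restart
service httpd restart
service lighttpd restart
# Nothing above needs a reboot; kept from the original procedure.
reboot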

命令注释:
#du -sh * | sort -n ‘查看哪些文件比较大,可以有选择的来删除占用大的文件
#rm -rf /usr/local/lxlabs/kloxo/serverfile/tmp/* ’删除Kloxo里的tmp临时文件
#rm -rf /tmp/* ‘删除系统临时文件
#rm -f /home/admin/__processed_stats/* ’删除系统日志文件,如果硬盘满了Mysql不能启动,首先想到的应该是执行这条命令
#rm -rf /home/kloxo/httpd/lighttpd/* ‘删除日志文件
#rm -rf /var/log/kloxo/* ’删除日志文件
#rm -f /home/httpd/*/stats/*log ‘删除日志文件
#rm -rf /home/kloxo/httpd/installapp/* ’删除installapp目录里的所有安装包文件.
#echo 3 > /proc/sys/vm/drop_caches ‘清理内存
#echo 0 > /proc/sys/vm/drop_caches ’清理内存
#yum clean all ‘删除yum更新或安装的所有包或下载文件
#mysql -u root -p ‘登录数据库(输入 root 密码)
输入密码登录后再执行:
#reset master; ’清空全部二进制日志(binlog)并重置索引——它不是清临时备份. 有从库的话会让复制中断,也会丢掉基于 binlog 的时间点恢复能力;如果本机根本不需要 binlog,在 my.cnf 里关掉 log-bin 更省事
#quit ‘mysql命令模式
#service mysqld restart ’重启Mysql数据库
#service httpd restart ‘重启apache
#service lighttpd restart ’重启Lighttpd
#reboot ‘重启系统

上图是我没清理前的VPS硬盘占用,下图是我执行清理后的硬盘占用.

关键字:Centos VPS Kloxo 日志 删除日志 Centos服务器优化 Kloxo优化 LinuxVPS优化

Kloxo环境下安装eAccelerator

星期日, 八月 12th, 2012

转载自:http://blog.vpswind.com/archive/104.html
eaccelerator-0.9.5.3:http://autosetup1.googlecode.com/files/eaccelerator-0.9.5.3.tar.bz2
eaccelerator-0.9.6.1:http://acelnmp.googlecode.com/files/eaccelerator-0.9.6.1.tar.bz2
在putty中执行以下命令,安装完成后,如果你是apache的就执行service httpd restart命令,如果你是使用lighttpd的,就执行service lighttpd restart命令,重启后可以在putty中执行 php -v 命令来查看.

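# "make" alone cannot build a PHP extension: phpize comes from php-devel and
# ./configure/make need a C compiler.
yum install -y make gcc php-devel
# Unsigned tarball over plain HTTP. Compare it against a checksum published by
# the project before building, or take the package from a signed repository.
wget http://autosetup1.googlecode.com/files/eaccelerator-0.9.5.3.tar.bz2
bzip2 -d   eaccelerator-0.9.5.3.tar.bz2
tar -xvf eaccelerator-0.9.5.3.tar
cd eaccelerator-0.9.5.3
phpize
./configure --enable-eaccelerator=shared --with-php-config=/usr/bin/php-config --with-eaccelerator-shared-memory
make
make install

# The original had "< <EOF", which is not a heredoc (it tries to read from a
# file literally named "<EOF"); the operator is "<<". The delimiter is quoted
# so nothing in the body is expanded by the shell.
cat >/etc/php.d/eaccelerator.ini <<'EOF'
extension="eaccelerator.so"
eaccelerator.shm_size="64"
eaccelerator.cache_dir="/var/cache/eaccelerator"
eaccelerator.enable="1"
eaccelerator.optimizer="1"
eaccelerator.check_mtime="1"
eaccelerator.debug="0"
eaccelerator.log_file = "/var/log/eaccelerator_log"
eaccelerator.filter=""
eaccelerator.shm_max="0"
eaccelerator.shm_ttl="0"
eaccelerator.shm_prune_period="0"
eaccelerator.shm_only="0"
eaccelerator.compress="1"
eaccelerator.compress_level="9"
eaccelerator.keys = "shm_and_disk"
eaccelerator.sessions = "shm_and_disk"
eaccelerator.content = "shm_and_disk"
EOF
# The cache (compiled bytecode, and with the settings above also session and
# content data) was under /tmp, which is world-writable and gets wiped by the
# "rm -rf /tmp/*" cleanup elsewhere on this page. The web server executes
# whatever bytecode it finds in this directory, so it must be owned by the
# user PHP runs as and closed to everyone else. "apache" is httpd's user on
# CentOS; use the lighttpd user instead if PHP runs under lighttpd.
mkdir -p /var/cache/eaccelerator
chown apache:apache /var/cache/eaccelerator
chmod 0700 /var/cache/eaccelerator
service httpd restart
service lighttpd restart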

php探针不显示服务器实时数据信息的解决方法

星期六, 八月 11th, 2012

方法有两种. 先说明一下:两种做法本质上都是放宽或关闭 open_basedir,而它是把 PHP 脚本限制在指定目录内读写文件的安全措施. 为了让探针显示 CPU/内存信息就对整个站点关闭它,意味着该站点下的任何 PHP 脚本(包括被攻破后上传的)都能读取 PHP 进程有权限访问的任意文件;在多用户的 Kloxo 主机上尤其要慎重. 更稳妥的做法是在 open_basedir 列表里追加 /proc,而不是整个去掉.
1: 打开Kloxo面板,在左侧控制导航里,依次打开域名 — 你的域名 — 网站 : apache — 其他设置,在 禁用Openbasedir 前打勾,然后保存.service httpd restart或service Lighttpd restart
2:可以尝试将proc目录的权限设置为默认的0555
在apache下修改方法
编辑“/home/httpd/域名/conf/kloxo.域名”这个文件。
比如,我绑定的域名是vvx.cc,那就编辑“/home/httpd/vvx.cc/conf/kloxo.vvx.cc”这个文件
删掉其中open_basedir部分的内容(一共有四处),然后重启service httpd restart,打开探针就会发现CPU信息和内存信息已经显示出来了。
在Lighttpd下修改方法
编辑/home/httpd/vvx.cc/php.ini
注释掉或删除open_basedir = /home/vvxcc::/tmp:/usr/share/pear:/home/httpd/vvx.cc:/var/lib/php/session:/home/kloxo/httpd/script:/home/httpd/vvx.cc/kloxoscript/
然后重启Lighttpd