Install LAMP on CentOS 6.5 及apache加固

原创

hj192837 2014-09-01 21:05:42 博主文章分类：Linux ©著作权

文章标签 centos lamp 文章分类 开源

©著作权归作者所有：来自51CTO博客作者hj192837的原创作品，请联系作者获取转载授权，否则将追究法律责任

yum -y install httpd mod_ssl mod_perl mod_auth_mysql mysql-server php php-mysql php-gd php-bcmath php-dba php-mbstring php-devel php-cli php-pdo php-mcrypt php-xml php-pecl-apc

vi /etc/php.ini

date.timezone = Asia/Shanghai
expose_php = Off
magic_quotes_gpc = Off
short_open_tag = On

vi /etc/httpd/conf/httpd.conf
ServerName x.x.x.x:80
ServerTokens Prod
ServerSignature Off
KeepAlive On
MaxKeepAliveRequests 1000

<IfModule prefork.c>
StartServers       25
MinSpareServers    50
MaxSpareServers   50
ServerLimit      2000
MaxClients       2000
MaxRequestsPerChild 10000
</IfModule>

service httpd start; chkconfig httpd on
service mysqld start; chkconfig mysqld on

安全措施：（这个只针对web server）

first you should setup EPEL repository:

yum -y install mod_security mod_evasive

cd /etc/httpd
mkdir crs
cd crs
wget https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master

(https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project)
tar xzf master
mv SpiderLabs-owasp-modsecurity-crs-ebe8790 owasp-modsecurity-crs
cd owasp-modsecurity-crs
cp modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

vi /etc/httpd/conf/httpd.conf
# add at the end of file
<IfModule security2_module>
Include crs/owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include crs/owasp-modsecurity-crs/base_rules/*.conf
</IfModule>

vi /etc/httpd/crs/owasp-modsecurity-crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf
comment line 98 to allow numeric IP address access

vi /etc/httpd/conf.d/mod_evasive.conf
<IfModule mod_evasive20.c>
    DOSHashTableSize    3097
    DOSPageCount        100
    DOSSiteCount        200
    DOSPageInterval     10
    DOSSiteInterval     60
    DOSBlockingPeriod   10
</IfModule>

hostname查看主机名

vi /etc/hosts添加主机名
ip-address hostname

service httpd restart

mod_security日志：/var/log/httpd
mod_evasive日志： /tmp

iptables并发数控制：
vi /etc/modprobe.d/xt_recent.conf
options xt_recent ip_list_tot=1024 ip_pkt_list_tot=200

modprobe xt_recent
iptables -I INPUT -p tcp --dport 80 -m state --state NEW -s <Exception-IP-Address> -j ACCEPT
iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 200 -j DROP
service iptables save
service iptables restart

/proc/net/xt_recent/

echo +addr >/proc/net/xt_recent/DEFAULT
    to add addr to the DEFAULT list
echo -addr >/proc/net/xt_recent/DEFAULT
    to remove addr from the DEFAULT list
echo / >/proc/net/xt_recent/DEFAULT
    to flush the DEFAULT list (remove all entries).

enable memcached for php on apache:
Enable EPEL repository
yum -y install memcached php-pecl-memcache
vi /etc/sysconfig/memcached
# Running on Port 11211
PORT="11211"

# Start as memcached daemon
USER="memcached"

# Set max simultaneous connections to 1024
MAXCONN="1024"

# Set Memory size to 2048 - 4GB(4096)
CACHESIZE="2048"

#Set server IP address
OPTIONS="-l 127.0.0.1"

service memcached start; chkconfig memcached on
service httpd restart

memcached-tool 127.0.0.1 stats

check web status:

vi httpcheck.sh

while true; do
   dns=`curl -o /dev/null -s -w %{http_code} www.xxx.com`
   echo "$(date) This is for DNS name,status code is $dns"
   if [ $dns -ne 200 ]; then
       echo "problem"
   fi
   ip=`curl -o /dev/null -s -w %{http_code} x.x.x.x `
        echo "$(date) This is for IP name,status code is $ip"
        if [ $ip -ne 200 ]; then
                echo "problem"
        fi
   sleep 60
done