January 2018

For historical reasons the program is configured to use only port 66 for FTP [Windows], but when changing the vsftpd port on [Linux],
non-root users are not allowed to bind ports below 1024.
Ways to stay compatible:
Either run as root [not an option]
Or forward the port [an option]

# Generated by iptables-save v1.4.7 on Fri Jan 26 10:13:42 2018
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 66 -j REDIRECT --to-ports 1024
#To make it work for the host itself (127.0.0.1) too, one more rule is needed
-A OUTPUT -p tcp --dport 66 -j REDIRECT --to-ports 1024
COMMIT
# Completed on Fri Jan 26 10:13:42 2018

The above is local forwarding; what follows is for remote forwarding.
Environment:
Server A: public IP XXX, internal IP 192.168.10.11
Server B: internal IP 192.168.10.15
Server C: internal IP 192.168.10.6 *Windows
Result:
From another computer, XXX:12059 shows Server B's web page
From another computer, Remote Desktop to XXX:12058 connects to Server C's Remote Desktop
On Server A itself, nc -v or curl does not work; from other machines it is fine

#Additional steps:
echo  1 > /proc/sys/net/ipv4/ip_forward  ##enable IP forwarding; takes effect immediately but not across reboots
#Persistent: vim /etc/sysctl.conf   ##set net.ipv4.ip_forward = 1
sysctl  -p   ##apply the configuration file

#Web forwarding test (to 40)
-I PREROUTING  -m tcp -p tcp --dport 12059  -j DNAT --to-destination 192.168.10.15:80
-I POSTROUTING -m tcp -p tcp --dport 80 -d 192.168.10.15 -j SNAT --to-source 192.168.10.11
#Forward Remote Desktop to 10.6
-I PREROUTING  -m tcp -p tcp --dport 12058  -j DNAT --to-destination 192.168.10.6:12058
-I POSTROUTING -m tcp -p tcp --dport 12058 -d 192.168.10.6 -j SNAT --to-source 192.168.10.11
#Local FTP forwarding
-A PREROUTING -p tcp -m tcp --dport 66 -j REDIRECT --to-ports 1024
-A OUTPUT -p tcp --dport 66 -j REDIRECT --to-ports 1024
COMMIT
# Completed on Mon Feb 26 11:21:52 2018
# Generated by iptables-save v1.4.7 on Mon Feb 26 11:21:52 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [333811:81462762]

#Required for remote forwarding
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -d 192.168.10.15 -p tcp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.10.6 -p tcp --dport 12058 -j ACCEPT
#----------
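The rules above are written out by hand for two services. The script below is an added example, not part of the original notes: it generates the same PREROUTING DNAT, POSTROUTING SNAT and FORWARD rules for any published service, validates the addresses and ports first, and refuses to apply anything while net.ipv4.ip_forward is still 0. The addresses are the page's own environment; the function names and the preview/apply modes are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the original notes: generate (and optionally apply) the
# NAT and FORWARD rules for one published service, generalising the hand-written
# rules above. The addresses below are the page's own environment; the function
# names and the 'preview'/'apply' modes are this example's assumptions.

# Accept only a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(printf '%s' "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# Accept only a TCP port in 1..65535.
is_port() {
    printf '%s' "$1" | grep -Eq '^[0-9]{1,5}$' && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Rules that publish BACKEND_IP:BACKEND_PORT on the gateway's PUBLIC_PORT.
# Usage: forward_rules PUBLIC_PORT BACKEND_IP BACKEND_PORT GATEWAY_INTERNAL_IP
forward_rules() {
    pub=$1; dst=$2; dport=$3; gw=$4
    if ! is_port "$pub" || ! is_ipv4 "$dst" || ! is_port "$dport" || ! is_ipv4 "$gw"; then
        echo "forward_rules: bad argument" >&2
        return 1
    fi
    # Rewrite the destination of new connections arriving on the public port.
    echo "iptables -t nat -A PREROUTING -p tcp --dport $pub -j DNAT --to-destination $dst:$dport"
    # Rewrite the source so the backend replies to the gateway, not to the client.
    echo "iptables -t nat -A POSTROUTING -p tcp -d $dst --dport $dport -j SNAT --to-source $gw"
    # The 'required for remote forwarding' part: let the flow through FORWARD.
    echo "iptables -A FORWARD -d $dst -p tcp --dport $dport -j ACCEPT"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Local-only variant of the page's port-66 -> 1024 vsftpd workaround.
# Usage: redirect_rules FROM_PORT TO_PORT
redirect_rules() {
    if ! is_port "$1" || ! is_port "$2"; then
        echo "redirect_rules: bad port" >&2
        return 1
    fi
    echo "iptables -t nat -A PREROUTING -p tcp --dport $1 -j REDIRECT --to-ports $2"
    # Also redirect connections the host makes to itself (127.0.0.1).
    echo "iptables -t nat -A OUTPUT -p tcp --dport $1 -j REDIRECT --to-ports $2"
}

# 0 when the kernel forwards packets (the sysctl the page enables), 1 otherwise.
ip_forward_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

case "${1:-}" in
    preview)
        forward_rules 12059 192.168.10.15 80 192.168.10.11
        forward_rules 12058 192.168.10.6 12058 192.168.10.11
        redirect_rules 66 1024 ;;
    apply)
        ip_forward_enabled || { echo "enable net.ipv4.ip_forward first" >&2; exit 1; }
        { forward_rules 12059 192.168.10.15 80 192.168.10.11
          forward_rules 12058 192.168.10.6 12058 192.168.10.11
          redirect_rules 66 1024; } | sh -e ;;
esac
```

Run it as `sh forward.sh preview` to see the rules, and as root with `apply` to load them; the rules are appended with -A, so they are not idempotent and should be followed by iptables-save once they work, as the page does.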

Elastic needs no further introduction; in one sentence, a powerful data-search middleware.

Install the JDK, but it has to be version 9.0

https://blog.pucipuci.cn/post/59.html

wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.1.2.tar.gz
tar -zxvf elasticsearch-6.1.2.tar.gz
mv elasticsearch-6.1.2 /usr/local/
#moved under /usr/local/
cd /usr/local/
cd elasticsearch-6.1.2

Install the web monitoring tool (optional)

Reference: https://www.elastic.co/downloads/x-pack

bin/elasticsearch-plugin install x-pack

vim config/elasticsearch.yml

network.host: 0.0.0.0
http.port: 9200

#Start
bin/elasticsearch
Caused by: java.lang.RuntimeException: can not run elasticsearch as root

Because Elasticsearch accepts and executes user-supplied scripts, it refuses to start as root for system security reasons,
so it is advisable to create a dedicated user just for running Elasticsearch.

groupadd es
useradd  esuser -g es -p GFdw#$%78Pokk   # note: -p expects an already-hashed (crypt) password; to set a plaintext one, run passwd esuser instead
chown -R esuser:es /usr/local/elasticsearch-6.1.2

su esuser

#start elasticsearch
bin/elasticsearch  -d #-d starts it in the background

ERROR: [4] bootstrap checks failed
[1]: max file descriptors [4096] for elasticsearch process is too low, increase to at least [65536]

Fix: switch to the root user and edit limits.conf, adding something like the following

vi /etc/security/limits.conf 

Add the following:

* soft nofile 65536
* hard nofile 131072
* soft nproc 2048
* hard nproc 4096
vi /etc/security/limits.d/90-nproc.conf

* soft nproc 1024
#change to
* soft nproc 4096
vi /etc/sysctl.conf 
Add the following setting:
vm.max_map_count=655360
and run:
sysctl -p

[4]: system call filters failed to install; check the logs and fix your configuration or disable system call filters at your own risk

Cause:
CentOS 6 does not support seccomp, while ES 5.2.0 checks bootstrap.system_call_filter, which defaults to true, so the check fails and that failure stops ES from starting.

Fix:
In config/elasticsearch.yml set bootstrap.system_call_filter to false; note that it goes under the Memory section:

bootstrap.memory_lock: false
bootstrap.system_call_filter: false

After the changes above, a fresh su login or a server reboot is needed for them to take effect

bin/elasticsearch  -d

Wait about half a minute; when started in the background there is little to see.
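Because a background start shows nothing, the bootstrap-check failures above are easy to miss. The script below is an added example, not part of the original notes: it checks the open-file limit, vm.max_map_count, the running user and the seccomp setting before bin/elasticsearch -d is run. The nofile threshold is the one from the page's error message; 262144 is the minimum Elasticsearch 6 itself enforces for vm.max_map_count (the page sets the larger 655360). ES_HOME defaulting to the page's install path and the function names are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the original notes: a preflight check for the
# Elasticsearch bootstrap checks the page fixes by hand. Assumptions: ES_HOME
# is the page's /usr/local/elasticsearch-6.1.2 unless overridden.

ES_NOFILE_MIN=65536            # from the page's "[1]: max file descriptors" error
ES_MAX_MAP_COUNT_MIN=262144    # minimum enforced by Elasticsearch 6.x
ES_HOME=${ES_HOME:-/usr/local/elasticsearch-6.1.2}

# 0 when CURRENT >= REQUIRED; 'unlimited' (ulimit output) always passes;
# non-numeric input is an error (status 2) rather than a pass.
meets_min() {
    current=$1; required=$2
    case $current in
        unlimited) return 0 ;;
        ''|*[!0-9]*) echo "meets_min: non-numeric value '$current'" >&2; return 2 ;;
    esac
    [ "$current" -ge "$required" ]
}

# 0 when an elasticsearch.yml on stdin has an active line disabling the seccomp
# filter (what the page needs on CentOS 6); reads stdin so it is testable.
syscall_filter_disabled() {
    grep -Eq '^[[:space:]]*bootstrap\.system_call_filter:[[:space:]]*false[[:space:]]*$'
}

# Run every check against the live system. Prints one line per check and
# returns the number of hard failures.
preflight() {
    failed=0

    nofile=$(ulimit -n)
    if meets_min "$nofile" "$ES_NOFILE_MIN"; then
        echo "ok   nofile=$nofile"
    else
        echo "FAIL nofile=$nofile (need $ES_NOFILE_MIN; edit /etc/security/limits.conf and log in again)"
        failed=$((failed+1))
    fi

    mmc=$(cat /proc/sys/vm/max_map_count 2>/dev/null || echo 0)
    if meets_min "$mmc" "$ES_MAX_MAP_COUNT_MIN"; then
        echo "ok   vm.max_map_count=$mmc"
    else
        echo "FAIL vm.max_map_count=$mmc (need $ES_MAX_MAP_COUNT_MIN; set it in /etc/sysctl.conf and run sysctl -p)"
        failed=$((failed+1))
    fi

    if [ "$(id -u)" -eq 0 ]; then
        echo "FAIL running as root; su to the dedicated user first"
        failed=$((failed+1))
    else
        echo "ok   running as $(id -un)"
    fi

    yml=$ES_HOME/config/elasticsearch.yml
    if [ -r "$yml" ] && ! syscall_filter_disabled < "$yml"; then
        echo "warn bootstrap.system_call_filter is not false (only needed on kernels without seccomp)"
    fi
    return "$failed"
}

if [ "${1:-}" = check ]; then
    preflight
fi
```

Run `sh es-preflight.sh check` as esuser right before starting Elasticsearch; a non-zero exit means at least one of the limits in the page's fix list has not taken effect for this login session yet.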

su root

#Open the port in the firewall
-A INPUT -p tcp -m state --state NEW -m tcp --dport 9200 -j ACCEPT

#Set the default passwords
bin/x-pack/setup-passwords auto

#Passwords were changed to

Changed password for user kibana
PASSWORD kibana = vypQ9$hSlI6-dtQ#uME@

Changed password for user logstash_system
PASSWORD logstash_system = V6?s@e#dBhKC^zQDrXma

Changed password for user elastic
PASSWORD elastic = r8DrvME^s7b6X@=*W*-g

Browser
http://192.168.1.146:9200/?pretty

Enter the username and password

{
  "name" : "corWxa7",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "kO48JzpwQYa9quJ1JpY9Xw",
  "version" : {
    "number" : "6.1.2",
    "build_hash" : "5b1fea5",
    "build_date" : "2018-01-10T02:35:59.208Z",
    "build_snapshot" : false,
    "lucene_version" : "7.1.0",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}

Boot-time startup script

Start ES at boot

es.sh

#!/bin/bash
su - esuser<<!
cd /usr/local/elasticsearch-6.1.2
./bin/elasticsearch &
exit
!

vim /etc/rc.d/rc.local

sh /shell/es.sh

Optional install: Kibana is an open-source analytics and visualization platform designed to work with Elasticsearch.

Download the latest Kibana archive for your operating system from the official site

wget https://artifacts.elastic.co/downloads/kibana/kibana-6.1.2-linux-x86_64.tar.gz
tar -zxvf kibana-6.1.2-linux-x86_64.tar.gz
mv kibana-6.1.2-linux-x86_64 /usr/local/kibana
cd /usr/local/kibana

vim config/kibana.yml

Set elasticsearch.url: "http://127.0.0.1:9200"

Run bin/kibana

log   [08:11:28.565] [info][listening] Server running at http://localhost:5601

Configure the IP so it can be reached from outside

vim config/kibana.yml

server.host: "192.168.1.146"

Port 5601 needs to be opened

Run in the background

nohup  bin/kibana &

Result

[screenshot: wanmei.jpg]

The purpose of the mpm-itk module is to let each site run as its own user; combined with Linux file-system permissions, this limits, to some extent, how far an attack on one site's directory can spread to the other sites.

wget http://mpm-itk.sesse.net/mpm-itk-2.4.7-04.tar.gz
tar -zxvf mpm-itk-2.4.7-04.tar.gz
cd mpm-itk-2.4.7-04
./configure --with-apxs=/usr/local/apache/bin/apxs
make 
make install

Output

chmod 755 /usr/local/apache/modules/mpm_itk.so

Add to httpd.conf

LoadModule mpm_itk_module modules/mpm_itk.so

Add to the virtual host configuration:

<IfModule mpm_itk_module>
AssignUserId user group
</IfModule>

Of course, the user has to be added first

useradd -s /sbin/nologin -g www -M abc


<VirtualHost *:80>
    ServerAdmin www.abc.com
    DocumentRoot "/home/public_html/default/"
    ServerName www.abc.com

        <IfModule mpm_itk_module>
                AssignUserId abc www
        </IfModule>

</VirtualHost>

Restart Apache: it dies

mpm-itk cannot use threaded MPMs; please use prefork.

MPM mode? with-mpm=prefork, since the current MPM is event

Delete the original source directory and re-extract

cd /usr/tmp/apr
 ./configure --prefix=/usr/local/apr   
make && make install


cd /usr/tmp/apr-util/
./configure --prefix=/usr/local/apr-util --with-apr=/usr/local/apr
make && make install

Go into the Apache source directory and recompile

./configure --prefix=/usr/local/apache --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr-util --with-pcre=/usr/local/pcre/  --with-mpm=prefork 
make && make install

/usr/local/apache/bin/apachectl start

/usr/local/apache/bin/apachectl -l

Compiled in modules:
  core.c
  mod_so.c
  http_core.c
  prefork.c

Then enable mpm-itk again

LoadModule mpm_itk_module modules/mpm_itk.so

Notes:
1. Once mpm-itk is configured, the process runs as root
2. The users configured for the different sites must be added with useradd
3. When setting permissions for the different sites, it is best to deny read, write and execute to the group and to others for good permission isolation, i.e. 700
4. On running the process as root: personally I think only root can have permission authority over all sites, directories and users.
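Notes 2 and 3 above are the part that actually delivers the isolation: a user per site and a document root nobody else can read. The script below is an added example, not part of the original notes: it creates the site user the way the page does, locks the document root down to owner-only permissions, prints the matching vhost fragment, and audits an existing tree for anything another site user could still read or write. The group www and the /home/public_html/<site>/ layout are the page's; the function names and the audit output format are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the original notes: per-site user setup and a
# permission audit for the mpm-itk layout described above. Assumptions: group
# 'www' exists and document roots live under /home/public_html/<site>/.

# Octal permission bits of a path (GNU stat, falling back to BSD stat).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Owner name of a path.
owner_of() {
    stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}

# 0 when MODE (octal string such as 700 or 600) grants nothing to group or others.
owner_only() {
    case $1 in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Print every entry under DIR that is readable/writable by group or others, or
# that is not owned by USER. Prints nothing when the tree is clean.
audit_site_dir() {
    dir=$1; user=$2
    find "$dir" -print | while IFS= read -r p; do
        mode=$(perm_of "$p")
        owner=$(owner_of "$p")
        if ! owner_only "$mode" || [ "$owner" != "$user" ]; then
            echo "FIX $p mode=$mode owner=$owner"
        fi
    done
}

# 0 when audit_site_dir reports nothing.
site_dir_clean() {
    [ -z "$(audit_site_dir "$1" "$2")" ]
}

# Create the site user (no shell, no home) and lock down its document root:
# 700 on directories, 600 on files, executables keep their x bit. Needs root.
setup_site() {
    site=$1; group=${2:-www}; root=/home/public_html/$site
    id "$site" >/dev/null 2>&1 || useradd -s /sbin/nologin -g "$group" -M "$site"
    mkdir -p "$root"
    chown -R "$site:$group" "$root"
    chmod -R u=rwX,go= "$root"
}

# The vhost fragment that ties the site to that user under mpm-itk.
vhost_fragment() {
    site=$1; group=${2:-www}
    cat <<EOF
<VirtualHost *:80>
    ServerName $site
    DocumentRoot "/home/public_html/$site/"
    <IfModule mpm_itk_module>
        AssignUserId $site $group
    </IfModule>
</VirtualHost>
EOF
}

case "${1:-}" in
    setup) setup_site "$2" "${3:-www}" && vhost_fragment "$2" "${3:-www}" ;;
    audit) audit_site_dir "$2" "$3" ;;
esac
```

`sh site.sh setup abc` creates user abc and prints the vhost block to paste into httpd.conf; `sh site.sh audit /home/public_html/abc abc` lists anything that drifted from the 700/600 layout, for example files uploaded by a deploy tool running as a different user.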

Appendix: Apache + PHP 7 deployment log

groupadd www
useradd -s /sbin/nologin -g www -M www

yum -y install make gcc gcc-c++ gcc-g77 flex bison file libtool libtool-libs autoconf kernel-devel libjpeg libjpeg-devel libpng libpng-devel libpng10 libpng10-devel gd gd-devel freetype freetype-devel libxml2 libxml2-devel zlib zlib-devel glib2 glib2-devel bzip2 bzip2-devel libevent libevent-devel ncurses ncurses-devel curl curl-devel e2fsprogs e2fsprogs-devel krb5 krb5-devel libidn libidn-devel openssl openssl-devel gettext gettext-devel ncurses-devel gmp-devel pspell-devel unzip libcap lsof cmake automake autoconf zlib zlib-devel glibc glibc-devel glib2 libxml glib2-devel libxml2 libxml2-devel bzip2 bzip2-devel libXpm libXpm-devel libidn libidn-devel libtool libtool-ltdl-devel* libmcrypt libmcrypt-devel libevent-devel libmcrypt* curl curl-devel perl perl-Net-SSLeay pcre pcre-devel openldap openldap-devel openldap-clients openldap-servers libjpeg libpng libjpeg-devel libjpeg-6b libjpeg-devel-6b libpng-devel libtiff-devel freetype freetype-devel gd gd-devel

wget http://nchc.dl.sourceforge.net/project/pcre/pcre/8.34/pcre-8.34.tar.gz
tar -zxvf pcre-8.34.tar.gz
cd pcre-8.34
./configure
make && make install

cd ../

wget --no-check-certificate https://mirrors.aliyun.com/apache/apr/apr-1.6.3.tar.gz
wget --no-check-certificate https://mirrors.aliyun.com/apache/apr/apr-util-1.6.1.tar.gz
wget --no-check-certificate https://mirrors.aliyun.com/apache/httpd/httpd-2.4.29.tar.gz

tar -zxvf apr-1.6.3.tar.gz
tar -zxvf apr-util-1.6.1.tar.gz
tar -zxvf httpd-2.4.29.tar.gz

cp ./apr-1.6.3 ./httpd-2.4.29/srclib/apr -r
cp ./apr-util-1.6.1 ./httpd-2.4.29/srclib/apr-util -r
cd httpd-2.4.29

./configure --prefix=/usr/local/apache --with-included-apr=/usr/lib64 --with-pcre=/usr/local/pcre/


yum install expat-devel

make  
make && make install

wget http://ftp.gnu.org/pub/gnu/libiconv/libiconv-1.14.tar.gz
tar zxvf libiconv-1.14.tar.gz
cd libiconv-1.14
./configure --prefix=/usr/local/libiconv
make && make install


cd ../

wget http://nchc.dl.sourceforge.net/project/mhash/mhash/0.9.9.9/mhash-0.9.9.9.tar.gz
tar -zxvf  mhash-0.9.9.9.tar.gz
cd mhash-0.9.9.9
./configure
make && make install
cd ../



cd ../
wget http://cn2.php.net/distributions/php-7.2.1.tar.gz
tar -zxvf php-7.2.1.tar.gz
cd php-7.2.1

./configure --prefix=/usr/local/php --with-libxml-dir=/usr/local/libxml2 --with-apxs2=/usr/local/apache/bin/apxs --with-mysql=mysqlnd --with-mysqli=mysqlnd --with-pdo-mysql=mysqlnd --with-iconv-dir --with-freetype-dir --with-jpeg-dir --with-png-dir --with-zlib --with-libxml-dir=/usr --enable-xml --disable-rpath --enable-magic-quotes --enable-safe-mode --enable-bcmath --enable-shmop --enable-sysvsem --enable-inline-optimization --with-curl --with-curlwrappers --enable-mbregex --enable-mbstring --with-mcrypt --enable-ftp --with-gd --enable-gd-native-ttf --with-openssl --with-mhash --enable-pcntl --enable-sockets --with-xmlrpc --enable-zip --enable-soap --without-pear --with-gettext --disable-fileinfo --enable-maintainer-zts

make 
make install

cp php.ini-development /usr/local/php/lib/php.ini

cd /usr/local/apache
cd conf
vim httpd.conf

Add next to the other LoadModule lines

LoadModule php7_module modules/libphp7.so
Append at the end
<FilesMatch \.php$>
    SetHandler application/x-httpd-php
</FilesMatch>

/usr/local/apache/bin/apachectl start

Installing the Redis extension for PHP
The following steps are done inside the downloaded phpredis directory:

$ wget https://github.com/phpredis/phpredis/archive/3.1.4.tar.gz
$ tar -zxvf 3.1.4.tar.gz                 # extract the archive
$ cd phpredis-3.1.4                      # enter the phpredis directory
$ /usr/local/php/bin/phpize              # path where php was installed
$ ./configure --with-php-config=/usr/local/php/bin/php-config
$ make && make install
Edit the php.ini file
vi /usr/local/php/lib/php.ini
Add the following:

extension_dir = "/usr/local/php/lib/php/extensions/no-debug-zts-20090626"

extension=redis.so

----------------------------


Set the Apache user to www

wget http://luajit.org/download/LuaJIT-2.1.0-beta3.tar.gz
tar -zxvf LuaJIT-2.1.0-beta3.tar.gz
cd LuaJIT-2.1.0-beta3
make && make install
export LUAJIT_LIB=/usr/local/lib
export LUAJIT_INC=/usr/local/include/luajit-2.1
export LD_LIBRARY_PATH=/usr/local/lib:$LD_LIBRARY_PATH
wget https://codeload.github.com/simpl/ngx_devel_kit/zip/master
wget https://codeload.github.com/openresty/lua-nginx-module/zip/master

Unzip them

Go into the nginx source directory
Recompile

./configure --prefix=/usr/local/nginx \
--user=www \
--group=www \
--with-mail \
--with-mail_ssl_module \
--with-http_ssl_module \
--with-http_flv_module \
--with-http_dav_module \
--with-http_sub_module \
--with-http_realip_module \
--with-http_addition_module \
--with-http_gzip_static_module \
--with-http_stub_status_module \
--with-pcre \
--add-module=/usr/tmp/naxsi-master/naxsi_src/ \
--add-module=/usr/tmp/ngx_devel_kit-master/ \
--add-module=/usr/tmp/lua-nginx-module-master/

make && make install


Stoping nginx... /usr/local/nginx/sbin/nginx: error while loading shared libraries: libluajit-5.1.so.2: cannot open shared object file: No such file or directory
 failed. Use force-quit
Starting nginx... nginx (pid ) already running.
[root@localhost nginx-1.13.8]# cat /etc/ld.so.conf
include ld.so.conf.d/*.conf
[root@localhost nginx-1.13.8]# echo "/usr/local/lib" >> /etc/ld.so.conf
[root@localhost nginx-1.13.8]# ldconfig
[root@localhost nginx-1.13.8]# service nginx restart
Stoping nginx...  done
Starting nginx...  done
[root@localhost nginx-1.13.8]# 

ngx_lua_waf firewall configuration
https://github.com/loveshell/ngx_lua_waf

Installing the mod_rpaf module in Apache to get the real visitor IP behind a proxy

Module's GitHub: https://github.com/gnif/mod_rpaf/

Download and compile

wget -O mod_rpaf.zip https://github.com/gnif/mod_rpaf/archive/stable.zip
unzip mod_rpaf.zip
cd mod_rpaf-stable
/usr/local/apache/bin/apxs -i  -c -n mod_rpaf.so mod_rpaf.c

Note where the compiled .so file ends up

chmod 755 /usr/local/apache/modules/mod_rpaf.so

The configuration can go either in httpd.conf or in the virtual host configuration

<VirtualHost *:80>

        LoadModule              rpaf_module modules/mod_rpaf.so
        RPAF_Enable             On
        RPAF_ProxyIPs           proxy_ip proxy_ip2
        RPAF_SetHostName        On
        RPAF_SetHTTPS           On
        RPAF_SetPort            On
        RPAF_ForbidIfNotProxy   Off

        ServerAdmin www.test.com
        DocumentRoot "/home/public_html/test/"
        ServerName www.test.com
</VirtualHost>

The configuration can also be placed globally in httpd.conf

#ben 20180204 take the client address passed on by the proxy and set it as remote_addr
LoadModule rpaf_module modules/mod_rpaf.so

<IfModule mod_rpaf.c>
        RPAF_Enable             On
        RPAF_ProxyIPs           proxy_ip proxy_ip2
        RPAF_SetHostName        On
        RPAF_SetHTTPS           On
        RPAF_SetPort            On
        RPAF_ForbidIfNotProxy   Off

</IfModule>

If logging matters, the IP in the log format must be changed too (the inner quotes have to be escaped with backslashes, or Apache rejects the directive)
LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b" common

For now I cannot be certain whether using {X-Forwarded-For} as the logged IP is one hundred percent safe for the system; personally I think it is just a string.

But if unsure, use some other custom header instead.

This module mainly reads X-Forwarded-For and uses it as the replacement address.

To prevent attacks based on X-Forwarded-For,
nginx must overwrite this value:

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;   # appends the real peer to whatever the client sent

proxy_set_header X-Forwarded-For $remote_addr;   # overwrites the header with the real peer address

The full configuration:

server {
        listen  80;
        rewrite_log on;
        server_name  www.test.com;
        access_log  /home/public_html/test/access.log;
        error_log /home/public_html/test/error.log debug;
        location / {
                proxy_store off;
                proxy_redirect off;
                #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header Host $host;
                proxy_pass http://backend_ip;
        }
}


Test by modifying the X-Forwarded-For header in Firefox.
When the name resolves directly to the server, bypassing the proxy,
mod_rpaf is not triggered; only requests that come through the proxy server
trigger the mod_rpaf module's functionality.

RPAF_ProxyIPs proxy_ip
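The Firefox test above works because of two trust decisions: mod_rpaf only believes the header when the TCP peer is in RPAF_ProxyIPs, and nginx overwrites the header with $remote_addr so the client's own value never reaches Apache. The script below is an added example, not part of the original notes: it writes that trust model out as a function so the edge cases (untrusted peer, several proxy hops, a header that is not an IP at all) can be checked, and it verifies that an nginx config has the overwriting proxy_set_header line active rather than commented out. It mirrors the trust model, not mod_rpaf's exact parsing code; the addresses and function names are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the original notes: the trust decision behind
# RPAF_ProxyIPs and the nginx X-Forwarded-For overwrite, written so it can be
# tested. This is the trust model, not mod_rpaf's own code. Addresses below are
# constructed sample values.

# Client address to log, given the TCP peer, the raw X-Forwarded-For header and
# the space-separated trusted proxy list (the RPAF_ProxyIPs value).
# Usage: client_ip PEER XFF "PROXY1 PROXY2 ..."
client_ip() {
    peer=$1; xff=$2; proxies=$3

    # A peer that is not one of our proxies may have typed the header itself
    # (the Firefox test above), so the header is ignored entirely.
    trusted=0
    for p in $proxies; do
        [ "$p" = "$peer" ] && trusted=1
    done
    if [ "$trusted" -ne 1 ]; then
        echo "$peer"
        return 0
    fi

    # Keep the rightmost entry that is not one of our own proxies: that is the
    # address the nearest trusted proxy actually saw on its TCP connection.
    candidate=""
    for hop in $(printf '%s' "$xff" | tr ',' ' '); do
        skip=0
        for p in $proxies; do
            [ "$p" = "$hop" ] && skip=1
        done
        [ "$skip" -eq 0 ] && candidate=$hop
    done

    # The header is untrusted text: only a dotted quad is accepted, anything
    # else falls back to the peer so it never lands in the access log as an IP.
    if printf '%s' "$candidate" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        echo "$candidate"
    else
        echo "$peer"
    fi
}

# 0 when an nginx config on stdin has an active (uncommented) line that
# overwrites X-Forwarded-For with $remote_addr, as the page requires in front
# of mod_rpaf; a commented-out line or $proxy_add_x_forwarded_for does not count.
nginx_overwrites_xff() {
    grep -Eq '^[[:space:]]*proxy_set_header[[:space:]]+X-Forwarded-For[[:space:]]+\$remote_addr[[:space:]]*;'
}

case "${1:-}" in
    resolve) client_ip "$2" "$3" "$4" ;;
    check)   nginx_overwrites_xff < "$2" && echo "ok: X-Forwarded-For is overwritten" \
                 || { echo "FAIL: X-Forwarded-For is not overwritten in $2" >&2; exit 1; } ;;
esac
```

`sh xff.sh check /usr/local/nginx/conf/nginx.conf` confirms the proxy side of the page's setup; `sh xff.sh resolve 203.0.113.9 '198.51.100.7' '192.168.10.11'` shows that a header arriving from a non-proxy peer is simply ignored, which is the behaviour the Firefox test observes.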