Objective:
The organization needs a web server so that every department in the organization has a web site to use, with 5 GBytes of space each.
Specifications of the machine used:
CPU: Intel(R) Xeon(R) CPU E5405 @ 2.00GHz (1995.01-MHz 686-class CPU)
Origin = "GenuineIntel" Id = 0x1067a Stepping = 10
Ram 2G
Hard disk: IDE 500G and 250G, two drives
The first drive (500G) holds /, swap and /backups
The second drive (250G) holds /var, /tmp, /usr and /usr/local
LAN card: 1 (onboard)
Partitions are laid out as follows:
www# df
Filesystem 1K-blocks Used Avail Capacity Mounted on
/dev/ad5s1a 507630 146844 320176 31% /
devfs 1 1 0 100% /dev
/dev/ad7s1g 400913540 16644420 352196038 5% /backups
/dev/ad7s1e 1012974 12 931926 0% /tmp
/dev/ad7s1f 10154158 1150928 8190898 12% /usr
/dev/ad5s1d 231978828 4 213420518 0% /usr/local
/dev/ad7s1d 60931274 1066 56055708 0% /var
www#
Programs to install:
1. Edit the necessary files
2. Compile the kernel to support Firewall and Quota
3. Update the ports tree
4. Install the firewall
5. Set up quotas
6. Install mysql50-server
7. Install Apache22
8. Install PHP5
9. Install PHP5-extensions
10. Install ZendOptimizer
11. Install webmin
12. Install phpmyadmin
13. Install vsftp
14. Install awstats
15. Install ntp
16. Install clamav
17. Install hostsentry
18. Install portsentry
19. Install lynx
20. Install phpbb3
21. Install denyhosts
22. Back up the web site
The installation procedure can be studied from:
http://bsd.psru.ac.th/microcom/micro240/install53_1.pdf
http://bsd.psru.ac.th/microcom/micro240/install53_2.pdf
Welcome to FreeBSD!
o Security advisories and updated errata information for all releases are
at http://www.FreeBSD.org/releases/ - always consult the ERRATA section
for your release first as it's updated frequently.
$ su root
Password:
www#
www# vi /boot/defaults/loader.conf
##############################################################
### Loader settings ########################################
##############################################################
Also edit sshd_config so that only the user named sermpan is allowed to log in over Secure Shell:
www# vi /etc/ssh/sshd_config
# Authentication:
AllowUsers sermpan
#LoginGraceTime 2m
#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
cpu I486_CPU
cpu I586_CPU
cpu I686_CPU
#ident GENERIC
ident PH
www# pwd
/usr/src/sys/i386/conf
www# ll
total 82
-rw-r--r-- 1 root wheel 13 Jun 20 2005 .cvsignore
-rw-r--r-- 1 root wheel 534 Apr 15 10:14 DEFAULTS
-rw-r--r-- 1 root wheel 12472 Apr 15 10:14 GENERIC
-rw-r--r-- 1 root wheel 1745 Apr 15 10:14 GENERIC.hints
-rw-r--r-- 1 root wheel 1034 Apr 15 10:14 MAC
-rw-r--r-- 1 root wheel 131 Apr 15 10:14 Makefile
-rw-r--r-- 1 root wheel 38891 Apr 15 10:14 NOTES
-rw-r--r-- 1 root wheel 2016 Apr 15 10:14 PAE
-rw-r--r-- 1 root wheel 12786 Aug 12 16:51 PH
-rw-r--r-- 1 root wheel 3539 Apr 15 10:14 XBOX
www# config PH
Kernel build directory is ../compile/PH
Don't forget to do ``make cleandepend && make depend''
www# cd ../compile/PH
www# make depend ; make ; make install
.
.
.
===> zyd (install)
install -o root -g wheel -m 555 if_zyd.ko /boot/kernel
install -o root -g wheel -m 555 if_zyd.ko.symbols /boot/kernel
kldxref /boot/kernel
www#
www# reboot
Welcome to FreeBSD!
When asked about cvsup, also select X11 (or just leave the default), because installing some programs needs the X11 libraries; if X11 is not selected, compiling some programs will end in a Fatal error.
When asked about perl, we select DEBUGGING, GDBM, PERL_MALLOC, PERL_64BITINT, THREADS, SUIDPERL and USE_PERL.
www#
Then copy the ports-supfile file to /tmp and select the port collections you want to update:
# If you seem to be limited by CPU rather than network or disk bandwidth, try
# commenting out the following line. (Normally, today's CPUs are fast enough
# that you want to run compression.)
*default compress
## Ports Collection.
#
# The easiest way to get the ports tree is to use the "ports-all"
# mega-collection. It includes all of the individual "ports-*"
# collections,
#ports-all
#ports-mbone
ports-misc
#ports-multimedia
ports-net
ports-net-im
ports-net-mgmt
ports-net-p2p
#ports-news
#ports-palm
#ports-polish
ports-ports-mgmt
#ports-portuguese
ports-print
#ports-russian
#ports-science
ports-security
ports-shells
ports-sysutils
ports-textproc
#ports-ukrainian
#ports-vietnamese
ports-www
ports-x11
ports-x11-clocks
ports-x11-drivers
ports-x11-fm
ports-x11-fonts
ports-x11-servers
ports-x11-themes
ports-x11-toolkits
ports-x11-wm
*default host=cvsup1.FreeBSD.org
http://www.freebsd.org/doc/en/books/handbook/cvsup.html#CVSUP-MIRRORS
Then run it with the same command as before.
Having compiled the kernel to support Firewall and Quota, the next step is setting up the firewall.
Add the lines below (the first two go in /etc/rc.conf; the rest form the script /backups/ipfw.rules named there):
firewall_enable="YES"
firewall_script="/backups/ipfw.rules"
IPF="ipfw -q add"
ipfw -q -f flush
#loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag
# statefull
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any
# port 20 = ftp-data
#$IPF 90 allow tcp from any to any 20 in
#$IPF 100 allow tcp from any to any 20 out
# port 21 = ftp
$IPF 110 allow tcp from any to any 21 in
$IPF 120 allow tcp from any to any 21 out
# port 22 = ssh
$IPF 130 allow tcp from any to any 22 in
$IPF 140 allow tcp from any to any 22 out
# telnet port=23
#$IPF 150 allow tcp from any to any 23 in
#$IPF 160 allow tcp from any to any 23 out
# smtp port=25
#$IPF 170 allow tcp from any to any 25 in
#$IPF 180 allow tcp from any to any 25 out
# nameserver port=42
#$IPF 190 allow tcp from any to any 42 in
#$IPF 200 allow tcp from any to any 42 out
# domain port=53
#$IPF 210 allow udp from any to any 53 in
#$IPF 220 allow udp from any to any 53 out
# tftp port=69
#$IPF 230 allow tcp from any to any 69 in
#$IPF 240 allow tcp from any to any 69 out
# finger port=79
#$IPF 250 allow tcp from any to any 79 in
#$IPF 260 allow tcp from any to any 79 out
# http port=80
$IPF 270 allow tcp from any to any 80 in
$IPF 280 allow tcp from any to any 80 out
# pop3 port=110
#$IPF 290 allow tcp from any to any 110 in
#$IPF 300 allow tcp from any to any 110 out
# webmin port=10000
$IPF 310 allow tcp from any to any 10000 in
$IPF 320 allow tcp from any to any 10000 out
www# sh /backups/ipfw.rules
Type the following command:
www# ipfw list
00010 allow ip from any to any via lo0
00020 deny ip from any to 127.0.0.0/8
00030 deny ip from 127.0.0.0/8 to any
00040 deny tcp from any to any frag
00050 check-state
00060 allow tcp from any to any established
00070 allow ip from any to any out keep-state
00080 allow icmp from any to any
00110 allow tcp from any to any dst-port 21 in
00120 allow tcp from any to any dst-port 21 out
00130 allow tcp from any to any dst-port 22 in
00140 allow tcp from any to any dst-port 22 out
00270 allow tcp from any to any dst-port 80 in
00280 allow tcp from any to any dst-port 80 out
00310 allow tcp from any to any dst-port 10000 in
00320 allow tcp from any to any dst-port 10000 out
00500 deny log logamount 120 ip from any to any
65535 allow ip from any to any
www#
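Added example, not part of the original guide: a small shell audit for a rules script in the form shown above. It lists the TCP ports the active rules admit inbound, checks whether the script itself ends in a deny (the ipfw list output shows a rule 00500 deny log that the script excerpt above does not contain; without it, unmatched traffic falls through to kernel rule 65535, which here is allow ip from any to any), and points out rule 60, whose established keyword matches any TCP segment with ACK or RST set rather than only replies to connections this host opened, so the per-port rules only govern connection setup. The sample ruleset is constructed from the guide's rules; file paths are assumptions.

```shell
# Added example, not part of the original guide: audit an ipfw rules script
# written in the "$IPF NNN action proto from any to any PORT in" style above.
# The sample ruleset is constructed from the guide's rules; paths are assumptions.

# Write the constructed sample ruleset to the file named in $1.
write_sample_rules() {
    cat >"$1" <<'EOF'
IPF="ipfw -q add"
ipfw -q -f flush
$IPF 10 allow all from any to any via lo0
$IPF 40 deny tcp from any to any frag
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
#$IPF 90 allow tcp from any to any 20 in
$IPF 110 allow tcp from any to any 21 in
$IPF 130 allow tcp from any to any 22 in
$IPF 270 allow tcp from any to any 80 in
$IPF 310 allow tcp from any to any 10000 in
EOF
}

# Print the destination TCP ports that active (uncommented) rules allow
# inbound, sorted and space separated, e.g. "21 22 80 10000".
ipfw_inbound_tcp_ports() {
    awk '
        /^[[:space:]]*#/ { next }
        $2 ~ /^[0-9]+$/ && $3 == "allow" && $4 == "tcp" && $NF == "in" { print $(NF - 1) }
    ' "$1" | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Succeed only if the last active numbered rule is a deny: then the script
# closes the policy itself instead of relying on kernel rule 65535, which on
# this host is "allow ip from any to any".
ipfw_has_final_deny() {
    awk '
        /^[[:space:]]*#/ { next }
        $2 ~ /^[0-9]+$/ { last = $3 }
        END { if (last == "deny") exit 0; exit 1 }
    ' "$1"
}

# Print the numbers of rules that match on "established". Such a rule matches
# any TCP segment with ACK or RST set, not only replies to connections this
# host opened, so the per-port rules above only constrain connection setup;
# check-state/keep-state alone give the same convenience without that gap.
ipfw_established_rules() {
    awk '!/^[[:space:]]*#/ && $NF == "established" { print $2 }' "$1" | tr '\n' ' ' | sed 's/ $//'
}

# Run the three checks over the sample and report.
ipfw_audit_demo() {
    f=$(mktemp -t ipfw.XXXXXX)
    write_sample_rules "$f"
    echo "inbound TCP ports allowed: $(ipfw_inbound_tcp_ports "$f")"
    if ipfw_has_final_deny "$f"; then
        echo "script ends in an explicit deny: yes"
    else
        echo "script ends in an explicit deny: no (add e.g. \$IPF 500 deny log ip from any to any)"
    fi
    echo "rules relying on established: $(ipfw_established_rules "$f")"
    rm -f "$f"
}
```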
The next step is setting up quota.
www# cd /etc/
www# vi fstab
enable_quotas="YES"
check_quotas="YES"
Then reboot:
www# reboot
www# quotacheck -a
www# quotaon -a
www# quota -v sermpan
Disk quotas for user sermpan (uid 1002):
Filesystem usage quota limit grace files quota limit grace
/usr/local 0 0 0 0 0 0
www# edquota -u sermpan
Quotas for user sermpan:
/usr/local: kbytes in use: 0, limits (soft = 1044480, hard = 1048576)
inodes in use: 1, limits (soft = 0, hard = 0)
www#
www# edquota -t
Time units may be: days, hours, minutes, or seconds
Grace period before enforcing soft limits for users:
/var/mail: block grace period: 7 days, file grace period: 7 days
www# edquota -p sermpan `awk -F: '$3 > 1003 {print $1}' /etc/passwd`
www#
************************************************************************
install-info --quiet /usr/local/info/mysql.info /usr/local/info/dir
===> Installing rc.d startup script(s)
===> Compressing manual pages for mysql-server-5.0.84
===> Registering installation for mysql-server-5.0.84
===> SECURITY REPORT:
This port has installed the following files which may act as network
servers and may therefore pose a remote security risk to the system.
/usr/local/bin/ndb_drop_table
/usr/local/bin/ndb_delete_all
/usr/local/libexec/ndbd
/usr/local/bin/ndb_restore
/usr/local/libexec/ndb_mgmd
/usr/local/bin/ndb_select_all
/usr/local/bin/ndb_drop_index
/usr/local/bin/ndb_desc
/usr/local/bin/ndb_show_tables
/usr/local/lib/mysql/libndbclient.so.2
/usr/local/bin/ndb_waiter
/usr/local/libexec/mysqld
/usr/local/libexec/ndb_cpcd
/usr/local/bin/ndb_select_count
This port has installed the following startup scripts which may cause
these network services to be started at boot time.
/usr/local/etc/rc.d/mysql-server
www# vi /etc/rc.conf
Add the following line:
mysql_enable="YES"
www# reboot
After the machine reboots, log in. The first thing to do is set a password for logging in to the database:
Welcome to FreeBSD!
$ su root
Password:
www# /usr/local/bin/mysqladmin -u root password ppppp
www# mysql -u root mysql -p
Enter password:
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> \q
Bye
www#
When prompted about apr-ipv6-gdbm-db42:
This port has installed the following files which may act as network
servers and may therefore pose a remote security risk to the system.
/usr/local/libexec/apache22/mod_cgid.so
This port has installed the following startup scripts which may cause
www# vi /etc/rc.conf
Add the following line:
apache22_enable="YES"
Save and exit vi.
***************************************************************
***************************************************************
===> Compressing manual pages for php5-5.2.10
===> Registering installation for php5-5.2.10
===> SECURITY REPORT:
This port has installed the following files which may act as network
servers and may therefore pose a remote security risk to the system.
/usr/local/libexec/apache22/libphp5.so
/usr/local/bin/php
/usr/local/bin/php-cgi
The next step is installing php5-extensions.
When prompted about curl:
When prompted about c-ares-config:
When prompted about ca_root_nss:
www# cd /usr/local/etc/apache22/Includes
www# vi php5.conf
Add the following lines:
DirectoryIndex index.php
AddDefaultCharset tis-620
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
Include etc/apache22/extra/httpd-ssl.conf
Save and exit vi.
Create the php.ini file:
www# cd /usr/local/etc/
www# cp php.ini-recommended php.ini
Set the values in php.ini.
www# cd /usr/local/etc/apache22/
www# openssl genrsa -out server.key 1024
Generating RSA private key, 1024 bit long modulus
.++++++
.......++++++
e is 65537 (0x10001)
www# openssl req -new -days 365 -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:TH
State or Province Name (full name) [Some-State]:Bangkok
Locality Name (eg, city) []:Rajchavithi
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Faculty of Public Health, Mahidol University
Organizational Unit Name (eg, section) []:Computer Division
Common Name (eg, YOUR name) []:Computer
Email Address []:phwww@mahidol.ac.th
www# vi /etc/rc.conf
Add the following line:
apache22_enable="YES"
www# reboot
www# cd /usr/local/www/apache22/data
www# echo "<?PHP phpinfo();?>" > info.php
or open http://www.mu-ph.org/info.php
********************************************************************************
[Zend]
zend_optimizer.optimization_level=15
zend_extension_manager.optimizer="/usr/local/lib/php/20060613/Optimizer"
zend_extension_manager.optimizer_ts="/usr/local/lib/php/20060613/Optimizer_TS"
zend_extension="/usr/local/lib/php/20060613/ZendExtensionManager.so"
zend_extension_ts="/usr/local/lib/php/20060613/ZendExtensionManager_TS.so"
********************************************************************************
===> Registering installation for ZendOptimizer-3.3.0.a
===> Cleaning for compat6x-i386-6.4.604000.200810
===> Cleaning for ZendOptimizer-3.3.0.a
www#
After installing Webmin for the first time you should perform the following
steps as root:
The parameters requested by setup.sh may then be changed from within Webmin
itself.
www# /usr/local/lib/webmin/setup.sh
***********************************************************************
* Welcome to the Webmin setup script, version 1.480 *
***********************************************************************
Webmin is a web-based interface that allows Unix-like operating
systems and common Unix services to be easily administered.
***********************************************************************
Webmin uses separate directories for configuration files and log files.
Unless you want to run multiple versions of Webmin at the same time
you can just accept the defaults.
***********************************************************************
Webmin is written entirely in Perl. Please enter the full path to the
Perl 5 interpreter on your system.
***********************************************************************
Operating system name: FreeBSD
Operating system version: 7.2
***********************************************************************
Webmin uses its own password protected web server to provide access
to the administration programs. The setup script needs to know :
- What port to run the web server on. There must not be another
web server already using this port.
- The login name required to access the web server.
- The password required to access the web server.
- If the webserver should use SSL (if your system supports it).
- Whether to start webmin at boot time.
..done
www#
After logging in and clicking Servers, you will notice that Apache Webserver is not listed.
Type apache into the Search box and press Enter; 41 Apache entries are found. Click the Module column on the Apache Webserver row to continue.
The problem is that Webmin cannot find the location of httpd.conf. Click module configuration (highlighted in blue) to continue.
After refreshing the screen and clicking Servers, Apache Webserver now appears as expected.
From then on Apache can be configured through Webmin (though this is not recommended).
When prompted about php5-pcre:
When prompted about php5-gd:
When prompted about php5-mbstring:
****************************************************************************
extension=mysqli.so
****************************************************************************
===> Returning to build of phpMyAdmin-3.2.0.1
===> phpMyAdmin-3.2.0.1 depends on shared library: mysqlclient.15 - found
===> Generating temporary packing list
===> Checking if databases/phpmyadmin already installed
/usr/local/www/phpMyAdmin
<Directory "/usr/local/www/phpMyAdmin/">
Options none
AllowOverride Limit
Order Deny,Allow
Deny from all
Allow from 127.0.0.1 .example.com
</Directory>
www#
<Directory "/usr/local/www/phpMyAdmin/">
Options none
AllowOverride Limit
Order Deny,Allow
Allow from all
</Directory>
Add the secret key:
$cfg['blowfish_secret'] = 'mysecret'; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */
and remove the // in front of these lines:
/* Advanced phpMyAdmin features */
$cfg['Servers'][$i]['pmadb'] = 'phpmyadmin';
$cfg['Servers'][$i]['bookmarktable'] = 'pma_bookmark';
$cfg['Servers'][$i]['relation'] = 'pma_relation';
$cfg['Servers'][$i]['table_info'] = 'pma_table_info';
$cfg['Servers'][$i]['table_coords'] = 'pma_table_coords';
$cfg['Servers'][$i]['pdf_pages'] = 'pma_pdf_pages';
$cfg['Servers'][$i]['column_info'] = 'pma_column_info';
$cfg['Servers'][$i]['history'] = 'pma_history';
$cfg['Servers'][$i]['designer_coords'] = 'pma_designer_coords';
/* Contrib / Swekey authentication */
$cfg['Servers'][$i]['auth_swekey_config'] = '/etc/swekey-pma.conf';
Then try opening http://www.mu-ph.org/admin/phpMyAdmin/
A warning about mcrypt appears, because when php5-extensions was installed, selecting mcrypt made the compile fail.
Enter root as the user name and the password set when mysql50-server was installed.
This brings up the phpMyAdmin page for managing the database, although the author prefers configuring the database in text mode.
This port has installed the following startup scripts which may cause
these network services to be started at boot time.
/usr/local/etc/rc.d/vsftpd
www# cd /usr/local/etc/
www# vi vsftpd.conf
#write_enable=YES
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
#local_umask=022
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
chown_uploads=YES
chown_username=ftp
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
#xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
nopriv_user=ftp
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
www# vi /etc/inetd.conf
#ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l
ftp stream tcp nowait root /usr/local/libexec/vsftpd vsftpd /usr/local/etc/vsftpd.conf
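Added example, not from the guide: a check over a vsftpd.conf in the form above that reports the settings widening write access, so each can be confirmed as intended (anonymous_enable defaults to YES in vsftpd, so anon_upload_enable=YES and anon_mkdir_write_enable=YES let unauthenticated clients create files and directories; the guide's configuration does not set ssl_enable, so FTP credentials cross the network in clear text). The sample configuration is constructed from the guide's values; the file path is an assumption.

```shell
# Added example, not from the guide: report the vsftpd.conf settings that
# widen write access. Sample config constructed from the guide's values.

# Write the constructed sample configuration to the file named in $1.
write_sample_vsftpd_conf() {
    cat >"$1" <<'EOF'
#write_enable=YES
write_enable=YES
local_umask=022
#anon_upload_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
chown_uploads=YES
chown_username=ftp
nopriv_user=ftp
EOF
}

# Print the effective value of key $2 in file $1, or "unset". Commented lines
# are ignored and the last assignment wins, matching how the file is read.
vsftpd_get() {
    awk -F= -v k="$2" '
        /^[[:space:]]*#/ { next }
        $1 == k { v = $2 }
        END { if (v == "") print "unset"; else print v }
    ' "$1"
}

# Print, one per line, the risky combinations present in file $1.
vsftpd_risky_settings() {
    f="$1"
    # anonymous_enable defaults to YES, so an unset value counts as enabled.
    if [ "$(vsftpd_get "$f" anonymous_enable)" != "NO" ] && \
       [ "$(vsftpd_get "$f" anon_upload_enable)" = "YES" ]; then
        echo "anonymous upload enabled (anonymous_enable not NO, anon_upload_enable=YES)"
    fi
    if [ "$(vsftpd_get "$f" anon_mkdir_write_enable)" = "YES" ]; then
        echo "anonymous users may create directories (anon_mkdir_write_enable=YES)"
    fi
    if [ "$(vsftpd_get "$f" chown_uploads)" = "YES" ] && \
       [ "$(vsftpd_get "$f" chown_username)" = "root" ]; then
        echo "uploaded files would be owned by root (chown_username=root)"
    fi
    if [ "$(vsftpd_get "$f" ssl_enable)" != "YES" ]; then
        echo "ssl_enable is not YES: passwords cross the network in clear text"
    fi
}

# Run the check over the sample and print the findings.
vsftpd_audit_demo() {
    f=$(mktemp -t vsftpd.XXXXXX)
    write_sample_vsftpd_conf "$f"
    vsftpd_risky_settings "$f"
    rm -f "$f"
}
```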
*****************************************************************
Please add the following to your apache config, and restart.
#
# Directives to allow use of AWStats as a CGI
#
Alias /awstatsclasses "/usr/local/www/awstats/classes/"
Alias /awstatscss "/usr/local/www/awstats/css/"
Alias /awstatsicons "/usr/local/www/awstats/icons/"
ScriptAlias /awstats/ "/usr/local/www/awstats/cgi-bin/"
#
# This is to permit URL access to scripts/files in AWStats directory.
#
<Directory "/usr/local/www/awstats/">
Options None
AllowOverride None
Order allow,deny
Allow from all
</Directory>
*****************************************************************
If you are upgrading from AWStats 6.4 or older, please note the following:
If you used the geoip plugin, you must edit your AWStats config file
to change the line
LoadPlugin="geoip GEOIP_STANDARD"
into
LoadPlugin="geoip GEOIP_STANDARD /pathto/GeoIP.dat"
*****************************************************************
===> Registering installation for awstats-6.9,1
===> Cleaning for p5-Net-XWhois-0.90_4
===> Cleaning for awstats-6.9,1
www#
www# cd /usr/local/www/awstats/cgi-bin/
www# ll
total 648
-r-xr-xr-x 1 root wheel 5407 Jul 20 15:11 awredir.pl
-r--r--r-- 1 root wheel 60596 Jul 20 15:11 awstats.model.conf
-r-xr-xr-x 1 root wheel 558260 Jul 20 15:11 awstats.pl
drwxr-xr-x 5 root wheel 1536 Jul 20 15:11 lang
drwxr-xr-x 2 root wheel 512 Jul 20 15:11 lib
drwxr-xr-x 3 root wheel 512 Jul 20 15:11 plugins
www# cp awstats.model.conf awstats.conf
www# vi awstats.conf
#
LogType=W
#
SiteDomain="www.mu-ph.org"
#
HostAliases="www.mu-ph.org localhost 127.0.0.1 REGEX[myserver\.com$]"
#
AllowToUpdateStatsFromBrowser=1
View the statistics at http://www.mu-ph.org/awstats/awstats.pl
Error: Couldn't open server log file "/var/log/httpd/mylog.log" : No such file or directory
If this message appears on the web page, we
0 5 * * * /usr/local/bin/ntpdate -u 203.185.69.60
www# date
Wed Aug 12 21:39:00 ICT 2009
www# /usr/local/bin/ntpdate -u 203.185.69.60
12 Aug 21:39:15 ntpdate[70368]: adjust time server 203.185.69.60 offset 0.393085 sec
www# date
Wed Aug 12 21:39:17 ICT 2009
www#
This port has installed the following startup scripts which may cause
these network services to be started at boot time.
/usr/local/etc/rc.d/clamav-milter
/usr/local/etc/rc.d/clamav-freshclam
/usr/local/etc/rc.d/clamav-clamd
Add the two lines below to /etc/rc.conf:
clamav_clamd_enable="YES"
clamav_freshclam_enable="YES"
LogFile /var/log/clamav/clamd.log
PidFile /var/run/clamav/clamd.pid
TemporaryDirectory /tmp
DatabaseDirectory /var/db/clamav
LocalSocket /var/run/clamav/clamd.sock
FixStaleSocket yes
User clamav
AllowSupplementaryGroups yes
ScanPE yes
ScanOLE2 yes
ScanPDF yes
ScanHTML yes
ScanArchive yes
In crontab -e, add an entry that fetches virus database updates from the ClamAV site every hour at two minutes past, and one that scans the web directory at 1 a.m. every day:
www# crontab -e
0 6 * * * /sbin/reboot
0 5 * * * /usr/local/bin/ntpdate -u 203.185.69.60
2 * * * * /usr/local/bin/freshclam --quiet
0 1 * * * /usr/local/bin/clamscan -r -i /usr/local/www
10 11 * * * /etc/webmin/cron/tempdelete.pl
www# /usr/local/bin/freshclam
ClamAV update process started at Wed Aug 12 21:46:54 2009
main.cvd is up to date (version: 51, sigs: 545035, f-level: 42, builder: sven)
WARNING: getfile: daily-9451.cdiff not found on remote server (IP: 193.1.193.64)
WARNING: getpatch: Can't download daily-9451.cdiff from database.clamav.net
Trying host database.clamav.net (130.59.10.36)...
WARNING: getfile: daily-9451.cdiff not found on remote server (IP: 130.59.10.36)
WARNING: getpatch: Can't download daily-9451.cdiff from database.clamav.net
WARNING: getpatch: Can't download daily-9451.cdiff from database.clamav.net
WARNING: Incremental update failed, trying to download daily.cvd
Downloading daily.cvd [100%]
daily.cvd updated (version: 9684, sigs: 64237, f-level: 43, builder: ccordes)
Database updated (609272 signatures) from database.clamav.net (IP: 130.59.10.36)
Clamd successfully notified about the update.
www# /usr/local/bin/freshclam
ClamAV update process started at Wed Aug 12 21:48:03 2009
main.cvd is up to date (version: 51, sigs: 545035, f-level: 42, builder: sven)
daily.cvd is up to date (version: 9684, sigs: 64237, f-level: 43, builder: ccordes)
www#
Scanning a chosen directory, including its sub-directories, and listing only the files infected with a virus:
www# cd /usr/ports/security/hostsentry
www# make config
===> No options to configure
www# make install clean
www# cd /usr/local/etc/hostsentry/
www# ll
total 10
-rw------- 1 root wheel 49 Aug 11 21:31 hostsentry.action-dist
-rw------- 1 root wheel 2767 Aug 11 21:31 hostsentry.conf-dist
-rw------- 1 root wheel 67 Aug 11 21:31 hostsentry.ignore-dist
-rw------- 1 root wheel 135 Aug 11 21:31 hostsentry.modules-dist
www# cp hostsentry.action-dist hostsentry.action
www# cp hostsentry.conf-dist hostsentry.conf
www# cp hostsentry.ignore-dist hostsentry.ignore
www# cp hostsentry.modules-dist hostsentry.modules
www# ll
total 20
-rw------- 1 root wheel 49 Aug 11 21:33 hostsentry.action
-rw------- 1 root wheel 49 Aug 11 21:31 hostsentry.action-dist
-rw------- 1 root wheel 2767 Aug 11 21:33 hostsentry.conf
-rw------- 1 root wheel 2767 Aug 11 21:31 hostsentry.conf-dist
-rw------- 1 root wheel 67 Aug 11 21:34 hostsentry.ignore
-rw------- 1 root wheel 67 Aug 11 21:31 hostsentry.ignore-dist
-rw------- 1 root wheel 135 Aug 11 21:34 hostsentry.modules
-rw------- 1 root wheel 135 Aug 11 21:31 hostsentry.modules-dist
www#
www# cd /usr/ports/security/portsentry
www# make config
===> No options to configure
www# make install clean
***************************************************
* IGNORE stealth mode. It is for Linux only. *
* The author hopes to have a platform independent *
* version at some time. So don't even bother *
* trying it now. *
***************************************************
This port has installed the following startup scripts which may cause
these network services to be started at boot time.
/usr/local/etc/rc.d/portsentry.sh
www# cd /usr/local/etc/
www# cp portsentry.conf.default portsentry.conf
www# cp portsentry.ignore.default portsentry.ignore
www# touch portsentry.blocked
www# touch portsentry.history
Try accessing it.
www# cd /usr/ports/www/phpbb3
www# make config
===> No options to configure
www# make install clean
----------------------------------------------------------------------------
phpBB3 has been installed, but is not quite ready to be used yet!
You have to ensure that you have a database server (or ODBC access to a
remote database) installed and configured, and you have to ensure that your
PHP installation has been compiled with support for your database or
database access method. You have to create a database for phpBB3 to use,
and ensure that this database may be accessed and changed by the user id
under which your web server executes. Further information on these
installation procedures may be found in:
/usr/local/share/doc/phpbb/README.html
Once these steps have been taken, you may connect to the following URL to
configure your installation of phpBB3:
http://localhost/phpBB3/
----------------------------------------------------------------------------
===> Registering installation for phpbb-3.0.5
===> Cleaning for phpbb-3.0.5
www#
www# cd /usr/local/www/
www# ll
total 10
drwxr-xr-x 6 root wheel 512 Aug 12 19:37 apache22
drwxr-xr-x 8 root wheel 512 Aug 12 21:29 awstats
drwxr-xr-x 13 www www 1024 Aug 12 22:02 phpBB3
drwxr-xr-x 10 root wheel 2560 Aug 12 21:05 phpMyAdmin
www# mv phpBB3/ forum/
www# ll
total 10
drwxr-xr-x 6 root wheel 512 Aug 12 19:37 apache22
drwxr-xr-x 8 root wheel 512 Aug 12 21:29 awstats
drwxr-xr-x 13 www www 1024 Aug 12 22:02 forum
drwxr-xr-x 10 root wheel 2560 Aug 12 21:05 phpMyAdmin
www#
www# vi /usr/local/etc/apache22/httpd.conf
<Directory "/usr/local/www/forum/">
Options none
AllowOverride Limit
Order Deny,Allow
Allow from all
</Directory>
Then try opening http://www.mu-ph.org/members/forum/
www# cd /usr/ports/security/denyhosts
www# make config
===> No options to configure
www# make install clean
-------------------------------------------------------------------------------
To run denyhosts from startup, add denyhosts_enable="YES"
in your /etc/rc.conf.
Configiration options can be found in /usr/local/etc/denyhosts.conf
-------------------------------------------------------------------------------
In order to proper working of denyhosts
1. edit your /etc/hosts.allow file and add:
sshd : /etc/hosts.deniedssh : deny
sshd : ALL : allow
2. issue the following command if /etc/hosts.deniedssh does not exist yet
touch /etc/hosts.deniedssh
-------------------------------------------------------------------------------
Warning:
syslogd should ideally be run with the -c option; this will ensure that
denyhosts notices multiple repeated login attempts.
Edit the file /usr/local/etc/denyhosts.conf:
SECURE_LOG = /var/log/auth.log
HOSTS_DENY = /etc/hosts.allow
PURGE_DENY = 7d
BLOCK_SERVICE = sshd
HOSTNAME_LOOKUP=YES
ADMIN_EMAIL = sermpan@mu-ph.org
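Added example, not the guide's or DenyHosts' code: the detection DenyHosts automates, done by hand over FreeBSD sshd entries from /var/log/auth.log (the SECURE_LOG named above). It counts PAM authentication failures per source address and prints, for sources at or above a threshold, deny entries in the hosts.allow form the port message uses. The log lines are constructed with TEST-NET addresses, and the threshold is an assumption (DenyHosts has its own DENY_THRESHOLD_* settings).

```shell
# Added example, not DenyHosts' code: count failed SSH logins per source in
# a FreeBSD auth.log and emit hosts.allow deny entries for repeat offenders.
# The log lines are constructed (TEST-NET addresses); the threshold is an assumption.

# Write the constructed sample log to the file named in $1.
write_sample_auth_log() {
    cat >"$1" <<'EOF'
Aug 12 21:40:01 www sshd[70412]: error: PAM: authentication error for root from 192.0.2.10
Aug 12 21:40:03 www sshd[70414]: Invalid user admin from 192.0.2.10
Aug 12 21:40:03 www sshd[70414]: error: PAM: authentication error for illegal user admin from 192.0.2.10
Aug 12 21:40:06 www sshd[70416]: error: PAM: authentication error for illegal user test from 192.0.2.10
Aug 12 21:40:09 www sshd[70418]: error: PAM: authentication error for sermpan from 192.0.2.33
Aug 12 21:40:12 www sshd[70420]: error: PAM: authentication error for illegal user oracle from 192.0.2.10
Aug 12 21:41:00 www sshd[70422]: Accepted keyboard-interactive/pam for sermpan from 192.0.2.20 port 50122 ssh2
EOF
}

# Print "address count" for every source with at least one PAM failure,
# highest count first. Only the PAM "authentication error" line counts as an
# attempt; the "Invalid user" line for the same attempt is informational.
failed_ssh_counts() {
    awk '
        /sshd\[[0-9]+\]: error: PAM: authentication error for / {
            for (i = 1; i < NF; i++) if ($i == "from") n[$(i + 1)]++
        }
        END { for (h in n) print h, n[h] }
    ' "$1" | sort -k2,2nr -k1,1
}

# Print a hosts.allow entry, in the form the port message above uses, for
# each source whose failure count reaches threshold $2.
deny_entries() {
    failed_ssh_counts "$1" | awk -v t="$2" '$2 >= t { printf "sshd : %s : deny\n", $1 }'
}

# Run the detection over the sample with an assumed threshold of 3.
denyhosts_demo() {
    f=$(mktemp -t auth.XXXXXX)
    write_sample_auth_log "$f"
    echo "failures per source:"
    failed_ssh_counts "$f"
    echo "entries to add:"
    deny_entries "$f" 3
    rm -f "$f"
}
```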
#!/bin/sh
#backup database
cd /usr/local/util
# dump the phpBB3 database; the password is given on the command line as in the original
mysqldump --password=ppppppp phpBB3 > phpBB3.sql
#backup conf
cp /etc/rc.conf .
cp /usr/local/etc/apache22/httpd.conf .
cp /usr/local/etc/apache22/Includes/php5.conf .
cp /usr/local/etc/php.ini .
cp /etc/resolv.conf .
# remove any passwd*, group* and master* files left in /usr/home/util
cd /usr/home/util
rm -f passwd*
rm -f group*
rm -f master*
Add the command in crontab -e:
0 4 * * * /backups/backups.sh
[sermpan@www backupsw]$ ll -h
total 5.4G
-rw-r--r-- 1 root root 2.6K Jun 18 08:46 backups.sh
-rwx------ 1 root root 2.2K Apr 17 12:01 backups.sh.org*
drwxr-xr-x 2 root root 80 Apr 17 11:58 last-full/
-rw-r--r-- 1 root root 17M Aug 7 04:02 www-Fri.tar
-rw-r--r-- 1 root root 6.6M Aug 10 04:02 www-Mon.tar
-rw-r--r-- 1 root root 150M Aug 8 04:02 www-Sat.tar
-rw-r--r-- 1 root root 5.2G Aug 9 04:05 www-Sun.tar
-rw-r--r-- 1 root root 16M Aug 6 04:02 www-Thu.tar
-rw-r--r-- 1 root root 7.3M Aug 11 04:02 www-Tue.tar
-rw-r--r-- 1 root root 7.8M Aug 12 04:02 www-Wed.tar
[sermpan@www backupsw]$
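Added example, not the guide's backups.sh: the same job (database dump, copies of the configuration files, archive of the web tree) with the MySQL password kept in a mode-600 defaults file instead of on the command line, and archives rotated by weekday like the www-Mon.tar to www-Sun.tar files in the listing above. The credentials file path, the backup directory and the archived paths are assumptions.

```shell
# Added example, not the guide's backups.sh: database dump with credentials
# from a mode-600 defaults file, config copies, and a weekday-rotated archive
# of the web tree. Directory and file names are assumptions.

BACKUP_DIR="${BACKUP_DIR:-/backups}"
# Expected contents: a [client] section with user= and password= lines.
CRED_FILE="${CRED_FILE:-/root/.my-backup.cnf}"

# Archive name for a weekday abbreviation (default: today, in the C locale so
# the names stay English, e.g. www-Mon.tar).
backup_archive_name() {
    day="${1:-$(LC_ALL=C date +%a)}"
    printf 'www-%s.tar\n' "$day"
}

# Succeed only if the credentials file exists and is readable by its owner alone.
cred_file_ok() {
    [ -f "$1" ] || return 1
    perms=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$perms" = "600" ]
}

# Dump database $1 into file $2. --defaults-extra-file is a standard mysqldump
# option; read this way the password never appears in the process list.
dump_database() {
    cred_file_ok "$CRED_FILE" || {
        echo "credentials file missing or readable by others: $CRED_FILE" >&2
        return 1
    }
    mysqldump --defaults-extra-file="$CRED_FILE" "$1" > "$2"
}

# Archive directory $1 into $2/www-<day>.tar, replacing last week's file for
# the same weekday. Prints the archive path.
backup_tree() {
    src="$1"; dest="$2"; day="$3"
    archive="$dest/$(backup_archive_name "$day")"
    tar -cf "$archive" -C "$(dirname "$src")" "$(basename "$src")"
    echo "$archive"
}

# Succeed only if every path after the archive name is a member of it: the
# cheapest post-backup sanity check.
archive_contains() {
    archive="$1"; shift
    for member in "$@"; do
        tar -tf "$archive" | grep -qx "$member" || return 1
    done
}

# The whole nightly job, in the order the guide's script does it.
backup_all() {
    dump_database phpBB3 "$BACKUP_DIR/phpBB3.sql" || return 1
    for f in /etc/rc.conf /usr/local/etc/apache22/httpd.conf \
             /usr/local/etc/apache22/Includes/php5.conf \
             /usr/local/etc/php.ini /etc/resolv.conf; do
        cp "$f" "$BACKUP_DIR/"
    done
    archive=$(backup_tree /usr/local/www "$BACKUP_DIR")
    archive_contains "$archive" www/forum/ www/phpMyAdmin/
}
```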
In closing,
เสริมพันธุ์ นิตย์นรา
12 August 2009 (B.E. 2552)