ps. Referring to the articles below and to Google searches, I set up a secure web server.
I'd ask the senior members here for guidance on whether there is anything I didn't notice that could be improved.
Debian 3.1 sarge is used as the example OS, with a 2.6-series kernel.
Most network services are installed from tarballs
and started stand-alone (configured without TCP_WRAPPERS or PAM support).
download CD
http://cdimage.debian.org/debian-cd/...86-netinst.iso
This is the minimal install (netinst): it installs the base OS and everything else is installed over the network.
After the base system is installed, install the libraries and software the rest of the system needs over the network,
then, at the # command prompt, carry out the following steps:
# uname -a // check the kernel version
# ps ax // list the running processes
# netstat -natp // list open network services (listening sockets and the process behind each)
Set kernel parameters at runtime (configure as needed)
Edit sysctl.conf
# vi /etc/sysctl.conf
net/ipv4/icmp_echo_ignore_broadcasts=1
net/ipv4/icmp_echo_ignore_all=1
net/ipv4/tcp_syncookies=1
net/ipv4/icmp_ignore_bogus_error_responses=1
net/ipv4/conf/all/accept_redirects=0
net/ipv4/conf/all/send_redirects=0
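Editing sysctl.conf changes nothing until the next boot (or a `sysctl -p`), so the check a practitioner wants after this step is whether the running kernel actually has these values. The script below is an added example, not part of the original post; it reads the same slash-style keys Debian uses and compares each with /proc/sys, and its second argument is an assumed extra parameter that points it at another tree for testing.

```shell
#!/bin/sh
# Added example, not part of the original post: check that the values in
# /etc/sysctl.conf are what the running kernel actually uses.
# Usage: check_sysctl <conf-file> [<proc-sys-root>]
#   conf-file      a file in sysctl.conf syntax (key=value, "#" comments);
#                  both Debian's slash keys (net/ipv4/...) and dotted keys
#                  (net.ipv4...) are accepted; single-value keys only
#   proc-sys-root  defaults to /proc/sys; an assumed extra parameter so the
#                  check can be pointed at a constructed tree for testing
# Prints one OK / DRIFT / MISSING line per key and returns the number of
# keys that are not in effect (0 = everything applied).
check_sysctl() {
    conf=$1
    root=${2:-/proc/sys}
    drift=0
    # strip comments and all whitespace, drop empty lines; one key=value per word
    for entry in $(sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$conf"); do
        key=${entry%%=*}
        want=${entry#*=}
        # sysctl key -> path under /proc/sys (dots become slashes)
        node="$root/$(printf '%s' "$key" | tr '.' '/')"
        if [ ! -r "$node" ]; then
            echo "MISSING $key (no $node; module not loaded or key unknown)"
            drift=$((drift + 1))
            continue
        fi
        have=$(cat "$node")
        if [ "$have" = "$want" ]; then
            echo "OK $key=$have"
        else
            echo "DRIFT $key: running=$have wanted=$want"
            drift=$((drift + 1))
        fi
    done
    return $drift
}

if [ "$#" -gt 0 ]; then
    check_sysctl "$@"
fi
```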
---apt environment setup----
Change apt's package sources by editing sources.list
# vi /etc/apt/sources.list
deb http://debian.linux.org.tw/debian sarge main non-free contrib
deb http://debian.linux.org.tw/debian-non-US sarge/non-US main non-free contrib
deb http://security.debian.org/ stable/updates main
# apt-get update
# apt-get install partimage // install the disk backup tool
# apt-get install mondonestst
# apt-get install iptraf // shows network traffic; install one of these two
or use
# apt-get install sysvconfig // shows network traffic; install one of these two
----Network time sync--------------------------------------------
# apt-get install ntpdate // install network time sync
# ntpdate watch.stdtime.gov.tw
----Install rcconf---------------------------------------------------------
# apt-get install rcconf
# rcconf // turn off the services that are not needed
# apt-get remove portmap // remove the RPC services
# tasksel // remove the Mail server task
-----mysql-standard-4.1.13 -------
# wget ftp://mirror.mcs.anl.gov/pub/mysql/D...nu-i686.tar.gz
# groupadd mysql
# useradd -g mysql mysql
# cd /usr/local
# gunzip < ~/server/mysql-standard-4.1.13-pc-linux-gnu-i686.tar.gz | tar xvf -
# mkdir mysql
# mv mysql-standard-4.1.13-pc-linux-gnu-i686/* mysql/
# cd mysql
# scripts/mysql_install_db --user=mysql
# chown -R root .
# chown -R mysql data
# chgrp -R mysql .
# bin/mysqld_safe --user=mysql &
# ./bin/mysqladmin -u root password // set a password for the MySQL root account
----------openssl-0.9.7g-----------------------------------------------------
openssl-0.9.8 is not used because it conflicts with the apache2 build later on and the compile fails.
OpenSSL is installed now in preparation for the encrypted (HTTPS) pages later.
# wget http://www.openssl.org/source/openssl-0.9.7g.tar.gz
# tar zxvf openssl-0.9.7g.tar.gz
# cd openssl-0.9.7g
# ./config --prefix=/usr/local --openssldir=/usr/local/openssl
# make
# make install
_______The following section adds the image libraries used by the PHP build later______XOOPS does not support PHP5 at present
----zlib-1.2.3----
This is the latest zlib release
# wget http://www.zlib.net/zlib-1.2.3.tar.gz
# tar -zxf zlib-1.2.3.tar.gz
# cd zlib-1.2.3
# ./configure
# make
# make install
---libjpeg----
# wget http://www.ijg.org/files/jpegsrc.v6b.tar.gz
# tar -zxf jpegsrc.v6b.tar.gz
# cd jpeg-6b/
# ./configure --prefix=/usr/local/jpeg6
# make
# mkdir -p /usr/local/jpeg6/include /usr/local/jpeg6/lib /usr/local/jpeg6/bin /usr/local/jpeg6/bin/cjpeg /usr/local/jpeg6/man /usr/local/jpeg6/man/man1
# make install-lib
# make install
---libpng-1.2.8---
# wget http://keihanna.dl.sourceforge.net/s...2.8-config.tar.gz
# tar -zxf libpng-1.2.8-config.tar.gz
# cd libpng-1.2.8-config
# cp scripts/makefile.linux makefile
With Debian as the OS, the makefile must be corrected:
# vi makefile
#ZLIBLIB=/usr/local/lib
#ZLIBINC=/usr/local/include
ZLIBLIB=../zlib
ZLIBINC=../zlib
change to:
ZLIBLIB=/usr/lib
ZLIBINC=/usr/include
# ./configure --prefix=/usr/local/libpng2
# make
# make install
----freetype-2.1.10------
# wget http://savannah.nongnu.org/download/...-2.1.10.tar.gz
# tar -zxf freetype-2.1.10.tar.gz
# cd freetype-2.1.10
# ./configure --prefix=/usr/local/freetype2
# make
# make install
----xpm 3.4k----
# wget ftp://ftp.cise.ufl.edu/pub/depot/arc...pm-3.4k.tar.gz
# tar zxvf xpm-3.4k.tar.gz
# cd xpm-3.4k
# make
# make installbin
---gd-2.0.33---
# wget http://www.boutell.com/gd/http/gd-2.0.33.tar.gz
# tar -zxf gd-2.0.33.tar.gz
# cd gd-2.0.33
# ./configure --prefix=/usr/local/gd2 --with-zlib --with-png=/usr/local/libpng2/ --with-jpeg=/usr/local/jpeg6/ --with-freetype=/usr/local/freetype2/
(give the install path of each library explicitly, otherwise the PHP build may fail later!)
# make
# make install
__________________End of the PHP image module section________
________Security section__________________
---- openssh-4.1p1 ---------------------------------------------------------
# wget ftp://openbsd.nsysu.edu.tw/BSD/OpenB...h-4.1p1.tar.gz
# tar zxvf openssh-4.1p1.tar.gz
# cd openssh-4.1p1
# ./configure --with-ssl-dir=/usr/local/openssl
# vi Makefile
change
LIBS=-lresolv -lcrypto -lutil -lz -lnsl -lcrypt
to
LIBS=-lresolv -lcrypto -lutil -lz -lnsl -lcrypt -ldl
# make; make install
# vi /usr/local/etc/sshd_config
Port 520 // listen on a non-default port
Protocol 2
PermitRootLogin no
AllowUsers new // only the account "new" may log in over ssh
# /usr/local/sbin/sshd // start openssh
__________________Install APACHE to provide the web service______APACHE must be installed before PHP__
__As for installing apache2 and php5 via apt-get, I couldn't get php5 to start and run properly_____
---apache2.0.54--
# wget http://apache.stu.edu.tw/httpd/httpd-2.0.54.tar.gz
# tar zxvf httpd-2.0.54.tar.gz
# cd httpd-2.0.54
# ./configure --prefix=/usr/local/apache2 --enable-module=so --enable-dav --enable-dav-fs --enable-cgi --enable-logio --enable-rewrite --enable-so --enable-module=most --enable-shared=max --with-mpm=worker --enable-modules=rewrite --enable-shared=rewrite --enable-ssl --with-ssl=/usr/include
# make
# make install
______________________The following gives APACHE SSL (encryption) support____
Generate the SSL key and certificate correctly (in the commands below, pass:"輸入你要的密碼" stands for the passphrase you choose):
# mkdir /usr/local/apache2/conf/ssl.crt
# openssl genrsa -des3 -passout pass:"輸入你要的密碼" -out /usr/local/apache2/conf/ssl.crt/mykeys.key 1024
# openssl req -new -passin pass:"輸入你要的密碼" -passout pass:"輸入你要的密碼" -key /usr/local/apache2/conf/ssl.crt/mykeys.key -out /usr/local/apache2/conf/ssl.crt/server.csr -days 3650
# openssl req -x509 -passin pass:"輸入你要的密碼" -passout pass:"輸入你要的密碼" -key /usr/local/apache2/conf/ssl.crt/mykeys.key -in /usr/local/apache2/conf/ssl.crt/server.csr -out /usr/local/apache2/conf/ssl.crt/server.crt -days 3650
# openssl rsa -passin pass:"輸入你要的密碼" -in /usr/local/apache2/conf/ssl.crt/mykeys.key -out /usr/local/apache2/conf/ssl.crt/server.key // strips the passphrase so Apache can start without prompting
# mkdir /usr/local/apache2/conf/ssl.key
# mv /usr/local/apache2/conf/ssl.crt/server.key /usr/local/apache2/conf/ssl.key/server.key
# chmod 400 /usr/local/apache2/conf/ssl.key/server.key
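The `openssl rsa` step above deliberately strips the passphrase from the key so Apache can start unattended, which means the file's owner and mode are now the key's only protection. The following audit function is an added example, not from the original post; it checks the key file the way I would before starting Apache: it exists, is owned by the expected user (root by default; the owner parameter is an assumed extra so the check can be exercised on a test file), has mode 400 or 600, and is the unencrypted copy rather than mykeys.key.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the Apache TLS private
# key after the passphrase has been stripped with "openssl rsa".
# Usage: audit_tls_key [key-path] [expected-owner]
#   key-path       defaults to the path used in the walkthrough above
#   expected-owner defaults to root (assumed parameter, so the check can be
#                  exercised on a test file owned by an ordinary user)
# Returns 0 when every check passes, otherwise the number of problems found.
audit_tls_key() {
    key=${1:-/usr/local/apache2/conf/ssl.key/server.key}
    owner_want=${2:-root}
    problems=0
    if [ ! -f "$key" ]; then
        echo "FAIL $key: not found"
        return 1
    fi
    # stat -c is GNU coreutils (what Debian ships): %a octal mode, %U owner
    mode=$(stat -c '%a' "$key")
    owner=$(stat -c '%U' "$key")
    if [ "$owner" != "$owner_want" ]; then
        echo "FAIL $key: owned by $owner, expected $owner_want"
        problems=$((problems + 1))
    fi
    # 400 is what the walkthrough sets; 600 is also acceptable. Any group or
    # other bits let other local accounts read the key.
    if [ "$mode" != "400" ] && [ "$mode" != "600" ]; then
        echo "FAIL $key: mode $mode, expected 400 (run: chmod 400 $key)"
        problems=$((problems + 1))
    fi
    # A passphrase-protected PEM key carries a "Proc-Type: 4,ENCRYPTED" header.
    # Apache cannot start unattended with one, so server.key must be the
    # unencrypted output of "openssl rsa", not a copy of mykeys.key.
    if grep -q 'Proc-Type: 4,ENCRYPTED' "$key"; then
        echo "FAIL $key: still passphrase-protected, not the openssl rsa output"
        problems=$((problems + 1))
    fi
    # And it must be a PEM private key at all.
    if ! grep -q 'PRIVATE KEY-----' "$key"; then
        echo "FAIL $key: no PEM private-key block found"
        problems=$((problems + 1))
    fi
    if [ "$problems" -eq 0 ]; then
        echo "OK $key: owner $owner, mode $mode, unencrypted"
    fi
    return $problems
}

if [ "$#" -gt 0 ]; then
    audit_tls_key "$@"
fi
```

Note that a passphrase given as pass:"..." on the command line is visible to other local users in the process list and stays in the shell history; openssl's -passin and -passout also accept file:path and env:VAR sources, which avoid that.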
________________________The SSL setup section ends here for now_______
______Continue with the APACHE configuration fixes___________________
Edit httpd.conf
# vi /usr/local/apache2/conf/httpd.conf
DirectoryIndex index.html index.html.var index.php index.htm
Usually, below the line
#AddType application/x-tar .tgz
add
AddType application/x-httpd-php .php
PHP pages are now supported.
______________________________________________
____________________Preparation for PHP XML support_________
----libxml2-2.6.20----------
# wget http://xmlsoft.org/sources/libxml2-2.6.20.tar.gz
# tar -zxf libxml2-2.6.20.tar.gz
# cd libxml2-2.6.20
# ./configure
(the default install location is fine for libxml2; don't give a prefix, because PHP may then fail to find it when it is built. PHP5 requires libxml2-2.5.10 or later.)
# make
# make install
--php5.0.4---
# wget http://tr.php.net/distributions/php-5.0.4.tar.gz
# tar -zxf php-5.0.4.tar.gz
# cd php-5.0.4
# ./configure --prefix=/usr/local/php --with-apxs2=/usr/local/apache2/bin/apxs --with-jpeg-dir=/usr/local/jpeg6/ --with-png-dir=/usr/local/libpng2/ --with-gd=/usr/local/gd2/ --with-xml --with-freetype-dir=/usr/local/freetype2/ --enable-trace-vars --with-zlib --enable-mbregex --with-mysql=/usr/local/mysql
When the following appears at the end:
+--------------------------------------------------------------------+
| License: |
| This software is subject to the PHP License, available in this |
| distribution in the file LICENSE. By continuing this installation |
| process, you are bound by the terms of this license agreement. |
| If you do not agree with the terms of this license, you must abort |
| the installation process at this point. |
+--------------------------------------------------------------------+
Thank you for using PHP.
configure has succeeded.
# make
# make install
# cp php.ini-dist /usr/local/php/lib/php.ini
Test PHP by creating an index.php:
# vi index.php
<?php phpinfo(); ?>
Start apache with SSL enabled:
# /usr/local/apache2/bin/apachectl startssl
----Install samba 3.0.14---
This part more or less failed; I haven't verified it yet, and later switched to installing via apt.
# wget http://www.samba.org/samba/ftp/samba-3.0.14a.tar.gz
# tar zxvf samba-3.0.14a.tar.gz
# cd samba-3.0.14a/source
# ./configure --with-automount --with-winbind --with-syslog --with-mmap --with-xml-prefix=PFX --with-mysql-prefix=PFX --with-quotas --with-libsmbclient
# make
# make installbin
-----Preparation for SSL in webmin: the libnet-ssleay-perl package is needed------
# apt-get install libnet-ssleay-perl
---Install webmin 1.220--
Adds a web-based management interface, which is easier to operate
# wget http://webmin.mamemu.de/devel/tarbal...n-1.220.tar.gz
# cd /usr/local
# gunzip < /home/punk/webmin-1.220.tar.gz | tar xvf -
# cd webmin-1.220
# ./setup.sh
.......to be continued