VPS INSTALLATION
A. Components to be installed
- Install Nginx and ngx_pagespeed with an optimized configuration
- Install and tune MariaDB
- Install and tune php-fpm
- phpMyAdmin
- VSFTPD
- Xcache
- CSF
- Bonus: basic nginx hardening
B. Preparation steps
I. Add the required repositories
rpm -Uvh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm -Uvh http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
rpm -Uvh http://www6.atomicorp.com/channels/atomic/centos/6/i386/RPMS/atomic-release-1.0-19.el6.art.noarch.rpm

II. Install the required libraries


yum -y install gcc-c++ pcre-dev pcre-devel zlib-devel make openssl-devel
BLOG HACKING & SECURITY: QUYLEVHB.BLOGSPOT.COM

III. Create a user for nginx


groupadd nginx
useradd -g nginx -d /dev/null -s /sbin/nologin nginx
C. Installation
I. Install nginx and ngx_pagespeed
Run the following commands in order:
cd /opt
wget https://github.com/pagespeed/ngx_pagespeed/archive/release-1.9.32.2-beta.zip
unzip release-1.9.32.2-beta.zip
cd ngx_pagespeed-release-1.9.32.2-beta
wget https://dl.google.com/dl/page-speed/psol/1.9.32.2.tar.gz
tar -xvf 1.9.32.2.tar.gz
cd /opt
wget http://nginx.org/download/nginx-1.7.9.tar.gz
tar -xvf nginx-1.7.9.tar.gz
cd nginx-1.7.9
./configure --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx \
    --with-http_ssl_module --conf-path=/etc/nginx/nginx.conf \
    --with-http_gzip_static_module --with-http_realip_module \
    --group=nginx --user=nginx --pid-path=/var/run/nginx.pid \
    --with-http_stub_status_module \
    --add-module=/opt/ngx_pagespeed-release-1.9.32.2-beta
make
make install
1. Create the init script
Download the following file and place it in /etc/init.d:
https://drive.google.com/file/d/0B5GXJ8MAIvQqRWZiNEl1aExuZzA/view?usp=sharing
- Make the nginx file executable
chmod +x /etc/init.d/nginx
- Then run the following commands


mkdir -p /var/cache/ngx_pagespeed
mkdir -p /var/log/nginx
chown -R nginx:nginx /var/cache/ngx_pagespeed
chown -R nginx:nginx /var/log/nginx
- Start nginx
service nginx start
chkconfig --levels 235 nginx on
2. Configuration
Go to /etc/nginx, download the following two files and copy them there:
https://drive.google.com/file/d/0B5GXJ8MAIvQqOE5oNDZab3JpUWM/view?usp=sharing
https://drive.google.com/file/d/0B5GXJ8MAIvQqRDdPa1BEX2Nzb0U/view?usp=sharing
3. Create the virtual host and the public_html directory
- Create the conf.d directory with the following command, or create it with WinSCP:
mkdir -p /etc/nginx/conf.d

- Create the public_html directory (domain-cua-ban stands for your domain)
mkdir -p /home/domain-cua-ban/public_html
mkdir /home/domain-cua-ban/logs
chmod 777 /home/domain-cua-ban/logs
chown -R nginx:nginx /home/domain-cua-ban
- Go into the conf.d directory and create a file with any name ending in .conf;
for example, I created the file quylevhb.conf

server {
    server_name www.domain-cua-ban;
    rewrite ^(.*) http://domain-cua-ban-khong-co-www$1 permanent;
}
server {
    listen 80;
    access_log off;
    error_log off;  # note: nginx reads "off" here as a file name, not as a switch
    # error_log /home/domain-cua-ban/error.log;
    root /home/domain-cua-ban/public_html;
    index index.php index.html index.htm;
    server_name domain-cua-ban-khong-co-www;
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
    include /etc/nginx/ngx_pagespeed.conf; # enable ngx_pagespeed
    location ~ \.php$ {
        root /home/domain-cua-ban/public_html;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Replace the paths and server names with your own. If you want logging, remove the # from the line # error_log /home/domain-cua-ban/error.log; and change error_log off; to error_log on;
- Restart nginx

service nginx restart

II. Install MariaDB
1. Add the repo

In /etc/yum.repos.d/, create the file mariadb.repo with the following content:


[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.1/rhel6-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1
Note: at the time I wrote this tutorial, the latest MariaDB version was 10.1.
To check the current version, visit http://yum.mariadb.org/
Once you have found the latest release, put its version link into this line:
baseurl = http://yum.mariadb.org/10.1/rhel6-amd64
2. Install
yum -y install MariaDB-server MariaDB-client

3. Set the password and secure MySQL
Run the commands:
service mysql start
chkconfig mysql on
mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.
Enter current password for root (enter for none): [Press Enter]
OK, successfully used password, moving on...
Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.
Set root password? [Y/n] Y
New password: [Enter the password you want]
Re-enter new password: [Re-enter the password]
Password updated successfully!
Reloading privilege tables..
... Success!
By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n] Y
... Success!
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] Y
... Success!
By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n] Y
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n] Y
... Success!
Cleaning up...
All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.
Thanks for using MariaDB!

4. Tune MariaDB

Open the file /etc/my.cnf and copy the following content in below the line
!includedir /etc/my.cnf.d
[mysqld]
key_buffer = 500M
table_cache = 4000
sort_buffer_size = 3M
read_buffer_size = 2M
read_rnd_buffer_size = 8M
myisam_sort_buffer_size = 64M
max_connections = 400
query_cache_type = 1
query_cache_limit = 5M
query_cache_size = 500M
tmp_table_size=20M
max_heap_table_size=20M
thread_cache_size = 64

Restart MySQL
service mysql restart

III. Install php-fpm
1. Install
yum -y --enablerepo=remi install php-common php-fpm php-gd php-mysql \
    php-pdo php-xml php-mbstring php-mcrypt php-pecl-apc php-curl php-soap
Note: this command installs PHP 5.4. If you want to install PHP 5.6, run this command:
yum --enablerepo=remi,remi-php56 -y install php php-common php-fpm php-mysql php-gd php-xml php-mbstring php-mcrypt php-pdo php-soap
- Start php-fpm
service php-fpm start
chkconfig --levels 235 php-fpm on

2. Configuration
Open the file /etc/php-fpm.d/www.conf and replace its entire contents with:

[www]
listen = 127.0.0.1:9000
listen.allowed_clients = 127.0.0.1
user = nginx
group = nginx
pm = ondemand
pm.max_children = 2
; default: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
pm.start_servers = 20
pm.min_spare_servers = 1
pm.max_spare_servers = 5
pm.max_requests = 500
pm.status_path = /php_status
request_terminate_timeout = 100s
pm.process_idle_timeout = 10s;
request_slowlog_timeout = 4s
slowlog = /home/domain-cua-ban/logs/php-fpm-slow.log
rlimit_files = 131072
rlimit_core = unlimited
catch_workers_output = yes
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
php_admin_value[error_log] = /home/domain-cua-ban/logs/php-fpm-error.log
php_admin_flag[log_errors] = on
php_value[session.save_handler] = files
php_value[session.save_path] = /var/lib/php/session

Replace /home/domain-cua-ban/logs with your own path.


Go to /etc, download the following file and copy it there:

https://drive.google.com/file/d/0B5GXJ8MAIvQqZEdGVWZYQTBKOXM/view?usp=sharing

Run the following commands:

mkdir -p /var/lib/php/session


chown -R nginx:nginx /var/lib/php
service php-fpm restart
IV. Install phpMyAdmin

1. Install
yum --enablerepo=remi -y install phpMyAdmin
2. Configuration
Open the vhost file (/etc/nginx/conf.d/abc.conf), where abc.conf is the name of your vhost file.
Append the following rule to the end of the file:
server {
    listen 1109;                        # listen port
    server_name localhost;
    location / {
        root /usr/share/phpMyAdmin;     # Document root
        index index.php index.html index.htm;
    }
    location ~ \.php$ {
        root /usr/share/phpMyAdmin;     # Document root
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Where:
- 1109 is the port used to reach phpMyAdmin. You can choose any port you like. Note that the port
must be free and not used by any other service, to avoid conflicts.
A list of ports is available here:
http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
4. Open the port
Open the file /etc/sysconfig/iptables and add the following rule:
-A INPUT -m state --state NEW -p tcp --dport 1109 -j ACCEPT
- Restart iptables
service iptables restart
- Restart nginx
service nginx restart
- Browse to the address
http://domain.com:1109
or
http://ip-server:1109

V. Install vsftpd

1. Install
yum -y install vsftpd
2. Configuration
Open the file /etc/vsftpd/vsftpd.conf
- Find
anonymous_enable=YES
and change it to
anonymous_enable=NO
- Find
#ascii_upload_enable=YES
#ascii_download_enable=YES
and change them to
ascii_upload_enable=YES
ascii_download_enable=YES
- Find
#ls_recurse_enable=YES
and change it to
ls_recurse_enable=YES
- Find
#chroot_local_user=YES
#chroot_list_enable=YES
#chroot_list_file=/etc/vsftpd/chroot_list
and change them to
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list

- Add the following two lines at the very end

local_root=public_html
use_localtime=YES
- Create the file chroot_list in the /etc/vsftpd directory (with chroot_local_user=YES, the users listed in this file are the ones that are not chrooted)
- Start vsftpd
service vsftpd start


- Configure vsftpd to start at boot
chkconfig --levels 235 vsftpd on
VI. Install Xcache

Run the following commands in order:


yum --enablerepo=remi -y install xcache xcache-admin
If you use PHP 5.6, run the following command:
yum --enablerepo=remi,remi-php56 -y install xcache xcache-admin
service nginx restart
service php-fpm restart

VII. Install CSF
1. Install the required libraries
yum -y install perl-libwww-perl
2. Install CSF
cd /tmp

wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
3. Test CSF
perl /usr/local/csf/bin/csftest.pl
If you see the result shown in the picture, it is OK.

4. Open the file /etc/csf/csf.conf
Change: TESTING = "1"
To: TESTING = "0"
5. Run the following commands to start CSF
chkconfig --level 235 csf on
service csf restart
VIII. Basic nginx hardening
1. Chmod
- Chmod the directories home, domain-cua-ban, public_html, etc/nginx,
etc/nginx/conf.d and etc/php-fpm.d to 711
- Chmod all files in the directories /etc/nginx, /etc/php-fpm.d,
/etc/phpMyAdmin and /etc/nginx/conf.d to 600
- Chmod the files /etc/phpMyAdmin/config.inc.php, /etc/php.ini, passwd and passwd- to 600
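
The permission targets in step 1 (711 for directories, 600 for files) can be verified after the fact with a short script. This is an added example, not part of the original tutorial; the function names are hypothetical, and it also lists world-writable entries such as the logs directory that was set to 777 earlier.

```sh
#!/bin/sh
# Added example (not from the original tutorial): audit the modes from section VIII.1.

# audit_modes DIR DIRMODE FILEMODE
# Lists every directory under DIR whose mode is not exactly DIRMODE and every
# regular file whose mode is not exactly FILEMODE.
# Returns 0 if the tree is clean, 1 if anything deviates, 2 if DIR is missing.
audit_modes() {
    dir=$1 want_dir=$2 want_file=$3
    [ -d "$dir" ] || { echo "MISSING $dir"; return 2; }
    bad=$(
        find "$dir" -type d ! -perm "$want_dir"  | sed 's/^/DIR /'
        find "$dir" -type f ! -perm "$want_file" | sed 's/^/FILE /'
    )
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# world_writable DIR
# Lists entries that any local account can modify, such as a directory left at 777.
world_writable() {
    find "$1" ! -type l -perm -0002
}

# audit_vps SITE_DIR
# Applies the tutorial's targets to the configuration trees (711 / 600) and
# reports world-writable entries under the site directory.
audit_vps() {
    rc=0
    for d in /etc/nginx /etc/php-fpm.d; do
        audit_modes "$d" 711 600 || rc=1
    done
    ww=$(world_writable "$1" 2>/dev/null) || rc=1
    if [ -n "$ww" ]; then
        printf '%s\n' "$ww" | sed 's/^/WORLD-WRITABLE /'
        rc=1
    fi
    return $rc
}

# Run as: sh audit.sh /home/domain-cua-ban  (placeholder path from the tutorial)
if [ "$#" -eq 1 ]; then
    audit_vps "$1"
fi
```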

2. Prevent shells from running in the uploads directory

- Add a rule that prevents shells from running in the upload directory
Open the vhost file and add:
location /uploads/ {
    location ~ .*\.(inc|sql|php|cgi|pl|jsp|txt|php5|shtml|html|php4|phtml|nok|love|kid|rp)?$ {
        deny all;
    }
}
- Replace /uploads/ with the path of your upload directory

3. Set a second password for admincp

Add the following rule to the vhost file:

location /admincp {
    auth_basic "Private";
    auth_basic_user_file /etc/nginx/.htpasswd;
}
Replace /admincp with the path of your admincp directory.
Create the .htpasswd file in the /etc/nginx directory. To create it, use the following command:

htpasswd -bc /etc/nginx/.htpasswd myusername mypassword

Example:
htpasswd -bc /etc/nginx/.htpasswd quylevhb 123456
IX. References

You can read more at:


http://quylevhb.blogspot.com/search/label/Nginx
